Two comments on terminology.

1. "Forward secrecy" (especially "perfect forward secrecy") frequently deceives users into thinking that their communication is protected against future cryptanalytic advances, notably quantum computers.

In the MinimaLT paper we switched terminology from "forward secrecy" to "key erasure". Erasing keys clearly does nothing against cryptanalysis: at best it stops someone who steals your notes of the keys. This phrase also allows easy quantification: e.g., "key erasure after a minute" or "key erasure as soon as the next message is received".

2. When people say that a "post-quantum" system "has 2^128 security", what they typically mean is that the system

   * has 2^128 security against known _pre-quantum_ attacks and
   * retains _some_ security against post-quantum attacks,

but it's rare for the _post-quantum security level_ to be quantified. It's reasonable to expect Grover-type attacks to break most of these systems with far fewer quantum operations, maybe as few as 2^64, which isn't good enough for long-term security. One exception is SPHINCS (http://sphincs.cr.yp.to): we explicitly targeted a 2^128 post-quantum security level. We're encouraging people to do this type of analysis and parameter selection for more systems.

---Dan

_______________________________________________
Messaging mailing list
[email protected]
https://moderncrypto.org/mailman/listinfo/messaging
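Added example (not part of Dan's post, and not MinimaLT's actual key schedule): a small symmetric hash ratchet in Python that makes the "key erasure" framing concrete. The HMAC-SHA256 chain step, the `retain_last` window, the root keys and the message counts are all constructed for this demo. It shows what an attacker who steals the device state gets under two erasure policies ("erase as soon as the next message key is derived" versus "keep the last N message keys"), and confirms that the thief really can derive every future key from the stolen chain key. It says nothing about cryptanalysis of the recorded traffic: a break of the underlying primitives exposes every message regardless of what was erased, which is exactly the point of the terminology change.

```python
"""Hash ratchet illustrating "key erasure after each message" (constructed
example; not MinimaLT's key schedule).  HMAC-SHA256 is used as the one-way
derivation step, an assumption for this demo."""
import hashlib
import hmac
from collections import OrderedDict


def _prf(key: bytes, label: bytes) -> bytes:
    """One-way derivation step: HMAC-SHA256(key, label)."""
    return hmac.new(key, label, hashlib.sha256).digest()


class HashRatchet:
    """Forward-only key chain.

    Message key i is derived from chain key i, after which the chain key is
    replaced by a one-way function of itself.  Anyone holding the current
    chain key can derive every *future* message key; deriving an erased
    *past* key would require inverting the PRF.  `retain_last` keeps that
    many used message keys around (e.g. for out-of-order delivery); those
    are exactly the past keys a thief still gets.
    """

    def __init__(self, root_key: bytes, retain_last: int = 0) -> None:
        self.chain_key = root_key
        self.index = 0
        self.retain_last = retain_last
        self.retained: "OrderedDict[int, bytes]" = OrderedDict()

    def next_message_key(self) -> tuple[int, bytes]:
        idx = self.index
        mk = _prf(self.chain_key, b"message-key")
        # Key erasure: the chain key that produced mk is overwritten now.
        self.chain_key = _prf(self.chain_key, b"next-chain")
        self.index += 1
        if self.retain_last > 0:
            self.retained[idx] = mk
            while len(self.retained) > self.retain_last:
                self.retained.popitem(last=False)  # drop the oldest kept key
        return idx, mk

    def stolen_state(self) -> tuple[int, bytes, dict[int, bytes]]:
        """Everything an attacker gets by copying the device state right now."""
        return self.index, self.chain_key, dict(self.retained)


def keys_recoverable_from(state: tuple[int, bytes, dict[int, bytes]],
                          total_messages: int) -> set[int]:
    """Message indexes whose keys the thief can obtain, given that the
    session eventually sends `total_messages` messages."""
    index, chain_key, retained = state
    clone = HashRatchet(chain_key)        # thief replays the chain forward
    clone.index = index
    recoverable = set(retained)           # past keys not yet erased
    while clone.index < total_messages:   # plus every future key
        i, _ = clone.next_message_key()
        recoverable.add(i)
    return recoverable


def simulate(total_messages: int, compromise_after: int, retain_last: int) -> set[int]:
    """Run a session, steal the state after `compromise_after` messages,
    and report which of the `total_messages` message keys are exposed."""
    ratchet = HashRatchet(b"\x11" * 32, retain_last=retain_last)  # constructed root key
    for _ in range(compromise_after):
        ratchet.next_message_key()
    return keys_recoverable_from(ratchet.stolen_state(), total_messages)


def thief_derives_real_future_key(compromise_after: int) -> bool:
    """Sanity check: the key the thief derives for the next message is the
    one the victim actually uses for it."""
    victim = HashRatchet(b"\x22" * 32)  # constructed root key
    for _ in range(compromise_after):
        victim.next_message_key()
    index, chain_key, _ = victim.stolen_state()
    thief = HashRatchet(chain_key)
    thief.index = index
    return thief.next_message_key() == victim.next_message_key()


if __name__ == "__main__":
    print("erase after each message, stolen after 3 of 6:", sorted(simulate(6, 3, 0)))  # [3, 4, 5]
    print("keep last 2 keys, stolen after 3 of 6:       ", sorted(simulate(6, 3, 2)))  # [1, 2, 3, 4, 5]
    print("stolen after session end:                    ", sorted(simulate(6, 6, 0)))  # []
```

The numbers are the quantification the post asks for: with erasure at every step a theft after message 3 exposes only keys 3, 4 and 5; keeping the last two message keys for late delivery widens that to 1 through 5; a theft after the session has ended exposes nothing. In a real protocol the overwritten chain key would also need to be wiped from memory and any swap or backup, which this Python demo cannot guarantee.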
