On Sun, Sep 13, 2015 at 8:50 AM, Ximin Luo <[email protected]> wrote:
> While I was doing an exercise on classifying and enumerating security
> properties, I came up with the following one:
>
> - (in: w encrypts m to r) if attacker "a" passively compromises w, they are
> able/unable to decrypt current (in-transit) and/or future ciphertext (i.e.
> "act as r")
>
> This is the encryption analog of KCI ("key compromise impersonation") which
> applies to authentication

Or is it the future analog of PFS, applied to post-compromise data
instead of pre-compromise?

Most people think of PFS as applying to (pre-compromise encrypted
data, confidentiality) and KCI applying to (post-compromise sessions,
authentication), but the (post-compromise encrypted data,
confidentiality) case sometimes gets included under "forward security"
and sometimes doesn't.

> Note that the former is not exactly the same as forward secrecy, which is
> modelled as a passive compromise on the *decryptor's* side

There's no consistent definition for "forward secrecy" or "forward
security" (and "perfect" in this context has always been meaningless).

If you're talking about "forward-secure public-key encryption", then
you're correct that it only applies to the recipient's private key,
but that's because only the recipient *has* a private key.

In mutually-authenticated key agreement, forward security or secrecy
generally refers to both parties' long-term keys.

In one-pass key agreements, works like Gorantla and Halevi/Krawczyk
have used "sender forward secrecy" or "sender's forward secrecy" to
distinguish sender from recipient compromise:

https://eprint.iacr.org/2009/436
https://eprint.iacr.org/2010/638

Stepping back: the terminology is sort of a mess here, and if you want
to speak about complex cases with precision, you probably just need to
spell out exactly what compromises you're considering and their
consequences:

- compromise of key A enables attack B but not C
- compromise of key D enables attack E but not F

etc...

Trevor
_______________________________________________
Messaging mailing list
[email protected]
https://moderncrypto.org/mailman/listinfo/messaging
