[Cryptography] Perfection versus Forward Secrecy

Guido Witmond guido at witmond.nl
Thu Sep 12 17:32:29 EDT 2013

On 09/12/13 18:33, Tony Arcieri wrote:
> On Wed, Sep 11, 2013 at 8:00 PM, John Gilmore <gnu at toad.com
> <mailto:gnu at toad.com>> wrote:
>     There doesn't seem to be much downside to just calling it "Forward
>     Secrecy" rather than "Perfect Forward Secrecy".  We all seem to agree
>     that it isn't perfect, and that it is a step forward in security, at a
>     moderate cost in latency and performance.
> What's really bothered me about the phrase "perfect forward secrecy" is
> it's being applied to public key algorithms we know will be broken as
> soon as a large quantum computer has been built (in e.g. a decade or
> two). Meanwhile people seem to think that it's some sort of technique
> that will render messages unbreakable forever.

Perhaps of (little) comfort:

By the time that quantum computer has been built, it will become clear
that by breaking the PFS crypto, you also break the non-repudiation.

In other words: No one can claim in a (decent) court that a certain
message has been sent by you, when the quantum computer can break both
the PFS and the Merkle-tree hashes that are supposed to prove the

In the meantime, remember Scott McNealy: "Privacy online is dead."

