[Cryptography] Perfection versus Forward Secrecy

Eugen Leitl eugen at leitl.org
Fri Sep 13 02:08:38 EDT 2013

On Thu, Sep 12, 2013 at 09:33:34AM -0700, Tony Arcieri wrote:

> What's really bothered me about the phrase "perfect forward secrecy" is
> it's being applied to public key algorithms we know will be broken as soon
> as a large quantum computer has been built (in e.g. a decade or two).

I do not think that the spooks are too far away from open research in
QC hardware. It does not seem likely that we'll be getting real QC
any time soon, if ever.

The paranoid nuclear option remains: one time pads. There is obviously
a continuum for XORing with output very large state PRNGs and
XORing with one time pads. It should be possible to build families
of such which resist reverse-engineering the state. While
juggling around several MByte or GByte "keys" is inconvenient, some
applications are well worth it.

Why e.g. SWIFT is not running on one time pads is beyond me.

> Meanwhile people seem to think that it's some sort of technique that will
> render messages unbreakable forever.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 836 bytes
Desc: Digital signature
URL: <http://www.metzdowd.com/pipermail/cryptography/attachments/20130913/8fa41b62/attachment.pgp>

More information about the cryptography mailing list