[Cryptography] Is "perfect forward secrecy" the biggest fraud of last decade?

William Allen Simpson william.allen.simpson at gmail.com
Thu Aug 30 09:49:08 EDT 2018


On 8/28/18 4:45 PM, Ismail Kizir wrote:
> I think that the concept of "perfect forward secrecy" used in Signal-based
> applications forced us to rely solely on asymmetric algorithms,
> which will reveal all our secrecy in a few years!

I'm not sure whether you are using the term "perfect" forward secrecy
correctly.  Perhaps the definitions have changed over time?

I've taken a quick look at the article, and it only mentions factoring
large numbers.  That's applicable to public/private key pairs, but
doesn't seem to be applicable to symmetric keys.

Does Signal really only use asymmetric algorithms?


> Because the designers of Signal and similar protocols knew that
> the quantum computer revolution was already imminent!
> 
Not even worrying about quantum, circa 1994-1995 we were worried
about other kinds of attacks.  Photuris distinguished between
"forward secrecy" and "perfect forward secrecy".

Forward secrecy was provided by the establishment mechanism of an
ephemeral session key.  Also, independent keys were used for each
direction of traffic.

Perfect forward secrecy required destruction of the signing key
used in the authentication exchange.

Both the signing and shared secrets were used in generating the
session keys, so you'd have to solve multiple hard problems for
every key.

Photuris also provided a Secret Exchange to generate a short
term signing key prior to the session key.  That could be used
multiple times for repeat exchanges and session key rollover,
then easily destroyed.

So you really needed to solve many hard problems for every key.
We figured at that rate, it would be easier to attack the
symmetric algorithms than try to break any keys.

That doesn't help data at rest, the only time you'd need to
re-encrypt.  Are you using asymmetric algorithms for data at rest?
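
The key-establishment properties described in the message above, as an added example that is not Photuris code and is not from any post in this thread: an ephemeral Diffie-Hellman exchange per session, independent keys for each traffic direction, and both the shared secret and an authentication secret feeding the session-key derivation. Assumptions: the group is the 1024-bit MODP group 2 from RFC 2409 (era-appropriate, too small for new deployments), HKDF-SHA256 is used as the key derivation function, and the "signing" secret is modelled as a 32-byte value both parties already hold, which is a simplification of Photuris' Secret Exchange.

```python
"""Illustrative Photuris-style session key establishment (added example)."""
import hashlib
import hmac
import secrets

# RFC 2409 "group 2": 1024-bit MODP prime, generator 2.  Chosen to match the
# mid-1990s setting of the discussion; use a larger RFC 3526 group today.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF",
    16,
)
G = 2
P_BYTES = (P.bit_length() + 7) // 8  # 128


def hkdf(ikm, salt, info, length=32):
    """HKDF-SHA256 (RFC 5869) built from the standard library only."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block = b"", b""
    for counter in range(1, -(-length // 32) + 1):
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
    return okm[:length]


def ephemeral_keypair():
    """Fresh DH exchange value for one session; never reused or stored."""
    priv = secrets.randbelow(P - 2) + 1  # in [1, P-2]
    return priv, pow(G, priv, P)


def shared_secret(priv, peer_pub):
    """DH shared secret as fixed-width bytes; rejects degenerate peer values."""
    if not 1 < peer_pub < P - 1:  # 0, 1 and p-1 would force a predictable secret
        raise ValueError("bad exchange value")
    return pow(peer_pub, priv, P).to_bytes(P_BYTES, "big")


def session_keys(z, auth_secret, pub_i, pub_r):
    """Per-direction keys (initiator->responder, responder->initiator).

    Both the DH shared secret and the authentication ("signing") secret feed
    the derivation, so recovering a session key needs both, as the message
    describes for Photuris.  auth_secret is an assumed shared 32-byte value.
    """
    transcript = pub_i.to_bytes(P_BYTES, "big") + pub_r.to_bytes(P_BYTES, "big")
    k_ir = hkdf(z, auth_secret, b"I->R " + transcript)
    k_ri = hkdf(z, auth_secret, b"R->I " + transcript)
    return k_ir, k_ri


def run_session(auth_secret):
    """One complete exchange; returns the key pair each side derived."""
    priv_i, pub_i = ephemeral_keypair()
    priv_r, pub_r = ephemeral_keypair()
    keys_i = session_keys(shared_secret(priv_i, pub_r), auth_secret, pub_i, pub_r)
    keys_r = session_keys(shared_secret(priv_r, pub_i), auth_secret, pub_i, pub_r)
    # Forward secrecy rests on discarding the ephemeral private values here.
    # Python cannot reliably zeroise integers; a real implementation must.
    del priv_i, priv_r
    return keys_i, keys_r


if __name__ == "__main__":
    auth = secrets.token_bytes(32)  # constructed stand-in for the signing secret
    (k_ir, k_ri), _ = run_session(auth)
    print("I->R", k_ir.hex())
    print("R->I", k_ri.hex())
```

Each call to `run_session` yields unrelated keys, so compromising one session's keys says nothing about earlier or later sessions, and an attacker who somehow solves the DH problem for one exchange still lacks the authentication secret mixed into the derivation. The separate `I->R` and `R->I` labels give the independent per-direction keys the message mentions.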

