[Cryptography] Hohha Protocol : 1. Key renewal review

Ismail Kizir ikizir at gmail.com
Sun Nov 25 10:08:51 EST 2018

On Sun, Nov 25, 2018 at 5:05 PM Peter Fairbrother <peter at tsto.co.uk> wrote:
> Forward secrecy (there is a decent case for calling it backwards
> secrecy, but we are stuck with forward secrecy for now) implies that an
> attacker cannot decrypt past traffic after some key secret is deleted.
> But you aren't deleting any secrets. If an attacker gets the raw key
> material [1] he can use it to decrypt all past messages.
> The best way I can think of offhand to provide PQ forward secrecy is by
> key updating. Assume two keys, kA for Alice to call Bob, kB for Bob to
> call Alice (synchronisation gets very complicated otherwise).
> Alice calls Bob, using the key or a derived key - then she updates kA by
> some PQ resistant method, eg she hashes it, deletes the old kA, and
> stores the hash as kA.
> When Bob gets the message he uses his copy of kA to decrypt it, then
> hashes his copy of kA, deletes the original kA and stores the hash as kA.
> As soon as both copies of kA are deleted, there is no key material which
> an attacker can use to decrypt the message (assuming the hash cannot be
> reversed).

If an attacker obtains somehow you initial raw key material and if it
records whole communication, it can also decrypt all of your messages.
What you are suggesting is just a more complicated and less secure
method of what I am suggesting.
Am I wrong?
Or am I missing something?

Ismail Kizir

More information about the cryptography mailing list