[Cryptography] Is "perfect forward secrecy" the biggest fraud of last decade?

Sandy Harris sandyinchina at gmail.com
Sat Sep 1 10:05:10 EDT 2018


On Tue, Aug 28, 2018 at 6:29 PM Ismail Kizir <ikizir at gmail.com> wrote:

> I think that the concept of "perfect forward secrecy" used in Signal
> based applications forced us to rely solely on asymmetric algorithms,
> which, will reveal all our secrecy in a few years!
> Am I wrong?

Yes. If the asymmetric crypto is broken then many things fail.
In some systems, that is catastrophic; for example for PGP
if I learn your private key I can read all your messages since
the symmetric algorithm keys are protected only by the
asymmetric encryption.

For a key agreement algorithm like DH, the asymmetric crypto
is generally only used to authenticate the players. Breaking it
does not give an attacker any of the symmetric session keys;
it only lets him conduct man-in-the-middle attacks toget them,
and it takes one MITM per session key.

Forward secrecy means that breaking the asymmetric crypto
does not let him read either old messages that he may have
archived or new messages for which he has not conducted
a successful MITM attack. That is a useful property. As I
see it, no sane person would specify a key agreement
protocol without it.

On the other hand if quantum computers can solve the
discrete log problem efficiently, then DH goes belly up.
That would let them break the protocol completely,
reading new messages without MITM and reading old
ones despite forward secrecy, provided they had also
archived the DH exchanges.


More information about the cryptography mailing list