[Cryptography] Is "perfect forward secrecy" the biggest fraud of last decade?

Christian Huitema huitema at huitema.net
Sat Sep 1 18:38:14 EDT 2018

On 9/1/2018 7:05 AM, Sandy Harris wrote:

> On the other hand if quantum computers can solve the
> discrete log problem efficiently, then DH goes belly up.
> That would let them break the protocol completely,
> reading new messages without MITM and reading old
> ones despite forward secrecy, provided they had also
> archived the DH exchanges.

Straight DH could indeed be broken by quantum computers. What about DH
combined with a shared secret, as in for example the PSK + (EC)DH modes of
TLS 1.3? Are those broken too?

-- Christian Huitema
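
For reference, an added example (not part of the original message) of where the two inputs enter the TLS 1.3 key schedule in the PSK + (EC)DHE mode asked about above, following RFC 8446 section 7.1 with SHA-256. The sample PSK and ECDHE values are constructed placeholders, and `handshake_secret` is a name chosen for this sketch.

```python
import hashlib
import hmac

HASH = hashlib.sha256
HASH_LEN = HASH().digest_size  # 32 bytes for SHA-256

def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    # RFC 5869: PRK = HMAC-Hash(salt, IKM)
    return hmac.new(salt, ikm, HASH).digest()

def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    # RFC 5869: T(n) = HMAC-Hash(PRK, T(n-1) || info || n)
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        out += block
        counter += 1
    return out[:length]

def hkdf_expand_label(secret: bytes, label: bytes, context: bytes, length: int) -> bytes:
    # RFC 8446 HkdfLabel: uint16 length, then "tls13 " + label and context,
    # each preceded by a one-byte length.
    full = b"tls13 " + label
    info = (length.to_bytes(2, "big") + bytes([len(full)]) + full
            + bytes([len(context)]) + context)
    return hkdf_expand(secret, info, length)

def derive_secret(secret: bytes, label: bytes, messages: bytes) -> bytes:
    # Derive-Secret uses the transcript hash of the messages as context.
    return hkdf_expand_label(secret, label, HASH(messages).digest(), HASH_LEN)

def handshake_secret(psk: bytes, ecdhe: bytes) -> bytes:
    # Early Secret: the PSK is the input keying material, salt is all zeros.
    early = hkdf_extract(bytes(HASH_LEN), psk)
    # The Early Secret, via "derived", becomes the salt for the next extract,
    # whose input keying material is the (EC)DHE shared secret.
    derived = derive_secret(early, b"derived", b"")
    return hkdf_extract(derived, ecdhe)

# Constructed sample values, not taken from any real session.
SAMPLE_PSK = bytes.fromhex("11" * 32)
SAMPLE_ECDHE = bytes.fromhex("22" * 32)

if __name__ == "__main__":
    real = handshake_secret(SAMPLE_PSK, SAMPLE_ECDHE)
    # Same ECDHE value, but the PSK replaced by the all-zero default
    # that TLS 1.3 uses when no PSK is in play.
    no_psk = handshake_secret(bytes(HASH_LEN), SAMPLE_ECDHE)
    print(real.hex())
    print(no_psk.hex())
```

The Handshake Secret is a function of both values, so holding the ECDHE shared secret alone does not reproduce it; the PSK is also required.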
