[cryptography] deniable store and forward with integrity protection?
david-sarah at jacaranda.org
Tue Feb 15 23:51:47 EST 2011
On 2011-02-16 03:28, James A. Donald wrote:
> On 2011-02-16 10:04 AM, David-Sarah Hopwood wrote:
>> Note that a disadvantage of such protocols relative to
>> multi-round ones is that, as far as I know, they cannot
>> achieve forward secrecy.
> In that if either party to the protocol described loses
> control of his secret key, all messages can be retroactively
That's correct for static Diffie-Hellman. For the Encrypt-then-Sign
protocol I gave, messages can be retroactively decrypted
if-and-only-if the recipient's decryption key is compromised.
For a given message, the sender's decryption key is not used
(and compromise of its signing key does not allow decrypting
> I was unaware that any half round protocols had been
> described, though you proceed to describe one below.
Ian Brown and Adam Back's suggestion is another, which appears
equally secure. It also has the property that messages can be
retroactively decrypted if-and-only-if the recipient's decryption
key is compromised.
> It would seem that forward secrecy inherently requires at
> least one and a half round trips, since the recipient of the
> message has to have a transient secret.
If the sender of the message is the protocol initiator, yes.
If the receiver is the protocol initiator (which is unusual,
but possible if the receiver is polling for messages), then
I think it only requires one round-trip.
> This problem can be somewhat mitigated by caching shared
> secrets for a moderate period.
David-Sarah Hopwood ⚥ http://davidsarah.livejournal.com