[cryptography] deniable store and forward with integrity protection?

David-Sarah Hopwood david-sarah at jacaranda.org
Tue Feb 15 23:51:47 EST 2011


On 2011-02-16 03:28, James A. Donald wrote:
> On 2011-02-16 10:04 AM, David-Sarah Hopwood wrote:
>> Note that a disadvantage of such protocols relative to
>> multi-round ones is that, as far as I know, they cannot
>> achieve forward secrecy.
> 
> In that if either party to the protocol described loses
> control of his secret key, all messages can be retroactively
> decrypted.

That's correct for static Diffie-Hellman. For the Encrypt-then-Sign
protocol I gave, messages can be retroactively decrypted
if-and-only-if the recipient's decryption key is compromised.
For a given message, the sender's decryption key is not used
(and compromise of its signing key does not allow decrypting
past messages).

> I was unaware that any half round protocols had been
> described, though you proceed to describe one below.

Ian Brown and Adam Back's suggestion is another, which appears
equally secure. It also has the property that messages can be
retroactively decrypted if-and-only-if the recipient's decryption
key is compromised.

> It would seem that forward secrecy inherently requires at
> least one and a half round trips, since the recipient of the
> message has to have a transient secret.

If the sender of the message is the protocol initiator, yes.

If the receiver is the protocol initiator (which is unusual,
but possible if the receiver is polling for messages), then
I think it only requires one round-trip.

> This problem can be somewhat mitigated by caching shared
> secrets for a moderate period.

Yes.

-- 
David-Sarah Hopwood  ⚥  http://davidsarah.livejournal.com
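As an added illustration, not code from the thread (this message does not spell out the Encrypt-then-Sign protocol), here is a toy Python model of the two half-round protocols the reply contrasts: a static Diffie-Hellman ciphertext beside an Encrypt-then-Sign packet built from an ephemeral DH share and a Schnorr signature. The group, key derivation and hash-based stream are constructed for illustration and are not a real design; the point is that the static-DH message is recoverable from either party's long-term secret, while the Encrypt-then-Sign packet needs only the recipient's decryption key and the sender's signing key never enters the key derivation.

```python
import hashlib, secrets

# Toy group: Mersenne prime 2^127-1, generator 3 (constructed; far too small for real use).
P = 2 ** 127 - 1
G = 3

def keygen():
    """Long-term key pair (x, g^x); used both for DH and for Schnorr signing."""
    x = secrets.randbelow(P - 2) + 1
    return x, pow(G, x, P)

def kdf(shared):
    return hashlib.sha256(shared.to_bytes(16, "big")).digest()

def stream_xor(key, data):
    """Hash-based keystream XORed over data; the same call encrypts and decrypts."""
    out = b""
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + bytes([i // 32])).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return out

def sign(x, msg):
    k = secrets.randbelow(P - 2) + 1
    R = pow(G, k, P)
    e = int.from_bytes(hashlib.sha256(R.to_bytes(16, "big") + msg).digest(), "big")
    return R, (k + e * x) % (P - 1)

def verify(y, msg, sig):
    R, s = sig
    e = int.from_bytes(hashlib.sha256(R.to_bytes(16, "big") + msg).digest(), "big")
    return pow(G, s, P) == R * pow(y, e, P) % P

def static_dh_encrypt(sender_sk, recipient_pk, msg):
    """Static DH: the key depends only on the two long-term secrets."""
    return stream_xor(kdf(pow(recipient_pk, sender_sk, P)), msg)

def ets_send(sender_sign_sk, recipient_pk, msg):
    """Encrypt-then-Sign: ephemeral r is discarded after use."""
    r = secrets.randbelow(P - 2) + 1
    c1 = pow(G, r, P)
    c2 = stream_xor(kdf(pow(recipient_pk, r, P)), msg)
    return c1, c2, sign(sender_sign_sk, c1.to_bytes(16, "big") + c2)

def ets_receive(recipient_sk, sender_sign_pk, packet):
    """Plaintext, or None if the signature fails; only recipient_sk enters the key."""
    c1, c2, sig = packet
    if not verify(sender_sign_pk, c1.to_bytes(16, "big") + c2, sig):
        return None
    return stream_xor(kdf(pow(c1, recipient_sk, P)), c2)
```

A compromised sender signing key lets an attacker forge future packets but, since r is gone, gives no way to recover past ciphertexts; a compromised recipient key decrypts every stored packet, which is the forward-secrecy limitation the reply describes.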
