[cryptography] Asynchronous forward secrecy encryption

Trevor Perrin trevp at trevp.net
Wed Sep 18 11:55:35 EDT 2013


On Wed, Sep 18, 2013 at 12:12 AM, Adam Back <adam at cypherspace.org> wrote:
> That's a good approach but note it does assume your messages are delivered in
> the same order they are sent (even though they are delivered
> asynchronously).  That is generally the case but does not have to be -
> neither email nor UDP for example guarantee that.
> Maybe you would want to include an authenticated sequence number so the
> recipient can detect gaps and out of order messages, though that does create
> an attack where the attacker can delete a message, and cause the recipient
> to keep messages.
>
> Or better the actual key used could be derived to fix that.  e.g.
> k_{i+1}=H(k_i) delete k_i; but also sk_i=H(1||k_i) then use sk_i values.  In
> that way you can keep keys for a gap with no security implication other than
> the missing/delayed message security.  Other messages that come afterwards
> would be unaffected.

Yeah!  That's a great way to do it.

In case of out-of-order delivery, you could eventually delete unused
sk_i values once they get too old.

You could also encrypt the sequence numbers with some static key so as
not to leak info on the # of messages exchanged.


Trevor
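
The scheme discussed in this thread (k_{i+1}=H(k_i), sk_i=H(1||k_i), unused sk_i kept for gaps and deleted once too old), as an added example that is not code from either poster. Assumptions: SHA-256 as H, the byte 0x01 as the "1" prefix, HMAC-SHA256 under sk_i to authenticate the sequence number, and "too old" measured as MAX_SKIP messages behind; encrypting the body under sk_i is left out.

```python
import hashlib, hmac

MAX_SKIP = 4  # assumed window: how far behind an unused sk_i may lag before deletion

def H(b):
    return hashlib.sha256(b).digest()

def step(k):
    """From k_i return (sk_i, k_{i+1}): sk_i = H(1 || k_i), k_{i+1} = H(k_i)."""
    return H(b"\x01" + k), H(k)

def tag(sk, seq, body):
    # Authenticates the sequence number together with the body.
    return hmac.new(sk, seq.to_bytes(8, "big") + body, hashlib.sha256).digest()

class Sender:
    def __init__(self, k0):
        self.k, self.i = k0, 0
    def send(self, body):
        sk, self.k = step(self.k)          # reference to k_i is dropped here
        seq, self.i = self.i, self.i + 1
        return seq, body, tag(sk, seq, body)

class Receiver:
    def __init__(self, k0):
        self.k, self.i, self.skipped = k0, 0, {}   # skipped: i -> kept sk_i
    def receive(self, seq, body, t):
        if seq < self.i:                   # delayed message: needs a kept sk_i
            sk = self.skipped.get(seq)
            if sk is None or not hmac.compare_digest(t, tag(sk, seq, body)):
                return False               # replayed, expired, or forged
            del self.skipped[seq]          # used once, then deleted
            return True
        if seq - self.i > MAX_SKIP:
            return False                   # assumed policy: refuse oversized gaps
        k, pending = self.k, {}
        for j in range(self.i, seq):       # derive sk_j for each missing message
            pending[j], k = step(k)
        sk, k = step(k)
        if not hmac.compare_digest(t, tag(sk, seq, body)):
            return False                   # forged seq: chain state not advanced
        self.k, self.i = k, seq + 1        # commit only after the tag verifies
        self.skipped.update(pending)
        for j in [j for j in self.skipped if j < self.i - MAX_SKIP]:
            del self.skipped[j]            # expire sk_i values that got too old
        return True
```

Holding a kept sk_i exposes only the one missing or delayed message it belongs to, because sk_i cannot be turned back into k_i or forward into any other sk_j.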

