<div dir="ltr"><blockquote style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex" class="gmail_quote"><div class="gmail_default" style="font-family:georgia,serif">
- (in: w encrypts m to r) if attacker "a" passively compromises w, they
are able/unable to decrypt current (in-transit) and/or future ciphertext
(i.e. "act as r")<br>- (in: w authenticates m to r) if attacker "a" passively compromises r,
they are able/unable to authenticate messages to r (i.e. "act as w")<br><br>
I'm sure *someone* has considered it before, but I can't remember any
literature that explicitly names this property - as opposed to say,
"forward secrecy" or "key compromise impersonation". Does anyone who's
more widely-read than I, know more about this?</div></blockquote><div><br><div class="gmail_default" style="font-family:georgia,serif;display:inline">This is discussed in<a href="http://ieeexplore.ieee.org/xpls/abs_all.jsp?arnumber=6957115&tag=1"> Actor Key Compromise: Consequences and Countermeasures</a> [Basin, Cremers, Horvat; CSF 2014]. As you point out, the idea is known as KCI for authenticated key exchange protocols, but it's applicable much more widely.<br><br></div><div class="gmail_default" style="font-family:georgia,serif;display:inline">Katriel<br></div></div></div>