[messaging] Forward secrecy and multiple devices

Nadim Kobeissi nadim at nadim.computer
Fri Oct 31 07:41:22 PDT 2014

Dear Ximin,
Thanks very much for your explanation. Unfortunately, it only confirms 
my pessimistic assumptions regarding the possibility of true forward 
secrecy on multiple devices. I was hoping this list would be aware of 
some kind of breakthrough I've missed out on, but that doesn't seem to 
be the case.

Hope you're doing well. :-)


------ Original Message ------
From: "Ximin Luo" <infinity0 at pwned.gg>
To: "messaging" <messaging at moderncrypto.org>
Sent: 2014-10-31 10:14:04 AM
Subject: Re: [messaging] Forward secrecy and multiple devices

>Forward secrecy is the inability to decrypt ciphertext after it's been 
>decrypted the first time, by throwing away (enough of) the decryption 
>key-material. If you want to be able to decrypt it indefinitely 
>onwards, it defeats the point.
>If you want to encrypt a message to multiple devices in a 
>forward-secret way, the maximum you can achieve is to have it 
>decryptable (i.e. not forward secret) until the last device that reads 
>the message throws away its ephemeral decryption key, at which point 
>you gain the property of "forward secrecy".
>As long as key material exists somewhere to be able to decrypt whatever 
>ciphertext you store wherever, *by definition* this situation is not 
>forward-secret. Sorry...
>The schemes other people described are forward-secret for only *part* 
>of the message lifetime. It may be the case that these "partial" 
>forward-secrecy schemes make sense for certain use cases. For example, 
>if the (re-encrypted) ciphertext is only exposed on private 
>infrastructure e.g. locally on each target device, or on "trusted 
>third-party infrastructure" (lol), this may arguably be a bit safer 
>than simply storing the original ciphertext (that was seen by the 
>adversary) and ephemeral key. This is dangerous territory to go into, 
>On 31/10/14 13:04, Nadim Kobeissi wrote:
>>  Hi everyone,
>>  I've been wondering about how to make asynchronous forward-secret 
>>messaging systems work when the user is accessing message history from 
>>multiple devices.
>>  Say I send a bunch of messages from computer A to another user's 
>>computer U.
>>  Later, I buy myself a new computer B on which I want to download and 
>>decrypt my message history.
>>  If the messages I sent all relied on my long-term identity, then I 
>>can just use my long-term key pair to decrypt the messages on computer 
>>B and there wouldn't be a problem.
>>  However, I am wondering how that would work in case I was using 
>>forward-secret session keys that changed message by message. How would 
>>the session secrets be communicated across devices? How would computer 
>>B be able to decrypt my forward-secret messages sent from computer A?
>>  It would be great to hear the opinion of the many experts on this 
>>list regarding this matter.
>>  Regards,
>>  NK

More information about the Messaging mailing list