[messaging] Naming and classifying a security property

Ximin Luo infinity0 at pwned.gg
Sun Sep 13 09:15:10 PDT 2015

On 13/09/15 17:50, Ximin Luo wrote:
> - chain-based ratcheting has this property - as the sender, you encrypt m[i] using k, then hash it and delete the original for m[i+1]. The recipient will need to keep extra state around if they want to handle out-of-order messages.

Whoops, this is wrong. It *doesn't* have the aforementioned property - someone that compromises the encryptor here can still decrypt all future ciphertexts.

It's not exactly Axolotl's so-called "future secrecy" [2] either. For example:

> - public key encryption has this property, if you don't also encrypt-to-yourself (which is a common default for GPG encryption :()

OTOH with this scheme, if the decryptor is compromised, then the attacker can here also decrypt all future ciphertexts, so it's not strictly "future secrecy".

I am wondering if we need more precise terms; compromise on the decryptor vs encryptor side can make a big difference. Arguably you want protection against both, but with a term like "future secrecy" you can argue/market that you have this property even if it applies only to one side.


[2] https://whispersystems.org/blog/advanced-ratcheting/
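To make the correction above concrete, here is an added toy simulation of a chain-based ratchet (constructed for this archive page; it is not code from the thread or from Axolotl). Chain keys are derived with HMAC-SHA256, a toy hash-based stream cipher stands in for real encryption, and the "compromise" is a snapshot of the sender's chain key at step i: from that snapshot every later message key follows by running the public chain function forward, while earlier keys are protected only by the one-wayness of the hash.

```python
import hashlib
import hmac

def chain_step(k: bytes) -> bytes:
    """Advance the symmetric chain: k[i] -> k[i+1] = HMAC(k[i], "chain")."""
    return hmac.new(k, b"chain", hashlib.sha256).digest()

def message_key(k: bytes) -> bytes:
    """Per-message key mk[i] = HMAC(k[i], "msg")."""
    return hmac.new(k, b"msg", hashlib.sha256).digest()

def xor_encrypt(mk: bytes, data: bytes) -> bytes:
    """Toy stream cipher (demo only): keystream = SHA256(mk || counter) blocks XORed with data.
    XOR is its own inverse, so the same call decrypts."""
    stream = b""
    ctr = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(mk + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return bytes(a ^ b for a, b in zip(data, stream))

class Sender:
    """Sender state is just (current chain key, index); the old chain key is deleted after each send."""
    def __init__(self, root_key: bytes):
        self.k = root_key
        self.i = 0

    def send(self, m: bytes):
        ct = (self.i, xor_encrypt(message_key(self.k), m))
        self.k = chain_step(self.k)  # "hash it and delete the original"
        self.i += 1
        return ct

def decrypt_from_snapshot(snap_k: bytes, snap_i: int, ciphertexts):
    """What a compromised sender state (k[snap_i], snap_i) yields: every ciphertext with
    index >= snap_i is recoverable; earlier ones would require inverting chain_step."""
    recovered = {}
    k, i = snap_k, snap_i
    for idx, ct in sorted(ciphertexts):
        if idx < i:
            continue  # past message: chain key already deleted, H is one-way
        while i < idx:
            k, i = chain_step(k), i + 1  # walk the chain forward for free
        recovered[idx] = xor_encrypt(message_key(k), ct)
    return recovered

def demo():
    """Compromise the sender after two messages; messages 2 and 3 (sent later) are readable, 0 and 1 are not."""
    s = Sender(b"\x01" * 32)  # constructed root key for the demo
    cts = [s.send(b"msg0"), s.send(b"msg1")]
    snapshot = (s.k, s.i)  # attacker copies the sender's state here
    cts += [s.send(b"msg2"), s.send(b"msg3")]
    return decrypt_from_snapshot(snapshot[0], snapshot[1], cts)
```

Running demo() returns only the two messages sent after the snapshot, which is exactly why a sender-side compromise defeats this construction's claim to the property.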

