[messaging] Naming and classifying a security property

Katriel Cohn-Gordon katriel.cohn-gordon at cs.ox.ac.uk
Mon Sep 14 03:47:23 PDT 2015

> - (in: w encrypts m to r) if attacker "a" passively compromises w, they
> are able/unable to decrypt current (in-transit) and/or future ciphertext
> (i.e. "act as r")
> - (in: w authenticates m to r) if attacker "a" passively compromises r,
> they are able/unable to authenticate messages to r (i.e. "act as w")
> I'm sure *someone* has considered it before, but I can't remember any
> literature that explicitly names this property - as opposed to say,
> "forward secrecy" or "key compromise impersonation". Does anyone who's more
> widely-read than I, know more about this?

This is discussed in Actor Key Compromise: Consequences and Countermeasures
[Basin, Cremers, Horvat; CSF 2014]. As you point out, the idea is known as
KCI for authenticated key exchange protocols, but it's applicable much more

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://moderncrypto.org/mail-archive/messaging/attachments/20150914/405f47b1/attachment.html>

More information about the Messaging mailing list