What is the difference (if any) between "perfect" forward secrecy and
just plain old ordinary forward secrecy?
Forward secrecy sounds like it means secrecy against attacks forward
(later) in time. When you burn your one time pad after use you have
forward secrecy, because afterwards there is no way to reconstruct
the message. Likewise a DH exchange produces forward secrecy once the
secret exponents are destroyed, because again the information necessary
to reconstruct the result is lost.
Usually in cryptography "perfect" refers to information theoretic
security, as distinguished from computational security.
By this definition, the burned OTP would provide perfect forward secrecy.
The DH exchange would not, because computational attacks could in
principle recover the secret.
However DH is widely stated to provide PFS. Therefore "perfect" must
mean something else in this context. Can anyone shed light on the
distinction between PFS and FS?
