I recall a P1363 meeting which discussed the issue of confusion over
multiple interpretations (or misinterpretations) of "perfect forward secrecy".
I and others suggested dropping the word "perfect" for the reason you discuss.
PFS was defined in <http://www.IntegritySciences.com/links.html#DvOW92>,
and variations of FS are defined in the latest draft of P1363 Appendix D.
<http://grouper.ieee.org/groups/1363/P1363/draft.html>.

At 07:40 PM 5/4/00 -0000, lcs Mixmaster Remailer wrote:
>What is the difference (if any) between "perfect" forward secrecy and
>just plain old ordinary forward secrecy?
>
>Forward secrecy sounds like it means secrecy against attacks forward
>(later) in time. When you burn your one time pad after use you have
>forward secrecy, because afterwards there is no way to reconstruct
>the message. Likewise a DH exchange produces forward secrecy once the
>secret exponents are destroyed, because again the information necessary
>to reconstruct the result is lost.
>
>Usually in cryptography "perfect" refers to information theoretic
>security, as distinguished from computational security.
>
>By this definition, the burned OTP would provide perfect forward secrecy.
>The DH exchange would not, because computational attacks could in
>principle recover the secret.
>
>However DH is widely stated to provide PFS. Therefore "perfect" must
>mean something else in this context. Can anyone shed light on the
>distinction between PFS and FS?

As far as I know, PFS is approximately equal to FS, and wasn't meant to
refer to information theoretic security. I'll leave it to others more familiar
with the latter field to correct me as needed.
---------------------------------------------------
David P. Jablon
Integrity Sciences, Inc.
+1 508 898 9024
[EMAIL PROTECTED]
www.IntegritySciences.com
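
The distinction drawn in the quoted question (a burned one-time pad is information-theoretically secret, while a DH exchange with destroyed exponents is only computationally secret) can be shown in a few lines. This is an added example, not part of the original message; the 16-bit prime, the generator and all function names are assumptions chosen so the search finishes instantly.

```python
import secrets

P = 65537  # toy 16-bit prime (constructed); deployed groups are 2048+ bits
G = 3      # generator used for the toy group

def xor(x: bytes, y: bytes) -> bytes:
    return bytes(i ^ j for i, j in zip(x, y))

def dh_exchange():
    """One DH run; returns the public transcript and the agreed secret."""
    a = secrets.randbelow(P - 2) + 1
    b = secrets.randbelow(P - 2) + 1
    A, B = pow(G, a, P), pow(G, b, P)
    shared = pow(B, a, P)
    del a, b  # the secret exponents are destroyed after use
    return (A, B), shared

def recover_from_transcript(A: int, B: int) -> int:
    """Exhaustive discrete log of A. Feasible only because P is tiny:
    the transcript still determines the secret, so secrecy rests on
    the cost of this computation at real parameter sizes."""
    x, acc = 0, 1
    while acc != A:
        acc = acc * G % P
        x += 1
    return pow(B, x, P)

def otp_encrypt(msg: bytes) -> bytes:
    pad = secrets.token_bytes(len(msg))
    return xor(msg, pad)  # the pad is not kept anywhere: "burned"

def pad_explaining(ct: bytes, candidate: bytes) -> bytes:
    """Every same-length candidate has a pad that produces ct, so the
    ciphertext alone carries no information about which one was sent."""
    return xor(ct, candidate)

if __name__ == "__main__":
    (A, B), shared = dh_exchange()
    print("DH secret recomputed from transcript:",
          recover_from_transcript(A, B) == shared)
    ct = otp_encrypt(b"meet at nine")  # constructed sample message
    for guess in (b"meet at nine", b"meet at four"):
        ok = xor(ct, pad_explaining(ct, guess)) == guess
        print(guess, "is consistent with the ciphertext:", ok)
```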