On 13/09/15 17:50, Ximin Luo wrote:
> - chain-based ratcheting has this property - as the sender, you encrypt m[i]
> using k, then hash it and delete the original for m[i+1]. the recipient will
> need to keep extra state around if they want to handle out-of-order messages.
Whoops, this is wrong. It *doesn't* have the aforementioned property - someone that compromises the encryptor here can still decrypt all future ciphertexts. It's not exactly Axolotl's so-called "future secrecy" [2] either. For example:

> - public key encryption has this property, if you don't also
> encrypt-to-yourself (which is a common default for GPG encryption :()

OTOH with this scheme, if the decryptor is compromised, then the attacker can here also decrypt all future ciphertexts, so it's not strictly "future secrecy".

I am wondering if we need more precise terms; compromise on the decryptor vs encryptor side can make a big difference. Arguably you want protection against both, but with a term like "future secrecy" you can argue/market that you have this property even if it applies only to one side.

X

[2] https://whispersystems.org/blog/advanced-ratcheting/

-- 
GPG: 4096R/1318EFAC5FBBDBCE git://github.com/infinity0/pubkeys.git
_______________________________________________
Messaging mailing list
[email protected]
https://moderncrypto.org/mailman/listinfo/messaging
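The chain-based scheme from the quoted paragraph and the correction above, as an added illustration that is not part of the thread: a toy hash-chain ratchet with a constructed root key and a toy XOR keystream standing in for a real cipher. It shows that a snapshot of the chain key at step i (from either the encryptor or the decryptor, since both hold the same chain) yields every later message key, while keys before i were deleted and cannot be recomputed from a one-way hash.

```python
import hashlib
from itertools import count

# Toy symmetric chain ratchet as described in the quoted scheme: the chain key
# for message i+1 is the hash of the chain key for message i, and the old key
# is dropped after use. The XOR keystream below is a stand-in for a real cipher.

def next_key(k: bytes) -> bytes:
    """Advance the chain: k[i+1] = H(k[i]). One-way, so k[i] is not recoverable from k[i+1]."""
    return hashlib.sha256(b"chain" + k).digest()

def keystream(k: bytes, n: int) -> bytes:
    """Derive n keystream bytes for the message sent under chain key k."""
    out = b""
    for ctr in count():
        if len(out) >= n:
            break
        out += hashlib.sha256(b"msg" + k + ctr.to_bytes(4, "big")).digest()
    return out[:n]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def encrypt_stream(k0: bytes, messages):
    """Sender: encrypt m[i] under k[i], then ratchet and forget k[i]."""
    k, cts = k0, []
    for m in messages:
        cts.append(xor(m, keystream(k, len(m))))
        k = next_key(k)  # k[i] is overwritten here; only k[i+1] survives
    return cts, k

def decrypt_from(k: bytes, cts):
    """Anyone holding k[j] (the recipient, or whoever copied its state) reads m[j], m[j+1], ..."""
    pts = []
    for c in cts:
        pts.append(xor(c, keystream(k, len(c))))
        k = next_key(k)
    return pts

def compromise_demo():
    """Constructed scenario: state is copied after message 1, i.e. the holder has k[2]."""
    k0 = hashlib.sha256(b"constructed demo root key").digest()
    msgs = [b"msg0", b"msg1", b"msg2", b"msg3", b"msg4"]
    cts, _ = encrypt_stream(k0, msgs)
    k2 = next_key(next_key(k0))
    # k[0] and k[1] were deleted and cannot be derived from k[2] (H is one-way),
    # so msg0/msg1 stay protected; every later key is just more hashing of k[2].
    return decrypt_from(k2, cts[2:])
```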
