> > - (in: w encrypts m to r) if attacker "a" passively compromises w, they > are able/unable to decrypt current (in-transit) and/or future ciphertext > (i.e. "act as r") > - (in: w authenticates m to r) if attacker "a" passively compromises r, > they are able/unable to authenticate messages to r (i.e. "act as w") > > I'm sure *someone* has considered it before, but I can't remember any > literature that explicitly names this property - as opposed to say, > "forward secrecy" or "key compromise impersonation". Does anyone who's more > widely-read than I, know more about this? >
This is discussed in Actor Key Compromise: Consequences and Countermeasures <http://ieeexplore.ieee.org/xpls/abs_all.jsp?arnumber=6957115&tag=1> [Basin, Cremers, Horvat; CSF 2014]. As you point out, the idea is known as KCI for authenticated key exchange protocols, but it's applicable much more widely. Katriel
_______________________________________________ Messaging mailing list [email protected] https://moderncrypto.org/mailman/listinfo/messaging
