Forward Secrecy. A cryptographic primitive or protocol provides forward secrecy with respect to a long term private key if compromise of the private key does not result in compromise of security of previously communicated or stored messages. With \signature-then-encryption", since di erent keys are involved in signature gener- ation and public key encryption, forward secrecy is in general guaranteed with respect to ▇▇▇▇▇'s long term private key. (Nevertheless, loss of ▇▇▇▇▇'s private key renders her signature forgeable.) In contrast, with the signcryption schemes, it is easy to see that knowing ▇▇▇▇▇'s private key alone is su cient to recover the original message of a signcrypted text. Thus no forward secrecy is provided by the signcryption schemes with respect to ▇▇▇▇▇'s private key. A similar observation applies to \signature-then-encryption-with-a-static-key" with respect to ▇▇▇▇▇'s shared static key. Forward secrecy has been regarded particularly important for session key establish- ment [20]. However, to fully understand its implications to practical security solutions, we should identify (1) how one's long term private key may be compromised, (2) how often it may happen, and (3) what can be done to reduce the risks of a long key being compromised. In addition, the cost involved in achieving forward secrecy is also an important factor that should be taken into consideration.
Appears in 2 contracts
Sources: Submission to Ieee P1363a, Submission to Ieee P1363a