Common use of Forward Secrecy Clause in Contracts

Forward Secrecy. A key establishment protocol is said to o er forward secrecy with respect to a participant if compromise of the participant's long term secret key does not result in compromise of past session keys. Clearly a key establishment protocol based on a shared static key between two participants cannot o er forward secrecy. Among protocols that are based on public key cryptography and o er forward secrecy with respect to both participants are those derived from the Di e-▇▇▇▇▇▇▇ key estab- lishment protocol (see for example protocols proposed in [20, 25, 9]). Adding to these is ▇▇▇▇▇▇-▇▇▇▇▇▇ protocol [6] which o ers forward secrecy with respect to ▇▇▇▇▇ the sender (but not with respect to ▇▇▇ the receiver). In contrast, the signcryption based key transport protocols proposed in this submission do not o er forward secrecy with respect to either participant. However, it is our view that one cannot categorically claim that a key establishment protocol with forward secrecy is better than one without. Rather one should take into account the additional computational and communication overhead involved in providing forward secrecy. There are basically two approaches that may be employed in containing potential dam- ages due to compromise of a long term secret key. The rst is to design a key establishment protocol that o ers forward secrecy and hence can tolerate compromise of the key. The second is to nd a way to make the key less compromiseable. As will be shown immedi- ately, the second approach seems far more economical than the rst one in terms of extra computational cost involved. Before proceeding to a discussion on how to protect a participant's long term secret key from being compromised, we note that there are mainly two possible threats to the long term secret key: accidental loss and, more serious, theft. It turns out that both threats can be e ectively thwarted via such means as secret sharing, either in a mathematical [50] or physical sense. =

Forward Secrecy. A key establishment protocol is said to o er forward secrecy with respect to a participant if compromise of the participant's long term secret key does not result in compromise of past session keys. Clearly a key establishment protocol based on a shared static key between two participants cannot o er forward secrecy. Among protocols that are based on public key cryptography and o er forward secrecy with respect to both participants are those derived from the Di e-▇▇▇▇▇▇▇ key estab- lishment protocol (see for example protocols proposed in [20, 25, 9]). Adding to these is ▇▇▇▇▇▇-▇▇▇▇▇▇ protocol [6] which o ers forward secrecy with respect to ▇▇▇▇▇ the sender (but not with respect to ▇▇▇ Bob the receiver). In contrast, the signcryption based key transport protocols proposed in this submission do not o er forward secrecy with respect to either participant. However, it is our view that one cannot categorically claim that a key establishment protocol with forward secrecy is better than one without. Rather one should take into account the additional computational and communication overhead involved in providing forward secrecy. There are basically two approaches that may be employed in containing potential dam- ages due to compromise of a long term secret key. The rst is to design a key establishment protocol that o ers forward secrecy and hence can tolerate compromise of the key. The second is to nd a way to make the key less compromiseable. As will be shown immedi- ately, the second approach seems far more economical than the rst one in terms of extra computational cost involved. Before proceeding to a discussion on how to protect a participant's long term secret key from being compromised, we note that there are mainly two possible threats to the long term secret key: accidental loss and, more serious, theft. It turns out that both threats can be e ectively thwarted via such means as secret sharing, either in a mathematical [50] or physical sense. =