Re: [MLS] Use Cases for avoiding Forward Secrecy

Phillip Hallam-Baker <> Wed, 28 February 2018 23:03 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id CA86D127023 for <>; Wed, 28 Feb 2018 15:03:34 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.399
X-Spam-Status: No, score=-1.399 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FREEMAIL_FORGED_FROMDOMAIN=0.25, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.25, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=no autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id oUePavs5lbPZ for <>; Wed, 28 Feb 2018 15:03:33 -0800 (PST)
Received: from ( [IPv6:2607:f8b0:4003:c0f::229]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 6D44B126FDC for <>; Wed, 28 Feb 2018 15:03:33 -0800 (PST)
Received: by with SMTP id l5so3842819otf.9 for <>; Wed, 28 Feb 2018 15:03:33 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=mime-version:sender:in-reply-to:references:from:date:message-id :subject:to:cc; bh=8Xc+524sI/+KovON+PWgxvWD8MmXiVEJfVGj0BNbFcY=; b=L4ZKyepmHyowC51TNs0+2Z/tC99eLMuM9Xuh8xSxv4hd+efcBA1AOQW9RH2TYTASpa cknazvev7SR6sCt/ATgC+/ldHY6vwvDVJa5jkxWh78v+r9JSA7bkr+jQOB86XsHXaff8 ffeS0QryK5CCXE4AXLyAXYIgFltVw+nhZ/OIGStVP1TyjqZ52+jXTL9SPLFbrJNU6uMx x3YTSxp7htIP3ejqGYle81NI/C0sM8XQgP5HkzZmrzLhfkx7w7WZKT6Y1V+tUuRMSyf2 hbywh2kDHBF14XSz9p/XzhfpokKsUVctYLct3jAZiPYyjH+GboBmWCsRoTXA3QjrJJLC 0/UQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:mime-version:sender:in-reply-to:references:from :date:message-id:subject:to:cc; bh=8Xc+524sI/+KovON+PWgxvWD8MmXiVEJfVGj0BNbFcY=; b=BpUQzBaDASp4GjALNWXlwF1f/xUlf+S4EMjmGyOgQZbf4kSBFlUuOgYokZE/Obwwxs Y59pnxUzkbeL9kZMVTfgy5lKRV7eiKfrFB8BnM1hHu1/rzb5QN7t3Qm/ciQiXR5QCRly /qgxT+OBbX2o7V5kyVij8a4wf12+TFbKDJyopjkQlWqOxH5X8avnG9/2Raj4EuFbNibJ EzcB6RyNwLi9Z4mr1dwCuLxmjaT6sMmF0330HnSDCiGe0wxXvxzqNgvxXNqVnlUU+5PI JUrew/WKtrfye0Sg2mBa2CclM9Itku+8id8xD9y7kgn05vugM8Noy+e6PjFEyhOSY/gl fRvQ==
X-Gm-Message-State: APf1xPApU8+L7yTucdURJxQ4tf9JO0TbQXXaaYfFM7uEyjNO6wa1/W6A qZxHM0zEVJel3SxaHvBI1PBDzUADJoN0FVkChyA=
X-Google-Smtp-Source: AG47ELuaBSxXYPJYHuRGxnwCv2USNTMhG5yR3x/Dmj6viSnFehb9d6PO/qqVo6sY3BN965/BrLNSecyEUvpC6J6bStw=
X-Received: by with SMTP id j46mr13830658otd.218.1519859012751; Wed, 28 Feb 2018 15:03:32 -0800 (PST)
MIME-Version: 1.0
Received: by with HTTP; Wed, 28 Feb 2018 15:03:31 -0800 (PST)
In-Reply-To: <20180228222800.0a978ded@T-200>
References: <> <> <> <20180228222800.0a978ded@T-200>
From: Phillip Hallam-Baker <>
Date: Wed, 28 Feb 2018 18:03:31 -0500
X-Google-Sender-Auth: UEf9Gaj0a50rm9aNQj5AfVCHW88
Message-ID: <>
To: Dennis Jackson <>
Content-Type: multipart/alternative; boundary="001a113d0cf490577505664dc008"
Archived-At: <>
Subject: Re: [MLS] Use Cases for avoiding Forward Secrecy
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Messaging Layer Security <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 28 Feb 2018 23:03:35 -0000

On Wed, Feb 28, 2018 at 5:28 PM, Dennis Jackson <>

> > If however we are working at the message layer, we will often want to
> > support an asynchronous mode in which one party sends some data and
> > another picks it up later. That does not prevent us working end to
> > end but it does prevent us using PFS.
> This is incorrect. You may want to review the design of Signal, or
> indeed the current MLS draft.

​No it is completely correct. The P in PFS stands for Perfect .

If Alice creates a message for Bob using only her knowledge of Bob's public
key then it is not going to be PFS because a compromise of Bob's private
key is a breach.

What Signal is doing is sending messages based on Bob's key plus state from
previous communications that Alice and Bob have stored. Now that is
providing some form of Forward Secrecy but only a marketing person would
claim it was 'Perfect'.

​The cost of this shared state is far from trivial at the protocol level as
both the sending and receiving device have to be in synchronization. What
happens when Alice and Bob have a dozen devices? Then we have 144 sets of
shared state.​