Error? LWE Key-Exchange paper specifies DH being secure under private-key leakage?

The paper says that DH is forward-secure in the intro:

The Diffie-Hellman protocol offers an alternative algorithm to RSA for cryptographic key exchange. The Diffie-Hellman protocol generates more secure session keys that can’t be recovered simply by knowing the user’s private key, a protocol security feature called forward security.

Which appears to me to be subtly incorrect; DH can be used to construct a forward-secure communications protocol using a combination of static/ephemeral key exchanges, but by itself it is not forward secure (and leakage of the static key is still a problem).

Asymmetric encryption also clearly implies forward-secrecy, so using the argument that DH → FS while encryption does not might be a bit of a stretch; although this might not have been as obvious as it appears to me now in 2012…

(Also is asccrypto supposed to be used for um-actually style questions?)
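An added illustration of the distinction the question draws (this is not code from the paper or from either poster): a static-only DH session key is recomputed from a leaked long-term private key, while a key that mixes the static exchange with an ephemeral one is not. The group parameters, the SHA-256 based KDF and the function names are constructed for this example.

```python
import hashlib
import secrets
# Toy group parameters, constructed for illustration only; a real deployment
# would use a standard MODP group (e.g. RFC 3526) or an elliptic-curve group.
P = 2**255 - 19
G = 2

def keygen():
    """Return a (private, public) Diffie-Hellman key pair in Z_p^*."""
    x = secrets.randbelow(P - 2) + 1
    return x, pow(G, x, P)

def shared(priv, peer_pub):
    return pow(peer_pub, priv, P)

def kdf(*shared_secrets):
    """Derive a session key by hashing one or more DH shared secrets."""
    h = hashlib.sha256()
    for s in shared_secrets:
        h.update(s.to_bytes(32, "big"))
    return h.hexdigest()

def static_session(my_static_priv, peer_static_pub):
    """Static DH: the key depends on long-term keys only, so it is the same
    for every session and recomputable by anyone holding one static key."""
    return kdf(shared(my_static_priv, peer_static_pub))

def hybrid_session(my_static_priv, peer_static_pub, my_eph_priv, peer_eph_pub):
    """Static+ephemeral DH: the key mixes the static-static secret (for
    authentication) with an ephemeral-ephemeral secret (for forward security)."""
    return kdf(shared(my_static_priv, peer_static_pub),
               shared(my_eph_priv, peer_eph_pub))

def run_demo():
    a_priv, a_pub = keygen()      # Alice's long-term key
    b_priv, b_pub = keygen()      # Bob's long-term key
    k_static = static_session(a_priv, b_pub)
    assert k_static == static_session(b_priv, a_pub)
    ae_priv, ae_pub = keygen()    # per-session keys, erased after use
    be_priv, be_pub = keygen()
    k_hybrid = hybrid_session(a_priv, b_pub, ae_priv, be_pub)
    assert k_hybrid == hybrid_session(b_priv, a_pub, be_priv, ae_pub)
    del ae_priv, be_priv
    # Later an adversary obtains Alice's static private key and the recorded
    # transcript (a_pub, b_pub, ae_pub, be_pub), but no ephemeral private key.
    recomputed_static = static_session(a_priv, b_pub)
    best_effort_hybrid = kdf(shared(a_priv, b_pub))   # only the static part
    return {"static_exposed": recomputed_static == k_static,
            "hybrid_exposed": best_effort_hybrid == k_hybrid}
```

The returned dict reports True for the static-only key and False for the hybrid key, which is exactly the "combination of static/ephemeral key exchanges" the question refers to.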

All questions are welcome as long as they are related to a paper (which it currently is). Since we believe that asking questions should be a smooth process, we don’t have strict rules about the type or the style of questions (we do check if the question statement is clear and self-explanatory).

These are the very questions that the platform tries to store so that people having similar confusions don’t have to repeat the questions and authors don’t have to repeat the answers. Thanks for your participation.


I’m sorry if this answer is unsatisfactory and rather subjective. I believe that what the authors meant is using Diffie-Hellman in combination with ephemeral keys, as you suggested. This becomes a bit clearer when looking at the text directly after the one you cited:

In order to decrypt all communication, now the adversary can no longer compromise just the user’s private key, but the adversary has to compromise the session keys belonging to every individual communication session. In other words, using the Diffie-Hellman protocol, even if the adversary knows the session key of some particular session, he still cannot learn anything about the session keys established before this particular session. Actually, SSL also uses the Diffie-Hellman protocol to support forward security.

I agree that the way it’s written seems to imply that forward security is a feature that DH enjoys, in contrast perhaps to other constructions, and hence it might be misleading.
