Neil Madden2d ago

#cryptography nerds: what would you call the analogous property to forward secrecy in a protocol that only does authentication (so no secrecy)?

For example, let’s suppose I send a stream of audit log messages signed in batches with an EdDSA key. I could rotate that key after every batch, (including the next PK in the previous signed batch). Thus a compromise of the signing key at time t allows forging future records but not altering prior records.

NIST calls this “backtracking resistance” in the context of DRBGs, which could work as a generic term. Is there any other term in wide use?

Show threadCoda
@neilmadden I’d go with “forward authenticity”. But also “forward secrecy” is a silly metaphor because it protects messages in the past from compromises in the future while protecting future messages from past compromises is “post-compromise security”. So having zigged and then zagged maybe you could zug and call it “pre-compromise anti-forgery”.
Mar 24 at 11:17pmWeb
Show threadNeil Madden1d ago
@coda cool, just gotta add a “perfect” on there too...