how does it prove destruction of the key or that it didn't send the key to a key-logging server? 2/2
Replying to @stevecheckoway
It doesn't, but it raises the cost of that attack to the same as the cost of logging PMS. Always in favor of making attacks more expensive.
Replying to @colmmacc @stevecheckoway
I also think of it as preventing an inadvertent implementation mistake, similar to how implicit nonces do for AEAD.
Replying to @colmmacc
Maybe one could use a NIZK to prove knowledge of PRNG inputs used for DH sk, but who wants to verify a proof each TLS connection?
Replying to @stevecheckoway
That's a smart idea. In practice it can enough that tools like SSLabs do it occasionally. That's how endpoint security is /really/ enforced.
Replying to @stevecheckoway @colmmacc
For comparison, CT validation is never enforced for privacy reasons. This might actually work.
I'd love for there to be an enforceable proof of uniqueness for every DH param used in TLS. That would be like getting a pony for me.
Replying to @grittygrease @stevecheckoway
I'm off to patent a scheme based on puncturable encryption, VRFs and block chains
Replying to @colmmacc @stevecheckoway
Too late, I've already patented all three.
I'll just take yours and append "in the context of a post-quantum system"