We provide the first informal and formal definitions for post-compromise security, and show that it can be achieved in several scenarios. At a technical level, we instantiate our informal definitions in the setting of authenticated key exchange (AKE) protocols, and develop two new strong security models for two different threat models. We show that both of these security models can be satisfied, by proposing two concrete protocol constructions and proving they are secure in the models. Our work leads to crucial insights on how post-compromise security can (and cannot) be achieved, paving the way for applications in other domains.
Category / Keywords: Post-Compromise Security, Security Protocols, Key Exchange, Ratcheting, Future Secrecy, Threat Models Original Publication (with minor differences): 2016 IEEE 29th Computer Security Foundations Symposium (CSF)