Forward secrecy and post-compromise security are the two temporal dimensions of cryptographic resilience. They protect in opposite directions, require different mechanisms, and are frequently confused — even by security professionals.
Understanding the distinction is essential for evaluating any system that claims to provide “security after compromise.”
Forward secrecy (sometimes called “perfect forward secrecy”) ensures that compromising the current state does not reveal past states or past secrets.
In a forward-secure system, each operation destroys information about previous operations. If an attacker captures your current signing key, they cannot reconstruct any key you used yesterday, last week, or last year.
Forward secrecy is achieved through one-way state evolution. Each state transition is mathematically irreversible. In PhoenixSig, the DyLWE core provides this property through deterministic evolution on module lattices, where recovering a previous state requires solving a computationally hard problem.
Post-compromise security (PCS) ensures that after a compromise, the system can recover to a state the attacker cannot predict or control.
This is fundamentally harder than forward secrecy. Forward secrecy just requires one-way functions. PCS requires something more: new entropy that the attacker cannot access.
Here’s why: if the system state evolves deterministically (which is what gives us forward secrecy), then an attacker who captures the current state can compute all future states — because deterministic means predictable. To break this prediction, you need to inject something the attacker doesn’t have: fresh entropy from a source they cannot reach.
| Scenario | Forward Secrecy Only | PCS Only | Both (PhoenixSig) |
|---|---|---|---|
| Attacker gets current state | Past protected | Past exposed | Past protected |
| Attacker predicts future keys | Can predict | Blocked after refresh | Blocked after refresh |
| Attacker forges future signatures | Can forge | Blocked after refresh | Blocked after refresh |
Forward secrecy without PCS leaves the future exposed. PCS without forward secrecy leaves the past exposed. Only the combination protects in both temporal directions.
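The two properties can be seen side by side in a small simulation. This is an added example written for this page, not PhoenixSig's code: a SHA-256 hash ratchet stands in for the lattice-based DyLWE state evolution, and a hash of the state with fresh random bytes stands in for Phoenix injection. The attacker captures the full state at one epoch, forecasts every later key by running the same deterministic ratchet, and the forecast is correct until the signer folds in entropy the attacker never sees. The seed and the `fresh` value in the usage call are constructed test inputs.

```python
import hashlib
import hmac
import os
from typing import List, Optional


def ratchet(state: bytes) -> bytes:
    """One-way state evolution (stands in for DyLWE evolution).
    Anyone holding state_i can compute state_{i+1}; recovering
    state_i from state_{i+1} means inverting SHA-256."""
    return hashlib.sha256(b"ratchet|" + state).digest()


def epoch_key(state: bytes) -> bytes:
    """Per-epoch key derived from the current state (stands in for a signing key)."""
    return hmac.new(state, b"epoch-key", hashlib.sha256).digest()


def inject(state: bytes, fresh: bytes) -> bytes:
    """Fold fresh entropy into the state. This step, not the ratchet, is what
    gives post-compromise security (stands in for Phoenix injection)."""
    return hashlib.sha256(b"inject|" + state + fresh).digest()


class Signer:
    """Holds only the current state; every previous state is overwritten."""

    def __init__(self, seed: bytes) -> None:
        self.state = seed

    def next_key(self) -> bytes:
        key = epoch_key(self.state)
        self.state = ratchet(self.state)  # old state discarded: forward secrecy
        return key

    def refresh(self, fresh: Optional[bytes] = None) -> None:
        # In a real deployment `fresh` comes from a source the attacker cannot
        # reach (the page's TEE-anchored entropy); os.urandom stands in here.
        self.state = inject(self.state, os.urandom(32) if fresh is None else fresh)


def attacker_forecast(captured: bytes, n: int) -> List[bytes]:
    """Everything an attacker can compute from one captured state with no
    further access: the next n keys, because the ratchet is deterministic."""
    keys, s = [], captured
    for _ in range(n):
        keys.append(epoch_key(s))
        s = ratchet(s)
    return keys


def simulate(seed: bytes, compromise_at: int, refresh_at: int,
             total: int, fresh: bytes) -> dict:
    """Run `total` epochs. The attacker snapshots the state at epoch
    `compromise_at`; the signer injects `fresh` just before epoch `refresh_at`.
    Requires compromise_at <= refresh_at < total."""
    signer = Signer(seed)
    real: List[bytes] = []
    captured = b""
    for epoch in range(total):
        if epoch == compromise_at:
            captured = signer.state       # attacker copies the whole state
        if epoch == refresh_at:
            signer.refresh(fresh)         # attacker never sees `fresh`
        real.append(signer.next_key())

    forecast = attacker_forecast(captured, total - compromise_at)
    past = real[:compromise_at]
    before = real[compromise_at:refresh_at]
    after = real[refresh_at:]
    return {
        # Forward secrecy: nothing derivable from the captured state is a past key.
        "past_keys_recovered": sum(k in forecast for k in past),
        # No PCS yet: deterministic evolution makes every key predictable.
        "predicted_before_refresh": before == forecast[:len(before)],
        # PCS: once fresh entropy is injected the forecast diverges.
        "predicted_after_refresh": after == forecast[len(before):],
    }


if __name__ == "__main__":
    # Constructed inputs: 32-byte seed, compromise at epoch 3, refresh before epoch 6.
    result = simulate(b"\x01" * 32, 3, 6, 9, b"\x02" * 32)
    for name, value in result.items():
        print(f"{name}: {value}")
```

The forward-secrecy line of the result is the weaker of the two checks: the code only shows that no past key appears among the attacker's derivations, while the real guarantee rests on the ratchet being one-way. The PCS line is the one the table above is about: `predicted_before_refresh` is true for exactly the epochs between capture and injection, and false afterwards.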
Forward secrecy for key exchange is well-understood and widely deployed (TLS 1.3, Signal Protocol). But forward secrecy and PCS for digital signatures remain almost entirely absent from deployed systems.
This is the gap PhoenixSig fills. The DyLWE core provides forward secrecy through deterministic state evolution. Phoenix injection provides PCS through TEE-anchored entropy. The combination delivers both properties for digital signatures — a first in production-targeted systems.
Explore the technical whitepaper or schedule a live demo.