Perfect Forward Secrecy (PFS)

Does xx Messenger use Perfect Forward Secrecy (PFS)?

We have forward secrecy. The difference between the two is subtle: in perfect forward secrecy, each key derived from the long-term key is guaranteed not to compromise other keys.

Mixnets cannot guarantee message order, so rekey messages are sent at random intervals. When the messenger rekeys, it creates a new key derived from a longer-term key. Each message sent between two rekeys uses a key derived from the current rekey key. So we have 3 levels: long-term key → rekey key derived from the long-term key → message key derived from the rekey key.

If an attacker breaks a long-term key, they can’t break any given rekey message, but if they break a rekey key, they can generate all message keys for that rekey key. We chose this construction for reliability reasons, because mixnets reorder messages by design and can lose messages (remember, there’s no metadata like in other systems!). We want to keep the rekey intervals relatively short to minimize exposure.
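
The three-level hierarchy and its exposure scope, as an added example that is not xx Messenger's own code. HMAC-SHA256 stands in for the key derivation function, and the `fresh_secret` input to the rekey step, the labels and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import os

def kdf(key: bytes, label: bytes, context: bytes = b"") -> bytes:
    """HMAC-SHA256 as a stand-in KDF (assumption, not the xx construction)."""
    return hmac.new(key, label + b"|" + context, hashlib.sha256).digest()

def rekey(long_term_key: bytes, fresh_secret: bytes) -> bytes:
    """Level 2: rekey key from the long-term key plus fresh per-rekey secret
    material (assumed here, so the long-term key alone is not enough)."""
    return kdf(long_term_key, b"rekey", fresh_secret)

def message_key(rekey_key: bytes, msg_index: int) -> bytes:
    """Level 3: message key addressed by index, so deriving it never depends
    on having received any earlier message."""
    return kdf(rekey_key, b"message", msg_index.to_bytes(8, "big"))

def demo() -> dict:
    long_term = os.urandom(32)                    # constructed sample key
    epoch_a = rekey(long_term, os.urandom(32))    # first rekey interval
    epoch_b = rekey(long_term, os.urandom(32))    # next rekey interval

    # Sender uses indices 0..4 in epoch A; the mixnet delivers 3, 0, 4
    # out of order and drops 1 and 2.
    sent = {i: message_key(epoch_a, i) for i in range(5)}
    delivered = [3, 0, 4]
    receiver_ok = all(message_key(epoch_a, i) == sent[i] for i in delivered)

    # Exposure if epoch A's rekey key leaks: every message key of epoch A
    # can be regenerated, but none of epoch B's.
    exposed_a = all(message_key(epoch_a, i) == sent[i] for i in range(5))
    exposed_b = any(message_key(epoch_a, i) == message_key(epoch_b, i)
                    for i in range(5))

    # The long-term key without the fresh rekey secret does not give epoch A.
    long_term_only = rekey(long_term, b"") == epoch_a
    return {"receiver_ok": receiver_ok, "exposed_a": exposed_a,
            "exposed_b": exposed_b, "long_term_only": long_term_only}

if __name__ == "__main__":
    print(demo())
```

The shorter the rekey interval, the fewer message indices fall under any one rekey key, which is the exposure the last sentence above refers to.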