Crypto Wiki

In an authenticated key-agreement protocol that uses public key cryptography, perfect forward secrecy (or PFS) is the property that ensures that a session key derived from a set of long-term public and private keys will not be compromised if one of the (long-term) private keys is compromised in the future.

Forward secrecy has been used as a synonym for perfect forward secrecy [1], since the term perfect has been controversial in this context. However, at least one reference [2] distinguishes perfect forward secrecy from forward secrecy with the additional property that an agreed key will not be compromised even if agreed keys derived from the same long-term keying material in a subsequent run are compromised.


PFS was originally introduced [3] by Diffie, van Oorschot, and Wiener and used to describe a property of the Station-to-Station protocol (STS), where the long-term secrets are private keys. PFS requires the use of public key cryptography, and cannot be achieved with symmetric cryptography alone.

PFS has also been used [4] to describe the analogous property of password-authenticated key agreement protocols where the long-term secret is a (shared) password.

Annex D.5.1 of IEEE 1363-2000 discusses the related one-party and two-party forward secrecy properties of various standard key agreement schemes.


  • PFS is an optional feature in IPsec (RFC 2412).
  • SSH.
  • Off-the-Record Messaging, a cryptography protocol and library for many instant messaging clients, provides perfect forward secrecy as well as deniable encryption.
  • In theory, Transport Layer Security can choose appropriate ciphers since SSLv3, but in everyday practice many implementations refuse to offer PFS or only provide it with very low encryption grade. [5]

See also[]

  • Diffie-Hellman key exchange is a cryptographic protocol that provides perfect forward secrecy.
  • Forward anonymity


  1. IEEE 1363-2000: IEEE Standard Specifications For Public Key Cryptography. Institute of Electrical and Electronics Engineers, 2000.
  2. Telecom Glossary 2000, T1 523-2001, Alliance for Telecommunications Industry Solutions (ATIS) Committee T1A1.
  3. Template:Cite journal
  4. Template:Cite journal
  5. Discussion on the TLS mailing list in October 2007


  1. H. Orman. The OAKLEY Key Determination Protocol. IETF RFC 2412.


de:Folgenlosigkeit (Kryptographie) nl:Perfect forward secrecy