Forward secrecy

Forward secrecy is the property of a protocol that past session keys remain secret even if a party's long-term keys are compromised later. It is achieved by deriving each session key from an ephemeral key exchange and deleting the ephemeral secrets after use, so nothing kept on disk can reconstruct old sessions. TLS 1.3 made ephemeral key exchange mandatory (RFC 8446).

What it does not protect against

Forward secrecy defends against later key theft, not later cryptanalysis. If an eavesdropper records traffic whose ephemeral exchange used a quantum-breakable scheme such as elliptic-curve Diffie-Hellman, a future quantum computer can recompute the session key from the recording alone; deleting keys does not help, because the attacker never needed them. This is the harvest now, decrypt later scenario (harvest now, decrypt later).

Post-quantum forward secrecy

Protecting recorded traffic requires the ephemeral exchange itself to be quantum-resistant. Deployed designs run a post-quantum key encapsulation mechanism alongside a classical curve, as in post-quantum TLS and Signal's PQXDH handshake (Signal PQXDH).

Sources

  1. RFC 8446: The Transport Layer Security (TLS) Protocol Version 1.3 (IETF, 2018)
  2. The PQXDH Key Agreement Protocol (Signal, 2023)
Cite this entry
"Forward secrecy." postquantum.wiki. Updated July 11, 2026. https://postquantum.wiki/forward-secrecy@misc{pqwiki-forward-secrecy, title = {Forward secrecy}, howpublished = {\url{https://postquantum.wiki/forward-secrecy}}, year = {2026}, note = {postquantum.wiki, updated 2026-07-11} }