Cryptanalysis of e-mail protocols providing perfect forward secrecy

Recently, two e-mail protocols were proposed claiming to provide perfect secrecy. These protocols use authentication and (Diffie-Hellman) key-exchange techniques, and as such, other standard security criteria besides perfect forward secrecy include key-replay resilience, known-key security, key freshness and unknown key-share resilience are expected too. In this paper, we show that the two protocols cannot resist replay attacks, and further that the first falls to unknown key-share attacks while the second fails to provide perfect forward secrecy, contrary to the designers' claims. Although the two protocols were intended by the designers to be more secure variants compared to the common e-mail protocol, our results show that being newer does not necessarily mean being more secure.