Forward security
Definition
Forward security (historically forward secrecy in the TLS literature) is the property that compromise of long-term key material at time T does not expose data from sessions established before T. Past traffic remains confidential even if today's keys leak.
Classical realisation: ephemeral Diffie–Hellman in TLS — each session derives a symmetric key from a fresh DH exchange; the server's long-term signing key is used only to authenticate the ephemeral exchange, not to encrypt it. When the long-term key leaks later, recorded past ciphertexts remain undecryptable because the ephemeral private halves were destroyed at session end.
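The classical realisation above, as an added example (not code from Meta or from this wiki), set beside a constructed non-forward-secure design in which the session key is wrapped under the long-term key. Assumptions: the toy group, the HMAC tag standing in for the server's signature, the SHA-256 keystream standing in for an AEAD, and all function names are illustrative only.

```python
import hashlib, hmac, secrets

P, G = 2**255 - 19, 2  # toy prime-field group (assumption; not a vetted DH group)

def kdf(*parts: bytes) -> bytes:
    return hashlib.sha256(b"|".join(parts)).digest()

def xor_stream(key: bytes, data: bytes) -> bytes:
    """SHA-256 counter keystream; stand-in for a real AEAD (assumption)."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(8, "big")).digest()
        out += bytes(d ^ k for d, k in zip(data[i:i + 32], block))
    return bytes(out)

def auth_tag(long_term: bytes, share: int) -> bytes:
    # HMAC stands in for the server's signature over its ephemeral share.
    return hmac.new(long_term, share.to_bytes(32, "big"), hashlib.sha256).digest()

def ephemeral_session(long_term: bytes, msg: bytes) -> dict:
    """Run one session; return only what a network recorder captures."""
    a, b = (secrets.randbelow(P - 3) + 2 for _ in range(2))  # ephemeral private halves
    A, B = pow(G, a, P), pow(G, b, P)
    key = kdf(pow(B, a, P).to_bytes(32, "big"))  # long-term key never enters the KDF
    rec = {"A": A, "B": B, "tag": auth_tag(long_term, B), "ct": xor_stream(key, msg)}
    del a, b, key  # models destruction at session end (Python does not zeroize memory)
    return rec

def static_session(long_term: bytes, msg: bytes) -> dict:
    """Contrast case: session key wrapped under the long-term key."""
    key = secrets.token_bytes(32)
    return {"wrapped": xor_stream(kdf(long_term, b"wrap"), key),
            "ct": xor_stream(key, msg)}

def attacker_after_leak(long_term: bytes, rec: dict):
    """What a later leak of the long-term key yields from a recorded session."""
    if "wrapped" in rec:  # static design: unwrap the key, decrypt the past
        key = xor_stream(kdf(long_term, b"wrap"), rec["wrapped"])
        return xor_stream(key, rec["ct"])
    # Ephemeral design: the leaked key can only re-check the authentication tag.
    if not hmac.compare_digest(auth_tag(long_term, rec["B"]), rec["tag"]):
        raise ValueError("recording was not authenticated by this key")
    return None  # the key depends on a or b, which no longer exist anywhere

if __name__ == "__main__":
    lt, msg = b"constructed-long-term-key", b"constructed past message"
    print("static   :", attacker_after_leak(lt, static_session(lt, msg)))
    print("ephemeral:", attacker_after_leak(lt, ephemeral_session(lt, msg)))
```

In the ephemeral case the attacker still holds `A` and `B`, so confidentiality rests on the hardness of recovering `a` or `b` from them; a real deployment uses a vetted group or curve rather than the toy parameters here.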
Forward security in confidential-computing services
In WhatsApp Private Processing, forward security is extended from the TLS wire to the inference state. Meta names it as one of the foundational requirements:
"Private Processing must not retain access to user messages once the session is complete to ensure that the attacker can not gain access to historical requests or responses."
The mechanism stack:
- Ephemeral per-session key between device and the attested CVM.
- The ephemeral key is non-extractable from the TEE — no route from host / hypervisor / operator to read it at rest.
- No durable storage of session state (concepts/stateless-processing).
- CVM teardown / state-reset between sessions so the ephemeral key material is gone from memory after the session.
Difference from "data is deleted"
Forward security is a cryptographic property: it makes recovery computationally infeasible given the ciphertexts alone. Standard "data deletion" is an operational property: it relies on the operator not having made a backup, on logs having been cleaned, and on the filesystem actually honouring unlink. Forward security holds even if the attacker captured every past network packet AND breaks into the server today: if the ephemeral keys were destroyed, the ciphertexts stay opaque.
Composes with stateless processing
- Stateless: no durable copy of content is kept.
- Forward-secure: no durable copy of keys that could decrypt captured content is kept.
Either one alone is insufficient. Stateless without forward-secure keys: the content is gone but a leaked key could decrypt captured-in-transit ciphertext. Forward-secure without statelessness: the key is gone but the content was written to disk. Meta names the combined requirement "Stateless processing and forward security".
Seen in
- sources/2025-04-30-meta-building-private-processing-for-ai-tools-on-whatsapp — forward security is operationalised as "no retained access to messages once the session is complete" via ephemeral keys inside the TEE, composed with stateless service design. Canonical wiki instance.
Related
- concepts/stateless-processing — the content-side sibling.
- concepts/trusted-execution-environment — non-extractable key material lives inside the TEE.
- concepts/confidential-computing — the posture forward security is one pillar of.
- concepts/hpke — provides per-message forward security at the transport layer in Private Processing's OHTTP step.
- concepts/end-to-end-encryption — the invariant forward security preserves across time.
- systems/whatsapp-private-processing — canonical wiki deployment.