0-RTT Key Establishment with Full Forward Secrecy

01.09.2016, 16:30 – 17:30

2016/09/01 16:30-17:30

Speaker: Tibor Jager | Location: Mornewegstraße 32 (S4|14), Room 3.1.01, Darmstadt

Organizer: Felix Günther


Reducing latency overhead while maintaining critical security guar- antees like forward secrecy has become a major design goal for key exchange (KE) protocols, both in academia and industry. Of partic- ular interest in this regard are 0-RTT protocols, a class of KE proto- cols which preemptively allow for the sending of a cryptographically-protected payload along with the very first KE protocol message, thereby minimizing latency. One very prominent example for such a protocol is Google’s QUIC proposal; a 0-RTT mode is also under discussion for the upcoming TLS version 1.3.

Intrinsically, the main challenge of a 0-RTT KE is to achieve for- ward secrecy and security against replay attacks for the very first payload message sent in the protocol. According to cryptographic folklore, it is impossible to achieve forward secrecy for this message, because the session key used to protect it must depend on a long-term or medium-term secret of the receiver. If this secret is leaked to an attacker after the session, it should intuitively be possible for the attacker to compute the session key by performing the same computations as the receiver in the actual session. In this paper we show that this belief is actually false.

We construct the first 0-RTT KE protocol which provides full forward secrecy for all transmitted payload messages and is au- tomatically resilient to replay attacks. Our approach involves to building the 0-RTT protocol based on a puncturable key encapsulation scheme, which permits each ciphertext to only be decrypted once. Fundamentally, this is achieved by evolving the secret key after each decryption operation, but without modifying the corresponding public key.

Short Bio

Tibor Jager teaches computer networks and IT-security at Ruhr University Bochum. His research interests include applied and theoretical cryptography, with emphasis on the design and formal analysis of cryptographic protocols, digital signatures, and public-key encryption schemes, as well as practical attacks and countermeasures.