Cryptology ePrint Archive: Report 2015/1214

Simple Security Definitions for and Constructions of 0-RTT Key Exchange

Britta Hale and Tibor Jager and Sebastian Lauer and Jörg Schwenk

Abstract: Zero Round-Trip Time (0-RTT) key exchange protocols allow for the transmission of cryptographically protected payload data without requiring the prior exchange of messages of a cryptographic key exchange protocol, while providing perfect forward secrecy. The 0-RTT KE concept was first realized by Google in the QUIC Crypto protocol, and a 0-RTT mode has been intensively discussed for inclusion in TLS 1.3. In 0-RTT KE two keys are generated, typically using a Diffie-Hellman key exchange. The first key is a combination of an ephemeral client share and a long-lived server share. The second key is computed using an ephemeral server share and the same ephemeral client share. In this paper, we propose simple security models, which catch the intuition behind known 0-RTT KE protocols; namely that the first (respectively, second) key should remain indistinguishable from a random value, even if the second (respectively, first) key is revealed. We call this property strong key independence. We also give the first constructions of 0-RTT KE which are provably secure in these models, based on the generic assumption that secure non-interactive key exchange (NIKE) exists.

Category / Keywords: cryptographic protocols / Foundations, low-latency key exchange, zero-RTT protocols, authenticated key exchange, non-interactive key exchange, QUIC, TLS 1.3

Original Publication (with minor differences): ACNS 2017

Date: received 18 Dec 2015, last revised 16 May 2017

Contact author: sebastian lauer at rub de

Available format(s): PDF | BibTeX Citation

Note: Adding publication details.

Version: 20170516:072822 (All versions of this report)

Short URL:

Discussion forum: Show discussion | Start new discussion

[ Cryptology ePrint archive ]