Paper 2015/1214

Simple Security Definitions for and Constructions of 0-RTT Key Exchange

Britta Hale, Tibor Jager, Sebastian Lauer, and Jörg Schwenk


Zero Round-Trip Time (0-RTT) key exchange protocols allow for the transmission of cryptographically protected payload data without requiring the prior exchange of messages of a cryptographic key exchange protocol, while providing perfect forward secrecy. The 0-RTT KE concept was first realized by Google in the QUIC Crypto protocol, and a 0-RTT mode has been intensively discussed for inclusion in TLS 1.3. In 0-RTT KE two keys are generated, typically using a Diffie-Hellman key exchange. The first key is a combination of an ephemeral client share and a long-lived server share. The second key is computed using an ephemeral server share and the same ephemeral client share. In this paper, we propose simple security models, which catch the intuition behind known 0-RTT KE protocols; namely that the first (respectively, second) key should remain indistinguishable from a random value, even if the second (respectively, first) key is revealed. We call this property strong key independence. We also give the first constructions of 0-RTT KE which are provably secure in these models, based on the generic assumption that secure non-interactive key exchange (NIKE) exists.

Note: Adding publication details.

Available format(s)
Cryptographic protocols
Publication info
Published elsewhere. MINOR revision.ACNS 2017
Foundationslow-latency key exchangezero-RTT protocolsauthenticated key exchangenon-interactive key exchangeQUICTLS 1.3
Contact author(s)
sebastian lauer @ rub de
2017-05-16: last of 6 revisions
2015-12-20: received
See all versions
Short URL
Creative Commons Attribution


      author = {Britta Hale and Tibor Jager and Sebastian Lauer and Jörg Schwenk},
      title = {Simple Security Definitions for and Constructions of 0-RTT Key Exchange},
      howpublished = {Cryptology ePrint Archive, Paper 2015/1214},
      year = {2015},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.