Paper 2017/223

0-RTT Key Exchange with Full Forward Secrecy

Felix Günther, Britta Hale, Tibor Jager, and Sebastian Lauer


Reducing latency overhead while maintaining critical security guarantees like forward secrecy has become a major design goal for key exchange (KE) protocols, both in academia and industry. Of particular interest in this regard are 0-RTT protocols, a class of KE protocols which allow a client to send cryptographically protected payload in zero round-trip time (0-RTT) along with the very first KE protocol message, thereby minimizing latency. Prominent examples are Google's QUIC protocol and the upcoming TLS protocol version 1.3. Intrinsically, the main challenge in a 0-RTT key exchange is to achieve forward secrecy and security against replay attacks for the very first payload message sent in the protocol. According to cryptographic folklore, it is impossible to achieve forward secrecy for this message, because the session key used to protect it must depend on a non-ephemeral secret of the receiver. If this secret is later leaked to an attacker, it should intuitively be possible for the attacker to compute the session key by performing the same computations as the receiver in the actual session. In this paper we show that this belief is actually false. We construct the first 0-RTT key exchange protocol which provides full forward secrecy for all transmitted payload messages and is automatically resilient to replay attacks. In our construction we leverage a puncturable key encapsulation scheme which permits each ciphertext to only be decrypted once. Fundamentally, this is achieved by evolving the secret key after each decryption operation, but without modifying the corresponding public key or relying on shared state. Our construction can be seen as an application of the puncturable encryption idea of Green and Miers (S&P 2015). We provide a new generic and standard-model construction of this tool that can be instantiated with any selectively secure hierarchical identity-based key encapsulation scheme.

Note: Publication copyright information, citation fixes

Available format(s)
Cryptographic protocols
Publication info
Published elsewhere. Minor revision. EUROCRYPT'17
0-RTT key exchangeHierarchical IBEPuncturable Encryption
Contact author(s)
tibor jager @ upb de
2017-09-25: last of 2 revisions
2017-03-04: received
See all versions
Short URL
Creative Commons Attribution


      author = {Felix Günther and Britta Hale and Tibor Jager and Sebastian Lauer},
      title = {0-{RTT} Key Exchange with Full Forward Secrecy},
      howpublished = {Cryptology ePrint Archive, Paper 2017/223},
      year = {2017},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.