Paper 2021/725

KEMTLS with Delayed Forward Identity Protection in (Almost) a Single Round Trip

Felix Günther, Simon Rastikian, Patrick Towa, and Thom Wiggers

Abstract

The recent KEMTLS protocol (Schwabe, Stebila and Wiggers, CCS'20) is a promising design for a quantum-safe TLS handshake protocol. Focused on the web setting, wherein clients learn server public-key certificates only during connection establishment, a drawback of KEMTLS compared to TLS 1.3 is that it introduces an additional round trip before the server can send data, and an extra one for the client as well in the case of mutual authentication. In many scenarios, including IoT and embedded settings, client devices may however have the targeted server certificate pre-loaded, so that such a performance penalty seems unnecessarily restrictive. This work proposes a variant of KEMTLS tailored to such scenarios. Our protocol leverages the fact that clients know the server public keys in advance to decrease handshake latency while protecting client identities. It combines medium-lived with long-term server public keys to enable a delayed form of forward secrecy already from the first data flow on, and full forward secrecy upon the first round trip. The new protocol is proved to achieve strong security guarantees, based on the security of the underlying building blocks, in a new model for multi-stage key exchange with medium-lived keys.

Metadata
Available format(s)
PDF
Category
Cryptographic protocols
Publication info
Published elsewhere. Minor revision. ACNS 2022
Keywords
Authenticated Key Exchange, Post-Quantum, Identity Protection, KEMTLS
Contact author(s)
patrick towa @ inf ethz ch
History
2022-05-16: last of 2 revisions
2021-06-02: received
Short URL
https://ia.cr/2021/725
License
Creative Commons Attribution
CC BY

BibTeX

@misc{cryptoeprint:2021/725,
      author = {Felix Günther and Simon Rastikian and Patrick Towa and Thom Wiggers},
      title = {{KEMTLS} with Delayed Forward Identity Protection in (Almost) a Single Round Trip},
      howpublished = {Cryptology {ePrint} Archive, Paper 2021/725},
      year = {2021},
      url = {https://eprint.iacr.org/2021/725}
}