Paper 2021/725
KEMTLS with Delayed Forward Identity Protection in (Almost) a Single Round Trip
Felix Günther and Patrick Towa
Abstract
The recent KEMTLS protocol (Schwabe, Stebila and Wiggers, CCS'20) is a promising design for a quantum-safe TLS handshake protocol. Because KEMTLS targets the web setting, in which clients learn server public-key certificates only during connection establishment, it introduces an additional round trip before the server can send data, a latency drawback compared to TLS 1.3. In many scenarios, including IoT and embedded settings, client devices may however have the targeted server certificate pre-loaded, so that such a performance penalty seems unnecessarily restrictive. This work proposes a variant of KEMTLS tailored to such scenarios. The protocol leverages the fact that clients know the server public keys in advance to decrease handshake latency while protecting client identities. It combines medium-lived with long-term server public keys to enable a delayed form of forward secrecy from the first data flow on, and full forward secrecy upon the first round trip. The protocol is proved to achieve strong security guarantees, based on the security of the underlying building blocks, in a new model for multi-stage key exchange with medium-lived keys.
Metadata
- Category: Cryptographic protocols
- Publication info: Preprint. MINOR revision.
- Keywords: Authenticated Key Exchange, Post-Quantum, Identity Protection, KEMTLS
- Contact author(s): patrick towa @ inf ethz ch
- History
  - 2022-05-16: last of 2 revisions
  - 2021-06-02: received
- Short URL: https://ia.cr/2021/725
- License: CC BY