Speeding: On Low-Latency Key Exchange

Low-latency key exchange (LLKE) protocols allow for the transmission of cryptographically protected payload data without requiring the prior exchange of messages of a cryptographic key exchange protocol, while providing perfect forward secrecy. The LLKE concept was rst realized by Google in the QUIC protocol, and a low-latency mode is currently under discussion for inclusion in TLS 1.3. In LLKE two keys are generated, typically using a Di e-Hellman key exchange. The rst key is a combination of an ephemeral client share and a long-lived server share. The second key is computed using an ephemeral server share and the same ephemeral client share. In this paper, we propose (relatively) simple, novel security models, which catch the intuition behind known LLKE protocols; namely that the rst (respectively, second) key should remain indistinguishable from a random value, even if the second (respectively, rst) key is revealed. We call this property strong key independence. We also give the rst constructions of LLKE which are provably secure in these models, based on the generic assumption that secure non-interactive key exchange (NIKE) exists.

[1]  Hugo Krawczyk,et al.  Analysis of Key-Exchange Protocols and Their Use for Building Secure Channels , 2001, EUROCRYPT.

[2]  Tibor Jager,et al.  On the Security of TLS-DHE in the Standard Model , 2012, CRYPTO.

[3]  Yunlei Zhao,et al.  Identity-Concealed Authenticated Encryption and Key Exchange , 2016, CCS.

[4]  Mihir Bellare,et al.  Entity Authentication and Key Distribution , 1993, CRYPTO.

[5]  Kristin E. Lauter,et al.  Stronger Security of Authenticated Key Exchange , 2006, ProvSec.

[6]  Brent Waters,et al.  Strongly Unforgeable Signatures Based on Computational Diffie-Hellman , 2006, Public Key Cryptography.

[7]  Cas J. F. Cremers Examining indistinguishability-based security models for key exchange protocols: the case of CK, CK-HMQV, and eCK , 2011, ASIACCS '11.

[8]  Kenneth G. Paterson,et al.  Non-Interactive Key Exchange , 2012, IACR Cryptol. ePrint Arch..

[9]  Hugo Krawczyk,et al.  HMQV: A High-Performance Secure Diffie-Hellman Protocol , 2005, CRYPTO.

[10]  Cas J. F. Cremers Session-state Reveal Is Stronger Than Ephemeral Key Reveal: Attacking the NAXOS Authenticated Key Exchange Protocol , 2009, ACNS.

[11]  Alfredo Pironti,et al.  Proving the TLS Handshake Secure (as it is) , 2014, IACR Cryptol. ePrint Arch..

[12]  Ron Steinfeld,et al.  How to Strengthen Any Weakly Unforgeable Signature into a Strongly Unforgeable Signature , 2007, CT-RSA.

[13]  Kristin E. Lauter,et al.  Security Analysis of KEA Authenticated Key Exchange Protocol , 2006, IACR Cryptol. ePrint Arch..

[14]  Jean-Claude Bajard,et al.  A New Security Model for Authenticated Key Agreement , 2010, SCN.

[15]  Mihir Bellare,et al.  Random oracles are practical: a paradigm for designing efficient protocols , 1993, CCS '93.

[16]  David Cash,et al.  The Twin Diffie-Hellman Problem and Applications , 2008, EUROCRYPT.

[17]  Hassan M. Elkamchouchi,et al.  An efficient protocol for authenticated key agreement , 2011, 2011 28th National Radio Science Conference (NRSC).

[18]  Cristina Nita-Rotaru,et al.  How Secure and Quick is QUIC? Provable Security and Performance Analyses , 2015, 2015 IEEE Symposium on Security and Privacy.

[19]  Marc Fischlin,et al.  Multi-Stage Key Exchange and the Case of Google's QUIC Protocol , 2014, CCS.

[20]  Tibor Jager,et al.  One-Round Key Exchange with Strong Security: An Efficient and Generic Construction in the Standard Model , 2015, Public Key Cryptography.

[21]  Alfred Menezes,et al.  Key Agreement Protocols and Their Security Analysis , 1997, IMACC.

[22]  Kenneth G. Paterson,et al.  On the Security of the TLS Protocol: A Systematic Analysis , 2013, IACR Cryptol. ePrint Arch..

[23]  Yunlei Zhao,et al.  Taxonomical Security Consideration of Authenticated Key Exchange Resilient to Intermediate Computation Leakage , 2011, ProvSec.