Simple Security Definitions for and Constructions of 0-RTT Key Exchange

Zero Round-Trip Time (0-RTT) key exchange protocols allow for the transmission of cryptographically protected payload data without requiring the prior exchange of messages of a cryptographic key exchange protocol. The 0-RTT KE concept was first realized by Google in the QUIC Crypto protocol, and a 0-RTT mode has been intensively discussed for inclusion in TLS 1.3.
