Public-Key 0-RTT Protocols (Tibor Jager, Paderborn University; PowerPoint presentation)


SLIDE 1

Public-Key 0-RTT Protocols

Tibor Jager, Paderborn University
Summer School on Real-World Crypto and Privacy, Šibenik, Croatia, June 20th, 2019

SLIDE 2

Outline

  • Mass surveillance and Forward Security
  • 0-RTT Protocols and their Forward Security
    – Challenges
    – Impossibility?
  • Forward-Secure 0-RTT Protocols
    – Rather theoretical solution (EUROCRYPT 2017)
    – Somewhat practical solution (EUROCRYPT 2018)
    – Practical solution for TLS 1.3 (EUROCRYPT 2019)

SLIDE 3

Internet: Before ca. 2011

[Figure: Internet traffic before ca. 2011. Legend: Encrypted / Not encrypted]

SLIDE 4

Internet: Before ca. 2011

[Figure: same picture as slide 3, with a smiley face added. Legend: Encrypted / Not encrypted]

SLIDE 5

[Screenshot] https://searchengineland.com/google-to-begin-encrypting-searches-outbound-clicks-by-default-97435

SLIDE 6

[Screenshots]
https://searchengineland.com/google-to-begin-encrypting-searches-outbound-clicks-by-default-97435
https://www.facebook.com/notes/facebook-engineering/secure-browsing-by-default/10151590414803920/

SLIDE 7

[Screenshots]
https://searchengineland.com/google-to-begin-encrypting-searches-outbound-clicks-by-default-97435
https://www.facebook.com/notes/facebook-engineering/secure-browsing-by-default/10151590414803920/
https://blog.whatsapp.com/10000618/end-to-end-encryption?l=en (April 5, 2016)

SLIDE 8

Internet: Today

[Figure: Internet traffic today, with a frowning face added. Legend: Encrypted / Not encrypted]

SLIDE 9

Internet: Mass Surveillance of Encrypted Data

[Figure: encrypted traffic is collected into a database. Legend: Encrypted / Not encrypted / Database]

SLIDE 10

Internet: Mass Surveillance of Encrypted Data

[Figure: encrypted traffic is collected into a database; the collector then asks the service provider: “Google, we need your secret key.” Legend: Encrypted / Not encrypted / Database]


SLIDE 12

Lavabit

SLIDE 13

Lavabit

https://en.wikipedia.org/wiki/Lavabit#Connection_to_Edward_Snowden

SLIDE 14

Lavabit

https://en.wikipedia.org/wiki/Lavabit#Connection_to_Edward_Snowden
https://arstechnica.com/tech-policy/2014/04/lavabit-held-in-contempt-of-court-for-printing-crypto-key-in-tiny-font/

SLIDE 15

Mass Surveillance Everywhere

https://techcrunch.com/2016/01/14/no-backdoors-but-uk-government-still-wants-encryption-decrypted-on-request/
https://www.forbes.com/sites/kenrapoza/2017/10/16/russia-fines-cryptocurrency-worlds-preferred-messaging-app-telegram/#767569eef765
https://zoomapps.club/whatsapp-threema-and-co-seehofer-wants-to-enforce-decryption-of-chats/

SLIDE 16

Forward Security*

[Figure: timeline of one long-term secret key, used over time in Session 1 with Alice, Session 2 with Bob, Session 3 with Charlie and Session 4 with Alice]

Makes large-scale collection of encrypted data useless

*aka. Forward Secrecy, aka. Perfect Forward Secrecy/Security, aka. pre-compromise security

SLIDE 17

Outline

  • Mass surveillance and Forward Security
  • 0-RTT Protocols and their Forward Security
    – Challenges
    – Impossibility?
  • Forward-Secure 0-RTT Protocols
    – Rather theoretical solution (EUROCRYPT 2017)
    – Somewhat practical solution (EUROCRYPT 2018)
    – Practical solution for TLS 1.3 (EUROCRYPT 2019)

SLIDE 18

Key Establishment with TLS 1.3

Client → Server S: ClientHello
Server S → Client: ServerHello, Cert, Cert Vfy., SFIN
Client → Server S: Client Finished (CFIN)
Compute session key k
Client → Server S: Enc_k(Payload)

SLIDE 19

Key Establishment with TLS 1.3

Client → Server S: ClientHello
Server S → Client: ServerHello, Cert, Cert Vfy., SFIN   (1 RTT)
Client → Server S: Client Finished (CFIN)
Compute session key k
Client → Server S: Enc_k(Payload)

SLIDE 20

Key Establishment with TLS 1.3

Client → Server S: SYN
Server S → Client: SYN/ACK   (1 RTT)
Client → Server S: ACK
Client → Server S: ClientHello
Server S → Client: ServerHello, Cert, Cert Vfy., SFIN   (1 RTT)
Client → Server S: Client Finished (CFIN)
Compute session key k
Client → Server S: Enc_k(Payload)

SLIDE 21

Key Establishment with TLS 1.3

Client → Server S: SYN
Server S → Client: SYN/ACK   (1 RTT)
Client → Server S: ACK
Client → Server S: ClientHello
Server S → Client: ServerHello, Cert, Cert Vfy., SFIN   (1 RTT)
Client → Server S: Client Finished (CFIN)
Compute session key k
Client → Server S: Enc_k(Payload)

2 RTTs before the first payload message can be sent. Is this really necessary?

SLIDE 22

Key Establishment with TLS 1.3

Client → Server S: SYN
Server S → Client: SYN/ACK   (1 RTT)
Client → Server S: ACK
Client → Server S: ClientHello
Server S → Client: ServerHello, Cert, Cert Vfy., SFIN   (1 RTT)
Client → Server S: Client Finished (CFIN)
Compute session key k
Client → Server S: Enc_k(Payload)

Using UDP instead of TCP saves one RTT

SLIDE 23

Key Establishment with TLS 1.3

Client → Server S: SYN
Server S → Client: SYN/ACK   (1 RTT)
Client → Server S: ACK
Client → Server S: ClientHello
Server S → Client: ServerHello, Cert, Cert Vfy., SFIN   (1 RTT)
Client → Server S: Client Finished (CFIN)
Compute session key k
Client → Server S: Enc_k(Payload)

Using UDP instead of TCP saves one RTT

Objective: send cryptographically protected payload in the first message from client to server (“0-RTT KE”)

SLIDE 24

Why 0-RTT?

  • Delay page delivery by 100 ms ⇒ -1% revenue (Amazon, 2006)
  • 500 ms RTT not unusual for*
    – Mobile internet
    – Satellite internet
    – Rural broadband connections
  • Why not!

(*) http://glinden.blogspot.se/2006/11/marissa-mayer-at-web-20.html

SLIDE 25

Why 0-RTT?

  • Delay page delivery by 100 ms ⇒ -1% revenue (Amazon, 2006)
    Yearly revenue in 2018: 232.9 billion USD
  • 500 ms RTT not unusual for*
    – Mobile internet
    – Satellite internet
    – Rural broadband connections
  • Why not!

(*) http://glinden.blogspot.se/2006/11/marissa-mayer-at-web-20.html


SLIDE 27

Why 0-RTT?

  • Delay page delivery by 100 ms ⇒ -1% revenue (Amazon, 2006)
    Yearly revenue in 2018: 232.9 billion USD
  • 500 ms RTT not unusual for*
    – Mobile internet
    – Satellite internet
    – Rural broadband connections
  • Latency requirements of applications

(*) http://glinden.blogspot.se/2006/11/marissa-mayer-at-web-20.html

SLIDE 28

Trivial Protocol

Server holds (pk, sk).
Client: C = Enc_pk(k)
Client → Server: C, SymEnc(k, payload)
Server: k = Dec_sk(C)

SLIDE 29

Trivial Protocol

Server holds (pk, sk).
Client: C = Enc_pk(k)
Client → Server: C, SymEnc(k, payload)
Server: k = Dec_sk(C)

Major deficiencies:

  1. No Forward Secrecy
  2. Vulnerable to replay attacks

SLIDE 30

Replay Attack

[Figure: Client → Server (pk, sk): C = Enc_pk(k), SymEnc(k, payload); Server: k = Dec_sk(C)]

SLIDE 31

Replay Attack

[Figure: the client's message C = Enc_pk(k), SymEnc(k, payload) is captured and sent to the server a second time; the server again computes k = Dec_sk(C)]

SLIDE 32

Replay Attack

[Figure: the same message C = Enc_pk(k), SymEnc(k, payload) is sent to the server a third time; each copy is accepted, since k = Dec_sk(C) succeeds every time]

SLIDE 33

Breaking Confidentiality with a Replay Attack

[Figure: a Web Server hosting GoodCitizensManual.pdf and DissidentsHandbook.pdf]

Colm MacCárthaigh, Security Review of TLS1.3 0-RTT, https://github.com/tlswg/tls13-spec/issues/1001

SLIDE 34

Breaking Confidentiality with a Replay Attack

[Figure: the client sends GET DissidentsHandbook.pdf to the Web Server hosting GoodCitizensManual.pdf and DissidentsHandbook.pdf]

Colm MacCárthaigh, Security Review of TLS1.3 0-RTT, https://github.com/tlswg/tls13-spec/issues/1001

SLIDE 35

Breaking Confidentiality with a Replay Attack

[Figure: the Web Server answers GET DissidentsHandbook.pdf with DissidentsHandbook.pdf]

Colm MacCárthaigh, Security Review of TLS1.3 0-RTT, https://github.com/tlswg/tls13-spec/issues/1001

SLIDE 36

Breaking Confidentiality with a Replay Attack

[Figure: the captured GET DissidentsHandbook.pdf request is replayed to the Web Server]

Colm MacCárthaigh, Security Review of TLS1.3 0-RTT, https://github.com/tlswg/tls13-spec/issues/1001

SLIDE 37

Breaking Confidentiality with a Replay Attack

[Figure: the replayed GET DissidentsHandbook.pdf is answered with DissidentsHandbook.pdf again]

Colm MacCárthaigh, Security Review of TLS1.3 0-RTT, https://github.com/tlswg/tls13-spec/issues/1001


SLIDE 39

Breaking Confidentiality with a Replay Attack

[Figure: the replayed GET DissidentsHandbook.pdf is now answered with ERROR 404 not found; the Web Server hosts GoodCitizensManual.pdf and DissidentsHandbook.pdf]

Colm MacCárthaigh, Security Review of TLS1.3 0-RTT, https://github.com/tlswg/tls13-spec/issues/1001

SLIDE 40

Preventing replays for 0-RTT Protocols

  • Server may remember all received messages
    – Difficult in applications with multiple servers (load balancing, multiple data centers, …)
  • Alternatively, use this only for applications where replay attacks are “not harmful”™
  • Eric Rescorla in a talk(*) about TLS 1.3 0-RTT:
    – “Difficult application integration issue”
    – “But too big a win not to do”

(*) http://web.stanford.edu/class/ee380/Abstracts/151118-slides.pdf

SLIDE 41

Preventing replays for 0-RTT Protocols

  • Server may remember all received messages
    – Difficult in applications with multiple servers (load balancing, multiple data centers, …)
  • Or use only for applications where replay attacks are “not harmful”™
  • Eric Rescorla in a talk(*) about TLS 1.3 0-RTT:
    – “Difficult application integration issue”
    – “But too big a win not to do”

(*) http://web.stanford.edu/class/ee380/Abstracts/151118-slides.pdf

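As an added example (not part of the slides), the two mitigations above in code: a per-server record of accepted 0-RTT messages catches a replay on the same server but not on a second, load-balanced server with its own record, and a method allow-list restricts early data to requests where a replay does no harm. Server names, message contents and all class and function names are constructed for the example.

```python
import hashlib


class ZeroRttServer:
    """One server instance that remembers every 0-RTT message it has accepted.

    Option 1 from the slide: the server keeps a record (here a SHA-256 hash)
    of each accepted early-data message for as long as the key it was sent
    under is valid. A second copy arriving within that window is a replay.
    """

    def __init__(self, name: str, key_lifetime_s: float):
        self.name = name
        self.key_lifetime_s = key_lifetime_s
        self.seen = {}  # message hash -> time of first acceptance

    def accept_0rtt(self, message: bytes, now: float) -> bool:
        """True if the message is accepted as fresh, False if it is a replay."""
        # Entries older than the key lifetime can be forgotten: the key they
        # belong to is no longer accepted, so a late replay fails regardless.
        self.seen = {h: t for h, t in self.seen.items() if now - t < self.key_lifetime_s}
        digest = hashlib.sha256(message).digest()
        if digest in self.seen:
            return False
        self.seen[digest] = now
        return True


SAFE_METHODS = {"GET", "HEAD"}


def replay_tolerant(request: bytes) -> bool:
    """Option 2 from the slide: only idempotent requests may ride in 0-RTT data.

    Anything else is refused as early data and has to wait for the 1-RTT key.
    """
    method = request.split(b" ", 1)[0].decode("ascii", "replace")
    return method in SAFE_METHODS


# Constructed sample early-data records (shown in the clear for readability).
GET_MSG = b"GET /DissidentsHandbook.pdf HTTP/1.1"
POST_MSG = b"POST /transfer?amount=100 HTTP/1.1"


def single_server_scenario():
    srv = ZeroRttServer("dc1", key_lifetime_s=3600)
    first = srv.accept_0rtt(GET_MSG, now=0.0)
    replay = srv.accept_0rtt(GET_MSG, now=1.0)
    return first, replay  # (True, False): the replay is caught


def load_balanced_scenario():
    """Two data centres behind one name, each with its own memory."""
    dc1 = ZeroRttServer("dc1", key_lifetime_s=3600)
    dc2 = ZeroRttServer("dc2", key_lifetime_s=3600)
    first = dc1.accept_0rtt(GET_MSG, now=0.0)
    replay_elsewhere = dc2.accept_0rtt(GET_MSG, now=1.0)
    return first, replay_elsewhere  # (True, True): dc2 has never seen it


def memory_bound_scenario():
    """The record shrinks again once the key lifetime has passed."""
    srv = ZeroRttServer("dc1", key_lifetime_s=10)
    srv.accept_0rtt(GET_MSG, now=0.0)
    srv.accept_0rtt(POST_MSG, now=2.0)
    within_lifetime = len(srv.seen)
    srv.accept_0rtt(b"GET /other HTTP/1.1", now=20.0)
    return within_lifetime, len(srv.seen)  # (2, 1)


if __name__ == "__main__":
    print(single_server_scenario(), load_balanced_scenario(), memory_bound_scenario())
    print(replay_tolerant(GET_MSG), replay_tolerant(POST_MSG))
```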

SLIDE 43

Objective

Construct a protocol that allows sending cryptographically protected payload in the first message from client to server

  • Without replay attacks
  • With forward security

(A priori it is not even clear that such protocols exist)

SLIDE 44

Impossible to achieve forward security for 0-RTT KE?

Server holds (pk, sk).
Client: (C, k) = F(pk)
Client → Server: C, SymEnc(k, payload)
Server: k = G(C, sk)

Corruption of sk allows computing k

“What about PFS? Can't be done in 0-RTT.”
(https://mailarchive.ietf.org/arch/msg/tls/OZwGgVhySbVhU36BMX1elQ9x0GE)

SLIDE 45

Impossible to achieve forward security for 0-RTT KE?

Server holds (pk, sk).
Client: (C, k) = F(pk)
Client → Server: C, SymEnc(k, payload)
Server: k = G(C, sk)

Corruption of sk allows computing k

  • Is it possible to evolve sk, s.t. G(C, sk) can be computed “only once”?
    – Forward-secure encryption [EC:CanHalKat03]
    – Puncturable encryption [SP:GreMie15]

SLIDE 46

Outline

  • Mass surveillance and Forward Security
  • 0-RTT Protocols and their Forward Security
    – Challenges
    – Impossibility?
  • Forward-Secure 0-RTT Protocols
    – Rather theoretical solution (EUROCRYPT 2017)
    – Somewhat practical solution (EUROCRYPT 2018)
    – Practical solution for TLS 1.3 (EUROCRYPT 2019)

SLIDE 47

Idea: Use Puncturable Encryption
(Günther, Hale, Jager, Lauer; EUROCRYPT 2017)

Client → Server: C = Enc_pk(k), Enc(k, data)
Server: k = Dec_sk(C)

SLIDE 48

Idea: Use Puncturable Encryption
(Günther, Hale, Jager, Lauer; EUROCRYPT 2017)

Client → Server: C = Enc_pk(k), Enc(k, data)
Server: k = Dec_sk(C); sk\C = Puncture(sk, C); delete sk

SLIDE 49

Idea: Use Puncturable Encryption
(Günther, Hale, Jager, Lauer; EUROCRYPT 2017)

Client → Server: C = Enc_pk(k), Enc(k, data)
Server: k = Dec_sk(C); sk\C = Puncture(sk, C); delete sk

  • sk\C decrypts all ciphertexts except for C
  • Repeated puncturing is possible
    – sk\C1 = Puncture(sk, C1)
    – sk\C1,C2 = Puncture(sk\C1, C2)
    – ...
    – sk\C1,C2 cannot be used to decrypt C1, C2


SLIDE 51

Idea: Use Puncturable Encryption
(Günther, Hale, Jager, Lauer; EUROCRYPT 2017)

Client → Server: C = Enc_pk(k), Enc(k, data)
Server: k = Dec_sk(C); sk\C = Puncture(sk, C); delete sk

  • sk\C decrypts all ciphertexts except for C
  • Repeated puncturing is possible
    – sk\C1 = Puncture(sk, C1)
    – sk\C1,C2 = Puncture(sk\C1, C2)
    – ...
  • sk\C1,C2 cannot be used to decrypt C1 or C2

SLIDE 52

First Theoretical Construction
(Günther, Hale, Jager, Lauer; EUROCRYPT 2017)

  • First 0-RTT protocol with full forward security
    – Provably secure
    – Low communication complexity
  • Main drawbacks:
    – |sk|: hundreds of MBs/GBs
    – Puncturing: several minutes



SLIDE 55

First Theoretical Construction
(Günther, Hale, Jager, Lauer; EUROCRYPT 2017)

  • First 0-RTT protocol with full forward security
    – Provably secure
    – Low communication complexity
  • Main drawbacks:
    – |sk|: hundreds of MBs/GBs
    – Puncturing: several minutes
  • But clean design approach
    – Will be useful for applications to TLS 1.3, too!

SLIDE 56

Hierarchical Key Delegation

[Figure: binary tree of delegated keys, with pk at the top. Root skε; level 1: sk0, sk1; level 2: sk00, sk01, sk10, sk11; level 3: sk000, …, sk111; leaves: sk0000, sk0001, …, sk1111. Each key is derived from its parent.]

SLIDE 57

Hierarchical Key Delegation

[Figure: the same key tree: pk, root skε, sk0, sk1, sk00, …, sk11, sk000, …, sk111, leaves sk0000, …, sk1111]

Can be realized with

  • Cryptographic hash functions
  • Hierarchical identity-based encryption

SLIDE 58

Puncturing skε
(Inspired by constrained PRFs [BW13, BGI13, KPTZ13])

[Figure: the key tree pk, skε, sk0, sk1, …, leaves sk0000, …, sk1111; leaf sk0101 is singled out as the position to puncture]



SLIDE 61

Puncturing skε
(Inspired by constrained PRFs [BW13, BGI13, KPTZ13])

[Figure: the key tree after puncturing at leaf 0101: the keys on the path from skε to sk0101 are removed and the siblings of that path are kept]

SLIDE 62

Puncturing skε
(Inspired by constrained PRFs [BW13, BGI13, KPTZ13])

[Figure: the key tree after puncturing at leaf 0101: the keys on the path from skε to sk0101 are removed and the siblings of that path are kept]

|sk\0101| ≈ 2*secpar

SLIDE 63

Puncturing again

[Figure: the punctured key tree (pk, sk0, sk1, …, leaves sk0000, …, sk1111) with a second leaf being punctured]

SLIDE 64

Puncturing again

[Figure: the key tree after a second puncturing; again only the siblings of the punctured paths are kept]

|sk| ≤ 2*secpar*|punctures|

SLIDE 65

What have we achieved so far?

  • Full forward secrecy ✓
  • Security against replay attacks ✓
  • |sk| ≥ total number of sessions ✗

SLIDE 66

What have we achieved so far?

  • Full forward secrecy ✓
  • Security against replay attacks ✓
  • |sk| ≥ total number of sessions ✗

Potential approaches:

  1. Replace pk frequently
  2. Non-interactive purging of sk

SLIDE 67

Purging the secret key from time to time [EC:CanHalKat03]

[Figure: the key tree pk, skε, sk0, sk1, sk00, …, sk11, …, leaves sk0000, …, sk1111; the four level-2 subtrees are labelled “4 Time slots”]

SLIDE 68

Purging the secret key from time to time
Following [CHK03]

[Figure: the key tree with 4 time slots (the subtrees under sk00 = t00, sk01, sk10, sk11); “Puncture here at ‘time 1’” marks the subtree of the first slot]

SLIDE 69

Purging the secret key from time to time
Following [CHK03]

[Figure: the key tree with 4 time slots (sk00 = t00, sk01, sk10, sk11); “Puncture here at ‘time 2’” marks the subtree of the second slot]

SLIDE 70

Purging the secret key from time to time
Following [CHK03]

[Figure: the key tree with 4 time slots (sk00 = t00, sk01, sk10, sk11); “Puncture here at ‘time 2’” marks the subtree of the second slot]

Non-interactive:

  • no update of pk
  • loosely synchronized clocks

SLIDE 71

Bloom Filter Encryption
(Derler, Jager, Slamanig, Striecks; EUROCRYPT 2018)

  • New approach to construct 0-RTT protocols
  • Features:
    – Provably secure
    – Low communication complexity
    – |sk|: hundreds of MBs/GBs
    – Very efficient puncturing
  • Ready for practical deployment
    – But not yet in all applications


SLIDE 73

Bloom Filter Encryption
(Derler, Jager, Slamanig, Striecks; EUROCRYPT 2018)

[Figure: Public key = array pk1, pk2, pk3, …, pkm; Secret key = array sk1, sk2, sk3, …, skm]

SLIDE 74

Bloom Filter Encryption
(Derler, Jager, Slamanig, Striecks; EUROCRYPT 2018)

[Figure: Public key = array pk1, pk2, pk3, …, pkm; Secret key = array sk1, sk2, sk3, …, skm]

Can be compressed to a single pk using e.g. IBE

SLIDE 75

Bloom Filter Encryption
(Derler, Jager, Slamanig, Striecks; EUROCRYPT 2018)

[Figure: Public key = array pk1, …, pkm; Secret key = array sk1, …, skm; a Ciphertext C is linked to three of the key pairs]

  • Each ciphertext is associated to n public/secret key pairs (here n = 3)
    – Determined by universal hashing (“Bloom filter”)
  • C can only be decrypted with a matching sk

SLIDE 76

Bloom Filter Encryption
(Derler, Jager, Slamanig, Striecks; EUROCRYPT 2018)

[Figure: Public key = array pk1, …, pkm; Secret key = array sk1, sk3, … with the slots associated to Ciphertext C (sk2 and skm among them) now empty]

Puncture(sk, C):

  • Delete the secret keys associated to C


SLIDE 78

Bloom Filter Encryption
(Derler, Jager, Slamanig, Striecks; EUROCRYPT 2018)

[Figure: Public key = array pk1, …, pkm; Secret key = array sk1, sk3, … with the slots of Ciphertext C deleted; a second Ciphertext C_B is linked to its own three slots]

  • Decryption of C_B is possible if at least one associated secret key is not yet deleted
  • Error probability can be made arbitrarily small via the choice of Bloom filter parameters

SLIDE 79

How practical is this?

  • 1 million sessions/key (low-traffic services)
  • Pr[Dec. error] ≤ 10^-3
  • |sk| ≈ 700 MB

SLIDE 80

How practical is this?

  • 1 million sessions/key (low-traffic services)
  • Pr[Dec. error] ≤ 10^-3
  • |sk| ≈ 700 MB

Requirements of [company logo on slide]:

  • 2000 sessions/s
  • Very short 0-RTT key lifetime (one hour = 7.2 M sessions/key)
  • Pr[Dec. error] ≤ 10^-2
  • |sk| ≈ 2.2 GB

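An added simulation (not the authors' code) of the Bloom filter encryption puncturing logic behind these numbers: slot count and hash count come from the standard Bloom filter sizing formulas, puncturing deletes the slots a ciphertext hashes to, and decryption succeeds while any of its slots survives. Slot keys are random placeholders for the per-slot IBE keys, ciphertext identifiers are constructed, and the 48 bytes per slot used for the key-size estimate is an assumption not stated on the slides.

```python
import hashlib
import math
import os


def bloom_parameters(sessions: int, max_error: float):
    """Slots m and hash count k for `sessions` entries at error rate <= max_error.

    Standard Bloom filter sizing: m = -n ln(p) / (ln 2)^2 and k = (m / n) ln 2.
    """
    m = math.ceil(-sessions * math.log(max_error) / (math.log(2) ** 2))
    k = max(1, round(m / sessions * math.log(2)))
    return m, k


def slot_indices(tag: bytes, m: int, k: int):
    """The k key slots a ciphertext with identifier `tag` is associated with."""
    return [int.from_bytes(hashlib.sha256(bytes([i]) + tag).digest(), "big") % m
            for i in range(k)]


class BloomFilterKey:
    """Toy Bloom filter encryption secret key: one key per slot.

    A real instance holds an (H)IBE-style key per slot; a random 32-byte
    string stands in for it here, since only the puncturing logic is modelled.
    """

    def __init__(self, sessions: int, max_error: float):
        self.m, self.k = bloom_parameters(sessions, max_error)
        self.sk = {i: os.urandom(32) for i in range(self.m)}

    def can_decrypt(self, tag: bytes) -> bool:
        # Decryption works as long as at least one associated slot survives.
        return any(i in self.sk for i in slot_indices(tag, self.m, self.k))

    def puncture(self, tag: bytes) -> None:
        # Puncture(sk, C): delete every slot key associated to the ciphertext.
        for i in slot_indices(tag, self.m, self.k):
            self.sk.pop(i, None)


def one_shot_check(sessions: int = 2000, max_error: float = 0.01):
    """A ciphertext decrypts before, and never after, its own puncturing."""
    key = BloomFilterKey(sessions, max_error)
    tag = os.urandom(16)  # constructed ciphertext identifier
    before = key.can_decrypt(tag)
    key.puncture(tag)
    return before, key.can_decrypt(tag)  # (True, False)


def simulated_error_rate(sessions: int = 2000, max_error: float = 0.01,
                         trials: int = 20000) -> float:
    """Fraction of fresh ciphertexts that no longer decrypt after `sessions`
    punctures, i.e. the scheme's decryption-error probability (small sizes)."""
    key = BloomFilterKey(sessions, max_error)
    for _ in range(sessions):
        key.puncture(os.urandom(16))
    failures = sum(not key.can_decrypt(os.urandom(16)) for _ in range(trials))
    return failures / trials


def key_size_bytes(sessions: int, max_error: float, bytes_per_slot: int = 48) -> int:
    """Secret-key size for the slides' parameters, assuming one 48-byte group
    element per slot (an assumption; the slides only give the totals)."""
    m, _ = bloom_parameters(sessions, max_error)
    return m * bytes_per_slot


if __name__ == "__main__":
    print(one_shot_check(), simulated_error_rate())
    print(key_size_bytes(1_000_000, 1e-3) / 1e6, "MB for 1 M sessions, error 1e-3")
```

With the 48-byte assumption the 1 million sessions / 10^-3 case comes out at roughly 690 MB, close to the 700 MB on the slide.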

SLIDE 81

0-RTT in TLS 1.3
(Aviram, Gellert, Jager; EUROCRYPT 2019)

  • Alternative approach to construct 0-RTT protocols
    – Based on “TLS 1.3 approach”
  • Not really 0-RTT session initiation
  • Rather: 0-RTT session resumption
  • Features:
    – Provably secure
    – Low communication complexity
    – |sk|: a few MBs
    – Quite efficient puncturing
  • Ready for practical deployment
    – But not yet in all applications

SLIDE 82

0-RTT in TLS 1.3

  • Two different approaches:
    – Session tickets
    – Session caches
  • Indistinguishable on client side
  • Server may choose
    – (And use other variants that are not described in the standard)

SLIDE 83

0-RTT in TLS 1.3 with Session Caches
(High-level idea)

[Figure: Client and Server (pk, sk). The server keeps a session cache table of Tag → Key entries: T1 → k1, T2 → k2, …]

SLIDE 84

0-RTT in TLS 1.3 with Session Caches
(High-level idea)

Server holds (pk, sk) and a session cache table (Tag → Key: T1 → k1, T2 → k2, …).
Client ⟷ Server: Initial protocol session (not 0-RTT)
Server → Client: T
Client stores (k, T)

SLIDE 85

0-RTT in TLS 1.3 with Session Caches
(High-level idea)

Server holds (pk, sk) and a session cache table (Tag → Key: T1 → k1, T2 → k2, …).
Client ⟷ Server: Initial protocol session (not 0-RTT)
Server → Client: T
Client stores (k, T)
Client → Server: T, SymEnc(k, 0-RTT payload)
Server: k ← Dec(tk, T)

SLIDE 86

0-RTT in TLS 1.3 with Session Caches
(High-level idea)

Server holds (pk, sk) and a session cache table (Tag → Key: T1 → k1, T2 → k2, …).
Client ⟷ Server: Initial protocol session (not 0-RTT)
Server → Client: T
Client stores (k, T)
Client → Server: T, SymEnc(k, 0-RTT payload), g^a
Server: k ← Dec(tk, T)
Server → Client: g^b, SymEnc(g^ab, payload)

SLIDE 87

0-RTT in TLS 1.3 with Session Caches
(High-level idea)

Server holds (pk, sk) and a session cache table (Tag → Key: T1 → k1, T2 → k2, …).
Client ⟷ Server: Initial protocol session (not 0-RTT)
Server → Client: T
Client stores (k, T)
Client → Server: T, SymEnc(k, 0-RTT payload), g^a
Server: k ← Dec(tk, T)
Server → Client: g^b, SymEnc(g^ab, payload)

  • 0-RTT key establishment (rather: session resumption) ?
  • Forward secrecy for 0-RTT payload ✓
  • Replay prevention ✓
  • Server-side storage ✗

SLIDE 88

0-RTT in TLS 1.3 with Session Caches
(High-level idea)

Server holds (pk, sk) and a session cache table (Tag → Key: T1 → k1, T2 → k2, …).
Client ⟷ Server: Initial protocol session (not 0-RTT)
Server → Client: T
Client stores (k, T)
Client → Server: T, SymEnc(k, 0-RTT payload), g^a
Server: k ← Dec(tk, T)
Server → Client: g^b, SymEnc(g^ab, payload)

  • 0-RTT key establishment (rather: session resumption) ?
  • Forward secrecy for 0-RTT payload ✓
  • Replay prevention ✓
  • Server-side storage ✗

T is an “opaque” message type → may contain arbitrary data

SLIDE 89

0-RTT in TLS 1.3 with Session Tickets
(High-level idea)

Server holds (pk, sk) and a token key tk.
Client ⟷ Server: Initial protocol session (not 0-RTT)
Server: T = Enc(tk, k)
Server → Client: T
Client stores (k, T)

SLIDE 90

0-RTT in TLS 1.3 with Session Tickets
(High-level idea)

Server holds (pk, sk) and a token key tk.
Client ⟷ Server: Initial protocol session (not 0-RTT)
Server: T = Enc(tk, k)
Server → Client: T
Client stores (k, T)
Client → Server: T, SymEnc(k, 0-RTT payload), g^a
Server: k ← Dec(tk, T)
Server → Client: g^b, SymEnc(g^ab, payload)

SLIDE 91

0-RTT in TLS 1.3 with Session Tickets
(High-level idea)

Server holds (pk, sk) and a token key tk.
Client ⟷ Server: Initial protocol session (not 0-RTT)
Server: T = Enc(tk, k)
Server → Client: T
Client stores (k, T)
Client → Server: T, SymEnc(k, 0-RTT payload), g^a
Server: k ← Dec(tk, T)
Server → Client: g^b, SymEnc(g^ab, payload)

  • 0-RTT key establishment (rather: session resumption) ?
  • Replay prevention: server remembers that T was redeemed during the lifetime of k (✓)
  • Server-side storage ✓
  • Forward secrecy for 0-RTT payload ✗

SLIDE 92

“Puncturable Session Tickets”
(High-level idea)

Server holds (pk, sk) and a ticket key tk.
Client ⟷ Server: Initial protocol session (not 0-RTT)
Server: T = Enc(tk, k)
Server → Client: T
Client stores (k, T)
Client → Server: T, SymEnc(k, 0-RTT payload), g^a
Server: k ← Dec(tk, T); tk\C = Puncture(sk, C); delete tk
Server → Client: g^b, SymEnc(g^ab, payload)

SLIDE 93

“Puncturable Session Tickets”
(High-level idea)

Server holds (pk, sk) and a ticket key tk.
Client ⟷ Server: Initial protocol session (not 0-RTT)
Server: T = Enc(tk, k)
Server → Client: T
Client stores (k, T)
Client → Server: T, SymEnc(k, 0-RTT payload), g^a
Server: k ← Dec(tk, T); tk\C = Puncture(sk, C); delete tk
Server → Client: g^b, SymEnc(g^ab, payload)

Best of both worlds:

  • Same forward security as Session Caches
  • Session ticket approach → Less secure memory on server

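An added example (not from the paper or the slides) that combines the hash-based hierarchical key delegation of slides 56 to 64 with the puncturable session tickets sketched here: a GGM-style tree PRF whose punctured key consists of the siblings of the path to the punctured leaf serves as the ticket key tk, so a redeemed ticket is punctured and its key can no longer be derived, even from a later-leaked tk. The tree depth, the XOR-plus-HMAC ticket encoding and all class and function names are assumptions made for the example.

```python
import hashlib
import hmac
import os

DEPTH = 16  # tree depth: 2^16 ticket indices per ticket key (toy size, an assumption)

def _child(node_key: bytes, bit: int) -> bytes:
    # Hash-based key delegation: derive the child key for one tree edge.
    return hashlib.sha256(node_key + bytes([bit])).digest()

class PuncturablePRF:
    """GGM-style tree PRF. The key is a set of node keys indexed by bit-string
    prefix (initially only the root ""). Puncturing a leaf drops the node that
    covers it and keeps the sibling of every node on the path instead."""

    def __init__(self, root: bytes):
        self.nodes = {"": root}

    def evaluate(self, index: int):
        leaf = format(index, f"0{DEPTH}b")
        for prefix, key in self.nodes.items():
            if leaf.startswith(prefix):
                for bit in leaf[len(prefix):]:
                    key = _child(key, int(bit))
                return key
        return None  # no stored node covers this leaf: it has been punctured

    def puncture(self, index: int) -> None:
        leaf = format(index, f"0{DEPTH}b")
        for prefix in list(self.nodes):
            if leaf.startswith(prefix):
                key = self.nodes.pop(prefix)
                for depth in range(len(prefix), DEPTH):
                    bit = int(leaf[depth])
                    self.nodes[leaf[:depth] + str(1 - bit)] = _child(key, 1 - bit)
                    key = _child(key, bit)
                return

class TicketServer:
    """Session tickets whose ticket key tk is a PuncturablePRF (hypothetical design)."""

    def __init__(self):
        self.tk = PuncturablePRF(os.urandom(32))
        self.next_index = 0

    def issue(self, k: bytes):
        """End of the initial (non-0-RTT) session: T = Enc(tk, k) at a fresh index."""
        idx, self.next_index = self.next_index, self.next_index + 1
        tkey = self.tk.evaluate(idx)
        pad = hashlib.sha256(tkey + b"enc").digest()
        ct = bytes(a ^ b for a, b in zip(k, pad))
        tag = hmac.new(tkey, idx.to_bytes(4, "big") + ct, "sha256").digest()
        return (idx, ct, tag)

    def redeem(self, ticket):
        """0-RTT resumption: k <- Dec(tk, T), then puncture so that T is one-shot."""
        idx, ct, tag = ticket
        tkey = self.tk.evaluate(idx)
        if tkey is None:
            return None  # index already punctured: a replayed ticket, reject it
        expected = hmac.new(tkey, idx.to_bytes(4, "big") + ct, "sha256").digest()
        if not hmac.compare_digest(expected, tag):
            return None
        pad = hashlib.sha256(tkey + b"enc").digest()
        self.tk.puncture(idx)  # tk\C = Puncture(tk, C); the old tk is gone
        return bytes(a ^ b for a, b in zip(ct, pad))

def demo():
    srv = TicketServer()
    k1, k2 = os.urandom(32), os.urandom(32)  # constructed session keys
    t1, t2 = srv.issue(k1), srv.issue(k2)
    first = srv.redeem(t1) == k1      # a fresh ticket resumes the session
    replay = srv.redeem(t1) is None   # the same ticket again is rejected
    other = srv.redeem(t2) == k2      # unrelated tickets still work
    # Forward secrecy: even with the punctured tk in hand, t1's key is underivable.
    leaked = srv.tk.evaluate(t1[0]) is None
    return first, replay, other, leaked, len(srv.tk.nodes)

if __name__ == "__main__":
    print(demo())
```

The last value returned by demo() is the number of stored node keys, which stays at most DEPTH per puncture, the same shape as the |sk| ≤ 2*secpar*|punctures| bound on slide 64.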

SLIDE 94

Further Contributions

  • New construction of a Puncturable Pseudorandom Function
    – Particularly suitable for efficient use in TLS 1.3
    – Puncturing ≈ RSA signature
  • Definition of general “session resumption” protocols
    – Security model
    – Formal security analysis
  • See https://eprint.iacr.org/2019/228

SLIDE 95

Summary and Open Problems

  • Fully forward-secret 0-RTT protocols exist!
    – New techniques
    – Very simple protocols
    – Reasonably efficient for servers with moderate requirements (number of sessions)
  • Can we make this more practical?
    – Suitable for very large-scale applications
  • Beyond key exchange?
