
Forward-Secure 0-RTT Goes Live: Implementation and Performance Analysis in QUIC

Conference paper, in: Cryptology and Network Security (CANS 2020)

Abstract

Modern cryptographic protocols, such as TLS 1.3 and QUIC, can send cryptographically protected data in “zero round-trip times (0-RTT)”, that is, without the need for a prior interactive handshake. Such protocols meet the demand for communication with minimal latency, but those currently deployed in practice achieve only rather weak security properties, as they may not achieve forward security for the first transmitted payload message and require additional countermeasures against replay attacks.

Recently, 0-RTT protocols with full forward security and replay resilience have been proposed in the academic literature. These are based on puncturable encryption, which uses rather heavy building blocks, such as cryptographic pairings. Some constructions were claimed to have practical efficiency, but it is unclear how they compare concretely to protocols deployed in practice, and we currently do not have any benchmark results that new protocols can be compared with.

We provide the first concrete performance analysis of a modern 0-RTT protocol with full forward security, by integrating the Bloom Filter Encryption scheme of Derler et al. (EUROCRYPT 2018) in the Chromium QUIC implementation and comparing it to Google’s original QUIC protocol. We find that for reasonable deployment parameters, the server CPU load increases approximately by a factor of eight and the memory consumption on the server increases significantly, but stays below 400 MB even for medium-scale deployments that handle up to 50K connections per day. The difference of the size of handshake messages is small enough that transmission time on the network is identical, and therefore not significant.

We conclude that while current 0-RTT protocols with full forward security come with significant computational overhead, their use in practice is feasible, and may be used in applications where the increased CPU and memory load can be tolerated in exchange for full forward security and replay resilience on the cryptographic protocol level. Our results serve as a first benchmark that can be used to assess the efficiency of 0-RTT protocols potentially developed in the future.

Supported by the German Research Foundation (DFG), project JA 2445/2-1 and the European Research Council (ERC) under the European Union’s Horizon 2020 research and innovation programme, grant agreement 802823. Part of this work was completed while the authors were employed at Paderborn University.


Notes

  1. See https://w3techs.com/technologies/segmentation/ce-quic/web_server.

  2. The server may choose any lifetime for the Bloom filter key material by parametrizing the Bloom filter accordingly. We provide a concrete parametrization for our analysis in Sect. 5.1.

  3. Enabling point compression leads to a decrease of 19% in memory consumption on the server side while increasing the computational load per decapsulation by roughly 6%.

  4. All machines are located within the same room. Hence, the resulting network latency is significantly lower than real-world latencies between clients and servers, and in particular is small compared to the computation time required by the implemented protocol. Overall, the network latency does not influence our results and is thus neglected in the following sections.

  5. Inspection in Wireshark revealed that messages are padded to occupy the full MTU size, canceling out small size differences.
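The abstract describes integrating Bloom Filter Encryption (BFE) into QUIC, and note 2 states that the key lifetime is fixed by the Bloom filter parametrization. The following Python model, added here as an illustration and not code from the paper or its Chromium integration, shows the key-management structure that drives both the security properties and the memory cost: a Bloom filter of m bits in which every bit owns its own secret key; a 0-RTT ciphertext carries a random tag mapping to k bits, any one of whose keys decrypts it; puncturing deletes those k keys, so a replayed ciphertext is rejected and a later key compromise cannot recover it. It also sizes m and k for a target number of connections per key lifetime and a target false-positive rate (a false positive is an undecryptable fresh 0-RTT message, which forces a fallback to a full handshake). The pairing-based identity-based encryption of the real scheme is replaced by a symmetric stand-in, so `encapsulate()` receives an unpunctured copy of the slot keys where a real client would hold only the public key; `bytes_per_slot` is an assumed placeholder, not the paper's measured figure.

```python
"""Toy model of the key-management structure of Bloom Filter Encryption.
Constructed for illustration; the IBE component of the real scheme is
replaced by a symmetric stand-in (see _slot_kdf and public_stand_in)."""
import hashlib
import math
import secrets

SESSION_KEY_LEN = 32


def bloom_params(n_punctures: int, fp_rate: float) -> tuple[int, int]:
    """Standard Bloom filter sizing: after n_punctures insertions a fresh tag
    is a false positive (all k of its slots deleted) with probability ~fp_rate."""
    m = math.ceil(-n_punctures * math.log(fp_rate) / (math.log(2) ** 2))
    k = max(1, round(m / n_punctures * math.log(2)))
    return m, k


def slot_positions(tag: bytes, m: int, k: int) -> list[int]:
    """The k filter positions a tag maps to (k domain-separated SHA-256 hashes)."""
    return [int.from_bytes(hashlib.sha256(bytes([i]) + tag).digest(), "big") % m
            for i in range(k)]


def _slot_kdf(slot_key: bytes, tag: bytes) -> bytes:
    # Symmetric stand-in for "encrypt to the identity of slot i".
    return hashlib.sha256(b"bfe-toy-slot" + slot_key + tag).digest()


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class BFEServerKey:
    def __init__(self, m: int, k: int) -> None:
        self.m, self.k = m, k
        # One independent secret per filter bit; this is what costs memory.
        self.slots = [secrets.token_bytes(32) for _ in range(m)]
        self.punctures = 0

    def public_stand_in(self) -> list[bytes]:
        """Frozen copy of the slot keys, standing in for the public key."""
        return list(self.slots)

    def puncture(self, tag: bytes) -> None:
        """Delete the k slot keys of a tag. Deletion is irreversible, which is
        what gives forward security after a later key compromise."""
        for i in slot_positions(tag, self.m, self.k):
            self.slots[i] = None
        self.punctures += 1

    def decapsulate(self, ct):
        tag, parts = ct
        for i, part in zip(slot_positions(tag, self.m, self.k), parts):
            if self.slots[i] is not None:      # any surviving slot recovers the key
                return _xor(part, _slot_kdf(self.slots[i], tag))
        return None                            # all k slots punctured: reject

    def live_slots(self) -> int:
        return sum(s is not None for s in self.slots)


def encapsulate(pk: list[bytes], m: int, k: int):
    """Client side: fresh random tag, session key encrypted to each of k slots."""
    tag = secrets.token_bytes(16)
    session_key = secrets.token_bytes(SESSION_KEY_LEN)
    parts = [_xor(session_key, _slot_kdf(pk[i], tag)) for i in slot_positions(tag, m, k)]
    return session_key, (tag, parts)


def expected_fp_rate(m: int, k: int, n: int) -> float:
    """Probability that a fresh tag is undecryptable after n punctures."""
    return (1 - math.exp(-k * n / m)) ** k


def simulate(n_connections: int, fp_rate: float, bytes_per_slot: int = 64) -> dict:
    """Run one key lifetime: each connection is decapsulated, punctured, then
    replayed. bytes_per_slot is an assumed size for the memory estimate."""
    m, k = bloom_params(n_connections, fp_rate)
    server = BFEServerKey(m, k)
    pk = server.public_stand_in()
    accepted = fresh_failures = replay_rejected = 0
    for _ in range(n_connections):
        session_key, ct = encapsulate(pk, m, k)
        if server.decapsulate(ct) != session_key:
            fresh_failures += 1                # Bloom false positive: fall back to 1-RTT
            continue
        accepted += 1
        server.puncture(ct[0])
        if server.decapsulate(ct) is None:     # replay of the same 0-RTT message
            replay_rejected += 1
    return {"m": m, "k": k, "accepted": accepted, "fresh_failures": fresh_failures,
            "replay_rejected": replay_rejected, "live_slots": server.live_slots(),
            "fp_rate_after_n": expected_fp_rate(m, k, n_connections),
            "key_bytes_estimate": m * bytes_per_slot}


if __name__ == "__main__":
    print(simulate(2000, 0.001))
    m, k = bloom_params(50_000, 0.001)        # one day of the abstract's 50K connections
    print(f"m={m} bits, k={k}, ~{m * 64 / 2**20:.1f} MiB at an assumed 64 bytes per slot")
```

After the server punctures, the same ciphertext can never be decrypted again, which is the replay resilience the abstract refers to, and because puncturing deletes rather than marks keys, compromise of the remaining key material does not expose earlier messages. The per-bit secret is also why memory grows with the filter size: the lifetime and the tolerated false-positive rate fix m, and m fixes the key size.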

References

  1. perf: Linux profiling with performance counters. https://perf.wiki.kernel.org/index.php/Main_Page

  2. The Chromium Project. https://www.chromium.org/

  3. Aranha, D.F., Gouvêa, C.P.L.: RELIC is an Efficient LIbrary for Cryptography. https://github.com/relic-toolkit/relic

  4. Aviram, N., Gellert, K., Jager, T.: Session resumption protocols and efficient forward security for TLS 1.3 0-RTT. In: Ishai, Y., Rijmen, V. (eds.) EUROCRYPT 2019. LNCS, vol. 11477, pp. 117–150. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-17656-3_5

  5. Belshe, M., Peon, R., Thomson, M.: Hypertext Transfer Protocol Version 2 (HTTP/2). RFC 7540, IETF, May 2015. http://tools.ietf.org/rfc/rfc7540.txt

  6. Belshe, M., Peon, R.: SPDY Protocol - Draft 3.1. Technical report, Google (2013). https://www.chromium.org/spdy/spdy-protocol/spdy-protocol-draft3-1

  7. Boneh, D., Lynn, B., Shacham, H.: Short signatures from the Weil pairing. In: Boyd, C. (ed.) ASIACRYPT 2001. LNCS, vol. 2248, pp. 514–532. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-45682-1_30

  8. Boyd, C., Gellert, K.: A modern view on forward security. Comput. J. (2020). https://doi.org/10.1093/comjnl/bxaa104

  9. Brutlag, J.: Speed matters (2009). https://ai.googleblog.com/2009/06/speed-matters.html

  10. Canetti, R., Halevi, S., Katz, J.: Chosen-ciphertext security from identity-based encryption. In: Cachin, C., Camenisch, J.L. (eds.) EUROCRYPT 2004. LNCS, vol. 3027, pp. 207–222. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-24676-3_13

  11. Chang, W.T., Langley, A.: QUIC crypto (2014). https://docs.google.com/document/d/1g5nIXAIkN_Y-7XJW5K45IblHd_L2f5LTaDUDwvZ5L6g

  12. Cheng, Y., Chu, J., Radhakrishnan, S., Jain, A.: TCP Fast Open. RFC 7413, IETF, December 2014. http://tools.ietf.org/rfc/rfc7413.txt

  13. Delerablée, C.: Identity-based broadcast encryption with constant size ciphertexts and private keys. In: Kurosawa, K. (ed.) ASIACRYPT 2007. LNCS, vol. 4833, pp. 200–215. Springer, Heidelberg (2007). https://doi.org/10.1007/978-3-540-76900-2_12

  14. Derler, D., Gellert, K., Jager, T., Slamanig, D., Striecks, C.: Bloom filter encryption and applications to efficient forward-secret 0-RTT key exchange. Cryptology ePrint Archive, Report 2018/199 (2018) https://eprint.iacr.org/2018/199

  15. Derler, D., Jager, T., Slamanig, D., Striecks, C.: Bloom filter encryption and applications to efficient forward-secret 0-RTT key exchange. In: Nielsen, J.B., Rijmen, V. (eds.) EUROCRYPT 2018. LNCS, vol. 10822, pp. 425–455. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-78372-7_14

  16. Fujisaki, E., Okamoto, T.: Secure integration of asymmetric and symmetric encryption schemes. In: Wiener, M. (ed.) CRYPTO 1999. LNCS, vol. 1666, pp. 537–554. Springer, Heidelberg (1999). https://doi.org/10.1007/3-540-48405-1_34

  17. Gellert, K.: Construction and security analysis of 0-RTT protocols. Ph.D. thesis, University of Wuppertal, Germany (2020). https://doi.org/10.25926/eg6a-6059

  18. Godard, S.: Performance monitoring tools for Linux. https://github.com/sysstat/sysstat

  19. Green, M.D., Miers, I.: Forward secure asynchronous messaging from puncturable encryption. In: 2015 IEEE Symposium on Security and Privacy, San Jose, CA, USA, 17–21 May 2015, pp. 305–320. IEEE Computer Society Press (2015)

  20. Günther, F., Hale, B., Jager, T., Lauer, S.: 0-RTT key exchange with full forward secrecy. In: Coron, J.-S., Nielsen, J.B. (eds.) EUROCRYPT 2017. LNCS, vol. 10212, pp. 519–548. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-56617-7_18

  21. Iyengar, J., Thomson, M.: QUIC: A UDP-Based Multiplexed and Secure Transport. Draft draft-ietf-quic-transport-18, IETF, January 2019. http://tools.ietf.org/id/draft-ietf-quic-transport-18.txt

  22. Lauer, S., Gellert, K., Merget, R., Handirk, T., Schwenk, J.: T0rtt: non-interactive immediate forward-secret single-pass circuit construction. Proceedings on Privacy Enhancing Technologies 2020(2), 336–357 (2020). https://content.sciendo.com/view/journals/popets/2020/2/article-p336.xml

  23. Linden, G.: Marissa Mayer at Web 2.0 (2006). https://glinden.blogspot.com/2006/11/marissa-mayer-at-web-20.html

  24. Lychev, R., Jero, S., Boldyreva, A., Nita-Rotaru, C.: How secure and quick is QUIC? Provable security and performance analyses. In: 2015 IEEE Symposium on Security and Privacy, San Jose, CA, USA, 17–21 May 2015, pp. 214–231. IEEE Computer Society Press (2015)

  25. MacCarthaigh, C.: Security Review of TLS 1.3 0-RTT. https://github.com/tlswg/tls13-spec/issues/1001. Accessed 29 Jul 2018

  26. Rescorla, E.: The Transport Layer Security (TLS) Protocol Version 1.3. RFC 8446 (2018). https://rfc-editor.org/rfc/rfc8446.txt

  27. Roskind, J.: Quick UDP internet connections: Multiplexed stream transport over UDP (2012). https://docs.google.com/document/d/1RNHkx_VvKWyWg6Lr8SZ-saqsQx7rFV-ev2jRFUoVD34/edit

  28. Strigeus, L., Hazel, G., Shalunov, S., Norberg, A., Cohen, B.: uTorrent transport protocol. Technical report, BEP29, BitTorrent.org (2009). http://www.bittorrent.org/beps/bep_0029.html

  29. Thomson, M., Turner, S.: Using TLS to Secure QUIC. Internet-Draft draft-ietf-quic-tls-29, Internet Engineering Task Force, June 2020. https://datatracker.ietf.org/doc/html/draft-ietf-quic-tls-29. Work in progress

Author information

Correspondence to Kai Gellert.

Copyright information

© 2020 Springer Nature Switzerland AG

About this paper

Cite this paper

Dallmeier, F. et al. (2020). Forward-Secure 0-RTT Goes Live: Implementation and Performance Analysis in QUIC. In: Krenn, S., Shulman, H., Vaudenay, S. (eds) Cryptology and Network Security. CANS 2020. Lecture Notes in Computer Science(), vol 12579. Springer, Cham. https://doi.org/10.1007/978-3-030-65411-5_11

  • DOI: https://doi.org/10.1007/978-3-030-65411-5_11

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-65410-8

  • Online ISBN: 978-3-030-65411-5
