Session Resumption Protocols and Efficient Forward Security for TLS 1.3 0-RTT

  • Nimrod Aviram
  • Kai GellertEmail author
  • Tibor Jager
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11477)


The TLS 1.3 0-RTT mode enables a client reconnecting to a server to send encrypted application-layer data in “0-RTT” (“zero round-trip time”), without the need for a prior interactive handshake. This fundamentally requires the server to reconstruct the previous session’s encryption secrets upon receipt of the client’s first message. The standard techniques to achieve this are Session Caches or, alternatively, Session Tickets. The former provides forward security and resistance against replay attacks, but requires a large amount of server-side storage. The latter requires negligible storage, but provides no forward security and is known to be vulnerable to replay attacks.

In this paper, we first formally define session resumption protocols as an abstract perspective on mechanisms like Session Caches and Session Tickets. We give a new generic construction that provably provides forward security and replay resilience, based on puncturable pseudorandom functions (PPRFs). This construction can immediately be used in TLS 1.3 0-RTT and deployed unilaterally by servers, without requiring any changes to clients or the protocol.

We then describe two new constructions of PPRFs, which are particularly suitable for use for forward-secure and replay-resilient session resumption in TLS 1.3. The first construction is based on the strong RSA assumption. Compared to standard Session Caches, for “128-bit security” it reduces the required server storage by a factor of almost 20, when instantiated in a way such that key derivation and puncturing together are cheaper on average than one full exponentiation in an RSA group. Hence, a 1 GB Session Cache can be replaced with only about 51 MBs of storage, which significantly reduces the amount of secure memory required. For larger security parameters or in exchange for more expensive computations, even larger storage reductions are achieved. The second construction combines a standard binary tree PPRF with a new “domain extension” technique. For a reasonable choice of parameters, this reduces the required storage by a factor of up to 5 compared to a standard Session Cache. It employs only symmetric cryptography, is suitable for high-traffic scenarios, and can serve thousands of tickets per second.


  1. 1.
    Aviram, N., Gellert, K., Jager, T.: Session resumption protocols and efficient forward security for TLS 1.3 0-RTT. Cryptology ePrint Archive (2019).
  2. 2.
    Barić, N., Pfitzmann, B.: Collision-free accumulators and fail-stop signature schemes without trees. In: Fumy, W. (ed.) EUROCRYPT 1997. LNCS, vol. 1233, pp. 480–494. Springer, Heidelberg (1997). Scholar
  3. 3.
    Barker, E.: Recommendation for key management part 1: general (revision 4). NIST special publication (2016)Google Scholar
  4. 4.
    Behr, M., Swett, I.: Introducing QUIC support for HTTPS load balancing (2018).
  5. 5.
    Bellare, M., Rogaway, P.: Random oracles are practical: a paradigm for designing efficient protocols. In: Ashby, V. (ed.) ACM CCS 1993, Fairfax, Virginia, USA, 3–5 November, pp. 62–73. ACM Press (1993)Google Scholar
  6. 6.
    Bellare, M., Stepanovs, I., Tessaro, S.: Poly-many hardcore bits for any one-way function and a framework for differing-inputs obfuscation. In: Sarkar, P., Iwata, T. (eds.) ASIACRYPT 2014, Part II. LNCS, vol. 8874, pp. 102–121. Springer, Heidelberg (2014). Scholar
  7. 7.
    Bhargavan, K., Fournet, C., Kohlweiss, M., Pironti, A., Strub, P.-Y., Zanella-Béguelin, S.: Proving the TLS handshake secure (as it is). In: Garay, J.A., Gennaro, R. (eds.) CRYPTO 2014, Part II. LNCS, vol. 8617, pp. 235–255. Springer, Heidelberg (2014). Scholar
  8. 8.
    Blum, L., Blum, M., Shub, M.: A simple unpredictable pseudo-random number generator. Siam J. Comput. 15(2), 364–383 (1986). Scholar
  9. 9.
    Böck, H.: Fuzz-compare the OpenSSL function BN\_mod\_exp() and the libgcrypt function gcry\_mpi\_powm().
  10. 10.
    Boneh, D., Waters, B.: Constrained pseudorandom functions and their applications. In: Sako, K., Sarkar, P. (eds.) ASIACRYPT 2013, Part II. LNCS, vol. 8270, pp. 280–300. Springer, Heidelberg (2013). Scholar
  11. 11.
    Boyle, E., Goldwasser, S., Ivan, I.: Functional signatures and pseudorandom functions. In: Krawczyk, H. (ed.) PKC 2014. LNCS, vol. 8383, pp. 501–519. Springer, Heidelberg (2014). Scholar
  12. 12.
    Camenisch, J., Lysyanskaya, A.: Dynamic accumulators and application to efficient revocation of anonymous credentials. In: Yung, M. (ed.) CRYPTO 2002. LNCS, vol. 2442, pp. 61–76. Springer, Heidelberg (2002). Scholar
  13. 13.
  14. 14.
    Cremers, C., Horvat, M., Scott, S., van der Merwe, T.: Automated analysis and verification of TLS 1.3: 0-RTT, resumption and delayed authentication. In: 2016 IEEE Symposium on Security and Privacy, San Jose, CA, USA, 22–26 May, pp. 470–485. IEEE Computer Society Press (2016)Google Scholar
  15. 15.
    Derler, D., Gellert, K., Jager, T., Slamanig, D., Striecks, C.: Bloom filter encryption and applications to efficient forward-secret 0-RTT key exchange. Cryptology ePrint Archive, Report 2018/199 (2018).
  16. 16.
    Derler, D., Jager, T., Slamanig, D., Striecks, C.: Bloom filter encryption and applications to efficient forward-secret 0-RTT key exchange. In: Nielsen, J.B., Rijmen, V. (eds.) EUROCRYPT 2018, Part III. LNCS, vol. 10822, pp. 425–455. Springer, Cham (2018). Scholar
  17. 17.
    Dowling, B., Fischlin, M., Günther, F., Stebila, D.: A cryptographic analysis of the TLS 1.3 handshake protocol candidates. In: Ray, I., Li, N., Kruegel, C. (eds.) ACM CCS 2015, Denver, CO, USA, 12–16 October, pp. 1197–1210. ACM Press (2015)Google Scholar
  18. 18.
    Dowling, B., Fischlin, M., Günther, F., Stebila, D.: A cryptographic analysis of the TLS 1.3 draft-10 full and pre-shared key handshake protocol. Cryptology ePrint Archive, Report 2016/081 (2016).
  19. 19.
    Dukkipati, N., et al.: An argument for increasing TCP’s initial congestion window. Comput. Commun. Rev. 40(3), 26–33 (2010)CrossRefGoogle Scholar
  20. 20.
    Fischlin, M., Günther, F.: Multi-stage key exchange and the case of Google’s QUIC protocol. In: Ahn, G.J., Yung, M., Li, N. (eds.) ACM CCS 2014, Scottsdale, AZ, USA, 3–7 November, pp. 1193–1204. ACM Press (2014)Google Scholar
  21. 21.
    Fischlin, M., Günther, F.: Replay attacks on zero round-trip time: the case of the TLS 1.3 handshake candidates. In: 2017 IEEE European Symposium on Security and Privacy, EuroS&P 2017, Paris, France, 26–28 April 2017, pp. 60–75. IEEE (2017).
  22. 22.
    Goldreich, O., Goldwasser, S., Micali, S.: How to construct random functions. J. ACM 33(4), 792–807 (1986). Scholar
  23. 23.
    Goldreich, O., Levin, L.A.: A hard-core predicate for all one-way functions. In: 21st ACM STOC, Seattle, WA, USA, 15–17 May, pp. 25–32. ACM Press (1989)Google Scholar
  24. 24.
    Green, M.D., Miers, I.: Forward secure asynchronous messaging from puncturable encryption. In: 2015 IEEE Symposium on Security and Privacy, San Jose, CA, USA, 17–21 May, pp. 305–320. IEEE Computer Society Press (2015)Google Scholar
  25. 25.
    Günther, F., Hale, B., Jager, T., Lauer, S.: 0-RTT key exchange with full forward secrecy. In: Coron, J.-S., Nielsen, J.B. (eds.) EUROCRYPT 2017, Part III. LNCS, vol. 10212, pp. 519–548. Springer, Cham (2017). Scholar
  26. 26.
    Hale, B., Jager, T., Lauer, S., Schwenk, J.: Simple security definitions for and constructions of 0-RTT key exchange. In: Gollmann, D., Miyaji, A., Kikuchi, H. (eds.) ACNS 2017. LNCS, vol. 10355, pp. 20–38. Springer, Cham (2017). Scholar
  27. 27.
    Iyengar, S., Nekritz, K.: Building zero protocol for fast, secure mobile connections (2017).
  28. 28.
    Jager, T., Kohlar, F., Schäge, S., Schwenk, J.: On the security of TLS-DHE in the standard model. In: Safavi-Naini, R., Canetti, R. (eds.) CRYPTO 2012. LNCS, vol. 7417, pp. 273–293. Springer, Heidelberg (2012). Scholar
  29. 29.
    Kario, H.: Add 3072, 7680 and 15360 bit RSA tests to openssl speed.!topic/
  30. 30.
    Kiayias, A., Papadopoulos, S., Triandopoulos, N., Zacharias, T.: Delegatable pseudorandom functions and applications. In: Sadeghi, A.R., Gligor, V.D., Yung, M. (eds.) ACM CCS 2013, Berlin, Germany, 4–8 November, pp. 669–684. ACM Press (2013)Google Scholar
  31. 31.
    Krawczyk, H., Paterson, K.G., Wee, H.: On the security of the TLS protocol: a systematic analysis. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013, Part I. LNCS, vol. 8042, pp. 429–448. Springer, Heidelberg (2013). Scholar
  32. 32.
    Langley, A.: How to botch TLS forward secrecy (2013).
  33. 33.
    Langley, A.: Post-quantum confidentiality for TLS (2018).
  34. 34.
    Lin, Z.: TLS session resumption: full-speed and secure (2015).
  35. 35.
    Lychev, R., Jero, S., Boldyreva, A., Nita-Rotaru, C.: How secure and quick is QUIC? Provable security and performance analyses. In: 2015 IEEE Symposium on Security and Privacy, pp. 214–231. IEEE Computer Society Press, San Jose, 17–21 May 2015Google Scholar
  36. 36.
    MacCarthaigh, C.: Security Review of TLS 1.3 0-RTT., Accessed 29 July 2018
  37. 37.
    Rescorla, E.: TLS 0-RTT and Anti-Replay (2015).
  38. 38.
  39. 39.
    Rescorla, E.: The Transport Layer Security (TLS) Protocol Version 1.3. RFC 8446 (2018).
  40. 40.
    Rogaway, P.: Authenticated-encryption with associated-data. In: Atluri, V. (ed.) ACM CCS 2002, Washington D.C., USA, 18–22 November, pp. 98–107. ACM Press (2002)Google Scholar
  41. 41.
    Sahai, A., Waters, B.: How to use indistinguishability obfuscation: deniable encryption, and more. In: Shmoys, D.B. (ed.) 46th ACM STOC, New York, NY, USA, 31 May–3 June, pp. 475–484. ACM Press (2014)Google Scholar
  42. 42.
    Shamir, A.: On the generation of cryptographically strong pseudorandom sequences. ACM Trans. Comput. Syst. 1(1), 38–44 (1983). Scholar
  43. 43.
    Springall, D., Durumeric, Z., Halderman, J.A.: Measuring the security harm of TLS crypto shortcuts. In: Proceedings of the 2016 Internet Measurement Conference, pp. 33–47. ACM (2016)Google Scholar
  44. 44.
    Sullivan, N.: Introducing Zero Round Trip Time Resumption (2017).
  45. 45.
    The OpenSSL Project: OpenSSL: The open source toolkit for SSL/TLS.

Copyright information

© International Association for Cryptologic Research 2019

Authors and Affiliations

  1. 1.Tel Aviv UniversityTel AvivIsrael
  2. 2.Paderborn UniversityPaderbornGermany

Personalised recommendations