Simple Security Definitions for and Constructions of 0-RTT Key Exchange

Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10355)


Zero Round-Trip Time (0-RTT) key exchange protocols allow for the transmission of cryptographically protected payload data without requiring the prior exchange of messages of a cryptographic key exchange protocol. The 0-RTT KE concept was first realized by Google in the QUIC Crypto protocol, and a 0-RTT mode has been intensively discussed for inclusion in TLS 1.3.

In 0-RTT KE two keys are generated, typically using a Diffie-Hellman key exchange. The first key is a combination of an ephemeral client share and a long-lived server share. The second key is computed using an ephemeral server share and the same ephemeral client share.

In this paper, we propose simple security models, which catch the intuition behind known 0-RTT KE protocols; namely that the first (resp. second) key should remain indistinguishable from a random value, even if the second (resp. first) key is revealed. We call this property strong key independence. We also give the first constructions of 0-RTT KE which are provably secure in these models, based on the generic assumption that secure non-interactive key exchange (NIKE) exists.

This work was partially supported by an STSM Grant from COST Action IC1306.
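The two-key structure described in the abstract, as an added Python example (not code from the paper, and not its NIKE-based construction): the first key comes from the client's ephemeral share and the server's long-lived share, the second from the same client share and a fresh server share. It assumes X25519 as the Diffie-Hellman function, an HMAC-SHA256 stand-in for the KDF, and a long-lived server share that the client already holds authentically; the function names and the `k1`/`k2` labels are illustrative.

```python
import hashlib, hmac, secrets

P, A24 = 2**255 - 19, 121665
BASE = (9).to_bytes(32, "little")

def x25519(k: bytes, u: bytes) -> bytes:
    """X25519 from RFC 7748 in plain Python (illustrative, not constant-time)."""
    k_int = (int.from_bytes(k, "little") & ((1 << 255) - 8)) | (1 << 254)
    x1 = int.from_bytes(u, "little") & ((1 << 255) - 1)
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in reversed(range(255)):
        bit = (k_int >> t) & 1
        if swap ^ bit:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = bit
        a, b, c, d = x2 + z2, x2 - z2, x3 + z3, x3 - z3
        aa, bb, da, cb = a * a % P, b * b % P, d * a % P, c * b % P
        e = (aa - bb) % P
        x3, z3 = (da + cb) ** 2 % P, x1 * (da - cb) ** 2 % P
        x2, z2 = aa * bb % P, e * (aa + A24 * e) % P
    if swap:
        x2, z2 = x3, z3
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")

def keypair():
    sk = secrets.token_bytes(32)
    return sk, x25519(sk, BASE)

def kdf(dh: bytes, label: bytes, *shares: bytes) -> bytes:
    """Stand-in KDF: binds the key to its role and to the public shares."""
    if dh == bytes(32):  # all-zero output means a low-order peer share
        raise ValueError("invalid peer share")
    return hmac.new(dh, label + b"".join(shares), hashlib.sha256).digest()

def client_first(s_long_pk):
    """Client flight 1: fresh share; k1 can protect data sent alongside it."""
    c_sk, c_pk = keypair()
    return c_sk, c_pk, kdf(x25519(c_sk, s_long_pk), b"k1", c_pk, s_long_pk)

def server_respond(s_long_sk, s_long_pk, c_pk):
    """Server: k1 from its long-lived secret, k2 from a fresh ephemeral one."""
    s_eph_sk, s_eph_pk = keypair()
    k1 = kdf(x25519(s_long_sk, c_pk), b"k1", c_pk, s_long_pk)
    k2 = kdf(x25519(s_eph_sk, c_pk), b"k2", c_pk, s_long_pk, s_eph_pk)
    return s_eph_pk, k1, k2

def client_finish(c_sk, c_pk, s_long_pk, s_eph_pk):
    """Client after the server's reply: k2 from the same client share."""
    return kdf(x25519(c_sk, s_eph_pk), b"k2", c_pk, s_long_pk, s_eph_pk)
```

On the server side k1 is computed from the long-lived secret alone, whereas k2 requires the per-session ephemeral secret, so the two keys rest on different Diffie-Hellman values.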


Keywords: Foundations, Low-latency key exchange, 0-RTT protocols, Authenticated key exchange, Non-interactive key exchange, QUIC, TLS 1.3



Copyright information

© Springer International Publishing AG 2017

Authors and Affiliations

  1. NTNU, Norwegian University of Science and Technology, Trondheim, Norway
  2. Paderborn University, Paderborn, Germany
  3. Horst Görtz Institute, Ruhr-University Bochum, Bochum, Germany
