Construction and Security Analysis of 0-RTT Protocols

Abstract

If two parties want to communicate over an insecure channel, they typically execute an interactive cryptographic handshake to establish a shared secret, before any application data is sent. In contrast, zero round-trip time (0-RTT) protocols allow a sender to immediately send encrypted application data (0-RTT data) to a receiver without executing an interactive handshake. One of the major challenges when designing 0-RTT protocols is to guarantee forward security for the 0-RTT data. Forward security ensures that compromise of a communicating party does not impact security of past communications. However, the lack of interactivity in 0-RTT protocols renders it difficult to achieve forward security for the 0-RTT data. Only recently, novel techniques to overcome this challenge have been discovered. This thesis investigates design approaches to 0-RTT protocols and proposes new constructions of 0-RTT protocols with forward security for all sent data. This thesis starts with a discussion on the concept of forward security in noninteractive settings. Traditionally, forward security can be achieved if communication partners interactively agree on fresh secrets. However, this view limits the understanding of what forward security should mean in a non-interactive setting. Hence, we propose new terminology for a unified treatment of forward security, capturing both interactive and non-interactive communication settings. The remainder of this thesis can be split into two parts. The first part focuses on the design of 0-RTT key exchange protocols. We investigate how to build 0-RTT key exchange protocols from Bloom filter key encapsulation mechanisms, and describe the first mechanism with constant-size ciphertexts. We then use this scheme to construct the first multi-hop 0-RTT protocol for efficient connection establishment in the context of anonymous communications. The second part of this thesis focuses in 0-RTT session resumption protocols. Session resumption protocols require an already established secret shared between sender and recipient. This secret can then be used to re-establish a secure connection. Despite prior belief, we present the first 0-RTT session resumption protocol that indeed achieves forward security for all messages. In contrast to existing 0-RTT key exchange protocols, our 0-RTT session resumption protocol is highly efficient as it only relies on symmetric primitives. We show that our protocol can be incorporated into the recently standardized TLS 1.3 handshake without modifications to client-side implementations. This means that our protocol is immediately deployable by content providers without requiring changes to the standard.