0-RTT Key Establishment with Full Forward Secrecy
Felix Günther (1), Britta Hale (2), Tibor Jager (3), Sebastian Lauer (4)
(1) Technischen Universität Darmstadt
(2) NTNU Norwegian University of Science and Technology
(3) Paderborn University
(4) Ruhr-Universität Bochum
Eurocrypt 2017

0-RTT with full forward secrecy
Yes, it is possible!
Britta Hale | EUROCRYPT 2017 | 2/ 256

key exchange latency
Round-Trip Time (RTT)
[Diagram: Client, Server; 1-RTT, 2-RTT]

key exchange latency
TLS+TCP (Client, Server):
• 1-RTT: TCP SYN, TCP SYN+ACK
• 1-RTT: ClientHello, ServerHello, Enc.Extensions, Server Finished, Client Finished
• Session Key: K (Client), Session Key: K (Server)

key exchange latency
TLS + UDP (Client, Server):
• 1-RTT: TCP SYN, TCP SYN+ACK
• 1-RTT: ClientHello, ServerHello, Enc.Extensions, Server Finished, Client Finished
• Session Key: K (Client), Session Key: K (Server)

Why not send cryptographically protected payload immediately?

Zero Round-Trip Time (0-RTT)
[Diagram: Client, Server; payload; 0-RTT]

• QUIC by ... (Quick UDP Internet Connections)

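QUIC Protocol
Server: $(pk_{sig}, sk_{sig})$, $sk$
Client (prior session): config: $g^{sk}$, $\mathrm{Sig}(sk_{sig}, g^{sk})$
Client: $a \in \mathbb{Z}_q$, $k = g^{a \cdot sk}$
Client → Server: $g^{a}$, $\mathrm{Enc}(k, \text{payload})$
Server: $b \in \mathbb{Z}_q$
Server → Client: $\mathrm{Enc}(k, g^{b})$
Client: $K = g^{ab}$; Server: $K = g^{ab}$
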
QUIC Protocol
Issues: Replay
Server: $(pk_{sig}, sk_{sig})$, $sk$
Client: $k = g^{a \cdot sk}$
Client → Server: $g^{a}$, $\mathrm{Enc}(k, \text{payload})$
Replay: $g^{a}$, $\mathrm{Enc}(k, \text{payload})$

QUIC Protocol
Issues: Forward Secrecy
Server: $(pk_{sig}, sk_{sig})$, $sk$, $k = g^{a \cdot sk}$
Client: $k = g^{a \cdot sk}$
Client → Server: $g^{a}$, $\mathrm{Enc}(k, \text{payload})$

Forward Secrecy
Threat Landscape:
[Timeline: $K_0$, $k_1$, $K_1$, $k_i$, $K_i$; Learn long-term key]
Are past session keys secure?
Perfect Forward Secrecy:
• Long-term key compromised
• Past session keys remain secure

QUIC
[Timeline: medium-lived; Learn long-term key; $K_0$, $k_1$, $K_1$, $k_i$, $K_i$]

Is Perfect Forward Secrecy even possible for 0-RTT?

Yes!
Our design:
• Full Forward Secrecy
• Replay protection
• Based on hierarchical ID-based key encapsulation mechanism (with selective security) and one-time signatures
• Flexible to different instantiations/assumptions
  • post-quantum
  • pairings
  • etc...

Core idea:
Server: static public key – private key can be updated
→ Forward Secret KEM
→ Forward Secret 0-RTT KE

Forward Secure 0-RTT KE
Core idea:
Server: $(pk, sk)$
Client: $(C, K) \leftarrow \mathrm{Enc}(pk)$
Client → Server: $C$
Server: $K \leftarrow \mathrm{Dec}(sk, C)$
Server: $sk \leftarrow \mathrm{Punct}(sk, C) \approx sk / C$
Client: $K$; Server: $K$

Hierarchical ID-Based KEM
[Key tree, one level per line]
$sk$
$sk_{0}$, $sk_{1}$
$sk_{00}$, $sk_{01}$, $sk_{10}$, $sk_{11}$
$sk_{000}$, $sk_{001}$, $sk_{010}$, $sk_{011}$, $sk_{100}$, $sk_{101}$, $sk_{110}$, $sk_{111}$
$sk_{0010}$, $sk_{0011}$

Puncturing private key $sk$
[Key tree, one level per line]
$sk$
$sk_{0}$, $sk_{1}$
$sk_{00}$, $sk_{01}$, $sk_{10}$, $sk_{11}$
$sk_{000}$, $sk_{001}$, $sk_{010}$, $sk_{011}$, $sk_{100}$, $sk_{101}$, $sk_{110}$, $sk_{111}$
$sk_{0010}$, $sk_{0011}$
• private key size ≈ #punctures × log(max #punctures/timeslot) + log(#timeslots)
• #punctures = #sessions

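The puncturing bookkeeping on the key tree above, as an added example (not code from the talk or the paper): the server erases the stored ancestor of the used leaf and keeps only the sibling keys along its path, so that leaf can no longer be derived while every other leaf still can. Assumptions: HMAC-SHA256 stands in for HIBKEM key delegation (so this is not a public-key KEM), identities are 4-bit strings standing for ciphertexts C, and the names `PuncturableKey`, `delegate` and `demo` are hypothetical.

```python
import hashlib
import hmac

def delegate(key: bytes, bit: str) -> bytes:
    """One-way child-key derivation; stands in for HIBKEM key delegation."""
    return hmac.new(key, bit.encode(), hashlib.sha256).digest()

class PuncturableKey:
    """Server key as a set of tree-node keys, indexed by bit-string prefix."""

    def __init__(self, root: bytes):
        self.nodes = {"": root}  # "" is the root key sk

    def _ancestor(self, ident: str):
        # Stored prefixes are disjoint, so at most one of them covers ident.
        for i in range(len(ident) + 1):
            if ident[:i] in self.nodes:
                return ident[:i]
        return None

    def derive(self, ident: str):
        """Leaf key for ident, or None if ident has been punctured."""
        anc = self._ancestor(ident)
        if anc is None:
            return None
        key = self.nodes[anc]
        for bit in ident[len(anc):]:
            key = delegate(key, bit)
        return key

    def puncture(self, ident: str) -> None:
        """Erase the ancestor of ident; keep only sibling keys off its path."""
        anc = self._ancestor(ident)
        if anc is None:
            return  # already punctured
        key = self.nodes.pop(anc)
        for i in range(len(anc), len(ident)):
            sibling = "1" if ident[i] == "0" else "0"
            self.nodes[ident[:i] + sibling] = delegate(key, sibling)
            key = delegate(key, ident[i])  # path key: used, never stored

def demo():
    sk = PuncturableKey(b"\x00" * 32)  # constructed root key, demo only
    first, other = sk.derive("0010"), sk.derive("0011")
    sk.puncture("0010")  # the session for leaf 0010 is done
    replay = sk.derive("0010")  # same leaf again: must fail
    return first, replay, other == sk.derive("0011"), sorted(sk.nodes)

if __name__ == "__main__":
    print(demo()[1:])
```

After one puncture the key holds four node keys (`000`, `0011`, `01`, `1`), one per tree level, which is where the per-puncture log factor in the slide's key-size estimate comes from.
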
Purging the private key: time sync intervals $t_0, t_1, \ldots$
[Key tree, one level per line]
$sk$
$sk_{0}$, $sk_{1}$
[Annotation: erase after $t_0$]
$sk_{00}$, $sk_{01}$, $sk_{10}$, $sk_{11}$
$sk_{000}$, $sk_{001}$, $sk_{010}$, $sk_{011}$, $sk_{100}$, $sk_{101}$, $sk_{110}$, $sk_{111}$

Evaluation:
Barreto-Naehrig elliptic curve P256, bilinear pairing, pk 128 bits, one-time sig pk 256 bits, timeslot length 30 bits, avg. clock rate 3.2 GHz
• Enc: ms
• Dec: seconds
• Puncturing: seconds
→ need only selective security
... Room for improvement?
... vs. Green and Myers S&P ’15:
• Any HIBE vs. specific bilinear groups
• CCA-secure in standard model vs. ROM

Summary
Now:
• FS 0-RTT key exchange + security model
• Generic construction + security proof (from one-time signatures and any hierarchical ID-based KEM with selective security)
Future:
• Optimize KEM key delegation
• Make it practical!

Questions?

acknowledgements
Some slide designs are based on presentations of the same work by co-authors Felix Günther and Tibor Jager