International Association for Cryptologic Research

IACR News item: 19 December 2015

Britta Hale, Tibor Jager, Sebastian Lauer, Jörg Schwenk
ePrint Report
Low-latency key exchange (LLKE) protocols allow for the transmission of cryptographically protected payload data without requiring the prior exchange of messages of a cryptographic key exchange protocol, while providing perfect forward secrecy. The LLKE concept was first realized by Google in the QUIC protocol, and a low-latency mode is currently under discussion for inclusion in TLS 1.3.

In LLKE two keys are generated, typically using a Diffie-Hellman key exchange. The first key is a combination of an ephemeral client share and a long-lived server share. The second key is computed using an ephemeral server share and the same ephemeral client share.

In this paper, we propose (relatively) simple, novel security models, which catch the intuition behind known LLKE protocols; namely that the first (respectively, second) key should remain indistinguishable from a random value, even if the second (respectively, first) key is revealed. We call this property strong key independence. We also give the first constructions of LLKE which are provably secure in these models, based on the generic assumption that secure non-interactive key exchange (NIKE) exists.
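
The two-key structure described in the second paragraph, as an added example that is not code from the paper or from QUIC/TLS, and not the paper's NIKE-based construction. It assumes a toy Diffie-Hellman group and an HMAC-SHA256 derivation step; all function names and labels are hypothetical.

```python
import hashlib
import hmac
import secrets

# Toy parameters (assumption, illustration only): 2**127 - 1 is prime but far
# too small for real use; deployments use X25519 or a standardized group.
P = 2**127 - 1
G = 3

def enc(n):
    return n.to_bytes(16, "big")

def keygen():
    """Return (secret exponent, public share G^x mod P)."""
    x = secrets.randbelow(P - 3) + 2
    return x, pow(G, x, P)

def derive(label, shared, *shares):
    """32-byte key from a DH value, bound to a label and the public shares used."""
    return hmac.new(label, enc(shared) + b"".join(map(enc, shares)), hashlib.sha256).digest()

def client_first_flight(server_static_pub):
    """Client: fresh ephemeral share; k1 is usable before any server reply."""
    c_priv, c_pub = keygen()
    k1 = derive(b"k1", pow(server_static_pub, c_priv, P), c_pub, server_static_pub)
    return c_priv, c_pub, k1

def server_respond(s_static_priv, s_static_pub, c_pub):
    """Server: recompute k1 from its long-lived share, then make k2 from a fresh one."""
    k1 = derive(b"k1", pow(c_pub, s_static_priv, P), c_pub, s_static_pub)
    s_eph_priv, s_eph_pub = keygen()
    k2 = derive(b"k2", pow(c_pub, s_eph_priv, P), c_pub, s_eph_pub)
    return k1, s_eph_pub, k2

def client_finish(c_priv, c_pub, s_eph_pub):
    """Client: same ephemeral share, now combined with the server's ephemeral share."""
    return derive(b"k2", pow(s_eph_pub, c_priv, P), c_pub, s_eph_pub)

def run_exchange():
    s_static_priv, s_static_pub = keygen()  # long-lived, known to the client in advance
    c_priv, c_pub, client_k1 = client_first_flight(s_static_pub)
    server_k1, s_eph_pub, server_k2 = server_respond(s_static_priv, s_static_pub, c_pub)
    client_k2 = client_finish(c_priv, c_pub, s_eph_pub)
    return {"client_k1": client_k1, "server_k1": server_k1,
            "client_k2": client_k2, "server_k2": server_k2}

if __name__ == "__main__":
    for name, key in run_exchange().items():
        print(name, key.hex())
```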

Additional news items may be found on the IACR news page.