A Modern View on Forward Security

Boyd, Colin; Gellert, Kai

doi:10.1093/comjnl/bxaa104

Cited by 26 publications

(20 citation statements)

References 20 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Therefore, the Signal protocol also includes a semi-static key in user pre-key bundles, and always includes key derivations based on that semi-static key. If the Signal server runs out of ephemeral pre-keys, the corresponding key share is not derived and left out; in that case the semi-static key share still provides delayed forward secrecy [14]. We capture this similarly in SPQR by encapsulating a key-ciphertext pair (𝐾 3 , 𝑐 3 ) against Bob's ephemeral KEM public key 𝑒𝑝𝑘 𝐵 only if the latter is present.…”

Section: Initiator Registrationmentioning

confidence: 99%

Post-quantum Asynchronous Deniable Key Exchange and the Signal Handshake

Brendel

Fiedler

Günther

et al. 2022

Lecture Notes in Computer Science

View full text Add to dashboard Cite

The key exchange protocol that establishes initial shared secrets in the handshake of the Signal end-to-end encrypted messaging protocol has several important characteristics: (1) it runs asynchronously (without both parties needing to be simultaneously online), (2) it provides implicit mutual authentication while retaining deniability (transcripts cannot be used to prove either party participated in the protocol), and (3) it retains security even if some keys are compromised (forward secrecy and beyond). All of these properties emerge from clever use of the highly flexible Diffie-Hellman protocol.While quantum-resistant key encapsulation mechanisms (KEMs) can replace Diffie-Hellman key exchange in some settings, there is no KEM-based replacement for the Signal handshake that achieves all three aforementioned properties, in part due to the inherent asymmetry of KEM operations. In this paper, we show how to construct asynchronous deniable key exchange by combining KEMs and designated verifier signature (DVS) schemes. There are several candidates for post-quantum DVS schemes, either direct constructions or via ring signatures. This yields a template for an efficient post-quantum realization of the Signal handshake with the same asynchronicity and security properties as the original Signal protocol.

show abstract

Section: Initiator Registrationmentioning

confidence: 99%

Post-quantum Asynchronous Deniable Key Exchange and the Signal Handshake

Brendel

Fiedler

Günther

et al. 2022

Lecture Notes in Computer Science

View full text Add to dashboard Cite

show abstract

“…For a more general treatment of the notion of "forward security" and "forward secrecy" in non-interactive contexts (such as 0-RTT protocols or instant messaging), we refer to a work by Boyd and Gellert [13].…”

Section: Session Ticketsmentioning

confidence: 99%

Session Resumption Protocols and Efficient Forward Security for TLS 1.3 0-RTT

2021

Self Cite

View full text Add to dashboard Cite

The TLS 1.3 0-RTT mode enables a client reconnecting to a server to send encrypted application-layer data in “0-RTT” (“zero round-trip time”), without the need for a prior interactive handshake. This fundamentally requires the server to reconstruct the previous session’s encryption secrets upon receipt of the client’s first message. The standard techniques to achieve this are session caches or, alternatively, session tickets. The former provides forward security and resistance against replay attacks, but requires a large amount of server-side storage. The latter requires negligible storage, but provides no forward security and is known to be vulnerable to replay attacks. In this paper, we first formally define session resumption protocols as an abstract perspective on mechanisms like session caches and session tickets. We give a new generic construction that provably provides forward security and replay resilience, based on puncturable pseudorandom functions (PPRFs). We show that our construction can immediately be used in TLS 1.3 0-RTT and deployed unilaterally by servers, without requiring any changes to clients or the protocol. To this end, we present a generic composition of our new construction with TLS 1.3 and prove its security. This yields the first construction that achieves forward security for all messages, including the 0-RTT data. We then describe two new constructions of PPRFs, which are particularly suitable for use for forward-secure and replay-resilient session resumption in TLS 1.3. The first construction is based on the strong RSA assumption. Compared to standard session caches, for “128-bit security” it reduces the required server storage by a factor of almost 20, when instantiated in a way such that key derivation and puncturing together are cheaper on average than one full exponentiation in an RSA group. Hence, a 1 GB session cache can be replaced with only about 51 MBs of storage, which significantly reduces the amount of secure memory required. For larger security parameters or in exchange for more expensive computations, even larger storage reductions are achieved. The second construction combines a standard binary tree PPRF with a new “domain extension” technique. For a reasonable choice of parameters, this reduces the required storage by a factor of up to 5 compared to a standard session cache. It employs only symmetric cryptography, is suitable for high-traffic scenarios, and can serve thousands of tickets per second.

show abstract

“…As the time-based constructions were inspired by forwardsecure encryption, the qualifier "forward-secure" was added to the primitive's name. For a detailed discussion on the meaning of forward secrecy in non-interactive settings such as 0-RTT, we refer to a recent work by Gellert and Boyd [14].…”

Section: Introductionmentioning

confidence: 99%

Bloom Filter Encryption and Applications to Efficient Forward-Secret 0-RTT Key Exchange

Derler¹,

Gellert

Jager

et al. 2021

J Cryptol

Self Cite

View full text Add to dashboard Cite

Forward secrecy is considered an essential design goal of modern key establishment (KE) protocols, such as TLS 1.3, for example. Furthermore, efficiency considerations such as zero round-trip time (0-RTT), where a client is able to send cryptographically protected payload data along with the very first KE message, are motivated by the practical demand for secure low-latency communication. For a long time, it was unclear whether protocols that simultaneously achieve 0-RTT and full forward secrecy exist. Only recently, the first forward-secret 0-RTT protocol was described by Günther et al. (Eurocrypt, 2017). It is based on puncturable encryption. Forward secrecy is achieved by “puncturing” the secret key after each decryption operation, such that a given ciphertext can only be decrypted once (cf. also Green and Miers, S&P 2015). Unfortunately, their scheme is completely impractical, since one puncturing operation takes between 30 s and several minutes for reasonable security and deployment parameters, such that this solution is only a first feasibility result, but not efficient enough to be deployed in practice. In this paper, we introduce a new primitive that we term Bloom filter encryption (BFE), which is derived from the probabilistic Bloom filter data structure. We describe different constructions of BFE schemes and show how these yield new puncturable encryption mechanisms with extremely efficient puncturing. Most importantly, a puncturing operation only involves a small number of very efficient computations, plus the deletion of certain parts of the secret key, which outperforms previous constructions by orders of magnitude. This gives rise to the first forward-secret 0-RTT protocols that are efficient enough to be deployed in practice. We believe that BFE will find applications beyond forward-secret 0-RTT protocols.

show abstract

A Modern View on Forward Security

Cited by 26 publications

References 20 publications

Post-quantum Asynchronous Deniable Key Exchange and the Signal Handshake

Post-quantum Asynchronous Deniable Key Exchange and the Signal Handshake

Session Resumption Protocols and Efficient Forward Security for TLS 1.3 0-RTT

Bloom Filter Encryption and Applications to Efficient Forward-Secret 0-RTT Key Exchange

Contact Info

Product

Resources

About