Abstract
The recent KEMTLS protocol (Schwabe, Stebila and Wiggers, CCS’20) is a promising design for a quantum-safe TLS handshake protocol. Focused on the web setting, wherein clients learn server public-key certificates only during connection establishment, a drawback of KEMTLS compared to TLS 1.3 is that it introduces an additional round trip before the server can send data, and an extra one for the client as well in the case of mutual authentication. In many scenarios, including IoT and embedded settings, client devices may however have the targeted server certificate pre-loaded, so that such performance penalty seems unnecessarily restrictive.
This work proposes a variant of KEMTLS tailored to such scenarios. Our protocol leverages the fact that clients know the server public keys in advance to decrease handshake latency while protecting client identities. It combines medium-lived with long-term server public keys to enable a delayed form of forward secrecy even from the first data flow on, and full forward secrecy upon the first round trip. The new protocol is proved to achieve strong security guarantees, based on the security of the underlying building blocks, in a new model for multi-stage key exchange with medium-lived keys.
S. Rastikian—Part of the work was completed while the second author was affiliated with DIENS, École Normale Supérieure, PSL University, Paris, France.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Similar content being viewed by others
Notes
- 1.
The server does so once per client; the client will then switch to the next key for subsequent handshakes.
References
Aviram, N., Gellert, K., Jager, T.: Session resumption protocols and efficient forward security for TLS 1.3 0-RTT. In: Ishai, Y., Rijmen, V. (eds.) EUROCRYPT 2019. LNCS, vol. 11477, pp. 117–150. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-17656-3_5
Aviram, N., Gellert, K., Jager, T.: Session resumption protocols and efficient forward security for TLS 1.3 0-RTT. J. Cryptol. 34(3), 1–57 (2021). https://doi.org/10.1007/s00145-021-09385-0
Bellare, M., Boldyreva, A., Desai, A., Pointcheval, D.: Key-privacy in public-key encryption. In: Boyd, C. (ed.) ASIACRYPT 2001. LNCS, vol. 2248, pp. 566–582. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-45682-1_33
Bellare, M., Canetti, R., Krawczyk, H.: Keying hash functions for message authentication. In: Koblitz, N. (ed.) CRYPTO 1996. LNCS, vol. 1109, pp. 1–15. Springer, Heidelberg (1996). https://doi.org/10.1007/3-540-68697-5_1
Bellare, M., Rogaway, P.: Entity authentication and key distribution. In: Stinson, D.R. (ed.) CRYPTO 1993. LNCS, vol. 773, pp. 232–249. Springer, Heidelberg (1994). https://doi.org/10.1007/3-540-48329-2_21
Bhargavan, K., Brzuska, C., Fournet, C., Green, M., Kohlweiss, M., Zanella-Béguelin, S.: Downgrade resilience in key-exchange protocols. In: 2016 IEEE Symposium on Security and Privacy, pp. 506–525. IEEE Computer Society Press, May 2016. https://doi.org/10.1109/SP.2016.37
Birr-Pixton, J.: A modern TLS library in rust. https://github.com/ctz/rustls
Boyd, C., Gellert, K.: A modern view on forward security. Cryptology ePrint Archive, Report 2019/1362 (2019). https://eprint.iacr.org/2019/1362
Chen, C., et al.: NTRU. Technical report, National Institute of Standards and Technology (2020). https://csrc.nist.gov/projects/post-quantum-cryptography/round-3-submissions
D’Anvers, J.P., et al.: SABER. Technical report, National Institute of Standards and Technology (2020). https://csrc.nist.gov/projects/post-quantum-cryptography/round-3-submissions
Davis, H., Günther, F.: Tighter proofs for the SIGMA and TLS 1.3 key exchange protocols. Cryptology ePrint Archive, Report 2020/1029 (2020). https://eprint.iacr.org/2020/1029
Diemert, D., Jager, T.: On the tight security of TLS 1.3: theoretically-sound cryptographic parameters for real-world deployments. Cryptology ePrint Archive, Report 2020/726 (2020). https://eprint.iacr.org/2020/726
Dowling, B., Fischlin, M., Günther, F., Stebila, D.: A cryptographic analysis of the TLS 1.3 handshake protocol candidates. In: Ray, I., Li, N., Kruegel, C. (eds.) ACM CCS 2015, pp. 1197–1210. ACM Press, October 2015. https://doi.org/10.1145/2810103.2813653
Dowling, B., Fischlin, M., Günther, F., Stebila, D.: A cryptographic analysis of the TLS 1.3 handshake protocol. J. Cryptol. 34(4), 1–69 (2021). https://doi.org/10.1007/s00145-021-09384-1
Dowling, B., Stebila, D.: Modelling ciphersuite and version negotiation in the TLS protocol. In: Foo, E., Stebila, D. (eds.) ACISP 2015. LNCS, vol. 9144, pp. 270–288. Springer, Cham (2015). https://doi.org/10.1007/978-3-319-19962-7_16
Smartm2m; guidelines for security, privacy and interoperability in IoT system definition; a concrete approach. Technical report. ETSI SR 003 680, ETSI (2020)
Fagan, M., Megas, K., Scarfone, K., Smith, M.: Foundational cybersecurity activities for IoT device manufacturers. Technical report. NISTIR 8259, NIST (2020)
Fagan, M., Megas, K., Scarfone, K., Smith, M.: IoT device cybersecurity capability core baseline. Technical report. NISTIR 8259A, NIST (2020)
Fischlin, M., Günther, F.: Multi-stage key exchange and the case of Google’s QUIC protocol. In: Ahn, G.J., Yung, M., Li, N. (eds.) ACM CCS 2014, pp. 1193–1204. ACM Press, November 2014. https://doi.org/10.1145/2660267.2660308
Fischlin, M., Günther, F.: Replay attacks on zero round-trip time: the case of the TLS 1.3 handshake candidates. In: 2017 IEEE European Symposium on Security and Privacy, EuroS&P 2017, pp. 60–75. IEEE, April 2017
Grubbs, P., Maram, V., Paterson, K.G.: Anonymous, robust post-quantum public key encryption. Cryptology ePrint Archive, Report 2021/708 (2021). https://eprint.iacr.org/2021/708
Günther, F.: Modeling advanced security aspects of key exchange and secure channel protocols. Ph.D. thesis, Technische Universität, Darmstadt (2018). http://tuprints.ulb.tu-darmstadt.de/7162/
Günther, F., Rastikian, S., Towa, P., Wiggers, T.: KEMTLS with delayed forward identity protection in (almost) a single round trip. Cryptology ePrint Archive, Report 2021/725 (2021). https://eprint.iacr.org/2021/725
Jao, D., et al.: SIKE. Technical report, National Institute of Standards and Technology (2020). https://csrc.nist.gov/projects/post-quantum-cryptography/round-3-submissions
Kannwischer, M., Rijneveld, J., Schwabe, P., Stebila, D., Wiggers, T.: PQClean: clean, portable, tested implementations of post quantum cryptography. https://github.com/pqclean/pqclean
Krawczyk, H.: SIGMA: the ‘SIGn-and-MAc’ approach to authenticated Diffie-Hellman and its use in the IKE protocols. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 400–425. Springer, Heidelberg (2003). https://doi.org/10.1007/978-3-540-45146-4_24
Krawczyk, H.: Cryptographic extraction and key derivation: the HKDF scheme. In: Rabin, T. (ed.) CRYPTO 2010. LNCS, vol. 6223, pp. 631–648. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-14623-7_34
Krawczyk, H., Wee, H.: The OPTLS protocol and TLS 1.3. Cryptology ePrint Archive, Report 2015/978 (2015). https://eprint.iacr.org/2015/978
Kwiatkowski, K., Valenta, L.: The TLS post-quantum experiment (2019). https://blog.cloudflare.com/the-tls-post-quantum-experiment/
Langley, A.: Cecpq2 (2018). https://www.imperialviolet.org/2018/12/12/cecpq2.html
Lyubashevsky, V., et al.: Crystals-Dilithium. Technical report, National Institute of Standards and Technology (2020). https://csrc.nist.gov/projects/post-quantum-cryptography/round-3-submissions
Mohassel, P.: A closer look at anonymity and robustness in encryption schemes. In: Abe, M. (ed.) ASIACRYPT 2010. LNCS, vol. 6477, pp. 501–518. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-17373-8_29
NIST: Submission requirements and evaluation criteria for the post-quantum cryptography standardization process. Technical report (2016)
Prest, T., et al.: FALCON. Technical report, National Institute of Standards and Technology (2020). https://csrc.nist.gov/projects/post-quantum-cryptography/round-3-submissions
Rescorla, E.: The Transport Layer Security (TLS) Protocol Version 1.3. RFC 8446 (Proposed Standard), August 2018. https://doi.org/10.17487/RFC8446, https://www.rfc-editor.org/rfc/rfc8446.txt
Santesson, S., Tschofenig, H.: Transport Layer Security (TLS) Cached Information Extension. RFC 7924, July 2016. https://doi.org/10.17487/RFC7924, https://rfc-editor.org/rfc/rfc7924.txt
Schwabe, P., et al.: CRYSTALS-Kyber. Technical report, National Institute of Standards and Technology (2020). https://csrc.nist.gov/projects/post-quantum-cryptography/round-3-submissions
Schwabe, P., Stebila, D., Wiggers, T.: Post-quantum TLS without handshake signatures. In: Ligatti, J., Ou, X., Katz, J., Vigna, G. (eds.) ACM CCS 2020, pp. 1461–1480. ACM Press, November 2020. https://doi.org/10.1145/3372297.3423350
Schwabe, P., Stebila, D., Wiggers, T.: More efficient post-quantum KEMTLS with pre-distributed public keys. In: Bertino, E., Shulman, H., Waidner, M. (eds.) ESORICS 2021. LNCS, vol. 12972, pp. 3–22. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-88418-5_1
Sjöberg, K., Andres, P., Buburuzan, T., Brakemeier, A.: C-ITS deployment in Europe - current status and outlook. CoRR abs/1609.03876 (2016). http://arxiv.org/abs/1609.03876
Song, F.: A note on quantum security for post-quantum cryptography. In: Mosca, M. (ed.) PQCrypto 2014. LNCS, vol. 8772, pp. 246–265. Springer, Cham (2014). https://doi.org/10.1007/978-3-319-11659-4_15
Stebila, D., Mosca, M.: Post-quantum key exchange for the internet and the open quantum safe project. In: Avanzi, R., Heys, H. (eds.) Selected Areas in Cryptography – SAC 2016, SAC 2016. LNCS, vol. 10532, pp. 14–37. Springer, Cham (2016). https://doi.org/10.1007/978-3-319-69453-5_2
Acknowledgments
The authors thank Kenny Paterson and Cédric Fournet for helpful discussions. This work was supported by the Eurostars ZERO-TOUCH Project (E113920) and the European Research Council under Grant Agreement No. 805031 (EPOQUE). Felix Günther was supported in part by German Research Foundation (DFG) Research Fellowship grant GU 1859/1-1.
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2022 Springer Nature Switzerland AG
About this paper
Cite this paper
Günther, F., Rastikian, S., Towa, P., Wiggers, T. (2022). KEMTLS with Delayed Forward Identity Protection in (Almost) a Single Round Trip. In: Ateniese, G., Venturi, D. (eds) Applied Cryptography and Network Security. ACNS 2022. Lecture Notes in Computer Science, vol 13269. Springer, Cham. https://doi.org/10.1007/978-3-031-09234-3_13
Download citation
DOI: https://doi.org/10.1007/978-3-031-09234-3_13
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-09233-6
Online ISBN: 978-3-031-09234-3
eBook Packages: Computer ScienceComputer Science (R0)