Puncturable Symmetric KEMs for Forward-Secret 0-RTT Key Exchange

Sammanfattning: The latest version of the Transport Layer Security protocol (TLS 1.3) introduces a pre-shared key zero round-trip time (0-RTT) mode. This enables session resumption with no latency before the first application data can be sent, at the cost of losing forward secrecy and replay protection. There is high demand from Internet companies for this performance-enhancing feature, and some service providers have chosen to already enable it by default despite the security compromise currently associated to it. In this work we explore the possibility to achieve forward secrecy for resumed sessions in 0-RTT mode, mitigating the security risks presently adherent to it. To abstract the key exchange in TLS 0-RTT mode, we introduce a new primitive which we call symmetric-key key encapsulation mechanisms (S-KEMs). Forward secrecy is attained through ``puncturing'' of the secret key, which we capture formally by puncturable S-KEMs (PS-KEMs). Furthermore, to enable optimizations that leverage ordering and to achieve the greatest possible generality of our model, we also introduce stateful versions of S-KEMs and PS-KEMs. We examine the relationship between these new primitives, give game-based functionality and security notions and show how pseudorandom functions (specifically based on the Goldreich-Goldwasser-Micali construction) can be used to build instantiations which meet the security goals.