Bloom Filter Encryption and Applications to Efficient Forward-Secret 0-RTT Key Exchange

2021 ◽  
Vol 34 (2) ◽  
Author(s):  
David Derler ◽  
Kai Gellert ◽  
Tibor Jager ◽  
Daniel Slamanig ◽  
Christoph Striecks

Abstract: Forward secrecy is considered an essential design goal of modern key establishment (KE) protocols, such as TLS 1.3, for example. Furthermore, efficiency considerations such as zero round-trip time (0-RTT), where a client is able to send cryptographically protected payload data along with the very first KE message, are motivated by the practical demand for secure low-latency communication. For a long time, it was unclear whether protocols that simultaneously achieve 0-RTT and full forward secrecy exist. Only recently, the first forward-secret 0-RTT protocol was described by Günther et al. (Eurocrypt, 2017). It is based on puncturable encryption. Forward secrecy is achieved by “puncturing” the secret key after each decryption operation, such that a given ciphertext can only be decrypted once (cf. also Green and Miers, S&P 2015). Unfortunately, their scheme is completely impractical, since one puncturing operation takes between 30 s and several minutes for reasonable security and deployment parameters, such that this solution is only a first feasibility result, but not efficient enough to be deployed in practice. In this paper, we introduce a new primitive that we term Bloom filter encryption (BFE), which is derived from the probabilistic Bloom filter data structure. We describe different constructions of BFE schemes and show how these yield new puncturable encryption mechanisms with extremely efficient puncturing. Most importantly, a puncturing operation only involves a small number of very efficient computations, plus the deletion of certain parts of the secret key, which outperforms previous constructions by orders of magnitude. This gives rise to the first forward-secret 0-RTT protocols that are efficient enough to be deployed in practice. We believe that BFE will find applications beyond forward-secret 0-RTT protocols.

2020 ◽  
Vol 2020 (2) ◽  
pp. 336-357
Author(s):  
Sebastian Lauer ◽  
Kai Gellert ◽  
Robert Merget ◽  
Tobias Handirk ◽  
Jörg Schwenk

Abstract: Maintaining privacy on the Internet in the presence of powerful adversaries such as nation-state attackers is a challenging topic, and the Tor project is currently the most important tool to protect against this threat. The circuit construction protocol (CCP) negotiates cryptographic keys for Tor circuits, which overlay TCP/IP by routing Tor cells over n onion routers. The current circuit construction protocol provides strong security guarantees such as forward secrecy by exchanging 𝒪(n²) messages. For several years it has been an open question if the same strong security guarantees could be achieved with less message overhead, which is desirable because of the inherent latency in overlay networks. Several publications described CCPs which require only 𝒪(n) message exchanges, but significantly reduce the security of the resulting Tor circuit. It was even conjectured that it is impossible to achieve both message complexity 𝒪(n) and forward secrecy immediately after circuit construction (so-called immediate forward secrecy). Inspired by the latest advancements in zero round-trip time key exchange (0-RTT), we present a new CCP protocol Tor 0-RTT (T0RTT). Using modern cryptographic primitives such as puncturable encryption allows us to achieve immediate forward secrecy using only 𝒪(n) messages. We implemented these new primitives to give a first indication of possible problems and how to overcome them in order to build practical CCPs with 𝒪(n) messages and immediate forward secrecy in the future.


2014 ◽  
Vol E97.B (10) ◽  
pp. 2145-2156
Author(s):  
Xinjie GUAN ◽  
Xili WAN ◽  
Ryoichi KAWAHARA ◽  
Hiroshi SAITO

2021 ◽  
pp. 101416
Author(s):  
Omar Hashem ◽  
Khaled A. Harras ◽  
Moustafa Youssef
