Foundations of Low-Latency Key Exchange

低延迟密钥交换的基础

• 批准号: 290131697
• 负责人: Professor Dr.-Ing. Tibor Jager
• 金额: --
• 依托单位: Lehrstuhl für IT Security and Cryptography
• 依托单位国家: 德国
• 项目类别: Research Grants
• 财政年份: 2016
• 资助国家: 德国
• 起止时间: 2015-12-31 至 2021-12-31
• 项目状态: 已结题
• 来源: https://gepris.dfg.de/gepris/projekt/290131697?language=en
• 关键词: Foundations; Low; Latency; Key; Exchange

Authenticated key exchange (AKE) protocols are implemented in all modern Web browsers of personal computers, smartphones, and tablet computers. We use them every day, when reading e-mails, doing online-banking, going online-shopping, or transmitting passwords over the Internet. Classical AKE protocols like TLS incur a huge latency overhead, which stems from the fact that a relatively large number of protocol messages must be exchanged before the first cryptographically protected payload message can be transmitted.A recent breakthrough is based on the observation that a cleverly designed AKE protocol, which enables either party to transmit cryptographically protected messages already with the first AKE protocol message, allows to establish a key without unnecessary latency. Such protocols are called low-latency key exchange (LLKE) protocols.Interestingly, the concept of LLKE originates not from academia, but from industry, motivated by concrete practical demands of distributed applications. The idea of LLKE stems from the Quick UDP Internet Connections (QUIC) protocol recently proposed by Google. QUIC aims at reducing the latency for key establishment to a minimum, while still providing all security guarantees expected from a key-exchange protocol on the Internet. QUIC is implemented in recent versions of the Google Chrome web browser, the Opera web browser, and it is in use on Google's web servers. In a sense, practice is currently ahead of academic research on LLKE protocols. Such a situation appears from time to time, in particular in the development of Internet technologies. However, it is clearly not desirable. In particular in the area of cryptographic security protocols, which are often in wide-spread use over a very long time, it is important that we have a very good understanding of the security guarantees provided by these protocols and their limitations.The current state-of-the-art of LLKE protocols raises a number of intriguing research questions with great importance for both the theoretical foundations of cryptology and practical applications of cryptographic protocols. Even though LLKE is an interesting primitive of high practical relevance, all previous works in this area provide an a posteriori security analysis of QUIC [FG14, LJBN15]. Most importantly, we do not yet have any foundational constructions, for example from generic complexity assumptions, with tight security, or with "full" forward security. The latter is considered an important security goal of modern key exchange protocols. In the project described in this proposal will provide such foundational constructions of low-latency protocols, and of key-refreshing key exchange protocols, which generalize the concept of LLKE.

认证密钥交换(AKE)协议在个人计算机、智能手机和平板电脑的所有现代Web浏览器中实现。我们每天都在使用它们，当阅读电子邮件、网上银行、网上购物或通过互联网传输密码时。经典的AKE协议如TLS会产生巨大的延迟开销，这是因为在发送第一个受密码保护的有效载荷消息之前必须交换相对大量的协议消息。最近的一个突破是基于观察到的一个巧妙设计的AKE协议，该协议允许任何一方传输已经具有第一个AKE协议消息的受密码保护的消息，允许在没有不必要延迟的情况下建立密钥。这种协议被称为低延迟密钥交换(LLKE)协议。有趣的是，LLKE的概念不是源于学术界，而是源于工业界，其动机是分布式应用的具体实际需求。Llke的想法源于Google最近提出的Quick UDP Internet Connections(Quic)协议。Quic的目标是将密钥建立的延迟降低到最低，同时仍然提供互联网上的密钥交换协议所期望的所有安全保证。Quic在最新版本的Google Chrome Web浏览器、Opera Web浏览器上实现，并在Google的Web服务器上使用。从某种意义上说，目前对LLKE协议的实践研究领先于学术研究。这种情况时有出现，特别是在互联网技术的发展中。然而，这显然是不可取的。尤其是在密码安全协议领域，我们必须很好地了解这些协议所提供的安全保证及其局限性。LLKE协议的最新发展提出了许多有趣的研究问题，对密码协议的理论基础和实际应用都具有重要意义。尽管Llke是一个具有很高实用价值的有趣原语，但这一领域的所有前人工作都提供了Quic[FG14，LJBN15]的后验安全分析。最重要的是，我们还没有任何基础结构，例如，根据一般的复杂性假设，具有严格的安全性，或具有“完全”向前安全性。后者被认为是现代密钥交换协议的重要安全目标。在本提案中描述的项目中将提供低延迟协议和密钥刷新密钥交换协议的基础结构，这些基础结构概括了LLKE的概念。