Project Details
Foundations of Low-Latency Key Exchange
Applicant
Professor Dr.-Ing. Tibor Jager
Subject Area
Security and Dependability, Operating-, Communication- and Distributed Systems
Term
from 2016 to 2022
Project identifier
Deutsche Forschungsgemeinschaft (DFG) - Project number 290131697
Authenticated key exchange (AKE) protocols are implemented in all modern Web browsers of personal computers, smartphones, and tablet computers. We use them every day when reading e-mails, doing online banking, shopping online, or transmitting passwords over the Internet. Classical AKE protocols like TLS incur a huge latency overhead, which stems from the fact that a relatively large number of protocol messages must be exchanged before the first cryptographically protected payload message can be transmitted.
A recent breakthrough is based on the observation that a cleverly designed AKE protocol, which enables either party to transmit cryptographically protected messages already with the first AKE protocol message, makes it possible to establish a key without unnecessary latency. Such protocols are called low-latency key exchange (LLKE) protocols.
Interestingly, the concept of LLKE originates not from academia, but from industry, motivated by concrete practical demands of distributed applications. The idea of LLKE stems from the Quick UDP Internet Connections (QUIC) protocol recently proposed by Google. QUIC aims at reducing the latency for key establishment to a minimum, while still providing all security guarantees expected from a key-exchange protocol on the Internet. QUIC is implemented in recent versions of the Google Chrome web browser and the Opera web browser, and it is in use on Google's web servers. In a sense, practice is currently ahead of academic research on LLKE protocols. Such a situation appears from time to time, in particular in the development of Internet technologies. However, it is clearly not desirable. Particularly in the area of cryptographic security protocols, which are often in widespread use over a very long time, it is important that we have a very good understanding of the security guarantees provided by these protocols and their limitations.
The current state of the art of LLKE protocols raises a number of intriguing research questions with great importance for both the theoretical foundations of cryptology and practical applications of cryptographic protocols. Even though LLKE is an interesting primitive of high practical relevance, all previous works in this area provide an a posteriori security analysis of QUIC [FG14, LJBN15]. Most importantly, we do not yet have any foundational constructions, for example from generic complexity assumptions, with tight security, or with "full" forward security. The latter is considered an important security goal of modern key exchange protocols. The project described in this proposal will provide such foundational constructions of low-latency protocols, and of key-refreshing key exchange protocols, which generalize the concept of LLKE.
DFG Programme
Research Grants