{"id":2308,"date":"2018-01-16T14:20:21","date_gmt":"2018-01-16T14:20:21","guid":{"rendered":"https:\/\/prismacloud.eu\/?p=2308"},"modified":"2018-04-03T12:11:46","modified_gmt":"2018-04-03T12:11:46","slug":"bloom-filter-encryption-and-applications-to-efficient-forward-secret-0-rtt-key-exchange","status":"publish","type":"post","link":"https:\/\/prismacloud.eu\/bloom-filter-encryption-and-applications-to-efficient-forward-secret-0-rtt-key-exchange\/","title":{"rendered":"Bloom Filter Encryption and Applications to Efficient Forward-Secret 0-RTT Key Exchange"},"content":{"rendered":"<p style=\"text-align: justify;\"><strong>Title<\/strong><\/p>\n<p style=\"text-align: justify;\">Bloom Filter Encryption and Applications to Efficient Forward-Secret 0-RTT Key Exchange<\/p>\n<p style=\"text-align: justify;\"><strong>Authors<\/strong><\/p>\n<p style=\"text-align: justify;\">David Derler, Tibor Jager, Daniel Slamanig, Christoph Striecks<\/p>\n<p style=\"text-align: justify;\"><strong>Abstract<\/strong><\/p>\n<p style=\"text-align: justify;\">Forward secrecy is considered an essential design goal of modern key establishment (KE) protocols, such as TLS 1.3, for example. Furthermore, efficiency considerations such as zero round-trip time (0-RTT), where a client is able to send cryptographically protected payload data with the very first KE message, are motivated by the practical demand for secure low-latency communication.<br \/>\nFor a long time, it was unclear whether protocols that simultaneously achieve 0-RTT and full forward secrecy exist. Only recently, the first forward-secure 0-RTT protocol was described by G\u00fcnther et al. (EUROCRYPT 2017). It is based on Puncturable Encryption. 
Unfortunately, their scheme is completely impractical, since one puncturing operation takes between 30 seconds and several minutes for reasonable security and deployment parameters, such that this solution is only a first feasibility result, but not efficient enough to be deployed in practice.<br \/>\nForward security is achieved by \"puncturing\" the secret key after each decryption operation, such that a given ciphertext can only be decrypted once (cf. also Green and Miers, S&amp;P 2015).<br \/>\nIn this paper, we introduce a new primitive that we term Bloom Filter Encryption (BFE), which is derived from the probabilistic Bloom filter data structure.<br \/>\nWe describe different constructions of BFE schemes, and show how these yield new puncturable encryption mechanisms with extremely efficient puncturing. Most importantly, a puncturing operation only involves a small number of very efficient computations, plus the deletion of certain parts of the secret key, which outperforms previous constructions by orders of magnitude. This gives rise to the first forward-secure 0-RTT protocols that are efficient enough to be deployed in practice. We, however, believe that BFE will find applications beyond forward-secure 0-RTT protocols.<\/p>\n<p style=\"text-align: justify;\"><strong>Venue<\/strong><\/p>\n<p style=\"text-align: justify;\">EUROCRYPT 2018 (<a href=\"https:\/\/eurocrypt.iacr.org\/2018\/\">https:\/\/eurocrypt.iacr.org\/2018\/<\/a>)<\/p>\n<p style=\"text-align: justify;\"><strong>Place and Date<\/strong><\/p>\n<p style=\"text-align: justify;\">Tel Aviv, Israel,\u00a0April 29-May 3, 2018<\/p>\n<p>[<a href=\"https:\/\/eprint.iacr.org\/2018\/199.pdf\">Download<\/a>]<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Forward secrecy is considered an essential design goal of modern key establishment (KE) protocols, such as TLS 1.3, for example. 
Furthermore, efficiency considerations such as zero round-trip time (0-RTT), where a client is able to send cryptographically protected payload data with the very first KE message, are motivated by the practical demand for secure low-latency communication.<br \/>\nFor a long time, it was unclear whether protocols that simultaneously achieve 0-RTT and full forward secrecy exist. Only recently, the first forward-secure 0-RTT protocol was described by G\u00fcnther et al. (EUROCRYPT 2017). It is based on Puncturable Encryption. Unfortunately, their scheme is completely impractical, since one puncturing operation takes between 30 seconds and several minutes for reasonable security and deployment parameters, such that this solution is only a first feasibility result, but not efficient enough to be deployed in practice.<br \/>\nForward security is achieved by \"puncturing\" the secret key after each decryption operation, such that a given ciphertext can only be decrypted once (cf. also Green and Miers, S&#038;P 2015).<br \/>\nIn this paper, we introduce a new primitive that we term Bloom Filter Encryption (BFE), which is derived from the probabilistic Bloom filter data structure.<br \/>\nWe describe different constructions of BFE schemes, and show how these yield new puncturable encryption mechanisms with extremely efficient puncturing. Most importantly, a puncturing operation only involves a small number of very efficient computations, plus the deletion of certain parts of the secret key, which outperforms previous constructions by orders of magnitude. This gives rise to the first forward-secure 0-RTT protocols that are efficient enough to be deployed in practice. 
We, however, believe that BFE will find applications beyond forward-secure 0-RTT protocols.<\/p>\n","protected":false},"author":2,"featured_media":1898,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[7,8],"tags":[],"_links":{"self":[{"href":"https:\/\/prismacloud.eu\/wp-json\/wp\/v2\/posts\/2308"}],"collection":[{"href":"https:\/\/prismacloud.eu\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/prismacloud.eu\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/prismacloud.eu\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/prismacloud.eu\/wp-json\/wp\/v2\/comments?post=2308"}],"version-history":[{"count":5,"href":"https:\/\/prismacloud.eu\/wp-json\/wp\/v2\/posts\/2308\/revisions"}],"predecessor-version":[{"id":2579,"href":"https:\/\/prismacloud.eu\/wp-json\/wp\/v2\/posts\/2308\/revisions\/2579"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/prismacloud.eu\/wp-json\/wp\/v2\/media\/1898"}],"wp:attachment":[{"href":"https:\/\/prismacloud.eu\/wp-json\/wp\/v2\/media?parent=2308"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/prismacloud.eu\/wp-json\/wp\/v2\/categories?post=2308"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/prismacloud.eu\/wp-json\/wp\/v2\/tags?post=2308"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}