0-RTT Key Exchange with Full Forward Secrecy
https://eprint.iacr.org/2017/223
2017-03-07 06:48
According to cryptographic folklore, it is impossible to achieve forward secrecy for this message, because the session key used to protect it must depend on a non-ephemeral secret of the receiver. If this secret is later leaked to an attacker, it should intuitively be possible for the attacker to compute the session key by performing the same computations as the receiver in the actual session. In this paper we show that this belief is actually false. We construct the first 0-RTT key exchange protocol which provides full forward secrecy for all transmitted payload messages and is automatically resilient to replay attacks.
Shove it into overdrive. Highway to the danger zone.
source: green