Speeding: On Low-Latency Key Exchange.

Low-latency key exchange (LLKE) protocols allow for the transmission of cryptographically protected payload data without requiring the prior exchange of messages of a cryptographic key exchange protocol, while providing perfect forward secrecy. The LLKE concept was rst realized by Google in the QUIC protocol, and a low-latency mode is currently under discussion for inclusion in TLS 1.3. In LLKE two keys are generated, typically using a Di e-Hellman key exchange. The rst key is a combination of an ephemeral client share and a long-lived server share. The second key is computed using an ephemeral server share and the same ephemeral client share. In this paper, we propose (relatively) simple, novel security models, which catch the intuition behind known LLKE protocols; namely that the rst (respectively, second) key should remain indistinguishable from a random value, even if the second (respectively, rst) key is revealed. We call this property strong key independence. We also give the rst constructions of LLKE which are provably secure in these models, based on the generic assumption that secure non-interactive key exchange (NIKE) exists.