The TLS 1.3 0-RTT mode enables a client reconnecting to a server to send encrypted application-layer data in “0-RTT” (“zero round-trip time”), without the need for a prior interactive handshake. This fundamentally requires the server to reconstruct the previous session’s encryption secrets upon receipt of the client’s first message. The standard techniques to achieve this are session caches or, alternatively, session tickets. The former provides forward security and resistance against replay attacks, but requires a large amount of server-side storage. The latter requires negligible storage, but provides no forward security and is known to be vulnerable to replay attacks. In this paper, we first formally define session resumption protocols as an abstract perspective on mechanisms like session caches and session tickets. We give a new generic construction that provably provides forward security and replay resilience, based on puncturable pseudorandom functions (PPRFs). We show that our construction can immediately be used in TLS 1.3 0-RTT and deployed unilaterally by servers, without requiring any changes to clients or the protocol. To this end, we present a generic composition of our new construction with TLS 1.3 and prove its security. This yields the first construction that achieves forward security for all messages, including the 0-RTT data. We then describe two new constructions of PPRFs, which are particularly suitable for use for forward-secure and replay-resilient session resumption in TLS 1.3. The first construction is based on the strong RSA assumption. Compared to standard session caches, for “128-bit security” it reduces the required server storage by a factor of almost 20, when instantiated in a way such that key derivation and puncturing together are cheaper on average than one full exponentiation in an RSA group. Hence, a 1 GB session cache can be replaced with only about 51 MBs of storage, which significantly reduces the amount of secure memory required. For larger security parameters or in exchange for more expensive computations, even larger storage reductions are achieved. The second construction combines a standard binary tree PPRF with a new “domain extension” technique. For a reasonable choice of parameters, this reduces the required storage by a factor of up to 5 compared to a standard session cache. It employs only symmetric cryptography, is suitable for high-traffic scenarios, and can serve thousands of tickets per second.

TLS 1.3 0-RTT模式使客户端可以重新连接到服务器，从而以“ 0-RTT”（“零往返时间”）发送加密的应用程序层数据，而无需事先进行交互式握手。从根本上讲，这要求服务器在接收到客户端的第一条消息后，重新构建先前会话的加密机密。实现此目的的标准技术是会话缓存或会话票证。前者提供了向前的安全性并可以抵抗重放攻击，但是需要大量的服务器端存储。后者所需的存储空间可忽略不计，但没有提供前向安全性，并且已知容易受到重放攻击。在本文中，我们首先正式定义会话恢复协议作为会话缓存和会话票证等机制的抽象观点。我们提供了一种新的通用构造，该构造基于可穿孔的伪随机函数（PPRF）可证明提供前向安全性和重播弹性。我们证明了我们的构造可以立即用于TLS 1.3 0-RTT中，并可以由服务器单方面部署，而无需对客户端或协议进行任何更改。为此，我们介绍了使用TLS 1.3的新构造的一般组成，并证明了其安全性。这产生了第一种结构，该结构实现了所有人的向前安全性消息，包括0-RTT数据。然后，我们描述PPRF的两种新结构，它们特别适合用于TLS 1.3中的前向安全和重放恢复会话恢复。第一种构造基于强大的RSA假设。与标准会话缓存相比，对于“ 128位安全性”，在实例化时，它使所需的服务器存储量减少了将近20倍，从而使密钥派生和打孔在一起的平均费用要比RSA组中的一个完整指数便宜。 。因此，一个1 GB的会话缓存只能用大约51 MB的存储空间代替，这大大减少了所需的安全内存量。对于更大的安全性参数或换取更昂贵的计算，甚至可以实现更大的存储量减少。第二种结构将标准的二叉树PPRF与新的“域扩展”技术结合在一起。为合理选择参数，与标准会话缓存相比，这最多可将所需的存储减少5倍。它仅采用对称加密，适用于高流量情况，并且每秒可处理数千张票证。