0-RTT Key Exchange

0 Round-Trip Time (0-RTT)

In 0-RTT KE two keys are generated, typically using a Diffie-Hellman key exchange.

The first key is a combination of an ephemeral client share and a long-lived server share.

The second key is computed using an ephemeral server share and the same ephemeral client share.

Google QUIC protocol 如下图所示:

[ACNS 2017] Simple Security Definitions for and Constructions of 0-RTT Key Exchange