# On the Tight Security of TLS 1.3: Theoretically Sound Cryptographic Parameters for Real-World Deployments

```bibtex
@article{Diemert2020OnTT,
  title   = {On the Tight Security of TLS 1.3: Theoretically Sound Cryptographic Parameters for Real-World Deployments},
  author  = {Denis Diemert and Tibor Jager},
  journal = {Journal of Cryptology},
  year    = {2020},
  volume  = {34},
  pages   = {1-57}
}
```

We consider the theoretically sound selection of cryptographic parameters, such as the size of algebraic groups or RSA keys, for TLS 1.3 in practice. While prior works gave security proofs for TLS 1.3, their security loss is quadratic in the total number of sessions across all users, which due to the pervasive use of TLS is huge. Therefore, in order to deploy TLS 1.3 in a theoretically sound way, it would be necessary to compensate this loss with unreasonably large parameters that would be…

## 23 Citations

### On the Concrete Security of TLS 1.3 PSK Mode

- Computer Science, Mathematics
- IACR Cryptol. ePrint Arch.
- 2022

This work addresses a gap in prior tight security proofs of TLS 1.3, which modeled either the entire key schedule or components thereof as independent random oracles to enable tight proof techniques, and proposes a new abstraction for the key schedule, carefully arguing its soundness via the indifferentiability framework.

### Tighter Proofs for the SIGMA and TLS 1.3 Key Exchange Protocols

- Computer Science, Mathematics
- IACR Cryptol. ePrint Arch.
- 2020

New, fully-quantitative and concrete bounds that justify the SIGMA and TLS 1.3 key exchange protocols’ security levels are given, and it is proved that the strong Diffie–Hellman problem is as hard as solving discrete logarithms in the generic group model.

### ASAP: Algorithm Substitution Attacks on Cryptographic Protocols

- Computer Science, Mathematics
- IACR Cryptol. ePrint Arch.
- 2020

This work shows that careful design of ASAs makes detection unlikely while leaking long-term secrets within a few messages in the case of TLS and WireGuard, allowing impersonation attacks, and shows that Signal's double-ratchet protocol has higher immunity to ASAs, as the leakage requires many more messages.

### Tightly-Secure Authenticated Key Exchange, Revisited

- Computer Science, Mathematics
- IACR Cryptol. ePrint Arch.
- 2020

We introduce new tightly-secure authenticated key exchange (AKE) protocols that are extremely efficient, yet have only a constant security loss and can be instantiated in the random oracle model both…

### Session Resumption Protocols and Efficient Forward Security for TLS 1.3 0-RTT

- Computer Science
- IACR Cryptol. ePrint Arch.
- 2019

This paper gives a new generic construction that provably provides forward security and replay resilience, based on puncturable pseudorandom functions (PPRFs), and describes two new constructions of PPRFs which are particularly suitable for use for forward-secure and replay-resilient session resumption in TLS 1.3.

### Construction and Security Analysis of 0-RTT Protocols

- Computer Science, Mathematics
- 2020

This thesis presents the first 0-RTT session resumption protocol that indeed achieves forward security for all messages and shows that the protocol can be incorporated into the recently standardized TLS 1.3 handshake without modifications to client-side implementations.

### Cryptographic Analysis of the Bluetooth Secure Connection Protocol Suite

- Computer Science, Mathematics
- ASIACRYPT
- 2021

It is shown that the Bluetooth protocol still matches the common key secrecy requirements of a key exchange protocol if one assumes a trust-on-first-use (TOFU) relationship, which means that the adversary needs to mount an active attack during the initial connection, otherwise the subsequent reconnections remain secure.

### On IND-qCCA Security in the ROM and Its Applications - CPA Security Is Sufficient for TLS 1.3

- Computer Science, Mathematics
- EUROCRYPT
- 2022

This work shows that IND-qCCA is easily obtained from any passively secure PKE in the (Q)ROM, and implies that the PRF-ODH assumption used to prove the security of TLS 1.3 is not necessary and can be replaced by the CDH assumption in the ROM.

### More Efficient Digital Signatures with Tight Multi-User Security

- Computer Science, Mathematics
- IACR Cryptol. ePrint Arch.
- 2021

This work constructs the currently most efficient signature schemes with tight multi-user security against adaptive corruptions and proposes a new variant of the generic construction of signatures from sequential OR-proofs, based on lossy identification schemes, to achieve strong existential unforgeability.

### Lattice-based Signatures with Tight Adaptive Corruptions and More

- Computer Science, Mathematics
- IACR Cryptol. ePrint Arch.
- 2022

This work constructs the first tightly secure signature schemes in the multi-user setting with adaptive corruptions from lattices based on the Learning with Errors (LWE) assumption, and formally rules out the possibility that the aforementioned "ID-to-Signature" methodology can work tightly using parallel OR proofs.

## References


### Tighter Proofs for the SIGMA and TLS 1.3 Key Exchange Protocols

- Computer Science, Mathematics
- IACR Cryptol. ePrint Arch.
- 2020

New, fully-quantitative and concrete bounds that justify the SIGMA and TLS 1.3 key exchange protocols’ security levels are given, and it is proved that the strong Diffie–Hellman problem is as hard as solving discrete logarithms in the generic group model.

### On the Security of TLS-DHE in the Standard Model

- Computer Science, Mathematics
- CRYPTO
- 2012

The notion of authenticated and confidential channel establishment (ACCE) is defined as a new security model which captures precisely the security properties expected from TLS in practice, and the combination of the TLS Handshake with data encryption in the TLS Record Layer can be proven secure in this model.

### On the Security of the PKCS#1 v1.5 Signature Scheme

- Computer Science, Mathematics
- IACR Cryptol. ePrint Arch.
- 2018

This work introduces a new technique that enables the first security proof for RSA-PKCS#1 v1.5 signatures and proves full existential unforgeability against adaptive chosen-message attacks (EUF-CMA) under the standard RSA assumption.

### On the Security of TLS 1.3 and QUIC Against Weaknesses in PKCS#1 v1.5 Encryption

- Computer Science, Mathematics
- CCS
- 2015

Two attacks which transfer the potential weakness of prior TLS versions to two recently proposed protocols that do not even support PKCS#1 v1.5 are described, namely Google's QUIC protocol and TLS 1.3.

### miTLS: Verifying Protocol Implementations against Real-World Attacks

- Computer Science
- IEEE Security & Privacy
- 2016

The miTLS project intends to solve the apparent contradiction between published proofs and real-world attacks, which reveals a gap between TLS theory and practice and sheds light on recent attacks, yields security guarantees for typical TLS usages, and informs the design of the protocol's next version.

### On the Impossibility of Tight Cryptographic Reductions

- Computer Science, Mathematics
- IACR Cryptol. ePrint Arch.
- 2015

A new meta-reduction technique is described that enables interesting novel applications, including a formal proof that for certain cryptographic primitives, the security loss incurred when the primitive is transferred from an idealized single-user setting to the more realistic multi-user setting is impossible to avoid.

### Replay Attacks on Zero Round-Trip Time: The Case of the TLS 1.3 Handshake Candidates

- Computer Science, Mathematics
- 2017 IEEE European Symposium on Security and Privacy (EuroS&P)
- 2017

Previous security models for key exchange protocols supporting so-called zero round-trip time (0-RTT), enabling a client to establish a fresh provisional key without interaction, based only on cryptographic material obtained in previous connections, are extended to capture such cases.

### On the Security of the TLS Protocol: A Systematic Analysis

- Computer Science, Mathematics
- IACR Cryptol. ePrint Arch.
- 2013

This paper shows how to extract a key-encapsulation mechanism (KEM) from the TLS Handshake Protocol, and how the security of the entire TLS protocol follows from security properties of this KEM when composed with a secure authenticated encryption scheme in the Record Protocol.

### The Multi-user Security of GCM, Revisited: Tight Bounds for Nonce Randomization

- Computer Science, Mathematics
- CCS
- 2018

This paper revisits the multi-user (mu) security of GCM and provides new concrete security bounds which improve upon previous work by adopting a refined parameterization of adversarial resources that highlights the impact on security of (1) nonce re-use across users and of (2) re-keying.

### Optimal Security Proofs for PSS and Other Signature Schemes

- Computer Science, Mathematics
- EUROCRYPT
- 2001

A new security proof for PSS is derived in which a much shorter random salt is used to achieve the same security level; namely, it is shown that log2(q_sig) bits suffice, where q_sig is the number of signature queries made by the attacker.