On the Tight Security of TLS 1.3: Theoretically Sound Cryptographic Parameters for Real-World Deployments

@article{Diemert2020OnTT,
  title={On the Tight Security of TLS 1.3: Theoretically Sound Cryptographic Parameters for Real-World Deployments},
  author={Denis Diemert and Tibor Jager},
  journal={Journal of Cryptology},
  year={2020},
  volume={34},
  pages={1-57}
}
We consider the theoretically sound selection of cryptographic parameters, such as the size of algebraic groups or RSA keys, for TLS 1.3 in practice. While prior works gave security proofs for TLS 1.3, their security loss is quadratic in the total number of sessions across all users, which due to the pervasive use of TLS is huge. Therefore, in order to deploy TLS 1.3 in a theoretically sound way, it would be necessary to compensate this loss with unreasonably large parameters that would be… 

On the Concrete Security of TLS 1.3 PSK Mode

TLDR
This work addresses a gap in prior tight security proofs of TLS 1.3, which modeled either the entire key schedule or components thereof as independent random oracles to enable tight proof techniques, and proposes a new abstraction for the key schedule, carefully arguing its soundness via the indifferentiability framework.

Tighter Proofs for the SIGMA and TLS 1.3 Key Exchange Protocols

TLDR
New, fully-quantitative and concrete bounds that justify the SIGMA and TLS 1.3 key exchange protocols’ security levels are given, and it is proved that the strong Diffie–Hellman problem is as hard as solving discrete logarithms in the generic group model.

ASAP: Algorithm Substitution Attacks on Cryptographic Protocols

TLDR
This work shows that careful design of ASAs makes detection unlikely while leaking long-term secrets within a few messages in the case of TLS and WireGuard, allowing impersonation attacks, and that Signal's double-ratchet protocol shows higher immunity to ASAs, as the leakage requires many more messages.

Tightly-Secure Authenticated Key Exchange, Revisited

We introduce new tightly-secure authenticated key exchange (AKE) protocols that are extremely efficient, yet have only a constant security loss and can be instantiated in the random oracle model both

Session Resumption Protocols and Efficient Forward Security for TLS 1.3 0-RTT

TLDR
This paper gives a new generic construction that provably provides forward security and replay resilience, based on puncturable pseudorandom functions (PPRFs), and describes two new constructions of PPRFs which are particularly suitable for use for forward-secure and replay-resilient session resumption in TLS 1.3.

Construction and Security Analysis of 0-RTT Protocols

TLDR
This thesis presents the first 0-RTT session resumption protocol that indeed achieves forward security for all messages and shows that the protocol can be incorporated into the recently standardized TLS 1.3 handshake without modifications to client-side implementations.

Cryptographic Analysis of the Bluetooth Secure Connection Protocol Suite

TLDR
It is shown that the Bluetooth protocol still matches the common key secrecy requirements of a key exchange protocol if one assumes a trust-on-first-use (TOFU) relationship, which means that the adversary needs to mount an active attack during the initial connection, otherwise the subsequent reconnections remain secure.

On IND-qCCA Security in the ROM and Its Applications - CPA Security Is Sufficient for TLS 1.3

TLDR
This work shows that IND-qCCA is easily obtained from any passively secure PKE in the (Q)ROM, and implies that the PRF-ODH assumption used to prove the security of TLS 1.3 is not necessary and can be replaced by the CDH assumption in the ROM.

More Efficient Digital Signatures with Tight Multi-User Security

TLDR
This work constructs the currently most efficient signature schemes with tight multi-user security against adaptive corruptions and proposes a new variant of the generic construction of signatures from sequential OR-proofs, based on lossy identification schemes, to achieve strong existential unforgeability.

Lattice-based Signatures with Tight Adaptive Corruptions and More

TLDR
This work constructs the first tightly secure signature schemes in the multi-user setting with adaptive corruptions from lattices, based on the Learning with Errors (LWE) assumption, and formally rules out the possibility that the aforementioned “ID-to-Signature” methodology can work tightly using parallel OR proofs.
