Cryptology ePrint Archive: Report 2020/1029

Tighter Proofs for the SIGMA and TLS 1.3 Key Exchange Protocols

Hannah Davis and Felix Günther

Abstract: We give new proofs that justify the SIGMA and TLS 1.3 key exchange protocols not just in principle, but in practice. By this we mean that, for standardized elliptic curve group sizes, the overall protocol actually achieves the intended security level.

Prior work gave reductions of both protocols' security to the underlying building blocks that were loose (in the number of users and/or sessions), so loose that they gave no guarantees for practical parameters. Adapting techniques by Cohn-Gordon et al. (Crypto 2019), we give reductions for SIGMA and TLS 1.3 to the strong Diffie-Hellman problem which are tight, and prove that this problem is as hard as solving discrete logarithms in the generic group model. Leveraging our tighter and fully-quantitative bounds, we meet the protocols' targeted security levels when instantiated with standardized curves and improve over prior bounds by up to over 80 bits of security across a range of real-world parameters.

Category / Keywords: cryptographic protocols / Key exchange, SIGMA, TLS 1.3, security bounds, tightness

Date: received 25 Aug 2020, last revised 26 Aug 2020

Contact author: h3davis at eng ucsd edu, mail@felixguenther info


Version: 20200827:031328

Short URL: ia.cr/2020/1029
