Paper 2020/1029

Tighter Proofs for the SIGMA and TLS 1.3 Key Exchange Protocols

Hannah Davis
Felix Günther

We give new, fully-quantitative and concrete bounds that justify the SIGMA and TLS 1.3 key exchange protocols not just in principle, but in practice. By this we mean that, for standardized elliptic curve group sizes, the overall protocol actually achieves the intended security level. Prior work gave reductions of both protocols' security to the underlying building blocks that were loose (in the number of users and/or sessions), so loose that they gave no guarantees for practical parameters. Adapting techniques by Cohn-Gordon et al. (Crypto 2019), we give reductions for SIGMA and TLS 1.3 to the strong Diffie-Hellman problem which are tight. Leveraging our tighter bounds, we meet the protocols' targeted security levels when instantiated with standardized curves and improve over prior bounds by up to over 90 bits of security across a range of real-world parameters.

Note: Attribute generic group model bound for the Strong Diffie-Hellman problem to Abdalla et al.

Available format(s)
Cryptographic protocols
Publication info
Published elsewhere. 19th International Conference on Applied Cryptography and Network Security (ACNS 2021)
Key exchange SIGMA TLS 1.3 security bounds tightness
Contact author(s)
h3davis @ eng ucsd edu
mail @ felixguenther info
2022-11-09: last of 2 revisions
2020-08-27: received
See all versions
Short URL
Creative Commons Attribution


      author = {Hannah Davis and Felix Günther},
      title = {Tighter Proofs for the SIGMA and TLS 1.3 Key Exchange Protocols},
      howpublished = {Cryptology ePrint Archive, Paper 2020/1029},
      year = {2020},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.