Cryptology ePrint Archive: Report 2021/467

Key-schedule Security for the TLS 1.3 Standard

Chris Brzuska and Antoine Delignat-Lavaud and Christoph Egger and CÚdric Fournet and Konrad Kohbrok and Markulf Kohlweiss

Abstract: We analyze the security of the TLS 1.3 key establishment protocol, as specified at the end of its rigorous standardization process. We define a core key-schedule and reduce its security to concrete assumptions against an adversary that controls client and server configurations and adaptively chooses some of their keys. Our model supports all key derivations featured in the standard, including its negotiated modes and algorithms that combine an optional Diffie-Hellman exchange for forward secrecy with optional pre-shared keys supplied by the application or recursively established in prior sessions. We show that the output keys are secure as soon as any of their input key materials are. Our compositional, code-based proof makes use of state separation to yield concrete reductions despite the complexity of the key schedule. We also discuss (late) changes to the standard that would improve its robustness and simplify its analysis.

Category / Keywords: cryptographic protocols / TLS, key schedule, concrete security, agility, key exchange, expand, extract, state separation, composable security, real world protocols, protocols, protocol analysis

Date: received 11 Apr 2021

Contact author: chris brzuska at aalto fi,antdl@microsoft com,christoph egger@fau de,fournet@microsoft com,mkohlwei@ed ac uk,konrad kohbrok@aalto fi

Available format(s): PDF | BibTeX Citation

Version: 20210412:180150 (All versions of this report)

Short URL: ia.cr/2021/467


[ Cryptology ePrint archive ]