Our main technical contribution is to address a gap in prior tight security proofs of TLS 1.3 which modeled either the entire key schedule or components thereof as independent random oracles to enable tight proof techniques. These approaches ignore existing interdependencies in TLS 1.3's key schedule, arising from the fact that the same cryptographic hash function is used in several components of the key schedule and the handshake more generally. We overcome this gap by proposing a new abstraction for the key schedule and carefully arguing its soundness via the indifferentiability framework. Interestingly, we observe that for one specific configuration, PSK-only mode with hash function SHA-384, it seems difficult to argue indifferentiability due to a lack of domain separation between the various hash function usages. We view this as an interesting insight for the design of protocols, such as future TLS versions.
For all other configurations, however, our proofs significantly tighten the security of the TLS 1.3 PSK modes, confirming standardized parameters (for which prior bounds provided subpar or even void guarantees) and enabling a theoretically sound deployment.
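The interdependency the abstract refers to is easy to see once the key schedule is instrumented. The following Python sketch is an added example, not code from the paper or its authors: it implements the PSK-only key schedule of RFC 8446 (HKDF-Extract, HKDF-Expand-Label, Transcript-Hash and the PSK binder MAC) over a hash wrapper that records every raw input handed to the underlying hash function, tagged with the component that produced it. The component names, the `TracedHash` class and the sample inputs are constructed for this example; the grouping by input length only shows that the usages are not told apart by length alone and does not reproduce the paper's indifferentiability argument, which is what actually decides whether the usages are domain-separated.

```python
"""Instrumented sketch of the TLS 1.3 PSK-only key schedule up to the PSK binder
(RFC 8446 sections 7.1 and 4.2.11.2). Added illustration, not the paper's model:
it shows that HKDF-Extract, HKDF-Expand-Label, Transcript-Hash and the binder
MAC all bottom out in the same hash function."""
import hashlib
import hmac
from dataclasses import dataclass, field


@dataclass
class TracedHash:
    """Wraps a hashlib algorithm and records (component, raw_input_length)
    for every invocation, so shared use across components can be inspected."""
    algo: str
    calls: list = field(default_factory=list)

    @property
    def length(self) -> int:          # Hash.length in RFC 8446 terms
        return hashlib.new(self.algo).digest_size

    @property
    def block_size(self) -> int:      # B in RFC 2104 terms
        return hashlib.new(self.algo).block_size

    def H(self, component: str, data: bytes) -> bytes:
        self.calls.append((component, len(data)))
        return hashlib.new(self.algo, data).digest()

    def mac(self, component: str, key: bytes, msg: bytes) -> bytes:
        # HMAC written out (RFC 2104) so the inner and outer hash calls show up
        # in the trace individually instead of hiding inside hmac.new.
        B = self.block_size
        if len(key) > B:
            key = self.H(component + "/hmac-key", key)
        key = key.ljust(B, b"\x00")
        ipad = bytes(k ^ 0x36 for k in key)
        opad = bytes(k ^ 0x5C for k in key)
        inner = self.H(component + "/hmac-inner", ipad + msg)
        return self.H(component + "/hmac-outer", opad + inner)


def hkdf_extract(t, component, salt, ikm):
    return t.mac(component, salt, ikm)      # HKDF-Extract(salt, IKM) = HMAC(salt, IKM)


def hkdf_expand_label(t, component, secret, label, context, length):
    # HkdfLabel = uint16 length || opaque label<7..255> ("tls13 " + Label) || opaque context<0..255>
    full_label = b"tls13 " + label
    hkdf_label = (length.to_bytes(2, "big") + bytes([len(full_label)]) + full_label
                  + bytes([len(context)]) + context)
    assert length <= t.length               # a single HKDF-Expand block (RFC 5869) suffices here
    return t.mac(component, secret, hkdf_label + b"\x01")[:length]


def transcript_hash(t, component, messages):
    return t.H(component + "/transcript", messages)


def psk_binder(algo, resumption_master_secret, ticket_nonce, truncated_client_hello):
    """Derive the binder of a resumption PSK; return it together with the hash trace."""
    t = TracedHash(algo)
    L = t.length
    psk = hkdf_expand_label(t, "psk", resumption_master_secret, b"resumption", ticket_nonce, L)
    early_secret = hkdf_extract(t, "early-secret", bytes(L), psk)
    binder_key = hkdf_expand_label(t, "binder-key", early_secret, b"res binder",
                                   transcript_hash(t, "binder-key", b""), L)
    finished_key = hkdf_expand_label(t, "finished-key", binder_key, b"finished", b"", L)
    binder = t.mac("binder", finished_key, transcript_hash(t, "binder", truncated_client_hello))
    return binder, t


def components_by_hash_input_length(t):
    """Group traced components by the byte length of the raw input they hand to the
    hash. Components sharing a length are not separated by length alone."""
    groups = {}
    for component, n in t.calls:
        groups.setdefault(n, set()).add(component)
    return groups


def hmac_matches_stdlib(algo):
    """Sanity check: the hand-written HMAC agrees with hmac.new."""
    return TracedHash(algo).mac("check", b"k", b"m") == hmac.new(b"k", b"m", algo).digest()


# Constructed sample inputs (not RFC 8448 test vectors).
SAMPLE_RMS = bytes(range(48))
SAMPLE_NONCE = b"\x00\x01"
SAMPLE_CLIENT_HELLO = b"\x01" + b"\xAA" * 99     # 100 bytes standing in for a truncated ClientHello


def demo(algo="sha256"):
    rms = SAMPLE_RMS[: TracedHash(algo).length]
    binder, t = psk_binder(algo, rms, SAMPLE_NONCE, SAMPLE_CLIENT_HELLO)
    return binder, components_by_hash_input_length(t)


if __name__ == "__main__":
    for algo in ("sha256", "sha384"):
        binder, groups = demo(algo)
        print(algo, binder.hex())
        for n in sorted(groups):
            print(f"  {n:4d}-byte hash input <- {sorted(groups[n])}")
```

Running it prints, for SHA-256 and SHA-384, which components fed inputs of each length to the hash: the Early Secret extraction, every HKDF-Expand outer call and the binder MAC all hand the hash inputs of the same length, so any proof that treats these usages as independent oracles has to justify that separation some other way, which is the gap the paper's abstraction and indifferentiability argument address.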
Category / Keywords: cryptographic protocols / key exchange; indifferentiability; tightness; Transport Layer Security; TLS 1.3
Original Publication (with major differences): IACR-EUROCRYPT-2022
Date: received 25 Feb 2022, last revised 28 Feb 2022
Contact author: h3davis at eng ucsd edu, denis diemert at uni-wuppertal de, mail at felixguenther info, tibor jager at uni-wuppertal de
Version: 20220302:135513
Short URL: ia.cr/2022/246