Cryptology ePrint Archive: Report 2022/246

On the Concrete Security of TLS 1.3 PSK Mode

Hannah Davis and Denis Diemert and Felix Günther and Tibor Jager

Abstract: The pre-shared key (PSK) handshake modes of TLS 1.3 allow for the performant, low-latency resumption of previous connections and are widely used on the Web and by resource-constrained devices, e.g., in the Internet of Things. Taking advantage of these performance benefits with optimal and theoretically-sound parameters requires tight security proofs. We give the first tight security proofs for the TLS 1.3 PSK handshake modes.

Our main technical contribution is to address a gap in prior tight security proofs of TLS 1.3 which modeled either the entire key schedule or components thereof as independent random oracles to enable tight proof techniques. These approaches ignore existing interdependencies in TLS 1.3's key schedule, arising from the fact that the same cryptographic hash function is used in several components of the key schedule and the handshake more generally. We overcome this gap by proposing a new abstraction for the key schedule and carefully arguing its soundness via the indifferentiability framework. Interestingly, we observe that for one specific configuration, PSK-only mode with hash function SHA-384, it seems difficult to argue indifferentiability due to a lack of domain separation between the various hash function usages. We view this as an interesting insight for the design of protocols, such as future TLS versions.

For all other configurations, however, our proofs significantly tighten the security of the TLS 1.3 PSK modes, confirming standardized parameters (for which prior bounds provided subpar or even void guarantees) and enabling a theoretically-sound deployment.
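The interdependency the abstract describes, with one hash function serving the transcript hash, HKDF and the Finished MAC, can be made visible by tracing every hash call during a PSK binder computation. The sketch below is an added example, not code from the paper: the formulas follow RFC 8446, and the function names, the `CALLS` trace and the input bytes are constructed for illustration.

```python
import hashlib

CALLS = []  # (component, input length) for each call to the single hash H

def H(name, data, component):
    CALLS.append((component, len(data)))
    return hashlib.new(name, data).digest()

def hmac_traced(name, key, msg, component):
    # HMAC (RFC 2104) written out so both inner and outer calls to H are visible
    block = hashlib.new(name).block_size
    if len(key) > block:
        key = H(name, key, component + "/key-hash")
    key = key.ljust(block, b"\x00")
    inner = H(name, bytes(b ^ 0x36 for b in key) + msg, component + "/hmac-inner")
    return H(name, bytes(b ^ 0x5C for b in key) + inner, component + "/hmac-outer")

def hkdf_extract(name, salt, ikm):
    return hmac_traced(name, salt, ikm, "HKDF-Extract")

def hkdf_expand_label(name, secret, label, context, length):
    full = b"tls13 " + label
    info = (length.to_bytes(2, "big") + bytes([len(full)]) + full
            + bytes([len(context)]) + context)
    # A single HMAC block is enough because length <= Hash.length here
    return hmac_traced(name, secret, info + b"\x01", "HKDF-Expand")[:length]

def psk_binder(name, psk, truncated_client_hello):
    n = hashlib.new(name).digest_size
    early = hkdf_extract(name, b"\x00" * n, psk)             # Early Secret
    empty = H(name, b"", "Transcript-Hash")                  # Transcript-Hash("")
    binder_key = hkdf_expand_label(name, early, b"res binder", empty, n)
    finished_key = hkdf_expand_label(name, binder_key, b"finished", b"", n)
    th = H(name, truncated_client_hello, "Transcript-Hash")
    return early, hmac_traced(name, finished_key, th, "Finished-MAC")

if __name__ == "__main__":
    # Constructed inputs: an all-zero PSK and placeholder ClientHello bytes
    early, binder = psk_binder("sha256", b"\x00" * 32, b"constructed ClientHello")
    print("early secret:", early.hex())
    print("binder:      ", binder.hex())
    for component, length in CALLS:
        print(f"{component:28s} H input = {length} bytes")
```

Every entry in the trace is a call to the same function `H`, distinguished only by what is fed into it, which is why modeling the components as independent random oracles needs a separate argument.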

Category / Keywords: cryptographic protocols / key exchange; indifferentiability; tightness; Transport Layer Security; TLS 1.3

Original Publication (with major differences): IACR-EUROCRYPT-2022

Date: received 25 Feb 2022, last revised 28 Feb 2022

Contact author: h3davis at eng ucsd edu, denis diemert at uni-wuppertal de, mail at felixguenther info, tibor jager at uni-wuppertal de


Version: 20220302:135513

Short URL: ia.cr/2022/246
