Paper 2022/246

On the Concrete Security of TLS 1.3 PSK Mode

Hannah Davis, University of California, San Diego
Denis Diemert, University of Wuppertal
Felix Günther, ETH Zurich
Tibor Jager, University of Wuppertal

The pre-shared key (PSK) handshake modes of TLS 1.3 allow for the performant, low-latency resumption of previous connections and are widely used on the Web and by resource-constrained devices, e.g., in the Internet of Things. Taking advantage of these performance benefits with optimal and theoretically-sound parameters requires tight security proofs. We give the first tight security proofs for the TLS 1.3 PSK handshake modes. Our main technical contribution is to address a gap in prior tight security proofs of TLS 1.3 which modeled either the entire key schedule or components thereof as independent random oracles to enable tight proof techniques. These approaches ignore existing interdependencies in TLS 1.3's key schedule, arising from the fact that the same cryptographic hash function is used in several components of the key schedule and the handshake more generally. We overcome this gap by proposing a new abstraction for the key schedule and carefully arguing its soundness via the indifferentiability framework. Interestingly, we observe that for one specific configuration, PSK-only mode with hash function SHA-384, it seems difficult to argue indifferentiability due to a lack of domain separation between the various hash function usages. We view this as an interesting insight for the design of protocols, such as future TLS versions. For all other configurations however, our proofs significantly tighten the security of the TLS 1.3 PSK modes, confirming standardized parameters (for which prior bounds provided subpar or even void guarantees) and enabling a theoretically-sound deployment.

Available format(s)
Cryptographic protocols
Publication info
A major revision of an IACR publication in EUROCRYPT 2022
key exchangeindifferentiabilitytightnessTransport Layer SecurityTLS 1.3
Contact author(s)
hannahedavis @ protonmail com
denis diemert @ uni-wuppertal de
mail @ felixguenther info
tibor jager @ uni-wuppertal de
2023-09-26: last of 2 revisions
2022-03-02: received
See all versions
Short URL
Creative Commons Attribution


      author = {Hannah Davis and Denis Diemert and Felix Günther and Tibor Jager},
      title = {On the Concrete Security of TLS 1.3 PSK Mode},
      howpublished = {Cryptology ePrint Archive, Paper 2022/246},
      year = {2022},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.