Symmetric Key Exchange with Full Forward Security and Robust Synchronization

Boyd, Colin; Davies, Gareth T.; Kock, Bor de; Gellert, Kai; Jager, Tibor; Millerjord, Lise

doi:10.1007/978-3-030-92068-5_23

Cited by 11 publications

(1 citation statement)

References 27 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…The number of random oracle queries models the number of hash function computations an adversary is capable of computing. Accordingly, we scale the number of RO queries with the runtime, always setting #RO = t/2 10 . Number of pre-shared keys #N ∈ {2 25 , 2 35 }.…”

Section: Evaluation Detailsmentioning

confidence: 99%

On the Concrete Security of TLS 1.3 PSK Mode

Davis

Diemert

Günther

et al. 2022

Lecture Notes in Computer Science

Self Cite

View full text Add to dashboard Cite

The pre-shared key (PSK) handshake modes of TLS 1.3 allow for the performant, low-latency resumption of previous connections and are widely used on the Web and by resource-constrained devices, e.g., in the Internet of Things. Taking advantage of these performance benefits with optimal and theoretically-sound parameters requires tight security proofs. We give the first tight security proofs for the TLS 1.3 PSK handshake modes.Our main technical contribution is to address a gap in prior tight security proofs of TLS 1.3 which modeled either the entire key schedule or components thereof as independent random oracles to enable tight proof techniques. These approaches ignore existing interdependencies in TLS 1.3's key schedule, arising from the fact that the same cryptographic hash function is used in several components of the key schedule and the handshake more generally. We overcome this gap by proposing a new abstraction for the key schedule and carefully arguing its soundness via the indifferentiability framework. Interestingly, we observe that for one specific configuration, PSK-only mode with hash function SHA-384, it seems difficult to argue indifferentiability due to a lack of domain separation between the various hash function usages. We view this as an interesting insight for the design of protocols, such as future TLS versions.For all other configurations however, our proofs significantly tighten the security of the TLS 1.3 PSK modes, confirming standardized parameters (for which prior bounds provided subpar or even void guarantees) and enabling a theoretically-sound deployment.

show abstract

Section: Evaluation Detailsmentioning

confidence: 99%

On the Concrete Security of TLS 1.3 PSK Mode

Davis

Diemert

Günther

et al. 2022

Lecture Notes in Computer Science

Self Cite

View full text Add to dashboard Cite

show abstract

Symmetric Key Exchange with Full Forward Security and Robust Synchronization

Boyd

Davies

Kock

et al. 2021

Lecture Notes in Computer Science

View full text Add to dashboard Cite

We construct lightweight authenticated key exchange protocols based on pre-shared keys, which achieve full forward security and rely only on simple and efficient symmetric-key primitives. All of our protocols have rigorous security proofs in a strong security model, all have low communication complexity, and are particularly suitable for resource-constrained devices. We describe three protocols that apply linear key evolution to provide different performance and security properties. Correctness in parallel and concurrent protocol sessions is difficult to achieve for linearly key-evolving protocols, emphasizing the need for assurance of availability alongside the usual confidentiality and authentication security goals. We introduce synchronization robustness as a new formal security goal, which essentially guarantees that parties can re-synchronize efficiently. All of our new protocols achieve this property. Since protocols based on linear key evolution cannot guarantee that all concurrently initiated sessions successfully derive a key, we also propose two constructions with non-linear key evolution based on puncturable PRFs. These are instantiable from standard hash functions and require O(C • log(|CTR|)) memory, where C is the number of concurrent sessions and |CTR| is an upper bound on the total number of sessions per party. These are the first protocols to simultaneously achieve full forward security, synchronization robustness, and concurrent correctness.

show abstract

A Provably Secure, Lightweight Protocol for Anonymous Authentication

Katz

2022

Lecture Notes in Computer Science

View full text Add to dashboard Cite

Symmetric Key Exchange with Full Forward Security and Robust Synchronization

Cited by 11 publications

References 27 publications

On the Concrete Security of TLS 1.3 PSK Mode

On the Concrete Security of TLS 1.3 PSK Mode

Symmetric Key Exchange with Full Forward Security and Robust Synchronization

A Provably Secure, Lightweight Protocol for Anonymous Authentication

Contact Info

Product

Resources

About