Tighter Proofs for the SIGMA and TLS 1.3 Key Exchange Protocols

  • Conference paper

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 12727)

Abstract

We give new, fully-quantitative and concrete bounds that justify the SIGMA and TLS 1.3 key exchange protocols not just in principle, but in practice. By this we mean that, for standardized elliptic curve group sizes, the overall protocol actually achieves the intended security level.

Prior work gave reductions of both protocols’ security to the underlying building blocks that were loose (in the number of users and/or sessions), so loose that they gave no guarantees for practical parameters. Adapting techniques by Cohn-Gordon et al. (Crypto 2019), we give reductions for SIGMA and TLS 1.3 to the strong Diffie–Hellman problem which are tight, and prove that this problem is as hard as solving discrete logarithms in the generic group model. Leveraging our tighter bounds, we meet the protocols’ targeted security levels when instantiated with standardized curves and improve over prior bounds by up to over 90 bits of security across a range of real-world parameters.

Notes

  1. https://transparencyreport.google.com/, https://telemetry.mozilla.org/.

  2. https://letsencrypt.org/stats/, https://www.internetlivestats.com/.

  3. TLS 1.3 also specifies an abbreviated resumption-style handshake based on pre-shared keys; we focus on the main DH-based handshake in this work.

  4. \(\mathsf {HKDF}.\mathsf {Extract}(\textit{XTS},\textit{SKM})\) on input salt \(\textit{XTS}\) and source key material \(\textit{SKM}\) outputs a pseudorandom key \(\textit{PRK}\). \(\mathsf {HKDF}.\mathsf {Expand}(\textit{PRK},\textit{CTXinfo})\) on input a pseudorandom key \(\textit{PRK}\) and context information \(\textit{CTXinfo}\) outputs pseudorandom key material \(\textit{KM}\).

  5. We simplify the factor on \(\mathsf {Adv}^{\mathsf {stDH}}_{\mathbb {G}}\) to 2 by assuming \(q_{\textsc {S}}\cdot q_{\textsc {RO}}\le 2^{\textit{kl}-3}\), which is true for any reasonable real-world parameters. See the proof for the exact bound.

  6. https://letsencrypt.org/stats/, https://trends.builtwith.com/ssl/traffic/Entire-Internet.

  7. https://transparencyreport.google.com/, https://telemetry.mozilla.org/.

  8. The same paper suggests that a standard-model instantiation of the PRF-ODH assumption via an algebraic black-box reduction to common cryptographic problems is implausible.

References

  1. Abdalla, M., Bellare, M., Rogaway, P.: The oracle Diffie-Hellman assumptions and an analysis of DHIES. In: Naccache, D. (ed.) CT-RSA 2001. LNCS, vol. 2020, pp. 143–158. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-45353-9_12

  2. Abdalla, M., Benhamouda, F., MacKenzie, P.: Security of the J-PAKE password-authenticated key exchange protocol. In: 2015 IEEE Symposium on Security and Privacy, pp. 571–587. IEEE Computer Society Press, May 2015

  3. Abdalla, M., Fouque, P.-A., Pointcheval, D.: Password-based authenticated key exchange in the three-party setting. In: Vaudenay, S. (ed.) PKC 2005. LNCS, vol. 3386, pp. 65–84. Springer, Heidelberg (2005). https://doi.org/10.1007/978-3-540-30580-4_6

  4. Bader, C., Hofheinz, D., Jager, T., Kiltz, E., Li, Y.: Tightly-secure authenticated key exchange. In: Dodis, Y., Nielsen, J.B. (eds.) TCC 2015, Part I. LNCS, vol. 9014, pp. 629–658. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-46494-6_26

  5. Bader, C., Jager, T., Li, Y., Schäge, S.: On the impossibility of tight cryptographic reductions. In: Fischlin, M., Coron, J.-S. (eds.) EUROCRYPT 2016, Part II. LNCS, vol. 9666, pp. 273–304. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-49896-5_10

  6. Bellare, M., Bernstein, D.J., Tessaro, S.: Hash-function based PRFs: AMAC and its multi-user security. In: Fischlin, M., Coron, J.-S. (eds.) EUROCRYPT 2016, Part I. LNCS, vol. 9665, pp. 566–595. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-49890-3_22

  7. Bellare, M., Canetti, R., Krawczyk, H.: Pseudorandom functions revisited: the cascade construction and its concrete security. In: 37th FOCS, pp. 514–523. IEEE Computer Society Press, October 1996

  8. Bellare, M., Dai, W.: The multi-base discrete logarithm problem: non-rewinding proofs and improved reduction tightness for identification and signatures. In: INDOCRYPT 2020 (2020). https://eprint.iacr.org/2020/416

  9. Bellare, M., Goldreich, O., Mityagin, A.: The power of verification queries in message authentication and authenticated encryption. Cryptology ePrint Archive, Report 2004/309 (2004). http://eprint.iacr.org/2004/309

  10. Bellare, M., Pointcheval, D., Rogaway, P.: Authenticated key exchange secure against dictionary attacks. In: Preneel, B. (ed.) EUROCRYPT 2000. LNCS, vol. 1807, pp. 139–155. Springer, Heidelberg (2000). https://doi.org/10.1007/3-540-45539-6_11

  11. Bellare, M., Rogaway, P.: Random oracles are practical: a paradigm for designing efficient protocols. In: Denning, D.E., Pyle, R., Ganesan, R., Sandhu, R.S., Ashby, V. (eds.) ACM CCS 1993, pp. 62–73. ACM Press, November 1993

  12. Bellare, M., Rogaway, P.: Entity authentication and key distribution. In: Stinson, D.R. (ed.) CRYPTO 1993. LNCS, vol. 773, pp. 232–249. Springer, Heidelberg (1994). https://doi.org/10.1007/3-540-48329-2_21

  13. Bellare, M., Rogaway, P.: The security of triple encryption and a framework for code-based game-playing proofs. In: Vaudenay, S. (ed.) EUROCRYPT 2006. LNCS, vol. 4004, pp. 409–426. Springer, Heidelberg (2006). https://doi.org/10.1007/11761679_25

  14. Buhler, J.P. (ed.): ANTS 1998. LNCS, vol. 1423. Springer, Heidelberg (1998). https://doi.org/10.1007/BFb0054849

  15. Brendel, J., Fischlin, M., Günther, F., Janson, C.: PRF-ODH: relations, instantiations, and impossibility results. In: Katz, J., Shacham, H. (eds.) CRYPTO 2017, Part III. LNCS, vol. 10403, pp. 651–681. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-63697-9_22

  16. Canetti, R., Krawczyk, H.: Analysis of key-exchange protocols and their use for building secure channels. In: Pfitzmann, B. (ed.) EUROCRYPT 2001. LNCS, vol. 2045, pp. 453–474. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-44987-6_28

  17. Canetti, R., Krawczyk, H.: Security analysis of IKE’s signature-based key-exchange protocol. In: Yung, M. (ed.) CRYPTO 2002. LNCS, vol. 2442, pp. 143–161. Springer, Heidelberg (2002). https://doi.org/10.1007/3-540-45708-9_10. http://eprint.iacr.org/2002/120/

  18. Cohn-Gordon, K., Cremers, C., Garratt, L.: On post-compromise security. In: 2016 Computer Security Foundations Symposium, pp. 164–178. IEEE (2016)

  19. Cohn-Gordon, K., Cremers, C., Gjøsteen, K., Jacobsen, H., Jager, T.: Highly efficient key exchange protocols with optimal tightness. In: Boldyreva, A., Micciancio, D. (eds.) CRYPTO 2019, Part III. LNCS, vol. 11694, pp. 767–797. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-26954-8_25

  20. Davis, H., Günther, F.: Tighter proofs for the SIGMA and TLS 1.3 key exchange protocols. Cryptology ePrint Archive, Report 2020/1029 (2020). https://eprint.iacr.org/2020/1029

  21. Diemert, D., Jager, T.: On the tight security of TLS 1.3: theoretically-sound cryptographic parameters for real-world deployments. J. Cryptol. (2020, to appear). Available as Cryptology ePrint Archive, Report 2020/726. https://eprint.iacr.org/2020/726

  22. Dowling, B., Fischlin, M., Günther, F., Stebila, D.: A cryptographic analysis of the TLS 1.3 handshake protocol candidates. In: Ray, I., Li, N., Kruegel, C. (eds.) ACM CCS 2015, pp. 1197–1210. ACM Press, October 2015

  23. Dowling, B., Fischlin, M., Günther, F., Stebila, D.: A cryptographic analysis of the TLS 1.3 draft-10 full and pre-shared key handshake protocol. Cryptology ePrint Archive, Report 2016/081 (2016). http://eprint.iacr.org/2016/081

  24. Dowling, B., Fischlin, M., Günther, F., Stebila, D.: A cryptographic analysis of the TLS 1.3 handshake protocol. J. Cryptol. (2021, to appear). Available as Cryptology ePrint Archive, Report 2020/1044. https://eprint.iacr.org/2020/1044

  25. Fischlin, M., Günther, F.: Multi-stage key exchange and the case of Google’s QUIC protocol. In: Ahn, G.J., Yung, M., Li, N. (eds.) ACM CCS 2014, pp. 1193–1204. ACM Press, November 2014

  26. Fischlin, M., Günther, F.: Replay attacks on zero round-trip time: the case of the TLS 1.3 handshake candidates. In: 2017 IEEE European Symposium on Security and Privacy, EuroS&P 2017, pp. 60–75. IEEE, April 2017

  27. Gjøsteen, K., Jager, T.: Practical and tightly-secure digital signatures and authenticated key exchange. In: Shacham, H., Boldyreva, A. (eds.) CRYPTO 2018, Part II. LNCS, vol. 10992, pp. 95–125. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-96881-0_4

  28. Harkins, D., Carrel, D.: The Internet Key Exchange (IKE). IETF RFC 2409 (Proposed Standard) (1998)

  29. Jager, T., Kohlar, F., Schäge, S., Schwenk, J.: On the security of TLS-DHE in the standard model. In: Safavi-Naini, R., Canetti, R. (eds.) CRYPTO 2012. LNCS, vol. 7417, pp. 273–293. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-32009-5_17

  30. Kaufman, C. (ed.): Internet Key Exchange (IKEv2) Protocol. RFC 4306 (Proposed Standard), December 2005. https://www.rfc-editor.org/rfc/rfc4306.txt. Obsoleted by RFC 5996, updated by RFC 5282

  31. Kent, S., Atkinson, R.: Security Architecture for the Internet Protocol. RFC 2401 (Proposed Standard), November 1998. https://www.rfc-editor.org/rfc/rfc2401.txt. Obsoleted by RFC 4301, updated by RFC 3168

  32. Krawczyk, H.: SIGMA: the ‘SIGn-and-MAc’ approach to authenticated Diffie-Hellman and its use in the IKE protocols. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 400–425. Springer, Heidelberg (2003). https://doi.org/10.1007/978-3-540-45146-4_24

  33. Krawczyk, H.: SIGMA: the ‘SIGn-and-MAc’ approach to authenticated Diffie-Hellman and its use in the IKE protocols (2003). https://webee.technion.ac.il/~hugo/sigma-pdf.pdf

  34. Krawczyk, H.: Cryptographic extraction and key derivation: the HKDF scheme. In: Rabin, T. (ed.) CRYPTO 2010. LNCS, vol. 6223, pp. 631–648. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-14623-7_34

  35. Krawczyk, H., Wee, H.: The OPTLS protocol and TLS 1.3. In: 2016 IEEE European Symposium on Security and Privacy, pp. 81–96. IEEE, March 2016

  36. LaMacchia, B., Lauter, K., Mityagin, A.: Stronger security of authenticated key exchange. In: Susilo, W., Liu, J.K., Mu, Y. (eds.) ProvSec 2007. LNCS, vol. 4784, pp. 1–16. Springer, Heidelberg (2007). https://doi.org/10.1007/978-3-540-75670-5_1

  37. Langley, A., Hamburg, M., Turner, S.: Elliptic Curves for Security. RFC 7748 (Informational), January 2016. https://www.rfc-editor.org/rfc/rfc7748.txt

  38. Maurer, U.: Abstract models of computation in cryptography. In: Smart, N.P. (ed.) Cryptography and Coding 2005. LNCS, vol. 3796, pp. 1–12. Springer, Heidelberg (2005). https://doi.org/10.1007/11586821_1

  39. National Institute of Standards and Technology: FIPS PUB 186-4: Digital Signature Standard (DSS) (2013)

  40. Okamoto, T., Pointcheval, D.: The gap-problems: a new class of problems for the security of cryptographic schemes. In: Kim, K. (ed.) PKC 2001. LNCS, vol. 1992, pp. 104–118. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-44586-2_8

  41. Rescorla, E.: The Transport Layer Security (TLS) Protocol Version 1.3. RFC 8446 (Proposed Standard), August 2018. https://www.rfc-editor.org/rfc/rfc8446.txt

  42. Shoup, V.: Lower bounds for discrete logarithms and related problems. In: Fumy, W. (ed.) EUROCRYPT 1997. LNCS, vol. 1233, pp. 256–266. Springer, Heidelberg (1997). https://doi.org/10.1007/3-540-69053-0_18

Acknowledgments

We thank Mihir Bellare for insightful discussions and helpful comments, and Denis Diemert and Tibor Jager for their kind handling of our concurrent work. We thank the anonymous reviewers for valuable comments. Both authors were supported in part by National Science Foundation (NSF) grant CNS-1717640. Felix Günther has been supported in part by Research Fellowship grant GU 1859/1-1 of the German Research Foundation (DFG).

Author information

Correspondence to Hannah Davis or Felix Günther.


Appendices

A Evaluation Details

Fully-Quantitative CK SIGMA Bound. Comparing our SIGMA bound from Theorem 4 to the original security proof by Canetti and Krawczyk [17] (CK) faces two complications. First, we must reconstruct a concrete security bound from the CK proof, which merely refers to the decisional Diffie–Hellman assumption and “standard security notions” for digital signatures, MACs, and PRFs (i.e., single-user \(\mathsf {EUF{\text { -}}CMA}\) and PRF security). Second, the CK result is given in a stronger security model for key exchange [16] which allows state-reveal attacks. Further, the CK proof assumes out-of-band unique session identifiers, whereas protocols in practice have to establish those from, e.g., nonces (introducing a corresponding collision bound as in our analysis). We are therefore inherently constrained to comparing qualitatively different security properties here.

Let us informally consider a game-based definition of the CK model [16] in the same style as our AKE model (cf. Definition 1), capturing the same oracles plus an additional state-reveal oracle, with \(q_{\textsc {RSt}}\) denoting the number of queries to this oracle, and session identifiers that, like ours, consist of the session and peers’ nonces and DH shares. Translating the SIGMA-I security proof from [17, Theorem 6 in the full version], we obtained the following concrete security bound:

where \(\textit{nl}\) is the nonce length, \(\mathbb {G}\) the used Diffie–Hellman group of prime order p, the number of test queries is restricted to \(q_{\textsc {T}}= 1\), and \(\mathcal {B}_i\) (for \(i = 1,\dots ,5\)) are the described reductions in [17, Theorem 6 in the full version] all running in time \(t_{\mathcal {B}_i} \approx t\). For simplicity, we present the above bound in terms of “multi-user” PRF, signature, and MAC advantages for a single user \(q_{\textsc {Nw}}= 1\), which are equivalent to the corresponding single-user advantages (cf. Appendix B).

Fully-Quantitative DFGS TLS 1.3 Bound. We compare our security bound for TLS 1.3 from Theorem 5 with the bound of Dowling et al. [24] (DFGS). Note that their bound is established in a multi-stage key exchange model [25]; here we focus only on the main application key derivation, as in our proof. The DFGS bound needs instantiation through the random oracle in only one step (the PRF-ODH assumption on \(\mathsf {HKDF}.\mathsf {Extract}\)), while the other \(\mathsf {PRF}\) steps remain in the standard model. Our proof instead models both \(\mathsf {HKDF}.\mathsf {Extract}\) and \(\mathsf {HKDF}.\mathsf {Expand}\) as random oracles. Translating the bound from [24, Theorems 5.1, 5.2] yields:

Let us further unpack the PRF-ODH term. Following Brendel et al. [15], it can be reduced to the strong Diffie–Hellman assumption when modeling \(\mathsf {HKDF}.\mathsf {Extract}\) as a random oracle (see Note 8). In this reduction, the single DH oracle query is checked against each random oracle query via the strong-DH oracle, hence establishing the following bound: \( \mathsf {Adv}^{\mathsf {dual{\text { -}}snPRF{\text { -}}ODH}}_{\mathsf {RO},\mathbb {G}}(t_{\mathcal {B}_3}, q_{\textsc {RO}}) \le \mathsf {Adv}^{\mathsf {stDH}}_{\mathbb {G}}(t_{\mathcal {B}_3}, q_{\textsc {RO}})\)
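Both the DFGS bound and ours treat \(\mathsf {HKDF}.\mathsf {Extract}\) and \(\mathsf {HKDF}.\mathsf {Expand}\) through the interface fixed in Note 4. The following is an added example, not code from the paper: it implements both functions per RFC 5869 with Python's standard library, adds the TLS 1.3 HKDF-Expand-Label wrapper from RFC 8446 Section 7.1 (which is how TLS 1.3 builds the \(\textit{CTXinfo}\) input), and runs the first two Extract stages of the TLS 1.3 key schedule for the DH-only handshake of Note 3. Function names and the constructed 32-byte stand-in for a DHE shared secret are this example's own; the only external data is RFC 5869 Test Case 1, used as a self-check.

```python
"""HKDF.Extract / HKDF.Expand (RFC 5869) and the TLS 1.3 wrappers around them.

Added example for this page, not code from the paper. Standard library only.
"""
import hashlib
import hmac


def hkdf_extract(xts: bytes, skm: bytes, hash_name: str = "sha256") -> bytes:
    """HKDF.Extract(XTS, SKM) -> PRK: HMAC keyed with the salt XTS over the
    source key material SKM. An empty salt means HashLen zero bytes (RFC 5869)."""
    hash_len = hashlib.new(hash_name).digest_size
    if not xts:
        xts = b"\x00" * hash_len
    return hmac.new(xts, skm, hash_name).digest()


def hkdf_expand(prk: bytes, ctxinfo: bytes, length: int, hash_name: str = "sha256") -> bytes:
    """HKDF.Expand(PRK, CTXinfo) -> KM of `length` bytes.
    T(i) = HMAC(PRK, T(i-1) || CTXinfo || i) with i a single byte, so L <= 255*HashLen."""
    hash_len = hashlib.new(hash_name).digest_size
    if not 0 <= length <= 255 * hash_len:
        raise ValueError("HKDF.Expand: length must be in 0..255*HashLen")
    blocks, prev = [], b""
    for counter in range(1, -(-length // hash_len) + 1):   # ceil(length / HashLen) blocks
        prev = hmac.new(prk, prev + ctxinfo + bytes([counter]), hash_name).digest()
        blocks.append(prev)
    return b"".join(blocks)[:length]


def hkdf_expand_label(secret: bytes, label: str, context: bytes, length: int,
                      hash_name: str = "sha256") -> bytes:
    """TLS 1.3 HKDF-Expand-Label (RFC 8446, Section 7.1). CTXinfo is the HkdfLabel
    struct: uint16 length || opaque label<7..255> || opaque context<0..255>,
    with the label prefixed by "tls13 "."""
    full_label = b"tls13 " + label.encode("ascii")
    if not 7 <= len(full_label) <= 255 or len(context) > 255:
        raise ValueError("HkdfLabel field out of range")
    hkdf_label = (length.to_bytes(2, "big")
                  + bytes([len(full_label)]) + full_label
                  + bytes([len(context)]) + context)
    return hkdf_expand(secret, hkdf_label, length, hash_name)


def tls13_handshake_secret(dhe_shared_secret: bytes, hash_name: str = "sha256") -> bytes:
    """First two Extract stages of the TLS 1.3 key schedule (RFC 8446, Section 7.1)
    for the DH-based handshake without a PSK: the Early Secret is extracted from a
    zero IKM, and the (EC)DHE output enters through the second Extract."""
    hash_len = hashlib.new(hash_name).digest_size
    early_secret = hkdf_extract(b"", b"\x00" * hash_len, hash_name)
    empty_transcript_hash = hashlib.new(hash_name, b"").digest()
    derived = hkdf_expand_label(early_secret, "derived", empty_transcript_hash,
                                hash_len, hash_name)
    return hkdf_extract(derived, dhe_shared_secret, hash_name)


def rfc5869_test_case_1_passes() -> bool:
    """Self-check against RFC 5869, Appendix A, Test Case 1 (SHA-256)."""
    ikm = bytes.fromhex("0b" * 22)
    salt = bytes.fromhex("000102030405060708090a0b0c")
    info = bytes.fromhex("f0f1f2f3f4f5f6f7f8f9")
    prk = hkdf_extract(salt, ikm)
    okm = hkdf_expand(prk, info, 42)
    return (prk.hex() == "077709362c2e32df0ddc3f0dc47bba6390b6c73bb50f9c3122ec844ad7c2b3e5"
            and okm.hex() == "3cb25f25faacd57a90434f64d0362f2a2d2d0a90cf1a5a4c5db02d56ecc4c5bf"
                             "34007208d5b887185865")


if __name__ == "__main__":
    print("RFC 5869 test case 1:", "ok" if rfc5869_test_case_1_passes() else "FAIL")
    # Constructed 32-byte stand-in for an X25519 shared secret (not a real handshake value).
    print("Handshake Secret:", tls13_handshake_secret(b"\x11" * 32).hex())
```

Two details matter for the proofs above: the salt of the second Extract is itself an Expand output (the "derived" secret), which is why the PRF-ODH step in the DFGS analysis sits on \(\mathsf {HKDF}.\mathsf {Extract}\) with the DHE value as key material, and every Expand call fixes the output length and a distinct label inside \(\textit{CTXinfo}\), so the keys of different stages are domain-separated random oracle queries.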

B Assumptions, Building Blocks, Multi-user Security

Definition 6

(Multi-user PRF security). Let \(\mathsf {PRF}:\{0,1\}^k \times \{0,1\}^m \rightarrow \{0,1\}^n\) be a function (for \(k, n \in \mathbb {N}\) and \(m \in \mathbb {N}\cup \{*\}\)) and \(\mathrm {G}^{\mathsf {mu{\text { -}}PRF}}_{\mathsf {PRF},\mathcal {A}}\) be the multi-user PRF security game defined as in Fig. 5. We define \( \mathsf {Adv}^{\mathsf {mu{\text { -}}PRF}}_{\mathsf {PRF}}(t,q_{\textsc {Nw}},q_{\textsc {Fn}},q_{\textsc {Fn/U}}) := 2 \cdot \max _\mathcal {A}\Pr \left[ \mathrm {G}^{\mathsf {mu{\text { -}}PRF}}_{\mathsf {PRF},\mathcal {A}} \Rightarrow 1 \right] - 1\), where the maximum is taken over all adversaries, denoted \((t, q_{\textsc {Nw}}, q_{\textsc {Fn}},q_{\textsc {Fn/U}})\)-\(\mathsf {mu{\text { -}}PRF}\)-adversaries, running in time at most t and making at most \(q_{\textsc {Nw}}\) queries to their \(\textsc {New}\) oracle, at most \(q_{\textsc {Fn}}\) total queries to their \(\textsc {Fn}\) oracle, and at most \(q_{\textsc {Fn/U}}\) queries \(\textsc {Fn}(i, \cdot )\) for any user i.

Generically, the multi-user security of PRFs reduces to single-user security (formally, \(\mathrm {G}^{\mathsf {mu{\text { -}}PRF}}_{\mathsf {PRF},\mathcal {A}}\) with \(\mathcal {A}\) restricted to \(q_{\textsc {Nw}}= 1\) queries to \(\textsc {New}\)) with a loss linear in the number of users via a hybrid argument [7], i.e., \( \mathsf {Adv}^{\mathsf {mu{\text { -}}PRF}}_{\mathsf {PRF}}(t, q_{\textsc {Nw}}, q_{\textsc {Fn}},q_{\textsc {Fn/U}}) \le q_{\textsc {Nw}}\cdot \mathsf {Adv}^{\mathsf {mu{\text { -}}PRF}}_{\mathsf {PRF}}(t', 1, q_{\textsc {Fn/U}}, q_{\textsc {Fn/U}})\), where \(t \approx t'\). (Note that the total number \(q_{\textsc {Fn}}\) of queries to the \(\textsc {Fn}\) oracle across all users does not affect the reduction.) There are, however, simple and efficient constructions, like AMAC [6], that achieve multi-user security tightly. If we use a random oracle \(\mathsf {RO}\) as a PRF with key length kl, then \( \mathsf {Adv}^{\mathsf {mu{\text { -}}PRF}}_{\mathsf {RO}}(t,q_{\textsc {Nw}},q_{\textsc {Fn}},q_{\textsc {Fn/U}},q_{\textsc {RO}}) \le \frac{q_{\textsc {Nw}}\cdot q_{\textsc {RO}}}{2^{kl}}\): the adversary can only distinguish if one of its \(q_{\textsc {RO}}\) random oracle queries contains one of the \(q_{\textsc {Nw}}\) uniformly random kl-bit keys.

Fig. 5. Multi-user PRF security of a pseudorandom function \(\mathsf {PRF}:\{0,1\}^k \times \{0,1\}^m \rightarrow \{0,1\}^n\). \(\mathsf {FUNC}\) is the space of all functions \(\{0,1\}^m \rightarrow \{0,1\}^n\).

Definition 7

(Signature \(\mathsf {mu{\text { -}}EUF{\text { -}}CMA}\) security [4]). Let \(\mathsf {S}\) be a signature scheme and \(\mathrm {G}^{\mathsf {mu{\text { -}}EUF{\text { -}}CMA}}_{\mathsf {S},\mathcal {A}}\) be the game for signature multi-user existential unforgeability under chosen-message attacks with adaptive corruptions (see the full version [20] for the formal definition). We define \(\mathsf {Adv}^{\mathsf {mu{\text { -}}EUF{\text { -}}CMA}}_{\mathsf {S}}(t,q_{\textsc {Nw}},q_{\textsc {Sg}},q_{\textsc {Sg/U}},q_{\textsc {C}}) := \max _\mathcal {A}\Pr \left[ \mathrm {G}^{\mathsf {mu{\text { -}}EUF{\text { -}}CMA}}_{\mathsf {S},\mathcal {A}} \Rightarrow 1 \right] \), where the maximum is taken over all adversaries, denoted \((t, q_{\textsc {Nw}}, q_{\textsc {Sg}}, q_{\textsc {Sg/U}}, q_{\textsc {C}})\)-\(\mathsf {mu{\text { -}}EUF{\text { -}}CMA}\)-adversaries, running in time at most t and making at most \(q_{\textsc {Nw}}\), \(q_{\textsc {Sg}}\), resp. \(q_{\textsc {C}}\) total queries to their \(\textsc {New}\), \(\textsc {Sign}\), resp. \(\textsc {Corrupt}\) oracle, and making at most \(q_{\textsc {Sg/U}}\) queries \(\textsc {Sign}(i, \cdot )\) for any user i.

Multi-user EUF-CMA security of signature schemes (with adaptive corruptions) can be reduced to classical, single-user EUF-CMA security (formally, \(\mathrm {G}^{\mathsf {mu{\text { -}}EUF{\text { -}}CMA}}_{\mathsf {S},\mathcal {A}}\) with \(\mathcal {A}\) restricted to \(q_{\textsc {Nw}}= 1\) queries to \(\textsc {New}\)) by a standard hybrid argument, losing a factor of the number of users. Formally, this yields \(\mathsf {Adv}^{\mathsf {mu{\text { -}}EUF{\text { -}}CMA}}_{\mathsf {S}}(t,q_{\textsc {Nw}},q_{\textsc {Sg}},q_{\textsc {Sg/U}},q_{\textsc {C}}) \le q_{\textsc {Nw}}\cdot \mathsf {Adv}^{\mathsf {mu{\text { -}}EUF{\text { -}}CMA}}_{\mathsf {S}}(t',1,q_{\textsc {Sg/U}},q_{\textsc {Sg/U}},0)\), where \(t \approx t'\). (Note that the reduction is not affected by the total number of signature queries \(q_{\textsc {Sg}}\) across all users.) In many cases, such a loss is indeed unavoidable [5].

Definition 8

(MAC \(\mathsf {mu{\text { -}}EUF{\text { -}}CMA}\) security). Let \(\mathsf {M}\) be a MAC scheme and \(\mathrm {G}^{\mathsf {mu{\text { -}}EUF{\text { -}}CMA}}_{\mathsf {M},\mathcal {A}}\) be the game for MAC multi-user existential unforgeability under chosen-message attacks with adaptive corruptions (see the full version [20] for the formal definition). We define \(\mathsf {Adv}^{\mathsf {mu{\text { -}}EUF{\text { -}}CMA}}_{\mathsf {M}}(t,q_{\textsc {Nw}},q_{\textsc {Tg}},q_{\textsc {Tg/U}},q_{\textsc {V\!f}},q_{\textsc {V\!f/U}},q_{\textsc {C}}) := \max _\mathcal {A}\Pr \left[ \mathrm {G}^{\mathsf {mu{\text { -}}EUF{\text { -}}CMA}}_{\mathsf {M},\mathcal {A}} \Rightarrow 1 \right] \), where the maximum is taken over all adversaries, denoted \((t,q_{\textsc {Nw}},q_{\textsc {Tg}},q_{\textsc {Tg/U}},q_{\textsc {V\!f}},q_{\textsc {V\!f/U}},q_{\textsc {C}})\)-\(\mathsf {mu{\text { -}}EUF{\text { -}}CMA}\)-adversaries, running in time at most t and making at most \(q_{\textsc {Nw}}\), \(q_{\textsc {Tg}}\), \(q_{\textsc {V\!f}}\), resp. \(q_{\textsc {C}}\) queries to their \(\textsc {New}\), \(\textsc {Tag}\), \(\textsc {Vrfy}\), resp. \(\textsc {Corrupt}\) oracle, and making at most \(q_{\textsc {Tg/U}}\) queries \(\textsc {Tag}(i, \cdot )\), resp. \(q_{\textsc {V\!f/U}}\) queries \(\textsc {Vrfy}(i, \cdot )\) for any user i.

As for signature schemes, multi-user EUF-CMA security of MACs reduces to the single-user case (\(q_{\textsc {Nw}}= 1\)) by a standard hybrid argument: \(\mathsf {Adv}^{\mathsf {mu{\text { -}}EUF{\text { -}}CMA}}_{\mathsf {M}}(t,q_{\textsc {Nw}},q_{\textsc {Tg}},q_{\textsc {Tg/U}},q_{\textsc {V\!f}},q_{\textsc {V\!f/U}},q_{\textsc {C}}) \le q_{\textsc {Nw}}\cdot \mathsf {Adv}^{\mathsf {mu{\text { -}}EUF{\text { -}}CMA}}_{\mathsf {M}}(t',1,q_{\textsc {Tg/U}},q_{\textsc {Tg/U}},q_{\textsc {V\!f/U}},q_{\textsc {V\!f/U}},0)\), where \(t \approx t'\). (Note that the reduction is not affected by the total number of tagging and verification queries \(q_{\textsc {Tg}}\) resp. \(q_{\textsc {V\!f}}\) across all users.)

Our multi-user definition of MACs provides a verification oracle, which is non-standard (and in general not equivalent to a definition with a single forgery attempt, as Bellare, Goldreich and Mityagin [9] showed). For PRF-based MACs (which in particular includes HMAC as used in TLS 1.3), it is however equivalent, and the reduction from multi-query to single-query verification is tight [9].

In our key exchange reductions, we actually do not need to corrupt MAC keys, i.e., we achieve \(q_{\textsc {C}}= 0\). This in particular allows specific constructions like AMAC [6] achieving tight multi-user security (without corruptions).

If we use a random oracle \(\mathsf {RO}\) as PRF-like MAC with key length \(\textit{kl}\) and output length \(ol\), then \(\mathsf {Adv}^{\mathsf {mu{\text { -}}EUF{\text { -}}CMA}}_{\mathsf {RO}}(t, q_{\textsc {Nw}}, q_{\textsc {Tg}}, q_{\textsc {Tg/U}}, q_{\textsc {V\!f}}, q_{\textsc {V\!f/U}}, q_{\textsc {C}},q_{\textsc {RO}}) \le \frac{q_{\textsc {V\!f}}}{2^{ol}}+\frac{(q_{\textsc {Nw}}-q_{\textsc {C}})\cdot q_{\textsc {RO}}}{2^{\textit{kl}}}\).

Definition 9

(Hash function collision resistance). Let \(\mathsf {H}:\{0,1\}^* \rightarrow \{0,1\}^{ol}\) for \(ol\in \mathbb {N}\) be a function. For a given adversary \(\mathcal {A}\) running in time at most t, we can consider .

If we use a random oracle \(\mathsf {RO}\) as hash function, then \(\mathsf {Adv}^{\mathsf {CR}}_{\mathsf {RO}}(t,q_{\textsc {RO}}) \le \frac{q_{\textsc {RO}}^2}{2^{ol+1}}+\frac{1}{2^{ol}}\)

C Proof of the Strong Diffie–Hellman GGM Bound

We establish the bound of Theorem 3 through a sequence of incrementally changing code-based games; see the full version [20] for complete details.

Game 0. We formalize the strong Diffie–Hellman problem in the GGM using the setting and notation of Bellare and Dai [8]. Briefly, we represent a group of prime order p using an arbitrary set \(\mathbb {G}\) of label strings and a randomly chosen bijection \(\textit{E}: \mathbb {Z}_p \rightarrow \mathbb {G}\), called the encoding function. For any two strings \(A,B \in \mathbb {G}\), we define the operation \(A \mathop {\textsc {OP}_\textit{E}} B = \textit{E}(\textit{E}^{-1}(A) + \textit{E}^{-1}(B) \mod p)\). The adversary is given the identity element \(\mathbbm {1}= \textit{E}(0)\), a generator \(g = \textit{E}(1)\), challenges \(\textit{X}\) and \(\textit{Y}\), and oracle access to \(\textsc {OP}_\textit{E}\) through an oracle \(\textsc {OP}\). Note that for any integer \(a \in \mathbb {Z}_p\), we can compute \(g^a = \textit{E}(a)\). On input \((A, B)\), the \(\mathsf {stDH}\) oracle uses this property to find the discrete logarithm a of A in order to check whether \(\textit{E}(xa) = X^a = B\). Throughout, we track the set \(GL\) of group element labels the adversary has seen, and return \(\bot \) in response to all oracle queries containing other labels. By definition, \(\mathsf {Adv}^{\mathsf {stDH}}_{\mathbb {G}}(t, q_{\textsc {sDH}}) = \Pr [\mathrm{G}_{0} \Rightarrow 1].\)

Game 1. Although the notation of \(\mathrm{G}_{0}\) is simpler and more intuitive, it is more useful for the proof to internally represent elements of \(\mathbb {G}\) with vectors over \(\mathbb {Z}_p^3\) instead of integers in \(\mathbb {Z}_p\), as we do in Fig. 6. We map elements \(\vec {t} \in \mathbb {Z}_p^{3}\) back to \(\mathbb {Z}_p\) by taking the inner product of \(\vec {t}\) with the vector \((1, x, y)\). (Effectively, we take \(\vec {t}\) to be the coefficients of a linear combination of 1, x, and y, which are represented respectively by the basis vectors \(\vec {e_1}\), \(\vec {e_2}\), and \(\vec {e_3}\).)

Composing this map with the encoding function \(\textit{E}\) induces a transformation from \(\mathbb {Z}_p^3\) to \(\mathbb {G}\), which we implement via an internal oracle \(\textsc {VE}\). We cache the transformation in table \(TV\) and its inverse in table \(TI\). Each element of \(\mathbb {G}\) now has multiple vector representations, but the bilinearity of the inner product ensures that the view of the adversary is not changed, and \(\Pr [\mathrm{G}_{1} ] = \Pr [\mathrm{G}_{0} ].\)

Fig. 6. Game \(\mathrm{G}_{1}\) of the \(\mathsf {stDH}\) proof.

Games 2–3. In Game \(\mathrm{G}_{2}\), we make two undetectable changes: we lazily sample the bijection \(\textit{E}\), and in the \(\mathsf {stDH}\) oracle, we replace the condition \(\textsc {VE}(x\vec {a}) = B = \textsc {VE}(\vec {b})\) with the equivalent condition \(\langle x \vec {a}-\vec {b}, \vec {x} \rangle = 0\), where \(\vec {x} = (1, x, y)\).

We continue in the next game by sampling the entries of \(TV\) directly instead of through calls to \(\textit{E}\). Distinct vectors \(\vec {t}\) and \(\vec {t'}\) no longer map to the same group element when \(\langle \vec {t},\vec {x}\rangle = \langle \vec {t'}, \vec {x} \rangle \). The adversary cannot notice this change unless two such \(\vec {t}, \vec {t'}\) are queried to \(\textsc {VE}\); we call this event \(F_1\) and let \(\textsc {Finalize}\) return \(\mathsf {true}\) when it occurs. This only increases the success probability of the adversary, so \(\Pr [\mathrm{G}_{1}] \le \Pr [\mathrm{G}_{3}].\) At this point, the function \(\textit{E}\) is unused and becomes redundant.

Game 4. The adversary can trivially get a \(\mathsf {true}\) response from the \(\mathsf {stDH}\) oracle by computing \(A = g^a\) for any integer a and \(B = \textit{X}^a\). We now return \(\mathsf {false}\) in all other cases. Let \(F_2\) be the event where the adversary makes a nontrivial query (AB) to \(\mathsf {stDH}\) that should return \(\mathsf {true}\), i.e., one where \(\langle x TI(A) -TI(B), \vec {x} \rangle = 0\). Unless \(F_2\) occurs, the output of \(\mathsf {stDH}\) does not change, so \(\Pr [\mathrm{G}_{3}]\le \Pr [\mathrm{G}_{4}\text { and } \overline{F_2}] + \Pr [F_2].\)

Game 5. This game is identical to \(\mathrm{G}_{4}\), except \(\textsc {Finalize}\) returns \(\mathsf {true}\) whenever event \(F_2\) could have occurred. It follows that \(\Pr [\mathrm{G}_{3}] \le \Pr [\mathrm{G}_{5}]\). At this point, variables x, y, and \(\vec {x}\) are not used by any oracle except \(\textsc {Finalize}\), so we delay their initialization until the end of the game without detection by the adversary.

Collecting bounds reveals that \(\mathsf {Adv}^{\mathsf {stDH}}_{\mathbb {G}}(t, q_{\textsc {sDH}})\le \Pr [\mathrm{G}_{5}^*]\). A t-query adversary playing \(\mathrm{G}_{5}^*\) wins only if events \(F_1\) or \(F_2\) occur, or if \([\textsc {VE}(x\vec {e_3}) = Z]\). Event \(F_1\) occurs when table \(TI\) contains distinct \(\vec {t_i}, \vec {t_j}\) such that \(\langle \vec {t_i}-\vec {t_j},(1,x,y) \rangle = 0\). This means \((x, y)\) is a root of the bivariate linear polynomial \((\vec {t_i}-\vec {t_j})[0] + (\vec {t_i}-\vec {t_j})[1]\cdot x + (\vec {t_i}-\vec {t_j})[2] \cdot y\). Since x and y are sampled independently by the \(\textsc {Finalize}\) oracle, this occurs with probability at most 1/p for each polynomial by Lemma 1 of [42]. Event \(F_2\) occurs when \(\langle x \vec {t_i} - \vec {t_j}, \vec {x} \rangle = 0\) for some \(\vec {t_i}\), \(\vec {t_j}\) in \(TI\). Similarly, this means that \((x, y)\) must be a root of the quadratic \((x\vec {t_i}-\vec {t_j})[0] + (x\vec {t_i}-\vec {t_j})[1]\cdot x + (x\vec {t_i}-\vec {t_j})[2] \cdot y\). By Lemma 1, this occurs with probability at most 2/p for each \((\vec {t_i},\vec {t_j})\) pair. Finally, \([\textsc {VE}(x\vec {e_3}) = Z]\) holds with probability at most 1/p because \(\textsc {VE}(x \vec {e_3})\) is uniformly random.

Taking a union bound over the \((t+4)^2\) possible pairs \((\vec {t_i},\vec {t_j})\), we obtain \(\Pr [\mathrm{G}_{5}^*] \le (3(t+4)^2+1)/p\). The theorem statement follows for all \(t>25\).    \(\square \)
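To make the objects of Games \(\mathrm{G}_{0}\) and \(\mathrm{G}_{1}\) concrete, here is an added example (not the paper's code) that simulates the generic group: a lazily sampled random encoding \(\textit{E}\), the \(\textsc {OP}\) and \(\mathsf {stDH}\) oracles that answer only on labels the adversary has already seen, the vector map \(\textsc {VE}\) of Game \(\mathrm{G}_{1}\), and an adversary that can only exponentiate by repeated \(\textsc {OP}\) queries. It also evaluates the final bound \((3(t+4)^2+1)/p\) in bits. The class and function names, the 61-bit Mersenne prime used as p, and the seeded randomness are this example's own choices; a real group is never this small and a real adversary never gets to see x or y.

```python
"""Generic-group simulation of the strong Diffie-Hellman (stDH) game of Appendix C.

Added example for this page, not the paper's code. The game keeps the discrete
logs (the table E^-1) private; the adversary only ever handles opaque labels.
"""
import math
import random

# Toy group order (Mersenne prime): convenient, and large enough that accidental
# collisions (y == 1, xy == 1, a repeated label) have probability about 2^-61.
TOY_P = 2**61 - 1


class GenericGroup:
    """Group of prime order p whose elements are random labels (Game G_0)."""

    def __init__(self, p=TOY_P, seed=None):
        self.p = p
        self.rng = random.Random(seed)
        self._enc = {}       # E   : Z_p -> label, sampled lazily (as in Game G_2)
        self._dec = {}       # E^-1: label -> Z_p, visible only to the game
        self.seen = set()    # GL: labels handed to the adversary so far
        self.op_queries = self.stdh_queries = 0
        # Challenge exponents; the adversary must output Z = g^{xy}.
        self.x = self.rng.randrange(1, p)
        self.y = self.rng.randrange(1, p)
        self.one, self.g = self.E(0), self.E(1)          # identity = E(0), g = E(1)
        self.X, self.Y = self.E(self.x), self.E(self.y)  # X = g^x, Y = g^y
        self.seen.update({self.one, self.g, self.X, self.Y})

    def E(self, a):
        """Random bijection Z_p -> labels; a fresh label is drawn on first use."""
        a %= self.p
        if a not in self._enc:
            label = "%016x" % self.rng.randrange(self.p)
            while label in self._dec:
                label = "%016x" % self.rng.randrange(self.p)
            self._enc[a], self._dec[label] = label, a
        return self._enc[a]

    def op(self, A, B):
        """Oracle OP: E(E^-1(A) + E^-1(B) mod p); None (bottom) on unseen labels."""
        self.op_queries += 1
        if A not in self.seen or B not in self.seen:
            return None
        C = self.E(self._dec[A] + self._dec[B])
        self.seen.add(C)
        return C

    def stdh(self, A, B):
        """Oracle stDH(A, B): is B == X^a for a = log_g(A)? G_0 reads a from E^-1."""
        self.stdh_queries += 1
        if A not in self.seen or B not in self.seen:
            return None
        a = self._dec[A]
        return self.E(self.x * a) == B

    def ve(self, t):
        """Game G_1's VE: (t0, t1, t2) -> E(<t, (1, x, y)>) = g^t0 * X^t1 * Y^t2."""
        t0, t1, t2 = t
        return self.E(t0 + t1 * self.x + t2 * self.y)

    def finalize(self, Z):
        """The adversary wins iff its output is g^{xy} = VE((0, 0, x))."""
        return Z == self.E(self.x * self.y)


def pow_via_op(G, A, a):
    """Adversary-side A^a using nothing but the OP oracle (double-and-add on labels)."""
    result, base = G.one, A
    while a:
        if a & 1:
            result = G.op(result, base)
        base = G.op(base, base)
        a >>= 1
    return result


def trivial_stdh_query(G, a):
    """The one way to get 'true' from stDH without solving anything: A = g^a and
    B = X^a for a known a (Game G_4 answers 'false' to every other query)."""
    return G.stdh(pow_via_op(G, G.g, a), pow_via_op(G, G.X, a))


def stdh_ggm_bits(t, p):
    """Bits of security implied by Appendix C's bound Adv^stDH <= (3(t+4)^2 + 1)/p."""
    return math.log2(p) - math.log2(3 * (t + 4) ** 2 + 1)


if __name__ == "__main__":
    G = GenericGroup(seed=2021)
    print("trivial stDH query:", trivial_stdh_query(G, 12345))
    print("stDH(Y, X):", G.stdh(G.Y, G.X))                 # true only if y == 1
    print("OP(g, X) == VE(1, 1, 0):", G.op(G.g, G.X) == G.ve((1, 1, 0)))
    print("OP queries spent so far:", G.op_queries)
    print("bits for p ~ 2^256, t = 2^64: %.1f" % stdh_ggm_bits(2**64, 2**256))
```

The `ve` check is the bilinearity observation of Game \(\mathrm{G}_{1}\) in executable form: adding labels through \(\textsc {OP}\) and adding the coefficient vectors agree, so the adversary's view is the same under either representation. The bits function is the practitioner's takeaway from Theorem 3: for a 256-bit-order curve and \(2^{64}\) group operations the bound leaves roughly 126 bits, i.e., the stDH assumption costs only a constant factor over the discrete logarithm in the generic group model.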

Copyright information

© 2021 Springer Nature Switzerland AG

About this paper

Cite this paper

Davis, H., Günther, F. (2021). Tighter Proofs for the SIGMA and TLS 1.3 Key Exchange Protocols. In: Sako, K., Tippenhauer, N.O. (eds) Applied Cryptography and Network Security. ACNS 2021. Lecture Notes in Computer Science, vol 12727. Springer, Cham. https://doi.org/10.1007/978-3-030-78375-4_18

  • DOI: https://doi.org/10.1007/978-3-030-78375-4_18

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-78374-7

  • Online ISBN: 978-3-030-78375-4
