We now turn to analyzing the TLS 1.3 pre-shared key handshakes, with and without Diffie–Hellman key exchange (PSK-(EC)DHE, resp. PSK) and with optional 0-RTT keys, in the pre-shared–secret multi-stage key exchange (sMSKE) model.
Protocol Properties The PSK/PSK-(EC)DHE (0-RTT) handshakes target the following protocol-specific properties \((\textsf {M} ,\textsf {AUTH} ,\textsf {FS} ,\textsf {USE} ,\textsf {REPLAY} )\):
- \(\textsf {M} = 8\): The PSK handshakes with optional 0-RTT consist of eight stages deriving, in order: the early traffic secret \(\mathrm {ETS}\) and early exporter master secret \(\mathrm {EEMS}\) (both only in 0-RTT mode), the client and server handshake traffic keys \(\mathrm {tk}_{\text {chs}}\) and \(\mathrm {tk}_{\text {shs}}\), the client and server application traffic secrets \(\mathrm {CATS}\) and \(\mathrm {SATS}\), the exporter master secret \(\mathrm {EMS}\), and the resumption master secret \(\mathrm {RMS}\).
- The authentication properties \(\textsf {AUTH} \) differ between the PSK(-only) and the PSK-(EC)DHE (0-RTT) handshakes:
  – for PSK (0-RTT), \(\textsf {AUTH} = \big \{((1,1), (2,2), \ldots , (8,8))\big \}\): All keys are immediately mutually authenticated (from the pre-shared key).
  – for PSK-(EC)DHE (0-RTT), \(\textsf {AUTH} = \big \{ ((1,1),(2,2),(5,8),(5,8),(5,8),(6,8),(7,8),(8,8)) \big \}\): The 0-RTT keys \(\mathrm {ETS}\)/\(\mathrm {EEMS}\) are always mutually authenticated, the handshake traffic keys \(\mathrm {tk}_{\text {chs}}\)/\(\mathrm {tk}_{\text {shs}}\) are initially unauthenticated, and all non-0-RTT keys reach unilateral authentication with stage 5 and mutual authentication with stage 8. (It is not straightforward to see why some PSK-(EC)DHE keys are not considered to be immediately mutually authenticated, in contrast to keys from the PSK-only handshake. Consider the handshake traffic keys in the PSK-(EC)DHE handshake: in the model, the adversary \(\mathcal {A}\) could send its own \(g^x\) share to a server session; the server will derive the handshake traffic keys from \(\mathrm {PSK}\) and \(\mathrm {DHE}\). Those keys should now be considered forward secret (due to the ephemeral DH shares); however, when \(\mathcal {A}\) corrupts \(\mathrm {PSK}\), it can compute the handshake traffic keys. Hence, these keys cannot be treated as forward secret and mutually authenticated at the same time.)
- Forward secrecy of the PSK handshake depends on whether an ephemeral Diffie–Hellman key exchange is performed:
  – for PSK-only, \(\textsf {FS} = \infty \): The PSK-only handshake does not provide any forward secrecy.
  – for PSK-(EC)DHE, \(\textsf {FS} = 3\): The PSK-(EC)DHE handshake provides forward secrecy for all non–0-RTT keys.
- \(\textsf {USE} = (\textsf {internal} : \{3,4\}, \textsf {external} : \{1,2,5,6,7,8\})\): The handshake traffic keys are used internally to encrypt the second part of the handshake; all other keys are external.
- \(\textsf {REPLAY} = (\textsf {replayable} : \{1,2\}, \textsf {nonreplayable} : \{3,4,5,6,7,8\})\): The 0-RTT keys \(\mathrm {ETS}\) and \(\mathrm {EEMS}\) are replayable, all other stages’ keys are not.
Session and Contributive Identifiers As for the full 1-RTT handshake (cf. Sect. 5), we define the session identifiers over the unencrypted handshake messages; each stage’s identifier includes a label and all handshake messages up to when that stage accepts:
$$\begin{aligned} \textsf {sid} _{1}&= (\text {``ETS''},&~\texttt {CH} , \texttt {CKS} ^\dagger , \texttt {CPSK} ),\\ \textsf {sid} _{2}&= (\text {``EEMS''},&~\texttt {CH} , \texttt {CKS} ^\dagger , \texttt {CPSK} ),\\ \textsf {sid} _{3}&= (\text {``CHTS''},&~\texttt {CH} , \texttt {CKS} ^\dagger , \texttt {CPSK} , \texttt {SH} , \texttt {SKS} ^\dagger , \texttt {SPSK} ),\\ \textsf {sid} _{4}&= (\text {``SHTS''},&~\texttt {CH} , \texttt {CKS} ^\dagger , \texttt {CPSK} , \texttt {SH} , \texttt {SKS} ^\dagger , \texttt {SPSK} ),\\ \textsf {sid} _{5}&= (\text {``CATS''},&~\texttt {CH} , \texttt {CKS} ^\dagger , \texttt {CPSK} , \texttt {SH} , \texttt {SKS} ^\dagger , \texttt {SPSK} , \texttt {EE} , \texttt {SF} ),\\ \textsf {sid} _{6}&= (\text {``SATS''},&~\texttt {CH} , \texttt {CKS} ^\dagger , \texttt {CPSK} , \texttt {SH} , \texttt {SKS} ^\dagger , \texttt {SPSK} , \texttt {EE} , \texttt {SF} ),\\ \textsf {sid} _{7}&= (\text {``EMS''},&~\texttt {CH} , \texttt {CKS} ^\dagger , \texttt {CPSK} , \texttt {SH} , \texttt {SKS} ^\dagger , \texttt {SPSK} , \texttt {EE} , \texttt {SF} ),\\ \textsf {sid} _{8}&= (\text {``RMS''},&~\texttt {CH} , \texttt {CKS} ^\dagger , \texttt {CPSK} , \texttt {SH} , \texttt {SKS} ^\dagger , \texttt {SPSK} , \texttt {EE} , \texttt {SF} , \texttt {CF} ). \end{aligned}$$
Components indicated with \(^\dagger \) are present only in the PSK-(EC)DHE variant.
For the contributive identifiers in stages 3 and 4, as for the full handshake we want to ensure server sessions with honest client contribution can be tested, even if the server’s response never reaches the client. Therefore, we let client (resp. server) upon sending (resp. receiving) the \(\texttt {ClientHello} \), \(\texttt {ClientKeyShare} ^\dagger \) and \(\texttt {ClientPreSharedKey} \) messages set \(\textsf {cid} _{3} = (\text {``CHTS''},\texttt {CH} ,\texttt {CKS} ^\dagger , \texttt {CPSK} )\), \(\textsf {cid} _{4} = (\text {``SHTS''},\texttt {CH} ,\texttt {CKS} ^\dagger , \texttt {CPSK} )\) and later, upon receiving (resp. sending) the \(\texttt {ServerHello} \), \(\texttt {ServerKeyShare} ^\dagger \) and \(\texttt {ServerPreSharedKey} \) messages, extend it to \(\textsf {cid} _{3} = (\text {``CHTS''},\texttt {CH} ,\texttt {CKS} ^\dagger ,\texttt {CPSK} ,\texttt {SH} ,\texttt {SKS} ^\dagger ,\texttt {SPSK} )\), \(\textsf {cid} _{4} = (\text {``SHTS''},\texttt {CH} ,\texttt {CKS} ^\dagger ,\texttt {CPSK} ,\texttt {SH} ,\texttt {SKS} ^\dagger ,\texttt {SPSK} )\). All other contributive identifiers are set to \(\textsf {cid} _{i} = \textsf {sid} _{i}\) (for stages \(i \in \{1,2,5,6,7,8\}\)) when the respective session identifier is set.
TLS 1.3 PSK-only (0-RTT optional)
We can begin to give our security results for the TLS 1.3 PSK-only \(\text {0-RTT} \) handshake. We start with \(\textsf {Match} \) security.
Match Security
Theorem 6.1 (\(\textsf {Match} \) security of TLS1.3-PSK-0RTT). The TLS 1.3 PSK-only 0-RTT handshake is \(\textsf {Match} \)-secure with properties \((\textsf {M} ,\textsf {AUTH} ,\textsf {FS} ,\textsf {USE} ,\textsf {REPLAY} )\) given above. For any efficient adversary \(\mathcal {A}\), there exists an efficient algorithm \(\mathcal {B}\) such that
$$\begin{aligned} \textsf {Adv} _{\texttt {TLS1.3} \text { -}\texttt {PSK} \text { -}\texttt {0RTT} ,\mathcal {A}}^{\textsf {Match} } \le \textsf {Adv} _{\textsf {HMAC} ,\mathcal {B}}^{\textsf {COLL} } + \frac{n_{p}^2}{|\mathcal {P}|} + n_{s}^2 \cdot 2^{-|\textit{nonce}|}, \end{aligned}$$
where \(n_{s}\) is the maximum number of sessions, \(n_{p}\) is the maximum number of pre-shared secrets, \(|\mathcal {P}|\) is the size of the pre-shared secret space, and \(|\textit{nonce}|=256\) is the bit length of the nonces.
Recall that \(\textsf {Match} \) security is a soundness property of the session identifiers. From our definition of session identifiers above, it follows immediately that partnered sessions agree on the derived key, opposite roles, authentication properties, contributive identifiers, and the respective stages. As in the proof of \(\textsf {Match} \) security for TLS1.3-full-1RTT, the security bound arises as the birthday bound for two honest sessions choosing the same nonce; this not happening ensures at most two partners share the same session identifier.
Proof
We need to show the seven properties of \(\textsf {Match} \) security (cf. Definition 4.1).
1. Sessions with the same session identifier for some stage hold the same key at that stage. The session identifiers in each stage include the pre-shared identifier \(\textsf {pssid} = pskid\) (through the \(\texttt {CPSK} \) and \(\texttt {SPSK} \) messages), fixing the only key input \(\mathrm {PSK}\) to all derived stage keys, as both parties agree upon a mapping \(\textsf {pss} _{U,V}(\textsf {pssid} ) = \textsf {pss} = \mathrm {PSK}\) (recall that \(\mathrm {DHE}= 0\) in the TLS 1.3 PSK-only 0-RTT handshake). Furthermore, for each stage, the session identifier includes all handshake messages that enter the key derivation: for stages 1 and 2 messages up to \(\texttt {CPSK} \), for stages 3 and 4 messages up to \(\texttt {SPSK} \), for stages 5, 6, 7 messages up to \(\texttt {SF} \), and for stage 8 all messages (up to \(\texttt {CF} \)). In each stage, the session identifier hence determines all inputs to the key derivation, and agreement on it thus ensures agreement on the stage key.
2. Sessions with the same session identifier for some stage have opposite roles, except for potential multiple responders in replayable stages. Assuming at most two sessions share the same session identifier (which we show below), two initiator (client) or responder (server) sessions never hold the same session identifier as they never accept wrong-role incoming messages, and the initial \(\texttt {Hello} \) messages are typed with the sender’s role. This excludes stages 1 and 2, which are replayable stages in the TLS 1.3 PSK-only 0-RTT handshake.
3. Sessions with the same session identifier for some stage agree on that stage’s authentication level. All stages in the TLS 1.3 PSK-only 0-RTT handshake are mutually authenticated, so this is trivially true.
4. Sessions with the same session identifier for some stage share the same contributive identifier. This holds due to, for each stage i, the contributive identifier \(\textsf {cid} _{i}\) being final and equal to \(\textsf {sid} _{i}\) once the session identifier is set.
5. Sessions are partnered with the intended (authenticated) participant and share the same key identifier. All session identifiers include the \(\textsf {pssid} \) and binder values sent as part of the \(\texttt {ClientHello} \). The \(\textsf {pssid} \) thus is trivially agreed upon. The binder value is derived from that \(\mathrm {PSK}\) through a sequence of \(\textsf {HKDF} \)/\(\textsf {HMAC} \) computations. If we treat \(\textsf {HMAC} \) as an unkeyed collision-resistant hash function over both inputs, the key and the message space, agreement on binder implies agreement on \(\mathrm {PSK}\). This step is necessary, as \(\mathcal {A}\) can set multiple \(\mathrm {PSK}\) values to share the same \(\textsf {pssid} \), and thus a \(\textsf {pssid} \) does not necessarily uniquely determine a pre-shared secret \(\mathrm {PSK}\) from each peer’s perspective. Instead, we use binder to uniquely determine agreement upon \(\mathrm {PSK}\) between peers. As all \(\mathrm {PSK}\) values are chosen uniformly at random within the \(\textsf {NewSecret} \) query, they collide only with negligible probability, bounded by the birthday bound \(n_{p}^2 / |\mathcal {P}|\), where \(\mathcal {P}\) is the pre-shared secret space and \(n_{p}\) the maximum number of pre-shared secrets. Therefore, agreement on binder and \(\mathrm {PSK}\) finally implies that \(\textsf {pssid} \), as interpreted by the partnered client and server session, originates from the same \(\textsf {NewSecret} \) call. This, from the perspective of both client and server, uniquely identifies the respective peer’s identity and hence ensures agreement on the intended peers.
6. Session identifiers are distinct for different stages. This holds trivially as each stage’s session identifier has a unique label.
7. At most two sessions have the same session identifier at any non-replayable stage. Recall that stages 1 and 2 are replayable, so we only need to consider stages \(i \in \{3,4,5,6,7,8\}\). Observe that all session identifiers from these stages include a client and server random nonce (\(r_{c}\) and \(r_{s}\) respectively), through the \(\texttt {ClientHello} \) and \(\texttt {ServerHello} \) messages. Therefore, for a threefold collision among session identifiers of honest parties, some session would need to pick the same nonce as one other session (which then may be partnered through a regular protocol run to some third session). The probability for such a collision to happen can be bounded from above by the birthday bound \(n_{s}^2 \cdot 2^{-|\textit{nonce}|}\), where \(n_{s}\) is the maximum number of sessions, and \(|\textit{nonce}| = 256\) the nonces’ bit length. \(\square \)
Multi-Stage Security
Theorem 6.2 (\(\textsf {Multi} \text {-}\textsf {Stage} \) security of TLS1.3-PSK-0RTT). The TLS 1.3 PSK 0-RTT handshake is \(\textsf {Multi} \text {-}\textsf {Stage} \)-secure with properties \((\textsf {M} ,\textsf {AUTH} ,\textsf {FS} ,\textsf {USE} ,\textsf {REPLAY} )\) given above. Formally, for any efficient adversary \(\mathcal {A}\) against the \(\textsf {Multi} \text {-}\textsf {Stage} \) security there exist efficient algorithms \(\mathcal {B}_{1}\), ..., \(\mathcal {B}_{8}\) such that
$$\begin{aligned}&\textsf {Adv} _{\texttt {TLS1.3} \text { -}\texttt {PSK} \text { -}\texttt {0RTT} ,\mathcal {A}}^{\textsf {Multi} \text {-}\textsf {Stage} ,\mathcal {D}} \\&\quad \le 8n_{s}\left( \begin{array}{l} \textsf {Adv} _{\textsf {H} ,\mathcal {B}_{1}}^{\textsf {COLL} } + n_{p}\left( \begin{array}{l} \textsf {Adv} _{\textsf {HKDF} .\textsf {Extract} ,\mathcal {B}_{2}}^{\textsf {dual} \text { -}\textsf {PRF} \text { -}\textsf {sec} } + \textsf {Adv} _{\textsf {HKDF} .\textsf {Expand} ,\mathcal {B}_{3}}^{\textsf {PRF} \text { -}\textsf {sec} } \\ +\, \textsf {Adv} _{\textsf {HKDF} .\textsf {Extract} ,\mathcal {B}_{4}}^{\textsf {PRF} \text { -}\textsf {sec} } + \textsf {Adv} _{\textsf {HKDF} .\textsf {Expand} ,\mathcal {B}_{5}}^{\textsf {PRF} \text { -}\textsf {sec} } \\ +\, 2\cdot \textsf {Adv} _{\textsf {HKDF} .\textsf {Expand} ,\mathcal {B}_{6}}^{\textsf {PRF} \text { -}\textsf {sec} } + \textsf {Adv} _{\textsf {HKDF} .\textsf {Extract} ,\mathcal {B}_{7}}^{\textsf {PRF} \text { -}\textsf {sec} } \\ +\, \textsf {Adv} _{\textsf {HKDF} .\textsf {Expand} ,\mathcal {B}_{8}}^{\textsf {PRF} \text { -}\textsf {sec} } \end{array} \right) \end{array} \right) \end{aligned}$$
where \(n_{s}\) is the maximum number of sessions, \(n_{u}\) is the maximum number of users, and \(n_{p}\) is the maximum number of pre-shared secrets.
For the TLS 1.3 PSK 0-RTT handshake, \(\textsf {Multi} \text {-}\textsf {Stage} \) security follows from the security of the pre-shared key: all keys are derived from a pre-shared secret \(\mathrm {PSK}\) unknown to the adversary (since the PSK mode is not forward secret, \(\mathrm {PSK}\) may not be corrupted in the tested session). As such, the derived keys are indistinguishable from random (under PRF assumptions on the \(\textsf {HKDF} .\textsf {Extract} \) and \(\textsf {HKDF} .\textsf {Expand} \) steps) and independent of each other, allowing revealing and testing of session keys across different stages.
Proof
As before, we proceed via a sequence of games, bounding the differences between games via a series of assumptions until we demonstrate that \(\mathcal {A}\)’s advantage in winning the final game is 0.
Game 0. This is the original \(\textsf {Multi} \text {-}\textsf {Stage} \) game, i.e.,
$$\begin{aligned} \textsf {Adv} _{\texttt {TLS1.3} \text { -}\texttt {PSK} \text { -}\texttt {0RTT} ,\mathcal {A}}^{\textsf {Multi} \text {-}\textsf {Stage} ,\mathcal {D}} = \textsf {Adv} _{\texttt {TLS1.3} \text { -}\texttt {PSK} \text { -}\texttt {0RTT} ,\mathcal {A}}^{G_{0}}. \end{aligned}$$
Game 1. We restrict \(\mathcal {A}\) to a single \(\textsf {Test} \) query, reducing its advantage by a factor of at most \(1/8n_{s}\). Formally, we construct an adversary from \(\mathcal {A}\) making only a single \(\textsf {Test} \) query via a hybrid argument, analogously to the proof of Theorem 5.2 on page 27, detailed in Appendix A.
$$\begin{aligned} \textsf {Adv} _{\texttt {TLS1.3} \text { -}\texttt {PSK} \text { -}\texttt {0RTT} ,\mathcal {A}}^{G_{0}} \le 8 n_{s}\cdot \textsf {Adv} _{\texttt {TLS1.3} \text { -}\texttt {PSK} \text { -}\texttt {0RTT} ,\mathcal {A}}^{G_{1}}. \end{aligned}$$
From now on, we can refer to the session \(\textsf {label} \) tested at stage i, and assume that we know this session in advance.
Game 2. In this game, the challenger aborts if any two honest sessions compute the same hash value for different inputs in any evaluation of the hash function \(\textsf {H} \). If this event occurs, this can be used to break the collision resistance of \(\textsf {H} \) by letting a reduction \(\mathcal {B}_{1}\) (with approximately the same running time as \(\mathcal {A}\)) output the two distinct input values to \(\textsf {H} \). Thus:
$$\begin{aligned} \textsf {Adv} _{\texttt {TLS1.3} \text { -}\texttt {PSK} \text { -}\texttt {0RTT} ,\mathcal {A}}^{G_{1}} \le \textsf {Adv} _{\texttt {TLS1.3} \text { -}\texttt {PSK} \text { -}\texttt {0RTT} ,\mathcal {A}}^{G_{2}} + \textsf {Adv} _{\textsf {H} ,\mathcal {B}_{1}}^{\textsf {COLL} }. \end{aligned}$$
Game 3. In this game, the challenger guesses the pre-shared secret \(\mathrm {PSK}\) used in the tested session, and aborts the game if that guess was incorrect. This reduces \(\mathcal {A}\)’s advantage by a factor of at most \(1/n_{p}\) for \(n_{p}\) being the maximum number of registered pre-shared secrets, thus:
$$\begin{aligned} \textsf {Adv} _{\texttt {TLS1.3} \text { -}\texttt {PSK} \text { -}\texttt {0RTT} ,\mathcal {A}}^{G_{2}} \le n_{p}\cdot \textsf {Adv} _{\texttt {TLS1.3} \text { -}\texttt {PSK} \text { -}\texttt {0RTT} ,\mathcal {A}}^{G_{3}}. \end{aligned}$$
Game 4. In this game, we replace the outputs of the pseudorandom function \(\textsf {HKDF} .\textsf {Extract} \) in all evaluations using the tested session’s guessed pre-shared secret \(\mathrm {PSK}\) as a key by random values. This affects the derivation of the early secret \(\mathrm {ES}\) in any session using the same shared \(\mathrm {PSK}\). We replace the derivation of \(\mathrm {ES}\) in such sessions with a random value \(\widetilde{\mathrm {ES}}\). We can bound the difference this step introduces in the advantage of \(\mathcal {A}\) by the dual PRF security of \(\textsf {HKDF} .\textsf {Extract} \). Note that any successful adversary cannot issue a \(\textsf {Corrupt} \) query to reveal the \(\mathrm {PSK}\) used in the tested session, and thus the pre-shared secret is an unknown and uniformly random value, and the simulation is sound. Thus:
$$\begin{aligned} \textsf {Adv} _{\texttt {TLS1.3} \text { -}\texttt {PSK} \text { -}\texttt {0RTT} ,\mathcal {A}}^{G_{3}} \le \textsf {Adv} _{\texttt {TLS1.3} \text { -}\texttt {PSK} \text { -}\texttt {0RTT} ,\mathcal {A}}^{G_{4}} + \textsf {Adv} _{\textsf {HKDF} .\textsf {Extract} ,\mathcal {B}_{2}}^{\textsf {dual} \text { -}\textsf {PRF} \text { -}\textsf {sec} }. \end{aligned}$$
Game 5. In this game, we replace the pseudorandom function \(\textsf {HKDF} .\textsf {Expand} \) in all evaluations using the value \(\widetilde{\mathrm {ES}}\) replaced in \(G_{4}\). This affects the derivation of the derived early secret \(\mathrm {dES}\), the binder key \(\mathrm {BK}\), the early traffic secret \(\mathrm {ETS}\), and the early exporter master secret \(\mathrm {EEMS}\) in any session using the same early secret value \(\widetilde{\mathrm {ES}}\), due to the stage being replayable. We replace the derivation of \(\mathrm {dES}\), \(\mathrm {BK}\), \(\mathrm {ETS}\) and \(\mathrm {EEMS}\) in such sessions with random values \(\widetilde{\mathrm {dES}}\), \(\widetilde{\mathrm {BK}}\), \(\widetilde{\mathrm {ETS}}\), \(\widetilde{\mathrm {EEMS}}\). We can bound the difference that this step introduces in the advantage of \(\mathcal {A}\) by the security of the pseudorandom function \(\textsf {HKDF} .\textsf {Expand} \). Note that by Game \(G_{4}\), \(\widetilde{\mathrm {ES}}\) is an unknown and uniformly random value, and this replacement is sound. Thus:
$$\begin{aligned} \textsf {Adv} _{\texttt {TLS1.3} \text { -}\texttt {PSK} \text { -}\texttt {0RTT} ,\mathcal {A}}^{G_{4}} \le \textsf {Adv} _{\texttt {TLS1.3} \text { -}\texttt {PSK} \text { -}\texttt {0RTT} ,\mathcal {A}}^{G_{5}} + \textsf {Adv} _{\textsf {HKDF} .\textsf {Expand} ,\mathcal {B}_{3}}^{\textsf {PRF} \text { -}\textsf {sec} }. \end{aligned}$$
At this point, we have replaced the stage 1 and stage 2 keys (\(\widetilde{\mathrm {ETS}}\) and \(\widetilde{\mathrm {EEMS}}\), respectively). We note that if \(\mathcal {A}\) issues a \(\textsf {Reveal} (\textsf {label} ',i)\) query to a session \(\textsf {label} '\) such that the tested session satisfies \(\textsf {label} .\textsf {sid} _{i} = \textsf {label} '.\textsf {sid} _{i}\), then \(\mathcal {A}\) would lose the game. Since these stages are replayable, there may be multiple such sessions with \(\textsf {label} .\textsf {sid} _{i} = \textsf {label} '.\textsf {sid} _{i}\); however, if any of these stages is revealed, \(\mathcal {A}\) loses the game.
Game 6. In this game, we replace the pseudorandom function \(\textsf {HKDF} .\textsf {Extract} \) in all evaluations using the value \(\widetilde{\mathrm {dES}}\) replaced in \(G_{5}\). This affects the derivation of the handshake secret \(\mathrm {HS}\) in any session using the same derived early secret value \(\widetilde{\mathrm {dES}}\), as the derivation of \(\mathrm {HS}\) includes no additional entropy. We replace the derivation of \(\mathrm {HS}\) in such sessions with a random value \(\widetilde{\mathrm {HS}}\). We can bound the difference that this step introduces in the advantage of \(\mathcal {A}\) by the security of the pseudorandom function \(\textsf {HKDF} .\textsf {Extract} \). Note that by the previous game, \(\widetilde{\mathrm {dES}}\) is a uniformly random value, and the simulation is sound. Thus:
$$\begin{aligned} \textsf {Adv} _{\texttt {TLS1.3} \text { -}\texttt {PSK} \text { -}\texttt {0RTT} ,\mathcal {A}}^{G_{5}} \le \textsf {Adv} _{\texttt {TLS1.3} \text { -}\texttt {PSK} \text { -}\texttt {0RTT} ,\mathcal {A}}^{G_{6}} + \textsf {Adv} _{\textsf {HKDF} .\textsf {Extract} ,\mathcal {B}_{4}}^{\textsf {PRF} \text { -}\textsf {sec} }. \end{aligned}$$
Game 7. In this game, we replace the pseudorandom function \(\textsf {HKDF} .\textsf {Expand} \) in all evaluations using the value \(\widetilde{\mathrm {HS}}\) replaced in \(G_{6}\). This affects the derivation of the client handshake traffic secret \(\mathrm {CHTS}\) and the server handshake traffic secret \(\mathrm {SHTS}\) in the target session and (if it exists) its matching partner, and the derived handshake secret \(\mathrm {dHS}\) in all sessions using the same handshake secret \(\widetilde{\mathrm {HS}}\). Note that for \(\mathrm {CHTS}\) and \(\mathrm {SHTS}\), these values are distinct from any other session using the same handshake secret value \(\widetilde{\mathrm {HS}}\), as the evaluation also takes as input the hash value \(H_{2} = \textsf {H} (\texttt {CH} \Vert \texttt {CPSK} \Vert \texttt {SH} \Vert \texttt {SPSK} )\), where \(\texttt {CH} \) and \(\texttt {SH} \) contain the client and server random values \(r_{c}\), \(r_{s}\) respectively, and by Game \(G_{2}\) we exclude hash collisions. However, \(\mathrm {dHS}\) may be derived in multiple sessions, as it includes no additional entropy in its computation. We replace the derivation of \(\mathrm {CHTS}\), \(\mathrm {SHTS}\) and \(\mathrm {dHS}\) in such sessions with random values \(\widetilde{\mathrm {CHTS}}\), \(\widetilde{\mathrm {SHTS}}\) and \(\widetilde{\mathrm {dHS}}\). To ensure consistency, we replace derivations of \(\mathrm {dHS}\) with the replaced \(\widetilde{\mathrm {dHS}}\) sampled by the first session to evaluate \(\textsf {HKDF} .\textsf {Expand} \) using \(\widetilde{\mathrm {HS}}\). We can bound the difference that this step introduces in the advantage of \(\mathcal {A}\) by the security of the pseudorandom function \(\textsf {HKDF} .\textsf {Expand} \). Note that by the previous game, \(\widetilde{\mathrm {HS}}\) is a uniformly random value, and the replacement is sound. Thus:
$$\begin{aligned} \textsf {Adv} _{\texttt {TLS1.3} \text { -}\texttt {PSK} \text { -}\texttt {0RTT} ,\mathcal {A}}^{G_{6}} \le \textsf {Adv} _{\texttt {TLS1.3} \text { -}\texttt {PSK} \text { -}\texttt {0RTT} ,\mathcal {A}}^{G_{7}} + \textsf {Adv} _{\textsf {HKDF} .\textsf {Expand} ,\mathcal {B}_{5}}^{\textsf {PRF} \text { -}\textsf {sec} }. \end{aligned}$$
Game 8. In this game, we replace the pseudorandom function \(\textsf {HKDF} .\textsf {Expand} \) in all evaluations using the values \(\widetilde{\mathrm {CHTS}}\), \(\widetilde{\mathrm {SHTS}}\) replaced in \(G_{7}\). This affects the derivation of the client handshake traffic key \(\mathrm {tk}_{\text {chs}}\) and the server handshake traffic key \(\mathrm {tk}_{\text {shs}}\) in the target session and its matching partner. We replace the derivation of \(\mathrm {tk}_{\text {chs}}\) and \(\mathrm {tk}_{\text {shs}}\) with random values \(\widetilde{\mathrm {tk}}_{\text {chs}}\) and \(\widetilde{\mathrm {tk}}_{\text {shs}}\) of L bits, where L indicates the sum of key length and iv length for the negotiated AEAD scheme. We can bound the difference that this step introduces in the advantage of \(\mathcal {A}\) by the security of two evaluations of the pseudorandom function \(\textsf {HKDF} .\textsf {Expand} \). Note that by the previous game \(\widetilde{\mathrm {CHTS}}\) and \(\widetilde{\mathrm {SHTS}}\) are uniformly random values, and these replacements are sound. Thus:
$$\begin{aligned} \textsf {Adv} _{\texttt {TLS1.3} \text { -}\texttt {PSK} \text { -}\texttt {0RTT} ,\mathcal {A}}^{G_{7}} \le \textsf {Adv} _{\texttt {TLS1.3} \text { -}\texttt {PSK} \text { -}\texttt {0RTT} ,\mathcal {A}}^{G_{8}} + 2 \cdot \textsf {Adv} _{\textsf {HKDF} .\textsf {Expand} ,\mathcal {B}_{6}}^{\textsf {PRF} \text { -}\textsf {sec} }. \end{aligned}$$
Game 9. In this game, we replace the pseudorandom function \(\textsf {HKDF} .\textsf {Extract} \) in all evaluations using the value \(\widetilde{\mathrm {dHS}}\) replaced in \(G_{7}\). This affects the derivation of the master secret \(\mathrm {MS}\) in any session using the same derived handshake secret \(\widetilde{\mathrm {dHS}}\). We replace the derivation of \(\mathrm {MS}\) in such sessions with the random value \(\widetilde{\mathrm {MS}}\). \(\mathrm {MS}\) may be derived in multiple sessions, as it includes no additional entropy in its computation. We can bound the difference that this step introduces in the advantage of \(\mathcal {A}\) by the security of the pseudorandom function \(\textsf {HKDF} .\textsf {Extract} \). Note that by Game \(G_{7}\), \(\widetilde{\mathrm {dHS}}\) is a uniformly random value and this replacement is sound. Thus:
$$\begin{aligned} \textsf {Adv} _{\texttt {TLS1.3} \text { -}\texttt {PSK} \text { -}\texttt {0RTT} ,\mathcal {A}}^{G_{8}} \le \textsf {Adv} _{\texttt {TLS1.3} \text { -}\texttt {PSK} \text { -}\texttt {0RTT} ,\mathcal {A}}^{G_{9}} + \textsf {Adv} _{\textsf {HKDF} .\textsf {Extract} ,\mathcal {B}_{7}}^{\textsf {PRF} \text { -}\textsf {sec} }. \end{aligned}$$
Game 10. In this game, we replace the pseudorandom function \(\textsf {HKDF} .\textsf {Expand} \) in all evaluations using the value \(\widetilde{\mathrm {MS}}\) replaced in \(G_{9}\) in the targeted session and its matching session. This affects the derivation of the client application traffic secret \(\mathrm {CATS}\), the server application traffic secret \(\mathrm {SATS}\), the exporter master secret \(\mathrm {EMS}\) and the resumption master secret \(\mathrm {RMS}\). For \(\mathrm {CATS}\), \(\mathrm {SATS}\) and \(\mathrm {EMS}\), these evaluations are distinct from any other session, as the evaluation of \(\textsf {HKDF} .\textsf {Expand} \) also takes as input \(H_{4} = \textsf {H} (\texttt {CH} \Vert \texttt {CPSK} \Vert \texttt {SH} \Vert \texttt {SPSK} \Vert \texttt {SF} )\), where \(\texttt {CH} \) and \(\texttt {SH} \) contain the client and server random values \(r_{c}\) and \(r_{s}\) respectively, and by Game \(G_{2}\) we exclude hash collisions. For \(\mathrm {RMS}\), this evaluation is distinct from any other session, as the evaluation of \(\textsf {HKDF} .\textsf {Expand} \) also takes as input \(H_{5} = \textsf {H} (\texttt {CH} \Vert \texttt {CPSK} \Vert \texttt {SH} \Vert \texttt {SPSK} \Vert \texttt {SF} \Vert \texttt {CF} )\). We replace the derivation of \(\mathrm {CATS}\), \(\mathrm {SATS}\), \(\mathrm {EMS}\) and \(\mathrm {RMS}\) with random values \(\widetilde{\mathrm {CATS}}\), \(\widetilde{\mathrm {SATS}}\), \(\widetilde{\mathrm {EMS}}\), \(\widetilde{\mathrm {RMS}}\). We can bound the difference that this step introduces in the advantage of \(\mathcal {A}\) by the security of the pseudorandom function \(\textsf {HKDF} .\textsf {Expand} \). Note that by the previous game \(\widetilde{\mathrm {MS}}\) is a uniformly random and independent value, and these replacements are sound. Thus:
$$\begin{aligned} \textsf {Adv} _{\texttt {TLS1.3} \text { -}\texttt {PSK} \text { -}\texttt {0RTT} ,\mathcal {A}}^{G_{9}} \le \textsf {Adv} _{\texttt {TLS1.3} \text { -}\texttt {PSK} \text { -}\texttt {0RTT} ,\mathcal {A}}^{G_{10}} + \textsf {Adv} _{\textsf {HKDF} .\textsf {Expand} ,\mathcal {B}_{8}}^{\textsf {PRF} \text { -}\textsf {sec} }. \end{aligned}$$
In Game \(G_{10}\) we have now replaced all stages’ keys in the tested session with uniformly random values independent from the protocol execution, and thus:
$$\begin{aligned} \textsf {Adv} _{\texttt {TLS1.3} \text { -}\texttt {PSK} \text { -}\texttt {0RTT} ,\mathcal {A}}^{G_{10}} = 0. \end{aligned}$$
Combining the given single bounds yields the overall security statement. \(\square \)
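The two arguments above that hinge on the key schedule, the binder fixing \(\mathrm {PSK}\) in property 5 of Theorem 6.1 and the Games 4 to 10 distinction between secrets that "include no additional entropy" (\(\mathrm {dES}\), \(\mathrm {HS}\), \(\mathrm {dHS}\), \(\mathrm {MS}\)) and those bound to the nonce-carrying hashes \(H_{2}\), \(H_{4}\), \(H_{5}\), can be made concrete by running the PSK-only key schedule of RFC 8446 for two sessions that share a PSK but pick fresh nonces. The following is an added example, not code from the paper; it implements HKDF over SHA-256 and uses constructed, non-wire-format handshake messages, a resumption ("res binder") PSK and AES-128-GCM key/iv lengths, so the combined \(\mathrm {tk}\) has L = 16 + 12 bytes.

```python
"""TLS 1.3 PSK-only key schedule (RFC 8446, Section 7.1) for SHA-256 ciphersuites,
written with the paper's secret names: ES, dES, BK, ETS, EEMS, HS, CHTS, SHTS,
dHS, MS, CATS, SATS, EMS, RMS and the combined traffic keys tk_chs / tk_shs."""
import hashlib
import hmac

HASH = "sha256"
HLEN = hashlib.new(HASH).digest_size   # 32 bytes
ZERO = bytes(HLEN)                     # all-zero salt / IKM of Hash.length


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """HKDF.Extract(salt, IKM) = HMAC(salt, IKM) (RFC 5869)."""
    return hmac.new(salt, ikm, HASH).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """HKDF.Expand (RFC 5869): T(i) = HMAC(prk, T(i-1) || info || i), truncated to length."""
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        out += block
        counter += 1
    return out[:length]


def expand_label(secret: bytes, label: str, context: bytes, length: int) -> bytes:
    """HKDF-Expand-Label: info = uint16 length || "tls13 " + label || context."""
    lab = b"tls13 " + label.encode()
    info = length.to_bytes(2, "big") + bytes([len(lab)]) + lab + bytes([len(context)]) + context
    return hkdf_expand(secret, info, length)


def derive_secret(secret: bytes, label: str, transcript: bytes) -> bytes:
    """Derive-Secret: Expand-Label over the transcript hash H(messages so far)."""
    return expand_label(secret, label, hashlib.new(HASH, transcript).digest(), HLEN)


def psk_key_schedule(psk, ch, sh, sf, cf, key_len=16, iv_len=12):
    """All secrets of the PSK-only handshake, keyed by the paper's names.
    ch/sh/sf/cf: serialised ClientHello (with its PSK extension), the server's
    flight up to its Finished, server Finished, client Finished. No DHE entropy
    enters: the IKM for HS and MS is the all-zero string (the paper's DHE = 0)."""
    ks = {}
    ks["ES"] = hkdf_extract(ZERO, psk)                        # early secret
    ks["BK"] = derive_secret(ks["ES"], "res binder", b"")     # binder key (resumption PSK)
    ks["ETS"] = derive_secret(ks["ES"], "c e traffic", ch)    # stage 1, 0-RTT
    ks["EEMS"] = derive_secret(ks["ES"], "e exp master", ch)  # stage 2, 0-RTT
    ks["dES"] = derive_secret(ks["ES"], "derived", b"")       # empty transcript: shared by all sessions
    ks["HS"] = hkdf_extract(ks["dES"], ZERO)                  # handshake secret with DHE = 0
    ks["CHTS"] = derive_secret(ks["HS"], "c hs traffic", ch + sh)   # bound to H_2 (carries r_c, r_s)
    ks["SHTS"] = derive_secret(ks["HS"], "s hs traffic", ch + sh)
    for name, secret in (("tk_chs", ks["CHTS"]), ("tk_shs", ks["SHTS"])):
        # stages 3 and 4: the paper's single tk of L = key length + iv length
        ks[name] = expand_label(secret, "key", b"", key_len) + expand_label(secret, "iv", b"", iv_len)
    ks["dHS"] = derive_secret(ks["HS"], "derived", b"")       # again shared across sessions
    ks["MS"] = hkdf_extract(ks["dHS"], ZERO)                  # master secret
    ks["CATS"] = derive_secret(ks["MS"], "c ap traffic", ch + sh + sf)  # stages 5-7: bound to H_4
    ks["SATS"] = derive_secret(ks["MS"], "s ap traffic", ch + sh + sf)
    ks["EMS"] = derive_secret(ks["MS"], "exp master", ch + sh + sf)
    ks["RMS"] = derive_secret(ks["MS"], "res master", ch + sh + sf + cf)  # stage 8: bound to H_5
    return ks


def psk_binder(psk: bytes, truncated_ch: bytes) -> bytes:
    """PSK binder: HMAC under finished_key = Expand-Label(BK, "finished") over the
    hash of the ClientHello truncated before the binders list (RFC 8446, 4.2.11.2).
    Different PSKs behind one pssid yield different binders, which is what
    property 5 of the Match proof relies on."""
    bk = derive_secret(hkdf_extract(ZERO, psk), "res binder", b"")
    finished_key = expand_label(bk, "finished", b"", HLEN)
    return hmac.new(finished_key, hashlib.new(HASH, truncated_ch).digest(), HASH).digest()


# Constructed sample values (not real TLS wire encodings): one PSK, two sessions
# that differ only in their nonces r_c and r_s.
PSK = hashlib.sha256(b"constructed resumption secret").digest()
SF, CF = b"SF:ServerFinished", b"CF:ClientFinished"


def two_sessions_same_psk() -> dict:
    """Run two honest sessions under PSK with fresh nonces and report, per secret,
    whether both sessions derived the same value (True = no session entropy)."""
    s1 = psk_key_schedule(PSK, b"CH|r_c=" + bytes(32) + b"|CPSK:id7",
                          b"SH|r_s=" + bytes(32) + b"|SPSK:0", SF, CF)
    s2 = psk_key_schedule(PSK, b"CH|r_c=" + b"\x01" * 32 + b"|CPSK:id7",
                          b"SH|r_s=" + b"\x02" * 32 + b"|SPSK:0", SF, CF)
    return {name: s1[name] == s2[name] for name in s1}


if __name__ == "__main__":
    for name, same in two_sessions_same_psk().items():
        print(f"{name:7s} {'shared across sessions' if same else 'session-specific'}")
```

Running it lists ES, BK, dES, HS, dHS and MS as shared across the two sessions and every stage key as session-specific, matching which values the proof replaces "in any session using the same" secret versus only in the tested session and its partner.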
TLS 1.3 PSK-(EC)DHE (0-RTT optional)
We can now turn to the security results for the TLS 1.3 PSK-(EC)DHE \(\text {0-RTT} \) handshake, starting again with \(\textsf {Match} \) security.
Match Security
Theorem 6.3 (\(\textsf {Match} \) security of TLS1.3-PSK-(EC)DHE-0RTT). The TLS 1.3 PSK-(EC)DHE 0-RTT handshake is \(\textsf {Match} \)-secure with properties \((\textsf {M} ,\textsf {AUTH} ,\textsf {FS} ,\textsf {USE} ,\textsf {REPLAY} )\) given above. For any efficient adversary \(\mathcal {A}\), there exists an efficient algorithm \(\mathcal {B}\) such that
$$\begin{aligned} \textsf {Adv} _{\texttt {TLS1.3} \text { -}\texttt {PSK} \text { -}\texttt {(EC)DHE} \text { -}\texttt {0RTT} ,\mathcal {A}}^{\textsf {Match} } \le \textsf {Adv} _{\textsf {HMAC} ,\mathcal {B}}^{\textsf {COLL} } + \frac{n_{p}^2}{|\mathcal {P}|} + n_{s}^2 \cdot \frac{1}{q} \cdot 2^{-|\textit{nonce}|}, \end{aligned}$$
where \(n_{s}\) is the maximum number of sessions, q is the group order, \(n_{p}\) is the maximum number of pre-shared secrets, \(|\mathcal {P}|\) is the size of the pre-shared secret space, and \(|\textit{nonce}|=256\) is the bit length of the nonces.
As before, the soundness properties of \(\textsf {Match} \) security follow immediately from our definition of session identifiers, with the security bound arising as the birthday bound for two honest sessions choosing the same nonce and group element. The proof hence closely follows the one for Theorem 6.1.
Proof
We need to show the seven properties of \(\textsf {Match} \) security (cf. Definition 4.1).
-
1.
Sessions with the same session identifier for some stage hold the same key at that stage. The session identifiers in each stage include both the pre-shared identifier pskid and the Diffie–Hellman shares \(g^x\) and \(g^y\) (through the \(\texttt {CPSK} \) and \(\texttt {SPSK} \), and \(\texttt {CKS} \), \(\texttt {SKS} \) messages respectively), fixing both the pre-shared key input \(\mathrm {PSK}\) and the Diffie–Hellman key input \(\mathrm {DHE}=g^{xy}\) for all derived stage keys. Furthermore, for each stage, the session identifier includes all handshake messages that enter the key derivation: for stages 1 and 2 messages up to \(\texttt {CPSK} \), for stages 3 and 4 messages up to \(\texttt {SPSK} \), for stages 5, 6, 7 messages up to \(\texttt {SF} \), and for stage 8 all messages (up to \(\texttt {CF} \)). In each stage, the session identifier hence determines all inputs to the key derivation, and agreement on it thus ensures agreement on the stage key.
-
2.
Sessions with the same session identifier for some stage have opposite roles, except for potential multiple responders in replayable stages. Assuming at most two sessions share the same session identifier (which we show below), two initiator (client) or responder (server) sessions never hold the same session identifier as they never accept wrong-role incoming messages, and the initial \(\texttt {Hello} \) messages are typed with the sender’s role. This is excluding stages 1 and 2, which are replayable stages in the TLS 1.3 PSK-(EC)DHE 0-RTT handshake.
3. Sessions with the same session identifier for some stage agree on that stage’s authentication level. By definition, the vector determining (upgradable) authentication is fixed to \(((1,1),(2,2),(5,8),(5,8),(5,8),(6,8),(7,8),(8,8))\), to which hence trivially all sessions agree.
4. Sessions with the same session identifier for some stage share the same contributive identifier. This holds due to, for each stage i, the contributive identifier \(\textsf {cid} _{i}\) being final and equal to \(\textsf {sid} _{i}\) once the session identifier is set.
5. Sessions are partnered with the intended (authenticated) participant and share the same key identifier. All session identifiers include the \(\textsf {pssid} \) and binder values sent as part of the \(\texttt {ClientHello} \). The \(\textsf {pssid} \) is thus trivially agreed upon and uniquely determines a pre-shared secret \(\mathrm {PSK}\) from each peer’s perspective. The binder value is derived from that \(\mathrm {PSK}\) through a sequence of \(\textsf {HKDF} \)/\(\textsf {HMAC} \) computations. If we treat \(\textsf {HMAC} \) as an unkeyed collision-resistant hash function over both inputs, the key and the message space, agreement on binder implies agreement on \(\mathrm {PSK}\). This step is necessary, as \(\mathcal {A}\) can set multiple \(\mathrm {PSK}\) values to share the same \(\textsf {pssid} \), and thus a \(\textsf {pssid} \) does not necessarily uniquely determine a pre-shared secret \(\mathrm {PSK}\) across both peers. Instead, we use binder to uniquely determine agreement upon \(\mathrm {PSK}\) between peers. As all \(\mathrm {PSK}\) values are chosen uniformly at random within the \(\textsf {NewSecret} \) query, they collide only with negligible probability, bounded by the birthday bound \(n_{p}^2 / |\mathcal {P}|\), where \(\mathcal {P}\) is the pre-shared secret space and \(n_{p}\) the maximum number of pre-shared secrets. Therefore, agreement on binder and \(\mathrm {PSK}\) finally implies that \(\textsf {pssid} \), as interpreted by the partnered client and server session, originates from the same \(\textsf {NewSecret} \) call. This, from the perspective of both client and server, uniquely identifies the respective peer’s identity and hence ensures agreement on the intended peers.
6. Session identifiers are distinct for different stages. This holds trivially as each stage’s session identifier has a unique label.
7. At most two sessions have the same session identifier at any non-replayable stage. Recall that stages 1 and 2 are replayable, so we consider only stages \(i \in \{3,4,5,6,7,8\}\). Recall that all session identifiers from these stages held by some session include a client and server random nonce and Diffie–Hellman share, as all session identifiers contain both the \(\texttt {ClientHello} \) and \(\texttt {ServerHello} \) messages. Therefore, for a threefold collision among session identifiers of honest parties, some session would need to pick the same nonce and group element as one other session (which then may be partnered through a regular protocol run to some third session). The probability for such a collision to happen can be bounded from above by the birthday bound \(n_{s}^2 \cdot 1/q \cdot 2^{-|\textit{nonce}|}\), where \(n_{s}\) is the maximum number of sessions, q is the group order, and \(|\textit{nonce}| = 256\) the nonces’ bit length. \(\square \)
Multi-Stage Security
Theorem 6.4
(\(\textsf {Multi} \text {-}\textsf {Stage} \) security of TLS1.3-PSK-(EC)DHE-0RTT). The TLS 1.3 PSK-(EC)DHE 0-RTT handshake is \(\textsf {Multi} \text {-}\textsf {Stage} \)-secure with properties \((\textsf {M} ,\textsf {AUTH} ,\textsf {FS} ,\textsf {USE} ,\textsf {REPLAY} )\) given above. Formally, for any efficient adversary \(\mathcal {A}\) against the \(\textsf {Multi} \text {-}\textsf {Stage} \) security there exist efficient algorithms \(\mathcal {B}_{1}\), ..., \(\mathcal {B}_{16}\) such that
$$\begin{aligned}&\textsf {Adv} _{\texttt {TLS1.3} \text { -}\texttt {PSK} \text { -}\texttt {(EC)DHE} \text { -}\texttt {0RTT} ,\mathcal {A}}^{\textsf {Multi} \text {-}\textsf {Stage} ,\mathcal {D}} \\&\quad \le 8 n_{s}\left( \begin{array}{r} \textsf {Adv} _{\textsf {H} ,\mathcal {B}_{1}}^{\textsf {COLL} } + n_{p}n_{s}\left( \begin{array}{l} \textsf {Adv} _{\textsf {HKDF} .\textsf {Extract} ,\mathcal {B}_{2}}^{\textsf {dual} \text { -}\textsf {PRF} \text { -}\textsf {sec} } + \textsf {Adv} _{\textsf {HKDF} .\textsf {Expand} ,\mathcal {B}_{3}}^{\textsf {PRF} \text { -}\textsf {sec} } \\ +\, \textsf {Adv} _{\textsf {HKDF} .\textsf {Extract} ,\mathcal {B}_{4}}^{\textsf {PRF} \text { -}\textsf {sec} } + \textsf {Adv} _{\textsf {HKDF} .\textsf {Expand} ,\mathcal {B}_{5}}^{\textsf {PRF} \text { -}\textsf {sec} } \\ +\, \textsf {Adv} _{\textsf {HKDF} .\textsf {Expand} ,\mathcal {B}_{6}}^{\textsf {PRF} \text { -}\textsf {sec} } + \textsf {Adv} _{\textsf {HMAC} ,\mathcal {B}_{7}}^{\textsf {EUF} \text { -}\textsf {CMA} } \\ +\, \textsf {Adv} _{\textsf {HKDF} .\textsf {Expand} ,\mathcal {B}_{8}}^{\textsf {PRF} \text { -}\textsf {sec} } + \textsf {Adv} _{\textsf {HMAC} ,\mathcal {B}_{9}}^{\textsf {EUF} \text { -}\textsf {CMA} } \\ +\, \textsf {Adv} _{\textsf {HKDF} .\textsf {Extract} ,\mathcal {B}_{10}}^{\textsf {dual} \text { -}\textsf {PRF} \text { -}\textsf {sec} } + \textsf {Adv} _{\textsf {HKDF} .\textsf {Expand} ,\mathcal {B}_{11}}^{\textsf {PRF} \text { -}\textsf {sec} } \end{array} \right) \\ + n_{s}\left( \begin{array}{l} \textsf {Adv} _{\textsf {HKDF} .\textsf {Extract} ,\mathbb {G},\mathcal {B}_{12}}^{\textsf {dual} \text { -}\textsf {snPRF} \text { -}\textsf {ODH} } + \textsf {Adv} _{\textsf {HKDF} .\textsf {Expand} ,\mathcal {B}_{13}}^{\textsf {PRF} \text { -}\textsf {sec} } \\ +\, 2\cdot \textsf {Adv} _{\textsf {HKDF} .\textsf {Expand} ,\mathcal {B}_{14}}^{\textsf {PRF} \text { -}\textsf {sec} } + \textsf {Adv} _{\textsf {HKDF} .\textsf {Extract} ,\mathcal {B}_{15}}^{\textsf {PRF} \text { -}\textsf {sec} } \\ +\, \textsf {Adv} _{\textsf {HKDF} .\textsf {Expand} ,\mathcal {B}_{16}}^{\textsf {PRF} \text { -}\textsf {sec} } \end{array} \right) \end{array} \right) \end{aligned}$$
where \(n_{s}\) is the maximum number of sessions, \(n_{p}\) the maximum number of pre-shared secrets established between any two parties, and \(n_{u}\) is the maximum number of users.
For the TLS 1.3 PSK-(EC)DHE 0-RTT handshake, \(\textsf {Multi} \text {-}\textsf {Stage} \) security essentially follows from two lines of reasoning. First, the (unforgeable) MAC tags covering (a collision-resistant hash of) the full \(\texttt {Hello} \) messages ensure that session stages with an authenticated peer hold exchanged Diffie–Hellman shares originating from an honest partner session. Then, all keys are derived in a way ensuring that (a) for forward-secret stages, the keys, derived from a Diffie–Hellman secret unknown to the adversary, are indistinguishable from random (under \(\textsf {PRF} \text { -}\textsf {ODH} \) and dual-PRF-sec/\({\textsf {PRF} \text {-}\textsf {sec} }\) assumptions on the \(\textsf {HKDF} .\textsf {Extract} \) and \(\textsf {HKDF} .\textsf {Expand} \) steps), and for non-forward-secret stages the keys, derived from a pre-shared secret unknown to the adversary, are also indistinguishable from random (under \(\textsf {PRF} \) assumptions on the \(\textsf {HKDF} .\textsf {Expand} \) and \(\textsf {HKDF} .\textsf {Extract} \) steps), and that (b) the keys are independent, allowing revealing and testing of session keys across different stages.
Proof
Again, we proceed via a sequence of games starting from the \(\textsf {Multi} \text {-}\textsf {Stage} \) game and bounding the advantage (differences) of adversary \(\mathcal {A}\).
Game 0. This is the original \(\textsf {Multi} \text {-}\textsf {Stage} \) game, i.e.,
$$\begin{aligned} \textsf {Adv} _{\texttt {TLS1.3} \text { -}\texttt {PSK} \text { -}\texttt {(EC)DHE} \text { -}\texttt {0RTT} ,\mathcal {A}}^{\textsf {Multi} \text {-}\textsf {Stage} ,\mathcal {D}} = \textsf {Adv} _{\texttt {TLS1.3} \text { -}\texttt {PSK} \text { -}\texttt {(EC)DHE} \text { -}\texttt {0RTT} ,\mathcal {A}}^{G_{0}}. \end{aligned}$$
Game 1. We again restrict \(\mathcal {A}\) to a single \(\textsf {Test} \) query, reducing its advantage by a factor of at most \(1/8n_{s}\) via a hybrid argument analogous to the one in the proof of Theorem 5.2 on page 27, detailed in Appendix A.
$$\begin{aligned} \textsf {Adv} _{\texttt {TLS1.3} \text { -}\texttt {PSK} \text { -}\texttt {(EC)DHE} \text { -}\texttt {0RTT} ,\mathcal {A}}^{G_{0}} \le 8 n_{s}\cdot \textsf {Adv} _{\texttt {TLS1.3} \text { -}\texttt {PSK} \text { -}\texttt {(EC)DHE} \text { -}\texttt {0RTT} ,\mathcal {A}}^{G_{1}}. \end{aligned}$$
From now on, we can refer to the session \(\textsf {label} \) tested at stage i, and assume to know the session in advance.
Game 2. In this game, the challenger aborts if any two honest sessions compute the same hash value for different inputs in any evaluation of the hash function \(\textsf {H} \). We can break the collision resistance of \(\textsf {H} \) in case of this event by letting a reduction \(\mathcal {B}_{1}\) output the two distinct input values to \(\textsf {H} \). Thus:
$$\begin{aligned} \textsf {Adv} _{\texttt {TLS1.3} \text { -}\texttt {PSK} \text { -}\texttt {(EC)DHE} \text { -}\texttt {0RTT} ,\mathcal {A}}^{G_{1}} \le \textsf {Adv} _{\texttt {TLS1.3} \text { -}\texttt {PSK} \text { -}\texttt {(EC)DHE} \text { -}\texttt {0RTT} ,\mathcal {A}}^{G_{2}} + \textsf {Adv} _{\textsf {H} ,\mathcal {B}_{1}}^{\textsf {COLL} }. \end{aligned}$$
From this point, our analysis separately considers the following three (disjoint) cases:
A. the tested session \(\textsf {label} \) has no honest contributive partner in the third stage (i.e., there exists no \(\textsf {label} ' \ne \textsf {label} \) with \(\textsf {label} .\textsf {cid} _{3} = \textsf {label} '.\textsf {cid} _{3}\)),
B. the tested session \(\textsf {label} \) has an honest contributive partner in the third stage (i.e., there exists \(\textsf {label} '\) with \(\textsf {label} .\textsf {cid} _{3} = \textsf {label} '.\textsf {cid} _{3}\)) and \(\mathcal {A}\) issues a \(\textsf {Test} \) query to the non-forward-secret stages (i.e., \(\mathcal {A}\) issues \(\textsf {Test} (\textsf {label} , i)\) where \(i \in \{1,2\}\)), and
C. the tested session \(\textsf {label} \) has an honest contributive partner in the third stage (i.e., there exists \(\textsf {label} '\) with \(\textsf {label} .\textsf {cid} _{3} = \textsf {label} '.\textsf {cid} _{3}\)) and \(\mathcal {A}\) issues a \(\textsf {Test} \) query to the forward-secret stages (i.e., \(\mathcal {A}\) issues \(\textsf {Test} (\textsf {label} , i)\) where \(i \in \{3, \ldots , 8\}\)).
This allows us to consider the adversary’s advantage separately for cases A (denoted “test w/o partner”), B (denoted “NFS test w/ partner”) and C (“FS test w/ partner”):
$$\begin{aligned}&\textsf {Adv} _{\texttt {TLS1.3} \text { -}\texttt {PSK} \text { -}\texttt {(EC)DHE} \text { -}\texttt {0RTT} ,\mathcal {A}}^{G_{2}} \\&\quad \le \textsf {Adv} _{\texttt {TLS1.3} \text { -}\texttt {PSK} \text { -}\texttt {(EC)DHE} \text { -}\texttt {0RTT} ,\mathcal {A}}^{G_{2},~\text {test w/o partner}} + \textsf {Adv} _{\texttt {TLS1.3} \text { -}\texttt {PSK} \text { -}\texttt {(EC)DHE} \text { -}\texttt {0RTT} ,\mathcal {A}}^{G_{2},~\text {NFS test w/ partner}} \\&\qquad + \textsf {Adv} _{\texttt {TLS1.3} \text { -}\texttt {PSK} \text { -}\texttt {(EC)DHE} \text { -}\texttt {0RTT} ,\mathcal {A}}^{G_{2},~\text {FS test w/ partner}}. \end{aligned}$$
Case A. Test without Partner
As before, we first consider the case that the tested session \(\textsf {label} \) has no stage 3 contributive partner. For tested initiator sessions, this means that there exists no honest session that has output the received \(\texttt {SH} \), \(\texttt {SKS} \), and \(\texttt {SPSK} \) messages. For tested responder sessions, this means that there exists no honest initiator session that has output the received \(\texttt {CH} \), \(\texttt {CKS} \), or \(\texttt {CPSK} \) messages. Since these messages are included in all subsequent stage session identifiers, this implies the tested session does not have a contributive partner in any stage. By definition, an adversary cannot win if the \(\textsf {Test} \) query issued to such a session is in a stage that, at the time of the test query, has an unauthenticated peer (where authentication refers to the rectified notion). For a tested responder session without an honest contributive partner in stage 3, a \(\textsf {Test} \) query can only be issued to the session when it reaches stage 8. For a tested initiator session without an honest contributive partner in stage 3, a \(\textsf {Test} \) query can only be issued to the session when it reaches stage 5.
Game A.0. This is identical to Game \(G_{2}\) with adversary restricted to testing a session without an honest contributive partner in the third stage.
$$\begin{aligned} \textsf {Adv} _{\texttt {TLS1.3} \text { -}\texttt {PSK} \text { -}\texttt {(EC)DHE} \text { -}\texttt {0RTT} ,\mathcal {A}}^{G_{2},\text { test w/o partner}} = \textsf {Adv} _{\texttt {TLS1.3} \text { -}\texttt {PSK} \text { -}\texttt {(EC)DHE} \text { -}\texttt {0RTT} ,\mathcal {A}}^{G_{A.0}}. \end{aligned}$$
Game A.1. In this game, the challenger guesses the pre-shared secret \(\mathrm {PSK}\) used in the tested session, and aborts the game if that guess was incorrect. This reduces \(\mathcal {A}\)’s advantage by a factor of at most \(1/n_{p}\) (for \(n_{p}\) the maximum number of pre-shared secrets), thus:
$$\begin{aligned} \textsf {Adv} _{\texttt {TLS1.3} \text { -}\texttt {PSK} \text { -}\texttt {(EC)DHE} \text { -}\texttt {0RTT} ,\mathcal {A}}^{G_{A.0}} \le n_{p}\cdot \textsf {Adv} _{\texttt {TLS1.3} \text { -}\texttt {PSK} \text { -}\texttt {(EC)DHE} \text { -}\texttt {0RTT} ,\mathcal {A}}^{G_{A.1}}. \end{aligned}$$
Game A.2. In this game, the challenger aborts immediately if the initiator (resp. responder) session with label \(\textsf {label} \) accepts in the fifth (resp. eighth) stage without an honest contributive partner in stage 3. Let \(\textsf {abort} ^{G_{A.2}, \mathcal {A}}_{acc}\) denote the event this occurs in \(G_{A.2}\). Thus:
$$\begin{aligned} \Big |\textsf {Adv} _{\texttt {TLS1.3} \text { -}\texttt {PSK} \text { -}\texttt {(EC)DHE} \text { -}\texttt {0RTT} ,\mathcal {A}}^{G_{A.1}} - \textsf {Adv} _{\texttt {TLS1.3} \text { -}\texttt {PSK} \text { -}\texttt {(EC)DHE} \text { -}\texttt {0RTT} ,\mathcal {A}}^{G_{A.2}}\Big | \le \Pr [\textsf {abort} ^{G_{A.2}, \mathcal {A}}_{acc}] \end{aligned}$$
Note that Case A restricts \(\mathcal {A}\) to issuing a \(\textsf {Test} \) query to a session without an honest contributive partner in stage 3. Because of the authentication type of \(\texttt {TLS1.3} \text {-}\texttt {PSK} \text {-}\texttt {(EC)DHE} \text {-}\texttt {0RTT} \), this \(\textsf {Test} \) query can only be issued to the initiator (resp. responder) session after it reaches stage 5 (resp. 8). Since \(G_{A.2}\) is aborted when the session reaches those stages, a successful adversary cannot issue such a query, and thus:
$$\begin{aligned} \textsf {Adv} _{\texttt {TLS1.3} \text { -}\texttt {PSK} \text { -}\texttt {(EC)DHE} \text { -}\texttt {0RTT} ,\mathcal {A}}^{G_{A.2}} = 0. \end{aligned}$$
We now turn to bounding the probability that \(\textsf {abort} ^{G_{A.2}, \mathcal {A}}_{acc}\) occurs.
Game A.3. In this game, the challenger guesses a session (from at most \(n_{s}\) sessions in the game) and aborts if the guessed session is not the first initiator (resp. responder) session which accepts in the fifth (resp. eighth) stage without an honest contributive partner in stage 3. If the challenger guesses correctly (which happens with probability at least \(1/n_{s}\)), then this game aborts at exactly the same time as the previous game, and thus:
$$\begin{aligned} \Pr [\textsf {abort} ^{G_{A.2}, \mathcal {A}}_{acc}] \le n_{s}\cdot \Pr [\textsf {abort} ^{G_{A.3}, \mathcal {A}}_{acc}]. \end{aligned}$$
We restrict \(\mathcal {A}\) from making a \(\textsf {Corrupt} (U,V,k)\) query such that \(\textsf {label} .\textsf {id} = U\), \(\textsf {label} .\textsf {pid} = V\), \(\textsf {label} .\textsf {pssid} = k\), and show that this does not impact \(\mathcal {A}\)’s advantage in winning this case. By the definition of the case, there does not exist a session \(\textsf {label} '\) such that \(\textsf {label} '.\textsf {cid} _{3} = \textsf {label} .\textsf {cid} _{3}\) where \(\mathcal {A}\)’s \(\textsf {Test} \) query is issued to \(\textsf {label} \). Since PSK-(EC)DHE mode is unilaterally authenticated in stage 5 and mutually authenticated in stage 8, if the adversary issues a \(\textsf {Corrupt} (U,V,k)\) query before the tested session \(\textsf {label} \) (without an honest contributive partner in stage 3) reaches accept in its partner’s authenticating stage, when \(\mathcal {A}\) issues a \(\textsf {Test} (\textsf {label} ,i)\) query (where \(i \in \{1,\ldots ,8\}\)) the lost flag is set and \(\mathcal {A}\) will lose the game. By the previous games, we abort when the initiator session \(\textsf {label} \) (resp. responder session) reaches stage 5 (resp. stage 8) without an honest contributive partner, and thus \(\mathcal {A}\) will never issue a \(\textsf {Corrupt} (U,V,k)\) query. In the following games, this will allow us to replace the pre-shared secret \(\textsf {pss} \) in the tested session (and all sessions with the same \(\textsf {pss} \) value) without being inconsistent or detectable with regard to the \(\textsf {Corrupt} \) query. In what follows, let \(\textsf {pss} _{U,V,k}\) be the guessed pre-shared secret.
Game A.4. In this game, we replace the outputs of the pseudorandom function \(\textsf {HKDF} .\textsf {Extract} \) in all evaluations using the tested session’s guessed pre-shared secret \(\textsf {pss} _{U,V,k}\) as a key by random values. This affects the derivation of the early secret \(\mathrm {ES}\) in any session using the same shared \(\mathrm {PSK}\). We replace the derivation of \(\mathrm {ES}\) in such sessions with a random value \(\widetilde{\mathrm {ES}}\). We can bound the difference this step introduces in the advantage of \(\mathcal {A}\) by the (dual) security of the pseudorandom function \(\textsf {HKDF} .\textsf {Extract} \). Note that any successful adversary cannot issue a \(\textsf {Corrupt} \) query to reveal \(\textsf {pss} _{U,V,k}\) used in the tested session, and thus the pre-shared secret is an unknown and uniformly random value, and the simulation is sound. Thus:
$$\begin{aligned} \Pr [\textsf {abort} ^{G_{A.3}, \mathcal {A}}_{acc}] \le \Pr [\textsf {abort} ^{G_{A.4}, \mathcal {A}}_{acc}] + \textsf {Adv} _{\textsf {HKDF} .\textsf {Extract} ,\mathcal {B}_{2}}^{\textsf {dual} \text { -}\textsf {PRF} \text { -}\textsf {sec} }. \end{aligned}$$
Game A.5. In this game, we replace the pseudorandom function \(\textsf {HKDF} .\textsf {Expand} \) in all evaluations using the value \(\widetilde{\mathrm {ES}}\) replaced in \(G_{A.4}\). This affects the derivation of the derived early secret \(\mathrm {dES}\), the binder key \(\mathrm {BK}\), the early traffic secret \(\mathrm {ETS}\), and the early exporter master secret \(\mathrm {EEMS}\) in any session using the same early secret value \(\widetilde{\mathrm {ES}}\) due to the stage being replayable. We replace the derivation of \(\mathrm {dES}\), \(\mathrm {BK}\), \(\mathrm {ETS}\) and \(\mathrm {EEMS}\) in such sessions with random values \(\widetilde{\mathrm {dES}}\), \(\widetilde{\mathrm {BK}}\), \(\widetilde{\mathrm {ETS}}\), \(\widetilde{\mathrm {EEMS}}\). We can bound the difference that this step introduces in the advantage of \(\mathcal {A}\) by the security of the pseudorandom function \(\textsf {HKDF} .\textsf {Expand} \). Note that by Game \(G_{A.4}\), \(\widetilde{\mathrm {ES}}\) is an unknown and uniformly random value, and this replacement is sound. Thus:
$$\begin{aligned} \Pr [\textsf {abort} ^{G_{A.4}, \mathcal {A}}_{acc}] \le \Pr [\textsf {abort} ^{G_{A.5}, \mathcal {A}}_{acc}] + \textsf {Adv} _{\textsf {HKDF} .\textsf {Expand} ,\mathcal {B}_{3}}^{\textsf {PRF} \text { -}\textsf {sec} }. \end{aligned}$$
Game A.6. In this game, we replace the pseudorandom function \(\textsf {HKDF} .\textsf {Extract} \) in all evaluations using the value \(\widetilde{\mathrm {dES}}\) replaced in \(G_{A.5}\). This affects the derivation of the handshake secret \(\mathrm {HS}\) in any session using the same derived early secret value \(\widetilde{\mathrm {dES}}\), due to the stage being replayable. We replace the derivation of \(\mathrm {HS}\) in such sessions with a random value \(\widetilde{\mathrm {HS}}\). We can bound the difference that this step introduces in the advantage of \(\mathcal {A}\) by the security of the pseudorandom function \(\textsf {HKDF} .\textsf {Extract} \). Note that by the previous game, \(\widetilde{\mathrm {dES}}\) is a uniformly random value, and the simulation is sound. Thus:
$$\begin{aligned} \Pr [\textsf {abort} ^{G_{A.5}, \mathcal {A}}_{acc}] \le \Pr [\textsf {abort} ^{G_{A.6}, \mathcal {A}}_{acc}] + \textsf {Adv} _{\textsf {HKDF} .\textsf {Extract} ,\mathcal {B}_{4}}^{\textsf {PRF} \text { -}\textsf {sec} }. \end{aligned}$$
Game A.7. In this game, we replace the pseudorandom function \(\textsf {HKDF} .\textsf {Expand} \) in all evaluations using the value \(\widetilde{\mathrm {HS}}\) replaced in \(G_{A.6}\). This affects the derivation of the client handshake traffic secret \(\mathrm {CHTS}\), the server handshake traffic secret \(\mathrm {SHTS}\) in the target session and its matching partner, and the derived handshake secret \(\mathrm {dHS}\) in all sessions using the same handshake secret \(\widetilde{\mathrm {HS}}\). Note that for \(\mathrm {CHTS}\) and \(\mathrm {SHTS}\), these values are distinct from any other session using the same handshake secret value \(\widetilde{\mathrm {HS}}\), as the evaluation also takes as input the hash value \(H_{2} = \textsf {H} (\texttt {CH} \Vert \texttt {SH} )\) (where \(\texttt {CH} \) and \(\texttt {SH} \) contain the client and server random values \(r_{c}\), \(r_{s}\) respectively) and by Game \(G_{2}\) we exclude hash collisions. We replace the derivation of \(\mathrm {CHTS}\), \(\mathrm {SHTS}\) and \(\mathrm {dHS}\) in such sessions with random values \(\widetilde{\mathrm {CHTS}}\), \(\widetilde{\mathrm {SHTS}}\), \(\widetilde{\mathrm {dHS}}\). To ensure consistency, we replace derivations of \(\mathrm {dHS}\) with the replaced \(\widetilde{\mathrm {dHS}}\) sampled by the first session to evaluate \(\textsf {HKDF} .\textsf {Expand} \) using \(\widetilde{\mathrm {HS}}\). We can bound the difference that this step introduces in the advantage of \(\mathcal {A}\) by the security of the pseudorandom function \(\textsf {HKDF} .\textsf {Expand} \). Note that by the previous game, \(\widetilde{\mathrm {HS}}\) is a uniformly random value, and the replacement is sound. Thus:
$$\begin{aligned} \Pr [\textsf {abort} ^{G_{A.6}, \mathcal {A}}_{acc}] \le \Pr [\textsf {abort} ^{G_{A.7}, \mathcal {A}}_{acc}] + \textsf {Adv} _{\textsf {HKDF} .\textsf {Expand} ,\mathcal {B}_{5}}^{\textsf {PRF} \text { -}\textsf {sec} }. \end{aligned}$$
Game A.8. In this game, we replace the pseudorandom function \(\textsf {HKDF} .\textsf {Expand} \) in all evaluations using the client handshake traffic secret \(\widetilde{\mathrm {CHTS}}\) replaced in \(G_{A.7}\). This affects the derivation of the client handshake traffic key \(\mathrm {tk}_{\text {chs}}\), and the client finished key \(\mathrm {fk}_{C}\) in the target session. We replace the derivation of \(\mathrm {tk}_{\text {chs}}\) and \(\mathrm {fk}_{C}\) with random values \(\widetilde{\mathrm {tk}_{\text {chs}}} \in \{0,1\}^{L}\), \(\widetilde{\mathrm {fk}_{C}}\), where L indicates the sum of key length and iv length for the negotiated AEAD scheme. We can bound the difference that this step introduces in the advantage of \(\mathcal {A}\) by the security of the pseudorandom function \(\textsf {HKDF} .\textsf {Expand} \). Note that by the previous game \(\widetilde{\mathrm {CHTS}}\) is a uniformly random value, and these replacements are sound. Thus:
$$\begin{aligned} \Pr [\textsf {abort} ^{G_{A.7}, \mathcal {A}}_{acc}] \le \Pr [\textsf {abort} ^{G_{A.8}, \mathcal {A}}_{acc}] + \textsf {Adv} _{\textsf {HKDF} .\textsf {Expand} ,\mathcal {B}_{6}}^{\textsf {PRF} \text { -}\textsf {sec} }. \end{aligned}$$
Game A.9. In this game, we show how any adversary that manages to trigger \(\textsf {abort} ^{G_{A.9}, \mathcal {A}}_{acc}\) (where the tested session has a responder role) can be used to build an adversary \(\mathcal {B}_{7}\) that breaks the existential unforgeability of the \(\textsf {HMAC} \) scheme. We let \(\mathcal {B}_{7}\) simulate \(G_{A.8}\) for \(\mathcal {A}\) as specified, but when the guessed session requires a MAC computation using \(\widetilde{\mathrm {fk}_{C}}\), \(\mathcal {B}_{7}\) instead invokes a MAC oracle to generate that value. Since \(\widetilde{\mathrm {fk}_{C}}\) is a uniformly random and independent value, this simulation is sound. When \(\mathcal {A}\) triggers \(\textsf {abort} ^{G_{A.9}, \mathcal {A}}_{acc}\) (for responder test sessions), the accepting session must have received a \(\texttt {ClientFinished} \) message that is a valid MAC tag over the hash value \(H_{4}=\textsf {H} (\texttt {CH} \Vert \ldots \Vert \texttt {SF} )\). Since all other sessions hold different session identifiers (as there exists no honest contributive partner in the third stage of the accepting session), no honest party will have requested a MAC tag over that session hash. In addition, by Game \(G_{2}\) there exist no hash collisions, so the MAC input is distinct to all other MAC inputs for any honest party. Thus, this message was never queried to the MAC oracle and is a forgery. This allows us to bound the probability of \(\mathcal {A}\) triggering \(\textsf {abort} ^{G_{A.9}, \mathcal {A}}_{acc}\) due to a stage-8 accepting responder session without a stage-3 contributive partner by:
$$\begin{aligned} \Pr [\textsf {abort} ^{G_{A.8}, \mathcal {A}}_{acc}] \le \Pr [\textsf {abort} ^{G_{A.9}, \mathcal {A}}_{acc}] + \textsf {Adv} _{\textsf {HMAC} ,\mathcal {B}_{7}}^{{\textsf {EUF} \text {-}\textsf {CMA} }} \end{aligned}$$
Note that for the rest of this case, we bound the probability of an adversary triggering \(\textsf {abort} ^{G_{A.9}, \mathcal {A}}_{acc}\) when the tested session has an initiator role.
Game A.10. In this game, we replace the pseudorandom function \(\textsf {HKDF} .\textsf {Expand} \) in all evaluations using the server handshake traffic secret \(\widetilde{\mathrm {SHTS}}\) replaced in \(G_{A.9}\). This affects the derivation of the server handshake traffic key \(\mathrm {tk}_{\text {shs}}\), and the server finished key \(\mathrm {fk}_{S}\) in the target session. We replace the derivation of \(\mathrm {tk}_{\text {shs}}\) and \(\mathrm {fk}_{S}\) with random values \(\widetilde{\mathrm {tk}_{\text {shs}}}\), \(\widetilde{\mathrm {fk}_{S}}\). We can bound the difference that this step introduces in the advantage of \(\mathcal {A}\) by the security of the pseudorandom function \(\textsf {HKDF} .\textsf {Expand} \). Note that by a previous game \(\widetilde{\mathrm {SHTS}}\) is a uniformly random value, and these replacements are sound. Thus:
$$\begin{aligned} \Pr [\textsf {abort} ^{G_{A.9}, \mathcal {A}}_{acc}] \le \Pr [\textsf {abort} ^{G_{A.10}, \mathcal {A}}_{acc}] + \textsf {Adv} _{\textsf {HKDF} .\textsf {Expand} ,\mathcal {B}_{8}}^{\textsf {PRF} \text { -}\textsf {sec} }. \end{aligned}$$
Game A.11. In this game, we show how any adversary that manages to trigger \(\textsf {abort} ^{G_{A.11}, \mathcal {A}}_{acc}\) (where the test session is an initiator session) can be used to build an adversary \(\mathcal {B}_{9}\) that breaks the existential unforgeability of the \(\textsf {HMAC} \) scheme. We let \(\mathcal {B}_{9}\) simulate \(G_{A.10}\) for \(\mathcal {A}\) as specified, but when the guessed session or its partner session requires a MAC computation using \(\widetilde{\mathrm {fk}_{S}}\), \(\mathcal {B}_{9}\) instead invokes a MAC oracle to generate that value. Since \(\widetilde{\mathrm {fk}_{S}}\) is a uniformly random and independent value, this simulation is sound. When \(\mathcal {A}\) triggers \(\textsf {abort} ^{G_{A.11}, \mathcal {A}}_{acc}\) (for initiator test sessions), the accepting session must have received a \(\texttt {ServerFinished} \) message that is a valid MAC tag over the hash value \(H_{7}=\textsf {H} (\texttt {CH} \Vert \ldots \Vert \texttt {SPSK} )\). Since all other sessions hold different session identifiers (as there exists no honest contributive partner in the third stage of the accepting session), no honest party will have requested a MAC tag over that session hash. In addition, by Game \(G_{2}\) there exist no hash collisions, so the MAC input is distinct from all other MAC inputs for any honest party. Thus, this message was never queried to the MAC oracle and is a forgery. This allows us to bound the probability of \(\mathcal {A}\) triggering \(\textsf {abort} ^{G_{A.11}, \mathcal {A}}_{acc}\) due to a stage-5 accepting initiator session without a stage-3 contributive partner by:
$$\begin{aligned} \Pr [\textsf {abort} ^{G_{A.11}, \mathcal {A}}_{acc}] \le \textsf {Adv} _{\textsf {HMAC} ,\mathcal {B}_{9}}^{\textsf {EUF} \text { -}\textsf {CMA} } \end{aligned}$$
Combining the individual bounds above yields the security statement for this case:
$$\begin{aligned}&\textsf {Adv} _{\texttt {TLS1.3} \text { -}\texttt {PSK} \text { -}\texttt {(EC)DHE} \text { -}\texttt {0RTT} ,\mathcal {A}}^{G_{2},\text { test w/o partner}}\\&\quad \le n_{p}n_{s}\left( \begin{array}{l} \textsf {Adv} _{\textsf {HKDF} .\textsf {Extract} ,\mathcal {B}_{2}}^{\textsf {dual} \text { -}\textsf {PRF} \text { -}\textsf {sec} } + \textsf {Adv} _{\textsf {HKDF} .\textsf {Expand} ,\mathcal {B}_{3}}^{\textsf {PRF} \text { -}\textsf {sec} } + \textsf {Adv} _{\textsf {HKDF} .\textsf {Extract} ,\mathcal {B}_{4}}^{\textsf {PRF} \text { -}\textsf {sec} } \\ +\, \textsf {Adv} _{\textsf {HKDF} .\textsf {Expand} ,\mathcal {B}_{5}}^{\textsf {PRF} \text { -}\textsf {sec} } + \textsf {Adv} _{\textsf {HKDF} .\textsf {Expand} ,\mathcal {B}_{6}}^{\textsf {PRF} \text { -}\textsf {sec} } + \textsf {Adv} _{\textsf {HMAC} ,\mathcal {B}_{7}}^{\textsf {EUF} \text { -}\textsf {CMA} } \\ +\, \textsf {Adv} _{\textsf {HKDF} .\textsf {Expand} ,\mathcal {B}_{8}}^{\textsf {PRF} \text { -}\textsf {sec} } + \textsf {Adv} _{\textsf {HMAC} ,\mathcal {B}_{9}}^{\textsf {EUF} \text { -}\textsf {CMA} } \end{array} \right) \end{aligned}$$
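The game hops A.4 to A.11 follow the TLS 1.3 key schedule one derivation at a time, and Match property 5 above relies on the binder being an HMAC chain from the PSK. As an added illustration (not code from the paper), the following Python implements that schedule for the PSK-(EC)DHE handshake per RFC 8446 with SHA-256 and reports which secrets two sessions share when they agree on PSK, DHE, or the Hello messages. All inputs are constructed test values; the paper's single L-bit traffic key tk is modelled as the RFC's separately expanded key and iv concatenated.

```python
"""TLS 1.3 PSK-(EC)DHE key schedule (RFC 8446 Section 7.1) with SHA-256.

Added example, not code from the paper. All inputs below (PSK, DHE secret,
Hello messages) are constructed test values, not real handshake data.
"""
import hashlib
import hmac

HASH = hashlib.sha256
HASH_LEN = HASH().digest_size  # 32 bytes for SHA-256


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """HKDF.Extract(salt, IKM) = HMAC-Hash(salt, IKM); an empty salt means 0^HashLen."""
    return hmac.new(salt or bytes(HASH_LEN), ikm, HASH).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """HKDF.Expand(PRK, info, L) from RFC 5869: T(i) = HMAC(PRK, T(i-1) || info || i)."""
    out, block = b"", b""
    for counter in range(1, -(-length // HASH_LEN) + 1):  # ceil(L / HashLen) blocks
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        out += block
    return out[:length]


def expand_label(secret: bytes, label: str, context: bytes, length: int) -> bytes:
    """HKDF-Expand-Label: info is the serialised HkdfLabel struct of RFC 8446."""
    full_label = b"tls13 " + label.encode("ascii")
    hkdf_label = (length.to_bytes(2, "big")
                  + bytes([len(full_label)]) + full_label
                  + bytes([len(context)]) + context)
    return hkdf_expand(secret, hkdf_label, length)


def derive_secret(secret: bytes, label: str, transcript: bytes) -> bytes:
    """Derive-Secret(Secret, Label, Messages): the transcript hash is the Expand context."""
    return expand_label(secret, label, HASH(transcript).digest(), HASH_LEN)


def key_schedule(psk: bytes, dhe: bytes, ch: bytes, sh: bytes,
                 key_len: int = 16, iv_len: int = 12) -> dict:
    """Derive the secrets named in the proof, in the order the game hops replace them."""
    ks = {}
    ks["ES"] = hkdf_extract(b"", psk)                       # Game A.4: Extract keyed by PSK
    ks["BK"] = derive_secret(ks["ES"], "res binder", b"")   # Game A.5: Expand under ES
    ks["ETS"] = derive_secret(ks["ES"], "c e traffic", ch)
    ks["EEMS"] = derive_secret(ks["ES"], "e exp master", ch)
    ks["dES"] = derive_secret(ks["ES"], "derived", b"")
    ks["HS"] = hkdf_extract(ks["dES"], dhe)                 # Game A.6: DHE = g^xy enters here
    ks["CHTS"] = derive_secret(ks["HS"], "c hs traffic", ch + sh)  # Game A.7: H_2 = H(CH||SH)
    ks["SHTS"] = derive_secret(ks["HS"], "s hs traffic", ch + sh)
    ks["dHS"] = derive_secret(ks["HS"], "derived", b"")
    for side, hts in (("chs", "CHTS"), ("shs", "SHTS")):    # Games A.8 / A.10
        # The paper models tk as one value of L = key_len + iv_len bits;
        # RFC 8446 expands key and iv separately, concatenated here.
        ks["tk_" + side] = (expand_label(ks[hts], "key", b"", key_len)
                            + expand_label(ks[hts], "iv", b"", iv_len))
    ks["fk_C"] = expand_label(ks["CHTS"], "finished", b"", HASH_LEN)
    ks["fk_S"] = expand_label(ks["SHTS"], "finished", b"", HASH_LEN)
    return ks


def finished_mac(fk: bytes, transcript: bytes) -> bytes:
    """Finished.verify_data = HMAC(fk, H(transcript)); the forgery target in Games A.9/A.11."""
    return hmac.new(fk, HASH(transcript).digest(), HASH).digest()


def verify_finished(fk: bytes, transcript: bytes, tag: bytes) -> bool:
    """Constant-time check of a received Finished tag against the local transcript."""
    return hmac.compare_digest(finished_mac(fk, transcript), tag)


def psk_binder(psk: bytes, truncated_ch: bytes) -> bytes:
    """PSK binder (Match property 5): HMAC under a key expanded from BK over the truncated CH."""
    bk = derive_secret(hkdf_extract(b"", psk), "res binder", b"")
    return finished_mac(expand_label(bk, "finished", b"", HASH_LEN), truncated_ch)


def shared_values(a: dict, b: dict) -> set:
    """Names of schedule values that two sessions derive identically."""
    return {name for name in a if a[name] == b[name]}


# Constructed inputs for a stand-alone run.
PSK = HASH(b"constructed test PSK").digest()
DHE = HASH(b"constructed test DHE secret g^xy").digest()
CH1 = b"ClientHello{r_c=01, pskid, g^x} (constructed)"
CH2 = b"ClientHello{r_c=02, pskid, g^x} (constructed)"
SH1 = b"ServerHello{r_s=01, g^y} (constructed)"
SH2 = b"ServerHello{r_s=02, g^y} (constructed)"

if __name__ == "__main__":
    fresh = key_schedule(PSK, DHE, CH1, SH1)
    replayed = key_schedule(PSK, DHE, CH1, SH2)  # same CH delivered to a second server session
    print("shared after a replayed ClientHello:", sorted(shared_values(fresh, replayed)))
```

A replayed ClientHello reproduces ES, BK, ETS, EEMS and dES across sessions (the replayable stages 1 and 2), while CHTS and SHTS differ as soon as the ServerHello nonce differs, which is exactly why Game A.7 can treat them as session-specific.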
Case B. NFS Test with Partner
We now turn to the case where the tested session has an honest contributive partner in the third stage, and \(\mathcal {A}\) issues a \(\textsf {Test} (\textsf {label} ,i)\) query such that \(i \in \{1,2\}\).
Game B.0. This is identical to Game \(G_{2}\) with the adversary testing a session with an honest contributive partner in the third stage.
$$\begin{aligned} \textsf {Adv} _{\texttt {TLS1.3} \text { -}\texttt {PSK} \text { -}\texttt {(EC)DHE} \text { -}\texttt {0RTT} ,\mathcal {A}}^{G_{2},\text { NFS test w/ partner}} = \textsf {Adv} _{\texttt {TLS1.3} \text { -}\texttt {PSK} \text { -}\texttt {(EC)DHE} \text { -}\texttt {0RTT} ,\mathcal {A}}^{G_{B.0}}. \end{aligned}$$
Game B.1. In this game, we guess the pre-shared secret \(\mathrm {PSK}\) used in the tested session and abort on a wrong guess. This reduces \(\mathcal {A}\)’s advantage by a factor of at most \(1/n_{p}\), thus:
$$\begin{aligned} \textsf {Adv} _{\texttt {TLS1.3} \text { -}\texttt {PSK} \text { -}\texttt {(EC)DHE} \text { -}\texttt {0RTT} ,\mathcal {A}}^{G_{B.0}} \le n_{p}\cdot \textsf {Adv} _{\texttt {TLS1.3} \text { -}\texttt {PSK} \text { -}\texttt {(EC)DHE} \text { -}\texttt {0RTT} ,\mathcal {A}}^{G_{B.1}}. \end{aligned}$$
Game B.2. In this game, we let the challenger guess a session (from at most \(n_{s}\) in the game) and abort if the session guessed is not the honest contributive partner in stage 3 of the tested session. This reduces \(\mathcal {A}\)’s advantage by a factor of at most \(1/n_{s}\), and thus:
$$\begin{aligned} \textsf {Adv} _{\texttt {TLS1.3} \text { -}\texttt {PSK} \text { -}\texttt {(EC)DHE} \text { -}\texttt {0RTT} ,\mathcal {A}}^{G_{B.1}} \le n_{s}\cdot \textsf {Adv} _{\texttt {TLS1.3} \text { -}\texttt {PSK} \text { -}\texttt {(EC)DHE} \text { -}\texttt {0RTT} ,\mathcal {A}}^{G_{B.2}}. \end{aligned}$$
Game B.3. In this game, we replace the outputs of the pseudorandom function \(\textsf {HKDF} .\textsf {Extract} \) in all evaluations using the tested session’s guessed pre-shared secret \(\textsf {pss} _{U,V,k}\) as a key by random values. This affects the derivation of the early secret \(\mathrm {ES}\) in any session using the same shared \(\mathrm {PSK}\). We replace the derivation of \(\mathrm {ES}\) in such sessions with a uniformly random value \(\widetilde{\mathrm {ES}}\). We can bound the difference this step introduces in the advantage of \(\mathcal {A}\) by the security of the pseudorandom function \(\textsf {HKDF} .\textsf {Extract} \). Note that a successful adversary cannot issue a \(\textsf {Corrupt} \) query to reveal the \(\textsf {pss} _{U,V,k}\) used in the tested session: by the definition of this case, \(\mathcal {A}\) issues a query \(\textsf {Test} (\textsf {label} , i)\) with \(i \in \{1,2\}\), so issuing \(\textsf {Corrupt} (U,V,k)\) would set the lost flag. The pre-shared secret is therefore an unknown and uniformly random value, and the simulation is sound. Thus:
$$\begin{aligned} \textsf {Adv} _{\texttt {TLS1.3} \text { -}\texttt {PSK} \text { -}\texttt {(EC)DHE} \text { -}\texttt {0RTT} ,\mathcal {A}}^{G_{B.2}}\le & {} \textsf {Adv} _{\texttt {TLS1.3} \text { -}\texttt {PSK} \text { -}\texttt {(EC)DHE} \text { -}\texttt {0RTT} ,\mathcal {A}}^{G_{B.3}}\\&+ \textsf {Adv} _{\textsf {HKDF} .\textsf {Extract} ,\mathcal {B}_{10}}^{\textsf {dual} \text { -}\textsf {PRF} \text { -}\textsf {sec} }. \end{aligned}$$
Game B.4. In this game, we replace the pseudorandom function \(\textsf {HKDF} .\textsf {Expand} \) in all evaluations using the value \(\widetilde{\mathrm {ES}}\) replaced in \(G_{B.3}\). This affects the derivation of the derived early secret \(\mathrm {dES}\), the binder key \(\mathrm {BK}\), the early traffic secret \(\mathrm {ETS}\), and the early exporter master secret \(\mathrm {EEMS}\) in any session using the same early secret value \(\widetilde{\mathrm {ES}}\), since these stages are replayable. We replace the derivation of \(\mathrm {dES}\), \(\mathrm {BK}\), \(\mathrm {ETS}\) and \(\mathrm {EEMS}\) in such sessions with random values \(\widetilde{\mathrm {dES}}\), \(\widetilde{\mathrm {BK}}\), \(\widetilde{\mathrm {ETS}}\), and \(\widetilde{\mathrm {EEMS}}\). We can bound the difference that this step introduces in the advantage of \(\mathcal {A}\) by the security of the pseudorandom function \(\textsf {HKDF} .\textsf {Expand} \). Note that by Game \(G_{B.3}\), \(\widetilde{\mathrm {ES}}\) is an unknown and uniformly random value, so this replacement is sound. Thus:
$$\begin{aligned} \textsf {Adv} _{\texttt {TLS1.3} \text { -}\texttt {PSK} \text { -}\texttt {(EC)DHE} \text { -}\texttt {0RTT} ,\mathcal {A}}^{G_{B.3}}\le & {} \textsf {Adv} _{\texttt {TLS1.3} \text { -}\texttt {PSK} \text { -}\texttt {(EC)DHE} \text { -}\texttt {0RTT} ,\mathcal {A}}^{G_{B.4}}\\&+ \textsf {Adv} _{\textsf {HKDF} .\textsf {Expand} ,\mathcal {B}_{11}}^{\textsf {PRF} \text { -}\textsf {sec} }. \end{aligned}$$
We note that at this point we have replaced the stage 1 and stage 2 keys (\(\widetilde{\mathrm {ETS}}\) and \(\widetilde{\mathrm {EEMS}}\), respectively). If \(\mathcal {A}\) issues a \(\textsf {Reveal} (\textsf {label} ',i)\) query to a session \(\textsf {label} '\) with \(\textsf {label} .\textsf {sid} _{i} = \textsf {label} '.\textsf {sid} _{i}\), where \(\textsf {label} \) is the tested session, then \(\mathcal {A}\) loses the game. Since these stages are replayable, there may be multiple such sessions with \(\textsf {label} .\textsf {sid} _{i} = \textsf {label} '.\textsf {sid} _{i}\). Since \(\widetilde{\mathrm {ETS}}\) and \(\widetilde{\mathrm {EEMS}}\) are now uniformly random values independent of the protocol execution, we have:
$$\begin{aligned} \textsf {Adv} _{\texttt {TLS1.3} \text {-}\texttt {PSK} \text {-}\texttt {(EC)DHE} \text {-}\texttt {0RTT} ,\mathcal {A}}^{G_{B.4}} = 0. \end{aligned}$$
Combining the individual bounds above yields the security statement for this case:
$$\begin{aligned} \textsf {Adv} _{\texttt {TLS1.3} \text {-}\texttt {PSK} \text {-}\texttt {(EC)DHE} \text {-}\texttt {0RTT} ,\mathcal {A}}^{G_{2},\text {NFS test with partner}} \le n_{s}n_{p}\big ( \textsf {Adv} _{\textsf {HKDF} .\textsf {Extract} ,\mathcal {B}_{10}}^{\textsf {dual} \text { -}\textsf {PRF} \text { -}\textsf {sec} } + \textsf {Adv} _{\textsf {HKDF} .\textsf {Expand} ,\mathcal {B}_{11}}^{\textsf {PRF} \text { -}\textsf {sec} }\big ) \end{aligned}$$
Case C. FS Test with Partner
We now turn to the third case, “FS Test with Partner”, where the tested session has an honest contributive partner in the third stage, and \(\mathcal {A}\) issues a \(\textsf {Test} (\textsf {label} ,i)\) query such that \(i \in \{3,\ldots ,8\}\).
Game C.0. This is identical to Game \(G_{2}\) with the adversary testing a session with an honest contributive partner in the third stage.
$$\begin{aligned} \textsf {Adv} _{\texttt {TLS1.3} \text {-}\texttt {PSK} \text {-}\texttt {(EC)DHE} \text {-}\texttt {0RTT} ,\mathcal {A}}^{G_{2},\text {FS test with partner}} = \textsf {Adv} _{\texttt {TLS1.3} \text {-}\texttt {PSK} \text {-}\texttt {(EC)DHE} \text {-}\texttt {0RTT} ,\mathcal {A}}^{G_{C.0}}. \end{aligned}$$
Game C.1. In this game, we let the challenger guess a session (from at most \(n_{s}\) in the game) and abort if the session guessed is not the honest contributive partner in stage 3 of the tested session. This reduces \(\mathcal {A}\)’s advantage by a factor of at most \(1/n_{s}\) and thus:
$$\begin{aligned} \textsf {Adv} _{\texttt {TLS1.3} \text {-}\texttt {PSK} \text {-}\texttt {(EC)DHE} \text {-}\texttt {0RTT} ,\mathcal {A}}^{G_{C.0}} \le n_{s}\cdot \textsf {Adv} _{\texttt {TLS1.3} \text {-}\texttt {PSK} \text {-}\texttt {(EC)DHE} \text {-}\texttt {0RTT} ,\mathcal {A}}^{G_{C.1}}. \end{aligned}$$
Game C.2. In this game, we replace the handshake secret \(\mathrm {HS}\) derived in the tested session and its contributive partner session with a uniformly random and independent string \(\widetilde{\mathrm {HS}}\). We employ the \(\textsf {dual} \text { -}\textsf {snPRF} \text { -}\textsf {ODH} \) assumption in order to be able to simulate the computation of \(\mathrm {HS}\) in a partnered client session for a modified \(\texttt {ServerKeyShare} \) message. More precisely, we can turn any adversary capable of distinguishing this change into an adversary \(\mathcal {B}_{12}\) against the \(\textsf {dual} \text { -}\textsf {snPRF} \text { -}\textsf {ODH} \) security of the \(\textsf {HKDF} .\textsf {Extract} \) function (taking \(\mathrm {dES}\) as first and \(\mathrm {DHE}\) as second input). For this, \(\mathcal {B}_{12}\) asks for a \(\textsf {PRF} \) challenge on \(\mathrm {dES}\). It uses the obtained Diffie-Hellman shares \(g^x\), \(g^y\) within \(\texttt {ClientKeyShare} \) and \(\texttt {ServerKeyShare} \) of the tested session and its contributive partner session, and the PRF challenge value as \(\mathrm {HS}\) in the tested session. If necessary, \(\mathcal {B}_{12}\) uses its \(\textsf {PRF} \text { -}\textsf {ODH} \) queries to derive \(\mathrm {HS}\) in the partnered session on a differing share \(g^{y'} \ne g^y\). Providing a sound simulation of either \(G_{C.1}\) (if the bit sampled by the \(\textsf {dual} \text { -}\textsf {snPRF} \text { -}\textsf {ODH} \) challenger was 0 and thus \(\widetilde{\mathrm {HS}} = \textsf {PRF} (\mathrm {dES},g^{xy})\)) or \(G_{C.2}\) (if the bit sampled by the \(\textsf {dual} \text { -}\textsf {snPRF} \text { -}\textsf {ODH} \) challenger was 1 and thus \(\widetilde{\mathrm {HS}}\) is a uniformly random string), this bounds the advantage difference of \(\mathcal {A}\) as:
$$\begin{aligned} \textsf {Adv} _{\texttt {TLS1.3} \text {-}\texttt {PSK} \text {-}\texttt {(EC)DHE} \text {-}\texttt {0RTT} ,\mathcal {A}}^{G_{C.1}}\le & {} \textsf {Adv} _{\texttt {TLS1.3} \text {-}\texttt {PSK} \text {-}\texttt {(EC)DHE} \text {-}\texttt {0RTT} ,\mathcal {A}}^{G_{C.2}} \\&+ \textsf {Adv} _{\textsf {HKDF} .\textsf {Extract} ,\mathbb {G},\mathcal {B}_{12}}^{\textsf {dual} \text { -}\textsf {snPRF} \text { -}\textsf {ODH} }. \end{aligned}$$
Game C.3. In this game, we replace the pseudorandom function \(\textsf {HKDF} .\textsf {Expand} \) in all evaluations using the value \(\widetilde{\mathrm {HS}}\) replaced in \(G_{C.2}\). This affects the derivation of the client handshake traffic secret \(\mathrm {CHTS}\) and the server handshake traffic secret \(\mathrm {SHTS}\) in the target session and its matching partner, and the derived handshake secret \(\mathrm {dHS}\) in all sessions using the same handshake secret \(\widetilde{\mathrm {HS}}\). Note that for \(\mathrm {CHTS}\) and \(\mathrm {SHTS}\), these values are distinct from those of any other session using the same handshake secret value \(\widetilde{\mathrm {HS}}\), as the evaluation also takes as input the hash value \(H_{2} = \textsf {H} (\texttt {CH} \Vert \texttt {SH} )\) (where \(\texttt {CH} \) and \(\texttt {SH} \) contain the client and server random values \(r_{c}\) and \(r_{s}\), respectively), and by Game \(G_{2}\) we exclude hash collisions. We replace the derivation of \(\mathrm {CHTS}\), \(\mathrm {SHTS}\) and \(\mathrm {dHS}\) in such sessions with random values \(\widetilde{\mathrm {CHTS}}\), \(\widetilde{\mathrm {SHTS}}\) and \(\widetilde{\mathrm {dHS}}\). To ensure consistency, we replace all derivations of \(\mathrm {dHS}\) with the value \(\widetilde{\mathrm {dHS}}\) sampled by the first session to evaluate \(\textsf {HKDF} .\textsf {Expand} \) using \(\widetilde{\mathrm {HS}}\). We can bound the difference that this step introduces in the advantage of \(\mathcal {A}\) by the security of the pseudorandom function \(\textsf {HKDF} .\textsf {Expand} \). Note that by the previous game, \(\widetilde{\mathrm {HS}}\) is a uniformly random value, so the replacement is sound. Thus:
$$\begin{aligned} \textsf {Adv} _{\texttt {TLS1.3} \text {-}\texttt {PSK} \text {-}\texttt {(EC)DHE} \text {-}\texttt {0RTT} ,\mathcal {A}}^{G_{C.2}}\le & {} \textsf {Adv} _{\texttt {TLS1.3} \text {-}\texttt {PSK} \text {-}\texttt {(EC)DHE} \text {-}\texttt {0RTT} ,\mathcal {A}}^{G_{C.3}} \\&+ \textsf {Adv} _{\textsf {HKDF} .\textsf {Expand} ,\mathcal {B}_{13}}^{\textsf {PRF} \text { -}\textsf {sec} }. \end{aligned}$$
At this point, \(\widetilde{\mathrm {CHTS}}\) and \(\widetilde{\mathrm {SHTS}}\) are independent of any values computed in any session non-partnered (in stage 1 or 2) with the tested session: distinct session identifiers and no hash collisions (as of Game \(G_{2}\)) ensure that the PRF label inputs for deriving \(\widetilde{\mathrm {CHTS}}\) and \(\widetilde{\mathrm {SHTS}}\) are unique.
Game C.4. In this game, we replace the pseudorandom function \(\textsf {HKDF} .\textsf {Expand} \) in all evaluations using the values \(\widetilde{\mathrm {CHTS}}\) and \(\widetilde{\mathrm {SHTS}}\) replaced in \(G_{C.3}\). This affects the derivation of the client handshake traffic key \(\mathrm {tk}_{\text {chs}}\) and the server handshake traffic key \(\mathrm {tk}_{\text {shs}}\) in the target session and its matching partner. In the derivation, we replace \(\mathrm {tk}_{\text {chs}}\) and \(\mathrm {tk}_{\text {shs}}\) with independent uniformly random values of length \(L\), where \(L\) is the sum of the key length and the IV length of the negotiated AEAD scheme. We can bound the difference that this step introduces in the advantage of \(\mathcal {A}\) by the security of two evaluations of the pseudorandom function \(\textsf {HKDF} .\textsf {Expand} \). Note that by the previous game, \(\widetilde{\mathrm {CHTS}}\) and \(\widetilde{\mathrm {SHTS}}\) are uniformly random values, so these replacements are sound. Thus:
$$\begin{aligned} \textsf {Adv} _{\texttt {TLS1.3} \text {-}\texttt {PSK} \text {-}\texttt {(EC)DHE} \text {-}\texttt {0RTT} ,\mathcal {A}}^{G_{C.3}}\le & {} \textsf {Adv} _{\texttt {TLS1.3} \text {-}\texttt {PSK} \text {-}\texttt {(EC)DHE} \text {-}\texttt {0RTT} ,\mathcal {A}}^{G_{C.4}} \\&+ 2 \cdot \textsf {Adv} _{\textsf {HKDF} .\textsf {Expand} ,\mathcal {B}_{14}}^{\textsf {PRF} \text { -}\textsf {sec} }. \end{aligned}$$
Game C.5. In this game, we replace the pseudorandom function \(\textsf {HKDF} .\textsf {Extract} \) in all evaluations using the value \(\widetilde{\mathrm {dHS}}\) replaced in Game \(G_{C.3}\). This affects the derivation of the master secret \(\mathrm {MS}\) in any session using the same derived handshake secret \(\widetilde{\mathrm {dHS}}\). We replace the derivation of \(\mathrm {MS}\) in such sessions with the random value \(\widetilde{\mathrm {MS}}\). We can bound the difference that this step introduces in the advantage of \(\mathcal {A}\) by the security of the pseudorandom function \(\textsf {HKDF} .\textsf {Extract} \). Note that by Game \(G_{C.3}\), \(\widetilde{\mathrm {dHS}}\) is a uniformly random value, so this replacement is sound. Thus:
$$\begin{aligned} \textsf {Adv} _{\texttt {TLS1.3} \text {-}\texttt {PSK} \text {-}\texttt {(EC)DHE} \text {-}\texttt {0RTT} ,\mathcal {A}}^{G_{C.4}}\le & {} \textsf {Adv} _{\texttt {TLS1.3} \text {-}\texttt {PSK} \text {-}\texttt {(EC)DHE} \text {-}\texttt {0RTT} ,\mathcal {A}}^{G_{C.5}} \\&+ \textsf {Adv} _{\textsf {HKDF} .\textsf {Extract} ,\mathcal {B}_{15}}^{\textsf {PRF} \text { -}\textsf {sec} }. \end{aligned}$$
Game C.6. In this game, we replace the pseudorandom function \(\textsf {HKDF} .\textsf {Expand} \) in all evaluations using the value \(\widetilde{\mathrm {MS}}\) replaced in \(G_{C.5}\) in the targeted session and its matching session. This affects the derivation of the client application traffic secret \(\mathrm {CATS}\), the server application traffic secret \(\mathrm {SATS}\), the exporter master secret \(\mathrm {EMS}\), and the resumption master secret \(\mathrm {RMS}\). For \(\mathrm {CATS}\), \(\mathrm {SATS}\) and \(\mathrm {EMS}\), these evaluations are distinct from those of any other session, as the evaluation of \(\textsf {HKDF} .\textsf {Expand} \) also takes as input \(H_{4} = \textsf {H} (\texttt {CH} \Vert \texttt {SH} \Vert \texttt {SF} )\) (where \(\texttt {CH} \) and \(\texttt {SH} \) contain the client and server random values \(r_{c}\) and \(r_{s}\), respectively), and by Game \(G_{2}\) we exclude hash collisions. For \(\mathrm {RMS}\), this evaluation is distinct from that of any other session, as the evaluation of \(\textsf {HKDF} .\textsf {Expand} \) also takes as input \(H_{5} = \textsf {H} (\texttt {CH} \Vert \texttt {SH} \Vert \texttt {SF} \Vert \texttt {CF} )\). We replace the derivation of \(\mathrm {CATS}\), \(\mathrm {SATS}\), \(\mathrm {EMS}\), and \(\mathrm {RMS}\) with random values \(\widetilde{\mathrm {CATS}}\), \(\widetilde{\mathrm {SATS}}\), \(\widetilde{\mathrm {EMS}}\), and \(\widetilde{\mathrm {RMS}}\). We can bound the difference that this step introduces in the advantage of \(\mathcal {A}\) by the security of the pseudorandom function \(\textsf {HKDF} .\textsf {Expand} \). Note that by the previous game, \(\widetilde{\mathrm {MS}}\) is a uniformly random and independent value, so these replacements are sound. Thus:
$$\begin{aligned} \textsf {Adv} _{\texttt {TLS1.3} \text {-}\texttt {PSK} \text {-}\texttt {(EC)DHE} \text {-}\texttt {0RTT} ,\mathcal {A}}^{G_{C.5}}\le & {} \textsf {Adv} _{\texttt {TLS1.3} \text {-}\texttt {PSK} \text {-}\texttt {(EC)DHE} \text {-}\texttt {0RTT} ,\mathcal {A}}^{G_{C.6}} \\&+ \textsf {Adv} _{\textsf {HKDF} .\textsf {Expand} ,\mathcal {B}_{16}}^{\textsf {PRF} \text { -}\textsf {sec} }. \end{aligned}$$
We note that in this game we have now replaced the keys of all stages (with the restriction that the tested stage is one of stages 3–8) in the tested session with uniformly random values independent of the protocol execution, and thus
$$\begin{aligned} \textsf {Adv} _{\texttt {TLS1.3} \text {-}\texttt {PSK} \text {-}\texttt {(EC)DHE} \text {-}\texttt {0RTT} ,\mathcal {A}}^{G_{C.6}} = 0. \end{aligned}$$
Combining the individual bounds above yields the security statement for this case:
$$\begin{aligned} \textsf {Adv} _{\texttt {TLS1.3} \text {-}\texttt {PSK} \text {-}\texttt {(EC)DHE} \text {-}\texttt {0RTT} ,\mathcal {A}}^{G_{2},\text {FS test with partner}} \le n_{s}\left( \begin{array}{l} \textsf {Adv} _{\textsf {HKDF} .\textsf {Extract} ,\mathbb {G},\mathcal {B}_{12}}^{\textsf {dual} \text { -}\textsf {snPRF} \text { -}\textsf {ODH} } + \textsf {Adv} _{\textsf {HKDF} .\textsf {Expand} ,\mathcal {B}_{13}}^{\textsf {PRF} \text { -}\textsf {sec} } \\ +\, 2 \cdot \textsf {Adv} _{\textsf {HKDF} .\textsf {Expand} ,\mathcal {B}_{14}}^{\textsf {PRF} \text { -}\textsf {sec} } + \textsf {Adv} _{\textsf {HKDF} .\textsf {Extract} ,\mathcal {B}_{15}}^{\textsf {PRF} \text { -}\textsf {sec} } \\ +\, \textsf {Adv} _{\textsf {HKDF} .\textsf {Expand} ,\mathcal {B}_{16}}^{\textsf {PRF} \text { -}\textsf {sec} } \end{array} \right) \end{aligned}$$
\(\square \)
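The key schedule that Games B.3 through C.6 walk through, written out as an added example (this is not code from the paper; it follows the HKDF-Expand-Label and Derive-Secret definitions of RFC 8446 Section 7.1 with SHA-256 and AES-128-GCM, and the PSK, DHE value and transcript messages are constructed sample bytes). The final function makes the forward-secrecy point of Cases B and C concrete: changing only the DHE value leaves the PSK-only stage 1 and 2 secrets unchanged and changes every secret from \(\mathrm {HS}\) onwards.

```python
import hashlib
import hmac

HASH = hashlib.sha256
HLEN = HASH().digest_size
KEY_LEN, IV_LEN = 16, 12  # AES-128-GCM; the proof's L is KEY_LEN + IV_LEN
PSK = bytes(31) + b"\x01"  # constructed sample PSK, not a real one
CH, SH, SF, CF = b"ClientHello", b"ServerHello", b"ServerFinished", b"ClientFinished"  # constructed

def hkdf_extract(salt, ikm):
    """HKDF.Extract (RFC 5869); the proof keys it by salt or by ikm (dual PRF)."""
    return hmac.new(salt, ikm, HASH).digest()

def hkdf_expand(prk, info, length):
    """HKDF.Expand, the PRF whose outputs Games B.4, C.3, C.4 and C.6 replace."""
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        out += block
        counter += 1
    return out[:length]

def expand_label(secret, label, context, length):
    """HKDF-Expand-Label (RFC 8446, 7.1): label and context keep outputs distinct."""
    full = b"tls13 " + label.encode()
    info = length.to_bytes(2, "big") + bytes([len(full)]) + full + bytes([len(context)]) + context
    return hkdf_expand(secret, info, length)

def derive_secret(secret, label, transcript):
    """Derive-Secret: Expand-Label on the transcript hash (H_2, H_4, H_5 in the proof)."""
    return expand_label(secret, label, HASH(transcript).digest(), HLEN)

def key_schedule(psk, dhe, ch, sh, sf, cf):
    """Every secret the proof names, keyed by the paper's symbol, in derivation order."""
    ks = {"ES": hkdf_extract(bytes(HLEN), psk)}                        # Game B.3
    ks["BK"] = derive_secret(ks["ES"], "res binder", b"")              # Game B.4
    ks["ETS"] = derive_secret(ks["ES"], "c e traffic", ch)             # stage 1
    ks["EEMS"] = derive_secret(ks["ES"], "e exp master", ch)           # stage 2
    ks["dES"] = derive_secret(ks["ES"], "derived", b"")
    ks["HS"] = hkdf_extract(ks["dES"], dhe)                            # Game C.2
    ks["CHTS"] = derive_secret(ks["HS"], "c hs traffic", ch + sh)      # Game C.3, H_2
    ks["SHTS"] = derive_secret(ks["HS"], "s hs traffic", ch + sh)
    ks["dHS"] = derive_secret(ks["HS"], "derived", b"")
    for side, hts in (("chs", ks["CHTS"]), ("shs", ks["SHTS"])):      # Game C.4: stages 3, 4
        ks["tk_" + side] = expand_label(hts, "key", b"", KEY_LEN) + expand_label(hts, "iv", b"", IV_LEN)
    ks["MS"] = hkdf_extract(ks["dHS"], bytes(HLEN))                    # Game C.5
    ks["CATS"] = derive_secret(ks["MS"], "c ap traffic", ch + sh + sf)  # Game C.6, H_4
    ks["SATS"] = derive_secret(ks["MS"], "s ap traffic", ch + sh + sf)
    ks["EMS"] = derive_secret(ks["MS"], "exp master", ch + sh + sf)
    ks["RMS"] = derive_secret(ks["MS"], "res master", ch + sh + sf + cf)  # H_5
    return ks

def depends_on_dhe():
    """True for each secret that changes when only the DHE value changes (stages 3-8)."""
    a = key_schedule(PSK, b"\x11" * 32, CH, SH, SF, CF)
    b = key_schedule(PSK, b"\x22" * 32, CH, SH, SF, CF)
    return {name: a[name] != b[name] for name in a}
```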