A Tale of Two Models: Formal Verification of KEMTLS via Tamarin

Abstract

KEMTLS is a proposal for changing the TLS handshake to authenticate the handshake using long-term key encapsulation mechanism keys instead of signatures, motivated by trade-offs in the characteristics of post-quantum algorithms. Prior proofs of security of KEMTLS and its variant KEMTLS-PDK have been hand-written proofs in the reductionist model under computational assumptions. In this paper, we present computer-verified symbolic analyses of KEMTLS and KEMTLS-PDK using two distinct Tamarin models. In the first analysis, we adapt the detailed Tamarin model of TLS 1.3 by Cremers et al. (ACM CCS 2017), which closely follows the wire-format of the protocol specification, to KEMTLS(-PDK). We show that KEMTLS(-PDK) has equivalent security properties to the main handshake of TLS 1.3 proven in this model. We were able to fully automate this Tamarin proof, compared with the previous TLS 1.3 Tamarin model, which required a big manual proving effort; we also uncovered some inconsistencies in the previous model. In the second analysis, we present a novel Tamarin model of KEMTLS(-PDK), which closely follows the multi-stage key exchange security model from prior pen-and-paper proofs of KEMTLS(-PDK). The second approach is further away from the wire-format of the protocol specification but captures more subtleties in security definitions, like deniability and different levels of forward secrecy; it also identifies some flaws in the security claims from the pen-and-paper proofs. Our positive security results increase the confidence in the design of KEMTLS(-PDK). Moreover, viewing these models side-by-side allows us to comment on the trade-off in symbolic analysis between detail in protocol specification and granularity of security properties.

S. Celi—Now works for Brave Software, Inc.

Appendices

A AErrors Identified in the Stated Properties of KEMTLS(-PDK)

Using Model #2, we identified minor mistakes in some of the forward secrecy and authentication properties listed in the original KEMTLS [32] and KEMTLS-PDK [34] papers. See the original papers for the definition of the symbols.

• In KEMTLS-mutual: \(\textsf{auth}^S_3 = 3\) and \(\textsf{auth}^S_4 = 4\) both should have been set to 5; \(\textsf{FS}^S_{3,3} = \textsf{FS}^S_{3,4} = \textsf{FS}^S_{4,4} = {\textsf{wfs2}} \) should all have been \({\textsf{wfs1}} \); and \(\textsf{auth}^S_6=6\) should have been \(\textsf{auth}^S_6=\infty \).

• In KEMTLS-PDK-sauth: \(\textsf{FS}^C_{1,j}\) and \(\textsf{FS}^S_{1,j}\) should have been \({0} \) for all j; \(\textsf{auth}^C_5 = 5\) should have been \(\textsf{auth}^C_5 = \infty \); and \(\textsf{FS}^S_{i,4}\) should have been \({\textsf{wfs1}} \) for \(i=2,3,4\).

• In KEMTLS-PDK-mutual: the message \({\texttt{SKC}}\) should have been included in the \({\texttt{SF}}\) MAC computation and \({\texttt{SF}}\) should have been included in the \({\texttt{CF}}\) MAC computation; \(\textsf{FS}^C_{1,j}\) and \(\textsf{FS}^S_{1,j}\) should have been \({0} \) for all j; \(\textsf{auth}^C_5 = 5\) should have been \(\textsf{auth}^C_5 = \infty \); and \(\textsf{FS}^S_{4,4}={\textsf{wfs1}} \) should have been \({\textsf{wfs2}} \).

The source papers have been updated online [33, 35] with our corrections.

B BPerformance

We ran our two models using tamarin-prover version 1.16.1 on a server that has two 20-core Intel Xeon Gold 6230 CPUs, which after hyperthreading gives us 80 threads; the server has 192 GB of RAM. We note that communication bottlenecks between cores prevent fully utilising all resources.

Model #1 Table 2 shows run-times of the most time-consuming lemmas from Model #1. All four KEMTLS variants were supported simultaneously.

Table 2. Wall-clock run-time (hh:mm:ss) and memory usage of selected lemmas for Model #1

Model #2 Table 3 shows the run-time for the various lemmas, for each KEMTLS variant on its own, and when all four KEMTLS variants are supported simultaneously; Tamarin was restricted to using 16 cores.

Table 3. Wall-clock run-time (hh:mm:ss) of lemmas for Model #2