Cryptographic Parameters in TLS 1.3, QUIC, and Co.: Tighter Security and Robust Handling of Unreliable Networks

Speaker: Felix Günther, ETH Zurich

Date: Thursday, March 18, 2021

Time: 10:00 AM to 11:00 AM (all times are in the Eastern Time Zone)

Public: Yes


Event Type: Seminar

Host: Srini Devadas, CSAIL

Contact: Kyle L Hogan

Internet security protocols like TLS 1.3 or QUIC are composed of two core cryptographic components: First, they establish a shared secret key in a key exchange protocol, then they use a secure channel protocol to protect the actual application data using that secret. When determining what building blocks to use in these components, we rely on cryptographic security reductions to determine secure parameter choices. In this talk I will discuss some challenges in selecting cryptographically sound (i.e., provably secure) parameters for real-world protocols.

In the first part, I will present new, fully-quantitative and concrete bounds that justify the TLS 1.3 key exchange not just in principle, but in practice. By this we mean that, for standardized elliptic curve group sizes, the overall protocol actually achieves the intended security level. Prior work gave bounds that were loose (in the number of users and/or sessions), so loose that they gave no guarantees for practical parameters. Adapting techniques by Cohn-Gordon et al. (Crypto 2019), we give reductions for TLS 1.3 to the strong Diffie–Hellman problem which are tight, and prove that this problem is as hard as solving discrete logarithms in the generic group model. Leveraging our tighter bounds, we meet the protocols' targeted security levels when instantiated with standardized curves and improve over prior bounds by up to over 90 bits of security across a range of real-world parameters.

In the second part, I will discuss how non-reliable transport protocols, such as UDP, affect the cryptographic security of protocols like QUIC or DTLS running on top of them. Those protocols have to carefully catch effects arising naturally in unreliable networks, usually by using a sliding-window technique where ciphertexts can be decrypted correctly as long as they are not misplaced too far. We introduce the notion of robustness for cryptographic channels, generically capturing unreliable network behavior. Our robustness notion is orthogonal to classical integrity and guarantees that adversarial tampering cannot disturb the expected channel behavior. We establish that QUIC and DTLS 1.3 achieve the desired level of robustness. Notably though, their robust behavior translates to a practically relevant security degradation (when compared to, e.g., TLS 1.3). The security bounds we establish have led the responsible IETF working groups to introduce concrete forgery limits for both protocol drafts.

This talk is based on joint work with Hannah Davis (UC San Diego) as well as with Marc Fischlin and Christian Janson (both TU Darmstadt).
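The second part of the abstract describes the sliding-window handling that lets QUIC and DTLS decrypt reordered or lost records, and the forgery limits that the IETF working groups adopted as a result of the bounds. The following is an added illustration of that mechanism; it is not the speaker's code nor an implementation of either protocol. The record layout (8-byte sequence number, payload, HMAC-SHA256 tag standing in for an AEAD tag), the key, the delivery order, the window size of 4 and the forgery limit of 3 are all constructed for the demo; the real per-AEAD integrity limits are the ones fixed in RFC 9001 (QUIC) and RFC 9147 (DTLS 1.3).

```python
import hmac
import hashlib

# Constructed record layout for this illustration (not the QUIC or DTLS wire
# format): 8-byte big-endian sequence number || payload || 32-byte HMAC-SHA256
# tag over (sequence number || payload). The HMAC stands in for the AEAD tag.
SEQ_LEN = 8
TAG_LEN = 32


def _tag(key: bytes, seq: int, payload: bytes) -> bytes:
    return hmac.new(key, seq.to_bytes(SEQ_LEN, "big") + payload, hashlib.sha256).digest()


def seal(key: bytes, seq: int, payload: bytes) -> bytes:
    """Sender side: an authenticated record carrying sequence number seq."""
    return seq.to_bytes(SEQ_LEN, "big") + payload + _tag(key, seq, payload)


class ReplayWindow:
    """Bitmap sliding window over sequence numbers, in the style of RFC 6347.

    A record is fresh if its number is above the highest accepted so far, or
    lies within `size` of it and has not been seen. Older records are rejected
    even if they would authenticate; that bounds the receiver's state.
    """

    def __init__(self, size: int = 64):
        self.size = size
        self.top = -1   # highest sequence number accepted so far
        self.bits = 0   # bit i set iff sequence number (top - i) was accepted

    def is_fresh(self, seq: int) -> bool:
        if seq > self.top:
            return True
        age = self.top - seq
        if age >= self.size:
            return False            # fell out of the window
        return not (self.bits >> age) & 1

    def mark(self, seq: int) -> None:
        """Record seq as accepted; only called after the record authenticated."""
        if seq > self.top:
            shift = seq - self.top
            self.bits = ((self.bits << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
        else:
            self.bits |= 1 << (self.top - seq)


class Receiver:
    """Tolerates reordering and loss, but counts forgeries against a limit.

    `forgery_limit` plays the role of the AEAD integrity limit: once that many
    records fail authentication, the connection is closed.
    """

    def __init__(self, key: bytes, forgery_limit: int, window: int = 64):
        self.key = key
        self.window = ReplayWindow(window)
        self.forgery_limit = forgery_limit
        self.forgeries = 0
        self.closed = False

    def receive(self, record: bytes):
        """Return ("accept", payload), ("drop", reason) or ("close", reason)."""
        if self.closed:
            return ("close", "connection already closed")
        seq = int.from_bytes(record[:SEQ_LEN], "big")
        payload, tag = record[SEQ_LEN:-TAG_LEN], record[-TAG_LEN:]
        # Window check first: cheap, needs no key, and drops replays and
        # stale records before any authentication work is spent on them.
        if not self.window.is_fresh(seq):
            return ("drop", "replay or outside window")
        if not hmac.compare_digest(tag, _tag(self.key, seq, payload)):
            # The window is not advanced on failure, so forgeries cannot push
            # genuine records out of the window; they only consume the budget.
            self.forgeries += 1
            if self.forgeries >= self.forgery_limit:
                self.closed = True
                return ("close", "forgery limit reached")
            return ("drop", "authentication failed")
        self.window.mark(seq)
        return ("accept", payload)


def demo():
    """Constructed delivery: reordering, a replay, a stale record, forgeries."""
    key = b"constructed demo key, not a real secret"
    rx = Receiver(key, forgery_limit=3, window=4)   # tiny values for visibility
    records = [seal(key, n, b"msg%d" % n) for n in range(8)]
    forged = records[6][:-1] + bytes([records[6][-1] ^ 0x01])  # one tag bit flipped
    delivery = [records[0], records[2], records[1], records[5],  # reordered, accepted
                records[2],                                     # replay: dropped
                records[3],                                     # late but inside window
                records[0],                                     # too old: dropped
                forged, forged, forged,                         # third one hits the limit
                records[7]]                                     # nothing accepted after close
    outcomes = [rx.receive(r)[0] for r in delivery]
    return outcomes, rx


if __name__ == "__main__":
    print(demo()[0])
```

Two ordering decisions carry the security point. The window check runs before the tag check, so replays and records that fell behind the window cost no cryptographic work, and the window is advanced only after a record authenticates, so an attacker's forgeries cannot move the window and push legitimate in-flight records out of it. What forgeries can do is consume the integrity budget, which is exactly why the receiver counts them and closes once the limit is reached.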

Felix Günther (Postdoctoral Researcher, ETH Zurich)

Felix Günther is a postdoctoral researcher in the Applied Cryptography Group at ETH Zurich, working with Kenny Paterson, until recently supported by a research fellowship of the German Research Foundation (DFG). Before that, he was a postdoc at UC San Diego working with Mihir Bellare, after obtaining his Ph.D. from TU Darmstadt in 2018. His research interests are in applied cryptography enabling computer security, with a particular focus on provable security. His work aims to narrow the gap between the theoretical understanding and practical security of real-world cryptographic systems. He received national and international awards for his Ph.D. thesis "Modeling Advanced Security Aspects of Key Exchange and Secure Channel Protocols", including the ACM SIGSAC Doctoral Dissertation Award 2019 for Outstanding PhD Theses in Computer and Information Security.

Topic: CSAIL Security Seminar
Time: This is a recurring meeting. Meet anytime.

Join Zoom Meeting

Password: <3security

One tap mobile
+16465588656,,97527284254# US (New York)
+16699006833,,97527284254# US (San Jose)

Meeting ID: 975 2728 4254

US : +1 646 558 8656 or +1 669 900 6833

Research Areas:
Security & Cryptography, Systems & Networking

See other events that are part of the CSAIL Security Seminar Series 2021.

Created by Kyle L Hogan Email at Thursday, February 25, 2021 at 3:20 PM.