We consider the theoretically sound selection of cryptographic parameters, such as the size of algebraic groups or RSA keys, for TLS 1.3 in practice. While prior works gave security proofs for TLS 1.3, their security loss is quadratic in the total number of sessions across all users, which due to the pervasive use of TLS is huge. Therefore, in order to deploy TLS 1.3 in a theoretically sound way, it would be necessary to compensate this loss with unreasonably large parameters that would be infeasible for practical use at large scale. Hence, while these previous works show that in principle the design of TLS 1.3 is secure in an asymptotic sense, they do not yet provide any useful concrete security guarantees for real-world parameters used in practice. In this work, we provide a new security proof for the cryptographic core of TLS 1.3 in the random oracle model, which reduces the security of TLS 1.3 tightly (that is, with constant security loss) to the (multi-user) security of its building blocks. For some building blocks, such as the symmetric record layer encryption scheme, we can then rely on prior work to establish tight security. For others, such as the RSA-PSS digital signature scheme currently used in TLS 1.3, we obtain at least a linear loss in the number of users, independent of the number of sessions, which is much easier to compensate with reasonable parameters. Our work also shows that by replacing the RSA-PSS scheme with a tightly secure scheme (e.g., in a future TLS version), one can obtain the first fully tightly secure TLS protocol. Our results enable a theoretically sound selection of parameters for TLS 1.3, even in large-scale settings with many users and sessions per user.

我们在实践中考虑了TLS 1.3 的加密参数的理论上合理的选择，例如代数组的大小或 RSA 密钥。虽然先前的工作为 TLS 1.3 提供了安全证明，但由于 TLS 的普遍使用，它们的安全损失在所有用户的会话总数中是二次方的。因此，为了以理论上合理的方式部署 TLS 1.3，有必要用不合理的大参数来补偿这种损失，而这些参数在大规模实际使用中是不可行的。因此，虽然这些先前的工作表明，原则上 TLS 1.3 的设计在渐近意义上是安全的，但它们还没有提供任何有用的具体对实践中使用的真实世界参数的安全保证。在这项工作中，我们提供了TLS 1.3的随机预言模型，从而降低了TLS 1.3的安全加密核心的新安全证明紧密（即具有恒定的安全损失）来的（多用户）安全的建筑模块。对于一些构建块，例如对称记录层加密方案，我们可以依靠先前的工作来建立严格的安全性。对于其他的，例如目前在 TLS 1.3 中使用的 RSA-PSS 数字签名方案，我们至少获得了一个线性用户数量的损失，与会话数量无关，用合理的参数更容易补偿。我们的工作还表明，通过用紧密安全的方案（例如，在未来的 TLS 版本中）替换 RSA-PSS 方案，可以获得第一个完全紧密安全的 TLS 协议。我们的结果为 TLS 1.3 提供了理论上合理的参数选择，即使在具有许多用户和每个用户会话的大规模设置中也是如此。