Nowadays, a life without communicating over the Internet is unimaginable. This communication reaches from staying in contact with other people using instant messaging services or social media to delicate tasks like transferring money from home using online banking. The Internet itself needs to be considered as an insecure communication channel as potential attackers could read the communication or even make unwanted modifications to it. Presumably, the importance of the Internet would never have been as it is today without the means that enable secure communication. The de-facto standard for secure communication is the Transport Layer Security (TLS) protocol. It enables two parties to communicate securely over an insecure channel, such as the Internet, with the use of cryptography. Since there are so many applications including delicate ones (e.g., online banking) that rely on secure communication over the Internet, a rigorous analysis of a security mechanism as important as TLS is crucial. Modern cryptography makes use of the tools of math to provide rigorous formal treatments of cryptographic constructions referred to as security proofs. It is even common that new constructions nowadays come with such a proof of security. A proof of security does not only provide an excellent assertion of the plausibility of a construction, but also can be used to select parameters, which determine the provided level of security of a cryptographic system, based on a theoretical foundation. Here, we are particularly concerned about the tightness of the security proof. Tight security proofs allow it to deploy cryptographic systems with parameters that are backed up by the security proof without the need to compensate any loss in security induced by the security proof and allow for a deployment that does not need to trade off efficiency against security. In this thesis, we investigate the tight security of the most recent version of the TLS protocol TLS 1.3 (RFC 8446).
The document is publicly available on the WWW