Proxying Is Enough: Security of Proxying in TLS Oracles and AEAD Context Unforgeability
Abstract
TLS allows a client to securely obtain data from a server, but does not allow the client to offer the data provenance to an external node. TLS oracle protocols are used to solve the problem. Specifically, the verifier node, as an external node, is convinced that the data is indeed coming from a pre-defined TLS server, while remaining unable to access the client’s credentials (e.g., password). Previous TLS oracle protocols such as DECO (CCS 2020) enforced the communication pattern of server-client-verifier and utilized a novel three-party handshake process during TLS to ensure data integrity against potential tempering by the client. However, this approach introduces a significant performance penalty on the client and the verifier. Most recently, some works have proposed to reduce the overhead by putting the verifier (as a proxy) between the server and the client such that the correct TLS transcript is available to the verifier. Nevertheless, these works still rely on heavy two-party secure computations or zero-knowledge proofs. In this work, we push the proxy model to the extreme, where the verifier only needs to forward messages without performing any other heavy computational operations when only the credentials should be protected and the data retrieved from the server could be open to the verifier. Surprisingly, we prove that the thorough proxy model is enough to guarantee security in some common scenarios, allowing a saving of 60–90% in running time under common scenarios.
We first formalize the proxy-based Oracle protocol and functionality that allows the verifier to directly proxy client-server TLS communication, without entering a three-party handshake or interfering with the connection in any way. We then show that for common TLS-based higher-level protocols such as HTTPS, data integrity to the verifier proxy is ensured by the variable padding built into the HTTP protocol semantics. On the other hand, if a TLS-based protocol comes without variable padding, we demonstrate that data integrity cannot be guaranteed. In this context, we then study the case where the TLS response is pre-determined and cannot be tampered with during the connection. We propose the concept of context unforgeability and show that data integrity can also be guaranteed as long as the underlying Authenticated Encryption with Associated Data (AEAD) satisfies context unforgeability. We further show that ChaCha20-Poly1305 satisfies the concept while AES-GCM does not.
Keywords and phrases:
Oracle, TLS, AEAD, Key CommitmentFunding:
Yaobin Shen: Yaobin Shen is supported by the National Key Research and Development Program of China (2024YFB4504800), and the National Natural Science Foundation of China (62402404).Copyright and License:
2012 ACM Subject Classification:
Security and privacy Block and stream ciphers ; Security and privacy Security protocolsAcknowledgements:
We would like to thank Madhavan Malolan and Kirill Kutsenok from the Reclaim Protocol for helpful discussions and suggestions.Funding:
This work is supported partially by the National Science Foundation under grant CNS-1846316 and a gift from Supra Labs.Editors:
Zeta Avarikioti and Nicolas ChristinSeries and Publisher:
Leibniz International Proceedings in Informatics, Schloss Dagstuhl – Leibniz-Zentrum für Informatik
1 Introduction
Transport Layer Security (TLS) [24, 25] has been widely used to establish a secure communication channel between a client and a server, enabling secure data access (we refer to such data as TLS-protected data). However, TLS relies on symmetric encryption and both the client and the server can obtain the key. This enables the client to build a ciphertext for any data and falsely claim that it comes from the server. Thus, TLS does not allow the client to prove the provenance and integrity of the data to third parties, limiting the propagation of data. In particular, many decentralized applications on the blockchain need to access the TLS-protected data as third parties. Due to the TLS limitation, we cannot rely on each client to feed data into the blockchain. Therefore, a type of service called Oracle [5, 7] was proposed to feed TLS-protected data into blockchains while guaranteeing the provenance and integrity of data.
A straightforward way to implement the service is to allow a verifier to act as the client to access data from the server. Unfortunately, this approach compromises the client’s security and privacy, as the verifier needs to obtain the client’s credentials. Therefore, a desirable way is to allow the verifier to participate in the communication between the client and the server to prevent the client from modifying the data, but without obtaining additional private information.
In Figure 1, we give a use case to explain how the oracle works: There is an application on the blockchain that activates a rental contract if “Alice’s credit score exceeds 750”. Alice uses her password to request the credit score from bank A, through a TLS connection. The verifier participates in the TLS communication without learning request and response messages but can check if Alice’s credit score in bank A exceeds 750. If so, the verifier submits the confirmation information to the blockchain, and then the rental contract is activated.
For some applications, only request should be hidden from the verifier, and the response could be open to the verifier. As in the above example, Alice may be willing to open {Res, Username: Alice, Credit: 780} to the verifier; however, she does not want to reveal the password in the request to the verifier, as the verifier can obtain more sensitive information using the password. On the other hand, there are also some applications where protecting the response is also necessary, e.g., the response includes bank statements. An oracle protocol designed for the former scenario can be adapted to the latter by incorporating zero-knowledge proofs, allowing the client to prove that the data in response satisfies a specific predicate without revealing the data to the verifier.
As bringing clients’ private data securely and selectively to blockchains is a problem of immense interest, a few academic [33, 32, 26, 16, 31, 9] and industrial [4, 22] efforts in this direction are already available. Earlier works typically involve modifying the TLS server-side code [26] or utilizing trusted hardware [32]. While the approaches remain an interesting theoretical probability, typical servers are reluctant to use modified TLS, and the usage of trusted hardware introduces additional trusted entities. Hence both approaches see limited use.
(Proxy-but-)2PC-based TLS Oracle.
In a seminal work, Zhang et al. [33] proposed DECO, which overcomes this practicality barrier without making any changes to the TLS server-side code and using any trusted hardware. The core reason why the client in TLS can forge the TLS data is that the symmetric encryption and authentication key generated in the TLS session is shared by the client and the server (please see Section 2 for more details). DECO [33], essentially splits the role of the client in typical TLS into two parties, as shown in Figure 2(a), so that the client cannot learn the entire symmetric encryption and authentication key. In particular, the client and the verifier collaboratively communicate with the server using secure two-party computation (2PC). Moreover, while the client and the verifier collaborate, it is only the client that communicates with the server as in TLS. We call this design as “2PC-based TLS oracle” protocol. Later, the subsequent works [31, 9, 6] also follow the model.
In addition, Zhang et al. [33] also discussed another design framework, where the verifier acts as a proxy to communicate with the sender but the verifier still needs to perform 2PC with the client, as shown in Figure 2(b). We call this design as “proxy-but-2PC based TLS oracle” protocol. Xie et al. [31] proposed a solution in this model that utilizes a garble-then-prove scheme.
We can see that the previous works all rely on heavy 2PC between the client and the verifier. A natural question is “Is there a secure TLS oracle solution that can totally avoid heavy 2PC between the client and the verifier?”
(this work).
Proxy-based TLS Oracle.
To answer this question, in this work, we consider a pure proxy-based TLS oracle as shown in Figure 2(c), where the verifier only needs to forward the messages generated by the client and the server, without additionally introducing any heavy computation, which directly implies better performance. In addition, compared with the (proxy-but-)2PC-based TLS oracles, the proxy-based oracle enables better compatibility across different TLS versions, as the verifier only needs to forward messages. Moreover, the proxy-based oracle not only does not modify server-side code but also achieves client-side non-modification.
Given that AEAD (Authenticated Encryption with Associated Data) is the core building block of TLS, we investigate the security of two AEAD schemes, AES-GCM and ChaCha20-Poly1305, which are overwhelmingly used in TLS 1.2/1.3 with an adoption rate of over 99% [29]. Based on the security of AEAD, we systematically conduct an investigation that outlines the boundary between security and insecurity of the proxy-based TLS oracle protocol. Surprisingly, we find that the proxy-based TLS oracle can be securely used in two prevalent situations, HTTPS (see Section 6) and prefixed relevant data (see Section 7).
1.1 Contributions
Formalization.
We provide an oracle ideal functionality and formalize the notion of the above proxy-based TLS oracle protocol that allows the verifier to directly proxy client-server TLS communication. The definitions allow us to analyze its security in this paper but can also be applied to different versions of TLS and a comparison between oracle protocols. We consider them to be of independent interest.
Impossibility.
Based on the above definitions, we also prove that if the underlying AEAD scheme satisfies key commitment, the proxy-based TLS oracle protocol can securely realize the oracle ideal functionality in Figure 11. On the other hand, in Section 5, we find that without the key commitment, an adversarial client can potentially forge a message to the verifier.
Therefore, we know that the key commitment is sufficient and necessary to guarantee the security of the proxy-based TLS oracle protocol. However, the AEAD schemes currently used in TLS do not satisfy the key commitment, according to previous research [10, 1], which means that the proxy-based TLS oracle protocol is not secure without specific constraints.
Possibility.
Fortunately, we observe that the real-world application scenarios provide some practical constraints such that the proxy-based TLS oracle can be used securely.
HTTPS. In Section 6, we define a new notion called “variable padding” in Definition 6, and prove that when the plaintext contains a sufficiently long variable padding, AES-GCM and ChaCha20-Poly1305 satisfy the key commitment, which means that the proxy-based TLS oracle is secure in this case. Notably, we show that the TLS-based HTTPS protocol, which is used in over 85% of all web pages [23], contains a sufficiently long variable padding, and thus the proxy-based TLS oracle protocol can be securely used on it.
Prefixed relevant data. In Section 7, we focus on the constraint where the response plaintext is prefixed and not changeable by the client once the connection is established. For example, in practice, the client cannot arbitrarily modify his age, salary, social security number, etc. To analyze the security in this case, we propose a new cryptographic property, context unforgeability, and prove that AES-GCM is not secure yet, ChaCha20-Poly1305 is secure with respect to context unforgeability. In addition, we prove that as long as the TLS uses a context-unforgeable AEAD scheme, the proxy-based TLS oracle is secure.
New AEAD Security Property.
Besides being used for analyzing the security of the proxy-based TLS oracle, the newly proposed context unforgeability precisely bridges the gap in the security analysis of AEAD, and thus may be of independent interest.
2 Technical Overview
In practice, a client can retrieve a message from a server via TLS. An Oracle protocol aims to allow the client to prove to a verifier that the message is indeed obtained from the server and satisfies a predetermined requirement (e.g., age is greater than ). Typically, there are two cases: one is that the message can be open to the verifier, called “public mode”, and the other is that the client does not want to leak the entire to the verifier, called “private mode”. The protocol for the public mode can be transformed to that for the private mode by using a zero-knowledge proof with the opening information in the public mode as witness. Therefore, for simplicity, here we focus on the public mode, and we also show the private mode in Section 4.
In this work, we assume that server is always honest, while client and verifier can be malicious. The key idea of our work is to use verifier as a proxy to prevent client from tampering with the message . Therefore, we also assume that verifier reliably connects to server , i.e., verifier can ensure that she indeed connects with server and the communication messages cannot be tampered with by others (including client ). The assumption has been accepted by other proxy-setting systems [28]. Based on the above assumptions, we design a proxy-based oracle protocol as illustrated in Figure 3 and obtain a series of theoretical results summarized in Figure 4. Next, we will detail how we obtain these results.
TLS relies on authenticated encryption with associated data (AEAD), a symmetric-key primitive, to achieve integrity and confidentiality of exchanged messages. As shown in Figure 3 (ignoring the verifier), TLS consists of a two-party handshake phase and a record phase. After the two-party handshake phase, the server and the client both obtain a key/nonce pair111Here, we ignore the other key/nonce pair for encrypting and decrypting the client’s messages, as this work mainly focuses on preventing the client from forging the server’s messages. of AEAD to encrypt and decrypt the server’s messages. Then, in the record phase, the server and the client communicate with each other using the key/nonce pair generated by the handshake phase. We can see that the client also holds the key/nonce pair of AEAD. Therefore, the client can use the key/nonce pair to encrypt another distinct message to generate a ciphertext , and falsely claim that is retrieved from server . Note that here we discuss the original TLS without the verifier as a proxy.
To address the problem, previous works [33, 9, 31, 6, 16] prevent client from obtaining the whole key by splitting the key into two parts, each of which is obtained by client and verifier respectively. Specifically, client and verifier collectively fulfill the role of the client in TLS through a secure two-party computation (2PC) protocol. However, compared with the original TLS protocol, introducing a 2PC protocol incurs significant extra costs, which raises a question: Is it possible to avoid 2PC protocols?
Preliminary Attempt.
We observe that in the attack above, client uses the AEAD key/nonce pair to generate a new ciphertext , where is the original ciphertext from server . The essence of previous works [33, 9, 31, 6, 16] is to ensure that client cannot obtain the complete AEAD key before he commits the message. Our preliminary attempt is to ensure that verifier can directly obtain the ciphertext from server , such that verifier can recognize any modifications on the ciphertext . To this end, we treat verifier as a proxy that forwards and records the messages between server and client , as shown in Figure 3. In this way, the ciphertext cannot be modified by client . Moreover, verifier records the transcript generated during the handshake phase. Therefore, client can provide to verifier to prove the following three statements: he holds a key/nonce pair that can decrypt to a message ; the message satisfies a preset requirement; the key/nonce pair is derived from the transcript .
Obviously, once obtaining , the verifier can verify the first two statements directly222Given that HTTP is a stateless protocol, to avoid using the same key the verifier obtained for future rounds of interaction, the client can terminate the current connection with the server and handshake again to restart one. For other protocols, we note that TLS 1.3 supports a key update mechanism (see Footnote 5) that allows us to refresh the key/nonce pair for subsequent communications without needing another handshake.. However, the verifier cannot verify the third statement, since it involves private information (namely, the secret used in Diffie-Hellman Handshake) held by the client (please see Figure 5 for more details). Note that if the client provide the private information used in Diffie-Hellman handshake process to the verifier, the verifier can know all the keys and nonces, and thus the verifier can decrypt the request ciphertext ( in Figure 3) to learn the credential.
Using a zero-knowledge proof to prove the third statement is a straightforward way. However, the hash function used in TLS 1.2/1.3 to derive key/nonce is SHA256, which is not SNARK (Succinct Non-interactive Argument Knowledge)-friendly [13]. A concurrent and independent work by Ernstberger [12] have tried to reduce the cost for proving the statement. However, their results showed that the proof for this statement still occupies the cost in the public mode and the cost in the private mode (see Table 1). Therefore, to further reduce the overhead, we delve deeper into the potential of eliminating the proof that the key/nonce pair is derived from the transcript (i.e., the above statement 3).
Eliminating the Proof of Key Origin.
As shown by the previous research [10, 1], the AEAD schemes used by TLS do not satisfy the key commitment property (see Lemma 3); an adversary can efficiently construct a ciphertext and two distinct key/nonce pairs and , such that can be decrypted to two distinct messages and by using and respectively. At first glance, in our proxy-based oracle protocol, client cannot launch the above attack, since client seems unable to construct the ciphertext sent by server . However, we observe this is not true, since client obtains the key/nonce pair as soon as completing the handshake phase. Then, client can construct a ciphertext such that it can be decrypted into and under key/nonce pair and another key/nonce pair respectively. Moreover, meets the predetermined requirement, while does not. Subsequently, the client can change the record in server to through external interactions, so that server produces and sends the ciphertext . Finally, client can use to convince verifier that satisfying the preset requirement is the corresponding plaintext. For example, if the message is about bank balance, client can adjust his balance to , and then prove that balance by using (see Section 5).
With Variable Padding. According to the above analysis, we know that key commitment is necessary for a secure proxy-based oracle protocol without proving that the key is derived from a given transcript. Fortunately, we observe that if the plaintext is well-formatted as seen in HTTPS (or more formally, has a variable padding), the adversary cannot break the key commitment. Intuitively, even if the adversary can generate and , the probability that and are both well-formatted is negligible (see Section 6).
In practice, HTTPS (using TLS on the application layer protocol HTTP) satisfies the above condition, since HTTP headers are variably padded [20]. Therefore, our proxy-based oracle protocol without proving the key origin and 2PC protocols is secure with HTTPS. While HTTPS is one of the most popular protocols and thus the current results are already sufficient to address a wide range of application scenarios, we also discuss if our proxy-based oracle protocol can be securely used for other protocols whose messages are not variably padded.
Without Variable Padding. In the above attack, we assume that client can arbitrarily modify the record in server . However, in some scenarios (e.g., ages, stock prices and insurance numbers), client is not able to perform modifications. In these cases, the AEAD used in TLS only needs to satisfy a weaker security property: given a ciphertext , a key/nonce pair and the corresponding message , the adversary cannot construct another key/nonce pair such that can be decrypted to another message . In Section 7, we formally define this security property as context unforgeability (CFY-security) and systematically investigate if the AEADs (including AES-GCM and ChaCha20-Poly1305) used in TLS satisfy this new security property. We prove that AES-GCM does not satisfy the context unforgeability, whereas ChaCha20-Poly1305 does.
Hierarchical Security of AEAD.
Besides designing an efficient proxy-based oracle protocol, our newly proposed security property, context unforgeability, bridges the gap in the security analysis of AEAD, as shown in Figure 5. Interestingly, combined with the previous properties, context commitment333The works [10, 15] first proposed the key commitment problem. Then Bellare et al. [2] extended to committing nonce and associated data, and Menda et al. [18] summarized them as context commitment. [10, 15, 18] and context undiscoverability [18], the hierarchical security of AEAD precisely corresponds to the hierarchical security of hash functions.
3 Preliminary
We briefly outline the relevant background knowledge on TLS, the definition and security properties of Authenticated Encryption with Associated Data (AEAD).
Notations.
We use to denote the bit-length of a string , and to represent its substring starting at (-based) with length , and to denote the concatenation of strings and . We represent the set size as .
3.1 TLS
Transport Layer Security (TLS) is a family of communication protocols designed to provide end-to-end security over a computer network. Its most prominent use remains to be HTTPS, the web-browsing protocol that sees day-to-day use. TLS 1.3 is the latest protocol in the TLS family, defined in August 2018 [24].
There are two main protocols in TLS. The handshake protocol negotiates a symmetric key to be used in the record protocol. The record protocol manages the transmission of messages, using an authenticated encryption with associated data (AEAD) cipher suite to ensure confidentiality and integrity. An overview of TLS is available in Footnote˜5.
Authenticated Encryption with Associated Data.
Nonce-based authenticated encryption with associated data (AEAD) schemes [17] are employed in TLS to ensure data confidentiality and integrity. An AEAD scheme consists of the following four algorithms . We refer to Full Version’s Appendix A for a full definition.
Cipher Suites in TLS.
TLS supports a handful number of cipher suites [24], with AES-GCM and ChaCha20-Poly1305 being the most popular and enabled in OpenSSL by default [30]. Notably, all cipher suites in TLS adopt a block-based construction – the plaintext and the associated data are packed into a series of fixed-size blocks and , which is then processed by the algorithm to produce the ciphertext.
AES-GCM. AES-GCM is the most widely used cipher suite in TLS and the only cipher suite that must be implemented by every application under the specification. In AES-GCM, all the computation is done over the field . The ciphertext is obtained by where is the AES block cipher.
AES-GCM also ensures authenticity by using an authentication tag where is a concatenation of , and their length. For further information, we refer the reader to the specification for clarity [11].
ChaCha20-Poly1305. ChaCha20-Poly1305 is an alternative to AES-GCM. In ChaCha20-Poly1305, encryption is done similarly to AES-GCM: where is the ChaCha20 stream cipher.
However, the authentication tag computation in ChaCha20 is different from AES-GCM due to the usage of Poly1305. First, two 128-bit variables are sampled from the stream cipher. Then, the authentication tag where is the concatenation of associated data, ciphertext and their length as in AES-GCM. The computation of is done over , then truncated to 128 bits. For details, we refer the reader to the RFC specification [21].
Key Update.
TLS 1.3, the latest TLS version, also supports an operation known as a key update. The operation allows any party to refresh the secret (i.e., and/or in Figure 5) used on either or both sides. The new secret is generated based on a hash of the old secret, and the new keys and IVs are derived from the new secrets based on the same rule as shown in Figure 5.
3.2 Context Attacks of AEAD
In the proxying oracle protocol, we need to discuss the possibility that an adversarial prover deceives the verifier by providing a symmetric key that does not correspond to the one in the handshake yet still decrypts the ciphertext. This corresponds to the concept of context discovery and commitment attacks, first summarized by Menda et al. [18]. Here we outline a couple of specific definitions that will be useful in our cases. We use to denote a specification of the more general case discussed by Menda et al.
Context Discovery Attack.
A context discovery (CDY) attack refers to the adversary’s capability to come up with some part of the context (i.e. a key and/or a nonce) that decrypts the given ciphertext without error, although not necessarily to the original plaintext. Formally:
Definition 1 (Context Discovery).
Fix some AEAD parameter and a corresponding AEAD oracle . The game is defined as:
-
1.
The challenger samples a random ciphertext from some ciphertext space and its corresponding decryption context .
-
2.
The challenger sends to some adversary .
-
3.
The adversary wins if it outputs a valid context that decrypt successfully.
The adversary’s -advantage is defined as the probability it wins under queries to the AEAD oracle .
Context Commitment Attack.
A context commitment (CMT) attack refers to the adversary’s capability to come up with some context (e.g. ciphertext) and provide two interpretations of it. Formally, the game is defined as:
Definition 2 (Context Commitment).
Fix some AEAD parameter and a corresponding AEAD oracle . The game is defined as:
-
1.
The challenger samples and sends to some adversary .
-
2.
The adversary wins if it outputs a ciphertext and two valid contexts and with that decrypts successfully.
The adversary’s -advantage is defined as the probability it wins under queries to the AEAD oracle .
Rationale for the Definition.
As Menda et al. [18] have pointed out, there exist many variations of commitment attacks with different limitations on the key, nonce and associated data. Here we observe that in TLS the verifier cannot access the key and the nonce but can access the associated data. Therefore, the adversary (i.e., client ) can only manipulate the key and the nonce. Based on the fact, we pick the above definition that matches our scenario. Nevertheless, we observe that our definition of CDY and CMT is a specification of the granular security framework proposed by Menda et al., and we defer the discussion of the general abstraction to Full Version’s Appendix B.
Relationship between CMT and CDY.
Menda et al. proved that CMT security implies CDY security, assuming that there is a non-negligible probability that a ciphertext can be decrypted under two different contexts (known as context compression). They also make an analogy that CDY is to CMT as a preimage attack is to a collision attack on a hash function. The required security for AEAD in proxying is a little more lenient than CDY but a little more strict than CMT. We will define an in-between game, the context forgery (CFY) attack, and discuss the relation between the three games in Section 7.2.
Key Commitment Attacks.
The two major cipher suites in TLS, AES-GCM and ChaCha20-Poly1305, are not key committing under this definition. The concrete attack is well-studied and presented in multiple works [1, 18, 10].
Lemma 3 (Key Commitment Attacks).
For where is an ideal cipher modeling AES and is a random function modeling ChaCha20, there exists an adversary that queries the oracle at most times and wins with probability at least .
4 Proxy-based Oracle Protocol
Our proxy-based oracle protocol (shown in Figure 7) is parameterized by a predicate . There are a server , a client and a verifier . The client aims to prove that where is from server , to verifier . To prevent client from altering the data received from server , we use verifier as a proxy to relay the messages between server and client . Our protocol consists of four phases: (1) handshake phase, (2) request phase, (3) response phase, and (4) prove phase. Next, we detail the four phases, and define the functionality in Figure 11 in Full Version’s Appendix C.1.
In the handshake phase, client and server perform the TLS handshake protocol, and the communication messages are relayed by verifier . Then, the client and the server can obtain the pair of initial client/server application key , and derive the client write key/IV pair and the server write key/IV pair (see Section 3.1 for more details). Later, and would be updated, so we use and to denote the currently used key/IV pairs.
In the request and response phases, client and server still follow the specification of TLS to generate the request ciphertext under and the response ciphertext under . The verifier is responsible for relaying the two ciphertexts.
In the prove phase, client can choose the public mode (i.e., ) or the private mode (i.e., ). In the public mode, client opens the response and the server write key/IV pair to verifier . Then, verifier checks if the response ciphertext can be decrypted to using and where is the pertinent message extracted from . If the verification is successful, verifier outputs , otherwise, outputs . Since that is opened and cannot be used for the subsequent communications, client informs server to update and to and by using the key update mechanism (see Section 3.1 for more details). In the private mode, the client invokes to generate a proof proving that he holds a server write key/IV pair that can decrypt the response ciphertext to and where is the pertinent message extracted from . If the proof is valid, the verifier outputs , otherwise, outputs .
5 Vulnerability in Unrestricted Setting
While it is tempting to reason the protocol’s security on general TLS connections, unfortunately, as we confirm the intuition of previous works [33, 16], the proxy-based oracle protocol is not secure if we only consider the oracle with unrestricted setting . We present our findings below.
Theorem 4.
When the underlying AEAD is vulnerable to key-committing attacks (see Lemma 3), there exists some server and predicate such that the protocol does not realize the functionality (see Figure 11 in Full Version’s Appendix C.1).
Proof.
Recall that in key-committing attack (see Definition 2), the adversary (i.e., the client ) can generate a ciphertext and two contexts and , where , such that the ciphertext can be successfully decrypted under the two contexts. At first glance, the key-committing attack is not applicable to our scenario, as it is the server that generates the response ciphertext . However, since the client can obtain after the handshake phase and the associated data can be known beforehand according to the specification of TLS [25, 24], the client can manipulate the data stored by the server through a side channel to build a ciphertext . For instance, the client’s balance in some bank can be manipulated by withdrawing or saving funds. Specifically, we then construct an attacker that does the following:
starts the protocol. It starts handshaking with the server through verifier to obtain .
builds a ciphertext and another context , such that and through traditional key commitment attacks (see Lemma 3).
modifies the server-side data to via side-channel methods, such that the verifier receives and records the response ciphertext .
uses to convince the verifier that is the plaintext.
A real-life attack scenario can also be found in the famous Facebook attack [10]. In the Facebook attack, the attacker constructs a specific ciphertext after the handshake, when it knows the symmetric key that will be used in the communication. It has the server store this ciphertext, which it will decrypt later using a different key other than the one in the handshake.
Nevertheless, not all hope is lost. We observe that the attack in the theorem exploited the fact that the AEAD scheme in TLS is not key-committing. In fact, as we will see in the theorem below, realizes if and only if the underlying AEAD is key-committing.
Theorem 5.
Given a secure AEAD with key commitment security (see Lemma 3), protocol shown in Figure 7 can securely realize the oracle functionality (see Figure 11 in Full Version’s Appendix C.1) in the -hybrid model, against a static active adversary who can corrupt client or verifier .
We refer the readers to Full Version’s Appendix E for proof details.
6 Variable Padding and HTTPS Server
The previous section shows that key commitment is necessary and sufficient for a secure oracle protocol. However, with all that being said, key committing is simply not a property present in the current TLS protocol. Fortunately, we find that all HTTPS responses contain an HTTP header at the start of the plaintext, which can be used to prevent key-committing attacks. In this section, we define a notion called variable padding to capture the padding-like structure existing in HTTPS responses. Furthermore, we prove that when considering plaintexts with variable padding, both AES-GCM and ChaCha20-Poly1305 are secure against key-committing attacks. Next, we first give more details about variable padding.
6.1 Variable Padding
Figure 8 contains a typical response header from an Apache server. The sample header has 308 bytes of text – enough for 19 blocks of AES. Albertini et al. [1] have shown that AEAD schemes can be made key-committing with 4 blocks of fixed padding. However, we observe that an adversarial prover in our game has some wiggle room for the header, because it may be able to determine parameters such as HTTP status code and response date. Nevertheless, we find its capability highly constrained, since all of these parameters have limited ranges of value. For instance, the HTTP status code has only 63 variations. If we take a rather generous time window of one hour between the response of the server and the receival of the verifier, then the response date has no more than 3600 different variations. This motivates us to define the concept of variable padding: padding with limited variations controlled by the adversary.
Definition 6 (Variable padding).
Consider a set that consists of only -bit strings. We say that a string is variably padded by , if the -bit prefix of is in .
For instance, consider the sample header in Figure 8. We can easily verify that the first 54 bytes consist of only the status code and the date as the variable parameters. Therefore, we can assert that there exists a 54-byte string set with , such that all response plaintext produced by this particular server is variably padded by .
Application to Generic HTTPS Servers.
While to achieve the tightest security bound, the specific padding and length should be analyzed on a per-server basis, we can nevertheless demonstrate a generic bound based on the HTTP status code and date header.
Corollary 7.
Every valid HTTP response is variably padded by a -byte string set with if it follows good practice and is received within seconds.
This corollary is verified by noticing that RFC 7231 requires any server with a reasonable clock to send the date header, and states “it is good practice to send header fields that contain control data first, such as… Date on responses”. Notably, both Apache and Nginx, the two popular HTTP server implementations, have Server and Date as the first two response headers; meanwhile, the HTTP header with a date takes at least 54 bytes.
6.2 Key Commitment with Variable Padding
Next, we consider an adversarial prover’s advantage with a variably padded plaintext, in AES-GCM and ChaCha20-Poly1305. Since the verifier has access to the ciphertext transcript, the attacker needs to come up with some ciphertext and two pairs of key and nonce such that both and give a plaintext variably padded by some .
Analysis on AES-GCM.
We first formalize our statement for AES-GCM.
Theorem 8 (GCM Key commitment with variable padding).
Assume is an ideal block cipher with -bit block size and is a GCM scheme defined on . The adversary’s advantage of constructing a ciphertext , an associated data , and two key/nonce pairs such that both and give a plaintext variably padded by some -bit string set within queries to is at most , where and is the bit-length of IV.
Proof.
We first fix a key/nonce pair and two prefixes and consider the bad event BAD where there exists another key/nonce pair and a ciphertext such that has prefix and has prefix . Let us upper-bound the probability as follows.
We assume that the -bit prefix spans across blocks and extra bits, which means that . We know that for some ciphertext , has prefix and has prefix . Therefore, according to the AES-GCM encryption process, the following equation set holds:
Recall that we consider fixed and prefixes and . Therefore, the equation set above tells us that blocks and extra bits of are also fixed. Next, we calculate how many can satisfy the requirement.
Because is an ideal cipher and block size is bits, both and are permutations on elements. In Figure 9, we show the results of the permutation on the elements. We assume that from -th block to -th block are fixed and the first bits in the -th block are also fixed. We can see that the remaining bits in the -th block can be randomly chosen from . Once the remaining bits in the -th block are chosen, the blocks are fixed. Then, the remaining blocks have a total of possible assignments. Therefore, the upper bound of the number of satisfying the above requirement is given by
Without considering the above requirement, could be randomly chosen from permutations. Hence the probability of BAD happening is at most
Now the total probability is bounded by the summation of all different keys the adversary tests (note that the adversary queries at most times) and all different nonces and prefixes, so
Since in TLS, the nonce for AES-GCM is uniquely determinely by a 96-bit IV, we have . Plugging in the generic HTTP padding with bits, bits, and a generous seconds gives us . Note that .
Therefore, the protocol is secure on HTTPS servers.
Analysis on ChaCha20-Poly1305.
Similarly, below we demonstrate the security of ChaCha20Poly1305.
Theorem 9 (Poly1305 Key commitment with variable padding).
Assume is an ideal random function representing ChaCha20 and is a Poly1305 scheme defined on . The adversary’s advantage of constructing a ciphertext , an associated data , and two key/nonce pairs such that both and give a plaintext variably padded by some -bit string set within queries to is at most , where is the bit-length of IV.
Proof.
The only difference in the analysis between AES-GCM and ChaCha20-Poly1305 is that AES is a random permutation and ChaCha20 is a random function. Therefore, following a similar analysis, we can bound the probability of getting a bad random function to Therefore, the overall probability is bounded by
Similarly, in TLS, the nonce for ChaCha20-Poly1305 is uniquely determined by a 96-bit IV. Therefore, we have . Plugging in the generic HTTP padding with bits, bits, and seconds gives us .
Theorem 10.
Assume TLS uses either AES-GCM or ChaCha20-Poly1305. Fix some set variable padding of polynomial size. Let denote the same functionality as , except that the server’s response is guaranteed to be variably padded by . Protocol shown in Figure 7 can securely realize the oracle functionality defined in Figure 11 in the -hybrid model, against a static active adversary who can corrupt client or verifier .
The proof follows a direct application of the above analysis on AES-GCM and ChaCha20-Poly1305 to Theorem 5.
7 Beyond HTTPS: without Variable Padding
We have shown that proxying is secure over HTTPS thanks to the variable padding. Nonetheless, exploring the potential usage of proxying over home-bake protocols is still an interesting topic from a theoretical perspective. We have seen that proxying is not secure given any home-bake protocol: the Facebook attack [10] is a practical counter-example. Therefore, we must restrict the adversarial prover’s power to some extent. In this section, we explore the scenario where the prover must fix the server’s response before the protocol. This is common in many daily scenarios. For instance, an adversarial prover should not be able to change his age depending on the handshake secret.
We formalize the intuition as functionality in Figure 12 in Full Version’s Appendix C.2. Unlike the functionality , the functionality obtains the data related to client , denoted as , from the environment , before the handshake phase. Then, in the response phase, the functionality applies the query to to obtain the response . This reflects that is fixed before the handshake phase.
7.1 Context Forgery Attack
What we are considering is akin to a forgery attack: our adversarial attacker must come up with an additional explanation of the ciphertext provided by the server. We notice that the context discovery (CDY) attack on AEAD (see Definition 1) considered by Menda et al. [18] is closely related to our problem, but there are notable differences.
Specifically, the adversarial considered by us has more knowledge than what is described under the CDY model in Menda et al. [18], since he knows the original context (i.e., key/nonce pair) of the ciphertext. Moreover, he also has a different goal in mind: he cannot just find any context that decrypts the ciphertext – he has to find one that is different from the original context. Based on these differences, we propose a new model named context forgeability (CFY) and relate this to the second-preimage attack on a hash function, similar to how CDY is to CMT as a preimage attack is to a collision attack. More formally, we can define the context forgery attack game as:
Definition 11 (Context Forgery).
Fix some AEAD parameter and a corresponding AEAD oracle . The game is defined as:
-
1.
The challenger samples a random ciphertext from some ciphertext space and its corresponding decryption context .
-
2.
The challenger sends to some adversary .
-
3.
The adversary wins if it outputs a valid context with that decrypts successfully.
The adversary’s -advantage is defined as the probability it wins under queries to the AEAD oracle .
Analysis on AES-GCM.
AES-GCM is known for various commitment weaknesses [10], and it is not difficult to intuit that it is not secure in this scenario. Since a CDY attack implies a CFY attack (see Corollary 16), we can use ideas that Menda et al. [18] proposed for the CDY attack to give an attack for CFY.
Theorem 12.
There is an attack under that breaks -GCM with probability at least , assuming is an 128-bit ideal block cipher.
Proof.
For simplicity, let us consider a message with one block of ciphertext and no associated data. If we obtain some key , nonce and the only ciphertext block from the input, the tag follows the definition of GCM where Now suppose we sample some other key , then we have the following equation, given the fixed tag and ciphertext block that
It is obvious that given , can be solved using the above equation. Moreover, since is reversible, we can solve for . In AES-GCM the nonce must end with , so this particular has probability of satisfying the requirement. Observing that this try of uses two queries of (that is, one is for and the other is for decrypting ), we can bound the success probability of queries to .
Analysis on ChaCha20-Poly1305.
To analyze game under ChaCha20-Poly1305, we first abstract its authentication tag computation mechanism as where is a polynomial whose coefficient depends only on the concatenation of the associated data and the ciphertext, and is the secret generated by the ChaCha20 pseudorandom function. We then demonstrate its security in .
Theorem 13.
The adversary’s advantage in when attacking -Poly1305 is no more than , where is the number of queries the adversary made to and is a 512-bit random oracle.
Proof.
We start by fixing some key and nonce the adversary has queried for the first time. Observe that since is a random oracle, is a uniform distribution regardless of any prior queries. Therefore, is also uniformly distributed over the whole range. Now observe that in order for to satisfy the tag requirement, we have Rearrange and we have Observe that for some fixed , is still uniformly distributed over . Denote . We can bound the probability of satisfying the tag requirement by Since the attacker makes queries, we bound the probability to .
Protocol Security Under CFY.
We demonstrate that the proxying protocol realizes as long as the underlying AEAD is secure under .
Theorem 14.
We refer the readers to Full Version’s Appendix F for the full proof.
7.2 Relationship between CMT, CFY and CDY
An interesting observation is that a similar hierarchy exists concerning CDY, CFY and CMT just like the hash function. CMT-security implies CFY-security, and CFY-security implies CDY-security assuming context compression. We provide our insight in the following two corollaries and defer a formal proof on the generalized case under Menda et al.’s framework to Full Version’s Appendix B.
Corollary 15.
For some AEAD and any adversary that wins the game with advantage , there exists an adversary that wins the game with advantage .
The relationship between CFY and CDY, on the other hand, is not so clear-cut. While a CDY attack on an AEAD scheme often implies a CFY attack, it is not universally true. In the case where a ciphertext cannot be decrypted under two different contexts (i.e., the following event), a CDY attack may be easy but a CFY attack will be impossible. However, similar to the analysis of Menda et al. on CDY, we can bound the advantage of the adversary with the probability of :
Corollary 16.
For some AEAD and any adversary that wins the game with advantage , there exists an adversary that wins the game with advantage such that where is the event that for a randomly sampled , the resulting ciphertext can only be decrypted when the associated data is .
8 Evaluation
Due to the fact that the related works’ implementations are close-sourced, including DECO [33], the work by Xie et al. [31], Janus [16], ORIGO666The end-to-end codebase in ORIGO (https://github.com/opex-research/tls-oracle-demo) is open-sourced, but the zero-knowledge component (https://github.com/opex-research/tls-zkp) is not. [12], we conduct an empirical survey to outline the cost that can be saved by our technique in Table 1, using numbers reported in these papers. We split the result from these papers into the following three parts, and our result in this paper can eliminate the cost in key-related assurance:
-
1.
TLS proxy overhead: cost associated with TLS proxying and network cost.
-
2.
Key-related assurance: cost associated with ensuring key commitment. Some prior work [33, 31, 16] utilizes 2PC protocols to generate query since the key is split between the client and the oracle. Here, we consider the processes of three-party handshake and relevant 2PC to be in this category, since our result does not need to split the key, and eliminates these costs.
-
3.
Record layer assurance: cost on proving statements in the record layer.
Based on empirical data, in the simple case where everything that needs to be hidden resides in the request and the record layer assurance does not need to be deployed, we can achieve around a 90% saving in running time by eliminating key-related assurance. On the other hand, if we consider typical record layer assurance protocols deployed by these works, we can achieve around a 60% saving in performance, depending on the complexity of the record layer circuit.
| Work | Scenario | Record Type | Resp. | Key-Related | Record | ||
| Size | Off. | On. | Off. | On. | |||
| (B) | (s) | (s) | |||||
| ORIGO [12] (Groth16) | Circuit111Here, we ignore the other key/nonce pair for encrypting and decrypting the client’s messages, as this work mainly focuses on preventing the client from forging the server’s messages. | Open22footnotemark: 2 (32 B) | |||||
| ORIGO [12] (Plonk) | Circuit | Open (32 B) | |||||
| Janus [16] | LAN | Open (256 B) | |||||
| Xie et al. [31] | LAN | – | – | 4444 | – | ||
| DECO [33] (512 B Query) | LAN | – | – | – | |||
| DECO [33] (512 B Query) | WAN (100 Mbps) | – | – | – | |||
| DECO [33] (1 KB Query) | LAN | – | – | – | |||
| DECO [33] (1 KB Query) | WAN (100 Mbps) | – | – | – | |||
| DECO [33] | Circuit | Binary Options33footnotemark: 3 | – | – | – | ||
| DECO [33] | Circuit | Age Proof | – | – | – | ||
| DECO [33] | Circuit | Price Dis- crimination | – | – | – | ||
-
1.
Local computation of proof circuit.
-
2.
Selective opening of a substring of the response.
-
3.
DECO designed some scenarios where the prover proves a specific statement.
-
4.
Xie et al.’s work only reported the online computation cost of 2-party computations.
9 Related Work
AEAD Commitment Security.
It is known that a lot of AEAD schemes do not have the most robust commitment security. One prominent example of an exploit is the attack on Facebook Messenger by Dodis et al. [10]. Commitment security on AEAD has received a lot of research since around that time [15, 8]. Menda et al. provided a generalization and analysis on the topic [18], which we leverage in this paper. Albertini et al. analyzed several possible ways to fix popular AEAD schemes [1]. Our work builds and extends on the framework by Menda et al. [18] and gives it a practical scenario. With this toolset, we are able to reason the security of proxying and give concrete security bounds with proof.
TLS Proxy & Oracle Protocols.
Using TLS under multi-party scenarios has been investigated a number of times under different scenarios [19, 3, 14, 27]. TLS oracle protocols have also recently been studied by a variety of academic papers. Earlier results often include modifying the TLS server to some extent and using trusted hardware which are considered not universal [32, 26]. DECO by Zhang et al. [33] in 2020 is one of the first papers that combines a TLS oracle with zero-knowledge proof to preserve user privacy over a general TLS server. Janus by Lauinger et al. [16] demonstrates an efficient two-party computation that optimizes the performance of zero-knowledge proof by the client. A work in a similar direction by Xie et al. [31] uses the garble-then-prove technique instead. DIDO by Chan et al. [9] proposes further optimization based on TLS 1.3. ORIGO [12], an independent and concurrent work of ours, observed that the ZK proof for key derivation can be optimized.
Meanwhile, there is also significant industry effort on this topic. The recent Reclaim Protocol [22] provides an implementation that is based purely on proxying without the three-party handshake but provides no security proof of the integrity of the data. Thus our work is also a theoretical discussion of the industry effort that validates its usage under common scenarios but also points out its limitations.
10 Conclusion and Discussion
In this paper, we formalize the notion of a proxy TLS oracle protocol that does not enter any communication between the client and the server like previous works. We first reason for its limitation on arbitrary TLS protocols, confirming the intuition of previous works. We then prove that the proxy protocol is secure under an application layer protocol with a variable padding, such as HTTPS. We further explore the scenario where the application layer does not provide variable padding. We show that if the adversary cannot tamper with the response after establishing the connection, context unforgeability (CFY) of the underlying AEAD is sufficient to demonstrate security. We analyze the cipher suites in TLS, and find that AES-GCM does not satisfy the property, but ChaCha20-Poly1305 does.
Multi-Round Support.
We observe that the NIZK proof of the protocol does not reveal the key/nonce pair used in the communication. Therefore, our protocol naturally supports the client and the server communicating in multiple rounds after a handshake connection, as in the original TLS.
In practice, when the data do not involve privacy, the client can choose to directly reveal the key/nonce pair and data to the verifier, rather than using the NIZK proof. In this case, since HTTP is a stateless protocol, the client can terminate the connection and handshake again to start a new one for future rounds. Moreover, we note that TLS 1.3 supports a key update mechanism (see Footnote˜5) that allows us to refresh the key/nonce pair for subsequent communications without needing another handshake.
Side-Channel Connection.
Our protocol does not stop an adversarial client from connecting to the server simultaneously without proxying through the verifier. In fact, when the web server is not restricted in its response, there is an attack using a side channel connection (see Theorem 4), and we prove that the HTTPS response format can be used to defend against the attack. Moreover, in our scenario, the purpose of the client is to have the data obtained from the server validated by the verifier so that the data can be submitted to the blockchain. Therefore, the client has no motivation to bypass the verifier when he tries to acquire the data.
BGP Attacks and Proxy-Server Connection Hijacking.
In the main body of the paper, we assumed that the verifier has a trusted connection to the TLS server. Indeed, the problem is not meaningful if the server is not trusted or if there is no trusted way to access the server, since there would not exist any root of trust under this scenario.
Here, we note that if the client can adaptively corrupt the connection between the verifier and the TLS server, it can first establish the connection with the real server and obtain the HTTPS certificate, and then hijack the connection to transmit the message with the master secret it knows. This attack works even if the verifier pins the server certificate in advance, but requires the client to adaptively corrupt the connection.
References
- [1] Ange Albertini, Thai Duong, Shay Gueron, Stefan Kölbl, Atul Luykx, and Sophie Schmieg. How to abuse and fix authenticated encryption without key commitment. In Kevin R. B. Butler and Kurt Thomas, editors, USENIX Security 2022, pages 3291–3308. USENIX Association, August 2022. URL: https://www.usenix.org/conference/usenixsecurity22/presentation/albertini.
- [2] Mihir Bellare and Viet Tung Hoang. Efficient schemes for committing authenticated encryption. In Orr Dunkelman and Stefan Dziembowski, editors, EUROCRYPT 2022, Part II, volume 13276 of LNCS, pages 845–875. Springer, Heidelberg, May / June 2022. doi:10.1007/978-3-031-07085-3_29.
- [3] Karthikeyan Bhargavan, Ioana Boureanu, Antoine Delignat-Lavaud, Pierre-Alain Fouque, and Cristina Onete. A formal treatment of accountable proxying over TLS. In 2018 IEEE Symposium on Security and Privacy, pages 799–816. IEEE Computer Society Press, May 2018. doi:10.1109/SP.2018.00021.
- [4] Lorenz Breidenbach, Christian Cachin, Benedict Chan, Alex Coventry, Steve Ellis, Ari Juels, Farinaz Koushanfar, Andrew Miller, Brendan Magauran, Daniel Moroz, et al. Chainlink 2.0: Next steps in the evolution of decentralized oracle networks, 2021. URL: https://chain.link/.
- [5] Vitalik Buterin. Ethereum white paper: A next-generation smart contract and decentralized application platform. https://finpedia.vn/wp-content/uploads/2022/02/Ethereum_white_paper-a_next_generation_smart_contract_and_decentralized_application_platform-vitalik-buterin.pdf. Accessed: March 28, 2024.
- [6] Sofía Celi, Alex Davidson, Hamed Haddadi, Gonçalo Pestana, and Joe Rowell. Distefano: Decentralized infrastructure for sharing trusted encrypted facts and nothing more. Cryptology ePrint Archive, Paper 2023/1063, 2023. URL: https://eprint.iacr.org/2023/1063.
- [7] Chainlink Foundation. What is the blockchain oracle problem? https://blog.chain.link/what-is-the-blockchain-oracle-problem/. Accessed: March 28, 2024.
- [8] John Chan and Phillip Rogaway. On committing authenticated-encryption. In Vijayalakshmi Atluri, Roberto Di Pietro, Christian Damsgaard Jensen, and Weizhi Meng, editors, ESORICS 2022, Part II, volume 13555 of LNCS, pages 275–294. Springer, Heidelberg, September 2022. doi:10.1007/978-3-031-17146-8_14.
- [9] Kwan Yin Chan, Handong Cui, and Tsz Hon Yuen. DIDO: data provenance from restricted TLS 1.3 websites. In Information Security Practice and Experience, pages 154–169. Springer Nature, 2023. doi:10.1007/978-981-99-7032-2_10.
- [10] Yevgeniy Dodis, Paul Grubbs, Thomas Ristenpart, and Joanne Woodage. Fast message franking: From invisible salamanders to encryptment. In Hovav Shacham and Alexandra Boldyreva, editors, CRYPTO 2018, Part I, volume 10991 of LNCS, pages 155–186. Springer, Heidelberg, August 2018. doi:10.1007/978-3-319-96884-1_6.
- [11] Morris Dworkin. Recommendation for block cipher modes of operation: Galois/counter mode (GCM) and GMAC. Technical Report NIST Special Publication (SP) 800-38D, National Institute of Standards and Technology, Gaithersburg, MD, 2007. doi:10.6028/NIST.SP.800-38D.
- [12] Jens Ernstberger, Jan Lauinger, Yinnan Wu, Arthur Gervais, and Sebastian Steinhorst. ORIGO: Proving provenance of sensitive data with constant communication. Cryptology ePrint Archive, Paper 2024/447, 2024. URL: https://eprint.iacr.org/2024/447.
- [13] Lorenzo Grassi, Dmitry Khovratovich, Christian Rechberger, Arnab Roy, and Markus Schofnegger. Poseidon: A new hash function for zero-knowledge proof systems. In Michael Bailey and Rachel Greenstadt, editors, USENIX Security 2021, pages 519–535. USENIX Association, August 2021. URL: https://www.usenix.org/conference/usenixsecurity21/presentation/grassi.
- [14] Paul Grubbs, Arasu Arun, Ye Zhang, Joseph Bonneau, and Michael Walfish. Zero-knowledge middleboxes. In Kevin R. B. Butler and Kurt Thomas, editors, USENIX Security 2022, pages 4255–4272. USENIX Association, August 2022. URL: https://www.usenix.org/conference/usenixsecurity22/presentation/grubbs.
- [15] Paul Grubbs, Jiahui Lu, and Thomas Ristenpart. Message franking via committing authenticated encryption. In Jonathan Katz and Hovav Shacham, editors, CRYPTO 2017, Part III, volume 10403 of LNCS, pages 66–97. Springer, Heidelberg, August 2017. doi:10.1007/978-3-319-63697-9_3.
- [16] Jan Lauinger, Jens Ernstberger, Andreas Finkenzeller, and Sebastian Steinhorst. Janus: Fast privacy-preserving data provenance for TLS 1.3. Cryptology ePrint Archive, Report 2023/1377, 2023. URL: https://eprint.iacr.org/2023/1377.
- [17] David McGrew. An Interface and Algorithms for Authenticated Encryption. RFC 5116, January 2008. doi:10.17487/RFC5116.
- [18] Sanketh Menda, Julia Len, Paul Grubbs, and Thomas Ristenpart. Context discovery and commitment attacks - how to break CCM, EAX, SIV, and more. In Carmit Hazay and Martijn Stam, editors, EUROCRYPT 2023, Part IV, volume 14007 of LNCS, pages 379–407. Springer, Heidelberg, April 2023. doi:10.1007/978-3-031-30634-1_13.
- [19] David Naylor, Kyle Schomp, Matteo Varvello, Ilias Leontiadis, Jeremy Blackburn, Diego R. López, Konstantina Papagiannaki, Pablo Rodriguez Rodriguez, and Peter Steenkiste. Multi-context TLS (mcTLS): Enabling secure in-network functionality in TLS. In ACM SIGCOMM 2015, volume 45, pages 199–212. ACM Press, August 2015. doi:10.1145/2829988.2787482.
- [20] Henrik Nielsen, Jeffrey Mogul, Larry M Masinter, Roy T. Fielding, Jim Gettys, Paul J. Leach, and Tim Berners-Lee. Hypertext Transfer Protocol – HTTP/1.1. RFC 2616, June 1999. doi:10.17487/RFC2616.
- [21] Yoav Nir and Adam Langley. ChaCha20 and Poly1305 for IETF Protocols. RFC 7539, May 2015. doi:10.17487/RFC7539.
- [22] Reclaim Protocol. Reclaim protocol: Claiming and managing self-sovereign credentials, 2023. URL: https://www.reclaimprotocol.org/.
- [23] Q-Success. Usage statistics of default protocol https for websites. https://w3techs.com/technologies/details/ce-httpsdefault. Accessed: April 10, 2024.
- [24] Eric Rescorla. The Transport Layer Security (TLS) Protocol Version 1.3. RFC 8446, August 2018. doi:10.17487/RFC8446.
- [25] Eric Rescorla and Tim Dierks. The Transport Layer Security (TLS) Protocol Version 1.2. RFC 5246, August 2008. doi:10.17487/RFC5246.
- [26] Hubert Ritzdorf, Karl Wüst, Arthur Gervais, Guillaume Felley, and Srdjan Capkun. TLS-N: Non-repudiation over TLS enablign ubiquitous content signing. In NDSS 2018. The Internet Society, February 2018. URL: https://www.ndss-symposium.org/wp-content/uploads/2018/02/ndss2018_09-4_Ritzdorf_paper.pdf.
- [27] Sijun Tan, Weikeng Chen, Ryan Deng, and Raluca Ada Popa. MPCAuth: Multi-factor authentication for distributed-trust systems. In 2023 IEEE Symposium on Security and Privacy, pages 829–847. IEEE Computer Society Press, May 2023. doi:10.1109/SP46215.2023.10179481.
- [28] Liang Wang, Gilad Asharov, Rafael Pass, Thomas Ristenpart, and abhi shelat. Blind certificate authorities. In 2019 IEEE Symposium on Security and Privacy, pages 1015–1032. IEEE Computer Society Press, May 2019. doi:10.1109/SP.2019.00007.
- [29] David Warburton. The 2021 TLS telemetry report. https://www.f5.com/labs/articles/threat-intelligence/the-2021-tls-telemetry-report. Accessed: April 10, 2024.
- [30] The OpenSSL Wiki. Tls1.3, 2023. URL: https://wiki.openssl.org/index.php/TLS1.3.
- [31] Xiang Xie, Kang Yang, Xiao Wang, and Yu Yu. Lightweight authentication of web data via garble-then-prove. Cryptology ePrint Archive, Report 2023/964, 2023. URL: https://eprint.iacr.org/2023/964.
- [32] Fan Zhang, Ethan Cecchetti, Kyle Croman, Ari Juels, and Elaine Shi. Town crier: An authenticated data feed for smart contracts. In Edgar R. Weippl, Stefan Katzenbeisser, Christopher Kruegel, Andrew C. Myers, and Shai Halevi, editors, ACM CCS 2016, pages 270–282. ACM Press, October 2016. doi:10.1145/2976749.2978326.
- [33] Fan Zhang, Deepak Maram, Harjasleen Malvai, Steven Goldfeder, and Ari Juels. DECO: Liberating web data using decentralized oracles for TLS. In Jay Ligatti, Xinming Ou, Jonathan Katz, and Giovanni Vigna, editors, ACM CCS 2020, pages 1919–1938. ACM Press, November 2020. doi:10.1145/3372297.3417239.
