The TLS protocol is intended to enable secure end-to-end communication over insecure
networks, including the Internet. Unfortunately, this goal has been thwarted a number of …

TLS 1.3 is the next version of the Transport Layer Security (TLS) protocol. Its clean-slate
design is a reaction both to the increasing demand for low-latency HTTPS connections and …

We analyze the handshake protocol of the Transport Layer Security (TLS) protocol, version
1.3. We address both the full TLS 1.3 handshake (the one round-trip time mode, with …

The record layer is the main bridge between TLS applications and internal sub-protocols. Its
core functionality is an elaborate form of authenticated encryption: streams of messages for …

We propose the first tight security proof for the ordinary two-message signed Diffie–Hellman
key exchange protocol in the random oracle model. Our proof is based on the strong …

Weak forward secrecy (wFS) of authenticated key exchange (AKE) protocols is a passive
variant of (full) forward secrecy (FS). A natural mechanism to upgrade from wFS to FS is the …

A deniable authenticated key exchange (DAKE) protocol establishes a secure channel
without producing cryptographic evidence of communication. A DAKE offers strong …

In the development of TLS 1.3, the IETF TLS Working Group has adopted an “analysis-prior-
to-deployment” design philosophy. This is in sharp contrast to all previous versions of the …

The pre-shared key (PSK) handshake modes of TLS 1.3 allow for the performant, low-
latency resumption of previous connections and are widely used on the Web and by …

TLS 1.3 allows two parties to establish a shared session key from an out-of-band agreed pre-
shared key (PSK). The PSK is used to mutually authenticate the parties, under the …