A comprehensive symbolic analysis of TLS 1.3
The TLS protocol is intended to enable secure end-to-end communication over insecure
networks, including the Internet. Unfortunately, this goal has been thwarted a number of …
A messy state of the union: Taming the composite state machines of TLS
The Transport Layer Security (TLS) protocol supports various authentication modes, key
exchange methods, and protocol extensions. Confusingly, each combination may prescribe …
[BOOK][B] Protocols for authentication and key establishment
The first edition of this book was published in 2003. Inevitably, certain parts of the book
became outdated quickly. At the same time new developments have continued apace …
A cryptographic analysis of the TLS 1.3 handshake protocol
We analyze the handshake protocol of the Transport Layer Security (TLS) protocol, version
1.3. We address both the full TLS 1.3 handshake (the one round-trip time mode, with …
Automated analysis and verification of TLS 1.3: 0-RTT, resumption and delayed authentication
After a development process of many months, the TLS 1.3 specification is nearly complete.
To prevent past mistakes, this crucial security protocol must be thoroughly scrutinised prior …
The OPTLS protocol and TLS 1.3
We present the OPTLS key-exchange protocol, its design, rationale and cryptographic
analysis. OPTLS design has been motivated by the ongoing work in the TLS working group …
0-RTT key exchange with full forward secrecy
Reducing latency overhead while maintaining critical security guarantees like forward
secrecy has become a major design goal for key exchange (KE) protocols, both in academia …
Reactive and proactive standardisation of TLS
In the development of TLS 1.3, the IETF TLS Working Group has adopted an “analysis-prior-
to-deployment” design philosophy. This is in sharp contrast to all previous versions of the …
On the concrete security of TLS 1.3 PSK mode
The pre-shared key (PSK) handshake modes of TLS 1.3 allow for the performant, low-
latency resumption of previous connections and are widely used on the Web and by …
Symmetric key exchange with full forward security and robust synchronization
We construct lightweight authenticated key exchange protocols based on pre-shared keys,
which achieve full forward security and rely only on simple and efficient symmetric-key …