[Resource Topic] 2021/467: Key-schedule Security for the TLS 1.3 Standard

Welcome to the resource topic for 2021/467

Key-schedule Security for the TLS 1.3 Standard

Authors: Chris Brzuska, Antoine Delignat-Lavaud, Christoph Egger, Cédric Fournet, Konrad Kohbrok, Markulf Kohlweiss


We analyze the security of the TLS 1.3 key establishment protocol, as specified at the end of its rigorous standardization process. We define a core key-schedule and reduce its security to concrete assumptions against an adversary that controls client and server configurations and adaptively chooses some of their keys. Our model supports all key derivations featured in the standard, including its negotiated modes and algorithms that combine an optional Diffie-Hellman exchange for forward secrecy with optional pre-shared keys supplied by the application or recursively established in prior sessions. We show that the output keys are secure as soon as any of their input key materials are. Our compositional, code-based proof makes use of state separation to yield concrete reductions despite the complexity of the key schedule. We also discuss (late) changes to the standard that would improve its robustness and simplify its analysis.

ePrint: https://eprint.iacr.org/2021/467


Feel free to post resources that are related to this paper below.

Example resources include: implementations, explanation materials, talks, slides, links to previous discussions on other websites.

For more information, see the rules for Resource Topics.

If reading the whole book is a bit too much effort, there’s also a condensed version available:
https://static.siccegge.de/pdfs/BDEFKK22.pdf (and soon from Springer, but without the appendix)


Thanks, my issue has been fixed.