{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,4,8]],"date-time":"2026-04-08T09:03:14Z","timestamp":1775638994558,"version":"3.50.1"},"publisher-location":"Cham","reference-count":44,"publisher":"Springer International Publishing","isbn-type":[{"value":"9783319566160","type":"print"},{"value":"9783319566177","type":"electronic"}],"license":[{"start":{"date-parts":[[2017,1,1]],"date-time":"2017-01-01T00:00:00Z","timestamp":1483228800000},"content-version":"unspecified","delay-in-days":0,"URL":"http:\/\/www.springer.com\/tdm"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":[],"published-print":{"date-parts":[[2017]]},"DOI":"10.1007\/978-3-319-56617-7_18","type":"book-chapter","created":{"date-parts":[[2017,3,31]],"date-time":"2017-03-31T02:33:34Z","timestamp":1490927614000},"page":"519-548","source":"Crossref","is-referenced-by-count":71,"title":["0-RTT Key Exchange with Full Forward Secrecy"],"prefix":"10.1007","author":[{"given":"Felix","family":"G\u00fcnther","sequence":"first","affiliation":[]},{"given":"Britta","family":"Hale","sequence":"additional","affiliation":[]},{"given":"Tibor","family":"Jager","sequence":"additional","affiliation":[]},{"given":"Sebastian","family":"Lauer","sequence":"additional","affiliation":[]}],"member":"297","published-online":{"date-parts":[[2017,4,1]]},"reference":[{"key":"18_CR1","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"553","DOI":"10.1007\/978-3-642-13190-5_28","volume-title":"Advances in Cryptology \u2013 EUROCRYPT 2010","author":"S Agrawal","year":"2010","unstructured":"Agrawal, S., Boneh, D., Boyen, X.: Efficient lattice (H)IBE in the standard model. In: Gilbert, H. (ed.) EUROCRYPT 2010. LNCS, vol. 6110, pp. 553\u2013572. Springer, Heidelberg (2010). doi: 10.1007\/978-3-642-13190-5_28"},{"key":"18_CR2","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"319","DOI":"10.1007\/11693383_22","volume-title":"Selected Areas in Cryptography","author":"PSLM Barreto","year":"2006","unstructured":"Barreto, P.S.L.M., Naehrig, M.: Pairing-friendly elliptic curves of prime order. In: Preneel, B., Tavares, S. (eds.) SAC 2005. LNCS, vol. 3897, pp. 319\u2013331. Springer, Heidelberg (2006). doi: 10.1007\/11693383_22"},{"key":"18_CR3","doi-asserted-by":"crossref","unstructured":"Bellare, M., Rogaway, P.: Random oracles are practical: a paradigm for designing efficient protocols. In: Ashby, V. (ed.) ACM CCS 1993, , Fairfax, Virginia, USA, pp. 62\u201373. ACM Press, 3\u20135 November 1993","DOI":"10.1145\/168588.168596"},{"key":"18_CR4","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"232","DOI":"10.1007\/3-540-48329-2_21","volume-title":"Advances in Cryptology \u2014 CRYPTO 1993","author":"M Bellare","year":"1994","unstructured":"Bellare, M., Rogaway, P.: Entity authentication and key distribution. In: Stinson, D.R. (ed.) CRYPTO 1993. LNCS, vol. 773, pp. 232\u2013249. Springer, Heidelberg (1994). doi: 10.1007\/3-540-48329-2_21"},{"key":"18_CR5","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"235","DOI":"10.1007\/978-3-662-44381-1_14","volume-title":"Advances in Cryptology \u2013 CRYPTO 2014","author":"K Bhargavan","year":"2014","unstructured":"Bhargavan, K., Fournet, C., Kohlweiss, M., Pironti, A., Strub, P.-Y., Zanella-B\u00e9guelin, S.: Proving the TLS handshake secure (as it is). In: Garay, J.A., Gennaro, R. (eds.) CRYPTO 2014. LNCS, vol. 8617, pp. 235\u2013255. Springer, Heidelberg (2014). doi: 10.1007\/978-3-662-44381-1_14"},{"key":"18_CR6","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"408","DOI":"10.1007\/978-3-662-44371-2_23","volume-title":"Advances in Cryptology \u2013 CRYPTO 2014","author":"O Blazy","year":"2014","unstructured":"Blazy, O., Kiltz, E., Pan, J.: (Hierarchical) identity-based encryption from affine message authentication. In: Garay, J.A., Gennaro, R. (eds.) CRYPTO 2014. LNCS, vol. 8616, pp. 408\u2013425. Springer, Heidelberg (2014). doi: 10.1007\/978-3-662-44371-2_23"},{"key":"18_CR7","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"440","DOI":"10.1007\/11426639_26","volume-title":"Advances in Cryptology \u2013 EUROCRYPT 2005","author":"D Boneh","year":"2005","unstructured":"Boneh, D., Boyen, X., Goh, E.-J.: Hierarchical identity based encryption with constant size ciphertext. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 440\u2013456. Springer, Heidelberg (2005). doi: 10.1007\/11426639_26"},{"key":"18_CR8","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"69","DOI":"10.1007\/978-3-540-70500-0_6","volume-title":"Information Security and Privacy","author":"C Boyd","year":"2008","unstructured":"Boyd, C., Cliff, Y., Gonzalez Nieto, J., Paterson, K.G.: Efficient one-round key exchange in the standard model. In: Mu, Y., Susilo, W., Seberry, J. (eds.) ACISP 2008. LNCS, vol. 5107, pp. 69\u201383. Springer, Heidelberg (2008). doi: 10.1007\/978-3-540-70500-0_6"},{"key":"18_CR9","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"255","DOI":"10.1007\/3-540-39200-9_16","volume-title":"Advances in Cryptology \u2014 EUROCRYPT 2003","author":"R Canetti","year":"2003","unstructured":"Canetti, R., Halevi, S., Katz, J.: A forward-secure public-key encryption scheme. In: Biham, E. (ed.) EUROCRYPT 2003. LNCS, vol. 2656, pp. 255\u2013271. Springer, Heidelberg (2003). doi: 10.1007\/3-540-39200-9_16"},{"key":"18_CR10","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"453","DOI":"10.1007\/3-540-44987-6_28","volume-title":"Advances in Cryptology \u2014 EUROCRYPT 2001","author":"R Canetti","year":"2001","unstructured":"Canetti, R., Krawczyk, H.: Analysis of key-exchange protocols and their use for building secure channels. In: Pfitzmann, B. (ed.) EUROCRYPT 2001. LNCS, vol. 2045, pp. 453\u2013474. Springer, Heidelberg (2001). doi: 10.1007\/3-540-44987-6_28"},{"key":"18_CR11","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"203","DOI":"10.1007\/978-3-540-75496-1_14","volume-title":"Information Security","author":"SSM Chow","year":"2007","unstructured":"Chow, S.S.M., Choo, K.-K.R.: Strongly-secure identity-based key agreement and anonymous extension. In: Garay, J.A., Lenstra, A.K., Mambo, M., Peralta, R. (eds.) ISC 2007. LNCS, vol. 4779, pp. 203\u2013220. Springer, Heidelberg (2007). doi: 10.1007\/978-3-540-75496-1_14"},{"key":"18_CR12","doi-asserted-by":"crossref","unstructured":"Cohn-Gordon, K., Cremers, C., Garratt, L.: On post-compromise security. In: IEEE 29th Computer Security Foundations Symposium, CSF 2016, pp. 164\u2013178 (2016)","DOI":"10.1109\/CSF.2016.19"},{"key":"18_CR13","unstructured":"Cremers, C., Feltz, M.: One-round strongly secure key exchange with perfect forward secrecy and deniability. Cryptology ePrint Archive, Report 2011\/300 (2011). http:\/\/eprint.iacr.org\/2011\/300"},{"key":"18_CR14","doi-asserted-by":"crossref","unstructured":"Cremers, C., Horvat, M., Scott, S., van der Merwe, T.: Automated analysis, verification of TLS 1.3: 0-RTT, resumption and delayed authentication. In: IEEE Symposium on Security and Privacy, San Jose, CA, USA, pp. 470\u2013485. IEEE Computer Society Press, 22\u201326 May 2016","DOI":"10.1109\/SP.2016.35"},{"key":"18_CR15","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"734","DOI":"10.1007\/978-3-642-33167-1_42","volume-title":"Computer Security \u2013 ESORICS 2012","author":"C Cremers","year":"2012","unstructured":"Cremers, C., Feltz, M.: Beyond eCK: perfect forward secrecy under actor compromise and ephemeral-key reveal. In: Foresti, S., Yung, M., Martinelli, F. (eds.) ESORICS 2012. LNCS, vol. 7459, pp. 734\u2013751. Springer, Heidelberg (2012). doi: 10.1007\/978-3-642-33167-1_42"},{"key":"18_CR16","doi-asserted-by":"crossref","unstructured":"Dierks, T., Rescorla, E.: The Transport Layer Security (TLS) Protocol Version 1.2. RFC 5246 (Proposed Standard), Updated by RFCs 5746, 5878, 6176, August 2008","DOI":"10.17487\/rfc5246"},{"key":"18_CR17","doi-asserted-by":"crossref","unstructured":"Dowling, B., Fischlin, M., G\u00fcnther, F., Stebila, D.: A cryptographic analysis of the TLS 1.3 handshake protocol candidates. In: Ray, I., Li, N., Kruegel, C. (eds.) ACM CCS 2015, Denver, CO, USA, pp. 1197\u20131210. ACM Press, 12\u201316 October 2015","DOI":"10.1145\/2810103.2813653"},{"key":"18_CR18","doi-asserted-by":"crossref","unstructured":"Fischlin, M., G\u00fcnther, F.: Multi-stage key exchange and the case of Google\u2019s QUIC protocol. In: Ahn, G.-J., Yung, M., Li, N. (eds.) ACM CCS 2014, Scottsdale, AZ, USA, pp. 1193\u20131204. ACM Press, 3\u20137 November 2014","DOI":"10.1145\/2660267.2660308"},{"key":"18_CR19","doi-asserted-by":"crossref","unstructured":"Fischlin, M., G\u00fcnther, F.: Replay attacks on zero round-trip time: the case of the TLS 1.3 handshake candidates. In: 2017 IEEE European Symposium on Security and Privacy. IEEE, April 2017","DOI":"10.1109\/EuroSP.2017.18"},{"key":"18_CR20","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"537","DOI":"10.1007\/3-540-48405-1_34","volume-title":"Advances in Cryptology \u2014 CRYPTO 1999","author":"E Fujisaki","year":"1999","unstructured":"Fujisaki, E., Okamoto, T.: Secure integration of asymmetric and symmetric encryption schemes. In: Wiener, M. (ed.) CRYPTO 1999. LNCS, vol. 1666, pp. 537\u2013554. Springer, Heidelberg (1999). doi: 10.1007\/3-540-48405-1_34"},{"key":"18_CR21","doi-asserted-by":"crossref","unstructured":"Green, M.D., Miers, I.: Forward secure asynchronous messaging from puncturable encryption. In: IEEE S&P 2015 [25], pp. 305\u2013320 (2015)","DOI":"10.1109\/SP.2015.26"},{"key":"18_CR22","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"444","DOI":"10.1007\/11935230_29","volume-title":"Advances in Cryptology \u2013 ASIACRYPT 2006","author":"J Groth","year":"2006","unstructured":"Groth, J.: Simulation-sound NIZK proofs for a practical language and constant size group signatures. In: Lai, X., Chen, K. (eds.) ASIACRYPT 2006. LNCS, vol. 4284, pp. 444\u2013459. Springer, Heidelberg (2006). doi: 10.1007\/11935230_29"},{"key":"18_CR23","unstructured":"Hale, B., Jager, T., Lauer, S., Schwenk, J.: Simple security definitions for and constructions of 0-RTT key exchange. Cryptology ePrint Archive, Report 2015\/1214 (2015). http:\/\/eprint.iacr.org\/2015\/1214"},{"key":"18_CR24","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"317","DOI":"10.1007\/978-3-642-19379-8_20","volume-title":"Public Key Cryptography \u2013 PKC 2011","author":"S Halevi","year":"2011","unstructured":"Halevi, S., Krawczyk, H.: One-pass HMQV and asymmetric key-wrapping. In: Catalano, D., Fazio, N., Gennaro, R., Nicolosi, A. (eds.) PKC 2011. LNCS, vol. 6571, pp. 317\u2013334. Springer, Heidelberg (2011). doi: 10.1007\/978-3-642-19379-8_20"},{"key":"18_CR25","unstructured":"IEEE Symposium on Security and Privacy, San Jose, CA, USA. IEEE Computer Society Press, 17\u201321 May 2015"},{"key":"18_CR26","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"273","DOI":"10.1007\/978-3-642-32009-5_17","volume-title":"Advances in Cryptology \u2013 CRYPTO 2012","author":"T Jager","year":"2012","unstructured":"Jager, T., Kohlar, F., Sch\u00e4ge, S., Schwenk, J.: On the security of TLS-DHE in the standard model. In: Safavi-Naini, R., Canetti, R. (eds.) CRYPTO 2012. LNCS, vol. 7417, pp. 273\u2013293. Springer, Heidelberg (2012). doi: 10.1007\/978-3-642-32009-5_17"},{"key":"18_CR27","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"546","DOI":"10.1007\/11535218_33","volume-title":"Advances in Cryptology \u2013 CRYPTO 2005","author":"H Krawczyk","year":"2005","unstructured":"Krawczyk, H.: HMQV: a high-performance secure Diffie-Hellman protocol. In: Shoup, V. (ed.) CRYPTO 2005. LNCS, vol. 3621, pp. 546\u2013566. Springer, Heidelberg (2005). doi: 10.1007\/11535218_33"},{"key":"18_CR28","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"429","DOI":"10.1007\/978-3-642-40041-4_24","volume-title":"Advances in Cryptology \u2013 CRYPTO 2013","author":"H Krawczyk","year":"2013","unstructured":"Krawczyk, H., Paterson, K.G., Wee, H.: On the security of the TLS protocol: a systematic analysis. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013. LNCS, vol. 8042, pp. 429\u2013448. Springer, Heidelberg (2013). doi: 10.1007\/978-3-642-40041-4_24"},{"key":"18_CR29","doi-asserted-by":"crossref","unstructured":"Krawczyk, H., Wee, H.: The OPTLS protocol and TLS 1.3. In: 2016 IEEE European Symposium on Security and Privacy, pp. 81\u201396. IEEE, March 2016","DOI":"10.1109\/EuroSP.2016.18"},{"key":"18_CR30","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"1","DOI":"10.1007\/978-3-540-75670-5_1","volume-title":"Provable Security","author":"B LaMacchia","year":"2007","unstructured":"LaMacchia, B., Lauter, K., Mityagin, A.: Stronger security of authenticated key exchange. In: Susilo, W., Liu, J.K., Mu, Y. (eds.) ProvSec 2007. LNCS, vol. 4784, pp. 1\u201316. Springer, Heidelberg (2007). doi: 10.1007\/978-3-540-75670-5_1"},{"key":"18_CR31","unstructured":"Langley, A., Chang, W.-T.: QUIC Crypto. https:\/\/docs.google.com\/document\/d\/1g5nIXAIkN_Y-7XJW5K45IblHd_L2f5LTaDUDwvZ5L6g\/ . Accessed May 2016, Revision 26 May 2016"},{"key":"18_CR32","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"669","DOI":"10.1007\/978-3-642-54631-0_38","volume-title":"Public-Key Cryptography \u2013 PKC 2014","author":"Y Li","year":"2014","unstructured":"Li, Y., Sch\u00e4ge, S., Yang, Z., Kohlar, F., Schwenk, J.: On the security of the pre-shared key ciphersuites of TLS. In: Krawczyk, H. (ed.) PKC 2014. LNCS, vol. 8383, pp. 669\u2013684. Springer, Heidelberg (2014). doi: 10.1007\/978-3-642-54631-0_38"},{"key":"18_CR33","doi-asserted-by":"crossref","unstructured":"Lychev, R., Jero, S., Boldyreva, A., Nita-Rotaru, C.: How secure and quick is QUIC? Provable security and performance analyses. In: IEEE S&P 2015 [25], pp. 214\u2013231 (2015)","DOI":"10.1109\/SP.2015.21"},{"key":"18_CR34","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"738","DOI":"10.1007\/978-3-642-29011-4_43","volume-title":"Advances in Cryptology \u2013 EUROCRYPT 2012","author":"V Lyubashevsky","year":"2012","unstructured":"Lyubashevsky, V.: Lattice signatures without trapdoors. In: Pointcheval, D., Johansson, T. (eds.) EUROCRYPT 2012. LNCS, vol. 7237, pp. 738\u2013755. Springer, Heidelberg (2012). doi: 10.1007\/978-3-642-29011-4_43"},{"key":"18_CR35","doi-asserted-by":"crossref","unstructured":"Ostrovsky, R., Sahai, A., Waters, B.: Attribute-based encryption with non-monotonic access structures. In: Ning, P., De Capitani di Vimercati, S., Syverson, P.F. (eds.) ACM CCS 2007, Alexandria, Virginia, USA, pp. 195\u2013203. ACM Press, 28\u201331 October 2007","DOI":"10.1145\/1315245.1315270"},{"key":"18_CR36","doi-asserted-by":"crossref","unstructured":"Petullo, W.M., Zhang, X., Solworth, J.A., Bernstein, D.J., Lange, T.: MinimaLT: minimal-latency networking through better security. In: Sadeghi, A.-R., Gligor, V.D., Yung, M. (eds.) ACM CCS 2013, Berlin, Germany, pp. 425\u2013438. ACM Press, 4\u20138 November 2013","DOI":"10.1145\/2508859.2516737"},{"key":"18_CR37","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"21","DOI":"10.1007\/978-3-319-10879-7_2","volume-title":"Security and Cryptography for Networks","author":"D Pointcheval","year":"2014","unstructured":"Pointcheval, D., Sanders, O.: Forward secure non-interactive key exchange. In: Abdalla, M., Prisco, R. (eds.) SCN 2014. LNCS, vol. 8642, pp. 21\u201339. Springer, Heidelberg (2014). doi: 10.1007\/978-3-319-10879-7_2"},{"key":"18_CR38","unstructured":"QUIC, a multiplexed stream transport over UDP. https:\/\/www.chromium.org\/quic"},{"key":"18_CR39","unstructured":"Rescorla, E.: The Transport Layer Security (TLS) Protocol Version 1.3 - draft-ietf-tls-tls13-12. https:\/\/tools.ietf.org\/html\/draft-ietf-tls-tls13-12 . Accessed March 2016"},{"key":"18_CR40","unstructured":"Rescorla, E.: The Transport Layer Security (TLS) Protocol Version 1.3 - draft-ietf-tls-tls13-18. https:\/\/tools.ietf.org\/html\/draft-ietf-tls-tls13-18 . Accessed October 2016"},{"key":"18_CR41","unstructured":"Rescorla, E.: 0-RTT and Anti-Replay (IETF TLS working group mailing list). IETF Mail Archive, https:\/\/mailarchive.ietf.org\/arch\/msg\/tls\/gDzOxgKQADVfItfC4NyW3ylr7yc . Accessed March 2015"},{"key":"18_CR42","unstructured":"Rescorla, E.: [TLS] Do we actually need semi-static DHE-based 0-RTT? IETF Mail Archive, https:\/\/mailarchive.ietf.org\/arch\/msg\/tls\/c43zNQH9vGeHVnXhAb_D3cpIAIw . Accessed February 2016"},{"key":"18_CR43","unstructured":"Williams, N.: [TLS] 0-RTT security considerations (was OPTLS). IETF Mail Archive, https:\/\/mailarchive.ietf.org\/arch\/msg\/tls\/OZwGgVhySbVhU36BMX1elQ9x0GE . Accessed November 2014"},{"key":"18_CR44","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"301","DOI":"10.1007\/978-3-319-45741-3_16","volume-title":"Computer Security \u2013 ESORICS 2016","author":"DJ Wu","year":"2016","unstructured":"Wu, D.J., Taly, A., Shankar, A., Boneh, D.: Privacy, discovery, and authentication for the internet of things. In: Askoxylakis, I., Ioannidis, S., Katsikas, S., Meadows, C. (eds.) ESORICS 2016. LNCS, vol. 9879, pp. 301\u2013319. Springer, Heidelberg (2016). doi: 10.1007\/978-3-319-45741-3_16"}],"container-title":["Lecture Notes in Computer Science","Advances in Cryptology \u2013 EUROCRYPT 2017"],"original-title":[],"link":[{"URL":"http:\/\/link.springer.com\/content\/pdf\/10.1007\/978-3-319-56617-7_18","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2019,9,20]],"date-time":"2019-09-20T12:02:32Z","timestamp":1568980952000},"score":1,"resource":{"primary":{"URL":"http:\/\/link.springer.com\/10.1007\/978-3-319-56617-7_18"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2017]]},"ISBN":["9783319566160","9783319566177"],"references-count":44,"URL":"https:\/\/doi.org\/10.1007\/978-3-319-56617-7_18","relation":{},"ISSN":["0302-9743","1611-3349"],"issn-type":[{"value":"0302-9743","type":"print"},{"value":"1611-3349","type":"electronic"}],"subject":[],"published":{"date-parts":[[2017]]}}}