{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,4,10]],"date-time":"2026-04-10T10:04:31Z","timestamp":1775815471869,"version":"3.50.1"},"reference-count":90,"publisher":"Springer Science and Business Media LLC","issue":"4","license":[{"start":{"date-parts":[[2017,1,18]],"date-time":"2017-01-18T00:00:00Z","timestamp":1484697600000},"content-version":"tdm","delay-in-days":0,"URL":"http:\/\/www.springer.com\/tdm"}],"content-domain":{"domain":["link.springer.com"],"crossmark-restriction":false},"short-container-title":["J Cryptol"],"published-print":{"date-parts":[[2017,10]]},"DOI":"10.1007\/s00145-016-9248-2","type":"journal-article","created":{"date-parts":[[2017,1,18]],"date-time":"2017-01-18T17:37:32Z","timestamp":1484761052000},"page":"1276-1324","update-policy":"https:\/\/doi.org\/10.1007\/springer_crossmark_policy","source":"Crossref","is-referenced-by-count":15,"title":["Authenticated Confidential Channel Establishment and the Security of TLS-DHE"],"prefix":"10.1007","volume":"30","author":[{"given":"Tibor","family":"Jager","sequence":"first","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Florian","family":"Kohlar","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Sven","family":"Sch\u00e4ge","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"J\u00f6rg","family":"Schwenk","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"297","published-online":{"date-parts":[[2017,1,18]]},"reference":[{"key":"9248_CR1","doi-asserted-by":"crossref","unstructured":"M. Abdalla, M. Bellare, P. Rogaway, The oracle Diffie\u2013Hellman assumptions and an analysis of DHIES, in Topics in Cryptology\u2014CT-RSA\u00a02001, volume 2020 of Lecture Notes in Computer Science, San Francisco, CA, USA, ed. by D. Naccache (Springer, Berlin, Germany, April\u00a08\u201312, 2001), pp. 143\u2013158","DOI":"10.1007\/3-540-45353-9_12"},{"key":"9248_CR2","unstructured":"M.R. Albrecht, K.G. Paterson, Lucky microseconds: a timing attack on Amazon\u2019s s2n implementation of TLS, in EUROCRYPT (1) (2016), pp. 622\u2013643"},{"key":"9248_CR3","doi-asserted-by":"crossref","unstructured":"N.J. AlFardan, K.G. Paterson, Lucky thirteen: Breaking the TLS and DTLS record protocols, in 2013 IEEE Symposium on Security and Privacy, Berkeley, California, USA, May 19\u201322, 2013 (IEEE Computer Society Press, 2013), pp. 526\u2013540","DOI":"10.1109\/SP.2013.42"},{"key":"9248_CR4","unstructured":"N. Aviram, S. Schinzel, J. Somorovsky, N. Heninger, M. Dankel, J. Steube, L. Valenta, D. Adrian, J.\u00a0Alex Halderman, V. Dukhovni, E. K\u00e4sper, S. Cohney, S. Engels, C. Paar, Y. Shavitt, DROWN: breaking TLS using sslv2, in 25th USENIX Security Symposium, USENIX Security 16, Austin, TX, USA, August 10\u201312, 2016 (2016), pp. 689\u2013706"},{"key":"9248_CR5","unstructured":"G.\u00a0V. Bard, The vulnerability of SSL to chosen plaintext attack, in Cryptology ePrint Archive, Report 2004\/111 (2004), http:\/\/eprint.iacr.org\/"},{"key":"9248_CR6","doi-asserted-by":"crossref","unstructured":"G.V. Bard, A challenging but feasible blockwise-adaptive chosen-plaintext attack on SSL, in SECRYPT, ed. by M. Malek, E. Fern\u00e1ndez-Medina, J. Hernando (INSTICC Press, 2006), pp. 99\u2013109","DOI":"10.5220\/0002104100990109"},{"key":"9248_CR7","doi-asserted-by":"crossref","unstructured":"B. Beurdouche, K. Bhargavan, A. Delignat-Lavaud, C. Fournet, M. Kohlweiss, A. Pironti, P.-Y. Strub, J.K. Zinzindohoue, A messy state of the union: taming the composite state machines of TLS, in 2015 IEEE Symposium on Security and Privacy (IEEE Computer Society Press, 2015), pp. 535\u2013552","DOI":"10.1109\/SP.2015.39"},{"key":"9248_CR8","doi-asserted-by":"crossref","unstructured":"K. Bhargavan, A. Delignat-Lavaud, C. Fournet, A. Pironti, P.-Y. Strub, Triple handshakes and cookie cutters: breaking and fixing authentication over TLS, in 2014 IEEE Symposium on Security and Privacy (IEEE Computer Society Press, 2014), pp. 98\u2013113","DOI":"10.1109\/SP.2014.14"},{"key":"9248_CR9","doi-asserted-by":"crossref","unstructured":"F. Bergsma, B. Dowling, F. Kohlar, J. Schwenk, D. Stebila, Multi-ciphersuite security of the secure shell (SSH) protocol, in ACM CCS 14: 21st Conference on Computer and Communications Security (ACM Press, 2014), pp. 369\u2013381","DOI":"10.1145\/2660267.2660286"},{"key":"9248_CR10","doi-asserted-by":"crossref","unstructured":"M. Bellare, New proofs for NMAC and HMAC: security without collision-resistance, in Advances in Cryptology\u2014CRYPTO\u00a02006, volume 4117 of Lecture Notes in Computer Science, Santa Barbara, CA, USA, ed. by C. Dwork (Springer, Berlin, Germany, August\u00a020\u201324, 2006), pp. 602\u2013619","DOI":"10.1007\/11818175_36"},{"key":"9248_CR11","doi-asserted-by":"crossref","unstructured":"K. Bhargavan, C. Fournet, R. Corin, E. Zalinescu, Cryptographically verified implementations for TLS, in ACM CCS 08: 15th Conference on Computer and Communications Security, Alexandria, Virginia, USA, ed. by P. Ning, P.F. Syverson, S. Jha (ACM Press, October\u00a027\u201331, 2008), pp. 459\u2013468","DOI":"10.1145\/1455770.1455828"},{"key":"9248_CR12","unstructured":"K. Bhargavan, C. Fournet, M. Kohlweiss, A. Pironti, P.-Y. Strub, Implementing TLS with verified cryptographic security, in IEEE S&P (2013), pp. 445\u2013459"},{"key":"9248_CR13","doi-asserted-by":"crossref","unstructured":"K. Bhargavan, C. Fournet, M. Kohlweiss, A. Pironti, P.-Y. Strub, S.Z. B\u00e9guelin, Proving the TLS handshake secure (as it is), in Advances in Cryptology\u2014CRYPTO\u00a02014, Part II, volume 8617 of Lecture Notes in Computer Science, Santa Barbara, CA, USA, ed. by J.A. Garay, R. Gennaro (Springer, Berlin, Germany, August\u00a017\u201321, 2014), pp. 235\u2013255","DOI":"10.1007\/978-3-662-44381-1_14"},{"key":"9248_CR14","unstructured":"C. Brzuska, M. Fischlin, N.P. Smart, B. Warinschi, S.C. Williams, Less is more: relaxed yet composable security notions for key exchange, Int. J. Inf. Sec., 12(4):267\u2013297, 2013"},{"key":"9248_CR15","doi-asserted-by":"crossref","unstructured":"G. Barthe, B. Gr\u00e9goire, S. Heraud, S.Z. B\u00e9guelin, Computer-aided security proofs for the working cryptographer, in Advances in Cryptology\u2014CRYPTO\u00a02011, volume 6841 of Lecture Notes in Computer Science, Santa Barbara, CA, USA, ed. by P. Rogaway (Springer, Berlin, Germany, August\u00a014\u201318, 2011), pp. 71\u201390","DOI":"10.1007\/978-3-642-22792-9_5"},{"key":"9248_CR16","doi-asserted-by":"crossref","unstructured":"C. Brzuska, H. Jacobsen, D. Stebila, Safely exporting keys from secure channels: on the security of EAP-TLS and TLS key exporters, in EUROCRYPT (1) 2016, pp. 670\u2013698","DOI":"10.1007\/978-3-662-49890-3_26"},{"key":"9248_CR17","doi-asserted-by":"crossref","unstructured":"M. Bellare, T. Kohno, C. Namprempre, Authenticated encryption in SSH: provably fixing the SSH binary packet protocol, in ACM CCS 02: 9th Conference on Computer and Communications Security, Washington D.C., USA, ed. by V. Atluri (ACM Press, November\u00a018\u201322, 2002), pp. 1\u201311","DOI":"10.1145\/586110.586112"},{"key":"9248_CR18","doi-asserted-by":"publisher","first-page":"206","DOI":"10.1145\/996943.996945","volume":"7","author":"M Bellare","year":"2004","unstructured":"M. Bellare, T. Kohno, C. Namprempre, Breaking and provably repairing the SSH authenticated encryption scheme: A case study of the encode-then-encrypt-and-mac paradigm, ACM Trans. Inf. Syst. Secur., 7:206\u2013241, May 2004","journal-title":"ACM Trans. Inf. Syst. Secur."},{"key":"9248_CR19","doi-asserted-by":"crossref","unstructured":"D. Bleichenbacher, Chosen ciphertext attacks against protocols based on the RSA encryption standard PKCS #1, in Advances in Cryptology\u2014CRYPTO\u201998, volume 1462 of Lecture Notes in Computer Science, Santa Barbara, CA, USA, ed. by H. Krawczyk (Springer, Berlin, Germany, August\u00a023\u201327, 1998), pp. 1\u201312","DOI":"10.1007\/BFb0055716"},{"key":"9248_CR20","unstructured":"B. Barak, Y. Lindell, T. Rabin, Protocol Initialization for the Framework of Universal Composability, Cryptology ePrint Archive, Report 2004\/006 (2004). http:\/\/eprint.iacr.org\/"},{"key":"9248_CR21","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-662-09527-0","volume-title":"Protocols for Authentication and Key Establishment. Information Security and Cryptography","author":"C Boyd","year":"2003","unstructured":"C. Boyd, A. Mathuria, Protocols for Authentication and Key Establishment. Information Security and Cryptography (Springer, Berlin, 2003)"},{"key":"9248_CR22","doi-asserted-by":"crossref","unstructured":"C. Badertscher, C. Matt, U. Maurer, P. Rogaway, B. Tackmann, Augmented secure channels and the goal of the TLS 1.3 record layer, in ProvSec 2015: 9th International Conference on Provable Security, Lecture Notes in Computer Science (Springer, Berlin, 2015), pp. 85\u2013104","DOI":"10.1007\/978-3-319-26059-4_5"},{"key":"9248_CR23","doi-asserted-by":"crossref","unstructured":"M. Bellare, C. Namprempre, Authenticated encryption: relations among notions and analysis of the generic composition paradigm, in Advances in Cryptology\u2014ASIACRYPT\u00a02000, volume 1976 of Lecture Notes in Computer Science, Kyoto, Japan, ed. by T. Okamoto (Springer, Berlin, Germany, December\u00a03\u20137, 2000), pp. 531\u2013545","DOI":"10.1007\/3-540-44448-3_41"},{"issue":"4","key":"9248_CR24","doi-asserted-by":"publisher","first-page":"469","DOI":"10.1007\/s00145-008-9026-x","volume":"21","author":"M Bellare","year":"2008","unstructured":"M. Bellare, C. Namprempre, Authenticated encryption: Relations among notions and analysis of the generic composition paradigm, Journal of Cryptology, 21(4):469\u2013491, 2008","journal-title":"J. Cryptol."},{"key":"9248_CR25","doi-asserted-by":"crossref","unstructured":"M. Bellare, D. Pointcheval, P. Rogaway, in Authenticated Key Exchange Secure Against Dictionary Attacks, in Advances in Cryptology\u2014EUROCRYPT 2000, volume 1807 of Lecture Notes in Computer Science, Bruges, Belgium, ed. by B. Preneel (Springer, Berlin, Germany, May 14\u201318, 2000), pp. 139\u2013155","DOI":"10.1007\/3-540-45539-6_11"},{"key":"9248_CR26","doi-asserted-by":"crossref","unstructured":"M. Bellare, P. Rogaway, Entity authentication and key distribution, in Advances in Cryptology\u2014CRYPTO\u201993, volume 773 of Lecture Notes in Computer Science, Santa Barbara, CA, USA, ed. by D.R. Stinson (Springer, Berlin, Germany, August\u00a022\u201326, 1994), pp. 232\u2013249","DOI":"10.1007\/3-540-48329-2_21"},{"key":"9248_CR27","doi-asserted-by":"crossref","unstructured":"M. Bellare, P. Rogaway, The security of triple encryption and a framework for code-based game-playing proofs, in Advances in Cryptology\u2014EUROCRYPT\u00a02006, volume 4004 of Lecture Notes in Computer Science, St. Petersburg, Russia, ed. by S. Vaudenay (Springer, Berlin, Germany, May\u00a028\u2013June\u00a01, 2006), pp. 409\u2013426","DOI":"10.1007\/11761679_25"},{"key":"9248_CR28","doi-asserted-by":"crossref","unstructured":"C. Brzuska, N.P. Smart, B. Warinschi, G.J. Watson, An Analysis of the EMV Channel Establishment Protocol, in ACM CCS 13: 20th Conference on Computer and Communications Security, ed. by A.-R. Sadeghi, V.\u00a0D. Gligor, M. Yung (ACM Press, Berlin, Germany, November 4\u20138, 2013), pp. 373\u2013386","DOI":"10.1145\/2508859.2516748"},{"key":"9248_CR29","doi-asserted-by":"crossref","unstructured":"M. Bellare, B. Tackmann, The multi-user security of authenticated encryption: AES-GCM in TLS 1.3, in Advances in Cryptology\u2014CRYPTO\u00a02016, Part I, Lecture Notes in Computer Science, Santa Barbara, CA, USA (Springer, Berlin, Germany, August 2016), pp. 247\u2013276","DOI":"10.1007\/978-3-662-53018-4_10"},{"key":"9248_CR30","doi-asserted-by":"crossref","unstructured":"S. Blake-Wilson, D. Johnson, A. Menezes, Key agreement protocols and their security analysis, in 6th IMA International Conference on Cryptography and Coding, volume 1355 of Lecture Notes in Computer Science, Cirencester, UK, ed. by M. Darnell (Springer, Berlin, Germany, December\u00a017\u201319, 1997), pp. 30\u201345","DOI":"10.1007\/BFb0024447"},{"key":"9248_CR31","doi-asserted-by":"crossref","unstructured":"R. Canetti, Universally composable security: A new paradigm for cryptographic protocols, in 42nd Annual Symposium on Foundations of Computer Science, Las Vegas, Nevada, USA (IEEE Computer Society Press, October\u00a014\u201317, 2001), pp. 136\u2013145","DOI":"10.1109\/SFCS.2001.959888"},{"key":"9248_CR32","doi-asserted-by":"crossref","unstructured":"K.K.R. Choo, C. Boyd, Y. Hitchcock, Examining indistinguishability-based proof models for key establishment protocols, in Advances in Cryptology\u2014ASIACRYPT\u00a02005, volume 3788 of Lecture Notes in Computer Science, Chennai, India, ed. by B.K. Roy (Springer, Berlin, Germany, December\u00a04\u20138, 2005), pp. 585\u2013604","DOI":"10.1007\/11593447_32"},{"key":"9248_CR33","doi-asserted-by":"crossref","unstructured":"S.\u00a0Chaki, A.\u00a0Datta, Aspier: an automated framework for verifying security protocol implementations, in Computer Security Foundations Symposium, 2009. CSF \u201909. 22nd IEEE, (July 2009), pp. 172 \u2013185","DOI":"10.1109\/CSF.2009.20"},{"key":"9248_CR34","doi-asserted-by":"crossref","unstructured":"J.-S. Coron, M. Joye, D. Naccache, P. Paillier, in New attacks on PKCS#1 v1.5 encryption (In Preneel [84]), pp. 369\u2013381","DOI":"10.1007\/3-540-45539-6_25"},{"key":"9248_CR35","doi-asserted-by":"crossref","unstructured":"R. Canetti, H. Krawczyk, Analysis of key-exchange protocols and their use for building secure channels, in Advances in Cryptology\u2014EUROCRYPT\u00a02001, volume 2045 of Lecture Notes in Computer Science, Innsbruck, Austria, ed. by B. Pfitzmann (Springer, Berlin, Germany, May\u00a06\u201310, 2001), pp. 453\u2013474","DOI":"10.1007\/3-540-44987-6_28"},{"key":"9248_CR36","doi-asserted-by":"crossref","unstructured":"R. Canetti, H. Krawczyk, Security analysis of IKE\u2019s signature-based key-exchange protocol, in Advances in Cryptology\u2014CRYPTO\u00a02002, volume 2442 of Lecture Notes in Computer Science, Santa Barbara, CA, USA, ed. by M. Yung (Springer, Berlin, Germany, August 18\u201322, 2002), pp. 143\u2013161. http:\/\/eprint.iacr.org\/2002\/120\/","DOI":"10.1007\/3-540-45708-9_10"},{"key":"9248_CR37","doi-asserted-by":"crossref","unstructured":"C.J.F. Cremers, Session-state reveal is stronger than ephemeral key reveal: attacking the NAXOS authenticated key exchange protocol, in ACNS 09: 7th International Conference on Applied Cryptography and Network Security, volume 5536 of Lecture Notes in Computer Science, Paris-Rocquencourt, France, ed. by M. Abdalla, D. Pointcheval, P.-A. Fouque, D. Vergnaud (Springer, Berlin, Germany, June\u00a02\u20135, 2009), pp. 20\u201333","DOI":"10.1007\/978-3-642-01957-9_2"},{"key":"9248_CR38","doi-asserted-by":"crossref","unstructured":"T.\u00a0Dierks, C.\u00a0Allen, The TLS Protocol Version 1.0. RFC 2246 (Proposed Standard), Obsoleted by RFC 4346, updated by RFCs 3546, 5746 (January 1999)","DOI":"10.17487\/rfc2246"},{"key":"9248_CR39","doi-asserted-by":"crossref","unstructured":"B. Dowling, M. Fischlin, F. G\u00fcnther, D. Stebila, A Cryptographic Analysis of the TLS 1.3 Handshake Protocol Candidates, in ACM CCS 15: 22nd Conference on Computer and Communications Security (ACM Press, New York, 2015)","DOI":"10.1145\/2810103.2813653"},{"key":"9248_CR40","unstructured":"B. Dowling, M. Fischlin, F. G\u00fcnther, D. Stebila, in A Cryptographic Analysis of the TLS 1.3 Draft-10 Full and Pre-shared Key Handshake Protocol. Cryptology ePrint Archive, Report 2016\/081 (2016). http:\/\/eprint.iacr.org\/2016\/081"},{"key":"9248_CR41","doi-asserted-by":"crossref","unstructured":"T.\u00a0Dierks, E.\u00a0Rescorla, in The Transport Layer Security (TLS) Protocol Version 1.1. RFC 4346 (Proposed Standard). Obsoleted by RFC 5246, updated by RFCs 4366, 4680, 4681, 5746 (April 2006)","DOI":"10.17487\/rfc4346"},{"key":"9248_CR42","doi-asserted-by":"crossref","unstructured":"T.\u00a0Dierks, E.\u00a0Rescorla, in The Transport Layer Security (TLS) Protocol Version 1.2. RFC 5246 (Proposed Standard) (August 2008), Updated by RFCs 5746, 5878","DOI":"10.17487\/rfc5246"},{"key":"9248_CR43","unstructured":"T. Duong, J. Rizzo, in The Crime Attack. https:\/\/docs.google.com\/presentation\/d\/11eBmGiHbYcHR9gL5nDyZChu_-lCa2GizeuOfaLU2HOU\/ (2012)"},{"issue":"2","key":"9248_CR44","doi-asserted-by":"publisher","first-page":"198","DOI":"10.1109\/TIT.1983.1056650","volume":"29","author":"D Dolev","year":"1983","unstructured":"Danny Dolev and Andrew Chi-Chih Yao. On the security of public key protocols. IEEE Transactions on Information Theory, 29(2):198\u2013207, 1983.","journal-title":"IEEE Trans. Inf. Theory"},{"key":"9248_CR45","doi-asserted-by":"crossref","unstructured":"D.\u00a0Eastlake III, T.\u00a0Hansen, in US Secure Hash Algorithms (SHA and HMAC-SHA), RFC 4634 (Informational) (July 2006)","DOI":"10.17487\/rfc4634"},{"key":"9248_CR46","doi-asserted-by":"crossref","unstructured":"D.\u00a0Eastlake III, P.\u00a0Jones, in US Secure Hash Algorithm 1 (SHA1). RFC 3174 (Informational), Updated by RFC 4634 (September 2001)","DOI":"10.17487\/rfc3174"},{"key":"9248_CR47","doi-asserted-by":"crossref","unstructured":"M. Fischlin, A. Lehmann, D. Wagner, Hash function combiners in TLS and SSL, in Topics in Cryptology\u2014CT-RSA\u00a02010, volume 5985 of Lecture Notes in Computer Science, San Francisco, CA, USA, ed. by J. Pieprzyk (Springer, Berlin, Germany, March\u00a01\u20135, 2010), pp. 268\u2013283","DOI":"10.1007\/978-3-642-11925-5_19"},{"key":"9248_CR48","doi-asserted-by":"crossref","unstructured":"P.-A. Fouque, D. Pointcheval, S. Zimmer, HMAC is a randomness extractor and applications to TLS, in ASIACCS 08: 3rd Conference on Computer and Communications Security, Tokyo, Japan, ed. by M. Abe, V. Gligor (ACM Press, March\u00a018\u201320, 2008), pp. 21\u201332","DOI":"10.1145\/1368310.1368317"},{"key":"9248_CR49","doi-asserted-by":"crossref","unstructured":"F. Giesen, F. Kohlar, D. Stebila, On the security of TLS renegotiation, in ACM Conference on Computer and Communications Security 2013, pp. 387\u2013398","DOI":"10.1145\/2508859.2516694"},{"key":"9248_CR50","doi-asserted-by":"crossref","unstructured":"S. Gajek, M. Manulis, O. Pereira, A.-R. Sadeghi, J. Schwenk, in Universally composable security analysis of TLS ProvSec, volume 5324 of LNCS, ed. by J. Baek, F. Bao, K. Chen, X. Lai (Springer, 2008), pp. 313\u2013327","DOI":"10.1007\/978-3-540-88733-1_22"},{"key":"9248_CR51","doi-asserted-by":"crossref","unstructured":"J. Jonsson, B.S. Kaliski Jr, On the security of RSA encryption in TLS, in Advances in Cryptology\u2014CRYPTO 2002, pp. 127\u2013142","DOI":"10.1007\/3-540-45708-9_9"},{"key":"9248_CR52","doi-asserted-by":"crossref","unstructured":"T. Jager, F. Kohlar, S. Sch\u00e4ge, J. Schwenk, On the security of TLS-DHE in the standard model, in Advances in Cryptology\u2014CRYPTO\u00a02012, volume 7417 of Lecture Notes in Computer Science, Santa Barbara, CA, USA, ed. by R. Safavi-Naini, R. Canetti (Springer, Berlin, Germany, August\u00a019\u201323, 2012), pp. 273\u2013293","DOI":"10.1007\/978-3-642-32009-5_17"},{"issue":"1","key":"9248_CR53","doi-asserted-by":"publisher","first-page":"36","DOI":"10.1007\/s102070100002","volume":"1","author":"D Johnson","year":"2001","unstructured":"D. Johnson, A. Menezes, S. Vanstone, The Elliptic Curve Digital Signature Algorithm (ECDSA), Int. J. Inf. Secur., 1(1):36\u201363, August 2001","journal-title":"Int. J. Inf. Secur."},{"key":"9248_CR54","doi-asserted-by":"crossref","unstructured":"T. Jager, J. Schwenk, J. Somorovsky, Practical invalid curve attacks on TLSECDH, in ACM CCS 15: 22nd Conference on Computer and Communications Security (ACM Press, New York, 2015), pp. 407\u2013425","DOI":"10.1007\/978-3-319-24174-6_21"},{"key":"9248_CR55","doi-asserted-by":"crossref","unstructured":"T. Jager, J. Schwenk, J. Somorovsky, in On the Security of TLS 1.3 and QUIC Against Weaknesses in PKCS #1 v1.5 Encryption (ACM CCS 2015), pp. 1185\u20131196","DOI":"10.1145\/2810103.2813657"},{"key":"9248_CR56","doi-asserted-by":"crossref","unstructured":"B.\u00a0Kaliski, PKCS #1: RSA Encryption Version 1.5. RFC 2313 (Informational), Obsoleted by RFC 2437 (March 1998)","DOI":"10.17487\/rfc2313"},{"key":"9248_CR57","unstructured":"M. Kohlweiss, U. Maurer, C. Onete, B. Tackmann, D. Venturi, in (De-)Constructing TLS. Cryptology ePrint Archive, Report 2014\/020 (2014). http:\/\/eprint.iacr.org\/"},{"key":"9248_CR58","doi-asserted-by":"crossref","unstructured":"M. Kohlweiss, U. Maurer, C. Onete, B. Tackmann, D. Venturi, (De-)constructing TLS 1.3, in Progress in Cryptology\u2014INDOCRYPT\u00a02015: 16th International Conference in Cryptology in India, Lecture Notes in Computer Science (Springer, Berlin, Germany, 2015), pp. 85\u2013102","DOI":"10.1007\/978-3-319-26617-6_5"},{"key":"9248_CR59","doi-asserted-by":"crossref","unstructured":"E. Kiltz, A. O\u2019Neill, A. Smith, Instantiability of RSA-OAEP under chosen-plaintext attack, in Advances in Cryptology\u2014CRYPTO\u00a02010, volume 6223 of Lecture Notes in Computer Science, Santa Barbara, CA, USA, ed. by T. Rabin (Springer, Berlin, Germany, August\u00a015\u201319, 2010), pp. 295\u2013313","DOI":"10.1007\/978-3-642-14623-7_16"},{"key":"9248_CR60","doi-asserted-by":"crossref","unstructured":"E. Kiltz, K. Pietrzak, On the security of padding-based encryption schemes\u2014or\u2014why we cannot prove OAEP secure in the standard model, in Advances in Cryptology\u2014EUROCRYPT\u00a02009, volume 5479 of Lecture Notes in Computer Science, Cologne, Germany, (Springer, Berlin, Germany, April\u00a026\u201330, 2009), pp. 389\u2013406","DOI":"10.1007\/978-3-642-01001-9_23"},{"key":"9248_CR61","unstructured":"H. Krawczyk, K.G. Paterson, H. Wee, On the security of the TLS protocol: a systematic analysis, in Advances in Cryptology\u2014CRYPTO\u00a02013, Part I, volume 8042 of Lecture Notes in Computer Science, Santa Barbara, CA, USA, ed. by R. Canetti, J.A. Garay, (Springer, Berlin, Germany, August\u00a018\u201322, 2013), pp. 429\u2013448"},{"key":"9248_CR62","doi-asserted-by":"crossref","unstructured":"H. Krawczyk, The order of encryption and authentication for protecting communications (or: How secure is SSL?), in Advances in Cryptology\u2014CRYPTO\u00a02001, volume 2139 of Lecture Notes in Computer Science, Santa Barbara, CA, USA, ed. by J. Kilian, (Springer, Berlin, Germany, August\u00a019\u201323, 2001), pp. 310\u2013331","DOI":"10.1007\/3-540-44647-8_19"},{"key":"9248_CR63","doi-asserted-by":"crossref","unstructured":"H. Krawczyk, HMQV: a high-performance secure Diffie-Hellman protocol, in Advances in Cryptology\u2014CRYPTO\u00a02005, volume 3621 of Lecture Notes in Computer Science, Santa Barbara, CA, USA, ed. by V. Shoup (Springer, Berlin, Germany, August\u00a014\u201318, 2005), pp. 546\u2013566","DOI":"10.1007\/11535218_33"},{"key":"9248_CR64","unstructured":"F. Kohlar, S. Sch\u00e4ge, J. Schwenk, in On the security of TLS-DH and TLS-RSA in the standard model. Cryptology ePrint Archive, Report 2013\/367 (2013). http:\/\/eprint.iacr.org\/"},{"key":"9248_CR65","doi-asserted-by":"crossref","unstructured":"R. K\u00fcsters, M. Tuengerthal, Composition theorems without pre-established session identifiers, in ACM CCS 11: 18th Conference on Computer and Communications Security, Chicago, Illinois, USA, ed. by Y. Chen, G. Danezis, V. Shmatikov (ACM Press, October\u00a017\u201321, 2011), pp. 41\u201350","DOI":"10.1145\/2046707.2046715"},{"key":"9248_CR66","doi-asserted-by":"crossref","unstructured":"H. Krawczyk, H. Wee, The OPTLS protocol and TLS 1.3, in IEEE European Symposium on Security and Privacy, EuroS&P 2016, Saarbr\u00fccken, Germany (March 21\u201324, 2016), pp. 81\u201396","DOI":"10.1109\/EuroSP.2016.18"},{"key":"9248_CR67","unstructured":"G. Locke, P. Gallagher, in FIPS PUB 186-3 Federal Information Processing Standards Publication Digital Signature Standard (DSS) (2009)"},{"key":"9248_CR68","unstructured":"Y. Li, Personal Communication (2012)"},{"key":"9248_CR69","doi-asserted-by":"crossref","unstructured":"R. Lychev, S. Jero, A. Boldyreva, C. Nita-Rotaru, How secure and quick is QUIC? Provable security and performance analyses, in IEEE S&P (2015 [53]), pp. 214\u2013231","DOI":"10.1109\/SP.2015.21"},{"key":"9248_CR70","unstructured":"R. Lychev, S. Jero, A. Boldyreva, C. Nita-Rotaru, How secure and quick is QUIC? Provable security and performance analyses, in Cryptology ePrint Archive, Report 2015\/582 (2015). http:\/\/eprint.iacr.org\/"},{"key":"9248_CR71","doi-asserted-by":"crossref","unstructured":"B.A. LaMacchia, K. Lauter, A. Mityagin, Stronger security of authenticated key exchange, in ProvSec, volume 4784 of LNCS, ed. by W. Susilo, J.K. Liu, Y.\u00a0Mu (Springer, 2007), pp. 1\u201316","DOI":"10.1007\/978-3-540-75670-5_1"},{"key":"9248_CR72","doi-asserted-by":"crossref","unstructured":"Y. Li, S. Sch\u00e4ge, Z. Yang, F. Kohlar, J. Schwenk, On the security of the pre-shared key ciphersuites of TLS, in PKC\u00a02014: 17th International Workshop on Theory and Practice in Public Key Cryptography, volume 8383 of Lecture Notes in Computer Science, Buenos Aires, Argentina, ed. by H. Krawczyk (Springer, Berlin, Germany, March\u00a026\u201328, 2014), pp. 669\u2013684","DOI":"10.1007\/978-3-642-54631-0_38"},{"key":"9248_CR73","unstructured":"B. M\u00f6ller, T. Duong, K. Kotowicz, This Poodle Bites: Exploiting the ssl 3.0 fallback, PDF online (2014)"},{"key":"9248_CR74","doi-asserted-by":"crossref","unstructured":"J.C. Mitchell, Finite-state analysis of security protocols, in CAV, volume 1427 of LNCS, ed. by A.J. Hu, M.Y. Vardi (Springer, 1998), pp. 71\u201376","DOI":"10.1007\/BFb0028734"},{"key":"9248_CR75","doi-asserted-by":"crossref","unstructured":"P. Morrissey, N.P. Smart, B. Warinschi, A modular security analysis of the TLS handshake protocol, in Advances in Cryptology\u2014ASIACRYPT\u00a02008, volume 5350 of Lecture Notes in Computer Science, Melbourne, Australia, ed. by J. Pieprzyk (Springer, Berlin, Germany, December\u00a07\u201311, 2008), pp. 55\u201373","DOI":"10.1007\/978-3-540-89255-7_5"},{"issue":"2","key":"9248_CR76","doi-asserted-by":"publisher","first-page":"187","DOI":"10.1007\/s00145-009-9052-3","volume":"23","author":"P Morrissey","year":"2010","unstructured":"P. Morrissey, N.P. Smart, B. Warinschi, The TLS handshake protocol: A modular analysis, J. Cryptol., 23(2):187\u2013223, April 2010","journal-title":"J. Cryptol."},{"key":"9248_CR77","doi-asserted-by":"crossref","unstructured":"U. Maurer, B. Tackmann, On the soundness of authenticate-then-encrypt: formalizing the malleability of symmetric encryption, in ACM CCS 10: 17th Conference on Computer and Communications Security, Chicago, Illinois, USA, ed. by E. Al-Shaer, A.D. Keromytis, V. Shmatikov (ACM Press, October\u00a04\u20138, 2010), pp 505\u2013515","DOI":"10.1145\/1866307.1866364"},{"key":"9248_CR78","doi-asserted-by":"crossref","unstructured":"N. Mavrogiannopoulos, F. Vercauteren, V. Velichkov, B. Preneel, A cross-protocol attack on the TLS protocol, in ACM CCS 12: 19th Conference on Computer and Communications Security, Raleigh, NC, USA, ed. by T. Yu, G. Danezis, V.D. Gligor (ACM Press, October\u00a016\u201318, 2012), pp. 62\u201372","DOI":"10.1145\/2382196.2382206"},{"key":"9248_CR79","doi-asserted-by":"crossref","unstructured":"K. Ogata, K. Futatsugi, in Equational Approach to Formal Analysis of TLS, ICDCS (IEEE Computer Society, 2005), pp. 795\u2013804","DOI":"10.1109\/ICDCS.2005.32"},{"issue":"3","key":"9248_CR80","doi-asserted-by":"publisher","first-page":"332","DOI":"10.1145\/322510.322530","volume":"2","author":"LC Paulson","year":"1999","unstructured":"Lawrence\u00a0C. Paulson. Inductive Analysis of the Internet Protocol TLS. ACM Trans. Inf. Syst. Secur., 2(3):332\u2013351, 1999.","journal-title":"ACM Trans. Inf. Syst. Secur."},{"key":"9248_CR81","doi-asserted-by":"crossref","unstructured":"K.G. Paterson, T. Ristenpart, T. Shrimpton, Tag size does matter: attacks and proofs for the TLS record protocol, in Advances in Cryptology\u2014ASIACRYPT\u00a02011, volume 7073 of Lecture Notes in Computer Science, Seoul, South Korea, ed. by D.H. Lee, X. Wang (Springer, Berlin, Germany, December\u00a04\u20138, 2011), pp. 372\u2013389","DOI":"10.1007\/978-3-642-25385-0_20"},{"key":"9248_CR82","unstructured":"D. Pointcheval, S. Vaudenay, in On Provable Security for Digital Signature Algorithms, Technical report, Ecole Normale Superieure (1996)"},{"key":"9248_CR83","unstructured":"M. Ray, S. Dispensa, in Renegotiating TLS (2009). http:\/\/extendedsubset.com\/Renegotiating_TLS"},{"key":"9248_CR84","doi-asserted-by":"crossref","unstructured":"R.\u00a0Rivest, in The MD5 Message-Digest Algorithm. RFC 1321 (Informational) (April 1992)","DOI":"10.17487\/rfc1321"},{"key":"9248_CR85","unstructured":"Q. Sun, D.R. Simon, Y.-M. Wang, W. Russell, V.N. Padmanabhan, L. Qiu, Statistical identification of encrypted web browsing traffic, in IEEE Symposium on Security and Privacy (2002), pp. 19\u201330"},{"key":"9248_CR86","doi-asserted-by":"crossref","first-page":"219","DOI":"10.1515\/popets-2016-0037","volume":"4","author":"JM Schanck","year":"2016","unstructured":"J.M. Schanck, W. Whyte, Z. Zhang, Circuit-extension handshakes for Tor achieving forward secrecy in a quantum world, Proc. Priv. Enhancing Technol., 4:219\u2013236, 2016","journal-title":"Proc. Priv. Enhancing Technol."},{"key":"9248_CR87","unstructured":"S. Vaudenay, The security of DSA and ECDSA, in Public Key Cryptography\u2014PKC 2003, 6th International Workshop on Theory and Practice in Public Key Cryptography, volume 2567 of LNCS (2003), pp. 309\u2013323"},{"key":"9248_CR88","doi-asserted-by":"crossref","unstructured":"C.V. Wright, L. Ballard, S.E. Coull, F. Monrose, G.M. Masson, Spot me if you can: uncovering spoken phrases in encrypted voip conversations, in IEEE Symposium on Security and Privacy (IEEE Computer Society, 2008), pp. 35\u201349","DOI":"10.1109\/SP.2008.21"},{"key":"9248_CR89","unstructured":"D. Wagner, B. Schneier, Analysis of the SSL 3.0 protocol, in Proceedings of the Second USENIX Workshop on Electronic Commerce (USENIX Association, 1996), pp. 29\u201340"},{"key":"9248_CR90","unstructured":"W. Zeller, E.W. Felten, in Cross-Site Request Forgeries: Exploitation and Prevention. Technical report (October 2008). Available at http:\/\/from.bz\/public\/documents\/publications\/csrf"}],"container-title":["Journal of Cryptology"],"original-title":[],"language":"en","link":[{"URL":"http:\/\/link.springer.com\/article\/10.1007\/s00145-016-9248-2\/fulltext.html","content-type":"text\/html","content-version":"vor","intended-application":"text-mining"},{"URL":"http:\/\/link.springer.com\/content\/pdf\/10.1007\/s00145-016-9248-2.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"text-mining"},{"URL":"http:\/\/link.springer.com\/content\/pdf\/10.1007\/s00145-016-9248-2.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,6,14]],"date-time":"2025-06-14T16:15:01Z","timestamp":1749917701000},"score":1,"resource":{"primary":{"URL":"http:\/\/link.springer.com\/10.1007\/s00145-016-9248-2"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2017,1,18]]},"references-count":90,"journal-issue":{"issue":"4","published-print":{"date-parts":[[2017,10]]}},"alternative-id":["9248"],"URL":"https:\/\/doi.org\/10.1007\/s00145-016-9248-2","relation":{},"ISSN":["0933-2790","1432-1378"],"issn-type":[{"value":"0933-2790","type":"print"},{"value":"1432-1378","type":"electronic"}],"subject":[],"published":{"date-parts":[[2017,1,18]]},"assertion":[{"value":"6 November 2014","order":1,"name":"received","label":"Received","group":{"name":"ArticleHistory","label":"Article History"}},{"value":"5 November 2016","order":2,"name":"revised","label":"Revised","group":{"name":"ArticleHistory","label":"Article History"}},{"value":"18 January 2017","order":3,"name":"first_online","label":"First Online","group":{"name":"ArticleHistory","label":"Article History"}},{"value":"This content has been made available to all.","name":"free","label":"Free to read"}]}}