{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,1,29]],"date-time":"2026-01-29T21:39:56Z","timestamp":1769722796798,"version":"3.49.0"},"reference-count":58,"publisher":"Springer Science and Business Media LLC","issue":"3","license":[{"start":{"date-parts":[[2021,5,18]],"date-time":"2021-05-18T00:00:00Z","timestamp":1621296000000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0"},{"start":{"date-parts":[[2021,5,18]],"date-time":"2021-05-18T00:00:00Z","timestamp":1621296000000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0"}],"funder":[{"DOI":"10.13039\/100012325","name":"Bergische Universit\u00e4t Wuppertal","doi-asserted-by":"crossref","id":[{"id":"10.13039\/100012325","id-type":"DOI","asserted-by":"crossref"}]}],"content-domain":{"domain":["link.springer.com"],"crossmark-restriction":false},"short-container-title":["J Cryptol"],"published-print":{"date-parts":[[2021,7]]},"abstract":"<jats:title>Abstract<\/jats:title><jats:p>The TLS 1.3 0-RTT mode enables a client reconnecting to a server to send encrypted application-layer data in \u201c0-RTT\u201d (\u201czero round-trip time\u201d), without the need for a prior interactive handshake. This fundamentally requires the server to reconstruct the previous session\u2019s encryption secrets upon receipt of the client\u2019s first message. The standard techniques to achieve this are <jats:italic>session caches<\/jats:italic> or, alternatively, <jats:italic>session tickets<\/jats:italic>. The former provides forward security and resistance against replay attacks, but requires a large amount of server-side storage. The latter requires negligible storage, but provides no forward security and is known to be vulnerable to replay attacks. In this paper, we first formally define <jats:italic>session resumption protocols<\/jats:italic> as an abstract perspective on mechanisms like session caches and session tickets. We give a new generic construction that provably provides forward security and replay resilience, based on puncturable pseudorandom functions (PPRFs). We show that our construction can immediately be used in TLS 1.3 0-RTT and deployed unilaterally by servers, without requiring any changes to clients or the protocol. To this end, we present a generic composition of our new construction with TLS 1.3 and prove its security. This yields the first construction that achieves forward security for <jats:italic>all<\/jats:italic> messages, including the 0-RTT data. We then describe two new constructions of PPRFs, which are particularly suitable for use for forward-secure and replay-resilient session resumption in TLS\u00a01.3. The first construction is based on the strong RSA assumption. Compared to standard session caches, for \u201c128-bit security\u201d it reduces the required server storage by a factor of almost 20, when instantiated in a way such that key derivation and puncturing together are cheaper on average than one full exponentiation in an RSA group. Hence, a 1 GB session cache can be replaced with only about 51 MBs of storage, which significantly reduces the amount of secure memory required. For larger security parameters or in exchange for more expensive computations, even larger storage reductions are achieved. The second construction combines a standard binary tree PPRF with a new \u201cdomain extension\u201d technique. For a reasonable choice of parameters, this reduces the required storage by a factor of up to 5 compared to a standard session cache. It employs only symmetric cryptography, is suitable for high-traffic scenarios, and can serve thousands of tickets per second.<\/jats:p>","DOI":"10.1007\/s00145-021-09385-0","type":"journal-article","created":{"date-parts":[[2021,5,18]],"date-time":"2021-05-18T22:02:45Z","timestamp":1621375365000},"update-policy":"https:\/\/doi.org\/10.1007\/springer_crossmark_policy","source":"Crossref","is-referenced-by-count":18,"title":["Session Resumption Protocols and Efficient Forward Security for TLS 1.3 0-RTT"],"prefix":"10.1007","volume":"34","author":[{"given":"Nimrod","family":"Aviram","sequence":"first","affiliation":[]},{"given":"Kai","family":"Gellert","sequence":"additional","affiliation":[]},{"given":"Tibor","family":"Jager","sequence":"additional","affiliation":[]}],"member":"297","published-online":{"date-parts":[[2021,5,18]]},"reference":[{"key":"9385_CR1","doi-asserted-by":"crossref","unstructured":"N. Aviram, K. Gellert, T. Jager, Session resumption protocols and efficient forward security for tls 1.3 0-rtt. In: Ishai, Y., Rijmen, V. (eds.) Advances in Cryptology \u2013 EUROCRYPT 2019. pp. 117\u2013150. Springer International Publishing, Cham 2019","DOI":"10.1007\/978-3-030-17656-3_5"},{"key":"9385_CR2","doi-asserted-by":"crossref","unstructured":"C. Bader, D. Hofheinz, T. Jager, E. Kiltz, Y. Li, Tightly-secure authenticated key exchange. In: Dodis, Y., Nielsen, J.B. (eds.) TCC\u00a02015, Part\u00a0I. LNCS, vol. 9014, pp. 629\u2013658. Springer, Heidelberg, Germany, Warsaw, Poland (Mar\u00a023\u201325, 2015)","DOI":"10.1007\/978-3-662-46494-6_26"},{"key":"9385_CR3","doi-asserted-by":"crossref","unstructured":"N. Bari, B. Pfitzmann, Collision-free accumulators and fail-stop signature schemes without trees. In: Fumy, W. (ed.) EUROCRYPT\u201997. LNCS, vol. 1233, pp. 480\u2013494. Springer, Heidelberg, Germany, Konstanz, Germany (May\u00a011\u201315, 1997)","DOI":"10.1007\/3-540-69053-0_33"},{"key":"9385_CR4","doi-asserted-by":"crossref","unstructured":"E. Barker, Recommendation for key management part 1: General (revision 4). NIST special publication 2016","DOI":"10.6028\/NIST.SP.800-57pt1r4"},{"key":"9385_CR5","unstructured":"M. Behr, I. Swett, Introducing QUIC support for HTTPS load balancing 2018, https:\/\/cloudplatform.googleblog.com\/2018\/06\/Introducing-QUIC-support-for-HTTPS-load-balancing.html"},{"key":"9385_CR6","doi-asserted-by":"crossref","unstructured":"M. Bellare, R. Canetti, H. Krawczyk, Keying hash functions for message authentication. In: Koblitz, N. (ed.) CRYPTO\u201996. LNCS, vol. 1109, pp. 1\u201315. Springer, Heidelberg, Germany, Santa Barbara, CA, USA (Aug\u00a018\u201322, 1996)","DOI":"10.1007\/3-540-68697-5_1"},{"key":"9385_CR7","doi-asserted-by":"crossref","unstructured":"M. Bellare, P. Rogaway, Random oracles are practical: A paradigm for designing efficient protocols. In: Ashby, V. (ed.) ACM CCS 93. pp. 62\u201373. ACM Press, Fairfax, Virginia, USA (Nov\u00a03\u20135, 1993)","DOI":"10.1145\/168588.168596"},{"key":"9385_CR8","doi-asserted-by":"crossref","unstructured":"M. Bellare, I. Stepanovs, S. Tessaro, Poly-many hardcore bits for any one-way function and a framework for differing-inputs obfuscation. In: Sarkar, P., Iwata, T. (eds.) ASIACRYPT\u00a02014, Part\u00a0II. LNCS, vol. 8874, pp. 102\u2013121. Springer, Heidelberg, Germany, Kaoshiung, Taiwan, R.O.C. (Dec\u00a07\u201311, 2014)","DOI":"10.1007\/978-3-662-45608-8_6"},{"key":"9385_CR9","doi-asserted-by":"crossref","unstructured":"K. Bhargavan, C. Fournet, M. Kohlweiss, A. Pironti, P.Y. Strub, Zanella B\u00e9guelin, S.: Proving the TLS handshake secure (as it is). In: Garay, J.A., Gennaro, R. (eds.) CRYPTO\u00a02014, Part\u00a0II. LNCS, vol. 8617, pp. 235\u2013255. Springer, Heidelberg, Germany, Santa Barbara, CA, USA (Aug\u00a017\u201321, 2014)","DOI":"10.1007\/978-3-662-44381-1_14"},{"issue":"2","key":"9385_CR10","doi-asserted-by":"publisher","first-page":"364","DOI":"10.1137\/0215025","volume":"15","author":"L Blum","year":"1986","unstructured":"L. Blum, M. Blum, M. Shub, A simple unpredictable pseudo-random number generator. SIAM J. Comput. 15(2), 364\u2013383 (1986), https:\/\/doi.org\/10.1137\/0215025","journal-title":"SIAM J. Comput"},{"key":"9385_CR11","unstructured":"H. B\u00f6ck, Fuzz-compare the OpenSSL function $$\\text{BN}\\_\\text{ mod }\\_\\text{ exp }()$$ and the libgcrypt function $$\\text{ gcry }\\_\\text{ mpi }\\_\\text{ powm }()$$, https:\/\/github.com\/hannob\/bignum-fuzz\/blob\/master\/openssl-vs-gcrypt-modexp.c"},{"key":"9385_CR12","doi-asserted-by":"crossref","unstructured":"D. Boneh, B. Waters, Constrained pseudorandom functions and their applications. In: Sako, K., Sarkar, P. (eds.) ASIACRYPT\u00a02013, Part\u00a0II. LNCS, vol. 8270, pp. 280\u2013300. Springer, Heidelberg, Germany, Bengalore, India (Dec\u00a01\u20135, 2013)","DOI":"10.1007\/978-3-642-42045-0_15"},{"key":"9385_CR13","doi-asserted-by":"publisher","unstructured":"C. Boyd, K. Gellert, A Modern View on Forward Security. The Computer Journal (08 2020), https:\/\/doi.org\/10.1093\/comjnl\/bxaa104","DOI":"10.1093\/comjnl\/bxaa104"},{"key":"9385_CR14","doi-asserted-by":"crossref","unstructured":"E. Boyle, S. Goldwasser, I. Ivan, Functional signatures and pseudorandom functions. In: Krawczyk, H. (ed.) PKC\u00a02014. LNCS, vol. 8383, pp. 501\u2013519. Springer, Heidelberg, Germany, Buenos Aires, Argentina (Mar\u00a026\u201328, 2014)","DOI":"10.1007\/978-3-642-54631-0_29"},{"key":"9385_CR15","doi-asserted-by":"crossref","unstructured":"J. Camenisch, A. Lysyanskaya, Dynamic accumulators and application to efficient revocation of anonymous credentials. In: Yung, M. (ed.) CRYPTO\u00a02002. LNCS, vol. 2442, pp. 61\u201376. Springer, Heidelberg, Germany, Santa Barbara, CA, USA (Aug\u00a018\u201322, 2002)","DOI":"10.1007\/3-540-45708-9_5"},{"key":"9385_CR16","unstructured":"W.T. Chang, A. Langley, QUIC crypto 2014, https:\/\/docs.google.com\/document\/d\/1g5nIXAIkN_Y-7XJW5K45IblHd_L2f5LTaDUDwvZ5L6g"},{"key":"9385_CR17","doi-asserted-by":"crossref","unstructured":"C. Cremers, M. Horvat, S. Scott, T. van\u00a0der Merwe, Automated analysis and verification of TLS 1.3: 0-RTT, resumption and delayed authentication. In: 2016 IEEE Symposium on Security and Privacy. pp. 470\u2013485. IEEE Computer Society Press, San Jose, CA, USA (May\u00a022\u201326, 2016)","DOI":"10.1109\/SP.2016.35"},{"key":"9385_CR18","doi-asserted-by":"publisher","first-page":"211","DOI":"10.1007\/978-3-030-65411-5_11","volume-title":"Cryptology and Network Security","author":"F Dallmeier","year":"2020","unstructured":"F. Dallmeier, J.P. Drees, K. Gellert, T. Handirk, T. Jager, J. Klauke, S. Nachtigall, T. Renzelmann, R. Wolf, Forward-secure 0-rtt goes live: Implementation and performance analysis in quic. In: S. Krenn, H. Shulman, S. Vaudenay, (eds.) Cryptology and Network Security. pp. 211\u2013231. Springer International Publishing, Cham 2020"},{"key":"9385_CR19","doi-asserted-by":"crossref","unstructured":"D. Derler, K. Gellert, T. Jager, D. Slamanig, C. Striecks, Bloom filter encryption and applications to efficient forward-secret 0-RTT key exchange. Cryptology ePrint Archive, Report 2018\/199 2018, https:\/\/eprint.iacr.org\/2018\/199","DOI":"10.1007\/978-3-319-78372-7_14"},{"key":"9385_CR20","doi-asserted-by":"crossref","unstructured":"D. Derler, T. Jager, D. Slamanig, C. Striecks, Bloom filter encryption and applications to efficient forward-secret 0-RTT key exchange. In: Nielsen, J.B., Rijmen, V. (eds.) EUROCRYPT\u00a02018, Part\u00a0III. LNCS, vol. 10822, pp. 425\u2013455. Springer, Heidelberg, Germany, Tel Aviv, Israel (Apr\u00a029\u00a0\u2013\u00a0May\u00a03, 2018)","DOI":"10.1007\/978-3-319-78372-7_14"},{"key":"9385_CR21","doi-asserted-by":"crossref","unstructured":"D. Diemert, T. Jager: On the tight security of tls 1.3: Theoretically-sound cryptographic parameters for real-world deployments. Cryptology ePrint Archive, Report 2020\/726 2020, https:\/\/eprint.iacr.org\/2020\/726","DOI":"10.1007\/s00145-021-09388-x"},{"key":"9385_CR22","doi-asserted-by":"crossref","unstructured":"B. Dowling, M. Fischlin, F. G\u00fcnther, D. Stebila, A cryptographic analysis of the tls 1.3 handshake protocol. Cryptology ePrint Archive, Report 2020\/1044 2020, https:\/\/eprint.iacr.org\/2020\/1044","DOI":"10.1007\/s00145-021-09384-1"},{"key":"9385_CR23","doi-asserted-by":"crossref","unstructured":"B. Dowling, M. Fischlin, F. G\u00fcnther, D. Stebila, A cryptographic analysis of the TLS\u00a01.3 handshake protocol candidates. In: Ray, I., Li, N., Kruegel:, C. (eds.) ACM CCS 15. pp. 1197\u20131210. ACM Press, Denver, CO, USA (Oct\u00a012\u201316, 2015)","DOI":"10.1145\/2810103.2813653"},{"key":"9385_CR24","unstructured":"B. Dowling, M. Fischlin, F. G\u00fcnther, D. Stebila, A cryptographic analysis of the TLS 1.3 draft-10 full and pre-shared key handshake protocol. Cryptology ePrint Archive, Report 2016\/081 2016, http:\/\/eprint.iacr.org\/2016\/081"},{"issue":"3","key":"9385_CR25","doi-asserted-by":"publisher","first-page":"26","DOI":"10.1145\/1823844.1823848","volume":"40","author":"N Dukkipati","year":"2010","unstructured":"N. Dukkipati, T. Refice, Y. Cheng, J. Chu, T. Herbert, A. Agarwal, A. Jain, N. Sutin, An argument for increasing TCP\u2019s initial congestion window. Computer Communication Review 40(3), 26\u201333 2010","journal-title":"Computer Communication Review"},{"key":"9385_CR26","unstructured":"T. Duong, T. Valverde, Q. Nguyen, Bad life advice - Replay attacks against HTTPS 2015, https:\/\/blog.valverde.me\/2015\/12\/07\/bad-life-advice\/"},{"key":"9385_CR27","unstructured":"M. Fischlin, F. G\u00fcnther, Multi-stage key exchange and the case of Google\u2019s QUIC protocol. In: Ahn, G.J., Yung, M., Li, N. (eds.) ACM CCS 14. pp. 1193\u20131204. ACM Press, Scottsdale, AZ, USA (Nov\u00a03\u20137, 2014)"},{"key":"9385_CR28","doi-asserted-by":"publisher","unstructured":"M. Fischlin, F. G\u00fcnther, Replay attacks on zero round-trip time: The case of the TLS 1.3 handshake candidates. In: 2017 IEEE European Symposium on Security and Privacy, EuroS&P 2017, Paris, France, April 26-28, 2017. pp. 60\u201375. IEEE 2017, https:\/\/doi.org\/10.1109\/EuroSP.2017.18","DOI":"10.1109\/EuroSP.2017.18"},{"key":"9385_CR29","doi-asserted-by":"crossref","unstructured":"K. Gj\u00f8steen, T. Jager, Practical and tightly-secure digital signatures and authenticated key exchange. In: Shacham, H., Boldyreva, A. (eds.) CRYPTO\u00a02018, Part\u00a0II. LNCS, vol. 10992, pp. 95\u2013125. Springer, Heidelberg, Germany, Santa Barbara, CA, USA (Aug\u00a019\u201323, 2018)","DOI":"10.1007\/978-3-319-96881-0_4"},{"key":"9385_CR30","doi-asserted-by":"publisher","unstructured":"O. Goldreich, S. Goldwasser, S. Micali, How to construct random functions. J. ACM 33(4), 792\u2013807 (Aug 1986), https:\/\/doi.org\/10.1145\/6490.6503","DOI":"10.1145\/6490.6503"},{"key":"9385_CR31","doi-asserted-by":"crossref","unstructured":"O. Goldreich, L.A. Levin, A hard-core predicate for all one-way functions. In: 21st ACM STOC. pp. 25\u201332. ACM Press, Seattle, WA, USA (May\u00a015\u201317, 1989)","DOI":"10.1145\/73007.73010"},{"key":"9385_CR32","doi-asserted-by":"crossref","unstructured":"M.D. Green, I. Miers, Forward secure asynchronous messaging from puncturable encryption. In: 2015 IEEE Symposium on Security and Privacy. pp. 305\u2013320. IEEE Computer Society Press, San Jose, CA, USA (May\u00a017\u201321, 2015)","DOI":"10.1109\/SP.2015.26"},{"key":"9385_CR33","doi-asserted-by":"crossref","unstructured":"F. G\u00fcnther, B. Hale, T. Jager, S. Lauer, 0-RTT key exchange with full forward secrecy. In: Coron, J., Nielsen, J.B. (eds.) EUROCRYPT\u00a02017, Part\u00a0III. LNCS, vol. 10212, pp. 519\u2013548. Springer, Heidelberg, Germany, Paris, France (Apr\u00a030\u00a0\u2013\u00a0May\u00a04, 2017)","DOI":"10.1007\/978-3-319-56617-7_18"},{"key":"9385_CR34","doi-asserted-by":"crossref","unstructured":"B. Hale, T. Jager, S. Lauer, J. Schwenk, Simple security definitions for and constructions of 0-RTT key exchange. In: Gollmann, D., Miyaji, A., Kikuchi, H. (eds.) ACNS 17. LNCS, vol. 10355, pp. 20\u201338. Springer, Heidelberg, Germany, Kanazawa, Japan (Jul\u00a010\u201312, 2017)","DOI":"10.1007\/978-3-319-61204-1_2"},{"key":"9385_CR35","unstructured":"S. Iyengar, K. Nekritz, Building zero protocol for fast, secure mobile connections 2017, https:\/\/code.fb.com\/android\/building-zero-protocol-for-fast-secure-mobile-connections\/"},{"key":"9385_CR36","doi-asserted-by":"crossref","unstructured":"T. Jager, F. Kohlar, S. Sch\u00e4ge, J. Schwenk, On the security of TLS-DHE in the standard model. In: Safavi-Naini, R., Canetti, R. (eds.) CRYPTO\u00a02012. LNCS, vol. 7417, pp. 273\u2013293. Springer, Heidelberg, Germany, Santa Barbara, CA, USA (Aug\u00a019\u201323, 2012)","DOI":"10.1007\/978-3-642-32009-5_17"},{"key":"9385_CR37","unstructured":"H. Kario, Add 3072, 7680 and 15360 bit RSA tests to openssl speed, https:\/\/groups.google.com\/forum\/#!topic\/mailing.openssl.dev\/bv8t7QcXrqg"},{"key":"9385_CR38","doi-asserted-by":"crossref","unstructured":"A. Kiayias, S. Papadopoulos, N. Triandopoulos, T. Zacharias, Delegatable pseudorandom functions and applications. In: Sadeghi, A.R., Gligor, V.D., Yung, M. (eds.) ACM CCS 13. pp. 669\u2013684. ACM Press, Berlin, Germany (Nov\u00a04\u20138, 2013)","DOI":"10.1145\/2508859.2516668"},{"key":"9385_CR39","doi-asserted-by":"crossref","unstructured":"H. Krawczyk, M. Bellare, R. Canetti, Hmac: Keyed-hashing for message authentication (February 1997), http:\/\/tools.ietf.org\/rfc\/rfc2104.txt, rFC2104","DOI":"10.17487\/rfc2104"},{"key":"9385_CR40","doi-asserted-by":"crossref","unstructured":"H. Krawczyk, P. Eronen, Hmac-based extract-and-expand key derivation function (hkdf) (May 2010), http:\/\/tools.ietf.org\/rfc\/rfc5869.txt, rFC5869","DOI":"10.17487\/rfc5869"},{"key":"9385_CR41","doi-asserted-by":"crossref","unstructured":"H. Krawczyk, Cryptographic extraction and key derivation: The HKDF scheme. In: Rabin, T. (ed.) CRYPTO\u00a02010. LNCS, vol. 6223, pp. 631\u2013648. Springer, Heidelberg, Germany, Santa Barbara, CA, USA (Aug\u00a015\u201319, 2010)","DOI":"10.1007\/978-3-642-14623-7_34"},{"key":"9385_CR42","doi-asserted-by":"crossref","unstructured":"H. Krawczyk, K.G. Paterson, H. Wee, On the security of the TLS protocol: A systematic analysis. In: Canetti, R., Garay, J.A. (eds.) CRYPTO\u00a02013, Part\u00a0I. LNCS, vol. 8042, pp. 429\u2013448. Springer, Heidelberg, Germany, Santa Barbara, CA, USA (Aug\u00a018\u201322, 2013)","DOI":"10.1007\/978-3-642-40041-4_24"},{"key":"9385_CR43","unstructured":"A. Langley, How to botch TLS forward secrecy 2013, https:\/\/www.imperialviolet.org\/2013\/06\/27\/botchingpfs.html"},{"key":"9385_CR44","unstructured":"A. Langley, Post-quantum confidentiality for TLS 2018, https:\/\/www.imperialviolet.org\/2018\/04\/11\/pqconftls.html"},{"key":"9385_CR45","doi-asserted-by":"crossref","unstructured":"S. Lauer, K. Gellert, R. Merget, T. Handirk, J. Schwenk, T0rtt: Non-interactive immediate forward-secret single-pass circuit construction. Proceedings on Privacy Enhancing Technologies 2020(2), 336 \u2013 357 (01 Apr 2020), https:\/\/content.sciendo.com\/view\/journals\/popets\/2020\/2\/article-p336.xml","DOI":"10.2478\/popets-2020-0030"},{"key":"9385_CR46","unstructured":"Z. Lin, TLS Session Resumption: Full-speed and Secure (2015), https:\/\/blog.cloudflare.com\/tls-session-resumption-full-speed-and-secure\/"},{"key":"9385_CR47","doi-asserted-by":"crossref","unstructured":"R. Lychev, S. Jero, A. Boldyreva, C. Nita-Rotaru, How secure and quick is QUIC? Provable security and performance analyses. In: 2015 IEEE Symposium on Security and Privacy. pp. 214\u2013231. IEEE Computer Society Press, San Jose, CA, USA (May\u00a017\u201321, 2015)","DOI":"10.1109\/SP.2015.21"},{"key":"9385_CR48","unstructured":"C. MacCarthaigh, Security Review of TLS 1.3 0-RTT. https:\/\/github.com\/tlswg\/tls13-spec\/issues\/1001, accessed: 2018-07-29"},{"key":"9385_CR49","unstructured":"E. Rescorla, TLS 0-RTT and Anti-Replay 2015, https:\/\/www.ietf.org\/mail-archive\/web\/tls\/current\/msg15594.html"},{"key":"9385_CR50","unstructured":"E. Rescorla, TLS 1.3 2015, http:\/\/web.stanford.edu\/class\/ee380\/Abstracts\/151118-slides.pdf"},{"key":"9385_CR51","doi-asserted-by":"crossref","unstructured":"E. Rescorla, The Transport Layer Security (TLS) Protocol Version 1.3. RFC 8446 2018, https:\/\/rfc-editor.org\/rfc\/rfc8446.txt","DOI":"10.17487\/RFC8446"},{"key":"9385_CR52","doi-asserted-by":"crossref","unstructured":"P. Rogaway, Authenticated-encryption with associated-data. In: Atluri, V. (ed.) ACM CCS 02. pp. 98\u2013107. ACM Press, Washington D.C., USA (Nov\u00a018\u201322, 2002)","DOI":"10.1145\/586110.586125"},{"key":"9385_CR53","doi-asserted-by":"publisher","first-page":"211","DOI":"10.1007\/11958239_14","volume-title":"Progress in Cryptology - VIETCRYPT 2006","author":"P Rogaway","year":"2006","unstructured":"P. Rogaway, Formalizing human ignorance. In: P.Q. Nguyen, (ed.) Progress in Cryptology - VIETCRYPT 2006. pp. 211\u2013228. Springer Berlin Heidelberg, Berlin, Heidelberg 2006"},{"key":"9385_CR54","doi-asserted-by":"crossref","unstructured":"A. Sahai, B. Waters, How to use indistinguishability obfuscation: deniable encryption, and more. In: Shmoys, D.B. (ed.) 46th ACM STOC. pp. 475\u2013484. ACM Press, New York, NY, USA (May\u00a031\u00a0\u2013\u00a0Jun\u00a03, 2014)","DOI":"10.1145\/2591796.2591825"},{"key":"9385_CR55","doi-asserted-by":"crossref","unstructured":"A. Shamir, On the generation of cryptographically strong pseudorandom sequences. ACM Trans. Comput. Syst. 1(1), 38\u201344 (Feb 1983), http:\/\/doi.acm.org\/10.1145\/357353.357357","DOI":"10.1145\/357353.357357"},{"key":"9385_CR56","doi-asserted-by":"crossref","unstructured":"D. Springall, Z. Durumeric, J.A. Halderman, Measuring the security harm of TLS crypto shortcuts. In: Proceedings of the 2016 Internet Measurement Conference. pp. 33\u201347. ACM 2016","DOI":"10.1145\/2987443.2987480"},{"key":"9385_CR57","unstructured":"N. Sullivan, Introducing Zero Round Trip Time Resumption 2017, https:\/\/blog.cloudflare.com\/introducing-0-rtt\/"},{"key":"9385_CR58","unstructured":"The OpenSSL Project: OpenSSL: The open source toolkit for SSL\/TLS, www.openssl.org"}],"container-title":["Journal of Cryptology"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1007\/s00145-021-09385-0.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/link.springer.com\/article\/10.1007\/s00145-021-09385-0\/fulltext.html","content-type":"text\/html","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1007\/s00145-021-09385-0.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2021,8,17]],"date-time":"2021-08-17T19:06:11Z","timestamp":1629227171000},"score":1,"resource":{"primary":{"URL":"https:\/\/link.springer.com\/10.1007\/s00145-021-09385-0"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2021,5,18]]},"references-count":58,"journal-issue":{"issue":"3","published-print":{"date-parts":[[2021,7]]}},"alternative-id":["9385"],"URL":"https:\/\/doi.org\/10.1007\/s00145-021-09385-0","relation":{},"ISSN":["0933-2790","1432-1378"],"issn-type":[{"value":"0933-2790","type":"print"},{"value":"1432-1378","type":"electronic"}],"subject":[],"published":{"date-parts":[[2021,5,18]]},"assertion":[{"value":"31 October 2019","order":1,"name":"received","label":"Received","group":{"name":"ArticleHistory","label":"Article History"}},{"value":"17 January 2021","order":2,"name":"revised","label":"Revised","group":{"name":"ArticleHistory","label":"Article History"}},{"value":"17 January 2021","order":3,"name":"accepted","label":"Accepted","group":{"name":"ArticleHistory","label":"Article History"}},{"value":"18 May 2021","order":4,"name":"first_online","label":"First Online","group":{"name":"ArticleHistory","label":"Article History"}}],"article-number":"20"}}