{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,2,20]],"date-time":"2026-02-20T18:57:44Z","timestamp":1771613864968,"version":"3.50.1"},"reference-count":69,"publisher":"Springer Science and Business Media LLC","issue":"3","license":[{"start":{"date-parts":[[2021,6,4]],"date-time":"2021-06-04T00:00:00Z","timestamp":1622764800000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0"},{"start":{"date-parts":[[2021,6,4]],"date-time":"2021-06-04T00:00:00Z","timestamp":1622764800000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0"}],"funder":[{"DOI":"10.13039\/100012325","name":"Bergische Universit\u00e4t Wuppertal","doi-asserted-by":"crossref","id":[{"id":"10.13039\/100012325","id-type":"DOI","asserted-by":"crossref"}]}],"content-domain":{"domain":["link.springer.com"],"crossmark-restriction":false},"short-container-title":["J Cryptol"],"published-print":{"date-parts":[[2021,7]]},"abstract":"<jats:title>Abstract<\/jats:title><jats:p>We consider the<jats:italic>theoretically sound<\/jats:italic>selection of cryptographic parameters, such as the size of algebraic groups or RSA keys, for TLS 1.3 in practice. While prior works gave security proofs for TLS 1.3, their security loss is<jats:italic>quadratic<\/jats:italic>in the total number of sessions across all users, which due to the pervasive use of TLS is huge. Therefore, in order to deploy TLS 1.3 in a theoretically sound way, it would be necessary to compensate this loss with unreasonably large parameters that would be infeasible for practical use at large scale. Hence, while these previous works show that in principle the design of TLS 1.3 is secure in an asymptotic sense, they do not yet provide any useful<jats:italic>concrete<\/jats:italic>security guarantees for real-world parameters used in practice. In this work, we provide a new security proof for the cryptographic core of TLS 1.3 in the random oracle model, which reduces the security of TLS 1.3<jats:italic>tightly<\/jats:italic>(that is, with constant security loss) to the (multi-user) security of its building blocks. For some building blocks, such as the symmetric record layer encryption scheme, we can then rely on prior work to establish tight security. For others, such as the RSA-PSS digital signature scheme currently used in TLS 1.3, we obtain at least a<jats:italic>linear<\/jats:italic>loss in the number of users, independent of the number of sessions, which is much easier to compensate with reasonable parameters. Our work also shows that by replacing the RSA-PSS scheme with a tightly secure scheme (e.g., in a future TLS version), one can obtain the first fully tightly secure TLS protocol. Our results enable a theoretically sound selection of parameters for TLS 1.3, even in large-scale settings with many users and sessions per user.<\/jats:p>","DOI":"10.1007\/s00145-021-09388-x","type":"journal-article","created":{"date-parts":[[2021,6,4]],"date-time":"2021-06-04T16:03:02Z","timestamp":1622822582000},"update-policy":"https:\/\/doi.org\/10.1007\/springer_crossmark_policy","source":"Crossref","is-referenced-by-count":40,"title":["On the Tight Security of TLS 1.3: Theoretically Sound Cryptographic Parameters for Real-World Deployments"],"prefix":"10.1007","volume":"34","author":[{"given":"Denis","family":"Diemert","sequence":"first","affiliation":[]},{"given":"Tibor","family":"Jager","sequence":"additional","affiliation":[]}],"member":"297","published-online":{"date-parts":[[2021,6,4]]},"reference":[{"key":"9388_CR1","doi-asserted-by":"crossref","unstructured":"M. Abdalla, M. Bellare, P. Rogaway, The oracle Diffie-Hellman assumptions and an analysis of DHIES. In: Naccache, D. (ed.) CT-RSA\u00a02001. LNCS, vol. 2020, pp. 143\u2013158. Springer, Heidelberg, Germany, San Francisco, CA, USA (Apr\u00a08\u201312, 2001)","DOI":"10.1007\/3-540-45353-9_12"},{"key":"9388_CR2","doi-asserted-by":"crossref","unstructured":"N. Aviram, K. Gellert, T. Jager, Session resumption protocols and efficient forward security for TLS 1.3 0-RTT. In: Ishai, Y., Rijmen, V. (eds.) EUROCRYPT\u00a02019, Part\u00a0II. LNCS, vol. 11477, pp. 117\u2013150. Springer, Heidelberg, Germany, Darmstadt, Germany (May\u00a019\u201323, 2019)","DOI":"10.1007\/978-3-030-17656-3_5"},{"key":"9388_CR3","unstructured":"N. Aviram, S. Schinzel, J. Somorovsky, N. Heninger, M. Dankel, J. Steube, L. Valenta, D. Adrian, J.A. Halderman, V. Dukhovni, E. K\u00e4sper, S. Cohney, S. Engels, C. Paar, Y. Shavitt, DROWN: Breaking TLS using SSLv2. In: Holz, T., Savage, S. (eds.) USENIX Security 2016. pp. 689\u2013706. USENIX Association, Austin, TX, USA (Aug\u00a010\u201312, 2016)"},{"key":"9388_CR4","doi-asserted-by":"crossref","unstructured":"C. Bader, D. Hofheinz, T. Jager, E. Kiltz, Y. Li, Tightly-secure authenticated key exchange. In: Dodis, Y., Nielsen, J.B. (eds.) TCC\u00a02015, Part\u00a0I. LNCS, vol. 9014, pp. 629\u2013658. Springer, Heidelberg, Germany, Warsaw, Poland (Mar\u00a023\u201325, 2015)","DOI":"10.1007\/978-3-662-46494-6_26"},{"key":"9388_CR5","doi-asserted-by":"crossref","unstructured":"C. Bader, T. Jager, Y. Li, S. Sch\u00e4ge, On the impossibility of tight cryptographic reductions. In: Fischlin, M., Coron, J.S. (eds.) EUROCRYPT\u00a02016, Part\u00a0II. LNCS, vol. 9666, pp. 273\u2013304. Springer, Heidelberg, Germany, Vienna, Austria (May\u00a08\u201312, 2016)","DOI":"10.1007\/978-3-662-49896-5_10"},{"key":"9388_CR6","doi-asserted-by":"crossref","unstructured":"M. Bellare, New proofs for NMAC and HMAC: Security without collision resistance. J. Cryptol. 28(4), 844\u2013878 (2015)","DOI":"10.1007\/s00145-014-9185-x"},{"key":"9388_CR7","doi-asserted-by":"crossref","unstructured":"M. Bellare, R. Canetti, H. Krawczyk, Keying hash functions for message authentication. In: Koblitz, N. (ed.) CRYPTO\u201996. LNCS, vol. 1109, pp. 1\u201315. Springer, Heidelberg, Germany, Santa Barbara, CA, USA (Aug\u00a018\u201322, 1996)","DOI":"10.1007\/3-540-68697-5_1"},{"key":"9388_CR8","unstructured":"M. Bellare, R. Canetti, H. Krawczyk, Pseudorandom functions revisited: The cascade construction and its concrete security. In: 37th FOCS. pp. 514\u2013523. IEEE Computer Society Press, Burlington, Vermont (Oct\u00a014\u201316, 1996b)"},{"key":"9388_CR9","doi-asserted-by":"crossref","unstructured":"M. Bellare, T. Ristenpart, Simulation without the artificial abort: Simplified proof and improved concrete security for waters\u2019 IBE scheme. Cryptology ePrint Archive, Report 2009\/084 (2009) http:\/\/eprint.iacr.org\/2009\/084","DOI":"10.1007\/978-3-642-01001-9_24"},{"key":"9388_CR10","doi-asserted-by":"crossref","unstructured":"M. Bellare, T. Ristenpart, Simulation without the artificial abort: Simplified proof and improved concrete security for Waters\u2019 IBE scheme. In: Joux, A. (ed.) EUROCRYPT\u00a02009. LNCS, vol. 5479, pp. 407\u2013424. Springer, Heidelberg, Germany, Cologne, Germany (Apr\u00a026\u201330, 2009)","DOI":"10.1007\/978-3-642-01001-9_24"},{"key":"9388_CR11","doi-asserted-by":"crossref","unstructured":"M. Bellare, P. Rogaway, Random oracles are practical: A paradigm for designing efficient protocols. In: Denning, D.E., Pyle, R., Ganesan, R., Sandhu, R.S., Ashby, V. (eds.) ACM CCS 93. pp. 62\u201373. ACM Press, Fairfax, Virginia, USA (Nov\u00a03\u20135, 1993)","DOI":"10.1145\/168588.168596"},{"key":"9388_CR12","doi-asserted-by":"crossref","unstructured":"M. Bellare, P. Rogaway, Entity authentication and key distribution. In: Stinson, D.R. (ed.) CRYPTO\u201993. LNCS, vol. 773, pp. 232\u2013249. Springer, Heidelberg, Germany, Santa Barbara, CA, USA (Aug\u00a022\u201326, 1994)","DOI":"10.1007\/3-540-48329-2_21"},{"key":"9388_CR13","doi-asserted-by":"crossref","unstructured":"M. Bellare, B. Tackmann, The multi-user security of authenticated encryption: AES-GCM in TLS\u00a01.3. In: Robshaw, M., Katz, J. (eds.) CRYPTO\u00a02016, Part\u00a0I. LNCS, vol. 9814, pp. 247\u2013276. Springer, Heidelberg, Germany, Santa Barbara, CA, USA (Aug\u00a014\u201318, 2016)","DOI":"10.1007\/978-3-662-53018-4_10"},{"key":"9388_CR14","doi-asserted-by":"crossref","unstructured":"D.J. Bernstein, N. Duif, T. Lange, P. Schwabe, B.Y. Yang, High-speed high-security signatures. In: Preneel, B., Takagi, T. (eds.) CHES\u00a02011. LNCS, vol. 6917, pp. 124\u2013142. Springer, Heidelberg, Germany, Nara, Japan (Sep\u00a028\u2013Oct\u00a01, 2011)","DOI":"10.1007\/978-3-642-23951-9_9"},{"key":"9388_CR15","doi-asserted-by":"crossref","unstructured":"B. Beurdouche, K. Bhargavan, A. Delignat-Lavaud, C. Fournet, M. Kohlweiss, A. Pironti, P.Y. Strub, J.K. Zinzindohoue, A messy state of the union: Taming the composite state machines of TLS. In: 2015 IEEE Symposium on Security and Privacy. pp. 535\u2013552. IEEE Computer Society Press, San Jose, CA, USA (May\u00a017\u201321, 2015)","DOI":"10.1109\/SP.2015.39"},{"key":"9388_CR16","doi-asserted-by":"crossref","unstructured":"K. Bhargavan, C. Fournet, M. Kohlweiss, miTLS: Verifying protocol implementations against real-world attacks. IEEE Secur. Privacy 14(6), 18\u201325 (2016)","DOI":"10.1109\/MSP.2016.123"},{"key":"9388_CR17","doi-asserted-by":"crossref","unstructured":"K. Bhargavan, C. Brzuska, C. Fournet, M. Green, M. Kohlweiss, S. Zanella-B\u00e9guelin, Downgrade resilience in key-exchange protocols. In: 2016 IEEE Symposium on Security and Privacy. pp. 506\u2013525. IEEE Computer Society Press, San Jose, CA, USA (May\u00a022\u201326, 2016)","DOI":"10.1109\/SP.2016.37"},{"key":"9388_CR18","doi-asserted-by":"crossref","unstructured":"K. Bhargavan, A. Delignat-Lavaud, C. Fournet, A. Pironti, P.Y. Strub, Triple handshakes and cookie cutters: Breaking and fixing authentication over TLS. In: 2014 IEEE Symposium on Security and Privacy. pp. 98\u2013113. IEEE Computer Society Press, Berkeley, CA, USA (May\u00a018\u201321, 2014)","DOI":"10.1109\/SP.2014.14"},{"key":"9388_CR19","doi-asserted-by":"crossref","unstructured":"K. Bhargavan, C. Fournet, M. Kohlweiss, A. Pironti, P.Y. Strub, Zanella B\u00e9guelin, S.: Proving the TLS handshake secure (as it is). In: Garay, J.A., Gennaro, R. (eds.) CRYPTO\u00a02014, Part\u00a0II. LNCS, vol. 8617, pp. 235\u2013255. Springer, Heidelberg, Germany, Santa Barbara, CA, USA (Aug\u00a017\u201321, 2014)","DOI":"10.1007\/978-3-662-44381-1_14"},{"key":"9388_CR20","doi-asserted-by":"crossref","unstructured":"D. Boneh, The decision Diffie-Hellman problem. In: Third Algorithmic Number Theory Symposium (ANTS). LNCS, vol. 1423. Springer, Heidelberg, Germany (1998), invited paper","DOI":"10.1007\/BFb0054851"},{"key":"9388_CR21","doi-asserted-by":"crossref","unstructured":"J. Brendel, M. Fischlin, F. G\u00fcnther, C. Janson, PRF-ODH: Relations, instantiations, and impossibility results. In: Katz, J., Shacham, H. (eds.) CRYPTO\u00a02017, Part\u00a0III. LNCS, vol. 10403, pp. 651\u2013681. Springer, Heidelberg, Germany, Santa Barbara, CA, USA (Aug\u00a020\u201324, 2017)","DOI":"10.1007\/978-3-319-63697-9_22"},{"key":"9388_CR22","unstructured":"C. Brzuska, M. Fischlin, N. Smart, B. Warinschi, S. Williams, Less is more: Relaxed yet composable security notions for key exchange. Cryptology ePrint Archive, Report 2012\/242 (2012), http:\/\/eprint.iacr.org\/2012\/242"},{"key":"9388_CR23","doi-asserted-by":"crossref","unstructured":"C. Brzuska, M. Fischlin, B. Warinschi, S.C. Williams, Composability of Bellare-Rogaway key exchange protocols. In: Chen, Y., Danezis, G., Shmatikov, V. (eds.) ACM CCS 2011. pp. 51\u201362. ACM Press, Chicago, Illinois, USA (Oct\u00a017\u201321, 2011)","DOI":"10.1145\/2046707.2046716"},{"key":"9388_CR24","doi-asserted-by":"crossref","unstructured":"S. Chen, S. Jero, M. Jagielski, A. Boldyreva, C. Nita-Rotaru, Secure communication channel establishment: TLS 1.3 (over TCP fast open) vs. QUIC. In: Sako, K., Schneider, S., Ryan, P.Y.A. (eds.) ESORICS\u00a02019, Part\u00a0I. LNCS, vol. 11735, pp. 404\u2013426. Springer, Heidelberg, Germany, Luxembourg (Sep\u00a023\u201327, 2019)","DOI":"10.1007\/978-3-030-29959-0_20"},{"key":"9388_CR25","doi-asserted-by":"crossref","unstructured":"K. Cohn-Gordon, C. Cremers, K. Gj\u00f8steen, H. Jacobsen, T. Jager, Highly efficient key exchange protocols with optimal tightness. In: Boldyreva, A., Micciancio, D. (eds.) CRYPTO\u00a02019, Part\u00a0III. LNCS, vol. 11694, pp. 767\u2013797. Springer, Heidelberg, Germany, Santa Barbara, CA, USA (Aug\u00a018\u201322, 2019)","DOI":"10.1007\/978-3-030-26954-8_25"},{"key":"9388_CR26","doi-asserted-by":"crossref","unstructured":"J.S. Coron, Optimal security proofs for PSS and other signature schemes. In: Knudsen, L.R. (ed.) EUROCRYPT\u00a02002. LNCS, vol. 2332, pp. 272\u2013287. Springer, Heidelberg, Germany, Amsterdam, The Netherlands (Apr\u00a028\u2013May\u00a02, 2002)","DOI":"10.1007\/3-540-46035-7_18"},{"key":"9388_CR27","doi-asserted-by":"crossref","unstructured":"H. Davis, F. G\u00fcnther, Tighter proofs for the SIGMA and TLS 1.3 key exchange protocols. Cryptology ePrint Archive, Report 2020\/1029 (2020), https:\/\/eprint.iacr.org\/2020\/1029","DOI":"10.1007\/978-3-030-78375-4_18"},{"key":"9388_CR28","doi-asserted-by":"crossref","unstructured":"A. Delignat-Lavaud, C. Fournet, M. Kohlweiss, J. Protzenko, A. Rastogi, N. Swamy, S. Zanella-B\u00e9guelin, K. Bhargavan, J. Pan, J.K. Zinzindohoue, Implementing and proving the TLS 1.3 record layer. In: 2017 IEEE Symposium on Security and Privacy. pp. 463\u2013482. IEEE Computer Society Press, San Jose, CA, USA (May\u00a022\u201326, 2017)","DOI":"10.1109\/SP.2017.58"},{"key":"9388_CR29","doi-asserted-by":"crossref","unstructured":"W. Diffie, M.E. Hellman, New directions in cryptography. IEEE Trans. Inf. Theory 22(6), 644\u2013654 (1976)","DOI":"10.1109\/TIT.1976.1055638"},{"key":"9388_CR30","doi-asserted-by":"crossref","unstructured":"Y. Dodis, J.P. Steinberger, Message authentication codes from unpredictable block ciphers. In: Halevi, S. (ed.) CRYPTO\u00a02009. LNCS, vol. 5677, pp. 267\u2013285. Springer, Heidelberg, Germany, Santa Barbara, CA, USA (Aug\u00a016\u201320, 2009)","DOI":"10.1007\/978-3-642-03356-8_16"},{"key":"9388_CR31","doi-asserted-by":"crossref","unstructured":"B. Dowling, M. Fischlin, F. G\u00fcnther, D. Stebila, A cryptographic analysis of the TLS\u00a01.3 handshake protocol candidates. In: Ray, I., Li, N., Kruegel, C. (eds.) ACM CCS 2015. pp. 1197\u20131210. ACM Press, Denver, CO, USA (Oct\u00a012\u201316, 2015)","DOI":"10.1145\/2810103.2813653"},{"key":"9388_CR32","doi-asserted-by":"crossref","unstructured":"B. Dowling, M. Fischlin, F. G\u00fcnther, D. Stebila, A cryptographic analysis of the TLS 1.3 handshake protocol candidates. Cryptology ePrint Archive, Report 2015\/914 (2015) http:\/\/eprint.iacr.org\/2015\/914","DOI":"10.1145\/2810103.2813653"},{"key":"9388_CR33","unstructured":"B. Dowling, M. Fischlin, F. G\u00fcnther, D. Stebila, A cryptographic analysis of the TLS 1.3 draft-10 full and pre-shared key handshake protocol. Cryptology ePrint Archive, Report 2016\/081 (2016), http:\/\/eprint.iacr.org\/2016\/081"},{"key":"9388_CR34","doi-asserted-by":"crossref","unstructured":"B. Dowling, D. Stebila, Modelling ciphersuite and version negotiation in the TLS protocol. In: Foo, E., Stebila, D. (eds.) ACISP 15. LNCS, vol. 9144, pp. 270\u2013288. Springer, Heidelberg, Germany, Brisbane, QLD, Australia (Jun\u00a029\u2013Jul\u00a01, 2015)","DOI":"10.1007\/978-3-319-19962-7_16"},{"key":"9388_CR35","doi-asserted-by":"crossref","unstructured":"M. Fersch, E. Kiltz, B. Poettering, On the one-per-message unforgeability of (EC)DSA and its variants. In: Kalai, Y., Reyzin, L. (eds.) TCC\u00a02017, Part\u00a0II. LNCS, vol. 10678, pp. 519\u2013534. Springer, Heidelberg, Germany, Baltimore, MD, USA (Nov\u00a012\u201315, 2017)","DOI":"10.1007\/978-3-319-70503-3_17"},{"key":"9388_CR36","doi-asserted-by":"crossref","unstructured":"M. Fischlin, F. G\u00fcnther, Multi-stage key exchange and the case of Google\u2019s QUIC protocol. In: Ahn, G.J., Yung, M., Li, N. (eds.) ACM CCS 2014. pp. 1193\u20131204. ACM Press, Scottsdale, AZ, USA (Nov\u00a03\u20137, 2014)","DOI":"10.1145\/2660267.2660308"},{"key":"9388_CR37","doi-asserted-by":"crossref","unstructured":"M. Fischlin, F. G\u00fcnther, Replay attacks on zero round-trip time: The case of the TLS 1.3 handshake candidates. In: IEEE European Symposium on Security and Privacy 2017, EuroS&P 2017, Paris, France, April 26\u201328, 2017. pp. 60\u201375. IEEE (2017)","DOI":"10.1109\/EuroSP.2017.18"},{"key":"9388_CR38","doi-asserted-by":"crossref","unstructured":"K. Gj\u00f8steen, T. Jager, Practical and tightly-secure digital signatures and authenticated key exchange. In: Shacham, H., Boldyreva, A. (eds.) CRYPTO\u00a02018, Part\u00a0II. LNCS, vol. 10992, pp. 95\u2013125. Springer, Heidelberg, Germany, Santa Barbara, CA, USA (Aug\u00a019\u201323, 2018)","DOI":"10.1007\/978-3-319-96881-0_4"},{"key":"9388_CR39","doi-asserted-by":"crossref","unstructured":"S. Goldwasser, S. Micali, R.L. Rivest, A digital signature scheme secure against adaptive chosen-message attacks. SIAM J. Comput. 17(2), 281\u2013308 (1988)","DOI":"10.1137\/0217017"},{"key":"9388_CR40","unstructured":"F. G\u00fcnther, Modeling Advanced Security Aspects of Key Exchange and Secure Channel Protocols. Ph.D. thesis, Darmstadt University of Technology, Germany (2018), http:\/\/tuprints.ulb.tu-darmstadt.de\/7162\/"},{"key":"9388_CR41","doi-asserted-by":"crossref","unstructured":"V.T. Hoang, S. Tessaro, A. Thiruvengadam, The multi-user security of GCM, revisited: Tight bounds for nonce randomization. In: Lie, D., Mannan, M., Backes, M., Wang, X. (eds.) ACM CCS 2018. pp. 1429\u20131440. ACM Press, Toronto, ON, Canada (Oct\u00a015\u201319, 2018)","DOI":"10.1145\/3243734.3243816"},{"key":"9388_CR42","doi-asserted-by":"crossref","unstructured":"T. Jager, S.A. Kakvi, A. May, On the security of the PKCS#1 v1.5 signature scheme. In: Lie, D., Mannan, M., Backes, M., Wang, X. (eds.) ACM CCS 2018. pp. 1195\u20131208. ACM Press, Toronto, ON, Canada (Oct\u00a015\u201319, 2018)","DOI":"10.1145\/3243734.3243798"},{"key":"9388_CR43","doi-asserted-by":"crossref","unstructured":"T. Jager, F. Kohlar, S. Sch\u00e4ge, J. Schwenk, On the security of TLS-DHE in the standard model. In: Safavi-Naini, R., Canetti, R. (eds.) CRYPTO\u00a02012. LNCS, vol. 7417, pp. 273\u2013293. Springer, Heidelberg, Germany, Santa Barbara, CA, USA (Aug\u00a019\u201323, 2012)","DOI":"10.1007\/978-3-642-32009-5_17"},{"key":"9388_CR44","doi-asserted-by":"crossref","unstructured":"T. Jager, J. Schwenk, J. Somorovsky, On the security of TLS\u00a01.3 and QUIC against weaknesses in PKCS#1 v1.5 encryption. In: Ray, I., Li, N., Kruegel, C. (eds.) ACM CCS 2015. pp. 1185\u20131196. ACM Press, Denver, CO, USA (Oct\u00a012\u201316, 2015)","DOI":"10.1145\/2810103.2813657"},{"key":"9388_CR45","doi-asserted-by":"crossref","unstructured":"D. Johnson, A. Menezes, S.A. Vanstone, The elliptic curve digital signature algorithm (ECDSA). Int. J. Inf. Secur. 1(1), 36\u201363 (2001), https:\/\/doi.org\/10.1007\/s102070100002","DOI":"10.1007\/s102070100002"},{"key":"9388_CR46","doi-asserted-by":"crossref","unstructured":"S. Josefsson, I. Liusvaara, Edwards-Curve Digital Signature Algorithm (EdDSA). RFC 8032 (Informational) (Jan 2017), https:\/\/www.rfc-editor.org\/rfc\/rfc8032.txt","DOI":"10.17487\/RFC8032"},{"key":"9388_CR47","doi-asserted-by":"crossref","unstructured":"S.A. Kakvi, On the security of RSA-PSS in the wild. In: Proceedings of the 5th Security Standardisation Research Workshop (SSR\u201319), November 11, 2019, London, United Kingdom. (2019)","DOI":"10.1145\/3338500.3360333"},{"key":"9388_CR48","doi-asserted-by":"crossref","unstructured":"B. Kaliski, PKCS #1: RSA Encryption Version 1.5. RFC 2313 (Informational) (Mar 1998), https:\/\/www.rfc-editor.org\/rfc\/rfc2313.txt, obsoleted by RFC 2437","DOI":"10.17487\/rfc2313"},{"key":"9388_CR49","doi-asserted-by":"crossref","unstructured":"H. Krawczyk, M. Bellare, R. Canetti: HMAC: Keyed-Hashing for Message Authentication. RFC 2104 (Informational) (Feb 1997), https:\/\/www.rfc-editor.org\/rfc\/rfc2104.txt, updated by RFC 6151","DOI":"10.17487\/rfc2104"},{"key":"9388_CR50","doi-asserted-by":"crossref","unstructured":"H. Krawczyk, P. Eronen, HMAC-based Extract-and-Expand Key Derivation Function (HKDF). RFC 5869 (Informational) (May 2010), https:\/\/www.rfc-editor.org\/rfc\/rfc5869.txt","DOI":"10.17487\/rfc5869"},{"key":"9388_CR51","doi-asserted-by":"crossref","unstructured":"H. Krawczyk, SIGMA: The \u201cSIGn-and-MAc\u201d approach to authenticated Diffie-Hellman and its use in the IKE protocols. In: Boneh, D. (ed.) CRYPTO\u00a02003. LNCS, vol. 2729, pp. 400\u2013425. Springer, Heidelberg, Germany, Santa Barbara, CA, USA (Aug\u00a017\u201321, 2003)","DOI":"10.1007\/978-3-540-45146-4_24"},{"key":"9388_CR52","doi-asserted-by":"crossref","unstructured":"H. Krawczyk, Cryptographic extraction and key derivation: The HKDF scheme. In: Rabin, T. (ed.) CRYPTO\u00a02010. LNCS, vol. 6223, pp. 631\u2013648. Springer, Heidelberg, Germany, Santa Barbara, CA, USA (Aug\u00a015\u201319, 2010)","DOI":"10.1007\/978-3-642-14623-7_34"},{"key":"9388_CR53","doi-asserted-by":"crossref","unstructured":"H. Krawczyk, Cryptographic extraction and key derivation: The HKDF scheme. Cryptology ePrint Archive, Report 2010\/264 (2010b), http:\/\/eprint.iacr.org\/2010\/264","DOI":"10.1007\/978-3-642-14623-7_34"},{"key":"9388_CR54","doi-asserted-by":"crossref","unstructured":"H. Krawczyk, A unilateral-to-mutual authentication compiler for key exchange (with applications to client authentication in TLS\u00a01.3). In: Weippl, E.R., Katzenbeisser, S., Kruegel, C., Myers, A.C., Halevi, S. (eds.) ACM CCS 2016. pp. 1438\u20131450. ACM Press, Vienna, Austria (Oct\u00a024\u201328, 2016)","DOI":"10.1145\/2976749.2978325"},{"key":"9388_CR55","doi-asserted-by":"crossref","unstructured":"H. Krawczyk, K.G. Paterson, H. Wee, On the security of the TLS protocol: A systematic analysis. In: Canetti, R., Garay, J.A. (eds.) CRYPTO\u00a02013, Part\u00a0I. LNCS, vol. 8042, pp. 429\u2013448. Springer, Heidelberg, Germany, Santa Barbara, CA, USA (Aug\u00a018\u201322, 2013)","DOI":"10.1007\/978-3-642-40041-4_24"},{"key":"9388_CR56","doi-asserted-by":"crossref","unstructured":"H. Krawczyk, H. Wee, The OPTLS protocol and TLS 1.3. Cryptology ePrint Archive, Report 2015\/978 (2015), http:\/\/eprint.iacr.org\/2015\/978","DOI":"10.1109\/EuroSP.2016.18"},{"key":"9388_CR57","doi-asserted-by":"crossref","unstructured":"N. Mavrogiannopoulos, F. Vercauteren, V. Velichkov, B. Preneel, A cross-protocol attack on the TLS protocol. In: Yu, T., Danezis, G., Gligor, V.D. (eds.) ACM CCS 2012. pp. 62\u201372. ACM Press, Raleigh, NC, USA (Oct\u00a016\u201318, 2012)","DOI":"10.1145\/2382196.2382206"},{"key":"9388_CR58","doi-asserted-by":"crossref","unstructured":"D. Micciancio, M. Walter, On the bit security of cryptographic primitives. In: Nielsen, J.B., Rijmen, V. (eds.) EUROCRYPT\u00a02018, Part\u00a0I. LNCS, vol. 10820, pp. 3\u201328. Springer, Heidelberg, Germany, Tel Aviv, Israel (Apr\u00a029\u2013May\u00a03, 2018)","DOI":"10.1007\/978-3-319-78381-9_1"},{"key":"9388_CR59","unstructured":"K. Moriarty (Ed.), B. Kaliski, J. Jonsson, A. Rusch, PKCS #1: RSA Cryptography Specifications Version 2.2. RFC 8017 (Informational) (Nov 2016), https:\/\/www.rfc-editor.org\/rfc\/rfc8017.txt"},{"key":"9388_CR60","doi-asserted-by":"crossref","unstructured":"P. Morrissey, N.P. Smart, B. Warinschi, A modular security analysis of the TLS handshake protocol. In: Pieprzyk, J. (ed.) ASIACRYPT\u00a02008. LNCS, vol. 5350, pp. 55\u201373. Springer, Heidelberg, Germany, Melbourne, Australia (Dec\u00a07\u201311, 2008)","DOI":"10.1007\/978-3-540-89255-7_5"},{"key":"9388_CR61","doi-asserted-by":"crossref","unstructured":"N. Nisan, A. Ta-Shma, Extracting randomness: A survey and new constructions. J. Comput. Syst. Sci. 58(1), 148\u2013173 (1999), https:\/\/doi.org\/10.1006\/jcss.1997.1546","DOI":"10.1006\/jcss.1997.1546"},{"key":"9388_CR62","doi-asserted-by":"crossref","unstructured":"N. Nisan, D. Zuckerman, Randomness is linear in space. J. Comput. Syst. Sci. 52(1), 43\u201352 (1996), https:\/\/doi.org\/10.1006\/jcss.1996.0004","DOI":"10.1006\/jcss.1996.0004"},{"key":"9388_CR63","doi-asserted-by":"crossref","unstructured":"T. Okamoto, D. Pointcheval, The gap-problems: A new class of problems for the security of cryptographic schemes. In: Kim, K. (ed.) PKC\u00a02001. LNCS, vol. 1992, pp. 104\u2013118. Springer, Heidelberg, Germany, Cheju Island, South Korea (Feb\u00a013\u201315, 2001)","DOI":"10.1007\/3-540-44586-2_8"},{"key":"9388_CR64","doi-asserted-by":"crossref","unstructured":"E. Rescorla, Keying Material Exporters for Transport Layer Security (TLS). RFC 5705 (Proposed Standard) (Mar 2010), https:\/\/www.rfc-editor.org\/rfc\/rfc5705.txt, updated by RFCs 8446, 8447","DOI":"10.17487\/rfc5705"},{"key":"9388_CR65","doi-asserted-by":"crossref","unstructured":"E. Rescorla, The Transport Layer Security (TLS) Protocol Version 1.3. RFC 8446 (Proposed Standard) (Aug 2018), https:\/\/www.rfc-editor.org\/rfc\/rfc8446.txt","DOI":"10.17487\/RFC8446"},{"key":"9388_CR66","doi-asserted-by":"crossref","unstructured":"P. Rogaway, Formalizing human ignorance. In: Nguyen, P.Q. (ed.) Progress in Cryptology - VIETCRYPT 06. LNCS, vol. 4341, pp. 211\u2013228. Springer, Heidelberg, Germany, Hanoi, Vietnam (Sep\u00a025\u201328, 2006)","DOI":"10.1007\/11958239_14"},{"key":"9388_CR67","doi-asserted-by":"crossref","unstructured":"P. Rogaway, Formalizing human ignorance: Collision-resistant hashing without the keys. Cryptology ePrint Archive, Report 2006\/281 (2006b), http:\/\/eprint.iacr.org\/2006\/281","DOI":"10.1007\/11958239_14"},{"key":"9388_CR68","unstructured":"V. Shoup, Sequences of games: a tool for taming complexity in security proofs. Cryptology ePrint Archive, Report 2004\/332 (2004), http:\/\/eprint.iacr.org\/2004\/332"},{"key":"9388_CR69","unstructured":"D. Wagner, B. Schneier, Analysis of the SSL 3.0 protocol. In: Proceedings of the 2nd Conference on Proceedings of the Second USENIX Workshop on Electronic Commerce - Volume 2. pp. 29\u201340. WOEC\u201396, USENIX Association, USA (November 1996)"}],"container-title":["Journal of Cryptology"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1007\/s00145-021-09388-x.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/link.springer.com\/article\/10.1007\/s00145-021-09388-x\/fulltext.html","content-type":"text\/html","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1007\/s00145-021-09388-x.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2022,12,29]],"date-time":"2022-12-29T22:41:47Z","timestamp":1672353707000},"score":1,"resource":{"primary":{"URL":"https:\/\/link.springer.com\/10.1007\/s00145-021-09388-x"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2021,6,4]]},"references-count":69,"journal-issue":{"issue":"3","published-print":{"date-parts":[[2021,7]]}},"alternative-id":["9388"],"URL":"https:\/\/doi.org\/10.1007\/s00145-021-09388-x","relation":{},"ISSN":["0933-2790","1432-1378"],"issn-type":[{"value":"0933-2790","type":"print"},{"value":"1432-1378","type":"electronic"}],"subject":[],"published":{"date-parts":[[2021,6,4]]},"assertion":[{"value":"31 October 2019","order":1,"name":"received","label":"Received","group":{"name":"ArticleHistory","label":"Article History"}},{"value":"17 July 2020","order":2,"name":"revised","label":"Revised","group":{"name":"ArticleHistory","label":"Article History"}},{"value":"24 July 2020","order":3,"name":"accepted","label":"Accepted","group":{"name":"ArticleHistory","label":"Article History"}},{"value":"4 June 2021","order":4,"name":"first_online","label":"First Online","group":{"name":"ArticleHistory","label":"Article History"}}],"article-number":"30"}}