Paper 2013/367

On the Security of TLS-DH and TLS-RSA in the Standard Model

Florian Kohlar, Sven Schäge, and Jörg Schwenk


TLS is the most important cryptographic protocol on the Internet. At CRYPTO 2012, Jager et al. presented the first proof of unmodified TLS with ephemeral Diffie-Hellman key exchange (TLS-DHE) for mutual authentication. Since TLS cannot be proven secure under the classical definition of authenticated key exchange (AKE), they introduced a new security model called authenticated and confidential channel establishment (ACCE) that captures the security properties expected from TLS in practice. We extend this result in two ways. First, we show that the cryptographic cores of the remaining ciphersuites, RSA encrypted key transport (TLS-RSA) and static Diffie-Hellman (TLS-DH), can be proven secure for mutual authentication in an extended ACCE model that also allows the adversary to register new public keys. In our security analysis we show that if TLS-RSA is instantiated with a CCA-secure public key cryptosystem, and TLS-DH is used in scenarios where a) the knowledge of secret key assumption holds or b) the adversary may not register new public keys at all, both ciphersuites can be proven secure in the standard model under standard security assumptions. Next, we present new and strong definitions of ACCE (and AKE) for server-only authentication which fit well into the general framework of Bellare-Rogaway-style models. We show that all three ciphersuite families remain secure in this server-only setting. Our work identifies which primitives need to be exchanged in the TLS handshake to obtain strong security results under standard security assumptions (in the standard model), and may thus help to guide future revisions of the TLS standard and make improvements to TLS's extensibility pay off.

Note: Updated grant code

Category
Cryptographic protocols
Publication info
Published elsewhere.
Keywords
authenticated key exchange, SSL, TLS, provable security, static Diffie-Hellman, RSA encrypted key transport
Contact author(s)
florian kohlar @ rub de
History
2013-06-17: last of 3 revisions
2013-06-10: received
License
Creative Commons Attribution


      author = {Florian Kohlar and Sven Schäge and Jörg Schwenk},
      title = {On the Security of TLS-DH and TLS-RSA in the Standard Model},
      howpublished = {Cryptology ePrint Archive, Paper 2013/367},
      year = {2013},
      note = {\url{}},
      url = {}