Paper 2016/081

A Cryptographic Analysis of the TLS 1.3 draft-10 Full and Pre-shared Key Handshake Protocol

Benjamin Dowling, Marc Fischlin, Felix Günther, and Douglas Stebila


We analyze the handshake protocol of TLS 1.3 draft-ietf-tls-tls13-10 (published October 2015). This continues and extends our previous analysis (CCS 2015, Cryptology ePrint Archive 2015) of former TLS 1.3 drafts (draft-ietf-tls-tls13-05 and draft-ietf-tls-tls13-dh-based). Here we show that the full (EC)DHE Diffie-Hellman-based handshake of draft-10 is also secure in the multi-stage key exchange framework of Fischlin and Günther which captures classical Bellare-Rogaway key secrecy for key exchange protocols that derive multiple keys. We also note that a recent protocol change---the introduction of a NewSessionTicket message for resumption, encrypted under the application traffic key---impairs the protocol modularity and hence our compositional guarantees that ideally would allow an independent analysis of the record protocol. We additionally analyze the pre-shared key modes (with and without ephemeral Diffie-Hellman key), and fit them into the composability framework, addressing composability with the input resumption secret from a previous handshake and of the output session keys.

Note: Corrected proofs using PRF-ODH assumption

Available format(s)
Cryptographic protocols
Publication info
Preprint. MINOR revision.
Transport Layer Security (TLS)key exchangeprotocol analysiscomposition
Contact author(s)
guenther @ cs tu-darmstadt de
2017-01-31: revised
2016-01-29: received
See all versions
Short URL
Creative Commons Attribution


      author = {Benjamin Dowling and Marc Fischlin and Felix Günther and Douglas Stebila},
      title = {A Cryptographic Analysis of the TLS 1.3 draft-10 Full and Pre-shared Key Handshake Protocol},
      howpublished = {Cryptology ePrint Archive, Paper 2016/081},
      year = {2016},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.