Paper 2017/082

Replay Attacks on Zero Round-Trip Time: The Case of the TLS 1.3 Handshake Candidates

Marc Fischlin and Felix Günther


We investigate security of key exchange protocols supporting so-called zero round-trip time (0-RTT), enabling a client to establish a fresh provisional key without interaction, based only on cryptographic material obtained in previous connections. This key can then be already used to protect early application data, transmitted to the server before both parties interact further to switch to fully secure keys. Two recent prominent examples supporting such 0-RTT modes are Google's QUIC protocol and the latest drafts for the upcoming TLS version 1.3. We are especially interested in the question how replay attacks, enabled through the lack of contribution from the server, affect security in the 0-RTT case. Whereas the first proposal of QUIC uses state on the server side to thwart such attacks, the latest version of QUIC and TLS 1.3 rather accept them as inevitable. We analyze what this means for the key secrecy of both the preshared-key-based 0-RTT handshake in draft-14 of TLS 1.3 as well as the Diffie-Hellman-based 0-RTT handshake in TLS 1.3 draft-12. As part of this we extend previous security models to capture such cases, also shedding light on the limitations and options for 0-RTT security under replay attacks.

Available format(s)
Cryptographic protocols
Publication info
Published elsewhere. Major revision.2nd IEEE European Symposium on Security and Privacy (EuroS&P 2017)
Transport Layer Security (TLS)key exchangeprotocol analysiszero round-trip timecomposition
Contact author(s)
guenther @ cs tu-darmstadt de
2017-02-06: received
Short URL
Creative Commons Attribution


      author = {Marc Fischlin and Felix Günther},
      title = {Replay Attacks on Zero Round-Trip Time: The Case of the TLS 1.3 Handshake Candidates},
      howpublished = {Cryptology ePrint Archive, Paper 2017/082},
      year = {2017},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.