Paper 2020/1044

A Cryptographic Analysis of the TLS 1.3 Handshake Protocol

Benjamin Dowling, University of Sheffield
Marc Fischlin, TU Darmstadt
Felix Günther, ETH Zurich
Douglas Stebila, University of Waterloo

We analyze the handshake protocol of the Transport Layer Security (TLS) protocol, version 1.3. We address both the full TLS 1.3 handshake (the one round-trip time mode, with signatures for authentication and (elliptic curve) Diffie–Hellman ephemeral ((EC)DHE) key exchange), and the abbreviated resumption/"PSK" mode which uses a pre-shared key for authentication (with optional (EC)DHE key exchange and zero round-trip time key establishment). Our analysis in the reductionist security framework uses a multi-stage key exchange security model, where each of the many session keys derived in a single TLS 1.3 handshake is tagged with various properties (such as unauthenticated versus unilaterally authenticated versus mutually authenticated, whether it is intended to provide forward security, how it is used in the protocol, and whether the key is protected against replay attacks). We show that these TLS 1.3 handshake protocol modes establish session keys with their desired security properties under standard cryptographic assumptions.

Note: This revision contains minor corrections to details of the key derivation function inputs.

Available format(s)
Cryptographic protocols
Publication info
A minor revision of an IACR publication in JOC 2021
key exchangeTransport Layer Security protocolTLS 1.3
Contact author(s)
b dowling @ sheffield ac uk
marc fischlin @ tu-darmstadt de
mail @ felixguenther info
dstebila @ uwaterloo ca
2023-02-27: last of 2 revisions
2020-08-28: received
See all versions
Short URL
Creative Commons Attribution


      author = {Benjamin Dowling and Marc Fischlin and Felix Günther and Douglas Stebila},
      title = {A Cryptographic Analysis of the {TLS} 1.3 Handshake Protocol},
      howpublished = {Cryptology ePrint Archive, Paper 2020/1044},
      year = {2020},
      doi = {10.1007/s00145-021-09384-1},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.