Paper 2021/467

Key-schedule Security for the TLS 1.3 Standard

Chris Brzuska, Antoine Delignat-Lavaud, Christoph Egger, Cédric Fournet, Konrad Kohbrok, and Markulf Kohlweiss


We analyze the security of the TLS 1.3 key establishment protocol, as specified at the end of its rigorous standardization process. We define a core key-schedule and reduce its security to concrete assumptions against an adversary that controls client and server configurations and adaptively chooses some of their keys. Our model supports all key derivations featured in the standard, including its negotiated modes and algorithms that combine an optional Diffie-Hellman exchange for forward secrecy with optional pre-shared keys supplied by the application or recursively established in prior sessions. We show that the output keys are secure as soon as any of their input key materials are. Our compositional, code-based proof makes use of state separation to yield concrete reductions despite the complexity of the key schedule. We also discuss (late) changes to the standard that would improve its robustness and simplify its analysis.

Available format(s)
Cryptographic protocols
Publication info
Preprint. MINOR revision.
TLSkey scheduleconcrete securityagilitykey exchangeexpandextractstate separationcomposable securityreal world protocolsprotocolsprotocol analysis
Contact author(s)
chris brzuska @ aalto fi
antdl @ microsoft com
christoph egger @ fau de
fournet @ microsoft com
mkohlwei @ ed ac uk
konrad kohbrok @ aalto fi
2021-04-12: received
Short URL
Creative Commons Attribution


      author = {Chris Brzuska and Antoine Delignat-Lavaud and Christoph Egger and Cédric Fournet and Konrad Kohbrok and Markulf Kohlweiss},
      title = {Key-schedule Security for the {TLS} 1.3 Standard},
      howpublished = {Cryptology ePrint Archive, Paper 2021/467},
      year = {2021},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.