A cryptographic analysis of the TLS 1.3 handshake protocol

The TLS 1.3 key schedule


We analyze the handshake protocol of the Transport Layer Security (TLS) protocol, version 1.3. We address both the full TLS 1.3 handshake (the one round-trip time mode, with signatures for authentication and (elliptic curve) Diffie–Hellman ephemeral ((EC)DHE) key exchange), and the abbreviated resumption/'PSK' mode which uses a pre-shared key for authentication (with optional (EC)DHE key exchange and zero round-trip time key establishment). Our analysis in the reductionist security framework uses a multi-stage key exchange security model, where each of the many session keys derived in a single TLS 1.3 handshake is tagged with various properties (such as unauthenticated versus unilaterally authenticated versus mutually authenticated, whether it is intended to provide forward security, how it is used in the protocol, and whether the key is protected against replay attacks). We show that these TLS 1.3 handshake protocol modes establish session keys with their desired security properties under standard cryptographic assumptions.

Keywords: key exchange, Transport Layer Security protocol, TLS 1.3


Benjamin Dowling, Marc Fischlin, Felix Günther, Douglas Stebila. A cryptographic analysis of the TLS 1.3 handshake protocol. Journal of Cryptology, 34(37):1–69. Springer, July 2021. © The authors.




This research was supported by:
  • Australian Research Council (ARC) Discovery Project grant DP130104304
  • Natural Sciences and Engineering Research Council of Canada (NSERC) Discovery grant RGPIN-2016-05146
  • NSERC Discovery Accelerator Supplement grant RGPIN-2016-05146
  • EPSRC grant EP/L018543/1
  • German Federal Ministry of Education and Research and the Hessen State Ministry for Higher Education, Research and the Arts within their joint sup- port of the National Research Center for Applied Cybersecurity
  • Research Fellowship grant GU 1859/1-1 of the German Research Foundation (DFG)
  • National Science Foundation (NSF) grants CNS-1526801 and CNS-1717640
  • DFG as part of project S4 within the CRC 1119 CROSSING