Key-Schedule Security for the TLS 1.3 Standard

Chris Brzuska*, Antoine Delignat-Lavaud, Christoph Egger, Cédric Fournet, Konrad Kohbrok, Markulf Kohlweiss

*Corresponding author for this work

Research output: Chapter in Book/Report/Conference proceeding, Conference contribution, Scientific, peer-review


Transport Layer Security (TLS) is the cryptographic backbone of secure communication on the Internet. In its latest version 1.3, the standardization process has taken formal analysis into account both due to the importance of the protocol and the experience with conceptual attacks against previous versions. To manage the complexity of TLS (the specification exceeds 100 pages), prior reduction-based analyses have focused on some protocol features and omitted others, e.g., included session resumption and omitted agile algorithms or vice versa. This article is a major step towards analysing the TLS 1.3 key establishment protocol as specified at the end of its rigorous standardization process. Namely, we provide a full proof of the TLS key schedule, a core protocol component which produces output keys and internal keys of the key exchange protocol. In particular, our model supports all key derivations featured in the standard, including its negotiated modes and algorithms that combine an optional Diffie-Hellman exchange for forward secrecy with optional pre-shared keys supplied by the application or recursively established in prior sessions. Technically, we rely on state-separating proofs (Asiacrypt ’18) and introduce techniques to model large and complex derivation graphs. Our key schedule analysis techniques have been used subsequently to analyse the key schedule of Draft 11 of the MLS protocol (S&P ’22) and to propose improvements.

Original language: English
Title of host publication: Advances in Cryptology – ASIACRYPT 2022 - 28th International Conference on the Theory and Application of Cryptology and Information Security, 2022, Proceedings
Editors: Shweta Agrawal, Dongdai Lin
Number of pages: 30
ISBN (Print): 978-3-031-22962-6
Publication status: Published - 2022
MoE publication type: A4 Conference publication
Event: International Conference on the Theory and Application of Cryptology and Information Security - Taipei, Taiwan, Republic of China
Duration: 5 Dec 2022 to 9 Dec 2022
Conference number: 28

Publication series

Name: Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Volume: 13791 LNCS
ISSN (Print): 0302-9743
ISSN (Electronic): 1611-3349


Conference: International Conference on the Theory and Application of Cryptology and Information Security
Abbreviated title: ASIACRYPT
Country/Territory: Taiwan, Republic of China


  • Key schedule
  • Protocol analysis
  • State-separating proofs
  • TLS 1.3

