Transport Layer Security

This page collates research relevant to TLS and its developement through the years. It may be incomplete.

Key Exchange Security Models

• Needham, Roger M., and Michael D. Schroeder. "Using encryption for authentication in large networks of computers." Communications of the ACM 21.12 (1978): 993-999.http://pages.cs.wisc.edu/~remzi/Classes/537/LectureNotes/Papers/encryption.pdf

• Dolev, Danny, and Andrew Yao. "On the security of public key protocols." IEEE Transactions on information theory 29.2 (1983): 198-208.http://www.cs.huji.ac.il/~dolev/pubs/dolev-yao-ieee-01056650.pdf

• Bellare, Mihir, and Phillip Rogaway. "Entity Authentication and Key Distribution." Crypto. Vol. 93. 1993.http://cseweb.ucsd.edu/~mihir/papers/eakd.pdf

• Bellare, Mihir, and Phillip Rogaway. "Provably secure session key distribution: the three party case." Proceedings of the twenty-seventh annual ACM symposium on Theory of computing. ACM, 1995. APA. http://seclab.cs.ucdavis.edu/papers/Rogaway/3pkd.pdf

• Wagner, David, and Bruce Schneier. "Analysis of the SSL 3.0 protocol." The Second USENIX Workshop on Electronic Commerce Proceedings. Vol. 1. No. 1. 1996. https://www.usenix.org/publications/library/proceedings/ec96/full_papers/wagner/wagner.pdf

• Blake-Wilson, Simon, Don Johnson, and Alfred Menezes. "Key agreement protocols and their security analysis." Crytography and Coding (1997): 30-45. https://pdfs.semanticscholar.org/fdb0/3a4a533e09b71b18045ba85ba9978de65a2d.pdf

• Mitchell, John C., Vitaly Shmatikov, and Ulrich Stern. "Finite-State Analysis of SSL 3.0." USENIX Security Symposium. 1998. http://static.usenix.org/legacy/publications/library/proceedings/sec98/full_papers/mitchell/mitchell_html/mitchell.html

• Blake-Wilson, Simon, and Alfred Menezes. "Authenticated Diffe-Hellman key agreement protocols." International Workshop on Selected Areas in Cryptography. Springer Berlin Heidelberg, 1998. https://pdfs.semanticscholar.org/2719/4ef08166b3b2b896443aedbd573d46b4f990.pdf

• Lincoln, Patrick, et al. "A probabilistic poly-time framework for protocol analysis." Proceedings of the 5th ACM conference on Computer and communications security. ACM, 1998. http://infolab.stanford.edu/pub/cstr/reports/cs/tn/98/78/CS-TN-98-78.pdf

• Bellare, Mihir, Ran Canetti, and Hugo Krawczyk. "A modular approach to the design and analysis of authentication and key exchange protocols." Proceedings of the thirtieth annual ACM symposium on Theory of computing. ACM, 1998. http://cseweb.ucsd.edu/~Mihir/papers/modular.pdf

• Shoup, Victor. "On formal models for secure key exchange." (1999). http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.49.8224&rep=rep1&type=pdf

• Bellare, Mihir, David Pointcheval, and Phillip Rogaway. "Authenticated key exchange secure against dictionary attacks." Advances in Cryptology—EUROCRYPT 2000. Springer Berlin/Heidelberg, 2000. http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.28.5966&rep=rep1&type=pdf

• Canetti, Ran, and Hugo Krawczyk. "Analysis of key-exchange protocols and their use for building secure channels." International Conference on the Theory and Applications of Cryptographic Techniques. Springer Berlin Heidelberg, 2001. http://web.cs.wpi.edu/~guttman/cs564/papers/canetti_krawczyk.pdf

• MacKenzie, Philip. "On the Security of the SPEKE Password-Authenticated Key Exchange Protocol." IACR Cryptology ePrint Archive 2001 (2001): 57. http://ai2-s2-pdfs.s3.amazonaws.com/4312/883a7982c97c1c3a4c168b17bfc44d16488d.pdf

• Krawczyk, Hugo. "The order of encryption and authentication for protecting communications (or: How secure is SSL?)." Advances in Cryptology—CRYPTO 2001. Springer Berlin/Heidelberg, 2001. https://pdfs.semanticscholar.org/abb3/9b98016e1809019245dd0a9d5a7e8473a710.pdf

• Katz, Jonathan. Efficient Cryptographic Protocols Preventing “Man-in-the-Middle” Attacks. Diss. COLUMBIA UNIVERSITY, 2002. https://www.cs.umd.edu/~jkatz/papers/thesis.pdf

• Canetti, Ran, and Hugo Krawczyk. "Universally composable notions of key exchange and secure channels." International Conference on the Theory and Applications of Cryptographic Techniques. Springer Berlin Heidelberg, 2002. http://ai2-s2-pdfs.s3.amazonaws.com/2cae/3e9f86e99c136ced97d9da6a574bb207595f.pdf

• Katz, Jonathan, Rafail Ostrovsky, and Moti Yung. "Forward secrecy in password-only key exchange protocols." International Conference on Security in Communication Networks. Springer Berlin Heidelberg, 2002. ftp://nozdr.ru/biblio/kolxo3/Cs/CsLn/S/Security%20in%20Communication%20Networks,%203%20conf.,%20SCN%202002(LNCS2576,%20Springer,%202003)(ISBN%203540004203)(373s)CsLn.pdf#page=38

• Law, Laurie, et al. "An efficient protocol for authenticated key agreement." Designs, Codes and Cryptography 28.2 (2003): 119-134. http://cacr.uwaterloo.ca/techreports/1998/corr98-05.pdf

• Krawczyk, Hugo. "SIGMA: The ‘SIGn-and-MAc’approach to authenticated Diffie-Hellman and its use in the IKE protocols." Annual International Cryptology Conference. Springer Berlin Heidelberg, 2003. http://webee.technion.ac.il/~hugo/sigma-pdf.pdf

• Boyd, Colin, Wenbo Mao, and Kenneth G. Paterson. "Deniable authenticated key establishment for internet protocols." International Workshop on Security Protocols. Springer Berlin Heidelberg, 2003. https://pdfs.semanticscholar.org/d7fd/d1d0a74687925bdf0f2f084cf99246e6460d.pdf

• Tin, Yiu Shing Terry, Colin Boyd, and Juan Manuel González Nieto. "Provably secure mobile key exchange: Applying the Canetti-Krawczyk approach." Australasian Conference on Information Security and Privacy. Springer Berlin Heidelberg, 2003.http://eprints.qut.edu.au/24575/1/provably_secure_mobile_key_exchange-_applying_the_Canetti-Krawczyk_approach.pdf

• Boyd, Colin, Wenbo Mao, and Kenneth G. Paterson. "Key agreement using statically keyed authenticators." International Conference on Applied Cryptography and Network Security. Springer Berlin Heidelberg, 2004. http://eprints.qut.edu.au/9989/1/Key_agreemnet_using_statistically_keyed_authenticators.pdf

• Aiello, William, et al. "Just fast keying: Key agreement in a hostile internet." ACM Transactions on Information and System Security (TISSEC) 7.2 (2004): 242-273. https://pdfs.semanticscholar.org/a7a3/ca0268f5ff8323a3aa3fe82babb4850f2276.pdf

• Krawczyk, Hugo. "HMQV: A high-performance secure Diffie-Hellman protocol." Annual International Cryptology Conference. Springer Berlin Heidelberg, 2005. https://eprint.iacr.org/2005/176.pdf

• Choo, Kim-Kwang Raymond, Colin Boyd, and Yvonne Hitchcock. "On session key construction in provably-secure key establishment protocols." International Conference on Cryptology in Malaysia. Springer Berlin Heidelberg, 2005. http://eprints.qut.edu.au/1753/1/On_Session_Key_Construction_in_Provably-Secure_Protocols_-_30_Jun_05.pdf

• Harn, Lein, W-J. Hsin, and Mohit Mehta. "Authenticated Diffie–Hellman key agreement protocol using a single cryptographic assumption." IEE Proceedings-Communications 152.4 (2005): 404-410.https://pdfs.semanticscholar.org/044a/6fc2b0b3ff1def8dddcac3e3af1f5a353a55.pdf

• Datta, Anupam. Security analysis of network protocols: Compositional reasoning and complexity-theoretic foundations. Diss. Stanford University, 2005. http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.130.8170&rep=rep1&type=pdf

• Choo, Kim-Kwang Raymond, Colin Boyd, and Yvonne Hitchcock. "Examining indistinguishability-based proof models for key establishment protocols." International Conference on the Theory and Application of Cryptology and Information Security. Springer Berlin Heidelberg, 2005. http://eprints.qut.edu.au/2181/1/2181_1.pdf

• Cheng, Zhaohui, et al. "On The Indistinguishability-Based Security Model of Key Agreement Protocols-Simple Cases." IACR Cryptology ePrint Archive 2005 (2005): 129. http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.59.5945&rep=rep1&type=pdf

• Choo, Kim-Kwang Raymond, and Yvonne Hitchcock. "Security requirements for key establishment proof models: revisiting Bellare–Rogaway and Jeong–Katz–Lee protocols." Australasian Conference on Information Security and Privacy. Springer Berlin Heidelberg, 2005. https://www.researchgate.net/profile/Kim-Kwang_Raymond_Choo/publication/220798644_Security_Requirements_for_Key_Establishment_Proof_Models_Revisiting_Bellare-Rogaway_and_Jeong-Katz-Lee_Protocols/links/09e4150be7aa1dee59000000.pdf

• He, Changhua, et al. "A modular correctness proof of IEEE 802.11 i and TLS." Proceedings of the 12th ACM conference on Computer and communications security. ACM, 2005. https://www.andrew.cmu.edu/user/danupam/hsddm-ccs05.pdf

• Kudla, Caroline, and Kenneth G. Paterson. "Modular security proofs for key agreement protocols." International Conference on the Theory and Application of Cryptology and Information Security. Springer, Berlin, Heidelberg, 2005. https://link.springer.com/content/pdf/10.1007/11593447_30.pdf

• Hitchcock, Yvonne, Colin Boyd, and Juan Manuel González Nieto. "Modular proofs for key exchange: rigorous optimizations in the Canetti–Krawczyk model." Applicable Algebra in Engineering, Communication and Computing 16.6 (2006): 405-438. http://link.springer.com/article/10.1007%2Fs00200-005-0185-9?LI=true

• Choo, Kim-Kwang Raymond. Key Establishment: Proofs and Refutations. Diss. Queensland University of Technology, 2006. https://www.researchgate.net/profile/Kim-Kwang_Raymond_Choo/publication/27475337_Key_establishment_proofs_and_refutations/links/09e4150be7aa087eca000000.pdf

• Di Raimondo, Mario, Rosario Gennaro, and Hugo Krawczyk. "Deniable authentication and key exchange." Proceedings of the 13th ACM conference on Computer and communications security. ACM, 2006. http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.66.4486&rep=rep1&type=pdf

• Goldreich, Oded, and Yehuda Lindell. "Session-key generation using human passwords only." Journal of Cryptology 19.3 (2006): 241-340. http://dee.srv1.eu/refs/files/2/71.pdf

• Menezes, Alfred. "Another look at HMQV." Mathematical Cryptology JMC 1.1 (2007): 47-64. http://eprint.iacr.org/2005/205.pdf

• Bresson, Emmanuel, Mark Manulis, and Jörg Schwenk. "On security models and compilers for group key exchange protocols." International Workshop on Security. Springer Berlin Heidelberg, 2007. http://epubs.surrey.ac.uk/755182/1/BreMaSc_IWSEC07.pdf

• Katz, Jonathan, and Moti Yung. "Scalable protocols for authenticated group key exchange." Journal of Cryptology 20.1 (2007): 85-113. http://link.springer.com/article/10.1007%2Fs00145-006-0361-5?LI=true

• Krawczyk, Hugo. "A unilateral-to-mutual authentication compiler for key exchange (with applications to client authentication in tls 1.3)." Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security. ACM, 2016.https://eprint.iacr.org/2016/711.pdf

• LaMacchia, Brian, Kristin Lauter, and Anton Mityagin. "Stronger security of authenticated key exchange." International Conference on Provable Security. Springer, Berlin, Heidelberg, 2007.https://www.microsoft.com/en-us/research/wp-content/uploads/2016/02/strongake-submitted.pdf

• Gajek, Sebastian, et al. "Universally composable security analysis of TLS." International Conference on Provable Security. Springer, Berlin, Heidelberg, 2008.https://eprint.iacr.org/2008/251.pdf

• Jiang, Shaoquan, and Reihaneh Safavi-Naini. "An efficient deniable key exchange protocol." International Conference on Financial Cryptography and Data Security. Springer Berlin Heidelberg, 2008. https://www.researchgate.net/profile/Shaoquan_Jiang/publication/266492440_An_Efficient_Fully_Deniable_Key_Exchange_Protocol/links/543c10830cf2d6698be364d1.pdf

• Morrissey, Paul, Nigel P. Smart, and Bogdan Warinschi. "A modular security analysis of the TLS handshake protocol." International Conference on the Theory and Application of Cryptology and Information Security. Springer Berlin Heidelberg, 2008. https://pdfs.semanticscholar.org/d0a3/fc786f5d101ef38a28cd9f7a03f0ca38be41.pdf

• Yao, Andrew C., and Yunlei Zhao. "Deniable internet key exchange." International Conference on Applied Cryptography and Network Security. Springer Berlin Heidelberg, 2010. http://web.cs.ucdavis.edu/~franklin/ecs228/pubs/191.pdf

• Menezes, Alfred, and Berkant Ustaoglu. "On reusing ephemeral keys in Diffie-Hellman key agreement protocols." International Journal of Applied Cryptography 2.2 (2010): 154-158.http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.217.839&rep=rep1&type=pdf

• Katz, Jonathan, and Vinod Vaikuntanathan. "One-Round Password-Based Authenticated Key Exchange." IACR Cryptology ePrint Archive 2010 (2010): 368. http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.178.923&rep=rep1&type=pdf

• Groce, Adam, and Jonathan Katz. "A new framework for efficient password-based authenticated key exchange." Proceedings of the 17th ACM conference on Computer and communications security. ACM, 2010. https://eprint.iacr.org/2010/147.pdf

• Sarr, Augustin P., Philippe Elbaz-Vincent, and Jean-Claude Bajard. "A new security model for authenticated key agreement." International Conference on Security and Cryptography for Networks. Springer Berlin Heidelberg, 2010. https://hal.archives-ouvertes.fr/hal-01099279/document

• Morrissey, Paul, Nigel P. Smart, and Bogdan Warinschi. "The TLS handshake protocol: A modular analysis." Journal of Cryptology 23.2 (2010): 187-223. https://www.researchgate.net/profile/Bogdan_Warinschi/publication/225442851_The_TLS_Handshake_Protocol_A_Modular_Analysis/links/02e7e522612cbafa25000000.pdf

• Zhang, Yazhe, Kunpeng Wang, and Bao Li. "A deniable group key establishment protocol in the standard model." International Conference on Information Security Practice and Experience. Springer Berlin Heidelberg, 2010. http://link.springer.com/chapter/10.1007%2F978-3-642-12827-1_23

• Cremers, Cas. "Examining indistinguishability-based security models for key exchange protocols: the case of CK, CK-HMQV, and eCK." Proceedings of the 6th ACM Symposium on Information, Computer and Communications Security. ACM, 2011. https://www.research-collection.ethz.ch/bitstream/handle/20.500.11850/69246/eth-4933-01.pdf?sequence=1https://eprint.iacr.org/2009/253.pdf

• Küsters, Ralf, and Max Tuengerthal. "Composition theorems without pre-established session identifiers." Proceedings of the 18th ACM conference on Computer and communications security. ACM, 2011. https://infsec.uni-trier.de/publications/paper/KuestersTuengerthal-CCS-2011.pdf

• Cremers, Cas, and Michele Feltz. "One-round strongly secure key exchange with perfect forward secrecy and deniability." IACR Cryptology ePrint Archive 2011 (2011): 300. https://pdfs.semanticscholar.org/b615/427ab261b6a41e7375beb9270b36c9c2a8fa.pdf

• Yi, Xun, Raylin Tso, and Eiji Okamoto. "Three-party password-authenticated key exchange without random oracles." Security and Cryptography (SECRYPT), 2011 Proceedings of the International Conference on. IEEE, 2011. http://ieeexplore.ieee.org/abstract/document/6732368/

• Yang, Guomin, et al. "Authenticated key exchange under bad randomness." International Conference on Financial Cryptography and Data Security. Springer Berlin Heidelberg, 2011. http://ro.uow.edu.au/cgi/viewcontent.cgi?article=3329&context=eispapers

• Brzuska, Christina, et al. "Composability of Bellare-Rogaway key exchange protocols." Proceedings of the 18th ACM conference on Computer and communications security. ACM, 2011. http://www.cs.bris.ac.uk/~bogdan/pdf/brc.pdf

• Jager, Tibor, et al. "A Standard-Model Security Analysis of TLS-DHE." IACR Cryptology ePrint Archive 2011.219 (2011). https://www.researchgate.net/profile/Florian_Kohlar/publication/220333894_A_Standard-Model_Security_Analysis_of_TLS-DHE/links/00b7d51bed4bb12d3a000000.pdf

• Goldberg, Ian, Douglas Stebila, and Berkant Ustaoglu. "Anonymity and one-way authentication in key exchange protocols." Designs, Codes and Cryptography (2012): 1-25.http://eprints.qut.edu.au/48245/1/main_full_version.pdf

• Yao, Andrew Chi-Chih, and Yunlei Zhao. "OAKE: a new family of implicitly authenticated diffie-hellman protocols." Proceedings of the 2013 ACM SIGSAC conference on Computer & communications security. ACM, 2013. APA. https://eprint.iacr.org/2011/035.pdf

• Jager, Tibor, et al. "On the security of TLS-DHE in the standard model." Advances in Cryptology–CRYPTO 2012. Springer, Berlin, Heidelberg, 2012. 273-293. https://link.springer.com/content/pdf/10.1007/978-3-642-32009-5_17.pdf

• Liu, Shengli, et al. "Security model and analysis of FHMQV, revisited." International Conference on Information Security and Cryptology. Springer International Publishing, 2013. http://link.springer.com/chapter/10.1007/978-3-319-12087-4_16

• Brzuska, Christina, et al. "Less is more: Relaxed yet composable security notions for key exchange." International Journal of Information Security 12.4 (2013): 267-297. http://eprint.iacr.org/2012/242.pdf

• Brzuska, Christina. On the foundations of key exchange. Diss. Technische Universität, 2013. APA. http://tuprints.ulb.tu-darmstadt.de/3414/7/thesis-tuprint-2013.pdf

• Boyd, Colin, et al. "ASICS: Authenticated key exchange security incorporating certification systems." European Symposium on Research in Computer Security. Springer, Berlin, Heidelberg, 2013. APA. http://eprints.qut.edu.au/61829/1/eprint_61829.pdf

• Jost, Daniel. A constructive analysis of IPsec. Diss. ETH-Zürich, 2014. http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.917.6475&rep=rep1&type=pdf

• Feltz, Michele, and Cas Cremers. "On the Limits of Authenticated Key Exchange Security with an Application to Bad Randomness." IACR Cryptology ePrint Archive 2014 (2014): 369. http://eprint.iacr.org/2014/369.pdf

• Bos, Joppe W., et al. "Post-quantum key exchange for the TLS protocol from the ring learning with errors problem." Security and Privacy (SP), 2015 IEEE Symposium on. IEEE, 2015. http://eprints.qut.edu.au/86651/1/main.pdf

• Zhang, Jiang, et al. "Authenticated key exchange from ideal lattices." Annual International Conference on the Theory and Applications of Cryptographic Techniques. Springer Berlin Heidelberg, 2015.http://eprint.iacr.org/2014/589.pdf

• Cremers, Cas, and Michele Feltz. "Beyond eCK: perfect forward secrecy under actor compromise and ephemeral-key reveal." Designs, Codes and Cryptography 74.1 (2015): 183-218. https://ora.ox.ac.uk/objects/uuid:d18649eb-e05c-40af-b87a-172d6d02c562/datastreams/ATTACHMENT01

• Bos, Joppe W., et al. "Post-quantum key exchange for the TLS protocol from the ring learning with errors problem." Security and Privacy (SP), 2015 IEEE Symposium on. IEEE, 2015. http://eprints.qut.edu.au/86651/1/main.pdf

• Singh, Vikram. "A Practical Key Exchange for the Internet using Lattice Cryptography." IACR Cryptology ePrint Archive 2015 (2015): 138. https://pdfs.semanticscholar.org/96b1/9f5c0d2fd09df770943f80d08c03cf4ddccb.pdf

• Jager, Tibor, Jörg Schwenk, and Juraj Somorovsky. "On the security of TLS 1.3 and QUIC against weaknesses in PKCS# 1 v1. 5 encryption." Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security. ACM, 2015. http://euklid.org/pdf/CCS15.pdf

• Dowling, Benjamin, and Douglas Stebila. "Modelling ciphersuite and version negotiation in the TLS protocol." Australasian Conference on Information Security and Privacy. Springer International Publishing, 2015. http://eprints.qut.edu.au/86650/1/main_lncs.pdf

• Li, Xinyu, et al. "Multiple handshakes security of TLS 1.3 candidates." Security and Privacy (SP), 2016 IEEE Symposium on. IEEE, 2016. http://ieeexplore.ieee.org/abstract/document/7546519/

• Boyd, Colin, et al. "From stateless to stateful: Generic authentication and authenticated encryption constructions with application to TLS." Cryptographers’ Track at the RSA Conference. Springer, Cham, 2016. https://eprint.iacr.org/2015/1150.pdf

• Fischlin, Marc, et al. "Key confirmation in key exchange: a formal treatment and implications for TLS 1.3." Security and Privacy (SP), 2016 IEEE Symposium on. IEEE, 2016. http://ieeexplore.ieee.org/abstract/document/7546517/

• Krawczyk, Hugo, and Hoeteck Wee. "The OPTLS protocol and TLS 1.3." Security and Privacy (EuroS&P), 2016 IEEE European Symposium on. IEEE, 2016. APA. http://eprint.iacr.org/2015/978.pdf

• Cremers, Cas, et al. "Automated analysis and verification of TLS 1.3: 0-RTT, resumption and delayed authentication." Security and Privacy (SP), 2016 IEEE Symposium on. IEEE, 2016. http://tls13tamarin.github.io/TLS13Tamarin/docs/tls13tamarin.pdf

• Dowling, Benjamin, et al. "A Cryptographic Analysis of the TLS 1.3 draft-10 Full and Pre-shared Key Handshake Protocol." IACR Cryptology ePrint Archive 2016 (2016): 81. https://eprint.iacr.org/2016/081.pdf

• Zhao, Yunlei. "Identity-Concealed Authenticated Encryption and Key Exchange." Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security. ACM, 2016. http://dl.acm.org/citation.cfm?id=2978350

• Chen, Rongmao, et al. "Strongly leakage-resilient authenticated key exchange." Cryptographers’ Track at the RSA Conference. Springer International Publishing, 2016. http://eprint.iacr.org/2016/308.pdf

• Lan, Xiao, et al. "Investigating the Multi-Ciphersuite and Backwards-Compatibility Security of the Upcoming TLS 1.3." IEEE Transactions on Dependable and Secure Computing, 2017. http://ieeexplore.ieee.org/abstract/document/7883842/

• Küsters, Ralf, and Daniel Rausch. "A Framework for Universally Composable Diffie-Hellman Key Exchange." IACR Cryptology ePrint Archive 2017 (2017): 256.https://eprint.iacr.org/2017/256.pdf

• Bhargavan, Karthikeyan, et al. "Content Delivery over TLS: A Cryptographic Analysis of Keyless SSL." Proceedings of the 2nd IEEE European Symposium on Security and Privacy. 2017. http://epubs.surrey.ac.uk/813643/1/mainKeyless.pdf

• Günther, Felix, et al. "0-RTT Key Exchange with Full Forward Secrecy." Annual International Conference on the Theory and Applications of Cryptographic Techniques. Springer, Cham, 2017.https://eprint.iacr.org/2017/223.pdf

• Dowling, Benjamin, and Kenneth G. Paterson. "A Cryptographic Analysis of the WireGuard Protocol."https://eprint.iacr.org/2018/080.pdf

• Dodis, Yevgeniy, and Dario Fiore. "Unilaterally-Authenticated Key Exchange." https://pdfs.semanticscholar.org/64f2/880941049aeb7717e27b805a1d046cf60acf.pdf

Attacks and Real-World Protocols

• Kaliski Jr, Burton S. "An unknown key-share attack on the MQV key agreement protocol." ACM Transactions on Information and System Security (TISSEC) 4.3 (2001): 275-288. http://dl.acm.org/citation.cfm?id=501981

• Krawczyk, Hugo, Kenneth G. Paterson, and Hoeteck Wee. "On the security of the TLS protocol: A systematic analysis." Advances in Cryptology–CRYPTO 2013. Springer, Berlin, Heidelberg, 2013. 429-448. https://eprint.iacr.org/2013/339.pdf

• Giesen, Florian, Florian Kohlar, and Douglas Stebila. "On the security of TLS renegotiation." Proceedings of the 2013 ACM SIGSAC conference on Computer & communications security. ACM, 2013. http://eprints.qut.edu.au/62025/2/GKS13full.pdf

• Meyer, Christopher, et al. "Revisiting SSL/TLS Implementations: New Bleichenbacher Side Channels and Attacks." USENIX Security. Vol. 14. 2014. https://www.usenix.org/system/files/conference/usenixsecurity14/sec14-paper-meyer.pdf

• Jager, Tibor, Jörg Schwenk, and Juraj Somorovsky. "Practical invalid curve attacks on TLS-ECDH." European Symposium on Research in Computer Security. Springer International Publishing, 2015. http://nds.rub.de/media/nds/veroeffentlichungen/2015/09/14/main-full.pdf

• Garman, Christina, Kenneth G. Paterson, and Thyla Van der Merwe. "Attacks Only Get Better: Password Recovery Attacks Against RC4 in TLS." USENIX Security. 2015. https://www.usenix.org/sites/default/files/conference/protected-files/sec15_slides_garman.pdf

• Bhargavan, Karthikeyan, and Gaëtan Leurent. "Transcript collision attacks: Breaking authentication in TLS, IKE, and SSH." Network and Distributed System Security Symposium--NDSS 2016. 2016. https://hal.inria.fr/hal-01244855/document

• Bhargavan, Karthikeyan, et al. "Downgrade resilience in key-exchange protocols." Security and Privacy (SP), 2016 IEEE Symposium on. IEEE, 2016. https://eprint.iacr.org/2016/072.pdf

• Aviram, Nimrod, et al. "DROWN: breaking TLS using SSLv2." 25th USENIX Security Symposium (USENIX Security 16)(Aug. 2016). 2016. http://dezhafzar.com/wp-content/uploads/2017/01/drown-attack-paper.pdf

• Albrecht, Martin R., and Kenneth G. Paterson. "Lucky Microseconds: A timing attack on amazon’s s2n implementation of TLS." Annual International Conference on the Theory and Applications of Cryptographic Techniques. Springer Berlin Heidelberg, 2016. https://pdfs.semanticscholar.org/35d6/03028fe164b46e71898d6780811a84d18c1e.pdf

Verified Proofs and Implementations

• Bella, Giampaolo. Inductive verification of cryptographic protocols. No. UCAM-CL-TR-493. University of Cambridge, Computer Laboratory, 2000. http://www.cl.cam.ac.uk/techreports/UCAM-CL-TR-493.pdf

• Goubault-Larrecq, Jean. "A method for automatic cryptographic protocol verification." Parallel and Distributed Processing (2000): 977-984. http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.34.3869&rep=rep1&type=pdf

• Lauter, Kristin, and Anton Mityagin. "Security analysis of KEA authenticated key exchange protocol." Public Key Cryptography. Vol. 3958. 2006. https://pdfs.semanticscholar.org/4e05/5184f0d2362bd649880146e942ef41fb47f9.pdf

• Cremers, Casimier Joseph Franciscus. Scyther: Semantics and verification of security protocols. Eindhoven, Netherlands: Eindhoven University of Technology, 2006. https://pure.tue.nl/ws/files/2425555/200612074.pdf

• Küsters, Ralf, and Tomasz Truderung. "Using ProVerif to analyze protocols with Diffie-Hellman exponentiation." Computer Security Foundations Symposium, 2009. CSF'09. 22nd IEEE. IEEE, 2009. https://pdfs.semanticscholar.org/6ef7/d56e104d6914cdf1861a20ac9dce8a08344e.pdf

• Beurdouche, Benjamin, et al. "A messy state of the union: Taming the composite state machines of TLS." Security and Privacy (SP), 2015 IEEE Symposium on. IEEE, 2015. https://hal.inria.fr/hal-01114250/document

• Barthe, Gilles, et al. "Mind the gap: Modular machine-checked proofs of one-round key exchange protocols." Annual International Conference on the Theory and Applications of Cryptographic Techniques. Springer Berlin Heidelberg, 2015. https://pdfs.semanticscholar.org/479f/5c87cb4e6a0bf6183d5e0835dd2694ecbba6.pdf

• Bhargavan, Karthikeyan, Cedric Fournet, and Markulf Kohlweiss. "miTLS: Verifying Protocol Implementations against Real-World Attacks." IEEE Security & Privacy 14.6 (2016): 18-25. http://ieeexplore.ieee.org/abstract/document/7782710/

• Delignat, Benjamin Beurdouche Karthikeyan Bhargavan Antoine, et al. "Towards a Provably Secure Implementation of TLS 1.3." https://jonathan.protzenko.fr/papers/tron16.pdf

• Bhargavan, Karthikeyan, et al. "Implementing and Proving the TLS 1.3 Record Layer." (2016). https://eprint.iacr.org/2016/1178.pdf

• Bhargavan, Karthikeyan, Nadim Kobeissi, and Bruno Blanchet. "ProScript TLS: Building a TLS 1.3 Implementation with a Verifiable Protocol Model." TRON Workshop-TLS 1.3, Ready Or Not. 2016. https://www.internetsociety.org/sites/default/files/T4-ProScript.pdf

• Somorovsky, Juraj. "Systematic fuzzing and testing of TLS libraries." Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security. ACM, 2016. http://nds.ruhr-uni-bochum.de/media/nds/veroeffentlichungen/2016/10/19/tls-attacker-ccs16.pdf

Standards

• Kaufman, Charlie, et al. Internet key exchange protocol version 2 (IKEv2). No. RFC 7296. 2014.https://www.rfc-editor.org/rfc/rfc7296.txt

• Paterson, Kenneth G., and Thyla van der Merwe. "Reactive and Proactive Standardisation of TLS." Security Standardisation Research. Springer International Publishing, 2016. 160-186. https://pdfs.semanticscholar.org/b7aa/d9aa6661f2af54ce9266eb022d96c1e15576.pdf

General

• Springall, Drew, Zakir Durumeric, and J. Alex Halderman. "Measuring the Security Harm of TLS Crypto Shortcuts." Proceedings of the 2016 ACM on Internet Measurement Conference. ACM, 2016. http://delivery.acm.org/10.1145/2990000/2987480/p33-springall.pdf?ip=67.180.235.180&id=2987480&acc=OA&key=4D4702B0C3E38B35%2E4D4702B0C3E38B35%2E4D4702B0C3E38B35%2E595DDC89FD3F921D&CFID=752545090&CFTOKEN=61452778&acm=1492566772_6c199157d88f0f3c9588ec3a38617f17

• Levillain, Olivier. A study of the TLS ecosystem. Diss. Institut National des Télécommunications, 2016. https://tel.archives-ouvertes.fr/tel-01454976/document

• Chothia, Tom, et al. "Why Banker Bob (still) Can’t Get TLS Right: A Security Analysis of TLS in Leading UK Banking Apps." http://fc17.ifca.ai/preproceedings/paper_83-2.pdf

• Samarasinghe, Nayanamana, and Mohammad Mannan. "Short Paper: TLS Ecosystems in Networked Devices vs. Web Servers." (2017). http://spectrum.library.concordia.ca/982186/1/tech-fc17.pdf