Skip to main content

Session Resumption Protocols and Efficient Forward Security for TLS 1.3 0-RTT

  • Conference paper
  • First Online:
Advances in Cryptology – EUROCRYPT 2019 (EUROCRYPT 2019)

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 11477))


The TLS 1.3 0-RTT mode enables a client reconnecting to a server to send encrypted application-layer data in “0-RTT” (“zero round-trip time”), without the need for a prior interactive handshake. This fundamentally requires the server to reconstruct the previous session’s encryption secrets upon receipt of the client’s first message. The standard techniques to achieve this are Session Caches or, alternatively, Session Tickets. The former provides forward security and resistance against replay attacks, but requires a large amount of server-side storage. The latter requires negligible storage, but provides no forward security and is known to be vulnerable to replay attacks.

In this paper, we first formally define session resumption protocols as an abstract perspective on mechanisms like Session Caches and Session Tickets. We give a new generic construction that provably provides forward security and replay resilience, based on puncturable pseudorandom functions (PPRFs). This construction can immediately be used in TLS 1.3 0-RTT and deployed unilaterally by servers, without requiring any changes to clients or the protocol.

We then describe two new constructions of PPRFs, which are particularly suitable for use for forward-secure and replay-resilient session resumption in TLS 1.3. The first construction is based on the strong RSA assumption. Compared to standard Session Caches, for “128-bit security” it reduces the required server storage by a factor of almost 20, when instantiated in a way such that key derivation and puncturing together are cheaper on average than one full exponentiation in an RSA group. Hence, a 1 GB Session Cache can be replaced with only about 51 MBs of storage, which significantly reduces the amount of secure memory required. For larger security parameters or in exchange for more expensive computations, even larger storage reductions are achieved. The second construction combines a standard binary tree PPRF with a new “domain extension” technique. For a reasonable choice of parameters, this reduces the required storage by a factor of up to 5 compared to a standard Session Cache. It employs only symmetric cryptography, is suitable for high-traffic scenarios, and can serve thousands of tickets per second.

Supported by the German Research Foundation (DFG), project JA 2445/2-1, scholarships from The Israeli Ministry of Science and Technology, The Check Point Institute for Information Security, and The Yitzhak and Chaya Weinstein Research Institute for Signal Processing. We thank Nick Sullivan, Sven N. Hebrok and all anonymous reviewers for their valuable comments.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Subscribe and save

Springer+ Basic
EUR 32.99 /Month
  • Get 10 units per month
  • Download Article/Chapter or eBook
  • 1 Unit = 1 Article or 1 Chapter
  • Cancel anytime
Subscribe now

Buy Now

USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
USD 39.99
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 54.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Similar content being viewed by others


  1. 1.

    The above describes typical modes of operation of TLS 1.3. The standard also allows for other modes, e.g. modes that include client authentication. We expect other modes will be used much less often, and therefore they are beyond the scope of this paper.

  2. 2.

    Confusingly, the message containing this opaque sequence of bytes is always termed a “New Session Ticket Message”, for both Session Caches and encrypted self-contained Session Tickets. To our knowledge there is no standard nomenclature, in [39] or elsewhere, for these two different approaches when used in TLS 1.3; see e.g. [39, § 8.1]. TLS 1.2 referred to “Session ID Resumption” and “Session Ticket Resumption”, but these terms are not used in TLS 1.3.

  3. 3.

    Unless there is additional server-side logging of tickets that have already been used.

  4. 4.

    When using resumption, the client must include in its first message the ticket’s age, i.e. the time elapsed between receiving the ticket from the server in a previous session. The server expects this time interval to be precise up to a small window of error allowing for propagation delay, typically on the order of 10 s. An attacker can perform replay attacks within this time window.

  5. 5.

    When using Session Tickets, the same holds for mechanisms that store used tickets, which are likely to be distributed as well. See [39, §2.3, §8, §E.5], [36, 37] for more in-depth discussion.

  6. 6.

    Obtaining a formal security proof for this would be an interesting direction for future research, but is beyond the scope of this work.

  7. 7.

    The natural solution would be to encrypt n using public-key puncturable encryption, but this would be costly, and obviate most of the efficiency benefits described in this work. We are unfortunately unaware of a good solution that achieves session unlinkability in the event of server compromise. We further note that TLS 1.3 0-RTT includes a mechanism named “obfuscated ticket age” that solves a similar session linkability concern; that mechanism as well is not applicable here.

  8. 8.

    Cloudflare have suggested that these assumptions seem reasonable. Unfortunately, they cannot provide data on returning clients’ behavior yet.

  9. 9.

    When implementing tree-based PPRFs in session resumption scenarios, such windows should not be implemented as they only add management overhead to the algorithm instead of providing notable advantages. It is sufficient to use a tree-based PPRF as is and puncture leaves for which the ticket’s lifetime has expired. This way we achieve an implicit implementation of a sliding window scenario that ensures all established bounds still hold.

  10. 10.

    Typically, a ticket contains not only the Resumption Secret but also the chosen cipher suite and other additional session parameters, and is thus larger than just the Resumption Secret. Therefore it is reasonable to encrypt this data only once, while encrypting the shorter intermediary symmetric key multiple times. This makes the ticket as short as possible.

  11. 11.

    The relevant experiment is denoted as “Phase Two”; “Phase One” only added bytes to the client’s first flight.

  12. 12.

    We note that results for trees of 10,000 tickets should closely follow results for larger tree sizes. Trees are quickly split into smaller sub-trees when puncturing, regardless of the initial tree size. In the first puncturing operation we delete the root and store smaller sub-trees with at most half the nodes in each, and so forth.


  1. Aviram, N., Gellert, K., Jager, T.: Session resumption protocols and efficient forward security for TLS 1.3 0-RTT. Cryptology ePrint Archive (2019).

  2. Barić, N., Pfitzmann, B.: Collision-free accumulators and fail-stop signature schemes without trees. In: Fumy, W. (ed.) EUROCRYPT 1997. LNCS, vol. 1233, pp. 480–494. Springer, Heidelberg (1997).

    Chapter  Google Scholar 

  3. Barker, E.: Recommendation for key management part 1: general (revision 4). NIST special publication (2016)

    Google Scholar 

  4. Behr, M., Swett, I.: Introducing QUIC support for HTTPS load balancing (2018).

  5. Bellare, M., Rogaway, P.: Random oracles are practical: a paradigm for designing efficient protocols. In: Ashby, V. (ed.) ACM CCS 1993, Fairfax, Virginia, USA, 3–5 November, pp. 62–73. ACM Press (1993)

    Google Scholar 

  6. Bellare, M., Stepanovs, I., Tessaro, S.: Poly-many hardcore bits for any one-way function and a framework for differing-inputs obfuscation. In: Sarkar, P., Iwata, T. (eds.) ASIACRYPT 2014, Part II. LNCS, vol. 8874, pp. 102–121. Springer, Heidelberg (2014).

    Chapter  Google Scholar 

  7. Bhargavan, K., Fournet, C., Kohlweiss, M., Pironti, A., Strub, P.-Y., Zanella-Béguelin, S.: Proving the TLS handshake secure (as it is). In: Garay, J.A., Gennaro, R. (eds.) CRYPTO 2014, Part II. LNCS, vol. 8617, pp. 235–255. Springer, Heidelberg (2014).

    Chapter  Google Scholar 

  8. Blum, L., Blum, M., Shub, M.: A simple unpredictable pseudo-random number generator. Siam J. Comput. 15(2), 364–383 (1986).

    Article  MathSciNet  MATH  Google Scholar 

  9. Böck, H.: Fuzz-compare the OpenSSL function BN\_mod\_exp() and the libgcrypt function gcry\_mpi\_powm().

  10. Boneh, D., Waters, B.: Constrained pseudorandom functions and their applications. In: Sako, K., Sarkar, P. (eds.) ASIACRYPT 2013, Part II. LNCS, vol. 8270, pp. 280–300. Springer, Heidelberg (2013).

    Chapter  Google Scholar 

  11. Boyle, E., Goldwasser, S., Ivan, I.: Functional signatures and pseudorandom functions. In: Krawczyk, H. (ed.) PKC 2014. LNCS, vol. 8383, pp. 501–519. Springer, Heidelberg (2014).

    Chapter  Google Scholar 

  12. Camenisch, J., Lysyanskaya, A.: Dynamic accumulators and application to efficient revocation of anonymous credentials. In: Yung, M. (ed.) CRYPTO 2002. LNCS, vol. 2442, pp. 61–76. Springer, Heidelberg (2002).

    Chapter  Google Scholar 

  13. Chang, W.T., Langley, A.: QUIC crypto (2014).

  14. Cremers, C., Horvat, M., Scott, S., van der Merwe, T.: Automated analysis and verification of TLS 1.3: 0-RTT, resumption and delayed authentication. In: 2016 IEEE Symposium on Security and Privacy, San Jose, CA, USA, 22–26 May, pp. 470–485. IEEE Computer Society Press (2016)

    Google Scholar 

  15. Derler, D., Gellert, K., Jager, T., Slamanig, D., Striecks, C.: Bloom filter encryption and applications to efficient forward-secret 0-RTT key exchange. Cryptology ePrint Archive, Report 2018/199 (2018).

  16. Derler, D., Jager, T., Slamanig, D., Striecks, C.: Bloom filter encryption and applications to efficient forward-secret 0-RTT key exchange. In: Nielsen, J.B., Rijmen, V. (eds.) EUROCRYPT 2018, Part III. LNCS, vol. 10822, pp. 425–455. Springer, Cham (2018).

    Chapter  Google Scholar 

  17. Dowling, B., Fischlin, M., Günther, F., Stebila, D.: A cryptographic analysis of the TLS 1.3 handshake protocol candidates. In: Ray, I., Li, N., Kruegel, C. (eds.) ACM CCS 2015, Denver, CO, USA, 12–16 October, pp. 1197–1210. ACM Press (2015)

    Google Scholar 

  18. Dowling, B., Fischlin, M., Günther, F., Stebila, D.: A cryptographic analysis of the TLS 1.3 draft-10 full and pre-shared key handshake protocol. Cryptology ePrint Archive, Report 2016/081 (2016).

  19. Dukkipati, N., et al.: An argument for increasing TCP’s initial congestion window. Comput. Commun. Rev. 40(3), 26–33 (2010)

    Article  Google Scholar 

  20. Fischlin, M., Günther, F.: Multi-stage key exchange and the case of Google’s QUIC protocol. In: Ahn, G.J., Yung, M., Li, N. (eds.) ACM CCS 2014, Scottsdale, AZ, USA, 3–7 November, pp. 1193–1204. ACM Press (2014)

    Google Scholar 

  21. Fischlin, M., Günther, F.: Replay attacks on zero round-trip time: the case of the TLS 1.3 handshake candidates. In: 2017 IEEE European Symposium on Security and Privacy, EuroS&P 2017, Paris, France, 26–28 April 2017, pp. 60–75. IEEE (2017).

  22. Goldreich, O., Goldwasser, S., Micali, S.: How to construct random functions. J. ACM 33(4), 792–807 (1986).

    Article  MathSciNet  MATH  Google Scholar 

  23. Goldreich, O., Levin, L.A.: A hard-core predicate for all one-way functions. In: 21st ACM STOC, Seattle, WA, USA, 15–17 May, pp. 25–32. ACM Press (1989)

    Google Scholar 

  24. Green, M.D., Miers, I.: Forward secure asynchronous messaging from puncturable encryption. In: 2015 IEEE Symposium on Security and Privacy, San Jose, CA, USA, 17–21 May, pp. 305–320. IEEE Computer Society Press (2015)

    Google Scholar 

  25. Günther, F., Hale, B., Jager, T., Lauer, S.: 0-RTT key exchange with full forward secrecy. In: Coron, J.-S., Nielsen, J.B. (eds.) EUROCRYPT 2017, Part III. LNCS, vol. 10212, pp. 519–548. Springer, Cham (2017).

    Chapter  Google Scholar 

  26. Hale, B., Jager, T., Lauer, S., Schwenk, J.: Simple security definitions for and constructions of 0-RTT key exchange. In: Gollmann, D., Miyaji, A., Kikuchi, H. (eds.) ACNS 2017. LNCS, vol. 10355, pp. 20–38. Springer, Cham (2017).

    Chapter  Google Scholar 

  27. Iyengar, S., Nekritz, K.: Building zero protocol for fast, secure mobile connections (2017).

  28. Jager, T., Kohlar, F., Schäge, S., Schwenk, J.: On the security of TLS-DHE in the standard model. In: Safavi-Naini, R., Canetti, R. (eds.) CRYPTO 2012. LNCS, vol. 7417, pp. 273–293. Springer, Heidelberg (2012).

    Chapter  MATH  Google Scholar 

  29. Kario, H.: Add 3072, 7680 and 15360 bit RSA tests to openssl speed.!topic/

  30. Kiayias, A., Papadopoulos, S., Triandopoulos, N., Zacharias, T.: Delegatable pseudorandom functions and applications. In: Sadeghi, A.R., Gligor, V.D., Yung, M. (eds.) ACM CCS 2013, Berlin, Germany, 4–8 November, pp. 669–684. ACM Press (2013)

    Google Scholar 

  31. Krawczyk, H., Paterson, K.G., Wee, H.: On the security of the TLS protocol: a systematic analysis. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013, Part I. LNCS, vol. 8042, pp. 429–448. Springer, Heidelberg (2013).

    Chapter  Google Scholar 

  32. Langley, A.: How to botch TLS forward secrecy (2013).

  33. Langley, A.: Post-quantum confidentiality for TLS (2018).

  34. Lin, Z.: TLS session resumption: full-speed and secure (2015).

  35. Lychev, R., Jero, S., Boldyreva, A., Nita-Rotaru, C.: How secure and quick is QUIC? Provable security and performance analyses. In: 2015 IEEE Symposium on Security and Privacy, pp. 214–231. IEEE Computer Society Press, San Jose, 17–21 May 2015

    Google Scholar 

  36. MacCarthaigh, C.: Security Review of TLS 1.3 0-RTT., Accessed 29 July 2018

  37. Rescorla, E.: TLS 0-RTT and Anti-Replay (2015).

  38. Rescorla, E.: TLS 1.3 (2015).

  39. Rescorla, E.: The Transport Layer Security (TLS) Protocol Version 1.3. RFC 8446 (2018).

  40. Rogaway, P.: Authenticated-encryption with associated-data. In: Atluri, V. (ed.) ACM CCS 2002, Washington D.C., USA, 18–22 November, pp. 98–107. ACM Press (2002)

    Google Scholar 

  41. Sahai, A., Waters, B.: How to use indistinguishability obfuscation: deniable encryption, and more. In: Shmoys, D.B. (ed.) 46th ACM STOC, New York, NY, USA, 31 May–3 June, pp. 475–484. ACM Press (2014)

    Google Scholar 

  42. Shamir, A.: On the generation of cryptographically strong pseudorandom sequences. ACM Trans. Comput. Syst. 1(1), 38–44 (1983).

    Article  Google Scholar 

  43. Springall, D., Durumeric, Z., Halderman, J.A.: Measuring the security harm of TLS crypto shortcuts. In: Proceedings of the 2016 Internet Measurement Conference, pp. 33–47. ACM (2016)

    Google Scholar 

  44. Sullivan, N.: Introducing Zero Round Trip Time Resumption (2017).

  45. The OpenSSL Project: OpenSSL: The open source toolkit for SSL/TLS.

Download references

Author information

Authors and Affiliations


Corresponding author

Correspondence to Kai Gellert .

Editor information

Editors and Affiliations

Rights and permissions

Reprints and permissions

Copyright information

© 2019 International Association for Cryptologic Research

About this paper

Check for updates. Verify currency and authenticity via CrossMark

Cite this paper

Aviram, N., Gellert, K., Jager, T. (2019). Session Resumption Protocols and Efficient Forward Security for TLS 1.3 0-RTT. In: Ishai, Y., Rijmen, V. (eds) Advances in Cryptology – EUROCRYPT 2019. EUROCRYPT 2019. Lecture Notes in Computer Science(), vol 11477. Springer, Cham.

Download citation

  • DOI:

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-17655-6

  • Online ISBN: 978-3-030-17656-3

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics