Skip to main content

Augmented Secure Channels and the Goal of the TLS 1.3 Record Layer

Part of the Lecture Notes in Computer Science book series (LNSC,volume 9451)


Motivated by the wide adoption of authenticated encryption and TLS, we suggest a basic channel abstraction, an augmented secure channel (ASC), that allows a sender to send a receiver messages consisting of two parts, where one is privacy-protected and both are authenticity-protected. Working in the tradition of constructive cryptography, we formalize this idea and provide a construction of this kind of channel using the lower-level tool authenticated-encryption.

We look at recent proposals on TLS 1.3 and suggest that the criterion by which their security can be judged is quite simple: do they construct an ASC? Due to this precisely defined goal, we are able to give a natural construction that comes with a rigorous security proof and directly leads to a proposal on TLS 1.3 that is provably secure.

This is a preview of subscription content, access via your institution.

Buying options

USD   29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
USD   39.99
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD   54.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Learn about institutional subscriptions


  1. 1.

    We suspect that alternative definitional frameworks, like treating ASCs in the UC framework [4] or RSIM [1, 21], would yield closely related findings.

  2. 2.

    For example, the resource \({\mathsf {enc}_{\varPi }}^\mathsf {A}{\mathsf {dec}_{\varPi }}^\mathsf {B}\, [\mathbf {SK}_{\mathcal {K}}, \mathbf {IC}]\) is obtained by attaching Alice’s converter \({\mathsf {enc}_{\varPi }}\) at interface \(\mathsf {A}\) and Bob’s converter \({\mathsf {dec}_{\varPi }}\) at interface \(\mathsf {B}\) of \([\mathbf {SK}_{\mathcal {K}}, \mathbf {IC}]\), where the interfaces are indicated by superscripts.

  3. 3.

    Here, \((E, I) \in \mathcal {H}_{\mathrm {E}}\times \mathcal {H}_{\mathrm {I}}\) denotes an encoding of that pair as an element in \(\mathcal {A}\). Abusing notation, we generally do not distinguish between a tuple and its encoding as an element in \(\varSigma ^*\).

  4. 4.

    For a list L, we denote by \(L \ \Vert \ x\) the list L with x appended. Furthermore, the ith element of a list L with n elements is denoted by L[i] for \(i \in \{0, \ldots , n-1\}\).

  5. 5.

    We refer to the most recent draft (retrieved on August 28, 2015) that is available for download at

  6. 6.

    Previous versions of TLS supported MAC-then-Encrypt modes.

  7. 7.

    Until draft 5, the choice of the nonce was not specified, and it was transmitted together with the ciphertext.

  8. 8.

    While applications usually provide data to TLS as a sequence of multi-byte strings, TLS only guarantees that the same stream of bytes, as the concatenation of the individual strings, is delivered. TLS does not guarantee that the boundaries between the multi-byte strings are preserved as chosen by the application, cf. [7]. The message \(M\) in Fig. 7 is to be understood as the multi-byte string used within the TLS protocol, which is not necessarily the same as chosen by the higher-level application.

  9. 9.

    The value \(\{3,4\}\) corresponds to TLS version 1.3. The reason for this value is that the version of TLS 1.0, as the successor of SSL 3.0, is encoded as the value \(\{3, 1\}\).


  1. Backes, M., Pfitzmann, B., Waidner, M.: The reactive simulatability (RSIM) framework for asynchronous systems. Inf. Comput. 205(12), 1685–1720 (2007)

    CrossRef  MathSciNet  MATH  Google Scholar 

  2. Bellare, M., Namprempre, C.: Authenticated encryption: relations among notions and analysis of the generic composition paradigm. In: Okamoto, T. (ed.) ASIACRYPT 2000. LNCS, vol. 1976, pp. 531–545. Springer, Heidelberg (2000)

    CrossRef  Google Scholar 

  3. Bellare, M., Rogaway, P.: Encode-then-encipher encryption: how to exploit nonces or redundancy in plaintexts for efficient cryptography. In: Okamoto, T. (ed.) ASIACRYPT 2000. LNCS, vol. 1976, pp. 317–330. Springer, Heidelberg (2000)

    CrossRef  Google Scholar 

  4. Canetti, R.: Universally composable security: a new paradigm for cryptographic protocols. In: 42nd IEEE Symposium on Foundations of Computer Science, pp. 136–145. IEEE (2001)

    Google Scholar 

  5. Canetti, R., Krawczyk, H., Nielsen, J.B.: Relaxing chosen-ciphertext security. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 565–582. Springer, Heidelberg (2003)

    CrossRef  Google Scholar 

  6. Coretti, S., Maurer, U., Tackmann, B.: Constructing confidential channels from authenticated channels—public-key encryption revisited. In: Sako, K., Sarkar, P. (eds.) ASIACRYPT 2013, Part I. LNCS, vol. 8269, pp. 134–153. Springer, Heidelberg (2013)

    CrossRef  Google Scholar 

  7. Fischlin, M., Günther, F., Marson, G.A., Paterson, K.G.: Data is a stream: security of stream-based channels. In: Gennaro, R., Robshaw, M. (eds.) CRYPTO 2015. LNCS, vol. 9216, pp. 545–564. Springer, Heidelberg (2015)

    CrossRef  Google Scholar 

  8. Gajek, S., Manulis, M., Pereira, O., Sadeghi, A.-R., Schwenk, J.: Universally composable security analysis of TLS. In: Baek, J., Bao, F., Chen, K., Lai, X. (eds.) ProvSec 2008. LNCS, vol. 5324, pp. 313–327. Springer, Heidelberg (2008)

    CrossRef  Google Scholar 

  9. He, C., Sundararajan, M., Datta, A., Derek, A., Mitchell, J.: A modular correctness proof of IEEE 802.11i and TLS. In: Proceedings of the ACM Conference on Computer and Communications Security (ACM CCS 2005), pp. 2–15 (2005)

    Google Scholar 

  10. Hoang, V.T., Krovetz, T., Rogaway, P.: Robust authenticated-encryption AEZ and the problem that it solves. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015. LNCS, vol. 9056, pp. 15–44. Springer, Heidelberg (2015)

    Google Scholar 

  11. Jager, T., Kohlar, F., Schäge, S., Schwenk, J.: On the security of TLS-DHE in the standard model. In: Safavi-Naini, R., Canetti, R. (eds.) CRYPTO 2012. LNCS, vol. 7417, pp. 273–293. Springer, Heidelberg (2012)

    CrossRef  Google Scholar 

  12. Jutla, C.S.: Encryption modes with almost free message integrity. In: Pfitzmann, B. (ed.) EUROCRYPT 2001. LNCS, vol. 2045, pp. 529–544. Springer, Heidelberg (2001)

    CrossRef  Google Scholar 

  13. Katz, J., Yung, M.: Unforgeable encryption and chosen ciphertext secure modes of operation. In: Schneier, B. (ed.) FSE 2000. LNCS, vol. 1978, pp. 284–299. Springer, Heidelberg (2001)

    CrossRef  Google Scholar 

  14. Kohlweiss, M., Maurer, U., Onete, C., Tackmann, B., Venturi, D.: (De-)Constructing TLS. Cryptology ePrint Archive, Report 2014/020 (2014)

    Google Scholar 

  15. Krawczyk, H., Paterson, K.G., Wee, H.: On the security of the TLS protocol: a systematic analysis. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013, Part I. LNCS, vol. 8042, pp. 429–448. Springer, Heidelberg (2013)

    CrossRef  Google Scholar 

  16. Maurer, U.: Constructive cryptography – a new paradigm for security definitions and proofs. In: Mödersheim, S., Palamidessi, C. (eds.) TOSCA 2011. LNCS, vol. 6993, pp. 33–56. Springer, Heidelberg (2012)

    CrossRef  Google Scholar 

  17. Maurer, U., Renner, R.: Abstract cryptography. In: Chazelle, B. (ed.) The Second Symposium on Innovations in Computer Science, ICS 2011, pp. 1–21. Tsinghua University Press (2011)

    Google Scholar 

  18. Maurer, U., Rüedlinger, A., Tackmann, B.: Confidentiality and integrity: a constructive perspective. In: Cramer, R. (ed.) TCC 2012. LNCS, vol. 7194, pp. 209–229. Springer, Heidelberg (2012)

    CrossRef  Google Scholar 

  19. Morrissey, P., Smart, N.P., Warinschi, B.: A modular security analysis of the TLS handshake protocol. In: Pieprzyk, J. (ed.) ASIACRYPT 2008. LNCS, vol. 5350, pp. 55–73. Springer, Heidelberg (2008)

    CrossRef  Google Scholar 

  20. Paterson, K.G., Ristenpart, T., Shrimpton, T.: Tag size Does matter: attacks and proofs for the TLS record protocol. In: Lee, D.H., Wang, X. (eds.) ASIACRYPT 2011. LNCS, vol. 7073, pp. 372–389. Springer, Heidelberg (2011)

    CrossRef  Google Scholar 

  21. Pfitzmann, B., Waidner, M.: A model for asynchronous reactive systems and its application to secure message transmission. In: Proceedings of the 2001 IEEE Symposium on Security and Privacy, pp. 184–200. IEEE Computer Society (2001)

    Google Scholar 

  22. Rogaway, P.: Authenticated-encryption with associated-data. In: Proceedings of the 9th ACM Conference on Computer and Communications Security, pp. 98–107. ACM (2002)

    Google Scholar 

  23. Rogaway, P., Bellare, M., Black, J.: OCB: a block-cipher mode of operation for efficient authenticated encryption. ACM Trans. Inf. Syst. Secur. (TISSEC) 6(3), 365–403 (2003)

    CrossRef  Google Scholar 

  24. Rogaway, P., Shrimpton, T.: A provable-security treatment of the key-wrap problem. In: Vaudenay, S. (ed.) EUROCRYPT 2006. LNCS, vol. 4004, pp. 373–390. Springer, Heidelberg (2006)

    CrossRef  Google Scholar 

  25. Wagner D., Schneier, B.: Analysis of the SSL 3.0 protocol. In: USENIX - Workshop on Electronic Commerce, pp. 29–40 (1996)

    Google Scholar 

Download references


Ueli Maurer was supported by the Swiss National Science Foundation (SNF), project no. 200020-132794. Björn Tackmann was supported by the Swiss National Science Foundation (SNF) via Fellowship no. P2EZP2_155566 and the NSF grants CNS-1116800 and CNS-1228890. Much of the work on this paper was done while Phil Rogaway was visiting Ueli Maurer’s group at ETH Zurich. Many thanks to Ueli for hosting that sabbatical. Rogaway was also supported by NSF grants CNS-1228828 and CNS-1314885.

Author information

Authors and Affiliations


Corresponding author

Correspondence to Christian Badertscher .

Editor information

Editors and Affiliations

Rights and permissions

Reprints and Permissions

Copyright information

© 2015 Springer International Publishing Switzerland

About this paper

Cite this paper

Badertscher, C., Matt, C., Maurer, U., Rogaway, P., Tackmann, B. (2015). Augmented Secure Channels and the Goal of the TLS 1.3 Record Layer. In: Au, MH., Miyaji, A. (eds) Provable Security. ProvSec 2015. Lecture Notes in Computer Science(), vol 9451. Springer, Cham.

Download citation

  • DOI:

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-26058-7

  • Online ISBN: 978-3-319-26059-4

  • eBook Packages: Computer ScienceComputer Science (R0)