Create Run

Run

@@ -0,0 +1,1036 @@
+# Key Exchange Protocols
+
+@inproceedings{cremers2011examining,
+  title={Examining indistinguishability-based security models for key exchange protocols: the case of CK, CK-HMQV, and eCK},
+  author={Cremers, Cas},
+  booktitle={Proceedings of the 6th ACM Symposium on Information, Computer and Communications Security},
+  pages={80--91},
+  year={2011},
+  organization={ACM}
+}
+
+@article{needham1978using,
+  title={Using encryption for authentication in large networks of computers},
+  author={Needham, Roger M and Schroeder, Michael D},
+  journal={Communications of the ACM},
+  volume={21},
+  number={12},
+  pages={993--999},
+  year={1978},
+  publisher={ACM}
+}
+
+@article{dolev1983security,
+  title={On the security of public key protocols},
+  author={Dolev, Danny and Yao, Andrew},
+  journal={IEEE Transactions on information theory},
+  volume={29},
+  number={2},
+  pages={198--208},
+  year={1983},
+  publisher={IEEE}
+}
+
+@inproceedings{gajek2008universally,
+  title={Universally composable security analysis of TLS},
+  author={Gajek, Sebastian and Manulis, Mark and Pereira, Olivier and Sadeghi, Ahmad-Reza and Schwenk, J{\"o}rg},
+  booktitle={International Conference on Provable Security},
+  pages={313--327},
+  year={2008},
+  organization={Springer}
+}
+
+@inproceedings{krawczyk2016unilateral,
+  title={A unilateral-to-mutual authentication compiler for key exchange (with applications to client authentication in tls 1.3)},
+  author={Krawczyk, Hugo},
+  booktitle={Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security},
+  pages={1438--1450},
+  year={2016},
+  organization={ACM}
+}
+
+@inproceedings{mitchell1998finite,
+  title={Finite-State Analysis of SSL 3.0.},
+  author={Mitchell, John C and Shmatikov, Vitaly and Stern, Ulrich},
+  booktitle={USENIX Security Symposium},
+  pages={201--216},
+  year={1998}
+}
+
+@inproceedings{wagner1996analysis,
+  title={Analysis of the SSL 3.0 protocol},
+  author={Wagner, David and Schneier, Bruce and others},
+  booktitle={The Second USENIX Workshop on Electronic Commerce Proceedings},
+  volume={1},
+  number={1},
+  pages={29--40},
+  year={1996}
+}
+
+@article{dowlingcryptographic,
+  title={A Cryptographic Analysis of the WireGuard Protocol},
+  author={Dowling, Benjamin and Paterson, Kenneth G}
+}
+
+@article{kusters2017framework,
+  title={A Framework for Universally Composable Diffie-Hellman Key Exchange.},
+  author={K{\"u}sters, Ralf and Rausch, Daniel},
+  journal={IACR Cryptology ePrint Archive},
+  volume={2017},
+  pages={256},
+  year={2017}
+}
+
+@inproceedings{boyd2016stateless,
+  title={From stateless to stateful: Generic authentication and authenticated encryption constructions with application to TLS},
+  author={Boyd, Colin and Hale, Britta and Mj{\o}lsnes, Stig Frode and Stebila, Douglas},
+  booktitle={Cryptographers’ Track at the RSA Conference},
+  pages={55--71},
+  year={2016},
+  organization={Springer}
+}
+
+@inproceedings{krawczyk2001order,
+  title={The order of encryption and authentication for protecting communications (or: How secure is SSL?)},
+  author={Krawczyk, Hugo},
+  booktitle={Advances in Cryptology—CRYPTO 2001},
+  pages={310--331},
+  year={2001},
+  organization={Springer}
+}
+
+@inproceedings{kudla2005modular,
+  title={Modular security proofs for key agreement protocols},
+  author={Kudla, Caroline and Paterson, Kenneth G},
+  booktitle={International Conference on the Theory and Application of Cryptology and Information Security},
+  pages={549--565},
+  year={2005},
+  organization={Springer}
+}
+
+@article{brzuska2013less,
+  title={Less is more: Relaxed yet composable security notions for key exchange},
+  author={Brzuska, Christina and Fischlin, Marc and Smart, Nigel P and Warinschi, Bogdan and Williams, Stephen C},
+  journal={International Journal of Information Security},
+  volume={12},
+  number={4},
+  pages={267--297},
+  year={2013},
+  publisher={Springer}
+}
+
+@inproceedings{boyd2013asics,
+  title={ASICS: Authenticated key exchange security incorporating certification systems},
+  author={Boyd, Colin and Cremers, Cas and Feltz, Michele and Paterson, Kenneth G and Poettering, Bertram and Stebila, Douglas},
+  booktitle={European Symposium on Research in Computer Security},
+  pages={381--399},
+  year={2013},
+  organization={Springer}
+}
+
+@phdthesis{brzuska2013foundations,
+  title={On the foundations of key exchange},
+  author={Brzuska, Christina},
+  year={2013},
+  school={Technische Universit{\"a}t}
+}
+
+@inproceedings{bellare1993entity,
+  title={Entity Authentication and Key Distribution.},
+  author={Bellare, Mihir and Rogaway, Phillip},
+  booktitle={Crypto},
+  volume={93},
+  pages={232--249},
+  year={1993},
+  organization={Springer}
+}
+
+@article{cremers2015beyond,
+  title={Beyond eCK: perfect forward secrecy under actor compromise and ephemeral-key reveal},
+  author={Cremers, Cas and Feltz, Michele},
+  journal={Designs, Codes and Cryptography},
+  volume={74},
+  number={1},
+  pages={183--218},
+  year={2015},
+  publisher={Springer}
+}
+
+@article{law2003efficient,
+  title={An efficient protocol for authenticated key agreement},
+  author={Law, Laurie and Menezes, Alfred and Qu, Minghua and Solinas, Jerry and Vanstone, Scott},
+  journal={Designs, Codes and Cryptography},
+  volume={28},
+  number={2},
+  pages={119--134},
+  year={2003},
+  publisher={Springer}
+}
+
+@inproceedings{bellare1995provably,
+  title={Provably secure session key distribution: the three party case},
+  author={Bellare, Mihir and Rogaway, Phillip},
+  booktitle={Proceedings of the twenty-seventh annual ACM symposium on Theory of computing},
+  pages={57--66},
+  year={1995},
+  organization={ACM}
+}
+
+@inproceedings{krawczyk2016optls,
+  title={The OPTLS protocol and TLS 1.3},
+  author={Krawczyk, Hugo and Wee, Hoeteck},
+  booktitle={Security and Privacy (EuroS\&P), 2016 IEEE European Symposium on},
+  pages={81--96},
+  year={2016},
+  organization={IEEE}
+}
+
+@inproceedings{cremers2016automated,
+  title={Automated analysis and verification of TLS 1.3: 0-RTT, resumption and delayed authentication},
+  author={Cremers, Cas and Horvat, Marko and Scott, Sam and van der Merwe, Thyla},
+  booktitle={Security and Privacy (SP), 2016 IEEE Symposium on},
+  pages={470--485},
+  year={2016},
+  organization={IEEE}
+}
+
+@article{dowling2016cryptographic,
+  title={A Cryptographic Analysis of the TLS 1.3 draft-10 Full and Pre-shared Key Handshake Protocol.},
+  author={Dowling, Benjamin and Fischlin, Marc and G{\"u}nther, Felix and Stebila, Douglas},
+  journal={IACR Cryptology ePrint Archive},
+  volume={2016},
+  pages={81},
+  year={2016}
+}
+
+@inproceedings{zhao2016identity,
+  title={Identity-Concealed Authenticated Encryption and Key Exchange},
+  author={Zhao, Yunlei},
+  booktitle={Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security},
+  pages={1464--1479},
+  year={2016},
+  organization={ACM}
+}
+
+@inproceedings{krawczyk2003sigma,
+  title={SIGMA: The ‘SIGn-and-MAc’approach to authenticated Diffie-Hellman and its use in the IKE protocols},
+  author={Krawczyk, Hugo},
+  booktitle={Annual International Cryptology Conference},
+  pages={400--425},
+  year={2003},
+  organization={Springer}
+}
+
+@inproceedings{krawczyk2005hmqv,
+  title={HMQV: A high-performance secure Diffie-Hellman protocol},
+  author={Krawczyk, Hugo},
+  booktitle={Annual International Cryptology Conference},
+  pages={546--566},
+  year={2005},
+  organization={Springer}
+}
+
+@inproceedings{he2005modular,
+  title={A modular correctness proof of IEEE 802.11 i and TLS},
+  author={He, Changhua and Sundararajan, Mukund and Datta, Anupam and Derek, Ante and Mitchell, John C},
+  booktitle={Proceedings of the 12th ACM conference on Computer and communications security},
+  pages={2--15},
+  year={2005},
+  organization={ACM}
+}
+
+@article{aiello2004just,
+  title={Just fast keying: Key agreement in a hostile internet},
+  author={Aiello, William and Bellovin, Steven M and Blaze, Matt and Canetti, Ran and Ioannidis, John and Keromytis, Angelos D and Reingold, Omer},
+  journal={ACM Transactions on Information and System Security (TISSEC)},
+  volume={7},
+  number={2},
+  pages={242--273},
+  year={2004},
+  publisher={ACM}
+}
+
+@inproceedings{boyd2004key,
+  title={Key agreement using statically keyed authenticators},
+  author={Boyd, Colin and Mao, Wenbo and Paterson, Kenneth G},
+  booktitle={International Conference on Applied Cryptography and Network Security},
+  pages={248--262},
+  year={2004},
+  organization={Springer}
+}
+
+@article{menezes2007another,
+  title={Another look at HMQV},
+  author={Menezes, Alfred},
+  journal={Mathematical Cryptology JMC},
+  volume={1},
+  number={1},
+  pages={47--64},
+  year={2007}
+}
+
+@inproceedings{lamacchia2007stronger,
+  title={Stronger security of authenticated key exchange},
+  author={LaMacchia, Brian and Lauter, Kristin and Mityagin, Anton},
+  booktitle={International Conference on Provable Security},
+  pages={1--16},
+  year={2007},
+  organization={Springer}
+}
+
+@inproceedings{bos2015post,
+  title={Post-quantum key exchange for the TLS protocol from the ring learning with errors problem},
+  author={Bos, Joppe W and Costello, Craig and Naehrig, Michael and Stebila, Douglas},
+  booktitle={Security and Privacy (SP), 2015 IEEE Symposium on},
+  pages={553--570},
+  year={2015},
+  organization={IEEE}
+}
+
+@inproceedings{di2006deniable,
+  title={Deniable authentication and key exchange},
+  author={Di Raimondo, Mario and Gennaro, Rosario and Krawczyk, Hugo},
+  booktitle={Proceedings of the 13th ACM conference on Computer and communications security},
+  pages={400--409},
+  year={2006},
+  organization={ACM}
+}
+
+@inproceedings{choo2005session,
+  title={On session key construction in provably-secure key establishment protocols},
+  author={Choo, Kim-Kwang Raymond and Boyd, Colin and Hitchcock, Yvonne},
+  booktitle={International Conference on Cryptology in Malaysia},
+  pages={116--131},
+  year={2005},
+  organization={Springer}
+}
+
+@article{goldberg2012anonymity,
+  title={Anonymity and one-way authentication in key exchange protocols},
+  author={Goldberg, Ian and Stebila, Douglas and Ustaoglu, Berkant},
+  journal={Designs, Codes and Cryptography},
+  pages={1--25},
+  year={2012},
+  publisher={Springer}
+}
+
+@inproceedings{yao2010deniable,
+  title={Deniable internet key exchange},
+  author={Yao, Andrew C and Zhao, Yunlei},
+  booktitle={International Conference on Applied Cryptography and Network Security},
+  pages={329--348},
+  year={2010},
+  organization={Springer}
+}
+
+@article{cremers2011one,
+  title={One-round strongly secure key exchange with perfect forward secrecy and deniability},
+  author={Cremers, Cas and Feltz, Michele},
+  journal={IACR Cryptology ePrint Archive},
+  volume={2011},
+  pages={300},
+  year={2011}
+}
+
+@article{harn2005authenticated,
+  title={Authenticated Diffie--Hellman key agreement protocol using a single cryptographic assumption},
+  author={Harn, Lein and Hsin, W-J and Mehta, Mohit},
+  journal={IEE Proceedings-Communications},
+  volume={152},
+  number={4},
+  pages={404--410},
+  year={2005},
+  publisher={IET}
+}
+
+@phdthesis{datta2005security,
+  title={Security analysis of network protocols: Compositional reasoning and complexity-theoretic foundations},
+  author={Datta, Anupam},
+  year={2005},
+  school={Citeseer}
+}
+
+@article{menezes2010reusing,
+  title={On reusing ephemeral keys in Diffie-Hellman key agreement protocols},
+  author={Menezes, Alfred and Ustaoglu, Berkant},
+  journal={International Journal of Applied Cryptography},
+  volume={2},
+  number={2},
+  pages={154--158},
+  year={2010},
+  publisher={Inderscience Publishers}
+}
+
+@inproceedings{yao2013oake,
+  title={OAKE: a new family of implicitly authenticated diffie-hellman protocols},
+  author={Yao, Andrew Chi-Chih and Zhao, Yunlei},
+  booktitle={Proceedings of the 2013 ACM SIGSAC conference on Computer \& communications security},
+  pages={1113--1128},
+  year={2013},
+  organization={ACM}
+}
+
+@inproceedings{zhang2015authenticated,
+  title={Authenticated key exchange from ideal lattices},
+  author={Zhang, Jiang and Zhang, Zhenfeng and Ding, Jintai and Snook, Michael and Dagdelen, {\"O}zg{\"u}r},
+  booktitle={Annual International Conference on the Theory and Applications of Cryptographic Techniques},
+  pages={719--751},
+  year={2015},
+  organization={Springer}
+}
+
+@inproceedings{jiang2008efficient,
+  title={An efficient deniable key exchange protocol},
+  author={Jiang, Shaoquan and Safavi-Naini, Reihaneh},
+  booktitle={International Conference on Financial Cryptography and Data Security},
+  pages={47--52},
+  year={2008},
+  organization={Springer}
+}
+
+@inproceedings{yang2011authenticated,
+  title={Authenticated key exchange under bad randomness},
+  author={Yang, Guomin and Duan, Shanshan and Wong, Duncan S and Tan, Chik How and Wang, Huaxiong},
+  booktitle={International Conference on Financial Cryptography and Data Security},
+  pages={113--126},
+  year={2011},
+  organization={Springer}
+}
+
+@article{singh2015practical,
+  title={A Practical Key Exchange for the Internet using Lattice Cryptography.},
+  author={Singh, Vikram},
+  journal={IACR Cryptology ePrint Archive},
+  volume={2015},
+  pages={138},
+  year={2015}
+}
+
+@inproceedings{yi2011three,
+  title={Three-party password-authenticated key exchange without random oracles},
+  author={Yi, Xun and Tso, Raylin and Okamoto, Eiji},
+  booktitle={Security and Cryptography (SECRYPT), 2011 Proceedings of the International Conference on},
+  pages={15--24},
+  year={2011},
+  organization={IEEE}
+}
+
+@phdthesis{jost2014constructive,
+  title={A constructive analysis of IPsec},
+  author={Jost, Daniel},
+  year={2014},
+  school={Citeseer}
+}
+
+@inproceedings{chen2016strongly,
+  title={Strongly leakage-resilient authenticated key exchange},
+  author={Chen, Rongmao and Mu, Yi and Yang, Guomin and Susilo, Willy and Guo, Fuchun},
+  booktitle={Cryptographers’ Track at the RSA Conference},
+  pages={19--36},
+  year={2016},
+  organization={Springer}
+}
+
+@article{feltz2014limits,
+  title={On the Limits of Authenticated Key Exchange Security with an Application to Bad Randomness.},
+  author={Feltz, Michele and Cremers, Cas},
+  journal={IACR Cryptology ePrint Archive},
+  volume={2014},
+  pages={369},
+  year={2014}
+}
+
+@article{katz2010one,
+  title={One-Round Password-Based Authenticated Key Exchange.},
+  author={Katz, Jonathan and Vaikuntanathan, Vinod},
+  journal={IACR Cryptology ePrint Archive},
+  volume={2010},
+  pages={368},
+  year={2010},
+  publisher={Citeseer}
+}
+
+@inproceedings{liu2013security,
+  title={Security model and analysis of FHMQV, revisited},
+  author={Liu, Shengli and Sakurai, Kouichi and Weng, Jian and Zhang, Fangguo and Zhao, Yunlei},
+  booktitle={International Conference on Information Security and Cryptology},
+  pages={255--269},
+  year={2013},
+  organization={Springer}
+}
+
+@inproceedings{jager2015security,
+  title={On the security of TLS 1.3 and QUIC against weaknesses in PKCS\# 1 v1. 5 encryption},
+  author={Jager, Tibor and Schwenk, J{\"o}rg and Somorovsky, Juraj},
+  booktitle={Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security},
+  pages={1185--1196},
+  year={2015},
+  organization={ACM}
+}
+
+@article{lan2017investigating,
+  title={Investigating the Multi-Ciphersuite and Backwards-Compatibility Security of the Upcoming TLS 1.3},
+  author={Lan, Xiao and Xu, Jing and Zhang, Zhenfeng and Zhu, Wen Tao},
+  journal={IEEE Transactions on Dependable and Secure Computing},
+  year={2017},
+  publisher={IEEE}
+}
+
+@inproceedings{dowling2015modelling,
+  title={Modelling ciphersuite and version negotiation in the TLS protocol},
+  author={Dowling, Benjamin and Stebila, Douglas},
+  booktitle={Australasian Conference on Information Security and Privacy},
+  pages={270--288},
+  year={2015},
+  organization={Springer}
+}
+
+@inproceedings{li2016multiple,
+  title={Multiple handshakes security of TLS 1.3 candidates},
+  author={Li, Xinyu and Xu, Jing and Zhang, Zhenfeng and Feng, Dengguo and Hu, Honggang},
+  booktitle={Security and Privacy (SP), 2016 IEEE Symposium on},
+  pages={486--505},
+  year={2016},
+  organization={IEEE}
+}
+
+@inproceedings{fischlin2016key,
+  title={Key confirmation in key exchange: a formal treatment and implications for TLS 1.3},
+  author={Fischlin, Marc and G{\"u}nther, Felix and Schmidt, Benedikt and Warinschi, Bogdan},
+  booktitle={Security and Privacy (SP), 2016 IEEE Symposium on},
+  pages={452--469},
+  year={2016},
+  organization={IEEE}
+}
+
+@inproceedings{bellare2000authenticated,
+  title={Authenticated key exchange secure against dictionary attacks},
+  author={Bellare, Mihir and Pointcheval, David and Rogaway, Phillip},
+  booktitle={Advances in Cryptology—EUROCRYPT 2000},
+  pages={139--155},
+  year={2000},
+  organization={Springer}
+}
+
+@inproceedings{canetti2001analysis,
+  title={Analysis of key-exchange protocols and their use for building secure channels},
+  author={Canetti, Ran and Krawczyk, Hugo},
+  booktitle={International Conference on the Theory and Applications of Cryptographic Techniques},
+  pages={453--474},
+  year={2001},
+  organization={Springer}
+}
+
+@article{blake1997key,
+  title={Key agreement protocols and their security analysis},
+  author={Blake-Wilson, Simon and Johnson, Don and Menezes, Alfred},
+  journal={Crytography and Coding},
+  pages={30--45},
+  year={1997},
+  publisher={Springer}
+}
+
+@inproceedings{blake1998authenticated,
+  title={Authenticated Diffe-Hellman key agreement protocols},
+  author={Blake-Wilson, Simon and Menezes, Alfred},
+  booktitle={International Workshop on Selected Areas in Cryptography},
+  pages={339--361},
+  year={1998},
+  organization={Springer}
+}
+
+@inproceedings{bellare1998modular,
+  title={A modular approach to the design and analysis of authentication and key exchange protocols},
+  author={Bellare, Mihir and Canetti, Ran and Krawczyk, Hugo},
+  booktitle={Proceedings of the thirtieth annual ACM symposium on Theory of computing},
+  pages={419--428},
+  year={1998},
+  organization={ACM}
+}
+
+@article{shoup1999formal,
+  title={On formal models for secure key exchange},
+  author={Shoup, Victor},
+  year={1999},
+  publisher={Citeseer}
+}
+
+@inproceedings{canetti2002universally,
+  title={Universally composable notions of key exchange and secure channels},
+  author={Canetti, Ran and Krawczyk, Hugo},
+  booktitle={International Conference on the Theory and Applications of Cryptographic Techniques},
+  pages={337--351},
+  year={2002},
+  organization={Springer}
+}
+
+@inproceedings{lincoln1998probabilistic,
+  title={A probabilistic poly-time framework for protocol analysis},
+  author={Lincoln, Patrick and Mitchell, John and Mitchell, Mark and Scedrov, Andre},
+  booktitle={Proceedings of the 5th ACM conference on Computer and communications security},
+  pages={112--121},
+  year={1998},
+  organization={ACM}
+}
+
+@inproceedings{choo2005examining,
+  title={Examining indistinguishability-based proof models for key establishment protocols},
+  author={Choo, Kim-Kwang Raymond and Boyd, Colin and Hitchcock, Yvonne},
+  booktitle={International Conference on the Theory and Application of Cryptology and Information Security},
+  pages={585--604},
+  year={2005},
+  organization={Springer}
+}
+
+@article{katz2007scalable,
+  title={Scalable protocols for authenticated group key exchange},
+  author={Katz, Jonathan and Yung, Moti},
+  journal={Journal of Cryptology},
+  volume={20},
+  number={1},
+  pages={85--113},
+  year={2007},
+  publisher={Springer}
+}
+
+@inproceedings{katz2002forward,
+  title={Forward secrecy in password-only key exchange protocols},
+  author={Katz, Jonathan and Ostrovsky, Rafail and Yung, Moti},
+  booktitle={International Conference on Security in Communication Networks},
+  pages={29--44},
+  year={2002},
+  organization={Springer}
+}
+
+@article{cheng2005indistinguishability,
+  title={On The Indistinguishability-Based Security Model of Key Agreement Protocols-Simple Cases.},
+  author={Cheng, Zhaohui and Nistazakis, Manos and Comley, Richard and Vasiu, Luminita},
+  journal={IACR Cryptology ePrint Archive},
+  volume={2005},
+  pages={129},
+  year={2005},
+  publisher={Citeseer}
+}
+
+@inproceedings{morrissey2008modular,
+  title={A modular security analysis of the TLS handshake protocol},
+  author={Morrissey, Paul and Smart, Nigel P and Warinschi, Bogdan},
+  booktitle={International Conference on the Theory and Application of Cryptology and Information Security},
+  pages={55--73},
+  year={2008},
+  organization={Springer}
+}
+
+@inproceedings{boyd2003deniable,
+  title={Deniable authenticated key establishment for internet protocols},
+  author={Boyd, Colin and Mao, Wenbo and Paterson, Kenneth G},
+  booktitle={International Workshop on Security Protocols},
+  pages={255--271},
+  year={2003},
+  organization={Springer}
+}
+
+@inproceedings{groce2010new,
+  title={A new framework for efficient password-based authenticated key exchange},
+  author={Groce, Adam and Katz, Jonathan},
+  booktitle={Proceedings of the 17th ACM conference on Computer and communications security},
+  pages={516--525},
+  year={2010},
+  organization={ACM}
+}
+
+@article{mackenzie2001security,
+  title={On the Security of the SPEKE Password-Authenticated Key Exchange Protocol.},
+  author={MacKenzie, Philip},
+  journal={IACR Cryptology ePrint Archive},
+  volume={2001},
+  pages={57},
+  year={2001}
+}
+
+@inproceedings{sarr2010new,
+  title={A new security model for authenticated key agreement},
+  author={Sarr, Augustin P and Elbaz-Vincent, Philippe and Bajard, Jean-Claude},
+  booktitle={International Conference on Security and Cryptography for Networks},
+  pages={219--234},
+  year={2010},
+  organization={Springer}
+}
+
+@phdthesis{katz2002efficient,
+  title={Efficient Cryptographic Protocols Preventing “Man-in-the-Middle” Attacks},
+  author={Katz, Jonathan},
+  year={2002},
+  school={COLUMBIA UNIVERSITY}
+}
+
+@article{goldreich2006session,
+  title={Session-key generation using human passwords only},
+  author={Goldreich, Oded and Lindell, Yehuda},
+  journal={Journal of Cryptology},
+  volume={19},
+  number={3},
+  pages={241--340},
+  year={2006},
+  publisher={Springer}
+}
+
+@inproceedings{choo2005security,
+  title={Security requirements for key establishment proof models: revisiting Bellare--Rogaway and Jeong--Katz--Lee protocols},
+  author={Choo, Kim-Kwang Raymond and Hitchcock, Yvonne},
+  booktitle={Australasian Conference on Information Security and Privacy},
+  pages={429--442},
+  year={2005},
+  organization={Springer}
+}
+
+@inproceedings{kusters2011composition,
+  title={Composition theorems without pre-established session identifiers},
+  author={K{\"u}sters, Ralf and Tuengerthal, Max},
+  booktitle={Proceedings of the 18th ACM conference on Computer and communications security},
+  pages={41--50},
+  year={2011},
+  organization={ACM}
+}
+
+@inproceedings{bresson2007security,
+  title={On security models and compilers for group key exchange protocols},
+  author={Bresson, Emmanuel and Manulis, Mark and Schwenk, J{\"o}rg},
+  booktitle={International Workshop on Security},
+  pages={292--307},
+  year={2007},
+  organization={Springer}
+}
+
+@article{morrissey2010tls,
+  title={The TLS handshake protocol: A modular analysis},
+  author={Morrissey, Paul and Smart, Nigel P and Warinschi, Bogdan},
+  journal={Journal of Cryptology},
+  volume={23},
+  number={2},
+  pages={187--223},
+  year={2010},
+  publisher={Springer}
+}
+
+@inproceedings{brzuska2011composability,
+  title={Composability of Bellare-Rogaway key exchange protocols},
+  author={Brzuska, Christina and Fischlin, Marc and Warinschi, Bogdan and Williams, Stephen C},
+  booktitle={Proceedings of the 18th ACM conference on Computer and communications security},
+  pages={51--62},
+  year={2011},
+  organization={ACM}
+}
+
+@inproceedings{tin2003provably,
+  title={Provably secure mobile key exchange: Applying the Canetti-Krawczyk approach},
+  author={Tin, Yiu Shing Terry and Boyd, Colin and Nieto, Juan Manuel Gonz{\'a}lez},
+  booktitle={Australasian Conference on Information Security and Privacy},
+  pages={166--179},
+  year={2003},
+  organization={Springer}
+}
+
+@phdthesis{choo2006key,
+  title={Key Establishment: Proofs and Refutations},
+  author={Choo, Kim-Kwang Raymond},
+  year={2006},
+  school={Queensland University of Technology}
+}
+
+@inproceedings{zhang2010deniable,
+  title={A deniable group key establishment protocol in the standard model},
+  author={Zhang, Yazhe and Wang, Kunpeng and Li, Bao},
+  booktitle={International Conference on Information Security Practice and Experience},
+  pages={308--323},
+  year={2010},
+  organization={Springer}
+}
+
+@article{hitchcock2006modular,
+  title={Modular proofs for key exchange: rigorous optimizations in the Canetti--Krawczyk model},
+  author={Hitchcock, Yvonne and Boyd, Colin and Gonz{\'a}lez Nieto, Juan Manuel},
+  journal={Applicable Algebra in Engineering, Communication and Computing},
+  volume={16},
+  number={6},
+  pages={405--438},
+  year={2006},
+  publisher={Springer}
+}
+
+@article{jager2011standard,
+  title={A Standard-Model Security Analysis of TLS-DHE.},
+  author={Jager, Tibor and Kohlar, Florian and Sch{\"a}ge, Sven and Schwenk, J{\"o}rg},
+  journal={IACR Cryptology ePrint Archive},
+  volume={2011},
+  number={219},
+  year={2011}
+}
+
+@incollection{jager2012security,
+  title={On the security of TLS-DHE in the standard model},
+  author={Jager, Tibor and Kohlar, Florian and Sch{\"a}ge, Sven and Schwenk, J{\"o}rg},
+  booktitle={Advances in Cryptology--CRYPTO 2012},
+  pages={273--293},
+  year={2012},
+  publisher={Springer}
+}
+
+### INCOMPLETE, financial crypto 2017
+@article{dodisunilaterally,
+  title={Unilaterally-Authenticated Key Exchange},
+  author={Dodis, Yevgeniy and Fiore, Dario}
+}
+
+@inproceedings{bhargavan2017content,
+  title={Content Delivery over TLS: A Cryptographic Analysis of Keyless SSL},
+  author={Bhargavan, Karthikeyan and Boureanu, IC and Fouque, Pierre-Alain and Onete, Cristina and Richard, Benjamin},
+  booktitle={Proceedings of the 2nd IEEE European Symposium on Security and Privacy},
+  year={2017}
+}
+
+@inproceedings{gunther20170,
+  title={0-RTT Key Exchange with Full Forward Secrecy},
+  author={G{\"u}nther, Felix and Hale, Britta and Jager, Tibor and Lauer, Sebastian},
+  booktitle={Annual International Conference on the Theory and Applications of Cryptographic Techniques},
+  pages={519--548},
+  year={2017},
+  organization={Springer}
+}
+
+# Attacks and Real-World Protocols
+
+@inproceedings{lauter2006security,
+  title={Security analysis of KEA authenticated key exchange protocol},
+  author={Lauter, Kristin and Mityagin, Anton},
+  booktitle={Public Key Cryptography},
+  volume={3958},
+  pages={378--394},
+  year={2006},
+  organization={Springer}
+}
+
+@inproceedings{jager2015practical,
+  title={Practical invalid curve attacks on TLS-ECDH},
+  author={Jager, Tibor and Schwenk, J{\"o}rg and Somorovsky, Juraj},
+  booktitle={European Symposium on Research in Computer Security},
+  pages={407--425},
+  year={2015},
+  organization={Springer}
+}
+
+@inproceedings{bhargavan2016transcript,
+  title={Transcript collision attacks: Breaking authentication in TLS, IKE, and SSH},
+  author={Bhargavan, Karthikeyan and Leurent, Ga{\"e}tan},
+  booktitle={Network and Distributed System Security Symposium--NDSS 2016},
+  year={2016}
+}
+
+@inproceedings{bhargavan2016downgrade,
+  title={Downgrade resilience in key-exchange protocols},
+  author={Bhargavan, Karthikeyan and Brzuska, Christina and Fournet, C{\'e}dric and Green, Matthew and Kohlweiss, Markulf and Zanella-B{\'e}guelin, Santiago},
+  booktitle={Security and Privacy (SP), 2016 IEEE Symposium on},
+  pages={506--525},
+  year={2016},
+  organization={IEEE}
+}
+
+@inproceedings{aviram2016drown,
+  title={DROWN: breaking TLS using SSLv2},
+  author={Aviram, Nimrod and Schinzel, Sebastian and Somorovsky, Juraj and Heninger, Nadia and Dankel, Maik and Steube, Jens and Valenta, Luke and Adrian, David and Halderman, J Alex and Dukhovni, Viktor and others},
+  booktitle={25th USENIX Security Symposium (USENIX Security 16)(Aug. 2016)},
+  year={2016}
+}
+
+@inproceedings{meyer2014revisiting,
+  title={Revisiting SSL/TLS Implementations: New Bleichenbacher Side Channels and Attacks.},
+  author={Meyer, Christopher and Somorovsky, Juraj and Weiss, Eugen and Schwenk, J{\"o}rg and Schinzel, Sebastian and Tews, Erik},
+  booktitle={USENIX Security},
+  volume={14},
+  pages={733--748},
+  year={2014}
+}
+
+@inproceedings{albrecht2016lucky,
+  title={Lucky Microseconds: A timing attack on amazon’s s2n implementation of TLS},
+  author={Albrecht, Martin R and Paterson, Kenneth G},
+  booktitle={Annual International Conference on the Theory and Applications of Cryptographic Techniques},
+  pages={622--643},
+  year={2016},
+  organization={Springer}
+}
+
+@inproceedings{garman2015attacks,
+  title={Attacks Only Get Better: Password Recovery Attacks Against RC4 in TLS.},
+  author={Garman, Christina and Paterson, Kenneth G and Van der Merwe, Thyla},
+  booktitle={USENIX Security},
+  pages={113--128},
+  year={2015}
+}
+
+@article{kaliski2001unknown,
+  title={An unknown key-share attack on the MQV key agreement protocol},
+  author={Kaliski Jr, Burton S},
+  journal={ACM Transactions on Information and System Security (TISSEC)},
+  volume={4},
+  number={3},
+  pages={275--288},
+  year={2001},
+  publisher={ACM}
+}
+
+@inproceedings{giesen2013security,
+  title={On the security of TLS renegotiation},
+  author={Giesen, Florian and Kohlar, Florian and Stebila, Douglas},
+  booktitle={Proceedings of the 2013 ACM SIGSAC conference on Computer \& communications security},
+  pages={387--398},
+  year={2013},
+  organization={ACM}
+}
+
+@incollection{krawczyk2013security,
+  title={On the security of the TLS protocol: A systematic analysis},
+  author={Krawczyk, Hugo and Paterson, Kenneth G and Wee, Hoeteck},
+  booktitle={Advances in Cryptology--CRYPTO 2013},
+  pages={429--448},
+  year={2013},
+  publisher={Springer}
+}
+
+# Verified Implementations
+
+@article{bhargavan2016mitls,
+  title={miTLS: Verifying Protocol Implementations against Real-World Attacks},
+  author={Bhargavan, Karthikeyan and Fournet, Cedric and Kohlweiss, Markulf},
+  journal={IEEE Security \& Privacy},
+  volume={14},
+  number={6},
+  pages={18--25},
+  year={2016},
+  publisher={IEEE}
+}
+
+@inproceedings{kusters2009using,
+  title={Using ProVerif to analyze protocols with Diffie-Hellman exponentiation},
+  author={K{\"u}sters, Ralf and Truderung, Tomasz},
+  booktitle={Computer Security Foundations Symposium, 2009. CSF'09. 22nd IEEE},
+  pages={157--171},
+  year={2009},
+  organization={IEEE}
+}
+
+@inproceedings{barthe2015mind,
+  title={Mind the gap: Modular machine-checked proofs of one-round key exchange protocols},
+  author={Barthe, Gilles and Crespo, Juan Manuel and Lakhnech, Yassine and Schmidt, Benedikt},
+  booktitle={Annual International Conference on the Theory and Applications of Cryptographic Techniques},
+  pages={689--718},
+  year={2015},
+  organization={Springer}
+}
+
+@article{delignattowards,
+  title={Towards a Provably Secure Implementation of TLS 1.3},
+  author={Delignat, Benjamin Beurdouche Karthikeyan Bhargavan Antoine and Ishtiaq, Lavaud C{\'e}dric Fournet Samin and Swamy, Markulf Kohlweiss Jonathan Protzenko Nikhil and Zinzindohou{\'e}, Santiago Zanella-B{\'e}guelin Jean Karim}
+}
+
+@article{bhargavan2016implementing,
+  title={Implementing and Proving the TLS 1.3 Record Layer},
+  author={Bhargavan, Karthikeyan and Delignat-Lavaud, Antoine and Fournet, Cédric and Kohlweiss, Markulf and Pan, Jianyang and Protzenko, Jonathan and Rastogi, Aseem and Swamy, Nikhil and Zanella-Béguelin, Santiago and Zinzindohoué, Jean Karim},
+  year={2016}
+}
+
+@inproceedings{bhargavan2016proscript,
+  title={ProScript TLS: Building a TLS 1.3 Implementation with a Verifiable Protocol Model},
+  author={Bhargavan, Karthikeyan and Kobeissi, Nadim and Blanchet, Bruno},
+  booktitle={TRON Workshop-TLS 1.3, Ready Or Not},
+  year={2016}
+}
+
+@inproceedings{beurdouche2015messy,
+  title={A messy state of the union: Taming the composite state machines of TLS},
+  author={Beurdouche, Benjamin and Bhargavan, Karthikeyan and Delignat-Lavaud, Antoine and Fournet, C{\'e}dric and Kohlweiss, Markulf and Pironti, Alfredo and Strub, Pierre-Yves and Zinzindohoue, Jean Karim},
+  booktitle={Security and Privacy (SP), 2015 IEEE Symposium on},
+  pages={535--552},
+  year={2015},
+  organization={IEEE}
+}
+
+@inproceedings{somorovsky2016systematic,
+  title={Systematic fuzzing and testing of TLS libraries},
+  author={Somorovsky, Juraj},
+  booktitle={Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security},
+  pages={1492--1504},
+  year={2016},
+  organization={ACM}
+}
+
+@book{cremers2006scyther,
+  title={Scyther: Semantics and verification of security protocols},
+  author={Cremers, Casimier Joseph Franciscus},
+  year={2006},
+  publisher={Eindhoven University of Technology Eindhoven, Netherlands}
+}
+
+@article{goubault2000method,
+  title={A method for automatic cryptographic protocol verification},
+  author={Goubault-Larrecq, Jean},
+  journal={Parallel and Distributed Processing},
+  pages={977--984},
+  year={2000},
+  publisher={Springer}
+}
+
+@techreport{bella2000inductive,
+  title={Inductive verification of cryptographic protocols},
+  author={Bella, Giampaolo},
+  year={2000},
+  institution={University of Cambridge, Computer Laboratory}
+}
+
+# Standards
+
+@techreport{kaufman2014internet,
+  title={Internet key exchange protocol version 2 (IKEv2)},
+  author={Kaufman, Charlie and Hoffman, Paul and Nir, Yoav and Eronen, Parsi and Kivinen, T},
+  year={2014}
+}
+
+@incollection{paterson2016reactive,
+  title={Reactive and Proactive Standardisation of TLS},
+  author={Paterson, Kenneth G and van der Merwe, Thyla},
+  booktitle={Security Standardisation Research},
+  pages={160--186},
+  year={2016},
+  publisher={Springer}
+}
+
+# General, Measurement, etc.
+
+### INCOMPLETE, financial crypto 2017
+@article{samarasinghe2017short,
+  title={Short Paper: TLS Ecosystems in Networked Devices vs. Web Servers},
+  author={Samarasinghe, Nayanamana and Mannan, Mohammad},
+  year={2017}
+}
+
+### INCOMPLETE, financial crypto 2017
+@article{chothiabanker,
+  title={Why Banker Bob (still) Can’t Get TLS Right: A Security Analysis of TLS in Leading UK Banking Apps},
+  author={Chothia, Tom and Garcia, Flavio D and Heppel, Chris and Stone, Chris McMahon}
+}
+
+@phdthesis{levillain2016study,
+  title={A study of the TLS ecosystem},
+  author={Levillain, Olivier},
+  year={2016},
+  school={Institut National des T{\'e}l{\'e}communications}
+}
+
+@inproceedings{springall2016measuring,
+  title={Measuring the Security Harm of TLS Crypto Shortcuts},
+  author={Springall, Drew and Durumeric, Zakir and Halderman, J Alex},
+  booktitle={Proceedings of the 2016 ACM on Internet Measurement Conference},
+  pages={33--47},
+  year={2016},
+  organization={ACM}
+}