A. , D. Bhargavan, K. Durumeric, Z. Gaudry, P. Green et al., Imperfect forward secrecy: How Diffie- Hellman fails in practice, Proceedings of ACM CCS, pp.2015-2020, 2015.
URL : https://hal.archives-ouvertes.fr/hal-01184171

A. , N. Bernstein, D. Paterson, K. Poettering, B. And-schuldt et al., On the security of RC4 in TLS and WPA, USENIX Security Symposium, 2013.

A. , N. And-paterson, and K. , Plaintext-recovery attacks against datagram TLS, Network and Distributed System Security Symposium (NDSS'12), 2012.

A. , N. And-paterson, and K. , Lucky thirteen: Breaking the TLS and DTLS record protocols, IEEE Symposium on Security and Privacy (SP'13), 2013.

A. Delignat-lavaud, A. Bhargavan, and K. , Network-based Origin Confusion Attacks against HTTPS Virtual Hosting, Proceedings of the 24th International Conference on World Wide Web, WWW '15, pp.227-237, 2015.
DOI : 10.1145/2659897

URL : https://hal.archives-ouvertes.fr/hal-01114246

A. , M. Mancini, L. I. Ritter, E. And-ryan, and M. , Privacy through pseudonymity in mobile telephony systems, 21st Annual Network and Distributed System Security Symposium, 2014.

A. , M. Mancini, L. I. Ritter, E. Ryan, M. Golde et al., New privacy issues in mobile telephony: fix and verification, ACM Conference on Computer and Communications Security, pp.205-216, 2012.

A. , M. Mancini, L. I. Ritter, E. Ryan, M. Golde et al., New privacy issues in mobile telephony: fix and verification, the ACM Conference on Computer and Communications Security, CCS'12, pp.205-216, 2012.

A. , M. Ritter, E. And-ryan, and M. D. , Statverif: Verification of stateful processes, Proceedings of the 24th IEEE Computer Security Foundations Symposium, CSF 2011, pp.33-47, 2011.

A. , G. Herzberg, A. Krawczyk, H. And-tsudik, and G. , Untraceable mobility or how to travel incognito, Elsevier Computer Networks, pp.871-884, 1999.

A. Bar-on, Improved Higher-Order Differential Attacks on MISTY1, Fast Software Encryption -22nd International Workshop, FSE 2015, pp.28-47, 2015.
DOI : 10.1007/978-3-662-48116-5_2

B. , M. Kilian, J. And-rogaway, and P. , The security of the cipher block chaining message authentication code, J. Comput. Syst. Sci, vol.61, issue.3, pp.362-399, 2000.

B. , M. And-namprempre, and C. , Authenticated encryption: Relations among notions and analysis of the generic composition paradigm, Advances in Cryptology -ASI- ACRYPT 6th International Conference on the Theory and Application of Cryptology and Information Security, pp.531-545, 2000.

B. , M. Pointcheval, D. And-rogaway, and P. , Authenticated key exchange secure against dictionary attacks, Advances in Cryptology -EUROCRYPT 2000, International Conference on the Theory and Application of Cryptographic Techniques, pp.139-155, 2000.

B. , M. And-rogaway, and P. , Entity authentication and key distribution, Advances in Cryptology -CRYPTO '93, 13th Annual International Cryptology, pp.232-249, 1993.

B. , M. And-rogaway, and P. , Entity authentication and key distribution, In CRYPTO, 1993.

B. , M. And-rogaway, and P. , Provably secure session key distribution: the three party case, Proceedings of the Twenty-Seventh Annual ACM Symposium on Theory of Computing, pp.57-66, 1995.

B. , B. Bhargavan, K. Antoine-delignat-lavaud, F. , C. Kohlweiss et al., A messy state of the union: Taming the composite state machines of TLS, Proceedings of IEEE S&P, p.2015, 2015.
URL : https://hal.archives-ouvertes.fr/hal-01114250

B. , G. Daemen, J. Peeters, M. And-assche, and G. , Keccak specification, In NIST Specifications, 2008.

B. , G. Daemen, J. Peeters, M. And-assche, and G. , On the indifferentiability of the sponge construction, Advances in Cryptology -EUROCRYPT 2008, 27th Annual International Conference on the Theory and Applications of Cryptographic Techniques, pp.181-197, 2008.

B. , B. Bhargavan, K. Delignat-lavaud, A. Fournet, C. Kohlweiss et al., A messy state of the union: Taming the composite state machines of TLS, Proceedings of IEEE S&P, p.2015, 2015.
URL : https://hal.archives-ouvertes.fr/hal-01114250

B. , K. Delignat-lavaud, A. Fournet, C. Pironti, A. And-strub et al., Triple handshakes and cookie cutters: Breaking and fixing authentication over TLS, Proceedings of IEEE S&P, p.2014, 2014.
URL : https://hal.archives-ouvertes.fr/hal-01102259

B. , K. Fournet, C. Kohlweiss, M. Pironti, A. And-strub et al., Implementing TLS with verified cryptopgrahic security, Proceedings of IEEE S&P 2013, 2013.

B. , K. Fournet, C. Kohlweiss, M. Pironti, A. Strub et al., Proving the TLS handshake secure (as it is), Advances in Cryptology -CRYPTO 2014 -34th Annual Cryptology Conference, Proceedings (2014), pp.235-255978
URL : https://hal.archives-ouvertes.fr/hal-01102229

B. , K. And-leurent, and G. , Transcript collision attacks: Breaking authentication in TLS, IKE, and SSH, Accepted at NDSS 2016, 2016.

B. , E. Dunkelman, O. And-keller, and N. , A related-key rectangle attack on the full KASUMI, Advances in Cryptology -ASIACRYPT 2005, 11th International Conference on the Theory and Application of Cryptology and Information Security, pp.443-461, 2005.

B. Blanchet and B. Blanchet, An efficient cryptographic protocol verifier based on prolog rules Automatic verification of security protocols in the symbolic model: The verifier proverif. In Foundations of Security Analysis and Design VII -FOSAD 2012, Tutorial Lectures, pp.14-82, 2001.

B. , C. Fischlin, M. Smart, N. Warinschi, B. And-williams et al., Less is more: Relaxed yet composable security notions for key exchange, International Journal of Information Security, vol.12, issue.4, 2013.

B. , C. Kon-jacobsen, H. And-stebila, and D. , Safely exporting keys from secure channels: on the security of EAP-TLS and TLS key exporters, EuroCrypt, 2016.

C. , R. And-krawczyk, and H. , Universally composable notions of key exchange and secure channels, Advances in Cryptology -EUROCRYPT 2002, International Conference on the Theory and Applications of Cryptographic Techniques, pp.337-351, 2002.

C. , R. And-krawczyk, and H. , Universally composable notions of key exchange and secure channels, Proceedings of EUROCRYPT'02, 2002.

C. , B. Hiltgen, A. Vaudenay, S. And, and M. Vuagnoux, Password interception in a SSL/TLS channel, Proceedings of CRYPTO 2003, 2003.

D. , T. And-rescorla, and E. , The transport layer security (TLS) protocol version 1.2. RFC 5246, 2008.

D. , B. Fischlin, M. Unther, F. And-stebila, and D. , A cryptographic analysis of the TLS 1.3 handshake protocol candidates, In ACM CCS, pp.1197-1210, 2015.

D. , O. Keller, N. And-shamir, and A. , A practical-time related-key attack on the KASUMI cryptosystem used in GSM and 3g telephony, Advances in Cryptology -CRYPTO 2010, 30th Annual Cryptology Conference, Proceedings (2010), pp.393-410978

G. , M. Iyengar, S. , J. , S. Anubhai et al., The most dangerous code in the world: Validating SSL certificates in non-browser software, Proceedings of ACM CCS'12, 2012.

G. , C. Shapiro, J. And-burd, and D. , Terminating ssl connections without locallyaccessible private keys, p.75, 2013.

G. , F. Kohlar, F. And-stebila, and D. , On the security of TLS renegotiation, 2013.

H. , C. Sundararajan, M. Datta, A. Derek, A. And-mitchell et al., A modular correctness proof of IEEE 802.11i and TLS, Proceedings of ACM CCS'05, 2005.

H. , J. Pashalidis, A. Vercauteren, F. And-preneel, and B. , A new RFID privacy model, Computer Security -ESORICS 2011 -16th European Symposium on Research in Computer Security Proceedings (2011), pp.568-587, 2011.

J. , T. Kohlar, F. Schage, S. And, and J. Schwenk, On the security of TLS- DHE in the standard model, Advances in Cryptology -CRYPTO 2012 -32nd Annual Cryptology Conference, Proceedings (2012), pp.273-293978

J. , T. Kohlar, F. Sch¨agesch¨-sch¨age, S. And-schwenk, and J. , On the security of TLS-DHE in the standard model, Proceedings of CRYPTO 2012, 2012.

J. , J. , A. Kaliski-jr, and B. , On the security of RSA encryption in TLS, Proceedings of CRYPTO 2002, 2002.

K. and S. Ip, Encapsulating Security Payload (ESP), RFC 4303, In RFC Editor, 2005.

K. , H. Bellare, M. And-canetti, and R. , HMAC: Keyed-Hashing for Message Authentication, RFC 2104, updated by RFC 6151, In RFC Editor, 1997.

K. , H. Paterson, K. G. And-wee, and H. , On the security of the TLS protocol: A systematic analysis, Advances in Cryptology -CRYPTO 2013 -33rd Annual Cryptology Conference, Proceedings (2013), pp.429-448

K. , H. And-wee, H. , O. Gourdin, B. And-debar et al., The OPTLS protocol and tls 1.3 TLS record protocol: Security analysis and defense-in-depth countermeasures, Proceedings of Euro S&P (2016), IEEE Proceedings of ACM ASIACCS, p.2015, 2015.

M. , U. And-tackmann, and B. , On the soundness of Authenticate-then-Encrypt: Formalizing the malleability of symmetric encryption, Proceedings on ACM CCS, p.10, 2010.

M. , U. Tackmann, B. And-coretti, and S. , Key exchange with unilateral authentication: Composable security definition and modular protocol design, Cryptology ePrint Archive, vol.555, 2013.

M. , D. A. And-viega, and J. , The security and performance of the galois/counter mode (GCM) of operation, Progress in Cryptology -INDOCRYPT 2004, 5th International Conference on Cryptology in India, pp.343-355978, 2004.

M. Lee, N. P. Smart, B. Warinschi, and G. J. Watson, Anonymity guarantees of the UMTS/LTE authentication and connection protocol, International Journal of Information Security, vol.4, issue.2, pp.513-527, 2014.
DOI : 10.1109/TWC.2004.842941

M. , S. F. And-tsay, and J. , Computational security analysis of the UMTS and LTE authentication and key agreement protocols, 2012.

M. , P. Smart, N. And-warinschi, and B. , A modular security analysis of the TLS handshake protocol, Proceedings of ASIACRYPT 2008, 2008.

M. , P. Smart, N. P. And-warinschi, and B. , The TLS handshake protocol: A modular analysis, J. Cryptology, vol.23, issue.2, pp.187-223, 2010.

N. , D. Schomp, K. Varvello, M. Leontiadis, I. Blackburn et al., Multi-Context TLS (mcTLS): Enabling Secure In-Network Functionality in TLS, Proceedings of SIGCOMM 2015, 2015.

P. , R. And-vaudenay, and S. , Mutual authentication in RFID: Security and privacy, Proc. on the 3 rd ACM Symposium on Information, Computer and Communications Security, pp.292-299, 2008.

P. , K. Ristenpart, T. And-shrimpton, and T. , Tag size does matter: Attacks and proofs for the TLS record protocol, Advances in Cryptology ? ASIACRYPT 2011, 2011.

P. , A. And, and M. Hansen, Anonymity, unlinkability, undetectability, unobservability , pseudonymity, and identity management ? a consolidated proposal for terminology

R. , U. D. Fischlin, M. Kasper, M. And-onete, and C. , A formal approach to distance bounding RFID protocols, Proceedings of the 14 th Information Security Conference ISC 2011, pp.47-62, 2011.

S. , M. Khan, A. And-mitchell, and C. J. , Another look at privacy threats in 3G mobile telephony

S. , D. , A. Sullivan, and N. , An analysis of TLS handshake proxying, p.2015, 2015.

T. , J. And-mjølsnes, and S. F. , A vulnerability in the UMTS and LTE authentication and key agreement protocols, Computer Network Security -6th International Conference on Mathematical Methods, Models and Architectures for Computer Network Security, MMM-ACNS. Proceedings, pp.978-981, 2012.

U. Meyer and S. Wetzel, A man-in-the-middle attack on UMTS, Proceedings of the 2004 ACM workshop on Wireless security , WiSe '04, pp.90-97, 2004.
DOI : 10.1145/1023646.1023662

F. Van-den-broek, R. Verdult, . And, and J. De-ruiter, Defeating IMSI Catchers, Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security, CCS '15, pp.340-351, 2015.
DOI : 10.1145/2664243.2664272

W. , D. And-schneier, and B. , Analysis of the SSL 3.0 protocol, USENIX Workshop on Electronic Commerce, 1996.

Z. Ahmadian, . Somayeh, A. Salimi, and . Salahi, New attacks on UMTS network access, 2009 Wireless Telecommunications Symposium, pp.1-6, 2009.
DOI : 10.1109/WTS.2009.5068979