Okamoto-Tanaka Revisited: Fully Authenticated Diffie-Hellman with Minimal Overhead

This paper investigates the question of whether a key agreement protocol with the same communication complexity as the original Diffie-Hellman protocol (DHP) (two messages with a single group element per message), and similar low computational overhead, can achieve forward secrecy against active attackers in a provable way.We answer this question in the affirmative by resorting to an old and elegant key agreement protocol: the Okamoto-Tanaka protocol [22]. We analyze a variant of the protocol (denoted mOT) which achieves the above goal. Moreover, due to the identity-based properties of mOT, even the sending of certificates (typical for authenticated DHPs) can be avoided in the protocol. As additional contributions, we apply our analysis to prove the security of a recent multi-domain extension of the Okamoto-Tanaka protocol by Schridde et al. and show how to adapt mOT to the (non id-based) certificate-based setting.

[1]  Whitfield Diffie,et al.  New Directions in Cryptography , 1976, IEEE Trans. Inf. Theory.

[2]  Paulo S. L. M. Barreto,et al.  A New Two-Party Identity-Based Authenticated Key Agreement , 2005, CT-RSA.

[3]  Eike Kiltz,et al.  The Group of Signed Quadratic Residues and Applications , 2009, CRYPTO.

[4]  Colin Boyd,et al.  Security of Two-Party Identity-Based Key Agreement , 2005, Mycrypt.

[5]  Eric Rescorla,et al.  SSL and TLS: Designing and Building Secure Systems , 2000 .

[6]  Ivan Damgård,et al.  Towards Practical Public Key Systems Secure Against Chosen Ciphertext Attacks , 1991, CRYPTO.

[7]  Liqun Chen,et al.  Identity-based key agreement protocols from pairings , 2017, International Journal of Information Security.

[8]  Mihir Bellare,et al.  The Knowledge-of-Exponent Assumptions and 3-Round Zero-Knowledge Protocols , 2004, CRYPTO.

[9]  Oded Goldreich,et al.  On the Security of Modular Exponentiation with Application to the Construction of Pseudorandom Generators , 2003, Journal of Cryptology.

[10]  Kenneth G. Paterson,et al.  Key Agreement Using Statically Keyed Authenticators , 2004, ACNS.

[11]  Dongho Won,et al.  On the Security of the Okamoto-Tanaka ID-Based Key Exchange Scheme against Active Attacks , 2000 .

[12]  Bernd Freisleben,et al.  An Identity-Based Key Agreement Protocol for the Network Layer , 2008, SCN.

[13]  Hugo Krawczyk,et al.  HMQV: A High-Performance Secure Diffie-Hellman Protocol , 2005, CRYPTO.

[14]  Masahiro Mambo,et al.  A Note on the Complexity of Breaking Okamoto-Tanaka ID-Based Key Exchange Scheme , 1998, Public Key Cryptography.

[15]  Hugo Krawczyk,et al.  SKEME: a versatile secure key exchange mechanism for Internet , 1996, Proceedings of Internet Society Symposium on Network and Distributed Systems Security.

[16]  Diana K. Smetters,et al.  Domain-Based Administration of Identity-Based Cryptosystems for Secure Email and IPSEC , 2003, USENIX Security Symposium.

[17]  Ronald L. Rivest,et al.  Lightweight email signatures , 2006 .

[18]  Ueli Maurer,et al.  Diffie-Hellman Oracles , 1996, CRYPTO.

[19]  Moti Yung,et al.  How to share a function securely , 1994, STOC '94.

[20]  Rolf Blom,et al.  An Optimal Class of Symmetric Key Generation Systems , 1985, EUROCRYPT.

[21]  Hugo Krawczyk,et al.  Universally Composable Notions of Key Exchange and Secure Channels , 2002, EUROCRYPT.

[22]  Victor Shoup,et al.  Lower Bounds for Discrete Logarithms and Related Problems , 1997, EUROCRYPT.

[23]  Victor Shoup,et al.  On Formal Models for Secure Key Exchange , 1999, IACR Cryptol. ePrint Arch..

[24]  Adi Shamir,et al.  Identity-Based Cryptosystems and Signature Schemes , 1984, CRYPTO.

[25]  Adi Shamir,et al.  The Discrete Logarithm Modulo a Composite Hides O(n) Bits , 1993, J. Comput. Syst. Sci..

[26]  Eiji Okamoto,et al.  Key Distribution Systems Based on Identification Information , 1987, CRYPTO.

[27]  Zhang Ya-juan,et al.  An identity-based key-exchange protocol , 2008, Wuhan University Journal of Natural Sciences.

[28]  Toshiaki Tanaka,et al.  On the Existence of 3-Round Zero-Knowledge Protocols , 1998, CRYPTO.

[29]  Hugo Krawczyk,et al.  Analysis of Key-Exchange Protocols and Their Use for Building Secure Channels , 2001, EUROCRYPT.

[30]  Hugo Krawczyk,et al.  SIGMA: The 'SIGn-and-MAc' Approach to Authenticated Diffie-Hellman and Its Use in the IKE-Protocols , 2003, CRYPTO.

[31]  Antoine Joux,et al.  A One Round Protocol for Tripartite Diffie–Hellman , 2000, Journal of Cryptology.

[32]  Liqun Chen,et al.  Identity based authenticated key agreement protocols from pairings , 2003, 16th IEEE Computer Security Foundations Workshop, 2003. Proceedings..

[33]  Alfred Menezes,et al.  Handbook of Applied Cryptography , 2018 .

[34]  Paul C. van Oorschot,et al.  Authentication and authenticated key exchanges , 1992, Des. Codes Cryptogr..

[35]  Alfred Menezes,et al.  An Efficient Protocol for Authenticated Key Agreement , 2003, Des. Codes Cryptogr..

[36]  Adi Shamir,et al.  On the generation of cryptographically strong pseudorandom sequences , 1981, TOCS.

[37]  Eiji Okamoto,et al.  Key distribution system based on identification information , 1989, IEEE J. Sel. Areas Commun..

[38]  Gene Tsudik,et al.  Beyond Secret Handshakes: Affiliation-Hiding Authenticated Key Exchange , 2008, CT-RSA.