Okamoto-Tanaka Revisited: Fully Authenticated Diffie-Hellman with Minimal Overhead
Lecture Notes in Computer Science
The Diffie-Hellman protocol (DHP) is one of the most studied protocols in cryptography. Much work has been dedicated to armoring the original protocol against active attacks while incurring a minimal performance overhead relative to the basic (unauthenticated) DHP. This line of work has resulted in some remarkable protocols, e.g., MQV, where the protocol's communication cost is identical to that of the basic DHP and the computation overhead is small. Unfortunately, MQV and similar 2-message "implicitly authenticated" protocols do not achieve full security against active attacks since they cannot provide forward secrecy (PFS), a major security goal of DHP, against active attackers. In this paper we investigate the question of whether one can push the limits of authenticated DHPs even further, namely, to achieve communication complexity as in the original DHP (two messages with a single group element per message), maintain low computational overhead, and yet achieve full PFS against active attackers in a provable way. We answer this question in the affirmative by resorting to an old and elegant key agreement protocol: the Okamoto-Tanaka protocol. We present a variant of the protocol (denoted mOT) which achieves the above minimal communication, incurs a computational overhead relative to the basic DHP that is practically negligible, and yet achieves full provable key agreement security, including PFS, against active attackers. Moreover, due to the identity-based properties of mOT, even the sending of certificates (typical for authenticated DHPs) can be avoided in the protocol. As additional contributions, we apply our analysis to prove the security of a recent multi-domain extension of the Okamoto-Tanaka protocol by Schridde et al. and show how to adapt mOT to the (non id-based) certificate-based setting.

Since the invention of the Diffie-Hellman protocol (DHP), much work has been dedicated to armoring the protocol against active ("man in the middle") attacks. Designing authenticated Diffie-Hellman protocols has proved to be very challenging at the design and analysis level, especially when trying to optimize performance (both computation and communication). This line of work has been important not only from the practical point of view but also for understanding the essential limits of providing authentication to the DHP.
In particular, it has been shown that one can obtain an authenticated DH protocol with the same communication as the basic unauthenticated DHP (at least if one ignores the transmission of public key certificates); namely, a 2-message exchange where each party sends a single DH value, and where the two messages can be sent in any order. A prominent example of such protocols is MQV (and its provably-secure variant HMQV), where the cost of computing a session key is as in the basic unauthenticated DHP plus half the cost of one exponentiation (i.e., one off-line exponentiation and 1.5 on-line exponentiations). Protocols such as the 2-message MQV are "implicitly-authenticated protocols"; that is, the information transmitted between the parties is computed without access to the parties' long-term secrets, while the authentication is accomplished via the computation of the session key, which involves the long-term private/public keys of the parties. Unfortunately, implicitly-authenticated protocols, while offering superb performance, are inherently limited in their security against active attackers. Indeed, as has been shown, such protocols can achieve perfect forward secrecy (PFS) against passive attackers only. Recall that PFS ensures that once a session key derived from a Diffie-Hellman value is erased from memory, there is no way to recover the session key even by an attacker that gains access to the long-term authentication keys of the parties after the session is established. PFS is a major security feature that sets DHPs apart from other key agreement protocols (such as those based on PK encryption) and is the main reason for the extensive use of DHPs in practice (e.g., IPsec and SSH). Adding PFS against active attackers to protocols like MQV requires increased communication in the form of additional messages and/or explicit signatures.
In this paper we investigate the theoretical and practical question of whether the limits of DHPs can be pushed further to obtain a protocol with full security against active attackers (including PFS) while preserving the communication complexity of a basic DHP (two messages with a single group element per message) and low computational overhead. We answer this question in the affirmative by departing from implicitly authenticated protocols and resorting to an old and elegant key agreement protocol: the Okamoto-Tanaka protocol. We present a variant of the protocol (denoted mOT) which achieves the above minimal communication, incurs a negligible computational overhead relative to a basic DHP over an RSA group, and yet achieves provable security including full PFS against active attackers¹. Moreover, due to the identity-based properties of mOT, even the sending and verification of certificates is avoided in the protocol.

Our Results

An analysis of the original Okamoto-Tanaka protocol shows that it is vulnerable to some forms of attacks, in particular known-key and malleability attacks. Yet, after introducing some simple but crucial hashing operations, we obtain a protocol, mOT, for which we present a rigorous proof of security in the Canetti-Krawczyk (CK) Key-Agreement Protocol model. The security of the protocol in this model, including weak PFS (i.e., against passive attacks only), can be proven in the random oracle model under the standard RSA assumption. For the proof of full PFS against active attackers (and only for this proof) we resort to non-black-box assumptions in the form of the "knowledge of exponent" assumptions. We provide more details now.

¹ There are DH protocols that provide full PFS against active attacks with just two messages, but they require sending (and processing) additional information, e.g., explicit signatures or encrypted challenges.

Modified Okamoto-Tanaka (mOT).
Our modified Okamoto-Tanaka protocol, which we denote by mOT, is described in Figure 1 (for a precise specification see Section 3). We describe the protocol as an identity-based protocol using a KGC (key generation center) as this setting provides added performance advantages to the protocol. A certificate-based variant is presented in Section 6. The differences between mOT and the original Okamoto-Tanaka protocol include the hashing operation on identities as well as the hashing and squaring operations in the computation of the session key K. We show that omitting any one of the two hash operations renders the protocol insecure. As for the squaring operation, we use it in our proofs but we do not know of a specific attack if omitted.

Figure 1: The Modified Okamoto-Tanaka (mOT) Protocol

Setting: A Key Generation Center (KGC) chooses RSA parameters $N = pq$ (such that $p$ and $q$ are random safe primes), exponents $d, e$, and a random generator $g$ of $QR_N$, the (cyclic) subgroup of quadratic residues mod $N$. KGC publishes $N, e, g$ and two hash functions $H$ (with range $QR_N$) and $H'$ (with range of the desired length of the session key), and distributes to each user $U$ with identity $id_U$ a private key $S_U = H(id_U)^d \bmod N$.

Key agreement: A and B choose ephemeral private exponents $x$ and $y$, respectively. A and B set the session key to $K = H'(K, id_A, id_B, \alpha, \beta)$.

The security result that sets our protocol and work apart, however, is our proof of full PFS for mOT, namely, perfect forward secrecy against fully active attackers. The proof of full PFS (and only this proof) requires two additional "non-black-box" assumptions: one is the well-known KEA1 (knowledge of exponent) assumption [11, 2] related to the hardness of the Diffie-Hellman problem and the second is similar in spirit but applies to the discrete logarithm problem (see Section 4). Enjoying full PFS is a major advantage of mOT relative to efficient two-message protocols such as MQV that can only offer weak PFS.
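The following toy run of the mOT setting above is an added illustration, not code from the paper: it builds the KGC parameters (tiny constructed safe primes), issues the identity-based keys S_U = H(id_U)^d mod N, and has A and B exchange one group element each before hashing the squared shared value together with both identities and both messages. The message and shared-value formulas (alpha = g^x * S_A mod N, and (beta^e / H(id_B))^(2x)) follow the classic Okamoto-Tanaka structure, which this page does not spell out, so they are assumptions of this example; the hash functions are stand-ins built from SHA-256.

```python
# Toy walk-through of an mOT-style identity-based key agreement over an RSA group.
# Tiny constructed parameters, for illustration only. The message formulas follow the
# classic Okamoto-Tanaka form alpha = g^x * S_A mod N, which this page does not spell
# out, so they are an assumption of this example rather than the paper's own text.
import hashlib
from math import gcd

P, Q = 23, 47                        # toy safe primes: 23 = 2*11+1, 47 = 2*23+1
N = P * Q                            # RSA modulus (1081)
P1, Q1 = (P - 1) // 2, (Q - 1) // 2  # QR_N is cyclic of order p'q' = 11*23
E = 7                                # public exponent, coprime to phi(N) = 1012
D = pow(E, -1, (P - 1) * (Q - 1))    # private exponent, held only by the KGC
# Generator of QR_N: a square g = h^2 whose order is neither p' nor q' (so it is p'q').
G = next(pow(h, 2, N) for h in range(2, N)
         if gcd(h, N) == 1 and pow(h, 2 * P1, N) != 1 and pow(h, 2 * Q1, N) != 1)

def hash_to_qr(identity):
    """H with range QR_N: square a hash-derived unit, skipping the trivial element 1."""
    for ctr in range(256):
        h = int.from_bytes(hashlib.sha256(f"{identity}|{ctr}".encode()).digest(), "big") % N
        if gcd(h, N) == 1 and pow(h, 2, N) != 1:
            return pow(h, 2, N)
    raise ValueError("no suitable hash value")

def kgc_issue_key(identity):
    """KGC hands user U the private key S_U = H(id_U)^d mod N (only the KGC knows d)."""
    return pow(hash_to_qr(identity), D, N)

def send(x, s_u):
    """One outgoing group element g^x * S_U mod N: the sender's private key is folded in."""
    return pow(G, x, N) * s_u % N

def shared_secret(x, peer_msg, peer_id):
    """(msg^e / H(peer_id))^(2x): the e-th power cancels d, the division leaves g^(e*y)."""
    base = pow(peer_msg, E, N) * pow(hash_to_qr(peer_id), -1, N) % N
    return pow(base, 2 * x, N)

def session_key(secret, id_a, id_b, alpha, beta):
    """H': bind the raw secret to both identities and both transcript messages."""
    return hashlib.sha256(f"{secret}|{id_a}|{id_b}|{alpha}|{beta}".encode()).hexdigest()

def run_exchange(x, y, id_a="alice", id_b="bob"):
    """Full run: the KGC issues keys, A and B send one element each, both derive K."""
    s_a, s_b = kgc_issue_key(id_a), kgc_issue_key(id_b)
    alpha, beta = send(x, s_a), send(y, s_b)
    k_a = session_key(shared_secret(x, beta, id_b), id_a, id_b, alpha, beta)
    k_b = session_key(shared_secret(y, alpha, id_a), id_a, id_b, alpha, beta)
    return k_a, k_b, alpha, beta
```

Per party the on-line work is one exponentiation to the ephemeral exponent plus a raising to the small public exponent e, which is the "practically negligible" overhead the text refers to; a message formed without the sender's S_U leads the peer to a different value, so the two sides fail to agree.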
Indeed, in spite of mOT transmitting a single group element in each of the two messages, it overcomes the inherent PFS limitations of implicitly authenticated DHPs by involving the sender's private key in the computation of each protocol message. Most importantly, as we explain below, this full security against active attackers is achieved with zero communication overhead and negligible computational overhead relative to the basic DHP. We believe this to be not just a practical feature of mOT but also a significant contribution to the theory of key agreement protocols, showing that armoring the original DHP against active attackers can be achieved essentially "for free".