Okamoto-Tanaka Revisited: Fully Authenticated Diffie-Hellman with Minimal Overhead

This paper investigates the question of whether a key agreement protocol with the same communication complexity as the original Diffie-Hellman protocol (DHP) (two messages with a single group element per message), and similar low computational overhead, can achieve forward secrecy against active attackers in a provable way. We answer this question in the affirmative by resorting to an old and elegant key agreement protocol: the Okamoto-Tanaka protocol [23]. We analyze a variant of the protocol (denotedmOT) which achieves the above goal. Moreover, due to the identity-based properties of mOT, even the sending of certificates (typical for authenticated DHPs) can be avoided in the protocol. As additional contributions, we apply our analysis to prove the security of a recent multi-domain extension of the OkamotoTanaka protocol by Schridde et al. which is of particular interest in the case of Mobile Ad-Hoc Networks where nodes from different authorities might be required to communicate securely.