Abstract

Group authentication aims at facilitating efficient authentication of a group of provers by a group of verifiers. A new group authentication scheme is proposed to improve the security of existing asynchronous group authentication schemes and to achieve better computational performance. The new scheme allows any group of legitimate members to execute multiple authentication trials even under the participation of active attackers.

1. Introduction

Authentication is a must for securing computer and network applications. Conventional authentication, whether user authentication or device authentication, focuses on the one-to-one scenario in which one verifier checks the legitimacy of one prover at a time. As more and more Internet-of-Things (IoT) [1, 2] applications and social networking applications require the efficient authentication of a group of participants, these many-to-many scenarios call for new kinds of group authentication in which many verifiers verify the legitimacy of many provers at one time, saving cost and increasing efficiency.

Based on Shamir’s secret sharing [3], Harn [4] proposed three group authentication schemes, where t represents the minimum threshold of participants, denotes the number of participants in one trial, and denotes the total number of members of the group. As long as the number and all the participants are legitimate, the group authentication succeeds; otherwise, it fails. These schemes can efficiently authenticate a group of legitimate entities or serve as a preprocessing step that detects the presence of any illegitimate participant. One of Harn’s schemes is synchronous group authentication, in which all participants are required to release their secret tokens simultaneously; otherwise, an illegitimate participant might forge a valid token from the tokens released by the others. The other two schemes are the asynchronous group authentication and the asynchronous group authentication with multiple authentications; in the rest of this paper we call them Harn’s asynchronous GAS1 and Harn’s asynchronous GAS2, respectively. Both allow the participants to release their tokens asynchronously; Harn’s asynchronous GAS2 further lets the group execute multiple authentications (recovering multiple system secrets) with the same set of predistributed tokens.

This paper focuses on the asynchronous schemes, because the synchronous case is impractical. We find that neither of Harn’s asynchronous schemes lets legitimate entities execute multiple trials safely, even when the specific secret has not yet been recovered. This weakness has two implications. If a group of entities tries several times to recover a specific secret (for group authentication), then an attacker might derive the entities’ tokens and further derive the system secret; if the system allows at most one trial for any specific secret (which corresponds to one specific group authentication), then an attacker can paralyze the system simply by releasing invalid tokens. Harn’s publication [4] only emphasizes that once a secret is recovered, the corresponding group authentication is no longer valid; the security of the case in which members try several times for a not-yet-recovered secret has been neglected.

This paper shows the weaknesses of Harn’s asynchronous schemes and proposes a new scheme that overcomes them and improves efficiency. The rest of this paper is organized as follows. Section 2 reviews Harn’s asynchronous schemes. Section 3 shows their weaknesses. Section 4 proposes our new scheme, and Section 5 analyzes its security and evaluates its performance. Section 6 states our conclusions.

2. Review of Harn’s Asynchronous Group Authentication Schemes (GAS)

The schemes consist of two phases: the initialization phase and the group authentication phase. The group manager (GM) initializes the system parameters and assigns each registered entity some secret tokens in the initialization phase. Then, any groups of legitimate entities with can execute the group authentication to verify the legitimacy of the participating entities.

2.1. Asynchronous GAS-Harn’s Asynchronous GAS1

Initially, the group manager (GM) selects (where ) random polynomials with degree , , where is a prime and . He also generates and assigns secret tokens , to each entity , where is ’s public identity. For any secret , the GM finds integers , in GF(), such that , where for every pair of and . The GM publishes these parameters , and , where is a secure cryptographic hash function.

When entities would like to authenticate each other, each computes and releases . After gathering all the released values, the participants compute and verify whether the equation holds. If the verification succeeds, then the group authentication succeeds; otherwise, it fails. This scheme only allows one valid group authentication.

2.2. Asynchronous GAS with Multiple Authentications-Harn’s Asynchronous GAS2

The asynchronous GAS with multiple authentications allows the tokens to be reused for multiple authentications (for multiple secrets).

Initially, the GM selects two large primes and , such that divides , so that the multiplicative group of GF() contains a cyclic subgroup of order q, and every is a generator of that subgroup. The GM selects two random polynomials, , having degree each with coefficients in GF(p). The GM generates tokens, , for each registered member . The GM selects multiple secrets s. For each secret , the GM selects , in GF(q), where . The secret is determined as . The GM publishes the numbers , and .

When entities would like to perform the group authentication corresponding to the reconstruction of the secret , each participant computes and . Each releases . After collecting all , the participating entities compute and check whether holds. If it holds, then the group authentication succeeds; otherwise, it fails.

3. The Weaknesses of Harn’s Asynchronous Schemes

We find that Harn’s asynchronous GAS1 and Harn’s asynchronous GAS2 share one critical weakness. Both perform group authentication by recovering and verifying a sealed secret. If the schemes allow users to launch several trials before the secret is recovered, then an attacker who joins the process several times can recover both the system secrets and the users’ secret tokens. On the other hand, if each secret allows only one trial of authentication, whether or not that secret is recovered, then the system is vulnerable to Denial of Service (DoS) attacks: an attacker simply releases a false value to spoil the authentication instance and, with it, the group authentication function of the system. Once a fake value has been released, no group of valid members can perform any further group authentication.

The key idea of our attack on Harn’s asynchronous GAS1 is described in the following three phases.

Phase 1. Even though the secret tokens s are well protected inside the released value , one can solve for these unknown variables s as long as he obtains k distinct values , where each corresponds to the value released by a specific user in an authentication instance and any two of these authentication instances differ in at least one member. The attacker then has k equations in the k unknown variables s and can solve them provided the equations are independent; whether they are depends on how the participant sets differ, so the attacker should check the rank of the coefficient matrix before solving rather than assume independence. Let denote the set of secret tokens owned by the user ; after the above attack, the attacker has acquired . The attacker then continues to the next phase to acquire the secret polynomials.

Phase 2. The attacker repeatedly joins authentication instances and acquires secret tokens in this way until he holds the secret tokens of at least t users. Denote this set of secret tokens as . At this point, he organizes the secret tokens as , . Based on , the attacker applies Lagrange interpolation to reconstruct the polynomials . The attacker then continues to the next phase to derive the system secrets and the secret tokens of the remaining members.

Phase 3. Using the polynomials , the attacker computes the system secret . For any user and any secret token of that has not yet been disclosed, the attacker computes . At this point, the attacker has derived all the system secrets and the secret tokens of all users. The minimum number of runs in which the attacker must participate is .

The above attack can easily be extended to Harn’s asynchronous GAS2, where the attacker acquires the secret values and corresponding to the secret tokens and the system secrets .

Example 1. We now give an example to demonstrate the attack process.
System Initialization. Let , , , , , and be the system parameters. and are the two secret polynomials, and the system secret is . The group of users, , has identities . gets the secret tokens , gets the secret tokens , gets the secret tokens , gets the secret tokens , gets the secret tokens , and gets the secret tokens .
Now we show the attack.
Attack Phase 1. Assume that the attacker participates in two authentication runs with and , respectively, and impersonates in these runs.
In run 1, will get
We list the calculations as follows:
In run 2, will get
as follows:
So now has the following independent equations, (5a), (5b), and (5c). He then solves the equations and gets . applies the Lagrange polynomial formula on and derives the polynomial , applies the formula on , and derives . Finally, he computes . He can further compute the secret tokens of the remaining members .
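The attack of Phases 1 to 3 and of Example 1, carried through in Python as an added example that is not part of the paper. Because the page does not reproduce the scheme’s notation, the equations in the block are our reconstruction of Harn’s asynchronous GAS1 and are an assumption: k polynomials of degree t-1 over GF(p), published weights w_l and evaluation points d_l with s = Σ_l w_l f_l(d_l), Lagrange-weighted released values, and a hash check on their sum. The prime, identities, threshold, participant sets and the class and function names are constructed for the demonstration. An outsider impersonating an absent member joins several failing trials, solves the linear system for each victim’s tokens, interpolates the polynomials and recomputes the secret. The block also carries the check a practitioner wants: it tests the rank of the coefficient matrix instead of assuming independence, and for k = 3 it exhibits that three instances differing in only one member leave each victim’s system rank-deficient, while instances that differ in pairs of members make it solvable.

```python
"""Simulation of the Section 3 attack on Harn's asynchronous GAS1 (added example).
Scheme equations are our reconstruction (an assumption; the page omits the notation):
the GM picks k polynomials f_1..f_k of degree t-1 over GF(p), user x holds f_l(x); for a
secret s it publishes weights w_l, distinct points d_l (never a user id) and H(s), with
s = sum_l w_l * f_l(d_l) mod p.  In an instance with participant ids S, user x releases
c_x = sum_l w_l * f_l(x) * prod_{r in S, r != x} (d_l - r)/(x - r) mod p, and the group
accepts iff H(sum_x c_x) == H(s).  All ids, primes and runs below are constructed."""
import hashlib
import random

def lagrange_coeff(xs, xi, y, p):
    """prod_{r in xs, r != xi} (y - r) / (xi - r) mod p."""
    num = den = 1
    for r in xs:
        if r != xi:
            num, den = num * (y - r) % p, den * (xi - r) % p
    return num * pow(den, -1, p) % p

def eval_poly(coeffs, x, p):
    return sum(c * pow(x, i, p) for i, c in enumerate(coeffs)) % p

def interpolate_eval(points, y, p):
    """Value at y of the unique polynomial through the given (x, f(x)) points."""
    xs = [x for x, _ in points]
    return sum(fx * lagrange_coeff(xs, x, y, p) for x, fx in points) % p

def solve_mod(rows, rhs, p):
    """Gauss-Jordan over GF(p); returns None when the coefficient columns are dependent."""
    n = len(rows[0])
    M = [r[:] + [b] for r, b in zip(rows, rhs)]
    for col in range(n):
        piv = next((i for i in range(col, len(M)) if M[i][col] % p), None)
        if piv is None:
            return None                      # rank deficient: no unique solution
        M[col], M[piv] = M[piv], M[col]
        inv = pow(M[col][col], -1, p)
        M[col] = [v * inv % p for v in M[col]]
        for i in range(len(M)):
            if i != col and M[i][col] % p:
                f = M[i][col]
                M[i] = [(a - f * b) % p for a, b in zip(M[i], M[col])]
    return [M[i][n] for i in range(n)]

def H(s):
    return hashlib.sha256(str(s).encode()).hexdigest()

class HarnGAS1:
    def __init__(self, p, t, k, ids, rng):       # group manager: setup phase
        self.p = p
        polys = [[rng.randrange(p) for _ in range(t)] for _ in range(k)]
        self.tokens = {x: [eval_poly(f, x, p) for f in polys] for x in ids}
        self.w = [rng.randrange(1, p) for _ in range(k)]
        self.d = rng.sample(range(max(ids) + 1, p), k)   # distinct, never a user id
        self.secret = sum(wl * eval_poly(f, dl, p) for wl, dl, f in zip(self.w, self.d, polys)) % p
        self.public = (self.w, self.d, H(self.secret))

    def release(self, x, participants):          # honest user's asynchronous share
        return sum(wl * tok * lagrange_coeff(participants, x, dl, self.p)
                   for wl, dl, tok in zip(self.w, self.d, self.tokens[x])) % self.p

def run_instance(gm, honest, rng, attacker=None):
    """One trial; an outsider claiming id `attacker` releases junk but sees every c_x."""
    participants = honest + ([] if attacker is None else [attacker])
    released = {x: gm.release(x, participants) for x in honest}
    if attacker is not None:
        released[attacker] = rng.randrange(gm.p)
    accepted = H(sum(released.values()) % gm.p) == gm.public[2]
    return participants, released, accepted

def recover_tokens(x, observations, public, p):
    """Phase 1: each instance x joined is one linear equation in f_1(x)..f_k(x)."""
    w, d, _ = public
    rows = [[wl * lagrange_coeff(S, x, dl, p) % p for wl, dl in zip(w, d)]
            for S, rel, _ in observations if x in rel]
    rhs = [rel[x] for _, rel, _ in observations if x in rel]
    return solve_mod(rows, rhs, p) if len(rows) >= len(w) else None

def recover_system(victims, observations, public, p):
    """Phases 2-3: tokens of t users fix every f_l, hence s and all other tokens."""
    w, d, h = public
    toks = {x: recover_tokens(x, observations, public, p) for x in victims}
    if any(v is None for v in toks.values()):
        return None
    pts = [[(x, toks[x][l]) for x in victims] for l in range(len(w))]
    s = sum(wl * interpolate_eval(pl, dl, p) for wl, dl, pl in zip(w, d, pts)) % p
    return (s, lambda x: [interpolate_eval(pl, x, p) for pl in pts]) if H(s) == h else None

def demo(extra_sets):
    """Outsider impersonating absent user 8 joins one failing trial per entry of extra_sets
    (victims 1, 2, 3 plus the listed fillers). True if secret and user 4's tokens are
    recovered; None if the gathered equations are dependent."""
    p, t, k, rng = 1_000_003, 3, 3, random.Random(2024)
    gm = HarnGAS1(p, t, k, [1, 2, 3, 4, 5, 6, 7, 8], rng)
    assert run_instance(gm, [1, 2, 3, 4], rng)[2]   # an all-honest trial is accepted
    victims = [1, 2, 3]
    obs = [run_instance(gm, victims + list(e), rng, attacker=8) for e in extra_sets]
    result = recover_system(victims, obs, gm.public, p)
    if result is None:
        return None
    s, tokens_of = result
    return s == gm.secret and tokens_of(4) == gm.tokens[4]
```

`demo([(4, 5), (4, 6), (5, 6)])` returns True: every trial the outsider joined failed, yet the three participant sets differ in pairs, so each victim’s 3×3 system is nonsingular and the secret, the polynomials and the tokens of users who never took part are recovered. `demo([(4,), (5,), (6,)])` returns None: when only one member changes between instances, every row of a victim’s system lies in the span of two fixed vectors, so for k = 3 the rank stays at 2 and the attacker must gather differently composed instances.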

4. An Improved Scheme That Enables Multiple Trials and Multiple Authentications

We now propose an improved scheme that not only overcomes the weaknesses of Harn’s asynchronous schemes but also improves system performance. The GM in our scheme publishes only simple public data, and the members can execute group authentication with multiple authentications and multiple trials.

4.1. Preliminaries

Our scheme is based on elliptic curve cryptography and bilinear pairings, which we briefly review here.

Elliptic curves over [6]: a nonsupersingular elliptic curve is the set of points , for satisfying the equation , where are constants such that , together with the point O called the point at infinity. Two points and on the elliptic curve E can be added together using the following rule: if and , then ; otherwise, where , , and if or if .

Definition 2 (nondegenerate, bilinear, computable map [7]). Let , and be cyclic groups of prime order , where and are additive groups on elliptic curves and is multiplicative. Let : be a map with the following properties:
(1) Nondegenerate: there exists such that .
(2) Bilinear: and .
(3) Computability: there exist efficient algorithms to compute for all .

Definition 3. The elliptic curve discrete logarithm problem (ECDLP) [6] is as follows: given an elliptic curve over a finite field and two points , find a number such that .

Definition 4 (the Bilinear Pairing Inversion (BPI) problem [7]). Given and , find .

Definition 5. The computational elliptic curve Diffie-Hellman problem (ECDHP) [6] is as follows: given an elliptic curve over a finite field , a point of order , and points , find the point .

It is believed that the ECDHP, the ECDLP, and the BPI are hard problems for proper parameter setting.

4.2. The Proposed Scheme
4.2.1. The System Model

Here we describe the model for one group, and it is easy to extend this model for several groups. In the system, there are two kinds of participants: the GM and a group of registered members. The GM is responsible for setting up/updating the system parameters. After initialization, the participants in each session would like to verify whether all the participants belong to the same group; this verification is achieved by the validation of the aggregated released-shares. The GM is trusted, and registered members might be compromised and disclose their secrets. Unless being compromised, a registered member always behaves honestly.

The GM publishes a predetermined parameter . The scheme can verify whether all participants of one session with participants belong to the same group. The scheme is secure if it can withstand the collusion of up to insiders (registered members).

4.2.2. The Scheme Facilitating Multiple Trials and Multiple Authentications without Server’s Active Participation

Our scheme follows the same notation as Harn’s asynchronous schemes, supports asynchronous communication and multiple authentications, and additionally allows multiple trials. The GM only needs to publish some simple data no matter how many authentications and trials the members perform. The scheme consists of two phases: the initialization phase and the group authentication phase.

Initialization. The GM sets up three cyclic groups , , and with order q, where and are additive groups on elliptic curves and is multiplicative. P is a generator for . It chooses a secret random polynomial with degree , with , and a master secret . It computes and publishes as the system-wise public key. For each registered member with identity , it assigns as ’s secret token.

Group Authentication. When entities would like to authenticate each other in the th authentication instance, the group of users agrees on a random point (we discuss two options for generating the random points s in Section 4.3). Each computes and and releases . After all users have released their values, they compute and verify whether the equation holds. If it holds, the group authentication succeeds; otherwise, it fails.

4.3. Implementation Options of Choosing

The generation and selection of the random points is a crucial factor affecting security. Here we discuss two possible options; both address the threat that an adversary might manipulate the selection of .

In the first option, the GM periodically publishes a list of authenticated random points, and the entities choose one of the unused points from the list. The entities refuse to reuse any point they have already used.

The second approach applies a one-way hash function that maps arbitrary strings to random points, . Boneh and Franklin’s MapToPoint function is one such function [7]. In this approach, each participant in the group computes = , where date and time are the current timestamp and the s are the participants’ identities. For all participants to derive the same point, they must agree on the timestamp granularity and on a canonical ordering of the identities; the timestamp also binds the point to the current session, so values released in one instance cannot be replayed in a later one.

4.4. Comparison of Our Improvements with One Possible Extension of Harn’s GAS2

In addition to our proposed scheme, another possible improvement is to extend Harn’s GAS2: the system might require that each participant never tries to recover one specific secret twice; that is, whenever an authentication fails, he may only try another authentication corresponding to a different secret. This arrangement prevents the attacks in Section 3.

However, we would like to discuss the differences between this extension and our scheme. The extension, even though it reduces the threat of our attacks, is still not immune to DoS attacks. The GM has to preselect a large number of possible secrets and publish the numbers , and for each of them. If the list is not large enough, then successive releases of false shares quickly deplete it. If the GM tries to prepare a very long list, it incurs a lot of overhead.

In contrast, our implementation Option 2 is much simpler and more efficient and withstands heavy DoS attacks: an invalid share spoils only the current trial, and the group can immediately start another trial with a freshly derived point, since nothing published by the GM is consumed.

5. Security Analysis and Performance Evaluation

5.1. The Security

Lemma 6. Given a random point and a group of members with , the group can reconstruct the value in the proposed scheme only if all the participating members are valid, and the scheme resists up to colluding insiders.

Proof. Since the secret tokens are generated from a secret polynomial of degree , the scheme resists the collusion of up to insiders. Also, any single invalid contribution from an invalid participant ruins the computation of .

Lemma 7. Given a valid released value , where , one cannot derive the value and the corresponding as long as the ECDLP is hard.

Lemma 8. Given a valid released and another point , one cannot derive the value as long as the ECDHP is hard.

Lemma 9. Given the values and , one cannot derive the value which satisfies as long as the BPI is hard.

Based on the above lemmas, we have the following theorem.

Theorem 10. The proposed scheme satisfies the security requirements of the asynchronous group authentication.

5.2. The Performance

We first compare the computational complexities of the three schemes: ours, Harn’s GAS1, and Harn’s GAS2.

Let denote the time complexity for one hash operation, denote that of one elliptic curve point multiplication, denote that for one elliptic curve point addition, denote that for one multiplication in field (where corresponds to the order of in our scheme), denote that for one inverse operation in field , denote that for one multiplication in field (where corresponds to the modular field in Harn’s schemes), denote that for one multiplication in field , /, respectively, denote that for one exponentiation in field , and denote that for one pairing.

Each user in our scheme needs to compute one Lagrange component , one , point additions in , and the verification . The verification costs two pairing operations . The addition in costs . The computation of costs , and the computation of costs + . So totally it takes .

Each participant in Harn’s GAS1 takes for computing , takes for computing , and takes for verifying . Each participant totally takes .

Each participant in Harn’s GAS2 takes for computing , takes for computing , takes for computing , and takes 1 for verifying . Each participant totally takes .

Table 1 summarizes the performance. Row 2 lists the security properties: only our scheme prevents an attacker from deriving the secrets when the schemes allow multiple trials. Row 3 lists the detailed computational complexity. From Row 3 alone it is difficult to gain insight into the complexities, since they involve quite different operations. We therefore further evaluate the computational cost under the practical setting from NSA [8] and the algebraic equations of elliptic curve operations [6]. The security of ECC with a 160-bit key is roughly equivalent to that of RSA or Diffie-Hellman with a 1024-bit key (this is the 80-bit security level, which is below current recommendations; larger parameters change the constants below). So let us assume that q (the order of and ) in our scheme is 160 bits and that p in Harn’s schemes is 1024 bits. Under this setting, (a field multiplication in , where p is 1024 bits) costs about 41 times (a field multiplication in , where q is 160 bits), , and , where means “roughly equal.”

Using the above setting and approximations and neglecting the minor computations like hashing and field addition, the complexities in Row 3 can be further simplified as follows. The complexity of our scheme is as follows: + . The complexity of Harn’s GAS1 is as follows: . The complexity of Harn’s GAS2 is as follows: + + .

To further simplify the complexity approximation, we refer to an efficient pairing implementation [5]. Based on the figures there [5], we roughly approximate one pairing operation as . We approximate in Row 4. From Row 4, we can see that Harn’s schemes have lower computational cost than ours when the number of participants is small, but their costs grow faster than ours as the number of participants increases. The costs of all three schemes increase with the number of participants, but the cost of Harn’s GAS1 also depends on the value k. Because the parameter k in Harn’s GAS1 should satisfy , we compare only our scheme with Harn’s GAS2 in Figure 1 to give an insight into the performance of the three schemes. From Figure 1, we can see that the cost of Harn’s GAS2 increases much faster than ours as the number of participants increases. When the number is around 141, the cost of Harn’s GAS2 exceeds ours and keeps increasing quickly. The comparison shows that our scheme not only provides better security but also better computational performance when the number of participants is large.

6. Conclusions

In this paper, we have shown the weaknesses of Harn’s asynchronous group authentication schemes. An attacker can derive the system secrets and the members’ secret tokens if the schemes allow multiple trials before the corresponding secret is recovered, or an attacker can easily disable the schemes by simply releasing invalid shares if the schemes do not allow multiple trials. We have proposed an improved scheme that allows multiple trials for each system secret. The analysis shows that our scheme also has better computational performance when the number of participants is greater than 141.

Conflicts of Interest

The author declares that he has no conflicts of interest.

Acknowledgments

This project is partially supported by the Ministry of Science and Technology, Taiwan, under Grant no. MOST 105-2221-E-260-014. The author would like to express the gratitude to Kun-Bo Chen for his efforts of collecting literature.