#### Abstract

A new type of authentication, called *group authentication*, has recently been proposed which can authenticate all users belonging to the same group at once in a group communication. However, group authentication can only detect the existence of nonmembers; it cannot identify who the nonmembers are. Furthermore, in a group communication, it is necessary not only to authenticate memberships but also to establish a group key among all members. In this paper, we propose a novel design that provides both membership authentication and group key establishment. Our proposed membership authentication can not only detect nonmembers but also identify who the nonmembers are. We first propose a basic membership authentication and key establishment protocol which supports only one-time group communication. Then, we extend the basic protocol to support multiple group communications. Our design is unique in that the tokens issued to users by a group manager (GM) during registration are used for both membership authentication and group key establishment.

#### 1. Introduction

User authentication and key establishment are two primary security functions in most secure communications. User authentication is the process of determining whether someone is, in fact, who they claim to be. Key establishment is the process of distributing a secret communication key to all users. The key can be used to protect the secrecy or integrity of the messages exchanged in the communication.

The focus of communication research has moved from peer-to-peer communication to group communication, in which more than two users participate in a communication session. Although conventional peer-to-peer authentication [1, 2] can be used in group communication to authenticate participants in a straightforward manner, the complexity of this approach is , where is the number of users involved in the group communication. In a recent paper [3], a new type of authentication, called *group authentication*, has been proposed which is specially designed for group communications. The complexity of group authentication is , since it authenticates all participants at once. However, group authentication can only detect the existence of nonmembers; it cannot identify who the nonmembers are. Furthermore, in a group communication, it is necessary not only to authenticate memberships but also to establish a group key among all members.

Centralized group key establishment protocols [4, 5] are the most widely used group key management protocols due to their efficiency. A centralized protocol relies on a mutually trusted key generation center (KGC) to select a group key and then transport it secretly to the group members. For example, the IEEE 802.11i standard [6] has an online server select a group key and transport it to each group member. Laih et al. [7] proposed the first group key protocol using a secret sharing scheme. Harn and Lin [8] proposed an authenticated group key transfer protocol based on a secret sharing scheme. The advantage of using a secret sharing scheme is its efficiency. The limitation of centralized group key establishment, however, is its requirement of a trusted KGC. In some applications, such as an ad hoc network, a trusted KGC may not be available.

The most commonly used public-key based key agreement protocol is the Diffie-Hellman (DH) key exchange protocol [9, 10]. Harn and Lin [11] proposed a group DH protocol using a secret sharing scheme. Recently, Wu et al. [12] proposed a new approach which is a hybrid of group key agreement and public-key broadcast encryption; their scheme is built from bilinear groups. The main disadvantage of group DH key exchange is its computational and communication complexity: since the group key is determined by all group members, each member needs to compute DH keys and exchange information with the other members in the process.

In this paper, we propose a novel design to provide both membership authentication and group key establishment. Our proposed membership authentication can not only detect nonmembers but also identify who are the nonmembers. In our protocols, members can accomplish membership authentication and key establishment by themselves without needing any other trusted KGC. We first propose a basic membership authentication and key establishment protocol which can only support one-time group communication. Then, we extend the basic protocol to support multiple group communications. Our design is unique since tokens of users issued by a group manager (GM) during registration are used for both membership authentication and group key establishment.

Here, we summarize the contributions of our paper.
(i) We propose protocols that provide both membership authentication and group key establishment. Our protocols do not need a trusted KGC at run time to provide authentication and key establishment.
(ii) The membership authentication can not only detect nonmembers but also identify who the nonmembers are.
(iii) The tokens obtained by members during registration can be used not only for membership authentication but also to establish a pairwise shared key between any pair of members.
(iv) All information exchanged between members can be encrypted using the pairwise shared keys.

The rest of the paper is organized as follows. In Section 2, we provide some preliminaries, including bivariate polynomials, membership authentication, and the objectives of our proposed protocols. The basic protocol of membership authentication and group key establishment for one-time group communication is proposed in Section 3. The extended protocol for multiple group communications is presented in Section 4. The conclusion is given in Section 5.

#### 2. Preliminaries

##### 2.1. Bivariate Polynomials

Shamir’s secret sharing (SS) scheme [13] is based on a univariate polynomial, , with , where is the secret. The dealer selects this polynomial with degree and uses it to generate shares, , for shareholders, where is a prime with , and is the public information associated with each shareholder.

There are many verifiable secret sharing schemes [14–16] using bivariate polynomials. A bivariate polynomial with degree can be represented as , where . If the coefficients satisfy , it is a symmetric polynomial.

The dealer can use a symmetric bivariate polynomial, , to generate shares, , for shareholders. Each share, , is a univariate polynomial with degree . Note that since , a pairwise key, , can be established between shareholders, and . Thus, using a symmetric bivariate polynomial can enable two users to establish a pairwise shared key.

##### 2.2. Membership Authentication and Key Establishment

In this section, we describe the membership authentication proposed in this paper. Motivated by the group authentication of [3], which authenticates users all at once with complexity , we extend group authentication so that our protocol can not only detect the existence of nonmembers but also identify the nonmembers. In our protocols, the GM is in charge of registering all members initially. The GM selects a secret and hides the secret in a polynomial. The GM then issues tokens, which are coordinate points on the polynomial, to the members.

Later, in real-time operation, members can accomplish membership authentication and key establishment by themselves, without the assistance of any trusted KGC. We need to point out that both the GM and a KGC must be trusted parties; the difference is that the GM is needed only during initialization, whereas a KGC would be needed during real-time operation. Members present their tokens to be authenticated. The nonmembership detection process is executed first. If all released tokens are valid, the secret is recovered successfully and all users are members; otherwise the recovered secret is invalid, so nonmembers exist. Thus, the detectability of our protocol is guaranteed whenever a sufficient number of tokens is available to recover the secret. In other words, the minimal number of tokens needed is determined by the degree of the polynomial used to generate the tokens initially.

After nonmembers are detected, the nonmembership identification process is executed. The protocol first needs to identify a set of tokens which can recover the valid secret; the holders of these tokens are all members. Then, this set of valid tokens is used as a base to check each remaining token and determine its validity. In this approach, nonmembers are identified one at a time. Thus, the identifiability of our protocol is guaranteed if there exists at least one set of valid tokens which can recover the real secret.

In the membership authentication, the GM is in charge of registering all members initially. The GM knows all members, but each member does not need to know the other members. This unique feature is especially suitable for some applications. For example, after an earthquake, the Department of Homeland Security may dispatch a response team involving agents from different agencies, such as the Department of Defense and the Department of Health and Human Services, to form a mobile ad hoc network and use the network to exchange sensitive information. In such a network, there is a GM to register members initially, but each member does not need to know the other members. The GM issues tokens to members before deploying them to the disaster site. In forming such a secure ad hoc network, all members can follow the membership authentication protocol without the assistance of the GM. If all users are legitimate members, the membership authentication authenticates all users at once; otherwise, the membership authentication can further identify the nonmembers. Finally, a group key is shared among all members.

During system setup, the GM follows an SS to select a univariate polynomial, , with degree and , where is the secret. The GM generates tokens, , for members, where is the public information associated with each member . The GM sends each token to its member secretly. The GM makes publicly known, where is a one-way function of the secret. In a membership authentication which involves users, for example, , each user uses his token to compute, , as his released value. Each released value is encrypted using a pairwise shared key and sent to each other user separately. After decrypting and collecting all released values, , each member can compute , where is a public function. There is a nonmembership detection algorithm, GA, which allows each user to determine, based on the released values, whether all users are members. Furthermore, if there are nonmembers, a nonmembership identification algorithm can identify them.

In a secure group communication, one needs not only membership authentication but also group key establishment to distribute a group key to all members. The group key is used to protect the exchanged messages. One unique feature of our proposed protocols is that the tokens generated by the GM initially can be used not only to authenticate membership but also to establish pairwise keys between any pair of members. Therefore, in our protocols, all information exchanged between members is encrypted under pairwise shared keys, and thus the recovered secret is not available to nonmembers. We propose using the recovered secret as the group key for the secure communication, so key establishment adds no cost beyond the authentication itself.

##### 2.3. Objectives of Our Protocols

###### 2.3.1. Security Objective

In our protocols, we consider two types of adversaries: insider and outsider.

*Inside Attacker*. An inside attacker is a legitimate member who owns a token generated by the GM but who tries to recover other members’ tokens. After obtaining other members’ tokens, the inside attacker would be able to recover the secret of the GM and forge tokens for other attackers. We also consider attacks by colluding inside attackers.

*Outside Attacker*. An outside attacker does not own any token generated by the GM and may try to impersonate a legitimate member or to recover the secret group key.

###### 2.3.2. Performance Objective

The objectives of membership authentication are not only to detect the existence of nonmembers but also to identify nonmembers. The following two properties are associated with our proposed protocols.

*Detectability*. The ability of the membership authentication to detect the existence of nonmembers.

*Identifiability*. The ability of the membership authentication to identify who the nonmembers are.

In Section 3.2, we will examine conditions which will limit these two properties.

#### 3. Basic Protocol of Membership Authentication and Key Establishment

In our design, the GM uses a bivariate polynomial to generate tokens for members. The tokens can be used not only to establish pairwise keys between any pair of members but also to achieve membership authentication and group key establishment.

##### 3.1. Algorithm

*Basic Protocol of Membership Authentication and Key Establishment*

*Token Generation*. The GM selects a degree symmetric polynomial: where , is the secret, and is a prime with . The GM computes tokens, , for group members, , where is the public information associated with each group member, . The GM sends each token, , to member secretly. The GM makes publicly known, where is a one-way function of the secret.

*Membership Authentication and Key Establishment*. Assume that (i.e., ) members, , want to establish a secure group communication.

*Step 1. *Each member uses his/her token, , to compute .

*Step 2. *Each member uses his/her token, , to compute pairwise shared keys, , where is the secret key shared between members, and .

*Step 3. *Each member computes , where denotes the conventional encryption of using the key . Each member sends , to the other members.

*Step 4. *After receiving ciphertext, , from other members, computes , where denotes the decryption of using the key .

*Nonmembership Detection*

*Step 5. *Each member computes . If , all members have been successfully authenticated and is the group communication key; otherwise, there are nonmembers and the protocol continues with the next step.

*Nonmembership Identification*

*Step 6. *Each member uses , obtained from Step to compute .

*Step 7. *Each member searches for a subset of values from the set, , for example, the subset is , and uses them to compute . If , then the tokens in this subset are all valid, their holders are members, and is the group communication key. This subset is then used as a base to test each remaining token one at a time, checking whether this token together with all tokens in the subset still recovers the same secret. If so, the token is valid and the token holder is a member; otherwise, the token is invalid and the token holder is a nonmember.
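The following is an added, self-contained example (not the paper's own code) that runs Steps 1-7 of the basic protocol above on top of the symmetric bivariate polynomial of Section 2.1. Everything concrete in it is an assumption of this example: the field prime `P`, SHA-256 standing in for the one-way function `h`, an HMAC-derived additive pad standing in for "conventional encryption" under the pairwise key `f(x_i, x_j)`, and the constructed identities, seed and forged token.

```python
# Added example, not the paper's code: Section 2.1's symmetric bivariate
# polynomial and Steps 1-7 of the basic protocol (Section 3.1) over GF(P).
# Assumed/constructed here: P, the SHA-256 stand-in for h, the HMAC-based
# stand-in for "conventional encryption", and all identities and seeds.
import hashlib
import hmac
import itertools
import random

P = 2**61 - 1   # prime field modulus (assumed; larger than the secret)

def h_one_way(value):
    """Public one-way function h(s); SHA-256 stands in."""
    return hashlib.sha256(value.to_bytes(32, "big")).digest()

def make_symmetric_poly(secret, t, rng):
    """f(x,y) = sum a[i][j] x^i y^j with a[i][j] == a[j][i], degree t-1 in
    each variable, and a[0][0] = f(0,0) = secret."""
    a = [[0] * t for _ in range(t)]
    for i in range(t):
        for j in range(i, t):
            a[i][j] = a[j][i] = rng.randrange(P)
    a[0][0] = secret % P
    return a

def token_poly(a, x_i):
    """Token of identity x_i: the univariate f(x_i, y) as its t coefficients in y."""
    t = len(a)
    return [sum(a[i][j] * pow(x_i, i, P) for i in range(t)) % P for j in range(t)]

def eval_poly(coeffs, y):
    """Horner's rule evaluation modulo P."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * y + c) % P
    return acc

def lagrange_at_zero(points):
    """g(0) from pairs (x_i, g(x_i)); correct only if every pair lies on g."""
    total = 0
    for i, (xi, yi) in enumerate(points):
        num, den = 1, 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, -1, P)) % P
    return total

def pad_encrypt(key, value, nonce):
    """Stand-in for conventional encryption under a pairwise key: additive
    one-time pad mod P with the pad derived by HMAC-SHA256 (constructed here)."""
    pad = hmac.new(key.to_bytes(32, "big"), nonce, "sha256").digest()
    return (value + int.from_bytes(pad, "big")) % P

def pad_decrypt(key, ct, nonce):
    pad = hmac.new(key.to_bytes(32, "big"), nonce, "sha256").digest()
    return (ct - int.from_bytes(pad, "big")) % P

def gm_setup(t, member_ids, seed=0):
    """Token generation: pick s and f, issue f(x_i, y) to each member, publish h(s).
    The seeded RNG is only for reproducibility; a real GM uses a CSPRNG."""
    rng = random.Random(seed)
    secret = rng.randrange(1, P)
    poly = make_symmetric_poly(secret, t, rng)
    return secret, h_one_way(secret), {x: token_poly(poly, x) for x in member_ids}

def authenticate(viewer, tokens, h_s, t):
    """Steps 1-7 from member `viewer`'s point of view. `tokens` maps each identity
    to the polynomial it presents (a nonmember's was never issued by the GM).
    Returns (group key, identified nonmembers), or (None, None) when fewer
    than t of the presented values are valid."""
    ids = sorted(tokens)
    values = {}
    for i in ids:
        s_i = eval_poly(tokens[i], 0)                 # Step 1: s_i = f(x_i, 0)
        if i == viewer:
            values[i] = s_i
            continue
        k_send = eval_poly(tokens[i], viewer)         # Step 2: f(x_i, x_v) at the sender
        k_recv = eval_poly(tokens[viewer], i)         #         f(x_v, x_i) at the viewer
        nonce = f"{i}->{viewer}".encode()
        ct = pad_encrypt(k_send, s_i, nonce)          # Step 3: E_k(s_i) sent to the viewer
        values[i] = pad_decrypt(k_recv, ct, nonce)    # Step 4: D_k(ct); garbage if keys differ
    s = lagrange_at_zero(list(values.items()))        # Step 5: nonmembership detection
    if h_one_way(s) == h_s:
        return s, set()
    for base in itertools.combinations(ids, t):       # Steps 6-7: identification
        pts = [(i, values[i]) for i in base]
        s = lagrange_at_zero(pts)
        if h_one_way(s) != h_s:
            continue
        bad = {i for i in ids if i not in base
               and h_one_way(lagrange_at_zero(pts + [(i, values[i])])) != h_s}
        return s, bad
    return None, None
```

Each honest member runs `authenticate` independently with its own token as `viewer` and, because `f` is symmetric, decrypts every other member's released value with the same pairwise key the sender used; an impostor's forged polynomial breaks both its released value and its pairwise keys, so it is caught in Step 5 and then named in Step 7. The identification loop visits subsets in the worst case, which is the search cost discussed in Section 3.2.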

##### 3.2. Analysis

*(i) Correctness*

*Nonmembership Detection*. In Step , each member uses his/her token to compute the partial information of the secret, , and, in Step , the pairwise secret keys shared with the other members. In Step , the partial information of the secret is encrypted under these pairwise shared keys and sent to the other members, and then, in Step , each member recovers , from the other members. Finally, in Step , since and , it follows from the Lagrange interpolation formula that . This implies that any subset of or more members can jointly compute . Hence, it holds that . On the other hand, if there are nonmembers, then .

*Nonmembership Identification*. Following Lagrange interpolation formula, in Step of our proposed protocol, any members with their valid tokens, for example, the subset of tokens is , can use their tokens to recover the secret. This set of valid tokens can be used to test the validity of each remaining token one at a time. The test procedure is just by including this token and all tokens in the set to check whether it can still recover the same secret or not. This process can be used to identify nonmembers.

*(ii) Security*

Theorem 1 (inside attack). *The proposed basic protocol can resist up to colluding members attempting to recover the secret polynomial of the GM.*

*Proof. * is a symmetric polynomial with , selected by the GM, which contains distinct coefficients. In the proposed basic protocol, each token, , is a univariate polynomial of degree . In other words, each member can use his token to establish linearly independent equations in the coefficients of the polynomial . Knowing tokens therefore yields linearly independent equations. If the GM wants to prevent up to colluding group members from recovering the secret polynomial, , it needs . Thus, up to colluding members cannot recover the secret polynomial, .
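As an added worked count (not from the paper; the paper's own expressions did not survive extraction, so the symbols $t$ for the threshold and $k$ for the number of colluders are this editor's), the standard counting argument behind Theorem 1 for a symmetric polynomial of degree $t-1$ in each variable runs as follows.

$$
\#\{\text{distinct coefficients } a_{ij},\ 0 \le i \le j \le t-1\} = \binom{t+1}{2} = \frac{t(t+1)}{2}.
$$

Each token $f(x_i, y)$ gives $t$ linear equations in the $a_{ij}$ (one per coefficient in $y$). Among $k$ tokens, the $\binom{k}{2}$ pairwise values $f(x_i, x_j) = f(x_j, x_i)$ are counted once from each side, so

$$
\#\{\text{independent equations from } k \text{ tokens}\} = kt - \binom{k}{2} = kt - \frac{k(k-1)}{2}.
$$

The colluders are short of equations exactly when

$$
\frac{t(t+1)}{2} - \Bigl(kt - \frac{k(k-1)}{2}\Bigr) = \frac{(t-k)(t-k+1)}{2} > 0 \iff k < t \quad (k \le t),
$$

and for $k = t-1$ the shortfall is exactly one equation:

$$
(t-1)t - \frac{(t-1)(t-2)}{2} = \frac{(t-1)(t+2)}{2} = \frac{t(t+1)}{2} - 1 .
$$

So $t-1$ colluding members cannot determine $f(x,y)$, while $t$ tokens determine it completely.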

Theorem 2 (outside attack). *The proposed basic protocol can resist any nonmember to obtain the secret.*

*Proof. *In our proposed protocol, the partial information of the secret is encrypted under pairwise keys shared with the other group members. Since a nonmember does not own any valid token generated by the GM, nonmembers can neither impersonate any group member nor decrypt any ciphertext to obtain the partial information of the secret. Thus, after all members are successfully authenticated, the recovered secret can be used as the secret group key, since it is not available to nonmembers.

*(iii) Performance*

*Detectability*. The nonmembership detection is based on the Lagrange interpolation formula: *t* or more coordinate points of a polynomial uniquely determine this polynomial and the secret, whereas if any invalid value is included in the set of coordinate points, the original polynomial and the secret cannot be determined. Thus, our nonmembership detection can detect the existence of nonmembers. The only condition which limits detectability is that at least *t* tokens must be presented in the process.

*Identifiability*. The nonmembership identification is based on the polynomial and the secret used to generate the tokens initially. According to the Lagrange interpolation formula, any *t* valid tokens recover this original polynomial. Thus, each member first needs to search for a set of *t* valid tokens which recovers the real secret. The holders of the tokens in this set are members. Then, this set of tokens is used as a base to test each remaining token, by checking whether this token together with all tokens in the base still recovers the same secret. If so, the token holder is a member; otherwise, the token holder is a nonmember. The only condition which limits identifiability is that at least *t* valid tokens must be presented in the protocol.

*Computational Complexity*. In the basic protocol, each token, , is a univariate polynomial of degree . Thus, each member needs to store the coefficients of a univariate polynomial. The memory storage of each shareholder is bits, where is the modulus. In the protocol, there is no interaction among users: each member sends the ciphertexts , to the other members. Horner’s rule [17] can be used to evaluate polynomials. In the following discussion, we show the cost of computing , in Step . By Horner’s rule, evaluating a polynomial of degree needs multiplications and additions. Since a multiplication takes more time than an addition, the performance is assessed only by the number of multiplications needed. The computational cost of Step , computing , is one polynomial evaluation. The computational cost of Step , computing the pairwise shared keys, , is polynomial evaluations, where is the number of members participating in the secret reconstruction. Overall, the computational cost for each member to reconstruct the secret is multiplications.

In our proposed protocol, the main computation is polynomial evaluation. The modulus in our polynomial computation is much smaller than the modulus (e.g., 1,024 bits) used in most public-key cryptosystems. In addition, unlike most conventional user authentication protocols, which authenticate one user at a time, the proposed protocol authenticates all users at once. After all users are successfully authenticated, no further computation is needed to establish a group key. Thus, the proposed protocol is very efficient compared with most communication protocols.

However, if nonmembers exist, the nonmembership identification is invoked. Since each member needs to search for a subset of *t* valid tokens from the set of users participating in the secure group communication, the complexity of this search is , where is the number of participants in the group communication. We would like to point out that in some practical applications can be a small integer. Once this subset of valid tokens is determined, the Lagrange interpolation formula is used to test each remaining token one at a time to determine whether it is invalid.

After user authentication and key establishment, all participating members can recover the secret and the tokens, , of the other members. In other words, the tokens cannot be reused, since members could impersonate other members in subsequent secure group communications. In the next section, we extend the basic protocol to support multiple group communications.

#### 4. Extended Protocol for Multiple Group Communications

In this section, we present an extended protocol in which the tokens obtained from the GM initially can be reused for multiple group communications. The basic idea is that the GM selects two large public primes, and , such that divides , is the unique subgroup of of order , and every is a generator of . The GM follows the same *token generation* procedure described in Section 3 to select a symmetric polynomial, , and generate tokens, , for the group members, . In addition, the GM computes , and makes publicly known, where *m* is the number of secure group communications that the protocol can support.

##### 4.1. Algorithm

*Extended Protocol for Multiple Group Communications*

*Group Authentication and Key Establishment*. Assume that, in the th round, (i.e., ) members, , want to establish a secure group communication.

*Step 1. *Each member uses his/her token, , to compute , and .

*Step 2. *Each member uses his/her token, , to compute pairwise shared keys, , where is the secret key shared between members, and .

*Step 3. *Each member computes , where denotes the conventional encryption of using the key . Each member sends , to other members.

*Step 4. *After receiving ciphertext, , from other members, computes , where denotes the decryption of using the key .

*Nonmembership Detection*

*Step 5. *Each member computes . If , all members have been successfully authenticated and is the group communication key; otherwise, there are nonmembers and the protocol continues with the next step.

*Nonmembership Identification*

*Step 6. *Each member uses , obtained from Step to compute .

*Step 7. *Each member searches for a subset of values from the set, , for example, the subset is , and uses them to compute . If , then the tokens in this subset are all valid, their holders are members, and is the group communication key. This subset is then used as a base to test each remaining token one at a time, checking whether this token together with all tokens in the subset still recovers the same secret. If so, the token is valid and the token holder is a member; otherwise, the token is invalid and the token holder is a nonmember.
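The exact per-round quantities of the extended protocol did not survive extraction on this page, so the added example below (this editor's code, not the paper's) shows only the mechanism its security analysis rests on: members release an exponentiated value of their partial secret rather than the value itself, the group recombines those values by Lagrange interpolation in the exponent (coefficients taken modulo the subgroup order), and the result is compared with a value the GM published. The toy primes `P_MOD = 607` and `Q_ORD = 101` (with `Q_ORD` dividing `P_MOD - 1`), the generator derivation, the sample polynomial and the forged exponent are all constructed for this example; the paper sizes the moduli at roughly 1024 and 160 bits.

```python
# Added example, not the paper's code: Lagrange interpolation in the exponent
# over the order-q subgroup, which is what lets the extended protocol check the
# released values without exposing f(x_i, 0) or s in the clear.
# Toy parameters (assumed): p = 607, q = 101, q | p - 1 = 6 * q.
P_MOD = 607
Q_ORD = 101
G = pow(2, (P_MOD - 1) // Q_ORD, P_MOD)   # element of order q (checked in the test)

def share_poly_eval(coeffs, x):
    """Evaluate f(x, 0) = sum c_i x^i modulo q by Horner's rule."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % Q_ORD
    return acc

def lagrange_coeffs_at_zero(xs):
    """lambda_i with f(0) = sum lambda_i f(x_i) (mod q) whenever deg f < len(xs)."""
    lams = []
    for i, xi in enumerate(xs):
        num, den = 1, 1
        for j, xj in enumerate(xs):
            if i != j:
                num = num * (-xj) % Q_ORD
                den = den * (xi - xj) % Q_ORD
        lams.append(num * pow(den, -1, Q_ORD) % Q_ORD)
    return lams

def recover_in_exponent(released):
    """released: x_i -> g^{f(x_i,0)} mod p. Returns prod (g^{f(x_i,0)})^{lambda_i},
    which equals g^{f(0,0)} exactly when every released value is genuine."""
    xs = sorted(released)
    acc = 1
    for xi, lam in zip(xs, lagrange_coeffs_at_zero(xs)):
        acc = acc * pow(released[xi], lam, P_MOD) % P_MOD
    return acc

def detect_nonmembers(released, public_gs):
    """Step 5 analogue: True iff the released exponent values are all consistent
    with the GM's published g^s; nothing about s or the tokens is revealed."""
    return recover_in_exponent(released) == public_gs

def demo_extended():
    """Constructed run: t = 3, f(x,0) = 57 + 12x + 88x^2 (mod q), members 1..4,
    then member 4's value replaced by an impostor's exponent."""
    coeffs = [57, 12, 88]                       # f(0,0) = 57 plays the role of s
    public_gs = pow(G, coeffs[0], P_MOD)        # what the GM publishes
    honest = {x: pow(G, share_poly_eval(coeffs, x), P_MOD) for x in (1, 2, 3, 4)}
    forged = dict(honest)
    forged[4] = pow(G, 5, P_MOD)                # an exponent the GM never issued
    return detect_nonmembers(honest, public_gs), detect_nonmembers(forged, public_gs)
```

Because `G` has prime order `Q_ORD`, an interpolation that comes out right in the exponent comes out right modulo `Q_ORD`, so the Lagrange coefficients must be reduced modulo the subgroup order rather than modulo `P_MOD`; using the wrong modulus here is the classic implementation slip in this construction. Four genuine points on a degree-2 polynomial still interpolate exactly, which is why the honest run with more than `t` members succeeds.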

##### 4.2. Analysis

*(i) Correctness*

*Nonmembership Detection*. In Step , since and , it follows from the Lagrange interpolation formula that . This implies that any subset of group members can work together to compute . Hence, it holds that . Otherwise, if there are nonmembers, then .

*Nonmembership Identification*. In Step , we get . Thus, in Step , if values in the subset are all valid, we should have .

*(ii) Security*. In this extended protocol, each member’s private token value, , is protected in the released value, , under the discrete logarithm assumption. Similarly, the secret, , is protected in the public value, , under the discrete logarithm assumption.

*(iii) Performance*. The modular exponentiation takes more computational time than multiplication and addition. So, we only consider the modular exponentiation in the following discussion. In this extended protocol, each member needs to compute only one modular exponentiation if all users are members. However, if there are nonmembers, more modular exponentiations are needed to identify nonmembers.

*Remark 3. *Comparing the algorithms presented in Sections 3 and 4: the tokens generated during initialization can be used for only one group communication in the basic algorithm, but for multiple group communications in the extended algorithm. Furthermore, only polynomial evaluations are needed in the basic algorithm, whereas modular exponentiations are needed in the extended algorithm. According to Horner’s rule [17], each polynomial evaluation needs modular multiplications. But each modular exponentiation with two large moduli, and (say is 160 bits and is 1024 bits), needs modular multiplications. Since is much smaller than , the basic algorithm is much faster than the extended algorithm.

#### 5. Conclusion

We propose two efficient protocols for membership authentication and key establishment. The basic protocol supports a one-time communication in which each member needs only to perform polynomial evaluations. The extended protocol supports multiple communications, in which each member needs to perform modular exponentiations. Both protocols are noninteractive.

#### Conflicts of Interest

The authors declare that there are no conflicts of interest.

#### Authors’ Contributions

Lein Harn and Ching-Fang Hsu contributed equally to this work.