Abstract

Authentication is one of the most fundamental services in cryptography and information security. Compared with the traditional authentication methods, group authentication allows a group of users to be authenticated at once rather than authenticating each of these users individually. Therefore, it is more desirable in the group oriented environment, such as multicast/conference communications. In this paper, we first demonstrate that a recent group authentication scheme by Chien (Security and Communication Networks, 2017) suffers some security flaws, i.e. an adversary in the asynchronous communication model can pretend to be a legitimate group member without being detected. We then use the Anonymous Veto Networks (AV-net) to patch Chien’s scheme, so that its security can be rigorously proved in a well-defined security model.

1. Introduction

Authentication confirms whether some entity is who or what it claims to be. It is an important security service in cryptography and information security. Traditionally, the authentication process is carried out between two parties. The prover proves its identity to the verifier using a single or some combination of the following methods: something it has, something it knows, or something it is. The verifier will accept the proof if the prover, indeed, possesses the credential. However, this one-to-one authentication approach is inefficient in the group oriented environment, e.g., multicast/conference communications and broadroom elections [1, 2]. If each user needs to authenticate every user’s identity, a large number of authentication operations (quadratic to the number of users) need to be performed across the entire group. To address this problem, group authentication [3] has been proposed recently, so that instead of authenticating each user individually, all users in the group can be authenticated at once. If all users are legitimate group members, the group authentication is sufficient to prove that they all belong to the same group. Even if there exist some nonmembers, the group authentication still can be used as a preprocessing step before applying some traditional authentication techniques to identify those nonmembers.

In general, a group authentication scheme consists of two phases. In the initialization phase, the group manager (GM) generates a credential for each group member, and these credentials are sent through some secure networks. In the authentication phase, each player uses her credential to compute a token and broadcasts it. As follows, every user can use the revealed information to verify whether all these users are belonging to the same group. Two security requirements are fundamental for group authentication schemes. One is that if all users are legitimate group members, the authentication will always be successful. The other is that any nonmember with no valid credential cannot pretend to be a group member without being detected. Moreover, two other requirements are also highly desirable for group authentication schemes: (1) reuse of the credentials in multiple authentication sessions; (2) allowance of players to broadcast their tokens through asynchronous networks. Note that the first requirement helps to avoid the cumbersome processes of distributing credentials for every authentication session, and the asynchronous networks are easier to be established than the synchronous ones, especially in the distributed environment.

1.1. Our Contributions

In his work [4], Chien has proposed a group authentication scheme, claiming to satisfy the abovementioned requirements. In this paper, we first demonstrate that Chien’s scheme fails to achieve its claimed security in the asynchronous networks. In particular, an adversary in the asynchronous communication model can always wait until the other legitimate users having revealed their tokens and then fabricate a valid token using the revealed ones. We then use a novel technique, called Anonymous Veto Networks (AV-net), to patch Chien’s scheme. To avoid the “design-break-patch loop,” our proposed scheme is rigorously analyzed in a well-defined security model [5].

1.2. Organization of the Paper

The rest of the paper is organized as follows. In Section 2, we briefly review some related works in the literature. Chien’s scheme is described and analyzed in Section 3. In Section 4, we outline some preliminaries, including notations, building blocks, and security models. In Section 5, we introduce our improvement of Chien’s scheme and analyze it with respect to security and efficiency. Finally, we conclude in Section 6.

2. Related Works

After the concept being initially introduced by Harn [3], group authentication has been widely accepted as a useful tool in cryptography to simultaneously prove that a group of users are all legitimate members [6]. Recently, a number of group authentication schemes have been proposed in the literature. For example, Chien [4] used a different mathematical structure to renovate Harn’s scheme, with the purpose of allowing the credentials to be used in multiple trials in asynchronous networks. Liu et al. [7] considered the resource restrained environment and proposed a lightweight group authentication scheme in which the authentication is executed by checking whether the interpolation of the credentials returns a polynomial with the expected degree. Mahalle et al. [8] used the threshold Paillier cipher to design a group authentication scheme for the Internet of Things. Li et al. [9] extended the functionalities of group authentication so that not only the group members can be authenticated at once but also pairwise keys can be established among the group members. Guo et al. [10] and Elmouaatamid et al. [11] independently explored how to further trace the nonmembers if the group authentication fails.

However, a common drawback of these existing works is that their security is only justified using heuristic arguments rather than formal security proofs, and several of these schemes have already been found to contain security flaws. For example, Ahmadian and Jamshidpour [12] showed that Harn’s scheme is insecure because an adversary in the asynchronous networks can impersonate a group member without being detected. In paper [3], Harn simply conjectured that the adversary needs to reconstruct all the polynomials to fabricate a valid token. But, this adversary may use a very novel method, called the linear subspace attack, to fabricate a valid token without recovering any of the polynomials. In their work [5], Xia et al. proposed a formal security model for group authentication that captures the main security requirements. This work has also improved Harn’s scheme so that the modified scheme can be rigorously proved to achieve the desirable security properties.

In this paper, we first demonstrate that Chien’s scheme is also insecure in the asynchronous networks. We then propose an improvement of Chien’s scheme and prove its security using the security model in paper [5].

3. Analysis of Chien’s Scheme

3.1. Description

Note that our description here is slightly different from Chien’s original scheme [4]. We use a symmetric bilinear map in order to simplify the description, while Chien uses an asymmetric bilinear map. It is well known that compared with the symmetric bilinear map, the asymmetric one has advantages in security and bandwidth, but our attack against Chien’s scheme also works when an asymmetric bilinear map is used instead.

We denote and as two finite cyclic groups of order for some large prime . A bilinear map is defined between these two groups, satisfying the following properties:(i)Bilinear: the map is said to be bilinear if for all and all (ii)Nondegenerate: the map does not send all pairs in to the identity in (iii)Computable: there exists an efficient algorithm to compute for any

Chien’s multiple group authentication scheme works as follows:(i)Init: GM first selects two finite cyclic groups and with prime order and a bilinear map . Denote as a generator of . GM then selects a secret and sets . GM selects values for . GM associates the pairwise different integers with the group members. Finally, GM outputs the system parameters .(ii)Dist: GM selects a random polynomial over with degree , such that . GM, then computes the credentials , and sends them to the group members through the secure channel.(iii)Comp: in the -th session (), every participating user in computes her token and broadcasts it, where is the Lagrange coefficient.(iv)Auth: in the -th session, every user can verify whether all the users are legitimate group members by checking:

Note that if all players are legitimate group members, we have . Also, thanks to the bilinear property, this further implies that the abovementioned equation holds. But, if there exist some nonmembers, the relation can only satisfy with negligible probability. Therefore, the abovementioned equation can be used to check whether a group authentication is successful.

3.2. Analysis

Now, we demonstrate that, in the asynchronous communication model, an adversary who has no valid credential can pretend to be a legitimate group member without being detected. Without loss of generality, suppose that attends the -th group authentication session together with legitimate group members and would like to impersonate the group member . The attack works as follows:(i)Each legitimate group member computes and broadcasts her token , where is the Lagrange coefficient.(ii)After receiving these tokens, modifies them as for and interpolates , where(i)Finally, computes the token , where , and broadcasts .

At this time, the group authentication will be successful because . The consequence is that the adversary has impersonated the group member without being detected. The main reason for this attack is that since the Lagrange coefficients can be publicly computed, can remove them from the revealed tokens and then uses the modified tokens to interpolate a new valid token. To solve this problem, we need to disable ’s ability of removing the Lagrange coefficients from the revealed tokens.

4. Preliminaries

4.1. Notations

We assume that all players are probabilistic polynomial time (PPT) algorithms with respect to the security parameter . Standard notations are used for probabilistic algorithms and experiments. For example, if is a probabilistic algorithm, then denotes the result of running on inputs , and so on. We denote as the experiment of assigning as . If is a finite set, then we denote as the operation of picking an element uniformly from . Moreover, denotes the probability that the predicate will be true after the ordered execution of the algorithms , and so on. A function is called negligible if for all , there exists a such that for all .

4.2. Building Blocks

Shamir secret sharing [13]: it shares the secret value among users, so that any or more users can work together to recover the secret, but less than users cannot get any information of the secret. In the sharing phase, the dealer first selects a random polynomial over with degree , where . Then, the dealer computes the shares and sends them to each user through the secure channel. Here, are public parameters associated with the users that are pairwise different. In the reconstruction phase, any subset (where ) of these users can reconstruct the secret by Lagrange interpolation: , where is called the Lagrange coefficient.

Anonymous veto networks (AV-nets) [14]: they assume that there exist broadcast channels, and all the messages are exchanged through these channels. Suppose users are involved, and then the protocol works as follows:(i)Round 1: each user selects a value and broadcasts . also proves that she has the knowledge of without revealing it, e.g., using the Schnorr identification technique [15]. When this round finishes, every user computes (ii)Round 2: every user broadcasts a value and proves the knowledge of within without revealing it. Now, we have

To see that the abovementioned property always holds, by definition, ; hence, we have

4.3. Security model

We adapt the models and definitions in paper [5] and prove our proposed scheme using this security model. The participants: there are four types of participants in group authentication schemes:(i)Group manager (GM): the GM initializes the protocol and generates credentials for the users. In any authentication protocol, the user needs to possess some secret that is unknown to the others.(ii)Users: each of the users will receive a credential from the GM, and they will use their credentials to participate in the group authentication.(iii)Inside adversary: the inside adversary controls at most users, where is the threshold such that . can obtain these users’ internal states. ’s purpose is to learn some secret information or to pass the group authentication by herself.(iv)Outside adversary: the outside adversary does not own any valid credential generated by the GM, but her purpose is to impersonate a group member in the group authentication without being detected. Communication model: we assume that there exists a secure channel between the GM and every user, so that the credentials can be distributed securely. Moreover, we assume that every participant is connected to a broadcast channel, where any message sent through this channel can be heard by the other participants within some specified time bound. Note that the broadcast channel is only assumed to be asynchronous, such that messages sent from the uncorrupted users to the corrupted ones can be delivered relatively fast, the case in which the adversary can wait for the messages of the uncorrupted users to arrive, then decide on her computation and communication, and still get her messages delivered to the honest users on time. In comparison, all the users need to send their messages simultaneously in the synchronous networks. Therefore, adversaries in an asynchronous network are more powerful as they could obtain more information to assist their attacks. System model: the group authentication scheme is specified by the following four randomized algorithms: Init, Dist, Comp, and Auth.(i)The initialization algorithm Init is run by the GM. Init takes as inputs the security parameter ; it outputs the system parameters .(ii)The distribution algorithm Dist is run by the GM. Dist takes as inputs the system parameters and the number of users ; it outputs a set of credentials . These credentials are sent to through the secure channel, where denotes the set of all legitimate group members.(iii)The computation algorithm Comp is run by every user. Comp takes as inputs the system parameters , the session index , the set of participated users , and a credential ; it outputs a token through the broadcast channel.(iv)The group authentication algorithm Auth is run by the participated users. Auth takes as inputs the system parameters , the session index and a set of tokens ; it outputs 1 if and only contains legitimate group members, and it outputs 0 otherwise. Security Model: the following security properties are considered in the security model.

Definition 1. (correctness). If a set () of users are participating in the group authentication and they are all legitimate group members, then the group authentication will be successful. Formally, a group authentication scheme is said to have the correctness property if we haveIn the abovementioned expression, and .

Definition 2. (secrecy). The inside adversary cannot learn any secret information in the group authentication process. Formally, a group authentication scheme is said to have the secrecy property if we haveIn the abovementioned expression, is denoted as ’s view in the real run of the protocol , means computationally indistinguishable, and is denoted as ’s view of the transcripts simulated by a PPT simulator with only public information as inputs.

Definition 3. (no forgery). The inside adversary cannot pass the group authentication by herself. Formally, a group authentication scheme is said to have the no forgery property if we haveIn the abovementioned expression, denotes the users that are controlled by , such that and . Ω denotes an oracle that is used to query the group authentication service, and Σ records all the session indexes which have been queried.

Definition 4. (no impersonation). The outside adversary cannot impersonate a group member without being detected. Formally, a group authentication scheme is said to have the no impersonation property if we haveIn the abovementioned expression, is assumed to impersonate the user , where .
Computational assumptions: we assume that the following assumptions hold against any PPT algorithm.

Definition 5. (discrete logarithm (DL) assumption). The description of the finite cyclic group is given, where and is a generator of . The discrete logarithm assumption implies that there exists a negligible function such that for all PPT adversaries , we have

Definition 6. (computational Diffie–Hellman (CDH) assumption). The description of the finite cyclic group given, where and is a generator of . The computational Diffie–Hellman assumption implies that there exists a negligible function such that for all PPT adversaries , we have .

5. An Improvement of Chien’s Scheme

5.1. The Proposed Scheme

The improved multiple group authentication scheme in the asynchronous communication model works as follows:(i)Init: GM first selects two finite cyclic groups and with prime order , and a bilinear map . is denoted as a generator of . GM then selects a secret and sets . GM selects values for . GM associates the pairwise different integers with the group members. Finally, GM outputs the system parameters .(ii)Dist.: GM selects a random polynomial over with degree , such that . GM, then computes the credentials , and sends them to the group members through the secure channel.(iii)Comp: in the -th session, every participating user in first selects and broadcasts . Then, each user computes . As follows, every user computes and broadcasts her token as where is the Lagrange coefficient.(iv)Auth: In the -th session, every user can verify whether all the users are legitimate group members by checking:

5.2. Security Analysis

Theorem 1. Our modified group authentication scheme satisfies the correctness property.

Proof. If and , the Lagrange interpolation implies that , where is the Lagrange coefficient. Moreover, because the AV-nets have the property that , we haveTherefore, the equation will hold, and the authentication will be successful.

Theorem 2. Our modified group authentication scheme satisfies the secrecy property, assuming that the DL problem holds in .

Proof. We denote as the real run of the protocol and as the protocol simulated by a PPT simulator with only public information as inputs.
:(i)Init: generates and outputs the system parameters .(ii)Dist: computes the credentials and sends them to the group members through the secret channel. Without loss of generality, we assume that the credentials are learnt by the inside adversary .(iii)Comp: in the -th session, every participating user in selects and broadcasts . Then, each user computes and broadcasts her token as . In this step, learns which are possessed by the corrupted users and all the broadcast values.(iv)Auth: in the -th session, everyone verifies whether .:(i)Init: the simulator outputs the system parameters .(ii)Dist: sends the credentials to the inside adversary .(iii)Comp: We denote . In the -th session, randomly selects values from and broadcasts for . sends to . , then, randomly selects values from and computes . Then, broadcasts the tokens .(iv)Auth: in the -th session, everyone verifies whether .We now prove that it is infeasible for the inside adversary to distinguish these two protocols. In the Init algorithm, the same public parameters are published in both protocols. In the Dist algorithm, the same credentials are learnt by in both protocols. In the Comp algorithm, both sets and are randomly distributed in , and all the broadcast values are randomly distributed in . In Auth, the algorithm will be successful in both protocols. Therefore, cannot distinguish between and because all these algorithms in ’s view are indistinguishable. In other words, we haveMoreover, based on the DL assumption, cannot learn any secret information of from the public information or . Hence, our modified scheme satisfies the secrecy property.

Theorem 3. Our modified group authentication scheme satisfies the no forgery property, assuming that the CDH problem holds in .

Proof. We denote as the event that can predict the value from the public parameters and as the event that has learnt some secret information through querying the oracle Ω. We denote as the event that outputs a successful forgery. Then, we haveIn the abovementioned expression, and denote the complements of and , respectively.
Firstly, we prove that is negligible. Assume that the inside adversary can predict the value from the public parameters with nonnegligible probability, e.g., derives from the equation . Then, we show that there exists another adversary who can use as a subroutine to break the CDH problem in with nonnegligible probability. The reduction works as follows: suppose is given the description of with prime order and is a generator of . Moreover, is given two random values and in , and ’s task is to compute . In the Init algorithm, simulates the public parameters by selecting another cyclic group with order , a bilinear map , as well as random values in . , then, sends to . In the Dist algorithm, selects random values in and sends them to . In the Comp algorithm, selects random values in and sends them to . also broadcasts the required number of random values in . Note that the abovementioned steps generate a simulated environment for that is indistinguishable from a real run of our modified scheme . If outputs her predict of , uses it to solve the CDH problem. Because it is assumed that the CDH assumption holds in , our hypothesis that can predicate the value from with nonnegligible probability must be false. Hence, we have for some negligible function .
Secondly, Theorem 2 implies that the real run of our modified scheme does not leak any secret information to , based on the DL assumption in . Also, the hybrid argument [16] further implies that does not learn any secret information even if she has queried the oracle polynomial number of times. Hence, we have for some negligible function .
Finally, we analyze the probability . In this case, needs to guess the value . Because is randomly distributed in and only controls at most group members, the probability of guessing correct in each trial is exactly . Recall that can try polynomial number of times, and we have , where denotes the number of trials has made.
Putting the abovementioned analyses together, assuming that the CDH assumption holds in , we havefor some negligible function . Therefore, our modified scheme satisfies the no forgery property.