Group Authentication with Multiple Trials and Multiple Authentications

Group authentication aims at facilitating efficient authentication of a group of provers by a group of verifiers. A new group authentication scheme is proposed to improve the security of existing asynchronous group authentication schemes and to achieve better computational performance. The new scheme allows any group of legitimate members to execute multiple authentication trials even under the participation of active attackers.


Introduction
Authentication is a must for securing computer and network applications. Conventional authentication, whether user authentication or device authentication, focuses on the one-to-one scenario in which one verifier aims at verifying the legitimacy of one prover at a time. As more and more Internet-of-Things (IoT) [1,2] applications and many social networking applications require efficient authentication of a group of participants, these many-to-many authentication scenarios call for new kinds of group authentication in which many verifiers verify the legitimacy of many provers at one time to save cost and increase efficiency.
Based on Shamir's (, ) secret sharing [3], Harn [4] proposed three (, , ) group authentication schemes, where t represents the minimum threshold of participants,  denotes the number of participants in one trial, and  denotes the total number of members of the group. As long as  ≥  and all these  participants are legitimate, the group authentication succeeds; otherwise, it fails. These group authentication schemes can efficiently authenticate a group of legitimate entities or act as a preprocessing step to detect the existence of any illegitimate participants. One of Harn's group authentication schemes is the synchronous (, , ) group authentication, in which all participants are required to release their secret tokens simultaneously; otherwise, an illegitimate participant might forge valid tokens using the released tokens of others. The other two schemes are the asynchronous (, , ) group authentication and the asynchronous (, , ) group authentication with multiple authentications; we call them Harn's asynchronous GAS1 and Harn's asynchronous GAS2, respectively, in the rest of this paper. Both schemes allow the participants to release their tokens asynchronously; Harn's asynchronous GAS2 further allows the group to execute multiple authentications (to recover multiple system secrets) using the same set of predistributed tokens.
This paper focuses on the asynchronous schemes because the synchronous case is impractical. We find that Harn's two asynchronous schemes cannot let legitimate entities execute multiple trials, even when the specific secret has not yet been recovered. This weakness has two implications: if groups of entities try several times to recover a specific secret (for group authentication), then an attacker might derive the entities' tokens and further derive the system secret; if the system only allows at most one trial for any specific secret (corresponding to a specific group authentication), then an attacker can easily paralyze the system by simply releasing invalid tokens. Harn's publication [4] only emphasizes that once a secret is recovered, the corresponding group authentication is no longer valid; the security of the case in which members try several times for a not-yet-recovered secret has been neglected. This paper shows the weaknesses of Harn's asynchronous schemes and proposes a new scheme that overcomes the weaknesses and improves efficiency. The rest of this paper is organized as follows. Section 2 reviews Harn's asynchronous schemes. Section 3 shows the weaknesses. Section 4 proposes our new scheme, and Section 5 analyzes its security and evaluates its performance. Section 6 states our conclusions.

Review of Harn's Asynchronous Group Authentication Schemes (GAS)
The schemes consist of two phases: the initialization phase and the group authentication phase. The group manager (GM) initializes the system parameters and assigns each registered entity some secret tokens in the initialization phase. Then, any group of  legitimate entities with  ≥  can execute the group authentication to verify the legitimacy of the participating entities. = ℎ(  ) holds. If the verification succeeds, then the group authentication succeeds; otherwise, it fails. This scheme only allows one valid group authentication.
When  ( ≥ ) entities P = { 1 , . . .,   } would like to perform the group authentication corresponding to the reconstruction of the secret   , each participant

The Weaknesses of Harn's Asynchronous Schemes
We find that both Harn's asynchronous GAS1 and Harn's asynchronous GAS2 share one critical weakness. The schemes perform group authentication by recovering and verifying the sealed secret. If the schemes allow users to launch several trials before the secret is recovered, then an attacker can recover both the system secrets and the users' secret tokens by joining the process several times. On the other hand, if each secret allows only one trial of authentication, whether or not the specific secret is recovered, then the system is vulnerable to Denial of Service (DoS) attacks: simply releasing a false value spoils the authentication instance and the group authentication function of the system. After a fake value has been released, no group of valid members can perform any further group authentication.
The key idea of our attack on Harn's asynchronous GAS1 is introduced in the following phases.
Phase 1. Even though the secret tokens   (  )s are well protected in the released value )mod , one could solve these unknown variables   (  )s as long as he gets k distinct {  }, where each   corresponds to the value released by a specific user   in an authentication instance and there is at least one member different in any pair of groups in these authentication instances; in such cases, the attacker has k independent equations in k unknown variables   (  )s and can solve the equations. Let   ≡ {  (  ) | 1 ≤  ≤ } = { 1 (  ), . . .,   (  )} denote the set of secret tokens owned by the user   ; after the above attack, the attacker can acquire   . The attacker then continues with the next phase to acquire the secret polynomials.
Phase 3. Using the polynomials   (), 1 ≤  ≤ , the attacker computes  = ∑ =1∼     (  )mod  for the system secret. For any user   ∈  = { 1 , . . .,   } and the secret tokens of   that have not yet been disclosed, the attacker computes { 1 (  ), . . .,   (  )}. At this point, the attacker has derived all the system secrets and all the secret tokens of all users. The minimum number of runs that the attacker should participate in is .
The above attack can easily be extended to Harn's asynchronous GAS2. Attackers can acquire the secret values
Example 1. Now we take one example to demonstrate the attack process.
Attack Phase 1. Assume that the attacker A participates in two runs of authentications with { 1 ,  2 ,  3 } and, respectively, impersonates  4 ,  5 in these runs.
In run 1, A will get We list the calculations as follows: In run 2, A will get as follows: So now A has the following independent equations in (5a), (5b), and (5c). He then solves the equations and gets

An Improved Scheme That Enables Multiple Trials and Multiple Authentications
We now propose an improved scheme that not only overcomes the weaknesses of Harn's (, , ) asynchronous schemes but also improves the system performance. The GM in our scheme only publishes simple public data, and the members can execute group authentication with multiple authentications and multiple trials.

4.1. Preliminaries
We propose our scheme based on elliptic curve cryptography and bilinear pairing. We briefly review them as follows.
Definition 3. The elliptic curve discrete logarithm problem (ECDLP) [6] is as follows: given an elliptic curve over a finite field   and two points ,  ∈ (  ), find a number  such that  = .
It is believed that the ECDHP, the ECDLP, and the BPI are hard problems for proper parameter setting.

The System Model.
Here we describe the model for one group; it is easy to extend this model to several groups. In the system, there are two kinds of participants: the GM and a group of registered members. The GM is responsible for setting up and updating the system parameters. After initialization, the participants in each session want to verify whether all the participants belong to the same group; this verification is achieved by validating the aggregated released shares. The GM is trusted, while registered members might be compromised and disclose their secrets. Unless compromised, a registered member always behaves honestly.
The GM publishes a predetermined parameter . The scheme can verify whether all participants of one session with  participants ( ≥ ) belong to the same group. The scheme is secure if it can withstand the collusion of up to −1 insiders (registered members).

The Scheme Facilitating Multiple Trials and Multiple Authentications without Server's Active Participation
Like Harn's asynchronous (, , ) schemes, our scheme follows the same (, , ) notation, the asynchronous communication, and multiple authentications. Additionally, our scheme allows multiple trials. The GM only needs to publish some simple data, no matter how many authentications and trials these members would like to perform. The scheme consists of two phases: the initialization phase and the group authentication phase.
Initialization. The GM sets up three cyclic groups  1 ,  2 , and  3 of order q, where  1 and  2 are additive groups on elliptic curves and  3 is multiplicative. P is a generator of  2 . It chooses a secret random polynomial of degree  − 1, () =  0 +  1  + ⋅ ⋅ ⋅ +  −1  −1 mod  with  0 = , and a master secret . It computes  =  and publishes  as the system-wide public key. For each registered member   ∈  = { 1 , . . .,   } with identity   , it assigns (  ) as   's secret token.
Group Authentication. When  ( ≥ ) entities P = { 1 , . . .,   } would like to authenticate each other in the Vth authentication instance, the group of users agree on a random point  V (we discuss two options for generating the random points  V in Section 4.3). Each   ∈ P computes   = (  )∏  =1, ̸ = (−  /(  −   )) and    V and releases    V . After all users have released their values, they compute ∑  =1    V and verify whether the equation (∑  =1    V , ) ?= ( V , ) holds. If it holds, they pass the group authentication; otherwise, they fail.
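The share and Lagrange-component algebra behind the group authentication step, as an added example that is not code from the paper: it runs over a prime field instead of the paper's pairing groups, so the modulus, identities, secret and the `run_trial`/`demo` helpers are constructed here. The pairing equation e(∑ c_i R_V, P) = e(R_V, Q) with Q = sP holds exactly when ∑ c_i = s (mod q), and that scalar identity is what the stand-in verifier checks (it is handed s only because no pairing is available offline).

```python
"""Added example (not the paper's code): Lagrange-component aggregation over
a prime field, standing in for the pairing-based check of Section 4.3."""
import random

Q = 2**61 - 1  # prime group order q (constructed; the paper assumes a 160-bit q)


def gm_setup(t, member_ids, secret, seed=0):
    """GM side: pick f(x) = s + a1*x + ... + a_{t-1}*x^{t-1} mod q and hand
    member x_i the secret token f(x_i). Identities must be nonzero mod q."""
    rng = random.Random(seed)
    coeffs = [secret % Q] + [rng.randrange(1, Q) for _ in range(t - 1)]

    def f(x):
        acc = 0
        for a in reversed(coeffs):  # Horner evaluation modulo q
            acc = (acc * x + a) % Q
        return acc

    assert all(x % Q != 0 for x in member_ids)
    return {x: f(x) for x in member_ids}


def lagrange_component(token, x_i, participant_ids):
    """c_i = f(x_i) * prod_{j != i} (-x_j / (x_i - x_j)) mod q; recomputed for
    every session because it depends on who participates."""
    c = token % Q
    for x_j in participant_ids:
        if x_j != x_i:
            c = c * (-x_j) % Q * pow(x_i - x_j, -1, Q) % Q
    return c


def run_trial(tokens, participant_ids, secret, forged=None):
    """One trial: each participant releases c_i (in the real scheme, c_i*R_V).
    `forged` maps an identity to the token an impostor uses instead of f(x_i).
    Succeeds iff the aggregate equals s, i.e. iff the pairing check would pass."""
    forged = forged or {}
    released = [lagrange_component(forged.get(x, tokens.get(x, 0)), x, participant_ids)
                for x in participant_ids]
    return sum(released) % Q == secret % Q


def demo(t=3, secret=0xC0FFEE):
    """Constructed scenario: 5 registered members, threshold t = 3."""
    tokens = gm_setup(t, [1, 2, 3, 4, 5], secret, seed=7)
    return {
        "honest_m_eq_t": run_trial(tokens, [1, 2, 3], secret),
        "honest_m_gt_t": run_trial(tokens, [1, 2, 3, 4, 5], secret),
        # a second trial with the same tokens and another subset still works
        "second_trial": run_trial(tokens, [2, 3, 5], secret),
        # any token other than f(4) shifts the sum by a nonzero multiple: fails
        "impostor_present": run_trial(tokens, [1, 2, 4], secret,
                                      forged={4: (tokens[4] + 1) % Q}),
        # fewer than t honest members interpolate a different constant term
        "too_few": run_trial(tokens, [1, 2], secret),
    }
```

A failed trial consumes nothing: the same tokens serve the next trial, which is the multiple-trials property the paper contrasts with Harn's one-trial-per-secret schemes.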

Implementation Options of Choosing 𝑅V
The generation and selection of the random points  V are a crucial factor affecting the security. Here, we discuss two possible options. Both options mainly address the threat that an adversary might manipulate the selection of  V .
The first option is that the GM periodically updates a list of authenticated random points, and the entities choose one from the list of unused ones. The entities refuse to use any point that they have already used.
The second approach applies a one-way hash function that maps any string to a random point,  1 : {0, 1} * →  1 . Boneh and Franklin's MapToPoint function is one such function [7]. In this approach, each participant in the group calculates where date and time are the current timestamp and the   s are the participants' identities.

Comparison of Our Improvements with One Possible Extension of Harn's GAS2
In addition to our proposed scheme, another possible improvement is to extend Harn's GAS2. The system might require that each participant never try to recover one specific secret twice; that is, whenever an authentication fails, he should only try another authentication corresponding to another secret. This arrangement could prevent the attacks in Section 3.
However, we would like to discuss the differences between the above extension and our scheme. The extension, even though it could reduce the threat of our attacks, is still not immune to DoS attacks. The GM has to preselect many possible secrets and publish the numbers  , ,  , ,  = 1, 2, and {(  , ℎ(  ))}. If the list is not large enough, then successive releases of false shares could quickly deplete the list. If the GM tries to prepare a very long list, it incurs a large overhead.
By contrast, our implementation Option 2 is much simpler and more efficient, and it withstands heavy DoS attacks.

Security Analysis and Performance Evaluation
5.1. The Security
Lemma 6. Given a random point  V and a group of members P = { 1, , . . .,   } with  ≥ , the only condition under which the group P can reconstruct the value  V in the proposed scheme is that all the participating members are valid, and the scheme can resist up to  − 1 colluding insiders.
Proof. Since the secret tokens are generated using a secret polynomial of degree  − 1, the scheme can resist the collusion of up to  − 1 insiders. Also, any single invalid contribution from an invalid participant ruins the computation of  V .
Lemma = ( V , ) as long as the BPI is hard.
Based on the above lemmas, we have the following theorem.
Theorem 10. The proposed scheme satisfies the security requirements of the asynchronous (, , ) group authentication.

The Performance.
We first compare the computational complexities of the three schemes: ours, Harn's GAS1, and Harn's GAS2.
Let  ℎ denote the time complexity of one hash operation,  EM that of one elliptic curve point multiplication,  EA that of one elliptic curve point addition,  mul, that of one multiplication in field  (where  corresponds to the order of  1 ,  2 ,  3 in our scheme),  inv, that of one inverse operation in field ,  mul, that of one multiplication in field  (where  corresponds to the modular field in Harn's schemes),  inv, that of one inverse operation in field ,  exp, / exp, that of one exponentiation in field /, respectively, and  pair that of one pairing.
Each user   in our scheme needs to compute one Lagrange component   = (  )∏
Table 1 summarizes the performance. Row 2 lists the security properties. Only our scheme can prevent an attacker from deriving the secrets when the schemes allow multiple trials. Row 3 lists the detailed computational complexity. Based on Row 3 alone, it is still difficult to get an insight into the complexities, since they involve quite different operations. We therefore further evaluate the computational cost under the practical setting from NSA [8] and the algebraic equations of elliptic curve operations [6]. The security of ECC with a 160-bit key is roughly equivalent to that of RSA with a 1024-bit key or the D-H algorithm with a 1024-bit key. So let us assume that q (the order of  1 and  2 ) in our scheme is 160 bits, and p in Harn's schemes is 1024 bits. Under the above setting and approximations,  mul, (the time complexity of a field multiplication in   , where p is 1024 bits) is 41 times  mul, (the time complexity of a field multiplication in   , where q is 160 bits),  EM ≅ 29 To further simplify the complexity approximation, we refer to an efficient pairing implementation [5]. Based on the figures there [5], we roughly approximate one pairing operation as 5356 mul, . We approximate (7 + 1429) mul, + 2 pair ≅ (7 + 6785) mul, in Row 4.
From Row 4, we can tell that Harn's schemes have lower computational cost than ours when the number of participants is small, but the costs of Harn's schemes grow faster than ours as the number of participants increases. The costs of all three schemes increase with the number of participants, but the cost of Harn's GAS1 also depends on the value k. Because the parameter k in Harn's GAS1 should satisfy  >  − 1, we only compare our scheme with Harn's GAS2 in Figure 1 to give an insight into the performance of the three schemes. From Figure 1, we can see that the cost of Harn's GAS2 increases much faster than ours as the number of participants increases. When the number is around 141, the cost of Harn's GAS2 overtakes ours and then increases very fast. The comparison shows that our scheme not only has better security but also provides better computational performance when the number of participants is large.

Conclusions
In this paper, we have shown the weaknesses of Harn's asynchronous group authentication schemes. An attacker can derive the system secrets and the members' secret tokens if the schemes allow multiple trials before the corresponding secret is recovered, or an attacker can easily disable the functions of the schemes by simply releasing invalid shares if the schemes do not allow multiple trials. We have proposed an improved scheme that allows multiple trials for each system secret. The analysis shows that our scheme even has better computational performance when the number of participants is greater than 141.

Figure 1: The comparison of computational cost versus the number of participants. The unit of the cost is  mul, .
Lemma 7. Given a valid released value    V , where   = (  )∏  =1, ̸ = (−  /(  −  )), one cannot derive the value   and the corresponding (  ) as long as the ECDLP is hard. Given a valid released    V and another point R, one cannot derive the value   R as long as the ECDHP is hard. Given the values ( V , ) and , one cannot derive the value ∑  =1    V which satisfies (∑  =1    V , )