Authentication is one of the most fundamental services in cryptography and information security. Compared with traditional authentication methods, group authentication allows a group of users to be authenticated at once rather than authenticating each of these users individually. It is therefore more desirable in group-oriented environments, such as multicast/conference communications. In this paper, we first demonstrate that a recent group authentication scheme by Chien (Security and Communication Networks, 2017) suffers from security flaws: an adversary in the asynchronous communication model can pretend to be a legitimate group member without being detected. We then use the Anonymous Veto Networks (AV-net) to patch Chien’s scheme, so that its security can be rigorously proved in a well-defined security model.

Authentication confirms whether some entity is who or what it claims to be. It is an important security service in cryptography and information security. Traditionally, the authentication process is carried out between two parties. The prover proves its identity to the verifier using one or some combination of the following methods: something it has, something it knows, or something it is. The verifier will accept the proof if the prover does indeed possess the credential. However, this one-to-one authentication approach is inefficient in group-oriented environments, e.g., multicast/conference communications and boardroom elections [

In general, a group authentication scheme consists of two phases. In the

In his work [

The rest of the paper is organized as follows. In Section

After the concept was initially introduced by Harn [

However, a common drawback of these existing works is that their security is only justified using heuristic arguments rather than formal security proofs, and several of these schemes have already been found to contain security flaws. For example, Ahmadian and Jamshidpour [

In this paper, we first demonstrate that Chien’s scheme is also insecure in the asynchronous networks. We then propose an improvement of Chien’s scheme and prove its security using the security model in paper [

Note that our description here is slightly different from Chien’s original scheme [

We denote

Bilinear: the map

Nondegenerate: the map

Computable: there exists an efficient algorithm to compute

Chien’s multiple group authentication scheme works as follows:

Init: GM first selects two finite cyclic groups

Dist: GM selects a random polynomial

Comp: in the

Auth: in the

Note that if all players are legitimate group members, we have

Now, we demonstrate that, in the asynchronous communication model, an adversary

Each legitimate group member

After receiving these tokens,

Finally,

At this time, the group authentication will be successful because

We assume that all players are probabilistic polynomial time (PPT) algorithms with respect to the security parameter

Shamir secret sharing [

Anonymous veto networks (AV-nets) [

Round 1: each user

Round 2: every user broadcasts a value

To see that the abovementioned property always holds, by definition,
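The cancellation property behind the two AV-net rounds, as an added example that is not code from the paper: it follows the standard AV-net construction, uses a constructed toy group, and leaves out the zero-knowledge proofs each user attaches to its broadcasts. The function names are hypothetical.

```python
import secrets

# Constructed toy Schnorr group (p = 2q + 1); far too small for real use.
P, Q, G = 2039, 1019, 4

def round1(n):
    """Round 1: user i picks secret x_i in [1, q-1] and broadcasts g^x_i.
    (The zero-knowledge proof of knowledge of x_i is omitted here.)"""
    xs = [secrets.randbelow(Q - 1) + 1 for _ in range(n)]
    return xs, [pow(G, x, P) for x in xs]

def g_yi(pubs, i):
    """g^y_i = prod_{j<i} g^x_j / prod_{j>i} g^x_j, from public values only."""
    num = den = 1
    for j, gx in enumerate(pubs):
        if j < i:
            num = num * gx % P
        elif j > i:
            den = den * gx % P
    return num * pow(den, -1, P) % P

def round2(xs, pubs, vetoers=()):
    """Round 2: user i broadcasts (g^y_i)^c_i, with c_i = x_i for "no veto"
    and c_i = x_i + r (r != 0 mod q) for "veto"."""
    out = []
    for i, x in enumerate(xs):
        c = x
        if i in vetoers:
            c = (x + secrets.randbelow(Q - 1) + 1) % Q
        out.append(pow(g_yi(pubs, i), c, P))
    return out

def no_veto(values):
    """The product is g^(sum c_i*y_i); it is 1 when every c_i = x_i,
    because sum x_i*y_i = 0 (each x_i*x_j term appears once with each sign)."""
    prod = 1
    for v in values:
        prod = prod * v % P
    return prod == 1

if __name__ == "__main__":
    xs, pubs = round1(5)
    print("all silent :", no_veto(round2(xs, pubs)))
    print("user 2 veto:", no_veto(round2(xs, pubs, vetoers={2})))
```

In this toy group a veto goes unnoticed with probability about 1/q (when the vetoer's y_i happens to be 0 mod q); in a cryptographically sized group that probability is negligible.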

We adapt the models and definitions in paper [

The participants: there are four types of participants in group authentication schemes:

Group manager (GM): the GM initializes the protocol and generates credentials for the users. In any authentication protocol, the user needs to possess some secret that is unknown to the others.

Users: each of the

Inside adversary: the inside adversary

Outside adversary: the outside adversary

Communication model: we assume that there exists a secure channel between the GM and every user, so that the credentials can be distributed securely. Moreover, we assume that every participant is connected to a broadcast channel, where any message sent through this channel can be heard by the other participants within some specified time bound. Note that the broadcast channel is only assumed to be asynchronous: messages sent from the uncorrupted users to the corrupted ones can be delivered relatively fast, so the adversary can wait for the messages of the uncorrupted users to arrive, then decide on her computation and communication, and still get her messages delivered to the honest users on time. In comparison, all users must send their messages simultaneously in synchronous networks. Therefore, adversaries in an asynchronous network are more powerful, as they can obtain more information to assist their attacks.

System model: the group authentication scheme is specified by the following four randomized algorithms:

The initialization algorithm

The distribution algorithm

The computation algorithm

The group authentication algorithm

Security Model: the following security properties are considered in the security model.

(correctness). If a set

In the abovementioned expression,

(secrecy). The inside adversary

In the abovementioned expression,

(no forgery). The inside adversary

In the abovementioned expression,

(no impersonation). The outside adversary

In the abovementioned expression,

Computational assumptions: we assume that the following assumptions hold against any PPT algorithm.

(discrete logarithm (DL) assumption). The description of the finite cyclic group

(computational Diffie–Hellman (CDH) assumption). The description of the finite cyclic group

The improved multiple group authentication scheme in the asynchronous communication model works as follows:

Init: GM first selects two finite cyclic groups

Dist: GM selects a random polynomial

Comp: in the

where

Auth: in the

Our modified group authentication scheme satisfies the correctness property.

If

Therefore, the equation

Our modified group authentication scheme satisfies the secrecy property, assuming that the DL problem holds in

We denote

Init:

Dist:

Comp: in the

Auth: in the

Init: the simulator

Dist:

Comp: We denote

Auth: in the

We now prove that it is infeasible for the inside adversary

Moreover, based on the DL assumption,

Our modified group authentication scheme satisfies the no forgery property, assuming that the CDH problem holds in

We denote

In the abovementioned expression,

Firstly, we prove that

Secondly, Theorem

Finally, we analyze the probability

Putting the abovementioned analyses together, assuming that the CDH assumption holds in

Our modified group authentication scheme satisfies the no impersonation property, assuming that the

Denote

Firstly, we prove that

Next, we analyze the probability

Putting the abovementioned analysis together, we conclude that

We now give a brief efficiency analysis of our modified scheme. In the

An efficiency comparison between our proposed scheme and Chien’s scheme [

Comparison between our scheme and Chien’s scheme.

Chien’s scheme | ||||

Our scheme |

In this paper, we have pointed out a security flaw in an existing group authentication scheme by Chien [

The authors confirm that no data were used to support this study.

The authors declare that there are no conflicts of interest regarding the publication of this paper.

This work was supported by the National Natural Science Foundation of China (Grant nos. 61662016 and 61772224), Key Projects of Guangxi Natural Science Foundation (Grant no. 2018JJD170004), and Guangxi Key Laboratory of Trusted Software (Grant no. KX201908).