Cryptanalysis and Improvement of a Group Authentication Scheme with Multiple Trials and Multiple Authentications

Authentication is one of the most fundamental services in cryptography and information security. Compared with the traditional authentication methods, group authentication allows a group of users to be authenticated at once rather than authenticating each of these users individually. Therefore, it is more desirable in the group oriented environment, such as multicast/conference communications. In this paper, we first demonstrate that a recent group authentication scheme by Chien (Security and Communication Networks, 2017) suffers some security flaws, i.e. an adversary in the asynchronous communication model can pretend to be a legitimate group member without being detected. We then use the Anonymous Veto Networks (AV-net) to patch Chien's scheme, so that its security can be rigorously proved in a well-defined security model.


Introduction
Authentication confirms whether some entity is who or what it claims to be. It is an important security service in cryptography and information security. Traditionally, the authentication process is carried out between two parties. The prover proves its identity to the verifier using a single or some combination of the following methods: something it has, something it knows, or something it is. The verifier will accept the proof if the prover indeed possesses the credential. However, this one-to-one authentication approach is inefficient in the group oriented environment, e.g., multicast/conference communications and boardroom elections [1,2]. If each user needs to authenticate every other user's identity, a large number of authentication operations (quadratic in the number of users) need to be performed across the entire group. To address this problem, group authentication [3] has been proposed recently, so that instead of authenticating each user individually, all users in the group can be authenticated at once. If all users are legitimate group members, the group authentication is sufficient to prove that they all belong to the same group. Even if there exist some nonmembers, the group authentication can still be used as a preprocessing step before applying some traditional authentication techniques to identify those nonmembers.
In general, a group authentication scheme consists of two phases. In the initialization phase, the group manager (GM) generates a credential for each group member, and these credentials are sent through some secure networks. In the authentication phase, each player uses her credential to compute a token and broadcasts it. Every user can then use the revealed information to verify whether all these users belong to the same group. Two security requirements are fundamental for group authentication schemes. One is that if all users are legitimate group members, the authentication will always be successful. The other is that any nonmember with no valid credential cannot pretend to be a group member without being detected. Moreover, two other requirements are also highly desirable for group authentication schemes: (1) reuse of the credentials in multiple authentication sessions; (2) allowing players to broadcast their tokens through asynchronous networks. Note that the first requirement helps to avoid the cumbersome process of distributing credentials for every authentication session, and asynchronous networks are easier to establish than synchronous ones, especially in the distributed environment.

Our Contributions.
In his work [4], Chien has proposed a group authentication scheme, claiming to satisfy the abovementioned requirements. In this paper, we first demonstrate that Chien's scheme fails to achieve its claimed security in asynchronous networks. In particular, an adversary in the asynchronous communication model can always wait until the other legitimate users have revealed their tokens and then fabricate a valid token from the revealed ones. We then use a novel technique, called Anonymous Veto Networks (AV-net), to patch Chien's scheme. To avoid the "design-break-patch loop," our proposed scheme is rigorously analyzed in a well-defined security model [5].

Organization of the Paper.
The rest of the paper is organized as follows. In Section 2, we briefly review some related works in the literature. Chien's scheme is described and analyzed in Section 3. In Section 4, we outline some preliminaries, including notations, building blocks, and security models. In Section 5, we introduce our improvement of Chien's scheme and analyze it with respect to security and efficiency. Finally, we conclude in Section 6.

Related Works
After the concept was initially introduced by Harn [3], group authentication has been widely accepted as a useful tool in cryptography to simultaneously prove that a group of users are all legitimate members [6]. Recently, a number of group authentication schemes have been proposed in the literature. For example, Chien [4] used a different mathematical structure to renovate Harn's scheme, with the purpose of allowing the credentials to be used in multiple trials in asynchronous networks. Liu et al. [7] considered the resource constrained environment and proposed a lightweight group authentication scheme in which the authentication is executed by checking whether the interpolation of the credentials returns a polynomial with the expected degree. Mahalle et al. [8] used the threshold Paillier cipher to design a group authentication scheme for the Internet of Things. Li et al. [9] extended the functionalities of group authentication so that not only can the group members be authenticated at once but pairwise keys can also be established among the group members. Guo et al. [10] and Elmouaatamid et al. [11] independently explored how to further trace the nonmembers if the group authentication fails. However, a common drawback of these existing works is that their security is only justified using heuristic arguments rather than formal security proofs, and several of these schemes have already been found to contain security flaws. For example, Ahmadian and Jamshidpour [12] showed that Harn's scheme is insecure because an adversary in asynchronous networks can impersonate a group member without being detected. In paper [3], Harn simply conjectured that the adversary needs to reconstruct all the polynomials to fabricate a valid token. But this adversary may use a novel method, called the linear subspace attack, to fabricate a valid token without recovering any of the polynomials. In their work [5], Xia et al. proposed a formal security model for group authentication that captures the main security requirements. This work has also improved Harn's scheme so that the modified scheme can be rigorously proved to achieve the desirable security properties.
In this paper, we first demonstrate that Chien's scheme is also insecure in the asynchronous networks. We then propose an improvement of Chien's scheme and prove its security using the security model in paper [5].

Description.
Note that our description here is slightly different from Chien's original scheme [4]. We use a symmetric bilinear map in order to simplify the description, while Chien uses an asymmetric bilinear map. It is well known that compared with the symmetric bilinear map, the asymmetric one has advantages in security and bandwidth, but our attack against Chien's scheme also works when an asymmetric bilinear map is used instead.
We denote G_1 and G_2 as two finite cyclic groups of order q for some large prime q. A bilinear map e: G_1 × G_1 → G_2 is defined between these two groups, satisfying the following properties:
(i) Bilinear: the map e: G_1 × G_1 → G_2 is said to be bilinear if e(aP, bQ) = e(P, Q)^{ab} for all P, Q ∈ G_1 and all a, b ∈ Z_q.
(ii) Nondegenerate: the map e does not send all pairs in G_1 × G_1 to the identity in G_2.
(iii) Computable: there exists an efficient algorithm to compute e(P, Q) for any P, Q ∈ G_1.
Chien's multiple group authentication scheme works as follows:
(i) Init: GM first selects two finite cyclic groups G_1 and G_2 with prime order q and a bilinear map e: G_1 × G_1 → G_2. Denote P as a generator of G_1. GM then selects a secret s ←_R Z_q and sets Q = sP. GM selects l values R_i ←_R G_1 for i ∈ Z_l. GM associates the pairwise different integers w_1, w_2, ..., w_n with the group members. Finally, GM outputs the system parameters params = (G_1, G_2, e, q, P, Q, {R_i}_{i∈Z_l}, {w_i}_{i∈Z_n}).
(ii) Dist: GM selects a random polynomial f(x) = a_0 + a_1 x + ··· + a_{t−1} x^{t−1} over Z_q with degree t − 1, such that a_0 = s. GM then computes the credentials s_i = f(w_i) and sends them to the group members through the secure channel.
(iv) Auth: in the σ-th session, every user can verify whether all the users are legitimate group members by checking e(Σ_{i∈Ω} c_i, P) = e(R_σ, Q). Note that if all players are legitimate group members, we have Σ_{i∈Ω} c_i = sR_σ. Also, thanks to the bilinear property, this further implies that the abovementioned equation holds. But if there exist some nonmembers, the relation Σ_{i∈Ω} c_i = sR_σ can only be satisfied with negligible probability. Therefore, the abovementioned equation can be used to check whether a group authentication is successful.

3.2. Analysis.
Now, we demonstrate that, in the asynchronous communication model, an adversary A who has no valid credential can pretend to be a legitimate group member without being detected. Without loss of generality, suppose that A attends the σ-th group authentication session together with t legitimate group members U_1, U_2, ..., U_t and A would like to impersonate the group member U_{t+1}. The attack works as follows:
(i) Each legitimate group member U_i computes and broadcasts her token c_i.
At this time, the group authentication will be successful because Σ_{i=1}^{t+1} c_i = sR_σ. The consequence is that the adversary A has impersonated the group member U_{t+1} without being detected. The main reason for this attack is that, since the Lagrange coefficients can be publicly computed, A can remove them from the revealed tokens and then use the modified tokens to interpolate a new valid token. To solve this problem, we need to disable A's ability to remove the Lagrange coefficients from the revealed tokens.

Notations.
We assume that all players are probabilistic polynomial time (PPT) algorithms with respect to the security parameter λ. Standard notations are used for probabilistic algorithms and experiments. For example, if A is a probabilistic algorithm, then A(x_1, x_2, ...) denotes the result of running A on inputs x_1, x_2, and so on. We denote y ← A(x_1, x_2, ...) as the experiment of assigning y as A(x_1, x_2, ...). If S is a finite set, then we denote x ←_R S as the operation of picking an element uniformly from S. Moreover, Pr[x ← S; y ← T; ··· : p(x, y, ...)] denotes the probability that the predicate p(x, y, ...) will be true after the ordered execution of the algorithms x ← S; y ← T, and so on.

Building Blocks.
Shamir secret sharing [13]: it shares the secret value s ∈ Z_q among n users, so that any t or more users can work together to recover the secret, but fewer than t users cannot get any information about the secret. In the sharing phase, the dealer first selects a random polynomial f(x) = a_0 + a_1 x + ··· + a_{t−1} x^{t−1} over Z_q with degree t − 1, where a_0 = s. Then, the dealer computes the shares s_i = f(w_i) and sends them to each user through the secure channel. Here, w_1, w_2, ..., w_n are public parameters associated with the users that are pairwise different. In the reconstruction phase, any subset Ω (where |Ω| ≥ t) of these users can reconstruct the secret s by Lagrange interpolation: s = Σ_{i∈Ω} s_i L_i, where L_i = Π_{j∈Ω, j≠i} w_j/(w_j − w_i).
Anonymous veto networks (AV-nets) [14]: they assume that there exist broadcast channels, and all the messages are exchanged through these channels. Suppose n users are involved; then the protocol works as follows:
(i) Round 1: each user U_i selects a value x_i ←_R Z_q and broadcasts g^{x_i}. U_i also proves that she has knowledge of x_i without revealing it, e.g., using the Schnorr identification technique [15]. When this round finishes, every user computes g^{y_i} from the broadcast values.
(ii) Round 2: every user broadcasts a value g^{x_i y_i} and proves the knowledge of x_i within g^{x_i y_i} without revealing it. Now, we have Σ_i x_i y_i = 0, i.e., Π_i g^{x_i y_i} = 1.
To see that the abovementioned property always holds, by definition, y_i = Σ_{j<i} x_j − Σ_{j>i} x_j; hence, we have Σ_i x_i y_i = Σ_i Σ_{j<i} x_i x_j − Σ_i Σ_{j>i} x_i x_j = 0, since every product x_i x_j with i ≠ j appears once in each sum.
4.3. Security Model.
We adapt the models and definitions in paper [5] and prove our proposed scheme using this security model.
The participants: there are four types of participants in group authentication schemes:
(i) Group manager (GM): the GM initializes the protocol and generates credentials for the users. In any authentication protocol, the user needs to possess some secret that is unknown to the others.
(ii) Users: each of the n users will receive a credential from the GM, and they will use their credentials to participate in the group authentication.
(iii) Inside adversary: the inside adversary A_I controls at most t − 1 users, where t is the threshold such that t > n/2. A_I can obtain these users' internal states. A_I's purpose is to learn some secret information or to pass the group authentication by herself.
(iv) Outside adversary: the outside adversary A_O does not own any valid credential generated by the GM, but her purpose is to impersonate a group member in the group authentication without being detected.
Communication model: we assume that there exists a secure channel between the GM and every user, so that the credentials can be distributed securely. Moreover, we assume that every participant is connected to a broadcast channel, where any message sent through this channel can be heard by the other participants within some specified time bound. Note that the broadcast channel is only assumed to be asynchronous: messages sent from the uncorrupted users to the corrupted ones can be delivered relatively fast, so the adversary can wait for the messages of the uncorrupted users to arrive, then decide on her computation and communication, and still get her messages delivered to the honest users on time. In comparison, all the users need to send their messages simultaneously in synchronous networks. Therefore, adversaries in an asynchronous network are more powerful, as they can obtain more information to assist their attacks.
System model: the group authentication scheme is specified by the following four randomized algorithms: Init, Dist, Comp, and Auth.
(i) The initialization algorithm Init is run by the GM. Init takes as input the security parameter λ; it outputs the system parameters params.
(ii) The distribution algorithm Dist is run by the GM. Dist takes as inputs the system parameters params and the number of users n; it outputs a set of credentials s_1, s_2, ..., s_n. These credentials are sent to U through the secure channel, where U denotes the set of all legitimate group members.
(iii) The computation algorithm Comp is run by every user. Comp takes as inputs the system parameters params, the session index σ, the set of participating users Ω, and a credential s_i; it outputs a token c_i through the broadcast channel.
(iv) The group authentication algorithm Auth is run by the participating users. Auth takes as inputs the system parameters params, the session index σ, and a set of tokens {c_i}_{i∈Ω}; it outputs 1 if |Ω| ≥ t and Ω only contains legitimate group members, and it outputs 0 otherwise.
Pr[... : Auth(params, σ, {c_i}_{i∈Ω}) = 1] = 1.
Definition 2 (secrecy). The inside adversary A_I cannot learn any secret information in the group authentication process. Formally, a group authentication scheme is said to have the secrecy property if we have View_{A_I}(Real(λ, params)) ≈_c View_{A_I}(SIM_S(λ, params)). In the abovementioned expression, View_{A_I}(Real(λ, params)) denotes A_I's view in the real run of the protocol, ≈_c means computationally indistinguishable, and View_{A_I}(SIM_S(λ, params)) denotes A_I's view of the transcripts simulated by a PPT simulator S with only public information as inputs.
Definition 3 (no forgery). The inside adversary A_I cannot pass the group authentication by herself. Formally, a group authentication scheme is said to have the no forgery property if we have Pr[params ← Init(λ); {s_i}_{i∈U} ← Dist(params, n); ...]. In the abovementioned expression, U_A denotes the users that are controlled by A_I, such that U_A ⊂ U and |U_A| ≤ t − 1. Ω denotes an oracle that is used to query the group authentication service, and Σ records all the session indexes which have been queried.
Definition 4 (no impersonation). The outside adversary A_O cannot impersonate a group member without being detected. Formally, a group authentication scheme is said to have the no impersonation property if we have In the abovementioned expression, A_O is assumed to impersonate the user U_μ, where μ ∉ Ω.
Computational assumptions: we assume that the following assumptions hold against any PPT algorithm.
Definition 5 (discrete logarithm (DL) assumption). The description of the finite cyclic group G is given, where |G| ≥ q and g is a generator of G. The discrete logarithm assumption implies that there exists a negligible function ε(·) such that for all PPT adversaries A_DL, we have Pr[x ←_R Z_q; x* ← A_DL(G, q, g, g^x) : x* = x] < ε(λ). (9)
Definition 6 (computational Diffie-Hellman (CDH) assumption). The description of the finite cyclic group G is given, where |G| ≥ q and g is a generator of G. The computational Diffie-Hellman assumption implies that there exists a negligible function ε(·) such that for all PPT adversaries

The Proposed Scheme.
The improved multiple group authentication scheme in the asynchronous communication model works as follows:
(i) Init: GM first selects two finite cyclic groups G_1 and G_2 with prime order q, and a bilinear map e: G_1 × G_1 → G_2. P is denoted as a generator of G_1. GM then selects a secret s ←_R Z_q and sets Q = sP. GM selects l values R_i ←_R G_1 for i ∈ Z_l. GM associates the pairwise different integers w_1, w_2, ..., w_n with the group members. Finally, GM outputs the system parameters params = (G_1, G_2, e, q, P, Q, {R_i}_{i∈Z_l}, {w_i}_{i∈Z_n}).
(ii) Dist: GM selects a random polynomial f(x) = a_0 + a_1 x + ··· + a_{t−1} x^{t−1} over Z_q with degree t − 1, such that a_0 = s. GM then computes the credentials s_i = f(w_i) and sends them to the group members through the secure channel.
(iii) Comp: in the σ-th session, every participating user in Ω first selects u_i ←_R Z_q and broadcasts u_i R_σ. Then, each user computes v_i R_σ = Σ_{j∈Ω, j<i} u_j R_σ − Σ_{j∈Ω, j>i} u_j R_σ. Next, every user computes and broadcasts her token c_i, where L_i = Π_{j∈Ω, j≠i} w_j/(w_j − w_i) is the Lagrange coefficient.
(iv) Auth: in the σ-th session, every user can verify whether all the users are legitimate group members by checking e(Σ_{i∈Ω} c_i, P) = e(R_σ, Q).
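The following Python toy is an added worked example, not code from the paper or from Chien's scheme. It runs the Shamir sharing and AV-net building blocks of Section 4.2 and the Dist, Comp and Auth steps described above on constructed parameters. Its modelling choices are assumptions of the example: G_1 is modelled as Z_q with P = 1 (so Q = sP is simply s) and the pairing as e(a, b) = a·b mod q, which is bilinear, so Auth is checked exactly as stated, but trivially invertible, so the toy shows correctness and the effect of the AV-net blinding rather than the hardness the real scheme relies on; q = 509 and p = 2q + 1 = 1019 are small primes chosen for readability, with g = 4 generating the order-q subgroup used for the multiplicative AV-net check; and the token form c_i = s_i L_i R_σ + u_i(v_i R_σ) is reconstructed from the correctness proof, since the paper's own token formula is absent from the extracted text.

```python
"""Toy run of Shamir sharing, the AV-net, and the improved Comp/Auth steps.
Constructed example (not the paper's code); see the assumptions in the
module constants and docstrings below."""
import secrets

Q = 509                 # assumed toy prime order of G_1 (paper: a large prime)
P = 1                   # generator of the toy additive group Z_q
W = [1, 2, 3, 4, 5]     # public, pairwise-different w_i
P_MOD, G = 1019, 4      # assumed safe prime p = 2q+1 and order-q generator


def pairing(a, b, q=Q):
    """Toy bilinear map Z_q x Z_q -> Z_q standing in for e: G_1 x G_1 -> G_2."""
    return a * b % q


def lagrange_coeff(i, omega, w=W, q=Q):
    """L_i = prod_{j in omega, j != i} w_j / (w_j - w_i) mod q (interpolation at 0)."""
    num, den = 1, 1
    for j in omega:
        if j != i:
            num, den = num * w[j] % q, den * (w[j] - w[i]) % q
    return num * pow(den, -1, q) % q


def dist(s, n, t, w=W, q=Q):
    """Dist: random f of degree t-1 with a_0 = s; credentials s_i = f(w_i).
    f is evaluated by Horner's rule, t-1 multiplications per credential."""
    coeffs = [s % q] + [secrets.randbelow(q) for _ in range(t - 1)]

    def f(x):
        acc = 0
        for a in reversed(coeffs):
            acc = (acc * x + a) % q
        return acc

    return [f(w[i]) for i in range(n)]


def reconstruct(creds, omega, q=Q):
    """Shamir reconstruction: s = sum_{i in omega} s_i L_i for any |omega| >= t."""
    return sum(creds[i] * lagrange_coeff(i, omega, q=q) for i in omega) % q


def av_net_product(xs, p=P_MOD):
    """AV-net of Section 4.2 without the proofs of knowledge: round 1 broadcasts
    g^{x_i}; each user forms g^{y_i} = prod_{j<i} g^{x_j} / prod_{j>i} g^{x_j}
    from the broadcasts and in round 2 sends g^{x_i y_i}. Because
    sum_i x_i y_i = 0, the product of all round-2 values is g^0 = 1."""
    gx = [pow(G, x, p) for x in xs]
    out = 1
    for i, x in enumerate(xs):
        num, den = 1, 1
        for j, gxj in enumerate(gx):
            if j < i:
                num = num * gxj % p
            elif j > i:
                den = den * gxj % p
        gy = num * pow(den, -1, p) % p
        out = out * pow(gy, x, p) % p
    return out


def comp(creds, omega, r_sigma, u=None, q=Q):
    """Comp for one session: round 1 broadcasts u_i R_sigma; each user then
    derives v_i R_sigma from the broadcasts alone and emits her token.
    Token form (assumption): c_i = s_i L_i R_sigma + u_i (v_i R_sigma)."""
    if u is None:
        u = {i: secrets.randbelow(q - 1) + 1 for i in omega}
    round1 = {i: u[i] * r_sigma % q for i in omega}               # u_i R_sigma
    tokens = {}
    for i in omega:
        v_r = (sum(round1[j] for j in omega if j < i)
               - sum(round1[j] for j in omega if j > i)) % q     # v_i R_sigma
        share_term = creds[i] * lagrange_coeff(i, omega, q=q) % q * r_sigma % q
        tokens[i] = (share_term + u[i] * v_r) % q
    return round1, tokens


def auth(tokens, r_sigma, q_pub, q=Q):
    """Auth: e(sum_i c_i, P) == e(R_sigma, Q), i.e. sum_i c_i == s R_sigma."""
    return pairing(sum(tokens.values()) % q, P, q) == pairing(r_sigma, q_pub, q)


def blinding_intact(tokens, creds, omega, r_sigma, q=Q):
    """Check on the fix: dividing c_i by the public L_i no longer exposes
    s_i R_sigma, because the AV-net term u_i v_i R_sigma stays attached."""
    for i in omega:
        l_inv = pow(lagrange_coeff(i, omega, q=q), -1, q)
        if tokens[i] * l_inv % q == creds[i] * r_sigma % q:
            return False
    return True


if __name__ == "__main__":
    s = 123                                    # constructed GM secret
    creds = dist(s, n=5, t=3)
    _, tokens = comp(creds, [0, 1, 2], r_sigma=77)
    print(auth(tokens, 77, q_pub=s * P % Q))   # True for three legitimate members
```

Changing any single credential before Comp makes Auth fail, because the interpolated sum then differs from s by a nonzero multiple of a Lagrange coefficient; the AV-net terms still cancel, so the failure is attributable only to the bad credential, which is the separation the Auth check relies on.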

Security Analysis
Theorem 1. Our modified group authentication scheme satisfies the correctness property.
Proof. If Ω ⊆ U and |Ω| ≥ t, the Lagrange interpolation implies that s = Σ_{i∈Ω} s_i L_i, where L_i = Π_{j∈Ω, j≠i} w_j/(w_j − w_i) is the Lagrange coefficient. Moreover, because the AV-nets have the property that Σ_{i∈Ω} u_i v_i R_σ = 0, we have Therefore, the equation e(Σ_{i∈Ω} c_i, P) = e(R_σ, Q) will hold, and the authentication will be successful. □
Theorem 2. Our modified group authentication scheme satisfies the secrecy property, assuming that the DL assumption holds in G_1.
Proof. We denote Real (λ, params) as the real run of the protocol and SIM S (λ, params) as the protocol simulated by a PPT simulator S with only public information as inputs.
Real(λ, params):
(i) Init: GM generates and outputs the system parameters params = (G_1, G_2, e, q, P, Q, {R_i}_{i∈Z_l}, {w_i}_{i∈Z_n}).

(ii) Dist: GM computes the credentials s_i = f(w_i) and sends them to the group members through the secure channel. Without loss of generality, we assume that the credentials s_1, s_2, ..., s_{t−1} are learnt by the inside adversary A_I.
(iii) Comp: in the σ-th session, every participating user in Ω selects u_i ←_R Z_q and broadcasts u_i R_σ. Then, each user computes v_i R_σ = Σ_{j∈Ω, j<i} u_j R_σ − Σ_{j∈Ω, j>i} u_j R_σ and broadcasts her token c_i.
SIM_S(λ, params):
(i) Init: the simulator S outputs the system parameters params = (G_1, G_2, e, q, P, Q, {R_i}_{i∈Z_l}, {w_i}_{i∈Z_n}).
We now prove that it is infeasible for the inside adversary A_I to distinguish these two protocols. In the Init algorithm, the same public parameters params are published in both protocols. In the Dist algorithm, the same credentials s_1, s_2, ..., s_{t−1} are learnt by A_I in both protocols. In the Comp algorithm, both sets u_1, u_2, ..., u_{t−1} and u_1', u_2', ..., u_{t−1}' are randomly distributed in Z_q, and all the broadcast values are randomly distributed in G_1. In Auth, the algorithm will be successful in both protocols. Therefore, A_I cannot distinguish between Real(λ, params) and SIM_S(λ, params), because all these algorithms in A_I's view are indistinguishable. In other words, we have View_{A_I}(Real(λ, params)) ≈_c View_{A_I}(SIM_S(λ, params)). Moreover, based on the DL assumption, A_I cannot learn any secret information about s from the public information Q = sP or Σ_{i∈Ω} c_i = sR_σ. Hence, our modified scheme satisfies the secrecy property. □
Theorem 3. Our modified group authentication scheme satisfies the no forgery property, assuming that the CDH assumption holds in G_1.
Proof. We denote X as the event that A_I can predict the value sR_σ from the public parameters params and Y as the event that A_I has learnt some secret information through querying the oracle Ω. We denote F as the event that A_I outputs a successful forgery. Then, we have In the abovementioned expression, ¬X and ¬Y denote the complements of X and Y, respectively.
Firstly, we prove that Pr[X] is negligible. Assume that the inside adversary A_I can predict the value sR_σ from the public parameters params with nonnegligible probability, e.g., A_I derives sR_σ from the equation e(sR_σ, P) = e(R_σ, Q).
Then, we show that there exists another adversary B who can use A_I as a subroutine to break the CDH problem in G_1 with nonnegligible probability. The reduction works as follows: suppose B is given the description of G_1 with prime order q, and P is a generator of G_1. Moreover, B is given two random values Q = sP and R_σ = xP in G_1, and B's task is to compute sR_σ = sxP. In the Init algorithm, B simulates the public parameters params by selecting another cyclic group G_2 with order q, a bilinear map e: G_1 × G_1 → G_2, as well as l − 1 random values {R_i}_{i∈{1,2,...,l}}, and then sends params to A_I. In the Dist algorithm, B selects t − 1 random values s_1, s_2, ..., s_{t−1} in Z_q and sends them to A_I. In the Comp algorithm, B selects t − 1 random values u_1, u_2, ..., u_{t−1} in Z_q and sends them to A_I. B also broadcasts the required number of random values in G_1. Note that the abovementioned steps generate a simulated environment for A_I that is indistinguishable from a real run of our modified scheme Π. If A_I outputs her prediction of sR_σ, B uses it to solve the CDH problem. Because it is assumed that the CDH assumption holds in G_1, our hypothesis that A_I can predict the value sR_σ from params with nonnegligible probability must be false. Hence, we have Pr[X] < ε_1(λ) for some negligible function ε_1(·).
Secondly, Theorem 2 implies that the real run of our modified scheme Π does not leak any secret information to A_I, based on the DL assumption in G_1. Also, the hybrid argument [16] further implies that A_I does not learn any secret information even if she has queried the oracle Ω a polynomial number of times. Hence, we have Pr[Y] < ε_2(λ) for some negligible function ε_2(·).
Finally, we analyze the probability Pr[F | ¬X ∧ ¬Y]. In this case, A_I needs to guess the value sR_σ. Because s is randomly distributed in Z_q and A_I only controls at most t − 1 group members, the probability of guessing sR_σ correctly in each trial is exactly 1/q. Recall that A_I can try a polynomial number of times, so we have Pr[F | ¬X ∧ ¬Y] = Q/q, where Q denotes the number of trials A_I has made.
Putting the abovementioned analyses together, assuming that the CDH assumption holds in G_1, we have Pr[F] < ε(λ) + Q/q for some negligible function ε(·). Therefore, our modified scheme satisfies the no forgery property.
Putting the abovementioned analysis together, we conclude that Pr[F] < ε(λ) + Q/q, which is negligible. Therefore, our modified scheme satisfies the no impersonation property, assuming that the CDH assumption holds in G_1. □
5.3. Efficiency Analysis.
We now give a brief efficiency analysis of our modified scheme. In the Init algorithm, GM selects the system parameters, including two finite cyclic groups G_1 and G_2, a bilinear map e between these two groups, and some random values in G_1. The computation of Q = sP takes 1 multiplication in G_1. In the Dist algorithm, GM selects a random polynomial f(x) over Z_q with degree t − 1 and evaluates this polynomial at n different points. When using Horner's rule, each evaluation of f(x) takes t − 1 multiplications and t additions in Z_q, and each credential is a value in Z_q. In the Comp algorithm, each user broadcasts 2 values in G_1 in two separate rounds. The total computation for each user requires at most n + 2 multiplications and n additions in G_1. Note that, in this step, the Lagrange coefficients can be precomputed beforehand. In the Auth algorithm, each user performs at most n additions in G_1 and 2 bilinear maps.
An efficiency comparison between our proposed scheme and Chien's scheme [4] is given in Table 1. Denote the symbols +G_1, ×G_1, +Z_q, ×Z_q, and → as the computations of addition in G_1, multiplication in G_1, addition in Z_q, multiplication in Z_q, and the bilinear pairing G_1 × G_1 → G_2, respectively. Also, we ignore the other calculations, e.g., selecting a random element from a group, since their costs are negligible compared with the abovementioned computations.

Conclusions
In this paper, we have pointed out a security flaw in an existing group authentication scheme by Chien [4]. If this scheme is used in the asynchronous communication model, the adversary can pretend to be a legitimate group member without being detected. The major reason for this attack is that the adversary is able to remove the Lagrange coefficients from the revealed tokens. We have employed the AV-net to solve this problem, and we have rigorously proved that our improvement satisfies the desirable security properties in a well-defined security model. Therefore, our proposed protocol can be safely used as a drop-in replacement for Chien's scheme in asynchronous networks.

Data Availability
The authors confirm that no data were used to support this study.

Conflicts of Interest
The authors declare that there are no conflicts of interest regarding the publication of this paper.