Embed Size (px)
Citation preview
Research ArticleGroup Authentication with Multiple Trials andMultiple Authentications
Hung-Yu Chien
Department of Information Management National Chi Nan University 470 University Road Puli Taiwan
Correspondence should be addressed to Hung-Yu Chien hychienncnuedutw
Received 20 January 2017 Revised 22 April 2017 Accepted 27 April 2017 Published 28 May 2017
Academic Editor Angel Martın Del Rey
Copyright copy 2017 Hung-Yu Chien This is an open access article distributed under the Creative Commons Attribution Licensewhich permits unrestricted use distribution and reproduction in any medium provided the original work is properly cited
Group authentication aims at facilitating efficient authentication of a group of provers by a group of verifiers A new groupauthentication scheme is proposed to improve the security of existent asynchronous group authentication schemes and to achievebetter computational performance The new scheme allows any groups of legitimate members to execute multiple authenticationtrials even under the participation of active attackers
1 Introduction
Authentication is a must for securing computer and net-work applications Conventional authentications either userauthentication or device authentication all focus on the one-to-one scenario where one verifier aims at verifying thelegitimacy of one prover at one time As more and moreInternet-of-Things (IoTs) [1 2] applications and many socialnetworking applications require the authentication of a groupof participants efficiently these many-to-many authentica-tion scenarios call for new kinds of group authentications inwhich many verifiers would like to verify the legitimacy ofmany provers at one time to save cost and increase efficiency
Based on Shamirrsquos (119905 119899) secret sharing [3] Harn [4]proposed three (119905 119898 119899) group authentication schemes wheret represents the minimum threshold of participants 119898denotes the number of participants in one trial and 119899 denotesthe total number of members of the group As long as thenumber 119898 ge 119905 and all these 119898 participants are legitimatethe group authentication succeeds otherwise it fails Thesegroup authentication schemes can efficiently authenticate agroup of legitimate entities or act as a preprocess to detectthe existence of any illegitimate participants One of Harnrsquosgroup authentication schemes is synchronous (119905 119898 119899) groupauthentication inwhich all participants are required to releasetheir secret tokens simultaneously otherwise an illegitimateparticipant might forge valid tokens using the releasedtokens of othersThe other two schemes are the asynchronous
(119905 119898 119899) group authentication and the asynchronous (119905 119898 119899)group authentication with multiple authentications werespectively call them Harnrsquos asynchronous GAS1 and HarnrsquosasynchronousGAS2 in the rest of this paperThe two schemesall allow the participants release their tokens asynchronouslyHarnrsquos asynchronous GAS2 further provides the group toexecute multiple authentications (to recover multiple systemsecrets) using the same set of predistributed tokens
This paper would focus on the asynchronous schemesbecause the synchronous case is impractical We find thatHarnrsquos two asynchronous schemes could not support legiti-mate entities execute multiple trials even if the specific secretis not yet recovered This weakness has two implications ifthe groups of entities try several times to recover a specificsecret (for group authentications) then an attacker mightderive entitiesrsquo tokens and further derive the system secretif the system only allows at most one trial for any specificsecret (corresponds to a specific group authentication) thenan attacker can easily paralyze the system by simply releasinginvalid tokens In Harnrsquos publication [4] it only emphasizesthat once a secret is recovered then the corresponding groupauthentication is no longer valid however the security ofthe cases that the members try several times for the not-yet-recovered secret has been neglected
This paper will show the weaknesses of Harnrsquos asyn-chronous schemes and propose a new scheme to conquerthe weaknesses and improve the efficiency This rest ofthis paper is organized as follows Section 2 reviews Harnrsquos
HindawiSecurity and Communication NetworksVolume 2017 Article ID 3109624 7 pageshttpsdoiorg10115520173109624
2 Security and Communication Networks
asynchronous schemes Section 3 shows the weaknessesSection 4 proposes our new scheme and Section 5 analyzesits securities and evaluates its performance Section 6 statesour conclusions
2 Review of Harnrsquos Asynchronous GroupAuthentication Schemes (GAS)
The schemes consist of two phases the initialization phaseand the group authentication phase The group manager(GM) initializes the system parameters and assigns eachregistered entity some secret tokens in the initializationphase Then any groups of 119898 legitimate entities with 119898 ge 119905can execute the group authentication to verify the legitimacyof the participating entities
21 (119905 119898 119899) Asynchronous GAS-Harnrsquos Asynchronous GAS1Initially the group manager (GM) selects 119896 (where 119896119905 gt119899 minus 1) random polynomials with degree 119905 minus 1 119891119897(119909) = 1198861198970 +1198861198971119909 + sdot sdot sdot + 119886119897119905minus1119909119905minus1mod119901 119897 = 1 119896 where 119901 is a primeand 119886119897119894isin119877119885119901 He also generates and assigns secret tokens119891119897(119909119894) 119897 = 1 119896 to each entity 119880119894 isin 119880 = 1198801 119880119899where 119909119894 is 119880119894rsquos public identity For any secret 119904 the GMfinds integers 119889119895 119908119895 119895 = 1 sim 119896 in GF(119901) such that 119904 =sum119895=1sim119896 119889119895119891119895(119908119895)mod119901 where 119908119894 = 119908119895 for every pair of 119894 and119895 The GM publishes these parameters 119889119895 119908119895 119895 = 1 sim 119896 andℎ(119904) where ℎ() is a secure cryptographic hash function
When 119898 (119898 ge 119905) entities = 1198751 119875119898 would liketo authenticate each other each 119875119894 computes and releases119888119894 = sum119896119895=1 119889119895119891119895(119909119894)prod119898119903=1119903 =119894((119908119895 minus 119909119903)(119909119894 minus 119909119903))mod119901 Aftergathering all the released values the participants compute1199041015840 = sum119898119894=1 119888119894mod119901 and verify whether the equation ℎ(119904) =ℎ(1199041015840) holds If the verification succeeds then the groupauthentication succeeds otherwise it fails This scheme onlyallows one valid group authentication
22 (119905 119898 119899) Asynchronous GAS with Multiple Authentica-tions-Harnrsquos Asynchronous GAS2 The (119905 119898 119899) asynchronousGAS with multiple authentications allows the tokens to bereused for multiple authentications (for multiple secrets)
Initially the GM selects two large primes 119901 and 119902 suchthat 119902 divides 119901 minus 1 GF(q) is a subgroup of GF(119901) and every119892119894 is a generator for the subgroup GF(119902) The GM selects tworandom polynomials 119891119897(119909) 119897 = 1 2 having degree 119905 minus 1each with coefficients in GF(p) The GM generates tokens119891119897(119909) 119897 = 1 2 for each registered member 119880119894 The GMselects multiple secrets 119904119894s For each secret 119904119894 the GM selects119908119894119895 119889119894119895 119895 = 1 2 in GF(q) where 1199081198941 = 1199081198942 The secret119904119894 is determined as 119904119894 = 119892119894sum
2119895=1 119889119894119895119891(119908119894119895)mod 119902mod119901 The GM
publishes these numbers 119908119894119895 119889119894119895 119895 = 1 2 and (119892119894 ℎ(119904119894))When 119898 (119898 ge 119905) entities = 1198751 119875119898 would
like to perform the group authentication corresponding tothe reconstruction of the secret 119904119894 each participant 119875V isin computes 119888V = sum2119895=1 119889119895119891119895(119909V)prod119898119903=1119903 =V((119908119895 minus 119909119903)(119909V minus119909119903))mod 119902 and 119890V = 119892119894119888Vmod119901 Each 119875V releases 119890V Aftercollecting all 119890Vs V = 1 119898 the participating entities
compute 1199041015840119894 = prod119898V=1119890V and check whether ℎ(1199041015840119894 )= ℎ(119904119894) holds
If it holds then the group authentication succeeds otherwiseit fails
3 The Weaknesses of HarnrsquosAsynchronous Schemes
We find that both Harnrsquos asynchronous GAS1 and Harnrsquosasynchronous GAS2 share one critical weakness Theschemes perform group authentication by recovering andverifying the sealed secret If the schemes allow users tolaunch several trials before the secret is recovered thenan attacker would recover both the system secrets andthe usersrsquo secret tokens by joining the process severaltimes On the other hand if each secret only allows onetrial of authentication no matter whether the specificsecret is recovered or not then the system is vulnerable toDenial of Service (DOS) attacks by simply releasing a falsevalue to spoil the authentication instance and the groupauthentication function of the system After releasing a fakedata any groups of valid members can no longer performany group authentications
The key idea of our attack on Harnrsquos asynchronous GAS1is introduced in the following phases
Phase 1 Even though the secret tokens 119891119895(119909119894)s are well pro-tected in the released value 119888119894 = sum119896119895=1 119889119895119891119895(119909119894)prod119898119903=1119903 =119894((119908119895 minus119909119903)(119909119894minus119909119903))mod119901 one could solve these unknown variables119891119895(119909119894)s as long as he gets k distinct 119888119894 where each 119888119894corresponds to the value released by a specific user 119880119894 inan authentication instance and there is at least one mem-ber different in any pair of groups in these authenticationinstances in such cases the attacker will have k independentequations with k unknown variables 119891119895(119909119894)s and he can solvethe equations Let 119865119894 equiv 119891119895(119909119894) | 1 le 119894 le 119896 =1198911(119909119894) 119891119896(119909119894) denote the set of secret tokens owned bythe user 119880119894 after the above attack the attacker can acquire119865119894 Now the attacker continues the next phase to acquire thesecret polynomials
Phase 2 The attacker repeatedly involves the authenticationinstances and acquires the secret tokens until he gets thesecret tokens of more than t users Denote these secret tokenset as 119865 equiv 1198651 119865119894 119865119905 = 1198911(1199091) 119891119896(1199091) 1198911(119909119894) 119891119896(119909119894) 1198911(119909119905) 119891119896(119909119905) At this point heorganizes these secret tokens as 1198651 = 1198911(1199091) 1198911(1199092) 1198911(119909119905) 1198652 = 1198912(1199091) 1198912(1199092) 1198912(119909119905) 119865119896 = 119891119896(1199091)119891119896(1199092) 119891119896(119909119905) Based on 119865119894 1 le 119894 le 119896 the attackerapplies the Lagrange polynomial equation to reconstruct thepolynomials119891119894(119909) 1 le 119894 le 119896The attacker then continues thenext phase to derive the system secrets and the secret tokensof other remaining members
Phase 3 Using the polynomials 119891119894(119909) 1 le 119894 le 119896 the attackercompute 119904 = sum119895=1sim119896 119889119895119891119895(119908119895)mod119901 for the system secretFor any user 119880119903 isin 119880 = 1198801 119880119899 and the secret tokensof 119880119903 that have not yet been disclosed the attacker computes1198911(119909119903) 119891119896(119909119903) At this point the attacker has derived all
Security and Communication Networks 3
the system secrets and all the secret tokens of all users Theminimumnumber of runs that the attacker should participatein is 119896
The above attack can be easily extended to plot on Harnrsquosasynchronous GAS2 Attackers can acquire the secret values(1198921198941198911(119909V) 1198921198941198912(119909V)) | forall valid 119894 and 1 le V le 119899 corresponding tothe secret tokens 1198911(119909V) 1198912(119909V) | 1 le V le 119899 and the systemsecrets 119904119894 = 119892119894sum
2119895=1 119889119894119895119891(119908119894119895)mod 119902mod119901
Example 1 Now we take one example to demonstrate theattack process
System Initialization Let 119901 = 11 119905 = 3 119899 = 6 119896 = 2 (1198891 =1 1199081 = 6) and (1198892 = 2 1199081 = 7) be the system parameters1198911(119909) = 1 + 2119909 + 21199092mod 11 and 1198912(119909) = 2 + 2119909 + 11199092mod 11are the two secret polynomials and the system secret is 119904 =1 sdot 1198911(6) + 2 sdot 1198912(7)mod 11 = 8 + 20mod 11 = 6 The groupof users 119880 is 119880119894 with identity 119909119894 = 119894 1 le 119894 le 6 1198801 gets thesecret tokens (1198911(1) = 5 1198912(1) = 5) 1198802 gets the secret tokens(1198911(2) = 2 1198912(2) = 10) 1198803 gets the secret tokens (1198911(3) =3 1198912(3) = 6) 1198804 gets the secret tokens (1198911(4) = 8 1198912(4) = 4)1198805 gets the secret tokens (1198911(5) = 6 1198912(5) = 4) and 1198806 getsthe secret tokens (1198911(6) = 8 1198912(6) = 6)
Now we show the attack
Attack Phase 1 Assume that the attackerA participates in tworuns of authentications with 1198801 1198802 1198803 and respectivelyimpersonates 1198804 1198805 in these runs
In run 1 A will get
119888119894 =2
sum119895=1
119889119895119891119895 (119909119894)4
prod119903=1119903 =119894
119908119895 minus 119909119903119909119894 minus 119909119903
mod119901 | 1 le 119894 le 3 (1)
We list the calculations as follows
1198881 =2
sum119895=1
119889119895119891119895 (1)4
prod119903=1119903 =1
119908119895 minus 1199031 minus 119903
= 1 sdot 1198911 (1)(6 minus 2) (6 minus 3) (6 minus 4)(1 minus 2) (1 minus 3) (1 minus 4) + 2
sdot 1198912 (1)(7 minus 2) (7 minus 3) (7 minus 4)(1 minus 2) (1 minus 3) (1 minus 4)
= 1 sdot 5 sdot 4 sdot 3 sdot 2minus1 sdot minus2 sdot minus3 + 2 sdot 5 sdot
5 sdot 4 sdot 3minus1 sdot minus2 sdot minus3
= 1 sdot 5 sdot 7 + 2 sdot 5 sdot 1 = 1
1198882 =2
sum119895=1
119889119895119891119895 (2)4
prod119903=1119903 =2
119908119895 minus 1199032 minus 119903
= 1 sdot 1198911 (2)(6 minus 1) (6 minus 3) (6 minus 4)(2 minus 1) (2 minus 3) (2 minus 4) + 2
sdot 1198912 (2)(7 minus 1) (7 minus 3) (7 minus 4)(2 minus 1) (2 minus 3) (2 minus 4)
= 1 sdot 2 sdot 5 sdot 3 sdot 21 sdot minus1 sdot minus2 + 2 sdot 10 sdot
6 sdot 4 sdot 31 sdot minus1 sdot minus2
= 1 sdot 2 sdot 4 + 2 sdot 10 sdot 3 = 2
1198883 =2
sum119895=1
119889119895119891119895 (3)4
prod119903=1119903 =3
119908119895 minus 1199033 minus 119903
= 1 sdot 1198911 (3)(6 minus 1) (6 minus 2) (6 minus 4)(3 minus 1) (3 minus 2) (3 minus 4) + 2
sdot 1198912 (3)(7 minus 1) (7 minus 2) (7 minus 4)(3 minus 1) (3 minus 2) (3 minus 4)
= 1 sdot 3 sdot 5 sdot 4 sdot 22 sdot 1 sdot minus1 + 2 sdot 6 sdot6 sdot 5 sdot 32 sdot 1 sdot minus1
= 1 sdot 3 sdot 2 + 2 sdot 6 sdot 10 = 5(2)
In run 2 A will get
119888119894 =2
sum119895=1
119889119895119891119895 (119909119894) prod119903isin1235119903 =119894
119908119895 minus 119909119903119909119894 minus 119909119903
mod119901 | 1 le 119894
le 3
(3)
as follows
1198881 =2
sum119895=1
119889119895119891119895 (1) prod119903=235
119908119895 minus 1199031 minus 119903
= 1 sdot 1198911 (1)(6 minus 2) (6 minus 3) (6 minus 5)(1 minus 2) (1 minus 3) (1 minus 5) + 2
sdot 1198912 (1)(7 minus 2) (7 minus 3) (7 minus 5)(1 minus 2) (1 minus 3) (1 minus 5)
= 1 sdot 5 sdot 4 sdot 3 sdot 1minus1 sdot minus2 sdot minus4 + 2 sdot 5 sdot
5 sdot 4 sdot 2minus1 sdot minus2 sdot minus4
= 1 sdot 5 sdot 4 + 2 sdot 5 sdot 6 = 3
1198882 =2
sum119895=1
119889119895119891119895 (2) prod119903=135
119908119895 minus 1199032 minus 119903
= 1 sdot 1198911 (2)(6 minus 1) (6 minus 3) (6 minus 5)(2 minus 1) (2 minus 3) (2 minus 5) + 2
sdot 1198912 (2)(7 minus 1) (7 minus 3) (7 minus 5)(2 minus 1) (2 minus 3) (2 minus 5)
= 1 sdot 2 sdot 5 sdot 3 sdot 11 sdot minus1 sdot minus3 + 2 sdot 10 sdot
6 sdot 4 sdot 21 sdot minus1 sdot minus3
= 1 sdot 2 sdot 5 + 2 sdot 10 sdot 5 = 0
1198883 =2
sum119895=1
119889119895119891119895 (3) prod119903=125
119908119895 minus 1199033 minus 119903
4 Security and Communication Networks
= 1 sdot 1198911 (3)(6 minus 1) (6 minus 2) (6 minus 5)(3 minus 1) (3 minus 2) (3 minus 5) + 2
sdot 1198912 (3)(7 minus 1) (7 minus 2) (7 minus 5)(3 minus 1) (3 minus 2) (3 minus 5)
= 1 sdot 3 sdot 5 sdot 4 sdot 12 sdot 1 sdot minus2 + 2 sdot 6 sdot6 sdot 5 sdot 22 sdot 1 sdot minus2 = 3
(4)
So now A has the following independent equations in(5a) (5b) and (5c) He then solves the equations and gets1198911(1) = 5 1198912(1) = 5 1198911(2) = 2 1198912(2) = 10 1198911(3) =3 1198912(3) = 6
71198911 (1) + 21198912 (1) = 1mod 11
41198911 (1) + 1198912 (1) = 3mod 11(5a)
41198911 (2) + 61198912 (2) = 2mod 11
51198911 (2) + 101198912 (2) = 0mod 11(5b)
21198911 (3) + 91198912 (3) = 5mod 11
61198911 (3) + 31198912 (3) = 3mod 11(5c)
A applies the Lagrange polynomial formula on (1198911(1) =5 1198911(2) = 2 1198911(3) = 3) and derives the polynomial 1198911(119909) =1 + 2119909 + 21199092mod 11 applies the formula on (1198912(1) =5 1198912(2) = 10 1198912(3) = 6) and derives 1198912(119909) = 2 +2119909 + 11199092mod 11 Finally he computes 119904 = 1 sdot 1198911(6) + 2 sdot1198912(7)mod 11 = 8 + 20mod 11 = 6 He can further computesthe secret tokens of other remaining members (1198911(119894) 1198912(119894)) |4 le 119894 le 6
4 An Improved Scheme That Enables MultipleTrials and Multiple Authentications
Now we will propose an improved scheme that not onlyconquers the weaknesses of Harnrsquos (119905 119898 119899) asynchronousschemes but also improves the system performance The GMin our scheme only publishes simple public data and themembers can execute group authentication with multipleauthentications and multiple trials
41 Preliminaries We shall propose our scheme based onelliptic curve cryptography and bilinear pairing We nowbriefly review them as follows
Elliptic curves over119866119865(119901) [6] a nonsupersingular ellipticcurve 119864(119865119901) is the set of points 119875 = (119909 119910) for 119909 119910 isin 119885119875satisfying the equation 1199102 equiv 1199093 +119886119909+119887(mod119901) where 119886 119887 isin119885119901 are constants such that 41198863 + 271198872 = 0mod119901 togetherwith the point O called the point at infinity Two points 119875 =(1199091 1199101) and 119876 = (1199092 1199102) on the elliptic curve E can be addedtogether using the following rule if 1199092 = 1199091 and 1199102 = minus1199101then 119875 + 119876 = 119874 otherwise 119875 + 119876 = (1199093 1199103) where 1199093 =1205822 minus 1199091 minus 1199092mod119901 1199103 = 120582(1199091 minus 1199093) minus 1199101mod119901 and 120582 =(1199102 minus1199101)(1199092 minus1199091) if 119875 = 119876 or 120582 = (311990912 +119886)(21199101) if 119875 = 119876
Definition 2 (nondegenerate bilinear computable map [7])Let 1198661 1198662 and 1198663 be cyclic groups of prime order 119902 where1198661 and 1198662 are additive groups on elliptic curves and 1198663 ismultiplicative Let 119890 1198661 times 1198662 rarr 1198663 be a map with thefollowing properties
(1) Nondegenerate there exists 119883119884 isin 1198661 1198662 such that119890(119883 119884) = 1
(2) Bilinear 119890(1198831 + 1198832 119884) = 119890(1198831 119884) sdot 119890(1198832 119884) and119890(119883 1198841 + 1198842) = 119890(119883 1198841) sdot 119890(119883 1198842)
(3) Computability there exist efficient algorithms tocompute 119890(119875 119876) for all 119875119876 isin 1198661 1198662
Definition 3 The elliptic curve discrete logarithm problem(ECDLP) [6] is as follows given an elliptic curve over a finitefield 119865119901 and two points 119875119876 isin 119864(119865119901) find a number 119896 suchthat 119876 = 119896119875
Definition 4 (the Bilinear Pairing Inversion (BPI) problem[7]) Given 119890(119875 119876) isin 1198663 and 119876 isin 1198662 find 119875
Definition 5 The computational elliptic curve Diffie-Hellman problem (ECDHP) [6] is as follows given an ellipticcurve over a finite field 119865119901 a point 119875 isin 119864(119865119901) of order 119902 andpoints 119860 = 119886119875 119861 = 119887119875 isin ⟨119875⟩ find the point 119862 = 119886119887119875
It is believed that the ECDHP the ECDLP and the BPI arehard problems for proper parameter setting
42 The Proposed Scheme
421 The System Model Here we describe the model forone group and it is easy to extend this model for severalgroups In the system there are two kinds of participantsthe GM and a group of registered members The GM isresponsible for setting upupdating the system parametersAfter initialization the participants in each session wouldlike to verify whether all the participants belong to the samegroup this verification is achieved by the validation of theaggregated released-sharesTheGM is trusted and registeredmembers might be compromised and disclose their secretsUnless being compromised a registered member alwaysbehaves honestly
The GM publishes a predetermined parameter 119905 Thescheme can verify whether all participants of one sessionwith119898 participants (119898 ge 119905) belong to the same groupThe schemeis secure if it can withstand the collusion of up to 119905minus1 insiders(registered members)
422 The Scheme Facilitating Multiple Trials and MultipleAuthentications without Serverrsquos Active Participation LikeHarnrsquos asynchronous (119905 119898 119899) schemes our scheme alsofollows the same (119905 119898 119899) notation the asynchronous com-munication and multiple authentications Additionally ourscheme allows multiple trials The GM only needs to publishsome simple data no matter how many authentications andtrails these members would like to perform The schemeconsists of two phases the initialization phase and the groupauthentication phase
Security and Communication Networks 5
Initialization The GM sets up three cyclic groups 1198661 1198662and 1198663 with order q where 1198661 and 1198662 are additive groupson elliptic curves and 1198663 is multiplicative P is a generatorfor 1198662 It chooses a secret random polynomial with degree119905 minus 1 119891(119909) = 1198860 + 1198861119909 + sdot sdot sdot + 119886119905minus1119909119905minus1mod 119902 with 1198860 = 119904and a master secret 119904 It computes 119876 = 119904119875 and publishes 119876as the system-wise public key For each registered member119880119894 isin 119880 = 1198801 119880119899 with identity 119909119894 it assigns 119891(119909119894) as 119880119894rsquossecret token
Group Authentication When 119898 (119898 ge 119905) entities =1198751 119875119898 would like to authenticate each other in theVth authentication instance the group of users agree on arandom point 119877V (we discuss two options of implementingthe generation of random points 119877Vs in Section 43) Each119875119894 isin computes 119888119894 = 119891(119909119894)prod119898119903=1119903 =119894(minus119909119903(119909119894 minus 119909119903)) and119888119894119877V and releases 119888119894119877V After all users release their valuesthey compute sum119898119894=1 119888119894119877V and verify whether the equation119890(sum119898119894=1 119888119894119877V 119875)
= 119890(119877V 119876) holds If it holds they satisfy thegroup authentication otherwise they fail
43 Implementation Options of Choosing 119877V The generationand selection of the random points 119877V play a crucial factoraffecting the security Here we discuss two possible optionsThe two options mainly tackle the possible threat that anadversary might manipulate the selection of 119877V
The first one is that the GM periodically updates a listof authenticated random points and the entities choose onefrom the list of unused ones The entities refuse to apply anypoints that they have used
The second approach is applying a one-way hash functionthat maps any strings to a random pointmdash1198671 0 1lowast rarr 1198661Boneh and Franklinrsquos MaptoPoint function is one of suchfunctions [7] In this approach each participant in the groupcalculates 119877V = 1198671(date time 1199091 1199092 sdot sdot sdot 119909119898)where date and time are the current timestamp and 119909119894s arethe participantsrsquo identities
44 Comparison of Our Improvements with One Possi-ble Extension of Harnrsquos GAS2 In addition to our pro-posed scheme one another possible improvement is byextending Harnrsquos GAS2 The system might require thateach participant never tries to recover one specific secrettwice that is whenever an authentication fails he shouldonly try another authentication corresponding to othersecrets This arrangement could prevent the attacks inSection 3
However wewould like to discuss the differences betweenthe above extension with our scheme The extension eventhough it could reduce the treats of our attacks is stillnot absolutely immune to DOS attacks The GM has topreselect lots of possible secrets and publishes these numbers119908119894119895 119889119894119895 119895 = 1 2 and (119892119894 ℎ(119904119894)) If the list is not largeenough then the successive releasing of false shares couldquickly deplete the list If the GM tries to prepare a very longlist it causes it lots of overhead
On the contrary our implementation Option 2 is muchmore simple efficient and withstand heavy DOS attacks
5 Security Analysis andPerformance Evaluation
51 The Security
Lemma 6 Given a random point 119877V and a group of members = 1198801 119880119898 with 119898 ge 119905 the only condition that thegroup P can reconstruct the value 119904119877V in the proposed schemeis that all the participating members are valid and the schemecan resist up to 119905 minus 1 colluded insiders
Proof Since the secret tokens are generated using a secret 119905 minus1-degree polynomial the scheme can resist the collusion ofup to 119905minus1 insiders Also any single invalid contribution fromany invalid participants would ruin the computation of 119904119877V
Lemma 7 Given a valid released value 119888119894119877V where 119888119894 =119891(119909119894)prod119898119903=1119903 =119894(minus119909119903(119909119894minus119909119903)) one cannot derive the value 119888119894 andthe corresponding 119891(119909119894) as long as the ECDLP is hard
Lemma 8 Given a valid released 119888119894119877V and another point one cannot derive the value 119888119894 as long as the ECDHP is hard
Lemma 9 Given the values 119890(119877V 119876) and119876 one cannot derivethe valuesum119898119894=1 119888119894119877V which satisfies 119890(sum119898119894=1 119888119894119877V 119875)
= 119890(119877V 119876) aslong as the BPI is hard
Based on the above lemmas we have the followingtheorem
Theorem 10 The proposed scheme satisfies the securityrequirements of the asynchronous (119905 119898 119899) group authentica-tion
52 The Performance We first compare the computationalcomplexities of the three schemes ours Harnrsquos GAS1 andHarnrsquos GAS2
Let119879ℎ denote the time complexity for one hash operation119879EM denote that of one elliptic curve pointmultiplication119879EAdenote that for one elliptic curve point addition119879mul119902 denotethat for one multiplication in field 119902 (where 119902 correspondsto the order of 1198661 1198662 1198663 in our scheme) 119879inv119902 denote thatfor one inverse operation in field 119902 119879mul119901 denote that forone multiplication in field 119901 (where 119901 corresponds to themodular field in Harnrsquos schemes) 119879inv119901 denote that for onemultiplication in field 119901 119879exp119901119879exp119902 respectively denotethat for one exponentiation in field 119901119902 and 119879pair denote thatfor one pairing
Each user 119880119894 in our scheme needs to compute oneLagrange component 119888119894 = 119891(119909119894)prod119898119903=1119903 =119894(minus119909119903(119909119894 minus 119909119903))one 119888119894119877 119898 minus 1 point additions in 1198661 and the verification119890(sum119898119894=1 119888119894119877 119875)
= 119890(119877 119876) The verification costs two pairingoperations (2119879pair1198661) The addition in 1198661 costs 119898119879EA Thecomputation of 119888119894119877 costs 119879EM and the computation of 119888119894 costs(2(119898 minus 1) + 2)119879mul119902+ 119879inv119902 So totally it takes (2(119898 minus 1) +2)119879mul119902 + 119879inv119902 + 119879EM + 119898119879EA + 2119879pair
Each participant in Harnrsquos GAS1 takes 119896[(2(119898 minus 2) +3)119879mul119901 + 119879inv119901] for computing 119888119894 takes (119898 minus 1)119879add119901 for
6 Security and Communication Networks
Table 1 Summaries of performance of group authentication schemes
Ours Harnrsquos GAS1 Harnrsquos GAS2Securities under multiple trials foreach secret
Allow multiple authenticationswith multiple trials
Attackers can disclose systemrsquossecrets and usersrsquo secret tokens
Attackers can disclose systemrsquossecrets and usersrsquo secret tokens
Each userrsquos computational cost forone group authentication(detailed)
(2(119898 minus 1) + 2)119879mul119902 + 119879inv119902 +119879EM + 119898119879EA + 2119879pair
119896[(2(119898 minus 2) + 3)119879mul119901 + 119879inv119901] +(119898 minus 1)119879add119901 + 1119879ℎ
2[(2(119898 minus 2) + 3)119879mul119902 + 119879inv119902] +119879exp119901 + (119898 minus 1)119879mul119901 + 1119879ℎ
Approximated complexities(based on the figures from [5])
(7119898 + 1429)119879mul119902 + 2119879pair cong(7119898 + 6785)119879mul119902
41119896(2119898 + 239)119879mul119902 + (119898 minus1)119879add119901 + 1119879ℎ cong
41119896(2119898+239)119879mul119902 +(119898minus1)119879add119901(45119898 + 1418)119879mul119902
3 10 50 100 150 200 250 300 350
Comparison of approximated cost
OursHarnrsquos GAS2
02000400060008000
100001200014000160001800020000
Figure 1The comparison of computational cost versus the numberof participants The unit of the cost is 119879mul119902
computing 1199041015840 and takes 1119879ℎ for verifying ℎ(119904)= ℎ(1199041015840) Each
participant totally takes 119896[(2(119898minus2)+3)119879mul119901 +119879inv119901] + (119898minus1)119879add119901 + 1119879ℎ
Each participant in Harnrsquos GAS2 takes [(2(119898 minus 2) +3)119879mul119902 + 119879inv119902] for computing 119888V takes 119879exp119901 for computing119890V takes (119898 minus 1)119879mul119901 for computing 1199041015840119894 and takes 1119879ℎ forverifying ℎ(119904119894)
= ℎ(1199041015840119894 ) Each participant totally takes [(2(119898 minus2) + 3)119879mul119902 + 119879inv119902] + 119879exp119901 + (119898 minus 1)119879mul119901 + 1119879ℎ
Table 1 summarizes the performance Row 2 lists thesecurity properties Only our scheme can resist an attackerfrom deriving the secrets when the schemes allow multipletrials Row 3 lists the detailed computational complexityBased on Row 3 it is still difficult to get an insight of thecomplexities since they involve quite different operationsWetherefore further evaluate the computational cost under thepractical setting from NSA [8] and the algebra equations ofelliptic curve operations [6] The security of ECC with 160-bit key is roughly equivalent to that of RSA with 1024-bit keyor D-H algorithm with 1024-bit key So let us assume thatthe q (the order of 1198661 and 1198662) in our scheme is 160 bitsand p in Harnrsquos schemes is 1024 bits Under the above settingand approximations 119879mul119901 (the time complexity of a fieldmultiplication in 119885119901 where p is 1024 bits) is 41 times 119879mul119902(the time complexity of field multiplication in 119885119902 where qis 160 bits) 119879EM cong 29119879mul119901 119879EA cong 012119879mul119901 119879exp119901 cong240119879mul119901 cong 8119879EM and 119879EM cong 241119879EA where cong meansldquoroughly equalrdquo
Using the above setting and approximations and neglect-ing the minor computations like hashing and field addition
the complexities in Row 3 can be further simplified as followsThe complexity of our scheme is as follows (2(119898 minus 1) +2)119879mul119902 + 119879inv119902 + 119879EM + 119898119879EA + 2119879pair cong (2(119898 minus 1) +2)119879mul119902+119879inv119902+29119879mul119901+012119898119879mul119901 + 2119879pair cong 2119898119879mul119902+240119879mul119902 + 29 lowast 41119879mul119902 + 012119898 lowast 41119879mul119901 + 2119879pair cong(7119898 + 1429)119879mul119902 + 2119879pair The complexity of Harnrsquos GAS1is as follows 119896[(2(119898 minus 2) + 3)119879mul119901 +119879inv119901] + (119898 minus 1)119879add119901 +1119879ℎ cong 41119896(2119898 + 239)119879mul119902 + (119898 minus 1)119879add119901 The complexityof Harnrsquos GAS2 is as follows 2[(2(119898 minus 2) + 3)119879mul119902 + 119879inv119902]+ 119879exp119901 + (119898 minus 1)119879mul119901 + 1119879ℎ cong 2[(2(119898 minus 2) + 239)119879mul119902] +240 lowast 41119879mul119902 + 41(119898 minus 1)119879mul119902 + 1119879ℎ cong (45119898 + 1418)119879mul119902
To further simplify the complexity approximation werefer to an efficient paring implementation [5] Based onthe figures there [5] we roughly approximate one pairingoperation as 5356119879mul119902 We approximate (7119898+1429)119879mul119902 +2119879pair cong (7119898 + 6785)119879mul119902 in Row 4 From Row 4 wecan tell that Harnrsquos schemes have lower computational costthan ours when the number of participants is small butthe costs of Harnrsquos schemes grow faster than ours when thenumber of participants increases All the costs of the threeschemes increase as the number of participants increasesbut the cost of Harnrsquos GAS1 also depends on the valuek Because the parameter k in Harnrsquos GAS1 should satisfy119896119905 gt 119899 minus 1 we only compare our scheme with HarnrsquosGAS2 in Figure 1 to give us an insight of the performancesof the three schemes From Figure 1 we can see that thecost of Harnrsquos GAS2 increases much faster than ours whenthe number of participants increases When the number isaround 141 the cost of Harnrsquos GAS2 overpasses ours andincreases very fast The comparison shows that our schemenot only owns better security but also provides better com-putational performance when the number of participants islarge
6 Conclusions
In this paper we have shown the weaknesses of Harnrsquosasynchronous group authentication schemes An attacker canderive the system secrets and the membersrsquo secret tokens ifthe schemes allow multiple trials before the correspondingsecret is recovered or an attacker can easily disable thefunctions of the schemes by simply releasing invalid shares ifthe schemes donot allowmultiple trialsWehave proposed animproved scheme that allows multiple trials for each systemsecret The analysis shows that our scheme even has bettercomputational performancewhen the number of participantsis greater than 141
Security and Communication Networks 7
Conflicts of Interest
The author declares that he has no conflicts of interest
Acknowledgments
This project is partially supported by the Ministry of Scienceand Technology Taiwan under Grant no MOST 105-2221-E-260-014 The author would like to express the gratitude toKun-Bo Chen for his efforts of collecting literature
References
[1] S Kim J-Y Choi and J Jeong ldquoOn authentication signalingcosts in hierarchical LTE networksrdquo in Proceedings of 7thInternational Conference on ltitalicgtUbi-Media Computing andWorkshopsltitalicgt U-MEDIA 2014 pp 11ndash16 UlaanbaatarMongolia July 2014
[2] J Li M Wen and T Zhang ldquoGroup-based authentication andkey agreement with dynamic policy updating for MTC in LTE-A networksrdquo IEEE Internet of Things Journal vol 3 no 3 pp408ndash417 2016
[3] A Shamir ldquoHow to share a secretrdquo Communications of theAssociation for ComputingMachinery vol 22 no 11 pp 612-6131979
[4] L Harn ldquoGroup authenticationrdquo IEEETransactions on Comput-ers vol 62 no 9 pp 1893ndash1898 2013
[5] J-L Beuchat J E G Dıaz S Mitsunari E Okamoto FRodrıguez-Henrıquez and T Teruya High-Speed SoftwareImplementation of the Optimal Ate Pairing over Barreto-Naehrig Curvesrdquo IACREprint 2010354 httpseprintiacrorg2010354pdf
[6] A Jurisic and A J Menezes Elliptic Curves and CryptographyCerticomWhitepaper 1997
[7] D Boneh and M Franklin ldquoIdentity-based encryption fromthe Weil pairingrdquo in Proceeding of the Advances in Cryptol-ogymdashCRYPTO 2001 vol 2139 of Lecture Notes in ComputerScience pp 213ndash229 Springer-Verlag Santa Barbara CalifUSA 2001
[8] National Security Agency the US ldquoThe Case for Elliptic CurveCryptographyrdquo httpswwwnsagovbusinessprogramsellip-tic_curveshtml Accessed 25 Dec 2014
RoboticsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Active and Passive Electronic Components
Control Scienceand Engineering
Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
International Journal of
RotatingMachinery
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporation httpwwwhindawicom
Journal of
Volume 201
Submit your manuscripts athttpswwwhindawicom
VLSI Design
Hindawi Publishing Corporationhttpwwwhindawicom Volume 201
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Shock and Vibration
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Civil EngineeringAdvances in
Acoustics and VibrationAdvances in
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Electrical and Computer Engineering
Journal of
Advances inOptoElectronics
Hindawi Publishing Corporation httpwwwhindawicom
Volume 2014
The Scientific World JournalHindawi Publishing Corporation httpwwwhindawicom Volume 2014
SensorsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Modelling amp Simulation in EngineeringHindawi Publishing Corporation httpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Chemical EngineeringInternational Journal of Antennas and
Propagation
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Navigation and Observation
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
DistributedSensor Networks
International Journal of
2 Security and Communication Networks
asynchronous schemes Section 3 shows the weaknessesSection 4 proposes our new scheme and Section 5 analyzesits securities and evaluates its performance Section 6 statesour conclusions
2 Review of Harnrsquos Asynchronous GroupAuthentication Schemes (GAS)
The schemes consist of two phases the initialization phaseand the group authentication phase The group manager(GM) initializes the system parameters and assigns eachregistered entity some secret tokens in the initializationphase Then any groups of 119898 legitimate entities with 119898 ge 119905can execute the group authentication to verify the legitimacyof the participating entities
21 (119905 119898 119899) Asynchronous GAS-Harnrsquos Asynchronous GAS1Initially the group manager (GM) selects 119896 (where 119896119905 gt119899 minus 1) random polynomials with degree 119905 minus 1 119891119897(119909) = 1198861198970 +1198861198971119909 + sdot sdot sdot + 119886119897119905minus1119909119905minus1mod119901 119897 = 1 119896 where 119901 is a primeand 119886119897119894isin119877119885119901 He also generates and assigns secret tokens119891119897(119909119894) 119897 = 1 119896 to each entity 119880119894 isin 119880 = 1198801 119880119899where 119909119894 is 119880119894rsquos public identity For any secret 119904 the GMfinds integers 119889119895 119908119895 119895 = 1 sim 119896 in GF(119901) such that 119904 =sum119895=1sim119896 119889119895119891119895(119908119895)mod119901 where 119908119894 = 119908119895 for every pair of 119894 and119895 The GM publishes these parameters 119889119895 119908119895 119895 = 1 sim 119896 andℎ(119904) where ℎ() is a secure cryptographic hash function
When 119898 (119898 ge 119905) entities = 1198751 119875119898 would liketo authenticate each other each 119875119894 computes and releases119888119894 = sum119896119895=1 119889119895119891119895(119909119894)prod119898119903=1119903 =119894((119908119895 minus 119909119903)(119909119894 minus 119909119903))mod119901 Aftergathering all the released values the participants compute1199041015840 = sum119898119894=1 119888119894mod119901 and verify whether the equation ℎ(119904) =ℎ(1199041015840) holds If the verification succeeds then the groupauthentication succeeds otherwise it fails This scheme onlyallows one valid group authentication
22 (119905 119898 119899) Asynchronous GAS with Multiple Authentica-tions-Harnrsquos Asynchronous GAS2 The (119905 119898 119899) asynchronousGAS with multiple authentications allows the tokens to bereused for multiple authentications (for multiple secrets)
Initially the GM selects two large primes 119901 and 119902 suchthat 119902 divides 119901 minus 1 GF(q) is a subgroup of GF(119901) and every119892119894 is a generator for the subgroup GF(119902) The GM selects tworandom polynomials 119891119897(119909) 119897 = 1 2 having degree 119905 minus 1each with coefficients in GF(p) The GM generates tokens119891119897(119909) 119897 = 1 2 for each registered member 119880119894 The GMselects multiple secrets 119904119894s For each secret 119904119894 the GM selects119908119894119895 119889119894119895 119895 = 1 2 in GF(q) where 1199081198941 = 1199081198942 The secret119904119894 is determined as 119904119894 = 119892119894sum
2119895=1 119889119894119895119891(119908119894119895)mod 119902mod119901 The GM
publishes these numbers 119908119894119895 119889119894119895 119895 = 1 2 and (119892119894 ℎ(119904119894))When 119898 (119898 ge 119905) entities = 1198751 119875119898 would
like to perform the group authentication corresponding tothe reconstruction of the secret 119904119894 each participant 119875V isin computes 119888V = sum2119895=1 119889119895119891119895(119909V)prod119898119903=1119903 =V((119908119895 minus 119909119903)(119909V minus119909119903))mod 119902 and 119890V = 119892119894119888Vmod119901 Each 119875V releases 119890V Aftercollecting all 119890Vs V = 1 119898 the participating entities
compute 1199041015840119894 = prod119898V=1119890V and check whether ℎ(1199041015840119894 )= ℎ(119904119894) holds
If it holds then the group authentication succeeds otherwiseit fails
3 The Weaknesses of HarnrsquosAsynchronous Schemes
We find that both Harnrsquos asynchronous GAS1 and Harnrsquosasynchronous GAS2 share one critical weakness Theschemes perform group authentication by recovering andverifying the sealed secret If the schemes allow users tolaunch several trials before the secret is recovered thenan attacker would recover both the system secrets andthe usersrsquo secret tokens by joining the process severaltimes On the other hand if each secret only allows onetrial of authentication no matter whether the specificsecret is recovered or not then the system is vulnerable toDenial of Service (DOS) attacks by simply releasing a falsevalue to spoil the authentication instance and the groupauthentication function of the system After releasing a fakedata any groups of valid members can no longer performany group authentications
The key idea of our attack on Harnrsquos asynchronous GAS1is introduced in the following phases
Phase 1 Even though the secret tokens 119891119895(119909119894)s are well pro-tected in the released value 119888119894 = sum119896119895=1 119889119895119891119895(119909119894)prod119898119903=1119903 =119894((119908119895 minus119909119903)(119909119894minus119909119903))mod119901 one could solve these unknown variables119891119895(119909119894)s as long as he gets k distinct 119888119894 where each 119888119894corresponds to the value released by a specific user 119880119894 inan authentication instance and there is at least one mem-ber different in any pair of groups in these authenticationinstances in such cases the attacker will have k independentequations with k unknown variables 119891119895(119909119894)s and he can solvethe equations Let 119865119894 equiv 119891119895(119909119894) | 1 le 119894 le 119896 =1198911(119909119894) 119891119896(119909119894) denote the set of secret tokens owned bythe user 119880119894 after the above attack the attacker can acquire119865119894 Now the attacker continues the next phase to acquire thesecret polynomials
Phase 2 The attacker repeatedly involves the authenticationinstances and acquires the secret tokens until he gets thesecret tokens of more than t users Denote these secret tokenset as 119865 equiv 1198651 119865119894 119865119905 = 1198911(1199091) 119891119896(1199091) 1198911(119909119894) 119891119896(119909119894) 1198911(119909119905) 119891119896(119909119905) At this point heorganizes these secret tokens as 1198651 = 1198911(1199091) 1198911(1199092) 1198911(119909119905) 1198652 = 1198912(1199091) 1198912(1199092) 1198912(119909119905) 119865119896 = 119891119896(1199091)119891119896(1199092) 119891119896(119909119905) Based on 119865119894 1 le 119894 le 119896 the attackerapplies the Lagrange polynomial equation to reconstruct thepolynomials119891119894(119909) 1 le 119894 le 119896The attacker then continues thenext phase to derive the system secrets and the secret tokensof other remaining members
Phase 3 Using the polynomials 119891119894(119909) 1 le 119894 le 119896 the attackercompute 119904 = sum119895=1sim119896 119889119895119891119895(119908119895)mod119901 for the system secretFor any user 119880119903 isin 119880 = 1198801 119880119899 and the secret tokensof 119880119903 that have not yet been disclosed the attacker computes1198911(119909119903) 119891119896(119909119903) At this point the attacker has derived all
Security and Communication Networks 3
the system secrets and all the secret tokens of all users Theminimumnumber of runs that the attacker should participatein is 119896
The above attack can be easily extended to plot on Harnrsquosasynchronous GAS2 Attackers can acquire the secret values(1198921198941198911(119909V) 1198921198941198912(119909V)) | forall valid 119894 and 1 le V le 119899 corresponding tothe secret tokens 1198911(119909V) 1198912(119909V) | 1 le V le 119899 and the systemsecrets 119904119894 = 119892119894sum
2119895=1 119889119894119895119891(119908119894119895)mod 119902mod119901
Example 1 Now we take one example to demonstrate theattack process
System Initialization Let 119901 = 11 119905 = 3 119899 = 6 119896 = 2 (1198891 =1 1199081 = 6) and (1198892 = 2 1199081 = 7) be the system parameters1198911(119909) = 1 + 2119909 + 21199092mod 11 and 1198912(119909) = 2 + 2119909 + 11199092mod 11are the two secret polynomials and the system secret is 119904 =1 sdot 1198911(6) + 2 sdot 1198912(7)mod 11 = 8 + 20mod 11 = 6 The groupof users 119880 is 119880119894 with identity 119909119894 = 119894 1 le 119894 le 6 1198801 gets thesecret tokens (1198911(1) = 5 1198912(1) = 5) 1198802 gets the secret tokens(1198911(2) = 2 1198912(2) = 10) 1198803 gets the secret tokens (1198911(3) =3 1198912(3) = 6) 1198804 gets the secret tokens (1198911(4) = 8 1198912(4) = 4)1198805 gets the secret tokens (1198911(5) = 6 1198912(5) = 4) and 1198806 getsthe secret tokens (1198911(6) = 8 1198912(6) = 6)
Now we show the attack
Attack Phase 1 Assume that the attackerA participates in tworuns of authentications with 1198801 1198802 1198803 and respectivelyimpersonates 1198804 1198805 in these runs
In run 1 A will get
119888119894 =2
sum119895=1
119889119895119891119895 (119909119894)4
prod119903=1119903 =119894
119908119895 minus 119909119903119909119894 minus 119909119903
mod119901 | 1 le 119894 le 3 (1)
We list the calculations as follows
1198881 =2
sum119895=1
119889119895119891119895 (1)4
prod119903=1119903 =1
119908119895 minus 1199031 minus 119903
= 1 sdot 1198911 (1)(6 minus 2) (6 minus 3) (6 minus 4)(1 minus 2) (1 minus 3) (1 minus 4) + 2
sdot 1198912 (1)(7 minus 2) (7 minus 3) (7 minus 4)(1 minus 2) (1 minus 3) (1 minus 4)
= 1 sdot 5 sdot 4 sdot 3 sdot 2minus1 sdot minus2 sdot minus3 + 2 sdot 5 sdot
5 sdot 4 sdot 3minus1 sdot minus2 sdot minus3
= 1 sdot 5 sdot 7 + 2 sdot 5 sdot 1 = 1
1198882 =2
sum119895=1
119889119895119891119895 (2)4
prod119903=1119903 =2
119908119895 minus 1199032 minus 119903
= 1 sdot 1198911 (2)(6 minus 1) (6 minus 3) (6 minus 4)(2 minus 1) (2 minus 3) (2 minus 4) + 2
sdot 1198912 (2)(7 minus 1) (7 minus 3) (7 minus 4)(2 minus 1) (2 minus 3) (2 minus 4)
= 1 sdot 2 sdot 5 sdot 3 sdot 21 sdot minus1 sdot minus2 + 2 sdot 10 sdot
6 sdot 4 sdot 31 sdot minus1 sdot minus2
= 1 sdot 2 sdot 4 + 2 sdot 10 sdot 3 = 2
1198883 =2
sum119895=1
119889119895119891119895 (3)4
prod119903=1119903 =3
119908119895 minus 1199033 minus 119903
= 1 sdot 1198911 (3)(6 minus 1) (6 minus 2) (6 minus 4)(3 minus 1) (3 minus 2) (3 minus 4) + 2
sdot 1198912 (3)(7 minus 1) (7 minus 2) (7 minus 4)(3 minus 1) (3 minus 2) (3 minus 4)
= 1 sdot 3 sdot 5 sdot 4 sdot 22 sdot 1 sdot minus1 + 2 sdot 6 sdot6 sdot 5 sdot 32 sdot 1 sdot minus1
= 1 sdot 3 sdot 2 + 2 sdot 6 sdot 10 = 5(2)
In run 2 A will get
119888119894 =2
sum119895=1
119889119895119891119895 (119909119894) prod119903isin1235119903 =119894
119908119895 minus 119909119903119909119894 minus 119909119903
mod119901 | 1 le 119894
le 3
(3)
as follows
1198881 =2
sum119895=1
119889119895119891119895 (1) prod119903=235
119908119895 minus 1199031 minus 119903
= 1 sdot 1198911 (1)(6 minus 2) (6 minus 3) (6 minus 5)(1 minus 2) (1 minus 3) (1 minus 5) + 2
sdot 1198912 (1)(7 minus 2) (7 minus 3) (7 minus 5)(1 minus 2) (1 minus 3) (1 minus 5)
= 1 sdot 5 sdot 4 sdot 3 sdot 1minus1 sdot minus2 sdot minus4 + 2 sdot 5 sdot
5 sdot 4 sdot 2minus1 sdot minus2 sdot minus4
= 1 sdot 5 sdot 4 + 2 sdot 5 sdot 6 = 3
1198882 =2
sum119895=1
119889119895119891119895 (2) prod119903=135
119908119895 minus 1199032 minus 119903
= 1 sdot 1198911 (2)(6 minus 1) (6 minus 3) (6 minus 5)(2 minus 1) (2 minus 3) (2 minus 5) + 2
sdot 1198912 (2)(7 minus 1) (7 minus 3) (7 minus 5)(2 minus 1) (2 minus 3) (2 minus 5)
= 1 sdot 2 sdot 5 sdot 3 sdot 11 sdot minus1 sdot minus3 + 2 sdot 10 sdot
6 sdot 4 sdot 21 sdot minus1 sdot minus3
= 1 sdot 2 sdot 5 + 2 sdot 10 sdot 5 = 0
1198883 =2
sum119895=1
119889119895119891119895 (3) prod119903=125
119908119895 minus 1199033 minus 119903
4 Security and Communication Networks
= 1 sdot 1198911 (3)(6 minus 1) (6 minus 2) (6 minus 5)(3 minus 1) (3 minus 2) (3 minus 5) + 2
sdot 1198912 (3)(7 minus 1) (7 minus 2) (7 minus 5)(3 minus 1) (3 minus 2) (3 minus 5)
= 1 sdot 3 sdot 5 sdot 4 sdot 12 sdot 1 sdot minus2 + 2 sdot 6 sdot6 sdot 5 sdot 22 sdot 1 sdot minus2 = 3
(4)
So now A has the following independent equations in(5a) (5b) and (5c) He then solves the equations and gets1198911(1) = 5 1198912(1) = 5 1198911(2) = 2 1198912(2) = 10 1198911(3) =3 1198912(3) = 6
71198911 (1) + 21198912 (1) = 1mod 11
41198911 (1) + 1198912 (1) = 3mod 11(5a)
41198911 (2) + 61198912 (2) = 2mod 11
51198911 (2) + 101198912 (2) = 0mod 11(5b)
21198911 (3) + 91198912 (3) = 5mod 11
61198911 (3) + 31198912 (3) = 3mod 11(5c)
A applies the Lagrange polynomial formula on (1198911(1) =5 1198911(2) = 2 1198911(3) = 3) and derives the polynomial 1198911(119909) =1 + 2119909 + 21199092mod 11 applies the formula on (1198912(1) =5 1198912(2) = 10 1198912(3) = 6) and derives 1198912(119909) = 2 +2119909 + 11199092mod 11 Finally he computes 119904 = 1 sdot 1198911(6) + 2 sdot1198912(7)mod 11 = 8 + 20mod 11 = 6 He can further computesthe secret tokens of other remaining members (1198911(119894) 1198912(119894)) |4 le 119894 le 6
4 An Improved Scheme That Enables MultipleTrials and Multiple Authentications
Now we will propose an improved scheme that not onlyconquers the weaknesses of Harnrsquos (119905 119898 119899) asynchronousschemes but also improves the system performance The GMin our scheme only publishes simple public data and themembers can execute group authentication with multipleauthentications and multiple trials
41 Preliminaries We shall propose our scheme based onelliptic curve cryptography and bilinear pairing We nowbriefly review them as follows
Elliptic curves over119866119865(119901) [6] a nonsupersingular ellipticcurve 119864(119865119901) is the set of points 119875 = (119909 119910) for 119909 119910 isin 119885119875satisfying the equation 1199102 equiv 1199093 +119886119909+119887(mod119901) where 119886 119887 isin119885119901 are constants such that 41198863 + 271198872 = 0mod119901 togetherwith the point O called the point at infinity Two points 119875 =(1199091 1199101) and 119876 = (1199092 1199102) on the elliptic curve E can be addedtogether using the following rule if 1199092 = 1199091 and 1199102 = minus1199101then 119875 + 119876 = 119874 otherwise 119875 + 119876 = (1199093 1199103) where 1199093 =1205822 minus 1199091 minus 1199092mod119901 1199103 = 120582(1199091 minus 1199093) minus 1199101mod119901 and 120582 =(1199102 minus1199101)(1199092 minus1199091) if 119875 = 119876 or 120582 = (311990912 +119886)(21199101) if 119875 = 119876
Definition 2 (nondegenerate bilinear computable map [7])Let 1198661 1198662 and 1198663 be cyclic groups of prime order 119902 where1198661 and 1198662 are additive groups on elliptic curves and 1198663 ismultiplicative Let 119890 1198661 times 1198662 rarr 1198663 be a map with thefollowing properties
(1) Nondegenerate there exists 119883119884 isin 1198661 1198662 such that119890(119883 119884) = 1
(2) Bilinear 119890(1198831 + 1198832 119884) = 119890(1198831 119884) sdot 119890(1198832 119884) and119890(119883 1198841 + 1198842) = 119890(119883 1198841) sdot 119890(119883 1198842)
(3) Computability there exist efficient algorithms tocompute 119890(119875 119876) for all 119875119876 isin 1198661 1198662
Definition 3 The elliptic curve discrete logarithm problem(ECDLP) [6] is as follows given an elliptic curve over a finitefield 119865119901 and two points 119875119876 isin 119864(119865119901) find a number 119896 suchthat 119876 = 119896119875
Definition 4 (the Bilinear Pairing Inversion (BPI) problem[7]) Given 119890(119875 119876) isin 1198663 and 119876 isin 1198662 find 119875
Definition 5 The computational elliptic curve Diffie-Hellman problem (ECDHP) [6] is as follows given an ellipticcurve over a finite field 119865119901 a point 119875 isin 119864(119865119901) of order 119902 andpoints 119860 = 119886119875 119861 = 119887119875 isin ⟨119875⟩ find the point 119862 = 119886119887119875
It is believed that the ECDHP the ECDLP and the BPI arehard problems for proper parameter setting
42 The Proposed Scheme
421 The System Model Here we describe the model forone group and it is easy to extend this model for severalgroups In the system there are two kinds of participantsthe GM and a group of registered members The GM isresponsible for setting upupdating the system parametersAfter initialization the participants in each session wouldlike to verify whether all the participants belong to the samegroup this verification is achieved by the validation of theaggregated released-sharesTheGM is trusted and registeredmembers might be compromised and disclose their secretsUnless being compromised a registered member alwaysbehaves honestly
The GM publishes a predetermined parameter 119905 Thescheme can verify whether all participants of one sessionwith119898 participants (119898 ge 119905) belong to the same groupThe schemeis secure if it can withstand the collusion of up to 119905minus1 insiders(registered members)
422 The Scheme Facilitating Multiple Trials and MultipleAuthentications without Serverrsquos Active Participation LikeHarnrsquos asynchronous (119905 119898 119899) schemes our scheme alsofollows the same (119905 119898 119899) notation the asynchronous com-munication and multiple authentications Additionally ourscheme allows multiple trials The GM only needs to publishsome simple data no matter how many authentications andtrails these members would like to perform The schemeconsists of two phases the initialization phase and the groupauthentication phase
Security and Communication Networks 5
Initialization The GM sets up three cyclic groups 1198661 1198662and 1198663 with order q where 1198661 and 1198662 are additive groupson elliptic curves and 1198663 is multiplicative P is a generatorfor 1198662 It chooses a secret random polynomial with degree119905 minus 1 119891(119909) = 1198860 + 1198861119909 + sdot sdot sdot + 119886119905minus1119909119905minus1mod 119902 with 1198860 = 119904and a master secret 119904 It computes 119876 = 119904119875 and publishes 119876as the system-wise public key For each registered member119880119894 isin 119880 = 1198801 119880119899 with identity 119909119894 it assigns 119891(119909119894) as 119880119894rsquossecret token
Group Authentication When 119898 (119898 ge 119905) entities =1198751 119875119898 would like to authenticate each other in theVth authentication instance the group of users agree on arandom point 119877V (we discuss two options of implementingthe generation of random points 119877Vs in Section 43) Each119875119894 isin computes 119888119894 = 119891(119909119894)prod119898119903=1119903 =119894(minus119909119903(119909119894 minus 119909119903)) and119888119894119877V and releases 119888119894119877V After all users release their valuesthey compute sum119898119894=1 119888119894119877V and verify whether the equation119890(sum119898119894=1 119888119894119877V 119875)
= 119890(119877V 119876) holds If it holds they satisfy thegroup authentication otherwise they fail
43 Implementation Options of Choosing 119877V The generationand selection of the random points 119877V play a crucial factoraffecting the security Here we discuss two possible optionsThe two options mainly tackle the possible threat that anadversary might manipulate the selection of 119877V
The first one is that the GM periodically updates a listof authenticated random points and the entities choose onefrom the list of unused ones The entities refuse to apply anypoints that they have used
The second approach is applying a one-way hash functionthat maps any strings to a random pointmdash1198671 0 1lowast rarr 1198661Boneh and Franklinrsquos MaptoPoint function is one of suchfunctions [7] In this approach each participant in the groupcalculates 119877V = 1198671(date time 1199091 1199092 sdot sdot sdot 119909119898)where date and time are the current timestamp and 119909119894s arethe participantsrsquo identities
44 Comparison of Our Improvements with One Possi-ble Extension of Harnrsquos GAS2 In addition to our pro-posed scheme one another possible improvement is byextending Harnrsquos GAS2 The system might require thateach participant never tries to recover one specific secrettwice that is whenever an authentication fails he shouldonly try another authentication corresponding to othersecrets This arrangement could prevent the attacks inSection 3
However wewould like to discuss the differences betweenthe above extension with our scheme The extension eventhough it could reduce the treats of our attacks is stillnot absolutely immune to DOS attacks The GM has topreselect lots of possible secrets and publishes these numbers119908119894119895 119889119894119895 119895 = 1 2 and (119892119894 ℎ(119904119894)) If the list is not largeenough then the successive releasing of false shares couldquickly deplete the list If the GM tries to prepare a very longlist it causes it lots of overhead
On the contrary our implementation Option 2 is muchmore simple efficient and withstand heavy DOS attacks
5 Security Analysis andPerformance Evaluation
51 The Security
Lemma 6 Given a random point 119877V and a group of members = 1198801 119880119898 with 119898 ge 119905 the only condition that thegroup P can reconstruct the value 119904119877V in the proposed schemeis that all the participating members are valid and the schemecan resist up to 119905 minus 1 colluded insiders
Proof Since the secret tokens are generated using a secret 119905 minus1-degree polynomial the scheme can resist the collusion ofup to 119905minus1 insiders Also any single invalid contribution fromany invalid participants would ruin the computation of 119904119877V
Lemma 7 Given a valid released value 119888119894119877V where 119888119894 =119891(119909119894)prod119898119903=1119903 =119894(minus119909119903(119909119894minus119909119903)) one cannot derive the value 119888119894 andthe corresponding 119891(119909119894) as long as the ECDLP is hard
Lemma 8 Given a valid released 119888119894119877V and another point one cannot derive the value 119888119894 as long as the ECDHP is hard
Lemma 9 Given the values 119890(119877V 119876) and119876 one cannot derivethe valuesum119898119894=1 119888119894119877V which satisfies 119890(sum119898119894=1 119888119894119877V 119875)
= 119890(119877V 119876) aslong as the BPI is hard
Based on the above lemmas we have the followingtheorem
Theorem 10 The proposed scheme satisfies the securityrequirements of the asynchronous (119905 119898 119899) group authentica-tion
52 The Performance We first compare the computationalcomplexities of the three schemes ours Harnrsquos GAS1 andHarnrsquos GAS2
Let119879ℎ denote the time complexity for one hash operation119879EM denote that of one elliptic curve pointmultiplication119879EAdenote that for one elliptic curve point addition119879mul119902 denotethat for one multiplication in field 119902 (where 119902 correspondsto the order of 1198661 1198662 1198663 in our scheme) 119879inv119902 denote thatfor one inverse operation in field 119902 119879mul119901 denote that forone multiplication in field 119901 (where 119901 corresponds to themodular field in Harnrsquos schemes) 119879inv119901 denote that for onemultiplication in field 119901 119879exp119901119879exp119902 respectively denotethat for one exponentiation in field 119901119902 and 119879pair denote thatfor one pairing
Each user 119880119894 in our scheme needs to compute oneLagrange component 119888119894 = 119891(119909119894)prod119898119903=1119903 =119894(minus119909119903(119909119894 minus 119909119903))one 119888119894119877 119898 minus 1 point additions in 1198661 and the verification119890(sum119898119894=1 119888119894119877 119875)
= 119890(119877 119876) The verification costs two pairingoperations (2119879pair1198661) The addition in 1198661 costs 119898119879EA Thecomputation of 119888119894119877 costs 119879EM and the computation of 119888119894 costs(2(119898 minus 1) + 2)119879mul119902+ 119879inv119902 So totally it takes (2(119898 minus 1) +2)119879mul119902 + 119879inv119902 + 119879EM + 119898119879EA + 2119879pair
Each participant in Harnrsquos GAS1 takes 119896[(2(119898 minus 2) +3)119879mul119901 + 119879inv119901] for computing 119888119894 takes (119898 minus 1)119879add119901 for
6 Security and Communication Networks
Table 1 Summaries of performance of group authentication schemes
Ours Harnrsquos GAS1 Harnrsquos GAS2Securities under multiple trials foreach secret
Allow multiple authenticationswith multiple trials
Attackers can disclose systemrsquossecrets and usersrsquo secret tokens
Attackers can disclose systemrsquossecrets and usersrsquo secret tokens
Each userrsquos computational cost forone group authentication(detailed)
(2(119898 minus 1) + 2)119879mul119902 + 119879inv119902 +119879EM + 119898119879EA + 2119879pair
119896[(2(119898 minus 2) + 3)119879mul119901 + 119879inv119901] +(119898 minus 1)119879add119901 + 1119879ℎ
2[(2(119898 minus 2) + 3)119879mul119902 + 119879inv119902] +119879exp119901 + (119898 minus 1)119879mul119901 + 1119879ℎ
Approximated complexities(based on the figures from [5])
(7119898 + 1429)119879mul119902 + 2119879pair cong(7119898 + 6785)119879mul119902
41119896(2119898 + 239)119879mul119902 + (119898 minus1)119879add119901 + 1119879ℎ cong
41119896(2119898+239)119879mul119902 +(119898minus1)119879add119901(45119898 + 1418)119879mul119902
3 10 50 100 150 200 250 300 350
Comparison of approximated cost
OursHarnrsquos GAS2
02000400060008000
100001200014000160001800020000
Figure 1The comparison of computational cost versus the numberof participants The unit of the cost is 119879mul119902
computing 1199041015840 and takes 1119879ℎ for verifying ℎ(119904)= ℎ(1199041015840) Each
participant totally takes 119896[(2(119898minus2)+3)119879mul119901 +119879inv119901] + (119898minus1)119879add119901 + 1119879ℎ
Each participant in Harnrsquos GAS2 takes [(2(119898 minus 2) +3)119879mul119902 + 119879inv119902] for computing 119888V takes 119879exp119901 for computing119890V takes (119898 minus 1)119879mul119901 for computing 1199041015840119894 and takes 1119879ℎ forverifying ℎ(119904119894)
= ℎ(1199041015840119894 ) Each participant totally takes [(2(119898 minus2) + 3)119879mul119902 + 119879inv119902] + 119879exp119901 + (119898 minus 1)119879mul119901 + 1119879ℎ
Table 1 summarizes the performance Row 2 lists thesecurity properties Only our scheme can resist an attackerfrom deriving the secrets when the schemes allow multipletrials Row 3 lists the detailed computational complexityBased on Row 3 it is still difficult to get an insight of thecomplexities since they involve quite different operationsWetherefore further evaluate the computational cost under thepractical setting from NSA [8] and the algebra equations ofelliptic curve operations [6] The security of ECC with 160-bit key is roughly equivalent to that of RSA with 1024-bit keyor D-H algorithm with 1024-bit key So let us assume thatthe q (the order of 1198661 and 1198662) in our scheme is 160 bitsand p in Harnrsquos schemes is 1024 bits Under the above settingand approximations 119879mul119901 (the time complexity of a fieldmultiplication in 119885119901 where p is 1024 bits) is 41 times 119879mul119902(the time complexity of field multiplication in 119885119902 where qis 160 bits) 119879EM cong 29119879mul119901 119879EA cong 012119879mul119901 119879exp119901 cong240119879mul119901 cong 8119879EM and 119879EM cong 241119879EA where cong meansldquoroughly equalrdquo
Using the above setting and approximations and neglect-ing the minor computations like hashing and field addition
the complexities in Row 3 can be further simplified as followsThe complexity of our scheme is as follows (2(119898 minus 1) +2)119879mul119902 + 119879inv119902 + 119879EM + 119898119879EA + 2119879pair cong (2(119898 minus 1) +2)119879mul119902+119879inv119902+29119879mul119901+012119898119879mul119901 + 2119879pair cong 2119898119879mul119902+240119879mul119902 + 29 lowast 41119879mul119902 + 012119898 lowast 41119879mul119901 + 2119879pair cong(7119898 + 1429)119879mul119902 + 2119879pair The complexity of Harnrsquos GAS1is as follows 119896[(2(119898 minus 2) + 3)119879mul119901 +119879inv119901] + (119898 minus 1)119879add119901 +1119879ℎ cong 41119896(2119898 + 239)119879mul119902 + (119898 minus 1)119879add119901 The complexityof Harnrsquos GAS2 is as follows 2[(2(119898 minus 2) + 3)119879mul119902 + 119879inv119902]+ 119879exp119901 + (119898 minus 1)119879mul119901 + 1119879ℎ cong 2[(2(119898 minus 2) + 239)119879mul119902] +240 lowast 41119879mul119902 + 41(119898 minus 1)119879mul119902 + 1119879ℎ cong (45119898 + 1418)119879mul119902
To further simplify the complexity approximation werefer to an efficient paring implementation [5] Based onthe figures there [5] we roughly approximate one pairingoperation as 5356119879mul119902 We approximate (7119898+1429)119879mul119902 +2119879pair cong (7119898 + 6785)119879mul119902 in Row 4 From Row 4 wecan tell that Harnrsquos schemes have lower computational costthan ours when the number of participants is small butthe costs of Harnrsquos schemes grow faster than ours when thenumber of participants increases All the costs of the threeschemes increase as the number of participants increasesbut the cost of Harnrsquos GAS1 also depends on the valuek Because the parameter k in Harnrsquos GAS1 should satisfy119896119905 gt 119899 minus 1 we only compare our scheme with HarnrsquosGAS2 in Figure 1 to give us an insight of the performancesof the three schemes From Figure 1 we can see that thecost of Harnrsquos GAS2 increases much faster than ours whenthe number of participants increases When the number isaround 141 the cost of Harnrsquos GAS2 overpasses ours andincreases very fast The comparison shows that our schemenot only owns better security but also provides better com-putational performance when the number of participants islarge
6 Conclusions
In this paper we have shown the weaknesses of Harnrsquosasynchronous group authentication schemes An attacker canderive the system secrets and the membersrsquo secret tokens ifthe schemes allow multiple trials before the correspondingsecret is recovered or an attacker can easily disable thefunctions of the schemes by simply releasing invalid shares ifthe schemes donot allowmultiple trialsWehave proposed animproved scheme that allows multiple trials for each systemsecret The analysis shows that our scheme even has bettercomputational performancewhen the number of participantsis greater than 141
Security and Communication Networks 7
Conflicts of Interest
The author declares that he has no conflicts of interest
Acknowledgments
This project is partially supported by the Ministry of Scienceand Technology Taiwan under Grant no MOST 105-2221-E-260-014 The author would like to express the gratitude toKun-Bo Chen for his efforts of collecting literature
References
[1] S Kim J-Y Choi and J Jeong ldquoOn authentication signalingcosts in hierarchical LTE networksrdquo in Proceedings of 7thInternational Conference on ltitalicgtUbi-Media Computing andWorkshopsltitalicgt U-MEDIA 2014 pp 11ndash16 UlaanbaatarMongolia July 2014
[2] J Li M Wen and T Zhang ldquoGroup-based authentication andkey agreement with dynamic policy updating for MTC in LTE-A networksrdquo IEEE Internet of Things Journal vol 3 no 3 pp408ndash417 2016
[3] A Shamir ldquoHow to share a secretrdquo Communications of theAssociation for ComputingMachinery vol 22 no 11 pp 612-6131979
[4] L Harn ldquoGroup authenticationrdquo IEEETransactions on Comput-ers vol 62 no 9 pp 1893ndash1898 2013
[5] J-L Beuchat J E G Dıaz S Mitsunari E Okamoto FRodrıguez-Henrıquez and T Teruya High-Speed SoftwareImplementation of the Optimal Ate Pairing over Barreto-Naehrig Curvesrdquo IACREprint 2010354 httpseprintiacrorg2010354pdf
[6] A Jurisic and A J Menezes Elliptic Curves and CryptographyCerticomWhitepaper 1997
[7] D Boneh and M Franklin ldquoIdentity-based encryption fromthe Weil pairingrdquo in Proceeding of the Advances in Cryptol-ogymdashCRYPTO 2001 vol 2139 of Lecture Notes in ComputerScience pp 213ndash229 Springer-Verlag Santa Barbara CalifUSA 2001
[8] National Security Agency the US ldquoThe Case for Elliptic CurveCryptographyrdquo httpswwwnsagovbusinessprogramsellip-tic_curveshtml Accessed 25 Dec 2014
RoboticsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Active and Passive Electronic Components
Control Scienceand Engineering
Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
International Journal of
RotatingMachinery
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporation httpwwwhindawicom
Journal of
Volume 201
Submit your manuscripts athttpswwwhindawicom
VLSI Design
Hindawi Publishing Corporationhttpwwwhindawicom Volume 201
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Shock and Vibration
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Civil EngineeringAdvances in
Acoustics and VibrationAdvances in
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Electrical and Computer Engineering
Journal of
Advances inOptoElectronics
Hindawi Publishing Corporation httpwwwhindawicom
Volume 2014
The Scientific World JournalHindawi Publishing Corporation httpwwwhindawicom Volume 2014
SensorsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Modelling amp Simulation in EngineeringHindawi Publishing Corporation httpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Chemical EngineeringInternational Journal of Antennas and
Propagation
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Navigation and Observation
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
DistributedSensor Networks
International Journal of
Security and Communication Networks 3
the system secrets and all the secret tokens of all users Theminimumnumber of runs that the attacker should participatein is 119896
The above attack can be easily extended to plot on Harnrsquosasynchronous GAS2 Attackers can acquire the secret values(1198921198941198911(119909V) 1198921198941198912(119909V)) | forall valid 119894 and 1 le V le 119899 corresponding tothe secret tokens 1198911(119909V) 1198912(119909V) | 1 le V le 119899 and the systemsecrets 119904119894 = 119892119894sum
2119895=1 119889119894119895119891(119908119894119895)mod 119902mod119901
Example 1 Now we take one example to demonstrate theattack process
System Initialization Let 119901 = 11 119905 = 3 119899 = 6 119896 = 2 (1198891 =1 1199081 = 6) and (1198892 = 2 1199081 = 7) be the system parameters1198911(119909) = 1 + 2119909 + 21199092mod 11 and 1198912(119909) = 2 + 2119909 + 11199092mod 11are the two secret polynomials and the system secret is 119904 =1 sdot 1198911(6) + 2 sdot 1198912(7)mod 11 = 8 + 20mod 11 = 6 The groupof users 119880 is 119880119894 with identity 119909119894 = 119894 1 le 119894 le 6 1198801 gets thesecret tokens (1198911(1) = 5 1198912(1) = 5) 1198802 gets the secret tokens(1198911(2) = 2 1198912(2) = 10) 1198803 gets the secret tokens (1198911(3) =3 1198912(3) = 6) 1198804 gets the secret tokens (1198911(4) = 8 1198912(4) = 4)1198805 gets the secret tokens (1198911(5) = 6 1198912(5) = 4) and 1198806 getsthe secret tokens (1198911(6) = 8 1198912(6) = 6)
Now we show the attack
Attack Phase 1 Assume that the attackerA participates in tworuns of authentications with 1198801 1198802 1198803 and respectivelyimpersonates 1198804 1198805 in these runs
In run 1 A will get
119888119894 =2
sum119895=1
119889119895119891119895 (119909119894)4
prod119903=1119903 =119894
119908119895 minus 119909119903119909119894 minus 119909119903
mod119901 | 1 le 119894 le 3 (1)
We list the calculations as follows
1198881 =2
sum119895=1
119889119895119891119895 (1)4
prod119903=1119903 =1
119908119895 minus 1199031 minus 119903
= 1 sdot 1198911 (1)(6 minus 2) (6 minus 3) (6 minus 4)(1 minus 2) (1 minus 3) (1 minus 4) + 2
sdot 1198912 (1)(7 minus 2) (7 minus 3) (7 minus 4)(1 minus 2) (1 minus 3) (1 minus 4)
= 1 sdot 5 sdot 4 sdot 3 sdot 2minus1 sdot minus2 sdot minus3 + 2 sdot 5 sdot
5 sdot 4 sdot 3minus1 sdot minus2 sdot minus3
= 1 sdot 5 sdot 7 + 2 sdot 5 sdot 1 = 1
1198882 =2
sum119895=1
119889119895119891119895 (2)4
prod119903=1119903 =2
119908119895 minus 1199032 minus 119903
= 1 sdot 1198911 (2)(6 minus 1) (6 minus 3) (6 minus 4)(2 minus 1) (2 minus 3) (2 minus 4) + 2
sdot 1198912 (2)(7 minus 1) (7 minus 3) (7 minus 4)(2 minus 1) (2 minus 3) (2 minus 4)
= 1 sdot 2 sdot 5 sdot 3 sdot 21 sdot minus1 sdot minus2 + 2 sdot 10 sdot
6 sdot 4 sdot 31 sdot minus1 sdot minus2
= 1 sdot 2 sdot 4 + 2 sdot 10 sdot 3 = 2
1198883 =2
sum119895=1
119889119895119891119895 (3)4
prod119903=1119903 =3
119908119895 minus 1199033 minus 119903
= 1 sdot 1198911 (3)(6 minus 1) (6 minus 2) (6 minus 4)(3 minus 1) (3 minus 2) (3 minus 4) + 2
sdot 1198912 (3)(7 minus 1) (7 minus 2) (7 minus 4)(3 minus 1) (3 minus 2) (3 minus 4)
= 1 sdot 3 sdot 5 sdot 4 sdot 22 sdot 1 sdot minus1 + 2 sdot 6 sdot6 sdot 5 sdot 32 sdot 1 sdot minus1
= 1 sdot 3 sdot 2 + 2 sdot 6 sdot 10 = 5(2)
In run 2 A will get
119888119894 =2
sum119895=1
119889119895119891119895 (119909119894) prod119903isin1235119903 =119894
119908119895 minus 119909119903119909119894 minus 119909119903
mod119901 | 1 le 119894
le 3
(3)
as follows
1198881 =2
sum119895=1
119889119895119891119895 (1) prod119903=235
119908119895 minus 1199031 minus 119903
= 1 sdot 1198911 (1)(6 minus 2) (6 minus 3) (6 minus 5)(1 minus 2) (1 minus 3) (1 minus 5) + 2
sdot 1198912 (1)(7 minus 2) (7 minus 3) (7 minus 5)(1 minus 2) (1 minus 3) (1 minus 5)
= 1 sdot 5 sdot 4 sdot 3 sdot 1minus1 sdot minus2 sdot minus4 + 2 sdot 5 sdot
5 sdot 4 sdot 2minus1 sdot minus2 sdot minus4
= 1 sdot 5 sdot 4 + 2 sdot 5 sdot 6 = 3
1198882 =2
sum119895=1
119889119895119891119895 (2) prod119903=135
119908119895 minus 1199032 minus 119903
= 1 sdot 1198911 (2)(6 minus 1) (6 minus 3) (6 minus 5)(2 minus 1) (2 minus 3) (2 minus 5) + 2
sdot 1198912 (2)(7 minus 1) (7 minus 3) (7 minus 5)(2 minus 1) (2 minus 3) (2 minus 5)
= 1 sdot 2 sdot 5 sdot 3 sdot 11 sdot minus1 sdot minus3 + 2 sdot 10 sdot
6 sdot 4 sdot 21 sdot minus1 sdot minus3
= 1 sdot 2 sdot 5 + 2 sdot 10 sdot 5 = 0
1198883 =2
sum119895=1
119889119895119891119895 (3) prod119903=125
119908119895 minus 1199033 minus 119903
4 Security and Communication Networks
= 1 sdot 1198911 (3)(6 minus 1) (6 minus 2) (6 minus 5)(3 minus 1) (3 minus 2) (3 minus 5) + 2
sdot 1198912 (3)(7 minus 1) (7 minus 2) (7 minus 5)(3 minus 1) (3 minus 2) (3 minus 5)
= 1 sdot 3 sdot 5 sdot 4 sdot 12 sdot 1 sdot minus2 + 2 sdot 6 sdot6 sdot 5 sdot 22 sdot 1 sdot minus2 = 3
(4)
So now A has the following independent equations in(5a) (5b) and (5c) He then solves the equations and gets1198911(1) = 5 1198912(1) = 5 1198911(2) = 2 1198912(2) = 10 1198911(3) =3 1198912(3) = 6
71198911 (1) + 21198912 (1) = 1mod 11
41198911 (1) + 1198912 (1) = 3mod 11(5a)
41198911 (2) + 61198912 (2) = 2mod 11
51198911 (2) + 101198912 (2) = 0mod 11(5b)
21198911 (3) + 91198912 (3) = 5mod 11
61198911 (3) + 31198912 (3) = 3mod 11(5c)
A applies the Lagrange polynomial formula on (1198911(1) =5 1198911(2) = 2 1198911(3) = 3) and derives the polynomial 1198911(119909) =1 + 2119909 + 21199092mod 11 applies the formula on (1198912(1) =5 1198912(2) = 10 1198912(3) = 6) and derives 1198912(119909) = 2 +2119909 + 11199092mod 11 Finally he computes 119904 = 1 sdot 1198911(6) + 2 sdot1198912(7)mod 11 = 8 + 20mod 11 = 6 He can further computesthe secret tokens of other remaining members (1198911(119894) 1198912(119894)) |4 le 119894 le 6
4 An Improved Scheme That Enables MultipleTrials and Multiple Authentications
Now we will propose an improved scheme that not onlyconquers the weaknesses of Harnrsquos (119905 119898 119899) asynchronousschemes but also improves the system performance The GMin our scheme only publishes simple public data and themembers can execute group authentication with multipleauthentications and multiple trials
41 Preliminaries We shall propose our scheme based onelliptic curve cryptography and bilinear pairing We nowbriefly review them as follows
Elliptic curves over119866119865(119901) [6] a nonsupersingular ellipticcurve 119864(119865119901) is the set of points 119875 = (119909 119910) for 119909 119910 isin 119885119875satisfying the equation 1199102 equiv 1199093 +119886119909+119887(mod119901) where 119886 119887 isin119885119901 are constants such that 41198863 + 271198872 = 0mod119901 togetherwith the point O called the point at infinity Two points 119875 =(1199091 1199101) and 119876 = (1199092 1199102) on the elliptic curve E can be addedtogether using the following rule if 1199092 = 1199091 and 1199102 = minus1199101then 119875 + 119876 = 119874 otherwise 119875 + 119876 = (1199093 1199103) where 1199093 =1205822 minus 1199091 minus 1199092mod119901 1199103 = 120582(1199091 minus 1199093) minus 1199101mod119901 and 120582 =(1199102 minus1199101)(1199092 minus1199091) if 119875 = 119876 or 120582 = (311990912 +119886)(21199101) if 119875 = 119876
Definition 2 (nondegenerate bilinear computable map [7])Let 1198661 1198662 and 1198663 be cyclic groups of prime order 119902 where1198661 and 1198662 are additive groups on elliptic curves and 1198663 ismultiplicative Let 119890 1198661 times 1198662 rarr 1198663 be a map with thefollowing properties
(1) Nondegenerate there exists 119883119884 isin 1198661 1198662 such that119890(119883 119884) = 1
(2) Bilinear 119890(1198831 + 1198832 119884) = 119890(1198831 119884) sdot 119890(1198832 119884) and119890(119883 1198841 + 1198842) = 119890(119883 1198841) sdot 119890(119883 1198842)
(3) Computability there exist efficient algorithms tocompute 119890(119875 119876) for all 119875119876 isin 1198661 1198662
Definition 3 The elliptic curve discrete logarithm problem(ECDLP) [6] is as follows given an elliptic curve over a finitefield 119865119901 and two points 119875119876 isin 119864(119865119901) find a number 119896 suchthat 119876 = 119896119875
Definition 4 (the Bilinear Pairing Inversion (BPI) problem[7]) Given 119890(119875 119876) isin 1198663 and 119876 isin 1198662 find 119875
Definition 5 The computational elliptic curve Diffie-Hellman problem (ECDHP) [6] is as follows given an ellipticcurve over a finite field 119865119901 a point 119875 isin 119864(119865119901) of order 119902 andpoints 119860 = 119886119875 119861 = 119887119875 isin ⟨119875⟩ find the point 119862 = 119886119887119875
It is believed that the ECDHP the ECDLP and the BPI arehard problems for proper parameter setting
42 The Proposed Scheme
421 The System Model Here we describe the model forone group and it is easy to extend this model for severalgroups In the system there are two kinds of participantsthe GM and a group of registered members The GM isresponsible for setting upupdating the system parametersAfter initialization the participants in each session wouldlike to verify whether all the participants belong to the samegroup this verification is achieved by the validation of theaggregated released-sharesTheGM is trusted and registeredmembers might be compromised and disclose their secretsUnless being compromised a registered member alwaysbehaves honestly
The GM publishes a predetermined parameter 119905 Thescheme can verify whether all participants of one sessionwith119898 participants (119898 ge 119905) belong to the same groupThe schemeis secure if it can withstand the collusion of up to 119905minus1 insiders(registered members)
422 The Scheme Facilitating Multiple Trials and MultipleAuthentications without Serverrsquos Active Participation LikeHarnrsquos asynchronous (119905 119898 119899) schemes our scheme alsofollows the same (119905 119898 119899) notation the asynchronous com-munication and multiple authentications Additionally ourscheme allows multiple trials The GM only needs to publishsome simple data no matter how many authentications andtrails these members would like to perform The schemeconsists of two phases the initialization phase and the groupauthentication phase
Security and Communication Networks 5
Initialization The GM sets up three cyclic groups 1198661 1198662and 1198663 with order q where 1198661 and 1198662 are additive groupson elliptic curves and 1198663 is multiplicative P is a generatorfor 1198662 It chooses a secret random polynomial with degree119905 minus 1 119891(119909) = 1198860 + 1198861119909 + sdot sdot sdot + 119886119905minus1119909119905minus1mod 119902 with 1198860 = 119904and a master secret 119904 It computes 119876 = 119904119875 and publishes 119876as the system-wise public key For each registered member119880119894 isin 119880 = 1198801 119880119899 with identity 119909119894 it assigns 119891(119909119894) as 119880119894rsquossecret token
Group Authentication When 119898 (119898 ge 119905) entities =1198751 119875119898 would like to authenticate each other in theVth authentication instance the group of users agree on arandom point 119877V (we discuss two options of implementingthe generation of random points 119877Vs in Section 43) Each119875119894 isin computes 119888119894 = 119891(119909119894)prod119898119903=1119903 =119894(minus119909119903(119909119894 minus 119909119903)) and119888119894119877V and releases 119888119894119877V After all users release their valuesthey compute sum119898119894=1 119888119894119877V and verify whether the equation119890(sum119898119894=1 119888119894119877V 119875)
= 119890(119877V 119876) holds If it holds they satisfy thegroup authentication otherwise they fail
43 Implementation Options of Choosing 119877V The generationand selection of the random points 119877V play a crucial factoraffecting the security Here we discuss two possible optionsThe two options mainly tackle the possible threat that anadversary might manipulate the selection of 119877V
The first one is that the GM periodically updates a listof authenticated random points and the entities choose onefrom the list of unused ones The entities refuse to apply anypoints that they have used
The second approach is applying a one-way hash functionthat maps any strings to a random pointmdash1198671 0 1lowast rarr 1198661Boneh and Franklinrsquos MaptoPoint function is one of suchfunctions [7] In this approach each participant in the groupcalculates 119877V = 1198671(date time 1199091 1199092 sdot sdot sdot 119909119898)where date and time are the current timestamp and 119909119894s arethe participantsrsquo identities
44 Comparison of Our Improvements with One Possi-ble Extension of Harnrsquos GAS2 In addition to our pro-posed scheme one another possible improvement is byextending Harnrsquos GAS2 The system might require thateach participant never tries to recover one specific secrettwice that is whenever an authentication fails he shouldonly try another authentication corresponding to othersecrets This arrangement could prevent the attacks inSection 3
However wewould like to discuss the differences betweenthe above extension with our scheme The extension eventhough it could reduce the treats of our attacks is stillnot absolutely immune to DOS attacks The GM has topreselect lots of possible secrets and publishes these numbers119908119894119895 119889119894119895 119895 = 1 2 and (119892119894 ℎ(119904119894)) If the list is not largeenough then the successive releasing of false shares couldquickly deplete the list If the GM tries to prepare a very longlist it causes it lots of overhead
On the contrary our implementation Option 2 is muchmore simple efficient and withstand heavy DOS attacks
5 Security Analysis andPerformance Evaluation
51 The Security
Lemma 6 Given a random point 119877V and a group of members = 1198801 119880119898 with 119898 ge 119905 the only condition that thegroup P can reconstruct the value 119904119877V in the proposed schemeis that all the participating members are valid and the schemecan resist up to 119905 minus 1 colluded insiders
Proof Since the secret tokens are generated using a secret 119905 minus1-degree polynomial the scheme can resist the collusion ofup to 119905minus1 insiders Also any single invalid contribution fromany invalid participants would ruin the computation of 119904119877V
Lemma 7 Given a valid released value 119888119894119877V where 119888119894 =119891(119909119894)prod119898119903=1119903 =119894(minus119909119903(119909119894minus119909119903)) one cannot derive the value 119888119894 andthe corresponding 119891(119909119894) as long as the ECDLP is hard
Lemma 8 Given a valid released 119888119894119877V and another point one cannot derive the value 119888119894 as long as the ECDHP is hard
Lemma 9 Given the values 119890(119877V 119876) and119876 one cannot derivethe valuesum119898119894=1 119888119894119877V which satisfies 119890(sum119898119894=1 119888119894119877V 119875)
= 119890(119877V 119876) aslong as the BPI is hard
Based on the above lemmas we have the followingtheorem
Theorem 10 The proposed scheme satisfies the securityrequirements of the asynchronous (119905 119898 119899) group authentica-tion
52 The Performance We first compare the computationalcomplexities of the three schemes ours Harnrsquos GAS1 andHarnrsquos GAS2
Let119879ℎ denote the time complexity for one hash operation119879EM denote that of one elliptic curve pointmultiplication119879EAdenote that for one elliptic curve point addition119879mul119902 denotethat for one multiplication in field 119902 (where 119902 correspondsto the order of 1198661 1198662 1198663 in our scheme) 119879inv119902 denote thatfor one inverse operation in field 119902 119879mul119901 denote that forone multiplication in field 119901 (where 119901 corresponds to themodular field in Harnrsquos schemes) 119879inv119901 denote that for onemultiplication in field 119901 119879exp119901119879exp119902 respectively denotethat for one exponentiation in field 119901119902 and 119879pair denote thatfor one pairing
Each user 119880119894 in our scheme needs to compute oneLagrange component 119888119894 = 119891(119909119894)prod119898119903=1119903 =119894(minus119909119903(119909119894 minus 119909119903))one 119888119894119877 119898 minus 1 point additions in 1198661 and the verification119890(sum119898119894=1 119888119894119877 119875)
= 119890(119877 119876) The verification costs two pairingoperations (2119879pair1198661) The addition in 1198661 costs 119898119879EA Thecomputation of 119888119894119877 costs 119879EM and the computation of 119888119894 costs(2(119898 minus 1) + 2)119879mul119902+ 119879inv119902 So totally it takes (2(119898 minus 1) +2)119879mul119902 + 119879inv119902 + 119879EM + 119898119879EA + 2119879pair
Each participant in Harnrsquos GAS1 takes 119896[(2(119898 minus 2) +3)119879mul119901 + 119879inv119901] for computing 119888119894 takes (119898 minus 1)119879add119901 for
6 Security and Communication Networks
Table 1 Summaries of performance of group authentication schemes
Ours Harnrsquos GAS1 Harnrsquos GAS2Securities under multiple trials foreach secret
Allow multiple authenticationswith multiple trials
Attackers can disclose systemrsquossecrets and usersrsquo secret tokens
Attackers can disclose systemrsquossecrets and usersrsquo secret tokens
Each userrsquos computational cost forone group authentication(detailed)
(2(119898 minus 1) + 2)119879mul119902 + 119879inv119902 +119879EM + 119898119879EA + 2119879pair
119896[(2(119898 minus 2) + 3)119879mul119901 + 119879inv119901] +(119898 minus 1)119879add119901 + 1119879ℎ
2[(2(119898 minus 2) + 3)119879mul119902 + 119879inv119902] +119879exp119901 + (119898 minus 1)119879mul119901 + 1119879ℎ
Approximated complexities(based on the figures from [5])
(7119898 + 1429)119879mul119902 + 2119879pair cong(7119898 + 6785)119879mul119902
41119896(2119898 + 239)119879mul119902 + (119898 minus1)119879add119901 + 1119879ℎ cong
41119896(2119898+239)119879mul119902 +(119898minus1)119879add119901(45119898 + 1418)119879mul119902
3 10 50 100 150 200 250 300 350
Comparison of approximated cost
OursHarnrsquos GAS2
02000400060008000
100001200014000160001800020000
Figure 1The comparison of computational cost versus the numberof participants The unit of the cost is 119879mul119902
computing 1199041015840 and takes 1119879ℎ for verifying ℎ(119904)= ℎ(1199041015840) Each
participant totally takes 119896[(2(119898minus2)+3)119879mul119901 +119879inv119901] + (119898minus1)119879add119901 + 1119879ℎ
Each participant in Harnrsquos GAS2 takes [(2(119898 minus 2) +3)119879mul119902 + 119879inv119902] for computing 119888V takes 119879exp119901 for computing119890V takes (119898 minus 1)119879mul119901 for computing 1199041015840119894 and takes 1119879ℎ forverifying ℎ(119904119894)
= ℎ(1199041015840119894 ) Each participant totally takes [(2(119898 minus2) + 3)119879mul119902 + 119879inv119902] + 119879exp119901 + (119898 minus 1)119879mul119901 + 1119879ℎ
Table 1 summarizes the performance Row 2 lists thesecurity properties Only our scheme can resist an attackerfrom deriving the secrets when the schemes allow multipletrials Row 3 lists the detailed computational complexityBased on Row 3 it is still difficult to get an insight of thecomplexities since they involve quite different operationsWetherefore further evaluate the computational cost under thepractical setting from NSA [8] and the algebra equations ofelliptic curve operations [6] The security of ECC with 160-bit key is roughly equivalent to that of RSA with 1024-bit keyor D-H algorithm with 1024-bit key So let us assume thatthe q (the order of 1198661 and 1198662) in our scheme is 160 bitsand p in Harnrsquos schemes is 1024 bits Under the above settingand approximations 119879mul119901 (the time complexity of a fieldmultiplication in 119885119901 where p is 1024 bits) is 41 times 119879mul119902(the time complexity of field multiplication in 119885119902 where qis 160 bits) 119879EM cong 29119879mul119901 119879EA cong 012119879mul119901 119879exp119901 cong240119879mul119901 cong 8119879EM and 119879EM cong 241119879EA where cong meansldquoroughly equalrdquo
Using the above setting and approximations and neglect-ing the minor computations like hashing and field addition
the complexities in Row 3 can be further simplified as followsThe complexity of our scheme is as follows (2(119898 minus 1) +2)119879mul119902 + 119879inv119902 + 119879EM + 119898119879EA + 2119879pair cong (2(119898 minus 1) +2)119879mul119902+119879inv119902+29119879mul119901+012119898119879mul119901 + 2119879pair cong 2119898119879mul119902+240119879mul119902 + 29 lowast 41119879mul119902 + 012119898 lowast 41119879mul119901 + 2119879pair cong(7119898 + 1429)119879mul119902 + 2119879pair The complexity of Harnrsquos GAS1is as follows 119896[(2(119898 minus 2) + 3)119879mul119901 +119879inv119901] + (119898 minus 1)119879add119901 +1119879ℎ cong 41119896(2119898 + 239)119879mul119902 + (119898 minus 1)119879add119901 The complexityof Harnrsquos GAS2 is as follows 2[(2(119898 minus 2) + 3)119879mul119902 + 119879inv119902]+ 119879exp119901 + (119898 minus 1)119879mul119901 + 1119879ℎ cong 2[(2(119898 minus 2) + 239)119879mul119902] +240 lowast 41119879mul119902 + 41(119898 minus 1)119879mul119902 + 1119879ℎ cong (45119898 + 1418)119879mul119902
To further simplify the complexity approximation werefer to an efficient paring implementation [5] Based onthe figures there [5] we roughly approximate one pairingoperation as 5356119879mul119902 We approximate (7119898+1429)119879mul119902 +2119879pair cong (7119898 + 6785)119879mul119902 in Row 4 From Row 4 wecan tell that Harnrsquos schemes have lower computational costthan ours when the number of participants is small butthe costs of Harnrsquos schemes grow faster than ours when thenumber of participants increases All the costs of the threeschemes increase as the number of participants increasesbut the cost of Harnrsquos GAS1 also depends on the valuek Because the parameter k in Harnrsquos GAS1 should satisfy119896119905 gt 119899 minus 1 we only compare our scheme with HarnrsquosGAS2 in Figure 1 to give us an insight of the performancesof the three schemes From Figure 1 we can see that thecost of Harnrsquos GAS2 increases much faster than ours whenthe number of participants increases When the number isaround 141 the cost of Harnrsquos GAS2 overpasses ours andincreases very fast The comparison shows that our schemenot only owns better security but also provides better com-putational performance when the number of participants islarge
6 Conclusions
In this paper we have shown the weaknesses of Harnrsquosasynchronous group authentication schemes An attacker canderive the system secrets and the membersrsquo secret tokens ifthe schemes allow multiple trials before the correspondingsecret is recovered or an attacker can easily disable thefunctions of the schemes by simply releasing invalid shares ifthe schemes donot allowmultiple trialsWehave proposed animproved scheme that allows multiple trials for each systemsecret The analysis shows that our scheme even has bettercomputational performancewhen the number of participantsis greater than 141
Security and Communication Networks 7
Conflicts of Interest
The author declares that he has no conflicts of interest
Acknowledgments
This project is partially supported by the Ministry of Scienceand Technology Taiwan under Grant no MOST 105-2221-E-260-014 The author would like to express the gratitude toKun-Bo Chen for his efforts of collecting literature
References
[1] S Kim J-Y Choi and J Jeong ldquoOn authentication signalingcosts in hierarchical LTE networksrdquo in Proceedings of 7thInternational Conference on ltitalicgtUbi-Media Computing andWorkshopsltitalicgt U-MEDIA 2014 pp 11ndash16 UlaanbaatarMongolia July 2014
[2] J Li M Wen and T Zhang ldquoGroup-based authentication andkey agreement with dynamic policy updating for MTC in LTE-A networksrdquo IEEE Internet of Things Journal vol 3 no 3 pp408ndash417 2016
[3] A Shamir ldquoHow to share a secretrdquo Communications of theAssociation for ComputingMachinery vol 22 no 11 pp 612-6131979
[4] L Harn ldquoGroup authenticationrdquo IEEETransactions on Comput-ers vol 62 no 9 pp 1893ndash1898 2013
[5] J-L Beuchat J E G Dıaz S Mitsunari E Okamoto FRodrıguez-Henrıquez and T Teruya High-Speed SoftwareImplementation of the Optimal Ate Pairing over Barreto-Naehrig Curvesrdquo IACREprint 2010354 httpseprintiacrorg2010354pdf
[6] A Jurisic and A J Menezes Elliptic Curves and CryptographyCerticomWhitepaper 1997
[7] D Boneh and M Franklin ldquoIdentity-based encryption fromthe Weil pairingrdquo in Proceeding of the Advances in Cryptol-ogymdashCRYPTO 2001 vol 2139 of Lecture Notes in ComputerScience pp 213ndash229 Springer-Verlag Santa Barbara CalifUSA 2001
[8] National Security Agency the US ldquoThe Case for Elliptic CurveCryptographyrdquo httpswwwnsagovbusinessprogramsellip-tic_curveshtml Accessed 25 Dec 2014
RoboticsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Active and Passive Electronic Components
Control Scienceand Engineering
Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
International Journal of
RotatingMachinery
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporation httpwwwhindawicom
Journal of
Volume 201
Submit your manuscripts athttpswwwhindawicom
VLSI Design
Hindawi Publishing Corporationhttpwwwhindawicom Volume 201
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Shock and Vibration
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Civil EngineeringAdvances in
Acoustics and VibrationAdvances in
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Electrical and Computer Engineering
Journal of
Advances inOptoElectronics
Hindawi Publishing Corporation httpwwwhindawicom
Volume 2014
The Scientific World JournalHindawi Publishing Corporation httpwwwhindawicom Volume 2014
SensorsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Modelling amp Simulation in EngineeringHindawi Publishing Corporation httpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Chemical EngineeringInternational Journal of Antennas and
Propagation
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Navigation and Observation
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
DistributedSensor Networks
International Journal of
4 Security and Communication Networks
= 1 sdot 1198911 (3)(6 minus 1) (6 minus 2) (6 minus 5)(3 minus 1) (3 minus 2) (3 minus 5) + 2
sdot 1198912 (3)(7 minus 1) (7 minus 2) (7 minus 5)(3 minus 1) (3 minus 2) (3 minus 5)
= 1 sdot 3 sdot 5 sdot 4 sdot 12 sdot 1 sdot minus2 + 2 sdot 6 sdot6 sdot 5 sdot 22 sdot 1 sdot minus2 = 3
(4)
So now A has the following independent equations in(5a) (5b) and (5c) He then solves the equations and gets1198911(1) = 5 1198912(1) = 5 1198911(2) = 2 1198912(2) = 10 1198911(3) =3 1198912(3) = 6
71198911 (1) + 21198912 (1) = 1mod 11
41198911 (1) + 1198912 (1) = 3mod 11(5a)
41198911 (2) + 61198912 (2) = 2mod 11
51198911 (2) + 101198912 (2) = 0mod 11(5b)
21198911 (3) + 91198912 (3) = 5mod 11
61198911 (3) + 31198912 (3) = 3mod 11(5c)
A applies the Lagrange polynomial formula on (1198911(1) =5 1198911(2) = 2 1198911(3) = 3) and derives the polynomial 1198911(119909) =1 + 2119909 + 21199092mod 11 applies the formula on (1198912(1) =5 1198912(2) = 10 1198912(3) = 6) and derives 1198912(119909) = 2 +2119909 + 11199092mod 11 Finally he computes 119904 = 1 sdot 1198911(6) + 2 sdot1198912(7)mod 11 = 8 + 20mod 11 = 6 He can further computesthe secret tokens of other remaining members (1198911(119894) 1198912(119894)) |4 le 119894 le 6
4 An Improved Scheme That Enables MultipleTrials and Multiple Authentications
Now we will propose an improved scheme that not onlyconquers the weaknesses of Harnrsquos (119905 119898 119899) asynchronousschemes but also improves the system performance The GMin our scheme only publishes simple public data and themembers can execute group authentication with multipleauthentications and multiple trials
41 Preliminaries We shall propose our scheme based onelliptic curve cryptography and bilinear pairing We nowbriefly review them as follows
Elliptic curves over119866119865(119901) [6] a nonsupersingular ellipticcurve 119864(119865119901) is the set of points 119875 = (119909 119910) for 119909 119910 isin 119885119875satisfying the equation 1199102 equiv 1199093 +119886119909+119887(mod119901) where 119886 119887 isin119885119901 are constants such that 41198863 + 271198872 = 0mod119901 togetherwith the point O called the point at infinity Two points 119875 =(1199091 1199101) and 119876 = (1199092 1199102) on the elliptic curve E can be addedtogether using the following rule if 1199092 = 1199091 and 1199102 = minus1199101then 119875 + 119876 = 119874 otherwise 119875 + 119876 = (1199093 1199103) where 1199093 =1205822 minus 1199091 minus 1199092mod119901 1199103 = 120582(1199091 minus 1199093) minus 1199101mod119901 and 120582 =(1199102 minus1199101)(1199092 minus1199091) if 119875 = 119876 or 120582 = (311990912 +119886)(21199101) if 119875 = 119876
Definition 2 (nondegenerate bilinear computable map [7])Let 1198661 1198662 and 1198663 be cyclic groups of prime order 119902 where1198661 and 1198662 are additive groups on elliptic curves and 1198663 ismultiplicative Let 119890 1198661 times 1198662 rarr 1198663 be a map with thefollowing properties
(1) Nondegenerate there exists 119883119884 isin 1198661 1198662 such that119890(119883 119884) = 1
(2) Bilinear 119890(1198831 + 1198832 119884) = 119890(1198831 119884) sdot 119890(1198832 119884) and119890(119883 1198841 + 1198842) = 119890(119883 1198841) sdot 119890(119883 1198842)
(3) Computability there exist efficient algorithms tocompute 119890(119875 119876) for all 119875119876 isin 1198661 1198662
Definition 3 The elliptic curve discrete logarithm problem(ECDLP) [6] is as follows given an elliptic curve over a finitefield 119865119901 and two points 119875119876 isin 119864(119865119901) find a number 119896 suchthat 119876 = 119896119875
Definition 4 (the Bilinear Pairing Inversion (BPI) problem[7]) Given 119890(119875 119876) isin 1198663 and 119876 isin 1198662 find 119875
Definition 5 The computational elliptic curve Diffie-Hellman problem (ECDHP) [6] is as follows given an ellipticcurve over a finite field 119865119901 a point 119875 isin 119864(119865119901) of order 119902 andpoints 119860 = 119886119875 119861 = 119887119875 isin ⟨119875⟩ find the point 119862 = 119886119887119875
It is believed that the ECDHP the ECDLP and the BPI arehard problems for proper parameter setting
42 The Proposed Scheme
421 The System Model Here we describe the model forone group and it is easy to extend this model for severalgroups In the system there are two kinds of participantsthe GM and a group of registered members The GM isresponsible for setting upupdating the system parametersAfter initialization the participants in each session wouldlike to verify whether all the participants belong to the samegroup this verification is achieved by the validation of theaggregated released-sharesTheGM is trusted and registeredmembers might be compromised and disclose their secretsUnless being compromised a registered member alwaysbehaves honestly
The GM publishes a predetermined parameter 119905 Thescheme can verify whether all participants of one sessionwith119898 participants (119898 ge 119905) belong to the same groupThe schemeis secure if it can withstand the collusion of up to 119905minus1 insiders(registered members)
422 The Scheme Facilitating Multiple Trials and MultipleAuthentications without Serverrsquos Active Participation LikeHarnrsquos asynchronous (119905 119898 119899) schemes our scheme alsofollows the same (119905 119898 119899) notation the asynchronous com-munication and multiple authentications Additionally ourscheme allows multiple trials The GM only needs to publishsome simple data no matter how many authentications andtrails these members would like to perform The schemeconsists of two phases the initialization phase and the groupauthentication phase
Security and Communication Networks 5
Initialization The GM sets up three cyclic groups 1198661 1198662and 1198663 with order q where 1198661 and 1198662 are additive groupson elliptic curves and 1198663 is multiplicative P is a generatorfor 1198662 It chooses a secret random polynomial with degree119905 minus 1 119891(119909) = 1198860 + 1198861119909 + sdot sdot sdot + 119886119905minus1119909119905minus1mod 119902 with 1198860 = 119904and a master secret 119904 It computes 119876 = 119904119875 and publishes 119876as the system-wise public key For each registered member119880119894 isin 119880 = 1198801 119880119899 with identity 119909119894 it assigns 119891(119909119894) as 119880119894rsquossecret token
Group Authentication When 119898 (119898 ge 119905) entities =1198751 119875119898 would like to authenticate each other in theVth authentication instance the group of users agree on arandom point 119877V (we discuss two options of implementingthe generation of random points 119877Vs in Section 43) Each119875119894 isin computes 119888119894 = 119891(119909119894)prod119898119903=1119903 =119894(minus119909119903(119909119894 minus 119909119903)) and119888119894119877V and releases 119888119894119877V After all users release their valuesthey compute sum119898119894=1 119888119894119877V and verify whether the equation119890(sum119898119894=1 119888119894119877V 119875)
= 119890(119877V 119876) holds If it holds they satisfy thegroup authentication otherwise they fail
43 Implementation Options of Choosing 119877V The generationand selection of the random points 119877V play a crucial factoraffecting the security Here we discuss two possible optionsThe two options mainly tackle the possible threat that anadversary might manipulate the selection of 119877V
The first one is that the GM periodically updates a listof authenticated random points and the entities choose onefrom the list of unused ones The entities refuse to apply anypoints that they have used
The second approach is applying a one-way hash functionthat maps any strings to a random pointmdash1198671 0 1lowast rarr 1198661Boneh and Franklinrsquos MaptoPoint function is one of suchfunctions [7] In this approach each participant in the groupcalculates 119877V = 1198671(date time 1199091 1199092 sdot sdot sdot 119909119898)where date and time are the current timestamp and 119909119894s arethe participantsrsquo identities
44 Comparison of Our Improvements with One Possi-ble Extension of Harnrsquos GAS2 In addition to our pro-posed scheme one another possible improvement is byextending Harnrsquos GAS2 The system might require thateach participant never tries to recover one specific secrettwice that is whenever an authentication fails he shouldonly try another authentication corresponding to othersecrets This arrangement could prevent the attacks inSection 3
However wewould like to discuss the differences betweenthe above extension with our scheme The extension eventhough it could reduce the treats of our attacks is stillnot absolutely immune to DOS attacks The GM has topreselect lots of possible secrets and publishes these numbers119908119894119895 119889119894119895 119895 = 1 2 and (119892119894 ℎ(119904119894)) If the list is not largeenough then the successive releasing of false shares couldquickly deplete the list If the GM tries to prepare a very longlist it causes it lots of overhead
On the contrary our implementation Option 2 is muchmore simple efficient and withstand heavy DOS attacks
5 Security Analysis andPerformance Evaluation
51 The Security
Lemma 6 Given a random point 119877V and a group of members = 1198801 119880119898 with 119898 ge 119905 the only condition that thegroup P can reconstruct the value 119904119877V in the proposed schemeis that all the participating members are valid and the schemecan resist up to 119905 minus 1 colluded insiders
Proof Since the secret tokens are generated using a secret 119905 minus1-degree polynomial the scheme can resist the collusion ofup to 119905minus1 insiders Also any single invalid contribution fromany invalid participants would ruin the computation of 119904119877V
Lemma 7 Given a valid released value 119888119894119877V where 119888119894 =119891(119909119894)prod119898119903=1119903 =119894(minus119909119903(119909119894minus119909119903)) one cannot derive the value 119888119894 andthe corresponding 119891(119909119894) as long as the ECDLP is hard
Lemma 8 Given a valid released 119888119894119877V and another point one cannot derive the value 119888119894 as long as the ECDHP is hard
Lemma 9 Given the values 119890(119877V 119876) and119876 one cannot derivethe valuesum119898119894=1 119888119894119877V which satisfies 119890(sum119898119894=1 119888119894119877V 119875)
= 119890(119877V 119876) aslong as the BPI is hard
Based on the above lemmas we have the followingtheorem
Theorem 10 The proposed scheme satisfies the securityrequirements of the asynchronous (119905 119898 119899) group authentica-tion
52 The Performance We first compare the computationalcomplexities of the three schemes ours Harnrsquos GAS1 andHarnrsquos GAS2
Let119879ℎ denote the time complexity for one hash operation119879EM denote that of one elliptic curve pointmultiplication119879EAdenote that for one elliptic curve point addition119879mul119902 denotethat for one multiplication in field 119902 (where 119902 correspondsto the order of 1198661 1198662 1198663 in our scheme) 119879inv119902 denote thatfor one inverse operation in field 119902 119879mul119901 denote that forone multiplication in field 119901 (where 119901 corresponds to themodular field in Harnrsquos schemes) 119879inv119901 denote that for onemultiplication in field 119901 119879exp119901119879exp119902 respectively denotethat for one exponentiation in field 119901119902 and 119879pair denote thatfor one pairing
Each user 119880119894 in our scheme needs to compute oneLagrange component 119888119894 = 119891(119909119894)prod119898119903=1119903 =119894(minus119909119903(119909119894 minus 119909119903))one 119888119894119877 119898 minus 1 point additions in 1198661 and the verification119890(sum119898119894=1 119888119894119877 119875)
= 119890(119877 119876) The verification costs two pairingoperations (2119879pair1198661) The addition in 1198661 costs 119898119879EA Thecomputation of 119888119894119877 costs 119879EM and the computation of 119888119894 costs(2(119898 minus 1) + 2)119879mul119902+ 119879inv119902 So totally it takes (2(119898 minus 1) +2)119879mul119902 + 119879inv119902 + 119879EM + 119898119879EA + 2119879pair
Each participant in Harnrsquos GAS1 takes 119896[(2(119898 minus 2) +3)119879mul119901 + 119879inv119901] for computing 119888119894 takes (119898 minus 1)119879add119901 for
6 Security and Communication Networks
Table 1 Summaries of performance of group authentication schemes
Ours Harnrsquos GAS1 Harnrsquos GAS2Securities under multiple trials foreach secret
Allow multiple authenticationswith multiple trials
Attackers can disclose systemrsquossecrets and usersrsquo secret tokens
Attackers can disclose systemrsquossecrets and usersrsquo secret tokens
Each userrsquos computational cost forone group authentication(detailed)
(2(119898 minus 1) + 2)119879mul119902 + 119879inv119902 +119879EM + 119898119879EA + 2119879pair
119896[(2(119898 minus 2) + 3)119879mul119901 + 119879inv119901] +(119898 minus 1)119879add119901 + 1119879ℎ
2[(2(119898 minus 2) + 3)119879mul119902 + 119879inv119902] +119879exp119901 + (119898 minus 1)119879mul119901 + 1119879ℎ
Approximated complexities(based on the figures from [5])
(7119898 + 1429)119879mul119902 + 2119879pair cong(7119898 + 6785)119879mul119902
41119896(2119898 + 239)119879mul119902 + (119898 minus1)119879add119901 + 1119879ℎ cong
41119896(2119898+239)119879mul119902 +(119898minus1)119879add119901(45119898 + 1418)119879mul119902
3 10 50 100 150 200 250 300 350
Comparison of approximated cost
OursHarnrsquos GAS2
02000400060008000
100001200014000160001800020000
Figure 1The comparison of computational cost versus the numberof participants The unit of the cost is 119879mul119902
computing 1199041015840 and takes 1119879ℎ for verifying ℎ(119904)= ℎ(1199041015840) Each
participant totally takes 119896[(2(119898minus2)+3)119879mul119901 +119879inv119901] + (119898minus1)119879add119901 + 1119879ℎ
Each participant in Harnrsquos GAS2 takes [(2(119898 minus 2) +3)119879mul119902 + 119879inv119902] for computing 119888V takes 119879exp119901 for computing119890V takes (119898 minus 1)119879mul119901 for computing 1199041015840119894 and takes 1119879ℎ forverifying ℎ(119904119894)
= ℎ(1199041015840119894 ) Each participant totally takes [(2(119898 minus2) + 3)119879mul119902 + 119879inv119902] + 119879exp119901 + (119898 minus 1)119879mul119901 + 1119879ℎ
Table 1 summarizes the performance Row 2 lists thesecurity properties Only our scheme can resist an attackerfrom deriving the secrets when the schemes allow multipletrials Row 3 lists the detailed computational complexityBased on Row 3 it is still difficult to get an insight of thecomplexities since they involve quite different operationsWetherefore further evaluate the computational cost under thepractical setting from NSA [8] and the algebra equations ofelliptic curve operations [6] The security of ECC with 160-bit key is roughly equivalent to that of RSA with 1024-bit keyor D-H algorithm with 1024-bit key So let us assume thatthe q (the order of 1198661 and 1198662) in our scheme is 160 bitsand p in Harnrsquos schemes is 1024 bits Under the above settingand approximations 119879mul119901 (the time complexity of a fieldmultiplication in 119885119901 where p is 1024 bits) is 41 times 119879mul119902(the time complexity of field multiplication in 119885119902 where qis 160 bits) 119879EM cong 29119879mul119901 119879EA cong 012119879mul119901 119879exp119901 cong240119879mul119901 cong 8119879EM and 119879EM cong 241119879EA where cong meansldquoroughly equalrdquo
Using the above setting and approximations and neglect-ing the minor computations like hashing and field addition
the complexities in Row 3 can be further simplified as followsThe complexity of our scheme is as follows (2(119898 minus 1) +2)119879mul119902 + 119879inv119902 + 119879EM + 119898119879EA + 2119879pair cong (2(119898 minus 1) +2)119879mul119902+119879inv119902+29119879mul119901+012119898119879mul119901 + 2119879pair cong 2119898119879mul119902+240119879mul119902 + 29 lowast 41119879mul119902 + 012119898 lowast 41119879mul119901 + 2119879pair cong(7119898 + 1429)119879mul119902 + 2119879pair The complexity of Harnrsquos GAS1is as follows 119896[(2(119898 minus 2) + 3)119879mul119901 +119879inv119901] + (119898 minus 1)119879add119901 +1119879ℎ cong 41119896(2119898 + 239)119879mul119902 + (119898 minus 1)119879add119901 The complexityof Harnrsquos GAS2 is as follows 2[(2(119898 minus 2) + 3)119879mul119902 + 119879inv119902]+ 119879exp119901 + (119898 minus 1)119879mul119901 + 1119879ℎ cong 2[(2(119898 minus 2) + 239)119879mul119902] +240 lowast 41119879mul119902 + 41(119898 minus 1)119879mul119902 + 1119879ℎ cong (45119898 + 1418)119879mul119902
To further simplify the complexity approximation werefer to an efficient paring implementation [5] Based onthe figures there [5] we roughly approximate one pairingoperation as 5356119879mul119902 We approximate (7119898+1429)119879mul119902 +2119879pair cong (7119898 + 6785)119879mul119902 in Row 4 From Row 4 wecan tell that Harnrsquos schemes have lower computational costthan ours when the number of participants is small butthe costs of Harnrsquos schemes grow faster than ours when thenumber of participants increases All the costs of the threeschemes increase as the number of participants increasesbut the cost of Harnrsquos GAS1 also depends on the valuek Because the parameter k in Harnrsquos GAS1 should satisfy119896119905 gt 119899 minus 1 we only compare our scheme with HarnrsquosGAS2 in Figure 1 to give us an insight of the performancesof the three schemes From Figure 1 we can see that thecost of Harnrsquos GAS2 increases much faster than ours whenthe number of participants increases When the number isaround 141 the cost of Harnrsquos GAS2 overpasses ours andincreases very fast The comparison shows that our schemenot only owns better security but also provides better com-putational performance when the number of participants islarge
6 Conclusions
In this paper we have shown the weaknesses of Harnrsquosasynchronous group authentication schemes An attacker canderive the system secrets and the membersrsquo secret tokens ifthe schemes allow multiple trials before the correspondingsecret is recovered or an attacker can easily disable thefunctions of the schemes by simply releasing invalid shares ifthe schemes donot allowmultiple trialsWehave proposed animproved scheme that allows multiple trials for each systemsecret The analysis shows that our scheme even has bettercomputational performancewhen the number of participantsis greater than 141
Security and Communication Networks 7
Conflicts of Interest
The author declares that he has no conflicts of interest
Acknowledgments
This project is partially supported by the Ministry of Scienceand Technology Taiwan under Grant no MOST 105-2221-E-260-014 The author would like to express the gratitude toKun-Bo Chen for his efforts of collecting literature
References
[1] S Kim J-Y Choi and J Jeong ldquoOn authentication signalingcosts in hierarchical LTE networksrdquo in Proceedings of 7thInternational Conference on ltitalicgtUbi-Media Computing andWorkshopsltitalicgt U-MEDIA 2014 pp 11ndash16 UlaanbaatarMongolia July 2014
[2] J Li M Wen and T Zhang ldquoGroup-based authentication andkey agreement with dynamic policy updating for MTC in LTE-A networksrdquo IEEE Internet of Things Journal vol 3 no 3 pp408ndash417 2016
[3] A Shamir ldquoHow to share a secretrdquo Communications of theAssociation for ComputingMachinery vol 22 no 11 pp 612-6131979
[4] L Harn ldquoGroup authenticationrdquo IEEETransactions on Comput-ers vol 62 no 9 pp 1893ndash1898 2013
[5] J-L Beuchat J E G Dıaz S Mitsunari E Okamoto FRodrıguez-Henrıquez and T Teruya High-Speed SoftwareImplementation of the Optimal Ate Pairing over Barreto-Naehrig Curvesrdquo IACREprint 2010354 httpseprintiacrorg2010354pdf
[6] A Jurisic and A J Menezes Elliptic Curves and CryptographyCerticomWhitepaper 1997
[7] D Boneh and M Franklin ldquoIdentity-based encryption fromthe Weil pairingrdquo in Proceeding of the Advances in Cryptol-ogymdashCRYPTO 2001 vol 2139 of Lecture Notes in ComputerScience pp 213ndash229 Springer-Verlag Santa Barbara CalifUSA 2001
[8] National Security Agency the US ldquoThe Case for Elliptic CurveCryptographyrdquo httpswwwnsagovbusinessprogramsellip-tic_curveshtml Accessed 25 Dec 2014
RoboticsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Active and Passive Electronic Components
Control Scienceand Engineering
Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
International Journal of
RotatingMachinery
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporation httpwwwhindawicom
Journal of
Volume 201
Submit your manuscripts athttpswwwhindawicom
VLSI Design
Hindawi Publishing Corporationhttpwwwhindawicom Volume 201
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Shock and Vibration
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Civil EngineeringAdvances in
Acoustics and VibrationAdvances in
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Electrical and Computer Engineering
Journal of
Advances inOptoElectronics
Hindawi Publishing Corporation httpwwwhindawicom
Volume 2014
The Scientific World JournalHindawi Publishing Corporation httpwwwhindawicom Volume 2014
SensorsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Modelling amp Simulation in EngineeringHindawi Publishing Corporation httpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Chemical EngineeringInternational Journal of Antennas and
Propagation
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Navigation and Observation
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
DistributedSensor Networks
International Journal of
Security and Communication Networks 5
Initialization The GM sets up three cyclic groups 1198661 1198662and 1198663 with order q where 1198661 and 1198662 are additive groupson elliptic curves and 1198663 is multiplicative P is a generatorfor 1198662 It chooses a secret random polynomial with degree119905 minus 1 119891(119909) = 1198860 + 1198861119909 + sdot sdot sdot + 119886119905minus1119909119905minus1mod 119902 with 1198860 = 119904and a master secret 119904 It computes 119876 = 119904119875 and publishes 119876as the system-wise public key For each registered member119880119894 isin 119880 = 1198801 119880119899 with identity 119909119894 it assigns 119891(119909119894) as 119880119894rsquossecret token
Group Authentication When 119898 (119898 ge 119905) entities =1198751 119875119898 would like to authenticate each other in theVth authentication instance the group of users agree on arandom point 119877V (we discuss two options of implementingthe generation of random points 119877Vs in Section 43) Each119875119894 isin computes 119888119894 = 119891(119909119894)prod119898119903=1119903 =119894(minus119909119903(119909119894 minus 119909119903)) and119888119894119877V and releases 119888119894119877V After all users release their valuesthey compute sum119898119894=1 119888119894119877V and verify whether the equation119890(sum119898119894=1 119888119894119877V 119875)
= 119890(119877V 119876) holds If it holds they satisfy thegroup authentication otherwise they fail
43 Implementation Options of Choosing 119877V The generationand selection of the random points 119877V play a crucial factoraffecting the security Here we discuss two possible optionsThe two options mainly tackle the possible threat that anadversary might manipulate the selection of 119877V
The first one is that the GM periodically updates a listof authenticated random points and the entities choose onefrom the list of unused ones The entities refuse to apply anypoints that they have used
The second approach is applying a one-way hash functionthat maps any strings to a random pointmdash1198671 0 1lowast rarr 1198661Boneh and Franklinrsquos MaptoPoint function is one of suchfunctions [7] In this approach each participant in the groupcalculates 119877V = 1198671(date time 1199091 1199092 sdot sdot sdot 119909119898)where date and time are the current timestamp and 119909119894s arethe participantsrsquo identities
44 Comparison of Our Improvements with One Possi-ble Extension of Harnrsquos GAS2 In addition to our pro-posed scheme one another possible improvement is byextending Harnrsquos GAS2 The system might require thateach participant never tries to recover one specific secrettwice that is whenever an authentication fails he shouldonly try another authentication corresponding to othersecrets This arrangement could prevent the attacks inSection 3
However wewould like to discuss the differences betweenthe above extension with our scheme The extension eventhough it could reduce the treats of our attacks is stillnot absolutely immune to DOS attacks The GM has topreselect lots of possible secrets and publishes these numbers119908119894119895 119889119894119895 119895 = 1 2 and (119892119894 ℎ(119904119894)) If the list is not largeenough then the successive releasing of false shares couldquickly deplete the list If the GM tries to prepare a very longlist it causes it lots of overhead
On the contrary our implementation Option 2 is muchmore simple efficient and withstand heavy DOS attacks
5 Security Analysis andPerformance Evaluation
51 The Security
Lemma 6 Given a random point 119877V and a group of members = 1198801 119880119898 with 119898 ge 119905 the only condition that thegroup P can reconstruct the value 119904119877V in the proposed schemeis that all the participating members are valid and the schemecan resist up to 119905 minus 1 colluded insiders
Proof Since the secret tokens are generated using a secret 119905 minus1-degree polynomial the scheme can resist the collusion ofup to 119905minus1 insiders Also any single invalid contribution fromany invalid participants would ruin the computation of 119904119877V
Lemma 7 Given a valid released value 119888119894119877V where 119888119894 =119891(119909119894)prod119898119903=1119903 =119894(minus119909119903(119909119894minus119909119903)) one cannot derive the value 119888119894 andthe corresponding 119891(119909119894) as long as the ECDLP is hard
Lemma 8 Given a valid released 119888119894119877V and another point one cannot derive the value 119888119894 as long as the ECDHP is hard
Lemma 9 Given the values 119890(119877V 119876) and119876 one cannot derivethe valuesum119898119894=1 119888119894119877V which satisfies 119890(sum119898119894=1 119888119894119877V 119875)
= 119890(119877V 119876) aslong as the BPI is hard
Based on the above lemmas we have the followingtheorem
Theorem 10 The proposed scheme satisfies the securityrequirements of the asynchronous (119905 119898 119899) group authentica-tion
52 The Performance We first compare the computationalcomplexities of the three schemes ours Harnrsquos GAS1 andHarnrsquos GAS2
Let119879ℎ denote the time complexity for one hash operation119879EM denote that of one elliptic curve pointmultiplication119879EAdenote that for one elliptic curve point addition119879mul119902 denotethat for one multiplication in field 119902 (where 119902 correspondsto the order of 1198661 1198662 1198663 in our scheme) 119879inv119902 denote thatfor one inverse operation in field 119902 119879mul119901 denote that forone multiplication in field 119901 (where 119901 corresponds to themodular field in Harnrsquos schemes) 119879inv119901 denote that for onemultiplication in field 119901 119879exp119901119879exp119902 respectively denotethat for one exponentiation in field 119901119902 and 119879pair denote thatfor one pairing
Each user 119880119894 in our scheme needs to compute oneLagrange component 119888119894 = 119891(119909119894)prod119898119903=1119903 =119894(minus119909119903(119909119894 minus 119909119903))one 119888119894119877 119898 minus 1 point additions in 1198661 and the verification119890(sum119898119894=1 119888119894119877 119875)
= 119890(119877 119876) The verification costs two pairingoperations (2119879pair1198661) The addition in 1198661 costs 119898119879EA Thecomputation of 119888119894119877 costs 119879EM and the computation of 119888119894 costs(2(119898 minus 1) + 2)119879mul119902+ 119879inv119902 So totally it takes (2(119898 minus 1) +2)119879mul119902 + 119879inv119902 + 119879EM + 119898119879EA + 2119879pair
Each participant in Harnrsquos GAS1 takes 119896[(2(119898 minus 2) +3)119879mul119901 + 119879inv119901] for computing 119888119894 takes (119898 minus 1)119879add119901 for
6 Security and Communication Networks
Table 1 Summaries of performance of group authentication schemes
Ours Harnrsquos GAS1 Harnrsquos GAS2Securities under multiple trials foreach secret
Allow multiple authenticationswith multiple trials
Attackers can disclose systemrsquossecrets and usersrsquo secret tokens
Attackers can disclose systemrsquossecrets and usersrsquo secret tokens
Each userrsquos computational cost forone group authentication(detailed)
(2(119898 minus 1) + 2)119879mul119902 + 119879inv119902 +119879EM + 119898119879EA + 2119879pair
119896[(2(119898 minus 2) + 3)119879mul119901 + 119879inv119901] +(119898 minus 1)119879add119901 + 1119879ℎ
2[(2(119898 minus 2) + 3)119879mul119902 + 119879inv119902] +119879exp119901 + (119898 minus 1)119879mul119901 + 1119879ℎ
Approximated complexities(based on the figures from [5])
(7119898 + 1429)119879mul119902 + 2119879pair cong(7119898 + 6785)119879mul119902
41119896(2119898 + 239)119879mul119902 + (119898 minus1)119879add119901 + 1119879ℎ cong
41119896(2119898+239)119879mul119902 +(119898minus1)119879add119901(45119898 + 1418)119879mul119902
3 10 50 100 150 200 250 300 350
Comparison of approximated cost
OursHarnrsquos GAS2
02000400060008000
100001200014000160001800020000
Figure 1The comparison of computational cost versus the numberof participants The unit of the cost is 119879mul119902
computing 1199041015840 and takes 1119879ℎ for verifying ℎ(119904)= ℎ(1199041015840) Each
participant totally takes 119896[(2(119898minus2)+3)119879mul119901 +119879inv119901] + (119898minus1)119879add119901 + 1119879ℎ
Each participant in Harnrsquos GAS2 takes [(2(119898 minus 2) +3)119879mul119902 + 119879inv119902] for computing 119888V takes 119879exp119901 for computing119890V takes (119898 minus 1)119879mul119901 for computing 1199041015840119894 and takes 1119879ℎ forverifying ℎ(119904119894)
= ℎ(1199041015840119894 ) Each participant totally takes [(2(119898 minus2) + 3)119879mul119902 + 119879inv119902] + 119879exp119901 + (119898 minus 1)119879mul119901 + 1119879ℎ
Table 1 summarizes the performance Row 2 lists thesecurity properties Only our scheme can resist an attackerfrom deriving the secrets when the schemes allow multipletrials Row 3 lists the detailed computational complexityBased on Row 3 it is still difficult to get an insight of thecomplexities since they involve quite different operationsWetherefore further evaluate the computational cost under thepractical setting from NSA [8] and the algebra equations ofelliptic curve operations [6] The security of ECC with 160-bit key is roughly equivalent to that of RSA with 1024-bit keyor D-H algorithm with 1024-bit key So let us assume thatthe q (the order of 1198661 and 1198662) in our scheme is 160 bitsand p in Harnrsquos schemes is 1024 bits Under the above settingand approximations 119879mul119901 (the time complexity of a fieldmultiplication in 119885119901 where p is 1024 bits) is 41 times 119879mul119902(the time complexity of field multiplication in 119885119902 where qis 160 bits) 119879EM cong 29119879mul119901 119879EA cong 012119879mul119901 119879exp119901 cong240119879mul119901 cong 8119879EM and 119879EM cong 241119879EA where cong meansldquoroughly equalrdquo
Using the above setting and approximations and neglect-ing the minor computations like hashing and field addition
the complexities in Row 3 can be further simplified as followsThe complexity of our scheme is as follows (2(119898 minus 1) +2)119879mul119902 + 119879inv119902 + 119879EM + 119898119879EA + 2119879pair cong (2(119898 minus 1) +2)119879mul119902+119879inv119902+29119879mul119901+012119898119879mul119901 + 2119879pair cong 2119898119879mul119902+240119879mul119902 + 29 lowast 41119879mul119902 + 012119898 lowast 41119879mul119901 + 2119879pair cong(7119898 + 1429)119879mul119902 + 2119879pair The complexity of Harnrsquos GAS1is as follows 119896[(2(119898 minus 2) + 3)119879mul119901 +119879inv119901] + (119898 minus 1)119879add119901 +1119879ℎ cong 41119896(2119898 + 239)119879mul119902 + (119898 minus 1)119879add119901 The complexityof Harnrsquos GAS2 is as follows 2[(2(119898 minus 2) + 3)119879mul119902 + 119879inv119902]+ 119879exp119901 + (119898 minus 1)119879mul119901 + 1119879ℎ cong 2[(2(119898 minus 2) + 239)119879mul119902] +240 lowast 41119879mul119902 + 41(119898 minus 1)119879mul119902 + 1119879ℎ cong (45119898 + 1418)119879mul119902
To further simplify the complexity approximation werefer to an efficient paring implementation [5] Based onthe figures there [5] we roughly approximate one pairingoperation as 5356119879mul119902 We approximate (7119898+1429)119879mul119902 +2119879pair cong (7119898 + 6785)119879mul119902 in Row 4 From Row 4 wecan tell that Harnrsquos schemes have lower computational costthan ours when the number of participants is small butthe costs of Harnrsquos schemes grow faster than ours when thenumber of participants increases All the costs of the threeschemes increase as the number of participants increasesbut the cost of Harnrsquos GAS1 also depends on the valuek Because the parameter k in Harnrsquos GAS1 should satisfy119896119905 gt 119899 minus 1 we only compare our scheme with HarnrsquosGAS2 in Figure 1 to give us an insight of the performancesof the three schemes From Figure 1 we can see that thecost of Harnrsquos GAS2 increases much faster than ours whenthe number of participants increases When the number isaround 141 the cost of Harnrsquos GAS2 overpasses ours andincreases very fast The comparison shows that our schemenot only owns better security but also provides better com-putational performance when the number of participants islarge
6 Conclusions
In this paper we have shown the weaknesses of Harnrsquosasynchronous group authentication schemes An attacker canderive the system secrets and the membersrsquo secret tokens ifthe schemes allow multiple trials before the correspondingsecret is recovered or an attacker can easily disable thefunctions of the schemes by simply releasing invalid shares ifthe schemes donot allowmultiple trialsWehave proposed animproved scheme that allows multiple trials for each systemsecret The analysis shows that our scheme even has bettercomputational performancewhen the number of participantsis greater than 141
Security and Communication Networks 7
Conflicts of Interest
The author declares that he has no conflicts of interest
Acknowledgments
This project is partially supported by the Ministry of Scienceand Technology Taiwan under Grant no MOST 105-2221-E-260-014 The author would like to express the gratitude toKun-Bo Chen for his efforts of collecting literature
References
[1] S Kim J-Y Choi and J Jeong ldquoOn authentication signalingcosts in hierarchical LTE networksrdquo in Proceedings of 7thInternational Conference on ltitalicgtUbi-Media Computing andWorkshopsltitalicgt U-MEDIA 2014 pp 11ndash16 UlaanbaatarMongolia July 2014
[2] J Li M Wen and T Zhang ldquoGroup-based authentication andkey agreement with dynamic policy updating for MTC in LTE-A networksrdquo IEEE Internet of Things Journal vol 3 no 3 pp408ndash417 2016
[3] A Shamir ldquoHow to share a secretrdquo Communications of theAssociation for ComputingMachinery vol 22 no 11 pp 612-6131979
[4] L Harn ldquoGroup authenticationrdquo IEEETransactions on Comput-ers vol 62 no 9 pp 1893ndash1898 2013
[5] J-L Beuchat J E G Dıaz S Mitsunari E Okamoto FRodrıguez-Henrıquez and T Teruya High-Speed SoftwareImplementation of the Optimal Ate Pairing over Barreto-Naehrig Curvesrdquo IACREprint 2010354 httpseprintiacrorg2010354pdf
[6] A Jurisic and A J Menezes Elliptic Curves and CryptographyCerticomWhitepaper 1997
[7] D Boneh and M Franklin ldquoIdentity-based encryption fromthe Weil pairingrdquo in Proceeding of the Advances in Cryptol-ogymdashCRYPTO 2001 vol 2139 of Lecture Notes in ComputerScience pp 213ndash229 Springer-Verlag Santa Barbara CalifUSA 2001
[8] National Security Agency the US ldquoThe Case for Elliptic CurveCryptographyrdquo httpswwwnsagovbusinessprogramsellip-tic_curveshtml Accessed 25 Dec 2014
RoboticsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Active and Passive Electronic Components
Control Scienceand Engineering
Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
International Journal of
RotatingMachinery
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporation httpwwwhindawicom
Journal of
Volume 201
Submit your manuscripts athttpswwwhindawicom
VLSI Design
Hindawi Publishing Corporationhttpwwwhindawicom Volume 201
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Shock and Vibration
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Civil EngineeringAdvances in
Acoustics and VibrationAdvances in
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Electrical and Computer Engineering
Journal of
Advances inOptoElectronics
Hindawi Publishing Corporation httpwwwhindawicom
Volume 2014
The Scientific World JournalHindawi Publishing Corporation httpwwwhindawicom Volume 2014
SensorsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Modelling amp Simulation in EngineeringHindawi Publishing Corporation httpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Chemical EngineeringInternational Journal of Antennas and
Propagation
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Navigation and Observation
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
DistributedSensor Networks
International Journal of
6 Security and Communication Networks
Table 1 Summaries of performance of group authentication schemes
Ours Harnrsquos GAS1 Harnrsquos GAS2Securities under multiple trials foreach secret
Allow multiple authenticationswith multiple trials
Attackers can disclose systemrsquossecrets and usersrsquo secret tokens
Attackers can disclose systemrsquossecrets and usersrsquo secret tokens
Each userrsquos computational cost forone group authentication(detailed)
(2(119898 minus 1) + 2)119879mul119902 + 119879inv119902 +119879EM + 119898119879EA + 2119879pair
119896[(2(119898 minus 2) + 3)119879mul119901 + 119879inv119901] +(119898 minus 1)119879add119901 + 1119879ℎ
2[(2(119898 minus 2) + 3)119879mul119902 + 119879inv119902] +119879exp119901 + (119898 minus 1)119879mul119901 + 1119879ℎ
Approximated complexities(based on the figures from [5])
(7119898 + 1429)119879mul119902 + 2119879pair cong(7119898 + 6785)119879mul119902
41119896(2119898 + 239)119879mul119902 + (119898 minus1)119879add119901 + 1119879ℎ cong
41119896(2119898+239)119879mul119902 +(119898minus1)119879add119901(45119898 + 1418)119879mul119902
3 10 50 100 150 200 250 300 350
Comparison of approximated cost
OursHarnrsquos GAS2
02000400060008000
100001200014000160001800020000
Figure 1The comparison of computational cost versus the numberof participants The unit of the cost is 119879mul119902
computing 1199041015840 and takes 1119879ℎ for verifying ℎ(119904)= ℎ(1199041015840) Each
participant totally takes 119896[(2(119898minus2)+3)119879mul119901 +119879inv119901] + (119898minus1)119879add119901 + 1119879ℎ
Each participant in Harnrsquos GAS2 takes [(2(119898 minus 2) +3)119879mul119902 + 119879inv119902] for computing 119888V takes 119879exp119901 for computing119890V takes (119898 minus 1)119879mul119901 for computing 1199041015840119894 and takes 1119879ℎ forverifying ℎ(119904119894)
= ℎ(1199041015840119894 ) Each participant totally takes [(2(119898 minus2) + 3)119879mul119902 + 119879inv119902] + 119879exp119901 + (119898 minus 1)119879mul119901 + 1119879ℎ
Table 1 summarizes the performance Row 2 lists thesecurity properties Only our scheme can resist an attackerfrom deriving the secrets when the schemes allow multipletrials Row 3 lists the detailed computational complexityBased on Row 3 it is still difficult to get an insight of thecomplexities since they involve quite different operationsWetherefore further evaluate the computational cost under thepractical setting from NSA [8] and the algebra equations ofelliptic curve operations [6] The security of ECC with 160-bit key is roughly equivalent to that of RSA with 1024-bit keyor D-H algorithm with 1024-bit key So let us assume thatthe q (the order of 1198661 and 1198662) in our scheme is 160 bitsand p in Harnrsquos schemes is 1024 bits Under the above settingand approximations 119879mul119901 (the time complexity of a fieldmultiplication in 119885119901 where p is 1024 bits) is 41 times 119879mul119902(the time complexity of field multiplication in 119885119902 where qis 160 bits) 119879EM cong 29119879mul119901 119879EA cong 012119879mul119901 119879exp119901 cong240119879mul119901 cong 8119879EM and 119879EM cong 241119879EA where cong meansldquoroughly equalrdquo
Using the above setting and approximations and neglect-ing the minor computations like hashing and field addition
the complexities in Row 3 can be further simplified as followsThe complexity of our scheme is as follows (2(119898 minus 1) +2)119879mul119902 + 119879inv119902 + 119879EM + 119898119879EA + 2119879pair cong (2(119898 minus 1) +2)119879mul119902+119879inv119902+29119879mul119901+012119898119879mul119901 + 2119879pair cong 2119898119879mul119902+240119879mul119902 + 29 lowast 41119879mul119902 + 012119898 lowast 41119879mul119901 + 2119879pair cong(7119898 + 1429)119879mul119902 + 2119879pair The complexity of Harnrsquos GAS1is as follows 119896[(2(119898 minus 2) + 3)119879mul119901 +119879inv119901] + (119898 minus 1)119879add119901 +1119879ℎ cong 41119896(2119898 + 239)119879mul119902 + (119898 minus 1)119879add119901 The complexityof Harnrsquos GAS2 is as follows 2[(2(119898 minus 2) + 3)119879mul119902 + 119879inv119902]+ 119879exp119901 + (119898 minus 1)119879mul119901 + 1119879ℎ cong 2[(2(119898 minus 2) + 239)119879mul119902] +240 lowast 41119879mul119902 + 41(119898 minus 1)119879mul119902 + 1119879ℎ cong (45119898 + 1418)119879mul119902
To further simplify the complexity approximation werefer to an efficient paring implementation [5] Based onthe figures there [5] we roughly approximate one pairingoperation as 5356119879mul119902 We approximate (7119898+1429)119879mul119902 +2119879pair cong (7119898 + 6785)119879mul119902 in Row 4 From Row 4 wecan tell that Harnrsquos schemes have lower computational costthan ours when the number of participants is small butthe costs of Harnrsquos schemes grow faster than ours when thenumber of participants increases All the costs of the threeschemes increase as the number of participants increasesbut the cost of Harnrsquos GAS1 also depends on the valuek Because the parameter k in Harnrsquos GAS1 should satisfy119896119905 gt 119899 minus 1 we only compare our scheme with HarnrsquosGAS2 in Figure 1 to give us an insight of the performancesof the three schemes From Figure 1 we can see that thecost of Harnrsquos GAS2 increases much faster than ours whenthe number of participants increases When the number isaround 141 the cost of Harnrsquos GAS2 overpasses ours andincreases very fast The comparison shows that our schemenot only owns better security but also provides better com-putational performance when the number of participants islarge
6 Conclusions
In this paper we have shown the weaknesses of Harnrsquosasynchronous group authentication schemes An attacker canderive the system secrets and the membersrsquo secret tokens ifthe schemes allow multiple trials before the correspondingsecret is recovered or an attacker can easily disable thefunctions of the schemes by simply releasing invalid shares ifthe schemes donot allowmultiple trialsWehave proposed animproved scheme that allows multiple trials for each systemsecret The analysis shows that our scheme even has bettercomputational performancewhen the number of participantsis greater than 141
Security and Communication Networks 7
Conflicts of Interest
The author declares that he has no conflicts of interest
Acknowledgments
This project is partially supported by the Ministry of Scienceand Technology Taiwan under Grant no MOST 105-2221-E-260-014 The author would like to express the gratitude toKun-Bo Chen for his efforts of collecting literature
References
[1] S Kim J-Y Choi and J Jeong ldquoOn authentication signalingcosts in hierarchical LTE networksrdquo in Proceedings of 7thInternational Conference on ltitalicgtUbi-Media Computing andWorkshopsltitalicgt U-MEDIA 2014 pp 11ndash16 UlaanbaatarMongolia July 2014
[2] J Li M Wen and T Zhang ldquoGroup-based authentication andkey agreement with dynamic policy updating for MTC in LTE-A networksrdquo IEEE Internet of Things Journal vol 3 no 3 pp408ndash417 2016
[3] A Shamir ldquoHow to share a secretrdquo Communications of theAssociation for ComputingMachinery vol 22 no 11 pp 612-6131979
[4] L Harn ldquoGroup authenticationrdquo IEEETransactions on Comput-ers vol 62 no 9 pp 1893ndash1898 2013
[5] J-L Beuchat J E G Dıaz S Mitsunari E Okamoto FRodrıguez-Henrıquez and T Teruya High-Speed SoftwareImplementation of the Optimal Ate Pairing over Barreto-Naehrig Curvesrdquo IACREprint 2010354 httpseprintiacrorg2010354pdf
[6] A Jurisic and A J Menezes Elliptic Curves and CryptographyCerticomWhitepaper 1997
[7] D Boneh and M Franklin ldquoIdentity-based encryption fromthe Weil pairingrdquo in Proceeding of the Advances in Cryptol-ogymdashCRYPTO 2001 vol 2139 of Lecture Notes in ComputerScience pp 213ndash229 Springer-Verlag Santa Barbara CalifUSA 2001
[8] National Security Agency the US ldquoThe Case for Elliptic CurveCryptographyrdquo httpswwwnsagovbusinessprogramsellip-tic_curveshtml Accessed 25 Dec 2014
RoboticsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Active and Passive Electronic Components
Control Scienceand Engineering
Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
International Journal of
RotatingMachinery
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporation httpwwwhindawicom
Journal of
Volume 201
Submit your manuscripts athttpswwwhindawicom
VLSI Design
Hindawi Publishing Corporationhttpwwwhindawicom Volume 201
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Shock and Vibration
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Civil EngineeringAdvances in
Acoustics and VibrationAdvances in
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Electrical and Computer Engineering
Journal of
Advances inOptoElectronics
Hindawi Publishing Corporation httpwwwhindawicom
Volume 2014
The Scientific World JournalHindawi Publishing Corporation httpwwwhindawicom Volume 2014
SensorsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Modelling amp Simulation in EngineeringHindawi Publishing Corporation httpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Chemical EngineeringInternational Journal of Antennas and
Propagation
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Navigation and Observation
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
DistributedSensor Networks
International Journal of
Security and Communication Networks 7
Conflicts of Interest
The author declares that he has no conflicts of interest
Acknowledgments
This project is partially supported by the Ministry of Scienceand Technology Taiwan under Grant no MOST 105-2221-E-260-014 The author would like to express the gratitude toKun-Bo Chen for his efforts of collecting literature
References
[1] S Kim J-Y Choi and J Jeong ldquoOn authentication signalingcosts in hierarchical LTE networksrdquo in Proceedings of 7thInternational Conference on ltitalicgtUbi-Media Computing andWorkshopsltitalicgt U-MEDIA 2014 pp 11ndash16 UlaanbaatarMongolia July 2014
[2] J Li M Wen and T Zhang ldquoGroup-based authentication andkey agreement with dynamic policy updating for MTC in LTE-A networksrdquo IEEE Internet of Things Journal vol 3 no 3 pp408ndash417 2016
[3] A Shamir ldquoHow to share a secretrdquo Communications of theAssociation for ComputingMachinery vol 22 no 11 pp 612-6131979
[4] L Harn ldquoGroup authenticationrdquo IEEETransactions on Comput-ers vol 62 no 9 pp 1893ndash1898 2013
[5] J-L Beuchat J E G Dıaz S Mitsunari E Okamoto FRodrıguez-Henrıquez and T Teruya High-Speed SoftwareImplementation of the Optimal Ate Pairing over Barreto-Naehrig Curvesrdquo IACREprint 2010354 httpseprintiacrorg2010354pdf
[6] A Jurisic and A J Menezes Elliptic Curves and CryptographyCerticomWhitepaper 1997
[7] D Boneh and M Franklin ldquoIdentity-based encryption fromthe Weil pairingrdquo in Proceeding of the Advances in Cryptol-ogymdashCRYPTO 2001 vol 2139 of Lecture Notes in ComputerScience pp 213ndash229 Springer-Verlag Santa Barbara CalifUSA 2001
[8] National Security Agency the US ldquoThe Case for Elliptic CurveCryptographyrdquo httpswwwnsagovbusinessprogramsellip-tic_curveshtml Accessed 25 Dec 2014
RoboticsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Active and Passive Electronic Components
Control Scienceand Engineering
Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
International Journal of
RotatingMachinery
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporation httpwwwhindawicom
Journal of
Volume 201
Submit your manuscripts athttpswwwhindawicom
VLSI Design
Hindawi Publishing Corporationhttpwwwhindawicom Volume 201
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Shock and Vibration
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Civil EngineeringAdvances in
Acoustics and VibrationAdvances in
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Electrical and Computer Engineering
Journal of
Advances inOptoElectronics
Hindawi Publishing Corporation httpwwwhindawicom
Volume 2014
The Scientific World JournalHindawi Publishing Corporation httpwwwhindawicom Volume 2014
SensorsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Modelling amp Simulation in EngineeringHindawi Publishing Corporation httpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Chemical EngineeringInternational Journal of Antennas and
Propagation
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Navigation and Observation
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
DistributedSensor Networks
International Journal of
RoboticsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Active and Passive Electronic Components
Control Scienceand Engineering
Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
International Journal of
RotatingMachinery
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporation httpwwwhindawicom
Journal of
Volume 201
Submit your manuscripts athttpswwwhindawicom
VLSI Design
Hindawi Publishing Corporationhttpwwwhindawicom Volume 201
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Shock and Vibration
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Civil EngineeringAdvances in
Acoustics and VibrationAdvances in
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Electrical and Computer Engineering
Journal of
Advances inOptoElectronics
Hindawi Publishing Corporation httpwwwhindawicom
Volume 2014
The Scientific World JournalHindawi Publishing Corporation httpwwwhindawicom Volume 2014
SensorsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Modelling amp Simulation in EngineeringHindawi Publishing Corporation httpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Chemical EngineeringInternational Journal of Antennas and
Propagation
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Navigation and Observation
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
DistributedSensor Networks
International Journal of
