A Group Key Establishment Scheme

Group authentication is a method of confirming that a set of users belong to a group and of distributing a common key among them. Unlike standard authentication schemes, where one central authority authenticates users one by one, group authentication can handle the authentication process at once for all members of the group. The recently presented group authentication algorithms mainly exploit Lagrange's polynomial interpolation along with elliptic curve groups over finite fields. As a fresh approach, this work suggests the use of linear spaces for group authentication and key establishment for a group of any size. The approach with linear spaces reduces the computation and communication load needed to establish a common shared key among the group members. The advantages of using vector spaces make the proposed method applicable to energy- and resource-constrained devices. In addition to providing lightweight authentication and key agreement, this proposal allows any user in a group to make a non-member a member, which is expected to be useful for autonomous systems in the future. The scheme is designed so that the sponsors of such members can easily be recognized by anyone in the group. Unlike other group authentication schemes based on Lagrange's polynomial interpolation, the proposed scheme does not give adversaries a tool to compromise the whole group's secrets using only a few members' shares, and it allows a non-member to be recognized easily, which prevents service interruption attacks.




I Introduction

Authentication is a process of verifying the identity of an entity; in other words, it is a process for deciding whether or not a user is really who it claims to be [SSL, PGP]. Since it has a vital role in establishing secure communication and confidential data transmission, it is important to utilize an efficient and reliable authentication process. In a densely populated network with a high number of devices connected to each other, the authentication task becomes challenging in terms of the storage, energy, communication and computation power it needs. Alongside the authentication process, the additional security measure of secret key distribution among the users in a network places an unbearable computational burden on resource-constrained devices in particular when standard cryptographic primitives are employed. In order to reduce this high computational complexity of authentication and key agreement processes, group authentication schemes (GASs) have been presented as a solution instead of one-to-one authentication.
A GAS is a process that has the same purpose as authentication algorithms, but it authenticates all users in the same group at once instead of one by one. Considering the energy consumption and the computational power required by sequential (i.e. one by one) authentication methods, a GAS can be seen as a proper alternative. Since recent developments in communication systems require new authentication algorithms, various group authentication schemes have been presented since the first version was introduced by Harn [Harn]. Almost all group authentication schemes so far utilize Lagrange's polynomial interpolation. However, these schemes come with some problems: managing the scalability of the algorithm in terms of the desired security level when the number of users in the group increases, reducing the communication load for distributing the secret shares and generating the master key, and dealing with the computational complexity when an elliptic curve over a finite field is utilized for the sake of security. Below, we delve a bit more deeply into these problems posed by the current GASs.

Scalability with security: In practice, an application using group authentication might need to deal with a high number of users in a group. With the increase in the number of devices connected to each other, there might be difficulties in the group authentication and key sharing methods. The current practical algorithms offer a trade-off between security and operational cost, and it is challenging to determine the most suitable group authentication method for each case. In the current group authentication algorithms, combining a certain number of group users' private information eventually leads to all users' secrets. Therefore, in such cases the group security is compromised by an adversary who obtains only some members' private information.

The larger the group is, the more members' secrets are required to compromise it in polynomial interpolation based algorithms. That means a scalable GAS might provide a lower security level than a non-scalable one. In other words, a scalable group authentication algorithm might not provide the desired security level [YA], while the desired security level can be achieved only by compromising scalability. The proposed algorithm is designed to be both scalable and to provide a higher security level.
Communication cost: In GASs inspired by Shamir's secret sharing algorithm [SSS], the public keys are random numbers and the private keys are the images of these random numbers under the group manager's private function [Harn]. The main drawback of all these group authentication algorithms is that several communications are required to construct the group secret. The group secret has to be obtained by each member of the group in order to communicate securely among the members of the group. Each member therefore goes through the same process to obtain this secret key. This process might include sharing secrets with other members. In addition to the high communication cost, such a sharing operation, if not secure, might give an eavesdropper an opportunity to capture the group secret.
Computational complexity: In order to add an extra security layer, current methods utilize elliptic curves over finite fields along with polynomial interpolation [YA]. The security of the system then depends on the hardness assumption of the discrete logarithm problem (DLP) in an elliptic curve group over a finite field. On the other hand, interpolating points in the Euclidean plane might itself be considered costly, let alone involving group operations in an elliptic curve group. A single addition or doubling in an elliptic curve group costs more than 12 multiplications in a finite field. A powering algorithm in an elliptic curve group providing a hard DLP might need to perform at least thousands of multiplications in a finite field. Even though these operations are tolerable in terms of energy usage and computational power at first, frequent authentication or key sharing might not be bearable in situations where power-constrained devices are involved.
In order to jointly address the aforementioned problems, the proposed GAS offers a mathematical algorithm based on projection onto a vector space. The scheme provides a scalable lightweight group authentication algorithm with the desired security level and requires a small number of operations for key exchange and authentication in a group regardless of the number of members in the group. Thereby it is suitable for adoption by devices with limited resources. In addition to these advancements, in this proposal the private information of each device is independent of one another. In other words, even if an adversary obtains all members' private keys but one, the adversary cannot extract any information about that member's secret key.

I-a Advantages of the Proposed Scheme:

As a fresh new approach, the proposed lightweight group key establishment scheme relies solely on inner product operations, which might require univariate polynomial arithmetic depending on the selected inner product space. Due to the nature of inner product spaces, the proposed algorithm has the following advantages that are not offered by the well-known group authentication algorithms. These advantages make the proposed scheme a likely candidate for practical authentication and key establishment in communication systems.

Advantage 1

The group key establishment does not require each individual in the group to have the other members' shares. In other words, publicly known information released by the group manager is enough for a member of the group to extract the group secret. In this way, the security risk coming from exchanging members' shares among the peers is removed completely, and this reduces communication costs among the members dramatically.

Advantage 2

Secure communication among the members of a group first requires the authentication of members if a usual group authentication algorithm is employed. The key establishment of the proposed scheme is set up so that a non-member cannot continue exchanging data with the members, and this removes the authentication step. Since a non-member cannot extract the key, the additional authentication phase is not necessary.

Advantage 3

The cost of extracting the key or of authentication is independent of the number of users in the group. On the other hand, the group authentication algorithms based on polynomial interpolation set up the group function according to the number of users. In some cases, more members imply costlier operations [Harn]. Even though a scalable GAS was presented in [YA], it still constructs the function based on the number of members in the group.

Advantage 4

In the proposed method, any member can add a non-member to the group, and any new peer's sponsor can easily be recognized by the other members of the group. As for other group authentication algorithms, in order for a member to add an additional member to a group, it has to have all the privileges of the group manager. In other words, if a member of a group is going to add a non-member to the group, the member has to know the function which was first selected by the group manager. Whoever has this function can add any user to the group, and no one can recognize the actual sponsor of the newly added member.

Advantage 5

In a GAS based on polynomial interpolation, the security of the whole group communication is directly related to the group secret function generated by the group manager. Interestingly, this function can be revealed if a certain number of users' private information is combined. Therefore, if an adversary has that number of users' data, the secure communication is completely compromised. In such situations, the private keys of all members are also compromised by the adversary. In the proposed method, if an adversary obtains the private keys of some members, it cannot fully control the other members' private information. Hence, the secret of each individual remains independent of the others.

Advantage 6

The GASs based on the idea of secret sharing authenticate users by combining a certain number of members' shares when the group manager is not available. Only when all shares are legitimate does the method confirm the users. In other words, even if one user is not legitimate, existing GASs cannot continue the authentication process, nor can they pinpoint the illegitimate users in the group. This might cause an interruption of service even if a single adversary is attacking the group authentication process. The proposed method allows any member of the group to locate a non-member easily, and this prevents the group from such an attack, which may eventually lead to a denial of service (DoS) [ddos].

The remaining part of the paper is organized as follows. In Section II, related studies in the general area of authentication, in particular group authentication, and the mathematical background are presented. Section III is devoted to describing the proposed method along with its security analysis. The conclusion and future plans are given in Section IV.

II Background

The day-by-day increase in the number of communication devices (especially IoT devices, which have become an important part of our lives) compels researchers to look for non-traditional methods to secure digital communication [IoTSoc]. The first constraint that stands out when designing secure protocols is the presence of devices with limited energy and computational resources. In other words, considering the widespread use of these devices and their communication with each other despite their resource constraints, data privacy and authentication are the main issues for resource-constrained devices. Therefore, traditional methods employing a public key algorithm [DH, ElGamal, RSA] for authentication and key agreement are not suitable for the structure of mobile devices' environments for several reasons: one of the major reasons is the high computational load required when implementing public key algorithms, and the second one is the overload of responding to every device's requests separately. In fact, utilizing any of these public key algorithms in an authentication scheme also requires a certification authority. Indeed, certification is indispensable to prevent the well-known man-in-the-middle attack [maninthemiddle]. In addition to the need for high computational power, the additional communication load with the certification authority might bring an unbearable computational burden. Considering all these problems with the usual authentication schemes, a GAS might be the most suitable solution for resource-constrained devices.
One of the most useful tools for constructing a GAS is a secret sharing algorithm. The first study on the topic of threshold secret sharing schemes was presented by Shamir [SSS]. With this algorithm, a secret is divided into a number of pairs to be distributed among the shareholders as their private keys. The secret can only be recovered by a member when it has as many shares as the threshold value. It is obvious that Shamir's secret sharing algorithm cannot resist if a certain number (the threshold or more) of shares are compromised. In other words, any adversary can obtain the secret by having as many shares as the threshold value.
The work proposed by Harn [Harn] exploits polynomial interpolation in three different authentication schemes, as in the case of the secret sharing algorithm. In the first scheme, a polynomial of degree  is selected and its constant term, say , is set to be the secret group key by the group manager . Then the  calculates the private key , where the public key  is to be sent to the corresponding user . For authentication, users release their tokens, and once each user has  shares in total they can compute the group key:

This method is secure when private key sharing is done simultaneously, otherwise any adversary can obtain the group key by having or more shares via constructing the polynomial with these shares. Harn has proposed the second scheme in case sharing is asynchronous. In the token generation phase, the selects random polynomials having degree such that for . Then, it sets the secret key for user as for and public keys for where for any secret are constructed by as:

For authentication part each user, , computes

After this calculation, each user releases the result and then all user can calculate

In the following step users verify whether the equality, , holds, and then the authentication process is completed, that is, all users have been authenticated. In this method, the security of group authentication is provided since an adversary cannot obtain any information about the private tokens of users in the group. However, this method can be used only once. In other words, once the secret key  is revealed to users and the authentication phase is completed successfully,  cannot be used as a secret any more.
In order to remedy this deficiency, Harn proposed another authentication scheme. This scheme is suitable for multiple authentications. In this third proposal, the group manager first selects two large primes  and  such that  divides , generators of , and two polynomials  for which both have degree .  then selects random integers , for , to compute each secret

The randomly chosen integers and the hash values are made publicly known by . For group authentication each user can compute

via their tokens and then computes to share other users in the group. Once the users have all for each one computes

and checks if . If the equality holds, authentication of all the users in the group is done. Otherwise, there must be at least one user which is not a group member. Note that an attacker cannot obtain any information about  by having , thanks to the hardness assumption of the discrete logarithm problem. All the methods summarized above have certain vulnerabilities which prevent them from being employed in practice, and a relevant method for group authentication has been introduced in [YA]. The elliptic curve discrete logarithm problem (ECDLP) is utilized in this work to provide a certain security level for the group authentication algorithm. In the initialization phase the group manager determines a cyclic group , a generator  for it, an encryption and a decryption algorithm , and a hash function .  also selects a polynomial  of degree  whose constant term is the master secret . Each user  for  in the group has one public information  and one private information . Lastly, the group manager computes the value  and makes  and 's publicly known and shares  with the user privately. For handling authentication, each user computes  and sends it to  in the group by concatenating this information with its identification number. This prevents the public share from being used by any other user in future communications. If the  is responsible for the authentication part, it computes  for each user and compares the results with the received values. If all of them are valid, verification is done successfully. Otherwise, the users which are not group members can be determined by . If  is not included in the verification phase, any user that collects  from the others in the group can handle authentication by computing

This verifier node checks whether

If the equation is satisfied, then the authentication is done successfully. Otherwise, a non-member or non-members of the group have tried to join the authentication phase, but it is not possible to determine which sender is the culprit. We should emphasize here that, as in the case of Harn's group authentication methods, in the scenario where the group manager is not involved it is not easy to find the user or users which are not group members.
In addition to authentication, a Diffie-Hellman-like key exchange method is exploited in the key agreement stage for private communication between two members. Consider users  and  which are to establish a secret between them. They both compute , where . The user  sends  to , and an adversary can obtain 's private token from this only if the adversary can solve the ECDLP. Similarly, the user  sends  to  and obtains the shared key by using its private key .
In the group key agreement phase, each user utilizes a symmetric key algorithm to share its own private information . Each user decrypts the received information, obtains  for , and computes

The key agreement part ends with checking whether  holds.
There are several works on authentication based on Shamir's secret sharing algorithm. One of them is a selective group authentication scheme for IoT-based medical information systems [healtcaresystem]. This proposal aims to solve security problems in healthcare services such as misuse of medical devices, illegal access to medical services and so on. For this purpose, a group authentication scheme using Shamir's threshold technique is presented, but it is not suitable for resource-limited devices since a lot of communication is needed even for a single user to authenticate. Another secret sharing-based group authentication study is [graycode]. In this work, the Gray code is used to construct the shares and the XOR operation is used to reconstruct the secret. Even though it differs from traditional secret sharing studies in this aspect, the part describing how to share the key between users in the group is missing. In addition, the key establishment scheme in the proposal is for a group of a fixed number of members (3 or 7 users). The protocol in [vandermonde] employs a linear secret sharing scheme using a Vandermonde matrix instead of the classic version to distribute pairs of the group key. The purpose of this work is to reduce the computation load of the group authentication phase for energy-constrained IoT devices.
There is also another mathematical approach to group authentication [CRT]. This proposal is based on the Chinese remainder theorem (CRT). That is, if any user has shadows up to , the secret value  can be computed using the CRT. Another group authentication study, which uses Paillier threshold cryptography as a tool, is proposed in [mahallethreshold]. They have compared the running time of their work with Harn's algorithms and show that their experimental results are better than Harn's work. However, it should be noted that they did not count the cost of public and private key encryptions, and the scalability issue is not considered. Apart from mathematically based algorithms, various other types of algorithms have been proposed for authentication. A machine learning tool along with biometrics has been proposed to perform authentication in IoT systems [ML]. The method asks users to have a certain share to be authenticated, and it is only suitable for small groups. An authentication method for dynamic groups has been investigated in [dynamic]. The method requires aggregation of users' shares to conduct authentication in machine type communication. A lightweight authentication method is presented especially for machine-to-machine communication in [24]. Each user performs computations to obtain their authentication codes to be sent to the group manager, and the group manager authenticates users based on the received codes.

The algorithm in this work is based on the inner product on a vector space. For the sake of completeness, a brief summary of inner product and orthogonal projection are presented in the following part.

II-A Approximation with an Orthogonal Projection

The approximation problem has been at the center of interest for the applied sciences [eigenfaces], [orthogonalprojection]. In a universal space , it might be easier to work with a well-behaved subspace  of it. For example, if  is the space of all continuous functions defined on , the polynomial subspace  of  is more convenient to work with. In that respect, for any element  in , the important problem is to find an element  in  such that  is the closest to  in . The distance function, or so-called norm, is defined in terms of an inner product. The closest vector  varies with the defined distance function, as does the method of finding such . One of the oldest and most popular methods, which exploits the defined inner product and works well in most situations, is given in [Kincaid, Section 6.9]. In this method,  is the best approximation to  in  if and only if  is perpendicular to all vectors in , as depicted in Fig. 1.

Figure 1: The best approximation to is the projection vector.

Once a basis  for the subspace  is determined, locating the best approximation  is just a computational task. As  lies in ,  can be written as

where ’s are in the base field for . Solving the following linear systems for determines ;

The other way or sometimes the easiest way is to convert the basis to an orthonormal basis . Then

where again  The computational load in this approach occurs while converting  to  via the Gram-Schmidt orthogonalization method [GS]. The computational load depends on the selected inner product space and the inner product itself. For example, a suitable universal set is a polynomial space . An inner product on  can be chosen to be the standard one:

A subspace  of  can be selected as the set of all polynomials of degree . The proposed algorithm distributes random elements of the selected subspace to the members of the group. For , the algorithm selects 5 random elements. In other words, the method randomly picks  in the base field; then

is the random element in .

III Proposed Method

In this work, inner product spaces, whose elements are generally polynomials, are exploited for a group authentication and key establishment scheme. An inner product space is the main object in our scheme. The idea emerged from the realization that a finite-dimensional subspace of a vector space has infinitely many bases, and once a user has any basis for the subspace, it has every privilege that the others having a basis for the same subspace have. The secrets are constructed with the predefined subspace, and apart from the group members, no one else can construct the group secret. Once the initial distribution of bases to group members is completed, the group members can construct the secure key and establish a secure communication network. Moreover, the members can privately exchange data with the group manager and with other peers in the group.
Let  denote a group and  represent a member of it for some integers . The group manager, denoted by  for a group , is assumed to have more computational power and energy resources compared to the other members of the group. In general, the authentication of a user in the group is expected to be handled by the group manager. Note that the proposed method also describes a way of authentication by any other member of the group . All groups in the scheme employ a subspace  of a predetermined universal inner product space . One might select  to be an infinite-dimensional vector space; for example,  can be all polynomials over a finite field .
A basis for is selected to be a secret of the group manager , that is,

The nature of the subspace  allows one to select infinitely many bases for it, and in some cases it is enough to know any basis for  to reveal the secret key. On the other hand, the design of the algorithm forces one to have knowledge of the selected basis to compromise the secret of the group as a whole. In other words, realizing the subspace  of  allows one to obtain certain secrets of the group. Therefore, the group manager keeps  and the selected basis secret. The group manager also employs a randomly selected function  while distributing the secrets of individuals. The selected function can be a polynomial of large degree . The security analysis in the next part indicates that the integer  should be larger than the expected number of users in the group . The group manager has the following secret information:

Figure 2: The group manager’s secrets

Any user in the group is given a public key which in general is selected to be an integer. The secret of is

where  are numbers selected randomly by the corresponding group manager, as depicted in Figure 3. These numbers stay the same for all members of the group. Note that each group member will have a linearly independent set in , and these bases act as the secret keys of the respective members.

Figure 3: The first registration of a user takes place in a secure channel.

The security of group communication in the proposal cannot be compromised by an attacker who obtains only some users' shares. In other words, since the private information of each individual is independent of one another, if an adversary obtains all members' private keys but one, the adversary cannot learn any information about that member's secret, nor can it construct the function  from which the group manager generates the secrets of other users, as long as the degree of it is greater than the number of users involved in the authentication process.

III-1 Authentication of users in a group

The first part of the proposed scheme is in charge of authentication in the group. Let  be a user to be authenticated by the group manager . The group manager randomly selects a vector  in the universal space  such that . The group manager publishes . The user  computes

and then encrypts the first coordinate of ’s basis. The encryption should be handled via a symmetric key algorithm, say AES for example, and the key is . In other words, the user computes

where is an encryption function. The received cipher is decrypted by the same secret key as the group manager has also a basis for the subspace . In fact, the decryption function with the key and the input results in

The manager has and the function . The public information of the user is known by everyone including the group manager. The manager then checks if the below equation

holds. Note that if the data coming from the user is the actual data then

Note that the group manager itself only has the knowledge of .

1:  The group manager  sends the arbitrarily chosen vector  in  such that  to the user .
2:   computes  to use it as the encryption key of an encryption function  to encrypt the first element of 's basis set.
3:   sends the cipher  to .
4:  Once  receives the cipher, it decrypts it with the decryption function  using the same key and obtains 
5:   computes  and checks whether the result is equal to ; if so, authentication of  is done.
Algorithm 1 : One by One Authentication with Group Manager

The authentication might need to be conducted by the GM for its users one by one in certain cases. In such a case, if a non-member tries to infiltrate the group, the manager immediately recognizes it during the authentication process. In fact, the process forces one to know a point on the graph of  as well as the subspace  and the basis earlier determined by . The ability to recognize anyone trying to impersonate a group member prevents DoS attacks on the system. The first step in the authentication process uses a random vector  to obtain a common secret between the two communicating parties. The arbitrary vector varies in each run, therefore a replay attack is not possible in the authentication phase.

III-2 Establishing Group Secret

The process of generating a group secret also assures that a non-member cannot join the group communication. In other words, the key establishment scheme stands in for group authentication. Therefore, the one by one authentication process can be skipped and the group key establishment phase is used instead. The group secret can be established under the direction of the group leader or any trusted element in the group. In what follows, the group manager is in charge of establishing the group secret. The manager selects a random vector  such that . This vector is made public, and the group secret is extracted from it by computing

Note that computing  requires knowledge of any basis for the subspace ; in other words, the projection of  onto the subspace  of  is the same regardless of which basis for  is used.

1:  The group manager  selects a random vector  such that  and makes it public.
2:  The group key can be obtained by anyone having a basis for . The secret is constructed by computing , and it is then used for the confidentiality of data exchanged among group members.
Algorithm 2 : Group Authentication and Key Agreement

The secret is then used as the key of any symmetric key algorithm for the confidentiality of messages. Constructing the group secret key doesn’t require any exchange of data among users in the group, since each peer can obtain the key using its own tokens, which are the basis elements of . Unlike other group authentication methods, every user in the group can extract the group key without any other user’s private information, which eliminates the security concerns users have when sharing their secrets. In terms of communication cost, each user needs to communicate only once to extract the secret: obtaining the group key costs a single projection operation for each user and the selected vector is public.

Note that the number of users in the group doesn’t affect the cost of authentication, as opposed to secret sharing based group authentication methods.

III-3 Adding a user to a group by a member

In certain situations, the group manager might not be available to handle adding new members to the group, or each member of might be given the privilege of registering a user to the group. In such cases, a member can add a non-member, denoted by , to the group, and that user can then communicate securely with the users in the group. Interestingly, the group manager can easily recognize the group member who added to the group. might or might not be given all privileges of a group member until it becomes a member via the group manager . Consider the group member which has the following basis set:

The sponsor selects a number randomly and constructs a new basis for :

The new basis is given to the new user . The public key of is

where is the public key of , and is the index of the users selected by .

The sponsor does not need to know the function to add the user to the group conversation. Note that the user can easily obtain the group secret using its basis , and the new user’s sponsor can be recognized from its public key by anyone, or from its private key by the group manager, who holds the function .

1:  The user selects a number randomly and constructs a new basis set from by multiplying each element of with , in order to add the non-member to the group.
2:  The new basis is given to , which thereby becomes a sponsored user; it can become a regular user of the group once approves.
Algorithm 3 : Making A User A Group Member
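The key extraction of Algorithm 2 and the sponsoring step of Algorithm 3, as an added example that is not the paper’s own code: the projection is computed by the linear-system (normal equation) method described in Section III-B, and the field GF(2^61 - 1), the dimensions, the constructed test vectors and the SHA-256 hashing of the projection into a symmetric key are our own assumptions.

```python
import hashlib
import random

P = 2**61 - 1  # constructed prime field GF(P); the paper leaves the field size as a security parameter

def dot(u, v):
    return sum(a * b for a, b in zip(u, v)) % P

def solve_mod_p(A, b):
    """Gaussian elimination over GF(P). Raises if A (the Gram matrix) is singular."""
    t = len(b)
    M = [A[i][:] + [b[i]] for i in range(t)]
    for c in range(t):
        piv = next((r for r in range(c, t) if M[r][c]), None)
        if piv is None:
            raise ValueError("singular Gram matrix: the basis needs to be re-chosen")
        M[c], M[piv] = M[piv], M[c]
        inv = pow(M[c][c], P - 2, P)
        M[c] = [x * inv % P for x in M[c]]
        for r in range(t):
            if r != c and M[r][c]:
                f = M[r][c]
                M[r] = [(x - f * y) % P for x, y in zip(M[r], M[c])]
    return [M[i][t] for i in range(t)]

def project(v, basis):
    """Orthogonal projection of v onto span(basis): solve the normal equations, then recombine."""
    gram = [[dot(bi, bj) for bj in basis] for bi in basis]
    c = solve_mod_p(gram, [dot(v, bi) for bi in basis])
    return [sum(ci * bi[k] for ci, bi in zip(c, basis)) % P for k in range(len(v))]

def group_key(public_vec, basis):
    """Algorithm 2, member side: project the GM's public vector; hashing the result is our assumption."""
    proj = project(public_vec, basis)
    return hashlib.sha256(",".join(map(str, proj)).encode()).digest()

def sponsor_basis(basis, lam):
    """Algorithm 3: the sponsor scales each of its basis vectors by a secret scalar lam."""
    return [[lam * x % P for x in b] for b in basis]

def demo(seed=1, n=6, t=3):
    """Three parties with different bases of the same W derive one key from one public vector."""
    rng = random.Random(seed)
    b1 = [[rng.randrange(P) for _ in range(n)] for _ in range(t)]  # member 1's basis of W
    b2 = [[(x + y) % P for x, y in zip(b1[i], b1[min(i + 1, t - 1)])] for i in range(t)]  # b_i + b_{i+1}: another basis of W
    b3 = sponsor_basis(b1, rng.randrange(2, P))                    # user sponsored by member 1
    v = [rng.randrange(P) for _ in range(n)]                       # GM's public vector, random in the whole space
    keys = {group_key(v, b) for b in (b1, b2, b3)}
    return {"distinct_keys": len(keys), "public_vec_in_w": project(v, b1) == v,
            "sponsored_basis_differs": b3 != b1, "w_is_fixed": project(b1[0], b1) == b1[0]}
```

All three bases yield the same key, while the sponsored basis reveals neither member 1’s vectors nor the scalar, which is the point of Proposition III.2.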

III-A Security Analysis

III-A1 Cryptanalysis

The privacy of a single individual whose public information is is violated if an adversary obtains the user’s private key along with the corresponding basis set . In such a situation, the adversary has every privilege of the user. We are going to discuss whether such a scenario is possible by exploiting broadcast public information. Let us denote the user by , the group by and the manager by . The group’s information that is known to everyone is . This public vector is selected by and is preferably chosen to lie outside the subspace generated by the users’ bases. The constructed private key is going to be used during secure group communication. At this point, we are assuming is not known by the adversary. In other words, the only information the adversary has is the public vector broadcast by . Even if the adversary has obtained distinct public vectors over time, it cannot guess a basis set generating the same subspace as the members’ bases generate. The above discussion leads to the following proposition.

Proposition III.1.

Let be a group and be a public vector broadcast at time . Suppose that an adversary captures a number of distinct public vectors at different times. It is still infeasible for the adversary to guess the required basis for the group secret key, let alone a legitimate user’s private information.

Proposition III.2.

Suppose an adversary has the basis set which belongs to a user . It is still infeasible to obtain .


The adversary does not know the original basis set or the scalars ; therefore it is not possible to guess . ∎

Proposition III.3.

Suppose an adversary has obtained more than one user’s bases. It is still not possible to obtain the function or any other user’s private information.


At this point, we should note that in practice the inner product spaces are taken to be over large finite fields. Let us assume that has the following bases:

From this information, it is possible to obtain the ratio of the values of the users’ public information under the function , but not the function itself. Without the function , it is not possible to get other members’ private data. ∎

Proposition III.4.

Let be a basis for a subspace of the vector space for , and let be a function of degree . As long as , it is infeasible to construct .


The polynomial has degree , and it is known from Newton’s theorem that constructing is only possible when at least points on the graph of are known. ∎

Proposition III.3 forces us to define a security parameter, which is the size of the finite field over which the employed inner product space lies. In addition to this, the degree of is another security parameter by Proposition III.4. Let the security parameters be

It is not hard to observe that these parameters are directly related to the cost of the key derivation operations. In other words, they offer a trade-off between security and privacy on one side and the cost of computation on the other.

III-A2 Known Cyber Attack Analysis

In this section, we discuss the well-known attacks and the proposed algorithm’s resistance to these attacks.
DoS Attack: In the secret sharing based GASs, the authentication is performed only when a certain number of members’ shares are combined, and the authentication completes only if all participants are legitimate. This means that even if a single illegitimate user participates in the authentication phase, the process fails. In addition to this, the group manager cannot recognize the illegitimate user, and this makes such algorithms vulnerable to DoS attacks. In other words, any attacker can cause a disruption of service and it may not be possible to determine which user is causing it. In this work, anyone who does not have a basis set for the chosen subspace cannot take part in the authentication and key agreement phase. So, even if an intruder tries to participate in the authentication phase with an illegitimate basis, this attempt does not cause a delay or problem in the service. Thereby, a DoS attack cannot be performed by an attacker.
Replay and Man-in-the-Middle Attack: The fact that the user authentication algorithm does not require any private data sharing creates a safe environment against man-in-the-middle attacks. In fact, since authentication and construction of a shared secret key are handled at the same time for each communicating party, including the group manager, an intruder without knowledge of the group’s private space cannot proceed to communicate with any group member. Moreover, since for each authentication session the group manager publishes a different vector from which users extract the secret key, an adversary sniffing the data exchanged in a previous authentication phase cannot perform a replay attack.

Group Manager Compromise Attack: A node in a group has two sets of crucial data: one is for confidential group communication and the other one is for verifying that it is a legitimate member of the group. This crucial data is provided by the manager of the group. Therefore, compromising the group manager’s secret allows one to access all members’ private information. Unlike other group authentication algorithms based on polynomial interpolation, compromising a few members’ private keys does not allow an adversary to impersonate the group manager. In other words, as we explain in Proposition III.4, it is not possible to take over the group management unless the attacker can capture at least the private , where is the degree of the group manager’s private function .

Let be the manager of the group and be the private data of such that . Assume that an adversary obtains the secrets of some members of . Let be such private information for the users for . The knowledge of this information does not allow one to extract the point on the graph of . Even if such information is obtained, as long as , the adversary cannot act as a group manager by Proposition III.4.
A Group Member Compromise Attack: Each member has a basis for , and the security of group communication depends on the knowledge of the subspace . In other words, an adversary does not need to know individuals’ secrets to compromise the confidentiality of group communication; instead, any basis for is a sufficient tool for an adversary. Once a non-member obtains any basis for , it can take part in the data exchange among the members of the group. On the other hand, in order to impersonate a legitimate member of a group, an adversary must obtain the private key of a legitimate user.

III-B The Running Time

In order to obtain the common secret key , any user needs to compute the projection of a given vector onto the subspace generated by the basis elements.

Each user has a unique basis for the subspace determined by the group manager. Let be the assigned subspace by the group manager such that

Each member has a basis consisting of exactly elements. The common secret key is extracted from the projection vector on . One way to find the projection vector requires obtaining an orthonormal basis for . Such a basis can be found by performing the Gram-Schmidt orthogonalization process. The Gram-Schmidt process requires

The normalization of the basis elements needs more inner products. Let be an orthonormal basis for . The projection of onto can be computed as

Overall, the number of inner products for computing the projection of onto is bounded by , where again stands for the dimension of . Since the cost of the overall operation for producing the projection vector is dominated by the inner product computations, the running time of the algorithm is bounded by inner products.
The second way to compute projection of a vector on is the following: Let be the projection of onto where . The coefficients can be found by solving the linear system:

The number of inner products on the right side of the above system is

Overall, inner product computations should be performed. Even though the number of inner products is asymptotically again with this approach, a real-time implementation might be more efficient in certain cases. In fact, the computations for solving linear systems can be performed in parallel, which allows exploiting multi-core environments. As most systems, including IoT devices, are adopting multi-core processors in their hardware architecture, solving linear systems instead of applying the Gram-Schmidt orthogonalization process might be less costly for some devices. Compared to other group authentication schemes, the proposed authentication and key exchange methods do not depend on the number of users in the group. Unlike other methods, the authentication scheme does not require any data exchange between members, and our method avoids costly operations like elliptic curve group addition [YA]. The real-time test results show that the average time required to generate the secret key is not more than 5 ms for a subspace of with dimension 100. Note that the test was conducted on a personal computer (i7-5600 2.6 GHz, 8 GB RAM) running Linux.

IV Conclusion

The recently presented idea of group authentication has the potential to be applied in various environments and applications. In addition to being computationally lightweight, the proposed group authentication method allows any member to authenticate other group members and establishes a secret key among them. The proposed algorithm exploits inner products to create a novel group authentication method whose aim is to provide the desired security level while requiring only a lightweight computational load.
Being the first group authentication algorithm based on inner product spaces, the method has the potential to be improved further to provide group handover schemes for near-future mobile base stations. Considering near-future IoT systems, which are expected to be similar to human society, each user should be able to introduce its trusted partners to the groups that it belongs to. In this respect, research on creating a secure and reliable system should take such a demand into consideration. In certain cases, a new member not introduced by the group manager might need to be excluded from some group conversations until it is registered by the group manager, and future work should aim to construct such an algorithm.