Anonymous authentication schemes, mostly based on the notion of group signatures, allow a group member to obtain membership from a server and gain access rights if the member can prove their authenticity to the verifier. However, existing authentication schemes are impractical because they neglect to provide an exclusive verification of the blacklist. In addition, the schemes are unaware of malicious members who are involved in privilege transferring. In this paper, a novel membership authentication scheme providing detection of membership transfer and proof of membership exclusiveness to the blacklist is proposed.
The rapid development of the Internet has resulted in an increase in electronic transactions that allow users to buy goods or services from online platforms provided by Internet companies, including Google, Facebook, eBay, and Twitter. Service providers must confirm whether a user is permitted to access its resource. Access control [
Group signatures [
Additionally, state-of-the-art authentication schemes provide few revocation methods without describing how to detect malicious members’ illegal behavior; in other words, such schemes are unaware of malicious members who have been involved in privilege transfer. This is known as impersonation or an illegal privilege transfer attack and is a priority for prevention because it regularly occurs in the aforementioned schemes and is difficult to trace. In addition, the modern authentication schemes are becoming more complicated to ensure security. However, this is not a favorable development because it will obstruct the development of membership authentication schemes, resulting in research becoming impractical and unattractive. In summary, a robust authentication scheme should contain two components: a membership authentication approach that can withstand members who engage in membership transfer and proof of membership that is exclusive to the current CRL.
In this paper, a novel membership authentication scheme is proposed that provides a simple solution for membership authentication and revocation. The proposed scheme may suffer from the disadvantage of illegal privilege transfer; however, this problem can easily be solved by employing the traitor tracing technique [
Organization of the Thesis
This paper is organized as follows. Section 2 describes the anonymous authentication scheme and its requirements as well as the dynamic accumulators. An anonymous and unlinkable membership authentication scheme with illegal privilege transfer detection is proposed in Section 3. Security and performance analysis of the proposed scheme is detailed in Section 4. Finally, Section 5 presents the conclusion.
Group signatures [
Setup:
A probabilistic algorithm that outputs the group public key and group secret key for the group manager, given a security parameter as the input.
Join:
A protocol between the group manager and a user that results in the user becoming a group member and receiving a group signing key.
Sign:
A probabilistic algorithm that outputs an anonymous membership for a member, with some necessary parameters (including the member’s group signing key) as the input.
Verify:
An algorithm for examining the validity of an alleged membership with respect to a group public key.
Open:
An algorithm, which can only be implemented by the group manager, used to determine the originator’s identity.
Some authentication schemes [
Additionally, the following security requirements, which have been identified and discussed in the literature, should be inspected.
Unforgeability:
Only an eligible prover can obtain a unique valid membership. An adversary cannot feasibly forge a membership that can obtain verification.
Strong/weak unlinkability:
Strong unlinkability ensures that the pseudonym and real identity of a prover cannot be linked during multiple uses of the membership. Conversely, weak unlinkability allows only a pseudonym but not the prover’s real identity to be linked when the prover uses the membership more than once.
Nontransferability:
Even though the verifier learns nothing about the prover’s real identity during the interactions, a sound authentication scheme must guarantee that membership transfer can be detected and that abused memberships can be revoked.
Excludability:
Neither a group member nor the group manager can sign on behalf of other group members.
For efficient exclusive verification of the CRL and detection of illegal privilege transfer, the following attractive security properties are necessary:
Dynamic membership:
The membership can easily be updated by any eligible member of the group when inserting (deleting) a new (abusive) member rather than issuing a new membership or requiring the verifier to refer to the CRL.
Traitor detection:
The scheme must be able to determine the real identity of the malicious member.
Accumulators were first proposed by Benaloh and de Mare [
In this section, we review the dynamic reversed accumulator scheme of Kuo et al. [
Initialization:
Let the modulus $n = p \times q$, with $p$ and $q$ safe primes; $U$ be a set of $t$ eligible members, each with an identity $x_u$ ($u = 1, \dots, t$); and $\tilde{U}$ be a set of members being revoked. All identities are assumed to be pairwise relatively prime, and the authority maintains the sets $U$ and $\tilde{U}$, which are initially empty. The authority chooses an element $g \in QR_n$ and a prime $z$ (which can be 2); computes the accumulator as $ACC = f(g, z) = g^{z} \bmod n$, where $g \neq 1$; and publishes $(ACC, g)$. Here, $f(\cdot)$ is a public quasi-commutative function [
・ $f(f(g, x_1), x_2) = f(f(g, x_2), x_1) = g^{\prod_{u=1}^{2} x_u} \bmod n$;
・ $f(g, U) = f(f(\cdots f(g, x_1) \cdots), x_t) = g^{\prod_{u=1}^{t} x_u} \bmod n$.
Member insertion:
To include a new member $x_w$, the authority examines whether $x_w \notin U$, and if so, adds $x_w$ to the set $U$ (the new set of eligible members is $U' = U \cup \{x_w\}$) and updates the aforementioned archive. The new member is given a witness $wit_w = f(ACC, x_w^{-1}) = g^{z \times x_w^{-1} \bmod \phi(n)} \bmod n$ and a value $x_w$ with $\gcd(x_w, \phi(n)) = 1$. Here, the accumulator $ACC$ is not changed; therefore, the group members do not need to update their witnesses.
Witness verification:
Only an eligible member $x_u \in U$ can prove the validity of their system access to a verifier, namely that their unique value $x_u$ is included in the public accumulator $ACC$ and that they know the corresponding witness $wit_u$, on the basis of the zero-knowledge proof technique. The verifier can check the correctness using the online public information $ACC$ maintained by the authority, and the group member $x_u$ is granted access rights if the following Equation (1) holds for their claim:
$$wit_u^{x_u} \equiv g^{(z \times x_u^{-1}) \times x_u} \equiv ACC \pmod{n}. \quad (1)$$
Member deletion:
When the membership of group member $x_v$ is revoked, the authority deletes $x_v$ from the set $U$ and moves the value $x_v$ into the set $\tilde{U}$. The authority computes the new accumulator $ACC' = f(ACC, x_v^{-1}) = ACC^{x_v^{-1}} \bmod n$, updates the archive, and publishes the revocation information $(ACC', x_v)$. Knowledge of $p, q$ is required for computing $x_v^{-1}$. Kuo et al. called their scheme a dynamic reversed accumulator because the value $x_v \in \tilde{U}$ is subtracted from the accumulator here, and the accumulator decreases gradually. Additionally, each member in $U$ must update their witness to reflect the updated accumulator. On the basis of the extended Euclidean algorithm, an eligible member $x_u \in U$ can compute integers $a$ and $b$ satisfying $a \times x_u + b \times x_v = 1$ and update their witness as $wit'_u = ACC'^{\,a} \times wit_u^{\,b} \bmod n$, such that $(wit'_u)^{x_u} = ACC'$. Computing the witness update does not require knowledge of $(p, q)$ and can be performed only by the eligible members $x_u \in U$. It is infeasible for the revoked member $x_v$ to update their witness because $\gcd(x_v, x_v) \neq 1$. Crucially, the computational costs of updating both the group accumulator and each individual member’s witness are independent of the size of $\tilde{U}$.
The scheme of Kuo et al. features a substantial computational cost reduction compared with the existing methods because renewing the accumulator and valid members’ witnesses is required only when revoking violating members (not including new members).
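The accumulator reviewed above, insertion, Equation (1) verification, deletion and the extended-Euclid witness update, as an added Python example (not the authors' code). It assumes constructed toy safe primes so it runs instantly; the identities are small distinct primes, and `demo()` and the class/function names are this example's own.

```python
"""Dynamic reversed accumulator of Kuo et al. (Section 2.2), toy-sized model.

Added example, not the paper's code.  Constructed safe primes keep the run
instant; a deployment would use a 2048-bit n.  Identities x_u are distinct
small primes (pairwise coprime and coprime to phi(n))."""
from math import gcd

SAFE_P, SAFE_Q = 1019, 1187       # constructed: 1019 = 2*509+1, 1187 = 2*593+1
N = SAFE_P * SAFE_Q
PHI = (SAFE_P - 1) * (SAFE_Q - 1)  # known only to the authority
G, Z = 4, 2                       # g = 2^2 is a quadratic residue mod n; z = 2


def egcd(a, b):
    """Extended Euclid: returns (d, s, t) with s*a + t*b = d = gcd(a, b)."""
    if b == 0:
        return a, 1, 0
    d, s, t = egcd(b, a % b)
    return d, t, s - (a // b) * t


class Authority:
    """Holds p, q, the eligible set U and the revoked set U_tilde."""

    def __init__(self):
        self.acc = pow(G, Z, N)   # ACC = g^z mod n, published together with g
        self.members = set()      # U
        self.revoked = set()      # U_tilde

    def insert(self, x):
        """Member insertion: ACC unchanged, newcomer gets wit = ACC^(x^-1 mod phi)."""
        if x in self.members or x in self.revoked or gcd(x, PHI) != 1:
            raise ValueError("identity must be fresh and coprime to phi(n)")
        self.members.add(x)
        return pow(self.acc, pow(x, -1, PHI), N)

    def revoke(self, x):
        """Member deletion: ACC' = ACC^(x^-1 mod phi); publishes (ACC', x)."""
        self.members.remove(x)
        self.revoked.add(x)
        self.acc = pow(self.acc, pow(x, -1, PHI), N)
        return self.acc, x


def verify(acc, x, wit):
    """Equation (1): verifier checks wit^x == ACC (mod n) from public data only."""
    return pow(wit, x, N) == acc


def update_witness(wit_u, x_u, new_acc, x_v):
    """Remaining member refreshes after (ACC', x_v) is published: with
    a*x_u + b*x_v = 1, wit' = ACC'^a * wit^b mod n (no phi(n) needed; a negative
    exponent is the modular inverse).  Fails for the revoked x_v itself."""
    d, a, b = egcd(x_u, x_v)
    if d != 1:
        raise ValueError("cannot update: identities are not coprime")
    return pow(new_acc, a, N) * pow(wit_u, b, N) % N


def demo():
    """Insert 3, 5, 7; revoke 5; 3 and 7 refresh and still verify."""
    auth = Authority()
    wits = {x: auth.insert(x) for x in (3, 5, 7)}
    ok_before = all(verify(auth.acc, x, w) for x, w in wits.items())
    new_acc, x_v = auth.revoke(5)
    stale = verify(new_acc, 3, wits[3])          # old witness no longer matches
    wits[3] = update_witness(wits[3], 3, new_acc, x_v)
    wits[7] = update_witness(wits[7], 7, new_acc, x_v)
    ok_after = verify(new_acc, 3, wits[3]) and verify(new_acc, 7, wits[7])
    return ok_before, stale, ok_after
```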
In this section, a basic scheme of anonymous membership authentication with anonymity, unlinkability, and efficiency is proposed. Furthermore, we discuss its security. Subsequently, an enhanced version of the scheme is accordingly proposed, and this scheme is analyzed in the next section. The member must additionally establish a secure channel with the verifier in contrast to the aforementioned authentication schemes; in other words, a lower layer node-to-node secure channel with randomized encryption is assumed.
The following definition of a bilinear map comes from [
・ Bilinearity: $\forall (P, Q) \in G_1 \times G_2$ and $\forall a, b \in \mathbb{Z}_q^*$, $\hat{e}(aP, bQ) = \hat{e}(P, Q)^{ab}$.
・ Nondegeneracy: $\hat{e}(P, Q) \neq 1$.
・ Computability: $\forall (P, Q) \in G_1 \times G_2$, $\hat{e}(P, Q)$ is efficiently computable.
The proposed membership authentication scheme can be operated in both symmetric and asymmetric settings. For greater efficiency, the symmetric setting is more appropriate, whereas the asymmetric setting has greater security. Here, we directly use the asymmetric setting to enrich our cryptanalysis content in Section 4 and demonstrate the flexibility of our proposed scheme.
The security of our scheme relies on the hardness of the following problems, which were introduced in [
Definition 1 (Fixed Argument Pairing Inversion Problems). Let $\hat{e}$ be an asymmetric pairing. The fixed argument pairing inversion 1 (FAPI-1) problem is as follows: Given $U_1 \in_R G_1$ and a value $z \in G_T$, compute $U_2 \in G_2$ such that $\hat{e}(U_1, U_2) = z$. The fixed argument pairing inversion 2 (FAPI-2) problem is as follows: Given $U_2 \in_R G_2$ and a value $z \in G_T$, compute $U_1 \in G_1$ such that $\hat{e}(U_1, U_2) = z$.
Both problems FAPI-$j$ (for $j = 1$ or $2$) have a unique solution for each given pair $(U_j, z) \in G_j \times G_T$ because the pairing is non-degenerate and the groups $G_1$, $G_2$, and $G_T$ are cyclic of order $q$. Finally, a general case of the pairing inversion problem is presented in the following definition.
Definition 2 (Generalized Pairing Inversion (GPI) Problem). The problem is to find two values $U_1 \in G_1$ and $U_2 \in G_2$ such that $\hat{e}(U_1, U_2) = z$ when a pairing $\hat{e}$ as above and a value $z \in G_T$ are given.
In this section, we first introduce a basic anonymous authentication scheme comprising three parties, namely the group member, KGC, and AS. A KGC is a trusted third party responsible for issuing private keys to all valid members, and an AS provides services to any eligible member with proof of valid membership. The basic scheme comprises the following algorithms:
Setup.
As mentioned in Section 3.1, $G_1$, $G_2$, and $G_T$ are three bilinear cyclic groups of prime order $q$; $\hat{e}: G_1 \times G_2 \to G_T$ is a bilinear mapping over groups of the same order $q$; and $P \in G_1$ and $Q \in G_2$ are two generators. Let $x_j$, for $1 \le j \le N$, be $N$ prime numbers chosen from the field $\mathbb{Z}_q^*$. The KGC selects a large even integer $k$ with $k < N$ and computes the group secret key as $X = \prod_{j=1}^{k} x_j$ and the corresponding group public key as $Y = \hat{e}(P, Q)^{X}$. The KGC then publishes the system parameters as
$$\mathcal{G} = (G_1, G_2, G_T, q, \hat{e}, P, Q, Y).$$
Join.
For each legitimate member $U_i$ of a group, the KGC randomly selects $k/2$ elements of $x_j$ (the components of this subset are denoted as $\hat{x}_j$) and computes $a_i = \prod_{j=1}^{k/2} \hat{x}_j$ and $b_i = X / a_i$. Subsequently, $U_i$ is given their private key $(a_i P, b_i Q)$. Clearly, we have $\hat{e}(a_i P, b_i Q) = \hat{e}(P, Q)^{X} = Y$, but $a_i P$ and $b_i Q$ cannot be used directly as proof of membership; otherwise, any two application service requests are easily linked and the member’s privacy is threatened. Here, an archive is required for maintaining the tuple $(a_i, b_i, U_i)$, from which the KGC can reveal the real identity of a malicious member who has been recognized as a traitor.
Sign.
When the member $U_i$ requests service from an AS, $U_i$ selects two random numbers $\alpha, \beta \in \mathbb{Z}_q^*$ and computes $\mathbb{P} = a_i P + \alpha P$ and $\mathbb{Q} = b_i Q + \beta Q$. $U_i$ also computes $A = \hat{e}(a_i P, Q)^{\beta}$, $B = \hat{e}(P, b_i Q)^{\alpha}$, and $C = \alpha \beta P$. Here, the tuple $\{\mathbb{P}, \mathbb{Q}, A, B, C\}$ is the membership of $U_i$ for obtaining access to application services provided by a specific AS.
Verify.
1) $U_i \Rightarrow AS$: $\{\mathbb{P}, \mathbb{Q}, A, B, C\}$ over a secure channel.
2) AS verifies the membership proof by checking whether
$$\hat{e}(\mathbb{P}, \mathbb{Q}) = Y \times A \times B \times \hat{e}(C, Q). \quad (2)$$
Because the blinding factors $\alpha$ and $\beta$ are used, $U_i$ can prove their membership multiple times to the same or to a different AS; at the same time, the authentication messages $\{\mathbb{P}, \mathbb{Q}, A, B, C\}$ cannot be linked to reveal that they were all generated by the same member $U_i$.
Correctness of the scheme.
The correctness of the verification is shown as follows. Given the group public key $Y = \hat{e}(P, Q)^{X} = \hat{e}(a_i P, b_i Q)$ and the membership proof $\{\mathbb{P}, \mathbb{Q}, A, B, C\}$, $U_i$ gains access to the AS’s services if the scheme works correctly and Equation (3) holds:
$$\hat{e}(\mathbb{P}, \mathbb{Q}) = \hat{e}((a_i + \alpha) P, (b_i + \beta) Q) = \hat{e}(P, Q)^{(a_i + \alpha) \times (b_i + \beta)} = \hat{e}(P, Q)^{a_i b_i} \times \hat{e}(a_i P, Q)^{\beta} \times \hat{e}(P, b_i Q)^{\alpha} \times \hat{e}(P, Q)^{\alpha \beta} = Y \times A \times B \times \hat{e}(C, Q). \quad (3)$$
$U_i$ cannot compute and send $C = \hat{e}(P, Q)^{\alpha \beta}$ directly to the AS; the scheme would become insecure if designed in that way, because the verification equation would become
$$\hat{e}(\mathbb{P}, \mathbb{Q}) = Y \times A \times B \times C,$$
and any attacker could select two random $\mathbb{P}'$ and $\mathbb{Q}'$ and then compute $C' = \hat{e}(\mathbb{P}', \mathbb{Q}') / (Y \times A' \times B')$, where $A'$ and $B'$ are also randomly selected. The attacker could thus pass the verification procedure with the forged membership proof $\{\mathbb{P}', \mathbb{Q}', A', B', C'\}$.
Selection of parameter k.
Let $k = 100$ and $200$; this yields $C(100, 50) \approx 10^{29}$ and $C(200, 100) \approx 10^{59}$ combinations of the value $a_i$, respectively, where $C(\cdot)$ is a combination function.
Remarks and Discussion
Impersonation or illegal privilege transfer attack.
A sound anonymous membership authentication scheme should consider how to counteract a valid member duplicating their membership for others. That is, a valid member $U_i$ may attempt to share their private key $\{a_i P, b_i Q\}$ with their untrusted friend $U_x$. We assume that collusion among the AS, KGC, and $U_x$ is possible. With knowledge of both $a_i P$ and $b_i Q$ (and the related identity of their owner, revealed by $U_x$), the AS can obtain both $\alpha P = \mathbb{P} - a_i P$ and $\beta Q = \mathbb{Q} - b_i Q$ when the original member $U_i$ logs in to the AS. To check whether a service request is made by $U_i$, the AS verifies whether
$$\hat{e}(C, Q) = \hat{e}(\alpha P, \beta Q). \quad (4)$$
Clearly, this “private key revelation” forces $U_i$ not to share their private key and privilege with others; otherwise, any two of $U_i$’s service requests can be linked and their anonymity is ruined. In this attack, the original member $U_i$ also risks privilege revocation by the KGC (here, a typical blacklist is required) after an unauthorized privilege transfer is confirmed. The privilege is thus nontransferable.
In the following, we show another privilege transfer approach launched by the member $U_i$; this approach does not undermine $U_i$’s anonymity. Let $\alpha$ and $\beta$ be two blinding factors as before; $U_i$ uses a third blinding factor $\gamma$ and sends the “transformed” private key $\{\gamma a_i P, \gamma^{-1} b_i Q\}$ to their friend $U_x$, who can be either trusted or untrusted. On the basis of this transformed private key, the unprivileged $U_x$ can prove their membership to the AS through the same anonymous authentication scheme by computing $\mathbb{P} = \gamma a_i P + \alpha P$, $\mathbb{Q} = \gamma^{-1} b_i Q + \beta Q$, $A = \hat{e}(a_i \gamma P, Q)^{\beta}$, $B = \hat{e}(P, b_i \gamma^{-1} Q)^{\alpha}$, and $C = \alpha \beta P$. The AS verifies the membership proof by checking whether Equation (2) holds. In this attack, collusion between the AS and $U_x$ to threaten the original member $U_i$’s privacy is impossible. Nevertheless, the untrusted friend $U_x$ can disclose the fact of illegal privilege transfer to the KGC by providing $\{\gamma a_i P, \gamma^{-1} b_i Q\}$. Recall that the KGC keeps the $a_i$ and $b_i$ selected for each member $U_i$ and can therefore check whether a member $U_i$ is involved in an unauthorized privilege transfer as follows:
$$\hat{e}(\gamma a_i P, \gamma^{-1} b_i Q)^{a_i^{-1} b_i^{-1}} = \hat{e}(P, Q). \quad (5)$$
If Equation (5) holds, the original member $U_i$ is revoked, which forces $U_i$ not to share their transformed private key and privilege with others.
In addition, if $U_x$ never betrays $U_i$, the trusted KGC can be consulted online to recognize this privilege transfer as follows. Assume that the KGC can compute $\hat{e}(P, Q)^{a_i + b_i}$ in advance for all registered members. If the AS provides a suspicious $\{\mathbb{P}, \mathbb{Q}, A, B\}$ to the KGC for investigating potential privilege transfers, the KGC tries all registered members’ information $(a_i, b_i)$, for $1 \le i \le N$, and computes both
$$\pi_i = A^{a_i^{-1}} B^{b_i^{-1}} = \hat{e}(P, Q)^{\gamma \beta + \gamma^{-1} \alpha} \quad (6)$$
and
$$\lambda_i = \hat{e}(\mathbb{P}, Q) \times \hat{e}(P, \mathbb{Q}) = \hat{e}(P, Q)^{\gamma a_i + \alpha} \, \hat{e}(P, Q)^{\gamma^{-1} b_i + \beta} = \hat{e}(P, Q)^{\gamma a_i + \gamma^{-1} b_i + \alpha + \beta}. \quad (7)$$
The KGC then tests whether any $\hat{e}(P, Q)^{a_i + b_i} \times \pi_i$ equals $\lambda_i$ to determine whether the received authentication message was generated by the privileged member $U_i$. Clearly, an authentication message generated from a transformed private key with $\gamma \neq 1$ fails this test, and we can conclude that someone has transferred their membership to someone else. The KGC knows nothing regarding the malicious member’s real identity, which is known as “weak unlinkability.” In a medium-sized setting with a moderately large number of members, the described online investigation might be feasible if not performed frequently. However, this method cannot completely prevent the illegal privilege transfer attack.
Replay attack.
This basic scheme cannot withstand the replay attack.
Consider the potential illegal privilege transfer attack and the unpreventable replay attack mentioned in Section 3.2.1. An enhanced scheme is proposed in this section. The scheme features anonymity and unlinkability and guarantees security against the aforementioned attacks. Because some algorithms, including Setup and Join, are identical to those defined in Section 3.2, this section describes only the differences. The algorithms of the enhanced scheme are detailed as follows:
Sign.
Let $T_i$ be a timestamp and $h(\cdot): \{0, 1\}^* \to G_1$ be a collision-free one-way hash function. When the member $U_i$ requests service from an AS, $U_i$ selects two random numbers $\alpha, \beta \in \mathbb{Z}_q^*$ and computes $A = \alpha \beta P$, $B = \alpha P$, $\mathbb{P} = \beta^{-1} a_i P + t \alpha P$, and $\mathbb{Q} = \beta b_i Q$, where $t = h(T_i)$. Here, the tuple $\{\mathbb{P}, \mathbb{Q}, A, B, T_i\}$ is the membership of $U_i$ for obtaining access to the application services provided by a specific AS.
Verify.
1) $U_i \Rightarrow AS$: $\{\mathbb{P}, \mathbb{Q}, A, B, T_i\}$ over a secure channel.
2) Let $T_V$ be the current timestamp of the AS and $T_{td}$ be an appropriate tolerance for the time delay. Given the group public key $Y$, the AS can verify the membership proof presented by a member $U_i$, and $U_i$ is granted access rights if the following Equations (8) and (9) hold; otherwise, the AS rejects the request of $U_i$:
$$T_V - T_i \le T_{td} \quad (8)$$
$$\hat{e}(\mathbb{P}, \mathbb{Q}) \equiv Y \times \hat{e}(t B, \mathbb{Q}) \quad (9)$$
The scheme enables the AS to validate $U_i$’s claim while learning nothing about their real identity, even if it colludes with the KGC. For the purpose of anonymous authentication and strong unlinkability, two blinding factors and a timestamp are employed so that a member can prove their membership multiple times to the same or to a different AS. The authentication messages $\{\mathbb{P}, \mathbb{Q}, A, B, T_i\}$ cannot be linked to reveal that they were all generated by the same member. Cryptanalysis of this enhanced scheme is presented in Section 4.
The member $U_i$ is assumed to be able to send the transformed private key $\{\gamma a_i P, \gamma^{-1} b_i Q\}$ to their friend $U_x$, who can be either a trusted or an untrusted individual, where $\gamma$ is a random number and $\gamma \neq 1$. After obtaining the transformed private key, $U_x$ computes $A = \alpha \beta P$, $B = \alpha P$, $\mathbb{P} = \beta^{-1} \gamma a_i P + t \alpha P$, and $\mathbb{Q} = \beta \gamma^{-1} b_i Q$, where $t = h(T_x)$. The unprivileged party $U_x$ can prove their membership to the AS through the aforementioned improved anonymous authentication scheme and obtain access to the resource on the AS if Equations (8) and (9) hold. Here, collusion between the AS and $U_x$ that threatens the original member $U_i$’s privacy is impossible. As mentioned in Section 3.2.1, two approaches exist for detecting whether a member $U_i$ is involved in an unauthorized privilege transfer. The first is to let $U_x$ disclose $U_i$’s illegal privilege transfer by providing $\{\gamma a_i P, \gamma^{-1} b_i Q\}$ to the KGC; however, this approach is passive and impractical for preventing private keys from being transformed. The second is that the trusted KGC can be consulted online to recognize the privilege transfer as follows. Recall that the KGC retains $a_i$ and $b_i$ when generating private keys for each member $U_i$. If the AS provides a suspicious $\{\mathbb{P}, \mathbb{Q}, A, B, T_i\}$ to the KGC for investigating potential privilege transfer, the KGC tries all values of $b_i$, for $1 \le i \le N$, of registered members and computes both
$$\pi_i = \hat{e}(B, \mathbb{Q}^{b_i^{-1}}) = \hat{e}(P, Q)^{\alpha \beta \gamma^{-1}} \quad (10)$$
and
$$\lambda_i = \hat{e}(A, Q) = \hat{e}(P, Q)^{\alpha \beta}. \quad (11)$$
The KGC checks whether any π i equals
The KGC subsequently examines all values of
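The enhanced scheme of Section 3.3 (Sign, the freshness check of Equation (8), Equation (9), and the KGC comparison of $\pi_i$ from Equation (10) with $\lambda_i$ from Equation (11)), as an added Python example that is not the authors' code. It uses the same discrete-log toy pairing as the earlier example (no security, algebra only) and assumes a constructed hash-to-$G_1$ built from SHA-256 as a stand-in for the paper's $h(\cdot)$; timestamps are plain integers.

```python
"""Toy model of the enhanced scheme (Section 3.3), Equations (8)-(11).

Added example, not the paper's code.  aP -> a, bQ -> b, e(P,Q)^c -> c, all
mod q, with e(a, b) = a*b mod q.  No security; it only checks the algebra.
h() is a constructed stand-in (SHA-256 reduced to a scalar), not the paper's."""
import hashlib
import secrets

Q_ORDER = 1000003        # constructed prime group order
_rng = secrets.SystemRandom()


def pair(g1, g2):
    return g1 * g2 % Q_ORDER


def inv(x):
    return pow(x, -1, Q_ORDER)


def h(timestamp):
    """t = h(T_i): map the timestamp to a non-zero scalar (toy hash-to-G1)."""
    digest = hashlib.sha256(str(timestamp).encode()).digest()
    return int.from_bytes(digest, "big") % (Q_ORDER - 1) + 1


def sign(a, b, timestamp, gamma=1):
    """A = alpha beta P, B = alpha P, P' = beta^-1 a_i P + t alpha P, Q' = beta b_i Q.
    gamma != 1 models a friend using the transformed key."""
    ga, gb = gamma * a % Q_ORDER, inv(gamma) * b % Q_ORDER
    alpha, beta = _rng.randrange(1, Q_ORDER), _rng.randrange(1, Q_ORDER)
    t = h(timestamp)
    A = alpha * beta % Q_ORDER
    B = alpha
    PP = (inv(beta) * ga + t * alpha) % Q_ORDER
    QQ = beta * gb % Q_ORDER
    return PP, QQ, A, B, timestamp


def verify(Y, proof, now, tolerance):
    """AS: Equation (8) freshness, then Equation (9) e(P',Q') == Y * e(tB, Q')."""
    PP, QQ, A, B, ts = proof
    if now - ts > tolerance:              # (8): a replayed old tuple is rejected
        return False
    t = h(ts)
    return pair(PP, QQ) == (Y + pair(t * B % Q_ORDER, QQ)) % Q_ORDER   # (9)


def kgc_transfer_check(archive_b, proof):
    """Equations (10)-(11): pi_i = e(B, Q'^(b_i^-1)) equals lambda_i = e(A, Q)
    for the true b_i only when gamma == 1, so False means a transformed key."""
    PP, QQ, A, B, _ = proof
    lam = pair(A, 1)                                     # (11) = alpha*beta
    for b in archive_b:
        pi = pair(B, QQ * inv(b) % Q_ORDER)              # (10) = alpha*beta*gamma^-1
        if pi == lam:
            return True
    return False
```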
By employing the dynamic reversed accumulator of Kuo et al., which is described in Section 2.2, a member Alice who has been included in the set U receives a membership (
In addition, the accumulator of Kuo et al. provides efficient multiwitness verification in which a group member may access multiple services or files simultaneously and the AS can verify the member’s qualifications simultaneously. This property is outstanding and has not been demonstrated in previous studies. Suppose that m services exist, namely
This section verifies our claim of an efficient, anonymous, and unlinkable membership authentication scheme. We first detail the security properties provided by our scheme. Note that some properties have been detailed in the aforementioned sections.
Resistance to replay attack
An adversary may attempt to resend a stolen membership tuple to pass verification. Recall that AS accepts a membership proof if Equation (8) holds (one of the necessary conditions); thus, resending a stolen membership tuple would increase the time of (
Membership nontransferability
Recall that a valid member
The following two lemmas from [
Lemma 1. The GPI is not harder than either FAPI-1 or FAPI-2.
Proof.
(FAPI-1 ⟹ GPI:)
Given a GPI instance Y and an element
(GPI ⇏ FAPI-1:)
By contrast, given an FAPI-1 instance as input, the GPI solver cannot solve the FAPI-1 problem.
We can similarly prove that GPI ≤ FAPI-2.
Lemma 2. If FAPI-j is solvable, then the computational Diffie-Hellman (CDH) problem in
Proof.
Let
The other two cases (solving CDH in
Theorem 3 (Private key forgery freeness). Let
1) computing
2) choosing an element
3) choosing an element
4) extracting the group secret key X from the group public key Y.
Proof.
We discuss these cases of possible forgery in the following.
Case 1:
An adversary
The success of
Cases 2 & 3:
From Lemmas 1 and 2, we know that 1) the GPI problem is not harder than either FAPI-1 or FAPI-2 and 2) if FAPI-j (where j = 1 or 2) is solvable, then the CDH problem is solvable. That is, an
Case 4:
Similarly, if
From this reasoning, we know GPI ≤ FAPI-j CDH ≤
Theorem 4 (Resistance against membership impersonation). Let
Proof.
If the adversary
Finally,
We propose a novel membership authentication scheme through which anonymity, strong unlinkability, and illegal privilege transfer detection are
Security requirements | [ | [ | Proposed scheme |
---|---|---|---|
Anonymity | Yes | Yes | Yes |
Unforgeability | Yes | Yes | Yes |
Strong/weak unlinkability | Weak unlinkability | Weak unlinkability | Strong unlinkability |
Nontransferability | No | No | Yes |
Exculpability | Yes | Yes | No |
Dynamic membership | Yes | No | Yes |
Traitor detection | No | No | Yes |
Algorithms | [ | [ | Proposed scheme |
---|---|---|---|
Setup | |||
Join | |||
Sign | |||
Verify | |||
Revoke | |||
Membership update | |||
member insertion member revocation | None None | Reissuing membership Reissuing membership | None |
provided. As discussed above, our proposed scheme can perform more efficiently if the symmetric setting of bilinear map groups is applied. By employing an efficient dynamic reversed accumulator, system members can prove to the verifier that their membership is excluded from the CRL. Additionally, the practicality and attractiveness of our proposed scheme are supported.
Yen, S.-M., Kuo, T.-M. and Yang, T.-Y. (2018) Anonymous and Unlinkable Membership Authentication with Illegal Privilege Transfer Detection. Int. J. Communications, Network and System Sciences, 11, 9-26. https://doi.org/10.4236/ijcns.2018.112002