Asynchronous Group Authentication Based on Geometric Approach

Individual authentication in air warfare checks whether a single participant is a legal member of a predefined group; it does not decide about all participants at one time. An asynchronous (m, t, n) group authentication protocol is proposed, based on the multidimensional sphere reconstruction theorem of spatial analytic geometry and without any computational assumption, where m is the number of participants, t is the threshold value, and n is the number of members. The proposed protocol can determine whether all participants belong to the predefined group at one time, which makes it applicable to batch verification prior to individual authentication. The coordinates of the center of a (t − 1)-dimensional sphere are treated as the shared secret, and the coordinates of a point on the surface of the sphere, multiplied by a random blind factor, are issued to each member as its token. If the m participants can reconstruct the shared secret from their tokens, there is no invalid participant among them; otherwise individual authentication is performed. Analysis shows that the proposed scheme not only rules out illegal outsiders but also resists up to t − 1 group members conspiring to forge a valid token for an outsider. In addition, compared with other schemes, the proposed scheme is more applicable to an air warfare network, with lightweight computation, flexible distribution, and a high information rate.


Introduction
Nowadays group-oriented security becomes more and more important in air warfare. Take an aeronautical communication network as an example: it is composed of various airborne weapons spread over a large area and connected wirelessly. Airborne platforms share warfare information and interact with each other through the aeronautical communication network. Since this information, which includes current position, condition, task, etc., is confidential, each airborne member would rather drop out of the network than have its confidential information leaked [1,2]. Hence every airborne platform should be assured that all members in the network are valid before transmitting confidential information.
Group authentication is one of the most important security services in many kinds of networks. Unlike traditional individual authentication, group authentication verifies multiple signatures together at once and reduces verification time. Nowadays there are several proposed group authentication schemes that can authenticate all network members at one time. Concerning their underlying theory, group authentication schemes fall into two categories: those based on a public key system and those not based on one. In group authentication based on a public key system [3-7], each member produces an individual signature with its private key and delivers it to the aggregator, who is a selected one of the group members. After receiving the other signatures, the aggregator compresses all of them with an aggregation algorithm. The verifier can then process multiple authentications at one time and batch-verify security features such as the integrity, traceability, and validity of messages. But this always involves complex computation, such as bilinear pairings and exponentiation, which needs more computing effort than symmetric cryptographic algorithms [8,9]. At the same time there are also group authentication schemes that are not based on a public key system but on lightweight computation. For example, Harn [10] proposed a lightweight group authentication mechanism using a preshared secret [11] in 2013. In that scheme the group manager is responsible for registering all group members. During registration the group manager uses Shamir's secret sharing scheme to issue a private token to each group member. Subsequently all users participating in the group reconstruct the preshared secret. When the reconstruction succeeds, it proves that the nodes of the network are valid and belong to the group. Otherwise there must be one or more invalid users among the participants, and further authentication, such as individual authentication and batch identification, should be executed.
Generally, group authentication based on secret reconstruction carries less computation overhead than the public-key-based kind; hence it is more suitable for airborne platforms when fast and reliable authentication is required in air warfare. In Harn's scheme the notions of t-threshold, m-user and n-group were introduced, and three schemes based on Shamir's (t, n) threshold secret sharing were proposed. In the asynchronous (t, m, n) group authentication scheme, k polynomials are used to generate k tokens for each group member, and m (m ⩾ t) participants are allowed to show their tokens asynchronously. Accept if the participants can reconstruct the secret; reject otherwise. The number of participants must be known in advance in order to reconstruct the secret, but in air warfare this number is difficult to know precisely and is not even fixed. The scheme requires k polynomials, and k is restricted by  >  − 1. So it is not efficient and flexible enough. Based on Lagrange interpolation, Li et al. [14] proposed a group authentication scheme in 2016, and it suffers from the same problem as Harn's scheme. Miao et al. [12] developed group authentication based on the Chinese Remainder Theorem, but it is a one-time authentication, since the secret is no longer a secret once it has been recovered. Ji et al. [15] suggested another asynchronous (t, m, n) group authentication scheme based on threshold secret sharing in 2016. Before authentication it is assumed that every member holds a predistributed randomized component (RC for short), which ensures that all members' tokens are correlated while a new token cannot be deduced by coalition attacks. Nevertheless, the requirement that the number of participants be known beforehand is hard to meet. He et al. [13] improved Ji's scheme and proposed another (t, m, n) group authentication scheme in which invalid members can be identified if group authentication fails. He's scheme needs a trusted center, i.e., an authentication server, responsible for identifying bad members. But it is hard to deploy a fixed and trusted center in air warfare.
Considering the characteristics of air warfare, we give an asynchronous group authentication scheme based on secret sharing theory that is applicable to a decentralized and asynchronous communication environment. Meanwhile, frequent networking in air warfare requires that the secret be reusable in our scheme. The remainder of this paper is organized as follows. In Section 2 we introduce the system model, the authentication procedure and the hypotheses of the scheme. In Section 3 we propose our asynchronous group authentication scheme based on a geometric approach, followed by its security proof and performance analysis in Sections 4 and 5, respectively. Finally we draw our conclusion in Section 6.

Model and Hypothesis
In this section we formalize the system model and describe the authentication procedure.

System Model
2.1.1. Entities. In terms of group authentication there are 4 types of entities in the proposed scheme: the group manager (GM for short), group members, the cluster header and adversaries, as shown in Figure 1.
(a) GM: the coordinator of the scheme, trusted by all group members and responsible for the setup and for distributing a secret share to each member over a predeployed secure channel. Generally a ground-based command site plays the role of GM, and it is assumed to be hard to assault.
(b) Group members: all members possess a valid token. Group members belong to a predefined group and obtain their subsecret from the GM in advance. The token, which is derived from the subsecret, serves as the certificate of the group member.
(c) Cluster header: one of the group members, who verifies the tokens.
(d) Adversaries: there are 2 types of adversaries, insiders and outsiders, described below.

Adversary Model.
In a complicated air electromagnetic environment the network participants may be members who hold a valid token or others who hold none. So there are 2 types of adversaries.
(a) Insiders: an insider is a legal member who has obtained a valid token from the GM but may band together with other participants to forge a valid token for an illegal participant. It is assumed that there are at most t − 2 insiders in our scheme.
(b) Outsiders: an outsider does not belong to the predefined group and holds no valid token. During networking authentication an outsider may eavesdrop on the information exchanged among group members, try to derive a valid token from it, and pretend to be a legal group member.

Authentication
Procedure. Group authentication consists of three steps: setup, generation of tokens and batch verification.
(a) Setup: the GM generates the system parameters, selects a proper secret value S, and makes a shadow of S, such as the hash value of S, publicly known.
(b) Generation of tokens: the GM computes a subsecret and a token for each of the n group members and distributes them to the members securely.
(c) Batch verification: all participants show their tokens, then reconstruct a secret S′ and compare the hash value of S′ with that of S, thereby verifying whether all participants are legal simultaneously.

Our Scheme Based on Geometric Approach
We propose a group authentication scheme based on threshold secret sharing theory. Geometry has inspired secret sharing schemes from the start: Blakley [16] proposed a threshold secret sharing scheme based on projective geometry as early as 1979, and later work suggested similar schemes based on analytic geometry. Our proposed scheme is based on multidimensional sphere reconstruction theory. Next we state and examine the theorem that four points determine a sphere, give our group authentication scheme, and analyze its correctness.

Multi-Dimensional Sphere Reconstruction Theory.
The three vertices of a triangle determine a circle in the plane, whose center is the circumcenter of the triangle. In other words, any three points that do not lie on a straight line determine a circle. Let $(x_1, y_1)$, $(x_2, y_2)$ and $(x_3, y_3)$ be the coordinates of the three vertices and suppose the equation of the circle is (1). Substituting the three coordinates into (1) gives (2); subtracting the equations of (2) from one another cancels the quadratic terms and leaves a linear system in the coordinates of the center, from which the center and then the radius follow. Choose a point of the plane and a random number $r$ as the center and the radius of the circle, respectively. The center is the secret to be shared. Select n points of the circle arbitrarily and distribute the coordinates of the n points to the n users as their subsecrets. This is a (3, n) threshold secret sharing scheme: at least 3 users show their subsecrets simultaneously, reconstruct the circle, and the secret (the center) is recovered.
When the reconstruction of a circle in the plane is extended to $(t-1)$-dimensional space, any $t$ points that do not lie in a common $(t-2)$-dimensional subspace determine a sphere of $(t-1)$-dimensional space. With center $(a_1, a_2, \dots, a_{t-1})$ and radius $r$ the sphere is
$$\sum_{i=1}^{t-1} (x_i - a_i)^2 = r^2, \qquad \text{i.e.} \qquad \sum_{i=1}^{t-1} x_i^2 - 2\sum_{i=1}^{t-1} a_i x_i + c = 0,$$
where $c = \sum_{i=1}^{t-1} a_i^2 - r^2$. Similarly, the center $(a_1, a_2, \dots, a_{t-1})$ of the sphere is the secret to be shared. Select n points of the sphere arbitrarily and distribute their coordinates to the n users as their subsecrets. This is a $(t, n)$ threshold secret sharing scheme: at least $t$ users show their subsecrets simultaneously, reconstruct the sphere, and the secret $(a_1, a_2, \dots, a_{t-1})$ is recovered. Theorem 1 (see [17]).

Asynchronous Group Authentication.
The asynchronous group authentication contains three steps: setup, generation of tokens and batch verification, as shown in Figure 2.
(3) Batch Verification. When $m$ ($t < m < n$) participants take part, one participant collects all the tokens and computes determinant (12), in which $(x_1, x_2, \dots, x_{t-1})$ is substituted by the coordinates of the $j$-th token for $j = t+1, t+2, \dots, m$. If the determinant $D$ vanishes for every $j = t+1, t+2, \dots, m$, then all participants are legal; otherwise there is at least one illegal participant, and identifying the illegal participants is the next step.
Proof. If the system of linear equations (13) has a solution, then the rank of its coefficient matrix C equals that of the augmented matrix A, where
By the properties of determinants, (16) takes the following form:
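The sphere sharing of Section 3.1 and the determinant check of the batch verification step, as an added Python example that is not part of the paper. It assumes arithmetic over the prime field GF(p) with p = 2^31 − 1 (the page fixes no field), omits the random blind factor that the paper multiplies into each token (that step is not reproduced on this page, so tokens here are the raw sphere points), and uses illustrative names (`make_shares`, `recover_center`, `batch_verify`, `coalition_guess`). It also carries out a check the proof sketch above implies but does not spell out: the first t tokens must themselves fix a unique sphere, otherwise every determinant is trivially zero and an outsider would be accepted.

```python
# Added example, not the paper's code: Blakley-style (t, n) sharing on a
# (t-1)-dimensional sphere over GF(P), centre recovery from t points, and the
# co-sphericity determinant that batch verification computes per extra token.
# Assumptions: prime field P = 2^31 - 1; the paper's blind factor is NOT
# modelled (tokens are raw sphere points); every name here is illustrative.
import random

P = 2**31 - 1  # P % 4 == 3, so a modular square root is one exponentiation

def inv(a):
    return pow(a % P, P - 2, P)

def sqrt_mod(a):
    """Square root in GF(P), or None when a is a quadratic non-residue."""
    a %= P
    if a and pow(a, (P - 1) // 2, P) != 1:   # Euler criterion
        return None
    return pow(a, (P + 1) // 4, P)

def det_mod(m):
    """Determinant over GF(P) by Gaussian elimination (m is not modified)."""
    a, n, d = [r[:] for r in m], len(m), 1
    for col in range(n):
        piv = next((r for r in range(col, n) if a[r][col]), None)
        if piv is None:
            return 0
        if piv != col:
            a[col], a[piv], d = a[piv], a[col], -d
        d = d * a[col][col] % P
        ip = inv(a[col][col])
        for r in range(col + 1, n):
            f = a[r][col] * ip % P
            a[r] = [(x - f * y) % P for x, y in zip(a[r], a[col])]
    return d

def solve_mod(a, b):
    """Gauss-Jordan solve of a.x = b over GF(P); None if a is singular."""
    n = len(a)
    m = [r[:] + [v] for r, v in zip(a, b)]
    for col in range(n):
        piv = next((r for r in range(col, n) if m[r][col]), None)
        if piv is None:
            return None
        m[col], m[piv] = m[piv], m[col]
        ip = inv(m[col][col])
        m[col] = [x * ip % P for x in m[col]]
        for r in range(n):
            if r != col and m[r][col]:
                f = m[r][col]
                m[r] = [(x - f * y) % P for x, y in zip(m[r], m[col])]
    return [r[n] for r in m]

def dist2(p, c):
    return sum((x - y) ** 2 for x, y in zip(p, c)) % P

def make_shares(center, r2, n, rng):
    """GM: n random points on the sphere |x - center|^2 = r2 in GF(P)^d."""
    d, shares = len(center), []
    while len(shares) < n:
        xs = [rng.randrange(P) for _ in range(d - 1)]
        s = sqrt_mod(r2 - dist2(xs, center[:-1]))
        if s is not None:                      # non-residue: redraw the point
            shares.append(tuple(xs) + ((center[-1] + s) % P,))
    return shares

def recover_center(points):
    """t = d+1 points fix (a_1..a_d, c) via sum x^2 - 2 sum a_i x_i + c = 0."""
    d = len(points[0])
    rows = [[(-2 * x) % P for x in p] + [1] for p in points]
    rhs = [(-sum(x * x for x in p)) % P for p in points]
    sol = solve_mod(rows, rhs)
    return None if sol is None else tuple(sol[:d])

def batch_verify(tokens, t):
    """Verifier with m > t tokens: D_j = det of the [sum x^2, x_1..x_d, 1]
    rows of the first t tokens plus token j; D_j == 0 iff token j lies on
    the sphere the first t fix.  Returns (accepted, indices with D_j != 0)."""
    rows = [[sum(x * x for x in p) % P] + list(p) + [1] for p in tokens]
    # the first t points must fix a unique sphere, else all D_j vanish and an
    # outsider would pass: check the t x t block without the sum x^2 column
    if det_mod([r[1:] for r in rows[:t]]) == 0:
        raise ValueError("first t tokens do not determine a sphere")
    bad = [j for j in range(t, len(tokens)) if det_mod(rows[:t] + [rows[j]])]
    return not bad, bad

def coalition_guess(points, rng):
    """t-1 colluding insiders: pad with one random point and reconstruct; the
    result fits all their points yet is (almost surely) another centre."""
    while True:
        c = recover_center(points + [tuple(rng.randrange(P) for _ in points[0])])
        if c is not None:
            return c

def demo(seed=7):
    """Constructed run: t = 4, a 3-dimensional sphere, 8 issued tokens."""
    rng = random.Random(seed)
    center, r2, t = (11, 22, 33), 12345, 4
    shares = make_shares(center, r2, 8, rng)
    guess = coalition_guess(shares[:t - 1], rng)
    return {
        "recovered": recover_center(shares[:t]),                 # == center
        "honest": batch_verify(shares[:6], t),                   # (True, [])
        "outsider": batch_verify(shares[:5] + [(1, 2, 3)], t),   # (False, [5])
        "coalition_differs": guess != center,
        "coalition_fits": len({dist2(p, guess) for p in shares[:t - 1]}) == 1,
    }
```

Calling `demo()` shows the three behaviours the text claims: t honest tokens recover the center, m > t honest tokens make every extra determinant vanish, one point off the sphere makes its determinant nonzero, and t − 1 tokens are consistent with a second, different center (and hence with p further ones), so the coalition learns nothing. A real deployment would additionally have to bind the determinant check to the blind factor, which this example does not model.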

Security Analyses
As mentioned previously, there are two attacks against group authentication: one from insiders, the other from outsiders. In our scheme some insiders may attempt to reconstruct the predefined secret from their own tokens and thereby generate a new token for an invalid member. However, by the sphere reconstruction theory it is impossible for such insiders to derive the secret from their own tokens, so the scheme remains secure even if some legal members are compromised; see Theorem 4 for details. On the other hand, an outsider may intercept a valid token by eavesdropping on the channel. It is also impossible for an outsider to replay a used token, since the blind factor changes frequently; see Theorem 5 for details.

Coalition Attack Resistance.
As assumed in the adversary model, fewer than t − 1 legal members may attack the scheme together; that is, up to t − 2 members may collude and try to reconstruct the shared secret. It is out of the question to reconstruct a predefined sphere in (t − 1)-dimensional space from t − 2 points on it, so a coalition attack by t − 2 members is ineffective.

Replay Attack Resistance.
After legal participants have shown their valid tokens asynchronously, an outsider may acquire a token in order to reuse it illegally next time. In our scheme the blind factor concealing the token helps resist such a replay attack.
No common factor can be taken out of any row or column of determinant (20), so equation (16) differs from equation (20). The probability that the two coincide is 1/(p − 1), where p is an odd prime, and 1/(p − 1) → 0 as p → ∞. Consequently the probability that a reused token passes a new authentication is negligible.

Performance Comparison and Analysis
The network environment in air warfare is complicated. Besides the security requirement, efficiency is necessary for any group-oriented authentication. An air tactical network has inherent characteristics, such as the high speed of aircraft, poor stability of the network topology, and unpredictable discontinuity of communication links, which pose challenges for authentication. Considering these requirements, our scheme makes four contributions. Firstly, our scheme can determine whether there is any invalid participant in the network by computing determinant (12) once, with complexity O(1). Secondly, all participants are allowed to show their tokens asynchronously, since the blind factor hides the token. Thirdly, the GM serves only for system setup and secret issuing, not as an online server, and any participant may act as the verifier since the network is deployed in a distributed mode. Fourthly, the tokens generated by the GM initially can be used only to determine whether all participants are legal members, not to recover the secret, so the same secret can be employed for multiple authentications; in addition, a disclosed token does not compromise the secrecy of the still-hidden secret. Besides practical feasibility, the proposed scheme provides gains in efficiency, as batch verification of multiple participants is significantly faster than individual, "one-by-one" verification. Details of the comparison with other authentication schemes follow.

Comparison with Individual Authentication.
Individual authentication means that every two participants verify each other, so every participant needs to verify every other participant. Assume that 5 messages are needed for each individual authentication; then m participants need 5·m(m − 1)/2 messages to authenticate each other pairwise. However, it costs only 2m messages for m participants to finish group authentication: m for showing the tokens and m for issuing the decision. In terms of computation overhead our proposed group authentication scheme also outperforms individual authentication. Individual authentication requires each participant to verify every other participant, so its complexity is O(m) per participant, whereas our group authentication scheme needs only one batch verification to determine whether there is any invalid participant, with complexity O(1).

Comparison with Other Group Authentication.
Our scheme is based on multidimensional sphere reconstruction theory rather than on any mathematical hard problem. Its computation overhead is lighter than batch verification based on public key algorithms, since it involves neither bilinear pairings nor exponentiation. The main cost of our scheme is the calculation of high-order determinants, whose order depends on the number of participants. Regarding the efficiency of that calculation, Wiedemann [19] gave a probabilistic method with complexity $O((t+1)(\omega + (t+1)\log(t+1)))$ for a determinant of order $t+1$, where $\omega$ is the number of nonzero matrix entries over the Galois field. When $m$ ($t < m < n$) participants join the group authentication, $m - t$ determinants have to be computed, so the complexity of our proposed scheme is $O((m-t)(t+1)(\omega + (t+1)\log(t+1)))$.
Compared with other group authentication schemes based on secret sharing theory, our scheme shows better efficiency, parallelization and accuracy, as shown in Table 2. Harn's scheme uses k different polynomials of degree $t-1$ to generate k tokens; the secret is magnified k times and the information rate is $\rho = \log_2 |S| / \log_2 |K| < 1$, where S is the secret and K is the set of secret shares. Besides, the threshold t is restricted by the number of polynomials and the total number of members, i.e.,  >  − 1, in order to guarantee security. For instance, if there are 1000 members and Harn's

Figure 1: The class diagram of entities in the communication network.

Figure 2: The detailed process diagram of asynchronous group authentication.