Multiuser Message Authentication, Application to Verifiable Secret Sharing and Key Management Schemes

Providing authentication for the messages exchanged among a group of users is an important issue in secure group communication. We develop multiuser authentication schemes with perfect protection against colluding malicious users numbering fewer than k, where all the n users are allowed to be senders (simultaneously with being receivers). In our scheme each user is required to store secret information of size 2k log_2 q bits, and the tags used to authenticate messages are of length k log_2 q bits. We use this to obtain, in the setting in which the participants are allowed to employ previously distributed private keys, a non-interactive verifiable secret sharing scheme for multiple dealers, in which shares reveal no information about the secret and dealers cannot deal inconsistent shares. We also provide authentication for the group key management schemes proposed by Blundo et al. and Fiat-Naor without incurring extra storage cost.


Introduction
In a conventional point-to-point authentication system [29], a sender wants to send a message over a public channel to a receiver. In a telephone conversation a separate channel is available for communication, so no authentication is required. In applications such as Internet-based video conferencing, board meetings and scientific discussions, several users may need to communicate securely over a broadcast channel. An active attacker may try to perform an impersonation attack or a substitution attack. To protect against such attacks, the sender and receiver use an authentication code.
In [23], an authentication scheme is developed which enables all the users in the group to verify the intended sender, so that no one can cheat the others in the group by claiming to be a different entity. An authentication code is generated and sent along with the message by the sender, and the receivers use it to verify the authenticity of the received message. The system comprises a set of N users {u_1, u_2, . . . , u_N} and a trusted KDC. At the outset, the KDC generates keys and gives them to all the users in the system securely. Any set of users in the system must be able to broadcast a message to all the other users, who individually verify the authenticity of the received message. Users in the system do not trust each other and may collude to construct fraudulent messages in an impersonation attack. The objective of this paper is to develop a system providing perfect protection against such attacks.
To protect such a system, a set of conventional point-to-point authentication systems can be used, in which each pair of users is given a shared key. To broadcast an authenticated message, a user constructs a separate authentication tag for every other user, concatenates them and appends the result to the message. This method increases the amount of key storage at each user (N − 1 keys) and produces a very long authentication tag for the message (N − 1 tags), which results in high communication cost.
Desmedt, Frankel and Yung consider the problem with a single transmitter (fixed sender) in [12] and provide a solution: a trusted KDC distributes secret key information to all the users in the system. When the transmitter broadcasts a message to the N receivers, they individually verify the authenticity of the message using their secret key information. There may be malicious groups of receivers, each of size less than k, who use their secret keys and all the previous communications in the system to construct fraudulent messages. Bounds and constructions for multi-receiver authentication codes are given in [15], [17], [25], [24].
Safavi-Naini and Wang considered extensions of the scheme of Desmedt et al. [12] in [26], [27] and [25]. In [26] and [25], they relaxed the restriction that the sender be fixed beforehand: instead, any one of the users may become the sender after the initial key distribution by the trusted KDC. They call this the case of the dynamic sender. They showed (Theorem 3.2, [26]) that in any such scheme with perfect protection, the secret key information at each user and the authentication tag sent along with the message cannot be smaller than 2k log_2 q bits and k log_2 q bits respectively, and they presented a scheme meeting these bounds. Here q is a prime power such that q ≥ the size of the message space.
In [27] the authors dropped the restriction to a single sender and proposed a scheme for the situation with t (t > 0) senders. This scheme uses symmetric polynomials in two variables over GF(q) and is developed from Blom's key distribution scheme [6]. Here the size of the secret key information at each user, and of the authentication tag for a message, grow linearly with t.
In this paper we continue to consider the setup of [26], [27], and we drop the restriction on the number of senders: any subset of the N users P_1, P_2, . . . , P_N, or all of them, may broadcast messages. A group of malicious parties numbering fewer than k (where k is the threshold) may collude and try to launch an impersonation attack (using their secret keys and all previous communications) against a pair, say P_i and P_j, by generating a message that P_j accepts as authentic and as sent by P_i. We develop schemes in which perfect protection is guaranteed against such attacks.
In our schemes, the secret storage required at each user and the size of the authentication tag sent with a message do not depend on the number of senders, as they do in [27]. In fact these sizes meet the lower bounds of Theorem 3.2 of [26] quoted above, which was proved for the case of a single (dynamic) sender. We present a scheme in which, for given k and N, each party is required to store secret information of size 2k log_2 q bits, and the size of an authentication tag is k log_2 q bits. (Here we assume that k and N are such that the size of the message space is at least 2kN.) In this scheme each party is also required to store a further 8(N − 1)k log_2 q bits of information, which need not be guarded against exposure: the security of the scheme is indifferent to exposure of this further information, either to an adversary or to the other participants.
We begin by treating the case k = 2 separately, with a scheme in which the total storage at each participant is 4 log_2 q bits (all of which is to be held secret from the adversary and the other participants) and the size of the authentication tag is 2 log_2 q bits, with no further public information. We are unable to generalize the approach leading to this scheme to the case of arbitrary k. Hence for arbitrary k we present the alternate scheme described above.
All our schemes are algebraic in nature, and involve suitably distributing the evaluations and/or coefficients of polynomials in a single variable. It may be recalled that the algebraic constructions of [12] also involve polynomials in a single variable, while those of [26], [27] involve polynomials in two variables. Our scheme can be combined with the scheme proposed by Blundo et al. in [8] to obtain secure dynamic conferencing.
We also present an application of our scheme to Verifiable Secret Sharing [14], [22]. In the setting of [14], [22], it is shown that it is not possible to satisfy the following requirements simultaneously: the dealers should be able to deal shares of their secrets to the other participants without exposing any information about these secrets, and at the same time every k participants who have verified the shares they received as correct should recover the (same) secret from their shares. We show that allowing the participants to possess private key information (which may be distributed at the outset by a trusted KDC) permits both requirements to be satisfied.
We organize the paper as follows. The model used in the scheme is discussed in Section II; we discuss the case k = 2 in Section III and present the scheme for arbitrary k in Section IV. We present an application of our scheme to Verifiable Secret Sharing in Section V. In Section VI we discuss providing authentication for the group key management schemes proposed by Blundo et al. [8] and Fiat-Naor [2]. We conclude the paper in Section VII.

Model
The system comprises a trusted KDC and N users, say P_1, P_2, . . . , P_N, who want to communicate over a broadcast channel. Any of the N users can broadcast a message to all the other users in the system, who individually verify the authenticity of the received message; hence all N users act as both senders and receivers. The channel is subject to active attack: an attacker may try to perform an impersonation attack or a substitution attack. Also, users in the system may not trust each other; some users may collude to construct fraudulent messages. The scheme developed provides perfect protection against collusion of fewer than k (the threshold) members, where senders and receivers use an authentication code to verify the authenticity of the messages received.
The scheme comprises three phases:
1. Key Distribution: The trusted KDC picks private key information and distributes it to all the users securely.
2. Broadcast: The sender broadcasts a message to all the other users in the system, along with an authentication tag.
3. Verification: Each user verifies the authenticity of the message broadcast by the sender.

A scheme for the case k = 2
Key distribution: A trusted KDC picks at random two
Verification: On receiving (α, β, s), P_j finds the polynomial of degree 2 taking the value α at x = 2i − 1, β at x = 2i, and F_A(2j − 1) + sF_B(2j − 1) at x = 2j − 1. P_j accepts the message as authentic and as sent by P_i if this polynomial takes the value F_A(2j) + sF_B(2j) at x = 2j.
Size of secret information: Each participant stores 4 values from GF(q), so the size of the secret information at each participant is 4 log_2 q bits.
Proof of security: is a malicious participant who, while sending a message s′, wishes to appear as P_i to the receiver P_j. Since P_i is claimed to be the origin of the transmission, the receiver P_j, in order to verify the authenticity of the message, expects the value of the polynomial
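The k = 2 scheme above, as an added example that is not part of the paper. The key-distribution step survives only as a fragment here, so the example assumes, as the verification step implies, that the KDC picks two random polynomials F_A and F_B of degree 2 over GF(q) (q = p prime in the example) and hands P_i the four values F_A(2i − 1), F_A(2i), F_B(2i − 1), F_B(2i); the tag for s is F_A + sF_B at the sender's two points, and P_j's check is the one stated in the text. The forgery routine enumerates what a single colluder P_m (fewer than k = 2) can produce: it knows F_A + s′F_B at its own two points only, so each guess of the value at 2i − 1 yields one candidate tag, and P_j accepts exactly one of the q candidates. Function names, the small prime p and the seed are the example's own.

```python
import random


def poly_eval(coeffs, x, p):
    """Evaluate c0 + c1 x + c2 x^2 (coefficients ascending) mod p."""
    return sum(c * pow(x, e, p) for e, c in enumerate(coeffs)) % p


def interpolate(points, x0, p):
    """Value at x0 of the unique polynomial of degree < len(points) through the points (Lagrange)."""
    total = 0
    for xa, ya in points:
        num = den = 1
        for xb, _ in points:
            if xb != xa:
                num = num * (x0 - xb) % p
                den = den * (xa - xb) % p
        total = (total + ya * num * pow(den, -1, p)) % p
    return total


def kdc_setup(n, p, seed):
    """Assumed key distribution (the paper's text is cut off at this point): two random degree-2
    polynomials F_A, F_B over GF(p); P_i gets {2i-1: (F_A, F_B), 2i: (F_A, F_B)} at those points."""
    rng = random.Random(seed)
    F_A = [rng.randrange(p) for _ in range(3)]
    F_B = [rng.randrange(p) for _ in range(3)]
    return {i: {x: (poly_eval(F_A, x, p), poly_eval(F_B, x, p)) for x in (2 * i - 1, 2 * i)}
            for i in range(1, n + 1)}


def tag(keys, i, s, p):
    """Broadcast: (alpha, beta) = values of F_A + s F_B at 2i-1 and 2i; (alpha, beta, s) goes out."""
    return tuple((fa + s * fb) % p for fa, fb in (keys[i][2 * i - 1], keys[i][2 * i]))


def verify(keys, i, j, s, t, p):
    """P_j: the degree-2 polynomial through (2i-1, alpha), (2i, beta) and its own point 2j-1
    must take P_j's own value at 2j (the check stated in the paper)."""
    alpha, beta = t
    own = {x: (fa + s * fb) % p for x, (fa, fb) in keys[j].items()}
    pts = [(2 * i - 1, alpha), (2 * i, beta), (2 * j - 1, own[2 * j - 1])]
    return interpolate(pts, 2 * j, p) == own[2 * j]


def forgery_candidates(keys, m, i, s_fake, p):
    """Single colluder P_m (fewer than k = 2) impersonating P_i with message s': it knows
    H = F_A + s' F_B only at 2m-1 and 2m, so each guess of H(2i-1) gives one candidate tag."""
    known = [(x, (fa + s_fake * fb) % p) for x, (fa, fb) in keys[m].items()]
    return [(g, interpolate(known + [(2 * i - 1, g)], 2 * i, p)) for g in range(p)]
```

Changing α alone is always caught: the polynomial P_j reconstructs then differs from the honest one by a nonzero multiple of (x − 2i)(x − 2j + 1), which does not vanish at 2j since j ≠ i. The colluder's q candidates and the q tag pairs P_j would accept meet in exactly one point, the honest tag, which is the 1/q success probability perfect protection refers to.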

A scheme for arbitrary k
Key distribution: The trusted KDC fixes the security parameter in other words, such that It then determines the value β_{i,j} taken by the polynomial is a polynomial of degree 2k over GF(q), α_{i,j} (therefore also β_{i,j}) may be taken to be elements of GF(q^{2k}).) It publicly sends to P_i the values (Thus any participant could find out all the α_{i,j}'s and β_{i,j}'s.)
Broadcast: P_i, in order to send a message s, broadcasts (a_i1 + sb_i1, a_i2 + sb_i2, . . . , a_ik + sb_ik, s).
Verification: In effect P_i has broadcast the message s and the polynomial F_{s,i}(x) = A_i(x) + sB_i(x). On receiving this, P_j forms the polynomial x^k F_{s,i}(x) + A_j(x) + sB_j(x) using its secret information (which, in effect, consists of the polynomials A_j(x) and B_j(x)). It verifies that this polynomial evaluates to 1 + sβ_{i,j} at x = α_{i,j}, which will indeed be the case, since
Size of secret information: This comes to 2k log_2 q bits of secret information. P_i also has to store the 4(N − 1) elements (α_{i,j}, α_{j,i}, β_{i,j}, β_{j,i}) ∈ GF(q^{2k}), j ∈ {1, . . . , N} \ {i}, but these need not be guarded against exposure. This is a further 8(N − 1)k log_2 q bits.
Proof of security: , is a group of malicious receivers who wish to impersonate P_i while sending the message s′ to P_j. In order to do so, they need to determine the k coefficients of the polynomial F_{s′,i}(x). The secret information they possess between them corresponds to the conditions for r = 1, . . . , k − 1. Since these fix the evaluations of x^{−1}F_{s′,i}(x), which is known only to be a polynomial of degree k − 1 on whose coefficients there are no further restrictions, at only k − 1 points, they determine only a set of q polynomials (of degree k − 1) to which x^{−1}F_{s′,i}(x) belongs.

Application to Verifiable Secret Sharing
Suppose that in a group of N users some users (called dealers) have secrets, and each dealer wishes to distribute his secret as shares to the remaining users. Since the users do not trust each other completely, they insist on being able to verify (without talking to the dealer or the other users) that the shares they receive are consistent. That is, for every secret, if any k users have each verified their corresponding shares as correct, then these shares should reconstruct that secret. At the same time, the dealer would like to create shares each of which reveals no information about the secret.
Schemes achieving this, called (non-interactive) Verifiable Secret Sharing schemes, were first investigated in [14] and [22]. While in the scheme of [14] an infinitely powerful adversary can learn the secret by listening to the broadcast information, in the scheme of [22] an infinitely powerful dealer can compute inconsistent shares.
Motivated by this it is natural to seek, as Pedersen points out in [22], a non-interactive verifiable secret sharing scheme satisfying the following requirements: 1. No information about the secret is revealed, and 2. Even an infinitely powerful dealer cannot compute inconsistent shares.
But he shows that it is impossible to construct such a scheme in the setting he considers.
In particular, in that setting the users have no prior private information apart, possibly, from the secrets which they wish to share. Here we change the setting to allow a trusted KDC to distribute private keys to the users at the outset. (While distributing these keys the KDC has no knowledge of the secrets which some of the users may later decide to share, and it has no further role after this key distribution phase.) We ask whether users who later have secrets they wish to distribute can take advantage of the private keys they possess in order to construct shares satisfying requirements (1) and (2).
They can do this in a simple way, using the message authentication codes presented in the previous section. The dealer determines the shares of the secret using Shamir's secret sharing scheme [28] and sends each user, in secret, his share along with the authentication tag computed by treating the share as a message. That (1) is satisfied is obvious. That (2) is satisfied amounts to saying that substitution attacks on the underlying authentication code fail, which we have already shown in the previous section.
Let us outline our proposal in detail. For each i, i = 1, . . . , N, the trusted KDC picks at random the 2k elements a_i1, a_i2, . . . , a_ik, b_i1, b_i2, . . . , b_ik and sends them to P_i in secret. Denote by A_i(x) the polynomial a_i1 x^k + a_i2 x^{k−1} + · · · + a_ik x, and by B_i(x) the polynomial and determines the value β_{i,j} taken by the polynomial After this the KDC has no further role. Suppose that, at a later point in time, a user P_i has a secret s which it wishes to share. It determines N shares s_1, s_2, . . . , s_N using Shamir's (N, k) threshold secret sharing scheme [28] and sends to P_j, j = 1, . . . , N, On receiving this, P_j forms the polynomial x^k F_{s_j,i}(x) + A_j(x) + s_j B_j(x) using its secret information, and verifies that this polynomial evaluates to 1 + s_j β_{i,j} at x = α_{i,j}.
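The arbitrary-k scheme of Section IV and its use for dealing authenticated Shamir shares in Section V, as one added example that is not the paper's code. It fills in the relations the damaged text leaves implicit, which is an assumption of the example but is what the verification equation needs: α_{i,j} is a root of x^k A_i(x) + A_j(x) − 1 and β_{i,j} = α_{i,j}^k B_i(α_{i,j}) + B_j(α_{i,j}), so that x^k F_{s,i}(x) + A_j(x) + sB_j(x) equals 1 + sβ_{i,j} at α_{i,j} for the honest tag. Two further simplifications are the example's own: q is a small prime p, and every α_{i,j} is taken in GF(p) itself (the paper allows GF(q^{2k})), found by brute force, with the keys resampled until every ordered pair has such a root and the α_{i,j} are distinct for a fixed i. With α_{i,j} in the base field each colluder's condition is exactly one GF(p) evaluation of x^{−1}F_{s′,i}(x), which is how the proof of security counts; forgery_candidates enumerates the q candidates left to a single colluder when k = 2, and P_j accepts only one of them. deal and reconstruct are Shamir's scheme [28] with each share tagged as a message, as Section V describes. Function names and seeds are hypothetical.

```python
import random


def poly_eval(coeffs, x, p):
    """c1 x^k + c2 x^(k-1) + ... + ck x (the paper's zero-constant-term form) mod p, by Horner."""
    acc = 0
    for c in coeffs:
        acc = (acc * x + c) % p
    return acc * x % p


def kdc_setup(n, k, p, seed):
    """Key distribution: secret (A_i, B_i) per user and public (alpha_ij, beta_ij) per ordered pair.
    alpha_ij is a root of x^k A_i(x) + A_j(x) - 1 and beta_ij = alpha^k B_i(alpha) + B_j(alpha)
    (what the verification equation needs).  Example's assumptions: q = p prime; roots are found by
    brute force in GF(p) itself and keys are resampled until every pair has one, distinct per i."""
    rng = random.Random(seed)
    while True:
        keys = {i: ([rng.randrange(p) for _ in range(k)], [rng.randrange(p) for _ in range(k)])
                for i in range(1, n + 1)}
        pub, ok = {}, True
        for i in keys:
            used = set()
            for j in keys:
                if i == j:
                    continue
                (A_i, B_i), (A_j, B_j) = keys[i], keys[j]
                roots = [x for x in range(1, p) if x not in used and
                         (pow(x, k, p) * poly_eval(A_i, x, p) + poly_eval(A_j, x, p) - 1) % p == 0]
                if not roots:
                    ok = False
                    break
                alpha = roots[0]
                used.add(alpha)
                beta = (pow(alpha, k, p) * poly_eval(B_i, alpha, p) + poly_eval(B_j, alpha, p)) % p
                pub[(i, j)] = (alpha, beta)
            if not ok:
                break
        if ok:
            return keys, pub


def tag(keys, i, s, p):
    """Broadcast: the k coefficients of F_{s,i}(x) = A_i(x) + s B_i(x), sent together with s."""
    A_i, B_i = keys[i]
    return [(a + s * b) % p for a, b in zip(A_i, B_i)]


def verify(keys, pub, i, j, s, t, p):
    """P_j: x^k F_{s,i}(x) + A_j(x) + s B_j(x) must equal 1 + s beta_ij at x = alpha_ij."""
    A_j, B_j = keys[j]
    alpha, beta = pub[(i, j)]
    k = len(A_j)
    lhs = (pow(alpha, k, p) * poly_eval(t, alpha, p)
           + poly_eval(A_j, alpha, p) + s * poly_eval(B_j, alpha, p)) % p
    return lhs == (1 + s * beta) % p


def forgery_candidates(keys, pub, i, m, s_fake, p):
    """Proof of security for k = 2: colluder P_m's own verification condition fixes
    G(x) = x^{-1} F_{s',i}(x) = c1 x + c2 at the single point alpha_im, leaving p candidates."""
    A_m, B_m = keys[m]
    alpha, beta = pub[(i, m)]
    assert len(A_m) == 2, "enumeration written for k = 2"
    f_alpha = ((1 + s_fake * beta - poly_eval(A_m, alpha, p) - s_fake * poly_eval(B_m, alpha, p))
               * pow(alpha, -2, p)) % p          # alpha^k F(alpha) = 1 + s' beta - A_m(alpha) - s' B_m(alpha)
    g_alpha = f_alpha * pow(alpha, -1, p) % p    # G(alpha) = F(alpha) / alpha
    return [[c1, (g_alpha - c1 * alpha) % p] for c1 in range(p)]


def deal(keys, i, secret, k, p, seed):
    """Section V: dealer P_i computes Shamir (N, k) shares s_j = f(j), f(0) = secret, deg f = k - 1,
    and sends P_j the pair (tag on s_j, s_j) in secret."""
    rng = random.Random(seed)
    f = [secret] + [rng.randrange(p) for _ in range(k - 1)]      # ascending coefficients of f
    shares = {}
    for j in keys:
        if j != i:
            s_j = sum(c * pow(j, e, p) for e, c in enumerate(f)) % p
            shares[j] = (tag(keys, i, s_j, p), s_j)
    return shares


def reconstruct(points, p):
    """Lagrange interpolation at x = 0 from k verified shares (j, s_j)."""
    secret = 0
    for xa, ya in points:
        num = den = 1
        for xb, _ in points:
            if xb != xa:
                num = num * (-xb) % p
                den = den * (xa - xb) % p
        secret = (secret + ya * num * pow(den, -1, p)) % p
    return secret
```

Tampering with any tag coefficient is always detected, since α_{i,j} ≠ 0 makes the change visible in the evaluation. Note also that the tag is affine in s: two tags from P_i under different messages determine A_i and B_i, so, as with other unconditionally secure authentication codes of this form, a key pair is for a single message.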

Secure Authentic Communication
Providing authentication for the messages exchanged between group members, in addition to confidentiality, is an important issue in secure group communication (SGC). Several group key management techniques have been proposed [8, 11, 9, 30, 19, 3, 20, 2, 18, 4, 1, 21, 13, 10, 7, 5]. All these schemes address computation of a group key for confidential communication among the group members. Among them, we consider two: the scheme proposed by Blundo et al. [8] and the one proposed by Fiat and Naor [2], and we provide secure authentic group communication by using the authentication scheme we have developed.

Blundo et al. Authentic SGC Scheme
In [8], a non-interactive protocol is developed to derive a common group key for secure communication. It provides only confidentiality of the messages exchanged between the users of the secure group. Here we apply the authentication scheme developed above to the protocol of [8]. Used directly, our multiparty authentication scheme would require each user to store a further 3k log_2 q bits of secret information, an extra storage cost. To avoid it, our scheme reuses part of the information the users already hold for group key computation in the Blundo et al. conference keying protocol. So no extra information is generated and communicated by the KDC to the users in order to provide authenticity, and no extra storage is required at the users.
Our Secure Authentic Communication scheme comprises seven phases: Polynomial Selection, Key Distribution, Polynomial Construction for Authentication, Computation of α_{i,j} and β_{i,j}, Group Key Computation, Secure Authentic Communication and Verification.
The Blundo et al. [8] non-interactive group keying protocol is given in Appendix A. In order for the users in the secure group to communicate with confidentiality and authenticity, we combine the features of our authentication scheme with those of the Blundo et al. [8] group keying protocol. Figure 1 demonstrates the secure authentic group communication for a group with t users.
In the protocol each user u_i, i = 1, . . . , N, is required to store in secret f_i(x_2, . . . , x_t), and picks the 2k elements for authentication from the coefficients of this polynomial itself. The protocol specifies that u_i picks 2k coefficients sequentially, in cyclic order, starting from the i-th coefficient of the polynomial: u_1 picks coefficients 1 to 2k, u_2 picks coefficients 2 to 2k + 1, and so on. This convention serves two purposes. First, no two users construct the same polynomials A(x) and B(x), i.e., for every two users u_i and . Second, it lets the KDC construct the polynomials A(x) and B(x) for each user and compute the values α_{i,j} and β_{i,j} for each ordered pair (i, j), i ≠ j, which reduces the computational burden on the users.
. . . , N} \ {i, j} collude and try to impersonate u_i while sending a message to u_j, then u_j rejects the forged message, as per the proof of security in Section IV. Hence the scheme is secure against collusion of fewer than k malicious parties and provides confidential authentic communication between group members, which is appropriate for applications like scientific discussions and board meetings.
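The Blundo et al. steps above (Polynomial Selection, Key Distribution, Group Key Computation, and the cyclic choice of 2k coefficients), as an added example that is not from the paper or from [8]. It represents the symmetric polynomial by one coefficient per sorted exponent tuple, gives u_i the coefficient table of f_i(x_2, . . . , x_t) = P(i, x_2, . . . , x_t), and derives both the group key and the authentication coefficients (a_i1, . . . , a_ik, b_i1, . . . , b_ik) from that table. The ordering of the table (by exponent tuple), the prime modulus and the seed are assumptions of the example; the tag and verification steps are those of Section IV and are not repeated here.

```python
import itertools
import random


def symmetric_poly(t, k, p, seed):
    """Polynomial Selection (Blundo et al., Appendix A): a random polynomial P(x_1, ..., x_t) of
    degree k in each variable over GF(p), symmetric because one coefficient is stored per sorted
    exponent tuple.  Assumption of the example: q = p is prime and p > N."""
    rng = random.Random(seed)
    return {e: rng.randrange(p) for e in itertools.combinations_with_replacement(range(k + 1), t)}


def eval_sym(P, point, k, p):
    """P(x_1, ..., x_t): every exponent tuple (e_1..e_t) uses the coefficient of its sorted form."""
    total = 0
    for exps in itertools.product(range(k + 1), repeat=len(point)):
        term = P[tuple(sorted(exps))]
        for x, e in zip(point, exps):
            term = term * pow(x, e, p) % p
        total = (total + term) % p
    return total


def user_share(P, i, t, k, p):
    """Key Distribution: u_i's secret is f_i(x_2, ..., x_t) = P(i, x_2, ..., x_t), as a table
    {(e_2, ..., e_t): coefficient}, i.e. the (k+1)^(t-1) elements of GF(p) each user stores."""
    f = {}
    for rest in itertools.product(range(k + 1), repeat=t - 1):
        f[rest] = sum(P[tuple(sorted((e1,) + rest))] * pow(i, e1, p) for e1 in range(k + 1)) % p
    return f


def group_key(f_i, others, p):
    """Group Key Computation: u_i evaluates f_i at the ids of the other t-1 members,
    which gives P(j_1, ..., j_t) for every member because P is symmetric."""
    total = 0
    for exps, c in f_i.items():
        for x, e in zip(others, exps):
            c = c * pow(x, e, p) % p
        total = (total + c) % p
    return total


def auth_polynomials(f_i, i, k):
    """Polynomial Construction for Authentication: 2k coefficients of f_i taken cyclically,
    starting at the i-th one, as (a_i1..a_ik) for A_i(x) and (b_i1..b_ik) for B_i(x).
    Assumption: the table is ordered by exponent tuple, so 'the i-th coefficient' is well defined."""
    coeffs = [f_i[e] for e in sorted(f_i)]
    assert len(coeffs) >= 2 * k, "f_i must have at least 2k coefficients"
    picked = [coeffs[(i - 1 + r) % len(coeffs)] for r in range(2 * k)]
    return picked[:k], picked[k:]
```

f_i has (k + 1)^{t−1} coefficients, so the cyclic pick requires (k + 1)^{t−1} ≥ 2k; for t = 3 and k = 2 there are 9 of them, and u_2 receives coefficients 2 to 5 as the text prescribes.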

Fiat-Naor Authentic SGC Scheme
Broadcast encryption is the problem of sending an encrypted message to a large user base such that it can be decrypted only by a dynamically changing privileged subset. A broadcast encryption scheme is a collection of algorithms that allows a centralized transmitter to send encrypted messages to a collection of users such that only a privileged subset of users can decrypt them [16]. This is made possible by computing a secret key known only to the members of the privileged set.
As a second key management scheme to which we add authentication, we consider the information-theoretic key management scheme proposed by Amos Fiat and Moni Naor [2]. Fiat and Naor [2] were the first to introduce broadcast encryption, and they suggested methods for securely broadcasting information to a privileged set of users: the broadcast can be decrypted only by authorized users, and a coalition of up to k other users learns no information about the secret key.
The basic scheme proposed by Fiat and Naor in [2] allows the users to determine a common key for every subset, resilient to any set S of size ≤ k, and is discussed in Appendix B. In Figure 2 we describe the protocol that adds authentication to this scheme.
Figure 1: Blundo et al. protocol with authentication.
• Polynomial Selection: The KDC picks at random a symmetric polynomial P(x_1, . . . , x_t) of degree k in t variables whose coefficients are from GF(q), with q > N prime.
• Polynomial Construction for Authentication: Each user u_i, i = 1, . . . , N, picks 2k elements sequentially, in cyclic order starting from the i-th coefficient, from the coefficients of the polynomial distributed to it by the KDC in the Key Distribution step. Denote these coefficients by a_i1, a_i2, . . . , a_ik and b_i1, b_i2, . . . , b_ik; u_i constructs the polynomials
• Computation of α_{i,j} and β_{i,j}: The KDC also constructs the polynomials A_i(x) and B_i(x) for each user u_i, i = 1, . . . , N, as in the previous step. For each ordered pair (i, j), i ≠ j, it determines α_{i,j} satisfying the equation and determines the value β_{i,j} taken by the polynomial
• Group Key Computation: If the users u_{j1}, . . . , u_{jt} want to set up a group key, each user u_{ji} evaluates f_{ji}(x_2, . . . , x_t) at (x_2, . . . , x_t) = (j_1, . . . , j_{i−1}, j_{i+1}, . . . , j_t). The group key for the users u_{j1}, . . . , u_{jt} is BK = P(j_1, . . . , j_t).
• Secure Authentic Communication: If u_i wants to send a message m securely, it broadcasts (a_i1 + mb_i1, a_i2 + mb_i2, . . . , a_ik + mb_ik, E_BK(m)), i.e., it broadcasts the polynomial F_{m,i}(x) = A_i(x) + mB_i(x) along with the encrypted message.
• Verification: Upon receiving this, u_j first decrypts E_BK(m) using the group key BK to obtain the message m. Then u_j constructs the polynomial x^k F_{m,i}(x) + A_j(x) + mB_j(x) and verifies that it evaluates to 1 + mβ_{i,j} at x = α_{i,j}. Hence u_j has verified the authenticity of the sender u_i.

Figure 2: Fiat-Naor protocol with authentication.
• Computation of α_{i,j} and β_{i,j}: The KDC also constructs the polynomials A_i(x) and B_i(x) for each user u_i, i = 1, . . . , N, as in the previous step. For each ordered pair (i, j), i ≠ j, it determines α_{i,j} satisfying the equation and determines the value β_{i,j} taken by the polynomial
• Key Computation by the privileged user set: Let T denote the privileged user set. The common secret key SK of the privileged set T is obtained as the exclusive-or of all keys K_B, B ⊆ U − T.
• Adding Authenticity to the Message Broadcast: If u_i wants to send a message m securely, it broadcasts (a_i1 + mb_i1, a_i2 + mb_i2, . . . , a_ik + mb_ik, E_SK(m)), i.e., it broadcasts the polynomial F_{m,i}(x) = A_i(x) + mB_i(x) along with the encrypted message.
The users construct the polynomials A(x) and B(x) for authentication from the same keys that are used for key computation. Hence no extra information is required to provide authentication, and no extra storage is incurred at the users. The KDC also constructs the polynomials A(x) and B(x) for all the users in the system, which allows it to compute the values α_{i,j} and β_{i,j} for each ordered pair (i, j), i ≠ j, reducing the computational burden on the users.
As shown in Section IV, this scheme is also secure against collusion of fewer than k malicious parties.

Conclusion and Future Work
Providing authenticity for the messages exchanged between the users in a system is an important issue in secure dynamic group communication. In this paper we have developed schemes which provide perfect protection against colluding malicious parties. In our scheme, for given k and N, each party stores secret information of size 2k log_2 q bits and the authentication tag is k log_2 q bits. We have applied our authentication scheme to verifiable secret sharing, in which the users in the system can verify the correctness of the shares they receive, and we have provided authentication for the group key management schemes proposed by Blundo et al. and Fiat-Naor without incurring extra storage cost.
As future work, the same idea can be extended to provide authentication for other group communication schemes. In all such schemes it may not be possible to provide authentication without incurring extra storage cost, but with a little extra storage authentic group communication can be made possible among the group members, and this remains to be verified.
Appendix A
The Blundo et al. non-interactive k-secure t-group protocol is as follows:
• The KDC picks at random a symmetric polynomial P(x_1, . . . , x_t) of degree k in t variables with coefficients over GF(q), q > N.
Appendix B
Fiat and Naor proposed a basic scheme which allows the users to determine a common key for every subset, resilient to any set S of size ≤ k. For a given k, each user is preassigned a set of keys such that, once the users are told which of them are in the privileged set and which are not, each user in the privileged set can construct the group key on its own. The scheme considers a set U of n users. For every set B ⊆ U with 0 ≤ |B| ≤ k, a key K_B is given to every user x ∈ U − B. Let T denote the privileged user set. The group key of the privileged set T is the exclusive-or of all keys K_B with B ⊆ U − T.
The scheme is resilient to every coalition S of up to k users outside T: all of them are missing the key K_S, so they are unable to compute the group key. Each user in the system is assigned keys, and each user performs exclusive-or operations to obtain the group key.
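The basic Fiat-Naor key assignment of Appendix B and the Key Computation step of Figure 2, as an added example that is not from the paper or from [2]. Every subset B of U with |B| ≤ k gets a key K_B that is given to each user outside B; a privileged set T derives its key as the exclusive-or of K_B over the B ⊆ U − T, which every member of T holds and which any coalition S ⊆ U − T with |S| ≤ k lacks, since K_S is missing from all of them. The 64-bit keys, the seed and the function names are the example's own assumptions; the example also shows that a coalition in U − T larger than k does obtain the key, which is the stated bound.

```python
import itertools
import random


def fiat_naor_setup(users, k, seed):
    """KDC: for every B subset of U with |B| <= k, a key K_B is given to every user outside B.
    Returns {B: K_B} (the KDC's view) and {x: {B: K_B}} (what each user x stores).
    Assumption of the example: keys are random 64-bit values."""
    rng = random.Random(seed)
    U = sorted(set(users))
    all_keys = {}
    for size in range(k + 1):
        for B in itertools.combinations(U, size):
            all_keys[frozenset(B)] = rng.getrandbits(64)
    per_user = {x: {B: K for B, K in all_keys.items() if x not in B} for x in U}
    return all_keys, per_user


def privileged_key(user_keys, U, T, k):
    """Key Computation by a privileged user: XOR of K_B over every B subset of U - T, |B| <= k.
    Returns None if one of those keys is missing, i.e. the holder of user_keys is inside some B."""
    excluded = sorted(set(U) - set(T))
    key = 0
    for size in range(k + 1):
        for B in itertools.combinations(excluded, size):
            K = user_keys.get(frozenset(B))
            if K is None:
                return None
            key ^= K
    return key


def coalition_key(coalition_keys, U, T, k):
    """A coalition S outside T pools its key sets.  With |S| <= k the subset B = S is excluded
    from every member's set, so K_S is missing and the group key stays out of reach."""
    pooled = {}
    for keys in coalition_keys:
        pooled.update(keys)
    return privileged_key(pooled, U, T, k)
```

Each user stores one key for every subset of the other users of size at most k, so the per-user storage grows with the number of such subsets; the resilience bound k is exactly the size at which a coalition of outsiders first stops being covered by a single excluded set.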