CN105071938A - Group authentication method based on threshold secret sharing - Google Patents

Abstract

The invention discloses a group authentication method based on threshold secret sharing. The group authentication method comprises the following steps of marking n group members as [Ui, i=1,2,...,n]; generating and distributing two secret shares (s1i,s2i) by a secret distributor SD for each group member Ui by means of a (t,n) threshold secret sharing solution; generating and distributing 2*(t-1) secret shares (s1i,s2i) for a group authentication server AS, i=n+1,..., n+t-1; in authentication, if authentication to m users is required, generating two tokens by each authenticated user Ui by means of the secret shares (s1i,s2i) of his own; and performing unified authentication or one-by-one authentication on m users to be authenticated by the group authentication server. The group authentication method can be used for verifying whether all users are legal in one time, and furthermore can quickly and effectively determine all non-group-members on condition that non-group-members exist.

Description

A kind of group authentication method based on threshold secret sharing

Technical field

The present invention relates to field of information security technology, particularly relate to a kind of group authentication method based on threshold secret sharing.

Background technology

At present, (t, n) basic thought of threshold secret sharing is that a Secret sharing is become n secret shadow, and each share is distributed to a participant, only have the individual or t of t (t≤n) above participant's cooperation could Restore Secret, being less than t participant cannot Restore Secret, and wherein t is threshold value.(t, n) threshold secret sharing scheme has a variety of implementation, and what be wherein most widely used is exactly Shamir secret sharing scheme:

Program supposition D is secret distributor, and n is the number of participant, and t is threshold value, and p is Big prime and much larger than n; Secret space and share space are finite field gf (p), and (t, n) threshold secret sharing scheme of Shamir is divided into two parts:

Part I, secret distribution phase:

(1) t-1 order polynomial f (x): f (the x)=a on secret distributor D Stochastic choice GF (p) _t-1x ^t-1+ ... + a ₂x ²+ a ₁x+a ₀modp, wherein a ₀=f (0)=s, s is secret, and f (x) maintains secrecy by D;

(2) D selects n mutually different nonzero element x in finite field gf (p) _l, x ₂..., x _n, calculate s _i=f (x _i), 1≤i≤n.

(3) by s _i, (l≤i≤n) key distribution is to participant U _i, value x _iu _ipublic information, s _ifor U _isecret shadow.

Part II, secret reconstruction stage:

Any m, (n>=m>=t), individual participant, such as, { U ₁, U ₂..., U _m, their secret shadow { s can be utilized _l, s ₂..., s _mby Lagrange interpolation formula modp calculates f (0) and recovers shared secret s.

Further, based in the scheme of threshold secret sharing, group certification is in order to verify whether a user belongs to certain predefined group, and of the prior art group of certificate scheme is:

(1) secret shadow generates:

Suppose total n group membership, be designated as { U _i| i=1,2 ..., n}, Group administrators selects the individual t-1 order polynomial of k (kt>n-1) on GF (p), f _l(x), l=1,2 ..., k, wherein p is Big prime, utilizes k multinomial to each participant U _igenerate k secret shadow f _l(x _i), l=1,2 ..., k, wherein x _i, i=1,2 ..., k is public information.For arbitrary secret s, keeper finds k to (w _j, d _j), j=1,2 ... k, order open w _j, d _j, j=1,2 ... k, and the one-way Hash value H (s) of s, wherein H (.) is an one-way Hash function.

(2) secret reconstruct:

In authentication phase, if there be m user to participate in certification, each user U _i, i=1,2 ... m utilizes k the secret shadow of oneself to generate token $c_i={\mathrm{\Σ}}_{j=1}^k{d}_j{f}_j\left(x_i\right){\Π}_{r=1,r\≠i}^m(w_j-x_r)/(x_i-x_r)\mathrm{mod}p$ And token is distributed to other participants, member collects a neat m c _icalculate afterwards if H (s)=H (s '), then m member is all legal; If H (s) ≠ H (s '), illegal member must be had in group.

In above-mentioned group of verification process, Group administrators will select k multinomial and generate k secret shadow for each group membership, the size of k is limited by thresholding t and total group membership's number n simultaneously, i.e. kt>n-1, thus scheme underaction, also makes the distribution procedure of multinomial management and secret shadow complicated simultaneously; In addition, whether the program can all users of disposable checking be all legal group membership, but if there is disabled user (non-group membership) to exist, the program cannot determine its quantity, more cannot determine concrete disabled user.Just because of the scheme multinomial complex management of above-mentioned prior art and do not have to solve the problem of non-group membership of finding fast, make such scheme can only be applied to the preliminary treatment in early stage of group certification, its range of application and practicality reduce greatly.

Summary of the invention

The object of this invention is to provide a kind of group authentication method based on threshold secret sharing, utilize the method not only can all users of disposable checking whether all legal, can also fast and effeciently determine all non-group memberships when there being non-group membership to exist.

Based on a group authentication method for threshold secret sharing, described method comprises:

N group membership is designated as { U _i| i=1,2 ..., n};

Utilize (t, n) threshold secret sharing scheme to each group membership U by secret distributor SD _igenerate and distribute two secret shadow (s _1i, s _2i), i=1,2 ..., n;

Generate to group certificate server AS and distribute the individual secret shadow (s of 2* (t-1) _1i, s _2i), i=n+1, n+2 ..., n+t-1, and generate two secret s _a, s _b, wherein, s _a=f ({ s _1i| i ∈ I _h), s _b=f ({ s _2i| i ∈ I _h), f is secret reconstruction function, I _hfor 1,2 ..., the subset comprising h element of n}, wherein t<=h<=n; With seasonal s ₁and s ₂be respectively s _aand s _blinear combination;

Secret distributor discloses several to (a ₁, b ₁), (a ₂, b ₂), and s ₁, s ₂one-way Hash value H (s ₁), H (s ₂);

When carrying out certification, if group certificate server needs to carry out certification to m user, then each certified user U _iutilize the secret shadow s of oneself _1i, s _2igenerating 2 tokens is:

c _1i＝g(a ₁,b ₁,s _1i,s _2i,{U _j|j∈I _m},{U _k|k＝n+1,n+2,…,n+t-1},r _1i),

C _2i=g (a ₂, b ₂, s _1i, s _2i, U _i, { U _k| k=n+1, n+2 ..., n+t-1}, r _2i); Wherein, 1≤m≤n, r _1i, r _2ifor random number, g is token generating function;

And the token of generation is submitted to group certificate server AS by overt channel;

Unified certification is carried out to a m to be certified user, to judge whether there is disabled user by group certificate server; If there is disabled user, then certification is one by one used to find out all concrete disabled users.

As seen from the above technical solution provided by the invention, utilize the method not only can all users of disposable checking whether all legal, can also fast and effeciently determine all non-group memberships when there being non-group membership to exist.

Accompanying drawing explanation

In order to be illustrated more clearly in the technical scheme of the embodiment of the present invention, below the accompanying drawing used required in describing embodiment is briefly described, apparently, accompanying drawing in the following describes is only some embodiments of the present invention, for those of ordinary skill in the art, under the prerequisite not paying creative work, other accompanying drawings can also be obtained according to these accompanying drawings.

Fig. 1 provides by the embodiment of the present invention group authentication method schematic flow sheet based on threshold secret sharing;

Fig. 2 is secret shadow distribution schematic diagram in example of the present invention.

Embodiment

Below in conjunction with the accompanying drawing in the embodiment of the present invention, be clearly and completely described the technical scheme in the embodiment of the present invention, obviously, described embodiment is only the present invention's part embodiment, instead of whole embodiments.Based on embodiments of the invention, those of ordinary skill in the art, not making the every other embodiment obtained under creative work prerequisite, belong to protection scope of the present invention.

Below in conjunction with accompanying drawing, the embodiment of the present invention is described in further detail, be illustrated in figure 1 the embodiment of the present invention group authentication method schematic flow sheet based on threshold secret sharing is provided, include a secret distributor (SD in this scenario, ShareDistributor), a group certificate server (AS, and n group membership { U AuthenticationServer), _i| i=1,2 ... n}, wherein communicated by overt channel between AS with each certified user, receive the authentication token of certified user, to complete the certification to each user, and there is safe lane between SD and AS and between SD and each member, SD distributes secret shadow by safe lane to AS and each group membership, with reference to figure 1, described group of authentication method comprises:

Step 11: carry out initialization, is designated as { U by n group membership _i| i=1,2 ..., n};

Step 12: utilize (t, n) threshold secret sharing scheme to each group membership U by secret distributor SD _igenerate and distribute two secret shadow (s _1i, s _2i), i=1,2 ..., n;

Step 13:SD generates for organizing certificate server AS and distributes the individual secret shadow (s of 2* (t-1) _1i, s _2i), i=n+1, n+2 ..., n+t-1, SD generate two secret s _a, s _b;

In this step, s _a=f ({ s _1i| i ∈ I _h), s _b=f ({ s _2i| i ∈ I _h), f is secret reconstruction function, I _hfor 1,2 ..., the subset comprising h element of n}, wherein t<=h<=n;

Step 14: make s ₁and s ₂be respectively s _aand s _blinear combination, secret distributor SD discloses several to (a ₁, b ₁), (a ₂, b ₂), and s ₁, s ₂one-way Hash value H (s ₁), H (s ₂);

In this step, with seasonal s ₁and s ₂be respectively s _aand s _blinear combination, such as s ₁=a ₁s _a+ b ₁s _b, s ₂=a ₂s _a+ b ₂s _b;

After this verification process no longer needs the participation of secret distributor SD.

Step 15: when carrying out certification, if group certificate server AS needs to carry out certification to m user, then each certified user U _iutilize the secret shadow s of oneself _1i,s _2igenerate 2 tokens;

In this step, concrete 2 tokens generated are:

c _1i＝g(a ₁,b ₁,s _1i,s _2i,{U _i|i∈I _m},{U _k|k＝n+1,n+2,…,n+t-1},r _1i),

C _2i=g (a ₂, b ₂, s _1i, s _2i, U _i, { U _k| k=n+1, n+2 ..., n+t-1}, r _2i); Wherein, 1≤m≤n, r _1i, r _2ifor random number, g is token generating function;

Step 16: the token of generation is submitted to group certificate server AS by overt channel;

Step 17: carry out unified certification to a m to be certified user by group certificate server AS, to judge whether there is disabled user, if there is disabled user, then uses certification one by one to find out concrete disabled user.

In this step, the method for specifically carrying out unified certification and certification is one by one:

First, when carrying out unified certification, group certificate server AS utilizes 2* (t-1) the individual secret shadow of oneself to generate corresponding token:

C _as=g (a ₁, b ₁, { U _i| i ∈ I _m, { (s _1k, s _2k, U _k| k=n+1, n+2 ..., n+t-1}, r _j), r _jfor random number;

Described group of certificate server utilizes formula s ₁'=f ' ({ c _1i| i ∈ I _m, c _as) calculate s ₁' and H (s ₁'), f ' is another secret reconstruction function;

If H is (s ₁)=H (s ₁'), then all authentic m users are by certification, are group membership;

If H is (s ₁) ≠ H (s ₁'), then at least there is a user is non-group membership, carries out certification one by one again, specifically comprise by described group of certificate server to all m user:

For each certified user U _iregenerate 1 token c _i=g (U _i, a ₂, b ₂, { (s _1k, s _2k, U _k| k=n+1, n+2 ..., n+t-1}, r _i), g is token generating function, r _ifor random number;

Again by described group of authentication server computes s ₂'=f ' (c _2i, c _i) and H (s ₂'), wherein f ' is secret reconstruction function;

If H is (s ₂)=H (s ₂'), then this carries out the U of certification _ibe legal group membership, otherwise be non-group membership.

By above-mentioned group authentication method, after the disposable submission token of each user, both can unify to organize certification to all users, also can carry out certification one by one to each user separately; Namely this group certificate scheme not only can all group memberships of disposable checking whether all legal, and when there being illegal member to exist, also can determine all illegal users fast.

Be described in detail to above-mentioned authentication method with concrete example below, this example is to realize above-mentioned group of certificate scheme based on Shamir ' s (t, n) threshold secret sharing, specific as follows:

First carry out initialization, in Scenario, total n group membership, is designated as { U _i| U _i∈ GF (p), U _i≠ 0, U _i≠ 1, i=1,2 ..., n}, wherein p is a Big prime, and GF (p) is a finite field.Q is another big integer, and p>nq ²+ q.

Secret distributor SD selects two t-1 order polynomials in GF (p) with a _i, b _i∈ GF (p) is each group membership U _igenerate 2 secret shadow f ₁(U _i), f ₂(U _i), i=1,2 ..., n, and by safe lane by f ₁(U _i), f ₂(U _i) be distributed to U in confidence _i;

SD is group certificate server AS generation 2* (t-1) individual secret shadow simultaneously, f ₁(U _k), f ₂(U _k), k=n+1, n+2 ..., n+t-1;

Then, SD goes up Stochastic choice two number to (a at GF (p) ₁, b ₁), (a ₂, b ₂), form two secret s ₁={ a ₁f ₁(0)+b ₁f ₂(1) } modp, s ₂={ a ₂f ₁(0)+b ₂f ₂(1) } modp, makes s ₁and s ₂all on Zq.

Finally, SD calculates s ₁and s ₂one-way Hash value H (s ₁), H (s ₂), and open (a ₁, b ₁), (a ₂, b ₂), one-way Hash function H (.), secret shadow distribution figure as shown in Figure 2, in Fig. 2: secret distributor SD is respectively for each group membership U _igenerate (s _1i, s _2i), i=1,2 ..., n.

Then first carry out unified certification by group certificate server AS, suppose the individual user { U of m (m>=1) _i| U _i∈ GF (p), i ∈ I _mparticipate in certification, the user U of each participation certification _icalculate 2 tokens:

$\begin{array}{c}{c}_{1i}=\left(a_1{f}_1\right(U_i){\&Pi;}_{j\&Element;I_m,j\&NotEqual;i}\frac{-U_j}{U_i-U_j}{\&Pi;}_{k=n+1}^{n+t-1}\frac{-U_k}{U_i-U_k}+b_1{f}_2\left(U_i\right){\&Pi;}_{j\&Element;I_m,j\&NotEqual;i}\frac{1-U_j}{U_i-U_j}{\&Pi;}_{k=n+1}^{n+t-1}\frac{1-U_k}{U_i-U_k}+\\ r_{1i}q)\mathrm{mod}p,\end{array}$

$c_{2i}=\left(a_2{f}_1\right(U_i){\&Pi;}_{k=n+1}^{n+t-1}\frac{-U_k}{U_i-U_k}+b_2{f}_2(U_i){\&Pi;}_{k=n+1}^{n+t-1}\frac{1-U_k}{U_i-U_k}+r_{2i}q)\mathrm{mod}p,$ I=1,2 ... m, wherein, r _1i, r _2iu _ithe random number that Zq selects, U _iabove-mentioned two tokens are sent to group certificate server AS by overt channel.

Organize the secret shadow computational token that certificate server AS utilizes oneself:

$\begin{array}{c}{c}_{as}=\\ {\&Sigma;}_{i=n+1}^{n+t-1}\&lsqb;a_1{f}_1\left(U_i\right){\&Pi;}_{k=n+1,k\&NotEqual;i}^{n+t-1}\frac{-U_k}{U_i-U_k}{\&Pi;}_{j\&Element;I_m}\frac{-U_j}{U_i-U_j}+b_1{f}_2\left(U_i\right){\&Pi;}_{k=n+1,k\&NotEqual;i}^{n+t-1}\frac{1-U_k}{U_i-U_k}{\&Pi;}_{j\&Element;I_m}\frac{1-U_j}{U_i-U_j}\&rsqb;+\\ rq\left(\mathrm{mod}p\right),\end{array}$

Wherein, r is the random number selected on Zq.

Group certificate server AS utilizes the token c of each user received _i(i ∈ I _m) and oneself token c _asrestore Secret $s_1^{\&prime;}=({\&Sigma;}_{i\&Element;I_m}{c}_{1i}+c_{as})\mathrm{mod}p\mathrm{mod}q.$

If H (s ' ₁)=H (s ₁), then all users pass through certification;

If H (s ' ₁) ≠ H (s ₁), then must there is disabled user (i.e. non-group membership) in group, and then carry out certification one by one, if there is disabled user, then AS can carry out certification one by one to each user under without the need to further interaction scenario, and concrete proof procedure is as follows:

AS is to user U _iwhen carrying out certification, the secret shadow of oneself is utilized to generate token c _i,

$\begin{array}{c}{c}_i\{{\&Sigma;}_{j=n+1}^{n+t-1}\&lsqb;a_2{f}_1\left(U_j\right){\&Pi;}_{k=n+1,k\&NotEqual;j}^{n+t-1}\frac{-U_k}{U_j-U_k}\frac{-U_i}{U_j-U_i}+b_2{f}_2\left(U_j\right){\&Pi;}_{k=n+1,k\&NotEqual;j}^{n+t-1}\frac{1-U_k}{U_j-U_k}\frac{1-U_i}{U_j-U_i}\&rsqb;+\\ r_{i}q\}\mathrm{mod}p\end{array}$

Wherein, r _ifor certain random number of AS uniform design on Zq.

Then, AS calculates s ' ₂=(c _2i+ c _i) modpmodq and H (s ' ₂);

If H (s ' ₂)=H (s ₂), then U _ifor group membership, otherwise U _ifor disabled user (non-group membership), the method can verify all disabled users within o (n) time.

The scheme of above-described embodiment is to realize based on Shamir ' s (t, n) threshold secret sharing, can realize accordingly, do not limit here in specific implementation based on any (t, n) threshold secret sharing scheme.

In sum, the group authentication method tool based on threshold secret sharing of the present invention has the following advantages:

1) by secret shadow randomization is constructed group authentication token, avoid each group membership and hold too much secret shadow problem, reduce the complexity of token structure, improve the flexibility of scheme;

2) program is after the disposable submission token of each user, both can unify to organize certification to user, and also can carry out certification one by one to each user separately;

3) program can within O (1) time all group memberships of fast verification whether legal, if there is illegal member, server can determine all illegal users fast within O (n) time;

4) each group membership only needs to hold two secret shadow, reduces the distribution of secret shadow and the cost of management;

5) program does not rely on any public key algorithm, and the group certificate scheme relatively based on PKI is more safe and reliable.

The above; be only the present invention's preferably embodiment, but protection scope of the present invention is not limited thereto, is anyly familiar with those skilled in the art in the technical scope that the present invention discloses; the change that can expect easily or replacement, all should be encompassed within protection scope of the present invention.Therefore, protection scope of the present invention should be as the criterion with the protection range of claims.

Claims (2)

1. based on a group authentication method for threshold secret sharing, it is characterized in that, described method comprises:

N group membership is designated as { U _i| i=1,2 ..., n};

Utilize (t, n) threshold secret sharing scheme to each group membership U by secret distributor SD _igenerate and distribute two secret shadow (s _1i, s _2i), i=1,2 ..., n;

Secret distributor SD generates for organizing certificate server AS and distributes the individual secret shadow (s of 2* (t-1) _1i, s _2i), i=n+1, n+2 ..., n+t-1, and secret distributor SD generates two secret s _a, s _b, wherein, s _a=f ({ s _1i| i ∈ I _h), s _b=f ({ s _2i| i ∈ I _h), f is secret reconstruction function, I _hfor 1,2 ..., the subset comprising h element of n}, wherein t<=h<=n;

Make s ₁and s ₂be respectively s _aand s _blinear combination, secret distributor SD discloses several to (a ₁, b ₁), (a ₂, b ₂), and s ₁, s ₂one-way Hash value H (s ₁), H (s ₂);

When carrying out certification, if group certificate server AS needs to carry out certification to m user, then each certified user U _iutilize the secret shadow s of oneself _1i,s _2igenerating 2 tokens is:

c _1i＝g(a ₁,b ₁,s _1i,s _2i,{U _i|i∈I _m},{U _k|k＝n+1,n+2,…,n+t-1},r _1i),

C _2i=g (a ₂, b ₂, s _1i, s _2i, U _i, { U _k| k=n+1, n+2 ..., n+t-1}, r _2i); Wherein, 1≤≤ m≤n, r _1i, r _2ifor random number, g is token generating function;

And the token of generation is submitted to group certificate server AS by overt channel;

By group certificate server AS, unified certification is carried out to a m to be certified user, to judge whether there is disabled user, if there is disabled user, then use certification one by one to find out all concrete disabled users.

2. according to claim 1 based on the group authentication method of threshold secret sharing, it is characterized in that, describedly by group certificate server AS, unified certification is carried out to a m to be certified user, to judge whether there is disabled user, if there is disabled user, then use certification one by one to find out concrete disabled user, specifically comprise:

When carrying out unified certification, group certificate server utilizes 2* (t-1) the individual secret shadow of oneself to generate corresponding token:

C _as=g (a ₁, b ₁, { U _i| i ∈ I _m, { (s _1k, s _2k, U _k| k=n+1, n+2 ..., n+t-1}, r _as), r _asfor random number;

Described group of certificate server utilizes formula s ₁'=f ' ({ c _1i| i ∈ I _m, c _as) calculate s ₁' and H (s ₁'), f ' is secret reconstruction function;

If H is (s ₁)=H (s ₁'), then all authentic m users are by certification, are group membership;

If H is (s ₁) ≠ H (s ₁'), then at least there is a user is non-group membership, carries out certification one by one again, specifically comprise by described group of certificate server to all m user:

For U _iregenerate 1 token c _i=g (U _i, a ₂, b ₂, { (s _1k, s _2k, U _k| k=n+1, n+2 ..., n+t-1}, r _i), g is token generating function, r _ifor random number;

Again by described group of authentication server computes s ₂'=f ' (c _2i, c _i) and H (s ₂'), wherein f ' is secret reconstruction function;

If H is (s ₂)=H (s ₂'), then this certified user U _ibe legal group membership, otherwise be non-group membership.