CN108337092B - Method and system for performing collective authentication in a communication network - Google Patents

Publication number
CN108337092B
Authority
CN
China
Prior art keywords
node
attestation
value
verification
network
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201711246426.5A
Other languages
Chinese (zh)
Other versions
CN108337092A (en)
Inventor
大卫·那克西
王贵林
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Huawei International Pte Ltd
Original Assignee
Huawei International Pte Ltd
Priority claimed from SG10201700379UA
Application filed by Huawei International Pte Ltd
Publication of CN108337092A
Application granted
Publication of CN108337092B

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3271 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using challenge-response
    • H04L9/3247 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
    • H04L9/3249 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures using RSA or related signature schemes, e.g. Rabin scheme
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0861 Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • H04L9/0869 Generation of secret information including derivation or calculation of cryptographic keys or passwords involving random numbers or seeds
    • H04L9/30 Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy
    • H04L9/3006 Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy underlying computational problems or public-key parameters
    • H04L9/3033 Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy underlying computational problems or public-key parameters details relating to pseudo-prime or prime number generation, e.g. primality test

Abstract

The present invention provides methods, systems and apparatus for performing collective authentication in a communication network having a verification node and a plurality of attestation nodes. The method comprises the following steps: calculating, by each attestation node, a first value based on a predetermined public modulus value and a random value selected by the attestation node; calculating, by the verification node, a first verification value based on the first values calculated by the plurality of attestation nodes; generating a random number for each attestation node; calculating, by each attestation node, a second value based on the generated random number, the selected random value, a private key of the attestation node, and the predetermined public modulus value; calculating, by the verification node, a second verification value based on the second values calculated by the plurality of attestation nodes; and determining whether authentication is successful based on whether the first verification value, the second verification value, and the generated random numbers satisfy a predetermined authentication condition.

Description

Method and system for performing collective authentication in a communication network
Technical Field
The present invention generally relates to a method and system for performing collective authentication in a communication network, which allows a verification node (verification apparatus) to collectively authenticate a plurality of attestation nodes (attestation apparatuses) in the communication network.
Background
The existing Fiat-Shamir approach allows a one-to-one interaction between a verification node and an attestation node to authenticate the attestation node in the communication network. However, in many cases, it is necessary to authenticate multiple attestation nodes in a communication network as a whole. A typical example is an electricity meter network, the overall integrity of which must be checked by a verification node. With the existing Fiat-Shamir protocol, this interaction would require as many one-to-one sessions as there are electricity meters.
A second disadvantage of the existing Fiat-Shamir protocol is that each proving node must send its information directly to the verifying node. It is well known that the energy required to transmit a message increases with the distance between the sender and the receiver. Internet of Things (IoT) nodes are simple, energy-constrained devices. Thus, transmitting directly to the verification node may be expensive in energy and may shorten the lifetime of the device. Therefore, there is a need for a solution for authenticating proving nodes in a communication network that reduces the energy consumption and shortens the processing time of the proving nodes.
Disclosure of Invention
Embodiments of the present invention provide a solution for collectively authenticating multiple attestation nodes in a communication network through a verification node. In this solution, each proving node only transmits information to its nearest neighbor, i.e. its parent/child node, for verification by the verifying node, thus significantly reducing the transmission energy to the verifying node. Interchangeably, collective authentication may be referred to as clustered authentication.
According to a first aspect of the present invention, there is provided a method for performing collective authentication in a communication network having a verification node and a plurality of attestation nodes connected to the verification node. The method comprises the following steps:
calculating, by each attestation node in the network, a first value for said each attestation node based on predetermined public system parameters and a random value selected by said each attestation node;
calculating, by the verification node, a first verification value based on a plurality of first values calculated by the plurality of attestation nodes in the network;
generating a random number for said each proving node in the network;
calculating, by the each attestation node in the network, a second value for the each attestation node based on the random number generated for the each attestation node, the random value selected by the each attestation node, the private key of the each attestation node, and the predetermined public system parameters;
calculating, by the verification node, a second verification value based on a plurality of second values calculated by the plurality of attestation nodes in the network; and
determining, by the verifying node, whether authentication of the plurality of proving nodes is successful based on whether the first verification value, the second verification value and the random numbers generated for the plurality of proving nodes in the network satisfy a predetermined authentication condition.
With reference to the first aspect, in a first possible implementation of the first aspect, the method further includes:
sending, by each attestation node in the network, a first unit value to a parent node of said each attestation node, wherein if one of the attestation nodes in the network is directly connected to at least one child node, the first unit value is calculated based on the first values calculated by both the attestation node and the at least one child node of the attestation node; and if one of the proving nodes in the network is a leaf node, the first unit value is determined based on the first value computed by the proving node;
wherein the step of calculating a first verification value based on the plurality of first values calculated by the attestation node further comprises:
calculating, by the verification node, the first verification value based on at least one first unit value, wherein each of the at least one first unit value is calculated accordingly by at least one attestation node directly connected to the verification node in the network.
With reference to the first aspect or the first possible implementation manner of the first aspect, in a second possible implementation manner of the first aspect, the method further includes:
sending, by said each attestation node in the network, a second unit value to a parent node of said each attestation node, wherein if one of the attestation nodes is directly connected to at least one child node, the second unit value is calculated based on the second values calculated by both the attestation node and the at least one child node of the attestation node; and if one of the proving nodes is a leaf node, the second unit value is determined based on the second value computed by the proving node;
wherein the step of calculating a second verification value based on a plurality of second values calculated by the proving node further comprises:
calculating, by the verification node, the second verification value based on at least one second unit value, wherein each of the at least one second unit value is calculated accordingly by at least one attestation node directly connected to the verification node in the network.
With reference to the first aspect or any one of the first and second possible implementations of the first aspect, in a third possible implementation of the first aspect, the step of generating a random number for each attestation node in the network further comprises:
generating, by the verifying node, a random number for the each proving node in the network; and
sending the generated random number for the each proving node to the each proving node directly or via a parent node of the each proving node in the network.
With reference to the first aspect or any one of the first and second possible implementations of the first aspect, in a fourth possible implementation of the first aspect, the step of generating a random number for each attestation node in the network further comprises:
generating, by the verification node, a root random value and sharing the generated root random value in the network;
generating, by the each attestation node, a random number for the each attestation node based on the root random value and a predetermined function.
With reference to the first aspect or any one of the first to fourth possible implementations of the first aspect, in a fifth possible implementation of the first aspect, the method further comprises:
computing, by each proving node, the verifying node or a trusted party, the public or private key of each proving node in the network.
With reference to the fifth possible implementation of the first aspect, in a sixth possible implementation of the first aspect, the public or private key of each proving node is calculated based on predetermined public system parameters and an identity of each proving node.
With reference to the sixth possible implementation of the first aspect, in a seventh possible implementation of the first aspect, the predetermined system parameter is a public modulus, the public modulus being a product of a plurality of prime numbers, wherein at least two of the prime numbers are different.
With reference to the sixth or seventh possible implementation of the first aspect, in an eighth possible implementation of the first aspect, the public or private key of each attestation node is calculated according to the following equation:
Figure BDA0001490806360000021
or
Figure BDA0001490806360000022
wherein $v_i = (v_{i,1}, \dots, v_{i,k})$ is the public key of said proving node $P_i$, $s_i = (s_{i,1}, \dots, s_{i,k})$ is the private key of said proving node $P_i$, $n$ is the predetermined public system parameter called public modulus, $u$ is the number of attestation nodes in the network, $k$ is a preset integer no less than 1, and $c$ is a preset integer no less than 2.
With reference to the eighth possible implementation of the first aspect, in a ninth possible implementation of the first aspect, the first value is calculated by each proving node in the network according to the following equation:
Figure BDA0001490806360000031
wherein $x_i$ is said first value calculated by said proving node $P_i$, $n$ is said predetermined public modulus value, $r_i$ is the random value selected by the proving node $P_i$, and $c$ is a preset integer not less than 2.
With reference to the ninth possible implementation of the first aspect, in a tenth possible implementation of the first aspect, the first verification value is calculated according to the following equation:
Figure BDA0001490806360000032
wherein $x$ is the first verification value, $x_i$ is the first value calculated by said proving node $P_i$, $n$ is the predetermined system parameter called public modulus, and $u$ is the number of attestation nodes in the network.
With reference to the tenth possible implementation of the first aspect, in an eleventh possible implementation of the first aspect, the second verification value is calculated according to the following equation:
Figure BDA0001490806360000033
wherein $y$ is the second verification value, $y_i$ is the second value calculated by said proving node $P_i$, $n$ is the predetermined public modulus value, and $u$ is the number of attestation nodes in the network, where the second value $y_i$ is calculated according to the following equation:
Figure BDA0001490806360000034
wherein $n$ is the predetermined public modulus value, $r_i$ is said random value selected by said proving node $P_i$, $s_i = (s_{i,1}, \dots, s_{i,k})$ is the private key of said proving node $P_i$, $k$ is a preset integer, $k \ge 1$, and $e_i = (e_{i,1}, \dots, e_{i,k})$ is the random number generated for said proving node $P_i$, wherein $e_{i,j}$ is the $j$-th bit of $e_i$.
With reference to the eleventh possible implementation of the first aspect, in a twelfth possible implementation of the first aspect, the step of determining whether the authentication of the plurality of attestation nodes is successful further comprises:
determining that the authentication of the plurality of attestation nodes is successful if the following equation is satisfied:
if it is not
Figure BDA0001490806360000035
Then
Figure BDA0001490806360000036
If it is not
Figure BDA0001490806360000037
Then
Figure BDA0001490806360000038
wherein $x$ is the first verification value, $y$ is the second verification value, $c$ is the predetermined integer, $c \ge 2$, $v_i = (v_{i,1}, \dots, v_{i,k})$ is said public key of said proving node $P_i$, and $e_i = (e_{i,1}, \dots, e_{i,k})$ is the random number generated for said proving node $P_i$.
With reference to any one of the fifth to twelfth possible implementations of the first aspect, in a thirteenth possible implementation of the first aspect, the private key of each proving node is derived from a random seed by evaluating a cryptographically strong pseudorandom function over at least the random seed and other relevant information.
With reference to any one of the fifth to twelfth possible implementations of the first aspect, in a fourteenth possible implementation of the first aspect, the private key of each proving node is derived by the proving node itself or by a trusted party that has been informed of a predetermined public modulus value.
With reference to any one of the fifth to twelfth possible implementations of the first aspect, in a fifteenth possible implementation of the first aspect, the private key of each attestation node is generated by randomly selecting a first group of words from a predetermined second group of words and calculating the products of the words in the first group based on a preset table consisting of all pairwise products of the second group of words.
With reference to the fifth possible implementation of the first aspect, in a sixteenth possible implementation of the first aspect, the public or private key of each attestation node is calculated according to the following equation:
Figure BDA0001490806360000041
wherein $v_i$ is said public key of said proving node $P_i$, $s_i$ is the private key of said proving node $P_i$, and $g$ is the generator of a cyclic group $G_q$, the cyclic group $G_q$ having a prime order $q$.
With reference to the sixteenth possible implementation of the first aspect, in a seventeenth possible implementation of the first aspect, the first value is calculated by each proving node according to the following equation:
Figure BDA0001490806360000042
wherein $x_i$ is the first value calculated by said proving node $P_i$, $g$ is the generator of the cyclic group $G_q$, and $r_i$ is the random value selected by said proving node $P_i$.
With reference to the seventeenth possible implementation of the first aspect, in an eighteenth possible implementation of the first aspect, the first verification value is calculated by the verification node according to the following equation:
Figure BDA0001490806360000043
wherein x is the first verification value and u is the number of attestation nodes in the network.
With reference to the eighteenth possible implementation of the first aspect, in a nineteenth possible implementation of the first aspect, the second verification value is calculated according to the following equation:
Figure BDA0001490806360000044
wherein $y$ is the second verification value, $y_i$ is the second value calculated by said proving node $P_i$, $u$ is the number of attestation nodes in the network, and $q$ is the order of the cyclic group $G_q$, wherein the second value $y_i$ is calculated according to the following equation:
$y_i = r_i + s_i e_i \bmod q$, or
$y_i = r_i - s_i e_i \bmod q$
wherein $r_i$ is said random value selected by said proving node $P_i$, $s_i$ is said private key of said proving node $P_i$, and $e_i$ is the random number generated for said proving node $P_i$.
With reference to the nineteenth possible implementation of the first aspect, in a twentieth possible implementation of the first aspect, the step of determining whether the authentication of the plurality of attestation nodes is successful further comprises:
the authentication of the plurality of attestation nodes in the network is successful if the first verification value, the second verification value, and the random numbers generated for the plurality of attestation nodes satisfy a predetermined authentication condition shown in the following equation:
if $y_i$ is computed by $y_i = r_i + s_i e_i \bmod q$, then
Figure BDA0001490806360000045
if $y_i$ is computed by $y_i = r_i - s_i e_i \bmod q$, then
Figure BDA0001490806360000046
wherein $x$ is the first verification value, $y$ is the second verification value, $v_i$ is said public key of said proving node $P_i$, and $e_i$ is the random number generated for said proving node $P_i$.
With reference to the twelfth or twentieth possible implementation of the first aspect, in a twenty-first possible implementation of the first aspect, the method further comprises: if authentication of the plurality of attestation nodes is determined to be unsuccessful,
classifying, by the verification node, the plurality of attestation nodes in the network into a plurality of subsets of attestation nodes, and authenticating whether each subset of attestation nodes satisfies the predetermined authentication condition; or
performing, by the verifying node, an existing Fiat-Shamir method to determine whether each of the proving nodes in the network satisfies the authentication condition.
With reference to the first aspect or any of the previous possible implementations of the first aspect, in a twenty-second possible implementation of the first aspect, the method further comprises, before the step of calculating the plurality of first values:
sending, by the verifying node, an authentication request message (AR-message) to the each proving node directly or via a parent node directly connected to the each proving node.
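The cyclic-group variant of the first aspect (sixteenth to twenty-first implementations), run over a tree of attestation nodes with parent/child aggregation, the root-random-value challenges and the subset fallback, as an added Python example that is not code from the patent. The equation figures did not survive on this page, so the forms $v_i = g^{s_i}$, $x_i = g^{r_i}$, product and sum aggregation, and the check $g^y = x \prod v_i^{e_i}$ are assumptions chosen to be consistent with $y_i = r_i + s_i e_i \bmod q$; the toy group, the SHA-256 challenge derivation and all names are constructed for illustration.

```python
import hashlib
import secrets

# Constructed toy group, far too small for real use: P = 2Q + 1, G has prime order Q.
P, Q, G = 2039, 1019, 4

def challenge(root, node_id):
    """e_i from the shared root random value (SHA-256 is an assumed choice of
    the 'predetermined function'); mapped to 1..Q-1 so it is never zero."""
    digest = hashlib.sha256(root + node_id.encode()).digest()
    return 1 + int.from_bytes(digest, "big") % (Q - 1)

class Prover:
    def __init__(self, node_id, children=()):
        self.node_id = node_id
        self.children = list(children)
        self.s = 1 + secrets.randbelow(Q - 1)    # private key s_i
        self.v = pow(G, self.s, P)               # public key v_i = g^{s_i} (assumed form)
        self.r = None

    def first_unit(self):
        """Own x_i = g^{r_i} times the first unit values received from children."""
        self.r = 1 + secrets.randbelow(Q - 1)
        unit = pow(G, self.r, P)
        for child in self.children:
            unit = unit * child.first_unit() % P
        return unit

    def second_unit(self, root):
        """Own y_i = r_i + s_i*e_i mod q plus the children's second unit values."""
        unit = (self.r + self.s * challenge(root, self.node_id)) % Q
        self.r = None                            # r_i must never answer two challenges
        for child in self.children:
            unit = (unit + child.second_unit(root)) % Q
        return unit

def subtree_ids(node):
    ids = [node.node_id]
    for child in node.children:
        ids.extend(subtree_ids(child))
    return ids

def collective_verify(top_nodes, registry):
    """Verifier side. registry maps node id -> registered public key v_i."""
    x = 1
    for node in top_nodes:                       # first verification value
        x = x * node.first_unit() % P
    root = secrets.token_bytes(16)               # released only after every x_i is in
    y = 0
    for node in top_nodes:                       # second verification value
        y = (y + node.second_unit(root)) % Q
    expected = x
    for node in top_nodes:
        for node_id in subtree_ids(node):
            e = challenge(root, node_id)
            expected = expected * pow(registry[node_id], e, P) % P
    return pow(G, y, P) == expected              # g^y == x * prod v_i^{e_i}

def failing_subtrees(top_nodes, registry):
    """Fallback after a failed run: re-authenticate each top-level subtree
    as its own subset and report the ones that do not verify."""
    return [n.node_id for n in top_nodes if not collective_verify([n], registry)]
```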
According to a second aspect of the present invention, there is provided a method for performing collective authentication in a communication network having a verification node and a plurality of attestation nodes connected to the verification node. The method comprises the following steps:
calculating, by the verification node, a first verification value based on a plurality of first values, wherein each of the first values is calculated individually by one of the plurality of attestation nodes in the network based on a predetermined public system parameter and a random value selected by the attestation node;
calculating, by the verification node, a second verification value based on a plurality of second values, wherein each of the second values is calculated individually by one of the plurality of attestation nodes in the network based on a random number generated for the attestation node, the random value selected by the attestation node, and the predetermined public system parameter; and
determining, by the verifying node, whether authentication of the plurality of proving nodes is successful based on whether the first verification value, the second verification value and the random numbers generated for the plurality of proving nodes in the network satisfy a predetermined authentication condition.
Referring to the second aspect, in a first possible implementation of the second aspect, the step of calculating the first verification value based on the plurality of first values further comprises:
calculating, by the verifying node, the first verification value based on at least one first unit value respectively received from at least one proving node directly connected to the verifying node, wherein each of the at least one first unit value is calculated based on a first value calculated by a proving node directly connected to the verifying node and at least one first value respectively calculated by at least one child node of the proving node directly connected to the verifying node.
With reference to the second aspect or the first possible implementation manner of the second aspect, in a second possible implementation manner of the second aspect, the step of calculating the second verification value based on the plurality of second values further includes:
calculating, by the verification node, the second verification value based on at least one second unit value respectively received from at least one attestation node directly connected to the verification node, wherein each of the at least one second unit value is calculated based on a second value separately calculated by an attestation node directly connected to the verification node and at least one second value respectively calculated by at least one child node of the attestation node directly connected to the verification node.
With reference to the second aspect or any one of the first and second possible embodiments of the second aspect, in a third possible embodiment of the second aspect, the method further comprises:
generating, by the verification node, a random number for each attestation node in the network and sending the generated random numbers to the each attestation node in the network.
With reference to the second aspect or any one of the first and second possible embodiments of the second aspect, in a fourth possible embodiment of the second aspect, the method further comprises:
generating, by the verification node, a root random value and sharing the generated root random value in the network;
wherein the random number for each attestation node in the network is generated by the each attestation node based on the root random value and a predetermined function.
According to a third aspect of the present invention, there is provided a method for performing collective authentication in a communication network having a verification node and a plurality of attestation nodes connected to the verification node. The method comprises the following steps:
calculating, by each proving node in the network, a first value based on predetermined public system parameters and a random value selected by the each proving node, and transmitting the calculated first value to a parent node directly connected to the each proving node; and
calculating, by the each attestation node in the network, a second value based on a random number generated for the each attestation node, the random value selected by the each attestation node, the private key of the each attestation node, and the predetermined public system parameters, and sending the calculated second value to a parent node directly connected to the each attestation node.
Referring to the third aspect, in a first possible implementation of the third aspect, the method further includes:
receiving, by said each proving node in said network, a root random value from said verifying node, and
generating, by said each attestation node, a random number for computing the second value for said each attestation node based on the received root random value and a predefined function.
According to a fourth aspect of the present invention, there is provided a system for performing collective authentication in a communication network. The system comprises:
a verification node and a plurality of attestation nodes,
wherein each of the attestation nodes is configured to: calculate a first value based on a predetermined public modulus value and a random value selected by said each of said attestation nodes; and calculate a second value based on the random number generated for said each of said attestation nodes, said random value selected by said each of said attestation nodes, said private key of said each of said attestation nodes, and said predetermined public modulus value; and
the verification node is configured to: calculate a first verification value based on a plurality of first values calculated by the plurality of attestation nodes in the network; calculate a second verification value based on a plurality of second values calculated by the plurality of attestation nodes in the network; and determine whether authentication of the plurality of attestation nodes in the network is successful based on whether the first verification value, the second verification value, and the random numbers generated for the plurality of attestation nodes satisfy a predetermined authentication condition.
With reference to the fourth aspect, in a first possible implementation of the fourth aspect, each of the attestation nodes is further configured to send a first unit value to a parent node of said each of the attestation nodes in the network, wherein if one of the attestation nodes in the network is directly connected to at least one child node in the network, the first unit value is calculated based on the first values calculated by both the attestation node and the at least one child node of the attestation node in the network; and if one of the proving nodes in the network is a leaf node, the first unit value is determined based on the first value computed by the proving node;
wherein the verifying node is further configured to calculate the first verification value based on at least one first unit value, wherein each of the at least one first unit value is calculated accordingly by at least one proving node directly connected to the verifying node in the network.
With reference to the fourth aspect or the first possible implementation of the fourth aspect, in a second possible implementation of the fourth aspect, each of the proving nodes in the network is further configured to send a second unit value to a parent node of said each proving node in the network, wherein if one of the proving nodes is directly connected to at least one child node in the network, the second unit value is calculated based on the second values calculated by both the proving node and the at least one child node of the proving node in the network; and if the proving node is a leaf node, the second unit value is determined based on the second value computed by the proving node;
wherein the verifying node is further configured to calculate the second verification value based on at least one second unit value, wherein each of the at least one second unit value is calculated accordingly by at least one proving node directly connected to the verifying node in the network.
With reference to the fourth aspect or any one of the first and second possible implementations of the fourth aspect, in a third possible implementation of the fourth aspect, the verification node is further configured to: generate the random number for said each proving node in the network, and send the generated random number for said each proving node to said each proving node directly or via a parent node of said each proving node in the network.
With reference to the fourth aspect or any one of the first to third possible implementations of the fourth aspect, in a fourth possible implementation of the fourth aspect, the verification node is further configured to generate a root random value and share the generated root random value in the network;
wherein each of the attestation nodes is further configured to generate a random number for itself based on the root random value and a predetermined function.
With reference to the fourth aspect or any one of the first to fourth possible implementations of the fourth aspect, in a fifth possible implementation of the fourth aspect, each proving node is further configured to calculate a public key or the private key of that proving node; or the verifying node or a trusted party is configured to compute the public key or the private key of each proving node in the network.
With reference to the fifth possible implementation of the fourth aspect, in a sixth possible implementation of the fourth aspect, the each of the attestation nodes or the trusted party is further configured to calculate the public or private key of the each of the attestation nodes based on the predetermined modulus value.
With reference to the sixth possible implementation of the fourth aspect, in a seventh possible implementation of the fourth aspect, the predetermined public modulus value is a product of a plurality of prime numbers, wherein at least two of the prime numbers are different.
With reference to the sixth or seventh possible implementation of the fourth aspect, in an eighth possible implementation of the fourth aspect, each of the attestation nodes or the trusted party is further configured to calculate the public or private key of each attestation node according to the following equation:
Figure BDA0001490806360000071
or
Figure BDA0001490806360000072
wherein $v_i = (v_{i,1}, \ldots, v_{i,k})$ is said public key of said proving node $P_i$, $s_i = (s_{i,1}, \ldots, s_{i,k})$ is the private key of said proving node $P_i$, $n$ is the predetermined public modulus value, $u$ is the number of the attestation nodes in the network, $k$ is a predetermined number not less than 1, and $c$ is a preset integer not less than 2.
With reference to the eighth possible implementation of the fourth aspect, in a ninth possible implementation of the fourth aspect, each of the proving nodes is further configured to calculate the first value according to the following equation:
Figure BDA0001490806360000073
wherein $x_i$ is the first value calculated by said proving node $P_i$, $n$ is the predetermined public modulus value, $r_i$ is the random value selected by said proving node $P_i$, and $c$ is a preset integer not less than 2.
With reference to the ninth possible implementation of the fourth aspect, in a tenth possible implementation of the fourth aspect, the verification node is further configured to calculate the first verification value according to the following equation:
Figure BDA0001490806360000074
wherein $x$ is the first verification value, $x_i$ is the first value calculated by said proving node $P_i$, $n$ is the predetermined public modulus value, and $u$ is the number of attestation nodes in the network.
With reference to the tenth possible implementation of the fourth aspect, in an eleventh possible implementation of the fourth aspect, each of the proving nodes in the network is further configured to calculate the second value according to the following equation:
Figure BDA0001490806360000075
wherein the verification node is further configured to calculate the second verification value according to the following equation:
Figure BDA0001490806360000076
wherein $y_i$ is the second value calculated by said proving node $P_i$, $r_i$ is said random value selected by said proving node $P_i$, $s_i = (s_{i,1}, \ldots, s_{i,k})$ is the private key of said proving node $P_i$, $k$ is a preset integer, $k \geq 1$, $e_i = (e_{i,1}, \ldots, e_{i,k})$ is the random number generated for said proving node $P_i$, wherein $e_{i,j}$ is the $j$-th component of $e_i$, $n$ is the predetermined public modulus value, $y$ is the second verification value, and $u$ is the number of attestation nodes in the network.
With reference to the eleventh possible implementation of the fourth aspect, in a twelfth possible implementation of the fourth aspect, the verifying node is further configured to determine whether the authentication of the plurality of attestation nodes in the network is successful based on whether the first verification value, the second verification value, and the random numbers generated for the plurality of attestation nodes satisfy the predetermined authentication conditions indicated in the following equations:
if
Figure BDA0001490806360000081
then
Figure BDA0001490806360000082
if
Figure BDA0001490806360000083
then
Figure BDA0001490806360000084
wherein $x$ is the first verification value, $y$ is the second verification value, $c$ is a preset integer, $c \geq 2$, and $v_i = (v_{i,1}, \ldots, v_{i,k})$ is the public key of said proving node $P_i$.
With reference to any one of the fifth to twelfth possible implementations of the fourth aspect, in a thirteenth possible implementation of the fourth aspect, the private key of each attestation node is derived from a random seed by evaluating a cryptographically strong pseudorandom function on the random seed and other relevant information.
With reference to any one of the fifth to twelfth possible implementations of the fourth aspect, in a fourteenth possible implementation of the fourth aspect, the private key of each proving node is derived by the proving node itself or by a trusted party that has been informed of a predetermined public modulus value.
With reference to any one of the fifth to twelfth possible implementations of the fourth aspect, in a fifteenth possible implementation of the fourth aspect, the private key of each attestation node is generated by randomly selecting a first group of words from a predetermined second group of words and calculating the products of the words in the first group based on a preset table consisting of all pairwise products of the second group of words.
With reference to the fifth possible implementation of the fourth aspect, in a fifteenth possible implementation of the fourth aspect, each of the attestation nodes or the trusted party is further configured to calculate the public or private key of each attestation node according to the following equation:
Figure BDA0001490806360000085
wherein $v_i$ is said public key of said proving node $P_i$, $s_i$ is the private key of said proving node $P_i$, and $g$ is the generator of a cyclic group $G_q$, the cyclic group $G_q$ having a prime order $q$.
With reference to the fifteenth possible implementation of the fourth aspect, in a sixteenth possible implementation of the fourth aspect, the first value is calculated by each proving node according to the following equation:
Figure BDA0001490806360000086
wherein $x_i$ is the first value calculated by the proving node $P_i$, $g$ is the generator of the cyclic group $G_q$, and $r_i$ is the random value selected by said proving node $P_i$.
With reference to the sixteenth possible implementation of the fourth aspect, in a seventeenth possible implementation of the fourth aspect, the verification node is further configured to calculate the first verification value according to the following equation:
Figure BDA0001490806360000087
wherein x is the first verification value and u is the number of attestation nodes in the network.
With reference to the seventeenth possible implementation of the fourth aspect, in an eighteenth possible implementation of the fourth aspect, each of the proving nodes is further configured to calculate the second value according to the following equation:
$y_i = r_i + s_i e_i \bmod q$, or
$y_i = r_i - s_i e_i \bmod q$
wherein the verification node is further configured to calculate the second verification value according to the following equation:
Figure BDA0001490806360000091
wherein $y_i$ is the second value calculated by said proving node $P_i$, $r_i$ is said random value selected by said proving node $P_i$, $s_i$ is said private key of said proving node $P_i$, $e_i$ is the random number generated for said proving node $P_i$, $y$ is the second verification value, $u$ is the number of the proving nodes in the network, and $q$ is the prime order of the cyclic group $G_q$.
With reference to the eighteenth possible implementation of the fourth aspect, in a nineteenth possible implementation of the fourth aspect, the verifying node is further configured to determine whether the authentication of the plurality of attestation nodes in the network is successful based on whether the first verification value, the second verification value, and the random numbers generated for the plurality of attestation nodes satisfy the predetermined authentication conditions indicated in the following equations:
if $y_i$ is computed by $y_i = r_i + s_i e_i \bmod q$, then
Figure BDA0001490806360000092
if $y_i$ is computed by $y_i = r_i - s_i e_i \bmod q$, then
Figure BDA0001490806360000093
wherein $x$ is the first verification value, $y$ is the second verification value, and $v_i$ is the public key of said proving node $P_i$.
With reference to the twelfth or eighteenth possible implementation of the fourth aspect, in a twentieth possible implementation of the fourth aspect, the verification node is further configured to:
if the authentication of the plurality of attestation nodes is unsuccessful, classify the plurality of attestation nodes in the network into a plurality of subsets of attestation nodes, and authenticate whether each subset of the attestation nodes satisfies a predetermined authentication condition; or
perform an existing Fiat-Shamir method to determine whether each of the proving nodes in the network satisfies a predetermined authentication condition.
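A toy run of the discrete-logarithm variant described above, followed by the subset re-authentication used after a failed collective check. This is an added example, not code from the patent: the equation images are not reproduced on this page, so the key relation $v_i = g^{s_i}$, the aggregation $x = \prod x_i$, $y = \sum y_i \bmod q$ and the check $g^y = x \prod v_i^{e_i}$ are the standard Schnorr relations and are assumed here; the group parameters and all names are constructed for illustration.

```python
import secrets

# Constructed toy group, far too small for real use: P = 2*Q + 1 with P and Q
# prime, and G = 4 generating the subgroup of prime order Q.
P, Q, G = 2039, 1019, 4


class Prover:
    """Proving node P_i with private key s_i and public key v_i."""

    def __init__(self, name, honest=True):
        self.name = name
        self.s = secrets.randbelow(Q - 1) + 1
        self.v = pow(G, self.s, P)  # assumed key relation: v_i = g^{s_i}
        if not honest:
            # Impostor: the registered v_i is public, the matching s_i is not known.
            self.s = (self.s + 1) % Q

    def first_value(self):
        self.r = secrets.randbelow(Q)  # fresh random value r_i for every run
        return pow(G, self.r, P)       # x_i = g^{r_i}

    def second_value(self, e, sign):
        y = (self.r + sign * self.s * e) % Q  # y_i = r_i +/- s_i e_i mod q
        self.r = None  # reusing r_i with a second challenge would reveal s_i
        return y


def collective_auth(provers, sign=+1):
    """One protocol run over a set of provers; True when the aggregate check holds."""
    x = 1
    for p in provers:
        x = x * p.first_value() % P  # first verification value (product of x_i)
    # One nonzero challenge per node, chosen only after every x_i is fixed.
    e = {p.name: secrets.randbelow(Q - 1) + 1 for p in provers}
    y = sum(p.second_value(e[p.name], sign) for p in provers) % Q
    keys = 1
    for p in provers:
        keys = keys * pow(p.v, e[p.name], P) % P
    if sign == +1:
        return pow(G, y, P) == x * keys % P  # g^y = x * prod v_i^{e_i}
    return pow(G, y, P) * keys % P == x      # g^y * prod v_i^{e_i} = x


def locate_failures(provers, sign=+1):
    """After a failed run, split into subsets and authenticate each subset.

    Every subset check is a complete new run with new r_i and new e_i.
    """
    if collective_auth(provers, sign):
        return []
    if len(provers) == 1:
        return [provers[0].name]
    mid = len(provers) // 2
    return (locate_failures(provers[:mid], sign)
            + locate_failures(provers[mid:], sign))


def make_network(bad=()):
    """Seven provers P1..P7; names listed in `bad` do not hold a valid key."""
    return [Prover(f"P{i}", honest=f"P{i}" not in bad) for i in range(1, 8)]


if __name__ == "__main__":
    print("all honest:", collective_auth(make_network()))
    print("failing nodes:", locate_failures(make_network(bad={"P5"})))
```

With one aggregate pair (x, y) the verifier learns only that some node failed; the halving search costs about log2(u) further rounds per failing node.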
With reference to the fourth aspect or any one of the first to twentieth possible embodiments of the fourth aspect, the verification node is further configured to send an authentication request message (AR-message) to each of the proving nodes in the network directly or via a parent node directly connected to said each proving node;
wherein each of the proving nodes is further configured to calculate the first value after receiving the authentication request message.
According to a fifth aspect of the present invention, there is provided an apparatus for performing collective authentication in a communication network comprising a plurality of proving nodes. The apparatus is configured for:
Calculating a first verification value based on a plurality of first values, wherein each of the first values is calculated individually by one of the plurality of attestation nodes in the network based on predetermined public system parameters and random values selected by the attestation node;
calculating a second verification value based on a plurality of second values, wherein each of the second values is calculated individually by one of the plurality of attestation nodes in the network based on a random number generated for the attestation node, the random value selected by the attestation node, the private key of the attestation node, and the predetermined public system parameters; and
determining whether authentication of the plurality of attestation nodes in the network is successful based on whether the first verification value, the second verification value, and the random numbers generated for each of the plurality of attestation nodes satisfy a predetermined authentication condition.
According to a sixth aspect of the present invention, there is provided an attestation node for performing collective authentication in a communication network comprising a verification node and a plurality of attestation nodes. The attestation node is configured for:
Calculating a first value based on predetermined public system parameters and a random value selected by the proving node, and sending the calculated first value to a parent node directly connected to the proving node in the network;
calculating a second value based on a random number generated for the proving node, the random value selected by the proving node, the private key of the proving node and the predetermined public system parameters, and sending the calculated second value to the parent node directly connected to the proving node in the network.
Drawings
The invention will be described in detail with reference to the accompanying drawings, in which:
FIG. 1 is a flow chart illustrating a method for performing collective authentication in a communication network having a verification node and a plurality of attestation nodes connected to the verification node according to a first embodiment of the invention;
FIG. 2 illustrates the steps of calculating a first value by each proving node and sending the first value to its parent node in the network according to one example of the first embodiment in FIG. 1;
FIG. 3 illustrates the steps of generating a random vector by a verifying node and sending the random vector to a proving node in the network according to one example of the first embodiment in FIG. 1;
FIG. 4 illustrates the steps of calculating by each proving node a second value and sending the second value to its parent node in the network, according to one example of the first embodiment in FIG. 1;
FIG. 5 is a flow diagram illustrating a process for failed authentication according to one embodiment of the invention;
FIG. 6 is a flow chart illustrating a method for performing collective authentication in a communication network having a verification node and a plurality of attestation nodes connected to the verification node according to a second embodiment of the invention.
Detailed Description
In the following description, numerous specific details are set forth in order to provide a thorough understanding of various illustrative embodiments of the invention. It will be understood by those skilled in the art, however, that embodiments of the invention may be practiced without some or all of these specific details. It is to be understood that the terminology used herein is for the purpose of describing particular embodiments only, and is not intended to limit the scope of the present invention. In the drawings, like reference numerals refer to the same or similar functionality or features throughout the several views.
An embodiment of the present invention provides a method for performing collective authentication in a communication network having a verification node and a plurality of attestation nodes connected to the verification node, the method comprising at least the steps of:
each attestation node in the network calculating a first value for each attestation node based on predetermined public system parameters and a random value selected by each attestation node;
the verification node calculating a first verification value based on a plurality of first values calculated by a plurality of attestation nodes in the network;
generating a random number for each attestation node in the network;
each proving node in the network calculating a second value for each proving node based on a random number generated for each proving node, a random value selected by each proving node, a private key of each proving node, and predetermined public system parameters;
the verifying node calculating a second verification value based on a plurality of second values calculated by a plurality of proving nodes in the network; and determining whether authentication of the plurality of attestation nodes is successful based on whether the first verification value, the second verification value, and random numbers generated for the plurality of attestation nodes in the network satisfy a predetermined authentication condition.
FIG. 1 is a flow chart illustrating a method for performing collective authentication in a communication network having a verification node and a plurality of attestation nodes connected to the verification node according to a first embodiment of the invention. In this embodiment, the communication network comprises $u + 1$ nodes/devices, which are the verification node/device V and the $u$ attestation nodes/devices $P_1, \ldots, P_u$. The $u + 1$ nodes/devices in the communication network form a spanning tree W. The verification node V is the root node in the spanning tree W, and each node/device in the spanning tree W is aware of its parent node/device and its child nodes/devices and, if an index exists, also of its index.
In the case of the Internet of Things (IoT)/Machine-to-Machine (M2M), the verification node/device V may be a server, gateway, router, or another suitable entity for authenticating multiple IoT/M2M attestation nodes/devices/entities $P_i$. In Wireless Sensor Networks (WSNs), the attestation nodes/devices $P_i$ may be a plurality of sensors and the verification node/device may be a base station.
In this embodiment of the present invention, the private key and the public key of each proving node $P_i$ are calculated based on predetermined public system parameters. In particular, the public key and the private key of each proving node $P_i$ satisfy equation (1) or (2), i.e., the public and private keys of each proving node $P_i$ can be calculated according to equation (1) or (2) below:
Figure BDA0001490806360000111
Figure BDA0001490806360000112
wherein $v_i = (v_{i,1}, \ldots, v_{i,k})$ is the public key of proving node $P_i$; $s_i = (s_{i,1}, \ldots, s_{i,k})$ is the private key of proving node $P_i$; $n$ is a predetermined public system parameter called a public modulus, which is a product of a plurality of prime numbers, where some of the prime numbers may be the same, or at least two of the prime numbers are different; $u$ is the number of attestation nodes in the network; $k$ is a preset integer not less than 1; and $c$ is a preset integer not less than 2.
Here, the predetermined public system parameter $n$ and the private key or the public key of each attestation node may be generated in the same manner as in the existing Fiat-Shamir scheme/method, and $n$ is shared by all nodes in the network. The authentication process will be described below with reference to FIGS. 2 to 4.
In block 101, optionally, the proving node is triggered to perform an authentication process with the verifying node V.
In this embodiment, if the network has multiple layers/levels of attestation nodes connected to verification node V, the authentication process may be triggered by an authentication request message (AR-message) from verification node V. The verification node V may first send an authentication request message (AR-message) to all first-level attestation nodes directly connected to the verification node to trigger the authentication process. Each of the first-level attestation nodes then sends AR-messages to its child nodes accordingly.
Referring to FIG. 2, in one example of an embodiment, the proving nodes directly connected to the verifying node V comprise a proving node $P_4$ and a proving node $P_7$. Proving node $P_4$ has three child nodes $P_1$, $P_2$ and $P_3$, and proving node $P_7$ has two child nodes $P_5$ and $P_6$. In this example, verification node V may first send an AR-message to $P_4$ and $P_7$, after which $P_4$ sends AR-messages to its child nodes $P_1$ to $P_2$, and $P_7$ sends AR-messages to its child nodes $P_5$ and $P_6$.
The AR-message may contain a commitment to $e$ for guaranteeing the zero-knowledge nature of the protocol even for untrusted verification nodes. The commitment hides the value of $e$, while at the same time preventing the verification node V from changing the value of $e$ when it needs to disclose it. Here $e$ is a challenge selected by the verification node V, which will be explained below.
In other embodiments of the present invention, the authentication process may be triggered according to a predetermined timing when the proving nodes automatically perform collective or cluster authentication with the verifying node V.
In block 102, each of the proving nodes in the network calculates a first value based on predetermined public system parameters and a random value selected by each proving node, and sends the calculated first value to its parent node.
In one example of this embodiment, each of the attestation nodes may calculate the first value according to equation (3) below:
Figure BDA0001490806360000113
wherein $x_i$ is the first value calculated by the proving node $P_i$, $n$ is a predetermined public modulus, $r_i$ is the random value selected by the proving node $P_i$, and $c$ is a preset integer not less than 2. Referring to FIG. 2, in this example, the first values correspondingly calculated by the proving nodes $P_1$, $P_2$ and $P_3$ are sent to their parent proving node $P_4$; the first values correspondingly calculated by the proving nodes $P_5$ and $P_6$ are sent to their parent proving node $P_7$.
In block 103, each of the parent attesting nodes in the network calculates a first unit value based on its own first value and the first values of its child nodes, and sends the calculated first unit value to its parent attesting node if it is present, or sends the calculated first unit value to verification node V. A parent attestation node includes any attestation node in a communication network having at least one child attestation node.
These recursive procedures are performed based on the number of layers/levels of the spanning tree W in the network. In the example shown in FIG. 2, the network has two layers of attestation nodes, so the recursive procedure is performed in two steps.
In the example shown in FIG. 2, the parent attesting nodes in the network are the attesting nodes $P_4$ and $P_7$. Proving node $P_4$ calculates a first unit value based on its own first value and the first values of its child nodes $P_1$ to $P_3$. In particular, the proving node $P_4$ calculates a first unit value by multiplying its own first value with all the first values from the proving nodes $P_1$ to $P_3$, and sends the calculated first unit value to verification node V. Similarly, the proving node $P_7$ calculates a first unit value based on its own first value and the first values of its child nodes $P_5$ and $P_6$. In particular, the proving node $P_7$ calculates a first unit value by multiplying its own first value with the first values from the proving nodes $P_5$ and $P_6$, and sends the calculated first unit value to verification node V.
In block 104, the verification node V calculates a first verification value based on at least one first unit value respectively calculated by at least one attestation node directly connected to the verification node V.
In the example shown in FIG. 2, the first verification value is calculated according to the following equation (4):
Figure BDA0001490806360000121
where $x$ is the first verification value, $x_i$ is the first value calculated by the proving node $P_i$, $n$ is a predetermined public modulus value, and $u$ is the number of attestation nodes in the network. In the example shown in FIG. 2, the network has 7 proving nodes, so $u = 7$.
Alternatively, each of the parent attestation nodes may send only its own first value and the first values of its child nodes to verification node V, which will then calculate the first verification value based on equation (4).
In block 105, a random number is generated for each attestation node in the communication network.
In embodiments of the invention, a random number may be generated by the verification node for each of the proving nodes in the network and sent to each of the proving nodes in the network. Alternatively, a random number for each attestation node may be generated by the attestation node based on a root random value generated and shared by the verification node.
As shown in FIG. 3, in one embodiment of the present invention, a random vector $e = (e_1, e_2, e_3, e_4, e_5, e_6, e_7)$ is generated by the verification node V, which sends the random vector as an authentication challenge (AC-message) to the proving nodes $P_4$ and $P_7$ directly connected to the verifying node. Next, the proving node $P_4$ sends the random vector $e$ to each of its child nodes $P_1$, $P_2$ and $P_3$; the proving node $P_7$ sends the random vector $e$ to each of its child devices $P_5$ and $P_6$.
It should be noted that the purpose of this step is to inform or provide each of the proving nodes in the network with the random numbers generated for it. This can be achieved in various ways. For example, the entire random vector $e$ may be shared with each of the attestation nodes in the network, and each of the attestation nodes in the network identifies the corresponding random number generated for itself from the received random vector. Alternatively, for each of the proving nodes in the network, only the relevant part of the random vector is shared, e.g. only the random numbers generated for itself and its child proving nodes may be sent to the proving node if the proving node is a parent proving node in the network, or only the corresponding random number generated for this proving node may be sent to the proving node if the proving node has no child nodes in the network, i.e. the proving node is a leaf node.
In block 106, each of the attestation nodes in the network computes a second value based on the random value selected by each attestation node, the private key of each attestation node, and the random number generated for each attestation node, and sends the computed second value to its parent node in the network.
In one embodiment of the invention, each of the proving nodes calculates the second value according to equation (5):
Figure BDA0001490806360000122
where $n$ is a predetermined public modulus, $r_i$ is the random value selected by the proving node $P_i$, $s_i = (s_{i,1}, \ldots, s_{i,k})$ is the private key of proving node $P_i$, $k$ is a preset integer, $k \geq 1$, and $e_i = (e_{i,1}, \ldots, e_{i,k})$ is the random number generated for proving node $P_i$.
In block 107, each of the parent attestation nodes in the network calculates a second unit value based on the second value of its own and the second values of its child devices and sends the calculated second unit value to its parent node if it exists or sends the calculated second unit value to the verification node V.
These recursive procedures are performed based on the number of layers/levels of the spanning tree W in the network. In the example shown in FIG. 2, the network has two layers of attestation nodes, so the recursive procedure is performed in two steps.
In block 108, the verifying node calculates a second verification value based on the at least one second unit value, wherein each of the at least one second unit value is calculated accordingly by at least one proving node directly connected to the verifying node in the network, i.e. by at least one child node of the verifying node in the network.
In one example of this embodiment, the verification node calculates the second verification value according to equation (6) below:
Figure BDA0001490806360000131
where $y$ is the second verification value, $y_i$ is the second value calculated by the proving node $P_i$, $n$ is a predetermined public modulus value, and $u$ is the number of attestation nodes in the network.
In block 109, the verification node V determines whether authentication of the plurality of attestation nodes is successful based on whether the first verification value, the second verification value, and the random number generated for each attestation node satisfy a predetermined authentication condition.
In particular, if the first verification value, the second verification value, and the random number generated for each attestation node satisfy a predetermined authentication condition, the verification node determines that the authentication of the plurality of attestation nodes was successful, i.e., all attestation nodes were successfully authenticated.
In one example of this embodiment, the verifying node determines whether authentication of the plurality of proving nodes is successful according to the following equation (7) or (8), i.e., predetermined authentication conditions:
if
Figure BDA0001490806360000132
then
Figure BDA0001490806360000133
if
Figure BDA0001490806360000134
then
Figure BDA0001490806360000135
wherein $x$ is the first verification value, $y$ is the second verification value, $c$ is a predetermined integer, $c \geq 2$, and $v_i = (v_{i,1}, \ldots, v_{i,k})$ is the public key of proving node $P_i$.
If verification node V determines that all of the attestation nodes are successfully authenticated, verification node V may output a set of authenticated Attestation Nodes (AN).
It should be noted that the above authentication process may be run or performed multiple times in order to enhance the privacy of and/or reduce the size of the private key of each attestation node.
The predefined security parameter λ is at least 20. To ensure this security level, it is proposed to impose the following constraints on the parameters:
the authentication protocol should be run or executed t times such that t ≥ λ/k, where k refers to the number of private keys per attestation node. When c is close to λ, this number is reasonably close to one;
to achieve a critical 20-bit security level for online authentication, tk ≥ λ ≥ 20 may be required, which means that an attacker can impersonate a node and pass authentication by guessing the correct challenge vector e with a success rate of approximately one in a million;
the predetermined public system parameter, i.e. the public modulus value n, should be at least 512 bits.
The skilled person will appreciate that the public key of each attestation node can be authenticated by another entity via any suitable means, e.g. issued by a trusted party (commonly referred to as a certification authority) as in a Public Key Infrastructure (PKI), pre-installed by the manufacturer, configured by the owner, or stored in a key directory available to all legitimate nodes and users. To achieve mutual authentication, the verification device V may also authenticate itself to the proving nodes by signing a newly generated message with its private key.
The total number of operations required to authenticate a network depends on the exact network topology, but is bounded as follows:
the number of modular squaring operations is $(2tu + 1)$;
the number of modular multiplication operations is less than $(2u + 2uk)t$.
On average, each attestation node performs only a constant number of operations. Finally, only $O(d)$ messages (i.e., a number linear in $d$) are sent, where $d$, determined by W, is of the order of $\log u$, so only a logarithmic number of messages are sent during authentication.
For many lightweight IoT devices, memory is a scarce resource, so in some cases it can be a challenge for each node $P_i$ to store up to $k|n|$ bits of the private key $s_i = (s_{i,1}, \ldots, s_{i,k})$. To reduce memory requirements, each $s_{i,j}$ may be selected as a short random number, e.g., 80 bits. Furthermore, a node $P_i$ can even select a random seed $b_i$ and then derive each of the private key values $s_{i,j}$ by evaluating a cryptographically strong pseudorandom function G on the random seed $b_i$ and other information such as the index $j$. For example, each $P_i$ can set $s_{i,j} = G(b_i, j)$. In practice, G may be a cryptographic hash function. After generating $s_{i,j}$ from the random seed $b_i$, each corresponding public key value $v_i$ is still calculated by equation (1).
It should be noted that a disadvantage of this variant is that, at each authentication, the proving node needs to evaluate the function G $k$ times to restore its private key vector from the random seed $b_i$.
In this embodiment of the invention, the $uk$-bit challenge $e = (e_1, \ldots, e_u)$ is sent to all individual nodes throughout the network. One way to shorten the length of $e$ without compromising privacy is as follows:
the verification node V selects a short value $e$, for example 80 bits, and sends it to the nodes.
Each proving node $P_i$ computes its own challenge $e_i$ by evaluating a cryptographically strong pseudorandom function H on an input containing $e$ and its index or identity. For example, $e_i = H(e, i)$ can be set. In practice, H may be a cryptographic hash function.
The verification device V also calculates the challenges $e_i$ in the same way, and checks the validity of $(x, y)$ according to equation (7) or (8) using these challenge values.
This variant does not affect privacy under the assumption of an ideal pseudorandom function H, and can be used in conjunction with other improvements described below.
Similar to the existing Fiat-Shamir scheme, by assuming that there is a trusted party T that knows the prime factors of the public modulus n and is responsible for deriving the private keys s_{i,j} of each proving node, the authentication process disclosed in embodiments of the present invention may be converted into an identity-based scheme.
In detail, T may first derive the public key of each proving node P_i by applying a cryptographically strong pseudorandom function F to the identification information ID_i of P_i, the index j and possibly other information. For example, by setting the public key v_{i,j} = F(ID_i, j), T can derive the private key s_{i,j} from v_{i,j} according to equation (1) or equation (2) by using its secret knowledge of the prime factors of the modulus n. It should be noted that in this variant it may be necessary to discard some of the v_{i,j} derived using the function F, but this will not prevent the verifying device from recovering the public key of node P_i.
To further reduce the computational cost of the authentication process, in one embodiment of the invention, the following operations are performed:
- Each proving node P_i selects m words w_1, …, w_m (the alphabet), where each word is a 32-bit value, and computes once and for all the look-up table of all pairwise products p_{i,j} = w_i w_j. Note that each entry p_{i,j} is 64 bits long.
- The values s_{i,j} are generated by randomly sampling m' times from the alphabet. That is, each s_{i,j} is created by concatenating only m' words (bit patterns) taken from the alphabet.
- Thus, the values s_{i,j}, each being a 32m'-bit integer, can take m^m' possible values.
To calculate the response y_i, each proving node P_i has to calculate a number of products s_{i,j} s_{i,l}, and each such product can be assembled by looking up entries in the table of all values p_{i,j}. This is a significant speed increase over the original practice.
For example, if m = m' = 32, then each s_i is a 1024-bit number selected from 32^32 = 2^160 possible values.
The size of the look-up table is moderate: due to the symmetry of the look-up table, only 32 × (32 + 1)/2 = 528 values need to be stored. Since each entry is 64 bits, the look-up table occupies only 4224 bytes.
Furthermore, this size can be further reduced if these m words are selected according to some specific rule, such as the first minimum m words.
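The word-alphabet variant above, worked through for m = m' = 32 as an added example (not code from the patent). The index-list representation of a key value, the function names and the seeded sample alphabet are assumptions made for illustration; the reduction mod n that the protocol applies afterwards is left out.

```python
import math
import random

WORD_BITS = 32


def build_table(alphabet):
    """Pairwise products p_{a,b} = w_a * w_b, stored once per unordered pair."""
    m = len(alphabet)
    return {(a, b): alphabet[a] * alphabet[b] for a in range(m) for b in range(a, m)}


def table_bytes(table):
    """Storage for the table: every entry is a 64-bit product."""
    return len(table) * 2 * WORD_BITS // 8


def sample_key(rng, m, m_prime):
    """A key value is m' alphabet indices, least significant word first."""
    return [rng.randrange(m) for _ in range(m_prime)]


def key_to_int(alphabet, key):
    """Concatenate the selected words into one 32*m'-bit integer."""
    return sum(alphabet[a] << (WORD_BITS * pos) for pos, a in enumerate(key))


def product_via_table(table, key_a, key_b):
    """Schoolbook product of two key values using only look-ups, shifts and adds."""
    total = 0
    for pos_a, a in enumerate(key_a):
        for pos_b, b in enumerate(key_b):
            entry = table[(a, b) if a <= b else (b, a)]   # symmetry: p_{a,b} = p_{b,a}
            total += entry << (WORD_BITS * (pos_a + pos_b))
    return total


def key_space_bits(m, m_prime):
    """log2 of the number of possible key values, m^m'."""
    return m_prime * math.log2(m)


# Constructed sample data. The fixed seed only makes the example reproducible;
# a real node would draw its words and indices from a CSPRNG such as `secrets`.
rng = random.Random(2017)
ALPHABET = [rng.getrandbits(WORD_BITS) for _ in range(32)]
TABLE = build_table(ALPHABET)
KEY_A = sample_key(rng, 32, 32)
KEY_B = sample_key(rng, 32, 32)
```

The point to carry away is the one the text states: a key value built this way is 1024 bits long but is drawn from only 2^160 candidates, so its strength is bounded by the 160 bits of index choices, not by its length.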
The idea is that the computational cost can be reduced if some products are precomputed and stored, so that they only need to be combined online during the authentication process: for any 1 ≤ a, b ≤ k, the value s_{i,a,b} defined by s_{i,a,b} = s_{i,a} s_{i,b} mod n is stored in a look-up table. When s_{i,a,b} is used to evaluate the value of y_i, the following three situations can arise:
1. s_{i,a} and s_{i,b} both appear in y_i; this occurs with probability 1/4, in which case an additional multiplication must be performed;
2. neither s_{i,a} nor s_{i,b} appears in y_i; this occurs with probability 1/4, in which case no action is performed;
3. either s_{i,a} or s_{i,b}, but not both, appears in y_i; this occurs with probability 1/2, in which case a single multiplication is required.
Thus, the expected number of multiplication operations is reduced by 25%, that is, to (3/4)·2^(k-1), where k is the size of e.
The approach scales to windows of size γ > 1. For example, in the case where γ ≤ 3, for each 0 ≤ l < k/3, the following values are calculated in advance:
s_{i,3l+1,3l+2} = s_{i,3l+1} s_{i,3l+2} mod n,
s_{i,3l+2,3l+3} = s_{i,3l+2} s_{i,3l+3} mod n,
s_{i,3l+1,3l+3} = s_{i,3l+1} s_{i,3l+3} mod n,
s_{i,3l+1,3l+2,3l+3} = s_{i,3l+1} s_{i,3l+2} s_{i,3l+3} mod n.
Following the same analysis as above, the expected number of multiplications during the challenge-response phase is (7/24)·2^k. The cost is that larger values of γ require more precomputation and memory. More precisely, by writing μ = 2^k mod γ and using the symbol
Figure BDA0001490806360000154
to refer to the integer part of the number q, the following trade-offs result, where L is the number of components of s_i:
- the expected number of multiplication operations is
Figure BDA0001490806360000151
- the number of left-hand multiplications is
Figure BDA0001490806360000152
- the number of values stored in the look-up table is
Figure BDA0001490806360000153
The authentication process can be adapted to better fit the operational constraints: for example, in the context of IoT, exporting communications from a node is an extremely expensive operation. Another object of the described variations of the invention is to reduce the amount of information sent, reduce the size of the memory and/or reduce the amount of computation performed by individual nodes while maintaining privacy.
To simplify the exception process, the indices of the proving node and the verifying node may be explicitly or implicitly employed with message transmissions between nodes in the network.
If the first verification value, the second verification value, and the random number generated for each attestation node do not satisfy the predetermined authentication conditions, then the authentication process fails, and the verification node V may perform a process of failing authentication as described below.
The above authentication process may fail due to different reasons that may be induced at any step, either accidentally or intentionally. Due to the distributed nature of the algorithm already described above, a single defective node is sufficient to fail authentication. According to one embodiment of the invention, the verifying node may perform several optional processes for failed authentication, including aborting/terminating the authentication procedure, running/performing the authentication process again with all of the proving nodes, identifying a subset of the proving nodes that failed the authentication, or performing an existing Fiat-Shamir authentication process with each proving node in the network individually. This process of failed authentication is illustrated in fig. 5 and described below.
In block 501, the verification node V determines whether the first verification value x, the second verification value y, and the random number for each attestation node satisfy the predetermined authentication conditions indicated in equation (7) or (8), and if so, the flow order proceeds to block 502; if not, the flow order proceeds to block 503.
In block 502, the verification node V adds all the proving nodes P_1, …, P_u to the set of authenticated nodes (AN), which was previously initialized to be empty. This means that all the proving nodes in the network are successfully authenticated and the authentication process is completed normally. Otherwise, at least one node fails authentication. V may choose a different method for the process of failed authentication.
In block 503, the verification node V determines whether to abort/terminate the authentication process. If so, flow proceeds to block 504; if not, the flow sequence proceeds to block 505.
In block 504, all the proving nodes are unauthenticated and the AN is unchanged.
In block 505, the verification node V determines whether to perform the authentication process again. If so, the flow sequence proceeds to block 501 to determine whether the first verification value x, the second verification value y, and the random number for each attestation node satisfy the predetermined authentication conditions indicated in equation (7) or (8); if not, the flow sequence proceeds to block 506.
In block 506, if the verification node V elects to classify the attestation nodes in the network into a plurality of subsets and to perform the authentication process independently for each subset of the attestation nodes, then the flow order proceeds to block 507; otherwise, the flow order proceeds to block 511.
In blocks 507 through 510, the verification node V determines whether the first verification value x and the second verification value y calculated for the current subset of attestation nodes satisfy the predetermined authentication condition indicated in equation (7) or (8). If so, the verifying node V adds the current subset of proving nodes to the set AN; if not, the set AN is unchanged. If the current subset of the proving node is the last subset, the set AN is output, and if the current subset of the proving node is not the last subset, the flow order proceeds to block 507.
If, in block 511, verification node V elects to independently authenticate the proving node in the network using the existing Fiat-Shamir method, the flow sequence proceeds to block 512.
In blocks 512 through 515, if verification node V determines that the current proving node is authenticated, verification node V adds the current proving node to set AN; if not, the set AN is unchanged. If the current proving node is the last proving node, the verifying node V outputs a set AN; if the current proving node is not the last proving node, the flow order proceeds to block 512 to authenticate the next proving node.
It should be noted that the embodiment shown in fig. 5 is merely illustrative of various optional processes for failed authentication. It is not intended to limit the scope of the present invention. In particular, in other embodiments of the present invention, the order of the steps in blocks 503, 505, 506, and 511 may be reversed, as these steps are independent.
In this embodiment, given the output set AN, all the proving nodes not in AN are classified as unsuccessfully authenticated nodes.
To authenticate each subset of attestation nodes, verification node V is assumed to know, or to be informed by each first level parent node (i.e., each node directly connected to verification node V), of the indices of all attestation nodes in this subset. Further, if desired, for a subset of the attestation nodes that have failed in the authentication process, each first level parent attestation node may similarly find which of its child attestation nodes is responsible for the failure, but here it is assumed that the first level parent attestation node knows the public keys of its child attestation nodes. Child attestation nodes of the first level parent attestation node may be departure nodes, i.e., attestation nodes that do not have child nodes in the network, or they may be parent nodes that have at least one child node in the network. Even further, this process may proceed step by step through the lower-level parent attestation nodes to accurately identify, one by one, all individual attestation nodes that fail authentication.
Using the existing Fiat-Shamir scheme as a backup authentication imposes no real additional burden. This is due to the fact that all of the proving nodes already have the hardware and software required for Fiat-Shamir computation and can use the same public system parameters, such as the public modulus.
The basic idea of the above collective/clustered authentication procedure can be extended to some other identification schemes consisting of commitment, challenge and response. The following shows how the present invention is applicable to the Schnorr identification scheme (C. P. Schnorr, "Efficient identification and signatures for smart cards", edited by G. Brassard, Advances in Cryptology 1989, European cryptology era, page 239-).
Similar to the cluster authentication based on the Fiat-Shamir algorithm, the invention discussed above can be extended directly to a distributed Schnorr identification scheme, where the verification node V can collectively authenticate u nodes P_1, …, P_u within the network in an efficient manner.
Fig. 6 is a flow diagram illustrating a method for performing collective authentication in a communication network including a verification node and a plurality of attestation nodes in accordance with another embodiment of the invention. In this embodiment, the public or private key for each attestation node is calculated according to equation (9) below:
Figure BDA0001490806360000171
wherein v isiIs a proving node PiOf public key, siIs a proving node PiG is a cyclic group GqThe generator of (2), the cyclic group GqHaving a prime order q. Circulation group GqHas a binary length of at least 80 bits.
Steps similar to the embodiment shown in fig. 1 will not be described in detail here.
In block 601, a collective cluster authentication process between verification node V and attestation node is triggered.
In block 602, each of the proving nodes calculates a first value according to equation (10) below and sends the calculated first value to its parent node in the network.
Figure BDA0001490806360000172
Wherein x isiIs proved by the proving node PiThe first value calculated, G being the cycle group GqIs generated from the generator riIs proved by the proving node PiA selected random value.
In block 603, each of the parent attestation nodes in the network calculates a first unit value based on its own first value and the first values of its child nodes, and sends the calculated first unit value to its parent attestation node if it exists, or sends the calculated first unit value to verification node V.
In block 604, verification node V calculates the product of all first unit values received from its child nodes in the communication network to obtain a first verification value, as shown in equation (11):
Figure BDA0001490806360000173
where x is the first verification value and u is the number of certifying nodes in the network.
In block 605, a random number is generated for each proving node in the network.
In block 606, each of the proving nodes in the network calculates a second value according to equation (12) or (13), and sends the calculated second value to its parent node in the network.
y_i = r_i + s_i e_i mod q, or (12)
y_i = r_i - s_i e_i mod q. (13)
where r_i is the random value selected by proving node P_i, s_i is the private key of proving node P_i, and e_i is the random number generated for proving node P_i.
In block 607, each of the parent attestation nodes in the network calculates a second unit value based on the second value of itself and the second values of its child devices and sends the calculated second unit value to its parent device if it exists or sends the calculated second unit value to the verification node V.
In block 608, the verification node calculates a second verification value according to equation (14) below:
Figure BDA0001490806360000174
where y is the second verification value, y_i is the second value calculated by proving node P_i, u is the number of proving nodes in the network, and q is the prime order of the cyclic group G_q.
In block 609, the verification node V determines whether authentication of the plurality of attestation nodes is successful based on whether the first verification value, the second verification value, and the random number generated for each attestation node satisfy a predetermined authentication condition.
The predetermined authentication condition is shown in the following equation (15) or (16):
If y_i is generated according to equation (12), then
Figure BDA0001490806360000175
If y_i is generated according to equation (13), then
Figure BDA0001490806360000176
where x is the first verification value, y is the second verification value, v_i is the public key of proving node P_i, and e_i is the random number generated for proving node P_i.
The procedure for failed authentication described above and illustrated in fig. 5 is also applicable to the second embodiment and will not be described in detail here.
Note that the underlying cyclic group G_q of prime order q can be selected as a subgroup of Z_p, the integers modulo p, where p is a large prime number having at least 512 bits and q is a divisor of (p-1).
It should be noted that the underlying cyclic group G_q of prime order q may be written in additive rather than multiplicative notation. In particular, G_q may optionally be a cyclic group of points defined on an elliptic curve.
Note that to ensure privacy, the underlying cyclic group G_q has a binary length of at least 80.
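The Schnorr embodiment, the short-challenge variant e_i = H(e, i) and the subset fallback of fig. 5, run end to end as an added example (not code from the patent). Equations (9) to (11) and (14) to (16) survive on this page only as image placeholders, so the forms v_i = g^s_i, x_i = g^r_i, x = Π x_i, y = Σ y_i mod q and the check g^y = x · Π v_i^e_i are assumed from the standard Schnorr scheme; the toy group, the topology and all names are constructed.

```python
import hashlib
import secrets

# Toy Schnorr group, constructed for this example: p = 2q + 1, g has order q.
# Real deployments need the sizes the page states (p of at least 512 bits).
P, Q, G = 2039, 1019, 4

# Constructed topology, child -> parent; "V" is the verification node.
PARENT = {1: "V", 2: "V", 3: 1, 4: 1, 5: 2, 6: 5}


def challenge(e, i):
    """Per-node challenge e_i = H(e, i), mapped into [1, q-1] (H = SHA-256 here)."""
    digest = hashlib.sha256(e + i.to_bytes(4, "big")).digest()
    return 1 + int.from_bytes(digest, "big") % (Q - 1)


class Prover:
    def __init__(self, index):
        self.index = index
        self.s = 1 + secrets.randbelow(Q - 1)   # private key s_i
        self.v = pow(G, self.s, P)              # public key v_i = g^s_i (assumed form)

    def commit(self):
        self.r = 1 + secrets.randbelow(Q - 1)   # fresh r_i for every run, never reused
        return pow(G, self.r, P)                # x_i = g^r_i (assumed form)

    def respond(self, e):
        return (self.r + self.s * challenge(e, self.index)) % Q   # equation (12)


def subtree(node):
    """The node itself plus every descendant in the topology."""
    nodes = [node]
    for child, parent in PARENT.items():
        if parent == node:
            nodes += subtree(child)
    return nodes


def unit_value(node, values, combine):
    """What a node forwards to its parent: its own value merged with its children's."""
    acc = values[node]
    for child, parent in PARENT.items():
        if parent == node:
            acc = combine(acc, unit_value(child, values, combine))
    return acc


def authenticate(provers, tops):
    """One collective run over the subtrees rooted at `tops`; V sees only unit values."""
    members = [i for top in tops for i in subtree(top)]
    x_i = {i: provers[i].commit() for i in members}
    x = 1
    for top in tops:
        x = x * unit_value(top, x_i, lambda a, b: a * b % P) % P
    e = secrets.token_bytes(10)                 # short 80-bit root challenge
    y_i = {i: provers[i].respond(e) for i in members}
    y = sum(unit_value(top, y_i, lambda a, b: (a + b) % Q) for top in tops) % Q
    expected = x
    for i in members:                           # V uses the public keys it has on record
        expected = expected * pow(provers[i].v, challenge(e, i), P) % P
    return pow(G, y, P) == expected             # assumed form of the check for (12)


def collective_auth(provers):
    """Return the set AN of authenticated nodes, following blocks 501-510 of fig. 5."""
    tops = [i for i, parent in PARENT.items() if parent == "V"]
    if authenticate(provers, tops):             # blocks 501-502
        return set(provers)
    authenticated = set()
    for top in tops:                            # blocks 507-510, one subset per top node
        if authenticate(provers, [top]):
            authenticated |= set(subtree(top))
    return authenticated


def demo():
    provers = {i: Prover(i) for i in PARENT}
    all_ok = collective_auth(provers)
    # Node 4 no longer holds the key matching its registered public key.
    provers[4].s = (provers[4].s + 1) % Q
    after_fault = collective_auth(provers)
    return all_ok, after_fault
```

With one mismatched key, the whole-network run fails and the subset pass clears only the branch under node 2; nodes 1 and 3 stay outside AN even though they are sound, which is why the text goes on to per-node identification below the first level.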
It should be noted that the public key v_i of each node can be made available to another entity via, for example, a public key infrastructure (PKI), pre-installation by the manufacturer, configuration by the owner, or storage in a key directory accessible to all legitimate nodes and users.
It should be noted that v_i may even be defined as an identity-based public key derived from the identity (and other parameters) of node P_i, by assuming that a system administrator (often referred to as a private key generator) signs the identity of each node to generate a signature that is treated as the private key of the node. Specifically, this signature may be generated by using the Schnorr signature scheme or other signature schemes based on Diffie-Hellman keys, as studied by Mihir Bellare et al. ("Security Proofs for Identity-Based Identification and Signature Schemes", Eurocrypt 2004, page 268-).
It should be noted that, to enable mutual authentication, the verification device V may also authenticate itself to the proving nodes P_1, …, P_u by using its private key to sign a newly generated message.
According to the embodiments of the present invention described above, the authentication process disclosed in the present invention can be used to perform cluster authentication on multiple attestation nodes simultaneously in a communication network. Furthermore, each proving node in the communication network only transmits information to its nearest neighbor node, i.e. its parent/child node, for verification by the verifying node, thus significantly reducing the transmission energy to the verifying node.
It is to be understood that the embodiments and features described above are to be considered as illustrative and not restrictive. For example, the above embodiments may be used in combination with each other. Numerous other embodiments will be apparent to those skilled in the art upon consideration of the specification and practice of the embodiments. The scope of the invention should, therefore, be determined with reference to the appended claims, along with the full scope of equivalents to which such claims are entitled. Furthermore, certain terminology is used for the purpose of descriptive clarity and is not intended to limit the disclosed embodiments of the invention.

Claims (14)

1. A method for performing collective authentication in a communication network having a verification node and a plurality of attestation nodes connected to the verification node, the method comprising:
calculating, by each attestation node in the network, a first value for said each attestation node based on predetermined public system parameters and a random value selected by said each attestation node;
calculating, by the verification node, a first verification value based on a plurality of first values calculated by the plurality of attestation nodes in the network;
generating a random number for said each proving node in the network;
calculating, by the each attestation node in the network, a second value for the each attestation node based on the random number generated for the each attestation node, the random value selected by the each attestation node, a private key of the each attestation node, and the predetermined public system parameters;
calculating, by the verification node, a second verification value based on a plurality of second values calculated by the plurality of attestation nodes in the network; and
determining, by the verifying node, whether authentication of the plurality of proving nodes is successful based on whether the first verification value, the second verification value and the random numbers generated for the plurality of proving nodes in the network satisfy a predetermined authentication condition.
2. The method of claim 1, further comprising:
sending, by each attestation node in the network, a first unit value to a parent node of the each attestation node, wherein if one of the attestation nodes in the network is directly connected to at least one child node, the first unit value is calculated based on the first values calculated by both the attestation node and the at least one child node of the attestation node; determining the first unit value based on the first value computed by the proving node if one of the proving nodes in the network is a leaving node;
wherein said step of calculating a first verification value based on said plurality of first values calculated by said attestation node further comprises:
calculating, by the authentication node, the first authentication value based on at least one first unit value, wherein each of the at least one first unit value is calculated accordingly by at least one attestation node directly connected to the authentication node in the network.
3. The method of claim 2, further comprising:
sending, by the each attestation node in the network, a second unit value to a parent node of the each attestation node, wherein if one of the attestation nodes is directly connected to at least one child node, the second unit value is calculated based on the second values calculated by both the attestation node and the at least one child node of the attestation node; and if one of the proving nodes is a leaving node, determining the second unit value based on the second value computed by the proving node;
wherein the step of calculating a second verification value based on a plurality of second values calculated by the attestation node further comprises:
calculating, by the authentication node, the second authentication value based on at least one second unit value, wherein each of the at least one second unit value is calculated accordingly by at least one attestation node directly connected to the authentication node in the network.
4. A method according to any one of claims 1 to 3, wherein the step of generating a random number for said each proving node in the network comprises:
generating, by the verifying node, a random number for the each proving node in the network; and
sending the generated random number for the each proving node to the each proving node directly or via a parent node of the each proving node in the network.
5. A method according to any one of claims 1 to 3, wherein the step of generating a random number for said each proving node in the network comprises:
generating, by the verification node, a root random value and sharing the generated root random value in the network;
generating, by the each attestation node, a random number for the each attestation node based on the root random value and a predetermined function.
6. A method for performing collective authentication in a communication network having a verification node and a plurality of attestation nodes connected to the verification node, the method comprising:
calculating, by each attestation node in the network, a first value for said each attestation node based on predetermined public system parameters and a random value selected by said each attestation node, and sending said calculated first value to a parent attestation node directly connected to said each attestation node;
calculating, by each of the parent attestation nodes in the network, a first unit value based on the first value of itself and the first values of child attestation nodes directly connected to the parent attestation node, and sending the calculated first unit value to the verification node;
calculating, by the verification node, a first verification value based on the first unit value calculated by the parent attestation node directly connected to the verification node;
calculating, by the each attestation node in the network, a second value based on a random number generated for the each attestation node, the random value selected by the each attestation node, a private key of the each attestation node, and the predetermined public system parameters, and sending the calculated second value to a parent attestation node directly connected to the each attestation node;
calculating, by each of the parent attestation nodes in the network, a second unit value based on the second value of itself and the second values of child attestation nodes directly connected to the parent attestation node, and sending the calculated second unit value to the verification node;
calculating, by the verification node, a second verification value based on the second unit value calculated by the parent attestation node directly connected to the verification node;
determining, by the verifying node, whether authentication of the plurality of proving nodes is successful based on whether the first verification value, the second verification value and the random numbers generated for the plurality of proving nodes in the network satisfy a predetermined authentication condition.
7. The method of claim 6, further comprising:
receiving, by said each proving node in said network, a root random value from said verifying node, and
generating, by the each attestation node, a nonce to compute the second value for the each attestation node based on the received root nonce and a predetermined function.
8. A system for performing collective authentication in a communication network, comprising:
a verification node and a plurality of attestation nodes,
wherein each of the attestation nodes is to: calculating a first value based on a predetermined public modulus value and a random value selected by said each of said attestation nodes; and calculating a second value based on the random number generated for said each of said attestation nodes, said random value selected by said each of said attestation nodes, the private key of said each of said attestation nodes, and said predetermined public modulus value;
the verification node is configured to: calculating a first verification value based on a plurality of first values calculated by the plurality of attestation nodes in the network; calculating a second verification value based on a plurality of second values calculated by the plurality of attestation nodes in the network; and determining whether authentication of the plurality of attestation nodes in the network is successful based on whether the first verification value, the second verification value, and the random numbers generated for the plurality of attestation nodes satisfy a predetermined authentication condition.
9. The system of claim 8, wherein each of the attestation nodes is further configured to send a first unit value to a parent node of said each of the attestation nodes in the network, wherein if one of the attestation nodes in the network is directly connected to at least one child node in the network, the first unit value is calculated based on the first values calculated by both the attestation node and the at least one child node of the attestation node in the network; and if one of the proving nodes in the network is a leaving node, determining the first unit value based on the first value computed by the proving node;
wherein the verifying node is further configured to calculate the first verification value based on at least one first unit value, wherein each of the at least one first unit value is calculated accordingly by at least one proving node directly connected to the verifying node in the network.
10. The system of claim 9, wherein each of the attestation nodes in the network is further configured to send a second unit value to a parent node of said each attestation node in the network, wherein if one of the attestation nodes is directly connected to at least one child node in the network, the second unit value is calculated based on the second values calculated by both the attestation node and the at least one child node of the attestation node in the network; and if the proving node is a leaving node, determining the second unit value based on the second value computed by the proving node;
wherein the verifying node is further configured to calculate the second verification value based on at least one second unit value, wherein each of the at least one second unit value is calculated accordingly by at least one proving node directly connected to the verifying node in the network.
11. The system according to any of claims 8 to 10, wherein the verification node is further configured to: generating the random number for the each proving node in the network, and sending the generated random number for the each proving node to the each proving node directly or via a parent node of the each proving node in the network.
12. The system according to any of claims 8 to 10, wherein the verification node is further configured to generate a root random value and to share the generated root random value in the network;
wherein the each of the attestation nodes is further to generate a random number for the each of the attestation nodes based on the root random value and a predetermined function.
13. An apparatus for performing collective authentication in a communication network comprising a plurality of proving nodes, characterized in that the apparatus is configured to perform:
calculating a first verification value based on a plurality of first values, wherein each of the first values is calculated individually by one of the plurality of attestation nodes in the network based on predetermined public system parameters and random values selected by the attestation node;
calculating a second verification value based on a plurality of second values, wherein each of the second values is calculated individually by one of the plurality of attestation nodes in the network based on a random number generated for the attestation node, the random value selected by the attestation node, a private key of the attestation node, and the predetermined public system parameters; and
determining whether authentication of the plurality of attestation nodes in the network is successful based on whether the first verification value, the second verification value, and the random numbers generated for each of the plurality of attestation nodes satisfy a predetermined authentication condition.
14. An attestation node for performing collective authentication in a communication network comprising a verification node and a plurality of attestation nodes, characterized in that the attestation node is configured to perform:
calculating a first value based on predetermined public system parameters and a random value selected by the proving node, and sending the calculated first value to a parent proving node directly connected to the proving node in the network;
calculating a second value based on a random number generated for said each proving node, said random value selected by said each proving node, a private key of said each proving node and said predetermined public system parameter, and sending said calculated second value to said parent proving node directly connected to said each proving node;
the attestation node is a parent attestation node, the attestation node further to:
calculating a first unit value based on the first value of itself and the first value of a child attestation node directly connected to the attestation node, and sending the calculated first unit value to the verification node, such that the verification node calculates a first verification value based on the first unit value calculated by the parent attestation node directly connected to the verification node;
calculating a second unit value based on the second value of itself and the second value of a child attestation node directly connected to the attestation node, and sending the calculated second unit value to the verification node, such that the verification node calculates a second verification value based on the second unit value calculated by the parent attestation node directly connected to the verification node and determines whether authentication of the plurality of attestation nodes is successful based on whether the first verification value, the second verification value, and the random numbers generated for the plurality of attestation nodes in the network satisfy a predetermined authentication condition.
CN201711246426.5A 2017-01-17 2017-12-01 Method and system for performing collective authentication in a communication network Active CN108337092B (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
SG10201700379U 2017-01-17
SG10201700379UA SG10201700379UA (en) 2016-01-20 2017-01-17 Method and system for performing collective authentication in a communication network

Publications (2)

Publication Number Publication Date
CN108337092A CN108337092A (en) 2018-07-27
CN108337092B true CN108337092B (en) 2021-02-12

Family

ID=62923681

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201711246426.5A Active CN108337092B (en) 2017-01-17 2017-12-01 Method and system for performing collective authentication in a communication network

Country Status (1)

Country Link
CN (1) CN108337092B (en)

Families Citing this family (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20220051498A1 (en) * 2018-09-14 2022-02-17 Spectrum Brands, Inc. Authentication of internet of things devices, including electronic locks
CN109617735B (en) 2018-12-26 2021-04-09 华为技术有限公司 Cloud computing data center system, gateway, server and message processing method
CN110535657B (en) * 2019-08-21 2022-03-04 上海唯链信息科技有限公司 Method and device for mutual identity authentication of multiple private key management devices
US10783082B2 (en) 2019-08-30 2020-09-22 Alibaba Group Holding Limited Deploying a smart contract
CN110675256B (en) * 2019-08-30 2020-08-21 阿里巴巴集团控股有限公司 Method and device for deploying and executing intelligent contracts

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101286872A (en) * 2008-05-29 2008-10-15 上海交通大学 Distributed intrusion detection method in wireless sensor network
CN101888295A (en) * 2009-05-15 2010-11-17 南京理工大学 Distributed multi-term safety certification method
CN102271379A (en) * 2011-05-09 2011-12-07 陈志奎 Energy-saving routing method of nodes of internet of things based on context-aware technology
CN103701700A (en) * 2013-12-24 2014-04-02 中国科学院信息工程研究所 Node discovering method and system in communication network

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8695089B2 (en) * 2007-03-30 2014-04-08 International Business Machines Corporation Method and system for resilient packet traceback in wireless mesh and sensor networks

Also Published As

Publication number Publication date
CN108337092A (en) 2018-07-27

Similar Documents

Publication Publication Date Title
CN108337092B (en) Method and system for performing collective authentication in a communication network
US7308097B2 (en) Digital signature and authentication method and apparatus
US8914643B2 (en) Anonymous authentication system and anonymous authentication method
US20210243026A1 (en) Password based threshold token generation
CN110167021B (en) Vehicle-mounted virtual key implementation and communication method
US10057071B2 (en) Component for connecting to a data bus, and methods for implementing a cryptographic functionality in such a component
US20040030932A1 (en) Cryptographic methods and apparatus for secure authentication
Hohenberger et al. Universal signature aggregators
Li et al. Provably secure certificate-based signature scheme without pairings
Brogle et al. Sequential aggregate signatures with lazy verification from trapdoor permutations
Harkins Dragonfly key exchange
CN112787796B (en) Aggregation method and device for detecting false data injection in edge calculation
CA2305896C (en) Key validation scheme
AU2015202599B2 (en) Methods and devices for securing keys when key-management processes are subverted by an adversary
CN107294696B (en) Method for distributing full homomorphic keys for Leveled
Ruan et al. After-the-fact leakage-resilient identity-based authenticated key exchange
Tian et al. Analysis and improvement of an authenticated key exchange protocol for sensor networks
KR100989185B1 (en) A password authenticated key exchange method using the RSA
CN109951276A (en) Embedded device remote identity authentication method based on TPM
US20110064216A1 (en) Cryptographic message signature method having strengthened security, signature verification method, and corresponding devices and computer program products
Sarier A new biometric identity based encryption scheme secure against DoS attacks
Tsai An improved cross-layer privacy-preserving authentication in WAVE-enabled VANETs
CN116707956A (en) Zero knowledge proof-based internet of things equipment authentication method and device
KR20080005344A (en) System for authenticating user's terminal based on authentication server
CN116055136A (en) Secret sharing-based multi-target authentication method

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant