CN110945832B - Symmetric group authentication method and system - Google Patents



Publication number
CN110945832B
Authority
CN
China
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201880028158.6A
Other languages
Chinese (zh)
Other versions
CN110945832A (en)
Inventor
大卫·那克西
王贵林
伊丽莎白·夸利亚
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Huawei International Pte Ltd
Original Assignee
Huawei International Pte Ltd
Application filed by Huawei International Pte Ltd
Publication of CN110945832A
Application granted
Publication of CN110945832B


Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3271: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using challenge-response
    • H04L2209/00: Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
    • H04L2209/34: Encoding or coding, e.g. Huffman coding or error correction
    • H04L2209/80: Wireless
    • H04L2209/805: Lightweight hardware, e.g. radio-frequency identification [RFID] or sensor

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Small-Scale Networks (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

The invention relates to a symmetric group authentication system and method by which a root node authenticates n nodes of a spanning tree network of n+1 nodes arranged in y levels, wherein the first level consists of the root node. The method comprises a first stage in which the root node performs the following operations: determining a product code S = {e_i} of simplex codes having codewords of size a and Hamming weight h, wherein a and h are two positive integers; determining a first one-way function f and a second one-way function g; generating n random binary matrices M_i of size a × b, n keys k_i, a public key K and a shortcut matrix M, where a and b are positive integers, i denotes a node index from 1 to n, and
Figure DDA0002250303050000011
transmitting K to all n nodes and transmitting (M_i, k_i) to each node x_i. The method also includes a second phase of authenticating the n nodes, in which the root node performs: generating a challenge value c, wherein c is a random number with a binary length of b; transmitting the challenge value to the second-level nodes; receiving responses r_i from the second-level nodes; aggregating the responses r_i from the second-level nodes to obtain an aggregated response r; by the following expression
Figure DDA0002250303050000012
checking the aggregated response r; and determining that the aggregated response is acceptable if and only if the Hamming weight of r' is equal to h.

Description

Symmetric group authentication method and system
Technical Field
The present disclosure relates to methods and systems for symmetric authentication schemes. In particular, the present disclosure relates to a method and system that allows a verification device to collectively authenticate multiple verification devices.
Background
In a typical wireless network scenario, multiple nodes are connected by wireless connections. One node that is distinct from the remaining nodes is called a "base station," which may be a stronger controlling device, while the other nodes are low-end (IoT) devices.
The base station wants to know whether the network as a whole is subject to intervention and therefore uses an authentication protocol. It is assumed that the network topology is known; for example, each node knows to whom it is connected. Messages on the network are sent from one node to another and in this way are relayed throughout the connected network. Having the base station interact with each node individually is often not ideal because of the limited network bandwidth and the cost of long-distance transmission. Instead, there is a need for a way to aggregate responses from child nodes so that the information transmitted between nodes is more compact and efficient in terms of network bandwidth and energy consumption. In particular, the result of aggregating all responses (in some order depending on the network topology) may be sent as a final response to the base station. The base station may then check whether the final aggregated response is correct. Such a manner of collectively authenticating a plurality of nodes (hereinafter, inspection equipment/inspection entity/inspection object) by an authenticator (hereinafter, base station/inspection entity/inspection equipment/inspection object/server) is called aggregate authentication or group authentication.
Group authentication can be designed through either asymmetric primitives (e.g., digital signatures) or symmetric primitives (e.g., hash functions and message authentication codes). In particular, a way of aggregating signatures based on public keys has been proposed. In this scheme, signatures of multiple signers on multiple messages can be aggregated into one signature and sent to a verifier, who can perform a valid authentication algorithm to verify the validity of the aggregated signature. However, public key systems are typically too expensive for low-end (IoT) devices, not to mention that most aggregate signatures rely on even slower bilinear pairings.
Performing group authentication through symmetric primitives is more efficient, although the base station will compute the value for each node, aggregate the results, and check whether the received response matches the expected value. While generally feasible, this practice is not always optimal. Accordingly, those skilled in the art are striving to advance group authentication schemes.
Disclosure of Invention
The above and other problems are solved, and an advance in the art is made, by the systems and methods provided by embodiments of the present disclosure. A first advantage of the systems and methods according to embodiments of the present disclosure is that they are extremely lightweight, because only basic operations (i.e., hash, matrix multiplication, and exclusive or) are used in the algorithms and protocols. Thus, the composition scheme and its variants are much more efficient than public-key aggregate signatures and than aggregate or group authentication schemes built from MACs. A second advantage is that the verification cost is independent of the number of nodes: because of the shortcut, the verification computation is inherently cheap, so the scheme is very efficient even where a large number of nodes or devices must be authenticated (as in many IoT applications). A third advantage is that, because of aggregation, the communication cost is independent of the number of nodes in the network, although it depends on the height of the tree when the nodes are organized in a tree topology. A fourth advantage is that the systems and methods can be implemented in software only and are thus easily deployed on existing devices. A fifth advantage is that the systems and methods resist passive and active adversaries.
A first aspect describes a symmetric group authentication method by which a root node authenticates n nodes of a spanning tree network of n+1 nodes arranged in y levels, wherein the first level consists of the root node. The method comprises a first stage in which the root node performs the following operations: determining a product code S = {e_i} of simplex codes having codewords of size a and Hamming weight h, wherein a and h are two positive integers; determining a first one-way function f and a second one-way function g; generating n random binary matrices M_i of size a × b, n keys k_i, a public key K and a shortcut matrix M, where a and b are positive integers, i denotes a node index from 1 to n, and
Figure GDA0002378291980000021
transmitting K to all n nodes and transmitting (M_i, k_i) to each node x_i. The method also includes a second phase of authenticating the n nodes, wherein the root node is required to perform: generating a challenge value c, wherein c is a random number with a binary length of b; transmitting the challenge value to the second-level nodes; receiving responses r_i from the second-level nodes; aggregating the responses r_i from the second-level nodes to obtain an aggregated response r; by the following expression
Figure GDA0002378291980000022
checking the aggregated response r; and determining that the aggregated response is acceptable if and only if the Hamming weight of r' is equal to h.
According to an embodiment of the first aspect, aggregating the responses r_i from the second-level nodes to obtain the aggregated response r comprises: the root node combining the responses r_i using a pure XOR operation.
According to an embodiment of the first aspect, the first stage further comprises: the n nodes receiving and storing M_i, k_i and K.
According to an embodiment of the first aspect, the first stage further comprises: the root node transmitting S = {e_i} and the first and second one-way functions to the n nodes x_i.
According to an embodiment of the first aspect, the first stage further comprises: the n nodes receiving and storing S = {e_i} and the first and second one-way functions.
According to an embodiment of the first aspect, the second stage further comprises each of the nodes: receiving a challenge; generating, in response to receiving the challenge, a codeword e_q of the product code of simplex codes, wherein q = g(k_i, c) and e_q is the q-th codeword of the product code of simplex codes; by the following expression
Figure GDA0002378291980000023
generating a response r_i; and transmitting the response to the root node.
According to an embodiment of the first aspect, the second stage further comprises: each of the nodes between the second level and the (y-1)-th level performing the following operations: receiving a response from its subordinate nodes; aggregating its own generated response with the responses from the subordinate nodes; and transmitting the aggregated response to its superordinate node.
According to an embodiment of the first aspect, the binary length of a is 1200, h is 320, the binary length of b is 256, and k_i and K have a binary length of 128.
According to an embodiment of the first aspect, a separate code has the form
Figure GDA0002378291980000024
This code replaces the product code of simplex codes, and the aggregate response r' is determined to be acceptable if and only if the Hamming weight of r' is equal to or less than 2h.
According to an embodiment of the first aspect, the method further comprises: if the aggregated response is not acceptable, the root node performing faulty node identification.
According to an embodiment of the first aspect, the step of performing faulty node identification comprises the root node repeating the steps of: generating a challenge value c; transmitting the challenge value to the second-level nodes; receiving responses r_i from the second-level nodes; aggregating the responses r_i from the second-level nodes; checking the aggregated response r; and determining that the aggregated response is acceptable if and only if the Hamming weight of r is equal to h.
According to an embodiment of the first aspect, the step of performing faulty node identification comprises the root node performing the following operations: verifying each of the responses received from the second-level nodes, the second-level nodes being the current-level nodes; and appending the authenticated list to contain the indices of authenticated nodes with valid responses, and appending the failure list to contain the indices of authenticated nodes with invalid responses.
According to an embodiment of the first aspect, the step of performing faulty node identification further comprises the root node performing the following operations: 1) performing the second stage together with the current-level nodes in the failure list and their next-level nodes, that is, the child nodes of the current-level nodes in the failure list; 2) appending the authenticated list to contain the indices of authenticated nodes with valid responses, and appending the failure list to contain the indices of authenticated nodes with invalid responses; and repeating steps 1 and 2 until the (y-1)-th level nodes.
According to an embodiment of the first aspect, the step of performing faulty node identification comprises the root node performing the following operations: generating a challenge value c; transmitting the challenge value to one of the nodes x_i; receiving a response r_i from that node; by the following expression
Figure GDA0002378291980000032
checking the response r_i; and determining that the response is acceptable if and only if the Hamming weight of r' is equal to h.
A second aspect describes a symmetric group authentication system for a spanning tree network of n+1 nodes in y levels, where the first level consists of the root node. The system includes a root node of a first level of the spanning tree network, the root node having a processor, a non-transitory memory, and instructions stored in the non-transitory memory that are executable by the processor to: in a first stage, determine a product code S = {e_i} of simplex codes having codewords of size a and Hamming weight h, wherein a and h are two positive integers; determine a first one-way function f and a second one-way function g; generate n random binary matrices M_i of size a × b, n keys k_i, a public key K and a shortcut matrix M, where a and b are positive integers, i denotes a node index from 1 to n, and
Figure GDA0002378291980000031
transmit K to all n nodes and transmit (M_i, k_i) to each node x_i; in the second stage, generate a challenge value c, wherein c is a random number with a binary length of b; transmit the challenge value to the second-level nodes; receive responses r_i from the second-level nodes; aggregate the responses r_i from the second-level nodes to obtain an aggregated response r; by the following expression
Figure GDA0002378291980000033
check the aggregated response r; and determine that the aggregated response is acceptable if and only if the Hamming weight of r' is equal to h.
According to one embodiment of the second aspect, the instructions to aggregate the responses r_i from the second-level nodes to obtain an aggregated response r comprise instructions to combine the responses r_i using a pure exclusive-or operation.
According to one embodiment of the second aspect, each of the n nodes includes a processor, a non-transitory memory, and instructions stored in the non-transitory memory that are executable by the processor to receive and store M_i, k_i and K.
According to an embodiment of the second aspect, the instructions of the root node further comprise instructions to transmit S = {e_i} and the first and second one-way functions to the n nodes.
According to one embodiment of the second aspect, the instructions of the n nodes further comprise instructions to receive and store S = {e_i} and the first and second one-way functions.
According to one embodiment of the second aspect, the instructions in each of the n nodes further comprise instructions to: receive a challenge; generate, in response to receiving the challenge, a codeword e_q of the product code of simplex codes, wherein q = g(k_i, c) and e_q is the q-th codeword of the product code of simplex codes; by the following expression
Figure GDA0002378291980000034
generate a response r_i; and transmit the response to the root node.
According to one embodiment of the second aspect, the instructions in each of the nodes between the second level and the (y-1)-th level comprise instructions to: receive a response from the subordinate nodes; aggregate the generated response with the responses from the subordinate nodes; and transmit the aggregated response to the superordinate node.
According to one embodiment of the second aspect, the binary length of a is 1200, h is 320, the binary length of b is 256, and k_i and K have a binary length of 128.
According to an embodiment of the second aspect, a separate code has the form
Figure GDA0002378291980000042
This code replaces the product code of simplex codes, and the aggregate response r' is determined to be acceptable if and only if the Hamming weight of r' is equal to or less than 2h.
According to one embodiment of the second aspect, the root node further comprises instructions to: perform faulty node identification if the aggregated response is not acceptable.
According to one embodiment of the second aspect, the instructions for performing faulty node identification comprise instructions for the node to repeat the steps of: generating a challenge value c; transmitting the challenge value to the second-level nodes; receiving responses r_i from the second-level nodes; aggregating the responses r_i from the second-level nodes; checking the aggregated response r; and determining that the aggregated response is acceptable if and only if the Hamming weight of r' is equal to h.
According to an embodiment of the second aspect, the instructions for performing faulty node identification further comprise instructions for: verifying each of the responses received from the second-level nodes, the second-level nodes being the current-level nodes; and appending the authenticated list to contain the indices of authenticated nodes with valid responses, and appending the failure list to contain the indices of authenticated nodes with invalid responses.
According to an embodiment of the second aspect, the instructions for performing faulty node identification further comprise instructions for: verifying each of the responses received from the second-level nodes, the second-level nodes being the current-level nodes; appending the authenticated list to contain the indices of authenticated nodes with valid responses, and appending the failure list to contain the indices of authenticated nodes with invalid responses; 1) performing the second stage together with the current-level nodes in the failure list and their next-level nodes, that is, the child nodes of the current-level nodes in the failure list; 2) appending the authenticated list to contain the indices of authenticated nodes with valid responses, and appending the failure list to contain the indices of authenticated nodes with invalid responses; and repeating steps 1 and 2 until the (y-1)-th level nodes.
According to one embodiment of the second aspect, the instructions for performing faulty node identification include instructions for: generating a challenge value c; transmitting the challenge value to one of the nodes x_i; receiving a response r_i from that node; by the following expression
Figure GDA0002378291980000043
checking the response r_i; and determining that the response is acceptable if and only if the Hamming weight of r' is equal to h.
A third aspect describes a symmetric group authentication method by which a root node authenticates n nodes of a spanning tree network of n+1 nodes arranged in y levels, wherein the first level consists of the root node. The method comprises a first stage in which the root node performs the following operations: determining a product code S = {e_i} of simplex codes having codewords of size a and Hamming weight h, wherein a and h are two positive integers; determining a first one-way function f and a second one-way function g; generating n random binary matrices M_i of size a × b, n keys k_i, a public key K and a shortcut matrix M, where a and b are positive integers, i denotes a node index from 1 to n, and
Figure GDA0002378291980000041
transmitting K to all n nodes and transmitting (M_i, k_i) to each node x_i; and a second phase of authenticating the n nodes, comprising the root node performing the following operations: generating a challenge value c, wherein c is a random number with a binary length of b; transmitting the challenge value to one of the nodes x_i; receiving a response r_i from that node; by the following expression
Figure GDA0002378291980000044
checking the response r_i; and determining that the response is acceptable if and only if the Hamming weight of r' is equal to h.
According to an embodiment of the third aspect, the first stage further comprises: each node x_i receiving and storing M_i, k_i and K.
According to an embodiment of the third aspect, the first stage further comprises: the root node transmitting S = {e_i} and the first and second one-way functions to all n nodes.
According to an embodiment of the third aspect, the first stage further comprises: the n nodes receiving and storing S = {e_i} and the first and second one-way functions.
According to an embodiment of the third aspect, the second stage further comprises each node x_i performing the following operations: receiving a challenge; generating, in response to receiving the challenge, a codeword e_q of the product code of simplex codes, wherein q = g(k_i, c) and e_q is the q-th codeword of the product code of simplex codes; by the following expression
Figure GDA0002378291980000052
generating a response r_i; and transmitting the response r_i to the root node.
According to an embodiment of the third aspect, in place of the product code of simplex codes, a separate code is used, of the form
Figure GDA0002378291980000053
and the aggregate response r' is determined to be acceptable if and only if the Hamming weight of r' is equal to or less than 2h.
A fourth aspect describes a symmetric group authentication system for a spanning tree network composed of n+1 nodes in y levels, where the first level consists of the root node. The system includes a root node of a first level of the spanning tree network, the root node having a processor, a non-transitory memory, and instructions stored in the non-transitory memory that are executable by the processor to: in a first stage, determine a product code S = {e_i} of simplex codes having codewords of size a and Hamming weight h, wherein a and h are two positive integers; determine a first one-way function f and a second one-way function g; generate n random binary matrices M_i of size a × b, n keys k_i, a public key K and a shortcut matrix M, where a and b are positive integers, i denotes a node index from 1 to n, and
Figure GDA0002378291980000051
transmit K to all n nodes and transmit (M_i, k_i) to each node x_i; in the second stage, generate a challenge value c, wherein c is a random number with a binary length of b; transmit the challenge value to one of the nodes x_i; receive a response r_i from that node; aggregate the response r_i from that node to obtain an aggregated response r; by the following expression
Figure GDA0002378291980000057
check the response r_i; and determine that the response is acceptable if and only if the Hamming weight of r' is equal to h.
According to one embodiment of the fourth aspect, each of the n nodes includes a processor, a non-transitory memory, and instructions stored in the non-transitory memory that are executable by the processor to receive and store M_i, k_i and K.
According to an embodiment of the fourth aspect, the instructions in the root node further comprise instructions to: transmit S = {e_i} and the first and second one-way functions to the n nodes.
According to an embodiment of the fourth aspect, the instructions in the n nodes further comprise instructions to: receive and store S = {e_i} and the first and second one-way functions.
According to an embodiment of the fourth aspect, the instructions in each of the n nodes further comprise instructions to: receive a challenge c; generate, in response to receiving the challenge c, a codeword e_q of the product code of simplex codes, wherein q = g(k_i, c) and e_q is the q-th codeword of the product code of simplex codes; by the following expression
Figure GDA0002378291980000055
generate a response r_i; and transmit the response to the root node.
According to an embodiment of the fourth aspect, in place of the product code of simplex codes, a separate code is used, of the form
Figure GDA0002378291980000056
and the aggregate response r' is determined to be acceptable if and only if the Hamming weight of r' is equal to or less than 2h.
Drawings
The above advantages and features according to the present invention are described in the following detailed description and are shown in the following drawings:
FIG. 1 illustrates a simplified network infrastructure implementing a method and system according to the present disclosure;
FIG. 2 illustrates a processing system of a server of a simplified network infrastructure that executes instructions to perform the provisioning processes of the method and system in accordance with the present disclosure;
FIG. 3 illustrates a block diagram of the underlying network interfaces of a simplified network infrastructure that executes instructions to perform the provisioning process of the method and system in accordance with the present disclosure;
FIG. 4 illustrates a timing diagram of information flow between a server and a node according to the present disclosure;
FIG. 5 illustrates a process performed by a processing system of a server according to the present disclosure;
FIG. 6 illustrates a process performed by a processing system of a network interface or one of the parent nodes according to the present disclosure;
FIG. 7 illustrates a process performed by a processing system of a network interface or one of the leaf nodes according to the present disclosure;
FIG. 8 illustrates a process performed by a processing system of a server to select an option to identify a faulty node according to the present disclosure; and
FIG. 9 illustrates a process performed by a processing system of a server to identify a faulty node according to the present disclosure.
Detailed Description
The present disclosure relates to methods and systems for symmetric authentication schemes. In particular, the present disclosure relates to a method and system that allows a verification device to collectively authenticate multiple verification devices.
Fig. 1 illustrates a simplified network infrastructure 100. In particular, the network infrastructure 100 shows a server 110, the server 110 establishing a connection to connect all nodes 120.
When the server 110 wishes to know whether the network infrastructure 100 is subject to intervention, the server 110 uses an authentication protocol to authenticate the nodes 1 to 17. It is assumed that each node 120 is aware of the topology of the network infrastructure 100. Messages on network infrastructure 100 are transmitted from one node to another and relayed throughout the connected network. Due to the limited bandwidth and cost of long distance transmission, it is generally not an ideal way for the server 110 to interact directly with each node. Thus, instead of child nodes 5 to 17 directly authenticating with the server 110, parent nodes 1 to 4 may receive responses from child nodes 5 to 17 and aggregate the responses to the server. For example, the parent node 1 receives responses from the child nodes 5 to 7, and aggregates the responses of the child nodes 5 to 7 with its own response and transmits the aggregated response to the server 110; the parent node 2 receives the responses of the child nodes 8 to 10, aggregates the responses of the child nodes 8 to 10 with its own response, and transmits the aggregated response to the server 110; the parent node 3 receives the responses of the child nodes 11 to 13, aggregates the responses of the child nodes 11 to 13 with its own response, and transmits the aggregated response to the server 110; the parent node 4 receives the responses of the child nodes 14 to 17, aggregates the responses of the child nodes 14 to 17 with its own response, and transmits the aggregated response to the server 110. The server then aggregates the responses from the parent nodes 1 to 4 and checks whether the aggregated response is correct. This way of authenticating multiple nodes collectively by a server is called group authentication.
According to the present disclosure, a fast symmetric group authentication is provided. Such symmetric group authentication is characterized by the server 110 having a special key ("shortcut"). The special key is a verification entity V which allows the server 110 to authenticate the entire network without the need to compute the value of each node, thus saving computation.
For purposes of this disclosure, the server 110 may be a base station or an authentication server provided by a service provider for managing connectivity between the node 120 and servers managed by the service provider or servers managed by other server providers. The node 120 may be a mobile device or an Internet of things (IoT) device communicatively connected to the server 110.
Processes stored on media as instructions, and executed by the processing system of the server 110 or by virtual machines running on that processing system, provide a method and/or system in accordance with the present invention. The instructions may be stored in firmware, hardware, or software. Fig. 2 illustrates a processing system 200 of the server 110 in the simplified network infrastructure 100, which executes instructions to perform the processes for providing methods and/or systems according to the present disclosure. Those skilled in the art will appreciate that the exact configuration of each processing system may be different and that the exact configuration of the processing system for each facility may vary. Thus, the processing system 200 shown in FIG. 2 is merely an example.
Processing system 200 includes a Central Processing Unit (CPU) 205. The CPU 205 is a processor, microprocessor, or any combination of processors and microprocessors that execute instructions to perform processes according to the present invention. The CPU 205 is coupled to a memory bus 210 and an Input/Output (I/O) bus 215. The CPU 205 and the memories 220 and 225 are connected via the memory bus 210 to transfer data and instructions between the memories and the CPU 205. The CPU 205 and peripheral devices are coupled via the I/O bus 215 to transfer data between the CPU 205 and the peripheral devices. Those skilled in the art will appreciate that the I/O bus 215 and the memory bus 210 may be combined into one bus or subdivided into many other buses, the exact configuration being left to those skilled in the art.
A non-volatile memory 220, such as a Read Only Memory (ROM), is connected to the memory bus 210. The non-volatile memory 220 stores instructions and data necessary to operate the various subsystems of the processing system 200 and to boot the system at start-up. Those skilled in the art will appreciate that any number of types of memory may be used to perform this function.
A volatile memory 225, such as a Random Access Memory (RAM), is also coupled to the memory bus 210. The volatile memory 225 stores instructions and data required by the CPU 205 for executing software instructions directed to processes such as those required to provide a system in accordance with the present invention. Those skilled in the art will recognize that any number of types of memory may be used as volatile memory, and the type actually used is left to those skilled in the art as a matter of design choice.
I/O device 230, keyboard 235, display 240, memory 245, network device 250, and any number of other peripheral devices are connected to the I/O bus 215 to exchange data with the CPU 205 for use in applications executed by the CPU 205. The I/O device 230 is any device that transmits data to and/or receives data from the CPU 205. The keyboard 235 is a specific type of I/O that receives user input and transmits the input to the CPU 205. The display 240 receives display data from the CPU 205 and displays pictures on a screen for viewing by a user. The memory 245 is a device that transmits data to the CPU 205 and receives data from the CPU 205 to save the data to a medium. Network device 250 connects the CPU 205 to a network to enable data transfer between other servers and the node 120.
For purposes of this disclosure, the term "internet of things" (IoT) device refers to any apparatus having a communication interface that allows for the transmission and reception of information in the IoT device over a wired or wireless connection. IoT devices include, but are not limited to, sensing devices, embedded systems, webcams, gateways, cell phones, computers, laptops, Personal Digital Assistants (PDAs), white appliances, and the like.
For embedded systems, gateways, cell phones, computers, laptops, and PDAs, such IoT devices are typically configured with wireless network interfaces (e.g., bluetooth, Wi-Fi direct, Long-Term Evolution (LTE) direct, RF antennas, etc.) or wired network interfaces (e.g., ethernet connections, USB or firewire connections, etc.) to allow for the transmission and reception of data.
White goods such as refrigerators and washing machines may not be configured with any wired or wireless network interfaces. Accordingly, it is common to provide a network interface module to allow these devices to communicatively connect with mobile devices or routers so that these IoT devices can communicate with the server 110. Fig. 3 shows a block diagram of an underlying network interface 300. The network interface 300 may receive and transmit data and execute software applications. The network interface 300 includes a processor 310, a memory 320, a transceiver 330, and an input/output port 340.
Processor 310 is a processor, microprocessor, microcontroller, application specific integrated circuit, Digital Signal Processor (DSP), programmable logic circuit, or other data processing device that executes instructions to perform a process according to the present disclosure. The processor 310 is capable of executing various application programs stored in the memory 320.
The memory 320 may include a read-only memory (ROM), a random-access memory (RAM), an electrically erasable programmable read-only memory (EEPROM), a flash memory card, or any memory commonly used in computers. The memory 320 stores instructions for performing processes in accordance with the present disclosure.
One or more input/output (I/O) ports 340 may be used to allow the processor 310 to communicate with and control various I/O devices of the IoT devices. Peripheral devices that may be connected to the network interface 300 through the I/O ports 340 include USB memory devices, SD cards or other memory devices for transmitting information to the core network 330 or receiving information from the core network 330. In addition to updating applications stored in memory 320 or installing new applications on memory via transceiver 330, a user may also install new applications or update applications on memory 320 via a user interface, such as USB via I/O port 340.
The transceiver 330 includes a transmitter and a receiver for transmitting data to and receiving data from the server 110 directly or indirectly through a mobile device or a router. The transceiver 330 may transmit or receive data via one or more of the following wireless or wired technology standards: bluetooth, Wi-Fi direct, Long-Term Evolution (LTE) direct, RF antenna, Ethernet connection, USB or firewire connection, and the like.
Those skilled in the art will appreciate that other features will be included in the network interface 300. Further, components within network interface 300 may be replaced with other components that perform similar functions. In short, the network interface 300 as shown in FIG. 3 is to be considered merely illustrative and not restrictive.
The present disclosure embodiments propose a method of registering a node 120, e.g., an IoT device, on a server 110 and mutual authentication between the node 120 and the server 110.
A symmetric group authentication protocol in accordance with the systems and methods of the present disclosure is described below. The symmetric group authentication method is based on a product code of a simplex code and the learning parity with noise (LPN) problem, and uses two keyed hash functions f and g. Before describing the systems and methods according to the present disclosure, a brief description of simplex codes and LPN is now provided.
Simplex code
A simplex code with parameters (2^ρ - 1, ρ) is a linear code that encodes ρ-bit symbols as (2^ρ - 1)-bit codewords, where ρ is a positive integer. The simplex code satisfies the following two characteristics:
Characteristic 1: the simplex code with parameters (2^ρ - 1, ρ) has a Hamming weight ρ.
Characteristic 2: if e_i and e_j are two codewords of a simplex code, then
Figure GDA0002378291980000084
(i.e., the XOR of e_i and e_j) is also a valid codeword.
In another variation, the product code of the simplex code, of length t(2^ρ - 1), is defined as belonging to the class of simplex codewords with parameters (2^ρ - 1, ρ). The product code of the simplex code has a Hamming weight of tpj, and also satisfies property 2.
In yet another variation, the length is (2) ρ The individual forms of (1)
Figure GDA00023782919800000810
The code is constructed as a permutation P and a simplex code
Figure GDA00023782919800000811
Figure GDA00023782919800000812
Order to
Figure GDA00023782919800000813
Where P runs on a binary string. Separate form
Figure GDA0002378291980000085
The code R is defined as
Figure GDA0002378291980000086
However, in a single form
Figure GDA0002378291980000087
The code does not satisfy the above two characteristics. In particular, single form
Figure GDA0002378291980000089
The hamming weight of the code varies between 0 and 2 ρ. Further, in general, two codewords that are XOR'd do not result in a valid codeword. However, experimental evidence suggests that by iteration
Figure GDA0002378291980000088
The code distribution obtained by the above construction is such that the hamming weight is concentrated on about 2 ρ.
Learning Parity with Noise (LPN)
The security of the proposed group authentication method and its variants depends on the following basic assumption: the hardness of the Learning Parity with Noise (LPN) problem, which is defined as follows.
In one example, the attack algorithm A is given a parameter q satisfying 0 < q < 1 and a secret
Figure GDA0002378291980000081
by way of access to the oracle O_(m,q). Here,
Figure GDA0002378291980000082
is over the finite field of order 2, with dimension k. Upon receipt of the challenge
Figure GDA0002378291980000083
the oracle O_(m,q) randomly selects a noise bit e such that Pr[e = 1] = q, i.e., e equals 1 with probability q. The oracle then returns
Figure GDA0002378291980000092
as its output to algorithm A, where c · m denotes the dot product of c and m, taken as two binary vectors of dimension k. The goal of the attack algorithm A is to recover the secret m using the oracle O_(m,q). It is widely believed that any probabilistic polynomial-time algorithm A has only a negligible advantage in recovering the secret m, even when A is allowed a polynomial number of queries to the oracle O_(m,q). This computational assumption is called the LPN assumption.
It should be noted that the bias of e is an important parameter: if q is 0, then solving the LPN problem is trivial (linear algebra); on the other hand, if q is 1/2, then the LPN problem cannot be solved (one-time pad). Thus, LPN is interesting and important when 0 < q < 1/2.
There is currently no known efficient algorithm for solving generic instances of the LPN problem. Therefore, the LPN problem is considered hard to solve. Many cryptographic primitives are based on the hardness of LPN.
In the proposed primitive, it is assumed that each node x_i is provisioned with a secret shared with the server, which is also known as the verifying entity V or root node. In practice, additional hardware/software security measures should be implemented to prevent the secret from being revealed to an adversary.
For the purposes of this disclosure, it is assumed that the entire network is treated as a spanning tree W with y levels, that V is the root node of W, and that all nodes know their own parent and child nodes (if any) and their indices. For example, the network infrastructure 100 shows a spanning tree W with three levels of nodes. In particular, the first level corresponds to server 110, which is the verifying entity V, also called the root node of W; the second level corresponds to nodes 1 to 4; and the third level corresponds to nodes 5 to 17, which are leaf nodes. For purposes of this disclosure, node x_0 refers to server 110, and x_1 to x_17 refer to nodes 1 to 17 in Fig. 1. All nodes know their own parent and child nodes and their indices. Parent and child nodes are also called verification nodes/devices/entities.
Fig. 4 shows a timing diagram 400 of the flow of information between server 110 and node 120. Timing diagram 400 includes two phases. For purposes of discussion, the server 110 is also referred to as a root node.
The first stage 405 includes establishing a group authentication protocol by running the following algorithm:
1. Setup(J, n) is run to build the system. In this algorithm, the server 110 determines the public parameters pp necessary for achieving J bits of security in a spanning tree network with n + 1 nodes. In particular, the algorithm selects the product code S = {e_i} of a simplex code with codewords of size a and Hamming weight h, where a and h are two positive integers. In addition, two keyed one-way functions f and g are also selected. The public parameters pp are defined as the set {S, a, h, f, g}.
2. KeyGen(pp, n) is run to generate the necessary keys and matrices. In particular, the server 110 generates n private keys k_i, one for each of the nodes, a public key K, n random binary matrices M_i, and a "shortcut" matrix M, where M is the XOR of all n random binary matrices (
Figure GDA0002378291980000091
). M is known only to the server 110.
In step 415, the public parameters, the n random binary matrices (M_i), the n private keys (k_i), and the public key (K) are securely distributed to each node x_i of the whole spanning tree network, where i is the index of a node in the spanning tree network, e.g., 1 to n. The public parameters S, a, h, f and g are all considered to be known by all nodes in the network. Thus, it is possible to preset the public parameters in the nodes instead of sending them in step 415. More details of the first stage are described below in conjunction with fig. 5.
The second stage 410 includes: triggering the nodes in the spanning tree W to make the server 110 perform group authentication by the following algorithm:
1. Challenge(pp) is run to generate and transmit the challenge. In particular, server 110 generates a random vector c of binary length b and sends it as an authentication challenge to the second-level parent nodes, e.g., nodes 1 through 4 in the entire spanning tree network W. Recursively, each parent forwards the challenge c to its children until all leaf nodes receive c in step 420.
2. Each of the nodes 120 runs Response(pp, c, {M_i, k_i, K}) to generate a response in step 425. In particular, based on c and its private secret (M_i, k_i, K), each node computes a value r_i and takes it as its response to the challenge c, where r_i is calculated by the following equation:
Figure GDA0002378291980000104
where the index q = g(k_i, c) and e_q is the q-th codeword of the product code of the simplex code. The product code S of the simplex code is part of the public parameters pp, and it is assumed that each node knows how to generate or identify a specific codeword in S by running a suitable algorithm. After the child nodes generate responses, the responses are transmitted to the respective parent nodes in step 430.
3. Each of the nodes other than the leaf nodes runs Aggregate(pp, r_1, ..., r_n) and transmits the aggregated response to the respective parent node in steps 435 to 440. Each of the nodes in level y-1 aggregates the responses received from its child nodes. In short, each node in level y-1 XORs its own value r_j with all responses r_i received from its child nodes. The algorithm can be expressed by the following equation:
Figure GDA0002378291980000101
The aggregated response is transmitted to the respective parent node, level by level, up to the first-level node, i.e., the root node.
4. The root node runs Verify(pp, c, r, {M, K}) in step 445. Before running the algorithm, the root node also runs the aggregation algorithm to combine the responses from the second-level nodes and obtain the final aggregated response. The final aggregated response r is accepted as valid if and only if the following equation is satisfied:
Figure GDA0002378291980000105
where e represents the hamming weight of the binary string e.
The main idea of the group authentication protocol is that each node shares a secret key with the server and the nodes do not interact directly with the server. Instead, the parent nodes of the various levels recursively combine the responses from the nodes up to the server.
The core interaction between the root node and the remaining nodes can be described as follows:
1. After the first stage, the root node has (M_i, k_i, M, K, pp) and the other nodes have (M_i, k_i, K, pp).
2. The root node generates a challenge value
Figure GDA0002378291980000102
and transmits it as an authentication challenge to the second-level nodes and onward to the remaining nodes down to the leaf level, wherein the challenge
Figure GDA0002378291980000103
is a random vector c of binary length b.
3. Each of the nodes generates a response as follows:
a. Determine the index q using the one-way function g with inputs k_i and c.
b. Determine M_i f(K, c), the product of the matrix M_i with the output of the one-way function f on inputs public key K and c.
c. Determine the response r_i by XORing M_i f(K, c) with the q-th codeword of the product code of the simplex code.
4. The responses r_i are transmitted from the leaf node level up to the root node. Responses are aggregated at each level.
5. The final aggregated response r is XORed with M f(K, c), the product of the shortcut matrix M with the output of the one-way function f on inputs public key K and c. If the response is valid, the final result will be a codeword that satisfies properties 1 and 2 of the product code of the simplex code.
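The five steps above, run end to end on the Fig. 1 topology, as an added example (this is not code from the patent). Assumptions: f and g are stood in for by HMAC-SHA256, the product code is modelled as T concatenated simplex blocks, the sizes are toy values, and, because equation (3) does not survive on this page, verify() tests that r XOR M f(K, c) is a codeword (characteristic 2) instead of comparing its Hamming weight.

```python
import hashlib
import hmac
import secrets

RHO, T, B = 4, 8, 64      # assumed toy sizes: rho, blocks per codeword, challenge bits b
BLOCK = 2**RHO - 1        # simplex block length 2^rho - 1 (also the rho-bit mask)
A = T * BLOCK             # codeword / response length a
# Fig. 1 topology: server x_0 -> parents 1..4 -> leaves 5..17
TREE = {0: [1, 2, 3, 4], 1: [5, 6, 7], 2: [8, 9, 10],
        3: [11, 12, 13], 4: [14, 15, 16, 17]}


def prf(key, label, c, nbits):
    """Keyed one-way function (assumed): HMAC-SHA256 in counter mode, cut to nbits."""
    out, ctr = b"", 0
    while len(out) * 8 < nbits:
        out += hmac.new(key, label + bytes([ctr]) + c, hashlib.sha256).digest()
        ctr += 1
    return int.from_bytes(out, "big") >> (len(out) * 8 - nbits)


def simplex(m):
    """Simplex codeword of the rho-bit message m: bit j-1 is the parity of (m AND j)."""
    return sum((bin(m & j).count("1") & 1) << (j - 1) for j in range(1, BLOCK + 1))


def codeword(q):
    """e_q: T simplex blocks side by side, each encoding RHO bits of the index q."""
    return sum(simplex((q >> (RHO * i)) & BLOCK) << (BLOCK * i) for i in range(T))


def is_codeword(x):
    """True if every block of x re-encodes to itself (message bits sit at j = 2^k)."""
    for i in range(T):
        blk = (x >> (BLOCK * i)) & ((1 << BLOCK) - 1)
        m = sum(((blk >> ((1 << k) - 1)) & 1) << k for k in range(RHO))
        if simplex(m) != blk:
            return False
    return True


def mat_vec(M, v):
    """M is a list of B columns (A-bit ints); returns M*v over GF(2)."""
    acc = 0
    for j, col in enumerate(M):
        if (v >> j) & 1:
            acc ^= col
    return acc


def keygen(n):
    """KeyGen: shared key K, per-node k_i and M_i, and the server-only shortcut M."""
    K = secrets.token_bytes(16)
    keys = {i: secrets.token_bytes(16) for i in range(1, n + 1)}
    mats = {i: [secrets.randbits(A) for _ in range(B)] for i in range(1, n + 1)}
    shortcut = [0] * B
    for M in mats.values():
        shortcut = [s ^ col for s, col in zip(shortcut, M)]
    return K, keys, mats, shortcut


def response(i, c, K, keys, mats):
    """Response: r_i = M_i f(K, c) XOR e_q with q = g(k_i, c)."""
    q = prf(keys[i], b"g", c, RHO * T)
    return mat_vec(mats[i], prf(K, b"f", c, B)) ^ codeword(q)


def aggregate(node, c, K, keys, mats, tamper=None):
    """Aggregate: a node XORs its own response with those of its subtree."""
    r = 0 if node == 0 else response(node, c, K, keys, mats)
    if node == tamper:
        r ^= 1            # constructed fault: one flipped bit in this node's response
    for child in TREE.get(node, []):
        r ^= aggregate(child, c, K, keys, mats, tamper)
    return r


def verify(r, c, K, shortcut):
    """Verify with one matrix product: r XOR M f(K, c) must be a codeword."""
    return is_codeword(r ^ mat_vec(shortcut, prf(K, b"f", c, B)))


def run_demo():
    K, keys, mats, shortcut = keygen(17)
    c = secrets.token_bytes(B // 8)
    honest = aggregate(0, c, K, keys, mats)
    forged = aggregate(0, c, K, keys, mats, tamper=9)
    return verify(honest, c, K, shortcut), verify(forged, c, K, shortcut)


if __name__ == "__main__":
    print(run_demo())
```

The server never touches an individual M_i during verification: one product with the shortcut matrix cancels all seventeen masks at once, and a single corrupted response anywhere in the tree leaves a residue that is no longer a codeword.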
More details of the two stages will now be described, as follows. The symmetric group authentication method is based on a product code of a simplex code and a learning parity with noise (LPN) problem, and uses two one-way functions f and g using a secret key. One possible way to implement a one-way function is to use a hash function.
Fig. 5 illustrates a process 500 according to the present disclosure performed by processing system 200 of server 110. The process 500 begins at step 505 by establishing a network in the following manner. First, the server 110 determines the public parameters using the algorithm Setup(J, n). In particular, given the security parameter J and n (the number of nodes in the network), the public parameters pp necessary to achieve J bits of security for a network with n nodes are generated in process 500. In particular, the product code S = {e_i} of the simplex code having codewords of size a and Hamming weight h is selected in process 500, where a and h are two positive integers. In addition, two keyed one-way functions f and g are also selected. The public parameters pp are defined as the set {S, a, h, f, g}. In one embodiment, the public parameters are predetermined and may be retrieved from memory. More details regarding the selection of the public parameters will be described below.
The server then runs the algorithm KeyGen(pp, n) to generate n private keys (k_i), one for each node, a public key (K), n random binary matrices (M_i), and a "shortcut" matrix M known only to the server, where i = 1, ..., n. In particular, given the public parameters pp and n, the server 110 runs the algorithm to generate n random binary matrices M_i of size a × b, where b is a positive integer, n private keys k_i, a public key K, and a shortcut matrix
Figure GDA0002378291980000111
Then (K, pp) is securely distributed to all nodes of the whole network, and (M_i and k_i) are securely distributed to each node x_i. The information may be transmitted to the remaining nodes individually or by the group method. In the group approach, a parent node (e.g., a non-leaf node) can identify a faulty child node if necessary, because the parent node knows the secret key of each child node. Those skilled in the art will appreciate that the root node may implement various types of delivery to its child nodes without departing from the disclosure. In one embodiment, the public parameters are preset in all nodes and do not need to be transmitted to the nodes.
One method of generating the private key and the public key is asymmetric key encryption in which there is a pair of keys used for authentication. Those skilled in the art will recognize that other methods of generating public and non-public keys may be implemented, with the exact method being performed by those skilled in the art, without departing from the present disclosure.
The random binary matrix M_i may be generated by assigning the bits of a long random binary vector of size ab to the matrix M_i, b bits at a time. Furthermore, the long binary vector of size ab may be generated by any suitable cryptographic primitive (e.g., a hash function) from a random root seed plus possible additional inputs. The first phase of generating the necessary keys and transmitting the necessary keys to the node 120 ends after step 505.
The second phase begins at step 510, where the server 110 generates a challenge value using the algorithm challenge (pp). The challenge c is a random number of binary length b. The challenge value is transmitted to all nodes. In particular, in the group authentication method, the challenge value is transmitted to the second level node, which in turn transmits the challenge value to each child node. The method is repeated recursively until the leaf node receives the challenge. In short, each parent node recursively forwards the challenge c to its child nodes until all leaf nodes receive the challenge.
In step 515, the server 110 receives an aggregate response from each of the second level nodes.
In step 520, the server 110 aggregates the responses from each of the second level nodes to obtain a final aggregated response. The server then checks whether the final aggregated response to the challenge for the public parameter pp and the shortcut key K is valid in the following way.
The responses from each of the parent nodes are aggregated by the algorithm Aggregate(pp, r_1, ..., r_n), where r_i refers to the response from node x_i. Upon receipt of the responses (r_1, ..., r_n), the server runs the algorithm to generate a final aggregated response r of binary length a as follows:
Figure GDA0002378291980000112
Equation (2) essentially combines the responses r_i received from the second-level nodes using the XOR operator.
The final aggregation response r is checked by the following algorithm Verify (pp, c, r, { M, K }). The server accepts r as a valid aggregate response from all nodes if and only if the following equation is satisfied:
Figure GDA0002378291980000121
where e represents the hamming weight of the binary string e. In particular, equation (3) includes verifying the response from the nodes using the shortcut matrix and the public key. More specifically, the public key K and the challenge c are input to the function f, and the product of the shortcut matrix M and the output of f is XORed with the aggregated response. If all nodes respond correctly, the final result will be a codeword of the product code of the simplex code that satisfies the above conditions.
If the final aggregated response is valid, process 500 proceeds from step 525 to step 530 and outputs an Authenticated Node (AN). If the final aggregated response is incorrect, process 500 proceeds to step 535 to identify the faulty node. More details of the process of identifying a faulty node will be described below in conjunction with fig. 8 and 9.
It is noted that the present method is completely different from a group authentication structure for aggregating Message Authentication Codes (MACs) in which a verifier recalculates MACs for each node and then aggregates the MACs for verification.
In one embodiment, the root node may directly authenticate each child node. In the present embodiment, the second stage including steps 510 to 530 is modified in the following manner. In step 510, the server 110 generates a challenge value using the algorithm Challenge(pp), and transmits the challenge value to the relevant node x_i to perform authentication. In step 515, server 110 receives the response r_i from the relevant node x_i. Since the root node only receives one response r_i, no aggregation is required in step 520. Thus, in step 520, the server 110 runs the algorithm Verify(pp, c, r_i, {M, K}) to verify whether the response r_i is valid. The server accepts r_i from node x_i as a valid response from the relevant node if and only if the following equation is satisfied:
Figure GDA0002378291980000122
where e represents the hamming weight of the binary string e. In particular, equation (3') includes verifying the response from the relevant node using the matrix associated with the relevant node x_i and the public key. More particularly, the public key K and the challenge c are input to the function f, and the product of the matrix M_i associated with the relevant node x_i and the output of f is XORed with the response r_i from the relevant node. If the relevant node responds correctly, the final result will be a codeword of the product code of the simplex code that satisfies the above conditions.
If the response is valid, process 500 proceeds from step 525 to step 530 and outputs an Authenticated Node (AN). If the response is incorrect, process 500 proceeds to step 535 to identify node x_i as a faulty node.
Fig. 6 illustrates a process 600 performed by the network interface 300 or by a processing system of one of the second through (y-1)-th level nodes, e.g., parent nodes 1 through 4, according to the present disclosure. Process 600 begins at step 605 by receiving (M_i, k_i, K, pp) from a root node or parent node. In response to receiving (M_i, k_i, K, pp) from server 110, the node stores pp and K and the associated k_i and M_i. For example, node 1 stores (M_1, k_1, K, pp), node 2 stores (M_2, k_2, K, pp), node 3 stores (M_3, k_3, K, pp), and node 4 stores (M_4, k_4, K, pp). In one embodiment, the public parameters are preset in all nodes, the nodes do not receive the public parameters, and the nodes should be able to retrieve the public parameters from their respective memories.
In step 610, each of the parent nodes transmits (M_i, k_i, K, pp) to each child node. For example, node 1 transmits (M_i, k_i, K, pp) to nodes 5 to 7, node 2 transmits (M_i, k_i, K, pp) to nodes 8 to 10, node 3 transmits (M_i, k_i, K, pp) to nodes 11 to 13, and node 4 transmits (M_i, k_i, K, pp) to nodes 14 to 17. The first phase 405 of the group authentication protocol ends after step 610. In this scenario, only the parent node knows the secrets of its child nodes. Thus, as described below, the parent node can identify a faulty child node if necessary. Alternatively, if the root node sends the information to all nodes individually, step 610 is not needed and the parent node is not able to identify a faulty child node. Those skilled in the art will appreciate that the root node may implement various types of delivery to its child nodes without departing from the disclosure. In one embodiment, the public parameters are preset in all nodes and are not transmitted to the child nodes.
In step 615 of process 600, a challenge is received from a root or parent node. In response to receiving the challenge from the server or parent node, the challenge value is transmitted to each child node in step 620 of process 600.
In step 625 of process 600, a response is generated with the algorithm Response(pp, c, {M_i, k_i, K}). In particular, each of the parent nodes runs the algorithm to generate a response r_i for the root node, which is the verifying entity V, where r_i is calculated by the following equation:
Figure GDA0002378291980000132
where the index q = g(k_i, c) and e_q is the q-th codeword of the product code of the simplex code. Equation (1) includes two steps, where the first step includes determining q to select the q-th codeword from the product code of the simplex code, and the second step includes XORing M_i f(K, c) with e_q to form the response r_i.
In step 630 of process 600, a response is received from the child node. In response to receiving the responses from the child nodes, the parent node aggregates the responses according to equation (2) in step 635. In particular, the responses are XORed together. For example, node 1 aggregates the responses into
Figure GDA0002378291980000133
Node 2 aggregates the responses into
Figure GDA0002378291980000134
Node 3 aggregates the responses into
Figure GDA0002378291980000135
Node 4 aggregates the responses into
Figure GDA0002378291980000136
In step 640, the aggregate response is transmitted to the server or parent node. Process 600 ends after step 640.
Fig. 7 shows a process 700 performed by the network interface 300 or by a processing system of one of the leaf nodes 5 to 17 according to the present disclosure. Process 700 begins at step 705 by receiving (M_i, k_i, K) from a parent node. In response to receiving (M_i, k_i, K) from the parent node, the child node stores the associated M_i, k_i and K.
In step 715 of process 700, a challenge is received from the parent node. In response to receiving the challenge from the parent node, a response is generated in process 700 with the algorithm Response(pp, c, {M_i, k_i, K}). In particular, each of the leaf nodes 5 to 17 runs the algorithm to generate a response r_i for the parent node, where the value r_i is calculated by equation (1).
In step 740, the child nodes transmit their responses to the respective parent nodes. Process 700 ends after step 740. The process 700 is typically performed by a leaf node, as the leaf node will not receive any responses. Thus, unlike process 600, process 700 does not require responses to be received and aggregated. However, when the root node initiates a faulty node identification, the current level node (which may be a non-leaf node) may be required to perform steps 715-740. More details of this will be described below. It is also noted that in the embodiment where the root node wishes to directly check a particular node, whether that node is a leaf node or a non-leaf node, the particular node needs to perform steps 715-740.
Proof of the present scheme
The correctness of the proposed scheme follows by simple substitution and by checking the characteristics of the product code of the simplex code. In terms of security, first, it is easy to see that the rate of missed detection is zero. Second, for a sufficiently large b, it can be shown that the false positive rate P_FA (meaning that an adversary may attempt to obtain authentication by sending a trial response to the verifying entity) is bounded by:
Figure GDA0002378291980000131
In practice, it is sufficient to ensure that the above inequality holds.
Finally, the protocol is resistant to both passive and active attacks. That is, it can be proven that breaking the above protocol, whether by a passive or an active attack, is at least as hard as solving the LPN problem. More specifically, assuming the hardness of the LPN problem, a passive attacker who can eavesdrop on the communication will not be able to learn the secret key, while an active attacker will not be able to forge the response to a given random challenge c, even if he/she has been given oracle access to the group authentication protocol a polynomial number of times.
In the second phase, the indexes of all nodes whose responses have been aggregated and the partial aggregation value are transmitted to the upper node. In this way the receiver and eventually the verifying entity V will know explicitly which node's responses have been aggregated and which node's responses have not. While it is still desirable for the verifying node to be able to quickly determine which nodes in the network are functioning well through one instance of group authentication, the above approach would be helpful if there were often nodes that failed to successfully send their responses to their parents. More specifically, at this point, each parent node still aggregates the responses from its child nodes in the same manner specified in the second phase, and then forwards the aggregated response along with its index to the next level parent node. Thus, once the verifying entity V has obtained a final aggregate response r 'from the set of nodes, which represents all responding nodes, V can still confirm the correctness of r' by verifying whether the following equation holds, even if no response is received from some of the nodes:
Figure GDA0002378291980000141
wherein
Figure GDA0002378291980000142
If equation (5) holds, all nodes in N' (i.e., all nodes that responded) are authenticated. This is because property 2 of the product code of the simplex code states that the XOR of two codewords of the product code of the simplex code is also a valid codeword that satisfies property 1. Thus, not all nodes are required to send their responses in the second phase. In short, the root node cannot directly check the response using the shortcut matrix. Instead, the root node must XOR the matrices associated with the indices of the nodes that provided responses to form a new shortcut matrix with which to verify the response. In the above-mentioned embodiment, the single-form
Figure GDA0002378291980000144
code may replace the product code of a simplex code, in which case checking equation (3) is replaced by the following equation:
Figure GDA0002378291980000143
the variables specified in the proof of measure are adapted to the use of individual forms
Figure GDA0002378291980000145
Scheme of codes. In that case, a similar change can be made to equation (5); for example, M' and r' are substituted for M and r, respectively, in equation (6).
When a product code of a simplex code is used, the above symmetric group authentication also implies a (private) symmetric authentication between a node x_i and a verifying entity V (although V could actually be any normal node). That is, for this variant, the algorithms Setup, KeyGen, Challenge and Response remain the same as above and the algorithm Aggregate is removed. The verification algorithm for checking the response r_i of x_i to the challenge c runs as follows:
Verify(pp, c, r_i, {M_i, k_i, K}): the verifying entity V accepts r_i as the correct response from node x_i to the challenge c if and only if the following equation is satisfied:
Figure GDA0002378291980000146
where the index q = g(k_i, c) and e_q is the q-th codeword of the product code of the simplex code. That is, V checks the correctness of r_i simply by performing the same computation that node x_i performed when generating r_i.
Alternatively, the following simpler equation may be substituted for checking equation (7):
Figure GDA0002378291980000147
Note that equation (8) is just the version of equation (3) for a single node x_i. However, the security level of the verification algorithm given by equation (8) is lower than that given by equation (7): although equation (8) guarantees that the Hamming weight of this vector is h, it does not use the secret k_i to test whether the XOR of M_i f(K, c) and r_i is the codeword e_q of the product code of the simplex code with index q = g(k_i, c).
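The single-node checks of equations (7) and (8), together with the partial aggregation over responding nodes described around equation (5), as an added example that is not part of the patent text. It assumes, from the surrounding prose, that a response has the form r_i = M_i f(K, c) XOR e_q with q = g(k_i, c); SHA-256 stands in for f and g, and a plain simplex code stands in for the product code of the simplex code (all of these are assumptions, as are the function names).

```python
import hashlib
import secrets

# Toy stand-in for the page's code: a plain simplex code of dimension P.
# a = 1023 lies in the page's suggested range, but h/a is about 0.5 here,
# not the 0.25-0.27 of the page's product code (assumption, for illustration).
P = 10
A = 2**P - 1          # codeword length a
H = 2**(P - 1)        # weight h of every non-zero simplex codeword
B = 256               # challenge length b in bits (value recommended on the page)


def weight(x):
    return bin(x).count("1")


def codeword(q):
    """e_q as an A-bit integer: bit j-1 is the parity of q AND j (j = 1..A)."""
    return sum((weight(q & j) & 1) << (j - 1) for j in range(1, A + 1))


def f(K, c):
    """Hypothetical instantiation of f: (K, c) -> b-bit vector via SHA-256."""
    return int.from_bytes(hashlib.sha256(b"f" + K + c).digest(), "big")


def g(k_i, c):
    """Hypothetical instantiation of g: (k_i, c) -> non-zero codeword index q."""
    return int.from_bytes(hashlib.sha256(b"g" + k_i + c).digest(), "big") % A + 1


def mat_vec(M, v):
    """GF(2) product of an a x b matrix (list of a row integers) and a b-bit vector."""
    return sum((weight(row & v) & 1) << j for j, row in enumerate(M))


def keygen(n):
    """Root side: group key K plus a secret (M_i, k_i) for nodes 1..n."""
    K = secrets.token_bytes(16)
    nodes = {i: ([secrets.randbits(B) for _ in range(A)], secrets.token_bytes(16))
             for i in range(1, n + 1)}
    return K, nodes


def respond(M_i, K, c, q):
    """r_i = M_i f(K, c) XOR e_q; an honest node uses q = g(k_i, c)."""
    return mat_vec(M_i, f(K, c)) ^ codeword(q)


def shortcut(nodes, indices):
    """Shortcut matrix for a set of nodes: row-wise XOR of their M_i."""
    M = [0] * A
    for i in indices:
        M = [x ^ y for x, y in zip(M, nodes[i][0])]
    return M


def verify_group(nodes, K, c, r, indices):
    """Group check over the reported indices: weight of M' f(K, c) XOR r' equals h."""
    return weight(mat_vec(shortcut(nodes, indices), f(K, c)) ^ r) == H


def verify_strict(M_i, k_i, K, c, r_i):
    """Single-node check that recomputes e_q from the secret k_i (equation (7) style)."""
    return mat_vec(M_i, f(K, c)) ^ r_i == codeword(g(k_i, c))


def verify_weight_only(M_i, K, c, r_i):
    """Single-node check on the Hamming weight alone (equation (8) style)."""
    return weight(mat_vec(M_i, f(K, c)) ^ r_i) == H


def demo():
    K, nodes = keygen(5)
    c = secrets.token_bytes(B // 8)
    responders = [1, 2, 4]                      # nodes 3 and 5 never answer
    r, q_xor = 0, 0
    for i in responders:                        # parents aggregate with plain XOR
        M_i, k_i = nodes[i]
        r ^= respond(M_i, K, c, g(k_i, c))
        q_xor ^= g(k_i, c)
    M_1, k_1 = nodes[1]
    q = g(k_1, c)
    other_q = q ^ 1 if q != 1 else 2            # a valid index that is not g(k_1, c)
    wrong = respond(M_1, K, c, other_q)         # response that does not depend on k_1
    return {
        # The simplex stand-in contains the zero word, so the group check can
        # only succeed when the responders' indices do not cancel out.
        "indices_cancel": q_xor == 0,
        "subset_accepted": verify_group(nodes, K, c, r, responders),
        "bitflip_accepted": verify_group(nodes, K, c, r ^ 1, responders),
        "wrong_q_weight_only": verify_weight_only(M_1, K, c, wrong),
        "wrong_q_strict": verify_strict(M_1, k_1, K, c, wrong),
        "honest_strict": verify_strict(M_1, k_1, K, c, respond(M_1, K, c, q)),
    }


if __name__ == "__main__":
    print(demo())
```

The response built from an index other than g(k_1, c) passes the weight-only check and fails the strict one, which is the gap in security level the text attributes to equation (8).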
When using the separate-form
Figure GDA0002378291980000148
code, a (private) symmetric authentication scheme similar to the one given above may be obtained. That is, when the individual-form
Figure GDA0002378291980000149
code is selected, the algorithms Setup, KeyGen, Challenge and Response remain the same and the algorithm Aggregate is removed. The verification algorithm for checking the response r_i of x_i to the challenge c runs as follows:
Verify(pp, c, r_i, {M_i, k_i, K}): the verifying entity V accepts r_i as the correct response from node x_i to the challenge c if and only if the following equation is satisfied:
Figure GDA0002378291980000152
where the index q = g(k_i, c) and e_q is the q-th codeword of the separate-form
Figure GDA0002378291980000153
code. That is, V checks the correctness of r_i simply by performing the same computation that node x_i performed when generating r_i.
Alternatively, checking equation (9) may be replaced by the following simpler equation:
Figure GDA0002378291980000154
Again, note that equation (10) is just the version of equation (6) for a single node x_i. Similarly, the security level of the verification algorithm of equation (10) is lower than that of the verification algorithm of equation (9): despite the guarantee that the Hamming weight of this vector is greater than 2h, equation (10) does not use the secret k_i to test whether the XOR of M_i f(K, c) and r_i is the codeword e_q, with index q = g(k_i, c), of the individual-form
Figure GDA0002378291980000155
code.
Selection of parameters
In order to achieve 128-bit security, it is proposed that a take a value between approximately 600 and 1200. Let η = h/a. The ideal value of η is 0.25 because it keeps the LPN problem hard. Once the value of a is given, the Hamming weight of the product code of the simplex code is determined. In fact, according to equation (4), the following inequality should then be satisfied:
Figure GDA0002378291980000151
As for b, as described above, the recommended value is b = 256. This ensures that the false positive rate formula (e.g., equation (4) or equation (11)) is correct and that the protocol implements zero knowledge proof.
The suggested length of the secret k_i and of the public key K is 128 bits or more. For a system with lower security, the value may be 80 bits.
In one example, a user may use a code of length a = 1200 whose Hamming weight h is as close as possible to the ideal value of 300. Therefore, a product code of a simplex code with ρ = 4 and t = 80 can be selected, which means that the binary length of the final codeword is a = (2^4 - 1) × 80 = 1200 and the Hamming weight is h = 80 × 4 = 320. In this case, η is 0.26. Taking into account the lengths of b, k_i and K yields the parameters in Table 1 below.
Parameter      Recommended value
ρ              4
t              80
a              1200
b              256
h              320
|k_i|, |K|     128
TABLE 1
Table 2 below provides a set of possible parameter combinations for the protocol, showing the trade-off between security and computation. Note that P_FA denotes the false positive rate. For the
Figure GDA0002378291980000162
code, P_FA is only estimated, and such values are marked with asterisks in the table.
Figure GDA0002378291980000161
TABLE 2
Complexity of the design
The total amount of computation required for network authentication depends on the exact topology at hand, but can be estimated from the following per-node costs.
The work factor of the node is essentially equal to the work factor of the checking entity V, since the proposed protocol is based on symmetric encryption. The cost includes:
1. Evaluation of the hash functions f and g. Assuming similar implementations, the costs of f and g can be considered equal;
2. Generation of e_q; and
3. A matrix-by-vector multiplication.
Instantiation of f and g.
Essentially, the functions f and g are used to break the linearity of the matrix-by-vector multiplication, and thus the functions f and g can be implemented as a Lehmer random number generator. Such generators are easy to implement in a few assembly instructions, especially when the modulus used is a multiplication-friendly modulus such as N = 2^31 - 1 = 2,147,483,647. Other options include selecting a secret N and using Montgomery multiplication, with the Montgomery parasitic factor merged into the result for speed.
In total, the generator needs to produce enough entropy to key e_q (160 bits) plus enough entropy to form f(K, c), that is, 160 + b bits. This requires approximately (160 + b)/32 generator rounds (with 32 pseudo-random output bits per round). If an IoT node has an 8-bit microcontroller (e.g., 68HC05), there will be 4 × (160 + b)/32 = (160 + b)/8 byte multiplications. Modular reduction and bookkeeping double this amount. Assuming that each multiplication takes 5 cycles, the workload of evaluating the functions f and g is w_1 = 2 × 5 × (160 + b)/8 = 5(160 + b)/4 clock cycles.
Generation of e_q.
In practice, generating e_q involves XORing approximately 80 codewords selected from 160 codewords, each of length a. XORing each vector requires a/8 byte-wise XOR operations (EOR instruction), typically 4 cycles each. The operands to be XORed must be read and the result of the XOR must be stored. Bounding these bookkeeping operations by 20 additional cycles, the operation requires approximately w_2 = 80 × a/8 × (20 + 4) = 240a clock cycles.
Matrix-by-vector multiplication.
What remains is the final matrix-by-vector product. Here, the a-bit by b-bit matrix must be multiplied by the b-bit vector. As explained, the XOR of an x-bit vector with an x-bit vector takes x/8 × 24 = 3x cycles. Therefore, the total cost of this step is w_3 = 3ab clock cycles.
Total cost. Adding 1000 additional cycles for general algorithmic bookkeeping gives the following total cost per node:
w = 1000 + w_1 + w_2 + w_3 = 1000 + 5(160 + b)/4 + 240a + 3ab = 1200 + 240a + 5b/4 + 3ab (clock cycles).
Assuming a typical clock frequency of 10 MHz, the overall computation times for the six parameter sets of Table 2 are given in Table 3 below. Since b = 256 in all parameter sets, the formula above reduces to w = 1520 + 1008a clock cycles.
Set   a      b     Cycles      Time (ms)
A     1209   256   1,220,192   122
B     1197   256   1,208,096   121
C     1200   256   1,211,120   121
D     600    256   606,320     61
E     1209   256   1,220,192   122
F     1197   256   1,208,096   121
TABLE 3
Generating private keys from random seeds
The protocol can be adapted to tighter operational constraints: in an IoT environment, for example, communication is a very expensive operation for a node. It is also an object of the invention to describe variants that reduce the amount of information sent, the size of the memory and/or the number of computations performed by individual nodes while maintaining security.
Memory is a scarce resource for many portable IoT devices. Thus, in some scenarios, storing the ab-bit secret matrix M_i is a challenge for each node x_i. To save memory, M_i can be generated from a random seed s_i by evaluating a cryptographically strong pseudo-random function F on s_i and other information. For example, let (M_i)_j = F(s_i, i, j), where (M_i)_j denotes the j-th row of matrix M_i, and node x_i and the verifying entity V both know the random seed s_i. In practice, F may be a cryptographic hash function.
Note that a drawback of this variant is that, each time a node is authenticated, its secret matrix M_i must be recovered from the random seed s_i by evaluating the function F a times.
Alternatively, the columns of M_i may be defined in a similar manner. In addition, to save storage at the verifying node V, V may derive the random seeds s_i of all nodes from a common seed s, although the master secret seed s should be known only to V.
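Seed-derived matrices as described above, as an added example that is not the patent's own code: each row (M_i)_j = F(s_i, i, j) is regenerated on the fly during the matrix-by-vector product, so a node keeps a 16-byte seed instead of ab bits. HMAC-SHA256 as F, the 16-byte seed length and the way s_i is derived from the master seed s are assumptions; a = 1200 and b = 256 are the Table 1 values.

```python
import hashlib
import hmac

A, B = 1200, 256     # matrix dimensions a x b from Table 1
SEED_LEN = 16        # assumed seed length in bytes (128 bits)


def F(seed, i, j):
    """Row j of M_i as a b-bit integer: HMAC-SHA256(seed, i || j) (assumed PRF)."""
    msg = i.to_bytes(4, "big") + j.to_bytes(4, "big")
    return int.from_bytes(hmac.new(seed, msg, hashlib.sha256).digest(), "big")


def node_seed(master, i):
    """Verifier side: derive s_i from the master seed s, which only V holds."""
    tag = hmac.new(master, b"node-seed" + i.to_bytes(4, "big"), hashlib.sha256)
    return tag.digest()[:SEED_LEN]


def parity(x):
    return bin(x).count("1") & 1


def stored_matrix(seed, i):
    """The full matrix M_i, as a node without the seed variant would store it."""
    return [F(seed, i, j) for j in range(A)]


def mat_vec_stored(M, v):
    """GF(2) product using a matrix held in memory (a*b bits)."""
    return sum(parity(row & v) << j for j, row in enumerate(M))


def mat_vec_from_seed(seed, i, v):
    """M_i v over GF(2), regenerating one row at a time: a evaluations of F
    per authentication, but only one b-bit row in memory at any moment."""
    out = 0
    for j in range(A):
        out |= parity(F(seed, i, j) & v) << j
    return out


def shortcut_product(master, indices, v):
    """Verifier side: M' v for the listed responders, where M' is the XOR of
    their M_i, computed from the master seed alone."""
    out = 0
    for i in indices:
        out ^= mat_vec_from_seed(node_seed(master, i), i, v)
    return out


def storage_bytes():
    """Per-node secret size in bytes: (stored matrix, seed only)."""
    return A * B // 8, SEED_LEN


if __name__ == "__main__":
    master = bytes(range(32))                    # constructed master seed
    v = int.from_bytes(bytes(range(32, 64)), "big")   # constructed b-bit vector
    s3 = node_seed(master, 3)
    print(mat_vec_from_seed(s3, 3, v) == mat_vec_stored(stored_matrix(s3, 3), v))
    print(storage_bytes())
```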
Procedure for authentication failure
The identification of a faulty node in step 535 of process 500 is now discussed. Different reasons may lead to failure of the symmetric group authentication described above, and this may happen accidentally or maliciously at any step. As a result of the aggregation of information, a single defective node is sufficient to cause authentication failure. At this point, V may make a different choice, i.e., abandon, re-run the entire process with all nodes, identify a subset of nodes that failed authentication, or perform conventional authentication with each node individually. Fig. 8 shows a procedure of authentication failure.
Fig. 8 illustrates a process 800 performed by the server 100 to identify a faulty node according to the present disclosure. Process 800 begins at step 805 with the selection of an option for identifying the faulty node. There are three options that may be selected: option 1) repeating from step 510 of process 500, option 2) the top-down method, and option 3) authenticating each node individually. Those skilled in the art will appreciate that other methods of identifying a faulty node may be performed without departing from the present disclosure. Selection of the option may be triggered by the user. Alternatively, the selection is predetermined. For example, in a first embodiment, process 800 may proceed with option 1, followed by option 2 should option 1 fail. In a second embodiment, process 800 may proceed directly with option 2 only. In a third embodiment, process 800 may proceed with option 1, followed by option 3 should option 1 fail. Those skilled in the art will appreciate that other arrangements may be implemented and that the exact choice of options may be made by those skilled in the art without departing from the present disclosure.
If option 1 is selected, process 800 continues at step 810. In step 810, the group authentication process is run again with all nodes. This means that process 800 repeats from step 510 of process 500. In conjunction with the first embodiment described above, if the final aggregate response is still incorrect, process 800 continues to step 820.
If option 2 is selected, process 800 continues at step 815. In step 815, the server authenticates the subset of nodes under each parent node individually, level by level. More details are described below in connection with fig. 9.
If option 3 is selected, process 800 continues at step 820. In step 820, the server authenticates each node individually throughout the network. In particular, once a correct response r_i to the challenge c is obtained, node x_i is added to the AN. If an incorrect response r_i to the challenge c is obtained, node x_i is added to the fault list. This process continues until all nodes have been processed.
FIG. 9 shows a process 900 performed by a server to identify a faulty node by a top-down method. It should be noted that this approach assumes that the server knows, or is informed by each second level node of, the indices of all nodes in each subset. Furthermore, for a subset of nodes that fails authentication, each second level node may, if necessary, similarly find out which of its child nodes (leaf nodes or third level parent nodes) is responsible for the failure, although in this case it is assumed that the second level parent node knows the private keys of its child nodes. Still further, the present flow may be executed progressively for lower-level parent nodes to identify, one by one, exactly which individual nodes failed authentication.
Process 900 begins at step 905 by examining the responses from the current nodes, i.e., the second level nodes, individually. This means that the responses from the second level nodes received in step 515 are checked separately. In other words, in this process, the responses from the second level nodes are not aggregated to obtain the final aggregated response. Instead, the root node checks whether the response from each of the nodes in the second level is correct with respect to the public parameter pp and the shortcut key. If the response is valid, process 900 appends the index of the authenticated node to the authenticated nodes in step 910. If the response received from a second level node is invalid, process 900 updates the fault list, which includes the indices of possible faulty nodes, in step 910.
In step 915 of process 900, steps 510 through 525 are performed for the nodes of the current level identified in the fault list and their next-level nodes. In other words, the second level nodes identified in the fault list and the third level nodes are authenticated to identify the faulty node. Step 510 must be modified such that, for a node of the current level, the challenge indicates that the node is to perform steps 715 through 740 of process 700. This is because the nodes of the current level are not required to receive responses from their child nodes. Similar to step 905, process 900 verifies the responses from the nodes of the current level and the next level individually. In other words, in this process, the responses from the nodes in the current level and the next level are not aggregated to obtain the final aggregated response. Instead, the root node checks whether the response from each of the nodes in the second and third levels is correct with respect to the public parameter pp and the shortcut key.
If the response received from each of the nodes of the current level and the next level is valid, in step 920, the index of the authenticated node is appended to the authenticated node in process 900. If the responses from the nodes of the second and third levels are valid, in process 900, a fault list including indices of possible faulty nodes is updated. Alternatively, the failure list is updated by removing the index of the authenticated node attached to the AN.
In step 930 of process 900, it is determined whether the nodes of the next level are the nodes of the last level, e.g., leaf nodes. If the next level nodes are leaf nodes, process 900 continues to step 940 and outputs the authenticated nodes. If the next level nodes are not leaf nodes, process 900 continues at step 935, where the next level nodes are selected as the current nodes, and the process repeats from step 915.
Process 900 ends after step 940.
The above is a description of embodiments of methods and systems for group authentication protocols that provide a more efficient method of authenticating a large number of authentication devices in a spanning tree network. It is anticipated that one skilled in the art will be able to and will design alternative methods and systems based on this disclosure that will infringe upon the present invention as set forth in the following claims.

Claims (22)

1. A symmetric group authentication system which is a symmetric group authentication system of a spanning tree network composed of n +1 nodes in y layers, characterized in that a first level is composed of root nodes, the system comprising:
a root node of a first level of the spanning tree network, the root node to:
determining a product code S = {e_i} of a simplex code having codewords of size a and Hamming weight h, wherein a and h are two positive integers;
determining a first one-way function f and a second one-way function g;
generating n random binary matrices M_i of a rows and b columns, n keys k_i, a public key K, and a shortcut matrix M, where a and b are positive integers, i denotes a node index 1 to n, and
Figure FDA0003666727370000013
k_i is a shared key between node i and the root node, and K is a shared key between the n nodes and the root node;
transmitting K, S = {e_i}, and the first and second one-way functions to all n nodes, and transmitting (M_i, k_i) to each node x_i;
Generating a challenge value c, wherein c is a random number with a binary length of b; and
transmitting the challenge value to a second level node; wherein
Any node in the second level nodes is to:
generating a codeword e_q of the product code of the simplex code in response to receiving the challenge c, wherein q = g(k_i, c) and e_q is the q-th codeword of the product code of the simplex code;
by the following expression
Figure FDA0003666727370000011
generating a response r_i; and
transmitting the response to the root node;
the root node is further configured to:
receiving the responses r_i from the second level nodes;
aggregating the responses r_i from the second level nodes to obtain an aggregate response r;
by the following expression
Figure FDA0003666727370000012
checking the aggregate response r; and
determining that the aggregate response is acceptable if and only if the Hamming weight of r' is equal to h.
2. The symmetric group authentication system of claim 1, wherein the step of aggregating the responses r_i from the second level nodes to obtain the aggregate response r comprises:
combining the responses r_i with a pure XOR operation.
3. A symmetric group authentication system according to claim 1 or 2, wherein each of the second through y-1 level nodes is configured to:
receiving a response from the subordinate node;
aggregating the generated response with a response from the subordinate node; and
the aggregated response is transmitted to each superordinate node.
4. A symmetric group authentication system according to claim 1 or 2, characterized in that the binary length of a is 1200, h is 320, the binary length of b is 256, and k_i and K each have a binary length of 128.
5. The symmetric group authentication system according to claim 1 or 2, wherein the root node is further configured to:
performing faulty node identification if the aggregate response is not acceptable.
6. The symmetric group authentication system according to claim 5, wherein the step of performing faulty node identification comprises:
repeating the steps:
generating a challenge value c;
transmitting the challenge value to a second level node;
receiving the responses r_i from the second level nodes;
aggregating the responses r_i from the second level nodes;
checking the aggregate response r; and
determining that the aggregate response is acceptable if and only if the Hamming weight of r' is equal to h.
7. The symmetric group authentication system of claim 6, wherein the root node is further configured to:
verifying each of the responses received from the second level node, the second level node being a current level node; and
the authenticated list is appended to contain the indices of authenticated nodes with valid responses, and the failure list is appended to contain the indices of authenticated nodes with invalid responses.
8. A symmetric group authentication system according to claim 1 or 2, characterized in that the individual-form
Figure FDA0003666727370000023
code replaces the product code of the simplex code, and the aggregate response r' is determined to be acceptable if and only if the Hamming weight of r' is equal to or less than 2h.
9. A symmetric group authentication method is characterized in that the method is used for authenticating n nodes of a spanning tree network which is composed of y levels and has n +1 nodes, and the first level is composed of root nodes; the method comprises the following steps:
generating a challenge value c, wherein c is a random number with a binary length of b;
transmitting the challenge value to a second level node;
receiving the responses r_i from the second level nodes;
aggregating the responses r_i from the second level nodes to obtain an aggregate response r;
by the following expression
Figure FDA0003666727370000021
checking the aggregate response r, where f is a one-way function, M is a shortcut matrix, and
Figure FDA0003666727370000022
M_i is a binary matrix with a rows and b columns, wherein i refers to node indexes 1 to n; and
determining that the aggregate response is acceptable if and only if the Hamming weight of r' is equal to h, where h is a positive integer.
10. The symmetric group authentication method according to claim 9, further comprising:
determining a product code S = {e_i} of a simplex code having codewords of size a and Hamming weight h, wherein a is a positive integer;
determining a second one-way function g and a first one-way function f;
generating n random binary matrices M_i of a rows and b columns, n keys k_i, a public key K, and a shortcut matrix M, where b is a positive integer, k_i is a shared key between node i and the root node, and K is a shared key between the n nodes and the root node; and
transmitting K, S = {e_i}, and the first and second one-way functions to all n nodes, and transmitting (M_i, k_i) to each node x_i.
11. The symmetric group authentication method according to claim 9 or 10, further comprising:
performing faulty node identification if the aggregate response is not acceptable.
12. The symmetric group authentication method according to claim 11, wherein the step of performing faulty node identification comprises: the root node performs the following operations:
repeating the steps:
generating a challenge value c;
transmitting the challenge value to a second level node;
receiving the responses r_i from the second level nodes;
aggregating the responses r_i from the second level nodes;
checking the aggregate response r; and
determining that the aggregate response is acceptable if and only if the Hamming weight of r' is equal to h.
13. The symmetric group authentication method according to claim 12, wherein the step of performing faulty node identification comprises: the root node performs the following operations:
examining each of the responses received from the second level node, the second level node being a current level node; and
the authenticated list is appended to contain the indices of authenticated nodes with valid responses, and the failure list is appended to contain the indices of authenticated nodes with invalid responses.
14. A symmetric group authentication system which is a symmetric group authentication system of a spanning tree network composed of n +1 nodes in y layers, characterized in that a first level is composed of root nodes, the system comprising:
a root node of a first level of a spanning tree network, the root node having a processor, a non-transitory memory, and instructions stored in the non-transitory memory that are executable by the processor to:
generating a challenge value c, wherein c is a random number with a binary length of b; and
transmitting the challenge value to a second level node;
receiving the responses r_i from the second level nodes;
aggregating the responses r_i from the second level nodes to obtain an aggregate response r;
by the following expression
Figure FDA0003666727370000031
checking the aggregate response r; and
determining that the aggregate response is acceptable if and only if the Hamming weight of r' is equal to h.
15. The symmetric group authentication system of claim 14, wherein the root node further comprises instructions to:
determining a product code S = {e_i} of a simplex code having codewords of size a and Hamming weight h, wherein a is a positive integer;
determining a second one-way function g and a first one-way function f;
generating n random binary matrices M_i of a rows and b columns, n keys k_i, a public key K, and a shortcut matrix M, where b is a positive integer, k_i is a shared key between node i and the root node, and K is a shared key between the n nodes and the root node; and
transmitting K, S = {e_i}, and the first and second one-way functions to all n nodes, and transmitting (M_i, k_i) to each node x_i.
16. The symmetric group authentication system according to claim 14 or 15, wherein the root node further comprises instructions for:
performing faulty node identification if the aggregate response is not acceptable.
17. The symmetric group authentication system of claim 16, wherein the instructions for performing faulty node identification comprise instructions for:
repeating the steps:
generating a challenge value c;
transmitting the challenge value to a second level node;
receiving the responses r_i from the second level nodes;
aggregating the responses r_i from the second level nodes;
checking the aggregate response r; and
determining that the aggregate response is acceptable if and only if the Hamming weight of r' is equal to h.
18. The symmetric group authentication system of claim 17, wherein the instructions for performing faulty node identification further comprise instructions for: verifying each of the responses received from the second level node, the second level node being a current level node; and
the authenticated list is appended to contain the indices of authenticated nodes with valid responses, and the failure list is appended to contain the indices of authenticated nodes with invalid responses.
19. A symmetric group authentication method is a symmetric group authentication method of a spanning tree network composed of n +1 nodes and y layers, and is characterized in that a first level is composed of root nodes, and the method aiming at one node of a second level comprises the following steps:
receiving M_i, k_i, K, S = {e_i}, and a first one-way function f and a second one-way function g from a root node, where S = {e_i} is a product code of a simplex code having codewords of size a and Hamming weight h, a and h being two positive integers, M_i is a binary matrix of a rows and b columns, a and b being positive integers and i referring to the node indices 1 to n, k_i is a shared key between node i and the root node, and K is a shared key between the n nodes and the root node;
receiving a challenge c from the root node;
generating a codeword e_q of the product code of the simplex code in response to the received challenge c, wherein q = g(k_i, c), e_q is the q-th codeword of the product code of the simplex code, and c is a random number of binary length b;
by the following expression
Figure FDA0003666727370000041
generating a response r_i; and
transmitting the response to the root node.
20. The symmetric group authentication method of claim 19, further comprising:
receiving a response from the subordinate node;
aggregating the generated response with a response from the subordinate node; and
the aggregated response is transmitted to each superordinate node.
21. A symmetric group authentication system which is a symmetric group authentication system of a spanning tree network composed of n +1 nodes in y layers, characterized in that a first level is composed of root nodes, the system comprising:
a node of a second level of the spanning tree network, the node having a processor, a non-transitory memory, and instructions stored in the non-transitory memory, the instructions being executable by the processor to:
receiving M_i, k_i, K, S = {e_i}, and a first one-way function f and a second one-way function g from a root node, where S = {e_i} is a product code of a simplex code having codewords of size a and Hamming weight h, a and h being two positive integers, M_i is a binary matrix of a rows and b columns, a and b being positive integers and i referring to the node indices 1 to n, k_i is a shared key between node i and the root node, and K is a shared key between the n nodes and the root node;
receiving a challenge c from the root node;
generating a codeword e_q of the product code of the simplex code in response to the received challenge c, wherein q = g(k_i, c), e_q is the q-th codeword of the product code of the simplex code, and c is a random number of binary length b;
by the following expression
Figure FDA0003666727370000051
generating a response r_i; and
transmitting the response to the root node.
22. The symmetric group authentication system of claim 21, wherein the instructions in the one node further comprise instructions to:
receiving a response from the subordinate node;
aggregating the generated response with a response from the subordinate node; and
the aggregated response is transmitted to each superordinate node.
CN201880028158.6A 2017-04-28 2018-04-26 Symmetric group authentication method and system Active CN110945832B (en)

Applications Claiming Priority (3)

Application Number Priority Date Filing Date Title
SG10201703532PA SG10201703532PA (en) 2017-04-28 2017-04-28 Method and System for Symmetric Swarm Authentication
SG10201703532P 2017-04-28
PCT/SG2018/050201 WO2018199847A1 (en) 2017-04-28 2018-04-26 Method and system for symmetric swarm authentication

Publications (2)

Publication Number Publication Date
CN110945832A CN110945832A (en) 2020-03-31
CN110945832B true CN110945832B (en) 2022-09-09

Family

ID=62223182

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201880028158.6A Active CN110945832B (en) 2017-04-28 2018-04-26 Symmetric group authentication method and system

Country Status (3)

Country Link
CN (1) CN110945832B (en)
SG (1) SG10201703532PA (en)
WO (1) WO2018199847A1 (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114007222B (en) * 2021-10-20 2024-03-15 北京龙智数科科技服务有限公司 Illegal data authentication method, illegal data authentication device, computer equipment and storage medium

Citations (5)

Publication number Priority date Publication date Assignee Title
CN101119364A (en) * 2007-09-13 2008-02-06 上海大学 Authenticating Ad Hoc group cipher key negotiation protocol
CN103166919A (en) * 2011-12-13 2013-06-19 中国移动通信集团黑龙江有限公司 Method and system for internet of things information transmission
CN103560879A (en) * 2013-10-09 2014-02-05 中国科学院信息工程研究所 Method for achieving lightweight authentication and key agreement
CN104393999A (en) * 2014-12-10 2015-03-04 暨南大学 Slave device authentication method and system for master device
EP3073668A1 (en) * 2015-03-25 2016-09-28 Juniper Networks, Inc. Apparatus and method for authenticating network devices

Family Cites Families (3)

Publication number Priority date Publication date Assignee Title
FR2700430B1 (en) * 1992-12-30 1995-02-10 Jacques Stern Method of authenticating at least one identification device by a verification device and device for its implementation.
US9215072B1 (en) * 2012-10-23 2015-12-15 Authernative, Inc. Back-end matching method supporting front-end knowledge-based probabilistic authentication systems for enhanced credential security
US9911007B2 (en) * 2015-02-27 2018-03-06 Guardtime IP Holdings, Ltd. Redundant fail-safe synchronization in a data authentication infrastructure

Non-Patent Citations (2)

Title
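A novel secure message delivery and authentication method for vehicular ad hoc networks; H. Liu et al.; 2016 First IEEE International Conference on Computer Communication and the Internet (ICCCI); 20161015; full text *
Research on identity-based signcryption schemes; Qi Zhenghua; China Doctoral Dissertations Full-text Database, Information Science and Technology; 20120715; full text *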

Also Published As

Publication number Publication date
WO2018199847A1 (en) 2018-11-01
SG10201703532PA (en) 2018-11-29
CN110945832A (en) 2020-03-31

Similar Documents

Publication Publication Date Title
CN112446785B (en) Cross-chain transaction method, system, device, equipment and storage medium
CN109716375B (en) Block chain account processing method, device and storage medium
US9715590B2 (en) System and device for verifying the integrity of a system from its subcomponents
CN110089075B (en) Pseudo-random generation of matrices for computing fuzzy extractors and method for verification
US9407631B1 (en) Multi-server passcode verification for one-time authentication tokens with auxiliary channel compatibility
Eldefrawy et al. Mobile one‐time passwords: two‐factor authentication using mobile phones
US9454654B1 (en) Multi-server one-time passcode verification on respective high order and low order passcode portions
ES2894726T3 (en) Consensus Protocol for Authorized Ledgers
CN101997681A (en) Authentication method and system for multi-node path and relevant node equipment
CN110719172B (en) Signature method, signature system and related equipment in block chain system
EP3563514B1 (en) Robust computational fuzzy extractor and method for authentication
CN108337092A (en) Method and system for executing collective&#39;s certification in a communication network
Fakroon et al. Multifactor authentication scheme using physically unclonable functions
US11323256B2 (en) Method for generating on-board a cryptographic key using a physically unclonable function
CN113939821A (en) System and method for non-parallel mining on a workload justification blockchain network
CN101789939B (en) Effective realization method for credible OpenSSH
CN110945832B (en) Symmetric group authentication method and system
EP3563515B1 (en) Reverse computational fuzzy extractor and method for authentication
US10230532B2 (en) Entity authentication in network
US9191324B2 (en) MAC aggregation with message multiplicity for use in a multi-node data network
Long et al. Energy-efficient and intrusion-resilient authentication for ubiquitous access to factory floor information
Subramani et al. EPPAS: Energy‐efficient privacy‐preserving and physically secure mutual authentication scheme for secure communication in smart grid systems
EP3861671A1 (en) Continuous space-bounded non-malleable codes from stronger proofs-of-space
Gope et al. A reconfigurable and secure firmware updating framework for advanced metering infrastructure
Yang et al. Memory attestation of wireless sensor nodes through trusted remote agents

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant