Anonymous and Unlinkable Membership Authentication with Illegal Privilege Transfer Detection

Anonymous authentication schemes, mostly based on the notion of group signatures, allow a group member to obtain membership from a server and gain access rights if the member can prove their authenticity to the verifier. However, existing authentication schemes are impractical because they neglect to provide an exclusive verification of the blacklist. In addition, the schemes are unaware of malicious members who are involved in privilege transferring. In this paper, a novel membership authentication scheme providing detection of membership transfer and proof of membership exclusiveness to the blacklist is proposed.


Introduction
The rapid development of the Internet has resulted in an increase in electronic transactions that allow users to buy goods or services from online platforms provided by Internet companies, including Google, Facebook, eBay, and Twitter.
Service providers must confirm whether a user is permitted to access their resources. Access control [1] [2] provides a solution by verifying either a cryptographic certificate or a username and password. However, the information provided by the user during an interaction with the service provider may undermine the user's privacy: the user risks being traced or even impersonated by corrupt service providers.
Group signatures [3] [4] [5] [6] allow privileged group members to sign under the group secret key. On the basis of an auxiliary cryptographic technique called zero-knowledge proof [7], the verifier can check the member's access rights by using the group public key without learning the member's identity. The member obtains access to the service if their presented signature is verified to be valid. If necessary, the signature can be opened by a designated group manager to identify the signature's originator in case of a dispute. Several provably secure authentication schemes [8] [9] [10] [11] have been proposed to create anonymous memberships in which any member of a group can prove to the service provider (i.e., the verifier) that they are qualified to access a service or file; however, these schemes are impractical because they do not provide exclusive verification of revoked memberships. To account for the fact that some members have been revoked, Ateniese et al. [13] require group members to prove that their membership does not appear on the current certificate revocation list (CRL), in contrast to the use of fixed time periods with a one-way chain [12]. However, in their scheme, the verifier must check whether the member's membership matches any of the revocation information on the CRL, entry by entry, by using their "REVOKE" algorithm every time a member requests membership authentication. The cost to the group manager is proportional to the number of revoked group members because new memberships must be issued to all non-revoked members every time a membership is revoked. Clearly, the scheme performs inefficiently and has not been improved to date.
Additionally, state-of-the-art authentication schemes provide few revocation methods and do not describe how to detect malicious members' illegal behavior; in other words, such schemes are unaware of malicious members who have been involved in privilege transfer. This is known as impersonation or an illegal privilege transfer attack, and preventing it is a priority because it regularly occurs in the aforementioned schemes and is difficult to trace. In addition, modern authentication schemes are becoming more complicated in order to ensure security. This is not a favorable development because it obstructs the development of membership authentication schemes, making the research impractical and unattractive. In summary, a robust authentication scheme should contain two components: a membership authentication approach that can withstand members who engage in membership transfer, and a proof that a membership is excluded from the current CRL.
In this paper, a novel membership authentication scheme is proposed that provides a simple solution for membership authentication and revocation. The proposed scheme may suffer from the disadvantage of illegal privilege transfer; however, this problem can easily be solved by employing the traitor tracing technique [14] [15] [16] [17] [18]. Traitor tracing was first suggested by [14], which discusses how to identify a traitor in a public key cryptographic scheme and proposes some approaches for revoking the access rights of at least one of the traitors involved in illegal privilege transfer. To evade accountability, a traitor may attempt to modify their secret key to avoid being traced. Traitor tracing schemes ensure that no such strategy can succeed and guarantee that the traitor's identity is revealed. Typical CRL approaches are not directly applicable to our proposed scheme because the memberships are anonymous and unlinkable. Instead of compiling a typical CRL, the dynamic accumulator technique [19] [20] [21] is employed in the proposed scheme to enable an eligible member to prove that their membership is excluded from the CRL.

Organization of the Thesis
This paper is organized as follows. Section 2 describes the anonymous authentication scheme and its requirements as well as the dynamic accumulators. An anonymous and unlinkable membership authentication scheme with illegal privilege transfer detection is proposed in Section 3. Security and performance analysis of the proposed scheme is detailed in Section 4. Finally, Section 5 presents the conclusion.

Anonymous Authentication Schemes
Group signatures [12] [13] with membership revocation are typically defined using the following algorithms:

Setup:
A probabilistic algorithm that outputs the group public key and group secret key for the group manager, given a security parameter as the input.

Join:
A protocol between the group manager and a user that results in the user becoming a group member and receiving a group signing key.

Sign:
A probabilistic algorithm that outputs an anonymous membership for a member, with some necessary parameters (including the member's group signing key) as the input.

Verify:
An algorithm for examining the validity of an alleged membership with respect to a group public key.

Open:
An algorithm, which can only be run by the group manager, used to determine the originator's identity.

Some authentication schemes [10] [11] have been proposed for creating anonymous memberships by extending the idea of group signatures. Three parties are involved in generic authentication schemes, namely the prover (i.e., the member), the issuer (i.e., the key generation center [KGC]), and the verifier (i.e., the application server [AS]). The issuer is assumed to be a trusted third party responsible for generating unique and anonymous memberships for eligible provers. A prover with membership can prove to the verifier that they have been given an appropriate membership. The verifier can verify the validity of memberships but learns nothing about the prover's real identity. The scheme must guarantee that different authentication messages submitted by the same prover cannot be linked.
Additionally, the following security requirements, which have been identified and discussed in the literature, should be inspected.
Unforgeability: Only an eligible prover can obtain a unique valid membership. An adversary cannot feasibly forge a membership that passes verification.
Strong/weak unlinkability: Strong unlinkability ensures that neither the pseudonym nor the real identity of a prover can be linked across multiple uses of the membership. Conversely, weak unlinkability allows the pseudonym, but not the prover's real identity, to be linked when the prover uses the membership more than once.
Nontransferability: Although the verifier knows nothing about the prover's real identity during the interactions, a sound authentication scheme must guarantee that membership transfer can be detected and that abused memberships can be revoked.
Excludability: Neither a group member nor the group manager can sign on behalf of other group members.
For efficient exclusive verification of the CRL and detection of illegal privilege transfer, the following additional security properties are necessary:
Dynamic membership: The membership can easily be updated by any eligible member of the group when a new member is inserted (or an abusive member is deleted), rather than issuing a new membership or requiring the verifier to consult the CRL.
Traitor detection: The scheme must be able to determine the real identity of the malicious member.

Dynamic Reversed Accumulator
Accumulators were first proposed by Benaloh and de Mare [22] for combining a set of members' specific values into one accumulator. Each corresponding member is assigned a unique witness, which is used to prove the validity of their membership. However, the computational complexity of the Benaloh-de Mare scheme increases linearly, either with the number of group members or with the number of revoked members. In 2002, Camenisch and Lysyanskaya [19] proposed an efficient dynamic accumulator scheme in which members can update their witness dynamically without the authority's help. Additionally, the computational complexity of inserting and deleting a member, as well as updating members' witnesses, is independent of the number of accumulated values. In 2009, Camenisch et al. proposed an additional accumulator scheme [20] that uses a bilinear cryptography technique. However, the schemes in [19] [20] were later proved insecure by Kuo et al. [21]. In this section, we review the dynamic reversed accumulator scheme of Kuo et al. [21], which relies on the strong RSA assumption [7] [27]. To the best of our knowledge, their scheme is the most efficient and secure accumulator scheme among state-of-the-art dynamic accumulators and is highly applicable to the granting and revoking of privileges.

Initialization:
Let the modulus n = p × q, with p and q safe primes; U be a set of t eligible members, each with an identity x_u (u = 1, …, t); and Ū be the set of revoked members. All identities are assumed to be pairwise relatively prime, and the authority maintains the sets U and Ū, which are initially empty. The authority chooses an element g ∈ QR_n and a prime z (which can be 2); computes the accumulator as ( ), where g ≠ 1; and publishes ( ). Here,

f(⋅) is a public quasi-commutative function [21]. It holds that ( ) mod n.

Member insertion: To include a new member x_w, the authority examines whether x_w ∉ U, and if so, adds x_w to the set U (giving the new set of eligible members) and updates the aforementioned archive. The new member is given a witness ( ). Here, the accumulator ACC is not changed; therefore, the existing group members do not need to update their witnesses.

Witness verification:
Only an eligible member x_u ∈ U can prove the validity of their system access to a verifier, namely that their unique value x_u is included in the public accumulator ACC and that they know the corresponding witness wit_u, on the basis of the zero-knowledge proof technique. The verifier can verify the correctness by using the online public information ACC maintained by the authority, and the group member x_u is granted access rights if the following Equation (1) holds for their claim: ( )

Member deletion: When the membership of group member x_v is revoked, the authority deletes x_v from the set U and moves the value x_v into the set Ū. The authority computes the new accumulator ( ), updates the archive, and publishes the revocation information ( ). Knowledge of p, q is required for computing x_v^(−1). Kuo et al. called their scheme a dynamic reversed accumulator because the value x_v ∈ Ū is subtracted from the accumulator and the accumulator decreases gradually. Additionally, each member in U must update their witness to reflect the updated accumulator.
On the basis of the extended Euclidean algorithm, the eligible members x_u ∈ U can compute the integers a and b satisfying a × x_u + b × x_v = 1 and update their witnesses as ( ) mod n. Computing the witness update does not require knowledge of (p, q) and can be performed only by the eligible members x_u ∈ U. It is infeasible for the revoked member
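The accumulator life cycle described in this section (setup, member insertion without changing ACC, witness verification, member deletion, and the trapdoor-free witness update via the extended Euclidean algorithm), as an added worked example that is not the paper's or Kuo et al.'s code. The page does not give the exact formulas, so the instantiation used here (ACC = g^z mod n, wit_u = ACC^(1/x_u), ACC' = ACC^(1/x_v) on revocation, and wit_u' = wit_u^b · ACC'^a with a·x_u + b·x_v = 1) is an assumption chosen to satisfy the properties the text states: inserting a member leaves ACC unchanged, revocation shrinks the exponent, eligible members repair their witnesses without (p, q), and the revoked member cannot. The primes are toy-sized for readability only.

```python
# Added example: toy RSA-based "reversed" accumulator in the spirit of the
# scheme reviewed above. Formulas are an ASSUMED instantiation (see lead-in);
# parameters are far too small for real use.

def egcd(a, b):
    """Extended Euclid: returns (g, s, t) with s*a + t*b = g = gcd(a, b)."""
    if b == 0:
        return a, 1, 0
    g, s, t = egcd(b, a % b)
    return g, t, s - (a // b) * t


class Authority:
    """Holds the trapdoor (p, q); the only party able to take x-th roots mod n."""

    def __init__(self, p, q, g, z=2):
        self.n = p * q
        self.phi = (p - 1) * (q - 1)
        # g*g is a quadratic residue mod n; ACC = (g^2)^z (assumed form)
        self.acc = pow(pow(g, 2, self.n), z, self.n)
        self.members = set()   # U
        self.revoked = set()   # U-bar

    def join(self, x):
        """Insert x_w: ACC is unchanged, the newcomer gets wit = ACC^(1/x)."""
        if x in self.members or egcd(x, self.phi)[0] != 1:
            raise ValueError("identity must be fresh and coprime to phi(n)")
        self.members.add(x)
        inv = pow(x, -1, self.phi)          # needs p, q (trapdoor)
        return pow(self.acc, inv, self.n)

    def revoke(self, x):
        """Delete x_v: ACC' = ACC^(1/x_v); x_v is published as revocation info."""
        self.members.remove(x)
        self.revoked.add(x)
        self.acc = pow(self.acc, pow(x, -1, self.phi), self.n)
        return x


def verify(n, acc, x, wit):
    """Equation (1) in this instantiation: wit^x == ACC (mod n)."""
    return pow(wit, x, n) == acc


def update_witness(n, new_acc, x_u, wit_u, x_v):
    """Member-side update after x_v is revoked; no trapdoor needed.
    With a*x_u + b*x_v = 1:  wit_u' = wit_u^b * ACC'^a, because
    (wit_u')^x_u = ACC^b * ACC^(a*x_u/x_v) = ACC^((b*x_v + a*x_u)/x_v) = ACC'.
    Returns None when gcd(x_u, x_v) != 1, i.e. for the revoked member itself."""
    g, a, b = egcd(x_u, x_v)
    if g != 1:
        return None
    # Python's 3-argument pow accepts negative exponents (modular inverse)
    return pow(wit_u, b, n) * pow(new_acc, a, n) % n


def demo():
    """Runs one insert/verify/revoke/update cycle; returns four booleans."""
    auth = Authority(p=23, q=59, g=5)   # constructed toy safe primes 2*11+1, 2*29+1
    n = auth.n
    ids = [3, 5, 7, 13]                 # constructed pairwise-coprime identities
    wits = {x: auth.join(x) for x in ids}
    all_valid_before = all(verify(n, auth.acc, x, wits[x]) for x in ids)

    auth.revoke(7)
    # every old witness, including the revoked member's, now fails against ACC'
    any_stale_valid = any(verify(n, auth.acc, x, wits[x]) for x in ids)
    # eligible members repair their witnesses locally using only (x_u, x_v, ACC')
    for x in (3, 5, 13):
        wits[x] = update_witness(n, auth.acc, x, wits[x], 7)
    all_valid_after = all(verify(n, auth.acc, x, wits[x]) for x in (3, 5, 13))
    revoked_cannot_update = update_witness(n, auth.acc, 7, wits[7], 7) is None
    return all_valid_before, any_stale_valid, all_valid_after, revoked_cannot_update


if __name__ == "__main__":
    print(demo())   # expected: (True, False, True, True)
```

Note how the only operations that touch (p, q) are the two inverse computations inside Authority; everything a member does uses public values, which is exactly the property that makes the CRL check unnecessary for the verifier.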

Proposed Anonymous Authentication Scheme
In this section, a basic scheme of anonymous membership authentication with anonymity, unlinkability, and efficiency is proposed, and its security is discussed. Subsequently, an enhanced version of the scheme is proposed, and this scheme is analyzed in the next section. In contrast to the aforementioned authentication schemes, the member must additionally establish a secure channel with the verifier; in other words, a lower-layer node-to-node secure channel with randomized encryption is assumed.

Bilinear Groups and Security Assumptions
The following definition of a bilinear map comes from [28] and is a fundamental building block of our proposed scheme. Let G_1, G_2, and G_T be three groups of the same prime order q, and let P, Q be two generators of G_1 and G_2, respectively. We say that ê: G_1 × G_2 → G_T is a bilinear map if it satisfies the following properties:
• Bilinearity: ê(aP, bQ) = ê(P, Q)^(ab).
• Nondegeneracy: ( ).
The proposed membership authentication scheme can be operated in both symmetric and asymmetric settings. For greater efficiency, the symmetric setting is more appropriate, whereas the asymmetric setting provides greater security. Here, we directly use the asymmetric setting to enrich our cryptanalysis in Section 4 and to demonstrate the flexibility of our proposed scheme.
The security of our scheme relies on the hardness of the following problems, which were introduced in [29].
Both problems FAPI-j (for j = 1 or 2) have a unique solution for each given pair ( ) such that ê( ) = z when a pairing ê as above and a value z ∈ G_T are given.

Basic Scheme
In this section, we first introduce a basic anonymous authentication scheme comprising three parties, namely the group member, the KGC, and the AS. The KGC is a trusted third party responsible for issuing private keys to all valid members, and the AS provides services to any eligible member who presents proof of valid membership.
The basic scheme comprises the following algorithms:

Setup.
As mentioned in Section 3.1, G_1, G_2, and G_T are three bilinear cyclic groups of prime order q; ê is a bilinear map over groups of the same order q; and P ∈ G_1 and Q ∈ G_2 are two generators. Let x_j be N prime numbers chosen from the field Z_q^*, for 1 ≤ j ≤ N. The KGC selects a large even integer k with k < N and computes the group secret key as ( ) and the corresponding group public key as ( ). The KGC then publishes the system parameters as (G_1, G_2, G_T, q, ê, P, Q, Y).

Join.
For each legitimate member U_i of the group, the KGC randomly selects k/2 elements of the x_j (the components of this subset are denoted x̂_j) and computes ( ); but a_i P and b_i Q cannot be used directly as proof of membership, because otherwise any two application service requests would be easily linked and the member's privacy threatened. Here, an archive is required for maintaining the tuple (a_i, b_i, U_i) so that the KGC can reveal the real identity of a malicious member who has been recognized as a traitor.

Sign.
When the member U_i requests service from an AS, U_i selects two random numbers α, β ∈ Z_q^* and computes ( ) and C = αβP.
Here, the tuple ( ) is the membership of U_i for obtaining access to the application services provided by a specific AS.

Verify.

1) ( )

Remark. U_i cannot compute and send ( ) directly to the AS; otherwise, the scheme designed in that way becomes insecure, because the verification equation would become ( ), and any attacker could select two random numbers α′ and β′ of their own and then compute ( ), where A′ and B′ are also randomly selected. The attack would thus pass the verification procedure with the forged membership proof { }.

Selection of parameter k.

Remarks and Discussion
Impersonation or illegal privilege transfer attack.
A sound anonymous membership authentication scheme should consider how to counteract a valid member duplicating their membership for others. That is, a valid member U_i may attempt to share their private key {a_i P, b_i Q} with their untrusted friend U_x. We assume that collusion among the AS, the KGC, and U_x is possible. With knowledge of both a_i P and b_i Q (and the related identity of its owner, revealed by U_x), the AS can obtain both ( ) when the original member U_i logs in to the AS. To check whether a service request was made by U_i, the AS verifies whether ( ). Clearly, this "private key revelation" forces U_i not to share their private key and privilege with others; otherwise, any two of U_i's service requests can be linked and their anonymity will be ruined. In this attack, the original member U_i also risks privilege revocation by the KGC (here, a typical blacklist is required) after an unauthorized privilege transfer is confirmed. The privilege is thus nontransferable.
In the following, we show another privilege transfer approach launched by the member U_i, but this approach does not undermine U_i's anonymity. Let α and β be two blinding factors as before; U_i uses a third blinding factor γ and sends the "transformed" private key { } to their friend U_x, who can be either trusted or untrusted. On the basis of this transformed private key, the unprivileged U_x can prove their membership to the AS through the same anonymous authentication scheme by computing ( ) and C = αβP. The AS also verifies the membership proof by checking whether Equation (2) holds. In this attack, collusion between the AS and U_x to threaten the original member U_i's privacy is impossible. Nevertheless, the untrusted friend U_x can disclose the fact of illegal privilege transfer to the KGC by providing { }. Recall that the KGC keeps the a_i and b_i selected for each member U_i and can therefore check whether a member U_i is involved in an unauthorized privilege transfer as follows: ( ). If Equation (5) holds, the original member U_i is revoked, and this forces U_i not to share their transformed private key and privilege with others.
In addition, if U_x would never betray U_i, the trusted KGC can be consulted online to recognize this privilege transfer as follows. Assume that the KGC can compute ( ). If the AS submits ( ) to the KGC for investigating potential privilege transfers, the KGC attempts to use all registered members' information (a_i, b_i), for 1 ≤ i ≤ N, and computes both ( ). The KGC then tests whether any ( ) holds to determine whether the received authentication message was generated by the privileged member U_i. Clearly, an authentication message generated from a transformed private key with γ ≠ 1 will fail this verification, and we can conclude that someone has transferred their membership to someone else. The KGC still knows nothing regarding the malicious member's real identity, which corresponds to "weak unlinkability". In a medium-sized setting with a moderately large number of members, the described online investigation might be feasible if not performed frequently. However, this method cannot completely prevent the illegal privilege transfer attack.
This basic scheme also cannot withstand the replay attack.

Enhanced Version of the Proposed Scheme
Consider the potential illegal privilege transfer attack and the unpreventable replay attack mentioned in Section 3.2.1. An enhanced scheme is proposed in this section. The scheme features anonymity and unlinkability and guarantees security against the aforementioned attacks. Because some algorithms are identical to those defined in Section 3.2, including Setup and Join, this section describes only the differences. The algorithms of the enhanced scheme are detailed as follows:

Sign.
Let T_i be a timestamp and h(⋅) be a collision-free one-way hash function on {0,1}*. When the member U_i requests service from an AS, U_i selects two random numbers ( ) and computes ( ), where ( ). Here, the tuple ( ) is the membership of U_i for obtaining access to the application services provided by a specific AS.

Verify.
2) Let T_V be the current timestamp of the AS and T_td be an appropriate tolerance in the time delay. Given the group public key Y, the AS can verify the membership proof presented by a member U_i, and U_i is granted access rights if the following Equations (8) and (9) hold; otherwise, the AS rejects the re-
The scheme enables the AS to validate U_i's claim while learning nothing about their real identity, even if it colludes with the KGC. For the purpose of anonymous authentication and strong unlinkability, two blinding factors and a timestamp are employed so that a member can prove their membership multiple times to the same or to a different AS. All the authentication messages {A, B, T_i, …} cannot be linked to reveal that they are all generated by the same member. Cryptanalysis of this enhanced scheme is presented in Section 4.

Detection of Illegal Privilege Transfer
The member U_i is assumed to be able to send the transformed private key ( ) to their friend U_x, who can be either a trusted or an untrusted individual, where γ is a random number and γ ≠ 1. After obtaining the transformed private key, U_x computes ( ), where t_x = h(T_x). The unprivileged party U_x can prove their membership to the AS through the aforementioned improved anonymous authentication scheme and obtain access to the resource on the AS if Equations (8) and (9) hold. Here, collusion between the AS and U_x that threatens the original member U_i's privacy is impossible. As mentioned in Section 3.2.1, two approaches exist for detecting whether a member U_i is involved in an unauthorized privilege transfer. The first is to let U_x disclose U_i's illegal privilege transfer by providing { } to the KGC; however, this approach is passive and impractical for preventing private keys from being transformed. The second is that the trusted KGC can be consulted online to recognize the privilege transfer as follows. Recall that the KGC retains a_i and b_i when generating private keys for each member U_i. If the AS provides a suspicious ( ) to the KGC for investigating potential privilege transfer, the KGC attempts to use all values of b_i, for 1 ≤ i ≤ N, of registered members and computes both ( ). The KGC checks whether any π_i equals λ_i to determine whether the received authentication message was generated by the privileged member U_i. Clearly, an authentication message generated from a transformed private key with γ ≠ 1 fails this verification. We can conclude that the received authentication message is an impersonated membership and that someone has shared their private key and privilege with another, but the KGC does not know who the traitor is at this stage because the proposed authentication scheme provides "anonymity". Consequently, the KGC uses the information (a_i, b_i) to compute θ_i, for 1 ≤ i ≤ N, as follows: ( ). The KGC subsequently examines all values of b_i, for 1 ≤ i ≤ N, to determine whether any θ_i equals ê(P, b_i Q), and thus discovers the real identity and revokes the membership of the traitor U_i who is involved in an unauthorized privilege transfer. This online detection approach can be performed regularly, or whenever the AS notices that an unauthorized privilege transfer may have occurred in the system.

Exclusiveness of the Membership
By employing the dynamic reversed accumulator of Kuo et al., which is described in Section 2.2, a member Alice who has been included in the set U receives a membership (wit_A, x_A) and can therefore prove to the AS that her identity x_A is not on the CRL; this is called "exclusiveness of the membership". Of course, a dynamic public archive is required for storing information regarding joined and revoked members as well as the current accumulator ACC. Each member is assumed to read the archive regularly and update their witness when ACC has changed. This accumulator performs more efficiently than existing methods because renewing the accumulator and valid members' witnesses is required only when revoking violating members, not when adding new members. The AS therefore does not have to verify whether a member is on the CRL, in contrast to the schemes presented in [6] [13]. Additionally, forging a witness is infeasible for an adversary under the strong RSA assumption [7] [27].
In addition, the accumulator of Kuo et al. provides efficient multiwitness verification, in which a group member may access multiple services or files simultaneously and the AS can verify the member's qualifications for all of them at once. This property is notable and has not been demonstrated in previous studies.
Suppose that m services exist, namely S( ), with S_1 and S_2 both provided by the same AS; Alice may be assigned the witnesses ( ). Thus, Alice can convince the AS of the validity of her membership and gain access to services S_1 and S_2 by providing the corresponding witnesses. The AS obtains the current accumulators ACC of services S_1 and S_2 and verifies whether Alice is qualified to access these services through Equation (13): ( )

Performance and Security Analysis
This section verifies our claim of an efficient, anonymous, and unlinkable membership authentication scheme. We first detail the security properties provided by our scheme. Note that some properties have been detailed in the aforementioned sections.

Resistance of replay attack
An adversary may attempt to resend a stolen membership tuple to pass verification. Recall that the AS accepts a membership proof only if Equation (8) holds (one of the necessary conditions); thus, resending a stolen membership tuple would increase the time difference (T_V − T_i) beyond the tolerance, and therefore the adversary cannot pass the verification.

Membership nontransferability
Recall that a valid member U_i can send the transformed private key to their friend U_x; the membership of any traitor who is involved in unauthorized privilege transfer will be revoked by the KGC. This forces the member U_i not to share their private key and privilege with others; otherwise, any two of U_i's service requests can be linked and their anonymity will be ruined.
The following two lemmas from [29] [30] must be given before demonstrating the theorems related to our scheme.
(FAPI-1 ⟹ GPI:) Given a GPI instance Y and an element ( ).
Given the system parameters (G_1, G_2, G_T, q, ê, P, Q, Y), the proposed scheme can withstand an adversary A_f attempting private key forgery through the following manners of attack: ( ) ê( ) = Y; 4) extracting the group secret key X from the group public key Y.
Proof.
We discuss these cases of possible forgery in the following.

Case 1:
An adversary A_f may attempt to find two elements ( ) such that ( ). The success of A_f could then be used to solve the GPI problem defined in Section 3.1.

Cases 2 & 3:
From Lemmas 1 and 2, we know that 1) the GPI problem is not harder than either FAPI-1 or FAPI-2, and 2) if FAPI-j (where j = 1 or 2) is solvable, then the CDH problem is solvable. That is, an A_f who can succeed in cases 2 and 3 can be used to solve the GPI and CDH problems.

□
From this reasoning, we know GPI ≤ FAPI-j = CDH ≤ DL over G_T. A straightforward approach for A_f is to forge an eligible private key by using the method of Case 1. However, no efficient algorithm is available that can break GPI with a nonnegligible probability ν(k). In summary, we conclude that our proposed scheme is secure against any possible private key forgery. Additionally, forged memberships generated using the aforementioned approaches will be recognized by the illegal privilege transfer detection described in Section 3.3.1, if the AS reports the suspicious membership to the KGC for investigation.
Theorem 4 (Resistance against membership impersonation). Let A_m be a polynomial-time adversary holding a valid private key. Given the system parameters, the proposed scheme can withstand an adversary A_m engaging in private key impersonation aimed at other eligible members U_i or at a new member U_k.
Proof.
If the adversary A_m has ever joined the group, they may attempt to add a random number γ to the private key ( )

□
Finally, Table 1 illustrates the substantial improvement of our proposed scheme compared with other schemes with respect to the security concerns defined in Section 2.1. Our proposed scheme features strong unlinkability, nontransferability, dynamic membership, and traitor detection. Table 2 shows the main enhancement in efficiency achieved by our scheme. The computational cost of our scheme comprises that of the presented anonymous authentication scheme and that of the dynamic accumulator of Kuo et al. [21].

Conclusion
We propose a novel membership authentication scheme that provides anonymity, strong unlinkability, and illegal privilege transfer detection. As discussed above, our proposed scheme can perform more efficiently if the symmetric setting of bilinear map groups is applied. By employing an efficient dynamic reversed accumulator, system members can prove to the verifier that their membership is excluded from the CRL. Additionally, the practicality and attractiveness of our proposed scheme are supported.
How to cite this paper: Yen, S.-M., Kuo, T.-M. and Yang, T.-Y. (2018) Anonymous and Unlinkable Membership Authentication with Illegal Privilege Transfer Detection. Int. J. Communications, Network and System Sciences, 11, 9-26. https://doi.org/10.4236/ijcns.2018.112002

Crucially, the computational costs of both updating the group accumulator and updating each individual member's witness are independent of the size of Ū. The scheme of Kuo et al. features a substantial computational cost reduction compared with the existing methods because renewing the accumulator and valid members' witnesses is required only when revoking violating members (not when adding new members).

wit_A1 and wit_A2 on the basis of the zero-knowledge proof technique. The AS must obtain the current accumulators ACC_1 and ACC_2

U_x can prove their validity to the AS by computing {A, B, T_x, …} with the transformed private key. Through detection of illegal privilege transfer, as described in Section 3.3.1, the membership of any traitor

this attack cannot be recognized by the proposed illegal privilege transfer detection mechanism. This problem can be reduced to the selection of parameter k described in Section 3.2. We assume that k = 200, which yields C(200, 100) ≈ 10^59 combinations of the value a_i. The probability that two assignments of the value a_i for different members are identical is approximately 1/10^59, which is also the probability that the adversary A_m can succeed in computing the valid private keys of eligible members, and is negligible.

Because blinding factors α and β are used, U_i can prove their membership multiple times to the same or to a different AS; by contrast, all the au-

1) U_i ⇒ AS: {A, B, C, …} over a secure channel. 2) The AS verifies the membership proof by checking whether

Table 1. Comparison of security requirements.

Table 2. Comparison of computational costs.
A_e/S_e: addition/subtraction over the exponent, P: pairing operation, S_n: squaring operation modulo n, Eu: extended Euclidean algorithm, and PK: proof of knowledge.