1 Introduction

1.1 Background and motivation

Authentication serves as a cornerstone technique in trust management and data protection within network systems [1]. Typically, there are four primary methods for constructing authentication schemes: knowledge-based (such as passwords), possession-based (such as ID cards or passports), static biological traits (such as fingerprints or facial features), and dynamic behavioral traits (such as gait or voice). Despite the diversity in identity authentication methods, traditional authentication techniques often rely on a centralized entity that manages users’ network information and processes their authentication requests. This approach will lead to two significant issues:

  1. 1.

    System Performance: in a centralized system, the server must handle authentication requests from a large number of users, which can result in performance bottlenecks. If the authentication framework is not designed to handle high concurrency, a single point of failure may arise, compromising the system’s reliability.

  2. 2.

    Privacy Concerns: since the centralized server must be fully trusted, there is a risk of user privacy manipulation and disclosure if the server is compromised or corrupted. This places a heavy reliance on the server’s integrity and security, which can be a potential vulnerability in the system.

To address these issues, alternative authentication mechanisms that distribute the authentication process and reduce reliance on a single centralized entity are being explored. These include decentralized authentication protocols which can provide increased security, resilience, and privacy preservation. In recent years, the development of decentralized system has attracted wide attention from both academia and industry. Authentication in decentralized system adopts a distributed way to achieve reliable data access privilege management by relying on the several cryptographic techniques such as secure multiparty computation and consensus mechanism [2, 3, 5]. But most of the existing works relevant to decentralized authentication can hardly satisfy both the demands of the flexible access privilege management and the low communication overheads at the same time. On the one hand, fine grained authentication can be achieved by leveraging the technique of fuzzy identify based cryptography with multiple authorities, but the key extraction and the authentication processes require frequent interactions among the user and servers. This will add considerable overheads to the whole communication system. Besides, some sensitive information related to the user’s attributes will be leaked during the authentication. On the other hand, some proposals constructed on password based threshold authentication can improve the efficiency of authentication process [20], but the user’s identity is defined by a single string which somehow lacks the flexible description of the user’s access privileges.

1.2 Constructions

To best satisfy the efficiency, flexibility and the privacy preserving properties of the authentication, in this paper, we present a new cryptographic notion named designated private set [4, 6] based trapdoor authentication (DPSBTA) for flexible and efficient trust management in decentralized systems. In our DPSBTA, there are no trusted authorities or KGC and the servers are operated in a fully decentralized manner. A user’s access privilege is defined by the private set he owns. During the authentication process, each server can designate an element set and only if a user holds adequate elements which are contained in the designated set can he obtain a credential from the server.

The designed DPSBTA is equipped with the following features:

Decentralized trapdoor authentication management: The system is distributed and decentralized with no need for a trusted authority or key generation center. The authentication is conducted in a double threshold manner: on the one hand, a user will obtain a credential segment from a server only if the number of designated elements in the set intersection exceeds the trapdoor value preset by the server; on the other hand, the user will successfully complete the authentication process only if the number of credential segments he gains exceeds the threshold value which is negotiated by the desterilized servers in the system.

Privacy preserving credential delivery: In the credential delivery and authentication phases, the servers do not know whether a user holds sufficient elements or the credential generated from a certain server. This property provides privacy preserving authentication for the users.

Round optimal communication: During the delivery of credential, the user and each server only need to conduct two rounds of communication, which achieves round optimal property: one round to send the encrypted elements and another round to receive the designated set along with the encrypted credential. The property relieves the servers from the frequent interactions with massive users thereby reducing the risk of the potential bottleneck occurrence in the traffic links.

Specifically, the following works are established in this paper:

We review the related works and raise new functional demands of authentication management in decentralized systems.

We propose a new paradigm named designated private set based trapdoor authentication (DPSBTA). We give the generic construction of this paradigm and define the security models accordingly by analyzing the potential threats carried out by adversaries.

We instantiate our DPSBTA by defining the syntax and designing the concrete algorithms of DPSBTA along with its correctness proof.

We discuss the security and efficacy of the proposed DPSBTA by presenting security proofs and evaluate its performance with respect to the theoretical analysis and the simulation results.

1.3 Outline

The remainder of this paper is structured as follows: Sect. 2 presents a review of the related works on trust management and authentication in decentralized systems, including the private set intersection technique. Section 3 discusses the preliminaries necessary for the construction of our scheme. Section 4 details the constructions of the proposed scheme, encompassing its architecture, syntax, security models, and the specific algorithms. Section 5 provides an evaluation of the scheme’s security, efficiency, and other functional properties. Section 6 identifies the current limitations of this research and offers future research directions. Finally, Sect. 7 concludes the paper.

2 Related works

In this section we will review the related works in terms of trust management and authentication in decentralized systems along with the private set intersection mechanism.

2.1 Trust management and authentication in decentralized systems

Hong et al. in [7] proposed a secure multiparty transaction scheme for blockchain. Their scheme allowed different clients to member in one exchange simultaneously by utilizing secret sharing component, accordingly the estimation cost for correspondence collaboration and overheads could be pointedly diminished. All the connected data alluding to an exchange were kept in the same block, which made it effective to lead record discernibility. Wang et al. in [8] presented a universal solution to decentralized identity authentication in TEE by taking the merits of blockchain and smart contract. By empirical evaluations, the proposed scheme was able to realize secure registration and cross-platform authentication with high calculation efficiency. Lavanya et al. in [9] analyzed the applicability of deploying blockchain based authentication to IoT systems and pointed out that the most current authentication techniques required the assistance of a trusted server. This property brought about extra communication cost and privacy evasion related issues. They presented a decentralized authentication architecture without introducing a trusted third party by leveraging blockchain technique which guaranteed the security of IoT devices. The proposed architecture had been implemented on Ethereum and achieved several functional properties. Khashan et al. in [10] presented a blockchain-based framework which provide identification and authentication learners and their IoT devices in a decentralized manner. It prevented the unauthorized modification of stored learning records in a distributed university network. Zhang et al. in [11] designed a consortium blockchain architecture for providing trust authentication among different platforms. They introduced attribute based access control method and developed a prototype system which achieved high efficiency and low latency. Khalid et al. designed a novel authentication mechanism for IoT systems which provides secure communication between devices both from internal and external systems [12]. The presented mechanism utilized the distributed nature of the blockchain technique and took the merits of fog computing to solve the latency related issues. Narayanan et al. in [13] proposed a decentralized blockchain based security scheme for secure data transmission in Cloud-IoT environment which comprised three phases: authentication, encryption and data retrieval. The authors gave the clear definitions of each phase along with the detailed interaction processes among them. The experiment results demonstrated the promising improvements of the encryption, time decryption time and storage efficiency.

Shiny et al. in [14] proposed a decentralized access control scheme with multiple layer authentication which relied on various credentials such as token, password, PIN, etc. Hidden policy was utilized in their scheme to provide the anomity of the user’s identity. The decentralized architecture indicated that several key distribution centers were involved thus enhancing the robustness of the whole system. Zubaydi et al. in [15] applied the decentralized authentication technique to digital healthcare application and proposed a decentralization consensus secure framework. They defined the detailed workflows of the framework which effectively protected the privacy information generated in wearable healthcare IoT environment. Rashid et al. in [16] designed a novel role-centric authentication and resource access control scheme for decentralized systems. It was distinct from the conventional proposals by virtue of developing a specific feature for role creation and management to conduct RABC for the distributed entities. Furthermore, it was equipped with some other functional properties such as role authentication and validation. Vazquez et al. in [17] proposed an authentication scheme for decentralized secure mail management systems. The scheme leveraged PAKE technique to achieve entity authentication and key management without a trusted key infrastructure. Furthermore, it promoted the automatic management of significant key lifecycle assignments such as refreshing and validation which reduced the influence brought by the error prone human behaviors. Kostoulas et al. in [18] proposed a decentralized reputation based model to build trust and provide reliable communication in complex systems. The model utilized a decentralized recommendation algorithm which enabled participants of a first response network to measure the trust value of other users. Gutscher et al. in [19] designed a new trust model which supported expressive descriptions of the keys and user identities. By integrating the authentication function into the trust model, a signer of a trust server was able to modify the length of trust chains and the trust values. Aref et al. in [21] presented a decentralized trust evaluation model which reduced the burden of locating witness and enhanced the extendibility for distributed systems. It enabled the integration of both direct and indirect sources of trust information and provided an aggregated trust evaluation.

2.2 Private set intersection

Generally, PSI schemes can be constructed on three mechanisms: traditional public key cryptography (PKC), garbled circuit (GC) and oblivious transfer protocol (OT).

The main construction of PKC based PSI is to map the elements in a set to the roots of a polynomial, then performing ciphertext calculation over the encrypted polynomial referring to each set using certain technique such as oblivious polynomial evaluation. Schemes constructed on PKC have low communication overheads while occupying higher computation complexity. The main idea of GC based PSI is to simulate any functions using Boolean circuit. The output of the private set intersection circuit can be connected to the input of other functional circuits thus the metrics of the private set intersection can be calculated. Schemes constructed on GC are equipped with commendable extensibility. OT based PSI schemes are to test the equality of elements in different sets by leveraging OT extended protocols. Since OT based protocols contains more symmetrical encryption operations, OT based PSI schemes are equipped with more calculation. Based on the above three mechanisms, researchers have designed many functional PSI schemes. Qian et al. in [22] proposed a fine-grained profile matching scheme based on PSI. Their scheme introduced proxy re-encryption mechanism and allowed a semi trusted server to calculate over the ciphertexts without leaking any sensitive information. To make the best use of medical data as well as comply with the privacy policy, Mishima et al. in [23] designed a practical multiparty PSI calculation scheme. The experiments had obtained optimal parameters for parallel processing regardless of the bloom filter’s size. Ruan et al. in [24] presented a high efficient PSI protocol based on homomorphic encryption. It did not require secure channels for data transmission and the computation burden remained constant regardless of the data set. The proposed scheme was appropriate for data sharing in data outsourcing scenarios such as cloud computing. Lu et al. in [25] applied PSI addressed the data privacy issues by applying multi party PSI to vertical federated learning scenarios. Their scheme allowed different parties to jointly complete a training task without leaking each party’s own sensitive task. Kumar et al. in [26] proposed a secure PSI scheme in the malicious environment without adopting any random oracle models. Besides, their scheme achieved linearly calculation complexity with the growth of the set sizes. Wang et al. in [27] analyzed the MP-PSI problem by means of the information theory. They demonstrated that the MP-PSI could be a specific extension of MM-SPIR problem by associating each party’s data set into an incidence vector. Zhao et al. in [28] presented a generic PSI framework and gave the security models in both honest and semi-honest model. The experiment results also demonstrated the high efficiency of the proposed mechanism. Wei et al. in [29] designed a novel MP-PSI protocol which was `suitable for small sets by adding new features to the one-round two-party key negotiation. The simulation showed that the calculation complexity was only associated with the set size and could be effectively deployed to applications under the small sets. Abadi et al. in [30] pointed out that the existing works rarely satisfied the demand of efficient updating on outsourced sets. To fulfill this technical gap, they presented a lightweight delegated PSI which allowed the users to upload their private sets and delegate the calculation tasks to the cloud. Liu et al. in [31] presented a novel PSI protocol based on the quantum Fourier convention. In their scheme, accuracy examination demonstrated the way that the convention could come by the outcome accurately. What’s more, the security of the convention was additionally examined and was able to oppose the vast majority of outside attacks.

3 Preliminaries

In this section, we will introduce the mathematical preliminaries which are essential for the constructions of our DPSBTA framework.

3.1 Secret sharing

A secret sharing scheme typically consists of a secret distributor and a number of participants. The plan comprises of the accompanying two conventions:

Protocol for secret distribution: For each participant, the secret sharing components are generated by the secret distributor in this protocol.

Protocol for secret reconstruction: In this convention, adequate members can help out one another to reproduce the secret by taking the secret part he possesses as information.

A complete \(\:(t,n)\) secret sharing plan ought to be furnished with two properties simultaneously: from one viewpoint, any \(\:t\) members can help out one another to recuperate the first confidential; Then again, in the event that the quantity of members is not as much as\(\:\:t\), it’s impossible for anyone to acquire the secret regardless of whether they give out their private components.

3.2 Decisional Diffie-Hellman problem (DDH)

Given\(\:\:g\in\:G,\) integers\(\:a,b,c\in\:{Z}_{q}^{*}\), no probabilistic polynomial-time (PPT) algorithm can distinguish the tuples \(\:\{{g}^{a},{g}^{b},{g}^{ab}\}\) and \(\:\{{g}^{a},{g}^{b},{g}^{c}\}\) with a non-negligible probability.

3.3 Computational Diffie-Hellman problem (CDH)

For \(\:\:a,b\in\:{Z}_{q}^{\text{*}}\), given (,\(\:{\:g}^{a},{g}^{b}\)), no probabilistic polynomial-time (PPT) algorithm can calculate the value of \(\:{g}^{ab}\:\)with a non-negligible probability.

4 Constructions

In this section, we will provide the detailed constructions of our DPSBPA framework. This will involve outlining the system architecture, defining the syntax and components of the system, describing the security models that underpin the framework, and presenting the concrete algorithms that implement the various functionalities of the DPSBTA.

4.1 Architecture

The architecture of our DPSBTA is illustrated in Fig. 1. It consists of two parties: the user and the servers. The whole system is distributed and decentralized without a trusted authority or key generation center. During the authentication, the user sends the elements he owns and obtains a segment from a server only if the number of designated elements in the set intersection exceeds the trapdoor value preset by the server. Then the user aggregates these segments to generate a credential and sends it to the distributed servers which jointly verify if the credential is a valid one.

Fig. 1
figure 1

The architecture of DPSBTA

Full size image

4.2 Algorithm model

The proposed DPSBTA consists of four algorithms: Setup, Elements delivery, Credential reconstruction and Verify.

Setup: This algorithm is run by the system. It takes a parameter as input and outputs the system’s parameters. Besides, each server constructs the parameters which are utilized to authentication.

Elements delivery: This algorithm is an interaction between a user and the servers. The user firstly sends the elements he owns to the servers then receives the segments returned by each server.

Credential reconstruction: This algorithm is run by the user. It takes the segments as input and outputs the credential used to conduct the verification process.

Verify: This algorithm is run by servers. It takes the user’s credential as input and outputs an assertion whether the credential is valid.

4.3 Security definitions

We define the following security models which may be conducted by adversaries from both elements forgery and unfaithful servers. In the elements forgery, we assume that the adversary does not possess enough elements to generate a credential but he attempts to forge one during the challenge game. In the selective credential model, we assume that the adversary outputs an invalid credential but he attempts to succeed in verification with the collusion of unfaithful servers.

Definition 1

Our DPSBTA has the existential security under elements forgery model if no polynomially bounded adversary has a non-negligible advantage in the following game played by a challenger and an adversary.

Setup: The challenger obtains the essential system parameters and sends to the adversary. The adversary claims an element set.

Elements delivery query: The adversary can make the elements delivery queries to the challenger. The challenger generates the segments according to the query contents and returns the results to the adversary.

Challenge: The adversary attempts to forge a valid credential for the given element set. If the credential is valid, then the adversary wins the game.

Definition 2

Our DPSBTA has the existential security under selective credential model if no polynomially bounded adversary has a non-negligible advantage in the following game played by a challenger and an adversary.

Setup: The challenger obtains the essential system parameters and sends to the adversary. The adversary claims an element set.

Credential reconstruction query: The adversary makes the credential reconstruction queries to the challenger. The challenger verifies and returns the result to the adversary.

Challenge: The challenger outputs two credentials (one is valid and the other is invalid) for the given element set. The adversary wins the game if he can select the valid credential.

4.4 Concrete algorithms

Setup: Let \(\:G\) be a cyclic group with prime order \(\:q\) and \(\:g\:\)is a generator. Assume that the system includes \(\:{n}_{s}\:\)servers. Each server \(\:j\) randomly picks \(\:{s}_{j},{y}_{j}\in\:{Z}_{q}^{\text{*}}\) and lets \(\:cre\:j={y}_{j}\).

Then each server firstly constructs two polynomials, the first one is a \(\:T\)-order polynomial formatted like (1):

$$\:\:{p}_{j}\left(x\right)={y}_{j}+{a}_{j,1}x+{a}_{j,2}{x}^{2}+\cdots\:+{a}_{j,T-1}{x}^{T-1}$$
(1)

The second is a \(\:t\)-order polynomial constructed on the elements a server holds and formatted like (2):

$$\:{q}_{j}\left(x\right)={s}_{j}+{b}_{j,1}x+{b}_{j,2}{x}^{2}+\cdots\:+{b}_{j,t-1}{x}^{t-1}$$
(2)

Note that \(\:\left\{{a}_{j,1},{a}_{j,2}\dots\:{a}_{j,T-1}\right\}\) and \(\:\{{b}_{j,1},{b}_{j,2}\dots\:{b}_{j,\text{t}-1}\}\) are picked randomly by each server. The above two polynomials implicitly set the threshold of the system to be \(\:T\) and \(\:t\) respectively.

Elements delivery: Assume that a user \(\:i\:\)holds a set \(\:\left\{{A}_{i,0},{A}_{i,1},\dots\:,{A}_{i,m}\right\}\) and a server \(\:j\) holds a set \(\:\{{B}_{j,0},{B}_{j,1},\dots\:{B}_{j,n}\}\). The process of credential transfer is as follows:

  1. 1)

    Server \(\:j\) picks \(\:{r}_{2}\in\:{Z}_{q}^{\text{*}}\) and broadcasts \(\:\left\{{{B}_{j,n}}^{{r}_{2}}\right\}\).

  2. 2)

    The user picks \(\:{r}_{1}\in\:{Z}_{q}^{\text{*}}\) and calculates \(\:{{A}_{i,m}}^{{r}_{1}}\), then sends \(\:\left\{{{A}_{i,m}}^{{r}_{1}}\right\}\) to server \(\:j\).

  3. 3)

    Server \(\:j\) returns \(\:\left\{{{A}_{i,m}}^{{r}_{1}{r}_{2}}\right\}\:\)and \(\:{S}_{j}=cre\:j\oplus\:{H}_{1}\left({g}^{{s}_{j}}\right),\left\{{g}^{{q}_{j}\left({B}_{j,n}\right)\bullet\:{B}_{j,n}}\right\}\) to the user.

Credential reconstruction: The user calculates \(\:{\left({{A}_{i,m}}^{{r}_{1}{r}_{2}}\right)}^{{{r}_{1}}^{-1}}\) and compares with \(\:\left\{{{B}_{j,n}}^{{r}_{2}}\right\}\) to obtain the elements in the set intersection. Assume that the user has least\(\:\:\:t\) elements \(\:\{{A}_{i,1},{A}_{i,2},\dots\:,{A}_{i,t}\}\) in the set intersection, then he can obtain \(\:{g}^{{q}_{j}\left({B}_{j,n}\right)}\) and recover the value of \(\:{g}^{{s}_{j}}\) using Lagrange interpolation function (denote \(\:{\varDelta\:}_{n}\) to be the Lagrange interpolation coefficient):

$$\:{g}^{{s}_{j}}={g}^{\sum\:_{n=0}^{t-1}{q}_{j}\left({B}_{i,n}\right)\bullet\:{\varDelta\:}_{n}}$$
(3)

Then the user can obtain \(\:cre\:j\) by calculating:

$$\:cre\:j={S}_{j}\oplus\:{H}_{1}\left({s}_{j}\right)$$
(4)

The user obtains \(\:\sum\:cre\:j\) and sets a polynomial formatted like (5):

$$\:u\left(x\right)=\sum\:cre\:j+{u}_{1}x+{u}_{2}{x}^{2}+\cdots\:+{u}_{{n}_{s}-1}{x}^{{n}_{s}-1}$$
(5)

Then the user distributes the value of \(\:\{{g}^{u\left(x\right)},x=\left[\text{1,2}\dots\:{n}_{s}-1\right]\}\) to the servers.

Verify: Let \(\:{y}_{j}={a}_{j,0}\). Each server computes \(\:\{{p}_{j}\left(z\right),z=\left[1,\:2\dots\:{n}_{s}-1\right]\}\) and sends the corresponding value to the other servers. Besides, each server broadcasts \(\:\left\{{{g}^{{a}_{j,0}},g}^{{a}_{j,1}},\dots\:{g}^{{a}_{j,T-1}}\right\}\).

The servers firstly verify if the following Eq. (6) holds:

$$\:{g}^{{p}_{j}\left(z\right)}=\prod\:_{n=0}^{T-1}{g}^{{a}_{j,n}{z}^{n}}$$
(6)
$$\:{g}^{{p}_{j}\left(z\right)}={g}^{{a}_{j,0}+{a}_{j,1}z+{a}_{j,2}{z}^{2}+\cdots\:+{a}_{j,T-1}{z}^{T-1}}$$
$$\:={g}^{{a}_{j,0}}{\bullet\:g}^{{a}_{j,1}z}\dots\:{\bullet\:g}^{{a}_{j,T-1}{z}^{T-1}}$$
$$\:=\prod\:_{n=0}^{T-1}{g}^{{a}_{j,n}{z}^{n}}$$
(7)

Then the servers generate the credential \(\:CRE\) via calculating (8):

$$\:CRE={g}^{\sum\:_{j=0}^{{n}_{s}-1}\sum\:_{n=0}^{T-1}{p}_{j,n}\left(z\right){\bullet\:\varDelta\:}_{z}}$$
(8)

Since\(\:\:\sum\:cre\:j=\sum\:{y}_{j}\), if the number of credential a user gained exceeds the threshold, then the authentication of the user succeeds and (9) holds:

$$\:{g}^{\sum\:_{j=0}^{{n}_{s}-1}u\left(j\right){\bullet\:\varDelta\:}_{j}}=CRE$$
(9)

The correctness proof of (9) is presented as below:

$$\:{g}^{\sum\:_{j=0}^{{n}_{s}-1}u\left(j\right){\bullet\:\varDelta\:}_{j}}={g}^{\sum\:_{j=0}^{T-1}{y}_{j}{\bullet\:\varDelta\:}_{j}}$$
$$\:={g}^{\sum\:_{j=0}^{{n}_{s}-1}\sum\:_{n=0}^{T-1}{p}_{j,n}\left(z\right){\bullet\:\varDelta\:}_{z}}$$
$$\:={g}^{\sum\:_{n=0}^{t-1}{y}_{j}\bullet\:{\varDelta\:}_{n}}$$
$$\:=CRE$$
(10)

5 Discussions

In this section, we will discuss the performance of DPSBTA in terms of its security, efficiency, and functional properties. This analysis is crucial to evaluate the practicality and effectiveness of the scheme in real-world applications.

5.1 Security proof

We will present the proofs for the security models defined in Sect. 4.3.

Theorem 1

If there exists an adversary which has a non-negligible probability in breaking the security of the elements forgery model, then the simulator can be constructed to solve DDH problem.

Proof 1

The simulator is constructed as follows.

Setup: Let \(\:G\) be a cyclic group with prime order \(\:q\) and \(\:g\:\)is a generator.

The simulator picks\(\:\:{s}_{j},{y}_{j},a,b\in\:{Z}_{q}^{\text{*}}\).

Besides, it simulates \(\:{n}_{s}\:\)servers which have elements \(\:\{{B}_{j,0},{B}_{j,1},\dots\:{B}_{j,n}\}\) respectively. The simulator picks \(\:{r}_{2}\in\:{Z}_{q}^{\text{*}}\) and sends \(\:\{{{B}_{j,n}}^{{r}_{2}},{g}^{a},{g}^{b}\:\}\) to the adversary.

Then the simulator constructs polynomials\(\:\:{p}_{j}\left(x\right),\:{q}_{j}\left(x\right)\) for each server formatted like (1), (2) and implicitly sets \(\:\sum\:_{n=0}^{t-1}{q}_{j}\left({B}_{i,n}\right)\bullet\:{\varDelta\:}_{n}=a\bullet\:b\).

Elements delivery query: Assume that the adversary holds a set\(\:\:\left\{{A}_{i,0},{A}_{i,1},\dots\:,{A}_{i,m}\right\}\). The process of elements delivery query is as follows:

  1. 1)

    The adversary picks \(\:{r}_{1}\in\:{Z}_{q}^{\text{*}}\) and sends \(\:\left\{{{A}_{i,m}}^{{r}_{1}}\right\}\) to the simulator.

  2. 2)

    Simulator picks \(\:{r}_{2}\in\:{Z}_{q}^{\text{*}}\), calculates \(\:\:{{B}_{j,n}}^{{r}_{2}}\:,\:{{A}_{i,m}}^{{r}_{1}{r}_{2}}\) and returns \(\:\left\{{{B}_{j,n}}^{{r}_{2}}\right\},\left\{{{A}_{i,m}}^{{r}_{1}{r}_{2}}\right\}\) and \(\:{S}_{j}={y}_{j}\oplus\:{H}_{1}\left({g}^{{s}_{j}}\right),\left\{{g}^{{q}_{j}\left({B}_{j,n}\right)\bullet\:{B}_{j,n}}\right\}\) to the adversary.

Challenge: The adversary generates a polynomial formatted like (5) and sends the value of \(\:\{{g}^{u\left(x\right)},x=\left[\text{1,2}\dots\:{n}_{s}-1\right]\}\) to the simulator. If the adversary successfully forges a valid credential then the simulator outputs \(\:{g}^{\sum\:_{j=0}^{{n}_{s}-1}u\left(j\right){\bullet\:\varDelta\:}_{j}}\) to be the solution of CDH problem.

Theorem 2

If there exists an which has a non-negligible probability in breaking the security in the unfaithful server model, then a simulator can be constructed to solve DDH problem.

Proof 2

The simulator is constructed as follows.

Setup: Let \(\:G\) be a cyclic group with prime order \(\:q\) and \(\:g\:\)is a generator.

The simulator picks \(\:\:{s}_{j},{y}_{j},a,b\in\:{Z}_{q}^{\text{*}}\) and implicitly sets \(\:\sum\:_{n=0}^{t-1}{y}_{j}\bullet\:{\varDelta\:}_{n}=a\bullet\:b\).

Besides, it simulates \(\:{n}_{s}\:\)servers which have elements \(\:\{{B}_{j,0},{B}_{j,1},\dots\:{B}_{j,n}\}\) respectively. The simulator picks \(\:{r}_{2}\in\:{Z}_{q}^{\text{*}}\) and sends \(\:\{{g}^{a},{g}^{b}\:\}\) to the adversary.

Then the simulator constructs polynomials \(\:\:{p}_{j}\left(x\right),\:{q}_{j}\left(x\right)\) for each server formatted like (1), (2).

Credential reconstruction query: For a given set \(\:\:\left\{{A}_{i,0},{A}_{i,1},\dots\:,{A}_{i,m}\right\}\), the simulator obtains the set intersection with each server. If the intersection exceeds the threshold value then the simulator returns \(\:{y}_{j}\) otherwise returns a random value \(\:{c}_{j}\).

Challenge: The challenger outputs two credentials \(\:{g}^{\sum\:_{n=0}^{t-1}{y}_{j}\bullet\:{\varDelta\:}_{n}}\) and \(\:{g}^{\sum\:_{n=0}^{t-1}{c}_{j}\bullet\:{\varDelta\:}_{n}}\). Without loss of generality, let \(\:\sum\:_{n=0}^{t-1}{c}_{j}\bullet\:{\varDelta\:}_{n}=c\), then the two credentials equal to tuple \(\:\{{g}^{ab},{g}^{c}\}\) and the target of the adversary is to distinguish the tuple which is equivalent to DDH problem.

5.2 Efficiency evaluation

Then we will compare our DPSBTA with the relevant schemes [24, 26, 32] which deployed PSI technique to remote servers. For the clearness of description, we introduce the metrics employed in PSI calculation to assess the efficacy of our scheme, which are detailed in Table 1.

Table 1 Abbreviations and notations
Full size table

In our DPSBTA, the set intersection calculation phase needs to run \(\:4n\) times of exponential operations, 1 hash operation and \(\:n\) times of multiplication operations. The comparison results are shown in Table 2.

Table 2 Efficiency comparison
Full size table

From Table 2, it can been seen that all the schemes have the same communication complexity\(\:\:O\left(n\right)\). Our DPSBTA requires a higher number of exponential operations but significantly reduces the total count of group and multiplication operations. Besides, our DPSBTA does not need to introduce extra encryption mechanism, which relives the overall calculation burden.

The simulation experiments involving our DPSBTA algorithms were conducted by utilizing the PBC library on a Windows 11 operating system equipped with an Intel Core i7, 2.2 GHz processor, and 8 GB of memory. We employed the elliptic curve Type A to establish the group structure, setting the group size to 128 bits. The execution times for each algorithm are presented in Figs. 123 and 4 respectively. One can note that the execution time of each algorithm increases roughly linearly with the expanding size of the set, yet it remains reasonable, as the total verification time is less than 3 s even when the set contains 100 elements. Overall, the time consumption is acceptable in practical application scenarios.

Fig. 2
figure 2

a Time consumption of elements delivery (client side).  b Time consumption of elements delivery (server side)

Full size image
Fig. 3
figure 3

Time consumption of credential reconstruction

Full size image
Fig. 4
figure 4

Time consumption of verify

Full size image

5.3 Analysis of functional properties

Apart from the tangible security and efficiency, our DPSBTA also has the following functional properties.

The first is the fully decentralized robust authentication manner. Our DPSBTA operates without a central trusted authority or a key generation center, distributing the authentication process across servers. This is achieved through a dual threshold mechanism: a user is granted a credential segment by a server only if the number of elements in the intersection of their designated sets exceeds a predefined trapdoor value set by the server. Conversely, the user’s authentication is successful only if they accumulate enough credential segments, which is determined by a threshold value negotiated among the dedicated servers within the system.

The second is the privacy protection of the data sets a user holds. The system preserves user privacy in the delivery and authentication phases, as the servers are unaware of whether a user possesses enough elements or the credential issued by a specific server. This ensures that user authentication remains private.

The third is the reduction of the communication rounds. The communication process during credential delivery is optimized, requiring only two rounds between the user and each server. This round-optimal property is achieved by one round for transmitting encrypted elements and another for receiving the designated set along with the encrypted credential. This reduces the servers’ interaction with numerous users, mitigating the risk of potential traffic bottlenecks and enhancing the overall efficiency of the system.

6 Limitations and prospects

Our DPSBTA realizes round optimal, privacy persevering and robust authentication for decentralized systems. Nevertheless, one limitation is that the calculation burden goes linearly with the amount of public parameters. When the sizes of private sets involved in the servers grow large, the computation workload during the authentication will also increase.

Our future work will continue to investigate the authentication mechanism in decentralized system and attempt to optimize the performance of DPSBTA. An ideal situation is that the calculation burden remains at a rough constant level despite the changing sizes of the private set thus promoting the efficiency of the whole decentralized system.

7 Conclusion

In the paper, we present a new cryptographic concept named designated private set based trapdoor authentication (DPSBTA), which provides flexible and efficient trust management in decentralized systems. The DPSBTA framework offers a decentralized authentication mechanism that does not rely on a trusted authority, which is a common requirement in many existing authentication systems. The DPSBTA framework’s advantages lie in its ability to provide a secure and decentralized authentication process without the need for a central authority, which is particularly beneficial in scenarios where centralization could be a vulnerability. It also offers a method to manage access control in a manner which is flexible and adaptable to the specific needs of different users and systems. The theoretical proof and the experimental results demonstrate the high security level and satisfactory performance of our DPSBTA.