An Identity Management and Authentication Scheme Based on ...staff.ustc.edu.cn/~kpxue/paper/TVT-jiexu-2020.4-earlyaccess.pdf · They focus on user oriented paradigm, called user-centric

0018-9545 (c) 2020 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.

This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/TVT.2020.2986041, IEEETransactions on Vehicular Technology

1

An Identity Management and AuthenticationScheme Based on Redactable Blockchain for

Mobile NetworksJie Xu, Kaiping Xue, Senior Member, IEEE, Hangyu Tian, Student Member, IEEE, Jianan Hong,

David S.L. Wei, Senior Member, IEEE, Peilin Hong

Abstract—More and more users are eager to obtain morecomprehensive network services without revealing their privateinformation. Traditionally, in order to access a network, a useris authorized with an identity and corresponding keys, whichare generated and managed by the network operator. All users’personally identifying information are centralized stored by thenetwork operator. However, this approach makes users losethe control of their personally identifying information. Usersare concerned about who can access these sensitive data andwhether they have been compromised. In this paper, we proposea blockchain-based identity management and authenticationscheme for mobile networks, where users’ identifying informationare controlled by the users themselves. Our scheme let usersgenerate their self-sovereign identities (SSIs) and correspondingpublic keys and private keys. The private key used to authenticatethe user’s identifying information is only known to the user. Weuse blockchain to record SSIs and public keys of legitimate user,and adopt chameleon hash to delete illegal users’ information onthe blockchain, while keeping the blockchain head unchanged.Furthermore, other service providers can obtain the user’sSSI and public key and authenticate users by querying theblockchain. Experimental results confirm that our scheme cangreatly reduce the revocation overhead and communicationoverhead.

Index Terms—Identity management, mutual authentica-tion, chameleon hash, fine-grained access control, redactableblockchain.

I. INTRODUCTION

W ITH advances in wireless communication technology,users are eager to obtain more efficient and compre-

hensive mobile network services. In order to prevent usersfrom illegally accessing or attacking the network, identitymanagement and access authentication play a critical rolein mobile network security. In general, users can only usetheir credentials, such as identity cards, to register with theirlocal network operator to obtain their unique InternationalMobile Subscriber Identification Number (IMSI) and thecorresponding symmetric keys for accessing network [1].

However, there are many shortcomings in existing service-centric wireless mobile network architecture. First of all,mutual authentication between users and operators is basedon symmetric encryption system, which means that users can

J. Xu, K. Xue, and H. Tian are with Department of Electronic Engineeringand Information Science, University of Science and Technology of China,Hefei, Anhui 230027, China. J. Hong is with Huawei Shanghai ResearchInstitute, Shanghai 201206, China. D. Wei is with Department of Computerand Information Science, Fordham University, New York, NY 10458, USA.

Corresponding Author: K. Xue (Email: [email protected])

only be authenticated by their local network operators throughsymmetric key. In order to authenticate users, the local networkoperator has to store all the authenticated users’ symmetric keyin its Authentication Center (AuC) [2], which is a databasein its core network. Each time a user accesses the mobilenetwork, the user’s authentication request needs to be sent tothe core network. Centralized authentication leads to a singlepoint bottleneck problems. The security of the operator’s AuCis critical, and once it is compromised, it may affect millions ofusers of the network. Secondly, in the service-centric wirelessmobile network architecture, if users want to access othernetwork services, they must rely on local operators to providetheir own information to other service providers. Thus, usershave no control over how much their information is exposed.Users’ identity information is very sensitive and needs to bestrictly controlled [3]. Operator’s coarse-grained exposure ofthe user’s information for commercial benefit or other reasonsmay cause serious damage of privacy violation to the user.Even worse, users cannot effortlessly change their networkoperators without giving up their original digital identities. Inother words, once a user changes his or her network provider,he or she must give up the personal information in otherapplications associated with the original identity. As a result,users have less control over their identity, the relationshipbetween operators and users is difficult to change, and marketcompetition decreases.

Self-Sovereign Identity (SSI) can be seen as an identitymanagement model where the user’s identity is fully owned,controlled and managed by the entity to which the identitybelongs [4]. Unlike traditional identity management schemes,such as isolated identity model or federated identity model,each user can not only control the secure storage and accessof personally identifying information, but also add or deletehis/her personally identifying information. Therefore, thiskind of identity management infrastructure does not need totrust any central authority and can exist in a decentralizedenvironment that does not belong to or be controlled by acentralized authority. In addition, SSI is portable and can neverbe taken away from the owner.

Meanwhile, blockchain [5] can be treated as a public,digitized, and distributed ledger built on peer-to-peer network.In blockchain system, data generated by participating entitiesare published as a transaction, and transactions are packagedinto a block. Blocks are added to the blockchain by minersin chronological order. It is worth noting that miners who add

Authorized licensed use limited to: University of Science and Technology of China. Downloaded on April 11,2020 at 04:38:33 UTC from IEEE Xplore. Restrictions apply.



2

data are independent individuals, and there are no centralizedthird-party authorities in the blockchain. All participatingentities store the blockchain and periodically update theblockchain. It is easy to share information among multipleparticipating entities. Blockchain helps with implementinga system with no need of a semi-trusted party such as acentral Certification Authority (CA). Therefore, blockchainis an ideal mechanism to serve as a decentralized publicpublishing and query platform for users’ self-sovereignidentities management.

Motivated by the above observations, we introduce ablockchain-based self-sovereign identity management and au-thentication scheme to enable users to manage personally iden-tifying information. In our user-centric identity management,users generate their SSI and obtain personally identifyinginformation associated with the SSI from distributed trustentities. Network operators authenticate users through SSIsand their personally identifying information (recorded asclaim). The SSIs and corresponding public keys of legitimateusers are added to blockchain by network operators forothers to query. To defend illegal use of network servicesby users, user dynamic revocation is an essential part of useridentity management schemes. However, a trivial solution bywhich network operators maintain and update the revocationlist requires heavy storage overhead. In order to reducestorage overhead, network operators utilize chameleon hash[6] to remove illegal users’ information on blockchain insteadof maintaining revocation lists to implement dynamic userrevocation.

The main contributions of this paper can be summarized asfollows:

◦ We propose a self-sovereign identity management schemefor wireless mobile networks. By introducing self-sovereignidentity, even if a user changes his/her operator, he/shecan still retain control over his/her identity and personallyidentifying information.

◦ We design a lightweight authentication protocol basedon blockchain between users and network operators orservice providers. Network operator or service provider canauthenticate user and negotiate session key by queryingblockchain. There is no need for service provider tomaintain a database to save users’ keys; and the usercan authenticate with service provider without creating aredundant identity.

◦ We further provide an efficient and fine-grained dynamicuser revocation method by utilizing the chameleon hash.The network operator can revoke users at any time bymodifying users’ register information on blockchain withno need of maintaining the revocation list, thereby reducingthe authentication delay, and storage overhead.

The rest of this paper is organized as follows. We reviewrelated work in Section II, and introduce the system model,threat model and design goals in Section III. Then, we describethe detailed construction of our proposed scheme in Section V.Security analysis and performance evaluation are presented inSection VI and Section VII, respectively. Finally, we concludethis paper in Section VIII.

II. RELATED WORK

In this section, we discuss the related work in termsof identity management and traditional authentication forwireless mobile networks.

A. Identity Management Scheme

Centralized infrastructures are the most common identitymanagement [7–9], where users’ personally identifyinginformation are controlled by an organization rather thanthe user himself/herself. It means that the organization maydisclose the information of the user at any time. Once anorganization’s database is compromised, the adversary canenter into each user’s account. In addition, the centralizedsystem is a closed system, making it difficult to transfer users’personally identifying information from one application toanother [10]. In order to solve the problem of centralization,some studies have proposed federated identity management[11, 12]. Users are allowed to log into multiple services withinthe federated domain using one identity. Although federatedidentity management achieve identity portability to someextent, the identity of users is still controlled and managed byfederated service providers. Meanwhile, there have been quitea few proposed schemes contributing to meet the user privacyprotection requirements [13–15]. They focus on user orientedparadigm, called user-centric identity management, enablingusers to selectively authorize personal data under variousconditions and reveal the credentials presented in responseto authentication requests. In the literature [13], Singh et al.proposed a user-centric model, which is recorded as a privacy-aware Personal Data Storage (PDS). By active learning, PDScan automatically make privacy-aware decisions on third-partyaccess requests based on user preferences.

However, the user-centric model does not enable users tofully control and manage their personally identifying infor-mation, while self-sovereign identity management achieves itusing blockchain technology. In 2017, Alboaie et al. [16]introduced a private data system, in which all private dataare encrypted and stored in nodes throughout the Internet. Theuser has full control over the decryption key and can share andrevoke access to private data at any time. After that, Othmanet al. [17] combined a decentralized SSI ecosystem withBiometric Open Protocol Standard (BOPS). In [17], any entitycan access the user’s personally identifying information onlyafter successful biometric authentication. In 2019, Ferdous etal. [18] aimed at giving a comprehensive and rigorous conceptof self-sovereign identity. They also demonstrated severalenvisaged self-sovereign identity management processes.However, it is just a rough idea and there is no detaileddesign. In addition, there are also several projects that combinedistributed ledger technology (DLT) and SSI, such as uPort[19], Sovrin [20] and ShoCard [21].

Although [16–21] can solve the problem of users’ losing thecontrol of their identifying information [7–15], these schemesare unable to let the network operator revoke users wheneverthe network operator controls users access to the network. Inthis paper, we introduce a self-sovereign identity managementscheme for mobile networks. It allows the network operator




3

to revoke users, while the user’s identity is still valid in otherservice application even if the user is revoked by the networkoperator.

B. Authentication Schemes for Wireless Mobile Networks

Due to the open access characteristics of wirelessmobile networks, it is important to perform network accesscontrol to thwart malicious attacks. Although public keyinfrastructure (PKI) has been widely used to implementmutual authentication between users and servers, it is stilla big challenge for PKI to establish a trust authority tomanage all certificates. Recent research [22, 23] indicates thatIdentity-Based Cryptography (IBC) authentication system caneliminate heavy certificate management burden based on PKI.While IBC-based works show great advantages for applicationscenarios involving devices with restricted resources, thesework assume that a trusted centralized Private Key Generator(PKG) exists. This means that all participants are required tofully trust the centralized PKG to generate private keys, whichmay lead to single-point bottleneck. In [24] and [25], authorspropose to authenticate users by using group signatures, butthese schemes may not be suitable for some IoT devices withlimited computing resource because of the high computationaloverhead of group signatures.

Nowadays, in order to provide users with a wider rangeof network services, many studies have done a great deal ofwork on roaming authentication, such as [25–29]. In theseschemes, a user only have one identity and its correspondingkey generated by the local domain server for network access.When a user roam to a foreign network, the user sends accessnetwork requests to the foreign operator, and the foreignoperator forwards the user’s authentication request to user’slocal domain server for authentication. The local domainserver authenticates the user and returns the authenticationresult to the foreign domain server [25–27]. However,since authentication of the user requires the participationof the user’s local server, authentication delay caused bycommunication between the foreign server and the local serveris inevitable. Thus, some research [28, 29] are committed totwo-party roaming protocols, so that user authentication doesnot require local network operators to be online in real time.Unfortunately, in these schemes, the foreign domain servercannot discover the users revoked by the local domain in time,resulting in illegal access.

In addition, it is worth noting that all of the aboveauthentication schemes must involve the central server. Thismeans that once the central server crashes, the entire systembreaks down. Therefore, in this paper, we propose a distributedauthentication scheme, which can authenticate users at theedge of the network, thus eliminating single point bottleneckand enhancing robustness.

III. SYSTEM MODEL, THREAT MODEL, AND DESIGNGOALS

In this section, we introduce the system model, threat model,and design goals of our proposed scheme.

User

SPIssuer

Network Operator

Verifiable Claim Claim

Claim

Trust relationship Trust relationship

Register

Authorization

QueryQuery Revocation

User

SPIssuer

Network Operator

Verifiable Claim Claim

Claim

Trust relationship Trust relationship

Register

Authorization

QueryQuery Revocation

Fig. 1. System model

A. System Model

As depicted in Fig. 1, there are mainly five components,which are described in detail as follows:• User: The user is the owner of an SSI. A user generates SSI

and its corresponding public key, uniquely and completelycontrol and manage SSI. A user can have multiple SSIs atthe same time, and there is no connection between SSIs.The user stores claims related to his/her SSI locally, andpresents them to the service provider as needed.

• Issuer: The issuers are distributed trust entities such asschools, banks, companies, etc. They issue verifiable claimsfor certain attributes of the SSI owner. These verifiableclaims include the issuer’s signature for verification byothers.

• Network operator: It verifies users’ verifiable claims anddetermines whether users can access the network. Allparticipating network operators form a consortium to jointlymaintain the blockchain. Network operators can also revokeusers by modifying transactions on blockchain. There is anexisting trust relationship between the verifier and the issuer.

• Service provider (SP): It obtains the user’s SSI andcorresponding public key by querying the blockchain. Userscan prove their own SSIs to SPs by signing with their privatekeys.

• Blockchain: It is a consortium blockchain maintained bynetwork operators for publishing users’ SSIs and publickeys. Any entity can read the information on the blockchain.The transactions in a block constitute a merkle hash tree,where the first layer of hash is a chameleon hash. Networkoperators can modify transactions while keeping blockheaders unchanged.

B. Threat Model

We assume that there may be passive attack and activeattack in wireless mobile networks. Active adversaries mayinvolve modifying messages or disrupting communicationsbetween user and network operator or service provider.Typical active attacks include replay attacks, injection attacks,DoS attacks, and DDoS attacks. An active adversary maybe a user, performing various attacks in order to illegallyoccupy network resources. Unlike active attacks, passive




4

adversaries do not actively interrupt user communications.The passive adversaries may get user’s private information byeavesdropping on user messages or by analyzing user traffic.

In addition, we assume that there are 3f + 1 networkoperators in the consortium to maintain the blockchain, andthere are no more than f malicious nodes in the consortium.

C. Design Goals

We aim to achieve a secure and efficient identitymanagement and authentication in wireless mobile networks.Specifically, our design goals include the following:

• Identity security: For confidentiality, personally identifyinginformation interactions must be transmitted over a securechannel. Only users themselves have the private keycorresponding to their own SSI. No adversary canimpersonate a user to apply for claims or present claims.Identity security also includes the availability of identity.Even if a user’s SSI is revoked by network operator, the userstill controls his or her SSI and related claims, which meansthat the user can still use his/her SSI in other applications.

• Mutual Authentication: The authentication scheme includesmutual authentication between users and network operators,and also between users and SPs. Network operators andSPs only provide services to users who have successfullyauthenticated. Meanwhile, users only trust the services ofsuccessful network operators and SPs.

• Session Key Security: After successful authentication, anetwork operator and a user negotiate a session key. Thesession keys satisfy forward security and backward security, that is, even if the current session key is compromised, theprevious or subsequent session keys remain secret.

• Portability:An SSI can be used in multiple platforms at thesame time. Moreover, users can start or quit using SSI onthe platforms at any time. Even if an SSI of the user isrevoked in one platform, it does not affect the SSI used inother platforms.

• Scalability: There is no single point bottleneck problem. Thesystem can support large-scale user identity managementand handle a large number of identity authenticationrequests at the same time.

IV. PRELIMINARIES

In this section, we illustrate background knowledge usedin this paper, including definition of discrete logarithm andits security assumptions, chameleon hash algorithm, anddescription of verifiable claim.

A. Discrete Logarithm

Definition 1 (Discrete Logarithm Problem (DLP)). LetG be a cyclic multiplicative group generated by g with theprime order q. For any Probabilistic Polynomial Time (PPT)adversary A, the probability of finding x ∈ Z∗q to satisfy theequation y = gx is negligible, when giving the parameters gand y.

B. Chameleon Hash

Chameleon hash was first proposed by Krawczyk andRabin in 2000 [6]. It is an important function of chameleonsignature, which was originally designed to not allow therecipient to disclose the contents of the signed informationto anyone without the consent of the signer. Chameleon hashcan be viewed as a cryptographic hash function that containsa trapdoor. If there is no trapdoor, it is collision-resistant,but is collision tractable with the knowledge of the trapdoorinformation. Later, Ateniese et al. [30] proposed an approachthat uses chameleon hash to replace the hash function inblock head to make blockchain redactable. After that, Derleret al.[31] further uses policy-based chameleons to implementtransaction-level rewriting, thereby supporting the fine-grainedand controllable modification.

Next, we give the definition of Chameleon hash, andthen show the detailed chameleon hash generation process inAlgorithm 1, which is according to the work done by Atenieseet al. [30].

Definition 2 (Chameleon-Hash). This chameleon hashCH consists of four algorithms (Gen,Hash, V er, Col). Thealgorithm details are as follows:• (hk, tk) ← CH.Gen(1κ):The key generation algorithm

takes the security parameter κ ∈ N as input, and outputsa public hash key hk and a secret trapdoor key tk.

• (h) ← CH.Hash(hk,m; r, s): The Chameleon hashalgorithm takes the hash key hk, a message m, and (h, r, s),where r and s denote the random number used to generatethe hash value as input, and outputs a chameleon hash h.• d ← CH.Ver(hk,m, (h, r, s)):The verification algorithm

takes the hash key hk, a message m, and (h, r, s) as input,and returns d = 1 if and only if CH.Hash(hk,m; r, s) = h.Otherwise, d equals 0.• (r′, s′)← CH.Col(tk, h,m′):The collision finding algorith-

m takes the trapdoor key tk, a chameleon hash h, anda new message m′ as input, and returns a new pair of(r′, s′) such that h=CH.Hash(hk,m′; r′, s′). If (tk, h,m′)is invalid, then the algorithm returns NULL.

Algorithm 1: Chameleon HashInput: Message m, public hash key y, and secret

trapdoor key x;Output: Chameleon hash h;

1 Select prime p, q where p = 2q + 1;2 Select prime g, which is a generator for the subgroup of

quadratic residues QRp of Z∗p;3 Select random value r and s, where r, s ∈ Zq;4 Compute chameleon Hash value h = r − (yH(m||r) · gsmod p) mod q, where H : {0, 1}∗ → Zq is astandard-collision resistant hash function;

5 return (h, r, s);

C. Claim

Definition 3 (Claim). Claims are assertion that describevarious attributes related to an entity.




5

Definition 4 (Verifiable Claim). Verifiable Claims are claimsmade by a third party about another entity. Verifiable claimscan be verified by the public key associated with the issuer’sSSI, and cannot be denied. An entity can have multipleverifiable claims at the same time, and stored them locally.

V. OUR PROPOSED SCHEME

In this section, we first give the overview of our pro-posed self-sovereign identity management and authenticationscheme. In the following, we provide a detailed description ofour scheme, which mainly consists of five phases: InitializationPhase, Consensus Phase, User Authentication Phase, DynamicRevocation, and Payment Phases.

A. Overview

In self-sovereign identity management, users generate theirself-sovereign identities ID and the corresponding public andprivate keys (pk, sk). Before a user requests service froma network operator, the user should sends (ID, pk) to theissuer trusted by the network operator for verifiable claims.It is noteworthy that a user can generate several different(ID, pk, sk) to be authenticated by different issuers to obtainmultiple verifiable claims. In order to access the network,the user provides the verifiable claim to the network operatorfor authorization. The network operator packages authorizedusers’ SSI and public keys into a transaction. The transactionis eventually added to the consortium blockchain maintainedby network operators. After that, not only the network operatorbut also any third party, such as a service provider, can usethe user’s public key obtained by querying the blockchainto authenticate the user. After authentication, the networkoperator and the user negotiate for session keys by sharingsecret parameters to ensure the privacy of subsequent sessioninformation, and so does between the service provider and theuser.

If a user is detected illegally accessing network, the networkoperator who allows the user to access network can revoke theuser. More precisely, the network operator first generates a newtransaction that does not contain the revoked user’s registrationinformation to replace the original transaction that containedthe revoked user’s registration information. Then, the networkoperator generates a chameleon hash of the new transaction,broadcasting the new transaction and the new chameleon hashparameters to other network operators in the consortium. Aftersuccessfully verifying the chameleon hash parameters, othernetwork operators replace the original stored transaction withthe new one. Therefore, users on blockchain are now legitimateusers, there is no need to maintain a revocation list.

B. Details of Our Proposed Scheme

Here we give a detailed description of our proposed system,which can be divided into five phases: 1) Initialization phase,2) Consensus phase, 3) User authentication phase, 4) Dynamicuser revocation phase, and 5) Payment phases.

Algorithm 2: Operator initializationInput: Security parameter κ;Output: Secret trapdoor key x and public hash key y;

1 Select prime p, q, where p = 2q + 1;2 Select g, which is a generator for the subgroup of

quadratic residues QRp of Z∗p;3 Select a random value x ∈ [1, q − 1] as the secret

trapdoor key;4 Set the public hash key y = gx;5 return (x, y);

1) Initialization Phase: The initialization phase can bedivided into two parts. One part is the network operatorinitialization, which generates the network operator’s secrettrapdoor key and public hash key through Algorithm 2.

The other part is user initialization part, which is illustratedin Fig. 2. The detailed steps are described as follows.(1) User Ui generates his/her identity IDUi and the

corresponding public key pkUi and private key skUi byusing a public key algorithm such as RSA. Then, the usersends (IDUi

, pkUi) to the issuer through a secure channel.

(2) Upon receiving the user’s message, the issuer I firstlyverifies (IDUi

, pkUi). If IDUi

has already been registeredor it is invalid, the issuer rejects the request. Otherwise,the issuer generates a verifiable claim claim and itssignature σUi

= SigskI{H(IDUi, pkUi

, claim,LT )} forUi, where LT is the lifetime for the verifiable claim. Then,I sends {IDUi

, pkUi, claim,LT, σUi

} to Ui through asecure channel.

(3) Upon receiving σUi from the issuer, the user can sendnetwork access requests to network operator Oj . Firstly,the user generates a timestamp ts1, and then computesEclaim = Enc(pkOj

, {claim,LT}) and signature SUi=

SigskUi{H(ts1, claim,LT, σUi

)}. Finally, the user sends{IDUi , pkUi , ts1, Eclaim, σUi , SUi} to Oj .

(4) Upon receiving the message from Ui, Oj verifies whetherthe timestamp ts1 is within the allowed range comparedto current time. If not, Oj rejects the request; otherwise,Oj continues to check whether the lifetime LT is withinthe allowed time. If not, Oj stops the session. Otherwise,Oj decrypts Eclaim to get the claim, and verifies thesignature SUi . If the signature is valid, Oj authorizes Uito access the network.

Similarly, a user can generate several SSIs and correspond-ing public and private keys to obtain verifiable claims ofdifferent issuers and store them locally. Besides, a user canuse one SSI to register with multiple network operators forauthorization at the same time. Thus, the user can hand over todifferent networks according to external network environmentwithout changing his/her identity.

2) Consensus Phase: After a network operator authorizesa user, the network operator adds the user’s registrationinformation to blockchain, which is a consortium blockchainmaintained by network operators. To improve efficiency, eachnetwork operator periodically packs the information of itsauthorized users in a time slot into a transaction. Algorithm 3




6

Issuer User

Network Operator

Verifiable claim request:

User

Access network request:

6. , , , ,i i iU U UID pk claim LT

2. ,i iU UID pk

14. , , , , ,i i i iU U U UID pk ts Eclaim S

1. Generate identity ,

and correspnding private key

and public key: ,

i

i i

U

U U

ID

sk pk

3. Verify SSI;

4. Generate

5. Compute signature:

, , ,i I i iU sk U U

claim

Sig H ID pk claim LT

1

1

1. Generate timestamp

2. Compute ( ,{ , })

3. Compute signature:

, , ,

j

i iUi

O

U sk U

ts

Eclaim Enc pk claim LT

S Sig H ts claim LT

15. Verify timestamp

6. Decrypt

7.Verify , and signature

8. Add information to blockchain

ts

Eclaim

LT claim

Fig. 2. User initialization

illustrates the detail of the process of transactions generation.After the transaction is generated, the network operatorbroadcasts {tOj

} to other network operators in the consortium.

Algorithm 3: Transactions generationInput: All the authorized users’ identities, public keys,

operator’s public hash key y;Output: Transaction txOj ;

1 foreach authorized user IDUido

2 Set σij = {IDOj

Ui, pkUi

};3 end4 Set wj = {σ1j , ..., σij};5 Set message m = {IDOj

, wj , Sigskj{H(wj)}};6 Select random value r and s, where r, s ∈ Zq;7 Compute Chameleon hash value h = r − (yH(m||r) · gsmod p) mod q, where H : {0, 1}∗ → Zq is astandard-collision resistant hash function;

8 Set txOj= {m,h};

9 return tOj ;

Blockchain is a distributed system that does not depend ona central authority. Therefore, an algorithm is needed to enablenetwork operators in the consortium to reach a consensus. Inour proposed scheme, the consensus of consortium blockchainis Practical Byzantine Fault Tolerance (PBFT) [32]. Weassume that there are a total of 3f + 1 network operators inthe consortium. There is only one leader in each time period,and the leader is rotated by network operators.

Every once in a while, network operators verify the validityof the received transaction with the corresponding (r, s).Then, each network operator multicasts the verification resultsof the transactions. After the pre-prepare, prepare, commit,and reply phase of the PBFT consensus, legal transactionsare added to the consortium blockchain maintained by allnetwork operators. It is important to highlight that the hashof transaction is chameleon hash. As it can be seen from Fig.3, the first level of merkle tree is the chameleon hash valueh, which are contained in transactions.

Prehash Time

Merkle_root

Index Nonce

1tx 2tx 3tx 4tx

1htx 2htx 3htx 4htx

5tx 6tx 7tx 8tx

5htx 6htx 7htx 8htx

12hash 34hash

1234hash

56hash 78hash

5678hash

1kBlock 1kBlock

Chameleon

Hash

Fig. 3. Structure of block with chameleon hash

3) User Access Phase: After a user’s SSI and public keyare added to blockchain, the user can authenticate with anetwork operator or a service provider to negotiate a sessionkey to encrypt communication message. The detailed processfor the user Ui to access the network operator Oj’s network isas follows, and the process of the user Ui requiring the servicefrom SP is similar.

(1) User Ui first generates random value r1, timestamp ts2,and computes signature αUi = SigUi{H(r1, ts2)}. Then,Ui sends {IDUi

, r1, ts2, αUi} to network operator Oj .

(2) Upon receiving the message from Ui, Oj first verifiesthe timestamp. If ts2 is not within the allowed rangecompared to current time, Oj rejects the access request;otherwise, Oj searches for pkUi on blockchain with IDUi .If there is no pkUi

, Oj rejects user’s access request.Otherwise, Oj verifies the signature αUi

with pkUi. If

αUiis not valid, Oj stops the session; otherwise, Oj

randomly generates the seed of session key for Ui,and timestamp ts3. Then, Oj computes the signatureβOj = SigOj{H(ts3, SigOj (r1), Enc(pkUi , seed))} andthe session key SKij = H(IDUi

||IDOj||ts2||ts3||seed).

Finally, Oj sends {ts3, SigOj(r1), Enc(pkUi

, seed), βOj}

to Ui.(3) Upon receiving the message from Oj , Ui checks if ts3

is within the allowed range compared to the currenttime. If so, Ui queries the network operator’s public keyon blockchain, and then verifies the received signatureβOj

. If βOjis valid, Ui decrypts the Enc(pkUi

, seed)to get the seed, and computes the session key SKij =H(IDUi ||IDOj ||ts2||ts3||seed); otherwise, Ui restarts theaccess request.

It should be pointed out that if any other service provideror foreign network operator trusts the local network operatorOj to verify the user’s claim, the service provider or foreignnetwork operator can trust the user on the blockchain addedby Oj and not verify the user’s claim again. Therefore, theycan search for pkUi from the blockchain to authenticate userUi, and support the user accessing service. As a result, theuser can have access to multiple services with one identityIDUi

and the corresponding private key.4) Dynamic Revocation: Considering that some users

may illegally access network, and network operators need torevoke these illegal users and prevent them from accessingnetwork. In general, each network operator needs to maintainand periodically update a revocation list. However, it might




7

bring heavy storage overhead and communication overhead.In our scheme, we utilize chameleon hash to delete illegalusers’ registration information stored on blockchain insteadof revocation list. If there is no public key of a user on theblockchain, the user can be considered as an illegal networkuser. In order to delete the registration information on theblockchain, the network operator who authorizes users toaccess the network, generates a new transaction that doesnot contain illegal user’s registration information in place ofthe transaction containing the legitimate user’s registrationinformation on the blockchain. After the new transactionis verified by other network operators in network operatorconsortium, it replaces the original transaction. The specifictransaction replacement steps are as follows:(1) If Oj needs to revoke user Ui, whose registration informa-

tion is contained in txOj, Oj first generates a new message

m′ = {IDOj, σ1j , ..., σi−1j , Sigskj{H(w′j)}}, where

σkj = {IDUk, pkUk

}, w′j = {IDOj , σ1j , ..., σi−1j}. m′is the same as m except that m′ does not contain theregistration information of Ui. Then, Oj generates a newtransaction tx′Oj

with m′ as described in Algorithm 3.(2) Oj generates chameleon hash collision with m′ and its

private trapdoor key. Algorithm 4 illustrates the processof the chameleon hash collision.

(3) After executing Algorithm 4, Oj can obtain r′ and s′.Then, Oj generates a new transaction tx′Oj

= {m′, h}.Oj broadcasts {tx′Oj

, r′, s′} to other operators.(4) After other network operators received the new trans-

action, they first verify whether h is equal to r′ −(yH(m′||r′) · gs′ mod p) mod q. If so, other networkoperators store the new transactions tx′Oj

and delete theoriginal transaction txOj

.

Algorithm 4: Chameleon collisionInput: Updated message m′, chameleon hash h,

operator’s secret trapdoor key x;Output: updated (r′, s′);

1 Select a random value k ∈ [1, q − 1];2 Compute updated r′ = h+ (gk mod p) mod q;3 Compute updated s′ = k −H(m′||r′) · x mod q;4 return (r′, s′);

5) Payment Phase: Cryptocurrency can provide usersand network operators with more convenient and securetransaction methods of trading. However, the processingspeed of cryptocurrency transactions is limited and transactionfees is overwhelming even for small value transactions.Instead, micropayment channel [33] is the most promisingsolution to significantly reduce transaction time and savetransaction costs. As shown in Fig. 4, we propose to utilizemicropayment channel to conduct secure payments offchain.The detail of micropayment channel can be found in [33]. Themicropayment channel scheme mainly consists of three steps:establish channel, update channel, and close channel.(1) User Ui first creates a funding transaction on bitcoin

blockchain. Ui pays an amount of bitcoins b0 to a P2SH

Funding Transaction Settlement Transaction

Network OperatorUser

Refund Transaction

......

Commitment Transaction

Commitment Transaction

Fig. 4. The structure of Userchain

output in funding transaction, whose 2 − of − 2 multi-signature redeem script requires signatures from bothUi and Oj . the user sends the transaction to Oj , andOj hold the bitcoin hostage. User Ui creates a refundtransaction, whose input is the input of the fundingtransaction, and the output is the address of the user. UserUi sends the refund transaction to SP for signature. IfOj checks that the refund transaction is valid, then Ojsigns the refund transaction and sends it to Ui. Finally,Ui broadcasts funding transaction and refund transaction.The refund transaction is invalid until the time-lock in thetransaction is unlocked. Thus, the micropayment channelis established.

(2) If a user needs to pay b bitcoins to Oj every minuteas service fee, then the user generates a commitmenttransaction every minute. The input of the commitmenttransaction generated by the user for the first time isthe input of the funding transaction, that is b0, and theoutput is b for Oj and b0 − b for Ui. Ui signs thefirst commitment transaction and sends it to Oj . Afterverifying the commitment transaction, Oj continues toprovide service. The input of the commitment transactiongenerated by the user for the second time is b0, and theoutput is 2 · b for Oj and b0 − 2 · b for the user. Theuser signs the second commitment transaction and sendsit to Oj . After verifying the commitment transaction, Ojcontinues to provide service. So on and so forth, the inputof the commitment transaction generated by the user forthe kth time is b0, and the output is k·b for Oj and b0−k·bfor the user.

(3) After k′ times service, if b0 − (k′ + 1) · b < 0, Oj couldclose the channel. To close the channel, Oj broadcaststhe most updated commitment transaction, which is as thesettlement transaction. After the miners add the settlementtransaction to the blockchain, Oj and the user can get theoutput of the settlement transaction. In this way, Oj canget k′ ·b bitcoins, and user can get back b0−k′ ·b bitcoins.

It is worth noting that the settlement transaction needs tobe broadcast before the time lock takes effect. Otherwise,the micropayment channel might close and all the bitcoins




8

may return to the user. As described above, only thefunding transaction and settlement transaction are on-chain,and all commitment transactions are off-chain. Therefore,micropayment channel could improve the scalability andreduce the transaction fees while ensuring the fairness.

VI. SECURITY ANALYSIS

In this section, we analyze the security of our proposedscheme according to the design goals described in III-C.

A. Identity Security

It is worth mentioning that in our proposed scheme, user’s i-dentity Ui, public key pkUi , and private key skUi are generatedby the user him/herself. The issuer authenticates the user andissues claim and σUi

= SigskI{H(IDUi, pkUi

, claim,LT )},which contains (IDUi

, pkUi) that cannot be tampered with

by any adversary. Network operator authorizes the user andadds the user’s (IDUi , pkUi) to blockchain, so it cannot betampered with by any adversary. Thus, each legal identity ofthe user has exactly one pair of authenticated (pkUi

, skUi).

For any probabilistic polynomial-time (PPT) adversary, he/shecannot derive the private key according to the correspondingpublic key or encrypted messages. Moreover, the user onlyuses the private key to decrypt or sign during all authenticationprocesses, and does not reveal the private key, so the user’sprivate key is only controlled by the user. Consequently, ourproposed scheme offers identity security.

B. Mutual Authentication

In initialization phase, Ui obtains σUi , which containsIDUi and pkUi signed by the issuer. The network operatorauthenticates the user by verifying signature σUi

and SUi.

Since the user’s private key is only controlled by the userand we assume that the issuer’s private key is secure. Thus,no adversary without skI and skUi

can forge a feasible σUi

and SUi to pass validation by the network operator.In user access phase, the network operator authenticates

the user by verifying the signature αUiwith the pkUi

,where pkUi is the result of querying the blockchain withIDUi . Since we have proved that skUi is only controlledby the user, without skUi

, no adversary can forge a feasibleαUi

= SigUi{H(r1, ts2)} to pass validation by the network

operator. The user authenticates the network operator throughthe challenge-response method. As the network operator’sskOj is secure, no adversary without skOj can forge thenetwork operator’s signature on r1. Therefore, our schemeachieve mutual authentication.

C. Session Key Security

In each session between the user and the network operator,operator Oj randomly generates seed for the session withsession key SKij = H(IDUi ||IDOj ||ts2||ts3||seed). Due tothe one-way nature of the hash, no adversary can get the seeddirectly. Adversaries can only get the seed that is encryptedby the user’s public key. Thus, no adversary without skUi

can decrypt Enc(pkUi , seed) to get seed. For this reason,

no adversary can directly intercept and decrypt the messageto obtain seed. Furthermore, in each session, the seed israndomly generated, and thus has no correlation with the seedof the previous session and nor with the seed of the subsequentsession. This means that all session keys are independent.Even if an adversary obtains one of the session keys, he/shecannot decrypt the messages of other sessions between theuser and the network operator. Overall, our scheme couldprovide session key security, including the forward securityand backward security.

D. Portability

In our scheme, the user generates his/her own identity andprivate key, and sends it to the issuer for verification to obtaina verifiable claim. The verifiable claim corresponding to theidentity is securely stored by the user him/herself, and only theuser can prove the control of the verifiable claim with his/herprivate key. Since user’s identity and verifiable claim havenothing to do with network operators and service providers,the user can always manage and use his/her own identity andcorresponding verifiable claims to other service providers toobtain services. Therefore, the user’s identity is independentof each other in different services. An identity can be used notonly in multiple services at the same time, but also in otherservices after being revoked by one service.

E. Scalability

There is no central authority in the proposed scheme,and users obtain personally identifying information fromdistributed trust entities. Thus, there is no single pointbottleneck problem, and the system can support large-scaleuser identity management. In addition, mutual authenticationis based on the public key found on the blockchain, so theedge nodes of the network can authenticate users without theinvolvement of the central server. This approach improves theefficiency of authenticating users and supports handling large-scale authentication requests.

F. Security Comparison

We compare our scheme with four other representativeauthentication schemes for wireless mobile networks interms of mutual authentication, privacy preservation, sessionkey security, dynamic revocation, portability, scalability, andcentralized trusted authority. As shown in Table I, we concludethat only our scheme does not need a centralized trustauthority, and still achieves portability and scalability.

TABLE ISECURITY COMPARISON WITH RELATED WORK

Schemes [23] [24] [26] [28] Our SchemeMutual Authentication YES YES YES YES YESPrivacy Preservation YES YES YES YES YESSession Key Security YES YES YES YES YESDynamic revocation NO YES NO YES YES

Portability NO NO NO NO YESScalability NO NO NO NO YES

Centralized Trusted Authority YES YES YES YES NO




9

0 2 0 4 0 6 0 8 0 1 0 09

1 0

1 1

1 2

1 3

1 4

1 5

0 2 0 4 0 6 0 8 0 1 0 09

1 0

1 1

1 2

1 3

1 4

1 5

Time c

ost (m

s)

S a m p l e s e q u e n c e(a) Chameleon hash keys Generation

0 2 0 4 0 6 0 8 0 1 0 00 . 0 2 4

0 . 0 2 6

0 . 0 2 8

0 . 0 3 0

0 . 0 3 2

0 . 0 3 4

0 . 0 3 6

0 2 0 4 0 6 0 8 0 1 0 00 . 0 2 4

0 . 0 2 6

0 . 0 2 8

0 . 0 3 0

0 . 0 3 2

0 . 0 3 4

0 . 0 3 6

Time c

ost (m

s)

S a m p l e s e q u e n c e(b) Chameleon hash

0 2 0 4 0 6 0 8 0 1 0 0

0 . 0 1 4

0 . 0 1 5

0 . 0 1 6

0 . 0 1 7

0 . 0 1 8

0 . 0 1 9

0 . 0 2 0

0 . 0 2 1

0 2 0 4 0 6 0 8 0 1 0 0

0 . 0 1 4

0 . 0 1 5

0 . 0 1 6

0 . 0 1 7

0 . 0 1 8

0 . 0 1 9

0 . 0 2 0

0 . 0 2 1

Time c

ost (m

s)

S a m p l e s e q u e n c e(c) Collision Generation

Fig. 5. Time Cost for Chameleon Hash Algorithm

VII. PERFORMANCE EVALUATION

In this section, we conduct experiments to evaluate theeffectiveness and feasibility of our scheme. Firstly, we testthe performance of chameleon hash. Then, we compare ourscheme with the scheme using revocation list in terms ofrevocation overhead.

A. Chameleon Hash Algorithm Implementation

In order to show the performance of chameleon hashmore clearly, we tested the computational overhead ofvarious functions of chameleon hash. Specifically, it includeschameleon hash key generation, chameleon hash calculation,and chameleon hash collision generation. Considering that thecomputational overhead of chameleon hash key generationis equivalent to the computational overhead of the networkoperator initialization, the methods for generating chameleonhash keys, calculating chameleon hash, and calculatingchameleon hash conflict are shown in Algorithm 2,Algorithm 1, and Algorithm 4 respectively.

The experiment environment is a standard 64-bit Linux Mintrelease 17, Linux version 3.13.0-24-generic with Intel (R)Core (TM) i7-4790, 3.60 GHz processor. All our evaluationswere performed by programs in C. Furthermore, the algorithmsrelated to discrete logarithms and big number calculation arerealized with OpenSSL 1.0.1f.

In order to ensure the reliability of the experiment, wedefine the running time of an algorithm as the average timeof executing the algorithm 1000 times. Then, we conducted100 experiments. Therefore, we obtained 100 experimentaldata, and each experimental data represents the averagecomputation overhead of the algorithm running 1000 times.All experimental data obtained are shown in Fig. 5. Fig. 5(a)represents the overhead of the network operator for chameleonhash key generation in initialization phase, and Fig. 5(b)represents the overhead of calculating the chameleon hashwhen the network operator generates a transaction. Fig. 5(c)indicates the overhead of the network operator for a chameleonhash collision generation to replace a specific transaction.Finally, we have that the average time for the network operatorto generate the chameleon hash keys is 12.126ms, the averagetime for calculating the chameleon hash is 0.027ms, and theaverage time for generating the chameleon hash collision is0.015ms.

B. Comparison of revocation overhead

The most common means of user revocation is CertificateRevocation Lists (CRLs) . The main contents of the CRLsinclude a list of triples (certificate identity, revocation time,revocation reason), and signatures of these triples signed byCAs [34]. Network operators not only need to store thecertificates of the currently valid users, but also need tostore the information about all users who have been revokedin the past. Users need to periodically download and cacheCRLs to use them when authenticating other users. However,in our scheme, network operators do not need to maintainCRLs, and users do not need to download the CRLs. Table IIilluminates the key parameters in CRLs and certificates, whichare designed according to bitcoin [5]. In addition, accordingto the design of the original Bitcoin block [5], we assume thatthe size of the block is 1MB, and each transaction contains1000 users’ information.

The comparison of network operator’s storage overhead oftraditional CRL-based scheme and our proposed scheme areshown in Fig. 6. In both schemes, the storage cost of thenetwork operator increases with the increase of the number ofexisting users. However, when the number of revoked usersincreases, the CRL-based scheme storage overhead increasesand our scheme remains unchanged. In general, the storageoverhead of the CRL-based scheme is much higher than thestorage overhead of our scheme.

TABLE IIKEY PARAMETERS IN CRL

Parameters IDU IDO ts hash SignatureLength (Bytes) 32 32 4 32 128

VIII. CONCLUSION

In this paper, we proposed a self-sovereign identitymanagement and authentication scheme for wireless mobilenetworks, which is based on redactable blockchain. Inour user-centric identity management, users’ identifyinginformation is completely controlled and managed by theowner, thereby reducing the leakage of privacy. We adoptedblockchain to record SSI and public key to achieve userauthentication and session key negotiation without redundantregistration. Furthermore, network operators can dynamically




10

00

100

200

200

1000

stor

age

over

head

(M

B)

300

400 800

Number of revoked users (103)

400

600

Number of current users (103)

600

500

400800 200

1000 0

CRL-based schemeOur proposed scheme

Fig. 6. storage overhead

revoke users access to the network, and maintain a redactableblockchain instead of using revocation lists. Performanceevaluation showed that our scheme not only reduces thestorage overhead of network operators, but also reduces thenetwork access delay for users.

ACKNOWLEDGMENT

This work is supported in part by the National NaturalScience Foundation of China under Grant No. 61972371,and Youth Innovation Promotion Association of the ChineseAcademy of Sciences (CAS) under Grant No. 2016394.

REFERENCES

[1] M. Khan and V. Niemi, “Privacy enhanced fast mutualauthentication in 5G network using identity based encryption,”Journal of ICT Standardization, vol. 5, no. 1, pp. 69–90, 2017.

[2] Y. Huang, C. Shen, and S. W. Shieh, “S-AKA: A provableand secure authentication key agreement protocol for UMTSnetworks,” IEEE Transactions on Vehicular Technology, vol. 60,no. 9, pp. 4509–4519, 2011.

[3] Y. Zhang, R. Deng, E. Bertino, and D. Zheng, “Robust anduniversal seamless handover authentication in 5G hetnets,”IEEE Transactions on Dependable and Secure Computing,2019. [Online]. Available: https://doi.org/10.1109/TDSC.2019.2927664

[4] K. C. Toth and A.-P. Alan, “Self-sovereign digital identity: Aparadigm shift for identity,” IEEE Security & Privacy, vol. 17,no. 3, pp. 17–27, 2019.

[5] S. Nakamoto. (2008) Bitcoin: A peer-to-peer electroniccash system. Accessed on: Nov. 2019. [Online]. Available:http://www.bitcoin.org/bitcoin.pdf

[6] H. Krawczyk and T. Rabin, “Chameleon signatures,” inProceedings of the 7th Network and Distributed System SecuritySymposium (NDSS), 2000.

[7] Y. Zhang, J. Yu, R. Hao, C. Wang, and K. Ren, “Enablingefficient user revocation in identity-based cloud storage auditingfor shared big data,” IEEE Transactions on Dependable andSecure Computing, 2018.

[8] Z. Liu, Z. Liu, Z. Lin, and X. Lin, “MARP: A distributed MAClayer attack resistant pseudonym scheme for VANET,” IEEETransactions on Dependable and Secure Computing, 2018.

[9] K. Xue, P. He, X. Zhang, Q. Xia, D. S. L. Wei, H. Yue,and F. Wu, “A secure, efficient, and accountable edge-based

access control framework for information centric networks,”IEEE/ACM Transactions on Networking, vol. 27, no. 3, pp.1220–1233, June 2019.

[10] R. Dhamija and L. Dusseault, “The seven flaws of identitymanagement: Usability and security challenges,” IEEE Security& Privacy, vol. 6, no. 2, pp. 24–29, 2008.

[11] J. Carretero, G. Izquierdo-Moreno, M. Vasile-Cabezas, andJ. Garcia-Blas, “Federated identity architecture of the EuropeaneID system,” IEEE Access, vol. 6, pp. 75 302–75 326, 2018.

[12] U. Premarathne, I. Khalil, Z. Tari, and A. Zomaya, “Cloud-based utility service framework fortrust negotiations usingfederated identity management,” IEEE Transactions on CloudComputing, vol. 5, no. 2, pp. 290–302, 2017.

[13] B. C. Singh, B. Carminati, and E. Ferrari, “Privacy-awarepersonal data storage P-PDS: Learning how to protect userprivacy from external applications,” IEEE Transactions onDependable and Secure Computing, 2019, accessed on: Nov.2019. [Online]. Available: https://doi.org/10.1109/TDSC.2019.2903802

[14] H. Gunasinghe and E. Bertino, “PrivBioMTAuth: Privacypreserving biometrics-based and user centric protocol for userauthentication from mobile phones,” IEEE Transactions onInformation Forensics and Security, vol. 13, no. 4, pp. 1042–1057, 2018.

[15] P. Bramhall, M. Hansen, K. Rannenberg, and T. Roessler, “User-centric identity management: New trends in standardization andregulation,” IEEE Security & Privacy, vol. 5, no. 4, pp. 84–87,2007.

[16] S. Alboaie and D. Cosovan, “Private data system enabling self-sovereign storage managed by executable choreographies,” inProceedings of IFIP International Conference on DistributedApplications and Interoperable Systems. Springer, 2017, pp.83–98.

[17] A. Othman and J. Callahan, “The Horcrux protocol: a methodfor decentralized biometric-based self-sovereign identity,” inProceedings of International Joint Conference on NeuralNetworks (IJCNN). IEEE, 2018, pp. 1–7.

[18] M. S. Ferdous, F. Chowdhury, and M. Alassafi, “In search ofself-sovereign identity leveraging blockchain technology,” IEEEAccess, vol. 7, pp. 103 059–103 079, 2019.

[19] C. Lundkvist, R. Heck, J. Torstensson, Z. Mitton, and M. Sena.(2017) Uport: A platform for self-sovereign identity. Accessedon: Nov., 2019.

[20] Sovrin. Accessed on: Nov., 2019. [Online]. Available: https://sovrin.org

[21] ShoCard. Accessed on: Nov., 2019. [Online]. Available:https://shocard.com

[22] N. Lo and J. Tsai, “An efficient conditional privacy-preservingauthentication scheme for vehicular sensor networks withoutpairings,” IEEE Transactions on Intelligent TransportationSystems, vol. 17, no. 5, pp. 1319–1328, 2015.

[23] D. He, S. Zeadally, B. Xu, and X. Huang, “An efficient identity-based conditional privacy-preserving authentication scheme forvehicular ad hoc networks,” IEEE Transactions on InformationForensics and Security, vol. 10, no. 12, pp. 2681–2691, 2015.

[24] D. He, S. Chan, and M. Guizani, “An accountable, privacy-preserving, and efficient authentication framework for wirelessaccess networks,” IEEE Transactions on Vehicular Technology,vol. 65, no. 3, pp. 1605–1614, 2015.

[25] D. He, J. Bu, S. Chan, C. Chen, and M. Yin, “Privacy-preservinguniversal authentication protocol for wireless communications,”IEEE Transactions on Wireless Communications, vol. 10, no. 2,pp. 431–436, 2010.

[26] C. Chang and H. Tsai, “An anonymous and self-verifiedmobile authentication with authenticated key agreement forlarge-scale wireless networks,” IEEE Transactions on WirelessCommunications, vol. 9, no. 11, pp. 3346–3353, 2010.

[27] G. Yang, Q. Huang, D. S. Wong, and X. Deng, “Universalauthentication protocols for anonymous wireless communica-




11

tions,” IEEE Transactions on Wireless Communications, vol. 9,no. 1, pp. 168–174, 2010.

[28] H. J. Jo, J. H. Paik, and D. H. Lee, “Efficient privacy-preservingauthentication in wireless mobile networks,” IEEE Transactionson Mobile Computing, vol. 13, no. 7, pp. 1469–1481, 2013.

[29] Q. Yang, K. Xue, J. Xu, J. Wang, F. Li, and N. Yu,“AnFRA: Anonymous and fast roaming authentication forspace information network,” IEEE Transactions on InformationForensics and Security, vol. 14, no. 2, pp. 486–497, 2018.

[30] G. Ateniese, B. Magri, D. Venturi, and E. Andrade, “Redactableblockchain–or–rewriting history in bitcoin and friends,” in2017 IEEE European Symposium on Security and Privacy(EuroS&P). IEEE, 2017, pp. 111–126.

[31] D. Derler, K. Samelin, D. Slamanig, and C. Striecks, “Fine-grained and controlled rewriting in blockchains: Chameleon-hashing gone attribute-based,” in Proceedings of the 26thNetwork and Distributed System Security Symposium (NDSS),2019.

[32] M. Castro and B. Liskov, “Practical Byzantine fault tolerance,”in Proceedings of the 3rd Symposium on Operating SystemsDesign and Implementation (OSDI). The Advanced ComputingSystems Association, 1999, pp. 173–186.

[33] J. Poon and T. Dryja. (2016) The bitcoin lightning network:Scalable off-chain instant payments. Accessed on: Nov.2019. [Online]. Available: https://www.bitcoinlightning.com/wp-content/uploads/2018/03/lightning-network-paper.pdf

[34] L. Zhang, D. Choffnes, D. Levin, T. Dumitras, A. Mislove,A. Schulman, and C. Wilson, “Analysis of SSL certificatereissues and revocations in the wake of Heartbleed,” inProceedings of the Conference on Internet MeasurementConference. ACM, 2014, pp. 489–502.

Jie Xu received her B.S. degree from the departmentof Information Security, University of Science andTechnology of China (USTC) in July, 2017. Sheis currently a graduated student in Communicationand Information System from the Department ofElectronic Engineering and Information Science(EEIS), USTC. Her research interests includeNetwork security and Cryptography.

Kaiping Xue (M’09-SM’15) received his B.S.degree from the Department of Information Security,University of Science and Technology of China(USTC), in 2003 and received his Ph.D. degreefrom the Department of Electronic Engineering andInformation Science (EEIS), USTC, in 2007. FromMay 2012 to May 2013, he was a postdoctoralresearcher with Department of Electrical and Com-puter Engineering, University of Florida. Currently,he is an Associate Professor in the School of Cybersecurity and the Department of EEIS, USTC. His

research interests include next-generation Internet, distributed networks andnetwork security. He serves on the Editorial Board of several journals,including the IEEE Transactions on Wireless Communications (TWC), theIEEE Transactions on Network and Service Management (TNSM), Ad HocNetworks, IEEE Access and China Communications. He has served as a guesteditor of the IEEE Journal on Selected Areas in Communications (JSAC) anda lead guest editor of IEEE Communications Magazine. He is an IET Fellowand an IEEE Senior Member.

Hangyu Tian received his B.S. degree from thedepartment of Information Security, University ofScience and Technology of China (USTC) in July,2018. He is currently a graduated student inCommunication and Information System from theDepartment of Electronic Engineering and Informa-tion Science(EEIS), USTC. His research interestsinclude Network security and Cryptography.

Jianan Hong received the B.S. degree from thedepartment of Information Security, University ofScience and Technology of China (USTC), in 2012and received his Ph.D. degree from the Departmentof Electronic Engineering and Information Science(EEIS), USTC, in 2018. Now he is a researchengineer in Huawei Shanghai Research Institute,Shanghai. His research interests include secure cloudcomputing and mobile network security.

David S.L. Wei (SM’07) received his Ph.D. degreein Computer and Information Science from theUniversity of Pennsylvania in 1991. From May1993 to August 1997 he was on the Faculty ofComputer Science and Engineering at the Universityof Aizu, Japan (as an Associate Professor andthen a Professor). He has authored and co-authoredmore than 100 technical papers in various archivaljournals and conference proceedings. He is currentlya Professor of Computer and Information ScienceDepartment at Fordham University. His research

interests include cloud computing, big data, IoT, and cognitive radio networks.He was a guest editor or a lead guest editor for several special issues in theIEEE Journal on Selected Areas in Communications, the IEEE Transactionson Cloud Computing and the IEEE Transactions on Big Data. He also servedas an Associate Editor of IEEE Transactions on Cloud Computing, 2014-2018,and an Associate Editor of Journal of Circuits, Systems and Computers, 2013-2018.

Peilin Hong received her B.S. and M.S. degreesfrom the Department of Electronic Engineering andInformation Science (EEIS), University of Scienceand Technology of China (USTC), in 1983 and 1986.Currently, she is a Professor and Advisor for Ph.D.candidates in the Department of EEIS, USTC. Herresearch interests include next-generation Internet,policy control, IP QoS, and information security. Shehas published 2 books and over 150 academic papersin several journals and conference proceedings.


Documents

An Identity Management and Authentication Scheme Based on ...staff.ustc.edu.cn/~kpxue/paper/TVT-jiexu-2020.4-earlyaccess.pdf · They focus on user oriented paradigm, called user-centric