DCAGS-IoT: Dynamic Cross-Domain Authentication Scheme Using Group Signature in IoT

Abstract

Cross-domain authentication requires that there is no trust gap between different trust domains that can cause cross-domain devices to exceed the security control scope of the original trust domain and further expose cross-domain authentication systems to security threats. In addition, as relying on the traditional cross-domain authentication means built by centralized institutions cannot meet the data security needs in a big data environment. Therefore, it is necessary to design a secure dynamic cross-domain authentication scheme. In this paper, we propose a dynamic cross-domain authentication scheme (DCAGS-IoT) in the Internet of Things environment using the group signature technology and the distributed system architecture of blockchain. Specifically aiming at the problem of increasing and revoking users in dynamic cross-domain authentication, a user update algorithm with the complexity of O (logN) was designed to manage users in the trust domain. Moreover, we used the characteristics that group signature users can sign on behalf of a group to protect the users’ privacy and track suspicious users. Since the size of the signature generated by the scheme is independent of the number of group members N and only depends on the security parameters λ, the efficiency of the protocol implementation is improved, and the security and availability of the authentication scheme are guaranteed.

1. Introduction

To meet the application needs such as smart medical care, Internet of Vehicles (IoV) [1], smart home, industrial production, energy and power, Internet of Things (IoT) focuses on achieving communication between people, between people and things, and between things, providing Internet users with a more immersive application experience [2]. However, in recent years, as a large number of devices are continuously connected to the IoT, security problems in the IoT environment have emerged in an endless stream. Malicious attackers may use the insecure cross-domain authentication of devices, making network security problems more serious. Therefore, it is particularly important to design a secure and effective dynamic cross-domain authentication scheme in the IoT environment to protect the privacy of users.

Cross-domain authentication [3] refers to the process of user or device identity authentication between multiple trust domains. This process not only needs to establish the credibility of the relationship between each trust domain, maintain the efficiency of the authentication process and ensure the reliability of the authentication system, but also needs to ensure the security authentication and real-time management of legal devices between each trust domain. In the real-time scenario of distributed systems, we can divide cross-domain authentication into two types: static cross-domain authentication and dynamic cross-domain authentication. Static cross-domain authentication refers to the authentication performed by user to access an information service entity in the target trust domain without leaving the trust domain to which it belongs. For example, the cross-domain authentication scenario in which devices in different factories are cooperatively produced in the Industrial IoT. The dynamic cross-domain authentication is the authentication performed by the user who moves to the target trust domain to access the information service entity. For example, in the Internet of Vehicles environment, in order to have a better travel experience, vehicles need to constantly interact with roadside units. At present, many schemes only consider static cross-domain authentication without discussing dynamic cross-domain authentication.

Motivations and benefits. Traditional cross-domain authentication frameworks rely on centralized servers [4] such as using Public Key Infrastructure (PKI) and Identity-Based Cryptograph (IBC) to design the authentication architecture. However, the centralized authentication architecture is prone to single point of failure issues and is vulnerable to denial-of-service attacks. The emergence of blockchain has promoted the development of identity authentication, thus the authentication architecture is not limited to a centralized architecture, but its openness and transparency exposes user privacy to the public. To solve some problems existing in the existing cross-domain authentication schemes in the IoT environment, this paper proposed a dynamic cross-domain authentication scheme based on the group signature technology, combined with the distributed peer-to-peer network architecture of blockchain technology. Since the size of the signature generated by the scheme is independent of the number of group members and only depends on the security parameters, the efficiency of protocol implementation is improved, and the security and availability of the authentication scheme are guaranteed.

The main contributions of this paper are as follows:

(1)

Aiming at the difficulty of user joining and revocation in the dynamic cross-domain authentication environment, an effective update algorithm with complexity O(logN) is provided in the static Merkle tree accumulator to realize the dynamic addition and revocation of users.

(2)

We used group signature technology to allow members of a group to sign messages on behalf of the entire group, thus protecting user privacy from being leaked. Moreover, users are responsible for the issued signatures as tracking agencies can be used to identify them.

(3)

Blockchain distributed ledger storage is used to realize cross-domain authentication between trust domains. The analysis proves that the protocol is secure in the random oracle model, and the size of the signature generated by the scheme is independent of the number of group members N, and only depends on the security parameter λ, which effectively improves the operating efficiency of the protocol.

Organization Structure

This paper introduces the related works on cross-domain authentication in the Section 2, introduces the proposed dynamic cross-domain authentication scheme in Section 3, and presents the analysis of the proposed protocol in Section 4. The conclusions are given in Section 5.

2. Related Work

A cross-domain authentication protocol in the IoT environment has been proposed by researchers for a long time. However, most of the traditional schemes are PKI-based and IBC-based. Zhou et al. [5] proposed combining threshold secret sharing and identity-based encryption to construct a certificate authority domain that minimizes the length of the verification path and improves the authentication efficiency. Aiming at the large computational cost of the bilinear pairing operation in the elliptic curve and the certificate management in the PKI, Wang et al. [6] designed a efficient and secure authenticated key agreement protocol based on the identity-based public key cryptography algorithm and the GDH difficulty problem on the elliptic curve addition group. Ning et al. [7] also proposed a new bilinear-free, IBC-based two-party cross-domain authenticated key agreement protocol.

Devices have higher requirements for the versatility of cross-domain authentication systems between different cryptosystems. Zhang et al. [8] proposed a complete cross-domain authentication scheme that could be used by participants in different domains with completely different settings, and the underlying design of the scheme was based on blockchain technology. Jiang et al. [9] proposed a cross-domain identity authentication scheme based on PKI and certificateless cryptography (CLC) to achieve mutual identity authentication and secure access between users of the two public key cryptosystems. Lin et al. [10] proposed a secure and effective fog computing key negotiation and user authentication scheme that could establish secure sessions between different entities, and users could achieve cross-domain access to other fog servers. Jiang et al. [11] proposed a proxy-blind signature-based approach for cross-domain identity authentication schemes based on public key infrastructures of different systems and certificateless public key cryptosystems that could not satisfy identity blindness and efficient heterogeneous cross-domain authentication. Wei et al. [12] combined blockchain technology with an identity-based cryptographic system to provide a cross-domain authentication scheme that solves the problem of devices in trust domains with different authentication mechanisms when cooperating with each other. These centralized cross-domain authentication protocols usually require a lot of computing or communication resources and have problems such as relying on trusted third parties to issue certificates and key escrow.

The core advantage of blockchain decentralization has promoted the development of the field of identity authentication. Therefore, in order to solve the above problems, there are many solutions that use blockchain technology to improve them. Bagga et al. [13] designed a new blockchain-based batch authentication scheme in IoV-based smart city deployments that enabled vehicle-to-vehicle (V2V) authentication and allowed a group of clustered vehicles to authenticate through it. Singh et al. [14] proposed a blockchain-based decentralized trust management system where the RSUs at the edge cooperatively maintain updated, reliable, and consistent vehicle trust values to reduce the workload from the master-maintained blockchain.

However, due to the fact that wireless communication channels may be destroyed and taken over by malicious adversaries, and the open and transparent characteristics of blockchain, data in transit may be eavesdropped, modified, and replayed. Protecting user privacy and secure authentication are important prerequisites for ensuring secure communication as well as an important requirement for dynamic cross-domain authentication. Li et al. [15] proposed a certificate-free CPPA protocol to support privacy and security requirements in IoV systems where the vehicle and trusted authority (TA) do not need to store any certificates separately for verification and tracking. Zhang et al. [16] uploaded the hash value calculated by the certificate of the mobile device to the blockchain. During identity authentication, it is only necessary to verify whether the hash value of the certificate provided by the device is the same as the stored hash, avoiding the tedious verification process of the authentication mechanism. Li et al. [17] designed a secure cross-domain authentication and key agreement protocol for heterogeneous wireless networks with different security parameters based on blockchain. Dong et al. [18] designed a user identity credibility initialization method by using the entropy-based probability weighted subjective trust and risk evaluation method for the user’s identity credibility problem in heterogeneous domain cross-domain authentication. The trustworthiness of various users in heterogeneous domains was calculated and described. Ghane et al. [19] proposed a differentially private data flow system to address privacy issues in distributed edge computing. Yang et al. [20] proposed a cross-domain identity authentication scheme for cloud service providers in different trust domains based on the group signature scheme, and used the Chinese remainder theorem to solve the problem where the traditional identity authentication model cannot be applied to cloud computing, which simplified the calculation process. Ali et al. [21] analyzed and identified some serious security flaws in the SAKA-FC authentication key exchange scheme and made improvements. Shehzad et al. [22] proposed a secure message authentication protocol for information exchange between IoV entities based on secure symmetric lightweight hash functions and cryptographic operations.

At the same time, most cross-domain authentication schemes only consider the situation that the device accesses other trust domains in the trust domain to which it belongs, and does not discuss the scenario where the device moves to other trust domains for resource access. In addition, many solutions do not involve the addition and deletion of users, and the efficiency of the solution will also decrease as the number of users increases, affecting the user experience. Luo et al. [23] proposed a cross-domain certificateless authentication GKA protocol for 5G network slicings that supports dynamic group user management. This scheme requires only one round of communication and allows group users from different network domains with different cryptosystem parameters to jointly negotiate the group session key. Tan et al. [24] utilized homomorphic encryption to solve the VANET cross-domain authentication problem under the new RSU edge network assumption to dynamically update anonymous vehicle identities. Xu et al. [25] designed a blockchain-based authentication and key agreement protocol for the multi-TA network model, which shifted the computational load of the TA down to the RSU to improve the authentication efficiency. Zhang et al. [26] proposed a two-way anonymous traceability group authentication protocol in IoV, where the RSU in the group can anonymously trace the identity of malicious vehicles. The scheme uses the blockchain to quickly revoke their identity, and can also freely change the ID of users who reveal their true identities. Ahmed et al. [27] allowed IoV nodes in a certificateless encryption (CLC) environment to send messages to servers in a public key infrastructure (PKI) environment to secure the communication between the server and the IOV. Since there is no paired computation, the protocol has an efficient advantage over existing protocols. Trivedi et al. [28] proposed a new authentication scheme to jointly achieve effective authentication and partial trust management through scalability in a distributed IoT environment, but this scheme only considers user additions within a single trust domain.

3. Proposed Dynamic Cross-Domain Authentication Scheme

In this section, we first describe the system model, and then introduce our update algorithm, which was designed to implement user join and revoke in a dynamic cross domain authentication environment. Finally, we describe the proposed scheme in detail, which mainly includes three stages: system initialization, registration, and cross domain authentication.

3.1. System Model

The cross-domain authentication scenario mainly includes the group manager (GM), tracking manager (TM), a group of member users, and the blockchain. The specific cross-domain authentication system model is shown in Figure 1. The GM is responsible for the management of group members, establishing group resources, and generating the corresponding group public key gpk, which is open to all users in the entire system, and maintains a registration list and revocation list. It stores the identities of registered and revoked group members. Group members are all legal users in a distributed system. The blockchain exists in the system as a storage medium to ensure that the data will not be tampered with. GM acts as a full node in the system. As long as no more than half of the GM in the world is destroyed, the security of the blockchain can be guaranteed. The tracking administrator (TM) can open the signatures of group members, regulate the illegal behavior of users, acts the supervision department in the group, supervise the behavior of members in the group, and complete the behavior responsibility identification and responsibility judgment when the group members are found to have illegal behaviors.

3.2. User Update Algorithm

We used a simple and effective update algorithm to implement the dynamic addition and removal of users. The main idea is to make each leaf node represent a user, where the current value of the leaf node is the binary string of the public key held by the user. When the user state changes, it only needs to modify all the values in the path from the leaf to the root, without changing the entire Merkel tree. As shown in Figure 2, we provide an example of a tree with 2³ = 8 leaf nodes. When the status of the user u₁₀₁ changes, we only need to change the values of the yellow nodes. It can be seen that the time complexity of the proposed algorithm is O(logN).

3.3. Our Scheme

In this paper, the idea of a dynamic group signature was introduced into the cross-domain authentication scheme, and an on-lattice dynamic cross-domain authentication scheme with join and revocation mechanism was proposed. For the scheme parameters, this paper selected them according to the literature [29]. In this section, we describe the proposed scheme in detail. It consists of three phases: the initialization phase, registration phase, and cross-authentication phase. When the system starts up, the GM performs the initialization phase. Before users can enter the system, they must be registered in the GM through the registration phase.

Table 1. Description of the symbols.

Symbol	Meaning
GM	Group manager
TM	Track manager
U	User
gpk	Group public key
gsk	Group signing key
pp	Public parameter
λ	Safety parameters
Reg	Registration list
ik	Issue key
ok	Open key
upk	Public key
usk	Private key

describes the symbols used in the solution, and the protocol flow is shown in Figure 3. The details of the above three stages are as follows:

3.3.1. System Initialization

System setup: Randomly select security parameters, GM runs the algorithm to generate public parameters, group public key, signature key, and tracking key, initialize internal State L and Registry Reg. Then, the public key gpk of the group is published to the blockchain, and anyone can find the public key of the group from the blockchain, and send ok to the tracking administrator TM, which will be used to regulate the daily behavior of users in the future.

The specific process is as follows:

• Select $\mathrm{n}=\mathcal{O}\left(\mathsf{\lambda }\right)$, and n is a power of 2. The modulus $\mathrm{q}=\tilde{\mathcal{O}}\left({\mathrm{n}}^4\right)$, $\mathrm{R}=\mathbb{Z}\left[\mathrm{X}\right]/\left({\mathrm{X}}^{\mathrm{n}}+1\right)$, ${\mathrm{R}}_{\mathrm{q}}=\mathrm{R}/\mathrm{qR}$, where q = 3k, k is a positive integer). Then, set $\ell =\log \lfloor \frac{\mathrm{q}-1}{2}\rfloor +1$, $m\ge 2\lceil \log \mathrm{q}\rceil$, $\overline{m}=m+\mathrm{k}$.
• Choose an integer $\mathrm{d}\ge {\log }_{\mathrm{c}}\left(\mathsf{\omega }\left(\log \mathrm{n}\right)\right)$ and a strictly increasing sequence of integers, $\left\{{\mathrm{c}}_0,{\mathrm{c}}_1,\dots ,{\mathrm{c}}_{\mathrm{d}}\right\}$, where ${\mathrm{c}}_0=0$, ${\mathrm{c}}_{\mathrm{i}}=\left|{\mathsf{\alpha }}_0{\mathrm{c}}^{\mathrm{i}}\right|$, $\mathrm{i}\in \left[\mathrm{d}\right]$.
• Choose an integer $\mathsf{\beta }=\tilde{\mathcal{O}}\left(\mathrm{n}\right)$, $\mathsf{{\rm B}}=\tilde{\mathcal{O}}\left({\mathrm{n}}^{5/4}\right)$, $\mathsf{\chi }$ for the bounded distribution of B on R.
• ${\mathscr{H}}_{\mathrm{FS}}:{\left\{0,1\right\}}^{*}\to {\left\{1,2,3\right\}}^{\mathcal{K}}$, where $\mathcal{K}=\mathsf{\omega }\left(\log \mathsf{\lambda }\right)$ is an anti-collision hash function.
• COM is a statistical hidden and computationally bound commitment scheme.
• Uniform random matrix $\mathsf{{\rm B}}\in {\mathrm{R}}_{\mathrm{q}}^{1\times \mathrm{m}}$.
• Generate a verification key $\mathsf{A}$, ${\mathrm{F}}_0\in {\mathrm{R}}_{\mathrm{q}}^{1\times \tilde{\mathrm{m}}}$; ${\mathsf{A}}_{\left[0\right]}$, …, ${\mathsf{A}}_{\left[\mathrm{d}\right]}\in {\mathrm{R}}_{\mathrm{q}}^{1\times \mathrm{k}}$; $\mathrm{F}$, ${\mathrm{F}}_1\in {\mathrm{R}}_{\mathrm{q}}^{1\times \ell }$; $u\in {\mathrm{R}}_{\mathrm{q}}$, a signature key $\mathrm{R}\in {\mathrm{R}}_{\mathrm{q}}^{\mathrm{m}\times \mathrm{k}}$.
• Set ${\mathrm{s}}_1$, ${\mathrm{s}}_2\leftarrow \mathsf{\chi }$, ${\mathrm{e}}_1$, ${\mathrm{e}}_2\leftarrow {\mathsf{\chi }}^{\ell }$, $\mathrm{a}\stackrel{\$}{\leftarrow }{\mathrm{R}}_{\mathrm{q}}^{\ell }$.
• Calculate ${\mathrm{b}}_1=\mathrm{a}·{\mathrm{s}}_1+{\mathrm{e}}_1\in {\mathrm{R}}_{\mathrm{q}}^{\ell }$; ${\mathrm{b}}_2=\mathrm{a}·{\mathrm{s}}_2+{\mathrm{e}}_2\in {\mathrm{R}}_{\mathrm{q}}^{\ell }$.

Then, the public parameters pp, group public key gpk, ik, and ok are as follows:

$$\mathrm{pp}=\left\{n,\mathrm{q},\mathrm{k},\mathrm{R},{\mathrm{R}}_{\mathrm{q}},\ell ,m,\overline{m},\mathsf{\chi },\mathrm{d},{\mathrm{c}}_0,{\mathrm{c}}_1,\dots ,{\mathrm{c}}_{\mathrm{d}},\mathrm{B},\mathsf{\beta },\mathcal{K},{\mathscr{H}}_{\mathrm{FS}},\mathrm{COM},\mathrm{B}\right\}$$

$$\mathrm{gpk}=\left\{\mathrm{pp},\mathsf{A},{\left\{{\mathsf{A}}_{\left[\mathrm{j}\right]}\right\}}_{\mathrm{j}=0}^{\mathrm{d}},\mathrm{F},{\mathrm{F}}_0,{\mathrm{F}}_1,u,\mathrm{a},{\mathrm{b}}_1,{\mathrm{b}}_2\right\}$$

$$\mathrm{ik}=\mathrm{R}$$

$$\mathrm{ok}=\left({\mathrm{s}}_1,{\mathrm{e}}_1\right)$$

3.3.2. Registration Stage

When a new group member joins the trust domain, it first registers with the GM. The specific steps for the user are as follows:

• ${\mathrm{M}}_{1\left(\mathrm{U}\to \mathrm{BC}\right)}:\left({\mathrm{T}}_1,{\mathrm{ID}}_{{\mathrm{GM}}_{\mathrm{i}}},{\mathrm{Request}}_1\right)$: Before sending the registration request to the user, the user requests the BC to query the gpk at the time T1, which is convenient for generating the user’s own public and private key pair.
• ${\mathrm{M}}_{2\left(\mathrm{BC}\to \mathrm{U}\right)}:\left({\mathrm{T}}_2,\mathrm{gpk},{\mathrm{Respond}}_1\right)$: The blockchain returns $\mathrm{gpk}$ to user U at ${\mathrm{T}}_2$.
• ${\mathrm{GKgen}}_{\mathrm{U}}\left(\mathrm{gpk}\right)\to \left(\mathrm{upk},\mathrm{usk}\right)$: After the user receives the group public key gpk of the domain and the ${\mathrm{Respond}}_1$, enter the gpk, and perform the following operations: the user randomly selects $\mathrm{x}\in {\mathrm{R}}^{\mathrm{m}}$ and calculates $\mathrm{p}=\mathrm{B}·\mathrm{x}\in {\mathrm{R}}_{\mathrm{q}}$. Then, the user’s own key pair is $\left(\mathrm{upk}=\mathrm{p},\mathrm{usk}=\mathrm{x}\right)$.
• ${\mathrm{M}}_{3\left(\mathrm{U}\to {\mathrm{GM}}_{\mathrm{i}}\right)}:\left({\mathrm{T}}_3,\mathrm{upk},{\mathrm{Request}}_2\right)$: After the key pair is generated, the user sends a join request at ${\mathrm{T}}_3$ to ${\mathrm{GM}}_{\mathrm{i}}$.
• $\mathrm{Join}\left(\mathrm{gpk},\mathrm{upk},\mathrm{pp}\right)\to \mathrm{gsk}$: When a user with public key upk = p sends a request to join the trust domain, ${\mathrm{GM}}_{\mathrm{i}}$ first checks whether the user with upk = p has been registered before, if not, register the user in the trust domain to which they belongs, and the user becomes a group member. Finally, output the user’s group signature key gsk.

  (1)

  Set label $\mathrm{t}={\left({\mathrm{t}}_0,{\mathrm{t}}_1\dots ,{\mathrm{t}}_{{\mathrm{c}}_{\mathrm{d}}-1}\right)}^{\top }\in {\mathcal{T}}_{\mathrm{d}}$, calculate ${\mathrm{A}}_{\mathrm{t}}=[\mathrm{A}\mid {\mathrm{A}}_{\left[0\right]}+{{\displaystyle \sum }}_{\mathrm{i}=1}^{\mathrm{d}}{\mathrm{t}}_{\left[\mathrm{i}\right]}{\mathrm{A}}_{\left[\mathrm{i}\right]}]\in {\mathrm{R}}_{\mathrm{q}}^{1\times \left(\overline{\mathrm{m}}+\mathrm{k}\right)}$;

  (2)

  Using the signing key $\mathrm{R}$, generate a signature $\left(\mathrm{t},\mathrm{r},\mathrm{v}\right)$, where $\mathrm{r}\in {\mathrm{R}}^{\overline{\mathrm{m}}}, \mathrm{v}\in {\mathrm{R}}^{\overline{\mathrm{m}}+\mathrm{k}}$, and

  $$\{\begin{array}{l}{\mathrm{A}}_{\mathrm{t}}\cdot \mathrm{v}=\mathrm{F}\cdot \mathrm{rdec}\left({\mathrm{F}}_0\cdot \mathrm{r}+{\mathrm{F}}_1\cdot \mathrm{rdec}\left(\mathrm{p}\right)\right)+\mathrm{u}\hfill \\ \parallel \mathrm{r}{\parallel }_{\infty }\le \mathsf{\beta }, \parallel \mathrm{v}{\parallel }_{\infty }\le \mathsf{\beta }\hfill \end{array}$$

  The ${\mathrm{GM}}_{\mathrm{i}}$ then sets the user’s group signing key to $\mathrm{gsk}=\left(\mathrm{t},\mathrm{r},\mathrm{v},\mathrm{x}\right)$, and forwards it to the user, records it, and then updates $\mathrm{S}$ to $\mathrm{S}+1$.
• $\mathrm{UpdateGroup}\left(\mathrm{gpk} ,\mathrm{upk},\mathrm{S},\mathrm{reg}\right)\to \left({\mathrm{info}}_{\mathrm{new}}\right)$: If a new user joins or leaves, ${\mathrm{GM}}_{\mathrm{i}}$ runs the algorithm to update the group information, the algorithm returns the new public group information and updates the GM’s info.
• ${\mathrm{M}}_{4\left({\mathrm{GM}}_{\mathrm{i}}\to \mathrm{U}\right)}:\left({\mathrm{T}}_4,\mathrm{gsk},{\mathrm{Respond}}_2\right)$: ${\mathrm{GM}}_{\mathrm{i}}$ feedbacks the user’s registration ${\mathrm{Respond}}_2$ to the user, where 0 means failure, and 1 means success.

3.3.3. Cross-Domain Authentication

• $\mathrm{Sign}\left(\mathrm{gpk},{\mathrm{gsk}}_{\mathrm{i}},\mathrm{M}\right)\to \mathsf{\Pi }$: When the local user U wants to access the services of other trust domains, the algorithm is first executed, and the output group signature $\mathsf{\Pi }$ is generated using the ${\mathrm{gsk}}_{\mathrm{i}}$, $\mathrm{gpk}$, and message M of the given user. Specific steps are as follows:

  (1)

  For $\mathrm{i}\in \left\{1,2\right\}$, instantiate ${\mathrm{g}}_{\mathrm{i}}\hookleftarrow \mathsf{\chi },{\mathrm{e}}_{\mathrm{i},1}\hookleftarrow {\mathsf{\chi }}^{\ell }$ and ${\mathrm{e}}_{\mathrm{i},2}\hookleftarrow {\mathsf{\chi }}^{\ell }$;

  (2)

  Calculate

  $$\begin{array}{ll}{\mathrm{c}}_{\mathrm{i}}& =\left({\mathrm{c}}_{\mathrm{i},1},{\mathrm{c}}_{\mathrm{i},2}\right)\\ & =\left(\mathrm{a}\cdot {\mathrm{g}}_{\mathrm{i}}+{\mathrm{e}}_{\mathrm{i},1},{ \mathrm{b}}_{\mathrm{i}}\cdot {\mathrm{g}}_{\mathrm{i}}+{\mathrm{e}}_{\mathrm{i},2}+\lfloor \mathrm{q}/4\rfloor \cdot \mathrm{rdec}\left(\mathrm{p}\right)\right)\in {\mathrm{R}}_{\mathrm{q}}^{\ell }\times {\mathrm{R}}_{\mathrm{q};}^{\ell }\end{array}$$

  (3)

  Calculate ${\mathsf{\Pi }}_{\mathrm{gs}}=({\left\{{\mathrm{CMT}}_{\mathrm{i}}\right\}}_{\mathrm{i}=1}^{\mathsf{\kappa }},\mathrm{CH},{\left\{{\mathrm{RSP}}_{\mathrm{i}}\right\}}_{\mathrm{i}=1}^{\mathsf{\kappa }})$, where

  $$\mathrm{CH}={\mathscr{H}}_{\mathrm{FS}}(\mathrm{M},{\left\{{\mathrm{CMT}}_{\mathrm{i}}\right\}}_{\mathrm{i}=1}^{\mathsf{\kappa }},\mathsf{\xi })$$

  $$\mathsf{\xi }=\left(\mathrm{A},{\mathrm{A}}_{\left[0\right]},\dots ,{\mathrm{A}}_{\left[\mathrm{d}\right]},\mathrm{F},{\mathrm{F}}_0,{\mathrm{F}}_1,\mathrm{u},\mathrm{B},\mathrm{a},{\mathrm{b}}_1,{\mathrm{b}}_2,{\mathrm{c}}_1,{\mathrm{c}}_2\right);$$

  (4)

  Output $\mathsf{\Pi }=\left({\mathsf{\Pi }}_{\mathrm{gs}},{\mathrm{c}}_1,{\mathrm{c}}_2\right)$.

• ${\mathrm{M}}_{5\left(\mathrm{U}\to {\mathrm{GM}}_{\mathrm{n}}\right)}:\left({\mathrm{T}}_5,\mathrm{M},{\mathrm{Request}}_3\right)$: The user makes an authentication ${\mathrm{Request}}_3$ at ${\mathrm{T}}_5$.
• $\mathrm{Verify}\left(\mathrm{gpk},\mathrm{M},\mathsf{\Sigma }\right)\to \left(1/0\right)$: The algorithm checks whether it is a valid group signature on M for the group information information, and outputs a bit: 1 means accept, 0 means reject. Specific steps are as follows:

  (1)

  Calculate $\mathsf{\Sigma }=({\left\{{\mathrm{CMT}}_{\mathrm{i}}\right\}}_{\mathrm{i}=1}^{\mathsf{\kappa }},\left({\mathrm{Ch}}_1,\dots ,{\mathrm{Ch}}_{\mathsf{\kappa }}\right),{\left\{\mathrm{RSP}\right\}}_{\mathrm{i}=1}^{\mathsf{\kappa }},{\mathrm{c}}_1,{\mathrm{c}}_2);$

  (2)

  IF $({\mathrm{Ch}}_1,\dots ,{\mathrm{Ch}}_{\mathsf{\kappa }})\ne {\mathscr{H}}_{\mathrm{FS}}\left(\mathrm{M},{\left\{{\mathrm{CMT}}_{\mathrm{i}}\right\}}_{\mathrm{i}=1}^{\mathsf{\kappa }},\mathsf{\xi }\right)$, Return 0;

  (3)

  For each $\mathrm{i}\in \left[\mathsf{\kappa }\right]$, run the verification phase of the protocol and return 0 if any of the conditions are not true, return 0;

  (4)

  Otherwise, return 1.

• ${\mathrm{M}}_{6\left({\mathrm{GM}}_{\mathrm{n}}\to \mathrm{U}\right)}:\left({\mathrm{T}}_6,{\mathrm{Respond}}_3\right)$: Return the authentication result to the user at ${\mathrm{T}}_6$.
• ${\mathrm{M}}_{7\left({\mathrm{GM}}_{\mathrm{n}}\to {\mathrm{TM}}_{\mathrm{n}}\right)}:\left({\mathrm{T}}_7,\mathrm{M},{\mathrm{Requset}}_4\right)$: If abnormal behavior is found, ${\mathrm{GM}}_{\mathrm{n}}$ sends a request to verify M at ${\mathrm{T}}_7$.
• $\mathrm{Open}\left(\mathrm{gpk},\mathrm{ok},\mathrm{reg},\mathrm{M},\mathsf{\Sigma }\right)\to \left(\mathrm{p}\prime ,{\mathsf{\Pi }}_{\mathrm{open}}\right):$ After the tracking administrator receives the request, execute the Open algorithm, which takes the group public key gpk, ok, Reg, message M, and signature as input, and returns the proof of the user. If the algorithm cannot attribute the signature to a specific group member, it will return (⊥,), indicating that the signature is the signature of an illegal user, and set the attribute. Specific steps are as follows:

  (1)

  Set ok $=\left({\mathrm{s}}_1,{\mathrm{e}}_1\right), \mathsf{\Sigma }=\left({\mathsf{\Pi }}_{\mathrm{gs}},{\mathrm{c}}_1,{\mathrm{c}}_2\right)$;

  (2)

  Use ${\mathrm{s}}_1$ to decrypt ${\mathrm{c}}_1=\left({\mathrm{c}}_{1,1},{\mathrm{c}}_{1,2}\right)$ according to the following steps;

  • Calculate ${\mathrm{p}}^{″}=\frac{{\mathrm{c}}_{1,2}-{\mathrm{c}}_{1,1}\cdot {\mathrm{s}}_1}{|\mathrm{q}/4|}$,
  • For each coefficient of ${\mathrm{p}}^{″}$,
    Returns 0 if it is closer to 0 than −1 and 1;
    Returns −1 if it is closer to −1 than to 0 and 1;
    Returns 1 if it is closer to 1 than −1 and 0,
  • ${\mathrm{p}}^{″}$ is the coefficient of ${\mathrm{p}}^{\prime }\in {\mathrm{R}}_{\mathrm{q}}^{\ell }$,
  • Set ${\mathrm{p}}^{\prime }\in {\mathrm{R}}_{\mathrm{q}}$ and make $\mathsf{\tau }\left({\mathrm{p}}^{\prime }\right)=\mathrm{H}\cdot \mathsf{\tau }\left({\mathrm{p}}^{\prime }\right)$.

  (3)

  If Reg does not include ${\mathrm{p}}^{\prime }$, return $\left(\perp ,\perp \right)$.

  (4)

  Otherwise, generate ${\mathsf{\Pi }}_{\mathrm{open}}$ for proving possession $\left({\mathrm{s}}_1,{\mathrm{e}}_1,\mathrm{y}\right)\in {\mathrm{R}}_{\mathrm{q}}\times {\mathrm{R}}_{\mathrm{q}}^{\ell }\times {\mathrm{R}}_{\mathrm{q}}^{\ell }$.

  $$\{\begin{array}{l}\Vert {\mathrm{s}}_1\Vert {}_{\infty }\le \mathrm{B};\Vert {\mathrm{e}}_1\Vert {}_{\infty }\le \mathrm{B};\parallel \mathrm{y}{\parallel }_{\infty }\le \lceil \mathrm{q}/10\rceil \hfill \\ \mathrm{a}\cdot {\mathrm{s}}_1+{\mathrm{e}}_1={\mathrm{b}}_1\hfill \\ {\mathrm{c}}_{1,2}-{\mathrm{c}}_{1,1}\cdot {\mathrm{s}}_1=\mathrm{y}+\lfloor \mathrm{q}/4\rfloor \cdot \mathrm{rdec}\left({\mathrm{p}}^{\prime }\right)\hfill \end{array}$$

  (1)

  ${\mathsf{\Pi }}_{\mathrm{Open} }=\left({\left\{{\mathrm{CMT}}_{\mathrm{i}}\right\}}_{\mathrm{i}=1}^{\mathsf{\kappa }},\mathrm{CH},{\left\{\mathrm{RSP}\right\}}_{\mathrm{i}=1}^{\mathsf{\kappa }}\right)$, where $\mathrm{CH}={\mathscr{H}}_{\mathrm{FS}}\left({\left\{{\mathrm{CMT}}_{\mathrm{i}}\right\}}_{\mathrm{i}=1}^{\mathsf{\kappa }},\mathrm{a},{\mathrm{b}}_1,\mathrm{M},\mathsf{\Sigma }, {\mathrm{p}}^{\prime }\right)\in {\{1,2,3\}}^{\mathsf{\kappa }}$.

  (5)

  Output $\left({\mathrm{p}}^{\prime },{\mathsf{\Pi }}_{\mathrm{Open}}\right)$.

• $\mathrm{Judge}\left(\mathrm{gpk},\mathrm{M},\mathsf{\Sigma }, {\mathrm{p}}^{\prime },{\mathsf{\Pi }}_{\mathrm{Open}}\right)\to 1/0$: This algorithm is used by the TM to check the validity of the signature ${\mathsf{\Pi }}_{\mathrm{Open} }$. The output is 1 for valid and 0 for invalid.
• ${\mathrm{M}}_{8\left({\mathrm{TM}}_{\mathrm{n}}\to {\mathrm{GM}}_{\mathrm{n}}\right)}:\left({\mathrm{T}}_8,{\mathrm{Respond}}_4\right)$: After executing the algorithm, ${\mathrm{TM}}_{\mathrm{n}}$ will feedback the result of whether it is a suspicious user at ${\mathrm{T}}_8$.
• Revoke: This algorithm is executed by the group administrator ${\mathrm{GM}}_{\mathrm{n}}$. When the user actively or passively leaves the trusted domain, the user will be revoked from the registration list, and a new registration list will be updated and published. If the algorithm output is 1, the revocation is successful, otherwise the output is 0.

4. Analysis of Proposed Protocol

4.1. Security Attribute Analysis

(1)

Anonymity

The scheme is based on the group signature scheme. Any group member in a trust domain can sign a message on behalf of the entire group in an anonymous manner, and the receiver does not know that the signature is signed by the group member in the group. Like other digital signatures, group signatures are publicly verifiable and can be verified using only a single group public key. Given a group signature, it is impossible for anyone other than the group administrator to know the identity of the actual signer.

(2)

Resist replay attack

The validity of the interactive message is guaranteed by the timestamp. After the message receiver receives the interactive message, it first checks whether it is valid, and then performs subsequent operations. Since the timestamp cannot be tampered with, if the attacker reuses the intercepted message, the verification will fail due to the invalid timestamp, so replay attacks can be effectively prevented.

(3)

Traceability

In the event of an argument, a group manager can open a signature to determine the identity of the actual signer, and the signer cannot prevent the opening of the signature, so it is traceable.

(4)

Privacy protection

The scheme uses a group signature scheme to hide user identity information, and does not use their real identity when interacting with other devices, and the privacy of the participants will be protected in the subsequent process. In the process of data sharing, no entity will disclose the identity information of the participants. The verifier only knows the trust domain to which the message sender belongs instead of the original identity information. The group administrator can trace the disputed membership, but the blockchain keeps information consistent, so it can effectively protect privacy.

(5)

Avoid single point of failure

The heterogeneous inter-domain scheme adopts a decentralized storage architecture. The blockchain structure composed of GM in each trust domain replaces the location of a trusted third party, ensures the consistency of information storage, builds inter-domain trust, and completes cross-domain authentication, thus effectively solving the single point of failure problem.

In addition, the dynamic cross-domain authentication scheme based on group signature proposed in this paper and other existing cross-domain authentication schemes can avoid single point of failure, efficiency, privacy protection, anonymity, traceability, and other aspects. Comparisons were made, as shown in

Table 2. A comparison of the security attribute analysis with other schemes.

Reference	Privacy Protection	Efficiency is Independent of the Number of Members	Anonymity	Traceable	Dynamic User Addition
Ref [8]	×	√	×	√	×
Ref [14]	√	√	×	×	×
Ref [20]	√	×	√	×	√
Ref [24]	√	×	√	√	×
Ref [26]	√	×	√	√	√
Ours	√	√	√	√	√

. The authentication scheme based on the group signature proposed by Yang et al. [20] could effectively solve the security problem of user identity authentication in a heterogeneous cloud environment. Zhang et al. [26] proposed a two-way anonymous traceability group authentication protocol in IoV. The RSU in the group can anonymously trace the identity of malicious vehicles and use the blockchain to quickly revoke their identity. However, the efficiency of the schemes in [20,26] was restricted by the number of group members. Zhang et al. [8] proposed a complete cross-domain authentication scheme based on blockchain. Participants from different trust domains can directly access the chain code in the blockchain, reducing the computational burden of the verification server. Wei et al. [14] proposed a cross-domain identity authentication scheme based on the identity cryptosystem on the consortium chain based on the IBC identity cryptosystem, aiming at the problem of cross-domain identity authentication when users access network services in different trust domains. However, the schemes in [8,14] are easy to leak user privacy. Tan et al. [24] proposed a pairless authentication and key management scheme for dynamic cross-domain authentication that achieved low latency and high reliability of vehicle-to-RSU transmission and ensured that vehicle privacy was not leaked, but did not achieve the traceability function.

4.2. Efficiency Analysis

We first analyzed the efficiency of the scheme described in Section 4 in terms of the security parameters. The time complexity of the group public key gpk was $\mathcal{O}\left(\lambda \cdot lo{g}^2\lambda \right)=\tilde{\mathcal{O}}\left(\lambda \right)$, the time complexity of the signature key gsk was $\mathcal{O}\left(\lambda \cdot lo{g}^2\lambda \right)=\tilde{\mathcal{O}}\left(\lambda \right)$, and the size of the signature was $\mathcal{O}\left(\lambda \cdot lo{g}^3\lambda \right)\cdot \omega \left(log\lambda \right)=\tilde{\mathcal{O}}\left(\lambda \right)$.

Table 3. A comparative analysis with the other group signature schemes.

Reference	Signature Size	Group Public Key Size	Signer’s Private Key Size	Functional
[30]	$\tilde{\mathcal{O}}\left(\mathsf{\lambda }\cdot \ell \right)$	$\tilde{\mathcal{O}}\left({\mathsf{\lambda }}^{\mathbf{2}}+\mathsf{\lambda }\cdot \ell \right)$	$\tilde{\mathcal{O}}\left(\mathsf{\lambda }\cdot \ell \right)$	Static
[31]	$\tilde{\mathcal{O}}\left(\mathsf{\lambda }\cdot \ell \right)$	$\tilde{\mathcal{O}}\left({\mathsf{\lambda }}^{\mathbf{2}}\cdot \ell \right)$	$\tilde{\mathcal{O}}\left(\mathsf{\lambda }\right)$	Partial dynamics
[32]	$\tilde{\mathcal{O}}\left(\mathsf{\lambda }\cdot \ell \right)$	$\tilde{\mathcal{O}}\left({\mathsf{\lambda }}^{\mathbf{2}}\cdot \ell \right)$	$\tilde{\mathcal{O}}\left(\mathsf{\lambda }\right)$	Dynamics
[33]	$\tilde{\mathcal{O}}\left(\mathsf{\lambda }\cdot \ell \right)$	$\tilde{\mathcal{O}}\left({\mathsf{\lambda }}^{\mathbf{2}}+\mathsf{\lambda }\cdot \ell \right)$	$\tilde{\mathcal{O}}\left(\mathsf{\lambda }\right)+\ell$	---
Ours	$\tilde{\mathcal{O}}\left(\mathsf{\lambda }\right)$	$\tilde{\mathcal{O}}\left(\mathsf{\lambda }\right)$	$\tilde{\mathcal{O}}\left(\mathsf{\lambda }\right)$	Dynamics

shows the efficiency comparison between this scheme and other group signature schemes.

4.3. Security Analysis

(1)

Correctness analysis

Specifically, for an honest user, when they sign a message on behalf of the group, they are required to be able to prove possession of a valid tuple $\xi$. The verify algorithm accepts $\Pi gs$ with probability 1. Regarding the correctness of the open algorithm, please note

$$\begin{array}{ll}{c}_{\mathbf{1},\mathbf{1}}-c_{\mathbf{1},\mathbf{2}}\cdot s_{\mathbf{1}}\hfill & =b_{\mathbf{1}}\cdot g_{\mathbf{1}}+e_{\mathbf{1},\mathbf{2}}+\lfloor q/\mathbf{4}\rfloor \cdot rdec\left(p\right)-\left(a\cdot g_{\mathbf{1}}+e_{\mathbf{1},\mathbf{1}}\right)\cdot s_{\mathbf{1}}\hfill \\ \hfill & =\left(a\cdot s_{\mathbf{1}}+e_{\mathbf{1}}\right)\cdot g_{\mathbf{1}}+e_{\mathbf{1},\mathbf{2}}+\lfloor q/\mathbf{4}\rfloor \cdot rdec\left(p\right)-\left(a\cdot g_{\mathbf{1}}+e_{\mathbf{1},\mathbf{1}}\right)\cdot s_{\mathbf{1}}\hfill \\ \hfill & =e_{\mathbf{1}}\cdot g_{\mathbf{1}}+e_{\mathbf{1},\mathbf{2}}-e_{\mathbf{1},\mathbf{1}}\cdot s_{\mathbf{1}}+\lfloor q/\mathbf{4}\rfloor \cdot rdec\left(p\right)\hfill \end{array}$$

Among them $\Vert e_{\mathbf{1}}\Vert {}_{\mathbf{\infty }}\le B,\Vert s_{\mathbf{1}}\Vert {}_{\mathbf{\infty }}\le B,\Vert g_{\mathbf{1}}\Vert {}_{\mathbf{\infty }}\le B,\Vert e_{\mathbf{1},\mathbf{1}}\Vert {}_{\mathbf{\infty }}\le B,\Vert e_{\mathbf{1},\mathbf{2}}\Vert {}_{\mathbf{\infty }}\le B.$ For $B=\tilde{\mathcal{O}}\left(n^{\mathbf{5}/\mathbf{4}}\right)$ and $q=\tilde{\mathcal{O}}\left(n^{\mathbf{4}}\right)$,

Therefore,

$$\Vert e_{\mathbf{1}}\cdot g_{\mathbf{1}}+e_{\mathbf{1},\mathbf{2}}-e_{\mathbf{1},\mathbf{1}}\cdot s_{\mathbf{1}}{\Vert }_{\mathbf{\infty }}\le \mathbf{2}n\cdot B^{\mathbf{2}}+B=\tilde{\mathcal{O}}\left(n^{\mathbf{3.5}}\right)\le \lceil \frac{q}{\mathbf{10}}\rceil =\tilde{\mathcal{O}}\left(n^{\mathbf{4}}\right)$$

In the case of probability 1, the open algorithm recovers rdec(p) and outputs the actual signer p. Therefore, the GM can identify the signer of the signature, thus guaranteeing the correctness of the open algorithm.

When the TM correctly restores rdec(p) and p, it also has a valid tuple (s1, e1, y) that satisfies the condition in (1). Then, Πopen is generated according to the perfect completeness of the demonstration system, and the TM will accept the open result output by the GM, so the correctness of the judge algorithm is established.

(2)

Security analysis

Theorem 1.

Under the random oracle model, under the assumptions of RLWE and RSIS, it is proven that the proposed dynamic cross-domain authentication scheme based on group signature satisfies traceability.

In the random oracle model, the proof of the theorem relies on the following facts:

• The zero-knowledge parameters used are simulation-sound.
• For a correctly generated user key pair$\left(\mathit{x},\mathit{p}\right)$, it is impossible to find${\mathit{x}}^{\prime }\in {\mathit{R}}_{\mathit{q}}^{\mathit{m}}$ so that $\Vert {\mathit{x}}^{\prime }{\Vert }_{\mathbf{\infty }}\le \mathbf{1},{\mathit{x}}^{\prime }\ne \mathit{x}$ and $\mathit{B}\cdot {\mathit{x}}^{\prime }=\mathit{p}$.

Proof of Theorem 1.

The proof of the theorem is proved by the lemma given below. □

Lemma 1.

Assumptions$\mathit{R}\mathit{S}\mathit{I}{\mathit{S}}_{\mathit{n},\overline{\mathit{m}},\mathit{q},\tilde{\mathcal{O}}\left({\mathit{n}}^{\mathbf{2}}\right)}^{\mathbf{\infty }}$problems are hard to solve. Then, it is proved that the given group signature scheme is traceable in the random oracle model.

Proof of Lemma 1.

We prove traceability by contradiction. Assuming that the adversary $\mathcal{A}$ succeeds with a non-negligible advantage $\mathsf{ϵ}$, we then construct a PPT algorithm $\mathcal{B}$, based on the complexity of the problem $RSI{S}_{n,\overline{m},q,\tilde{\mathcal{O}}\left(n^{\mathbf{2}}\right)}^{\mathbf{\infty }}$, which breaks the unforgeability of the signature scheme with a non-negligible probability. Then, we prove that our construction is traceable. □

When a verification key for a signature scheme is given, the simulator faithfully runs the experiments when given the verification key for the signature scheme. $ℬ$ can answer $\mathcal{A}$ all oracle queries. However, it is possible to resort to the query on the signature scheme. In both cases, the corresponding user is registered to the group. When $\mathcal{A}$ is stopped, it outputs $\left(M^{*},{\Pi }_{gs}^{*},c_{\mathbf{1}}^{*},c_{\mathbf{2}}^{*}\right)$. $\mathcal{A}$ wins the experiment with a non-negligible probability. Parse $\left({\left\{CM{T}_i^{*}\right\}}_{i=\mathbf{1}}^{\kappa },C{H}^{*},{\left\{RS{P}_i^{*}\right\}}_{i=\mathbf{1}}^{\kappa }\right)$. Let ${\xi }^{*}=\left(A,A_{\left[\mathbf{0}\right]},\dots ,A_{\left[d\right]},F,F_{\mathbf{0}},F_{\mathbf{1}},u,B,a,b_{\mathbf{1}},b_{\mathbf{2}},c_{\mathbf{1}}^{*},c_{\mathbf{2}}^{*}\right)$.

Then, $C{H}^{*}={\mathscr{H}}_{FS}\left(M^{*},{\left\{CM{T}_i^{*}\right\}}_{i=\mathbf{1}}^{\kappa },{\xi }^{*}\right)$ and $RS{P}_i^{*}$ is a valid response w.r.t. $CM{T}_i^{*}$ and for each $i\in \left[\kappa \right]$, $C{H}_i^{*}$ the fact that $\mathcal{A}$ wins and $\left({\Pi }_{gs}^{*},c_{\mathbf{1}}^{*},c_{\mathbf{2}}^{*}\right)$ is therefore a valid signature on $M^{*}$.

We think $\mathcal{A}$ made a query $\left(M^{*},{\left\{CM{T}_i^{*}\right\}}_{i=\mathbf{1}}^{\kappa },{\xi }^{*}\right)$ to the hash oracle ${\mathscr{H}}_{FS}$ with overwhelming probability. Otherwise, the probability of guessing the correct value of ${\mathscr{H}}_{FS}\left(M^{*},{\left\{CM{T}_i^{*}\right\}}_{i=\mathbf{1}}^{\kappa },{\xi }^{*}\right)$ is at most ${\mathbf{3}}^{-\kappa }$, which is negligible. Therefore, there is a probability of ${\mathsf{ϵ}}^{\prime }=\mathsf{ϵ}-{\mathbf{3}}^{-\kappa }$ querying ${\mathscr{H}}_{FS}$. ${\theta }^{*}\in \left\{\mathbf{1},\mathbf{2},\dots ,Q_H\right\}$ is the index for a particular query, where $Q_H$ is the total number of hash queries $\mathcal{A}$ made.

The algorithm $ℬ$ is then run at most $\mathbf{32}\cdot Q_H/{\mathsf{ϵ}}^{\prime }$ times. For each new run, it is exactly the same as the original run until the ${\theta }^{*}$th query of ${\mathscr{H}}_{FS}$. From this point of view, for each new run, the returned hash query has uniformly random and independent values. This guarantees that the input to the ${\theta }^{*}$th query is a tuple $\left(M^{*},{\left\{CM{T}_i^{*}\right\}}_{i=\mathbf{1}}^{\kappa },{\xi }^{*}\right)$ for each new run, while the output of this hash query is consistently random and independent for each new run. Thus, the same tuple with pairwise distinct hash values $C{H}_{{\theta }^{*}}^{\left(\mathbf{1}\right)},C{H}_{{\theta }^{*}}^{\left(\mathbf{2}\right)},C{H}_{{\theta }^{*}}^{\left(\mathbf{3}\right)}\in {\{\mathbf{1},\mathbf{2},\mathbf{3}\}}^{\kappa }$ and corresponding valid responses $RS{P}_{{\theta }^{*},j}^{\left(\mathbf{1}\right)},RS{P}_{{\theta }^{*},j}^{\left(\mathbf{2}\right)},RS{P}_{{\theta }^{*},j}^{\left(\mathbf{3}\right)}$ are obtained with greater than or equal to probability $\mathbf{1}/\mathbf{2}$. A simple calculation shows that there is a probability $\mathbf{1}-{\left(\frac{\mathbf{7}}{\mathbf{9}}\right)}^{\kappa },$ proof that for each $j\in$ $\left\{\mathbf{1},\mathbf{2},\dots ,\kappa \right\}$, there is $\left\{C{H}_{{\theta }^{*},j}^{\left(\mathbf{1}\right)},C{H}_{{\theta }^{*},j}^{\left(\mathbf{2}\right)},C{H}_{{\theta }^{*},j}^{\left(\mathbf{3}\right)}\right\}=\left\{\mathbf{1},\mathbf{2},\mathbf{3}\right\}$.

Therefore, for all challenges $\mathbf{1},\mathbf{2},\mathbf{3}$ w.r.t. the same $CM{T}_j^{*}$, there are three valid responses $RS{P}_{{\theta }^{*},j}^{\left(\mathbf{1}\right)},RS{P}_{{\theta }^{*},j}^{\left(\mathbf{2}\right)},RS{P}_{{\theta }^{*},j}^{\left(\mathbf{3}\right)}$. $ℬ$ is able to extract witnesses due to $COM$ being computationally binding

$$t^{*}\in {\mathcal{T}}_d;r^{*}\in R_q^{\overline{m}};v^{*}\in R_q^{\overline{m}+k};p^{*}\in R_q^{\ell },$$

make $\Vert r^{*}\Vert {}_{\mathbf{\infty }}\le \beta ,\Vert v^{*}\Vert {}_{\mathbf{\infty }}\le \beta ,\Vert p^{*}\Vert {}_{\mathbf{\infty }}\le \mathbf{1}$ and

$$A_{t^{*}}\cdot v^{*}=F\cdot rdec\left(F_{\mathbf{0}}\cdot r^{*}+F_{\mathbf{1}}\cdot p^{*}\right)+u,$$

$c_{\mathbf{1}}^{*},c_{\mathbf{2}}^{*}$ are the correct encryption of $p^{*}$.

As a result of $\mathcal{A}$ winning the competition, we either have (i) the open algorithm output $\left(\perp ,\perp \right),$ or (ii) the open algorithm output $\left(p^{\prime },{\Pi }_{open}^{*}\right)$, $p^{\prime }\ne \perp$, but the judge algorithm rejects the open result.

Case (i), if $c_{\mathbf{1}}^{*}$ is decrypted as $p^{\prime }$ and $p^{\prime }\in R_q$ so that $\tau \left(p^{\prime }\right)=$ $H\cdot \tau \left(p^{\prime }\right)\in {\mathbb{Z}}_q^n$, $p^{\prime }$ is not in the registry. From the decryption, we know that $p^{*}$ will be decrypted by the correctness of our encryption scheme. Therefore, the middle open result is $p^{\prime }$ = $p^{*}$. On the other hand, the fact that $p^{\prime }$ is not in the registry means that the group is not joined. All in all, $ℬ$ without querying the signature on $p^{\prime }$ and extracting the signature $\left(t^{*},r^{*},v^{*}\right)$ on $p^{\prime }$, making $\tau \left(p^{\prime }\right)=H\cdot \tau \left(p^{\prime }\right)$. Hence $\left(p^{*},t^{*},r^{*},v^{*}\right)$ is a valid forgery of the signature scheme.

Case (ii), if $c_{\mathbf{1}}^{*}$ is decrypted as $p^{\prime }$ and $p^{\prime }\in R_q$ makes $\tau \left(p^{\prime }\right)=H\cdot \tau \left(p^{\prime }\right)\in {\mathbb{Z}}_q^n$, $p^{\prime }$ is in the registry and ${\Pi }_{\mathrm{open} }^{*}$ is not accepted by the judge algorithm. From decryption, we know that $p^{*}$ will be decrypted by the correctness of our encryption scheme. Hence, the middle open result is $p^{\prime }=p^{*}$. On the other hand, we think $rdec\left(p^{\prime }\right)\ne p^{\prime }=p^{*}$. Otherwise, $dec\left(p^{\prime }\right)=p^{\prime }=p^{*}$, $ℬ$ has a valid proof to generate ${\Pi }_{open}^{*}$. Due to the perfect completeness generated by the underlying argument system, it will be accepted by the judge algorithm with probability 1. This is contradictory, so we obtain $rdec\left(p^{\prime }\right)\ne p^{\prime }=p^{*}$. Recall that in the join algorithm, the issuer only generates signatures on $rdec\left(p^{\prime }\right)$. Therefore, only the signatures on $rdec\left(p^{\prime }\right)$ are queried, so $\left(p^{*},t^{*},r^{*},v^{*}\right)$ is a valid forgery of the signature scheme.

Therefore, the unforgeability $\frac{\mathbf{1}}{\mathbf{2}}\cdot \left(\mathsf{ϵ}-{\mathbf{3}}^{-\kappa }\right)\left(\mathbf{1}-{\left(\frac{\mathbf{7}}{\mathbf{9}}\right)}^{\kappa }\right)$ of the signature scheme is broken at least with a non-negligible probability, and the proof is complete.

Discussion and limitation. This paper used blockchain distributed ledger storage to achieve cross domain authentication between trust domains and can be applied to the distributed power grid management scenarios for production consumers mentioned in [34] such as mutual authentication between different communities. However, traditional blockchain technology requires miners’ nodes to have strong computing power and sufficient storage space to ensure the consensus and tamper resistance of transaction ledgers across the entire network, which limits resource constrained devices (such as power grid nodes) from joining the blockchain. Therefore, our future work is to utilize lightweight blockchain technology to achieve cross domain authentication.

5. Conclusions

Aiming at the privacy protection of cross-domain authentication between different authentication mechanisms in the IoT environment, this paper proposed a dynamic cross-domain authentication scheme by using group signature technology and the distributed peer-to-peer network architecture of blockchain technology, and proved the security of the protocol under the random oracle model. The analysis shows that the protocol was proven to be secure in the random oracle model, and the size of the signature generated by the scheme was independent of the number of group members N and only depended on the security parameters λ. It effectively improved the operation efficiency of the protocol and proved that the scheme has good security and effectiveness. In the future, we will focus on using lightweight blockchain for dynamic cross-domain authentication in IoT.