A Post-Quantum Cross-Domain Authentication Scheme Based on Multi-Chain Architecture

Yi-Bo Cao ,Xiu-Bo Chen ,Yun-Feng He ,Lu-Xi Liu ,Yin-Mei Che ,Xiao Wang ,Ke Xiao,Gang Xu and Si-Yi Chen

1Information Security Center,State Key Laboratory of Networking and Switching Technology,Beijing University of Posts and Telecommunications,Beijing,100876,China

2Information Center of China North Industries Group Corporation,Beijing,100089,China

3School of Information Science and Technology,North China University of Technology,Beijing,100144,China

ABSTRACT Due to the rapid advancements in network technology,blockchain is being employed for distributed data storage.In the Internet of Things(IoT)scenario,different participants manage multiple blockchains located in different trust domains,which has resulted in the extensive development of cross-domain authentication techniques.However,the emergence of many attackers equipped with quantum computers has the potential to launch quantum computing attacks against cross-domain authentication schemes based on traditional cryptography,posing a significant security threat.In response to the aforementioned challenges,our paper demonstrates a post-quantum crossdomain identity authentication scheme to negotiate the session key used in the cross-chain asset exchange process.Firstly,our paper designs the hiding and recovery process of user identity index based on lattice cryptography and introduces the identity-based signature from lattice to construct a post-quantum cross-domain authentication scheme.Secondly,our paper utilizes the hashed time-locked contract to achieves the cross-chain asset exchange of blockchain nodes in different trust domains.Furthermore,the security analysis reduces the security of the identity index and signature to Learning With Errors (LWE) and Short Integer Solution (SIS) assumption,respectively,indicating that our scheme has post-quantum security.Last but not least,through comparison analysis,we display that our scheme is efficient compared with the cross-domain authentication scheme based on traditional cryptography.

KEYWORDS Cross-domain identity authentication;lattice-based cryptography;blockchain;hashed time-locked contract

1 Introduction

With the acceleration of informatization,the volume of data on the network is increasing exponentially,and how to securely and efficiently share data has become an urgent issue.Blockchain technology offers an excellent solution to this problem.Due to its decentralized,tamper-proof,and traceable characteristics,it has gained favor among many researchers in data sharing [1–5] and data protection [6–8].In IoT scenarios,the introduction of blockchain enables many entities from different industries to jointly participate in data management,which improve the data reliability and shareability.Since different participants may maintain multiple blockchains,there is a requirement to enable the exchange of asset and value data among different blockchains within multi-chain environments.

Cross-chain technology plays a vital role in achieving interoperability among different blockchains,which primarily encompasses notary technology,side chain/relay technology,distributed private key control,and hashed time-locked contract (HTLC).However,notary technology exhibits a strong centralized feature,rendering the entire system non-distributed.Side chain/relay technology necessitates the introduction of a blockchain cross-chain network,which can be challenging to implement.Distributed private key control technology can result in transaction delays,significantly increasing communication consumption.On the other hand,HTLC,originally derived from the lightning network [9],offers a straightforward implementation,quick response,and the ability to facilitate asset exchanges between different blockchains without the involvement of an additional party.This characteristic has garnered substantial attention from researchers.Mohanty et al.[10]introduced a secure payment channel protocol,named New Hashed Time-Locked Contract (n-HTLC),which does not require the sender to send messages to each intermediate user along the payment route.In 2022,Shamili et al.[11] proposed an off-chain hash time lock commitment called the Federation Payment Tree (FPT),which employed a payment channel to provide a zeroknowledge hash lock commitment and allowed interaction between parties without a consensus protocol.Monika et al.[12] proposed a swap scheme between blockchains through HTLC and calculated the time-lock equations based on the confirmation time of the probabilistic blockchain.To address the inefficiencies associated with multiple participants exchanging tokens between blockchains simultaneously,Barbàra et al.[13] introduced MP-HTLC,demonstrating that the number of transactions remains independent of the number of participants on the UTXO blockchain.Subsequently,Wadhwa et al.[14] proposed a lightweight HTLC scheme called He-HTLC,which is inert to stimulus manipulation attacks and has excellent security.

In real-world scenarios,asset exchanges may involve entities located in different trust domains.Blockchain nodes from a foreign domain can access entities only after passing identity authentication by the authentication server in the local domain.This setup prevents blockchain nodes from different domains from interacting directly.To address these challenges,cross-domain authentication has emerged,enabling identity authentication of entities in distinct trust domains through various cryptographic primitives and facilitating session key negotiation to ensure entity identity credibility and communication confidentiality.Existing cross-domain authentication schemes primarily fall into three categories: based on symmetric cryptography,public key infrastructure (PKI),and identity cryptography.Numerous researchers have developed cross-domain authentication schemes using these cryptographic primitives.For instance,Sirbu et al.[15] proposed a cross-domain authentication scheme using public key cryptography to encrypt identity information.Liu et al.[16] integrated the ElGamal algorithm into a cross-domain authentication protocol,enabling key negotiation between participants.Zhang et al.[17] established a cross-domain authentication protocol based on PKI architecture by introducing an elliptic curve digital signature algorithm.Furthermore,identity-based cross-domain authentication schemes have gained prominence due to their ability to effectively reduce certificate management overhead,and several identity-based cross-domain authentication protocols have been developed.Peng [18] introduced an identity-based multi-trust domain authentication model,analyzing the security and anonymity of the identity authentication process.Luo et al.[19]implemented an identity-based cross-domain authentication scheme incorporating an elliptic curve signature,thereby achieving user identity anonymity.More recently,Wei et al.[20]applied blockchain certificate authority (BCCA) in each domain as nodes in consortium blockchain to realize crossdomain authentication.Zhou et al.[21]proposed an authentication scheme employing identity-based encryption and secret sharing,suitable for deployment on public channels within virtual enterprises.In the Industrial Internet of Things (IIoT),Cui et al.[22] introduced an anonymous cross-domain authentication scheme,which improves authentication efficiency while meeting traceability,scalability,forward privacy,and identity anonymity requirements.

In the aforementioned scenario,cross-domain identity authentication of blockchain nodes is an indispensable component before performing cross-chain asset exchange based on HTLC between blockchains located in different trusted domains.As is widely recognized,the reliability of crossdomain authentication schemes primarily depends on the security of cryptographic algorithms.However,the advent of quantum computers has introduced a significant threat to traditional cryptography,as the Shor algorithm[23]can solve the discrete logarithm problem in probabilistic polynomial time(PPT).This poses a grave challenge to the security of traditional cryptographic methods,and the trustworthiness of cross-domain authentication schemes is no longer assured.Researchers have delved into the post-quantum cryptography as a response to this threat.Among these endeavors,latticebased cryptography has emerged as the leading post-quantum cryptographic algorithm due to its rapid operational efficiency.Various researchers have devised lattice-based cryptosystems to withstand quantum computing attacks.For instance,Rückert[24]created the first identity-based signature using lattice techniques,which exhibited strong unforgeability in the standard model.In 2014,Tian et al.[25]developed an innovative identity-based signature scheme over lattice,with security grounded in the SIS hardness assumption.In this scheme,we apply lattice-based cryptography to construct a crossdomain identity authentication scheme with post-quantum security,realize the cross-domain identity authentication of access nodes in the multi-chain architecture,and utilize the hashed time-locked contract to complete the cross-chain asset exchange between domains.

To sum up,the contribution of our paper is described as follows:

(1) This paper constructs a post-quantum secure cross-domain identity authentication scheme based on the multi-chain architecture,improves the traditional cross-domain authentication and applies the cross-chain technology based on HTLC,to achieve the identity authentication of crossdomain access nodes in the multi-chain architecture and the cross-chain asset exchange of nodes in different trust domains.

(2)This paper designs the hiding and recovery of the identity index based on lattice cryptography and introduces the identity-based signature on lattice in[25],which is used for the authentication server to check the identity of nodes,ensures the security and reliability of the cross-domain authentication process,and can resist quantum computing attacks.

(3) In security analysis,the IND-CPA of the identity index and the unforgeability of signature can be reduced to Learning With Errors (LWE) and Short Integer Solution (SIS) assumption,respectively.This scheme is efficient in terms of operation number and time consumption of the user and authentication server compared with other cross-domain authentication schemes through the comparison analysis.

2 Preliminary

2.1 Lattice

Definition 1(Lattice):GivenA=(a1|a2|...|am)∈Zn×mis an×m-dimension matrix containingnlinearly independent vectorsa1,a2,...,am∈Zn.Then-dimension lattice Λ is generated by A,expressed as:

where A is called the basis of Λ.

Definition 2(Full-rank integer lattice):Given a matrix A ∈Zn×m,whereqis a prime,mandnis a positive integer,define the full-rank lattice generated by A:

2.2 Discrete Gaussian Distribution

2.3 Hardness Assumption on Lattice

2.4 The Trapdoor and Sampling Lemma on Lattice

2.5 Rejection Sampling

To output a signature independent of the secret key,we introduce the Rejection Sampling technique.Letkis the secret key of the signer,yis selected from a random distribution,sis the candidate signature computed byyadding to the function ofk,fis the distribution of outputted signature,gis the distribution of candidate signature.For allxandM >0,iff(x)≤Mg(x),the candidate signature is outputted with probability.According to[28],the expected number of times to generate a valid signature isM.

3 System Model and Security Model

3.1 System Model

Fig.1 shows the specific process of our scheme by taking the entity interaction between two domains as an example.In this example,we assume that domain A is the local domain and domain B is the external domain.The entities of each domain include an authentication server,private key generation center,and blockchain.The functions of each entity are as follows:

(1)Authentication server(AS):AS is responsible for the identity registration and identity authentication of the blockchain nodes in the local domain,and maintains the identity list of the local domain.AS has its identity information that is exposed to each domain.The private key can be obtained from the private key generation center of the local domain.When an access request is made by a node in the foreign domain,the AS will send a request for assistance to the foreign AS.When the local AS receives the assistance authentication request from the foreign domain,it will authenticate the identity of the local node and return the authentication results to the foreign AS.In this scheme,the authentication server of domain A is referred to as AS1,and the authentication server of domain B is referred to as AS2.

(2)Private key generation center(PKG):PKG is responsible for generating the private key of the local AS and blockchain node.After receiving the identity information of the AS or blockchain node,the private key corresponding to this identity information is calculated and returned.In this scheme,the private key generation center of domain A is called PKG1for short,and the private key generation center of domain B is called PKG2.

(3)Blockchain:Blockchain is a decentralized network composed of many nodes,and this scheme adopts a consortium blockchain based on Hyperledger Fabric.The blockchain node has its identity information.It can obtain the private key from PKG of the local domain,complete the identity registration with the local AS,submit a cross-domain access request to the foreign AS,and exchange cross-chain assets based on HTLC with the foreign blockchain node after the identity authentication is successful.Smart contracts can automatically execute function codes and provide interfaces and function encapsulation for HTLC.In this scheme,the blockchain of domain A is referred to as blockchain A,and the blockchain of domain B is referred to as blockchain B.

Figure 1:System architecture

3.2 Security Model

The IND-CPA secure of a post-quantum secure cross-domain identity authentication scheme is defined as a series of games between challenger C and adversary A as follows:

(1)Setup:Challenger C executes the System initialization algorithm and generates public parametersppto send to adversary A.

(2)Phase 1:In this phase,adversary A can conductH2and private key inquiries with challenger C,and C visits theH2queryoraclePrivate key queryoracle and returns the results to A.

H2query: Adversary A queriesH2(IDi)corresponding to identity IDifori-th query,while challenger C maintains the query listLand calculatesH2(IDi)to return to A.

Private key query: Adversary A queriescorresponding to identity IDifori-th query,while challenger C maintains the query listLand calculatesto return to A.

(3)Challenge:Adversary A selects∈{0,1}mand sends it to challenger C.Then,C selectsξ∈{0,1}and calculates(R0?,R1?)corresponding to.Finally,C sends(R0?,R1?)to A.

(4)Phase 2:Adversary A acquires the private key exceptQ?through calling the Private key query oracle.

(5)Guess: After receiving(R0?,R1?),adversary A selects a bitξ?∈{0,1},and wins this game ifξ?=ξ.

Moreover,the advantage of adversary A breaking our scheme is defined as:

Definition 6(The IND-CPA security of a post-quantum secure cross-domain identity authentication scheme):Assuming that a post-quantum secure cross-domain identity authentication scheme is INDCPA secure,if and only if the advantageis negligible for any PPT adversary A.

4 Our Proposed Scheme

Assume that domain A is the local domain and domain B is the external domain.Node AN1of blockchain A makes a cross-domain access request to domain B and wants to exchange cross-chain assets with node BN1of blockchain B.Moreover,AS1and AS2are honest and credible,and there is a secure and confidential channel between them.The specific process of our scheme is described as follows.

4.1 System Initialization

This section is responsible for creating the functions required for cross-chain in the blockchain smart contract,and setting the public parameters in the cross-domain process.

(1)Blockchain initialization: Blockchain in each domain deploys smart contracts and creates corresponding functions for cross-chain asset exchange of nodes.Smart contracts can automatically execute the created functions without human intervention.

4.2 Private Key Generation

In this section,PKG generates private keys for authentication servers and blockchain nodes.

4.3 Registration

In this section,the blockchain nodes in each domain interact with AS in the local domain to generate the identity index and add it to the identity list.

Similarly,domain B blockchain node BN1can also interact with AS2and register identity.

4.4 Identity Authentication

In this section,the blockchain node in the local domain makes a cross-domain request and sends it to the foreign domain AS.The foreign domain AS requests the local domain AS to assist in authenticating the node’s identity and negotiating the session key.

4.5 Cross-Chain Asset Exchange

After the cross-domain access request is allowed,the blockchain nodes in the local domain and the foreign domain conduct cross-chain asset exchange between domains based on HTLC.

(1)Cross-chain preparation: After receiving the messagefrom AS2,AN1calculates the session keyand decrypts.IfT4is timely,AN1knows that the identity authentication is successful and can exchange cross-chain assets with BN1.At the same time,after receiving the message{IDBN1,Cross-chain Asset Exchange,SHA256}from AS2,BN1is ready for asset exchange.

(2)Cross-chain asset exchange between domains: As shown in Fig.2,firstly,AN1generateshrandomly,calculates its hash valueH=SHA256(h),and sends it to BN1through the cross-domain channel.Secondly,AN1selects the timet1and uses the hash valueHand timet1to lock the assetato be exchanged,and BN1selects the timet2such thatt2

(3)Timeout asset return:As shown in Fig.2,if one of the two nodes fails to unlock the assets within the specified time,the smart contract will return the assets to the nodes in the respective domain.

5 Security Analysis

5.1 Correctness

In this paper,the correctness of the cross-domain identity authentication scheme depends on the correctness of signature verification and identity index recovery described in Eqs.(5) and (6),respectively.

The correctness of signature verification:

The correctness of identity index recovery:

As described in[27],each component of the vectorx-skASTxis less than.Consequently,each bit of the identity indexIANcan be recovered correctly.

Figure 2:The cross-chain asset exchange process of our scheme

5.2 The Unforgeability of the Signature Process

Theorem 1Assuming that an adversary A can break the unforgeability of the signature process in polynomial time,a challenger C is executing a PPT algorithm that can break the SIS assumption.

Analysis: To sign the cross-domain message in our scheme,we introduce the identity-based signature algorithm from lattice in [25].The detailed proof ofTheorem 4in [25] has demonstrated that this algorithm can achieve the unforgeability under adaptive chosen message and identity attacks in the random oracle model,which can be reduced to SIS assumption.

Consequently,the signature process in our scheme is unforgeable and post-quantum secure to ensure the authenticity and credibility of identity in quantum computing circumstances.

5.3 The IND-CPA of the Hiding and Recovery of Identity Index

Theorem 2Assuming that adversary A can break the IND-CPA security of the hiding and recovery of identity index in polynomial time,challenger C is executing a PPT algorithm that can break the LWE assumption.

Proof:Let adversary A have a non-negligible advantageεto break the IND-CPA security of the hiding and recovery of identity index.Fori=0,1,...,m,ui∈andx←χ,challenger C maintains a series of LWE instances,named（ui,R0,i）such thatR0,i=uiTs+x.After that,challenger C and adversary A interact according to the IND-CPA game described in Section 3.2.

(1)Setup:Challenger C executes TrapGen algorithm inSystem initializationto obtain the matrixA=(u1,u2,...,um)and basisB∈of Λ(A),and definesH1:×{0,1}?→{-1,0,1}m,H2: {0,1}?→,H3: {0,1}?×Zm×m→{0,1}m,andH4: {0,1}m→{0,1}κ.Then,C sends the public parameterspp={A,H1,H2,H3,H4}to adversary A.

(2)Phase 1:In this phase,adversary A can conductH2and private key inquiries with challenger C,and C visits theH2queryoraclePrivate key queryoracle and returns the results to A.

(4)Phase 2:Adversary A acquires the private key through calling thePrivate key query,and cannot query about the private keys corresponding to ID0and ID1.

(5)Guess: After receiving(R0?,R1?),adversary A selects a bitξ?∈{0,1}.Ifξ?=ξ,A wins this game.

Analysis:If（ui,R0,i）is a solution of LWE assumption,(R0?,R1?)is calculated as follows:

Obviously,(R0?,R1?)is valid,and for adversary A,the probability that adversary A outputsξ?=ξis Pr[ξ?=ξ]=+ε.If(R0?,R1?)is selected randomly,the probability that A outputsξ?=ξis Pr[ξ?=ξ]=.Consequently,the advantage that adversary A makes correct judgment is:

Considering the successful execution of the IND-CPA game,the advantage of solving the LWE assumption is,which is negligible for adversary A.

To sum up,the hiding and recovery of the identity index in our scheme has IND-CPA security,making the cross-domain identity authentication process secure and reliable in quantum scenarios.

6 Comparison Analysis

Table 1 compares the security features of references[19,20,29,30]and our scheme.Resistance to counterfeit attacks means that the authentication server in each domain can verify the identity of the node and the authentication server in the foreign domain to avoid the attack of the fake user on the system.Resistance to replay attacks means that the message is verified to be timely by introducing a timestamp in the message to avoid the replay attack of the attacker.Post-quantum computing attacks refer to a cross-domain authentication scheme based on post-quantum cryptography to avoid quantum computing attacks launched by attackers equipped with quantum computers.To sum up,the lattice-based cross-domain authentication scheme proposed in our paper meets the above three security characteristics,and the unforgeability of signature and the IND-CPA security of identity index is reduced to SIS and LWE assumptions,respectively.

Table 1:Feature comparison with other cross-domain authentication schemes

In Table 2,many notations in our scheme are defined.Table 3 defines the symbol and meaning of the operation,and compares the operation number of the key generation,signature process,and verification process of our scheme with[19,20,29].It is evident that our scheme has fewer operation number than [19,20] and [29] in the aforementioned three areas.After that,Table 4 compares this scheme with[20]and[30]in terms of the user and authentication server time consumption.Our scheme realizes cross-domain identity authentication through the interaction of authentication servers in the local domain and the foreign domain.Therefore,the time consumption of the authentication server is divided into the local domain authentication server (AS1) and the foreign domain authentication server(AS2).Obviously,the operation designed in our scheme is mainly the multiplication of matrices,and its efficiency is much higher than the pairing operation on groups in[20]and[30].

Table 2:Symbol definition

Table 3:The comparison of operation number

Table 4:The comparison of time consumption of the user and authentication server

7 Conclusion

To solve the problem of entity authentication between domains,we propose a post-quantum crossdomain authentication scheme by designing the transmission and recovery process of the identity index based on lattice cryptography and introducing the identity-based signature from lattice in our scheme.In addition,we apply HTLC to realize the cross-chain asset exchange between blockchain nodes in different trust domains.Moreover,security analysis shows that our scheme meets the correctness,unforgeability of signatures,and IND-CPA security for identity index under quantum computing.Finally,comparison analysis shows that our scheme can resist counterfeit attacks and replay attacks,and is more efficient in terms of operation number and time consumption of the user and authentication server compared to many schemes based on traditional cryptography.

Acknowledgement:All authors would like to thank the anonymous reviewers for their constructive suggestions,which improve the quality of this work.

Funding Statement:This work was supported by the Defense Industrial Technology Development Program(Grant No.JCKY2021208B036).

Author Contributions:The authors confirm contribution to the paper as follows:study conception and design:Yi-Bo Cao,Xiu-Bo Chen;security proofs:Yi-Bo Cao,Gang Xu;analysis and interpretation of results:Yi-Bo Cao,Si-Yi Chen;draft manuscript preparation:Yun-Feng He,Lu-Xi Liu,Yin-Mei Che,Xiao Wang,Ke Xiao.All authors reviewed the results and approved the final version of the manuscript.

Availability of Data and Materials:Not applicable.

Conflicts of Interest:The authors declare that they have no conflicts of interest to report regarding the present study.