基于区块链的隐私保护跨域认证协议

doi:10.3969/j.issn.1671-1122.2025.12.010

摘要/Abstract

摘要：

在物联网环境下，跨域认证面临隐私保护不足和依赖可信第三方等问题。为应对这些挑战，文章提出基于区块链的隐私保护跨域认证协议。在区块链技术的支持下，该协议实现了不同参数域实体之间的身份认证与密钥交换，同时有效减轻了服务器和用户端的性能负担。具体而言，用户的生物特征向量经过模糊提取器生成秘密值，结合格加密技术计算密钥，从而在保护用户生物特征隐私的同时完成隐式身份认证。此外，用户在跨域访问过程中生成的伪身份、公钥及各信任域的公共参数被上传至区块链，以确保协议参与方验证结果的正确性和行为的不可抵赖性。在随机预言模型下，基于判定性Learning with Error困难问题和离散对数难题，证明了该协议能够抵抗多项式敌手攻击。与同类协议相比，文章所提协议能够较好地兼容现有安全机制，并具有较低的计算与通信开销，从而为跨域认证提供一种高效且安全的解决方案。

关键词: 生物特征认证, 隐私保护, 区块链, 跨域认证

Abstract:

In the Internet of things environment, cross-domain authentication faces the problems of privacy protection and reliance on a trusted third party. To address these challenges, a blockchain-based privacy-preserving cross-domain authentication protocol was proposed. With the support of blockchain technology, this protocol realized identity authentication and key exchange between entities in different parameter domains, and effectively reduced the performance burden of the server and the user. Specifically, the user’s biometric vector was generated by the fuzzy extractor to generate a secret value, and the key was calculated by combining the lattice encryption technology, so as to complete the implicit identity authentication while protecting the user’s biometric privacy. In addition, the pseudo-identity, public key and public parameters of each trust domain generated by the user in the process of cross-domain access were uploaded to the blockchain to ensure the correctness of the verification results and the non-repudiation of the behavior of the participants in the protocol. In the random oracle model, based on the decisional learning with error problem and the discrete logarithm problem, the semantic security of the protocol under the polynomial adversary ability was proved. Compared with the similar protocols, the proposed protocol is compatible with the existing security mechanisms, and has low computation and communication overhead, thus providing a new solution for cross-domain authentication with high efficiency and security.

Key words: biometric authentication, privacy preserving, blockchain, cross-domain authentication

中图分类号:

TP309

张观平, 魏福山, 陈熹, 顾纯祥. 基于区块链的隐私保护跨域认证协议[J]. 信息网络安全, 2025, 25(12): 1948-1960.

ZHANG Guanping, WEI Fushan, CHEN Xi, GU Chunxiang. Blockchain-Based Privacy-Preserving Cross-Domain Authentication Protocol[J]. Netinfo Security, 2025, 25(12): 1948-1960.

图/表 10

图1

图2

表1

图3

图4

表2

表3

表4

图5

表5

参考文献 25

[1]	SHAMIR A. Identity-Based Cryptosystems and Signature Schemes[C]// Springer. Advances in Cryptology-CRYPTO 1984. Heidelberg:Springer, 1984: 47-53.
[2]	BONEH D, FRANKLIN M. Identity-Based Encryption from the Weil Pairing[C]// Springer. Advances in Cryptology-CRYPTO 2001. Heidelberg: Springer, 2001: 213-229.
[3]	HORWITZ J, LYNN B. Toward Hierarchical Identity-Based Encryption[C]// Springer. Advances in Cryptology-EUROCRYPT 2002. Heidelberg: Springer, 2002: 466-481.
[4]	AL-RIYAMI S S, PATERSON K G. Certificateless Public Key Cryptography[C]// Springer. Advances in Cryptology -ASIACRYPT 2003. Heidelberg: Springer, 2003: 452-473.
[5]	SHEN Meng, LIU Huisen, ZHU Liehuang, et al. Blockchain-Assisted Secure Device Authentication for Cross-Domain Industrial IoT[J]. IEEE Journal on Selected Areas in Communications, 2020, 38(5): 942-954. doi: 10.1109/JSAC.49 URL
[6]	CHEN Jing, ZHAN Zeyi, HE Kun, et al. XAuth: Efficient Privacy-Preserving Cross-Domain Authentication[J]. IEEE Transactions on Dependable and Secure Computing, 2021, 19(5): 3301-3311. doi: 10.1109/TDSC.2021.3092375 URL
[7]	WANG Linjie, TIAN Youliang, ZHANG Duo. Toward Cross-Domain Dynamic Accumulator Authentication Based on Blockchain in Internet of Things[J]. IEEE Transactions on Industrial Informatics, 2022, 18(4): 2858-2867. doi: 10.1109/TII.2021.3116049 URL
[8]	TONG Fei, CHEN Xing, WANG Kaiming, et al. CCAP: A Complete Cross-Domain Authentication Based on Blockchain for Internet of Things[J]. IEEE Transactions on Information Forensics and Security, 2022, 17: 3789-3800. doi: 10.1109/TIFS.2022.3214733 URL
[9]	CUI Jie, LIU Nan, ZHANG Qingyang, et al. Efficient and Anonymous Cross-Domain Authentication for IIoT Based on Blockchain[J]. IEEE Transactions on Network Science and Engineering, 2022, 10(2): 899-910. doi: 10.1109/TNSE.2022.3224453 URL
[10]	LIU Yizhong, LIU Andi, XIA Yu, et al. A Blockchain-Based Cross-Domain Authentication Management System for IoT Devices[J]. IEEE Transactions on Network Science and Engineering, 2023, 11(1): 115-127. doi: 10.1109/TNSE.2023.3292624 URL
[11]	WANG Fengqun, CUI Jie, ZHANG Qingyang, et al. Blockchain-Based Lightweight Message Authentication for Edge-Assisted Cross-Domain Industrial Internet of Things[J]. IEEE Transactions on Dependable and Secure Computing, 2023, 21(4): 1587-1604. doi: 10.1109/TDSC.2023.3285800 URL
[12]	SU Yuan, WANG Yuheng, LI Jiliang, et al. Oracle Based Privacy-Preserving Cross-Domain Authentication Scheme[J]. IEEE Transactions on Sustainable Computing, 2024, 9(4): 602-614. doi: 10.1109/TSUSC.2024.3350343 URL
[13]	WANG Mei, HE Kun, CHEN Jing, et al. Biometrics-Authenticated Key Exchange for Secure Messaging[C]// ACM. 2021 ACM SIGSAC Conference on Computer and Communications Security. New York: ACM, 2021: 2618-2631.
[14]	WU Yongdong, WENG Jian, WANG Zhengxia, et al. Attacks and Countermeasures on Privacy-Preserving Biometric Authentication Schemes[J]. IEEE Transactions on Dependable and Secure Computing, 2023, 20(2): 1744-1755. doi: 10.1109/TDSC.2022.3162623 URL
[15]	NANDAKUMAR K, JAIN A K. Biometric Template Protection: Bridging the Performance Gap between Theory and Practice[J]. IEEE Signal Processing Magazine, 2015, 32(5): 88-100.
[16]	DAUGMAN J. Information Theory and the IrisCode[J]. IEEE Transactions on Information Forensics and Security, 2016, 11(2): 400-409. doi: 10.1109/TIFS.2015.2500196 URL
[17]	REGEV O. On Lattices, Learning with Errors, Random Linear Codes, and Cryptography[J]. Journal of the ACM, 2009, 56(6): 1-40.
[18]	ALBRECHT M R, PLAYER R, SCOTT S. On the Concrete Hardness of Learning with Errors[J]. Journal of Mathematical Cryptology, 2015, 9(3): 169-203. doi: 10.1515/jmc-2015-0016 URL
[19]	BABAI L. On Lovasz Lattice Reduction and the Nearest Lattice Point Problem[J]. Combinatorica, 1986, 6(1): 1-13. doi: 10.1007/BF02579403 URL
[20]	AGGARWAL D, DADUSH D, STEPHENS-DAVIDOWITZ N. Solving the Closest Vector Problem in 2n Time: The Discrete Gaussian Strikes Again![C]// IEEE. 2015 IEEE 56th Annual Symposium on Foundations of Computer Science. New York: IEEE, 2015: 563-582.
[21]	DODIS Y, OSTROVSKY R, REYZIN L, et al. Fuzzy Extractors: How to Generate Strong Keys from Biometrics and Other Noisy Data[J]. SIAM Journal on Computing, 2008, 38(1): 97-139. doi: 10.1137/060651380 URL
[22]	DAUGMAN J G. High Confidence Visual Recognition of Persons by a Test of Statistical Independence[J]. IEEE Transactions on Pattern Analysis and Machine Intelligence, 1993, 15(11): 1148-1161. doi: 10.1109/34.244676 URL
[23]	ABDALLA M, FOUQUE P A, POINTCHEVAL D. Password-Based Authenticated Key Exchange in The Three-Party Setting[C]// Springer. Public Key Cryptography-PKC 2005: The 8th International Workshop on Theory and Practice in Public Key Cryptography. Heidelberg: Springer, 2005: 65-84.
[24]	WEI Xin, WANG Xinyan, YU Zhuo, et al. Cross Domain Authentication for IoT Based on Consortium Blockchain[J]. Journal of Software, 2021, 32(8): 2613-2628.
	魏欣, 王心妍, 于卓, 等. 基于联盟链的物联网跨域认证[J]. 软件学报, 2021, 32(8): 2613-2628.
[25]	WEI Songjie, LI Shasha, WANG Jiahe. A Cross-Domain Authentication Protocol by Identity-Based Cryptography on Consortium Blockchain[J]. Chinese Journal of Computers, 2021, 44(5): 908-920.
	魏松杰, 李莎莎, 王佳贺. 基于身份密码系统和区块链的跨域认证协议[J]. 计算机学报, 2021, 44(5): 908-920.

参数符号	说明
$q$	生物特征向量分量取值参数
${{q}_{1}}$	安全参数所生成的大素数
${{G}_{1}}$	阶为${{q}_{1}}$的循环群
${{g}_{1}}$	群${{G}_{1}}$的生成元
$m$	模糊提取器输出秘密值的向量维数
$l$	选取的随机向量维数
${{H}_{1}}$	哈希函数${{H}_{1}}:{{\{0,1\}}^{}}\to {{\{0,1\}}^{}}$
${{H}_{2}}$	哈希函数${{H}_{2}}:F_{q}^{l}\to {{\mathbf{Z}}_{q}}$
${{H}_{3}}$	哈希函数${{H}_{3}}:G\times {{\{0,1\}}^{}}\to {{\{0,1\}}^{}}$
$P{{K}_{\text{A}}}$	长期公钥$P{{K}_{\text{A}}}=g_{1}^{s{{k}_{\text{A}}}}$，$s{{k}_{\text{A}}}$是私钥

功能与安全属性	文献[5]方案	文献[8]方案	文献[11]方案	本文协议
抗重放攻击	—	√	√	√
抗仿冒攻击	√	√	√	√
抗内部攻击	√	—	—	√
前向安全性	√	√	√	√
匿名性	√	√	√	√
身份追踪	√	√	√	√
参数兼容性	—	√	√	√

运算操作	符号表示	平均耗时/ms
哈希	hash	0.046
椭圆曲线点加	pa	0.263
椭圆曲线标量乘	pm	0.270
乘方	exp	0.283
双线性配对	bp	1.703
调用链码	cc	0.110

方案	hash /次	pa /次	pm/次	exp/次	bp /次	cc /次	总耗时/ms
文献[5]方案	10	2	9	4	6	2	14.986
文献[8]方案	8	2	大于10	大于50	6	2	大于28.182
文献[11]方案	23	6	19	8	11	3	29.093
本文协议	14	0	0	11	0	2	3.977

方案	发包数量/个	峰值通信量/B	总通信量/B
文献[5]方案	14	164	952
文献[8]方案	12	大于1388	大于2196
文献[11]方案	16	168	1192
本文协议	5	168	592