An Anonymous Access Authentication Scheme Based on Proxy Ring Signature for CPS-WMNs

Access security and privacy have become a bottleneck for the popularization of future Cyber-Physical System (CPS) networks. Furthermore, users' need for privacy-preserving access while moving is more urgent. To address the anonymous access authentication issue for the CPS Wireless Mesh Network (CPS-WMN), a novel anonymous access authentication scheme based on proxy ring signature is proposed. A hierarchical authentication architecture is presented first. The scheme then achieves intergroup and intragroup anonymous mutual authentication through the proxy ring signature mechanism and the certificateless signature mechanism, respectively. We present a formal security proof of the proposed protocol with SVO logic. The simulation and performance analysis demonstrate that the proposed scheme has higher efficiency and adaptability than the typical one.


Introduction
With the prosperous development of mobile communication and versatile mobile devices [1,2] and the diversification of the network environment [3][4][5], the requirement of accessing ubiquitous networks becomes more and more imperative for Cyber-Physical Systems (CPS) [6]. Owing to its low cost, extensibility, self-healing capability, good mobility support, and high efficiency, Wireless Mesh Network (WMN) is regarded as a critical access technology of the next generation CPS network [7,8]. Because of the open nature of the transmission medium, users' free movement, and the multihop transmission method, WMN suffers from security issues in both wired and wireless environments. Efficient and secure access authentication technology forms the baseline of CPS-WMN's security. Moreover, the user's privacy should also be preserved during the access authentication process. Thus, security and privacy in CPS-WMNs have recently become a research focus [9].
In the past few years, a lot of research has been carried out on WMN access authentication. The authors in [10] present an efficient identity-based authentication scheme for WMN using tickets, which avoids multihop wireless communications in order to minimize the authentication delay; however, in a complex network environment, handover authentication efficiency decreases as the number of MRs increases. The authors of [11] propose an authentication scheme for WMN based on EAP-TLS. Although the scheme offers mutual authentication and robustness against malicious attacks, its asymmetric cryptography mechanisms result in high computation cost. The author of [12] improves the access control function of IEEE 802.1X through port operations so that a user may acquire messages through the dynamic channel under the current or previous access point. However, the requirement of keeping the channel alive during the authentication procedure limits the adaptability of the scheme. Some distributed authentication schemes to reduce the authentication delay have been discussed in [13], but they perform poorly when handling multiple mobile users. A symmetric key generation scheme based on a hierarchical multivariable function for WMN is presented in [14], which achieves efficient mutual authentication and key generation for entities, whereas the scheme is not suitable for scenarios in which the number of network users grows rapidly. The identity information of

Preliminaries
2.1.Bilinear Pairing.Let  be an additive group and let   be a multiplicative group of the same prime order  and   is the generator of   .Assume that the discrete logarithm problem is hard on both  and   [16].A mapping : × →   which satisfies the following properties is called bilinear pairing: (1) Bilinearity: for all ,  ∈  and ,  ∈  *  , (, ) = (, ) = (, )  .
(1) BB1-Setup.Given a security parameter  ∈  *  , the algorithm works as the following steps.
Step 2. Pick a random  ∈  *  and set  pub = .

Certificateless Signature.
Certificateless signature (CLS) [18] allows a user's private key to be composed of the key issued by the system and a secret generated by the user. In addition, the user's public key is derived from their own secret, which avoids the key escrow problem. The CLS scheme is mainly used in the Intra-WMN authentication in this paper. The algorithms of CLS [18] are shown as follows.
2.4. Proxy Ring Signature. Proxy ring signature (PRS) [19] allows an original signer to delegate authorization to a group of signers in which every member can sign a message on behalf of the original signer while remaining anonymous. In this paper, we incorporate proxy ring signature into the access authentication process of WMN, which not only achieves mutual authentication between the mobile user and the accessed network but also solves the problem of privacy preservation for the mobile user. The algorithms of PRS are as follows.
(2) PRS-Generation.Original signer  chooses  0 ∈  *  as the private key and calculates the public key   =   .  belonging to proxy signer group  randomly chooses private key   ∈  *  and calculates the public key   =   .
(6) PRS-Verify-Sign.After receiving  from the proxy signer, the verifier checks if the following equation holds with the public key  0 ,  1 , . . .,   : If yes,  is valid.Otherwise,  is invalid.

Anonymous Mutual Authentication Scheme
3.1. Hierarchical Mobile Network Architecture. As shown in Figure 1, a hierarchical mobile network architecture is designed for CPS-WMNs. In the first level, the Trusted Root (TR), as the original signer who can delegate signing rights to proxy signers, is trusted by all of the network entities. In the second level, there are many WMNs, each of which can be regarded as a group of proxy signers including the Gateway (GW), Mesh Routers (MRs), and mobile Mesh Clients (MCs). An MC is able to hand over across different WMNs or between different MRs in the same WMN. To achieve mutual authentication between the MC and the visited network based on PRS, we build the groups of proxy rings for network entities in terms of the hierarchical mobile network architecture shown above. We assume that a group of the proxy ring (abbreviated as a ring) is composed of a GW, the MRs connected with the GW, and the MCs connected with the MRs. We denote the ring ID as RID  in Figure 1 (RID 1 means ring 1 and RID 2 means ring 2). The GW takes the role of manager of the ring and is responsible for managing and maintaining the members in the ring.
The symbols used in the following sections are shown in Table 1.

Trust Model.
As shown in Figure 2, the trust model is presented according to the mobile network architecture. TR is trusted by all the entities. GWs in different CPS-WMNs do not trust each other. Moreover, different MRs belonging to the same GW do not have a trust relationship with each other, and neither do MRs in different CPS-WMNs. In addition, we assume that a GW is trusted by the MRs connected to it. An MC only trusts the MR in its home CPS-WMN. The main objective of our proposed scheme is to set up the trust relationship between the MC and the accessed MR during the MC's roaming.

System Initialization.
As the trusted root, TR generates Param and broadcasts it to all entities. Param = { 1 ,  2 ,  : where  is the order of  1 and  2 and  is the master key of TR. The public keys of all entities in the ring should be delivered to TR. In addition, GW generates the ring's public and private keys by randomly choosing SK_  ∈  *  as the private key; the corresponding public key is PK_  = SK_  ⋅ . PK_  is shared by all the members in the ring, while SK_  is only allocated to the legitimate members who are authenticated by TR in the system initialization phase.

Inter-WMN Authentication Protocol.
When an MC wants to leave the WMN it belongs to and access another WMN, the MC needs to achieve mutual Inter-WMN authentication with the visited WMN. As shown in Figure 1, when the MC in WMN 1 wants to access WMN 2 and connect to MR 2 , the MC triggers mutual authentication with MR 2 . The mutual authentication details are shown in Figure 3.

Intra-WMN Authentication Protocol.
After finishing Inter-WMN authentication, MC will obtain   2 issued by GW. When MC moves from one MR to another in the same WMN, we use CLS [14] to achieve efficient Intra-WMN authentication. As shown in Figure 1, assuming that MC and MR 2 have finished Inter-WMN authentication, when MC wants to move from MR 2 to MR 3 , the Intra-WMN authentication protocol is triggered as shown in Figure 4.

Security Analysis of the Proposed Scheme
In order to prove the security of our scheme, we first carry out a fundamental security analysis. Then we choose SVO logic [20] to analyze the proposed protocols. SVO logic was presented by Syverson and van Oorschot in 1994 based on BAN logic, GNY logic, AT logic, and VO logic [21]. SVO offers complete semantics, extensibility, and practicality.

Fundamental Security Analysis.
According to the mobile network architecture shown in Figure 1, we will first present fundamental security analysis of the proposed scheme in the following aspects: anonymity, unforgeability, and reliability.
Anonymity. During Inter-WMN authentication, the accessed network checks the legality of MC by verifying the signature  1 = SIGN_PRS_SK MC {TS 1 } offered by MC. The accessed network is able to know the ring where MC comes from but cannot tell the real identity of MC since it is hidden in the ring. So the anonymity of MC is guaranteed. In addition, when handover occurs, the accessed network verifies the certificateless signature   =  − ℎ(   + SK_  ) to authenticate MC. In this paper, the proposed scheme adopts an enhanced certificateless signature mechanism:  =  2 (RID  ‖ PK_  ), ℎ =  2 (TS 2 ‖  ‖ RID  ‖ PK_  ), and   =  − ℎ(   + SK_  ). Thus, with the help of the ring, the identity of MC is also kept private to achieve anonymity.
Unforgeability. Firstly, only TR can calculate the authority for the proxy group. If the adversary does not know TR's private key, he fails to compute the legal authority. Secondly, only a legal proxy signer can generate a legal proxy ring signature. If the adversary cannot obtain the authority, he cannot generate the legal signature. Thus, the proxy ring signature is unforgeable. Finally, only a trusted GW can issue    to a foreign MC; if the adversary does not know GW's private key for certificateless signature, the legal cannot be computed. Moreover, if the adversary cannot obtain the other part of the private key SK_  , the legal certificateless signature also cannot be computed. Consequently, the certificateless signature is unforgeable based on the security of the related entity's private key.
Reliability. In Inter-WMN authentication, if the adversary does not know the BB1 secret key of GW 2 , then  1 = ENCR_BB1_PK GW 2 {  } cannot be decrypted. The adversary thus cannot negotiate the correct key with MC. So GW 2 is legal. Likewise, if the adversary does not know MR 2BB1_SK , he fails to decrypt  2 = ENCR_BB1_PK MR 2 { 1 } to obtain  1 ; thus MR 2 is legal. Furthermore, the legal proxy ring signature cannot be generated since the adversary does not know MC PRS_SK , so the Inter-WMN authentication protocol is reliable. In addition, during Intra-WMN authentication, the adversary fails to generate the legal signature  2 if he cannot obtain   2 ; MC is thus legal.

Security Proof of the Proposed Protocols under SVO.
SVO logic is not only semantically sound but also convenient. In terms of our scheme, SVO has advantages over other logic analysis methods in the following aspects: (1) The axioms in SVO can be adjusted or expanded to meet the needs of a security proof more easily than those of BAN or other logical approaches.
(2) SVO is detailed and legible, which helps to accurately express the actual meaning of the protocol and thus avoid misunderstandings. (3) SVO is rigorous and reliable, and its semantics are clear. We first give the grammatical components of SVO logic as follows.
believes : indicating that  believes that proposition is right. received : indicating that  received the message including .  says : indicating that  sends a message including .
controls : indicating that  is a trusted authority on . sees : indicating that  possesses message .fresh(): indicating that  is random number generated in running scheme.  ← → : indicating that  is a key shared exclusively by  and .{}  : indicating that the ciphertext is output by encrypting  through key.
[]  : indicating that the message is generated by signing  through key.PK  (, ): indicating that  is the public signature verification key associated with principal .
PK  (, ): indicating that  is the key agreement key associated with principal .
PK  (, ): indicating that  is the public encryption key associated with principal .
SV(, , ): indicating that given signed message , applying  to it as a signature verification key verifies  as the message signed with the corresponding private key.
SVO logic includes two initial rules and twenty axioms, part of which are regular axioms and others are axiom templates that include formula variables. We only present part of the axioms used in the following security proof. All the axioms can be found in [20].
Two inference rules are as follows: (1) Modus ponens MP:  and  ⊃  infer (2) Necessitation Nec: ⊢  infer ⊢  believes   and  are metalinguistic symbols used to refer to arbitrary formula.⊢ is a metalinguistic symbol.⊢  means that  is a theorem.
There are twenty SVO axioms. We list only several axioms associated with this article. For any principal ,  and formula , :
In SVO, some generic goals should be satisfied. This does not mean a definitive list of the goals that our protocol should meet. In our paper, we should achieve the mutual authentication between MC and MR. For this purpose, we just need that MR and MC could make sure of the legality for each other. So on the basis of the generic goals, we make the appropriate modifications. The goals of Inter-WMN authentication protocol could be described as follows.
From (P24), (P21), (P22), ( 13), (A1), (A2), and Nec, we have From ( 14), (P23), and (A1), we have the following. MC believes [(PK MR )] −1  GW ; (G4  ) is thus proved.

Simulation and Performance Analysis
CPS-WMN has limited resources in terms of node computation ability and operating bandwidth, so the performance of the authentication scheme plays an important role in the practicability of CPS-WMNs. The simulation and performance analysis focus on the efficiency of system initialization and the handover process. In addition, in order to demonstrate the high efficiency of our scheme, we give a comparison analysis between our scheme and PEACE [15].

Simulation Environment.
We simulate PRS and PEACE on the OMNET++ (4.4) simulation platform and report average results over 20 experiments. In the process of bilinear group instantiation, we use the Tate pairing on the MNT curve [22]. As shown in Figure 5, the initial topological structure of the simulation environment is composed of one TR, two GWs, three APs, and one host. These nodes are arranged in a 420 m × 300 m simulation space according to the hierarchical network architecture. The TR generates initial parameters for the system. The wireless covering radius is 100 m. AP represents MR, whose covering radius is 45 m. TR, GW, and AP are fixed nodes. Host represents MC, which moves from coordinate (10,250) to coordinate (400,250) at a speed of 1 m/s. During this process, the host first enters the coverage of AP1 and triggers the Inter-WMN authentication. Then, the host leaves AP1 for AP2 and the Inter-WMN authentication takes place again. When the host moves on from AP2 to AP3, the Intra-WMN authentication protocol is executed. The details of the parameters and values are shown in Table 2.
(1) The internal structure of the network node shown in Figure 6.
(2) Wlan and eth module: implementation of ethernet and 802.11 capabilities.
(3) NetworkLayer: to achieve network-level functions and as the interface of upper and lower layer.

Performance Analysis of System Initialization.
The delay of system initialization is the period from the simulation start to the first movement of the host. The relationship between the number of nodes and system initialization delay is shown in Figure 7, where the number of nodes could be adjusted as needed. The system initialization includes authorization from the original signer to proxy signers, the public key registration for ring members, and the generation of public and private keys for the ring members. Figure 6 shows that the delay of system initialization would increase with the increasing network scale.

Performance Analysis of Authentication Protocols.
In this section, we focus on the delay of Inter-WMN authentication and Intra-WMN authentication. The delay of Inter-WMN authentication means the period from AP receiving an access request from a new host to the end of Inter-WMN authentication. The delay of Intra-WMN authentication is the period from AP receiving a handover request from a host to the end of Intra-WMN authentication.
Figure 8 shows the relationship between the number of ring members and the delay of the access authentication scheme. From the result we can see that the efficiency of Intra-WMN authentication is higher than that of Inter-WMN authentication as the number of ring members increases. During Inter-WMN authentication, the main cost is from verifying the proxy ring signature. Thanks to the highly efficient ring setup policy, the verifier can acquire all ring members' public keys from TR at once, which helps to reduce the communication delay. In addition, in the process of Intra-WMN authentication, the use of certificateless signature makes the scheme independent of the number of ring members, so that growth of the ring does not lead to obvious delay.
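The anonymity argument in the fundamental security analysis (the verifier learns the ring but not the member) and the remark above that ring-signature verification dominates the Inter-WMN delay can both be seen in a small ring signature. The following is an added example, not code from the paper: it uses a plain Schnorr-style (Abe-Ohkubo-Suzuki) ring signature over a toy group instead of the pairing-based proxy ring signature of [19], omits the delegation step from TR, and all names, parameters and the sample message are assumptions.

```python
import hashlib
import secrets

# Toy parameters (assumption, not the paper's pairing groups): Z_p* with the
# Mersenne prime p = 2^127 - 1. Exponents are reduced mod p - 1, which keeps
# the algebra exact but is not a secure parameter choice.
P = 2**127 - 1
N = P - 1
G = 3


def keygen():
    """Return (secret, public) for one ring member."""
    x = secrets.randbelow(N - 1) + 1
    return x, pow(G, x, P)


def _challenge(ring, msg, commitment):
    """Hash the whole ring, the message and one commitment to an exponent."""
    h = hashlib.sha256()
    for y in ring:
        h.update(y.to_bytes(16, "big"))
    h.update(len(msg).to_bytes(4, "big") + msg)
    h.update(commitment.to_bytes(16, "big"))
    return int.from_bytes(h.digest(), "big") % N


def ring_sign(ring, k, x_k, msg):
    """Sign msg as member k of the ring; the output does not encode k."""
    n = len(ring)
    c, s = [0] * n, [0] * n
    u = secrets.randbelow(N)
    c[(k + 1) % n] = _challenge(ring, msg, pow(G, u, P))
    i = (k + 1) % n
    while i != k:  # simulate every other member with a random response
        s[i] = secrets.randbelow(N)
        commitment = pow(G, s[i], P) * pow(ring[i], c[i], P) % P
        c[(i + 1) % n] = _challenge(ring, msg, commitment)
        i = (i + 1) % n
    s[k] = (u - x_k * c[k]) % N  # only the real secret key closes the ring
    return c[0], s


def ring_verify(ring, msg, sig):
    """Walk the ring once: two exponentiations per member, so cost is O(n)."""
    c0, s = sig
    if len(s) != len(ring):
        return False
    c = c0
    for y, s_i in zip(ring, s):
        c = _challenge(ring, msg, pow(G, s_i, P) * pow(y, c, P) % P)
    return c == c0


if __name__ == "__main__":
    keys = [keygen() for _ in range(5)]      # constructed 5-member ring
    ring = [pk for _, pk in keys]
    ts1 = b"TS1=constructed-timestamp"       # stands in for the signed TS 1
    sig = ring_sign(ring, 3, keys[3][0], ts1)
    print("valid for ring:", ring_verify(ring, ts1, sig))
```

The verifier needs every ring member's public key and does the same work whichever member signed, which is why the delay grows with ring size while the signer's position stays hidden.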

The Efficiency Analysis of Intra-WMN Authentication Protocol.
As shown in Figure 9, we compare the Intra-WMN authentication delay of PRS and PEACE [15]. The delay of PRS is obviously lower than that of PEACE, since PEACE adopts multiple bilinear pairing operations and exponential operations which lead to high computation cost. In the Intra-WMN authentication, we use the more efficient certificateless signature, which only includes two scalar multiplications in the group and one hash operation. Moreover, we just need one bilinear pairing operation, two exponential operations, and one hash operation during the verification process. Thus, the computation cost is obviously reduced in PRS.
In short, the main cost of PRS comes from the process of system initialization, while the access authentication delay is obviously reduced. In addition, the delay of access authentication will not rise much with the increasing number of nodes in the ring. Although the delay of system initialization increases with the increasing number of ring members, the simulation results show that the delay would be kept within a reasonable range. Compared to the typical scheme (PEACE), our proposed scheme performs more efficiently, especially during the Intra-WMN authentication.
We further compared the computational overhead of PRS scheme and PEACE scheme during the signing and

Figure 3: The workflow of Inter-WMN authentication protocol.

Figure 8: Relationship between authentication delay and the number of ring members.

Figure 9: Comparison of the Intra-WMN authentication delay between PRS and PEACE.

Table 2: Parameters and values.