A Secure Anonymous Identity-Based Virtual-Space Agreement Method for Crowds-Based Anonymous Communicate Scheme

Anonymous data exchange is in great demand in many situations, especially in remote control systems, in which a stable, secure, and secret data channel must be established between the controlling and controlled parties to distribute control commands and return data. In our previous work, we built a two-level Virtual-Space anonymous communication scheme based on the Crowds System for performing secret data exchange in remote control systems. However, the participating nodes' identity declaration and session key agreement phases, an essential part of security and anonymity, were not well designed. In this paper, we redesign the identity agreement and declaration process and design an identity-based Virtual-Space agreement method using the extended Chebyshev Chaotic Maps. In this approach, we transform the identity declaration process into a multilevel Virtual-Space agreement problem, where a series of security-progressive Virtual-Space addresses are negotiated between the controller and the controlled nodes. The protocol can handle the case where there are multiple controllers in the system, and the negotiated Virtual-Space depends on the identity of the controller and the controlled node, so different controllers do not affect each other. The designed protocol is verified on Freenet, and we conclude this paper with a detailed security analysis of the method to prove that the method satisfies forward security.


Introduction
The development of the Internet has dramatically reduced the cost of data exchange, making the exchange of data over ultra-long distances an extremely low-cost affair. Messaging over the Internet requires that the location information of the sender and receiver be encoded in the transmitted message in some way so that the message can arrive as expected. Over the development of the Internet, data transmission has gradually changed from the initial plaintext transmission to encrypted transmission, and encrypted transmission techniques, including Transport Layer Security, have been adopted to protect the communication content.
However, in some scenarios the anonymity of the communicating parties' identity information is as important as the security of the communication content, such as network attacks and remote control, in which the attacker needs to protect his identity from being discovered and, therefore, needs to use covert methods to communicate with the attacked object. In addition, some users also need to access some network services covertly without revealing their identities. There are various methods to hide the identity information of the communicating parties from the intermediate nodes of the network, such as using proxies or virtual private networks. To provide stronger anonymity protection, scholars have designed specialized anonymous communication systems, such as Tor [1], I2P [1] based on the mix [2] mechanism, and Freenet [3] based on the Crowds [4] mechanism, to achieve anonymous Internet-based communication, which prevents intermediate processing nodes of messages or network eavesdroppers from analyzing the identities of the communicating parties.
Since the anonymity provided by these anonymous communication systems fits the anonymity requirement of communication for remote control systems, we try to use these anonymous communication systems to build an anonymous control system for remote control command distribution and data return. In our previous work [5], we designed an anonymous control scheme based on the Crowds system.
In the scheme designed by Sun et al. [5], the controller's identity is the most critical information, so its protection is of top priority. Sun et al. [5] designed a two-level Virtual-Space-based anonymous control scheme for the exchange of data between the controller and the controlled nodes, where the first-level Virtual-Space, called the identity space, is used for identity announcement and identity information exchange, and the second-level Virtual-Space, called the message space, is used for message transmission.
The identity space is computed periodically based on the common knowledge shared between the controller and the controlled node, and the address of the message space is encrypted by each node and published into the computed identity space. The use of Virtual-Space for communication makes any node in the remote control system unaware of the real identity of the controller; nodes can verify that a message is from a legitimate controller but cannot obtain any relevant information about the controller. The main problem with this scheme is that the identity space is generated in an overly simple way: anyone who obtains the common knowledge and the algorithm can calculate the address of the identity space and learn the number of online nodes from it. In addition, the scheme lacks flexible control of controller authority, since only one controller, identified by a public key precoded in all controlled nodes, is allowed in the system. In order to remedy the problems mentioned above in the scheme by Sun et al. [5], this paper designs an identity agreement and declaration protocol for Virtual-Spaces and uses a digital certificate-based authentication scheme to achieve flexible controller permission control. Considering that the original scheme can be applied to the Internet of Things (IoT) environment, where most smart terminals are resource-constrained devices, the data agreement protocol in this paper is based on the Chebyshev Chaotic Map (CCM), which can minimize the computational overhead while achieving high security [6]. Based on the discrete logarithm problem and the Diffie-Hellman problem of Chebyshev chaotic mapping, the proposed protocol lets the controller and the controlled node negotiate confidential data over an insecure communication channel, such that the data is known only to the communicating parties. A thorough theoretical analysis of the protocol demonstrates that the protocol designed in this paper is secure and can protect the controller's identity information in the presence of active attackers in the network. The protocol is shown to be practically usable by constructing experiments on Freenet. The main contributions of this paper are as follows: (i) A multilevel Virtual-Space-based identity and Virtual-Space agreement mechanism is designed to improve our previously designed Virtual-Space-based anonymous control scheme, providing stronger security for this anonymous control scheme; (ii) Considering the computational resource limitation of the nodes in the remote control scheme, Chebyshev chaotic mapping is used as a mathematical tool for negotiating secret data, thus reducing the computational resource consumption in the agreement process; (iii) A detailed security analysis of the proposed identity agreement scheme is provided, demonstrating that the scheme meets the security requirements of the anonymous remote control system.
The remainder of the paper is organized as follows: Section 2 introduces some existing works related to anonymous key agreement protocols and anonymous authentication protocols associated with CCM; Section 3 presents some background knowledge of the paper, including an introduction to CCM and an introduction to Virtual-Spaces; Section 4 gives the detailed design of the protocol; Section 5 discusses the security of the protocol in detail; Section 6 implements the protocol prototype in Freenet and analyzes the operational efficiency of the prototype; and finally, Section 7 concludes the paper.

Related Work
A chaotic system is defined as a system that is highly sensitive to initial conditions [7]; this sensitive dependence on initial conditions and similarity to random behavior are essentially the same properties required by several cryptographic primitives [8]. CCM, also known as Chebyshev polynomials, originating from the cosine and sine functions of multiple angles, have a simple implementation, low computation cost, and good chaotic behavior [9]. Since Chebyshev polynomials have two computationally hard problems, the chaotic map-based discrete logarithm problem (CMBDLP) and the chaotic map-based Diffie-Hellman problem (CMBDHP), Chebyshev polynomials can be used for designing key agreement protocols or authentication protocols with high security while minimizing computational cost [6]. Researchers have been focusing on developing lightweight cryptographic protocols due to the increasing use of wireless sensor network (WSN) and IoT technology. This is because most of the devices used in these networks are resource-constrained, and using traditional cryptographic algorithms could overload them, which may lead to additional risks [10]. In this context, the Chebyshev polynomial has gained much attention due to its lightweight nature and has been used to design lightweight cryptographic protocols such as key agreement protocols and authentication protocols.
IET Information Security

Lee et al. [11] proposed an efficient anonymous key agreement protocol based on Chebyshev polynomials, which ensures user anonymity while also achieving mutual authentication between the server and the user. Most importantly, their protocol overcomes the weaknesses of previous authentication protocols designed by Xiao et al. [12]. Abbasinezhad-Mood and Nikooghadam [13] designed an efficient anonymous password-authenticated key exchange protocol using extended Chebyshev polynomials, which can be applied in smart grid environments with limited computational resources. Cui et al. [14] proposed a full session key agreement scheme based on Chebyshev polynomials for the vehicular ad-hoc network, which avoids the modular exponentiation or scalar multiplication on the elliptic curve by using Chebyshev polynomials. Wang et al. [15] developed a secure authentication key agreement scheme for smart grid environments. Guo et al. [16] proposed a three-factor authentication scheme based on Chebyshev polynomials for the session initiation protocol, which can provide secure mutual authentication between a user and the remote server. Lee et al. [17] proposed an efficient single-sign-on authentication mechanism using extended Chebyshev polynomials, which can be used to authenticate users in a distributed environment and reduces the amount of data transfer and computing resources required during the authentication process while ensuring security. Meshram et al. [18] proposed an efficient online/offline ID-based short signature procedure using extended Chebyshev polynomials that requires very few operations in every process, which is very suitable for resource-constrained environments such as WSN. Zhang et al. [6] adopted a square matrix-based binary exponentiation algorithm to compute Chebyshev polynomials and then proposed an energy-efficient authentication scheme for smart grid environments. Meshram et al. [19] proposed an efficient remote authentication scheme by combining convolution-CCM with biometric techniques. Similarly, Nyangaresi [20] developed a message authentication protocol for WSN environments by combining biometrics with extended CCM.
Thanks to the lightweight nature of Chebyshev polynomials, most of these schemes or protocols based on Chebyshev chaotic maps achieve better computational performance than similar schemes designed using other cryptographic algorithms, such as RSA. These protocols require fewer computational or communication resources than others. However, with the growing use of Chebyshev chaotic maps in designing lightweight asymmetric cryptographic schemes, there are other related issues that require attention, such as cryptographic models designed for existing public key cryptography (PKC) infrastructures that may need to be modified. Meshram et al. [21] proposed a robust and secure identity-based encryption transformation model for PKC using CCM.
However, public key cryptosystems constructed using Chebyshev polynomials working on real number fields are noted to be insecure [7]. In order to implement more secure and practical public key algorithms, Chebyshev polynomials are extended from the real domain to finite fields and finite rings [22]. Liao et al. [23] then analyzed Chebyshev polynomials working on the finite field $Z_N$ and proved that Chebyshev polynomials working on the integer ring $Z_N$ are not secure in the cryptographic sense when $N$ is not chosen properly [23,24]. They also point out that Chebyshev polynomials working on the integer ring $Z_N$ can achieve sufficient security when $N$ is carefully chosen, namely when $N$ is a product of several strong primes with small powers. In other words, $N = \prod_{i=1}^{n} p_i^{e_i}$, in which each $p_i$ is a prime with $p_i - 1 = 2q_1$ and $p_i + 1 = 2q_2$, where $q_1$ and $q_2$ are also primes. To reduce the time complexity of computing Chebyshev polynomials, Zhang et al. [6] proposed a binary exponentiation algorithm based on square matrices.

Background
Extended Chebyshev Chaos Map.
CCM (also known as Chebyshev polynomials, the term used in the rest of the paper) can be defined as follows [6,9]: where $n \in \mathbb{N}$ and $x \in [-1, 1]$. Alternatively, Chebyshev polynomials can also be defined recursively as follows: Equation (3) is an example of the Chebyshev polynomials when $n$ is taken from 2 to 5 [11].
Zhang [25] enhances the Chebyshev polynomials and extends the range of $x$ to $(-\infty, +\infty)$. When $x \in Z_N$, extended Chebyshev polynomials can be defined recursively as follows [6,24]:

Properties of Chebyshev Polynomials.
Chebyshev polynomials have two significant properties, the chaotic property and the semigroup property.
(2) The Semigroup Property. The semigroup property of Chebyshev polynomials can be described as follows: where $r$ and $s$ are both positive integers and $x \in [-1, 1]$ [8,17,24]. This property allows compounding Chebyshev polynomials to obtain a new polynomial [15].

Computational Problems of Chebyshev Polynomials.
Chebyshev polynomials present two challenging computational problems that make them suitable for designing cryptographic protocols like key agreement and remote authentication. These problems are referred to as CMBDLP and CMBDHP [6,13,15,19].
(1) Chaotic Map-Based Discrete Logarithm Problem. Given $x$ and $y$, it is not feasible to compute or find $n$ in polynomial time such that $T_n(x) = y$.
(2) Chaotic Map-Based Diffie-Hellman Problem. Given $T_v(x)$ and $T_u(x)$, it is not feasible to compute or find $T_{vu}(x)$ in polynomial time.
Virtual-Space.
Virtual-Space is a concept that we proposed in our previous work [5]. Specifically, [5] designed an anonymous communication scheme based on the Crowds system for a remote control scenario, in which the data is stored in a set of nodes that can be indexed by a static key $Key$. Logically, each $Key$ corresponds to a space in the network, and a large number of files can be stored in each space. In this scheme, the operation of sending data can be considered as depositing data in the network space identified by a given $Key$, while requesting data can be considered as retrieving specific data from the space identified by a given $Key$. In reality, however, there is no such space in the network, which is the reason for the word "Virtual".
Actually, each $Key$ identifies a location value, and according to the $Key$ a set of nodes with location values similar to the location value identified by the $Key$ can be found; these nodes store the data corresponding to the $Key$. Since the $Key$ abstracts away the specific details of data storage, the users of the scheme need not care about the specific data storage location but only need to know that a $Key$ can be used to store a set of data, so a $Key$ can be considered a Virtual-Space.

The Identity Agreement and Declaration Method
A traditional remote control system can be seen as a star-shaped network model, with a central controller node and many controlled nodes, in which controlled nodes are only responsible to the central controller node. In contrast, the method described next describes a distributed control model in which multiple controllers are allowed to perform control operations on all controlled nodes simultaneously, and these controllers can use the same or different nodes to issue control commands. There are no controller nodes in the model but only controlled nodes and controllers. The identity declaration process of the controlled nodes is treated as a process of negotiating Virtual-Spaces with the controller, in which each controlled node independently negotiates with the controller a series of Virtual-Space addresses of increasing security, of which the most secure Virtual-Space will be used to exchange the private data. Table 1 lists some of the notations used in the remainder of this section, and Figure 1 depicts the overall flow of the scheme, the details of which are described later in this section.

Table 1. Notations used in this section.
$C_j$: the $j$th identity declaration cycle.
$K_j$: public knowledge for $C_j$. In particular, the $K_j$ obtained by $U_n$ is noted as $K_n$.
$SI^j_*$: the first level of identity space.
$SI^j_{i,n}$: the second level of identity space between $U_n$ and $Node_i$ of $C_j$.
$SM^j_{i,n}$: the message space between $U_n$ and $Node_i$ of $C_j$.
$IF^j_n$: the identity file uploaded by $U_n$ in $C_j$.

For any $U_n$, he can arbitrarily pick $Node_* \in N$ to give control commands to $G$. Before $U_n$ can start the control operation for every identity declaration cycle $C_j$, $U_n$ must complete the identity declaration and then negotiate a data space $SM^j_{i,n}$ shared with each $Node_i \in N$. For any $i_1 \neq i_2$ or $n_1 \neq n_2$, $SM^j_{i_1,n_1} \neq SM^j_{i_2,n_2}$; thus, for any $C_j$, there will be up to $m \times N$ Virtual-Spaces $SM^j$. The identity declaration and the agreement of $SM^j$ will be described specifically in the next section.
The set of all $ID_i$ of $N$ is denoted as $I$. $ID_i$ is only shared between $U_r$ and $Node_i$ and is not available to anyone else, including $U_n$. After $U_r$ issues the digital certificate $D_n$ for $U_n$, $U_r$ uses $D_n$ to calculate an $HID^n_i$ for each $Node_i$ using Equation (7), and then gives $D_n$ to $U_n$ together with all the $HID^n_i$. Due to the use of $D_n$ in the calculation process, $HID^n_i$ has the same validity period as $D_n$.
The process of Virtual-Space agreement can be divided into three steps: public knowledge acquisition, identity declaration, and secret space agreement. Each step outputs a Virtual-Space address, and each output Virtual-Space is more secure than the previous one. The Virtual-Space address produced by the secret space agreement step is shared only between $U_n$ and $Node_i$ and is used to transmit confidential data.

Public Knowledge Acquisition.
In the first step of the Virtual-Space agreement of $C_j$, $U_n$ and $Node_i$ need to acquire the same public knowledge $K_j$ and use $K_j$ as a seed to generate a shared Virtual-Space, that is, $SI^j_{*,n}$, through a shared function $f(x)$. $SI^j_{*,n}$ is calculated as shown in Equation (8). $K_j$ should satisfy the following two properties: (i) For any $C_{j'}$ ($j' < j$), it is almost impossible for different participants to obtain the same $K_j$. (ii) For any $C_{j'}$ ($j' \geq j$), different participants can always obtain the same $K_j$.
In other words, $K_j$ should be unpredictable, and there must be no efficient way to obtain a future $K_j$ in advance. For these reasons, $K_j$ should be obtained from an unpredictable public data source, such as a publicly published unpredictable data source on the Internet.
In addition, the selected public data source should have sufficient access traffic, so that any Internet participant has a very high incentive to access the data source, ensuring that $U_n$ and $Node_i$ do not reveal their identities by requesting $K_j$. An example data source for $K_j$ is the opening stock price of Google Inc. Since the stock market is very hard to predict, $K_j$ obtained by querying the opening stock price can be approximated as unpredictable. Due to the large size of the stock market, there is sufficient incentive for any node to obtain Google's stock price at any point in time.

Identity Declaration.
The $SI^j_*$ is insecure because both $K_j$ and $f(x)$ are public, which means that anyone can calculate the same $SI^j_*$ from $K_j$ and $f(x)$ and then read or write the data in $SI^j_*$. Therefore, $SI^j_*$ cannot be used to transfer confidential data, and a more secure Virtual-Space needs to be negotiated further between $U_n$ and $Node_i$. After calculating $SI^j_*$, $U_n$ selects a random number $p$ and a large prime number $m$ and then calculates its identity data $IM^j_n$ using Equation (9), where $T_p(x)$ is the Chebyshev polynomial function and $K_n$ is the public knowledge acquired by $U_n$. Subsequently, $U_n$ uses $D^{priv}_n$ to sign $IM^j_n$ with $m$ to obtain the signature file $DS_n$, and gets the identity file $IF^j_n$ by Equation (10). $U_n$ then uploads $IF^j_n$ to $SI^j_*$ in order to announce itself to $N$. Subsequently, $U_n$ calculates the secondary identity space for every $Node_i \in N$ using Equation (11). $Node_i$ periodically retrieves $SI^j_*$ until it fetches the identity file $IF^j_n$ uploaded by $U_n$. Once $Node_i$ gets $IF^j_n$, it verifies the legitimacy of $D_n$ using the built-in CA public key $CA_{pub}$ and then uses $D_n$ to verify the legitimacy of $DS_n$. When all checks pass, $Node_i$ calculates $SI^j_{i,n}$ using Equation (11). $SI^j_{i,n}$ is more secure than $SI^j_*$ since $SI^j_{i,n}$ is calculated from the confidential attribute $HID_i$ of $Node_i$, which is known only to $U_{root}$, $U_n$, and $Node_i$. However, since $U_n$ and $Node_i$ need a Virtual-Space shared only between them, they need to negotiate further to get a more secure Virtual-Space.

Secret Space Agreement.
After $Node_i$ computes $SI^j_{i,n}$, it picks a random number $q$ and computes $q_i$ through Equation (12). $Node_i$ then encrypts $q_i$ using $D_n$ to obtain $Eq_i = E_{D_n}(q_i \| SALT)$, where $SALT$ is a large random string that $U_n$ can easily distinguish from $q_i$, to protect $Eq_i$ from chosen-plaintext attack. $Node_i$ uploads $Eq_i$ to $SI^j_{i,n}$ and waits for $U_n$ to retrieve $Eq_i$.
Finally, $Node_i$ and $U_n$ can calculate the final Virtual-Space $SM^j_{i,n}$ from $IM^j_n$ and $q_i$, as shown in Equation (13). $SM^j_{i,n}$ is secure enough to be used to transmit secret data, as $SM^j_{i,n}$ is shared only between $U_n$ and $Node_i$. Since both $U_n$ and $Node_i$ have permission to write data to $SM^j_{i,n}$, $U_n$ and $Node_i$ can subsequently communicate using an asymmetric-key-based Virtual-Space and publish the read address of that Virtual-Space in $SM^j_{i,n}$ without worrying that nodes or users other than $U_n$ or $Node_i$ obtain the data.
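The following example is added here and is not the paper's own code. It implements the extended Chebyshev polynomial $T_n(x) \bmod N$ with the square-matrix binary exponentiation attributed above to Zhang et al. [6], checks the semigroup property from Section 3 ($T_r(T_s(x)) = T_s(T_r(x)) = T_{rs}(x)$), and then simulates the three agreement steps of this section. Equations (8) to (13) are not reproduced on the page, so the concrete forms $IM^j_n = T_p(Hash(K_n)) \bmod m$, $q_i = T_q(Hash(K_n)) \bmod m$ and $SM^j_{i,n} = T_{pq}(Hash(K_n)) \bmod m$ are reconstructed from the text of Sections 4 and 5 and are assumptions, as are SHA-256 for $Hash$ and $f$ and the particular prime $m$; signing, certificate checks and the encryption of $q_i$ are left out.

```python
"""Added example (not the paper's code): extended Chebyshev polynomials over
Z_N, the semigroup property, and the three-step Virtual-Space agreement.
The exact forms of IM, q_i and SM, SHA-256 as Hash/f and the prime m are
assumptions reconstructed from the paper's text, not its equations."""
import hashlib
import secrets

# Assumed large prime m (the Mersenne prime 2^127 - 1); the paper lets U_n choose m.
M_PRIME = 2**127 - 1


def _matmul(a, b, mod):
    """Product of two 2x2 integer matrices, reduced modulo `mod`."""
    return [
        [(a[0][0] * b[0][0] + a[0][1] * b[1][0]) % mod,
         (a[0][0] * b[0][1] + a[0][1] * b[1][1]) % mod],
        [(a[1][0] * b[0][0] + a[1][1] * b[1][0]) % mod,
         (a[1][0] * b[0][1] + a[1][1] * b[1][1]) % mod],
    ]


def chebyshev(n, x, mod):
    """T_n(x) mod `mod` for the extended Chebyshev polynomial
    T_0(x) = 1, T_1(x) = x, T_n(x) = 2x*T_{n-1}(x) - T_{n-2}(x)  (mod N).

    The recursion is evaluated by square-matrix binary exponentiation:
    with M = [[2x, -1], [1, 0]] we have [T_n, T_{n-1}]^T = M^(n-1) [x, 1]^T,
    so T_n costs O(log n) matrix products even when n is a 128-bit exponent.
    """
    x %= mod
    if n == 0:
        return 1 % mod
    if n == 1:
        return x
    base = [[(2 * x) % mod, (-1) % mod], [1, 0]]
    acc = [[1, 0], [0, 1]]          # identity matrix
    e = n - 1
    while e:
        if e & 1:
            acc = _matmul(acc, base, mod)
        base = _matmul(base, base, mod)
        e >>= 1
    return (acc[0][0] * x + acc[0][1]) % mod


def semigroup_holds(r, s, x, mod):
    """True iff T_r(T_s(x)) == T_s(T_r(x)) == T_{rs}(x)  (mod N)."""
    lhs = chebyshev(r, chebyshev(s, x, mod), mod)
    rhs = chebyshev(s, chebyshev(r, x, mod), mod)
    return lhs == rhs == chebyshev(r * s, x, mod)


def hash_to_int(data, mod):
    """Hash(.) of the paper; SHA-256 reduced modulo m is an assumption."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % mod


def public_identity_space(k_j):
    """Step 1: SI^j_* = f(K_j). f = SHA-256 is an assumption. Anyone who holds
    the public K_j can compute this address, which is why it is insecure."""
    return hashlib.sha256(k_j).hexdigest()


def controller_identity(k_n, m):
    """Step 2, controller U_n: pick a random p, keep it secret, and publish
    IM = T_p(Hash(K_n)) mod m inside the identity file."""
    p = secrets.randbelow(m - 2) + 2
    return p, chebyshev(p, hash_to_int(k_n, m), m)


def node_share(k_n, m):
    """Step 3, Node_i: pick a random q, keep it secret, and upload
    q_i = T_q(Hash(K_n)) mod m (encrypted under D_n in the paper)."""
    q = secrets.randbelow(m - 2) + 2
    return q, chebyshev(q, hash_to_int(k_n, m), m)


def run_agreement(k_j, m=M_PRIME):
    """Simulates one cycle C_j between U_n and Node_i and returns every
    intermediate value so that both sides' SM can be compared."""
    p, im = controller_identity(k_j, m)
    q, q_i = node_share(k_j, m)
    # Both sides reach T_pq(Hash(K_n)) mod m by the semigroup property, while
    # p and q never leave their owners (this is what CMBDLP/CMBDHP protect).
    sm_controller = chebyshev(p, q_i, m)   # U_n computes T_p(T_q(h))
    sm_node = chebyshev(q, im, m)          # Node_i computes T_q(T_p(h))
    return {"SI": public_identity_space(k_j), "IM": im, "q_i": q_i,
            "p": p, "q": q, "SM_controller": sm_controller, "SM_node": sm_node}


if __name__ == "__main__":
    # Constructed sample public knowledge K_j, standing in for a published value.
    result = run_agreement(b"constructed sample K_j")
    assert result["SM_controller"] == result["SM_node"]
    print("shared Virtual-Space:", hex(result["SM_node"]))
```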

Security Discussion
This section discusses the security of the proposed method from a theoretical point of view.First, the threat model is given, followed by an analysis of the security requirements in the threat model to show that the protocol can satisfy these security requirements.

Threat Model.
The threat model in this paper is based on the widely accepted Canetti and Krawczyk (CK) threat model [26]. In this threat model, a probabilistic polynomial-time attacker has full control over the communication link and can eavesdrop on, alter, drop, delay, and inject into the transmitted information. The attacker can also control the scheduling of all protocol events, including the initiation of protocols and message delivery. In addition, an attacker can compromise one of the protocol participants $P$ and thus obtain all the local state about the session stored in $P$. In this paper, there exist two types of participants $P$, namely $Node_i$ and $U_n$. According to the summary of the CK threat model by Abbasinezhad-Mood and Nikooghadam [13] and Wang et al. [15], there are seven operations that attacker $A$ can carry out:
(1) $Execute(Node_i, U_n)$. This operation represents passive eavesdropping attacks and returns the information exchanged between $Node_i$ and $U_n$.
(2) $Send(P, m)$. This operation represents active attacks in which $A$ can send any message to protocol participant $P$ and receive the response from $P$.
(3) $ESReveal(P)$. This operation allows $A$ to obtain the ephemeral key of the specified participant $P$ and the internal state of the specified session stored in $P$.
(4) $SKReveal(P)$. This operation allows $A$ to obtain the final session key of $P$.
(5) $Corrupt(P)$. This operation allows $A$ to obtain all the information about $P$, including $P$'s long-term secret.
(6) $Expire(P)$. This operation allows $P$ to completely delete all information related to a specified session, including the session key, after which the deleted information can no longer be accessed in any way.
(7) $Test(P)$. This operation can be used to test the semantic security of the session key. Upon receiving
(iv) Disguise as $U_n$ and release data to $Node_i$. This attack assumes that $A$ has all the protocol's key algorithms but cannot obtain or use the identity information of any $Node_i$. In this case, $A$ will create an identity message and attempt to run the protocol with $U_n$ or $U_r$.
Before further analyzing the scheme's security, we give the assumptions for the analysis. First, we assume that $U_n$ and $U_r$ are honest but curious: they do not wish to interrupt other controllers' sessions but are interested in the messages transmitted to $Node_i$ by other controllers. Second, we assume that $U_n$ and $U_r$ are secure and that the nodes they use are not compromised by $A$, which is a reasonable assumption because $U_n$ and $U_r$, as the controllers of the remote control system, will always be in a secure place and use a secure node to distribute messages to the controlled nodes.

Session.
The further analysis uses Session to represent a temporary data exchange period between the controller $U_n$ and the node $Node_i$ that uses $SM^j_{i,n}$ to exchange data. A session can be defined as follows:
Definition 1 (Session). A session $S_{i,n,j}$ is a temporary information interchange between controller $U_n$ and $Node_i$ during identity declaration cycle $C_j$, which can be represented as a ternary: Two sessions $S = S_{i,j,n}$ and $S' = S_{i',j',n'}$ are considered consistent iff $i = i'$, $j = j'$, and $n = n'$.

Anonymity.
Before further security analysis, it is necessary to explain a key security concept, anonymity. There is a slight difference in the meaning of anonymity between anonymous communication systems and anonymous authentication protocols. In an anonymous communication system, anonymity is the state of not being identifiable within a set of subjects, the anonymity set [27], and related concepts include unobservability and pseudonymity. Anonymity in anonymous communication systems can be described in a variety of ways, such as the degree of anonymity [4,28] and the description from the attacker's perspective [29]. Meanwhile, there exist various ways to measure the anonymity of an anonymous communication system, such as methods based on information theory [28,30-34]. Overall, anonymous communication systems primarily consider observers who are not directly involved in the communication, and anonymity in an anonymous communication system describes the ability of an observer to obtain information about the identity of the users who are communicating with each other. The higher the anonymity, the more difficult it is for an observer to associate network traffic with specific users.
In an anonymous authentication protocol or an anonymous key exchange protocol, the meaning of anonymity is much simpler than in anonymous communication systems. Unlike the anonymity of anonymous communication networks, which has been exhaustively formalized and extensively discussed, the anonymity of such protocols lacks a formal definition. However, from the security analyses of many anonymous authentication protocols and anonymous key exchange protocols, in most instances the anonymity of such protocols means that the participants' real identities are not involved in authentication and data transmissions [35], and that the probability that an attacker can determine the true identities of the protocol participants by executing the protocol [36] or observing the packets generated during its execution is negligible [37]. In some protocols, pseudonyms are utilized to safeguard the anonymity of users, such as [37,38]. Cao and Wei [36] defined user anonymity as shown in Equation (14). The definition of anonymity for this paper can be obtained by modifying the definition of Cao and Wei [36] for a two-factor protocol. The user anonymity in our protocol can be defined as follows: Definition 2 (Anonymity). The protocol achieves user anonymity if the following equation holds: where $c'$ is the identity of the protocol participant guessed by the probabilistic polynomial-time adversary $A$ after up to $q$ active or passive attacks, $c$ is the true identity of the protocol participant, and $\varepsilon$ is a sufficiently small negligible constant.
To summarize, in anonymous authentication or key exchange protocols, anonymity means that none of the participants in the session can gather information about the true identity of the other participants $P$. In such protocols, anonymity only considers the information in the packets generated during the protocol interaction. It does not consider the case where an attacker $A$ uses information outside the protocol, such as the IP address of the transmission or data traffic characteristics, to obtain the true identity of $P$; that case is the concern of an anonymous communication system.
The work in this paper provides a set of Virtual-Space agreement methods for a previously designed anonymous communication system [5], which incorporates authentication of the participating communication nodes. Thus, in essence, the work in this paper is an anonymous key agreement and anonymous authentication protocol. Following the discussion of anonymity above, the anonymity analysis in the subsequent security analysis does not consider the case where an attacker $A$ uses information outside the protocol to infer the identity of a protocol participant $P$. In the subsequent analysis, we assume that $P$ uses the anonymous communication system properly and securely, and that communication characteristics such as $P$'s IP address and traffic characteristics are invisible to $A$. $A$ can only obtain the true identity of $P$ by interacting with the protocol, interpreting its contents, and carrying out the attack methods defined in Section 5.1.

Security Analysis.
The next part of this section analyzes the security of the proposed method in the following aspects and discusses whether it can cope with the previously introduced threat model.

Forward Security.
Günther [39] first introduced the concept of forward security in 1989: even if the secret key $K$ of a key authentication center is accidentally disclosed, the confidentiality of past messages in sessions constructed from $K$ cannot be compromised. Colin and Kai [40] classify forward security into Absolute Forward Security, Delayed Forward Security, and Null Forward Security, based on the period of data that an adversary can obtain after the confidentiality of $K$ is compromised. Ran Canetti and Hugo Krawczyk [26], in their discussion of perfect forward secrecy (PFS), argue that a key-exchange protocol that has a mechanism for expiring a session (see $Expire(P)$ in Section 5.1) automatically obtains a proof that it guarantees PFS if the protocol can be proved SK-secure.
Ran Canetti and Hugo Krawczyk define SK-secure as well as SK-secure without PFS as follows [26]:
Definition 3 (SK-Secure). A key-exchange protocol is called SK-secure if the following properties hold for any adversary $A$ in the Unauthenticated Links Model: (1) If two protocol participants completed the protocol under the same session, then they both output the same key. (2) The probability that $A$ guesses the bit $b$ correctly, that is, $b' = b$, is no more than $1/2$ plus a fraction negligible in the security parameter.

Definition 4.
A key-exchange protocol is called SK-secure without PFS if the key-exchange protocol is SK-secure but is not allowed to expire keys.
It is clear that both parties involved in the protocol output the same Virtual-Space, $T_{pq}(Hash(K_n)) \bmod m$. As for the second point of Definition 3, due to the chaotic property of CCM it can be considered equally likely that each bit of the final output is 0 or 1, that is, $\Pr\{b = 0\} = \Pr\{b = 1\} = 1/2$; thus the attacker's probability of guessing each bit correctly is $1/2$. As introduced in Section 2, CCM has been widely used in the design of key agreement and authentication protocols, and the security of CCM is analyzed in detail in the study of Liao et al. [23]; therefore, applying CCM can be considered secure. Thus, the protocol proposed in this paper satisfies the definition of SK-Secure, and the discussion of the PFS of the protocol can be translated into the discussion of whether the protocol supports session expiration.
Theorem 1. The protocol in this paper allows for session expiration. Once expired, the session key $SM^j_{i,n}$ of the expired session cannot be recovered in any way.
Proof. By the definition of a session in Definition 1, it is easy to see that different identity declaration cycles $C_j$ generate different sessions, and session $S_j$ expires when $C_j$ ends. Thus, the proof focuses on showing that the session key $SM^j_{i,n}$ is unrecoverable even if the long-term secrets of the control group $G$ leak.
The protocol has three types of long-term secret data: $CA_{priv}$, $D^{priv}_n$, and the list of all node identities, $I$. Consider the worst-case scenario, where the attacker $A$ can access all three types of secret data. In this scenario, $A$ has access to all the data before the secret space agreement step, including $IM^j_n$, $IF^j_n$, $SI^j_{i,n}$, and $q_i$. To recover the session key $SM^j_{i,n}$, all $A$ needs to do is complete the computation of Equation (13). However, due to CMBDLP, it is difficult for $A$ to compute in polynomial time, from $IM^j_n$ and $q_i$, the random numbers $p$ and $q$ selected by $U_n$ and $Node_i$, respectively, which are never transmitted on the network. Also, due to CMBDHP, it is not feasible for $A$ to obtain the value of $SM^j_{i,n}$ from $IM^j_n$ and $q_i$. Thus, even in the worst case, $A$ cannot recover an expired session key using the secret information obtained. The other cases, where $A$ obtains only one or two types of secret data, are included in the worst-case scenario, and it follows easily that $A$ cannot recover the expired session key $SM^j_{i,n}$. □

From the proof of Theorem 1, it is easy to conclude that for an active attacker $A$ who can carry out the operations $\mathrm{Execute}(Node_i, U_n)$, $\mathrm{Send}(P, m)$, $\mathrm{Expire}(P)$, and $\mathrm{Test}(P)$ defined in Section 5.1, $SM^j_{i,n}$ is secure since $A$ cannot obtain the random numbers $p$ and $q$.
Corollary 1. For any attacker $A$, the session key $SM^j_{i,n}$ is secure when $A$ cannot obtain the random numbers $p$ and $q$.
In conclusion, the protocol satisfies Definition 3 and has a mechanism for expiring sessions, after which expired session keys cannot be recovered, so by the argument of Ran Canetti and Hugo Krawczyk the protocol automatically obtains a proof that it guarantees PFS.

IET Information Security
Corollary 2. The protocol in this paper satisfies SK-secure with PFS.

5.4.2. Anonymity of $Node_i$.
Based on the discussion of anonymity in Section 5.3, the anonymity of $Node_i$ in this protocol mainly refers to the security of $Node_i$'s identity, that is, whether $U_n$ or a polynomial attacker $A$ can obtain $Node_i$'s identity $ID_i$ during the protocol. Since $ID_i$ is confidential information allocated by $U_r$ and shared only between $Node_i$ and $U_r$, and it affects the result of the protocol, we consider that the protocol satisfies the anonymity of $Node_i$ if no one except $Node_i$ and $U_r$ can obtain $ID_i$ in any way during the protocol.
Theorem 2. For anyone except $Node_i$ and $U_r$, the probability that a guessed node identity $ID'_i$ satisfies $ID_i = ID'_i$ is no more than $\varepsilon$, which is negligible.
Proof. For any $i \neq i'$, $ID_i \neq ID_{i'}$. The information available to $U_n$ related to the identity of $Node_i$ is the $HID^n_i$ calculated by $U_r$, as shown in Equation (7), and for any $n' \neq n$, $HID^{n'}_i \neq HID^n_i$. In other words, in the initial state of the protocol, only $U_r$ knows the real identity $ID_i$ of $Node_i$, while $U_n$ only knows the pseudonym of $Node_i$, $HID^n_i$. Thus, for $Node_i$, the only way to obtain $ID_i$ is to find an $ID'_i$ from $HID^n_i$ such that $HID_i = \mathrm{Hash}(ID'_i \| \mathrm{Hash}(D_n))$. Due to the collision resistance [41] of a cryptographic hash function, the probability that $Node_i$ can find an $ID'_i$ satisfying $HID_i = \mathrm{Hash}(ID_i \| \mathrm{Hash}(D_n)) = \mathrm{Hash}(ID'_i \| \mathrm{Hash}(D_n))$ is negligible.
During the protocol execution, $ID_i$ does not participate in the agreement in any way and is not transmitted over the network, whether in encrypted or hashed form, whereas $HID^n_i$ only participates in the identity declaration step, where it is used solely as a parameter of the one-way hash function in the computation of $SI^j_{i,n}$. Therefore, it is much harder for $A$ or any other $U_n$ to obtain $ID_i$, since the only $ID_i$-related information accessible during protocol execution is $SI^j_{i,n}$, which performs two independent hash operations using $HID^n_i$ as a parameter and XORs the results together as the argument of the function $f(\cdot)$. Thus, the probability that $A$ or anyone else can obtain $ID_i$ from $SI^j_{i,n}$ is much smaller than the probability that $U_n$ obtains $ID_i$ from $HID_i$, which is negligible.
Consider the last case, where $Node_i$ or $A$ tries to guess each bit of $ID_i$ and obtains $ID'_i$. In this case, the probability $\Pr[ID'_i = ID_i]$ depends on the length of $ID_i$, that is, on how many bits $ID_i$ has. For any single bit, the probability of guessing correctly is $1/2$, and for $n$ bits, $\Pr[ID'_i = ID_i] = (1/2)^n$, which is negligible if $ID_i$ has enough bits.
In conclusion, the probability that $Node_i$ or $A$ can obtain $ID_i$ is negligible, and thus the protocol satisfies the anonymity of $Node_i$. □
An active attacker can steal $ID_i$ directly from $Node_i$ or $U_n$ by executing the $\mathrm{Corrupt}(P)$ operation listed in the threat model defined in Section 5.1. When $P$ of $\mathrm{Corrupt}(P)$ represents $U_n$, $A$ can only obtain the pseudonym $HID^n_i$; $A$ obtains the real identity $ID_i$ of $Node_i$ only if $P$ represents $Node_i$. As assumed in Section 5.1, we consider $U_n$ to be secure, and thus $A$ can only apply $\mathrm{Corrupt}(P)$ to $Node_i$. Section 5.4.4 further analyzes the security of the scenario where $Node_i$ is corrupted. Now consider the less serious case where $A$ does not use the $\mathrm{Corrupt}(P)$ operation but somehow obtains $ID_i$ leaked by $Node_i$ or $U_r$. In this scenario, the information $A$ gains from $ID_i$ is minimal. $A$ learns nothing about $Node_i$ or other nodes through $ID_i$, because $ID_i$ is only a random value generated by $U_r$ and is not related to any information about $Node_i$. $A$ can neither obtain $Node_i$'s location or runtime environment through $ID_i$, nor obtain $Node_{i'}$'s identity $ID_{i'}$ through $ID_i$. $A$ can use $ID_i$ to obtain $HID^n_i$ through Equation (7), since $D_n$ is public, and can then calculate the $SI^j_{i,n}$ between $Node_i$ and all subsequent actual controllers $C$ through Equation (11). However, this has only a limited impact, since $C$ still cannot obtain the final $SI^j_{i,n}$ because the key information $q_i$ used for computing $SI^j_{i,n}$ is encrypted with $D_n$ and the attacker cannot decrypt it. More discussion of this scenario can be found in Section 5.4.1. Also, $A$ cannot insert a malicious node into the controlled group $G$ by fabricating an $ID'$, because $A$ cannot insert the fabricated $ID'$ into the list of nodes $N$ held by $U_r$. For $U_r$ and $U_n$, the $Node'$ corresponding to $ID'$ does not exist in $N$, so no agreement process with $Node'$ is carried out. In addition, $D_n$ must contain a valid signature from $U_r$ to be valid, so it is impossible for $A$ to gain control of $U_n$ by forging a $D_n$ without $CA_{priv}$. Each $D_n$ has a validity period, which means that in each identity declaration cycle $C_j$, $U_n$ needs to update $D_n$ and request a new signature from $U_r$ for the updated $D_n$. In addition, $U_r$ has the authority to revoke any $U_n$'s certificate by simply posting a certificate revocation request in $SI^j_*$.

5.4.4. Reverse Attack on $Node_i$.
The different attack operations that an attacker $A$ can perform are enumerated in the threat model in Section 5.1, in which $\mathrm{ESReveal}(P)$, $\mathrm{SKReveal}(P)$, and $\mathrm{Corrupt}(P)$ imply that an attacker $A$ can steal information from both parties involved in the protocol to varying degrees. $\mathrm{Corrupt}(P)$ is the attack operation in which $A$ can obtain the most information, and it is also the most serious attack faced by the participants in the protocol. Since we assume that $U_n$ and $U_r$ are secure in the attack model, the $\mathrm{ESReveal}(P)$, $\mathrm{SKReveal}(P)$, and $\mathrm{Corrupt}(P)$ attacks target the controlled node $Node_i$, and $\mathrm{Corrupt}(P)$ indicates that $A$ can ultimately compromise $Node_i$ through reverse engineering or similar techniques and obtain all the sensitive data stored in $Node_i$ as well as the details of the protocol. In these attack scenarios, $A$ may have access to $C_j$, the $ID_i$ of the compromised node $Node_i$, $SM^j_{i,n}$, any information exchanged between $Node_i$ and $U_n$, $CA_{pub}$, and $D^{pub}_n$. However, $A$ cannot obtain the identity $ID_{i'}$ of another node $Node_{i'}$ in $N$ where $i' \neq i$, nor any information related to the real identity of $U_n$ or $U_r$, since $CA_{pub}$ and $D^{pub}_n$ are all randomly generated. $A$ is also unable to gain control of $G$, since $A$ cannot obtain or forge $CA_{priv}$ or $D^{priv}_n$, which are never transmitted over the network.
However, $A$ does have methods to interfere with the execution of the protocol. $A$ can interfere with the normal operation of $G$ by inserting a large amount of meaningless data into $SI^j_*$ to disrupt the identity agreement process between $U_n$ and $N$, since $SI^j_*$ is wholly public and all nodes in $N$ can send data to it. $A$ can fill $SI^j_*$ with garbage data so that $Node_i$ has to find the only valid data in a pile of garbage in $SI^j_*$, which reduces the chance of a successful identity declaration and even threatens the security of $Node_i$, since $Node_i$ has to request $SI^j_*$ numerous times in a short period, which, from the point of view of an anonymous communication system, is a risk of deanonymization. A special warning mechanism can be used to handle this situation. Specifically, $U_r$ can specify an alarm threshold $\xi$ for all $Node_i \in N$, which represents the upper limit of the number of times $Node_i$ tries to negotiate identity using $SI^j_*$. For any $C_j$, once $Node_i$ has cumulatively found $\xi$ controller identity files $IF_*$ that do not contain legitimate digital signatures in $SI^j_*$, $Node_i$ enters the alert state, in which it no longer requests any data in $SI^j_*$ but instead calculates a particular identity space $SI^j_{*,i}$, which is computed as follows:

From the computational procedure of $SI^j_{*,i}$, it is clear that $SI^j_{*,i}$ is shared between $Node_i$ and $U_r$, and for $i \neq i'$, $SI^j_{*,i} \neq SI^j_{*,i'}$. After calculating $SI^j_{*,i}$, $Node_i$ first writes an alert message into $SI^j_{*,i}$, then waits for $U_r$ to issue a special control instruction to $SI^j_{*,i}$. On receiving the control instruction, $Node_i$ performs a restore-to-normal-state operation or an update operation according to $U_r$'s special control instruction. Meanwhile, when $U_n$ finds that some nodes are abnormally not negotiating their identity, or when $U_n$ also finds a large amount of false data in $SI^j_*$, $U_n$ can request $U_r$ to check $SI^j_{*,i}$. Once $U_r$ finds an early alert message sent by $Node_i$ in $SI^j_*$, $U_r$ can infer that $G$ has anomalies. From the number of nodes sending alert messages, $U_r$ can evaluate the status of $G$ and respond accordingly, e.g., let the node restore its normal state when $U_r$ considers the alert a miscalculation, or let the node perform an update operation on the acquisition of $K_j$ or the calculation of $SI^j_*$. A protocol using only $SI^j_{*,i}$ would be too computationally expensive and inflexible, since it requires the controller to compute an $SI^j_{*,i}$ for each $Node_i$ and issue a copy of $IM^j_n$ to every $SI^j_{*,i}$. However, since the $SI^j_{*,i}$ of different nodes do not affect each other, it is appropriate to use $SI^j_{*,i}$ as an alternative when an attack against $SI^j_*$ is detected. The above analysis shows that after $A$ compromises a node, it can use the compromised node to interfere with the identity declaration phase and thus affect the agreement protocol. However, $A$'s influence on other nodes is limited, and according to the analysis in Section 5.4.1, $A$ also cannot recover an expired session, so $A$ cannot obtain the encrypted data that was transmitted previously.

5.4.5. Other Security Requirements.
The security analysis in the previous sections addresses the data steganography and identity anonymity of $U_r$, $U_n$, and $Node_i$, which the attacker tries to compromise in the threat model shown in Section 5.1. Other security requirements considered by the proposed protocol include the security of the control nodes, resilience to replay attacks, and the integrity of the transmitted data.
In the protocol, the identity of the controller $U_n$ is identified by the digital certificate $D_n$ issued for it by $U_r$. $Node_i$ only checks whether the identity file $IF^j_n$ issued by $U_n$ contains a legitimate $D_n$ and the digital signature $DS_n$, without caring which node $U_n$ uses to issue $IF^j_n$. In fact, in the Crowds system, $Node_i$ has no access to information related to the real location of $U_n$ or the type of node used by $U_n$. In this way, the controller can use any node for control operations without being associated with a specific node; the only thing the controller needs is a legal $D_n$.
Replay attacks are meaningless for this protocol, since all data generated within the protocol depends on parameters associated with $C_j$, such as $D_n$ or $K_j$. In addition, all data published to the Virtual-Space is protected by cryptographic algorithms using digital signatures or asymmetric encryption, which means any tampering by an attacker is immediately detected.
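As an added illustration of the checks a controlled node performs on the public identity space (the signature checks on $IF^j_n$ described in Section 5.4.5, the rejection of files bound to an earlier cycle, and the alarm threshold $\xi$ of Section 5.4.4), the following Python model is example code written for this page, not the paper's prototype. It assumes a JSON layout for $D_n$ and $IF^j_n$ and, so that it runs with only the standard library, uses HMAC-SHA256 keyed tags in place of the asymmetric signatures ($U_r$'s on $D_n$, $U_n$'s $DS_n$ on the file); the keys and the sample contents of $SI^j_*$ are constructed.

```python
"""Added example (not the paper's code): how Node_i filters the public
identity space SI^j_* and when it enters the alert state.

Assumptions: a JSON layout for D_n and IF^j_n; HMAC-SHA256 tags stand in for
the asymmetric signatures of U_r (on D_n) and U_n (DS_n on IF^j_n) so that
the example needs only the standard library; all keys and contents are
constructed for illustration.
"""
import hashlib
import hmac
import json

# Constructed keys.  In the scheme U_r and U_n hold key pairs and Node_i only
# needs CA_pub and D_n^pub; with an HMAC stand-in the same secret is used on
# both sides, so this models the check itself, not the key distribution.
CA_KEY = b"constructed U_r key (stands in for CA_priv/CA_pub)"
D_N_KEY = b"constructed U_n key (stands in for D_n^priv/D_n^pub)"


def _canon(obj) -> bytes:
    """Canonical encoding so that signer and verifier tag the same bytes."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def _tag(key: bytes, obj) -> str:
    return hmac.new(key, _canon(obj), hashlib.sha256).hexdigest()


def make_certificate(controller: str, cycle: int, key: bytes = CA_KEY) -> dict:
    """D_n: names the controller and the cycle C_j it is valid for; U_r signs it."""
    body = {"controller": controller, "cycle": cycle}
    return {"body": body, "ca_sig": _tag(key, body)}


def make_identity_file(cert: dict, im_n: str, cycle: int, key: bytes = D_N_KEY) -> dict:
    """IF^j_n: D_n plus the identity message IM^j_n, signed by U_n (DS_n)."""
    body = {"cert": cert, "im": im_n, "cycle": cycle}
    return {"body": body, "ds": _tag(key, body)}


def verify_identity_file(f: dict, cycle: int) -> bool:
    """Node_i's checks: D_n carries U_r's signature, DS_n verifies, and both
    refer to the current cycle, so a file replayed from C_{j-1} is rejected."""
    try:
        body, cert = f["body"], f["body"]["cert"]
        if not hmac.compare_digest(cert["ca_sig"], _tag(CA_KEY, cert["body"])):
            return False
        if cert["body"]["cycle"] != cycle or body["cycle"] != cycle:
            return False
        return hmac.compare_digest(f["ds"], _tag(D_N_KEY, body))
    except (KeyError, TypeError):
        return False


def scan_identity_space(si_star: list, cycle: int, xi: int) -> dict:
    """Walk SI^j_* in posting order.  Stop at the first valid IF^j_n, or enter
    the alert state once xi files without a legitimate signature were seen."""
    invalid = 0
    for f in si_star:
        if verify_identity_file(f, cycle):
            return {"state": "normal", "im": f["body"]["im"], "invalid": invalid}
        invalid += 1
        if invalid >= xi:
            return {"state": "alert", "im": None, "invalid": invalid}
    return {"state": "waiting", "im": None, "invalid": invalid}


if __name__ == "__main__":
    # Constructed SI^j_* for cycle 7: garbage, a file with a forged D_n, a
    # replay of last cycle's file, then the genuine one from U_1.
    genuine = make_identity_file(make_certificate("U_1", 7), "IM-constructed", 7)
    forged = make_identity_file(make_certificate("U_x", 7, b"not U_r"), "IM-forged", 7)
    replayed = make_identity_file(make_certificate("U_1", 6), "IM-old", 6)
    si_star = [{"junk": i} for i in range(4)] + [forged, replayed, genuine]
    print(scan_identity_space(si_star, cycle=7, xi=10))   # finds the genuine file
    print(scan_identity_space(si_star, cycle=7, xi=3))    # alert after 3 bad files
```

The cycle check in verify_identity_file is what makes the replay argument above concrete: a file that verified in $C_{j-1}$ carries a $D_n$ and a signature bound to that cycle and is counted as invalid in $C_j$. The threshold $\xi$ bounds how many such failures $Node_i$ tolerates before it stops polling $SI^j_*$, which limits the repeated requests that the text identifies as a deanonymization risk.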

Implementation and Evaluation
Since there have been a large number of results on the comparison of Chebyshev polynomials with other cryptographic algorithms, such as [6, 13, 42], here we focus on evaluating the protocol designed in this paper on Freenet, now named Hyphanet (https://www.hyphanet.org/index.html), to verify the feasibility of the protocol. The prototype of the proposed protocol was written in C and Python; it uses OpenSSL (https://www.openssl.org) to implement the cryptographic arithmetic operations, the algorithm of Zhang et al. [6] to compute Chebyshev polynomials, and the PyFreenet3 library (https://github.com/hyphanet/pyFreenet) to communicate with Freenet. The prototype runs on a computer with an Intel(R) Core(TM) i5-12400 CPU and 32 GB of RAM running Ubuntu 20.03, and the Freenet node runs on a cloud server powered by Vultr (https://www.vultr.com) with 1 vCPU and 1,024 MB of RAM running Ubuntu 22.04 LTS. The critical configuration of Freenet during the experiment is shown in Table 2.

The experiment runs two Freenet instances with the same configuration, keeping around 15 peers connected to each instance. The first instance is denoted as $I_1$ with peer set $P_1$, and the second as $I_2$ with peer set $P_2$; it is guaranteed that $P_1 \cap P_2 = \emptyset$. $I_1$ is labeled as a controller-operated node, and its position in Freenet is fixed to 0, while $I_2$ is labeled as a controlled node with a position from 0 to 0.5. Thus, the logical distance between $I_1$ and $I_2$ ranges from 0 to 0.5, which covers the minimum logical distance 0 and the maximum logical distance 0.5 possible in Freenet. Due to the extensive network fluctuations in Freenet, each set of experiments was conducted three times independently and the results were averaged. The results of the experiments are shown in Figure 2.
The results show that the protocol's elapsed time is minimally affected by the bit length of the Chebyshev polynomial when the protocol is executed on the real Freenet, since Freenet, as a medium-to-high-latency anonymous file-sharing system, has file upload and download delays on the order of minutes, while the time consumed by the protocol itself is on the order of milliseconds. Compared to the latency of network IO, the time consumed by the protocol is negligible.
To describe the execution of the protocol in Freenet in more detail, we divide a single execution into five phases, as shown in Figure 3. Each phase starts at the end of the previous phase (Phase 1 starts at the beginning of the protocol) and ends at a specific timing event: the timing event for Phase 1 is the successful upload of $IF^j_n$ by $U_n$ to Freenet, for Phase 2 the successful retrieval of $IF^j_n$ by $Node_i$ from Freenet, for Phase 3 the successful upload of $Eq_i$ by $Node_i$, for Phase 4 the retrieval of $Eq_i$ by $U_n$, and the last timing event is the successful computation of $SM^j_{i,n}$. As can be seen from the results, the upload operation is the most time-consuming part of the complete protocol execution, and retrieving data from Freenet takes significantly less time than uploading. The final computation takes negligible time.
To reflect the protocol's computation time realistically, we finally removed all Freenet IO from the prototype and converted the data upload/download operations into memory operations. The protocol runtime after removing the Freenet IO operations is shown in Table 3. We ran the protocol 1,000 times for each length and averaged the results. Since converting CPU clocks to milliseconds introduces additional error, we keep CPU clocks as the unit in our results.

Conclusion
In this work, we remedy the deficiencies of previous work by designing an identity-based Virtual-Space agreement method for the Virtual-Space-based remote control scheme based on Chebyshev polynomials. The protocol achieves two-way authentication between controlled and controlling nodes and Virtual-Space agreement for transmitting messages anonymously. The designed protocol supports independent Virtual-Space agreement of multiple controllers with multiple controlled nodes, and different nodes are independent of each other. By conducting validation experiments on Freenet and performing a detailed security analysis, we demonstrate that the agreement method described in this paper meets the security requirements of the Virtual-Space-based anonymous control scheme.

FIGURE 1: Overall flow of the scheme.

5.4.3. Anonymity of $U_n$.
Similar to the anonymity of $Node_i$, the anonymity of $U_n$ mainly refers to the security of $U_n$'s identity. The identity of $U_n$ is identified by the digital certificate $D_n$ issued by $U_r$, which consists of two parts: the public key $D^{pub}_n$ and the private key $D^{priv}_n$. $D^{pub}_n$ is public, and all nodes, including attackers, can easily obtain $D^{pub}_n$ from $SI^j_*$ at the identity declaration step, while $D^{priv}_n$ is private and securely held by $U_n$. Due to the nature of asymmetric cryptography, it is infeasible to calculate $D^{priv}_n$ from $D^{pub}_n$, and for a guessed private key $G^{priv}_n$, since private keys of asymmetric cryptography algorithms typically have a sufficient bit length, $\Pr[G^{priv}_n = D^{priv}_n]$ is negligible. Similar to $ID_i$, $D_n$ only represents the control authority of $U_n$ over the controlled group $G$ and has no connection with the real identity of $U_n$, so $A$ cannot obtain the real identity of $U_n$ through the information in the protocol.

TABLE 1: Notations definition.
$D_n$, $D^{priv}_n$, $D^{pub}_n$: Digital certificate issued by $U_r$ for $U_n$, its private key and public key.
$G$, $N$: $G$ represents a controlled group, and $N$ represents the set of all controlled nodes $G$ contains.
$Node_i$: The $i$th controlled node.
$ID_i$, $I$: Identifier of $Node_i$, and $I$ is the set of all $ID_i$s of $N$.
$IF^j_n$, $IM^j_n$: The identity file of $U_n$ in $C_j$ and the identity message of $U_n$ in $C_j$.
$E_k(x)$: Cipher obtained by encrypting $x$ with key $k$.
$\oplus$, $\|$, $\mathrm{Hash}(x)$: XOR, concatenation, and one-way hash function, respectively.

$G$ without actually participating in it. For the $j$th identity declaration cycle $C_j$, $U_r$ creates a set of controllers $C$ with $N$ actual controllers and issues a digital certificate $D_n$ using $CA_{priv}$ for each $U_n \in C$, and the validity period $c^j_n$ of $D_n$ satisfies $C_j \le c^j_n < C_{j+1}$.

$\mathrm{Test}(P)$: toss an unbiased coin $b$, $b \leftarrow_R \{0, 1\}$. If $b = 1$, the actual session key is returned; otherwise, a random value with the same length is returned. Combined with the application scenario of the scheme in this paper, we assume that the attack goals of $A$ are as follows: (i) To obtain the identities of $Node_i$. If $A$ compromises a node $Node_j$, $A$ will try to use $Node_j$ to discover the identity of other nodes $Node_i$, where $i \neq j$. (ii) To obtain the identities of $U_n$ or $U_r$ by various methods. $A$ can eavesdrop on messages traveling through the network, compromise a node, and infer the identities of $U_n$ or $U_r$ from the session-local state stored in the node. (iii) To obtain the $SM^j_{i,n}$ address negotiated between $N$ and $U_n$. This attack only considers the case where $A$ has not compromised $Node_i$. When $A$ compromises $Node_i$, it can read $SM^j_{i,n}$ from $Node_i$'s memory, and then $A$'s attack goal is to obtain the message space $SM^j_{k,n}$ negotiated by other nodes $Node_k$ ($k \neq i$) and $U_n$.

TABLE 2: Critical configuration of Freenet.

TABLE 3: Execution time of prototype without Freenet.