A Novel RLWE-Based Anonymous Mutual Authentication Protocol for Space Information Network

Currently, space information network (SIN) has become an increasingly important role in real life. As a large heterogeneous wireless network, SIN can better provide global mobile services to users anytime and anywhere, even in extreme geographic environments. In addition, there is no need to build the communication base-stations every few kilometers on the ground to ensure high service quality, which greatly reduces the construction costs and can be used as an economical communication method in sparsely populated areas. So there is a trend that more and more end users are more likely to get SIN services than traditional terrestrial cellular networks. However, due to the openness and publicity of the satellite wireless channel and the limited resources of the satellite nodes, the privacy and security cannot be perfectly guaranteed and may even be vulnerable to attacks initiated by the adversary such as replay attacks, impersonation attacks, and eavesdropping attacks. To improve the access security of SIN, researchers have proposed a series of authentication protocols based on different cryptographic assumptions. Nevertheless, existing research shows that these protocols cannot meet the requirements of higher and higher security and short authentication delay. In addition, these protocols are mainly based on public key cryptography mechanisms such as DLP and ECDLP, which can be solved by postquantum computers in polynomial time, so these protocols will no longer be secure. To solve the vulnerability of these protocols, in this paper, we propose a new RLWE-based anonymous mutual authentication and key agreement protocol, which guarantees higher security with low computational overhead even in the postquantum era. Detailed security analysis shows that our protocol meets security requirements and is resistant to a variety of known attacks. Besides, combining security comparison and performance analysis, our proposed protocol is more practical than other protocols in SIN.


Introduction
With the continuous development of globalization, users are increasingly demanding communication and are required to establish high-quality communication connections with others. In this context, SIN is proposed to meet the needs of users for reliability and availability globalization services [1]. As a large heterogeneous network covering the globe, SIN includes various satellite constellations to provide navigation, communication, weather, reconnaissance, and other services for numerous users. In the future, SIN will not only serve the Earth users, but also serve space satellites and interstellar spacecraft with advanced space technology [2]. Compared with traditional terrestrial cellular networks, SIN has the following three characteristics [3]. First, SIN covers a wider range and can provide the stable signal in cities, villages, and even extreme environments. Second, as long as the device has the ability to communicate with satellites, it can join SIN as an end user or service provider anywhere in the world, which greatly improves scalability.
ird, SIN does not require the laying of large amounts of ground facilities like a terrestrial network, and the signals are not affected by the terrain. SIN is a scarce resource for present and future, so the United States and Europe have carried out a series of key national research projects such as uraya [4], MUOS [5], ISICOM [6], and TSAT [7].
As a key communications architecture in marine, aerospace, military, and remote IoT applications, confidential and internal information will be transmitted to each other through SIN wireless channels [3]. Because security is not a primary concern when initially deploying SIN, the current research on security is still insufficient. At present, researchers have begun to shift from researching the functional requirements to the security requirements, and access authentication is the focus of their research [8,9]. Accessing authentication is the first step for the end user to apply for service to the satellite node; it is even more necessary to take some light mechanisms to ensure the security and the quality of service (QoS). ere are two key factors affecting the security and performance of the authentication protocol: one is the openness of the satellite wireless channel, the public channel will result in data being easily captured by adversaries, and the cryptographic mechanism should be used to resist the attack initiated by the malicious node. e other is the authentication delay caused by messages transmission and computing overhead. For delay-sensitive users who require real-time communication, the authentication delay should be as small as possible, even if the signal delay caused by satellites located 500 to 3,000 kilometers above the ground is unavoidable.
Currently, hardware technology is developing rapidly, and satellites can already carry more complex computing devices [10]. e three-party or two-party authentication protocols proposed in other research areas can provide a reference for designing authentication protocols suitable for SIN but cannot be directly applied. For example, in mobile pay-TV systems, [11] proposes a time slot-based key distribution mechanism that divides 24 hours by 45 minutes and arranges them in a binary tree. Service providers can provide up to 16 communication keys for a single user. However, when the number of users increases, it will occupy a lot of storage space of the service provider, which is not suitable for satellite with shortage of resources. In global mobility networks, [12] proposed a roaming authentication scheme based on the chaotic map-based discrete logarithm problem (CMBDLP). When a user and the foreign agent authenticate with each other, they need to transfer information four times with the participation of home agent, which increases the user's waiting time, and this does not meet the SIN low-latency requirement. Other scholars have also proposed many authentication protocols based on difficult problems such as elliptic curve discrete logarithm problem (ECDLP) [13], discrete logarithm problem (DLP) [14], large integer factorization problem (LIFP) [15,16], and hash function [17], but these protocols still cannot be directly applied to SIN unless high security and efficiency are not considered. Furthermore, with the advent of the postquantum era, most authentication protocols that rely on public key cryptography have the potential to be resolved in polynomial time. So these authentication protocols may present security risks in the future. erefore, this paper proposes a novel RLWE-based anonymous mutual authentication protocol for space information network, which can meet the requirements of high security and efficiency. In our protocol, LEO satellites serve as nodes that end users want to access. Terrestrial control station (TCS) provides system registration services for end users and LEO satellites. In the process of mutual authentication between the end user and the LEO satellite, the temporary identity is used so that the true identity is not revealed, and TCS does not participate in the authentication process as an offline node, which greatly reduces the authentication delay. In addition, the authentication protocol is based on the RLWE assumption which has been shown to be as difficult as the worst-case problem in the ideal lattice [18] and is also resistant to quantum computing with less computational overhead [19]. It is worth mentioning that our proposed protocol has the following main contributions: (1) We propose a novel RLWE-based anonymous mutual authentication protocol that enables both the end user and the LEO satellite to authenticate each other. In addition, TCS does not participate in the authentication process, which greatly reduces the communication delay to better meet the needs of delay-sensitive users. (2) is is the first anonymous authentication protocol for antiquantum computing in SIN. Moreover, in this paper, detailed security analysis proves that our protocol can meet the security requirements based on the well-known Dolev-Yao threat model [20] and resist various attacks by adversaries. (3) Considering the linkability of the user identity may be known by the adversary with background knowledge during the temporary identity transmission process, our protocol allows the end user to apply for a new temporary identity from TCS in the public channel, which enhances anonymity and unlinkability. e rest of this paper is organized as follows: in Section 2, we first briefly discuss related work.
en we show the background information related to the protocol in Section 3. In Section 4, we describe the proposed protocol in detail. Detailed analysis of the security and performance of the proposed protocol is provided in Sections 5 and 6, respectively. Finally, Section 7 presents the conclusion of this paper.

Related Work
In recent years, researchers have been enthusiastic about security and privacy issues in the authentication protocol for space information network (SIN). In 1996, Cruickshank [21] proposed the first authentication protocol in satellite networks using the public key cryptosystem to authenticate the legitimate identity of the end user and the satellite, respectively, and uses the symmetric key system to encrypt the communication data. However, the protocol requires terrestrial control station (TCS) to participate during the authentication process, which results in a large delay in the authentication process, and the use of four complicated encryption and decryption operations results in large computational overhead. en Hwang et al. [22] proposed an authentication protocol that uses the symmetric key to encrypt the message transmission in the mutual authentication phase without the need for a public key mechanism. Although the computational overhead is reduced, the shared key in each authentication is only determined by the TCS, and the end user does not participate in generating the shared key, without enabling the end user to trust the security of the shared key. To overcome the weaknesses in [22], Chang and Chang [23] proposed an authentication scheme with only hash functions and XOR operations. is scheme greatly reduces the computational complexity and ensures that the shared key is jointly generated by both parties, but still cannot overcome the problem of TCS participating in the authentication process which will result in the increase of TCS computing load and a large delay of authentication. In 2012, Zheng et al. [24] proposed a more effective protocol to reduce the computational complexity of TCS, but proved in [25] that [24] cannot resist the denial of service (DoS) attack and the identity spoofing attack. Recently, Yang et al. [10] proposed a new anonymous fast authentication protocol based on the q-SDH problem and elliptic curve digital signature algorithm (ECDSA) for authenticating roaming users in foreign domains. In the authentication stage, the protocol does not compromise the anonymity of the user's identity and can resist replay attacks, man-in-the-middle attacks, and modification attacks. Unfortunately, the protocol does not have user login authentication, which will result in that if the user's device is stolen, the adversary can use the user's device to impersonate as a legitimate user. Besides, in the postquantum era, the difficult problems that [10] relies on have been proven to be resolved in polynomial time, and the anonymity and communication security will be invalid. Feng et al. [26] first proposed an anonymous authentication protocol based on ideal lattices and resistant to quantum computing. However, there are two defects in [26] that cannot be applied. First, when the adversary intercepts the message sent by the user in authentication phase and the message is directly replayed or modified, then the server will spend a lot of computational overhead to check whether it is a legitimate message. If the adversary sends a large number of forged authentication messages, it will consume a lot of system resources. Secondly, server provides both registration and user authentication functions, while satellite nodes in SIN cannot simultaneously undertake heavy computing and storage tasks due to limited resources. In summary, previous authentication protocols based on hash or classic hard problems cannot meet the anonymity, security, and low-latency requirements.
erefore, in this paper, we design an access authentication and key agreement protocol, which can guarantee the anonymity of users and has lower transmission delay.

Preliminaries
In this section, we give a review of background information and the notations on RLWE and then briefly describe the system model and threat model that the protocol relies on. Finally, the security requirements are presented.

Ring Learning with Errors.
Let n � 2 k , where k ∈ Z. e rings of polynomials over Z and Z q , respectively, are denoted by Z[x] and Z q [x], where q is an odd prime number and qmod2n � 1. Consider the two rings R � Z[x]/(x n + 1) and R q � Z q [x]/(x n + 1). For any polynomial element y in R or R q , denote it by its coefficient vector in Z n and Z n q , respectively. Given a fixed positive real β , the discrete Gaussian distribution over R q is denoted by χ β . We refer to [19,27,28] for a more description of RLWE with the following lemmas.
For an odd prime q > 2, let Z q � − ((q − 1)/ 2), . . . , ((q − 1)/2)} and the subset E � − q/4 , . . . , q/4 as the middle set of Z q . For any x ∈ Z q , the characteristic function Cha of the set E complement is defined as e auxiliary modular function Mod 2 : , with the following lemma for these two functions.

Lemma 3.
Given an odd prime number q, we have two ring elements v, e ∈ Z q such that |e| < q/8. en, the equation e two functions Cha and Mod 2 can be extended to the ring R q by applying coefficients to ring elements and can also follow the lemmas mentioned above. Given a ring element where the absolute value of each element in e is less than q/8 [30]. Definition 1. Ring learning with errors (RLWE) assumption: let R q and χ β be defined as above. v, e are randomly selected from R q and χ β , respectively. e RLWE assumption states that it is hard for any PPT algorithm to distinguish R q × χ β from the uniform distribution on R 2 q . e hardness of the RLWE assumption can be reduced to the Shortest Independent Vectors Problem (SIVP) over ideal lattices [31]. Figure 1, SIN contains a total of three types of entities: terrestrial control station (TCS), satellite node, and end user. e following details describe the functions of each entity.

System Model. As shown in
(i) TCS is a control center to provide registration services to end users and satellite nodes. Moreover, TCS is considered a trusted entity with the highest level of firewall and intrusion detection system. Any attack can be detected and taken with corresponding security measures to prevent attacker from intruding into TCS.

Security and Communication Networks
(ii) Satellite node is the service provider for end users in SIN. In order to reduce the delay of users accessing SIN, LEO satellites that are closer to the ground are usually used. LEO satellites are not all legal service providers, and there may be some LEO satellites controlled by malicious adversaries. (iii) End user is user with the smart device and has the ability to compute, store, and communicate with satellites. e end user will request access to the SIN to get the subscribed service. It needs to be reminded that the smart device is at risk of being lost or stolen.

reat Model.
In our protocol we make use of the Dolev-Yao threat model, which means that the adversary will control all openness and public channels in SIN. e adversary can arbitrarily monitor, intercept, modify, and replay messages transmitted between nodes and has unlimited storage space to store all the information monitored. e protocol we designed is to allow legitimate nodes to authenticate each other's identity, deny illegal access, and ensure that secrets are not obtained by adversaries under the Dolev-Yao threat model.

Security Requirements.
According to the characteristics of the previously proposed authentication protocol in SIN, a well-designed protocol should meet the following security requirements.

Mutual Authentication.
Satellite nodes should have the ability to verify the legal identity of the end user and prevent access by nonlegitimate users. Similarly, the end user should also have the same ability to verify access to legitimate satellites.

Identity Anonymity.
e identity of the end user should remain anonymous, and no one other than TCS and the end user himself can know the true identity of the user.

Key Establishment.
After successful mutual authentication of the satellite and the end user, they should jointly construct a shared key to protect future communication.

Perfect Forward Secrecy.
e authentication protocol also needs to meet the requirement that the shared key leakage does not lead to the previous and future session key leaks.

Attack Resistance.
In the authentication process, in order to ensure the accuracy and security of authentication, the protocol should be able to withstand various attacks initiated by the adversary such as replay attack, modification attack, eavesdropping attack, and impersonation attack.

Our Proposed Protocol
In this section we present a novel RLWE-based anonymous authentication protocol. e detailed protocol description will be introduced in the order of system initialization phase, registration phase, authentication phase, password update phase, and temporary identity update phase.

System Initialization Phase.
In the system initialization phase, TCS generates the master key pair and some system public parameters according to the following steps: (1) TCS sets system security parameters k (2) TCS chooses an odd prime number q and an integer n, where n is a power of 2 and qmod2n � 1 (3) TCS chooses a discrete Gaussian distribution χ β and a random ring element a, where β is a fixed positive number and a ∈ R q (4) TCS randomly samples s, e ⟵ χ β and computes the master public key p TCS � a · s + 2 · e, where s is the master private key (5) TCS chooses a security hash function publishes the system parameters q, n, χ β , a, p TCS , h to the public and securely stores the master private key s e system initialization phase is performed once when the system is laid out and not during other phases. Since it is only executed once, the computational overhead of the system initialization phase can be considered negligible.

Registration Phase.
e registration phase is the process by which TCS interacts with trustworthy end users and satellite nodes. In this phase, the satellite and the end user need to submit the true identity ID and other necessary parameters to TCS. It is worth noting that end users also need to generate the temporary identity TID that masks the true identity during the authentication phase.
en TCS generates the parameters needed for mutual authentication in the future for the end user and the satellite node, respectively. We briefly show this process in Figure 2 and the more detailed steps will be described in Algorithm 1 and the rest of this section. We assume that the satellite set is S LEO with N 1 satellites and the end user set is S user with N 2 users. For a clearer presentation, in the following description, we (1) LEO j generates the true identity ID L j and computes the master public key pm L j � a · sm L j + 2 · em L j , where sm L j and em L j are randomly sampled from χ β . sm L j is assumed to be the master private key and is stored securely by LEO j . Finally, LEO j sends the message ID L j , pm L j } to TCS. It needs to be reminded that the identity of the ID L j satellite node is not private, so there is no need to anonymize it. (2) u i generates the true identity ID u i , temporary identity TID u i , and password PW u i and then chooses the satellite node ID L j which it wants to communicate with. e function of PW u i is used for login verification and it will be required in authentication phase, password update phase, and temporary identity update phase. Next, u i computes the master public key pm u i � a · sm u i + 2 · em u i , where sm u i and em u i are randomly sampled from χ β . sm u i is assumed to be the master private key and is stored securely by u i . en u i computes TWD u i � h(TID u i , PW u i ), which is to protect the PW u i from being known by the TCS. Finally, u i sends the message after receiving the registration message of u i . en TCS sends the messages DP u i , V u i , pm L j } to u i and TID u i , pm u i } to LEO L j . V u i is used to check if the temporary identity TID u i and password PW u i entered are correct when u i logs into the smart device. e function of the DP u i is to enable u i to update the password PW u i as wishes and detailed in the password update phase. e function of DI u i is to prevent u i from changing TID u i by himself. If u i is free to update the temporary identity TID u i , the legal identity of u i cannot be distinguished during the authentication phase. By binding the master private key s of the TCS to TID u i , even if u i attempts to update TID u i , it cannot change DI u i , DP u i , and V u i without TCS. Finally, TCS stores ID u i , TID u i , pm u i and ID L j , pm L j }. (4) u i stores the message DP u i , V u i , pm L j }. (5) LEO j stores the message TID u i , pm u i }. Figure 3, in this phase, u i and LEO j mutually authenticate each other's legal identity in accordance with the following steps and negotiate a shared session key to encrypt future communications. It is Figure 2: Registration phase.

Authentication Phase. As shown in
(1) LEO j : (2) Generates the true identity ID L j ; (3) Randomly samples sm L j , em L j and computes the master public key pm L j � a · sm L j + 2 · em L j ; (4) Stores the master private key sm L j ; (5) Submits ID L j , pm L j } to TCS; (6) LEO j END (7) u i : (8) Generates the true identity ID u i , temporary-ID TID u i , password PW u i and chooses the satellite node ID L j ; (9) Randomly samples sm u i , em u i and computes the master public key pm u i � a · sm u i + 2 · em u i ; (1) u i needs to input the temporary identity TID u i ′ and password PW ' u i to login the smart device before requesting authentication. e device computes If they are not equal, the access request is terminated immediately; otherwise the following steps are continued according to the protocol. is process is to prevent the device from falling into the adversary and being disguised as u i . Next, the smart device computes k L � pm L j · sm u i , w L � Cha(k L ), σ L � Mod 2 (k L , w L ), and α L � h(TID u i , w L , σ L , ts 1 ). Finally, u i sends the message TID u i , w L , ts 1 , α L to LEO j . ts 1 is the timestamp used to prevent the replay attacks by the adversary. e rest of the timestamps in this paper have the same function as ts 1 .
(2) After receiving the message TID u i , w L , ts 1 , α L , LEO j first checks the timestamp ts 1 and compares it with the current time to see if it is within the time allowed. If the timestamp is not within the allowed range, the access request is denied; otherwise LEO j computes k L ′ � pm u i · sm L j , σ L ′ � Mod 2 (k L ′ , w L ), and α L ′ � h(TID u i , w L , σ L ′ , ts 1 ). en it checks whether α L ′ � α L . If they are not equal, the end user who sent the access request is not legitimate and LEO j rejects the access request; otherwise the next steps of the authentication protocol are continued. Next, LEO j computes p L j � a · s L j + 2 · e L j and α 0 � h(TID u i , w L , σ L ′ , p L j , ts 2 ), where s L j and e L j are randomly sampled from χ β . Finally, LEO j sends the message p L j , ts 2 , α 0 to u i . (3) After receiving the message p L j , ts 2 , α 0 , u i first checks the timestamp ts 2 and compares it with the current time to see if it is within the time allowed. If the timestamp is not within the allowed range, the access request is denied; otherwise u i computes α 0 ′ � h(TID u i , w L , σ L , p L j , ts 2 ). en u i checks whether α 0 ′ � α 0 . If they are not equal, u i will assume that the satellite requested to access during the authentication phase is not the true LEO j and actively stops the access request; otherwise it continues to compute (4) After receiving the message p u i , w i , aid, ts 3 , α i , LEO j performs the same timestamp check process as steps 2 and 3. If the timestamp is not within the allowed range, the access request is denied; otherwise . en LEO j checks α i ′ � α i . If they are not equal, the received message is not sent by the real ID u i or modified by malicious nodes, and then the access request is immediately terminated; otherwise it computes DP u i

Password Update Phase.
When u i wants to change the old password PW Old u i to the new password PW New u i , an attempt as shown in Algorithm 2 is made to perform the password update phase. Firstly, u i needs to input the temporary identity TID u i and the correct old password PW Old u i . en the smart device computes will be used as the

Temporary Identity Update Phase.
is phase is only performed when the previous temporary identity TID Old u i is no longer sufficient for their identity anonymity and security requirements. As shown in Figure 4, u i finally obtains a new legal temporary identity TID New u i through two message exchanges and updates the parameters associated with the temporary identity TID such as DI, TWD, DP, and V. We note that all messages between TCS and u i are transmitted in the public channel.
(1) u i needs to input the correct TID u i and PW u i . After the verification is successful, u i chooses a new temporary identity TID New u i and then computes k TCS � p TCS · sm u i , w TCS � Cha(k TCS ), σ TCS � Mod 2 (k TCS , w TCS ), α i � TID New u i ⊕h(TID Old u i , w TCS , σ TCS , ts 4 ), and α � h(TID Old u i , TID New u i , w TCS , α i , ts 4 ). Finally, u i sends the message TID Old u i , w TCS , ts 4 , α i , α} to TCS.
(2) After receiving the message TID Old u i , w TCS , ts 4 , α i , α}, TCS first checks the timestamp ts 4 and compares it with the current time to see if it is within the time allowed. If ts 4 is valid, TCS computes k TCS

Security Analysis
In this section, we analyze and discuss the security requirements of our protocol and prove that our protocol is sufficiently secure to resist insider attacks, replay attacks, modification attacks, eavesdropping attacks, and impersonation attacks. As shown in Table 1, we also compared the security attributes with other related protocols.

Mutual Authentication.
In step 2 of authentication phase, LEO j authenticates the legal identity of u i by checking Since LEO j has securely stored the temporary identity TID u i and the public key pm u i in registration phase, only the user whose temporary identity is TID u i and has the public-private key pair pm u i , sm u i can compute the same σ L as LEO j and then can pass the check. No one can compute the matching private key sm u i by TID u i and pm u i unless the SIVP assumption can be solved with PPT algorithm. Similarly, in step 3 of authentication phase, u i authenticates the legal identity of LEO j by checking α 0 ′ � α 0 , where α 0 � h(TID u i , w L , σ L , p L j , ts 2 ). Since u i has securely stored the ID L j and the public key , the adversary can only disguise as LEO j if it solves the SIVP assumption in polynomial time. In addition, as [26], the secure hash function is used to ensure the integrity of the messages in the public channel transmission. erefore, the authentication protocol can meet the security requirements of mutual authentication.

Identity
Anonymity. In the whole system, only u i and TCS know the true identity ID u i . Whether in the authentication phase or in the temporary identity update phase, the temporary identity TID u i is transmitted in the public channel. ID u i has no relevance to TID u i and cannot be inferred from TID u i . e adversary can only obtain the true identity of the user from TCS which preserves the relationship between TID u i and ID u i . However, the highest level of security protection of TCS makes it impossible for adversary. erefore, the authentication protocol can meet the security requirements of identity anonymity.

Key Establishment.
In step 3 and step 4 of authentication phase, u i and LEO j independently generated the final shared session key h(DP u i , TID u i , w L , σ L , p u i , p L j , w i , σ i , α i ), where nonpublic parameters σ L � Mod 2 (k L , w L ) and σ i � Mod 2 (k i , w i ) require both parties to participate to compute k and avoid the shared key being determined by the single party. Moreover, the adversary cannot guess k from the public key unless there is a more efficient algorithm to solve the SIVP assumption. erefore, the authentication protocol can meet the security requirements of key establishment.

Perfect Forward Secrecy.
In our protocol, the shared key negotiated by the two parties is h(DP u i , TID u i , w L , σ L , p u i , p L j , w i , σ i , α i ), except for σ L , σ i , and DP u i , which are parameters that can be directly intercepted in the public channel. σ L and DP u i can be regarded as long-term secrets of u i and LEO j . In addition, σ i is generated by s u i and e u i randomly sampled from χ β at each authentication. Even if long-term secrets are captured by the adversary, due to the randomness of s u i and e u i , the adversary cannot know the previous session key. erefore, the authentication protocol provides perfect forward secrecy.

Login Authentication.
Only after entering the correct temporary identity TID and password PW can the user perform the access authentication in accordance with the steps. When the user's device is lost, the adversary cannot use the device, which avoids the security threat of the adversary pretending to be a legitimate user. Moreover, it can not only deny malicious access directly at the device side, but also reduce the computational cost of SIN.

Resistance of Insider Attacks.
Although TCS is a trusted entity in the SIN, it is inevitable that the possibility of insiders stealing the user's password exists. During the registration phase, the user did not submit the password PW directly to TCS but TWD � h(TID, PW). Due to the oneway security of the hash function h, insiders cannot get PW from TWD. erefore, the authentication protocol can meet the security requirements of resistance of insider attacks.

Resistance of Replay Attacks.
It is noted that each message transmission contains a timestamp ts, which is hashed with σ. σ can only be known by both parties to the authentication and the adversary cannot know, which ensures that the message cannot be modified. So even if the adversary replays the authentication message, the user or satellite node can check whether it is the replay attack in two steps. First, check if the timestamp ts is within the allowed range; then compute the hash value α of the message and compare it with α ′ sent by the other party. Even if the adversary modifies the timestamp ts in the message and passes the first step of checking but cannot get σ, it is impossible to forge the correct hash value with the modified ts. Furthermore, parameters s L j , e L j , s u i , e u i } are randomly sampled, which results in different public keys p and hash values α for each session. u i and LEO j can also detect replay attacks by verifying these parameters. erefore, the authentication protocol can meet the security requirements of resistance to replay attacks.

Resistance of Modification Attacks.
During the authentication phase, each step contains a final message hash α which is the hash value of the message transmitted this time and some key data previously negotiated. For example, the message p L j , ts 2 , α 0 is transmitted by LEO j to u i in the second step, where α 0 � h(TID u i , w L , σ L , p L j , ts 2 ). α 0 contains not only the message p L j and the timestamp ts 2 but also the previously negotiated parameters TID u i , w L , and σ L . Due to the security features of the hash function h, any changes to the message can be verified. erefore, the authentication protocol can meet the security requirements of resistance of modification attacks.

Resistance of Eavesdropping Attacks.
In our whole protocol, the adversary can only obtain data such as TID u i , w L , p L j , p u i , w i , and a series of hash values and timestamps. Due to the security of the hash function, the adversary cannot get any useful information from the hash value. In addition, the final shared key is h( where σ L and σ i cannot compute by the known parameters such as TID u i , w L , p L j , p u i , w i unless the SIVP assumption is solved. erefore, the authentication protocol can meet the security requirements against eavesdropping attacks.

Resistance of Impersonation
Attacks. An adversary may impersonate a legitimate user or satellite node to submit or respond to access requests. However, the adversary can only obtain the public key of both parties, but cannot obtain the private key for authentication and negotiation of shared key, so it is impossible to forge hash values to pass authentication. erefore, the authentication protocol can meet the security requirements of resistance to impersonation attacks.

Performance Analysis
In this section, we present the performance analysis of the protocol for authentication delay and communication overhead. Because our proposed protocol is the first postquantum anonymous authentication scheme for SIN, we just choose to compare it with the classic authentication scheme [23] and the latest proposed protocol [10]. Furthermore, to make the comparison more intuitive and consider the practicality of the protocol for smart devices, we set the parameters in the protocol as [19]. e integer n is 1024 and the odd prime number q is 12289. For discrete Gaussian distribution parameter β is set to log β � 17.1. Finally, choose the secure hash function SHA3 with output of 512 bits.

Authentication Delay.
Authentication delay refers to the sum of the total computing time and the transmission time of both devices from the beginning to the end in the mutual authentication phase. Before discussing the authentication delay of our proposed protocol in detail, we need to use the following symbols to represent the average time overhead caused by different operations. T Ge is used to represent the sampling time from the discrete Gaussian distribution χ β . T smul and T pmul represent multiplication with scalar and multiplication time in R q , respectively. T pma represents the time of the multiplication and addition operation in R q . T Cha indicates the time when the Cha function is executed once. T h is the time when the SHA3 hash function is executed once. To better analyze the performance of our proposed protocol, we quote the overhead time of various computation operations in [26]. e satellite node and the end user in the proposed protocol correspond to the server and the mobile device in [26], respectively. e machine is equipped with 3.4 GHz Intel Core i7-6700 processor and 8 GB RAM as the satellite node and the end user with 1.4 GHz Quad-core Exynos 4412 processor and 1 GB RAM. Both parties used the LatticeCrypto library and the MIRACL library when implementing the protocol. e experimental results are shown in Table 2 and it is worth mentioning that the computation overhead of Mod 2 function is small enough to be neglected. In addition, since LEO satellites are usually located 500 km-3000 km from the ground, it is reasonable to set the single message delivery time to T u− LEO � 5ms. e following is the analysis of the computing time according to the steps in the authentication phase.
(1) In the first step, after TID ' u i and PW ' u i entered by u i , the device performs two hash operations to check whether they are correct. If the verification passes, u i also needs to perform one multiplication operation in R q , one Cha function in R q , and one hash operation. erefore, the total computing time overhead of u i is 3 × T h u + T pmul u + T Cha u � 591.459ns.
(2) In the second step, after receiving the message, LEO j first needs to perform one multiplication operation in R q and one hash operation to check the validity of the message. If the verification passes, it also needs to continue to perform two random sampling operations in χ β , one multiplication with scalar in R q , one multiplication and addition operation in R q , and one hash operation. erefore, the total computing time (3) Next, after u i receives the response message from LEO j , u i first performs one hash operation to check the validity of the message. If the verification passes, u i also needs to perform two sampling operations in χ β , one multiplication with scalar in R q , one multiplication and addition operation in R q , one multiplication time in R q , one Cha function in R q , and three hash operations. erefore, the total computing time overhead of u i is 4 × T h u + 2 × T Ge u + T smul u + T pma u + T pmul u + T Cha u � 1931.549ns. (4) Finally, after LEO j receives the response message from u i , it first performs one multiplication operation in R q and one hash operation to check the validity of the message. If the verification passes, LEO j also needs to continue to perform two hash operations. erefore, the total computing time overhead of LEO j is 3 × T h L + T pmul L � 42.577ns.
In general, the two parties of authenticating the identity and building the session key need to execute 2523.008 ns at the end user and 220.917 ns at the satellite node, respectively. e total computing time required for the protocol is 2743.925 ns. Besides, the three messaging times required for the authentication phase are 3 × T u− LEO � 15ms. So the authentication delay of our proposed protocol is 15.003 ms and the computing time is only a small part of the authentication delay.
In [23], the computing time depends on the maximum number of accesses N and the j − th access. In order to achieve the shortest time, we set N � 1, j � 1. erefore, both the end user and the satellite node of the authentication process need to perform four hash operations and the computing times aare 4 × T h u � 723.856ns and 4 × T h L � 56.36ns, respectively. Besides, the five messaging times required for the authentication phase are 5 × T u− LEO � 25ms. So, the authentication delay of [23] is 25.001 ms. However, in general, in order to reduce the computational task of TCS, N is set to a larger value which makes the authentication delay greatly increase and the performance of the protocol degrade.
In [10], the protocol is based on the q − Strong Diffie-Hellman problem [32] where the execution of the protocol requires pairing operation, multiplication operation, and exponentiation operation in the additive cyclic group. e experimental results of these operations in [26] are as described in Table 3. In the authentication phase, the end user needs to execute the total of nine multiplication operations, three exponentiation operations, two pairing operations, and one hash operation, so the computing time of end user is 9 × T mul u + 3 × T exp u + 2 × T pair u + T h u � 115.485ms. e satellite node executes five multiplication operations, four exponentiation operations, two pairing operations, and one hash operation, so the computing time of satellite node is 5 × T mul L + 4 × T exp L + 2 × T pair L + T h L � 18.202ms. e total computing time required for the protocol is 133.687 ms. Besides, the two messaging times required for the authentication phase are 2 × T u− LEO � 10ms. So, the authentication delay of [10] is 143.687 ms. Table 4 shows the comparison of the authentication delays of our proposed protocol with the other two protocols. It can be seen from the table that the authentication delay of our proposed protocol is significantly lower than [10,23], which is a more effective authentication scheme.

Communication Overhead.
According to the security of the protocol and the support for the device mentioned earlier, we set the size of elements in R q to 4096 bits, the output of the SHA3 function is 512 bits, and the length of the identity and the timestamp is 100 bits.
In [23], both parties need to transmit six hash values and six identity messages, so the total transmission overhead is 6 × 512 + 6 × 100 � 3672 bits. In [10], assume that the length of element in cycle group and all signatures is 160 bits. erefore, according to the communication overhead in [10], it can be concluded that the total of 2480 bits of messages needs to be transmitted during the authentication phase.
It is worth noting that the communication overhead of the proposed protocol is greater than other protocols because the protocol is based on RLWE, and a common flaw in the ring R q is that the key size is larger than the traditional encryption system. Considering that satellite network bandwidth has grown significantly and the authentication delay is small enough for delay-sensitive users, so we believe

Conclusion
In this paper we propose a novel RLWE-based anonymous mutual authentication protocol for SIN which is an antiquantum computing protocol. In the security analysis, we elaborated that the proposed protocol can meet the security requirements of SIN access authentication and compare the security with other related protocols. e analysis results show that our protocol is more secure than other protocols. Moreover, in the performance analysis, it is further stated that the authentication delay of our proposed protocol is very small. Although the communication overhead is slightly larger, the protocol we proposed under the trade-off communication delay and communication overhead is practical for SIN in the future.

Data Availability
e data used to support the findings of this study are included within the paper.

Conflicts of Interest
e authors declare no conflicts of interest.