Identity-Based Identification Scheme without Trusted Party against Concurrent Attacks

College of Computer Science and Technology, Chongqing University of Posts and Telecommunications, Chongqing 400065, China School of Cyber Security and Information Law, Chongqing University of Posts and Telecommunications, Chongqing 400065, China Chongqing Vocational and Technical University of Mechatronics, Chongqing 402760, China Department of Mathematics, Hangzhou Normal University, Hangzhou 311121, China Westone Cryptologic Research Center, Beijing 100071, China


Introduction
In identification schemes, the user, playing the role of a prover, can identity itself to any verifier in a protocol in which the verifier begins by holding only the corresponding public key. One of the purposes of identification is to promote access control to resources, when an access privilege is linked to a particular identity.
ere are a lot of research studies on identification schemes. e fundamental work of identification scheme [1] was proposed by Fiat and Shamir, named FS scheme. e authors described an identification scheme in which any user can prove its identity to other users. ey combined zero-knowledge interactive proofs with identity-based schemes. e key of FS scheme is to assume that there is a trusted center, such as computer center, government, and credit card company. is center gives smart cards to users after checking their physical identities. e FS scheme is based on the factorization problem. Feige et al. [2] proposed another identification scheme, named FFS scheme, which is also based on the factorization problem. Okamoto [3] presented a three-move interactive identification scheme and proved that the scheme has the same security as the discrete logarithm problem. Schnorr's scheme [4] is one of the famous identification schemes. e GQ scheme which was proposed by Guillou and Quisquater [5] is based on the RSA-inversion problem. e formal proof of security for GQ and Schnorr schemes was realized by Bellare and Palacio [6]. ey provided a proof for GQ scheme based on RSA-inversion assumption and a proof for Schnorr scheme based on one more discrete logarithm (OMDL) assumption. ese two schemes are provably secure against impersonation under active and concurrent attacks. Girault [7] gave a modification of Schnorr's identification scheme, in which each user can select his own secret key but the center can not get it from the public key. Kim and Kim [8] proposed a new identification scheme based on bilinear Diffie-Hellman problem, which is secure against passive and active attacks.
In traditional identification schemes, we need a certificate authority (CA) to authenticate prover's public key in the setting of public key infrastructure (PKI). Shamir [9] introduced the notion of identity-based cryptography (IBC). e purpose of IBC is to simplify the management of certificates in PKI. Shamir pointed out that the key generation center (KGC) generates the corresponding secret key with the public identity and sends it to the user when he first joins in the system. Each user has a unique and meaningful identity as the public key and thus avoids the complicated certificate management problem. en, Boneh and Franklin proposed an identity-based encryption (IBE) scheme [10], which is based on bilinear pairing. Since then, a large number of identity-based identification schemes have been proposed by using bilinear pairings. e formal definition of identity-based identification (IBI) scheme was introduced by Kurosawa and Heng [11]. ey constructed a transformation from any standard digital signature scheme to an IBI scheme. en, in [12], they proposed two IBI schemes, one of which is provably secure against impersonation passive attacks, and the other is provably secure against impersonation active and concurrent attacks. e security model of IBI [11,13] can be divided into three types, called security against impersonation under passive attacks, active attacks, and concurrent attacks, respectively. en, Chin et al. [14] presented a provably secure IBI scheme in the standard model. e scheme of [14] is secure against impersonation under active and concurrent attacks based on one more computational Diffie-Hellman assumption. Barapatre and Rangan [15] proposed a general framework of IBI based on the identity-based key encapsulation mechanism. e scheme of [15] is secure against impersonation under active and concurrent attacks based on the q-bilinear Diffie-Hellman inversion assumption.
It is well known that, the IBI schemes suffer the key escrow problem, which means that we need a trusted KGC to generate all users' key. In order to solve this problem, in this work, we consider the IBI scheme without a trusted party. e main contributions of this work can be summarized as follows: (1) We give the formal definition of IBI scheme in the multi-authority setting. In our definition, there are n authorities. e generation of users' secret key needs at least t authorities. (2) We construct an IBI scheme with multiple authorities based on the BLS signature scheme [16]. e security of the proposed scheme is provably against impersonation under passive and concurrent attacks in the random oracle model. (3) We consider the applications of the proposed multiauthority IBI scheme. We show that the scheme can be used to identification in blockchain. e rest of this paper is organized as follows. In Section 2, we give the definitions of bilinear pairing and complexity assumptions. We also present the definition and security models of the IBI scheme in Section 2. Section 3 presents the details of IBI scheme. In Section 4, we prove the security of the proposed scheme. In Section 5, we describe the applications of the multi-authority IBI scheme in blockchain. Finally, we make a conclusion about this paper in section 6.

Preliminaries
In this section, we describe the relevant definitions and security models.

Bilinear Map and Complexity Assumptions.
In the construction of our identity-based identification scheme, we use bilinear pairing as the basic tool. erefore, we briefly introduce the concept of bilinear pairing.
Let G and G T be two cyclic multiplicative groups, where G is generated by an element g, i.e., G � 〈g〉. Groups G and G T have same prime order p. We say that (e: G × G ⟶ G T ) is an admissible bilinear pairing if it satisfies the following properties: (1) Bilinearity: e(g a , g b ) � e(g, g) ab for all (a, b ∈ Z p ).
(2) Nondegeneracy: there exists (g c , g d ∈ G), for (c, d ∈ Z p ), such that e(g c , g d ) ≠ 1 G T , where 1 G T represents the identity element of the group G T . (3) Computability: there is an efficient algorithm to compute e(g a , g b ) for all (a, b ∈ Z p ).
e security of our scheme relies on the following two difficult problems: Computational Diffie-Hellman (CDH) Problem and One More Discrete Logarithm (OMDL) Problem.
Definition 1 (CDH). Given (g, g a , g b ) for some (a, b ∈ Z p ), it is hard to compute g ab .
. . , h n ) are random points in G output by the challenge oracle C(·), and n < m, where n denotes the number of queries to the DL oracle, then return 1. Otherwise, return 0.
We define the advantage of adversary A as (Adv omdl A (k) � Pr[Exp omdl (k)] � 1). We say that OMDL problem is hard if Adv omdl A (k) is negligible in k for any polynomial-time adversary.

Definition of Multi-authority IBI.
An identity-based identification (IBI) scheme IBI � (S, K, P, V) is specified by four probabilistic polynomial-time algorithms, called Setup, Key-generation, Proving, and Verification, respectively. On input security parameter k, S returns system public parameters and the master secret key. K is executed by the key generation center to generate a secret key corresponding to a given public identity. P and V are interactive algorithms that implement the prover and verifier. We call (P, V) an identification protocol.
As far as we know, there is no IBI scheme in the setting of multiple authorities. e standard IBI schemes have a key generation center to produce all users' secret key. erefore, it is well known that identity-based cryptographic schemes have the key escrow problem. is work defines the notion of IBI scheme with multiple authorities. In our scheme, there has one more algorithm, Authority Setup, to generate all authorities' master secret keys. e notion of IBI scheme with multiple authorities is consists of the following algorithms: is algorithm takes as input the security parameter k and outputs the system public parameter params. (ii) Authority-setup: e authority setup algorithm is interactively executed by all authorities. On input the system public parameter params and identities P 1 , . . . , P n , output their master secret keys SK 1 , . . . , SK n . (iii) Key-generation: User id makes queries to at least t authorities, for key generation. Each authority P i j takes as inputs the system public parameter params, master secret key SK i j , and user's identity i d and outputs user its partial key psk id,i j . Finally, user id can compute the secret key sk id by itself. (iv) Identification: P receives as inputs (params), id, and (sk id ) and V receives as inputs (params), and (id)), where sk id is the secret key corresponding to the public identity id. After an interactive execution of (P, V), V outputs 1 (accept) or 0 (reject). (v) Correctness: A legitimate P should always be accepted, i.e., 〈P(K(msk, id)), V〉(params, id) ⟶ 1.

Security Models.
e accepted framework of security concepts for identification schemes was proposed by Feige et al. [2]. en, the security definition for IBI scheme was presented in [11,13]. is is an extension of the framework of [2]; that is, the three concepts of security for standard identification schemes are extended to IBI. Usually, we consider adversary goals, adversary capabilities or attacks. e adversary goal is impersonation that if the adversary interacts with the verifier playing the role of prover with identity id * and can persuade the verifier to accept with a nonnegligible probability. To achieve this goal, the adversary can carry out various attacks. We consider three kinds of attacks, namely, passive attacks [2], active attacks [2], and concurrent attacks [6]. ese attacks should take place and complete before the impersonation attempt.
Passive attacks are the weakest one of the above three kinds of attacks for IBI schemes. In passive attacks, the adversary does not interact with the prover. e adversary just eavesdrops and obtains a transcript of a conversation between the prover and verifier. e definition of passive attacks of IBI schemes is defined by the following game which is executed by an adversary A � (V, P) and a challenger C.
Definition 3 (Security against Impersonation under Passive Attacks). Let A � (V, P) be an impersonation adversary with passive attacks (imp-pa).
(i) System-setup: e challenger C runs the system setup algorithm on input a security parameter k to generate system public parameters params. en, C returns params to A.
(ii) Authority-setup: e challenger C runs the authority setup algorithm to generate master secret keys SK 1 , SK 2 , . . . , SK n for all authorities P 1 , P 2 , . . . , P n . (iii) Queries: A can issues some queries as follows: (1) Master secret key queries: A issues a request for some authorities P i for their master secret key. For such a request, C transmits SK i to A. (2) Key generation queries: A issues some key generation queries id i . C then returns the corresponding private key sk id i as the answer. (3) Transcript queries: A can issue some transcript queries on id. In passive attacks, C returns the transcripts T which denotes the conversations between the valid prover id and other verifiers.
(iv) Challenge: A chooses a challenge identity id * . en, A plays the role of a cheating prover, trying to convince any verifier.
We define that adversary A succeeds in impersonating if it can make the verifier accepts. e advantage of an imp-pa adversary A denoted by ADV imp−pa IBI,A (k). We say that IBI scheme is secure against impersonation under passive attacks if Adv imp−pa IBI,A (k) is negligible in k for any imp-pa adversary.
Different from passive attacks, in the active and concurrent attacks, the adversary first plays the role of the cheating verifier, interacting with the honest prover multiple times, trying to extract some useful information. en it plays role of cheating prover, interacting with the honest verifier, trying to persuade the honest verifier to accept. It is easy to see that the security notions of active and concurrent attacks are stronger than the notion of passive attacks. Generally, we pursue stronger security notion for crytographic schemes, such as [18,19].
Active attacks are a special case of concurrent attacks. In the active attacks, the next round of attack is carried out after one attack is completed, that is, the interaction is one by one. In the concurrent attacks, however, the adversary can interact with multiple different prover "replicas" concurrently. e replicas all have the same secret key but are initialized with independent coins and maintain their own state. Apparently, security against impersonation under concurrent attack implies security against impersonation under active attack.
Difinition 4 (Security against Impersonation under Concurrent Attacks). An impersonation under concurrent attacks (imp-ca) adversary A � (V, P) is a pair of randomized polynomial-time algorithms, which denotes the cheating verifier and the cheating prover, respectively. e definition of the concurrent attacks of IBI schemes is defined by the following game which is played by a concurrent adversary and challenger C.
(i) System-setup: e challenger C runs the system setup algorithm on input k to generate system public parameters params. en, C sends params to different replicas of prover P and adversary A � (V, P).
(ii) Authority-setup: e challenger C runs the authority setup algorithm to generate master secret keys SK 1 , SK 2 , . . . , SK n for all authorities P 1 , P 2 , . . . , P n . (iii) Queries: A can issues some queries as follows: (1) Master secret key queries: A issues a request for some authorities P i for their master secret key. For such a request, C transmits SK i to A. (2) Key generation queries: A issues some key generation queries id i . C then returns the corresponding private key sk id i as the answer. (3) Identification training: A first plays the role of a cheating verifier to execute the identification protocols with the honest prover id. In concurrent attacks, the adversary A can issue the identification protocol at any time regardless of whether the last protocol is end or not. e difference between concurrent attack and active attack is that the active adversary only can issue a new identification protocol after the end of the last protocol. We denote the transcript of i-th protocol as T i .
(iv) Challenge: Finally, adversary plays the role of a cheating prover P to execute the identification protocol with a valid verifier V to try to convince that he is the valid prover.
We define that adversary A succeeds in impersonating if it can make the verifier accepts. e advantage of an imp-ca adversary A denoted by Adv imp−ca IBI,A (k). We say that IBI scheme is secure against impersonation under concurrent attacks if Adv imp−ca IBI,A (k) is negligible in k for any imp-ca adversary.

The Proposed Scheme
In this section, we give our multi-authority IBI scheme without a trusted party. Generally speaking, in traditional IBI schemes, there is a trusted party for the generation and distribution of user secret keys. To address the problem of no trusted party, we utilize distributed key generation (DKG) protocol to generate user secret keys. DKG was proposed by Gennaro et al. [20]. e core idea of DKG is (t, n) threshold secret sharing. e concept of secret sharing was introduced by Shamir [21]. Secret sharing is used to share a secret among a group of participants, each of whom has partial information about secret. (t, n) threshold secret sharing means that at least t participate among n participants can reconstructed the secret value.
In the DKG protocol, the participants jointly choose and generate a random secret share s. Each participant P i chooses a random share s i , and then a random secret share s can be recovered by at least t participants. At the end of the protocol, the public key can be defined as y � g s . ere is no trusted party, who owns the secret value s in the secret sharing scheme. e secret value s can only be reconstructed by the cooperation of at least t participants.
e construction of our scheme refers to two article by Lin et al. [22] and Tang et al. [23]. Lin et al. proposed a threshold multi-authority attribute-based encryption scheme. In their scheme, they use (t, n) threshold secret sharing to get the system secret key a 0 . Each authority only has the share a i0 about secret a 0 . erefore, the system secret key a 0 is unknown to any authority. Tang et al. proposed an efficient multi-authority authentication scheme for electronic health records system based on blockchain.

Construction.
e construction of the scheme is outlined below: (i) System-setup: Given the security parameter k as input, generates prime p randomly to establish the system parameters. First of all, it chooses two multiplication cycles G and G T with some prime order p, and a bilinear map (e: G × G ⟶ G T ). Let g be a generator of the group G. Next, it chooses a cryptographic hash function H: 0, 1 { } * ⟶ G. e system parameters are params � p, g, e, G, G T , H, n, t , where n is the number of authorities in the system, and t is the threshold value which denotes the number of authorities to generate secret key for users. (ii) Authority-setup: In this algorithm, all authorities take public parameters params and their identities P 1 , . . . , P n as inputs and establish their master secret keys SK 1 , . . . , SK n . It consists of the following two phases: (a) Phase 1 (generation of the master secret key): Each authority generates the public key and private key, as well as the master public key of the system. (1) Each authority P i selects at random a polynomial F i (x) ∈ Z * p of degree (t − 1): (2) P i calculates (A ik � g a ik ) for (k � 0, 1, . . . , t − 1) and then broadcasts A ik .

Security and Communication Networks
(3) P i computes secret value y ij � F i (P j ) for (j � 1, 2, . . . , n), and then sends y ij secretly to authority P j for j ≠ i. (4) P j verifies the equation g y ij � t−1 k�0 (A ik ) P k j holds or not. If it holds, the secret sharing from P i is valid. Otherwise, P j broadcasts a complaint against P i . (5) If authority P i is complained, then it needs to broadcast values y ij that satisfy the equation. If the disclosed y ij still does not match, P i has to keep proving itself to be honest until the equation is true. (6) P j computes its own private key SK j � n i�1 y ij and calculates its own public key PK j � g SK j . e master secret key s can be recovered by any t values in PK 1 , . . . , PK n .
(b) Phase 2 (generation of master public key): According to the above phase, each authority has broadcasted values PK i � g SK i for (i � 1, 2, . . . , n) which can verified publicly. erefore, the master public key can be computed as After the above two phases, each authority adds parameters y and (P i , PK i ) n i�1 to the parameters params: � p, g, e, G, G T , H, y, n, t, (P i , PK i ) n i�1 . (iii) Key-generation: User id i makes key-generation request to at least t authorities. en, the authority generates the corresponding partial secret key and sends it to the user. After receiving the partial secret key, the user can verify its correctness using the public key of the corresponding authority. Finally, user id i computes his secret key sk id i by himself.
(1) Phase 1 (generation of partial secret key): Each authority P j computes a value psk id i ,j � H(id i ) SK j and secretly transmits it to user id i .
(2) Phase 2 (verification of partial secret key): After receiving the partial secret key psk id i ,j from authority P j , the user id i verifies the equation e(psk id i ,j , g) � e(H(id i ), PK j ) holds or not. If it holds, then the partial secret key is correct. Otherwise, the user exposes the partial secret key and requests other authorities to authenticate it. e authority P j needs to retransmit the correct value to satisfies the equation. (3) Phase 3 (generation of secret key): After receiving all partial secret keys, the user id i computes his own secret key as (iv) Identification: We consider two types of identification protocols which corresponding to the passive attack and concurrent (or active) attack, respectively.
(a) Identification protocol against passive attacks: (1) e prover id i selects (r ∈ Z * p ) randomly, computes U � H(id i ) r ∈ G, and sends U to verifier. (2) e verifier chooses (c ∈ Z * p ) randomly and sends it to prover id i . (3) e prover id i computes (V � sk r+c id i ∈ G) and returns it to verifier. (4) e verifier checks (e(V, g) � e(U, y)· e (H(id i ) c , y)) holds or not. If it holds, outputs accept; otherwise, outputs reject.
(b) Identification protocol against active and concurrent attacks: (1) e prover id i blinds the secret key sk id i .
is the blinding factor. (2) e prover id i randomly selects an integer (r ∈ Z * p ), computes (X � e(H(id i ), y) r ), and sends X and sk id i to verifier. (3) e verifier chooses a random integer (c ∈ Z * p ) and sends it to prover id i . (4) e prover id i computes t � r + cz (mod p) and sends t to verifier. (5) e verifier checks (e(H(id i ), y) t � X · e(sk id i , g) c ) holds or not. If it holds, outputs accept; otherwise, outputs reject.

Correctness.
e correctness of the identification protocol against passive attacks can be verified by the following equation: e correctness of the identification protocol against concurrent attacks can be verified by the following equation:

Security Proofs
In this section, we prove the security of the proposed multiauthority IBI scheme. As said above, the proposed scheme is based on the distributed key generation technique [20] and a centralized IBI scheme. It seems that the security of the scheme directly holds based on the securities of the two schemes. It is not Security and Communication Networks true because in the security proof of IBI scheme we need to embed the challenge instance to a fixed element y which is one of the public parameters. However, the value y which is generated by the distributed key generation technique [20] is randomly in the beginning.
To resolve this problem, we use the proof framework of [23] which introduced the approach of hybrid games for this kind of schemes. e core technique of [23] is that define three games. e first game corresponds to the honest execution of the security proof. en, in the second game, we set the master key as y: � g as where a is the exponent of the CDH or OMDL instance and s is the master secret key randomly generated by all authorities, respectively. No one knows a and s. In the last game, the challenger plays the role of all authorities, and thus it knows the value s. en, we can prove that the advantage of any probabilistic polynomial time (PPT) adversary in the first game is close to the another two games. Hence, if we can prove the advantage of any PPT adversary in the last game which corresponds to the proof of centralized IBI scheme is negligible, then we can obtain the security result that the advantage of any PPT adversary of the multi-authority IBI scheme is also negligible. erefore, in this work, we only prove the security of the centralized IBI scheme. Please refer to [23] for details of the proof technique which describes the security from centralized scheme to the multi-authority setting.

Theorem 1.
e proposed multi-authority IBI scheme is secure against impersonation under passive attack in the random oracle model assuming that the CDH problem is hard.
Proof. Let A � (V, P) be a polynomial-time imp-pa impersonator that tries to break the IBI scheme. Let C be a challenger that tries to break the BLS signature scheme under chosen message attack. C takes as input k, generates public parameters (p, g, e, G, G T , H), where (H: 0, 1 { } * ⟶ G) is a hash function modeled as a random oracle. C chooses (x ∈ Z ⋆ p ), computes (y � g x ∈ G), and then gives system public parameters params � (p, g, e, G, G T , H, y) to adversary A.
If A makes a key generation query on id i . C then returns the corresponding private key sk id i as the answer. If A makes a transcript query on id j . en C chooses (c j ∈ Z * p ), (V j ∈ G) randomly and computes U j such that e(V j , g) � e(U j , y) · e(H(id j ) c j , y).
C then gives (U j , c j , V j ) to A as the transcript. Finally, A chooses a challenge identity id * . Now, A plays the role as the cheating prover and interacts with challenger C. A can still issues some key generation queries and transcript queries in this phase, with the restriction that the query on the challenge identity id * is not allowed. C runs A to get the response U. After receiving U, C selects (c ∈ Z * p ) randomly, runs A to get its response V and verifies the equation e(V, g) � e(U, y) · e(H(id * ) c , y) holds or not. If the equation holds, C runs A again with the same state but with different challenge value (c ′ ∈ Z * p ), obtains its response V ′ , and verifies the equation e(V ′ , g) � e(U, y) · e(H(id * ) c′ , y) hold or not. If the equation holds, C as a forgery. Since we have e proposed multi-authority IBI scheme is secure against impersonation under concurrent attack in random oracle model assuming that the OMDL problem is hard.
Proof. Let A � (V, P) be a polynomial-time imp-ca impersonator that tries to break the identity-based identification scheme. Let C be an OMDL challenger. We assume that V never repeats a request. C takes as input k and generates public parameters (p, g, e, G, G T ). C chooses (x ∈ Z * p ) and computes (y � g x ∈ G) and then outputs params � (p, g, e, G, G T , y) as system public parameters. C returns params to adversary A.
If A makes a key generation query on id i . C then returns the corresponding private key sk id i as the answer. Now, A makes a identification training. First, challenger C queries its challenge oracle B(·) to obtain a challenge point (W 0 � g r 0 ∈ G), where (r 0 ∈ Z * p ). C now chooses an arbitrary identity (id ∈ 0, 1 { } * ). H: 0, 1 { } * ⟶ G is hash function viewed as a random oracle. We set it as follows. C chooses a random (l ∈ Z * p ) and sets (H(id) � g l ∈ G). If (id ′ ≠ id), C chooses a random (l ′ ∈ Z * p ) and sets H(id ′ ) � g l′ ∈ G. C next computes (sk id � W lx 0 ) and sends it to adversary A. Since . Now, C simulates an interaction between V and the prover replicas as follows. A random tape R i is chosen for prover replicas i. C then initializes prover replicas i with (params, R i ). C first queries its challenge oracle B(·) to get the response W i . C computes X i � e(W lx i , g) and sends this to V. Since (W i � g r i ) for random (r i ∈ Z * p ), we have (X i � e(W lx i , g) � e(g r i lx , g) � e(g r i l , g x ) � e(g l , g x ) r i � e(H(id), y) r i ). V chooses random (c i ∈ Z * p ) and returns to C. C makes the query W i W c i 0 to its discrete log oracle DL p,g (·) and get the response t i . C sends t i to V. V verifies the equation e(H(id), y) t i � X i · e(sk id , g) c i hold or not. e correctness of the equation is as follows: e(H(id), y) t i � e g l , g x r i +c i r 0 � e g l , g x r i · +e g l , g x c i r 0 After performing the above simulations, V outputs some state information and stops interaction. Now, C attempts to extract the discrete logarithm r 0 of challenge point W 0 . en using this value, C can further compute the discrete logarithm r 1 , r 2 , . . . , r n of other challenge points (W 1 , W 2 , . . . , W n ). To do so, C runs P in state St obtaining X, selects a random (c ∈ Z * p ), and runs P to get its response t. C then verifies the equation (e(H(id), y) t � X · e(sk id , g) c ) holds or not. If the equation holds, C runs P again with the same state St but with different challenge value (c ′ ∈ Z * p ), obtains its response t ′ and verifies the equation e(H(id), y) t′ � X · e(sk id , g) c′ hold or not. If the equation holds, C computes ((t − t ′ )/(c − c ′ )(modp)). We show that ((t − t ′ )/(c − c ′ )(modp)) is the discrete logarithm of W 0 . Observing that From the above equation, we obtain (r 0 � ((t − t ′ )/(c − c ′ ))(modp)). We now can further compute (r i � t i − c i r 0 (modp)) for (i � 1, 2, . . . , n). Finally, C outputs (r 1 , r 2 , . . . , r n ).

Applications
e proposed IBI scheme provides a good solution for scenarios where there is no trusted center, such as blockchain. Hence, in this section, we consider the application of the multi-authority IBI scheme in blockchain.
Blockchain technology was introduced by Nakamoto [24] in Bitcoin. Blockchain as the underlying technology of Bitcoin is essentially a type of distributed ledger. It can avoid the single point of failure. e advantages of blockchain are decentralization, anonymity, trustworthiness, and so on. According to different application scenarios and participants, blockchain can be divided into three categories, including public blockchain, consortium blockchain, and private blockchain [25]. In public blockchain, everyone can read and send transactions and everyone could join in the consensus process. For private blockchain, the node coming from a specific organization can be allowed to enter into the consensus process. e consortium blockchain is between public blockchain and private blockchain. It is a specific blockchain with authorized nodes. e consensus process is controlled by authorized nodes. e consortium blockchain is a community composed of n member organizations, and each member runs a node. Only with the confirmation of (2/3) of the member organizations can each block take effect. At present, many researchers are trying to utilize blockchain in different fields, such as healthcare [26,27], Internet of things (IoT) [28], and so on. is will make data freedom from ideal to reality, and these data providers will become the buliders and users of blockchain. In order to achieve the security of data sharing and privacy protection and confirm that data usage is legitimate, it is necessary to reach a consensus on the identification to ensure the authenticity of the identity on the chain.
Traditional IBI schemes are centralized which have a trusted party to generate and distribute users' key. However, the main feature of blockcahin is decentralization. Traditional IBI schemes are suitable for single authority instead of multiple authorities. ere is no trusted party in blockchain. At the same time, we cannot build a trusted party in blockchain. Distrbuted identification is a way to address this problem. In distributed identification, we do not need to rely on the trusted third party for secret key generation and distribution and identity management.
Our multi-authority IBI scheme can provide a good solution for consortium blockchain. We describe the application of our IBI scheme in consortium blockchain. In the consortium blockchain, we can divide nodes into two types, authority and user. e member of consortium blockchain plays the role of the authority, and the user is assumed by other nodes that join the consortium blockchain. e identification protocol for blockchain based on multi-authority IBI scheme is as shown in Figure 1.
(1) System-setup: In the beginning, all n authorities are cooperating to initialize the consortium blockchain system. In this phase, they generate the public parameters according to the security parameters. Meanwhile, all master secret keys can be generated by themselves. Finally, public parameters are published to all users in this system, and the master secret keys are secretly kept by all authorities. (2) User-registration: When a user wants to join the system, he submits his enrollment request to at least t authorities. en, the system assign an unique recognizable identity id and corresponding partial secret key psk id,j . Eventually, user verifies the validity of the partial secret key and computes its own secret key sk id . (3) Identification: Finally, in some cases, the user needs to prove that he is a legitimate user of this system. en he can use the identification protocol of the IBI scheme.

Conclusion
In this paper, we propose an identity-based identification scheme without trusted party, which is provably secure in the random oracle model. Our scheme takes advantage of distributed key generation to generate the user's secret key.
By interacting with at least t authorities, a legal user can generate his/her secret key. us, it avoids any one authority being a single-point bottleneck on security. e security analysis results show that our identity-based identification scheme is secure against impersonation under passive and concurrent attacks. Finally, we apply the proposed scheme to the blockchain.

Data Availability
No data were used during the study.

Conflicts of Interest
e authors declare that there are no conflicts of interest regarding the publication of this paper.