SANS: Self-sovereign Authentication for Network Slices

5G communications proposed significant improvements over 4G in terms of efficiency and security. Among these novelties, the 5G Network Slicing seems to have a prominent role: deploy multiple virtual network slices, each providing a different service with different needs and features. Like this, a Slice Operator (SO) ruling a specific slice may want to offer a service for users meeting some requirements. It is of paramount importance to provide a robust authentication protocol, able to ensure that users meet the requirements, but providing at the same time a privacy-by-design architecture. This makes even more sense having a growing density of Internet of Things (IoT) devices exchanging private information over the network. In this paper, we improve the 5G network slicing authentication using a Self-Sovereign Identity (SSI) scheme: granting users full control over their data. We introduce an approach to allow a user to prove his right to access a specific service without leaking any information about him. Such an approach is SANS, a protocol that provides non-linkable protection for any issued information, preventing an SO or an eavesdropper from tracking users' activity and relating it with their real identities. Furthermore, our protocol is scalable and can be taken as a framework for improving related technologies in similar scenarios, like authentication in the 5G Radio Access Network (RAN) or other wireless networks and services. Such features can be achieved using cryptographic primitives called Zero-Knowledge Proofs (ZKP). Upon implementing our solution using a state-of-the-art ZKP library and performing several experiments, we provide benchmarks demonstrating that our approach is affordable in speed and memory consumption.


Abstract
5G communications proposed significant improvements over 4G in terms of efficiency and security. Among these novelties, the 5G Network Slicing seems to have a prominent role: deploy multiple virtual network slices, each providing a different service with different needs and features. Like this, a Slice Operator (SO) ruling a specific slice may want to offer a service for users meeting some requirements. It is of paramount importance to provide a robust authentication protocol, able to ensure that users meet the requirements, but providing at the same time a privacy-by-design architecture. This makes even more sense having a growing density of Internet of Things (IoT) devices exchanging private information over the network. In this paper, we improve the 5G network slicing authentication using a Self-Sovereign Identity (SSI) scheme: granting users full control over their data. We introduce an approach to allow a user to prove his right to access a specific service without leaking any information about him. Such an approach is SANS, a protocol that provides non-linkable protection for any issued information, preventing an SO or an eavesdropper from tracking users' activity and relating it with their real identities. Furthermore, our protocol is scalable and can be taken as a framework for improving related technolo-This work has been accepted to be published in the special issue Trustworthy Networking for Beyond 5G Networks 2020 of the journal Security and Communication Networks.

Introduction
5G communications enhanced the way how mobile devices are connected to cellular networks. They not solely improved the 4G Radio Access Network (RAN), but also introduced a new paradigm where devices with different specifications are routed through different physical and logical networks, called network slices. This opened new business models, for instance, creating network slices for specific services offered by third parties. Like this, a Slice Operator (SO) ruling a network slice may want to offer a service to users meeting some requirements (e.g., users enrolled in a governmental program, users who have paid for using such a service, etc.). Among the growing density of Internet of Things (IoT) devices using 5G communications, we can find exam-ples of devices sharing sensitive data over the network: medical devices exchanging private information or autonomous cars sharing their location with a network slice. Needless to say, this data should not be traced by any SO or eavesdropper. In such a scenario, traditional authentication schemes leak all this data to the SO. As such, Self-Sovereign Identity (SSI) [1] becomes an important feature to implement: systems where users can control, access, and transparently consent their identities, preventing entities from tracking and gathering their personal data. Likewise, the main idea behind SSI systems is to provide a unique mechanism for users to authenticate into different services, providing only the required information, information which shall be non-traceable.
Contributions. We introduce SANS, a novel self-sovereign authentication approach where a user demonstrates his right to access a service, without leaking any information about him. Our approach is an underlying protocol to be integrated into existing SSI systems, avoiding any user activity to be linked with any other activity done in the past or the future. Moreover, it also prevents the SO or an attacker impersonating him from tracking users' activity. Our protocol grants the user with these main features: • Anonymity: the SO has no way to relate any digital identity with a real identity.
• Proof of Requirements: the user can prove that he meets the requirements needed for using a specific service.
• Non-linkable activity: the SO has no way to relate any user activity with another activity done in the network.
To achieve the aforesaid key features, we use Zero-Knowledge Proofs (ZKPs), cryptographic primitives gaining a lot of momentum in the last years. Since the seminal paper in [2], demonstrating how ZKPs can prove knowledge of a secret without leaking any information about it, several applications have been envisioned. However, during decades, they were far from being used in real-life applications due to nonexistent efficient implementations. Nevertheless, recently, many efficient ZKPs have broken into the scene, revolutionizing not only the state-of-the-art in the area but also the market in scenarios like cryptocurrencies (e.g., Zcash [3]) or smart-contracts (e.g., Ethereum [4]). Using ZKPs, we can ensure selfsovereign authentication in 5G network slices, as a user would be able to prove his right to access a specific service, requested by an SO, without leaking any information about him.
Roadmap. In Section 2, we expose the background required to understand the context of the problem and also our solution. In Section 3, we introduce the relevant work done concerning our topic. In Section 4, we present our protocol with all details, including the security analysis, the implementation and the performed experiments. Conclusions are provided in Section 5.

Background
In this section, we first introduce the basics of 5G network slicing, and later, for the sake of completeness, we provide an overview of what ZKPs are and how they could be applied to our protocol.

5G Network Slicing
5G is the fifth generation of mobile communications [5], which achieves faster speeds than LTE networks and more reliable service. The 5G network is split into different network slices, which are independent networks dedicated and optimized for specific services. This new architecture is built employing Software-Defined Networking (SDN) and Network Functions Virtualization (NFV), along with the physical infrastructure. All these changes lead to higher performance: higher speeds, lower delays, and much less network latency. As depicted in Figure 1, different kinds of User Equipment (UE) are part of different slices, depending on their specifications or the services they are willing to use. In a nutshell, the main network slices are: • eMBB slice: The enhanced Mobile Broadband (eMBB) slice is meant for services that require high bandwidth, like Internet browsing, high definition video streaming, virtual reality, etc. • mMTC slice: The massive Machine Type Communications (mMTC) slice aims to group a high density of devices, which do not have other essential requirements like a low latency or a high bandwidth. Examples of this are IoT devices, specifically in the context of smart cities.
• uRLLC slice: The ultra-Reliable and Low-Latency Communications (uRLLC) slice aims to provide very low network latency, a crucial requirement for services like autonomous driving or remote management.
As depicted in Figure 1, users connect their UE to the small 5G cells of the 5G RAN, which forward the connections to the 5G core network, split into different software-defined networks (i.e., eMBB, mMTC, uRLLC...).
Furthermore, access to the 5G core network is allowed not solely from the new 5G RAN, but also from other networks like the 4G RAN or optical fiber connections, depending on the requirements of the service. As such, we understand 5G as a heterogeneous network (HetNet), a network interconnecting devices with different specifications and protocols, where a common and trustworthy authentication scheme would be a desirable feature.

Zero-Knowledge Proofs
A Zero-Knowledge Proof (ZKP) [2] is a cryptographic primitive which allows a prover P to convince a verifier V that a statement is true, without leaking any secret information. In particular, ZKPs must satisfy 3 properties: • Completeness: If the statement is true, P must be able to convince V .
• Soundness: If the statement is false, P must not be able to convince V that the statement is true, except with negligible probability.
• Zero-knowledge: V must not learn any information from the proof beyond the fact that the statement is true.
Moreover, V may also be interested in an additional property, the proof of knowledge, which guarantees that P knows the secret information about the statement. This secret information that the prover knows is usually called witness w. In other words, P wants to prove knowledge of a secret witness w for which a set of operations hold. Such operations are defined by a circuit, a graph composed of different wires and gates, which leads to a set of equations relating to the inputs and the outputs of these gates. Each of these equations is called a constraint.
To achieve their goal, both P and V need to interact several times. However, as iterating is not always a desirable property, another kind of ZKPs called Non-Interactive ZKP (NIZKP) [6] arose. In this case, P proves a statement to V by sending him a single message, without interaction. First NIZKP schemes were far from being implemented, due to their impractical computing requirements. Here is where one of the most popular ZKPs arose, zk-SNARKs, which are Zero-Knowledge Succinct and Non-interactive ARguments of Knowledge [7]. This kind of proof is short and succinct: it can be verified in a few milliseconds. In this scheme, a trusted setup is required, in order to get some public parameters used either by P and V as a reference to generate and verify proofs. These parameters are called the Common Reference String (CRS). If an attacker was able to get the secret random values τ used to generate the CRS, he would be able to generate false proofs. For this reason, the initial setup is commonly made through a secure Multi-Party Computation (MPC) [8], which generates the required parameters using a distributed computation protocol. Therefore, zk-SNARKs are composed of three algorithms: setup, prove and verify. The computing complexity of some of these elements depends on the number of gates n, which is the number of operations that we do for proving a specific statement.
There are also other interesting kinds of ZKPs rather than zk-SNARKs, like Bulletproofs [9]. As shown in Table 1, Bulletproofs are constructions whose proof size is larger than zk-SNARKs, where the complexity is O(log n) versus the constant proof size complexity of zk-SNARKs. Moreover, zk-SNARKs are also faster in verifying time complexity. Even when Bulletproofs have linear proving time complexity, the large number of operations required for every constraint leads to a high proving time in practice. As such, the main advantage of Bulletproofs is that they do not require a trusted setup.
Another interesting kind of ZKPs are zk-STARKs (Zero-Knowledge Succinct Transparent ARgument of Knowledge) [10], whose size is much higher than zk-SNARKs and Bulletproofs (O(log 2 n)). One of their main advantages is that like Bulletproofs, they do not require a trusted setup. Another advantage of zk-STARKs is that they are supposed to be postquantum secure, which is not the case of zk-SNARKs and Bulletproofs.
Regarding the security of the schemes described above, the soundness property of each scheme relies on different security assumptions [11]. As shown in Table 1, zk-SNARKs use a strong assumption, the q-Power Knowledge of Exponent (q-PKE) assumption, while Bulletproofs or zk-STARKs use better approaches: the Discrete Logarithm Problem (DLP) and Collision Resistant Hash Functions (CRHF), respectively.
However, one of the most important improvements regarding ZKPs is the zk-SNARK construction introduced in [12], which introduces the most efficient zk-SNARK designed so far. One of its main improvements is that the verifier has to evaluate a single equation, using only three pairings, instead of five equations and twelve pairings, as done in [7]. Such improvements led to a huge usage of this construction in different applications like Zcash.
Another critical research topic is resilience against quantum attacks. An essential contribution regarding this topic has been done in [13,14], where a new zk-SNARK constructions believed to be postquantum secure is introduced.
Regarding the scalability of the implementations, a significant contribution has been done in [15]. They propose Sonic, a zk-SNARK construction which requires a trusted setup, but with the difference that such a setup supports different circuits and is also updatable, meaning that the scheme can be continuously improved. As during the setup, a CRS is made public, by using an updatable CRS model [16] any user can update the CRS, and he can also prove that it was done correctly, employing a proof of correctness. If this proof is verified, the new CRS can be trusted as long as either the old CRS or the user who did the update was honest. Moreover, zk-SNARK constructions without the need for a trusted setup have also been designed, like the one in [17].
Having in mind the schemes described above, the ZKP construction that best fits our solution (at the

Related Work
Self-Sovereign Identity (SSI) has gained a lot of interest in the last years. The author in [18] envisioned an SSI system where users can control, consent, and widely use their identities among different services, along with other properties. These properties were redefined in [1] by the Sovrin Foundation 0 . They introduced the guidelines on how SSI systems can be implemented along with blockchain technologies, providing a distributed architecture of trust without central authorities managing users' data. In this regard, SSI authentication schemes like the one proposed in [19] make use of blockchain technologies for deploying a decentralized and private authentication system. A good review of the state-of-the-art regarding this topic is done in [20]. As they state, ZKPs allow a user to prove ownership of an identity, i.e., proving knowledge of a secret key related to a public key stored in a blockchain.
As stated previously, the core of network slicing relies on an SDN-based architecture. In this re-0 https://sovrin.org/ gard, interesting research is addressed in [21], where a novel authentication scheme preventing multiple types of SDN authentication attacks is introduced. This makes even more sense in the context of a medical cloud sharing sensitive information, a fact that has led to schemes [22] guaranteeing a secure authentication in this scenario.
A more specific use case related to our approach is introduced in [23]. They state some of the benefits of SSI for IoT devices, like the fact that the identities of the owners of different devices are stored locally in the devices, rather than on a centralized entity (i.e., the SO in our scenario). As explained by the authors, SSI provides a layered authentication system separating application authentication from channel authentication, where the former handles the trust requirements. This grants a more reliable end-to-end security, where secure communication is established among different protocols.
Among the aforesaid studies regarding SSI, to the best of our knowledge, there are no solutions applied to 5G network slices. In this regard, we propose a solution to integrate SSI into network slices in the next section.

Our solution: SANS
In this section, we first explain our approach with all the required details. Later we analyze the security of our protocol, its computing constraints, and its benchmarks.

Protocol description
We start with a high-level description of SANS, and later move to a more detailed one: a user willing to join a network slice to use its service may be required to meet some requirements, like having paid a subscription fee. As such, the user is a prover P willing to prove to a verifier V , the SO, that he has paid such an amount (the statement). Our protocol accomplishes this purpose. To do so, an important requirement of our protocol is being able to prove knowledge of contracts signed using a given secret key: P must convince V that he knows a contract and its signature, which is verified using a public key. The contract can be a secret value, and still, V must be convinced. In order to be efficient, the used signing algorithms have to be ZKP-friendly, and this means that its operations can be reduced to a low number of constraints. For instance, the Edwards-curve Digital Signature Algorithm (EdDSA) [24] is a fast signing algorithm widely used with zk-SNARKs. Moreover, signature algorithms in zk-SNARKs must be combined with efficient hashing functions as well. One of the most efficient zk-SNARK-friendly hashes to the date is Poseidon [25], which needs 8 times fewer constraints for its circuit than the widely used Pedersen hash.
Our authentication scheme is divided into two protocols, depicted altogether in Figure 2. The first one is the service registration protocol, to be performed for each issued payment. Its steps are as follows: Protocol 1 Service registration 1. P provides V some requested information req (e.g., a statement from the bank stating that a payment has been issued).
2. After verifying req, V generates a unique bytearray token identifying the user, and sends it to him along with a timestamp t exp representing the contract expiration date. Moreover, V provides a signature S = sign(token, t exp ) and its public key pk SO .
After having registered into the service, the user can use the provided parameters to authenticate into the service each time it needs to use it, and thus, create a new session into the service. Moreover, in order to avoid replay attacks [26]  proof must include the hash of the secret token concatenated to a variable public parameter c. Further details of such an approach are discussed in Section 4.2. The session authentication protocol is performed as follows: Protocol 2 Session authentication 1. P computes a proof π whose circuit inputs are: • c (public input) • token (private input) 2. V verifies the proof π and grants the service.
The generated proof π proves knowledge of the secret inputs of the circuit depicted in   shown, we prove knowledge of the hash of a secret token concatenated to its expiration date t exp . This is our contract, and we also prove that we know its secret signature (signed by V ) using the public key pk SO . This outputs 0/1 if the signature is verified or not respectively, and this value is multiplied by the output of hash(c, token). If all is correct, the circuit will output a hash, otherwise, the output will be 0.

Security Analysis
In this section, we analyze the security of our solution. We also detail how to overcome some possible attacks.
False proofs generation. The main drawback of some ZKP constructions like zk-SNARKs is the need for a trusted setup. In many scenarios, like in Zcash, an untrusty setup could lead to huge losses of money if a malicious party gets the trapdoor τ and starts to create false transactions. However, this is not a problem in our solution: a different setup can be generated by each SO. If the SO keeps and spreads the trapdoor τ , anyone knowing τ will be able to ac-cess the service by generating false proofs. As such, the protocol is secure as long as the setup is generated only by the SO and he destroys τ . Furthermore, as stated previously, the ZKP construction that best fits our solution at the moment of writing this is the Groth'16 zk-SNARK. As such, the security of SANS depends on a q-PKE assumption.
Elliptic curve attacks. The security of our solution also relies on the security of elliptic curves. One of the most used curves in ZKPs is a Barreto-Naehrig curve [27] called BN128, which security level in practice is estimated to be 110-bits [28]. This means that an attacker willing to break BN128 shall perform 2 110 operations. Other curves like BLS12-381 [3] estimate around 128-bits of security, with the drawback of heavier group operations. Breaking the security of the used elliptic curve would lead to being able to generate false proofs.
Account sharing. Every computed proof is different since it is generated using random parameters, allowing the user to generate different proofs with the same inputs. As such, the user could generate multiple proofs for other users, which would access the service with a single subscription. To overcome this issue, a simple solution is integrated into our protocol: every proof must include the hash of the secret token concatenated to a variable public parameter c. Ideally, this parameter could be a timestamp with a specific accuracy, for instance, the date in format yyyy/mm/dd plus the time in format hh:mm without seconds. Such a hash should be multiplied by the output of the verification of the signature (1 or 0, if verified or not, respectively), and if everything is correct the circuit should output a hash. Like this, an SO receiving the same hash more than once could identify that those proofs have been computed using the same token. As such, if two users are trying to use the service at the very same time, the SO can relate and reject both connections.
5G RAN authentication. One of the main concerns about our solution is to provide a fully private authentication, where the SO cannot learn the identity of the user. In this scenario, we still have another party, the Internet Service Provider (ISP), who acts as an SDN controller providing the architecture and the workflows for optimal network slicing. As such, the ISP learns the identities of the users from the moment that the UE accesses the 5G RAN. To overcome this, we envision the usage of SANS when the UE is required to authenticate for accessing the 5G RAN. In other words, the UE would be proving his right to access the 5G RAN, for instance by proving that the user has paid the last month bill to the ISP.

Efficiency Analysis
This section describes several efficiency considerations of SANS.
Computational complexity. As we saw in Section 2, the setup protocol depends only on the number of gates, so this protocol has a linear computing complexity O(n). The most consuming operation done by the prover is to compute the coefficients of a polynomial H(x), which can be computed more efficiently employing Fast Fourier Transform (FFT) techniques [29], leading to a computing complexity of O(n log n). The verifier has to do a constant computation of group exponentiations and an equation composed of three pairings.

Prover optimizations.
There are different operations performed by the zk-SNARK prover which can be parallelized in order to improve its efficiency. This means that CPU and GPU multiprocessing techniques can be applied to speed up the implementations. Even so, the usage of external computing resources as done in [30] can be taken into account. For instance, in the case of a prover being a smartwatch with low computing resources, the heaviest computations could be precomputed by the user's phone, whose computing power should be higher.
Circuit size. Our circuit contains a single EdDSA signature combined with two hashes (to the date of writing this, Poseidon seems the best option). The authors of circomlib 1 developed optimal EdDSA and Poseidon circuits, which leads our solution to a total size of 7565 constraints and affordable computing times as shown in the next subsection.

Implementation and Benchmarks
We implemented 2 our solution using snarkjs, a JavaScript and WASM framework for implementing zk-SNARK applications. The reason for choosing this option is its simplicity for implementing circuits and its portability in web environments. In this regard, we deployed our implementation in a web server, to be executed by different devices using different web browsers. Overall, the number of constraints of this implementation is 7565, and as depicted in the chart of Figure 4, our solution outperforms in highperformance CPUs (i7-8750H), either using Mozilla Firefox or Google Chrome. As such, our solution could be used in desktop applications with no problems with regards to performance. On the other hand, the proving time increases notably in low-performance processors (Intel Atom x7-Z8750), achieving timings higher than 2 seconds both in Firefox and Chrome. An interesting fact is how Chrome performs slightly better than Firefox in its desktop version, which does not apply to mobile CPUs (Snapdragon 845). Regarding Snapdragon 845, even when it is a top mobile processor, we can see as the results are not as good as i7-8750H. However, the achieved results prove that our solution is feasible in performance, especially when the portability is a priority. Moreover, the memory consumption has been in all tests between 150 and 200MB (not taking into account what is consumed by default by the browsers).
Furthermore, we also tested libsnark 3 , a welloptimized C++ zk-SNARKs library achieving excellent benchmarks, but with the drawback of not being as portable as other solutions like snarkjs. For instance, as the authors of libsnark state, the library is not well-optimized for ARM architectures (e.g. Snapdragon 845), and the BN128 curve is not supported in this architecture.
We implemented a circuit with the same amount of constraints that our solution has, and we executed the prover in multi-core mode using Groth'16 and the BN128 curve. The obtained results are shown in the chart of Figure 5. As can be seen, libsnark achieves much better results than snarkjs, so implementing SANS using this library would be even more feasible. Regarding the memory consumption, libsnark performs better as well: around 20 MB in both tested devices. Furthermore, optimized libraries for mobiles and embedded systems would lead to additional performance improvement, so future work in this regard would be an exciting research topic.

Conclusions
In this paper, we have introduced SANS, a protocol for proving the right of a user to access a specific 5G network slice, without leaking any information about him beyond the fact that he possesses such a right. Our solution is an underlying protocol to be integrated into existing SSI schemes. Moreover, it could be easily extended to other scenarios, like 5G RAN authentication, other kinds of wireless communications, or distributed applications. Even when some ZKP schemes like zk-SNARKs require costly 3 https://github.com/scipr-lab/libsnark computing operations, we have proved our solution to be affordable in terms of efficiency and memory consumption by implementing SANS using existing libraries. Furthermore, we proved the portability of our implementation by testing it on several devices. Nevertheless, future work on optimized ZKP libraries for embedded systems would be interesting, to spread the usage of this protocol.