An Efficient Anonymous Authentication Scheme for Mobile Pay-TV Systems



Introduction
With the rapid development of wireless communication technology, pay-TV systems have attracted a lot of attention as a component of mobile communication. According to Ref. [1], the number of users of pay-TV systems in England reached 3.45 million in 1994. Four years later, that number had doubled. TV service is developing from socialization to personalization, which means that users are able to watch their favourite TV programs anytime, anywhere. Pay-TV systems can meet the personalized needs of users. These changes have prompted the emergence of many communication systems for mobile TV services [2,3].
In a pay-TV system, there are two entities, a service provider and a user. When a user needs a TV service, she interacts with the head end system (HES) of the service provider. The pay-TV system generally uses a conditional access system (CAS) to handle interactions between end users and service providers. Figure 1 shows the main components of CAS, which controls the reception of TV services by encrypting transmission services to ensure that only authorized users can access certain services. The transmitter (TX) and the receiving module (RX) are subsystems responsible for signal transmission and reception, respectively. The multiplexer (MUX) is responsible for multiplexing audio and video into the MPEG-2 transport stream, while the demultiplexer (DEMUX) is responsible for separating audio and video from the MPEG-2 transport stream. The subscriber authorization system (SAS) and subscriber management system (SMS) authorize and manage users separately.
Encryption and authentication play significant roles in the CAS of mobile pay-TV systems; both processes can be seen in Figure 1. The encryptor and the decryptor are responsible for encryption. When a user needs to obtain a service, she sends subscription and authentication messages to HES. In detail, the encryption keys must be distributed to all subscribers so that they can receive and decrypt the broadcasts they are entitled to under the terms of their subscriptions. Each receiver first filters the corresponding entitlement management messages (EMM) and decrypts the service key (SK), then decrypts the entitlement control messages (ECM) using SK. After the authorized user obtains the control word (CW) from the ECM, she can descramble the content.
As for highly distributed mobile TV service delivery architectures [4], cloud computing models are unable to meet demands. The massive data generated by various access devices has made cloud network bandwidth even more limited, causing greater data bottlenecks [5]. For example, delay-sensitive business systems do not work well in cloud computing. These delay-sensitive services are often located at the edge of the data centers and can use nearby computing resources to complete calculations or reduce delays.
On the other hand, data generated by terminal TV devices usually involves personal privacy information. Uploading these data to the cloud data center not only consumes a lot of bandwidth resources but also increases the risk of user privacy leakage [6,7]. To deal with this problem, the user's identity and password are used in anonymous authentication protocols. The role of user-generated passwords is becoming more prominent in wireless mobile networks [8]. Two-factor anonymous authentication schemes have long been proposed for wireless networks [9,10]. Moreover, three-factor authentication and key agreement have also been widely used in cloud environments [11,12]. Besides, fuzzy commitment with low latency can also be employed to ensure high efficiency [13].
In recent years, mobile pay-TV systems have risen in popularity due to their extensive application. The most challenging issue is providing secure authentication [14]. There have been many studies on anonymous authentication schemes used for HES. In Ref. [15], Far and Alagheband designed a lightweight anonymous authentication protocol. We found that this protocol carries the risk of revealing the user's password. Besides, there is still room for improvement in storage. The main contributions of our paper are listed below:
(i) We show that Far and Alagheband's protocol carries the risk of revealing the user's privacy, and that there is still room for improvement in storage.
(ii) We propose a new efficient anonymous authentication scheme based on Far and Alagheband's protocol.
(iii) The proposed anonymous authentication scheme performs better in computing efficiency and storage, which makes it more suitable for resource-constrained devices in edge computing environments.
The rest of the paper is organized as follows. In Section 2, we describe related authentication schemes used in pay-TV systems. In Section 3, the preliminaries needed in the protocol design are listed. The proposed anonymous authentication scheme is described in detail in Section 4. In Section 5, we give the security proof and analyze the security features. The performance comparison is shown in Section 6. The conclusion is given in Section 7.

Related Work
In this section, we first introduce secure CASs and categorize pay-TV systems into three groups. Encryption-based pay-TV systems are the most classic category. Signature-based pay-TV systems are the most practical application. Authentication schemes for pay-TV systems are the main focus of our attention. Table 1 shows the relationships of some related works in chronological order.
2.1. Secure CASs. In 1992, ITU first proposed the standards for CASs in pay-TV systems [16]. However, this standard does not provide authentication capabilities for service providers. Since then, in order to further strengthen security, the academic community has proposed some CASs based on symmetric cryptography. In this type of CASs, users must share group keys used to encrypt and decrypt.
Zhu proposed a one-to-many CAS [17]. This system adopted the word-counting model for the first time, which improved the overall efficiency of the system to some extent. However, because the number of keys that a user needs to save was directly proportional to the number of related users, the storage and distribution of keys became very complicated, so this type of CASs was not suitable for practical applications. In general, CASs based on symmetric encryption could not avoid complicated key distribution problems. At the same time, such systems could not provide nonrepudiation.

Wireless Communications and Mobile Computing
In 2019, Pal and Alam proposed a channel-package-free centralized key distribution scheme based on the dynamicity of the groups [18]. The scheme used finite state machine (FSM) and optimal binary search tree (OBST) data structures, providing leaving and joining mechanisms for both batch users and single users. Recently, Kumar et al. [19] designed a key management protocol for access control in pay-TV systems, using number theory. The protocol is said to achieve the minimum communication complexity and storage overhead.

2.2. Encryption-Based Pay-TV Systems. In 2004, Huang et al. divided users into different groups according to their various preferences, and each group shared a key [20]. However, Wang and Laith found that Huang et al.'s protocol was vulnerable to a key leakage attack [21]. To enhance security, they proposed an improved key distribution scheme. In the same year, Sun et al. introduced a four-layer key hierarchy model, allowing more users to make flexible choices [22]. These CASs have a common feature in that one request message corresponds to one reply, so they cannot respond to multiple requests in a short time. One-to-many CASs, which can respond to many service requests at the same time, have become a new research direction.
In 2005, Yeung et al. constructed a new CAS based on the RSA algorithm. In their protocol, the media service provider and the proxy service provider needed to jointly encrypt the TV programs [23]. Several years later, Yeu and Huang presented an access control scheme based on attribute-based encryption and extended it with a revocation mechanism [24]. However, Rial showed the scheme to be vulnerable to collusion attacks [25].

2.3. Signature-Based Pay-TV Systems. As one of the cryptographic primitives, a signature provides the integrity and authentication of messages [26,27]. To solve this kind of problem, Lee et al. proposed an authentication protocol based on digital signature technology [28]. However, this protocol could not provide anonymity for service providers. To strengthen its security, Song and Korba designed an improved version of the authentication protocol using RSA blind signature technology [29]. Since then, Roh and Jung have also adopted RSA-based proxy signature technology and designed a new authentication scheme [30]. However, the communication cost of their scheme was relatively high, and it was not suitable for practical application.

2.4. Authentication Schemes for Pay-TV Systems. The authentication schemes applicable to pay-TV systems cannot be directly applied to mobile pay-TV systems. Yang and Chang designed an authentication scheme for mobile pay-TV systems using elliptic curve cryptography [31]. However, Chen et al. [32] pointed out security issues in Yang and Chang's scheme and proposed an anonymous authentication protocol to address them. They claimed that their protocol is better suited to applications with low-power devices and high security requirements. However, Kim and Lee showed that Chen et al.'s protocol is vulnerable to password guessing and impersonation attacks and gave an improved version [33]. In 2018, Far and Alagheband also enhanced the security of Chen et al.'s protocol to alleviate its security risks [15].
To improve performance, Sun and Leu designed the first one-to-many authentication scheme in 2009 [34]. The scheme also used elliptic curve cryptography and is suitable for access control in mobile pay-TV systems. However, Wang and Qin found that Sun and Leu's scheme had security risks [35]: the adversary could not only pretend to be a mobile set (MS) to deceive HES but also pretend to be HES to deceive MS. Moreover, Sun and Leu's scheme could not prevent unauthorized entities from accessing mobile TV programs. To strengthen security, Wang and Qin proposed a strengthened authentication protocol and claimed that it could resist various common attacks. Based on Wang and Qin's scheme [35], Arshad et al. designed an encryption-based authentication scheme for mobile pay-TV. This scheme did not use bilinear pairings and was easily implemented on FPGA boards [36].
In 2013, Liu and Zhang designed an identity-based encryption scheme based on bilinear pairings [37]. In addition, the batch verification technique allowed the service provider to authenticate various requests from different subscribers.
Sabzinejad et al.'s scheme was also designed using bilinear pairings in 2016 [38]. Its running time was shorter than that of previous solutions, but it was not suitable for lightweight devices. Kuo proposed an authentication scheme based on smart cards and biometrics for mobile pay-TV, which could be used on lightweight smart card devices in multiserver environments [39]. Wu et al. proposed an authentication scheme based on user signatures for mobile pay-TV, but this scheme could not guarantee user anonymity [40]. Zhu presented a deniable authentication protocol for pay-TV systems based on chaotic maps, called DAP-TV [41]. In 2020, Kumaravelu et al. [14] designed an anonymous scheme which can authenticate both users and HES with low computational cost.

Table 1: Relationships of related works in chronological order.

| Scheme | Year | Base article | Contribution |
|---|---|---|---|
| Song and Korba [29] | 2003 | Lee et al. [28] | Designed an improved version using RSA blind signature technology |
| Wang and Laith [21] | 2008 | Huang et al. [20] | Proposed an improved key distribution scheme |
| Sun and Leu [34] | 2009 | Yang and Chang [31] | Designed the first one-to-many authentication scheme |
| Wang and Qin [35] | 2012 | Sun and Leu [34] | Presented an enhanced scheme against impersonation attacks |
| Kim and Lee [33] | 2012 | Chen et al. [32] | Gave an improved version against password guessing attack and impersonation attack |
| Arshad et al. [36] | 2017 | Wang and Qin [35] | Designed an authentication scheme without bilinear pairings |
| Far and Alagheband [15] | 2018 | Chen et al. [32] | Proposed a strengthened scheme to alleviate its security risks |

System Model and Security Requirements
In this section, the operating mechanism of mobile pay-TV systems is explained at first. The security features required in anonymous authentication schemes and adversary capabilities are then briefly explained.

3.1. Anonymous Authentication Model for Mobile Pay-TV Systems. Table 2 shows the notations of entities and parameters. The mobile pay-TV system consists of two important components, the head end system (HES) and the mobile set (MS). HES not only has powerful service content processing capabilities but also contains SAS/SMS. SAS/SMS is mainly responsible for authentication and key management, payment management, and subscription information management. MS is a user equipment that can use a mobile Internet connection to HES to obtain TV services.
In general, when a user wants to purchase a mobile pay-TV service, she needs to register private information, such as an ID number and email address, with HES. When the user needs TV services, her MS sends a request message for MS authentication and a service content request to HES. If the MS passes the HES authentication, the HES broadcasts a request message for HES authentication to all nearby mobile sets. After the MS completes the authentication of the HES, the user obtains service rights and can enjoy the mobile pay-TV service. When the user wants to switch to another TV service, the MS and HES need to conduct mutual authentication again.
More specifically, there are four steps in the process of mobile TV and HES authentication and subscription services. In the initialization phase, DBS is responsible for generating the system parameters and the secret parameters required by MS. All HESs can obtain the parameters stored in DBS, which are generated in the initialization phase. In the issue phase, MS sends a log-in request to one HES to obtain a service and then authenticates with this HES. As a result, the HES issues a token for MS, which is used in the subscription phase to subscribe to a service. When the mobile TV moves to another area covered by another HES, all the MS needs to do is authenticate with the new HES; it does not need to reregister or send a log-in request. These four steps are shown in Figure 2.

3.2. Security Requirements. The anonymous authentication protocols used in mobile pay-TV systems need to provide mutual authentication, forward security, and privacy protection for each entity. In addition, user anonymity and user untraceability are emphasized more strongly in mobile pay-TV systems.
3.2.1. Mutual Authentication. HES and MS need to perform mutual authentication, to conduct subsequent key management, payment management, and subscription management. For resource-constrained devices, the efficiency of authentication should be taken into consideration.

3.2.2. Forward Security. One of the characteristics of mobile users is frequent log-in and log-out. Therefore, when a mobile user leaves a communication network, others cannot infer any user information from the encrypted messages left by the user. Forward security means that the authenticated keys generated in each session are independent of each other.

3.2.3. User Anonymity. User anonymity is the most basic requirement in an anonymous authentication protocol: it hides the user's identity and communication relationships during the communication process by some means. This usually means that the user's identity cannot be obtained by anyone, whether an internal or an external attacker. In other words, the identity of the user cannot be transmitted publicly in plaintext. Malicious attackers or other users cannot determine which servers a user has logged in to or how many times a user has logged in to a server. Untraceability ensures that even if the user reveals his identity at a certain stage, it will not help the adversary identify the user at other stages. An effective way to achieve untraceability is to randomize the information transmitted in each step of the authentication phase.

3.2.4. Privacy Protection. Privacy protection means that the information of both MS and HES should be unavailable to others. In mobile pay-TV systems, the user logs in anonymously and does not want anyone to know her identity information. This requires that the identity information cannot be stored or transmitted in plaintext.

3.2.5. Adversary Capabilities. As defined in other anonymous authentication protocols for mobile pay-TV systems, adversaries have the ability to perform all passive attacks, such as eavesdropping on messages in the public channel. Moreover, the adversary is allowed to obtain all parameters stored in DBS.
In order to show that our scheme has more advantages in security, we also give adversaries the ability to obtain stored sets. That means the information stored in the smart cards of MS and HES is no longer assumed to be secure.
The capabilities of adversaries are described briefly below:

The Proposed Scheme
In this section, we explain an improved version of Far and Alagheband's scheme. Our improved scheme also has the four phases depicted in Section 3: the initialization phase, issue phase, subscription phase, and hand-off phase. The initialization phase is performed on a secure channel, while the other three phases can be performed on a public channel. These four phases are described in turn below. The notations used in this section are shown in Table 2.

4.1. Initialization Phase. In the initialization phase, the MS registers with SAS/SMS through the DBS, which stores data in HES. This phase must be performed on a secure channel. The details are as follows.
MS: chooses a random number b and generates its password PW, then computes PWB = h(PW‖b). After that, it sends ID and PW to the DBS of HESn.
DBS: after receiving ID and PW from the MS, the DBS computes Q = h(ID‖x) ⊕ PWB, R = h(PWB‖ID) ⊕ h(ID‖x), and t = h(PWB‖h(ID‖x)). Here, x is the secret key of the DBS, which is generated by HESn. Finally, the DBS stores R and t, then sends Q and R to MS.
MS: after receiving Q and R from the DBS, MS stores Q and R.
The initialization phase is shown in Figure 3.

4.2. Issue Phase. Before a mobile TV obtains a service, the MS needs to send a service start request, that is, a log-in request, to HESn. After sending the log-in request, MS and HESn authenticate each other in the issue phase. As a result, HESn issues a token for MS, which is used in the subscription phase. The detailed authentication process is described in
HESn: receives the message at T2. It first checks T2 − T1 ≤ ΔT, then verifies W = h(t ⊕ T1) and C = h(R‖W ⊕ h(W‖T1)‖T1). Next, it chooses a token Θ and computes D = h(R ⊕ W‖W ⊕ h(W‖T1)‖T2) and E = Θ ⊕ h(R‖T2‖R ⊕ W ⊕ T1), and finally sends m2 = {D, E, T2} to MS at T3.

4.3. Subscription Phase. Once the MS has obtained the token from HESn, it can use it to subscribe to the service. Except for the token Θ from the issue phase to participate in the

Security Analysis
Security analysis is composed of two subsections. First, we prove our improved scheme to be secure using the formal method in Section 5.1. Then, the main security features in our scheme are shown in Section 5.2.

5.1. Formal Security Analysis. In this subsection, we show that our improved scheme can resist eavesdropping attack, stored set attack, and internal attack. The approaches proposed in the literature [15,42,43] are employed in this part. The adversary capabilities are given in Section 3.
First, we give the definition of the adversary successfully breaking the scheme [42]. We begin with the notation:

Succ^function = Pr[EXP^function],

the probability that the adversary A succeeds in the experiment EXP against the primitive denoted by function (the hash function in the proofs below).

Theorem 2. The adversary A eavesdrops on messages in the public channel. A can break the scheme with probability Pr[EXP^hash] ≤ ε, where ε is negligible.
Proof of Theorem 2. A can eavesdrop m1 = {W, C, T1} in the public channel. We describe the subsequent actions of A in Algorithm 1, which consists of set up, challenge, and guess. It is obvious that A must correctly guess the values of ID, x, PW, and b to pass the algorithm. The probability of correctly guessing these four values is less than (1/2)^length.

Algorithm 1 (actions of A after eavesdropping m1):
Set up: Input {W, C, T1} eavesdropped from the public channel. If success, output 1. Otherwise, output 0.
Challenge:
(i) Receive {W, C, T1} from the public channel
(ii) Search R and t, where t = h(PWB‖h(ID‖x))
(iii) Choose PW*, ID*, b*, x* at random
(iv) Compute R* = h(h(PW*‖b*)‖ID*) ⊕ h(ID*‖x*) and t* = h(h(PW*‖b*)‖h(ID*‖x*))
Guess: If R* = R or t* = t, accept the values of ID*, b*. Return 1. Otherwise, return 0.

Figure 6: Hand-off phase. The hand-off phase can be performed on a public channel.

Theorem 3. The adversary A can obtain the stored set of MS. A can break the scheme with probability Pr[EXP^hash] ≤ ε, where ε is negligible.
Proof of Theorem 3. A can obtain the stored set of MS. We describe the subsequent actions of A in Algorithm 2 and Algorithm 3, which represent the situations in which A obtains {R, b} and {Q, b}, respectively.
The key to successfully passing Algorithm 2 is to correctly guess the values of PW*, ID*, x*. The probability of correctly guessing these values is less than (1/2)^length:

Succ^ID = Pr[EXP^(hash-ID)].

Thus, A can break the scheme with probability Pr[EXP^hash] ≤ (1/2)^((PW‖ID‖x)-length) ≤ ε, where ε is negligible.
The key to successfully passing Algorithm 3 is likewise to correctly guess the values of PW*, ID*, x*. The probability of correctly guessing these values is less than (1/2)^length. Thus, A can break the scheme with probability Pr[EXP^hash] ≤ (1/2)^((PW‖ID‖x)-length) ≤ ε, where ε is negligible.
Proof of Theorem 4. A can be a malicious server, acting as an internal attacker. Even so, A has no way of knowing the identity of the user. We describe the subsequent behavior of A in Algorithm 4.
Since the hash functions we use are one-way, if A wants to learn the values of ID and b to pass the algorithm, it can only guess. The probability of correctly guessing these two values is less than (1/2)^length. Therefore, A can break the scheme with probability Pr[EXP^hash] ≤ (1/2)^((ID‖b)-length) ≤ ε, where ε is negligible.
In summary, our improved scheme can resist eavesdropping attack, stored set attack, and internal attack.

5.2. Security Features. In this subsection, we first explain the main changes in our improved scheme compared with Far and Alagheband's scheme.
(i) Bind x to R and Q. In the initialization phase of Far and Alagheband's protocol, R and Q are stored directly in DBS. The user's identity is hidden in R and Q so that the user does not need to reveal its identity when logging in and out. However, there are security risks in storing R, Q, and Q ⊕ PWB in the DBS: as soon as the adversary compromises the DBS, she can obtain PWB by exclusive OR. This not only leaks the user's identity but also puts user untraceability at risk. In our new scheme, we add the server's secret key x and make slight changes when calculating R and Q. Thus, the adversary can no longer recover the user's private information from the data in DBS.
(ii) Remove the random number n in the issue phase and subscription phase. Random numbers are introduced to ensure that the authentication keys generated in each session are independent of each other, in order to meet the forward security requirement of the anonymous authentication protocol. In Far and Alagheband's protocol, the random number n is used. Actually, each time a session generates an authentication key, a time stamp is required anyway. Here, the time stamps T_i (i = 1, ⋯, 6) not only provide mutual authentication but also introduce freshness. Therefore, our scheme can still guarantee forward security without using random numbers.
As a result of the changes, the security of the new scheme has been improved in terms of user untraceability and privacy protection. Table 3 shows the comparison of our improved scheme and Far and Alagheband's scheme.

5.2.1. Mutual Authentication. In each session, HES and MS must first perform mutual authentication, using the preassigned R, Q, and t. We bind the server's secret key x and the user's identity ID when calculating R, Q, and t, to ensure their confidentiality. The one-way hash function also provides an efficient method for mutual authentication.

5.2.2. Forward Security. Forward security means that the authenticated keys generated in each session are independent of each other. In our new scheme, the time stamps T_i (i = 1, ⋯, 6) introduce freshness into each session. Different T_i (i = 1, ⋯, 6) participating in the computation generate different authentication keys.

5.2.3. User Anonymity. User anonymity means that the user's identity ID cannot be obtained by internal or external attackers. In our new scheme, the identity ID of the user is not transmitted publicly in plaintext; it only appears inside a hash function. Moreover, the server cannot recover the user's identity ID from the R and t stored in DBS.

5.2.4. User Untraceability. In our scheme, all HESs can obtain R and t stored in DBS when they need them. Thus, the adversary can no longer determine whether the user has logged in by comparing the stored sets of different HESs. Moreover, the messages m1, m2 transmitted in the public channel differ from session to session.
5.2.5. Privacy Protection. In our new scheme, we add the server's secret key x and make slight changes when calculating R and Q. Thus, the adversary can no longer recover the user's private information from the data in DBS. The proposed scheme therefore provides user privacy protection.

Performance Comparison
Various anonymous authentication schemes have been presented in recent years. In this section, we choose a few schemes that use only hash functions and compare them with our scheme in terms of execution efficiency.
We take the execution time of one hash operation to be 0.13 μs, following Ref. [36]. The number of hash operations in each scheme is shown in Table 4. Since the subscription phase and hand-off phase are similar to the issue phase, we only compare hash operations in the initialization phase and issue phase.
Table 4 (columns): Scheme in [32] | Scheme in [33] | Scheme in [15] | Our scheme.
From Table 4, our scheme performs better in terms of execution time. Moreover, the number of parameters transmitted on the public channel is minimal, which means our scheme also performs better in terms of storage. To show the comparison of execution efficiency more clearly, we plot the execution time in μs and the number of parameters in Figure 7. It is obvious that our scheme has the shortest execution time under the same conditions.

Conclusion
The security of pay-TV systems is facing the challenge of explosive growth in users and service content. To prevent unauthorized access in mobile pay-TV systems, anonymous authentication technologies are commonly used for secure media delivery and channel protection. In this paper, we review Far and Alagheband's protocol and find that it carries the risk of revealing the user's privacy. Besides, there is still room for improvement in storage. We alleviate the security risks of Far and Alagheband's protocol. Our improved scheme can resist stored set attack and user traceability attack. The performance comparison shows that our scheme performs better in terms of execution time and storage, which makes it suitable for resource-constrained devices in edge computing environments.

Data Availability
No data were used to support this study.

Conflicts of Interest
The authors declare that there is no conflict of interest regarding the publication of this paper.