## Mathematical Models for New Types of Cyberattack and Associated Defence Strategies

View this Special IssueResearch Article | Open Access

Fei Tang, Jiali Bao, Yonghong Huang, Dong Huang, Fuqun Wang, "Identity-Based Identification Scheme without Trusted Party against Concurrent Attacks", *Security and Communication Networks*, vol. 2020, Article ID 8820271, 9 pages, 2020. https://doi.org/10.1155/2020/8820271

# Identity-Based Identification Scheme without Trusted Party against Concurrent Attacks

**Academic Editor:**Chunming Zhang

#### Abstract

Identification schemes support that a prover who holding a secret key to prove itself to any verifier who holding the corresponding public key. In traditional identity-based identification schemes, there is a key generation center to generate all users’ secret keys. This means that the key generation center knows all users’ secret key, which brings the key escrow problem. To resolve this problem, in this work, we define the model of identity-based identification without a trusted party. Then, we propose a multi-authority identity-based identification scheme based on bilinear pairing. Furthermore, we prove the security of the proposed scheme in the random oracle model against impersonation under passive and concurrent attacks. Finally, we give an application of the proposed identity-based identification scheme to blockchain.

#### 1. Introduction

In identification schemes, the user, playing the role of a prover, can identity itself to any verifier in a protocol in which the verifier begins by holding only the corresponding public key. One of the purposes of identification is to promote access control to resources, when an access privilege is linked to a particular identity.

There are a lot of research studies on identification schemes. The fundamental work of identification scheme [1] was proposed by Fiat and Shamir, named FS scheme. The authors described an identification scheme in which any user can prove its identity to other users. They combined zero-knowledge interactive proofs with identity-based schemes. The key of FS scheme is to assume that there is a trusted center, such as computer center, government, and credit card company. This center gives smart cards to users after checking their physical identities. The FS scheme is based on the factorization problem. Feige et al. [2] proposed another identification scheme, named FFS scheme, which is also based on the factorization problem. Okamoto [3] presented a three-move interactive identification scheme and proved that the scheme has the same security as the discrete logarithm problem. Schnorr’s scheme [4] is one of the famous identification schemes. The GQ scheme which was proposed by Guillou and Quisquater [5] is based on the RSA-inversion problem. The formal proof of security for GQ and Schnorr schemes was realized by Bellare and Palacio [6]. They provided a proof for GQ scheme based on RSA-inversion assumption and a proof for Schnorr scheme based on one more discrete logarithm (OMDL) assumption. These two schemes are provably secure against impersonation under active and concurrent attacks. Girault [7] gave a modification of Schnorr’s identification scheme, in which each user can select his own secret key but the center can not get it from the public key. Kim and Kim [8] proposed a new identification scheme based on bilinear Diffie-Hellman problem, which is secure against passive and active attacks.

In traditional identification schemes, we need a certificate authority (CA) to authenticate prover’s public key in the setting of public key infrastructure (PKI). Shamir [9] introduced the notion of identity-based cryptography (IBC). The purpose of IBC is to simplify the management of certificates in PKI. Shamir pointed out that the key generation center (KGC) generates the corresponding secret key with the public identity and sends it to the user when he first joins in the system. Each user has a unique and meaningful identity as the public key and thus avoids the complicated certificate management problem. Then, Boneh and Franklin proposed an identity-based encryption (IBE) scheme [10], which is based on bilinear pairing. Since then, a large number of identity-based identification schemes have been proposed by using bilinear pairings.

The formal definition of identity-based identification (IBI) scheme was introduced by Kurosawa and Heng [11]. They constructed a transformation from any standard digital signature scheme to an IBI scheme. Then, in [12], they proposed two IBI schemes, one of which is provably secure against impersonation passive attacks, and the other is provably secure against impersonation active and concurrent attacks. The security model of IBI [11, 13] can be divided into three types, called security against impersonation under passive attacks, active attacks, and concurrent attacks, respectively. Then, Chin et al. [14] presented a provably secure IBI scheme in the standard model. The scheme of [14] is secure against impersonation under active and concurrent attacks based on one more computational Diffie-Hellman assumption. Barapatre and Rangan [15] proposed a general framework of IBI based on the identity-based key encapsulation mechanism. The scheme of [15] is secure against impersonation under active and concurrent attacks based on the -bilinear Diffie-Hellman inversion assumption.

It is well known that, the IBI schemes suffer the key escrow problem, which means that we need a trusted KGC to generate all users’ key. In order to solve this problem, in this work, we consider the IBI scheme without a trusted party. The main contributions of this work can be summarized as follows:(1)We give the formal definition of IBI scheme in the multi-authority setting. In our definition, there are authorities. The generation of users’ secret key needs at least authorities.(2)We construct an IBI scheme with multiple authorities based on the BLS signature scheme [16]. The security of the proposed scheme is provably against impersonation under passive and concurrent attacks in the random oracle model.(3)We consider the applications of the proposed multi-authority IBI scheme. We show that the scheme can be used to identification in blockchain.

The rest of this paper is organized as follows. In Section 2, we give the definitions of bilinear pairing and complexity assumptions. We also present the definition and security models of the IBI scheme in Section 2. Section 3 presents the details of IBI scheme. In Section 4, we prove the security of the proposed scheme. In Section 5, we describe the applications of the multi-authority IBI scheme in blockchain. Finally, we make a conclusion about this paper in section 6.

#### 2. Preliminaries

In this section, we describe the relevant definitions and security models.

##### 2.1. Bilinear Map and Complexity Assumptions

In the construction of our identity-based identification scheme, we use bilinear pairing as the basic tool. Therefore, we briefly introduce the concept of bilinear pairing.

Let and be two cyclic multiplicative groups, where is generated by an element , i.e., . Groups and have same prime order . We say that is an admissible bilinear pairing if it satisfies the following properties:(1)Bilinearity: for all .(2)Nondegeneracy: there exists , for , such that , where represents the identity element of the group .(3)Computability: there is an efficient algorithm to compute for all .

The security of our scheme relies on the following two difficult problems: Computational Diffie-Hellman (CDH) Problem and One More Discrete Logarithm (OMDL) Problem.

*Definition 1 (CDH). *Given for some , it is hard to compute .

*Definition 2 (OMDL) (see [17]). *The definition of the OMDL problem is defined by the following experiment .(i)Training: A polynomial-time adversary makes queries to the challenge oracle and queries to the Discrete-Logarithm (DL) oracle . Let .(ii)Output: If , where are random points in output by the challenge oracle , and , where denotes the number of queries to the DL oracle, then return 1. Otherwise, return 0.We define the advantage of adversary as . We say that OMDL problem is hard if is negligible in for any polynomial-time adversary.

##### 2.2. Definition of Multi-authority IBI

An identity-based identification (IBI) scheme is specified by four probabilistic polynomial-time algorithms, called Setup, Key-generation, Proving, and Verification, respectively. On input security parameter , returns system public parameters and the master secret key. is executed by the key generation center to generate a secret key corresponding to a given public identity. and are interactive algorithms that implement the prover and verifier. We call an identification protocol.

As far as we know, there is no IBI scheme in the setting of multiple authorities. The standard IBI schemes have a key generation center to produce all users’ secret key. Therefore, it is well known that identity-based cryptographic schemes have the key escrow problem. This work defines the notion of IBI scheme with multiple authorities. In our scheme, there has one more algorithm, Authority Setup, to generate all authorities’ master secret keys. The notion of IBI scheme with multiple authorities is consists of the following algorithms:(i)System-setup: This algorithm takes as input the security parameter and outputs the system public parameter .(ii)Authority-setup: The authority setup algorithm is interactively executed by all authorities. On input the system public parameter and identities , output their master secret keys .(iii)Key-generation: User makes queries to at least authorities, , where for key generation. Each authority takes as inputs the system public parameter , master secret key , and user’s identity and outputs user its partial key . Finally, user can compute the secret key by itself.(iv)Identification: receives as inputs , , and and receives as inputs , and ), where is the secret key corresponding to the public identity . After an interactive execution of , outputs 1 (accept) or 0 (reject).(v)Correctness: A legitimate should always be accepted, i.e., .

##### 2.3. Security Models

The accepted framework of security concepts for identification schemes was proposed by Feige et al. [2]. Then, the security definition for IBI scheme was presented in [11, 13]. This is an extension of the framework of [2]; that is, the three concepts of security for standard identification schemes are extended to IBI. Usually, we consider adversary goals, adversary capabilities or attacks. The adversary goal is impersonation that if the adversary interacts with the verifier playing the role of prover with identity and can persuade the verifier to accept with a nonnegligible probability. To achieve this goal, the adversary can carry out various attacks. We consider three kinds of attacks, namely, passive attacks [2], active attacks [2], and concurrent attacks [6]. These attacks should take place and complete before the impersonation attempt.

Passive attacks are the weakest one of the above three kinds of attacks for IBI schemes. In passive attacks, the adversary does not interact with the prover. The adversary just eavesdrops and obtains a transcript of a conversation between the prover and verifier. The definition of passive attacks of IBI schemes is defined by the following game which is executed by an adversary and a challenger .

*Definition 3 (Security against Impersonation under Passive Attacks). *Let be an impersonation adversary with passive attacks (imp-pa).(i)System-setup: The challenger runs the system setup algorithm on input a security parameter to generate system public parameters . Then, returns to .(ii)Authority-setup: The challenger runs the authority setup algorithm to generate master secret keys for all authorities .(iii)Queries: can issues some queries as follows:(1)Master secret key queries: issues a request for some authorities for their master secret key. For such a request, transmits to .(2)Key generation queries: issues some key generation queries . then returns the corresponding private key as the answer.(3)Transcript queries: can issue some transcript queries on . In passive attacks, returns the transcripts which denotes the conversations between the valid prover and other verifiers.(iv)Challenge: chooses a challenge identity . Then, plays the role of a cheating prover, trying to convince any verifier.We define that adversary succeeds in impersonating if it can make the verifier accepts. The advantage of an imp-pa adversary denoted by . We say that IBI scheme is secure against impersonation under passive attacks if is negligible in for any imp-pa adversary.

Different from passive attacks, in the active and concurrent attacks, the adversary first plays the role of the cheating verifier, interacting with the honest prover multiple times, trying to extract some useful information. Then it plays role of cheating prover, interacting with the honest verifier, trying to persuade the honest verifier to accept. It is easy to see that the security notions of active and concurrent attacks are stronger than the notion of passive attacks. Generally, we pursue stronger security notion for crytographic schemes, such as [18, 19].

Active attacks are a special case of concurrent attacks. In the active attacks, the next round of attack is carried out after one attack is completed, that is, the interaction is one by one. In the concurrent attacks, however, the adversary can interact with multiple different prover “replicas” concurrently. The replicas all have the same secret key but are initialized with independent coins and maintain their own state. Apparently, security against impersonation under concurrent attack implies security against impersonation under active attack.

*Difinition 4 (Security against Impersonation under Concurrent Attacks). *An impersonation under concurrent attacks (imp-ca) adversary is a pair of randomized polynomial-time algorithms, which denotes the cheating verifier and the cheating prover, respectively. The definition of the concurrent attacks of IBI schemes is defined by the following game which is played by a concurrent adversary and challenger .(i)System-setup: The challenger runs the system setup algorithm on input to generate system public parameters . Then, sends to different replicas of prover and adversary .(ii)Authority-setup: The challenger runs the authority setup algorithm to generate master secret keys for all authorities .(iii)Queries: can issues some queries as follows:(1)Master secret key queries: issues a request for some authorities for their master secret key. For such a request, transmits to .(2)Key generation queries: issues some key generation queries . then returns the corresponding private key as the answer.(3)Identification training: first plays the role of a cheating verifier to execute the identification protocols with the honest prover . In concurrent attacks, the adversary can issue the identification protocol at any time regardless of whether the last protocol is end or not. The difference between concurrent attack and active attack is that the active adversary only can issue a new identification protocol after the end of the last protocol. We denote the transcript of -th protocol as .(iv)Challenge: Finally, adversary plays the role of a cheating prover to execute the identification protocol with a valid verifier to try to convince that he is the valid prover.We define that adversary succeeds in impersonating if it can make the verifier accepts. The advantage of an imp-ca adversary denoted by . We say that IBI scheme is secure against impersonation under concurrent attacks if is negligible in for any imp-ca adversary.

#### 3. The Proposed Scheme

In this section, we give our multi-authority IBI scheme without a trusted party. Generally speaking, in traditional IBI schemes, there is a trusted party for the generation and distribution of user secret keys. To address the problem of no trusted party, we utilize distributed key generation (DKG) protocol to generate user secret keys. DKG was proposed by Gennaro et al. [20]. The core idea of DKG is threshold secret sharing. The concept of secret sharing was introduced by Shamir [21]. Secret sharing is used to share a secret among a group of participants, each of whom has partial information about secret. threshold secret sharing means that at least participate among participants can reconstructed the secret value.

In the DKG protocol, the participants jointly choose and generate a random secret share . Each participant chooses a random share , and then a random secret share can be recovered by at least participants. At the end of the protocol, the public key can be defined as . There is no trusted party, who owns the secret value in the secret sharing scheme. The secret value can only be reconstructed by the cooperation of at least participants.

The construction of our scheme refers to two article by Lin et al. [22] and Tang et al. [23]. Lin et al. proposed a threshold multi-authority attribute-based encryption scheme. In their scheme, they use threshold secret sharing to get the system secret key . Each authority only has the share about secret . Therefore, the system secret key is unknown to any authority. Tang et al. proposed an efficient multi-authority authentication scheme for electronic health records system based on blockchain.

##### 3.1. Construction

The construction of the scheme is outlined below:(i)System-setup: Given the security parameter as input, generates prime randomly to establish the system parameters. First of all, it chooses two multiplication cycles and with some prime order , and a bilinear map . Let be a generator of the group . Next, it chooses a cryptographic hash function . The system parameters are , where is the number of authorities in the system, and is the threshold value which denotes the number of authorities to generate secret key for users.(ii)Authority-setup: In this algorithm, all authorities take public parameters and their identities as inputs and establish their master secret keys . It consists of the following two phases:(a)Phase 1 (generation of the master secret key): Each authority generates the public key and private key, as well as the master public key of the system.(1)Each authority selects at random a polynomial of degree :(2) calculates for and then broadcasts .(3) computes secret value for , and then sends secretly to authority for .(4) verifies the equation holds or not. If it holds, the secret sharing from is valid. Otherwise, broadcasts a complaint against .(5)If authority is complained, then it needs to broadcast values that satisfy the equation. If the disclosed still does not match, has to keep proving itself to be honest until the equation is true.(6) computes its own private key and calculates its own public key . The master secret key can be recovered by any values in .(b)Phase 2 (generation of master public key): According to the above phase, each authority has broadcasted values for which can verified publicly. Therefore, the master public key can be computed as After the above two phases, each authority adds parameters and to the parameters .(iii)Key-generation: User makes key-generation request to at least authorities. Then, the authority generates the corresponding partial secret key and sends it to the user. After receiving the partial secret key, the user can verify its correctness using the public key of the corresponding authority. Finally, user computes his secret key by himself.(1)Phase 1 (generation of partial secret key): Each authority computes a value and secretly transmits it to user .(2)Phase 2 (verification of partial secret key): After receiving the partial secret key from authority , the user verifies the equation holds or not. If it holds, then the partial secret key is correct. Otherwise, the user exposes the partial secret key and requests other authorities to authenticate it. The authority needs to retransmit the correct value to satisfies the equation.(3)Phase 3 (generation of secret key): After receiving all partial secret keys, the user computes his own secret key as(iv)Identification: We consider two types of identification protocols which corresponding to the passive attack and concurrent (or active) attack, respectively.(a)Identification protocol against passive attacks:(1) The prover selects randomly, computes , and sends to verifier.(2) The verifier chooses randomly and sends it to prover .(3) The prover computes and returns it to verifier.(4) The verifier checks holds or not. If it holds, outputs accept; otherwise, outputs reject.(b)Identification protocol against active and concurrent attacks:(1) The prover blinds the secret key . Let , where is the blinding factor.(2) The prover randomly selects an integer , computes , and sends and to verifier.(3) The verifier chooses a random integer and sends it to prover .(4) The prover computes and sends to verifier.(5) The verifier checks holds or not. If it holds, outputs accept; otherwise, outputs reject.

##### 3.2. Correctness

The correctness of the identification protocol against passive attacks can be verified by the following equation:

The correctness of the identification protocol against concurrent attacks can be verified by the following equation:

#### 4. Security Proofs

In this section, we prove the security of the proposed multi-authority IBI scheme.

As said above, the proposed scheme is based on the distributed key generation technique [20] and a centralized IBI scheme. It seems that the security of the scheme directly holds based on the securities of the two schemes. It is not true because in the security proof of IBI scheme we need to embed the challenge instance to a fixed element which is one of the public parameters. However, the value which is generated by the distributed key generation technique [20] is randomly in the beginning.

To resolve this problem, we use the proof framework of [23] which introduced the approach of hybrid games for this kind of schemes. The core technique of [23] is that define three games. The first game corresponds to the honest execution of the security proof. Then, in the second game, we set the master key as where is the exponent of the CDH or OMDL instance and is the master secret key randomly generated by all authorities, respectively. No one knows and . In the last game, the challenger plays the role of all authorities, and thus it knows the value . Then, we can prove that the advantage of any probabilistic polynomial time (PPT) adversary in the first game is close to the another two games. Hence, if we can prove the advantage of any PPT adversary in the last game which corresponds to the proof of centralized IBI scheme is negligible, then we can obtain the security result that the advantage of any PPT adversary of the multi-authority IBI scheme is also negligible. Therefore, in this work, we only prove the security of the centralized IBI scheme. Please refer to [23] for details of the proof technique which describes the security from centralized scheme to the multi-authority setting.

Theorem 1. *The proposed multi-authority IBI scheme is secure against impersonation under passive attack in the random oracle model assuming that the CDH problem is hard.*

*Proof. *Let be a polynomial-time imp-pa impersonator that tries to break the IBI scheme. Let be a challenger that tries to break the BLS signature scheme under chosen message attack. takes as input , generates public parameters , where is a hash function modeled as a random oracle. chooses , computes , and then gives system public parameters to adversary .

If makes a key generation query on . then returns the corresponding private key as the answer. If makes a transcript query on . Then chooses , randomly and computes such that . then gives to as the transcript. Finally, chooses a challenge identity .

Now, plays the role as the cheating prover and interacts with challenger . can still issues some key generation queries and transcript queries in this phase, with the restriction that the query on the challenge identity is not allowed. runs to get the response . After receiving , selects randomly, runs to get its response and verifies the equation holds or not. If the equation holds, runs again with the same state but with different challenge value , obtains its response , and verifies the equation hold or not. If the equation holds, outputs as a forgery. Since we have and . Thus, is a valid signature on .

Theorem 2. *The proposed multi-authority IBI scheme is secure against impersonation under concurrent attack in random oracle model assuming that the OMDL problem is hard.*

*Proof. *Let be a polynomial-time imp-ca impersonator that tries to break the identity-based identification scheme. Let be an OMDL challenger. We assume that never repeats a request. takes as input and generates public parameters . chooses and computes and then outputs as system public parameters. returns to adversary .

If makes a key generation query on . then returns the corresponding private key as the answer.

Now, makes a identification training. First, challenger queries its challenge oracle to obtain a challenge point , where . now chooses an arbitrary identity . is hash function viewed as a random oracle. We set it as follows. chooses a random and sets . If , chooses a random and sets . next computes and sends it to adversary . Since for random , for random . Now, simulates an interaction between and the prover replicas as follows. A random tape is chosen for prover replicas . then initializes prover replicas with . first queries its challenge oracle to get the response . computes and sends this to . Since for random , we have . chooses random and returns to . makes the query to its discrete log oracle and get the response . sends to . verifies the equation hold or not. The correctness of the equation is as follows:After performing the above simulations, outputs some state information and stops interaction. Now, attempts to extract the discrete logarithm of challenge point . Then using this value, can further compute the discrete logarithm of other challenge points . To do so, runs in state obtaining , selects a random , and runs to get its response . then verifies the equation holds or not. If the equation holds, runs again with the same state but with different challenge value , obtains its response and verifies the equation hold or not. If the equation holds, computes . We show that is the discrete logarithm of . Observing thatFrom the above equation, we obtain . We now can further compute for . Finally, outputs .

#### 5. Applications

The proposed IBI scheme provides a good solution for scenarios where there is no trusted center, such as blockchain. Hence, in this section, we consider the application of the multi-authority IBI scheme in blockchain.

Blockchain technology was introduced by Nakamoto [24] in Bitcoin. Blockchain as the underlying technology of Bitcoin is essentially a type of distributed ledger. It can avoid the single point of failure. The advantages of blockchain are decentralization, anonymity, trustworthiness, and so on. According to different application scenarios and participants, blockchain can be divided into three categories, including public blockchain, consortium blockchain, and private blockchain [25]. In public blockchain, everyone can read and send transactions and everyone could join in the consensus process. For private blockchain, the node coming from a specific organization can be allowed to enter into the consensus process. The consortium blockchain is between public blockchain and private blockchain. It is a specific blockchain with authorized nodes. The consensus process is controlled by authorized nodes. The consortium blockchain is a community composed of member organizations, and each member runs a node. Only with the confirmation of of the member organizations can each block take effect. At present, many researchers are trying to utilize blockchain in different fields, such as healthcare [26, 27], Internet of things (IoT) [28], and so on. This will make data freedom from ideal to reality, and these data providers will become the buliders and users of blockchain. In order to achieve the security of data sharing and privacy protection and confirm that data usage is legitimate, it is necessary to reach a consensus on the identification to ensure the authenticity of the identity on the chain.

Traditional IBI schemes are centralized which have a trusted party to generate and distribute users’ key. However, the main feature of blockcahin is decentralization. Traditional IBI schemes are suitable for single authority instead of multiple authorities. There is no trusted party in blockchain. At the same time, we cannot build a trusted party in blockchain. Distrbuted identification is a way to address this problem. In distributed identification, we do not need to rely on the trusted third party for secret key generation and distribution and identity management.

Our multi-authority IBI scheme can provide a good solution for consortium blockchain. We describe the application of our IBI scheme in consortium blockchain. In the consortium blockchain, we can divide nodes into two types, authority and user. The member of consortium blockchain plays the role of the authority, and the user is assumed by other nodes that join the consortium blockchain. The identification protocol for blockchain based on multi-authority IBI scheme is as shown in Figure 1.

(1)System-setup: In the beginning, all authorities are cooperating to initialize the consortium blockchain system. In this phase, they generate the public parameters according to the security parameters. Meanwhile, all master secret keys can be generated by themselves. Finally, public parameters are published to all users in this system, and the master secret keys are secretly kept by all authorities.(2)User-registration: When a user wants to join the system, he submits his enrollment request to at least authorities. Then, the system assign an unique recognizable identity and corresponding partial secret key . Eventually, user verifies the validity of the partial secret key and computes its own secret key .(3)Identification: Finally, in some cases, the user needs to prove that he is a legitimate user of this system. Then he can use the identification protocol of the IBI scheme.

#### 6. Conclusion

In this paper, we propose an identity-based identification scheme without trusted party, which is provably secure in the random oracle model. Our scheme takes advantage of distributed key generation to generate the user’s secret key. By interacting with at least authorities, a legal user can generate his/her secret key. Thus, it avoids any one authority being a single-point bottleneck on security. The security analysis results show that our identity-based identification scheme is secure against impersonation under passive and concurrent attacks. Finally, we apply the proposed scheme to the blockchain.

#### Data Availability

No data were used during the study.

#### Conflicts of Interest

The authors declare that there are no conflicts of interest regarding the publication of this paper.

#### Acknowledgments

This work was supported in part by the National Key Research and Development Program (No. 2017YFB0802300), in part by the National Natural Science Foundation of China (Nos. 61702067, 61972124), in part by the Zhejiang Provincial Natural Science Foundation of China (No. LY19F020019), in part by the key project of science and technology research program of Chongqing Education Commission of China (No. KJZD-K201803701, in part by Chongqing Natural Science Foundation (No. cstc2019jcyj-msxmX0551), and in part by the science and technology research program of Chongqing Municipal Education Commission (No. KJQN201903701).

#### References

- A. Fiat and A. Shamir, “How to prove yourself: practical solutions to identification and signature problems,”
*Advances in Cryptology—CRYPTO 1986, LNCS*, vol. 263, Springer-Verlag, Berlin, Germany, 1987. View at: Google Scholar - U. Feige, A. Fiat, and A. Shamir, “Zero-knowledge proofs of identity,”
*Journal of Cryptology*, vol. 1, no. 2, pp. 77–94, 1988. View at: Publisher Site | Google Scholar - T. Okamoto, “Provably secure and practical identification schemes and corresponding signature schemes,”
*Advances in Cryptology-CRYPTO 1992, LNCS*, vol. 740, Springer, Berlin, Germany, 1993. View at: Google Scholar - C. P. Schnorr, “Efficient signature generation by smart cards,”
*Journal of Cryptology*, vol. 4, no. 3, pp. 161–174, 1991. View at: Publisher Site | Google Scholar - L. Guillou and J. Quisquater, “A practical zero-knowledge protocol fitted to security microprocessors minimizing both transmission and memory,”
*Advances in Cryptology—EUROCRYPT 1988, LNCS*, vol. 330, Springer-Verlag, Berlin, Germany, 1989. View at: Google Scholar - M. Bellare and A. Palacio, “GQ and Schnorr identification schemes: proofs of security against impersonation under active and concurrent attacks,”
*Advances in Cryptology—CRYPTO 2002 2002, LNCS*, vol. 2442, Springer-Verlag, Berlin, Germany, 2002. View at: Publisher Site | Google Scholar - M. Girault, “An identity-based identification scheme based on discrete logarithms modulo a composite number,”
*Advances in Cryptology—EUROCRYPT 1990, LNCS*, vol. 473, Springer, Berlin, Germany, 1991. View at: Google Scholar - M. Kim and K. Kim, “A new identification scheme based on the bilinear Diffie-Hellman problem,” in
*Proceedings of the 7th Australian Conference on Information Security and Privacy-ACISP 2002*, pp. 362–378, Melbourne, Australia, July 2002. View at: Google Scholar - A. Shamir, “Identity-based cryptosystems and signature schemes,”
*Advances in Cryptology-CRYPTO 1984, LNCS*, vol. 196, Springer-Verlag, Berlin, Germany, 1985. View at: Google Scholar - D. Boneh and M. Franklin, “Identity-based encryption from the weil pairing,”
*Advances in Cryptology—CRYPTO 2001, LNCS*, vol. 2139, Springer-Verlag, Berlin, Germany, 2001. View at: Google Scholar - K. Kurosawa and S. H. Heng, “From digital signature to ID-based identification/signature,”
*Public Key Cryptography—PKC 2004, LNCS*, vol. 2947, Springer-Verlag, Berlin, Germany, 2004. View at: Google Scholar - K. Kurosawa and S. H. Heng, “Identity-Based identification without random oracles,” in
*Proceedings of the Computational Science and Its Applications—ICCSA 2005, International Conference, LNCS*, vol. 3481, Springer, Singapore, 2005. View at: Google Scholar - M. Bellare, C. Namprempre, and G. Neven, “Security proofs for identity-based identification and signature schemes,”
*Advances in Cryptology—EUROCRYPT 2004*, vol. 3027, Springer-Verlag, Berlin, Germany, 2004. View at: Publisher Site | Google Scholar - J. J. Chin, S. H. Heng, and B. M. Goi, “An efficient and provable secure identity-based identification scheme in the standard model,”
*Public Key Infrastructure—EuroPKI 2008, LNCS*, vol. 5057, Springer, Berlin, Germany, 2008. View at: Google Scholar - P. Barapatre and C. P. Rangan, “Identity-based identification schemes from ID-KEMs,”
*Security, Privacy and Applied Cryptography Engineering—SPACE 2013, LNCS*, vol. 8204, Springer, Berlin, Germany, 2013. View at: Google Scholar - D. Boneh, B. Lynn, and H. Shacham, “Short signatures from the weil pairing,”
*Advances in Cryptology—ASIACRYPT 2001, LNCS*, vol. 2248, Springer, Berlin, Germany, 2001. View at: Google Scholar - J. Baek, R. Safavi-Naini, and W. Susilo, “Universal designated verifier signature proof (or how to efficiently prove knowledge of a signature),”
*Lecture Notes in Computer Science 2005, LNCS*, vol. 3788, Springer-Verlag, Berlin, Germany, 2005. View at: Publisher Site | Google Scholar - J. Chang, H. Wang, F. Wang, A. Zhang, and Y. Ji, “RKA security for identity-based signature scheme,”
*IEEE Access*, vol. 8, pp. 17833–17841, 2020. View at: Publisher Site | Google Scholar - J. Mo, Z. Hu, and Y. Lin, “Cryptanalysis and Security improvement of two authentication schemes for healthcare systems using wireless medical sensor networks,”
*Security and Communication Networks*, vol. 2020, Article ID 5047379, 11 pages, 2020. View at: Publisher Site | Google Scholar - R. Gennaro, S. Jarecki, H. Krawczyk, and T. Rabin, “Secure distributed key generation for discrete-log based cryptosystems,”
*Advances in Cryptology—EUROCRYPT 1999, LNCS*, vol. 1592, Springer, Berlin, Germany, 1999. View at: Google Scholar - A. Shamir, “How to share a secret,”
*Communications of the ACM*, vol. 22, no. 11, pp. 612-613, 1979. View at: Publisher Site | Google Scholar - H. Lin, Z. Cao, X. Liang, and J. Shao, “Secure threshold multi authority attribute based encryption without a central authority,”
*Progress in Cryptology—INDOCRYPT 2008, LNCS*, vol. 5365, Springer, Berlin, Germany, 2008. View at: Google Scholar - F. Tang, S. Ma, Y. Xiang, and C. Lin, “An efficient authentication scheme for blockchain-based electronic health records,”
*IEEE Access*, vol. 7, pp. 41678–41689, 2019. View at: Publisher Site | Google Scholar - S. Nakamoto,
*Bitcoin: A Peer-to-Peer Electronic Cash System*, BN Publishing, New York City, NY, USA, 2008. - Z. Zheng, S. Xie, H. Dai, and H. Wang, “An overview of blockchain technology: architecture, consensus, and future trends,” in
*Proceedings of the 2017 IEEE International Congress on Big Data (BigData Congress)*, pp. 557–564, Honolulu, HI, USA, June 2017. View at: Publisher Site | Google Scholar - R. Guo, H. Shi, Q. Zhao, and D. Zheng, “Secure attribute-based signature scheme with multiple authorities for blockchain in electronic health records systems,”
*IEEE Access*, vol. 6, pp. 11676–11686, 2018. View at: Publisher Site | Google Scholar - Y. Sun, R. Zhang, X. Wang, K. Gao, and L. Liu, “A decentralizing attribute-based signature for healthcare blockchain,” in
*Proceedings of the 2018 27th International Conference on Computer Communication and Networks (ICCCN)*, pp. 1–9, IEEE, Hangzhou, China, July 2018. View at: Google Scholar - H. Huang, X. Chen, Q. Wu, X. Huang, and J. Shen, “Bitcoin-based fair payments for outsourcing computations of fog devices,”
*Future Generation Computer Systems*, vol. 78, pp. 850–858, 2018. View at: Publisher Site | Google Scholar

#### Copyright

Copyright © 2020 Fei Tang et al. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.