SSINsAuth: Fast Batch Handover Authentication Protocol in Space-Sea Integrated Networks

Abstract

Low Earth Orbit (LEO) satellite constellations are well-suited for space-sea integrated networks (SSINs) due to their low communication latency and worldwide coverage. These constellations serve as the first line of defense in ensuring the information security of SSINs by providing access authentication services to maritime users. However, the rapid orbital movement of LEO satellites results in limited observable duration for fixed maritime users, necessitating frequent authentication handovers between nodes in the constellation to ensure continuous and secure communication. This paper addresses the challenges in the scenarios with large-scale maritime users, where the computational and communicational costs of traditional authentication protocols are significantly high. We propose a novel rapid batch handover authentication protocol leveraging pre-authentication, taking advantage of the predictability of satellite orbits. By pre-loading credentials from subsequent satellites onto the current one and proposed a batch authentication protocol based on Pedersen commitment scheme, our approach significantly reduces costs associated with frequent handovers and enhances authentication efficiency for large entities. Security analysis of the protocol shows that our protocol satisfies some basic security properties. Efficiency analysis shows that our proposed protocol reduces the average communication costs by 30% and the average computation costs by 40% compared to existing similar protocol, which greatly improves the efficiency of initial access and handover authentication for users.

A Formal Security Analysis

1.1 A.1 Security Model

In this section we provide proofs of the security of the SSINsAuth scheme under the stochastic predication model. This paper follows the security definition of [17] as shown in Definition 1.

Definition 1 (EU-CMA)

If no adversary \(\mathcal {A}\) breaks the ECDLP in probabilistic polynomial time by a non-negligible margin, then the SSINsAuth scheme is EU-CMA, and \(\mathcal {A}\) interacts with the challenger \(\mathcal {C}\) through the following game process to obtain a formal definition of the existence of unforgeability.

• Setup: \(\mathcal {C}\) executes this setup algorithm, saves the system master key \(\alpha \), and sends to \(\mathcal {A}\) the system public parameter Para and the pseudonym list.

• Queries: the adversary \(\mathcal {A}\) adaptively asks the challenger \(\mathcal {B}\) a polynomially bounded number of queries as follows.

  1. (1)

     Hash query: adversary \(\mathcal {A}\) submits a hash query; challenger \(\mathcal {B}\) then replies with the hash value of the query and saves the tuple in lists.

  2. (2)

     Extraction query: the adversary \(\mathcal {A}\) executes this extraction query algorithm on \(PID_i\). Afterwards, the challenger \(\mathcal {C}\) replies to \(\mathcal {A}\) with the corresponding key \(SK_i\) and stores the tuple in the list.

  3. (3)

     Sign query: adversary \(\mathcal {A}\) makes an extraction query for the message \(M_{i,1}^{\prime }\) under \(PID_i\); Then, challenger \(\mathcal {C}\) executes the program and returns the valid signature \(\delta _{s,1}\) to adversary \(\mathcal {A}\).

• Forging phase: \(\mathcal {A}\) interacts with \(\mathcal {C}\) until the above process has ended, and then \(\mathcal {A}\) outputs the signature \(\delta _{s,1}\). The adversary \(\mathcal {A}\) wins if, during the signature lookup phase, \(\mathcal {A}\) never looked up a signature on \(M_{i,1}^{\prime }\) = 1 and the forged signature \(\delta _{s,1}\) is valid.

1.2 A.2 Security Proof

In order to prove that the SSINsAuth scheme is EU-CMA, we need to show that \(\delta _{s,1}\) is unforgeable (as defined in Definition 1) for attacker \(\mathcal {A}\).

Theorem 1

If adversary \(\mathcal {A}\) has successfully forged a valid signature in probabilistic polynomial time (PPT) with at most \(q_e\) and \(q_s\) times of adaptive querying, this implies that the adversary has an advantage in the process. Then, challenger \(\mathcal {C}\) is also able to solve the ECDLP problem within a similar timeframe by interacting with adversary \(\mathcal {A}\) and utilizing the adversary’s capabilities. In other words, if the adversary is able to successfully forge the signature, it means that there is a vulnerability in the scheme because it means that Challenger \(\mathcal {C}\) can crack the ECDLP problem.

Proof

Assuming that adversary \(\mathcal {A}\) is an attacker that can break our SSINsAuth scheme, we now construct another challenger \(\mathcal {C}\) that can solve the ECDLP as follows:

• Setup Query: The setup algorithm takes as input the security parameter \(\lambda \), \(\mathcal {C}\) sets a randomly chosen number \(\alpha \in \mathbb {Z}_{q}^{*} \) as its private key and then computes the public key \(P_{pub} =\alpha P\). After that, \(\mathcal {C}\) sends \(\{\mathbb {G},q,P,B,Q\) \(,P_{pub},H_{i} \}\) to \(\mathcal {A}\).

• \(H_2\) Query: After \(\mathcal {A}\) submits the \(H_2\) query on \((PID_i,D_i,TS_{exp})\), \(\mathcal {C}\) checks whether this tuple already exists in the list \(L_{H_2}\). If it exists in \(L_{H_2}\), \(\mathcal {C}\) returns the corresponding \(H_{i,1}\) to \(\mathcal {A}\); otherwise, \(\mathcal {C}\) chooses a random \(H_{i,1}\in \mathbb {Z}_{q}^{*} \) and returns \(H_{i,1}\) to \(\mathcal {A}\). Finally, \((H_{i,1},PID_i,D_i,TS_{exp})\), is stored in list \(L_{H_2}\).

• \(H_3\) Query: After \(\mathcal {A}\) submits the \(H_3\) query about \((PID_i, D_i, M_{i,1},TS_{exp_i}, C_{i}^{\prime },\) \( R_i)\), \(\mathcal {C}\) checks whether this tuple already exists in the list \(L_{H_3}\). If it exists in \(L_{H_3}\), \(\mathcal {C}\) returns the corresponding \(H_{i,2}\) to \(\mathcal {A}\); otherwise, \(\mathcal {C}\) chooses a random \(H_{i,2}\in \mathbb {Z}_{q}^{*} \) and returns \(H_{i,2}\) to \(\mathcal {A}\). Finally, \((H_{i,2},PID_i, D_i, M_{i,1},TS_{exp_i}, C_{i}^{\prime }, R_i)\), is stored in list \(L_{H_3}\).

• Sign Query: For the query \((PID_i, M_{i,1},TS_{exp_i}, C_{i}^{\prime })\), \(\mathcal {C}\) first chooses the random numbers \(y_i\in \mathbb {Z}_{q}^{*} \) and \(\delta _{s,1} \in \mathbb {Z}_{q}^{*}\), and then computes \(R_i = y_iP\) and \(D_i = \delta _{s,1} P-H_{ i,1} P_{pub}-H_{i,2} R_i\). Subsequently, \(\mathcal {C}\) returns \((\delta _{s,1}, R_i, D_i)\) to \(\mathcal {A}\) on the message \((PID_i, M_{i,1},TS_{exp_i}, C_{i}^{\prime })\) Otherwise, return \(\bot \).

• Forgery Phase: After sending the above query, assume that \(\mathcal {A}\) outputs the forged signature \((\delta _{s,1}, R_i, D_i)\) on the messages \((PID_i, M_{i,1},TS_{exp_i}, C_{i}^{\prime })\). If \(\mathcal {A}\) does not perform a signature query on the inputs of \((PID_i, M_{i,1},TS_{exp_i}, C_{i}^{\prime })\), the forgery is incorrect.

Analysis: Since \(\varepsilon \) is non-negligible, \(\mathcal {C}\) can solve the ECDLP by \(Adv_C\) with non-negligible advantage. However, solving the ECDLP in polynomial time is undoubtedly difficult and the induction process can be referred to [17]. Therefore, the proposed SSINsAuth has EU-CMA.