A Trust Value Sharing Scheme in Heterogeneous Identity Federation Topologies

: Recent developments in heterogeneous identity federation systems have heightened the need for the related trust management system. The trust management system evaluates, manages, and shares users’ trust values. The service provider (SP) members of the federation system rely on users’ trust values to determine which type and quality of service will be provided to the users. While identity federation systems have the potential to help federated users save time and energy and improve service experience, the benefits also come with significant privacy risks. So far, there has been little discussion about the privacy protection of users in heterogeneous identity federation systems. In this paper, we propose a trust value sharing scheme based on a proxy ring signature for the trust management system in heterogeneous identity federation topologies. The ring signature schemes can ensure the validity of the data and hide the original signer, thereby protecting privacy. Moreover, no group manager participating in the ring signature, which naturally matches with our decentralized heterogeneous identity federation topologies. The proxy signature can reduce the workload of the private key owner. The proposed scheme shortens the calculation time for verifying the signature and then reduces the overall time consumption in the process of trust sharing. Our studies prove that the proposed scheme is privacy-preserving, efficient, and effective.


Introduction
Since traditional identity authentication systems only can manage identities for a single service provider (SP), a user may own many identities and access services that are offered by the corresponding SPs. To obtain numerous services, users have to register, remember, and manage various identities of different systems, which are repetitive and complicated tasks. Therefore, identity federation systems came into being to prevent users from getting into such kind of troubles. The users who want to obtain services from federated SPs only need to be authorized by the identity provider once [Lutz and Stiller (2013)]. The researches of identity federation systems have received a lot of attention in many areas [Perez-Mendez, Pereniguez-Garcia, Marin-Lopez et al. (2014)]. Many successful research projects have been carried out, such as deploying authorization mechanisms for federated services (DAMe), secure widespread identities for federated telecommunications (SWIFT), and secure management of information across multiple stakeholders (SEMIRAMIS). Some studies investigated the trust management of heterogeneous identity federation systems in recent years. Yang et al. [Yang, Li, Li et al. (2019)] have proposed a unified identity information identification model for heterogeneous identity federation systems based on blockchain. Their study investigated cross-domain access. In order to obtain the users' trust values, in the first step, each SP member of the federation system needs to calculate the users' trust values individually, and then the smart contract or the third-party audit on the federation chain will collect the trust values from every SP and calculate the final comprehensive trust values. In this architecture, a trust model and a risk assessment method for cross-domain authentication based on the cloud model were proposed by Dong et al. [Dong, Chen and Li (2019)]. Their research focuses on trust evaluation and delivery. Their study assesses users' trust values according to the related certification. Users' dynamic behavior is not taken into consideration when conducting the trust evaluation. Most studies about the trust system of the heterogeneous identity federation system mainly focus on the trust evaluation, only a few studies about the process of sharing the trust value have been carried out. Privacy-preserving is one of the primary concerns in the identity federated system [Sanchez, Almenares, Arias et al. (2012)]. These researches have not been able to establish a trust data sharing scheme that can protect users' behavior privacy in the heterogeneous identity federation systems. It is now well known that the cryptography mechanism is effective at ensuring the validity and protecting privacy [Xiong and Shi (2018)]. In the trust management system of the heterogeneous identity federation architecture, each SP member needs to sign the newly added block during conducting trust value updates. The signature can ensure the validity of the updated trust value since only the members of the identity federation have the private key to make a valid signature. Also, the anonymous ring signature helps to hide the original signer, who modifies the user's trust value according to users' behavior, thereby protecting the behavior privacy of the user. Furthermore, our proposed scheme, based on the proxy ring signature, can decentralize the authority of signing new blocks of the trust chain to the staff of SP, which will increase the effectiveness of the trust management process.

Overview of ring signatures
In this paper, we propose a trust value sharing scheme for protecting the validity and privacy of trust values in the heterogeneous identity federation topologies. The identitybased proxy ring signature is utilized to achieve the aim of this study. The original ring signature schemes leak secret and keep anonymous. The ring signature was formalized by Rivest et al. [Rivest, Shamir and Tauman (2001)] to a simplified group signature. Unconditional anonymity of the ring signature provides natural privacy protection for the actual signers. The original ring signature does not consider that the management of public key certificate verification is complicated and time-consuming. To improve the efficiency, Zhang et al. [Zhang and Kim (2002)] introduced the concept of identity-based to the ring signature. This scheme is proven to be secure in the random oracle model. The concept of proxy was introduced to the ring signatures much later than the identity-based one. Proxy signatures allow Alice to delegate her signing authority to Bob, and Bob can sign a message on behalf of Alice, lead to improved overall efficiency. Most of the ring signatures proposed after 2007 are pairing-based cryptosystems [Awasthi and Lal (2007); Wu and Li (2009) ;Ajmath, Reddy, Rao et al. (2012); Sarde and Banerjee (2017); Gu, Jia and Zhang (2017); Boyen and Haines (2018)]. These schemes rely on less analyzed computational assumptions in their security analyses compared with those based on traditional assumptions [Asaar, Salmasizadeh and Susilo (2015a)]. In 2015, Asaar et al. [Asaar, Salmasizadeh and Susilo (2015a)] proposed the first provably secure identity-based proxy ring signature (PSIPRS) based on RSA. In the same year, a shorter solution, a short identity-based proxy ring signature (SIPRS) scheme from RSA, was available [Asaar, Salmasizadeh and Susilo (2015b)]. Also, the ring signature has been used to protect the privacy of the blockchain, by protecting the information of the transaction initiator [Li, Mei, Gong et al. (2020)]. However, both schemes need the identity information of the proxy signer in the process of signing. The identity of the proxy signer is displayed in the signature. In the scenario of the identity federation system, the leakage of the identity of the proxy signer could put users' privacy at risk. In addition, the timestamp is not considered in these schemes. Moreover, the time required for signature verification in both schemes is relatively long. When the signature needs to be verified by every member of the federation, the overall time consumption is relatively high.

Trust management system of the heterogeneous identity federation system
In order to provide users with a variety of services, the heterogeneous identity federation system brings different SPs together. Based on the users' trust value, SP decides which kind of content and quality of services can be provided. SPs usually use independent trust management system. However, in the identity federation system, each SP needs to conduct the same trust management process on users, such as trust evaluation, storage, and sharing. The structure of the trust management system for the heterogeneous identity federation is illustrated in Fig. 1. The heterogeneous identity federation system is mainly composed of three parts: users, SP members, and the trust chain. SP members provide services to the federated users, and they are linked by the trust chain which is a blockchain-based technology. Only SP members can add new blocks to the trust chain. Each of them has the permission and ability to verify whether any block is true. When users need to obtain services, SP members can access the federation trust management system to determine whether to provide services to them. Fig. 2 shows an example of a process in which a user requests service from an SP member of a heterogeneous federation system. First, the user should submit the service request to the SP member. The SP member formulates the received request to a transaction. Then, the SP member broadcasts this transaction to the federation of members, those members later act as the distributed policy decision point (PDP), and they accept or reject the transaction. The PDP evaluates the request and then executes a smart contract which is already deployed in the trust chain. The execution of the smart contract leads to decide whether the request should be permitted or denied. Finally, SP members will allow or deny the request based on the executed result. When updating the trust value of a user, a new block is created and added at the end of the trust chain by the corresponding SP member. An example of the trust chain is shown in Fig. 3.

Figure 3: The blocks of the trust chain
The trust chain is made up of concatenation of blocks. The n-th block is composed of four parts. 1. Identity of the user: It indicates the user whose trust value will be modified.

T:
It is the timestamp when the block is added. 3. Signed trust value: The SP member calculates the trust value and makes a signature for proving the validity. 4. Hash value: It is a classic part of the blockchain, which ensures the block unforgeable. Our scheme focusses on the third part of the block. Our scheme can ensure that the user's trust value will only be adjusted by the SP member of this federation, and avoid malicious modification. Only SPs of the federation, which have the specific key, can add a new block to the trust chain, and verify that the signer is indeed the member in the federation. In our proposed method, identity-based ring signatures are used instead of ordinary signatures, which can provide users with anonymity, so that the sources of changes in trust values will not be exposed. Finally, due to the use of a blockchain-like structure and smart contract, the trust management system achieves a decentralized structure, which further improves the security of trust value management. Based on the proxy ring signature method, the proxy staff of SP members can generate the signature for the modified trust values, which will increase the efficiency of trust management.

Strong RSA assumption
Let N be a k-bit RSA modulus, namely N pq = , where p and q are strong primes.
Given an element n x Z ∈ , it happens with probability ( ) neg k for a computationally bounded adversary A to find 1 y > and such that mod y a x N = .

Forking lemma for ring signature schemes
Herranz et al. [Herranz and Sáez (2003)] introduce the forking lemmas to the ring signature. The processes of the forking lemmas are as follows.
Let k be the security parameter, H be a hash function that outputs k-bit long elements.

Our scheme
Our signature scheme implements an identity-based proxy ring signature from RSA. Staffs of SPs act as proxies to sign the block (including the changed trust value). The signature can be validated by other SPs. Tab. 1 describes the symbolic parameters used in the scheme process. , and add the block into the trust chain of their service, and update the trust value of the corresponding user. Otherwise, reject the signature.

Analysis of the scheme
In this section, we will prove the security of our scheme. The first is correctness, which indicates our scheme can produce a valid signature. Then anonymity, which indicates the signature cannot reveal the identity of the actual signer. The actual signer must be one of the SP members, but the probability of each member to be the actual signer is equal. The last is unforgeability, which indicates only SP members or someone who has the delegation of SP members can produce a valid signature.

Correctness
Every SP member of the identity federation has received the new block with the signature after the block has been correctly generated.
First, they can compute Then, they have Finally, the correctness of the proposed scheme is proved.

Anonymity
We can see that only SP members of the federation can produce a valid signature. The actual signer must be one of those SP members. Due to the scheme is completely symmetrical, the probability of each member being the actual signer is equal. Even if all private keys of SP members were leaked, no one could able to find the actual signer. Therefore, the scheme can realize unconditional anonymity for the SP members.

Unforgeability
We assume that P is an SP member or a staff of SP members. If someone wants to forge a signature of P, the most direct method is to get the private key of P from the data owner. However, that is impracticable.
In the case of the verified message of P ( , the message is clearly identifiable and configurable, but it is difficult to obtain the e-th root of the constructed value.
In addition, we assume F is a non-deterministic polynomial-time Turing machine, who gives public data as input. Modeling the hash function as a random oracle, and F can make Q queries to the random oracle.
Thus, he successfully solves the RSA problem. Therefore, the proposed ring signature scheme is unforgeable.  [Asaar, Salmasizadeh and Susilo (2015a)]. BID S refers to the size of the BID in our scheme. In general, BID S is much smaller than 1 l .

Comparison
Regarding the total time cost of producing a ring signature, if the number of members in the ring is less than 6, our solution will consume the least time. But if there are more than 6 ring members, SIPRS only needs almost half the computational complexity of PSIPRS or our scheme. In our scheme, the main time-consuming part of the signature work is conducted by the staff. Only one step, Delegation Generation, requires the participation of the SP members. At this step, our scheme is the least time-consuming one among the three schemes. In addition, in terms of signature verification, our scheme has the lowest time complexity. This is very important for reducing overall time consumption of the trust management system, since each SP member of the federation needs to verify the signature, which means that this step will be replayed ( ) 1 n − times.
In terms of the size of the signature of three schemes, there is no significant difference among the three schemes.

Conclusion
In this work, we propose a trust value sharing scheme based on a proxy ring signature. The aim is to provide an efficient trust value sharing method for better privacy-preserving in heterogeneous identity federation topologies. The unconditional anonymity, which is provided by the identity-based ring signature algorithm, prevents the source signer from being exposed, thereby protecting users' privacy. We also prove that our scheme is verifiable, signer anonymous, unforgeable, and effective.

Conflicts of Interest:
The authors declare that they have no conflicts of interest to report regarding the present study.