Research Article A Reputation-Based Identity Management Model for Cloud Computing

Transcription

1 Mathematical Poblems in Engineeing Volume 2015, Aticle ID , 15 pages Reseach Aticle A Reputation-Based Identity Management Model fo Cloud Computing Lifa Wu, 1 Shengli Zhou, 1,2 Zhenji Zhou, 1 Zheng Hong, 1 and Kangyu Huang 1 1 College of Command Infomation System, PLAUST, Nanjing , China 2 Infomation Depatment, Zhejiang Police College, Hangzhou , China Coespondence should be addessed to Shengli Zhou; @qq.com Received 21 Mach 2015; Revised 27 May 2015; Accepted 30 May 2015 Academic Edito: Bao Rong Chang Copyight 2015 Lifa Wu et al. This is an open access aticle distibuted unde the Ceative Commons Attibution License, which pemits unesticted use, distibution, and epoduction in any medium, povided the oiginal wok is popely cited. In the field of cloud computing, most eseach on identity management has concentated on potecting use data. Howeve, uses typically leave a tail when they access cloud sevices, and the esulting use taceability can potentially lead to the leakage of sensitive use infomation. Meanwhile, malicious uses can do ham to cloud povides though the use of pseudonyms. To solve these poblems, we intoduce a eputation mechanism and design a eputation-based identity management model fo cloud computing. In the model, pseudonyms ae geneated based on a eputation signatue so as to guaantee the untaceability of pseudonyms, and a mechanism that calculates use eputation is poposed, which helps cloud sevice povides to identify malicious uses. Analysis veifies that the model can ensue that uses access cloud sevices anonymously and that cloud povides assess the cedibility of uses effectively without violating use pivacy. 1. Intoduction Cloud computing is a computing model fo enabling ubiquitous, convenient, on-demand netwok access to a shaed pool of configuable computing esouces (e.g., netwoks, seves, stoage, applications, and othe sevices) that can be apidly povisioned and eleased with minimal management effot o cloud sevice povide () inteaction [1]. Lage numbes of uses may simultaneously engage in cloud computing sevices, making the multitenant featue an impotant popety of cloud computing accoding to the Cloud Secuity Alliance (CSA) [2]. Howeve, the multitenant popety bings the following new poblems: (i) Pivacy leaks because of extenal use data: in an open envionment, uses must be authenticated to access cloud sevices. If uses employ thei actual names (o fixed usenames) to log in, sensitive infomation such as login names o even long-tem behavio may be evealed by data mining o othe techniques and used illegally by the. (ii) Management poblems caused by an excessive numbeoftenants:topesevepivacy,usesmustemploy diffeent pseudonyms to access each cloud computing session. In this case, it is difficult fo uses to ecall a lagenumbeofpseudonymsandpasswods.meanwhilesingle-usepseudonymsmakenocontibution to the development of a use s eputation. (iii) Secuity theats to the caused by multiple tenants: by accessing cloud sevices, malicious uses maytaketheoppotunitytoattackthethough activities such as stealing data, pefoming vulneability scanning, and launching denial of sevice (DoS) attacks. In paticula, if allowed to log in by a pseudonym, malicious uses can launch whitewash attacks, whee the malicious use can continue to visit the nomally afte an attack o initiate anothe attack by ceating a new pseudonym. Consideing the above poblems, taditional identity management mechanisms that stoe use identities in a database diectly ae no longe applicable [3]. In this pape, we design a new identity management model based on use eputation, which is heein denoted as eputation-based identity management (RIM). The main contibutions of RIM ae listed as follows:

2 2 Mathematical Poblems in Engineeing (i) Anonymous use access: in RIM, we design a method in which each use takes a diffeent pseudonym fo each session when accessing cloud sevices. No link between a use identity and a coesponding pseudonym is povided, and no link is povided between the pseudonyms of a single use. Pseudonym usage does not affect use attestation, and it deceases the input of pivate use infomation, endeing it impossible fo tenants to spy on each othe. (ii) Use attestation: in ou model, uses fistly egiste with an identity povide (IdP), which povides the use with a fomal identity cetificate. The identity cetificate is the basis fo the use to pove thei legitimate status to the. (iii) Reputation attestation: RIM ecods and detemines use eputations as use activities accumulate with access to successive cloud computing sessions and povides poof of the eputation. The poof assues the cedibility of the eputation, ensuing that the eputation indeed belongs to its owne. The poof also guaantees nonepudiation; that is, a use cannot deny the eputation assigned to them. As such, the poof ensues unfogeability. Uses cannot pomote thei eputation without the authoization of the IdP. The intoduction of a eputation does not affect the anonymity of uses. The emainde of this pape is oganized as follows. Section 2 descibes elated wok. Section 3 intoduces the backgound and technology of cloud computing along with identity management. Section 4 intoduces the poposed RIM and descibes its design and ealization. Section 5 analyzes the coectness and secuity of ou model. Finally, the last section concludes the pape and poposes futue wok. 2. Related Wok The focus of identity management fo cloud computing is use pivacy. In [4], the authos poposed an appoach to peseve the pivacy of uses based on zeo-knowledge poof potocols and semantic matching techniques. The appoach also enhanced the inteopeability acoss multiple domains. Although the study ealized the goal of concealing use identities, the could still obtain sensitive infomation though data mining techniques because use identities wee consistent thoughout the entie pocess. In [5], the authos poposed an entity-centic appoach fo identity managementincloudcomputing.theappoachwasbasedon pesonally identifiable infomation (PII) and on anonymous identification to mediate inteactions between uses and cloud sevices. Although the identification was anonymous, the PII eleased pivacy elated infomation. In [6], the authos took advantage of attibute-based encyption and signatue technology to conceal use identities in cloud computing. Howeve, because uses must employ a single unchanging cetificate to obtain authentication fom the, an attacke may ascetain a use s identity easily though the static cetificate. In [7], the authos impoved the appoach poposed in [4], whee the egisty cente was not equied to be online at all times. Howeve, the impoved appoach had the same disadvantages with espect to use pivacy potection as the oiginal appoach. In [8, 9], the authos designed and intoduced a method that integated blind signatue and hash chain techniques to potect use pivacy in cloud computing. Howeve, in evey session, uses employ the same pseudonym to log in, which esults in linkability between diffeent sessions. Although the above studies achieve the goal of use identity concealment, the successive behavios of individual uses can be associated. Thus, though analyzing use behavios, the can potentially compomise use pivacy. In [10], the authos poposed a method fo anonymity using goup digital signatue technology. Because this method intoduced no coelation between use signatues, this method is an impovement ove the afoementioned methods. Howeve, the use of goup digital signatue technology fobids membes fom joining and leaving a goup dynamically, which conflicts with the openness of cloud computing. In this pape, we popose an appoach that achieves use identity anonymity. Moeove, by this appoach, the is unable to link use behavio to use identity. While the anonymity of identity potects use pivacy, it tends to enable attack by malicious uses because the is unable to tace the uses involved in the attack. Theefoe, ou appoach intoduces tust management to addess the shotcomings of identity anonymity. The appoach detemines use eputations and binds the eputation to use identity. The utilizes use eputation to distinguish malicious uses and to educethetheatofattackbymalicioususes[11]. Pevious eputation eseach has focused on pee to pee (P2P) systems, which has been developed into vaious systems, fo example, the EigenTust [12], the PeeTust [13], and the PoweTust [14] systems. Along with the development of electonic business, eputation eseach has had a sevice oiented focus, whee the eputation of sevice povides has been evaluated to potect consumes. In [15, 16], eputation was employed as a means of choosing sevice povides. In cloud computing, most eseach has focused on potecting the, such as what was done in [17, 18]. Howeve, the use of a eputation model to manage uses in cloud computing, such as that employed in this pape, has not been the subject of pevious eseach. In [19], the authos designed an identity management model fo a noncloud computing envionment. The model supposed that uses must be peviously egisteed, which conflicts with the equied openness of cloud computing. In [20, 21], the authos designed a eputationbased identity management model that used online systems fo applications in, fo example, electonic business and foums. The online system must ecognize use identities o unique identifies to accumulate eputation data. Howeve, tacking use identities tends to leak use infomation, which theatens pivacy. This is why these appoaches cannot be applied to cloud computing. Ou poposed RIM intoduces eputation to manage uses and simultaneously potects use pivacy, which has not been investigated by othe eseaches.

3 Mathematical Poblems in Engineeing 3 Use Management sevices Coe sevices SaaS Application 1 Application n Identity management sevice PaaS Data pocess model QoS guaantee Mass data stoage IaaS Data cente devices Netwok esouces Vitualization sevices Compute nodes Secuity assuance. Figue 1: Cloud sevices achitectue. Use pivacy potection equies a use identity to be anonymous such that it cannot be tacked. Howeve, the detemination of eputation must confim use identity and tack use tansaction histoy. Theefoe, eputation management and identity anonymity appea to be contadictoy [22]. In [22], the authos alleviated this contadiction and designed an anonymous eputation system in a P2P envionment using electonic cash technology to povide feedback to uses accoding to behavio. Howeve, accoding to this appoach, theamountoffeedbackoneusegivestoanotheisesticted by the quantity of electonic coins in the fome use s possession. A use with no electonic coins is theefoe baed fom involvement in the tansaction. As such, this method contadicts with the openness of cloud computing. In [23], the authos used blind signatue technology to achieve a eputation-based identity management appoach in the C-S mode. This appoach povides the sevice povide with use eputations while guaanteeing use anonymity. Howeve, unde this appoach, a sevice povide can confim that odes deive fom the same use and accumulate the histoy of use actions, esulting in the potential violation of use pivacy. In [24], authos achieved an anonymous eputation system based on zeo-knowledge authentication and digital signatue technology. Howeve, [4] the sessions between the use and sevice povide unde this appoach ae linkable, enabling sevice povides to violate use pivacy. Fom the above analysis, we can see that these last two examples [25] manage to povide use eputation only by divulging use identity. Ou RIM ovecomes these shotcomings by detemining use eputation while ensuing that use identity and pseudonyms ae unlinkable. 3. Technology Backgound 3.1. Cloud Computing Achitectue. Cloud computing povides thee main sevice delivey models to the public, including the following [2]: (i) Softwae as a Sevice (SaaS): this is a softwae delivey model in which softwae and its associated data ae hosted in the cloud and ae typically accessed by uses using a thin client. (ii) Platfom as a Sevice (PaaS): this is the delivey of a computing platfom and solution stack as a sevice, which povides all the facilities equied to suppot thecompletelifecycleofbuildinganddeliveingweb applications and sevices fom the Intenet. (iii) Infastuctue as a Sevice (IaaS): this delives compute infastuctue (typically a platfom vitualization envionment) as a sevice, along with aw stoage and netwoks. Rathe than puchasing seves, softwae, data-cente space, o netwok equipment, clients puchase the esouces as a fully outsouced sevice. Based on the above appoach, a numbe of simila abstact sevice models have been ecently pomoted, such as Hadwae as a Sevice (HaaS), Data as a Sevice (DaaS), and Communication as a Sevice (CaaS). Cloud computing management sevices ensue the eliability, availability, and secuity of coe sevices. Figue 1 [26, 27]illustatesthebasic sevice achitectue of cloud computing. Cloud identity management takes chage of identity management thoughout the entie cloud sevices stack. Identity management can be divided into thee categoies [28]: isolated use identity model, fedeated use identity model, and centalized use identity model, which ae defined as follows: (i) Isolated use identity model: in this model, the sevice povide acts as both cedential povide and identifie povide to thei clients. A use obtains sepaate unique identifies fom each sevice/identifie povide tansacted with. (ii) Fedeated use identity model: this can be defined as the set of ageements, standads, and technologies that enable a goup of sevice povides to ecognize use identifies and entitlements fom othe sevice povides within a fedeated domain.

4 4 Mathematical Poblems in Engineeing Ced2 Use 1 Use 2. Ced1 Ced1 Ced1 Ced2 Ced2 Common identifie and cedentials povide VM1 SaaS VM1 PaaS IaaS VM... VM2 SaaS PaaS IaaS VM2. Figue 2: Centalized use identity model in cloud computing. (iii) Centalized use identity model: this model employs a single identifie and cedential povide that is used by all sevice povides to povide identifies and cedentials to uses. In the centalized use identity model, the job of identity management has been taken ove by an identity povide fom the sevice povide. This educes the buden of the sevice povide and also educes the numbe of cetificates equied by uses to hold. In addition, the centalized use identity model facilitates the delivey of the identity management sevice fom the to the uses. In an identity povide management domain, uses fist obtain a fomal cetificate and then access cloud sevices in the same domain using this cetificate. This popety makes the centalized use identity model suitable fo cloud computing, and, theefoe, we employ a centalized model in ou design, as shown in Figue Basic Technology. We intoduce identity-based signatue, blind signatue, and zeo-knowledge authentication technology to implement RIM. The identity-based signatue was poposed by Shami [29] in Hee, a use s identity is fist disclosed as a public key and then used to geneate a pivate key. In [29], the authos designed a conceptual model but did not povide fo any eal implementation. Since then, studies of the identitybased signatue have been conducted, but no efficient and povable signatue scheme was concluded until Boneh et al. [30, 31] pomoted an identity-based encyption scheme. Identity-based signatue compises fou stages: setup, pivate key extaction, signatue, and veification. Using an identity as a public key has a natual legitimacy, which can simplify the pocess of key distibution. The concept of blind signatue was suggested by Chaum [32]. The appoach ensues that the signe does not know the specific content of the message and that the message owne can obtain the signatue of the message. Blind signatue consists of thee opeations: blinding, signing, and blindness emoval. Blind signatue has many chaacteistics conducive to potecting use pivacy such as (1) blindness, whee the signe does not know the specific content of the message to be signed and (2) untaceability, whee, if a signatue is leaked, the signe has no idea of when and by whom the message was signed. Zeo-knowledge poof authentication technology efes to a pove s assuance of owneship of some secet infomation, without evealing any useful knowledge about the secet infomation to the veifie. Well-known zeo-knowledge authentication schemes mainly include the Feige-Fiat-Shami [33] scheme, the Guillou-Quisquate [34] scheme, and the Schno [35]scheme. The poposed RIM achieves an identity management modelthatissuitablefocloudcomputingbyemploying methods elated to the above techniques that ae most suitable fo specific application scenaios. In Section 4.3, we give a detailed exposition of ou design. 4. Model Design and Implementation In this section we fistly give some assumptions fo RIM and then explain the detailed implementation of the model Assumptions. We must make some easonable assumptions to ensue pope RIM functionality. Fistly, we assume the existence of an independent abitation agency whose function is simila to a govenmental authoity that can ensue use pivacy while simultaneously poviding a secue souce of anonymous use infomation unde vey specific cicumstances. As such, the agency poposed heein is diffeent fom a tusted thid paty in an odinay sense. The agency need not have a continual online pesence. Moeove, the agency does not collude with othe uses, and use infomation is potected fom malicious uses. Because cloud sevices ae open to the public as a paid sevice, it is necessay to eveal anonymous use infomation when a suffes an attack o has economic disputes with uses. Theefoe, RIM must be able to identify anonymous uses to addess these specific poblems. If a seeks anonymous infomation, it must povide a ange of cetificates and follow pescibed secuity potocols to ensue that the application submitted is legitimate. Anothe impotant assumption is that the communication channel in RIM is secue. SSL and IPSec potocols can be used to ensue the secuity of the channel Model Design. Fou oles ae managed in RIM: Use,, IdP, and deanonymizing authoity (DA), which ae defined as follows: (i) Use: the consume of cloud sevices who equests identity anonymity and benefits fom the sevice. (ii) : the sevice povide who, afte the tansaction between the Use and, povides feedback egading the tansaction. (iii) IdP: the sevice povide who not only povides egistation sevices to the Use but also detemines the Use eputation, which is indicative of the degee

5 Mathematical Poblems in Engineeing 5 U P u (1) Use egiste (3) Identity authentication (4) Sevices access IdP U (8) Reputation update confimation IdP (7) Blind signatue (6) Applying fo eputation update P u (5) Reputation backfeeding (4) Sevices access (2) Pseudonym geneation (a) (b) Figue 3: Schematic of the anonymous access and eputation update pocess. of tust, based on the feedback obtained fom the. The IdP issues the Use eputation cetificate. (iv) DA: an authoity that can eveal Use pseudonyms and povide Use identity-elated infomation to the. RIM has five stages, namely, Envionment Initialization, Use Registation, Identity Authentication, Reputation Computation, and Pseudonym Disclosue. In the Envionment Initialization stage, RIM fist ceates the public paametes of the IdP, DA, and. It then geneates the public and pivate keys used fo signatues. The opeations of key geneation ae as follows: λ is the secuity paamete, PK denotes the public key, and SK denotes the pivate key. The following descibes the pobabilistic polynomial time algoithm: (i) (PK Id s,sk Id s ) SetupIdP Idsign(1 λ ):itisakeygeneation algoithm that takes λ as the input and outputs a pai (PK Id s,sk Id s ) of public and secet keys used by the IdP to sign the identity cetificate. (ii) (PK Id b,sk Id b ) Setup IdP blind(1 λ ):giventhe secuity paamete λ,itceatesapaiofkeys(pk Id b, SK Id b ) whichisusedbytheidptogeneateablind signatue. (iii) (PK,SK ) Setup(1 λ ):itoutputsapai of keys (PK,SK ) which is used by the to ceate a feedback cetificate. (iv) (PK DA,SK DA ) Setup DA(1 λ ):itgivesthedaa pai of keys (PK DA,SK DA ) which is used to encypt and decypt Use identities. Keys (PK Id s,sk Id s ) and (PK Id b,sk Id b ) can be combined into a single pai. Howeve, in such a situation, if the keys ae disclosed, the IdP will collapse. When they ae sepaated, if one pai of keys is compomised, fo example, if theblindsignatuekeyiscompomised,onlythecedibilityof the eputation is affected while the identity cetificate emains valid. Owing to secuity consideations, we maintain these twokeypaisassepaate. The Registation opeation and Veification opeation contained in the Use Registation stage ae defined as follows: (i) Registation: the Use initiates the opeation (C Id, ep, C ep ) Registe(SK Id s,id)to egiste with the IdP. The Use obtains an identity (Id)astheinputand then eceives the identity cetificate C ep,eputation (ep), and eputation cetificate C ep.hee,ep is the initial eputation value fo new uses given by the IdP. (ii) Veification: the opeation 1/ CheckReg(PK Id s, C Id,ep,C ep ) is employed by the Use to authenticate C Id, ep,andc ep. This opeation takes the IdP public key PK Id s as one of the inputs, which will confim the legitimate souce of these cetificates. If veified, 1 will be etuned as the esult; othewise, will be etuned. The fist time a Use entes the cloud sevice system, the Use must egiste with the IdP using thei own identity. The IdP will detemine whethe the identity is edundant o on the blacklist. If the answe is no, the veification is passed. The IdP gives the Use an initial eputation value and issues an identity cetificate and eputation cetificate. The identity that egisteed to the IdP is known to the public. It can be a URL o addess associated with the Use. The public identity caies less pivacy and is easily veified by the IdP. Because of the openness of cloud sevices, the ules fo accessing cloud sevices cannot be ovely stict. In RIM, all uses that meet the basic safety equiements ae allowed access. Afte Registation, the Veification opeation is pefomed to veify theidentitycetificateandtheeputationcetificate.the above pocesses ae illustated in Step 1 of Figue 3(a). AftetheUsehasaecognizablevalididentity,access is ganted to the using the pseudonym geneated accoding to this valid identity, and the will authenticate the pseudonym. The Identity Authentication stage includes the Pseudonym Geneation opeation and Authentication opeation shown in steps 2 and 3 of Figue 3(a), whichae descibed as follows:

6 6 Mathematical Poblems in Engineeing (9) Reputation withdawal IdP IdP (11) Identity mapping U P u Resume (2 8) (10) Anonymity emoval (a) (b) DA Figue 4: Schematic of the standad access pocess and Pseudonym Disclosue. (i) Pseudonym Geneation: taking Id, the Use identity cetificate C Id, and ep as the inputs, the opeation P u Gen pny(id, C Id,ep) outputs the Use pseudonym P u, which is the only identification pesented to the. (ii) Authentication: the opeation 1/ Authenticate(P u,c ep ) is used to authenticate the Use identity though P u by the. This opeationisalsousedtoconfimthecedibilityof the Use eputation. The Pseudonym Geneation opeation encypts Id using the public key povided by the DA. As such, if a dispute aises between the Use and the, RIM would decypt P u with thepivatekeypovidedbythedatoestoetheuseid.the Authentication opeation applies the Σ-potocol to conduct the authentication. Duing the pocess, the can extact P u, C ep,andep but not the Use Id. Afte the tansaction between the Use and the, RIM entes the Reputation Computation stage, whee the Use ep is updated on the basis of feedback povided by the. This stage includes a seies of opeations including the Reputation Backfeeding opeation, Blinding opeation, Applying fo Reputation Update opeation, Blind signing opeation, and Reputation Update Confimation opeation, which ae defined as follows: (i) Reputation Backfeeding: the calls (ep new, C ep new ) Gan(P u ) and povides eputation feedback ep new and its cetificate C ep new accoding to the pefomance of P u.thec ep new guaantees that ep new is fom the. (ii) Blinding: P u andomly selects the blind facto Nonce as the input of the opeation Nonce blind Blind(Nonce) to obtain the blinded value Nonce blind. (iii) Applying fo Reputation Update: given the inputs ep new, C ep new,nonce blind, P u calls 1/ Update(ep new, C ep new,nonce blind) to apply fo eputation updating. The IdP veifies the eputation feedback based on ep new and C ep new. A successful opeation etuns 1; othewise, it etuns. (iv) Blind Signing: the IdP calls C blind Blind sign(nonce blind) to geneate the blind signatue C blind of the value Nonce blind. (v) Reputation Update Confimation: the Use emoves the blindness of C blind and obtains the cetificate C Nonce of Nonce. Then, the Use calls 1/ Confim Update(C Nonce ) to submit the equest fo confiming the update of eputation to the IdP. If the IdP successfully updates the Use ep, it etuns 1; othewise, it etuns. The povides feedback to P u using the Reputation Backfeeding opeation, as illustated by Step 5 in Figue 3(b). The Applying fo Reputation Update Confimation opeation submits the eputation feedback ep new and a blinded andom value Nonce blind to the IdP and expects that the IdP will update ep. This opeation is illustated by Step 6 in Figue 3(b). The IdP veifies the feedback and detemines that it is valid. Howeve, the IdP cannot detemine fo whom the feedback is designated because the IdP cannot tack the feedback to the Use Id. The IdP uses the Blind Signing opeation to sign Nonce blind andgivestheesultc blind back to P u,asillustatedbystep7 in Figue 3(b). Becausethe Use geneates P u diectly, the Use can locate thei own P u. The Use obtains C blind though P u andthenemovesthe blindness of C blind to obtain C Nonce. The Use subsequently calls the Reputation Update Confimation opeation and submits C Nonce to the IdP to confim the updating of ep, which is illustated by Step 8 in Figue 3(b). TheIdPveifies C Nonce,and,ifpassed,thevalueofep is updated. The IdP cannot link Nonce to Nonce Blind, whichiswhytheblind signatue is intoduced. This method ensues that, even in the case of collusion between the IdP and, the IdP cannot obtain the Use Id though P u. The afoementioned pocesses addess the entie pocess of new use access to cloud sevices, including Use Registation, accessing sevices, and eputation update. The Use who is aleady egisteed must fist call the Reputation Withdawal opeation to acquie a value fo ep fom the IdP and then follow all subsequent opeations, as the afoementioned. The Reputation Withdawal opeation is illustated in Figue 4(a), which is descibed as follows:

7 Mathematical Poblems in Engineeing 7 (i) Reputation Withdawal: the Use acquies ep and C ep by the opeation (ep, C ep ) Withdaw(Id) using its own Id. The last stage is the Pseudonym Disclosue stage. If the Usehasdonehamtothe,themustgainaccess to the Use Id. This stage includes the Anonymity Removal opeation and the Identity Mapping opeation, which ae descibed as follows: (i) Anonymity Removal: when the opeation g Id De Anonymity(P u,sk DA ) is called, the DA opens P u using its pivate key SK DA.Theoutputofthis opeation is not the Use Id itself but g Id,whichis geneated by the IdP, whee g is one of the public paametes. (ii) Identity Mapping: IdP calls Id Map(g Id ) to map g Id to the Use Id and then esolves the disputes offline. The submits a malicious behavio epot fo the Use and pseudonym P u to the DA and applies fo opening apseudonym,asillustatedinstep10 in Figue 4(b). The DA uses the Anonymity Removal opeation to open P u and obtains g Id.TheDAsubmitsg Id to the IdP. Then the IdP calls the Identity Mapping opeation and etieves the Use Id,as illustated by Step 11 in Figue 4(b). Theefoe, fo secuity consideations, the DA does not ecove the Id diectly. This isoneofthemethodsthatensueusepivacyandpevent the misuse of a use s identity. The above povides an oveview of RIM. The following povides a concete ealization of ou model RIM Realization. In this section we povide a desciption of the concete ealization of RIM based on Hidden Identity-Based Signatuespoposed by Kiayias and Zhou [36]. Hidden Identity-Based Signatues meet use equiements fo anonymity in a cloud computing envionment, but they do not satisfy the need fo a unique use pseudonym fo each session. We theefoe extended Hidden Identity-Based Signatues by intoducing eputation and blind signatue to fulfill the equiements mentioned above. In RIM, we achieve blind signatue using the Schno scheme [25]. The public paametes discussed peviously [25, 36] ae identical, so the RIM is made moe compehensive by combining the two techniques. In the Envionment Initialization stage, we geneate public paametes p,g,g,g T,e,wheeG and G T ae cyclic goups of pime ode p, g is a geneato fo G and G T, e is a bilinea map, e:g G G T,and G = G T. h is selected fom G\{1}andomly. H is a hash function, H:{0,1}.TheopeationSetup IdP Idsign(1 λ ) andomly selects x, y Z p and computes X = gx, Y = g y,wheethe public and pivate key pais ae given as PK Id s = (X,Y), SK Id s =(x,y). Similaly, the opeation Setup IdP blind(1 λ ) geneates the key pai PK Id b = M, SK Id b = m,whee m Z p and M=g m. Setup (1 λ ) geneates the key pai PK =(I,J), SK = (i, j) fo feedback signatue using the same method descibed above. The key pai geneation of Setup DA(1 λ ) is moe complicated. It andomly selects u, V G, w G\{1} and b, d Z p,esultinginw=ub = V d, which povides the key pai PK DA =(u,v,w), SK DA =(b,d). Afte the keys ae geneated, RIM publishes the public keys andkeepsthepivatekeyssecet. In the Use Registation stage, the IdP povides the Use with the identity cetificate, eputation, and eputation cetificate. We intoduce the technology of shot signatues [37] to issue these cetificates. The IdP andomly selects, q Z p and then issues identity cetificate C Id (g 1/(x+Id+y),)and eputation cetificate C ep (g 1/(x+ep+yq),q),notingthatId and ep denote the identifie and eputation belonging to the Use. Afte that, the IdP gives the Use a tiple C Id,C ep,ep. The Use veifies these cetificates using the IdP public key. When the equation e(g 1/(x+Id+y),Xg Id Y ) = e(g, g) holds, the Use accepts the identity cetificate. In the same way, the Use veifies the eputation cetificate. If the two cetificates ae both valid, the opeation CheckReg(PK Id s,c Id,ep,C ep ) etuns1.ifeithecetificate is invalid, both cetificates ae discaded. The Pseudonym Geneation and Authentication opeations in the Identity Authentication stage ae usually caied out togethe in pactice. In this pape, we extend the method intoduced in [36] to authenticate the Use identity, Use identity cetificate, and the link between the Use identity and identity cetificate. Ou appoach equies veification that the eputation geneated fom the pseudonym belongs totheusewehavejustauthenticated.thespecificpocessis descibed as follows: (i) The Use employs linea encyption [37] to commitid in (U, V, W). It satisfies the constaints U=u k, V=V l, W= w k+l g Id,wheel and k ae andomly selected: K, l. (ii) The Use commits C Id in (S, R); that is, S=g 1 C Id and R=g 2 h 1 Y,whee 1 and 2 ae andomly selected: 1, 2. (iii) The Use authenticates thei identity using the zeoknowledge poof technique [35], as descibed in Figue 5. Finally, if the equation holds, the Use is assued of possessing a legitimate identity, although the would have no knowledge of that identity. (iv) The pocess of authenticating the Use identity cetificate is descibed in Figue 6. Iftheequationshold,the Use is assued of possessing a legitimate identity cetificate, althoughthewouldhavenoknowledgeofthatcetificate. (v) It must also be veified that the identity and the identity cetificates belong to the same Use. The veification pocess is descibed in Figue 7. If the equations ae tue, the identity is bound to the identity cetificate. (vi) Moeove, the legitimacy of the eputation and that the eputation belongs to the Use must also be veified. The eputation is open to the public, so it is authenticated using the IdP public key. When veifying that the eputation belongs to the Use, the Use identity is hidden. To this end, a secet message is selected, and owneship of the eputation cetificate can be veified only if the Use has the secet

8 8 Mathematical Poblems in Engineeing Use K, l U=u k V= l W=w k+l g Id θ Id,θ l,θ k B 1 =u θ k B 2 = θ l B 3 =w (θ k+θ l ) g θ Id ξ Id =θ Id +σ Id ξ k =θ k +σ k ξ l =θ l +σ l Use 1, 2 S=g 1 C Id R=g 2 h 1 Y θ 1,θ 2,θ B 4 =g θ 2 h θ 1Y θ ξ 1 =θ 1 +σ 1 ξ 2 =θ 2 +σ 2 ξ =θ +σ U, V,W Show the pomise B 1, B 2, B 3 Give the challenge σ Show the answe ξ Id, ξ k, ξ l Figue 5 S, R Show the pomise B 4 Give the challenge σ σ B 1 = U σ u ξ k B 2 = V σ v ξ l B 3 = W σ w (ξ k+ξ l ) g ξ Id σ Show the answe ξ 1, ξ 2, ξ B 4 = R σ g ξ 2 h ξ 1Y ξ Figue 6 message, as descibed in Figue 8(a).Linkabilitybetween the eputation cetificate and the Use identity is then veified, as descibed in Figue 8(b).Iftheequationshold,theeputation and eputation cetificate ae concluded to belong to the Use. (vii) Finally, we veify that the encypted identity cetificate is fom the IdP accoding to the encypted identity. We assume that B 11 =e(g,xwr) θ 1 e (S, w) θ k+θ l e(g,w) (θ δ 1 +θ δ2 ) e(s,g) θ 2 e (g, g) θ δ 3 e (S, h) θ 1 e(g,h) θ δ4, ξ=e(g,xwr) ξ 1 e (S, w) (ξ k+ξ l ) e(g,w) (ξ δ 1 +ξ δ2 ) e(s,g) ξ 2 e (g, g) ξ δ 3 e (S, h) ξ 1 e(g,h) ξ δ4 σ e (g, g) (( e (S, XWR) ) ), whee, if B 11 =ξ, the abovementioned conclusion is veified becauseiftheidppivatekeyisinput,weobtaintheoutput e(c Id,Xg Id Y ) = e(g, g). (1) Thus fa, the legitimacy of the Id, C Id, C ep C Id,andC ep has been veified. Moeove, the linkability between the Id and the C Id and C ep has been veified. Though the Id has been encypted, it can be veified that the C Id deives fom the IdP. Togethe with the veification of the legitimacy of the eputation, all of the above compise the opeation Authenticate(P u,c ep ). Because the eputation need not besecet,theeputationcanbeauthenticatedsimplyby inputting the IdP public key. Next, we addess the e(c ep,xg ep Y q ) = e(g, g) opeation Gen pny(id, C Id,ep).Hee,thepseudonymP u is just the andom challenge σ used by the fo authenticating the Use. P u meets cloud computing secuity equiements. The secuity analysis will be conducted in the next section. Ou implementation of the Reputation Computation stage is descibed as follows: (i) Reputation Withdawal: the opeation Withdaw(Id) etuns the eputation cetificate, which is signed by the IdP. The specific implementation of the eputation cetificate is equivalent to that of the identity cetificate. (ii) Reputation Backfeeding: we continue to use the shot signatue [38]tosignthefeedbackgivenbythe; that is, C ep new g 1/(i+ep new+jn),n,wheen is andomly selected: n Z p. (iii) Blinding: this opeation is pefomed by the Use and the IdP. The IdP possesses the key pai (M, m), whee M=g m. The IdP andomly selects b and computes x b = g b.then,p u obtains x b fom theidpandselectsaandomnumbenonce that is to be signed. P u computes x b = g u b M d b x b, e b = H(x b, Nonce),ande b =e b +d b,wheed b,u b.theuseassignse b as the blind signatue of Nonce;thatis,Nonce blind = e b. (iv) Applying fo Reputation Update. The IdP veifies the eputation feedback, which is signed by the. If the equation e(g 1/(i+ep new+jn),ig ep new J n ) = e(g, g) holds, we conclude that the veification has passed. (v) Blind Signing: the IdP computes y b = b +e b mand C blind =y b. This is also the pocess of signing the blind andom numbe Nonce blind. The IdP does not know the plaintext of Nonce thoughout the pocess. (vi) Reputation Update Confimation: the Use emoves the blindness of C blind (i.e., y b )thoughcomputing y b =y b+u b.then,thepai(e b,y b ) is obtained, which is the signatue of Nonce denoted by C blind.finally, the Use calls Confim Update(C Nonce, Nonce) to confim the update of the eputation. The IdP detemines if the equation x b =g y b M e b holds. If so, the IdP then examines the equation e b =H(x b, Nonce). When both equations hold, the IdP concludes that the signatue is valid.

9 Mathematical Poblems in Engineeing 9 Use δ 1 = 1 k, δ 2 = 1 l, δ 3 = 1 2, δ 4 = 2 1, δ 5 = 1 θ δ1,θ δ2,θ δ3,θ δ4,θ δ5 B 5 =U θ 1u θ δ 1 B 6 =V θ 1 θ Show the pomise B δ 2 5, B 6, B 7 B 7 =R θ 1g θ δ 3 h θ δ 4 Y θ δ 5 Give the challenge σ ξ δ1 =θ δ1 +σ δ 1 ξ δ2 =θ δ2 +σ δ 2 ξ δ3 =θ δ3 +σ δ 3 ξ δ4 =θ δ4 +σ δ 4 ξ δ5 =θ δ5 +σ δ 5 Show the answe ξ δ1, ξ δ2, ξ δ3, ξ δ4, ξ δ5 Figue 7 B 5 = U ξ 1u ξ δ 1 B 6 = V ξ 1 ξ δ 2 B 7 = R ξ 1g ξ δ 3 h ξ δ 4 Y ξ δ 5 Use t T=g t Y q θ t,θ q B 8 =g θ t Y θ q ξ t =θ t +σ t ξ q =θ q +σ q T Show the pomise B 8 Give the challenge σ Show the answe ξ t, ξ q (a) B 8 = T σ g ξ t Y ξ q Use λ 1 =tk, λ 2 =tl θ λ1,θ λ2 B 9 =U θ t u θ λ 1 B 10 =V θ t θ λ 2 Show the pomise B 9, B 10 Give the challenge σ ξ λ1 =θ λ1 +σ λ 1 Show the answe ξ λ1, ξ λ2 ξ λ2 =θ λ2 +σ λ 2 B 9 = U ξ t u ξ λ 1 (b) B 10 = V ξ t ξ λ 2 Figue 8 Afte veifying the blind signatue, the IdP pefoms the actual eputation updating opeation. We intoduce the feedback based eputation calculation method [39] toestimate the Use eputation. Hee, thee factos detemine the total value of Use tustwothiness, that is, ep new, ep h, ep u, whee ep new epesents the new eputation feedback the povides afte the tansaction, ep h is the histoy feedback povided by the peviously accessed, and ep u is the oveall eputation the Use had pio to the cuent tansaction. Afte accessing the sevice, the Use eputation is calculated by ep = (W new ep new) + (W h eph) + (W u epu). Toegulatethevalueof the eputation, we let ep new, ep h, ep u be nomalized to values in [0, 1]. W new, W h, W u denote the new feedback weight, the updated histoy feedback weight, and the updated oveall eputation weight pio to the cuent tansaction, espectively. All the weights have values in [0, 1] and satisfy the constaint W new+ W h+wu=1. The details have been descibed in [39]. In the Pseudonym Disclosue stage, the DA and IdP decypt the Use pseudonym and then estoe the Use Id. The details of the two opeations ae as follows: (i) Anonymity Removal: the DA decypts the secet infomation (U, V, W) using the secet key (b, d) in the possession of the DA to estoe g Id ;thatis,g Id = W/(U b V d ). (ii) Identity Mapping: the IdP maps g Id to the Use Id using the intenal mapping table that is built at the beginning. Though the abovementioned opeations, we can delive an identity management sevice. The Use geneates a pseudonym using this sevice and then employs the pseudonym as the identity fo accessing cloud sevices without exposing any eal identity infomation. The Use eputation, within a cetain ange, indicates to what extent the can tust the use, based on the possibility that the Use may cay out malicious activities. 5. Model Analysis In this section, we veify the coectness and povide a detailed secuity analysis of the poposed model.

10 10 Mathematical Poblems in Engineeing 5.1. Coectness of the Model. The coectness of the model includes Use Registation coectness, Reputation Calculation accuacy, Identity Authentication coectness, and Pseudonym Disclosue coectness. Definition 1. Use Registation coectness is descibed as follows. If the identity cetificate and the eputation cetificate can be veified with a pobability of 1, then one concludes that the Use Registation is coect. This is given by the following: P [ (PK Id s, SK Id s ) SetupIdP Idsign (1 λ ) [ (C Id,ep,C ep ) Registe(SK Id s,id) ] [ CheckReg (PK Id s,c Id,ep,C ep )=1 ] =1. Theoem 2. RIM Use Registation is coect. (2a) Poof. Iftheabovepobabilityis1,thentheoutputofeach opeation must be coect, and the identity cetificate and the eputation cetificate can pass the veification using the public keys in the possession of the IdP. The validity of the identity cetificate was veified in [38], and we need only to veify the validity of the eputation cetificate. The following fomula (3) confims that e(g 1/(x+ep+yq),Xg ep Y q ) = e(g, g), veifying the eputation cetificate is valid. Conside e(g 1/(x+ep+yq),Xg ep Y q ) =e(g 1/(x+ep+yq),g x g ep (g y ) q ) =e(g 1/(x+ep+yq),g x+ep+yq ) = e (g, g). Definition 3. Identity Authentication coectness is descibed as follows. The authenticates the Use though the Use pseudonym P u. If all the opeations etun coect outputs with a pobability of 1, we conclude that the Identity Authentication is coect. This is given by the following: (PK Id s,sk Id s ) SetupIdP Idsign (1 λ ) (C Id,ep,C ep ) Registe(SK Id s,id) P CheckReg (PK Id s,c Id,ep,C ep )=1 [ P u Gen Pny (Id, C Id,ep) ] [ Authenticate (P u,c ep )=1 ] =1. Theoem 4. RIM Identity Authentication is coect. (3) (2b) Poof. The must authenticate the Use identity, the validity of the identity cetificate, the linkability of the identity and identity cetificate, the validity of the eputation cetificate, and the linkability of the identity and eputation cetificate. All of the above have been poven in [25] with the exception of the linkability of the Id and eputation cetificate. Theefoe, we only veify hee the linkability of the Id and eputation cetificate. The veification follows the same appoach as that of fomula (3) but is conducted by the.veifying the linkability of the Id and eputation cetificate follows accoding to fomula (4), whichindicates that the Use owns the eputation cetificate, and fomulas (5) and (6), which veify that the Use identity is linked with eputation cetificate. Conside T σ g ξ t Y ξ q =(g t Y q ) σ g (θt+σ t) Y (θ q+σ q) =g tσ Y σq g σt Y σq g θ t Y θ q =g θ t Y θ q =B 8 U ξ t u ξ λ 1 =U (θ t +σ t) u θ λ 1 +σ λ 1 =U θ t u θ λ 1 U σ t u σ tk (4) =U θ t u θ λ 1 U σ t U σ t =U θ t u θ λ 1 =B9 (5) V ξ t V ξ λ 2 =V (θ t +σ t) V θ λ 2 +σ λ 2 =V θ t V θ λ 2 V σ t V σ tl =V θ t V θ λ 2 V σ t V σ t =V θ t V θ λ 2 =B10. The Reputation Computation accuacy involves two aspects: (1) the coectness of the opeations such as eputation acquisition, eputation feedback, and eputation update; and (2) the fact that the eputation evaluation algoithm can accuately calculate the use degee of tustwothiness. The accuacy of the evaluation algoithm has been veified in [39]. Theefoe, in this pape, we only define the coectness of the opeations. Definition 5. Reputation Calculation coectness is descibed as follows. If the eputation-elated opeations etun coect outputs with a pobability of 1, one concludes that the Reputation Calculation is coect. This is given by the following: (PK Id s,sk Id s ) SetupIdP Idsign (1 λ ) (PK Id b,sk Id b ) SetupIdP blind (1 λ ) (PK,SK ) Setup (1 λ ) (ep, C ep ) Withdaw (Id) CheckReg (PK Id s,c Id,ep,C ep )=1 P P u Gen Pny (Id, C Id,ep) Authenticate (P u,c ep )=1 (ep new, C ep new ) Gant (P u ) Nonce blind Blind (Nonce) Update (ep new, C ep new,nonce blind) = 1 [ C blind Bl ind sign (Nonce blind) ] [ Confim Update (C blind )=1 ] =1. (6) (2c)

11 Mathematical Poblems in Engineeing 11 Theoem 6. RIM Reputation Calculation opeations ae coect. Poof. The opeation Withdaw(Id) and the subsequent veification steps of the eputation ae equivalent to the egistation opeations. The veification of the eputation feedback is simila to that given in fomula (3). Becausethe coectness of the egistation opeations has been poven in Theoems 2 and 4, weheepoveonlythecoectness of the blind signatue. Fomula (7) emoves the blindness of the signatue, obtaining the intemediate value x b.ifthe equation e b = H(x b, Nonce) holds, we conclude that the blind signatue is coect. Along with Theoems 2 and 4,the poof veifies the coectness of the eputation opeations. One has g y b M e b =g y b+u b M e b =g b+e b m+u b M e b d b =x b g e b m g u b g m(e b d b ) =x b g e b m g u b g m e b g m( d b) =x b g u b M d b =x b. Definition 7. Pseudonym Disclosue coectness is descibed as follows. The DA decypts the pseudonym to estoe the Use Id with a pobability of 1. This is given by the following: (PK Id s,sk Id s ) SetupIdP Idsign (1 λ ) (PK DA,SK DA ) SetupDA (1 λ ) (ep, C ep ) Withdaw (Id) CheckReg (PK P Id s,c Id,ep,C ep )=1 P u Gen Pny (Id, C Id,ep) Authenticate (P u,c ep )=1 g Id De Anonymity (P [ u,sk DA ) ] [ Id Map (g Id ) ] =1. Theoem 8. RIM Pseudonym Disclosue is coect. (7) (2d) Poof. Opeations conducted pio to the Pseudonym Disclosue pocess have been poven in Theoems 2, 4, and 6. The coectness of decypt (U, V, W) hasbeenpovenin[36]. Finally, the IdP queies the mapping table to obtain the Use Id. Theefoe, we conclude that the Pseudonym Disclosue is coect Secuity of the Model Secuity of Reputation. Befoe discussing the secuity of eputation, we assume that the pivate keys of the IdP,, andusehavenotbeenleaked.ifthepivatekeysweeleaked, therimwouldbeopentothepublic.thedataoftheidp aestoedinacloudenvionment,andthecloudseviceis open to the public. Theefoe, an attacke can obtain an Id and eputation pai, theeby conducting a plaintext attack by analyzing them. In this pape, we will not conside a situation whee an attacke modifies the eputation though the cloud undelying infastuctue, and the attacks ae all chosen as plaintext attacks. Unfogeability of eputation efes to the fact that an unauthoized use has no way of modifying thei own o anothe s eputation value. If the attacke (o Advesay; AdV) wishes to modify a eputation value without pemission, the AdV must foge a eputation cetificate issued by the IdP o a feedback cetificate signed by the. Next, we povide a fomal definition of eputation unfogeability. Definition 9. If a pobabilistic polynomial-time advesay AdV has the advantage AdVantage unf (λ) = P[(PiVK unf (λ) = 1) 1/2], which is negligible in λ, then one concludes that the eputation value is unfogeable. The expeiment PiVK unf (λ) is defined as follows: (i) AdV is given the public paametes p,g,g,g T,e,as descibed in the Envionment Initialization stage. The egiste andom oacle O eg povides AdV with a Use identity, eputation value, and eputation cetificate. The feedback andom oacle O povides AdV with eputation feedback and the feedback cetificate. The pseudonym andom oacle O Id povides AdV with the Use pseudonym P u. (ii) The AdV geneates (Id 0,ep 0 ), (Id 1,ep 1 ) and ((P u ) 0,ep new 0 ), ((P u ) 1,ep new 1 ). (iii) The challenge andomly selects b fom {0, 1}; that is, b {0,1}. Then, the challenge calls (ep b,(c ep ) b ) Withdaw(Id b ) and (ep new b, (C ep new ) b ) Gant((P u ) b ) to acquie the pai (ep b,(c ep ) b ) and (ep new b,(c ep new ) b ). (iv) The AdV gives a guess b,andifb=b,thenoutputis 1; othewise, output is 0. Now, we educe this AdV to an advesay (AdV) b fo the BB signatue. Fistly, (AdV) b initializes a hash table H fo the simulation of the andom oacles O eg and O that ae employed by AdV. IfAdV queies (Id, ep) o (P u,ep new), (AdV) b would esot to H.Ifthequeyhasaleadybeenonthe table, (AdV) b would etun the coesponding value; if not, (AdV) b wouldsamplea(id, ep) o (P u,ep new) and place it in H and etun it in the end. When AdV queies a eputation signatue included in (Id, ep) o (P u,ep new), (AdV) b fowads the quey to BB-signing oacle O BB and etuns the esponse. Afte sufficient queies, AdV challenges the challenge using (Id 0,ep 0 ), (Id 1,ep 1 ),o((p u ) 0,ep new 0 ), ((P u ) 1,ep new 1 ). (AdV) b extacts the pai (ep 0,ep 1 )o (ep new 0,ep new 1 )andchallengesthebb-signingchallenge. The BB-signing challenge picks a numbe b in {0, 1}. (AdV) b then etuns (C ep ) b o (C ep new ) b to AdV. AdV makes aguessofb andgivesittothebb-signingchallengethough (AdV) b.ifb = b, then not only does AdV have the ability to foge a eputation cetificate but also (AdV) b can foge a

12 12 Mathematical Poblems in Engineeing BB signatue. Accoding to the above mentioned method, we educe AdV to (AdV) b, and we conclude that if the BB signatue is secue, then the eputation cetificate cannot be foged. Veifiable Reputation means that the eputation indeed belongs to the authenticated use. If the advesay can foge a pseudonym and the pseudonym can pass veification by the while the DA cannot open the pseudonym o only open it as an unegisteed identity, then we conclude that the advesay is successful. This popety is guaanteed by Hidden Identity-Based (HIB) Signatues [25]. Definition 10. If a pobabilistic polynomial-time advesay AdV has the advantage AdVantage Ve (λ) = P[(PiVK Ve (λ) = 1) 1/2], which is negligible in λ, then one concludes that the eputation value is veifiable. The expeiment PiVK Ve (λ) is defined as follows: (i) The egiste andom oacle O eg povides AdV with a Use identity, eputation value, and eputation cetificate, and the pseudonym andom oacle O Id povides AdV with a Use pseudonym P u. AdV obtains the public paametes p,g,g,g T,e as descibed in the Envionment Initialization stage. (ii) AdV geneates the pai (Id 0,(C Id ) 0,ep 0 ) and (Id 1,(C Id ) 1,ep 1 ) and then gives it to the challenge. (iii) The challenge andomly selects b fom {0, 1}; that is, b {0,1}. Then, he calls (P u ) b Gen Pny(Id b,(c Id ) b,ep b ) to acquie the pseudonym (P u ) b. (iv) AdV gives a guess of b, and if b = b, 1 Authenticate((P u ) b,(c ep ) b ) and De Anonymity((P u ) b,sk DA ) hold, and then output is 1; othewise, output is 0. Now, we assume that an advesay (AdV) H is against the HIB signatue. Using thee andom oacles, namely, the egistation andom oacle RegOacle(Id), the Use identity andom oacle CouptOacle(Id), andthesignatueoacle SignOacle(Id, cet id,m), (AdV) H acquies the Use identity, identity cetificate, and the signatue of a message signed by the Use. Moeove, these thee andom oacles can simulate O eg and O Id.In[36], the andom oacle CouptOAOacle() was used fo disclosing a pseudonym to pefom a ciphe text attack. Howeve, in this pape, we assume that the DA is tustwothy. Theefoe, we simulate only a plaintext attack. If AdV can disclose a pseudonym, then (AdV) H must be able to beak the HIB signatue. Now, we begin the pocess of educing AdV to (AdV) H. (AdV) H emoves the pat elevant to eputation fom (Id 0,(C Id ) 0,ep 0 ) and (Id 1,(C Id ) 1,ep 1 ) povided by AdV andthenpoceedswiththehibsignatue pocess. Duing the authentication pocess, we maintain a constant challenge facto σ. The eputation was included when σ was geneated. By analyzing the Σ-potocol, we know that σ is andomly selected, so its value does not affect the final esult of authentication. Finally, (AdV) H takes σ as a pseudonym (P u ) b and etuns it to AdV. (P u ) b contains the infomation egading a Use identity. AdV gives a guess of b, and if AdV can successfully foge a pseudonym, then (AdV) H can cack the HIB signatue with the same pobability. Nonepudiation means that, unde any cicumstances, the Use must admit that the eputation that has been submitted belongs only to the Use, and, theefoe, egadless of how low the eputation value, the Use can neve deny owneship. If the advesay has the ability to foge a pseudonym and thedaopensittofindthatitcoespondstoalegitimate egisteed use identity, then we conclude that the advesay is successful. Definition 11. If a pobabilistic polynomial-time advesay AdV has the advantage AdVantage ne (λ) = P[(PiVK ne (λ) = 1) 1/2], which is negligible in λ, then one concludes that the eputation value has the popety of Nonepudiation. The expeiment PiVK ne (λ) is defined as follows: (i) AdV is given the public paametes p,g,g,g T,e as descibed in the Envionment Initialization stage. The egiste andom oacle O eg povides AdV with a Use identity, eputation value, and eputation cetificate. The pseudonym andom oacle O Id povides AdV with a Use pseudonym P u. (ii) AdV geneates (Id 0,(C Id ) 0,ep 0 ) and (Id 1,(C Id ) 1, ep 1 ) andthengivesittothechallenge. (iii) The challenge andomly selects b fom {0, 1}; that is, b {0,1}. Then, the challenge calls (P u ) b Gen Pny(Id b,(c Id ) b,ep b ) to acquie the pseudonym (P u ) b. (iv) AdV gives a guess b, and if b = b, 1 Authenticate((P u ) b,(c ep ) b ) and 1 De Anonymity((P u ) b,sk DA ) ae tue, and then output is 1; othewise, output is 0. The method that educes AdV to an advesay fo the HIB signatue is equivalent to the method used in the analysis of Veifiable Reputation. We theefoe omit the educing pocess Secue Anonymity. In addition to the afoementioned eputation secuity, it is necessay to conside the secuity of anonymity. To this end, we assume that the IdP is not safe;namely,itspivatekeyscanbeleaked.also,weassume that the IdP and can collude togethe to compomise anonymity. These assumptions comply with the actual situation, fo the IdP and may belong to the same institution. Howeve, in the Reputation Calculation pocess, we assume that pivate keys in the possession of the IdP cannot be leaked totheusebutcanbeleakedtothebecauseeputation is used to constain the Use, and the IdP and Use ae antithetical. Anonymity secuity includes the unlinkability not only between pseudonyms (denoted as P u -unlinkability) but also between a pseudonym and a Use Id (denoted as Id-P u - unlinkability). P u -unlinkability includes the unlinkability betweenthepseudonymsofthesameuseandtheunlinkability between the pseudonyms of diffeent uses.