Graduate School of Science and Technology, University of Tsukuba, Tsukuba, Japan.
Faculty of Engineering, Information and Systems, University of Tsukuba, Tsukuba, Japan.
PLoS One. 2024 Sep 12;19(9):e0310094. doi: 10.1371/journal.pone.0310094. eCollection 2024.
In the development of web applications, the rapid advancement of Internet technologies has brought unprecedented opportunities and increased the demand for user authentication schemes. Before the emergence of blockchain technology, establishing trust between two unfamiliar entities relied on a trusted third party for identity verification. However, the failure or malicious behavior of such a trusted third party could undermine such authentication schemes (e.g., single points of failure, credential leaks). A secure authorization system is another requirement of user authentication schemes, as users must authorize other entities to act on their behalf in some situations. If the transfer of authentication permissions is not adequately restricted, security risks such as unauthorized transfer of permissions to entities may occur. Some research has proposed blockchain-based decentralized user authentication solutions to address these risks and enhance availability and auditability. However, as we know, most proposed schemes that allow users to transfer authentication permissions to other entities require significant gas consumption when deployed and triggered in smart contracts. To address this issue, we proposed an authentication scheme with transferability solely based on hash functions. By combining one-time passwords with Hashcash, the scheme can limit the number of times permissions can be transferred while ensuring security. Furthermore, due to its reliance solely on hash functions, our proposed authentication scheme has an absolute advantage regarding computational complexity and gas consumption in smart contracts. Additionally, we have deployed smart contracts on the Goerli test network and demonstrated the practicality and efficiency of this authentication scheme.
在 Web 应用程序的开发中,互联网技术的飞速发展带来了前所未有的机遇,并增加了对用户身份验证方案的需求。在区块链技术出现之前,建立两个陌生实体之间的信任依赖于可信第三方进行身份验证。然而,这样的可信第三方的故障或恶意行为可能会破坏这种身份验证方案(例如,单点故障、凭据泄露)。安全授权系统是用户身份验证方案的另一个要求,因为在某些情况下,用户必须授权其他实体代表其行事。如果对身份验证权限的转移没有进行充分的限制,则可能会发生权限未经授权转移到实体等安全风险。一些研究提出了基于区块链的去中心化用户身份验证解决方案来应对这些风险,并提高可用性和可审计性。然而,正如我们所知,大多数允许用户将身份验证权限转移给其他实体的提议方案在智能合约中部署和触发时需要大量的 gas 消耗。为了解决这个问题,我们提出了一种仅基于哈希函数的可转移性身份验证方案。通过将一次性密码与 Hashcash 相结合,该方案可以在确保安全性的同时限制权限可以被转移的次数。此外,由于我们的提议方案仅依赖于哈希函数,因此在智能合约的计算复杂性和 gas 消耗方面具有绝对优势。此外,我们已经在 Goerli 测试网络上部署了智能合约,并展示了这种身份验证方案的实用性和效率。
