Metaverse Authentication: Privacy-Preserving Cross-Metaverse Scheme

2022 IEEE Smartworld, Ubiquitous Intelligence & Computing, Scalable Computing & Communications, Digital Twin, Privacy Computing, Metaverse, Autonomous & Trusted Vehicles (SmartWorld/UIC/ScalCom/DigitalTwin/PriComp/Meta) | 979-8-3503-4655-8/22/$31.00 ©2022 IEEE | DOI: 10.1109/SmartWorld-UIC-ATC-ScalCom-DigitalTwin-PriComp-Metaverse56740.2022.00340
Yingying Yao
Beijing Key Laboratory of Security and
Privacy in Intelligent Transportation
Beijing Jiaotong University
Beijing, China
yyyao@bjtu.edu.cn
Xiaolin Chang
Beijing Key Laboratory of Security and
Privacy in Intelligent Transportation
Beijing Jiaotong University
Beijing, China
xlchang@bjtu.edu.cn
Lin Li
Beijing Key Laboratory of Security and
Privacy in Intelligent Transportation
Beijing Jiaotong University
Beijing, China
lilin@bjtu.edu.cn
Jiqiang Liu
Beijing Key Laboratory of Security and
Privacy in Intelligent Transportation
Beijing Jiaotong University
Beijing, China
jqliu@bjtu.edu.cn
Computer Science Department
Ryerson University
Toronto, Ontario, Canada
jmisic@ryerson.ca
Computer Science Department
Ryerson University
Toronto, Ontario, Canada
vmisic@ryerson.ca
Abstract: The recent advances of emerging technologies
including artificial intelligence, 5G, 6G, extended reality and
blockchain promote the rapid development of the next-generation
Internet. As an evolving paradigm of the next-generation Internet,
the metaverse, a fully immersive, hyper spatiotemporal and
self-sustaining virtual shared space, is moving from imagination to
the coming reality. However, its massive data flow, pervasive
user profiling activities and other intrinsic features can lead to
many security and privacy concerns, which will hinder its
further deployment. Specifically, since the identities of
users/avatars in the metaverse can be illegally stolen or
impersonated, and interoperability issues can be encountered in
authentication across metaverses, this paper designs a
lightweight and privacy-preserving seamless cross-metaverse
authentication and key agreement scheme named Metaverse-AKA
to meet these challenges. Metaverse-AKA can not only
realize seamless cross-metaverse authentication but also
assure the users' privacy by achieving anonymity and
unlinkability. In addition, Metaverse-AKA has the
following advantages: (i) realizing traceability for users in
the physical world; (ii) resistance to multiple attacks like
impersonation attack, man-in-the-middle attack and replay
attack; (iii) adopting lightweight cryptographic primitives and
having better performance, as shown through experimental
verification and comparison.
Keywords: metaverse, privacy-preserving, cross-metaverse
authentication, lightweight, seamless
I. INTRODUCTION
Metaverse is a virtual shared space integrating physics,
human beings and the digital world. It takes digital life as its
basic form. Metaverse is defined as a large-scale interoperable
network of real-time 3D virtual worlds in some studies [1].
2021 can be called the first year of the metaverse. In this year,
relevant elements in the meta universe were gathered. In
October of the same year, Facebook officially changed its
name to Metaverse. The metaverse has gradually become a
new specification for social networks and three-dimensional
(3D) virtual worlds, where users can live like digital natives
and experience another life in the virtual world. In addition to
the field of social networks, it has great potential in the
industrial, commercial, educational, medical, military and
government sectors [2].
Although the metaverse has great development potential and
bright prospects, security and privacy issues will be the main
issues that limit its further development [3]. In this paper, we
focus on the threats to authentication in the metaverse. Firstly, the
identities of users/avatars in the metaverse are at risk of being
illegally stolen, which can be more serious than in
traditional information systems since the identity
is associated with vital private information including digital
life, digital assets, social relationships and so on. Once the
identity in the metaverse is stolen, this vital private information
will also be disclosed. In the OpenSea non-fungible token (NFT)
marketplace, 17 users were attacked,
resulting in a loss of $1.7 million in 2022 [4]. Secondly,
authorized users in the metaverse may be subject to
impersonation attacks. When an attacker carries out an
impersonation attack against an authorized user, the attacker can access
the services of the metaverse and leverage the user's legal
identity to do illegal things in the virtual world. For example,
attackers impersonate trusted endpoints through Bluetooth
impersonation attacks [5] and insert a malicious wearable
device into the established Bluetooth pairing to gain illegal
access to the metaverse services. Thirdly, it is very important
for users/avatars to conduct trusted and interoperable asset
exchange and seamless avatar transfer in different metaverses,
for example, between Roblox and Fortnite. In addition,
identity authentication across distinct metaverses (services run
by distinct virtual service providers) is critical to deliver
seamless metaverse services for users. Thus, ensuring
lightweight and trusted cross-metaverse identity
authentication is a challenge for the wide deployment of the
metaverse.
Many cross-domain authentication schemes in different
fields have been put forward. For example, Shen et al. [6]
proposed a blockchain-assisted secure device authentication
Authorized licensed use limited to: Sogang University Loyola Library. Downloaded on May 29,2024 at 06:07:17 UTC from IEEE Xplore. Restrictions apply.
for cross-domain industrial Internet of Things, and Chen et al.
[7] put forward XAuth, an efficient privacy-preserving
cross-domain authentication scheme based on
public key infrastructure. However, the existing cross-domain
authentication schemes in different fields did not consider the
key characteristics of the metaverse and cannot be
directly applied to identity authentication in the metaverse.
The technology of identity authentication for the metaverse is still
in the exploratory stage and is a promising topic [3].
Therefore, facing the above-mentioned authentication
challenges in the metaverse, this paper designs a lightweight and
privacy-preserving seamless cross-metaverse authentication
and key agreement scheme (Metaverse-AKA). The
contributions of this paper are as follows.
1) Metaverse-AKA scheme provides the services of
mutual authentication and seamless cross-metaverse
authentication.
2) Metaverse-AKA scheme assures the users' privacy by
achieving the anonymity and unlinkability.
3) Metaverse-AKA scheme realizes the traceability. The
users whose avatars in the virtual world have illegal behavior like
money laundering can be traced in the physical world.
4) Metaverse-AKA scheme can withstand the well-known
security attacks including impersonation attack,
man-in-the-middle attack and replay attack.
5) Metaverse-AKA scheme is lightweight through
adopting simple cryptographic primitives and achieving
seamless cross-metaverse authentication.
The structure of the rest of the paper is as follows. Section II
introduces the preliminaries. Section III describes the system
model and threat model. The details of our proposed
Metaverse-AKA scheme are presented in Section IV. Section V
analyzes the features of security and evaluates the
performance of Metaverse-AKA scheme. Section VI
summarizes the whole paper.
II. PRELIMINARIES
This section introduces the concepts used in our proposed
scheme.
A. Decentralized Identifiers (DID)
DID is a type of decentralized identifier without a
centralized trusted issuer. DID is generated and controlled by
the users themselves, which gives a user full control
and ownership of his/her identity [8]. A user can generate
multiple different DIDs to be used for different applications
or activities to prevent being tracked. A DID of a user can be
parsed into a DID document, which contains information
describing the user, f
public key. W3C
[9]. For more information
about DID, please refer to the standard.
B. Verifiable Credential (VC)
Since there is no centralized trusted issuer of the identities
and the DID is generated by the user, a proof is required to
verify the validity of the DID. VC can provide the function of
the proof. It is tamper-resistant, reliable and transmitted
quickly because VCs are digital and signed by a trusted
authority. VC is more suitable for long-distance mutual trust
building [8].
C. Elliptic-Curve Cryptography (ECC)
Let denote a large prime integer,
be an cyclic group
with generator (base point) , and its order is .
Elliptic curve discrete logarithm problem (ECDLP)
[10]: Given two points
, finding an
such
that
is computationally infeasible.
III. SYSTEM MODEL AND THREAT MODEL
This section details the system model and threat model of
our proposed scheme.
A. System Model
The simplified system model is shown in Fig. 1, and it
includes three entities, which are users, avatars and the
metaverse. Their roles and responsibilities are as follows.
Fig. 1. System model
Trusted Issuer (TI). TI is fully trusted and it offers the root
of trust for the system. At the same time, TI is responsible for
issuing VCs for users.
User (U). Users wearing smart wearable devices such as
VR/AR helmets can control their digital avatars through
extended reality (XR) and human-computer interaction (HCI)
technologies to socialize, work, play and interact with other
avatars or virtual entities in the metaverse.
Avatar (A).
metaverse. And users can create various avatars in different
sub-metaverses. In addition, an avatar can cross different
sub-metaverses for different metaverse services.
Metaverse. The metaverse can consist of multiple
interconnected distributed sub-metaverses (SMs), and each
sub-metaverse can provide specific kinds of virtual
environments, virtual services and virtual goods for avatars,
for example, virtual cities, virtual museum, NFT and so on.
For more details about the architecture and components of the
metaverse, refer to ISO/IEC 23005 [11] and IEEE 2888
standards [12]. When an avatar would like to enjoy the
services, the sub-metaverse needs to authenticate it.
stored in its DID document, which is recorded on the
blockchain. Finally, TI keeps
secretly and publishes the
public parameters
.
B. Threat Model
The threat model adopted in this paper is the CK-model [13].
In the model, the main objective of the attacker is to gain
unauthorized access to the metaverse. The attacker tries
to acquire sensitive information through passive or active
attacks on the information exchanged between the
communication parties through the common channel. The
attacker can monitor all traffic on the Internet. In addition, the
following conditions are also considered.
For each sub-metaverse, unique keys are used to limit
the damage of an attack.
The sub-metaverses can collude with each other, but
determining the true identity of a user is impossible.
A pseudo-identity cannot be linked to the DID, and
different pseudo-identities cannot be linked to the same
user.
B. Registration Phase
This phase focuses on the registration process of users and
sub-metaverses, which is only executed once. Here we take
and
as representation to introduce the registration
process.
1) User Registration
In this phase, the user
registers with TI to obtain the
VCs of his/her identities and public key, and the
communication is through a secure channel.
Firstly,
, and then randomly selects
as its
private key and computes its corresponding public key
. Then it submits the message
containing its real identity
IV. USING THE TEMPLATE
This section details our proposed scheme, which consists
of seven phases: Initialization Phase, Registration Phase,
Avatar Creation Phase, User Login Phase, Mutual
Authentication Phase, Cross-Metaverse Authentication Phase,
and Tracing Phase. TABLE I gives the symbols used in our
scheme. The description of each phase is as follows.
TABLE I
generates a set of unlinkable pseudo-identities
RIDU i , a set of pseudo-identities
and current timestamp
keeps its private key
to TI. At the same time,
secretly.
When receiving the message
authenticity of the real identity
timestamp
SYMBOLS
, public key
from , TI verifies the
and the validity of the
. If the checks pass, TI first calculates
and signs and
with its private key
to get the signature
. Then TI
calculates
signs
,
and
with its private key
signatures
returns
,
and
to
and
and
to get the
. Then TI
, where
. At the
same time, TI stores the tuple
.
After receiving the
denoted as
denoted as
private key. Its corresponding public key
containing its public key is
2) Sub-metaverse Registration
Similarly, the communication between the sub-metaverse
and TI is also through a secure channel during the
registration process.
. After that, TI generates its DID
, and then randomly selects
generates its DID
stored in its DID document, which is recorded on the
blockchain.
A. Initialization Phase
To initialize the system, firstly, TI inputs security
parameter
to generate a cyclic group
with base point
and prime order q, and initializes a cryptographic hash
function
. The
,
as its
is
Firstly,
key
randomly selects
and
as its private
computes its corresponding
. Then it submits
containing its real identity
public
, which is stored in
key
device.
D. User Login Phase
When a user
would like to enter a sub-metaverse
using the avatar
,
needs to input his/her DID
, public key
and current timestamp
to TI. At the same time,
keeps its private key
secretly.
, password
When receiving
from
TI verifies the authenticity of the real identity
and biometrics
smart wearable device to initiate the login request.
,
Firstly,
and the
inputs
,
validity of the timestamp
. If the checks pass, TI
calculates
and signs
and
with
wearable device calculates
its private key
the device will check if
,
to get the signature
. Then TI returns
.
denoted as
,
. The
,
generates its DID
containing its public key is
chooses
a
pseudo-identity
and
, parameters
the
,
Then
and
to
same session key
securely.
and returns
from
,
and
of the created avatar by
to enjoy the metaverse services in
F. Cross-Metaverse Authentication Phase
When the user
would like to move its avatar
from sub-metaverse
to another sub-metaverse
. To
realize seamless access to metaverse services in the other sub-metaverse, the cross-metaverse authentication process needs
to be performed.
computes
. Then the parameter
in
, the device computes
holds. If the equation does not hold, the process
will be terminated. Otherwise, the mutual authentication is
finished and
can communicate with
through the
.
After receiving
returns the message
.
and checks if
.
stores
and
verifies
,
,
satisfies. If the
n 2 ) . After that,
calculates
Ui
then it checks if
to the device of
by searching the DID of TI on the blockchain. After
successful
verification,
[VC TI ]x
. And
After receiving
,
first calculates
and
compute
sends
through a secure channel.
When receiving the request and
,
.
equation does not hold, the process will be terminated.
Otherwise,
will randomly choose
, and
set
with an avatar creation
request to
to
When receiving
, and
. After that,
, extracts
. After that, it sends
the message
. Then
from
satisfies. If
, and calculates
, a random number
and inputs its biometrics (e.g., iris)
, and then
. Then, it randomly selects
C. Avatar Creation Phase
This phase is the process of a user creating an avatar in a
sub-metaverse. Still, we take
and
as representation
to introduce this process.
chooses a password
, the smart
E. Mutual Authentication Phase
After
initializing the smart wearable device, the
device searches the blockchain to get the DID of
, that is
stored in its DID document, which is recorded on the
blockchain.
Firstly,
and
the equation holds, the smart wearable device is initialized.
to
After receiving the
into his/her
is
Firstly,
searches the blockchain for the DID of
that is
,
, and then it randomly selects
which requires the attacker can get the
and
and biometrics
to
through the secure channel established with the
session key
.
of
Secondly, only TI knows the real identity of the user
in the scheme, and TI is a fully trusted issuer, who is assumed
not to disclose any information of users. And all the SMs
cannot obtain any identifiable information of a user, including
utilizes the public key
stored in
to encrypt
and obtains the ciphertext
. After that,
the unlinkable pseudo-identity PDID through
sends
to
. At
the same time, it returns a confirmation message to
Then
and decrypt the ciphertext
.
ciphertext
and calculates its
Acquiring the private key is infeasible for the attacker
according to the ECDLP.
using
Afterwards,
sends the message
in mutual
authentication phase and cross-metaverse authentication
phase respectively. Even if a sub-metaverse
discloses
the current PDID of the user to an attacker, the attacker still
requires
and private key
to construct
.
computes
. After that, it randomly selects
. It is very difficult for the
attacker to obtain this information, especially biometric
information like iris.
sends a cross-metaverse request
After receiving the request,
of
, password
to
Therefore, the proposed Metaverse-AKA scheme is
resistant to impersonation attack.
and calculates the session key
.
2) Resistance to man-in-the-middle attack
will use its private key
received from
to decrypt
Since an attacker can listen to all exchanged messages
between users and SMs on the public channel, there is risk of
man-in-the-middle attack. In Metaverse-AKA scheme, the
exchanged messages over public channel between a user
and a sub-metaverse
include
and
. Then it calculates
and compares it with
received from
. If
they are equal, it will continue using its private key
decrypt
received from
key with
, that is
In this way,
to
in mutual authentication phase. The attacker
can obtain and understand the values in the above messages,
where
,
and calculate the same session
.
and
can use the new session key
and
sk ' that only they know to communicate securely.
. However, the
SM j
G. Tracing Phase
When an avatar has some illegal behaviors, for example,
money laundering, the SM will furnish the
,
value of and
cannot be acquired by the attacker, who
cannot utilize the values to compute the parameters to reply to
the communicating parties and also cannot get the exchanged
messages encrypted with .
and additional evidence to TI for arbitration. TI will find the
tuple
to trace and
Therefore, Metaverse-AKA scheme is resistant to man-in-the-middle attack.
3) Resistance to replay attack
punish the user in physical world.
The attacker may try to utilize the previously sent message
to perform replay attack. Also during the mutual
authentication phase and cross-metaverse authentication
phase, the messages that can be replayed include
,
,
V. SECURITY AND PERFORMANCE ANALYSIS
This section first discusses the features of Metaverse-AKA in terms of security and privacy. Then the performance
is evaluated.
A. Security Analysis
The proposed scheme satisfies the following features of
security and privacy.
and
. But even if the attacker
replays the above messages to the communication parties, it
still cannot get
, ,
and n 4 to compute
and
1) Resistance to impersonation attack
. The process will be terminated.
Firstly, if an attacker wants to impersonate a legitimate
user
, it needs to first log on to the smart wearable device,
sk
Therefore, Metaverse-AKA scheme is resistant to replay
attack.
4) Anonymity, unlinkability and traceability
Firstly, as mentioned above, only TI knows the real
identity of the user
in the scheme, and TI is a fully trusted
issuer, who is assumed not to disclose any information of
users.
Secondly, each avatar of a user has its own PDID with
a unique VC in the avatar creation phase. Thus the PDIDs cannot
be linked to each other and also cannot be linked to the DID of the
user. In addition, SMs can get the PDID through
PDIDUx i h5
and decrypt the
ciphertext
in mutual authentication phase and cross-metaverse
authentication phase respectively. Even if SMs
collude, they only can get the avatars corresponding to the
to a same user.
Thirdly, according to the introduction of tracing phase in
Section IV.G, the users with illegal behaviors can be traced.
Therefore, the proposed Metaverse-AKA scheme satisfies
anonymity, unlinkability and traceability.
5) Seamless cross metaverse
As described in Section IV.F, when an avatar of a
user wants to access services of another sub-metaverse, it
does not need to repeat the mutual authentication process. The
current SM will assist the avatar to establish a new session
key with another SM and the current SM cannot know the
session key, which realizes the seamless cross metaverse and
new communication secrecy.
Therefore, Metaverse-AKA scheme realizes seamless
cross metaverse.
B. Performance Analysis
This sub-section first measures the cryptographic
operations used in Metaverse-AKA scheme. Then we
evaluate the performance of our proposed scheme in terms of
computation and communication overhead to illustrate that
Metaverse-AKA scheme has better efficiency.
1) Experimental settings
We measure the basic cryptographic operations on a
personal computer, the configuration of which is presented
in TABLE II.
TABLE II EXPERIMENTAL CONFIGURATIONS
The experiment is implemented by using Go language
based on package bn256 [14] and golang elliptic library [15].
The hash function adopted in the experiment is SHA-256.
The parameter settings in the scheme include a 32-bit
timestamp, 160-bit RID/DID/PDID and a 128-bit random number.
Each relevant cryptographic operation is performed 1000
times on the experiment platform. The average execution time
of each operation is presented in TABLE III.
TABLE III COSTS OF CRYPTOGRAPHIC OPERATIONS (MS)
Symbols    Operations                              Costs
           Point scalar multiplication in          0.698
           Hash operation (SHA-256)                0.000508
           Signature generation (ECDSA)            0.10265
           Signature verification (ECDSA)          0.10305
           Asymmetric encryption (EC-ElGamal)      1.458
           Asymmetric encryption (EC-ElGamal)      0.729
           Exclusive OR                            -
2) Computation Overhead
In Initialization Phase, TI needs to perform one point
scalar multiplication operation, that is
ms. The
users and SMs have no operations.
In Registration Phase, TI needs to perform
hash
operations and
signature generation operations, that
is
ms. A user and
a SM each need to perform one point scalar multiplication
operation, that is
ms.
In Avatar Creation Phase, TI has no operations. To create
an avatar, a user needs to perform three hash operations and
two exclusive OR operations, that is
ms.
A SM needs to perform four hash operations and one
exclusive OR operation, that is
ms.
In User Login Phase, TI and SMs have no operations. A
user also needs to perform three hash operations and two
exclusive OR operations, that is
ms.
In Mutual Authentication Phase, TI has no operations. A
user also needs to perform four hash operations and two
exclusive OR operations, that is
ms. A
SM needs to perform five hash operations and one exclusive
OR operation, that is
ms.
In Cross-Metaverse Authentication Phase, TI has no
operations. A user also needs to perform two hash operations
and one asymmetric encryption operation, that is
ms. A SM needs to perform two hash operations, one
asymmetric encryption operation and two asymmetric
decryption operations, that is
ms.
There is no computation operation in Tracing Phase.
TABLE IV presents the computation overhead of TI, a
user and a SM.
From the results in TABLE IV, we can see that our
proposed Metaverse-AKA scheme is lightweight. A user only
needs 1.459 ms to finish the cross-metaverse authentication
phase, which has better efficiency than 47.896 ms in scheme
of [6] and 9 ms in scheme [7].
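The cross-metaverse handover of Sections IV.F and V.A.5, in which the current sub-metaverse relays material it cannot read so that the avatar and the target sub-metaverse end up with a fresh session key, is sketched below as an added Go example; it is not code from the paper. Assumptions: hashed ElGamal (ephemeral ECDH on P-256 plus AES-GCM) stands in for the paper's EC-ElGamal, the derivation sk' = SHA-256(PDID || n) and the names NewKey, Seal, Open, UserHandover and TargetAccept are hypothetical, and the message carries only a 160-bit PDID and a 128-bit random number.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// NewKey generates a P-256 key pair (used for sub-metaverses and ephemeral keys).
func NewKey() *ecdh.PrivateKey {
	k, err := ecdh.P256().GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// aeadFor derives an AES-256-GCM instance from the ECDH secret and ephemeral public key.
func aeadFor(priv *ecdh.PrivateKey, peer *ecdh.PublicKey, ephPub []byte) (cipher.AEAD, error) {
	shared, err := priv.ECDH(peer)
	if err != nil {
		return nil, err
	}
	key := sha256.Sum256(append(shared, ephPub...))
	block, _ := aes.NewCipher(key[:]) // cannot fail: the key is always 32 bytes
	return cipher.NewGCM(block)
}

// Seal encrypts msg to pub. Assumption: hashed ElGamal (ephemeral ECDH + AES-GCM)
// stands in for the paper's EC-ElGamal; output is ephemeral public key || ciphertext.
func Seal(pub *ecdh.PublicKey, msg []byte) ([]byte, error) {
	eph := NewKey()
	ephPub := eph.PublicKey().Bytes()
	aead, err := aeadFor(eph, pub, ephPub)
	if err != nil {
		return nil, err
	}
	return aead.Seal(ephPub, make([]byte, aead.NonceSize()), msg, nil), nil // zero nonce: key is single-use
}

// Open reverses Seal; it fails for any private key other than the recipient's.
func Open(priv *ecdh.PrivateKey, blob []byte) ([]byte, error) {
	if len(blob) < 65 { // 65 bytes = uncompressed P-256 point
		return nil, errors.New("ciphertext too short")
	}
	ephPub, err := ecdh.P256().NewPublicKey(blob[:65])
	if err != nil {
		return nil, err
	}
	aead, err := aeadFor(priv, ephPub, blob[:65])
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, make([]byte, aead.NonceSize()), blob[65:], nil)
}

// UserHandover builds the blob that the current SM relays to the target SM,
// and returns the user's copy of the new session key sk'.
func UserHandover(pdid []byte, targetPub *ecdh.PublicKey) (blob, sk []byte, err error) {
	n := make([]byte, 16) // 128-bit random number, as in the paper's parameter settings
	if _, err = rand.Read(n); err != nil {
		return nil, nil, err
	}
	pt := append(append([]byte{}, pdid...), n...)
	k := sha256.Sum256(pt) // hypothetical derivation: sk' = SHA-256(PDID || n)
	blob, err = Seal(targetPub, pt)
	return blob, k[:], err
}

// TargetAccept is run by the target SM on the relayed blob.
func TargetAccept(priv *ecdh.PrivateKey, blob []byte) (pdid, sk []byte, err error) {
	pt, err := Open(priv, blob)
	if err != nil || len(pt) != 20+16 { // 160-bit PDID followed by 128-bit n
		return nil, nil, errors.New("handover rejected")
	}
	k := sha256.Sum256(pt)
	return pt[:20], k[:], nil
}

func main() {
	smJ, smK := NewKey(), NewKey() // constructed identities: current SM_j and target SM_k
	blob, skUser, _ := UserHandover(make([]byte, 20), smK.PublicKey())
	_, skK, _ := TargetAccept(smK, blob)
	_, _, errJ := TargetAccept(smJ, blob)
	fmt.Println("keys match:", string(skUser) == string(skK), "| relay rejected:", errJ != nil)
}
```

The relaying sub-metaverse sees only the blob, so it can forward or drop the request but cannot derive sk'; the AEAD tag makes the target reject a blob that was modified in transit.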
TABLE IV COMPUTATION OVERHEAD (MS)
                                        Entity
Phase                                   TI              User      SM
Initialization Phase                    0.698           -         -
Registration Phase                      0.103(N+2)      0.698     0.698
Avatar Creation Phase                   -               0.0015    0.002
User Login Phase                        -               0.0015    -
Mutual Authentication Phase             -               0.002     0.0025
Cross-Metaverse Authentication Phase    -               1.459     2.917
Total                                   0.103N+0.904    2.162     3.6195
3) Communication Overhead
Firstly, there is no communication cost in Initialization
Phase, User Login Phase and Tracing Phase.
In Registration Phase, a user sends
-bit
message to TI and receives
-bit message
from TI. A SM sends 704-bit message to TI and receives
1024-bit message from TI.
In Avatar Creation Phase, a user sends 1440-bit message
to a SM and receives 768-bit message from the SM.
In Mutual Authentication Phase, a user sends 640-bit
message to a SM and receives 384-bit message from the SM.
In Cross-Metaverse Authentication Phase, a user sends
1216-bit message to SMs. And a SM sends 512-bit message
to another SM.
Therefore, the communication overhead in our scheme is
significantly smaller than 1,536 bytes in scheme of [6] and
288 bytes in scheme [7], which are not in an order of
magnitude.
To sum up, Metaverse-AKA scheme has better efficiency.
VI. CONCLUSION
This paper designs a lightweight and privacy-preserving
seamless cross-metaverse authentication and key agreement
scheme (Metaverse-AKA) for metaverse. Our proposed
Metaverse-AKA scheme can provide seamless cross-metaverse
authentication and assure the users' privacy by achieving the
anonymity and unlinkability. In
addition, Metaverse-AKA scheme also can trace the users of
the physical world with illegal behaviors in virtual world.
Metaverse-AKA
scheme can resist multiple attacks like impersonation attack,
man-in-the-middle attack and replay attack. Finally, the
proposed scheme is lightweight: it adopts lightweight
cryptographic primitives, and experiments were conducted to
evaluate the performance of our scheme.
ACKNOWLEDGMENT
This work was supported by Henan Key Laboratory of
Network Cryptography Technology under Grant LNCT2020A07 and National Key Research and Development Program
of China under Grant 2020YFB2103802.
REFERENCES
[1] Matthew Ball. "Framework for the Metaverse." MatthewBall.vc, https://www.matthewball.vc/all/forwardtothemetaverseprimer. (Accessed at Aug. 15, 2022).
[2] Thippa Reddy Gadekallu, Thien Huynh-The, Weizheng Wang, Gokul Yenduri, Pasika Ranaweera, Quoc-Viet Pham, Daniel Benevides da Costa, and Madhusanka Liyanage. "Blockchain for the Metaverse: A Review." arXiv preprint arXiv:2203.09738 (2022).
[3] Yuntao Wang, Zhou Su, Ning Zhang, Dongxiao Liu, Rui Xing, Tom H. Luan, and Xuemin Shen. "A Survey on Metaverse: Fundamentals, Security, and Privacy." arXiv preprint arXiv:2203.02662 (2022).
[4] Nate Nelson. "NFT Investors Lose $1.7M in OpenSea Phishing Attack." https://threatpost.com/nft-investors-lose-1-7m-in-opensea-phishing-attack/178558/. (Accessed at Aug. 15, 2022).
[5] Daniele Antonioli, Nils Ole Tippenhauer, and Kasper Rasmussen. "BIAS: Bluetooth Impersonation Attacks." In 2020 IEEE Symposium on Security and Privacy (SP), pp. 549-562. IEEE, 2020.
[6] Meng Shen, Huisen Liu, Liehuang Zhu, Ke Xu, Hongbo Yu, Xiaojiang Du, and Mohsen Guizani. "Blockchain-assisted Secure Device Authentication for Cross-domain Industrial IoT." IEEE Journal on Selected Areas in Communications 38, no. 5 (2020): 942-954.
[7] Jing Chen, Zeyi Zhan, Kun He, Ruiying Du, Donghui Wang, and Fei Liu. "XAuth: Efficient Privacy-Preserving Cross-domain Authentication." IEEE Transactions on Dependable and Secure Computing (2021).
[8] Rohini Poolat Parameswarath, Prosanta Gope, and Biplab Sikdar. "User-empowered Privacy-preserving Authentication Protocol for Electric Vehicle Charging based on Decentralized Identity and Verifiable Credential." ACM Transactions on Management Information Systems (TMIS) (2022).
[9] Decentralized Identifiers (DIDs). https://www.w3.org/TR/did-core/. (Accessed at Aug. 15, 2022).
[10] Darrel Hankerson, Alfred J. Menezes, and Scott Vanstone. "Guide to Elliptic Curve Cryptography." Springer Science & Business Media, 2006.
[11] ISO/IEC 23005 (MPEG-V) Standards. https://mpeg.chiariglione.org/standards/mpeg-v. (Accessed at Aug. 15, 2022).
[12] IEEE 2888 Standards. https://sagroups.ieee.org/2888/. (Accessed at Aug. 15, 2022).
[13] Ran Canetti, and Hugo Krawczyk. "Universally Composable Notions of Key Exchange and Secure Channels." In International Conference on the Theory and Applications of Cryptographic Techniques, pp. 337-351. Springer, Berlin, Heidelberg, 2002.
[14] Package bn256. https://godoc.org/github.com/cloudflare/bn256.
[15] Golang elliptic library. https://github.com/glycerine/fast-elliptic-curve-p256.git.