Secure and Privacy-Preserving Authentication Scheme Using Decentralized Identifier in Metaverse Environment

Abstract: The metaverse provides a virtual world with many social activities that parallel the real world. As the metaverse attracts more attention, the importance of security and privacy preservation is increasing significantly. In the metaverse, users have the capability to create various avatars, which can be exploited to deceive or threaten others, leading to internal security issues. Additionally, users attempting to access the metaverse are susceptible to various external security threats since they communicate with service providers through public channels. To address these challenges, we propose an authentication scheme using blockchain, a decentralized identifier, and a verifiable credential to enable metaverse users to perform secure identity verification and authentication without disclosing sensitive information to service providers. Furthermore, the proposed approach mitigates privacy concerns associated with the management of personal information by enabling users to prove the necessary identity information independently without relying on service providers. We demonstrate that the proposed scheme is resistant to malicious security attacks and provides privacy preservation by performing security analyses, such as AVISPA simulation, BAN logic, and the real-or-random (ROR) model. We also show that the performance of our proposed scheme is better suited for the metaverse environment by providing greater security and efficiency when compared to competing schemes.


Introduction
Various advanced technologies are rapidly evolving and being invented, leading to the emergence of the metaverse concept, which is envisioned as the next iteration of the Internet. The metaverse is a virtual realm that parallels the physical world, where people engage with the metaverse using wearable devices (such as virtual reality (VR)/augmented reality (AR) devices) and manipulate digital avatars to engage with others. Furthermore, the advancement of cutting-edge communication and networking technologies, including wireless networks and 5G technology, plays an important role in moving the metaverse forward by enabling low-latency, high-speed, and reliable data exchange between devices and the network. In addition, AI technology contributes to automating the creation of virtual environments and digital items, and extracting valuable insights from the vast amount of data generated within the metaverse [1,2]. Blockchain, serving as a trust infrastructure in decentralized distributed networks, enables individual-centric digital asset transactions for metaverse users, not tied to traditional service providers' platforms. It can also contribute to achieving the compatibility of individual services held by various virtual spaces (or service providers) within the metaverse [3]. The metaverse is anticipated to bring about great innovation in various aspects of life, including e-commerce, medical, education, entertainment, smart factory and other social services [4,5].
In the metaverse, users can create avatars to represent themselves virtually, and they can access various services through these avatars. However, in the current metaverse application, users possess the freedom to create any avatar to serve as their virtual representation, irrespective of their real-world identity. This characteristic presents avenues for malicious users to fabricate a similar avatar and cause serious security problems, such as identity leakage, theft, and virtual asset fraud during avatar interactions. In addition, issues such as stalking, harassment, and sexual assault can pose a threat to users by manipulating the avatar, as well as the potential privacy threat of using AI technology to monitor users, make inferences about them, or engage in impersonation [6][7][8]. Furthermore, users need to exchange their information and data with third parties to access services offered in various virtual worlds within the metaverse. However, due to the aforementioned characteristics, the identity information of the third parties using the user's information is often unclear, making interactions for users challenging. Examples include qualifications to provide professional services such as medical or educational services, or adult verification to use certain data. Therefore, it is essential to design an authentication scheme that allows users to safely use services in the metaverse and remain secure from other security threats.
In the current metaverse application, users have no direct means to verify whether other avatars are malicious, so they need help from the metaverse service provider. In the process of tracking these manipulators, the service provider mainly utilizes the manipulator's account and password as clues to track the manipulator from a specific avatar identity [9]. However, employing password-dependent methods means that any player who knows the account password can successfully gain access, so if a malicious user obtains the password illegally through various means, he/she can log in illegally and manipulate the avatar of a legitimate player. For more secure user identification and assurance on the metaverse, users can provide a lot of personal information to service providers. However, service providers that collect sensitive information, such as users' voices and motions generated in the metaverse, can abuse this personal information and cause users' privacy violations and huge losses through advertisements, personal tracking, fraud, illegal use, etc. In addition, the users and platform servers communicate through public channels in metaverse environments. Thus, an external adversary can attempt to eavesdrop and forge messages transmitted over public channels and attempt various security attacks, including masquerade, replay and man-in-the-middle attacks. Therefore, sensitive user information should not be disclosed to external parties and should only be shared with specific stakeholders in specific circumstances.
In this paper, we propose a blockchain-based authentication scheme that utilizes decentralized identifiers and verifiable credentials technology to enhance system security and protect users from various security and privacy threats. Decentralized identifiers and verifiable credentials enable trustworthy identity verification and data exchange without intermediaries. We propose an authentication scheme where users can authenticate not only avatars but also real manipulators during the authentication process required before interactions between avatars, using the users' decentralized identifiers and verifiable credentials. Additionally, to ensure secure communication and avatar interactions in the metaverse environment, we propose an authentication method using blockchain between users and platform servers and between avatars. In our proposed scheme, the user and service provider establish secure communication channels during the login phase through secure authentication and key agreement. Furthermore, we minimize user information exposed to service providers during interactions with other avatars and enhance user privacy protection by allowing only the necessary personal identification information for verification when interacting with different avatars in the metaverse.
Furthermore, in the metaverse, during the consensus process of validating and recording information on the blockchain, security attacks, such as 51% attacks and Sybil attacks, can occur [10][11][12]. These attacks can undermine the trustworthiness of information recorded on the actual blockchain. However, in this paper, the consensus process occurs only once when the user initially creates a unique ID and registers it in the system. Subsequently, during the authentication process, users verify the required record information on the blockchain, and at this point, the blockchain's consensus process does not occur, minimizing the consensus process. Additionally, this paper assumes the security of the blockchain consensus process and focuses on security threats and privacy issues during the user registration phase and subsequent use of metaverse services.

Contributions
The main contributions of this paper are as follows:

• In the metaverse environment, users are exposed to threats, such as fraud through fake avatars and the risk of personal information leakage during data transmission through open channels. We propose a secure authentication method for the metaverse environment to ensure security against various threats arising from fake avatars or vulnerabilities in wireless communication channels, and provide forward secrecy, anonymity, and privacy preservation.

• The proposed scheme utilizes decentralized identifiers and verifiable credentials to enhance user privacy protection. Metaverse users can provide only the necessary identity information to stakeholders without disclosing their information to external parties, thereby safeguarding their personal information.

• We perform an informal analysis to ensure that the proposed scheme can provide security against various attacks, including impersonation, session key disclosure, replay, man-in-the-middle, and insider attacks. Additionally, we show that the proposed scheme can achieve mutual authentication, perfect forward secrecy, anonymity and privacy preservation.

• The security of the proposed scheme is analyzed by performing informal and formal analyses, such as Burrows-Abadi-Nikoogadam (BAN) logic, the real-or-random (RoR) model, and the automated validation of internet security protocols and applications (AVISPA) simulation tool. We also compare the performance and security features with the related works to show that the proposed scheme is superior.

Organization
The organization of the paper is as follows. Section 2 reviews the existing authentication scheme applicable to the metaverse environment. Section 3 introduces relevant preliminaries. Section 4 presents a proposed system model and adversary model. The details of the proposed authentication scheme are depicted in Section 5. Section 6 analyzes the security of the proposed scheme in informal and formal proofs, and Section 7 analyzes the computation and communication costs of the proposed scheme and related works. Finally, we summarize the conclusion and the future works in Section 8.

Related Work
With the emergence of metaverse platforms (e.g., Roblox and Minecraft) and the increasing number of applications that utilize the metaverse, the security of the metaverse environment is discussed in several studies [13][14][15]. According to Vu et al. [13], in the virtual world, users may find themselves in a situation where they are required to present identity information in order to obtain certain services and activities. They argued that not only are authentication mechanisms required to ensure that metaverse users can access the platform with appropriate identities but IoT devices in the metaverse infrastructure (e.g., sensors and UAVs) also need effective mechanisms for authentication during operation. They asserted that blockchain technology can address metaverse security and privacy issues, including identity and authentication management. Patwe and Mane [14] argued the necessity of designing a secure authentication mechanism because impersonation, server spoofing, mutual authentication threats, and replay attacks can occur in the metaverse environment. They also proposed a blockchain-based architecture for avatar and user authentication in consideration of the decentralized nature of the metaverse. However, to date, there are no proposed specific system models and mutual authentication schemes for metaverse environments.
In the metaverse environment, where users use virtual services from the service provider's server using wearable devices, such as VR and AR, some mutual authentication methods for the IoT environment can be applied. Panda and Chattopadhyay [16] proposed an elliptic curve cryptography-based mutual authentication protocol to ensure secure communication between IoT devices and cloud servers. They argue that the proposed scheme is secure against various security threats (including impersonation attack, replay attack, etc.) by performing an informal analysis and using the AVISPA simulation tool. However, they did not consider the device-hijacking attack scenario. In the metaverse, there is a risk of maliciously capturing and tampering with a user's XR device to extract sensitive information or impersonate a legitimate user to gain access to the system. Li et al. [17] proposed a mutual authentication scheme based on blockchain for users and servers. Li et al.'s scheme solves the single point of failure (SPoF) problem that occurs in the centralized authentication structure by proposing a blockchain-based decentralized authentication scheme. They claimed that their scheme is secure against impersonation and man-in-the-middle attacks, and that it also provides perfect forward secrecy. However, security features such as insider attacks and anonymity are not covered. These schemes can be applied to authentication between a user's device and a service provider's server. However, it is difficult to apply these schemes to the authentication mechanism required for interactions between avatars in the metaverse environment. Ryu et al. [18] proposed an authentication scheme that can ensure secure communication in a metaverse environment and transparently manage user identification data using blockchain technology. They designed the necessary mutual authentication methods to provide secure communication between platform servers and users as well as secure interactions between avatars. However, users who manipulate avatars in the metaverse need to prove their real-world information (e.g., age, gender, occupation and account) to other avatars in specific situations. Ryu et al.'s avatar authentication scheme can expose a lot of personal information of users to metaverse service providers. If personal information is exposed, it is possible to track the avatar's user, or to impersonate a legitimate user by using a camouflage avatar.
Therefore, there is a need for research on authentication methods that can provide secure communication and privacy protection for users while considering the characteristics of the metaverse. We propose an authentication and key agreement scheme to enable metaverse users to securely utilize services from service providers. Furthermore, within the platform, we propose a secure authentication scheme between avatars that allows users to protect their privacy during avatar interactions without relying on the service provider.

Preliminaries
This section briefly introduces a fuzzy extractor, decentralized identifier (DID) and verifiable credential (VC).

Fuzzy Extractor
The fuzzy extractor [19] is widely used for biometric verification. A biometric key can be constructed from a biometric trait, such as irises, facial features, and fingerprints. The fuzzy extractor is defined by the following two algorithms, a probabilistic algorithm Gen(·) and a deterministic algorithm Rep(·):

• Gen(BIO) = (r, δ): The user's biometric information BIO is accepted as an input parameter to the algorithm. Then, the secret value r is output along with the public reproduction parameter δ.

• Rep(BIO, δ) = (r): The algorithm accepts a noisy user biometric BIO from the user, controlling the noise using the public reproduction parameter δ. Then, Rep reproduces the original biometric secret value r.
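A minimal Gen/Rep pair, added here as an illustration and not taken from the paper or from [19]: it uses the code-offset construction with a 5-fold repetition code, so a noisy reading reproduces r as long as no block of five bits has more than two flips. The template length, `sample_bio` and `flip` are constructed for the example.

```python
import hashlib
import secrets

REP = 5        # repetition factor: majority vote corrects up to 2 flipped bits per block
KEY_BITS = 32  # toy key length (assumption); real systems need far more entropy


def _encode(key_bits):
    """Repetition code: repeat every key bit REP times."""
    return [bit for bit in key_bits for _ in range(REP)]


def _decode(code_bits):
    """Majority vote over each block of REP bits."""
    blocks = (code_bits[i:i + REP] for i in range(0, len(code_bits), REP))
    return [1 if sum(block) > REP // 2 else 0 for block in blocks]


def _xor(a, b):
    return [x ^ y for x, y in zip(a, b)]


def _extract(key_bits):
    """Hash the recovered key bits into the secret value r."""
    return hashlib.sha256(bytes(key_bits)).hexdigest()


def gen(bio):
    """Gen(BIO) -> (r, delta). Probabilistic: a fresh random key on every enrollment."""
    if len(bio) != KEY_BITS * REP:
        raise ValueError("unexpected biometric template length")
    key = [secrets.randbits(1) for _ in range(KEY_BITS)]
    delta = _xor(_encode(key), bio)  # public helper data, stored on the device
    return _extract(key), delta


def rep(noisy_bio, delta):
    """Rep(BIO', delta) -> r. Deterministic; tolerates noise up to the code's capacity."""
    if len(noisy_bio) != len(delta):
        raise ValueError("template and helper data differ in length")
    return _extract(_decode(_xor(noisy_bio, delta)))


def sample_bio(label):
    """Constructed stand-in for a biometric template: 160 bits derived from a label."""
    digest = hashlib.sha256(label.encode()).digest()
    bits = [(byte >> k) & 1 for byte in digest for k in range(8)]
    return bits[:KEY_BITS * REP]


def flip(bits, positions):
    """Simulate sensor noise by flipping the bits at the given positions."""
    out = list(bits)
    for pos in positions:
        out[pos] ^= 1
    return out


if __name__ == "__main__":
    enrolled = sample_bio("constructed-template-user-i")
    r, delta = gen(enrolled)
    # At most two flips per 5-bit block: r is reproduced.
    print(rep(flip(enrolled, [0, 1, 7, 33, 34, 159]), delta) == r)
    # Three flips in the first block exceed the capacity: a different value comes out.
    print(rep(flip(enrolled, [0, 1, 2]), delta) == r)
```

Helper data from a code this simple reveals which template bits inside a block agree with each other, so deployed extractors use stronger codes together with an entropy analysis of the biometric source.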

Decentralized Identifier and Verifiable Credential
The decentralized identifier [20] is a concept designed to uniquely identify the digital identities of users and entities within a distributed network. It allows users to manage and verify their identities in a decentralized manner, without relying on central identity verification authorities. Users can confirm or show their DID ownership by employing cryptographic methods, such as digital signatures. DIDs are stored in conjunction with blockchains, ensuring their immutability and security. The features and operation of DIDs in the proposed scheme are as follows:

1. Decentralized identifier creation: Users or entities generate DIDs. DIDs are unique and can be created by users themselves, not centralized authentication authorities.

2. Integration with blockchain: DIDs are stored in conjunction with a blockchain. This ensures that DIDs are stored in a distributed registry, making duplication or alteration difficult.

3. Digital identity verification: To log in to digital services or applications using their DID, users create a signature using their private key.

4. Distributed identity management: Users manage their DIDs and identity information in a distributed network. This information is stored on the blockchain, ensuring immutability, and users share it only when necessary.
A verifiable credential [21] is a concept and technology used to represent and verify personal identities and permissions in the digital realm. Verifiable credentials serve as an alternative to centralized identity verification systems, allowing individuals to manage and share identity information (credentials) issued by identity authorities. The features and operation of VCs in the proposed scheme are as follows:

1. Creation of VCs: Users process their identity-related data to generate VCs. These VCs include the user's identity information and the user's signature using the elliptic curve-based signature algorithm.

2. Issuer of VCs: VCs are created by the party or institution that issues the information. The issuer verifies the source of the information and signs the VC to ensure its integrity.

3. Storage and transmission of VCs: VCs are stored in a digital format, and users share them only when necessary. VCs are securely transmitted and stored, often in encrypted form.

4. Verification of VCs: When presenting VCs to a verifier, the verifier uses the issuer's public key to verify the signature of the VC and validate the accuracy of the information. This confirms the authenticity of the VC.

5. Selective sharing of VCs: Users can share only the necessary information through VCs, enhancing personal data protection. They provide minimal information to third parties and perform required identity verification.
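The issuing, selective-sharing and verification steps above as an added sketch (not the paper's code): the CA signs salted hash commitments to each claim so the holder can reveal a subset, and the holder signs a verifier nonce to show control of the DID. The salted-commitment layout, the secp256k1 curve, the `did:example:` names and the `REGISTRY` dictionary standing in for DID documents on the blockchain are assumptions of the example.

```python
import hashlib
import hmac
import json
import secrets

# secp256k1 parameters; the curve choice is an assumption (the page says only "elliptic curve").
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def _add(a, b):
    """Affine point addition; None is the point at infinity."""
    if a is None or b is None:
        return b if a is None else a
    (x1, y1), (x2, y2) = a, b
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if a == b:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P

def _mul(k, point):
    """Double-and-add scalar multiplication (not constant time; demo only)."""
    acc = None
    while k:
        if k & 1:
            acc = _add(acc, point)
        point, k = _add(point, point), k >> 1
    return acc

def _z(msg):
    return int.from_bytes(hashlib.sha256(msg).digest(), "big")

def sign(sk, msg):
    """ECDSA; nonce derived with HMAC for repeatability (simplified, not RFC 6979)."""
    mac = hmac.new(sk.to_bytes(32, "big"), msg, hashlib.sha256).digest()
    k = int.from_bytes(mac, "big") % (N - 1) + 1
    r = _mul(k, G)[0] % N
    return r, pow(k, -1, N) * (_z(msg) + r * sk) % N

def verify(pk, msg, sig):
    r, s = sig
    if not (0 < r < N and 0 < s < N):
        return False
    w = pow(s, -1, N)
    point = _add(_mul(_z(msg) * w % N, G), _mul(r * w % N, pk))
    return point is not None and point[0] % N == r

def _canon(obj):
    """Canonical JSON bytes, so signer and verifier hash identical input."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()

def _commit(salt, name, value):
    return hashlib.sha256(_canon([salt, name, value])).hexdigest()

def issue_vc(ca_sk, ca_did, holder_did, claims, exp):
    """CA: commit to each claim with a salted hash, then sign DIDs, expiry and commitments."""
    disclosures = {n: (secrets.token_hex(16), v) for n, v in claims.items()}
    body = {"did": holder_did, "issuer": ca_did, "exp": exp,
            "digests": sorted(_commit(s, n, v) for n, (s, v) in disclosures.items())}
    return dict(body, sig=sign(ca_sk, _canon(body))), disclosures

def present(vc, disclosures, names, holder_sk, nonce):
    """Holder: reveal only the claims in `names`; sign the verifier's nonce to prove DID control."""
    shown = {n: disclosures[n] for n in names}
    return {"vc": vc, "shown": shown, "proof": sign(holder_sk, _canon([nonce, vc["sig"]]))}

def verify_presentation(pres, registry, nonce, now):
    """Verifier: return the disclosed claims or raise ValueError."""
    vc = pres["vc"]
    body = {k: v for k, v in vc.items() if k != "sig"}
    if not verify(registry[vc["issuer"]], _canon(body), vc["sig"]):
        raise ValueError("issuer signature invalid")
    if now >= vc["exp"]:
        raise ValueError("credential expired")
    if not verify(registry[vc["did"]], _canon([nonce, vc["sig"]]), pres["proof"]):
        raise ValueError("presenter does not control the holder DID")
    claims = {}
    for name, (salt, value) in pres["shown"].items():
        if _commit(salt, name, value) not in vc["digests"]:
            raise ValueError(f"claim {name!r} is not covered by the credential")
        claims[name] = value
    return claims

# Constructed demo keys; REGISTRY stands in for DID documents {DID, PK} read from the blockchain.
CA_SK, ALICE_SK = 0xC0FFEE, 0xA11CE
REGISTRY = {"did:example:ca": _mul(CA_SK, G), "did:example:alice": _mul(ALICE_SK, G)}
```

A verifier that receives only the `occupation` disclosure learns nothing about the other claims beyond how many there are, because the remaining digests are salted.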

System Model
Our proposed secure and privacy-preserving authentication scheme using a decentralized identifier in the metaverse environment is composed of four entities, including certificate authority, service provider, user, and blockchain. We depict the proposed system model in Figure 1, and describe each entity as given below.

• Certificate authority (CA): CA serves as a fully trusted entity that initializes and publishes system parameters. CA receives the user's decentralized identifier and personal information, which require verification. Then, CA verifies both and issues a credential to the user proving the user's personal information (occupation, age, etc.). The credential values must be authenticated between the users/avatars in the metaverse environment.

• Service provider (SP): SPs offer services that enable users to engage in various activities in virtual spaces, such as education, gaming, healthcare, and more. The user first registers on the SP using the decentralized identifier. If a user attempts to access the SP, SP verifies the correct identity of the user. In addition, the SP is responsible for forwarding request and response messages that occur in its own virtual space during the avatar authentication phase.

• User: The user creates his/her own decentralized identifier on the blockchain. The user sends his/her decentralized identifier and personal information to CA to receive credentials to prove their personal information. Then, the user registers with the SP to participate in the metaverse environment. At this time, the user transmits only minimal information to register with the SP, and no other personal information is transmitted. The user can interact with other users by using avatars created in the virtual world, such as exchanging information with other users for various purposes. The user uses DID, public key, and verifiable credentials in the virtual space to mutually authenticate with other users' avatars to achieve secure interaction between avatars.

• Blockchain: In the proposed authentication scheme, we adopt the public blockchain, which is a fully decentralized infrastructure. In the public blockchain network, every node can easily join blockchain networks without the need for a trusted authority. All blockchain members can read the ledger and upload transactions to the blockchain. To ensure that all entities participating in the system agree on a single source of truth, the public blockchain adopts proof-based consensus algorithms, including proof of work and proof of stake. In our system, the blockchain is adopted to store the information required for authentication, and it does not contain any information other than DID documents. In the proposed scheme, we assume that the consensus process of the blockchain operates correctly and reliably.
The process flows of the proposed scheme are described as follows:

• User setup phase: The user generates their own decentralized identifier. The CA issues a verifiable credential to the user that proves the user's personal information.

• User registration phase: The user registers with the SP using his/her own decentralized identifier. The SP verifies that the user's decentralized identifier is valid, and then the user's avatar is generated in virtual space.

• Login phase: When the user attempts to access the SP, the user and SP authenticate each other. If the mutual authentication between the user and SP is completed and the session key is agreed upon, the user and SP establish a secure communication channel through the session key.

• Avatar authentication phase: In the virtual space, the user can interact with other avatars. For secure avatar-to-avatar interactions, the user provides verifiable credentials, proving the personal information needed to perform the avatar authentication phase.

Adversary Model
The adversary can have the following capabilities based on the Dolev-Yao (DY) threat model. The Dolev-Yao threat model [22] is widely employed in the analysis of protocol security [23][24][25]. The capabilities of an adversary are defined as follows:

• An adversary can eavesdrop, intercept, modify, expunge, and forge the transmitted messages through a public channel.

• An adversary can conjecture about either the identity or the password of a legitimate user, but it is incapable of conjecturing about both simultaneously.

• An adversary can physically seize the user's XR devices and infer sensitive data through power analysis attacks [26][27][28].

• An adversary can attempt to launch various attacks, including impersonation, replay attacks, and man-in-the-middle attacks.

• An adversary can be an insider in the SP.
For this work, we also adopt a more stringent adversary model, known as the "Canetti-Krawczyk (CK) model" [29]. In the CK model, the adversary not only has all the capabilities of the DY model but can also obtain ephemeral session states and long-term values (including secret keys) by performing a session-hijacking attack. The adversary also creates a replica avatar in the metaverse environment to deceive others.

Proposed Scheme
This section presents the proposed secure and privacy-preserving authentication scheme using a decentralized identifier for the metaverse. The proposed scheme includes the initialization, user setup, registration, login, and avatar authentication phases. Table 1 describes the symbols used in the scheme.

Initialization Phase
First, CA initializes the system parameters. CA generates large prime numbers $p$, $q$, an additive group $G$, elliptic curve $EC_p$ over $F_p$, a generator $P$, one-way hash functions $H(\cdot)$, and a secret key $sk_{CA}$, and it computes a public key $PK_{CA}$ corresponding to $sk_{CA}$. After that, CA publishes the system parameters $par = \{p, q, G, EC_p, P, PK_{CA}, h(\cdot)\}$ to the network.

User Setup
The user generates their own decentralized identifier. CA issues a verifiable credential to the user that proves the user's personal information. This phase is performed over a secure channel. Figure 2 shows the user setup phase, and the detailed steps are as follows.

• US-1: User $U_i$ inputs a unique $ID_j$, password $sk_j$ and biometric information $BIO_i$. Then, $U_i$ selects a random number $sk_i \in Z_q$ as a private key and computes Gen(
Then, $U_i$ generates $U_i$'s own $DID_i$ that indicates the location of the DID document $Doc_i = \{DID_i, PK_i\}$ on the blockchain.

• US-2: $U_i$ requests CA to issue a credential by sending $DID_i$ and personal information $info_i$. CA checks $U_i$'s personal information and $DID_i$, and issues a verifiable credential $VC_i = \{DID_i, DID_{CA}, claim, Sig_{CA}(claim), Exp_i\}$ that vouches for $U_i$'s personal information, such as occupation, age, etc. Then, CA sends $VC_i$ to $U_i$. After checking $VC_i$, $U_i$ computes $HVC_i = VC_i \oplus h(r_i \| ID_i \| HPW_i)$ and stores $\{DID_i, HVC_i, \delta_i\}$ in the device.

User Registration Phase
User $U_i$ registers with SP using his/her own decentralized identifier. SP verifies that the user's decentralized identifier is valid, and then the user's avatar is generated in virtual space. This phase is performed over a secure channel. Figure 3 shows the user registration phase, and the detailed steps are as follows.

Login Phase
When the user $U_i$ attempts to access the SP, the user and SP authenticate each other. If mutual authentication between the user and SP is completed and the session key is established, the user and SP communicate using the session key to guarantee secure communication. Figure 4 presents the login phase, and the detailed steps are as follows.

• LA-1: User $U_i$ first enters $ID_i$, $PW_i$, and $BIO_i$. Then, $U_i$ computes $\{r_i\} = Rep(BIO_i, \delta_i)$, and checks the $A_i = A_i$. If the equation is correct, $U_i$ selects a random nonce $X_i$ and a current timestamp $T_1$, and computes

• LA-2: SP generates a current timestamp $T_2$ and checks the freshness of the timestamp. Next, SP retrieves $\{B_i\}$ from the database using $RID_i$, and calculates (DID . SP checks the $MS_2 \stackrel{?}{=} MS_2$, and selects a random nonce $Y_{sp} \in Z_q$ and calculates $RID_{new} = h(DID_i \| Y_{sp} \| B_i)$,

• LA-3: After reception of the messages, $U_i$ checks the freshness of $T_2$ and computes . Then, $U_i$ checks the validity of $MS_4$ ?

Avatar Authentication Phase
In the virtual space, user $U_i$ can interact with other avatars $U_j$. For secure avatar-to-avatar interactions, the user provides the verifiable credentials proving the personal information to perform the avatar authentication phase. Figure 5 shows the avatar authentication phase, and the detailed steps are as follows.

• AA-1: $U_i$ first sends a request including $DID_i$ to $U_j$. After reception of the request, $U_j$ retrieves $\{PK_i\}$ using $DID_i$, and selects a random nonce $n_j$ and a current timestamp , and sends $\{DID_j, MS_5, MS_6, N_j, T_4\}$ to $U_i$.

• AA-2: After receiving the message $\{DID_j, MS_5, MS_6, N_j, T_4\}$, $U_i$ checks the validity of $T_4$, and retrieves $\{PK_j\}$ from the blockchain using $DID_j$. Then,

• AA-3: Upon reception of message $\{MS_7, MS_8, M_i, T_5\}$, $U_j$ checks the freshness of $T_5$ and computes = $MS_8$ is correct and verifies $VC_i$'s signature $Sig_{CA}(claim)$.

Security Analysis
In this section, we show the resilience of the proposed system against malicious security attacks through an informal analysis and AVISPA simulation. We also utilize BAN logic [30,31], which is a widely accepted formal security analysis, to prove that the proposed scheme guarantees secure mutual authentication. Subsequently, we prove the session key secrecy utilizing the real-or-random (ROR) model.

Informal Security Analysis
We perform an informal security analysis to demonstrate how the proposed protocol fulfills some of the security requirements, such as resistance to impersonation, replay, and session key disclosure attacks, perfect forward secrecy, mutual authentication, etc.

Stolen XR Device Attack
Under the assumptions in Section 4.1, an adversary $Adv$ can seize the user's XR device and extract the stored parameters $\{DID_i, HVC_i, \delta_i, HRID_i, HB_i, A_i\}$ to obtain sensitive information $VC_i$, $B_i$. However, all the stored sensitive information is masked with hash and XOR operations utilizing identity $ID_i$, password $PW_i$, and biometric information $BIO_i$ so that $Adv$ cannot obtain sensitive information. Thus, the proposed scheme is secure against stolen XR device attacks.

Offline Password-Guessing Attack
$Adv$ attempts to guess the user's password $PW_i$ using extracted values from $U_i$'s XR device and intercepts the transmitted messages on public channels. However, it is impracticable for $Adv$ to guess $PW_i$ without knowledge of the real identity $ID_i$ and response value $r_i$. $PW_i$ is used to construct $HPW_i = h(ID_i \| PW_i \| r_i)$, where $r_i$ is the response value from a fuzzy extractor with bio-information as the input. Therefore, our scheme is resistant to offline password-guessing attacks.
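The device-side masking that this analysis and the stolen XR device analysis rely on, written out as an added example (not the paper's code) from the formulas $HPW_i = h(ID_i \| PW_i \| r_i)$ and $HVC_i = VC_i \oplus h(r_i \| ID_i \| HPW_i)$. SHA-256, the length-prefixed field encoding, the SHAKE-256 stretching of the mask to the credential length and all sample values are assumptions.

```python
import hashlib


def h(*fields: bytes) -> bytes:
    """h(a || b || ...) as SHA-256 over length-prefixed fields (encoding is an assumption).
    The prefix keeps ("ab", "c") and ("a", "bc") from hashing to the same value."""
    digest = hashlib.sha256()
    for field in fields:
        digest.update(len(field).to_bytes(4, "big") + field)
    return digest.digest()


def hpw(id_i: bytes, pw_i: bytes, r_i: bytes) -> bytes:
    """HPW_i = h(ID_i || PW_i || r_i)."""
    return h(id_i, pw_i, r_i)


def _mask(id_i, pw_i, r_i, length):
    """h(r_i || ID_i || HPW_i), stretched with SHAKE-256 because a credential is
    longer than one hash output (the page does not say how this is handled)."""
    seed = h(r_i, id_i, hpw(id_i, pw_i, r_i))
    return hashlib.shake_256(seed).digest(length)


def seal_vc(vc: bytes, id_i: bytes, pw_i: bytes, r_i: bytes) -> bytes:
    """HVC_i = VC_i XOR h(r_i || ID_i || HPW_i); this is what the XR device stores."""
    return bytes(a ^ b for a, b in zip(vc, _mask(id_i, pw_i, r_i, len(vc))))


def open_vc(hvc: bytes, id_i: bytes, pw_i: bytes, r_i: bytes) -> bytes:
    """Inverse of seal_vc. XOR never fails: wrong factors yield different bytes, not
    an error, so the caller must still verify the CA signature on the result."""
    return seal_vc(hvc, id_i, pw_i, r_i)


# Constructed sample values (not from the page).
VC = b'{"did":"did:example:alice","issuer":"did:example:ca","claim":{"occupation":"physician"}}'
ID, PW, R = b"alice", b"correct horse", bytes.fromhex("5f" * 32)
DEVICE_RECORD = {"DID": "did:example:alice", "HVC": seal_vc(VC, ID, PW, R)}  # delta omitted


def wrong_factor_results():
    """Open the stored HVC with exactly one factor wrong; report whether the VC came out."""
    hvc = DEVICE_RECORD["HVC"]
    return {
        "all correct": open_vc(hvc, ID, PW, R) == VC,
        "wrong ID": open_vc(hvc, b"alicf", PW, R) == VC,
        "wrong PW": open_vc(hvc, ID, b"correct horsf", R) == VC,
        "wrong r": open_vc(hvc, ID, PW, bytes(32)) == VC,
    }


if __name__ == "__main__":
    for case, recovered in wrong_factor_results().items():
        print(f"{case}: credential recovered = {recovered}")
```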

Impersonation Attack
$Adv$ can create fake login messages $\{RID_i, MS_1, MS_2, T_1\}$ and $\{MS_3, MS_4, T_2\}$ to impersonate legitimate user $U_i$ and gain unauthorized access to the metaverse environment supported by SP. However, $Adv$ cannot forge the request message and compute the session key $SK_{U-SP}$ because it is infeasible for $Adv$ to obtain $B_i$ and random nonces $X_i$ and $Y_{sp}$, where $B_i$, $X_i$, and $Y_{sp}$ are masked and $B_i$ is shared by $U_i$ and the SP only. Therefore, the proposed protocol prevents impersonation attacks.

Avatar Impersonation Attack
In the metaverse, $Adv$ creates a fake avatar in an attempt to impersonate a legitimate user $U_i$'s avatar. $Adv$ is required to prove ownership of the legitimate $U_i$'s decentralized identifier $DID_i$ and present verifiable credential $VC_i$ to others. However, $Adv$ cannot impersonate the legitimate user of the avatar because $Adv$ cannot obtain the private key corresponding to $DID_i$ and it is difficult to extract $VC_i$, which is masked with the real identity $ID_i$ and password $PW_i$. Furthermore, since the user can easily create a new DID, if a problem occurs with the existing DID, the user can obtain a new DID and VC and discard the existing DID. Therefore, the proposed scheme prevents an avatar impersonation attack.

Session Key Disclosure Attack
In the proposed scheme, $Adv$ should obtain the secret value $B_i$ and the random nonces $X_i$ and $Y_{sp}$ to compute a common session key. However, it is infeasible for $Adv$ to compute a valid session key $SK_{U-SP}$ because $U_i$'s secret value $B_i$ is masked with the real identity $ID_i$, password $PW_i$, and biometric information $BIO_i$. In addition, random nonces $X_i$ and $Y_{sp}$ are masked with $B_i$ and $DID_i$. $Adv$ also cannot decrypt $M_1$ without $U_i$'s private key $r_{User}$. Therefore, disclosure attacks on the session key $SK_{U-SP} = h(X_i \| Y_{sp} \| B_i \| DID_i)$ are computationally infeasible in the proposed protocol.

Perfect Forward Secrecy
Even if the long-term secret keys $sk_i$ and $sk_{sp}$ are compromised, $Adv$ does not obtain the previous session key $SK_{U-SP} = h(X_i \| Y_{sp} \| B_i \| DID_i)$. Since $DID_i$ and $B_i$ are not revealed in messages transmitted on public channels, and random nonces $X_i$ and $Y_{sp}$ are refreshed every session, $Adv$ cannot obtain the previous session key. Therefore, the proposed protocol guarantees perfect forward secrecy. Furthermore, if the secret key is compromised, the user can easily invalidate the existing DID associated with that key and create a new DID with a corresponding key pair. Subsequently, by re-registering with the system, the user can obtain a new VC from the CA.

Replay Attack and MITM Attack
$Adv$ attempts replay and man-in-the-middle (MITM) attacks using previously transmitted messages. However, all the transmitted messages include current timestamps $T_x$ that are refreshed with each session, and $U_i$ and SP check the freshness of all transmitted messages. In addition, $RID_i$ is also updated every session. If the received messages are invalid, the receiver terminates the current session. Therefore, the proposed protocol prevents replay and MITM attacks.

Insider Attack
According to Section 4.1, an internal Adv attempts to impersonate U_i's avatar using a fake avatar and intercepted messages DID_i, {DID_j, MS_5, MS_6, N_j, T_4} and {MS_7, MS_8, M_i, T_5}. However, it is infeasible for Adv to calculate without the private keys sk_i, sk_j and random nonces n_j and m_i. Thus, Adv cannot obtain verifiable credential VC without AUT_1, AUT_2. Therefore, Adv cannot disguise itself as another legitimate user in the metaverse without private key sk_i and VC_i corresponding to DID_i.

Ephemeral Secret Leakage Attack
According to Section 4.1, Adv can obtain the ephemeral secret values, such as X_i and Y_sp. Then, the adversary can attempt to calculate the session key SK_{U-SP}. However, Adv cannot calculate SK_{U-SP} without B_i and DID_i. Therefore, the proposed protocol has resistance to the ephemeral key leakage attack.

6.1.10. Mutual Authentication
Sections 6.1.3 and 6.1.5 demonstrate that Adv cannot impersonate U_i and obtain the session key. In the login phase, U_i and SP verify all transmitted messages. When SP receives the login request message {RID Consequently, all entities are mutually authenticated so that the proposed system provides secure mutual authentication.

Anonymity
If Adv intercepts, modifies, and deletes the transmitted messages, it can execute Section 6.1.1 to extract U_i's real identity. However, it is impossible for Adv to obtain real identity ID_i. The user's ID_i is comprised of RID_i = h(DID_i || HPW_i || sk_sp) by using hash and XOR functions. Therefore, the proposed protocol ensures the anonymity of U_i.

6.1.12. Privacy-Preservation
In the proposed scheme, U_i's identity and sensitive personal information are managed by the user, and it is provided only to other relevant parties when access to specific services and data is required. The SP can only check some of U_i's information as a requirement to access the metaverse environment, and U_i's other information cannot be viewed without user consent. Therefore, the proposed scheme guarantees the privacy preservation of the user.

Untraceability
Untraceability ensures that an external Adv cannot track the legitimate user U_i. Because all messages are dynamic and unique in each session, using temporary identities RID_x, random nonces X_i and Y_j, and timestamps T_x, and each parameter is updated every session in the login phase, the proposed scheme provides untraceability for U_i.

Denial-of-Service (DoS) Attack
The Adv attempts to create a number of login request messages and transmit them to the SP to paralyze the network. However, since the SP checks the RID_i and T_i, which are updated each session, the Adv cannot create new valid messages. Even if the Adv attempts to resend past messages, SP considers them invalid and terminates the connection. Therefore, the proposed scheme ensures safety against DoS attacks.
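The freshness checks that the replay/MITM and DoS paragraphs above rely on can be sketched from the SP's side as follows. This is an added example, not code from the paper: the window DELTA_T, SHA-256 as h(·), the single `tag` standing in for the login authenticators, the shared `secret`, and the RID_i update rule in `next_rid` are all assumptions made for illustration, and the inputs are constructed.

```python
import hashlib
import hmac

DELTA_T = 5  # assumed freshness window in seconds; the page gives no value

def h(*parts: bytes) -> bytes:
    """h(.) over length-prefixed fields; SHA-256 is an assumption."""
    digest = hashlib.sha256()
    for part in parts:
        digest.update(len(part).to_bytes(4, "big") + part)
    return digest.digest()

def next_rid(rid: bytes, secret: bytes, t: int) -> bytes:
    """Assumed per-session RID_i update, computable by both U_i and SP."""
    return h(b"rid-update", rid, secret, str(t).encode())

class ServiceProvider:
    def __init__(self):
        self.users = {}  # current RID_i -> secret shared with that user

    def login(self, rid: bytes, t: int, tag: bytes, now: int) -> str:
        # Cheap checks first, so stale or replayed traffic costs no hashing.
        if abs(now - t) > DELTA_T:
            return "reject: stale timestamp"
        secret = self.users.get(rid)
        if secret is None:
            return "reject: unknown or already-used RID"
        if not hmac.compare_digest(tag, h(rid, secret, str(t).encode())):
            return "reject: bad authenticator"
        # Rotate RID_i: the accepted message is now useless even inside DELTA_T.
        del self.users[rid]
        self.users[next_rid(rid, secret, t)] = secret
        return "accept"

def demo(t1: int = 1_000) -> list:
    """Constructed run: stale copy, fresh login, in-window replay, next session."""
    sp, secret = ServiceProvider(), b"constructed-shared-secret"
    rid = h(b"constructed-DID", b"constructed-HPW")
    sp.users[rid] = secret  # stands in for the registration phase
    msg = (rid, t1, h(rid, secret, str(t1).encode()))
    out = [sp.login(*msg, now=t1 + 60),  # captured message replayed late
           sp.login(*msg, now=t1 + 1),   # legitimate login
           sp.login(*msg, now=t1 + 2)]   # replay inside the time window
    rid2, t2 = next_rid(rid, secret, t1), t1 + 10
    out.append(sp.login(rid2, t2, h(rid2, secret, str(t2).encode()), now=t2))
    return out

if __name__ == "__main__":
    print(demo())
```

The third call is the case a timestamp check alone would miss: the replay arrives inside DELTA_T and is rejected only because RID_i was rotated when the legitimate login was accepted.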

Security Analysis Using BAN Logic
Through BAN logic analysis, we prove that the proposed scheme guarantees secure mutual authentication between the user U_i and SP. We also define the rules, goals, idealized forms, and assumptions for performing BAN logic analysis. Table 2 introduces the BAN logic notations.

BAN Logic Rules
The BAN logic rules are as follows: 1.
Message meaning rule: Nonce verification rule: Freshness rule:

Goals
We present the following security goals to show that the proposed system guarantees a secure mutual authentication. The idealized forms are the following: We define the following initial assumptions for the BAN logic proof.
The detailed steps of the BAN logic proof are as follows:
Step
Step 2: Upon the message meaning rule with S_1 and A_4,
Step 3: Using the freshness rule with A_1,
Step 4: Using the nonce verification rule with S_2 and S_3,
Step 5: Since the session key
Step 12: Utilizing the jurisdiction rule with S_13 and A_7,
Therefore, the proposed protocol achieves secure mutual authentication between the user and SP.

ROR Model
The ROR model, which is based on probabilistic game theory, is widely used to analyze the semantic security of an authenticated key agreement [32][33][34]. Using the ROR model, we demonstrate that our proposed scheme ensures session key security against a malicious adversary within probabilistic polynomial time. We first present the fundamentals of the ROR model in Table 3. We follow this by proving the session key security of our proposed scheme.

| Query | Description |
| --- | --- |
| Execute(P^t_U, P^t_SP) | A uses this query to tap the communication messages transmitted between P^t_U and P^t_SP. |
| Send(P^t, M) | A sends a message to P^t and receives a response message from P^t. |
| Reveal(P^t) | A gets the current session key between P^t and its partner. |
| Test(P^t) | A guesses the probabilistic outcome for a flipped unbiased coin C. If the session key is fresh, A receives C = 0. If the session key is not fresh, A receives C = 0. Otherwise, A obtains null value (⊥). |
| Corrupt(P^t_U) | This query presumes an active attack. A extracts secret values stored in the XR devices by executing a power analysis. |

In the ROR model, adversary A interacts with the t-th instance of an executing participant, P^t. Then, we define P^t_U and P^t_SP as the participants of t-th U_i and t-th SP. In the ROR model, the adversary can execute Execute, Send, Reveal, Test, and Corrupt to consider different queries presuming actual security attacks. The descriptions of each query are introduced in Table 3. Furthermore, a query of the collision-resistant one-way hash function is denoted as Hash.
Theorem 1. Before proving the session key security of the proposed scheme, we define q_hash and q_send as the number of Hash and Send queries, and |Hash| as the range space of the hash function. C and s denote Zipf's parameters [35], and l_B is the number of bits in the biometric secret key r_i. When adversary A obtains the session key in polynomial time, the adversary A breaches the semantic security of the proposed scheme, and its advantage is represented by Adv_A(t). Adv_A(t) is estimated by
Proof. We consider the following games G_i, i = [0, 3], and assume that Pr[Succ_{G_i}] is A's advantage of winning the game G_i. The detailed descriptions of each game are discussed as follows.
• Game 0: G_0 presents A's real attacks against our proposed scheme in the ROR model. A selects the bit c at the start of G_0. Adv_A(t) is as follows.
• Game 1: G_1 is modeled such that A implements an eavesdropping attack. In this game, A executes the Execute(·) query to steal the communicated messages {RID_i, MS_1, MS
• Game 2: G_2 is modeled as an active attack. In this game, A executes the Send and Hash queries to guess the hash collision. However, all exchanged messages are protected using the one-way hash function h(·) and consist of secret credentials and random numbers. Moreover, it is difficult for Adv to derive secret credentials and a random nonce because it is a computationally infeasible problem depending on the properties of h(·). So, using the birthday paradox, we obtain the following inequality:
• Game 3: G_3 is modeled such that an active attack is implemented by A. In this game, A executes the Corrupt(P^t_V, P^t_EP) query to extract the secret values {DID_i, HVC_i, δ_i, HRID_i, HB_i, A_i} from the user's XR devices. Subsequently, to derive credential VP_i and U_i's secret key sk_i, A must guess the unknown password PW_i through operating the Send query. However, it is computationally infeasible for A to guess the password PW_i through the Send query without V_i's identity ID_i and secret nonce x_i. In the absence of password-guessing attacks, games G_2 and G_3 are identical. The probability of A winning the game G_4 using Zipf's law is
After all of the games are executed, A conjectures the correct bit c. Hence, we obtain
Considering Equations (2) and (3), we obtain
Then, we consider Equations (4) and (5) and obtain the following inequality:
Consequently, the stipulated result Adv_A(t) is presented by multiplying both sides of Equation (8): q_send/2^{l_B}}. (9)

Avispa Simulation Tool
AVISPA is a well-known security simulation tool that analyzes the protocols' ability to resist replay and MITM attacks [36][37][38]. The AVISPA tool employs the high-level protocol specification language (HLPSL) for outlining the actions of each participant. Afterward, the HLPSL code of the protocol is converted into the intermediate format (IF) through the HLPSL2IF translator. Then, IF data are input to implement AVISPA on one of four backends, such as "the CL-based attack searcher (CL-AtSe)", "the on-the-fly-model checker (OFMC)", "the tree Automata-based protocol analyzer (TA4SP)", and "the SAT-based model checker (SATMC)". When IF data are passed through the selected backend, the simulation result is output following the output format (OF). In this paper, we perform AVISPA simulations of the proposed scheme using the OFMC and CL-AtSe backends, which support the XOR operation. In OF, if the SUMMARY segment indicates SAFE, it means that the analyzed scheme is resistant to replay and MITM attacks.
Figure 6 describes the user's role in HLPSL code form. The other parties (service provider and certificate authority) are also coded in a format similar to Figure 6. Figure 7 indicates the goals and environment of the proposed protocol and the role of the session. Figure 8 presents the AVISPA simulation result of the proposed protocol using CL-AtSe and OFMC. The results under the CL-AtSe and OFMC backends show that the proposed protocol is safe. Therefore, the proposed protocol can be resilient against man-in-the-middle and replay attacks.

Conclusions
In this paper, we propose a secure authentication scheme for metaverse environments to provide secure avatar interactions and protect against various security attacks. In our scheme, users can utilize DID and VC to prove their identity to other avatars in the metaverse without revealing irrelevant personal information to service providers. Furthermore, the proposed scheme provides a secure communication channel against various attacks through secure authentication and key agreement between the user and service provider. By performing the ROR oracle security analyses, the well-known AVISPA simulation, and BAN logic analyses, we show that the proposed scheme is resistant to various security attacks (including stolen XR devices, offline password guessing, user and avatar impersonation, etc.). Next, a comparison of computation costs and communication costs shows that the proposed scheme provides lower computation and communication costs than other related schemes for the metaverse environment. Therefore, the proposed scheme can be applied to practical metaverse environments to provide high security and privacy preservation. In the future, we intend to research authentication protocols for a secure and trusted metaverse environment, taking into consideration potential security issues that may arise in the blockchain.

Figure 1. The proposed system model.

Figure 5. Avatar authentication phase of the proposed scheme.

Table 1. Symbols and their meanings.

Table 2. Notations for BAN logic.
and β may use shared key K to communicate

Table 3. Various queries and descriptions.
2, T_1} and {MS_3, MS_4, T_2} between U_i and SP. At the end of this game, A executes Reveal and Test queries to check whether the derived session key SK_{U-SP} is an actual or random key. A needs the long-term secret values (such as the private keys sk_i and sk_sp), and the short-term secret values (such as the random nonces X_i and Y_sp) to extract the SK_{U-SP}. However, it is impracticable for A to obtain these secret values, even if A obtains all communicated messages. As shown, the eavesdropping messages {RID_i, MS_1, MS_2, T_1} and {MS_3, MS_4, T_2} do not increase the probability of winning game G_1. Therefore, because games G_1 and G_0 are indistinguishable, we obtain Pr