WO2025065969A1

WO2025065969A1 - Method and apparatus for communication

Info

Publication number: WO2025065969A1
Application number: PCT/CN2024/071583
Authority: WO
Inventors: Bidi YING; Xu Li; Chenchen YANG
Original assignee: Huawei Technologies Co Ltd
Current assignee: Huawei Technologies Co Ltd
Priority date: 2023-09-29
Filing date: 2024-01-10
Publication date: 2025-04-03
Anticipated expiration: 2026-03-29

Abstract

Embodiments of the present application provide a method and an apparatus that provide ID privacy protection of a device. In the present application, a device's real ID is stored in an IDM function that is responsible for ID mapping. When the device requests for a service in a network, first information and second information are used to replace a device's temporary IDs and are used for user identification implemented by different network functions so that linkability of temporary IDs is decoupled. Fifth information is used for service permission identification by a service provider to guarantee that the service is a subscribed one by the device from the service provider. These new features could provide anonymous service access and therefore provide ID privacy protection of the device.

Description

METHOD AND APPARATUS FOR COMMUNICATION

CROSS-REFERENCE TO RELATED APPLICATIONS

The present application is related to, and claims priority to, United States provisional patent application serial No. 63/541,525, entitled “SYSTEM AND METHOD ON USER IDENTIFICATION IN ANONYMOUS COMMUNICATION NETWORKS” , and filed on September 29, 2023. The disclosure of the aforementioned application is hereby incorporated by reference in their entireties.

TECHNICAL FIELD

Embodiments of the present application relate to the field of wireless technologies, and more specifically, to a method and an apparatus for communication.

BACKGROUND

A general data storage system can provide data storage services. To avoid user’s identifier (ID) being traced, temporary identifiers (IDs) are assigned to a user for communications with different providers or network functions (NFs) . For example, this system may include data service management function, and a data service profile function and at least one data service provider (SP) . An ID1 is assigned to a device for communication in the data service management function, an ID2 is assigned to the device for communications in the data service profile management, an ID3 is assigned to the device for communications in a data SP1, and an ID5 is assigned to the device for communications in a data SP2.

But linkability of these temporary IDs may still leak the device’s ID privacy.

SUMMARY

Embodiments of the present application provide a method and an apparatus for communication, which can provide device’s ID privacy protection.

According to a first aspect, there is provided a method for communication, and the method may be performed by a first apparatus or a chip installed in the first apparatus. The first network function is responsible for service management. The method includes: sending a first message to an IDM function, where the first message includes a second ID of a device, and the first message is used for requesting an ID mapping; and receiving a second message from the IDM function, where the second message includes first information, an ID of a first algorithm for generating the first information, second information, and an ID of a second algorithm for generating the second information; where the first information is used for user identification implemented by a second network function that is responsible for management on a service profile, the first information is generated by the IDM function according to the first algorithm and a first ID of the device that is only known by the IDM function and the second network function, the first ID being obtained by the IDM function according to the second ID and an ID of the second network function; or the first information is generated according to information provided by the second network function that is only known by the IDM function and the second network function; the second information is used for user identification implemented by a third network function that provides a service for the device, the second information is generated by the IDM function according to the second algorithm and a device’s ID in at least one third network function; and the first network function, the second network function and the third network function are provided by different providers.

According to the present application, first information and second information are introduced to replace device’s temporary IDs for communications. Network functions or entities in a communication system can identify a user (i.e. a device) with different temporary IDs, and the network functions or entities cannot link the temporary IDs to a specific user, which can provide device’s ID privacy protection. Reference can be made to the details in the specification, which will not be repeated herein.

In an implementation of the first aspect, the method further includes: sending a third message to the second network function, where the third message is used for requesting a service for the device, and the third message includes the first information, the ID of the first algorithm, and a service ID; and receiving a fourth message from the second network function, where the fourth message indicates a service permission for the device to access the service, the fourth message includes fifth information used for service permission determination by a third network function, an ID of a fifth algorithm used for generating the fifth information, and the fifth information is generated according to common information between the second network function and the third network function.

The service ID and a device’s ID are decoupled by introducing the new function of IDM function. A service profile is stored in the second network function and the temporary IDs are stored in the IDM function so that the proposed solution can provide service privacy protection and device’s ID privacy protection.

In an implementation of the first aspect, the fifth information includes a service profile ID or information derived from the service profile ID.

The fifth information is used to enable the third network function to have a capability to verify service permission.

In an implementation of the first aspect, the information provided by the second network function includes a nonce generated by the second network function.

In an implementation of the first aspect, the method further includes: sending a fifth message to the third network function, where the fifth message is used for requesting the service, the fifth message includes the second information, the fifth information, the service ID, an ID of the second algorithm, and an ID of the fifth algorithm.

The technical effect of any one of the second aspect to the eighth aspect can refer to that of the first aspect, and it will not be repeated in the following.

According to a second aspect, there is provided a method for communication, and the method may be performed by an IDM or a chip installed in the IDM function. The method includes: receiving a first message from a first network function that is responsible for service management, where the first message includes a second identifier (ID) of the device that is only known by the first network function and the IDM function, and the first message is used for requesting an ID mapping; obtaining a first ID of the device according to the second ID and an ID of the second network function; obtaining first information and second information, where the first information is used for user identification implemented by a second network function that is responsible for management on a service profile, the first information is obtained according to a first algorithm and the first ID of a device that is only known by the IDM function and the second network function, or the first information is obtained according to information provided by the second network function, and the second information is obtained according to a second algorithm and ID (s) of the device in at least one third network function; and sending a second message to the first network function, where the second message includes the first information, an ID of the first algorithm, the second information, and an ID of the second algorithm.

In an implementation of the second aspect, the method further includes: sending a sixth message to the second network function, where the sixth message is used for requesting information for computing the first information; and receiving the information provided by the second network function, where the information provided by the second network information includes a nonce generated by the second network function.

According to a third aspect, there is provided a method for communication, and the method may be performed by a second network function or a chip installed in the second network function. The second network function is responsible for management on a service profile. The method includes: receiving a third message from a first network function, where the third message is used for requesting a service for a device, and the third message includes first information, an ID of a first algorithm for generating the first information, and a service ID, the first information is generated by an IDM function according to the first algorithm and a first ID of the device that is only known by an IDM function and the second network function, the first ID is obtained by the IDM function according to a second ID of the device and an ID of the second network function, or the first information is generated according to information provided by the second network function that is only known by the IDM function and the second network function; performing user identification, and validating the device and the first service according to a service credential stored in the second network function, where the user identification is performed by comparing a first value and the received first information included in the third message, the first value is computed with the first algorithm and the first ID of the device or a nonce generated by the second network function; and sending a fourth message to the first network function after successful user identification and successful validation on the device and the service, where the fourth message indicates a service permission for the device to access the service, the fourth message includes fifth information used for service permission determination by a third network function and an ID of a fifth algorithm for generating the fifth information, and the fifth information is generated according to common information between the second network function and the third network function.

In an implementation of the third aspect, the fifth information includes a service profile ID or information derived from the service profile ID.

In an implementation of the third aspect, before receiving the third message from the first network function, the method further includes: receiving a sixth message from the IDM function, where the sixth message is used for requesting information for computing the first information; and providing information to the IDM function, where the information provided by the second network function includes a nonce generated by the second network function.

According to a fourth aspect, there is provided a method for communication, and the method may be performed by a third network function or a chip installed in the third network function. The third network function is responsible for providing service to a device. The method includes: receiving a fifth message from a first network function, where the fifth message is used for requesting a service, and the fifth message includes second information, fifth information, a service ID, an ID of a second algorithm for generating the second information, and an ID of a fifth algorithm for generating the fifth information, the second information is used for user identification implemented by the third network, the second information is generated by an IDM function according to a the second algorithm and device’s ID (s) in at least one third network function; performing user identification and service permission determination, where the user identification is performed according to the second algorithm and the second information included in the fifth message and a device’s ID in the third network function, the service permission determination is performed by comparing the fifth information included in the fifth message and a second value and, and the second value is computed according to the fifth algorithm included in the fifth message and information that is only known by the second network function and the third network function; and providing the service to the device after successful user identification and successful service permission determination; where the first network function, the second network function and the third network function are provided by different providers.

In an implementation of the fourth aspect, the method further includes: sending an indication of successful provision to the first network function.

According to a fifth aspect, there is provided a method for communication, and the method may be performed by a first network function or a chip installed in the first network function. The first network function is responsible for service management. The method includes: sending a first message to a second network function, where the first message includes third information, an ID of a third algorithm and a service ID, the third information is generated by the first network function using the third algorithm according to information that is only known by the first network function and an IDM function, and the third information is used for user identification implemented by the IDM function; and receiving a second message from the second network function, where the second message includes second information, an ID of a second algorithm, fifth information and an ID of a fifth algorithm, the second information is used for user identification implemented by a third network function, the second information is generated by the IDM function according to a device’s ID in at least one third network function and the second algorithm, the fifth information is used for service permission determination implemented by the third network function, and the fifth information is generated by the second network function using the fifth algorithm according to information that is only known by the second network function and the third network function; where the first network function, the second network function and the third network function are provided by different providers.

In an implementation of the fifth aspect, the method further includes: sending a third message to the third network function, where the third message includes the second information, an ID of the second algorithm, the fifth information, an ID of the fifth algorithm and a service ID.

In an implementation of the fifth aspect, the method further includes: receiving an indication from the third network function, where the indication is used to indicate a successful service provision.

According to a sixth aspect, there is provided a method for communication, and the method may be performed by an IDM function. The method includes: receiving a fourth message from a second network function, where the fourth message includes third information and an ID of a third algorithm, the third information is generated by a first network function using the third algorithm according to information that is only known by the first network function and the IDM function; obtaining, using the third algorithm, a second ID of a device by performing user identification based on the third information and information that is only known by the first network function and the IDM function, and obtaining a first ID of the device according to the second ID; and generating second information using a second algorithm and a device’s ID in at least one third network function, where the second information is used for user identification implemented by the third network function; and sending a fifth message to the second network function, where the fifth message includes second information, an ID of the second algorithm, and a first ID of the device.

According to a seventh aspect, there is provided a method for communication. The method may be performed by a second network function or a chip installed in the second network function that is responsible for management on a service profile. The method includes: receiving a first message from a first network function, where the first message includes third information, an ID of a third algorithm and a service ID, and the third information is generated by the first network function using the third algorithm according to information that is only known by the first network function and an IDM function; sending a fourth message to the IDM function, where the fourth message includes the third information and the ID of the third algorithm; and receiving a fifth message from the IDM function, where the fifth message includes second information, an ID of a second algorithm and a first ID of the device, the second information is used for user identification implemented by a third network function, the second information is generated by the IDM function using the second algorithm according to a device’s ID in at least one third network function; where the first network function, the second network function and the third network function are provided by different providers.

In an implementation of the seventh aspect, the method where the method further includes: performing service permission determination by checking a service profile according to the service ID; validating the device and a service according to a service credential stored in the service profile; and generating, using a fifth algorithm, fifth information according to information that is only known by the second network function and the third network function, where the fifth information is used for service permission determination implemented by the third network function.

In an implementation of the seventh aspect, the method further includes: sending a second message to the first network function, where the second message includes the second information, the fifth information, an ID of the second algorithm, and an ID of the fifth algorithm.

According to an eighth aspect, there is provided a method for communication. The method may be performed by a third network function that is responsible for providing service to a device. The method includes: receiving a third message from a first network function, where the third message includes second information, an ID of a second algorithm, fifth information, an ID of a fifth algorithm and a service ID, the second information is generated by an IDM function using the second algorithm according to a device’s ID in at least one third network function, and the fifth information is generated by the second network function using the fifth algorithm according to information that is only known by the second network function and the third network function; and performing user identification and service permission determination, where the user identification is performed according to the second information and the second algorithm, and the service permission determination is performed according to the fifth information and the fifth algorithm.

In an implementation of the eighth aspect, the method further includes: sending an indication of a successful service provision in case of that the user identification and the service permission determination is successful; or sending an indication of service rejection for the device to access the service.

According to a ninth aspect, there is provided a communication apparatus having a function or module to perform the method in any one of the first aspect to the eighth aspect, or any one of the implementations in these aspects.

According to a tenth aspect, there is provided a chip (or a chip system) . The chip includes at least one processor, the at least one processor is coupled to at least one memory. The at least one memory is configured to store one or more instructions and/or executable computer code. The at least one processor is configured to invoke the one or more instructions and/or executable computer code, so that a communication apparatus installed the chip performs the method in any one of the first aspect to the eighth aspect, or any possible implementation in these aspects. Optionally, the chip may further include the at least one memory. Optionally, the chip may further include a communication interface, and the communication interface is configured to input and/or output information or data.

According to an eleventh aspect, there is provided a communication apparatus. The communication apparatus includes one or more circuits and one or more communication interfaces. The one or more communication interfaces may include a first interface for receiving (that is, inputting) information and/or data that is to be processed by the one or more circuits and a second interface for transmitting (that is, outputting) information and/or data processed by the one or more circuit. The one or more circuits are configured to process the information and/or data that is to be processed so that the communication apparatus performs the method in any one of the first aspect to the eighth aspect, or any one of the implementations in these aspects.

According to a twelfth aspect, there is provided a communication system. The communication system may include the communication apparatus according to the ninth aspect or the eleventh aspect. For example, the communication system may include the one or more of: the IDM function, the first network function, the second network function or the second network function. The communication system may further include a device.

According to a thirteenth aspect, there is provided a computer storage medium that stores executable computer code, and the executable computer code is used to execute one or more instructions for the method according to the first aspect or any possible implementation of the first aspect, or the second aspect or any possible implementation of the second aspect.

According to a fourteenth aspect, there is provided a computer program product including one or more instructions, and when the computer product program runs on a computer, the computer performs the method according to the first aspect or any possible implementation of the first aspect, or the second aspect or any possible implementation of the second aspect.

DESCRIPTION OF DRAWINGS

One or more embodiments are exemplarily described by corresponding accompanying drawings, and these exemplary illustrations and accompanying drawings constitute no limitation on the embodiments. Elements with the same reference numerals in the accompanying drawings are illustrated as similar elements, and the drawings are not limited to scale, in which:

FIG. 1 is a schematic diagram of an application scenario according to an embodiment of the present application.

FIG. 2 illustrates an example of a communication system.

FIG. 3 illustrates another example of an electronic device (ED) and a base station.

FIG. 4 is an example of a channel model of a MIMO system.

FIG. 5 is an example of 6G system conceptual structure.

FIG. 6 is a scenario of a general data storage system.

FIG. 7 is a scenario of user identification triggered by a data service management function.

FIG. 8 is a schematic flow chart of a method for communication according to some embodiments of the present application.

FIG. 9 is a scenario of user identification triggered by a data service profile management function.

FIG. 10 is a schematic flow chart of a method for communication according to some embodiments of the present application.

FIG. 11 is an example of a network topology of the present application.

FIG. 12 is an example of a procedure of user identification according to some embodiments of the present application.

FIG. 13 is an example of a procedure of user identification according to some embodiments of the present application.

FIG. 14 is an example of a procedure of user identification according to some embodiments of the present application.

FIG. 15 is an example of a procedure of user identification according to some embodiments of the present application.

FIG. 16 is a schematic block diagram of a communication apparatus 10 according to an embodiment of the present application.

FIG. 17 is a schematic block diagram of a communication apparatus 10 according to an embodiment of the present application.

DESCRIPTION OF EMBODIMENTS

In order to understand features and technical contents of embodiments of the present application in detail, implementations of the embodiments of the present application will be described in detail below with reference to the accompanying drawings, and the attached drawings are only for reference and illustration purposes, and are not intended to limit the embodiments of the present applications. In the following technical descriptions, for ease of explanation, numerous details are set forth to provide a thorough understanding of the disclosed embodiments.

The present application relates generally to wireless communications. Many new trends will trigger the consideration and design of a future wireless network, for example, a 6th generation (6G) wireless network. The 6G wireless communication proposed may meet the following requirements:

-new network infrastructure capability, e.g., cloud natured/friendly infrastructures that are broadly deployed;

-new (relative) matured techniques, e.g., artificial intelligence (AI) large scale models, data de-privacy, block chain, etc. that have made significant progresses and significantly impact on the entire society and human life;

-new apps and services, e.g., AI services, data (sensing) service, digital world service, etc. that are broadly applied in industry/business and used by individual customers;

-more global/open/collaborative operation trend, i.e., a more open and more collaborative operation mode are becoming common practice in many fields.

New expectation and stricter requirements on future networks also drive rethinking and development of new generation of wireless networks. These requirements may include:

-privacy and trustworthiness, etc;

-simplified standardization;

-rapid deployment;

-etc.

All of the above drives 6G network architecture research work. The proposed 6G network architecture (X-centric) are service-based architectures (SBA) (XaaS service) based and cloud-native. Requirements to 6G system network architecture design may include:

-the proposed 6G network architecture needs to support new 6G services which could be developed/deployed by 3rd parties;

-the proposed 6G network architecture needs to embrace more open ecosystem to open door to technical capable 3rd parties; and

-the proposed 6G network architecture needs to enable better trustworthiness management.

A solution to enable above requirements is needed.

Cloud-based storage services have been an outsourcing solution for both individuals and organizations to share data digitally. Despite the advantages, users must rely on storage services for data confidentiality, data access control, user privacy and data availability. Advanced encrypting algorithms can protect data confidentiality, but cloud-based servers could retrieve shared encryption keys, and have knowledges of data. What’s more, the identity of a user is often known to the services to verify its eligibility to access requested data according to the access control, thus making the user traceable in the data storage system. More importantly, lack of anonymous may make users reluctant to use such services in sensitive contexts.

we decouple service ID with user ID by introducing a new function of IDM. Service profile is stored in data service profile (which is a unified data management (UDM) function) , and temporary IDs are stored in an IDM. So that it could protect service privacy and user privacy.

The present application introduces user identification material (for example, info1 and info2 which will be elaborated in the following embodiments) to replace temporary IDs for communications, so that it is un-linkable with temporary IDs.

The present application introduces service permission identification material (for example, info5 which will be elaborated in the following embodiments) to ensure that the user subscribes the service with a data SP. Beneficial technical effects includes following ones:

(1) enhance privacy protection: decouple service subscription with ID profile, it could protect service privacy and ID privacy, and temporary IDs are replaced so that it could be un-linkable for IDs to a specific user.

(2) security: service permission identification material (i.e. info5) is used to enable the data SP to have a capability to verify the service permission.

(3) flexibility: data service management function and data service profile management function are responsible for service selection on behalf of user and service authorization on behalf of data SP. It is easy flexible for multiple service provider (SP) to join in the system.

Referring to FIG. 1, as an illustrative example without limitation, a simplified schematic illustration of a communication system is provided. The communication system 100 comprises a radio access network 120. The radio access network 120 may be a next generation (e.g. sixth generation (6G) or later) radio access network, or a legacy (e.g. 5G or 4G) radio access network. One or more communication electronic devices (EDs) 110a, 110b, 110c, 110d, 110e, 110f, 110g, 110h, 110i, 110j (generically referred to as 110) may be interconnected to one another or connected to one or more network nodes (170a, 170b, generically referred to as 170) in the radio access network 120. A core network 130 may be a part of the communication system and may be dependent or independent of the radio access technology used in the communication system 100. The communication system 100 also includes a public switched telephone network (PSTN) 140, the internet 150, and other networks 160.

FIG. 2 illustrates an example communication system 100. In general, the communication system 100 enables multiple wireless or wired elements to communicate data and other content. The purpose of the communication system 100 may be to provide content, such as voice, data, video, and/or text, via broadcast, multicast, groupcast, unicast, etc. The communication system 100 may operate by sharing resources, such as carrier spectrum bandwidth, between its constituent elements. The communication system 100 may include a terrestrial communication system and/or a non-terrestrial communication system. The communication system 100 may provide a wide range of communication services and applications (such as earth monitoring, remote sensing, passive sensing and positioning, navigation and tracking, autonomous delivery and mobility, etc. ) . The communication system 100 may provide a high degree of availability and robustness through a joint operation of a terrestrial communication system and a non-terrestrial communication system. For example, integrating a non-terrestrial communication system (or components thereof) into a terrestrial communication system can result in what may be considered a heterogeneous network comprising multiple layers. Compared to conventional communication networks, the heterogeneous network may achieve better overall performance through efficient multi-link joint operation, more flexible functionality sharing, and faster physical layer link switching between terrestrial networks and non-terrestrial networks.

The terrestrial communication system and the non-terrestrial communication system could be considered sub-systems of the communication system. In the example shown in FIG. 5, the communication system 100 includes electronic devices (ED) 110a, 110b, 110c, 110d (generically referred to as ED 110) , radio access networks (RANs) 120a, 120b, a non-terrestrial communication network 120c, a core network 130, a public switched telephone network (PSTN) 140, the Internet 150, and other networks 160. The RANs 120a, 120b include respective base stations (BSs) 170a, 170b, which may be generically referred to as terrestrial transmit and receive points (T-TRPs) 170a, 170b. The non-terrestrial communication network 120c includes an access node 172, which may be generically referred to as a non-terrestrial transmit and receive point (NT-TRP) 172.

Any ED 110 may be alternatively or additionally configured to interface, access, or communicate with any T-TRP 170a, 170b and NT-TRP 172, the Internet 150, the core network 130, the PSTN 140, the other networks 160, or any combination of the preceding. In some examples, ED 110a may communicate an uplink and/or downlink transmission over a terrestrial air interface 190a with T-TRP 170a. In some examples, the EDs 110a, 110b, 110c, and 110d may also communicate directly with one another via one or more sidelink air interfaces 190b. In some examples, ED 110d may communicate an uplink and/or downlink transmission over a non-terrestrial air interface 190c with NT-TRP 172.

The air interfaces 190a and 190b may use similar communication technology, such as any suitable radio access technology. For example, the communication system 100 may implement one or more channel access methods, such as code division multiple access (CDMA) , space division multiple access (SDMA) , time division multiple access (TDMA) , frequency division multiple access (FDMA) , orthogonal FDMA (OFDMA) , or single-carrier FDMA (SC-FDMA, also known as discrete Fourier transform spread OFDMA, DFT-s-OFDMA) in the air interfaces 190a and 190b. The air interfaces 190a and 190b may utilize other higher dimension signal spaces, which may involve a combination of orthogonal and/or non-orthogonal dimensions.

The non-terrestrial air interface 190c can enable communication between the ED 110d and one or multiple NT-TRPs 172 via a wireless link or simply a link. For some examples, the link is a dedicated connection for unicast transmission, a connection for broadcast transmission, or a connection between a group of EDs 110 and one or multiple NT-TRPs 172 for multicast transmission.

The RANs 120a and 120b are in communication with the core network 130 to provide the EDs 110a 110b, and 110c with various services such as voice, data, and other services. The RANs 120a and 120b and/or the core network 130 may be in direct or indirect communication with one or more other RANs (not shown) , which may or may not be directly served by core network 130, and may or may not employ the same radio access technology as RAN 120a, RAN 120b or both. The core network 130 may also serve as a gateway access between (i) the RANs 120a and 120b or EDs 110a 110b, and 110c or both, and (ii) other networks (such as the PSTN 140, the Internet 150, and the other networks 160) . In addition, some or all of the EDs 110a 110b, and 110c may include functionality for communicating with different wireless networks over different wireless links using different wireless technologies and/or protocols. Instead of wireless communication (or in addition thereto) , the EDs 110a 110b, and 110c may communicate via wired communication channels to a service provider or switch (not shown) , and to the Internet 150. PSTN 140 may include circuit switched telephone networks for providing plain old telephone service (POTS) . Internet 150 may include a network of computers and subnets (intranets) or both, and incorporate protocols, such as Internet Protocol (IP) , Transmission Control Protocol (TCP) , User Datagram Protocol (UDP) . EDs 110a 110b, and 110c may be multimode devices capable of operation according to multiple radio access technologies, and incorporate multiple transceivers necessary to support such.

FIG. 3 illustrates another example of an ED 110 and a base station 170a, 170b and/or 170c. The ED 110 is used to connect persons, objects, machines, etc. The ED 110 may be widely used in various scenarios including, for example, cellular communications, device-to-device (D2D) , vehicle to everything (V2X) , peer-to-peer (P2P) , machine-to-machine (M2M) , machine-type communications (MTC) , internet of things (IoT) , virtual reality (VR) , augmented reality (AR) , mixed reality (MR) , metaverse, digital twin, industrial control, self-driving, remote medical, smart grid, smart furniture, smart office, smart wearable, smart transportation, smart city, drones, robots, remote sensing, passive sensing, positioning, navigation and tracking, autonomous delivery and mobility, etc.

Each ED 110 represents any suitable end user device for wireless operation and may include such devices (or may be referred to) as a user equipment/device (UE) , a wireless transmit/receive unit (WTRU) , a mobile station, a fixed or mobile subscriber unit, a cellular telephone, a station (STA) , a machine type communication (MTC) device, a personal digital assistant (PDA) , a smartphone, a laptop, a computer, a tablet, a wireless sensor, a consumer electronics device, a smart book, a vehicle, a car, a truck, a bus, a train, or an IoT device, wearable devices (such as a watch, a pair of glasses, head mounted equipment, etc. ) , an industrial device, or an apparatus in (e.g. communication module, modem, or chip) or comprising the forgoing devices, among other possibilities. Future generation EDs 110 may be referred to using other terms. The base station 170a and 170b is a T-TRP and will hereafter be referred to as T-TRP 170. Also shown in FIG. 3, a NT-TRP will hereafter be referred to as NT-TRP 172. Each ED 110 connected to T-TRP 170 and/or NT-TRP 172 can be dynamically or semi-statically turned-on (i.e., established, activated, or enabled) , turned-off (i.e., released, deactivated, or disabled) and/or configured in response to one of more of: connection availability and connection necessity.

The ED 110 includes a transmitter 201 and a receiver 203 coupled to one or more antennas 204. Only one antenna 204 is illustrated to avoid congestion in the drawing. One, some, or all of the antennas 204 may alternatively be panels. The transmitter 201 and the receiver 203 may be integrated, e.g. as a transceiver. The transceiver is configured to modulate data or other content for transmission by at least one antenna 204 or network interface controller (NIC) . The transceiver is also configured to demodulate data or other content received by the at least one antenna 204. Each transceiver includes any suitable structure for generating signals for wireless or wired transmission and/or processing signals received wirelessly or by wire. Each antenna 204 includes any suitable structure for transmitting and/or receiving wireless or wired signals.

The ED 110 includes at least one memory 208. The memory 208 stores instructions and data used, generated, or collected by the ED 110. For example, the memory 208 could store software instructions or modules configured to implement some or all of the functionality and/or embodiments described herein and that are executed by one or more processing unit (s) (e.g., a processor 210) . Each memory 208 includes any suitable volatile and/or non-volatile storage and retrieval device (s) . Any suitable type of memory may be used, such as random access memory (RAM) , read only memory (ROM) , hard disk, optical disc, subscriber identity module (SIM) card, memory stick, secure digital (SD) memory card, on-processor cache, and the like.

The ED 110 may further include one or more input/output devices (not shown) or interfaces (such as a wired interface to the Internet 150 in FIG. 1) . The input/output devices or interfaces permit interaction with a user or other devices in the network. Each input/output device or interface includes any suitable structure for providing information to or receiving information from a user, and/or for network interface communications. Suitable structures include, for example, a speaker, microphone, keypad, keyboard, display, touch screen, etc.

The ED 110 includes the processor 210 for performing operations including those operations related to preparing a transmission for uplink transmission to the NT-TRP 172 and/or the T-TRP 170; those operations related to processing downlink transmissions received from the NT-TRP 172 and/or the T-TRP 170; and those operations related to processing sidelink transmission to and from another ED 110. Processing operations related to preparing a transmission for uplink transmission may include operations such as encoding, modulating, transmit beamforming, and generating symbols for transmission. Processing operations related to processing downlink transmissions may include operations such as receive beamforming, demodulating and decoding received symbols. Depending upon the embodiment, a downlink transmission may be received by the receiver 203, possibly using receive beamforming, and the processor 210 may extract signaling from the downlink transmission (e.g. by detecting and/or decoding the signaling) . An example of signaling may be a reference signal transmitted by the NT-TRP 172 and/or by the T-TRP 170. In some embodiments, the processor 210 implements the transmit beamforming and/or the receive beamforming based on the indication of beam direction, e.g. beam angle information (BAI) , received from the T-TRP 170. In some embodiments, the processor 210 may perform operations relating to network access (e.g. initial access) and/or downlink synchronization, such as operations relating to detecting a synchronization sequence, decoding and obtaining the system information, etc. In some embodiments, the processor 210 may perform channel estimation, e.g. using a reference signal received from the NT-TRP 172 and/or from the T-TRP 170.

Although not illustrated, the processor 210 may form part of the transmitter 201 and/or part of the receiver 203. Although not illustrated, the memory 208 may form part of the processor 210.

The processor 210, the processing components of the transmitter 201, and the processing components of the receiver 203 may each be implemented by the same or different one or more processors that are configured to execute instructions stored in a memory (e.g. in the memory 208) . Alternatively, some or all of the processor 210, the processing components of the transmitter 201, and the processing components of the receiver 203 may each be implemented using dedicated circuitry, such as a programmed field-programmable gate array (FPGA) , an application-specific integrated circuit (ASIC) , or a hardware accelerator such as a graphics processing unit (GPU) or an artificial intelligence (AI) accelerator.

The T-TRP 170 may be known by other names in some implementations, such as a base station, a base transceiver station (BTS) , a radio base station, a network node, a network device, a device on the network side, a transmit/receive node, a Node B, an evolved NodeB (eNodeB or eNB) , a Home eNodeB, a next Generation NodeB (gNB) , a transmission point (TP) , a site controller, an access point (AP) , a wireless router, a relay station, a terrestrial node, a terrestrial network device, a terrestrial base station, a base band unit (BBU) , a remote radio unit (RRU) , an active antenna unit (AAU) , a remote radio head (RRH) , a central unit (CU) , a distributed unit (DU) , a positioning node, among other possibilities. The T- TRP 170 may be a macro BS, a pico BS, a relay node, a donor node, or the like, or combinations thereof. The T-TRP 170 may refer to the forgoing devices or refer to apparatus (e.g. a communication module, a modem, or a chip) in the forgoing devices.

In some embodiments, the parts of the T-TRP 170 may be distributed. For example, some of the modules of the T-TRP 170 may be located remote from the equipment that houses the antennas 256 for the T-TRP 170, and may be coupled to the equipment that houses the antennas 256 over a communication link (not shown) sometimes known as front haul, such as common public radio interface (CPRI) . Therefore, in some embodiments, the term T-TRP 170 may also refer to modules on the network side that perform processing operations, such as determining the location of the ED 110, resource allocation (scheduling) , message generation, and encoding/decoding, and that are not necessarily part of the equipment that houses the antennas 256 of the T-TRP 170. The modules may also be coupled to other T-TRPs. In some embodiments, the T-TRP 170 may actually be a plurality of T-TRPs that are operating together to serve the ED 110, e.g. through the use of coordinated multipoint transmissions.

The T-TRP 170 includes at least one transmitter 252 and at least one receiver 254 coupled to one or more antennas 256. Only one antenna 256 is illustrated to avoid congestion in the drawing. One, some, or all of the antennas 256 may alternatively be panels. The transmitter 252 and the receiver 254 may be integrated as a transceiver. The T-TRP 170 further includes a processor 260 for performing operations including those related to: preparing a transmission for downlink transmission to the ED 110, processing an uplink transmission received from the ED 110, preparing a transmission for backhaul transmission to the NT-TRP 172, and processing a transmission received over backhaul from the NT-TRP 172. Processing operations related to preparing a transmission for downlink or backhaul transmission may include operations such as encoding, modulating, precoding (e.g. multiple input multiple output (MIMO) precoding) , transmit beamforming, and generating symbols for transmission. Processing operations related to processing received transmissions in the uplink or over backhaul may include operations such as receive beamforming, demodulating received symbols, and decoding received symbols. The processor 260 may also perform operations relating to network access (e.g. initial access) and/or downlink synchronization, such as generating the content of synchronization signal blocks (SSBs) , generating the system information, etc. In some embodiments, the processor 260 also generates an indication of beam direction, e.g. BAI, which may be scheduled for transmission by a scheduler 253. The processor 260 performs other network-side processing operations described herein, such as determining the location of the ED 110, determining where to deploy the NT-TRP 172, etc. In some embodiments, the processor 260 may generate signaling, e.g. to configure one or more parameters of the ED 110 and/or one or more parameters of the NT-TRP 172. Any signaling generated by the processor 260 is sent by the transmitter 252. Note that “signaling” , as used herein, may alternatively be called control signaling. Signaling may be transmitted in a physical layer control channel, e.g. a physical downlink control channel (PDCCH) , in which case the signaling may be known as dynamic signaling. Signaling transmitted in a downlink physical layer control channel may be known as Downlink Control Information (DCI) . Siganling transmitted in an uplink physical layer control channel may be known as Uplink Control Information (UCI) . Signaling transmitted in a sidelink physical layer control channel may be known as Sidelink Control Information (SCI) . Signaling may be included in a higher-layer (e.g., higher than physical layer) packet transmitted in a physical layer data channel, e.g. in a physical downlink shared channel (PDSCH) , in which case the signaling may be known as higher-layer signaling, static signaling, or semi-static signaling. Higher-layer signaling may also refer to Radio Resource Control (RRC) protocol signaling or Media Access Control –Control Element (MAC-CE) signaling.

The scheduler 253 may be coupled to the processor 260. The scheduler 253 may be included within or operated separately from the T-TRP 170. The scheduler 253 may schedule uplink, downlink, sidelink, and/or backhaul transmissions, including issuing scheduling grants and/or configuring scheduling-free (e.g., “configured grant” ) resources. The T-TRP 170 further includes a memory 258 for storing information and data. The memory 258 stores instructions and data used, generated, or collected by the T-TRP 170. For example, the memory 258 could store software instructions or modules configured to implement some or all of the functionality and/or embodiments described herein and that are executed by the processor 260.

Although not illustrated, the processor 260 may form part of the transmitter 252 and/or part of the receiver 254. Also, although not illustrated, the processor 260 may implement the scheduler 253. Although not illustrated, the memory 258 may form part of the processor 260.

The processor 260, the scheduler 253, the processing components of the transmitter 252, and the processing components of the receiver 254 may each be implemented by the same or different one or more processors that are configured to execute instructions stored in a memory, e.g. in the memory 258. Alternatively, some or all of the processor 260, the scheduler 253, the processing components of the transmitter 252, and the processing components of the receiver 254 may be implemented using dedicated circuitry, such as a programmed FPGA, a hardware accelerator (e.g., a GPU or AI accelerator) , or an ASIC.

Although the NT-TRP 172 is illustrated as a drone only as an example, the NT-TRP 172 may be implemented in any suitable non-terrestrial form, such as satellites and high altitude platforms, including international mobile telecommunication base stations and unmanned aerial vehicles, for example. Also, the NT-TRP 172 may be known by other names in some implementations, such as a non-terrestrial node, a non-terrestrial network device, or a non-terrestrial base station. The NT-TRP 172 includes a transmitter 272 and a receiver 274 coupled to one or more antennas 280. Only one antenna 280 is illustrated to avoid congestion in the drawing. One, some, or all of the antennas may alternatively be panels. The transmitter 272 and the receiver 274 may be integrated as a transceiver. The NT-TRP 172 further includes a processor 276 for performing operations including those related to: preparing a transmission for downlink transmission to the ED 110, processing an uplink transmission received from the ED 110, preparing a transmission for backhaul transmission to T-TRP 170, and processing a transmission received over backhaul from the T-TRP 170. Processing operations related to preparing a transmission for downlink or backhaul transmission may include operations such as encoding, modulating, precoding (e.g. MIMO precoding) , transmit beamforming, and generating symbols for transmission. Processing operations related to processing received transmissions in the uplink or over backhaul may include operations such as receive beamforming, demodulating received symbols, and decoding received symbols. In some embodiments, the processor 276 implements the transmit beamforming and/or receive beamforming based on beam direction information (e.g. BAI) received from the T-TRP 170. In some embodiments, the processor 276 may generate signaling, e.g. to configure one or more parameters of the ED 110. In some embodiments, the NT-TRP 172 implements physical layer processing, but does not implement higher layer functions such as functions at the medium access control (MAC) or radio link control (RLC) layer. As this is only an example, more generally, the NT-TRP 172 may implement higher layer functions in addition to physical layer processing.

The NT-TRP 172 further includes a memory 278 for storing information and data. Although not illustrated, the processor 276 may form part of the transmitter 272 and/or part of the receiver 274. Although not illustrated, the memory 278 may form part of the processor 276.

The processor 276, the processing components of the transmitter 272, and the processing components of the receiver 274 may each be implemented by the same or different one or more processors that are configured to execute instructions stored in a memory, e.g. in the memory 278. Alternatively, some or all of the processor 276, the processing components of the transmitter 272, and the processing components of the receiver 274 may be implemented using dedicated circuitry, such as a programmed FPGA, a hardware accelerator (e.g., a GPU or AI accelerator) , or an ASIC. In some embodiments, the NT-TRP 172 may actually be a plurality of NT-TRPs that are operating together to serve the ED 110, e.g. through coordinated multipoint transmissions.

The T-TRP 170, the NT-TRP 172, and/or the ED 110 may include other components, but these have been omitted for the sake of clarity.

One or more steps of the embodiment methods provided herein may be performed by corresponding units or modules, according to FIG. 4. FIG. 4 illustrates units or modules in a device, such as in the ED 110, in the T-TRP 170, or in the NT-TRP 172. For example, a signal may be transmitted by a transmitting unit or by a transmitting module. A signal may be received by a receiving unit or by a receiving module. A signal may be processed by a processing unit or a processing module. Other steps may be performed by an artificial intelligence (AI) or machine learning (ML) module. The respective units or modules may be implemented using hardware, one or more components or devices that execute software, or a combination thereof. For instance, one or more of the units or modules may be a circuit such as an integrated circuit. Examples of an integrated circuit includes a programmed FPGA, a GPU, or an ASIC. For instance, one or more of the units or modules may be logical such as a logical function performed by a circuit, by a portion of an integrated circuit, or by software instructions executed by a processor. It will be appreciated that where the modules are implemented using software for execution by a processor for example, the modules may be retrieved by a processor, in whole or part as needed, individually or together for processing, in single or multiple instances, and that the modules themselves may include instructions for further deployment and instantiation.

Additional details regarding the EDs 110, the T-TRP 170, and the NT-TRP 172 are known to those of skill in the art. As such, these details are omitted here.

The solution described in the present application is applicable to a next generation (e.g. 6G or later) network, or a legacy (e.g. 5G or 4G) network.

The proposed 6G system architecture is defined to support 6G XaaS services by using techniques such as network function virtualization and network slicing. The 6G system architecture utilizes service-based interactions between 6G services.

The 6G system leverages service-based architecture and XaaS concept. XaaS services in the 6G system are categorized into three layers. The 6G system conceptual structure is shown in FIG. 5.

Infrastructure layer includes infrastructures supporting 6G services. Among them are wireless networks infrastructures (for example, RAN, CN) , cloud/data center infrastructures, satellite networks, storage/database infrastructures, sensing networks, and etc. These infrastructures can be provided by a single provider or by multiple providers.

Each of the infrastructures could have its control and management functions, denoted as control and management (C/M) functions, for infrastructure management. Each of these infrastructures is one type of infrastructure as a service.

The C /M layer includes control and management services of the 6G system. They are developed and deployed by using slicing techniques and utilizing resource provided by infrastructure layer. The 6G services in the C/M layer may include:

-resource management (RM) as a service provides a capability of life-cycle management of a variety of slices and over-the-air resource assignment to wireless devices;

-a 6G mission is defined as a service provided to customers by the 6G system. A mission can be a type of services which is provided by a single 6G XaaS service or a type of services that needs contributions from multiple XaaS services.

-mission management (MM) as a service provides a capability to program provisioning of XaaS services at service layer to provide mission services.

-confederation network (CONET) as a service provides a capability to enable multiple partners jointly provide 6G services. This capability is provided by confederation formation, mutual authentication, mutual authorization among partners and negotiation of agreement on recording and retracing of selected actions performed by partners, in order to assure a trustworthy environment of 6G system operations.

-service provisioning management (SPM) as a service provides a capability of control and management of 6G service access by customers and provisioning of requested services. The capability is provided by unified mutual authentication, authorization and policy, key management, quality of service (QoS) assurance and charging between any pair of XaaS service provider and customer. The customers include end-customers not only in physical world, but also digital representatives in digital world.

-connectivity management (CM) as a service leverages 5G connectivity management functions, but with extension to include digital world.

-protocol as a service provides a capability to design service customized protocol stacks for identified interfaces.

-The protocol stacks could be pre-defined for on-demand selection, or could be on-demand designed.

-network security as a service provides a capability for owners of infrastructures to detect potential security risks of their infrastructures.

-XaaS services in C/M layer support control and management of the 6G system itself and also provide support to verticals if requested. One example is that RM service can serve RAN for over-the-air resource management and can also provide service to a vertical for the vertical’s over-the-air resource allocation to its end-customers. The XaaS in C/M layer can be deployed by using slicing technique.

Service layer includes 6G services which provide services to customers. In the 6G system conceptual structure:

-AI service is denoted as NET4AI as a service. Artificial Intelligence service provides AI capability to support a variety of AI applications.

-service of data collection, data sanitization, data analysis and data delivery are denoted as DAM as a service, this service provides a capability of lifecycle management of statistic data, including acquisition, de-privatization, analysis and delivery of data which are information statistic data from any types of sensors, devices, network functions, and etc.

-service of storage and sharing of data is denoted as NET4Data as a Service, this service provides a capability to trustworthily storage and share data under the control of owners of data and following recognized authorities’ regulations on control of identified data.

-service to provide digital world is denoted as NET4DW as a Service, Digital World service provides a capability to construct, control and manage digital world. Digital world is defined as digital realization of physical world.

-6G block chain service is denoted as NET4BC as a Service. 6G connectivity service is denoted as NET4Con as a Service. This service provides a capability to support 6G block chain services.

-enhanced connectivity service, e.g., network for connectivity (NET4CON) as a service. This service provides a capability to support exchange of messages and data among new 6G services.

All XaaS services at this Layer are developed and deployed by using resource provided in infrastructure and utilizing Network Function Virtualization and Slicing techniques. The capability of each of 6G services is provided by its control and management functions and service specific data process functions.

In addition to support 6G XaaS services at Service Layer, 6G system leverages a 5G system for provisioning of vertical services. The difference between 6G XaaS services and other verticals are that a vertical is a pure customer which needs other XaaS services to enable its operation, while each of XaaS services provide their capabilities to 6G customers.

Any pair of XaaS services of the 6G system could also be mutual customer and provider of each other. Some of example are that an infrastructure owner provides its resource to XaaS services in Service Layer and C/M Layer; RM services may need the capabilities provided by NET4AI, DAM and NET4DW for its resource management for vertical slicing; CONET service and NET4Data service may need the capability provided by NET4BC for their operation.

The key concepts of 6G system may include:

-define basic XaaS services by decoupling comprehensive types of services into basic XaaS services. A basic XaaS service provides unique capability to enable a specific type of service, such as NET4AI service, NET4DW service, DAM service, NET4Data service, Block chain service, mission management service, etc.

-allow joint operation of the 6G system by multiple partners.

-define data plane of the 6G system which includes processing functions of data plane of XaaS services. Programing the interconnection of these functions, by mission management service, enables to support a variety of customized customer services.

-simplify the 6G system architecture by categorizing basic control services and management services and combining them as basic XaaS services in control and management (C/M) Layer.

-define C/M plane of the 6G system which includes C/M functions in XaaS services and may include 5G CP (e.g., AMF) depending on implementation options.

-define a basic architecture structure (BAS) which is a unified basic structure with minimized number of interfaces and is independent of types of infrastructures.

-simplify standardization, development and deployment of the 6G system using the BAS concept, while supporting a variety of infrastructure deployment scenarios.

-adapt to a variety of deployment scenarios by applying the BAS or a subset of it to infrastructures based on capability, capacity and requirement of the infrastructure networks.

-leverage SBI interface concept and apply SBI interaction in both 6G C/M plane and 6G data plane.

-simplify SBI interfaces by introducing trustworthy GWs in data plane and C/M plane of the 6G system.

-improve trustworthiness from perspectives of operation of the 6G system by introducing CONET capability, NET4BC capability and anonymous service provisioning provided by the trustworthy GWs in the C/M plane and data plane of the 6G system.

-improve trustworthiness from perspective of end customer privacy protection by unified mutual authentication, IDM, data sanitization and etc. provided by SPM service, DAM service and 6G block chain service.

-simplify roaming management of wireless devices, in physical world and digital world, by unified authentication including all participated partners and customers.

-support multiple development paths from 5G system to the 6G system by defining multiple architecture options without incurring much efforts due to the introduction of the BAS concept.

-support backward compatibility by utilizing benefits of SBA and its add-on feature. 5G users can use the 6G system to access 5G services.

-support future extension by adding new XaaS services with minimized impact on standardization and deployment, due to the introduced anonymous service provisioning concept implemented in trustworthy GWs in 6G C/M plane and in 6G data plane.

Related technologies and concepts are introduced here firstly in order to have a better understanding of technical solutions proposed by the present application.

The present application focuses on user identification when a user requests a service in a network. It is assumed that a user subscribes the service with the help of a third party or network.

A cloud-based storage service has been an outsourcing solution for both individuals and organizations to share data digitally. Despite the advantages, users must rely on storage services, data access control, user privacy and data availability for data confidentiality. Advanced encrypting algorithms can protect data confidentiality, but cloud-based servers could retrieve shared encryption keys, and have knowledge of data. What is more, the identity of a user is often known to the services to verify its eligibility to access requested data according to the access control, thus making the user traceable in the data storage system. More importantly, the lack of anonymity may make users reluctant to use such services in sensitive contexts. Note that, the cloud-based storage service is just an example of a scenario where the user’s ID privacy exists.

FIG. 6 is a scenario of a general data storage system. The general data storage system can provide data storage services. This data could be private data, confidential data, public data, and so on. This system includes a data service management function, a data service profile management function, a data service provider (SP) and an identifier management (IDM) function. These functions are deployed by different providers. The data service management function is responsible for service selection, service session creation, service session release. The data service profile management function is responsible for management on a service profile. The data service provider (SP) provides a service to a user. The IDM function is responsible for ID mapping, storing an ID’s credential used for authentication. To avoid the user being traced by different providers, temporary IDs are assigned to the user and these temporary IDs are used for communication with different entities or NFs. For example, an ID2 is assigned to the user for communications in data service management function, an ID1 is assigned to the user for communications in data service profile management function, an ID3 is assigned to the user for communication in data SP1, and an ID5 is assigned to the user for communications in data SP2. These temporary IDs are stored in the IDM function, and cannot be linked by the data service management function, the data service profile management function or the data SP.

The user’s real ID is stored in the IDM function, but the IDM function is interested in what service the user is subscribed. The data service management function honestly executes service provision process and responds to a user’s request, but is curious about user’s privacy, for example, the user’s real identities. The data service profile management function may send a fake service subscription, which results in misleading the data service management function, at the same time the data service profile management function is curious about user’s privacy, like user’s real identities. Data SPs are curious about the users who access their services frequently. Data SPs could be trusted to provide services to users. The data SP could provide different services for the user. A specific service could be provided by different providers.

As shown in the FIG. 6, the user requests a service from the data service management function with ID2. The data service management function could identify the ID2 of the user and a service ID for the service. The data service management sends a request to the data service profile management function with the ID2 of the user and the service ID. The data service profile management function cannot identify the ID2 of the user and then the data service profile management function sends an ID mapping request to the IDM function with the ID2 of the user. The IDM function sends an ID1 of the user back to the data service profile management function. Later, the data service profile management function checks the user’s service profile and sends back an indication of permission on accessing the service. After that, the data service management function sends a request to a data SP with the ID2 of the user and the service ID. Similarly, the data SP sends an ID mapping request with the ID2 of the user to the IDM function, and obtains an ID3 of the user. The data SP identifies the user according to the ID3, and provides services to the user.

In some cases, the data service management function sends an ID mapping request to the IDM function, and the request includes ID2, an ID of the data service profile management function, an ID of the data SP. In these cases, the data service management function obtains ID1 and ID3 from the IDM function. Secondly, the data service management function sends a request to the data service profile management function with the ID1 and the service ID, and obtains an indication of permission on accessing the service. Later, the data service management function sends a request to a data SP with the ID3 and the service ID, and the data SP provides the service to the user. Temporary IDs are used to protect user’s ID privacy, but the solution using the temporary IDs still has the following issues when identifying the user: (1) linkability (or traceability) of the temporary IDs may leak user’s ID privacy; (2) the data service profile management function may send a fake indication of permission on access to the service since the data SP has no capability to verify the indication.

To solve these issues, the present application provides a method that enables entities could identify a user with different temporary IDs and protects user ID privacy at the same time. Further, the method could protect service privacy.

The method proposed by the present application can be used in a system including an IDM function, a first network function, a second network function and a third network function. The system may further include other network functions, for example, a service log server, which is not limited.

The responsibilities of these network functions are as follows.

The first network function is responsible for: service identification; service session management, for example, service session creation, service session revoke, and so on; setting up or configuring a secure tunnel between a user and a service provider (refers to the third network function in the present application) .

The second network function is responsible for: user subscription registration; maintaining a list of user’s service profiles; user identification and validation on a user and a service; and constructing fifth information, which is described in detail in the following embodiments.

The third network function is responsible for: user identification; service permission determination that indicates whether a user has permission to access a requested service; and service provision.

The IDM function is responsible for: maintaining ID profiles; ID mapping; and constructing first information and second information, which is described in detail in the following embodiments.

In other words, the first network function is a function responsible for service management, the second network function is a function responsible for management on service profiles, and the third network function is a function that provides services to the users.

The present application focuses on user identification when a user requests for a service in the future network. In this paten, we assume that a user subscribes services with the help of a third party or network. The key technique is as followers: (1) To avoid user ID trace-ability, temporary IDs are used by different providers. (2) To prevent temporary IDs from linking to a specific user, user identification materials replace temporary IDs for communications. (3) we decouple service with user ID, so that it could protect service privacy and ID privacy. (4) we use service permission identification material to ensure that the user subscribes the service with a Data SP.

The basic concept of the present application is a method that enables entities could identify a user with different temporary IDs while protecting user ID privacy. In the concept, info1 replaces of ID1, info2 replaces of ID3, and info3 replaces of ID2. In other words, info1 is used for user identification by the data service profile management during a communication between data service management and data service profile management, info2 is used for user identification by the data SP during a communication between data service management and the data SP, and info3 is used for during a communication between data service management and data service profile management.

The proposed method can be applied in two different scenarios where the user identification could be triggered by the first network function or the second network function. The two different scenarios are introduced in the cloud-based storage system as an example. In this example, the first network function may be the data service management function, the second network function may be the data service profile management function, and the third network function may be the data SP.

In order to describe the proposed solution for the sake of brevity, information or parameters used in the following embodiments are introduced first. Details about the information or the parameters may be described in the following embodiments.

(1) information 1 (which is simplified as info1 in the following embodiments)

The info1 is generated by the IDM function using a first algorithm that is denoted by algorithm_info1. Inputs for generating the info1 include information that is only known by the IDM function and the data service profile management function, for example, the ID1 of the device, or information provided by the data service profile management function. An output of the algorithm_info1 is the info1.

(2) information 2 (which is simplified as info2 in the following embodiments)

The info2 is generated by the IDM function using a second algorithm that is denotated by algorithm_info2. Inputs for generating the info2 include all IDs of the device in at least one data SP. An output of the algorithm_info2 is a polynomial function.

(3) information 3 (which is simplified as info3 in the following embodiments)

The info3 is generated by the data service management function using a third algorithm that is denoted by algorithm_info3. Inputs for generating the info3 include information that is only known by the data service management function and the IDM function. An output of the algorithm_info3 is the info3.

(4) information of data owner (which is simplified as info_data_owner in the following embodiments)

The info_data_owner is generated by the IDM using an algorithm_info_data_owner. Inputs for generating the info_data_owner include all IDs of the data owner in at least one data SP. An output of the algorithm_info_data_owner is a polynomial function. The info_data_owner is used for user identification on the data owner that is implemented by a third network function during a communication between the first network function and the third network function.

(5) information 5 (which is simplified as info5 in the following embodiments)

The info5 is generated by the data service profile management function using a fifth algorithm that is denoted by algorithm_info5. Inputs for generating the info5 include information that is only known by the data service profile management function and a data SP.

Details of how to compute the above information will be described in the following embodiments.

A service profile includes one or more information elements as summarized in Table 1. The service profile is stored in a data service profile management function.

Table 1

In addition, an ID profile includes one or more information elements as summarized in Table 2. The ID profile is stored in the IDM function.

Table 2

A service_log profile includes one or more information elements summarized in Table 3.

Table 3

In embodiments of the present application, it is assumed that the services are deployed by different providers. Each service provider could provide a set of services. A user has different temporary IDs in different domains. The user already subscribes to services with the help of the data service profile management function that stores the user’s service profile.

In the present application, requirements of info1, info2 and info3 are as follows:

info1 is used for communications between data service management function and data service profile management. Info1 could be identified by data service management function, but cannot be identified by the data service management function and a data SP;

info2 is used for communications between the data service management function and the data SP. Info2 can be identified by a data SP, but cannot be identified by data service management function and the data service profile management function; and

info3 is used for communications between the data service management function and the data service profile management function. Info3 can be identified by IDM, but cannot be identified by the data service profile management function and a data SP.

There has common information between info1 and info2, so that data service profile management function cannot send a fake indication of a permission to access a service.

In addition, construction of above information are as follows.

1) info1

-generated by IDM using an algorithm_info1.

-inputs: information is only known by the IDM and the data service profile management, e.g., ID1.

-output: info1.

2) info2

-generated by IDM using an algorithm_info2.

-inputs: all IDs linked with a specific user.

-output: a polynomial function info2.

3) info5

-generated by data service profile management using an algorithm_Info5.

-inputs: information is only known by the data service profile management and the data SP.

-output: info5.

4) info3

-generated by data service management function using an algorithm_Info3.

-inputs: information is only known by the data service management function and IDM.

-output: Info3.

5) user identification on info1by data service profile management

-compute a value using an algorithm_info1.

-compare the value with info1.

6) user identification on info2 by data SP

-compute the polynomial function using an algorithm_info2.

-inputs: user ID in a data SP.

-output: 1 or 0.

7) user identification on info5 by data SP

-compute a value using an algorithm_info5.

-compare the value with info5.

8) user identification on info3 by IDM

-compute a value using an algorithm_Info3.

-compare the value with info3.

Prior arts provide solutions for data storage services using encryption algorithms to protect data confidentialities. But, the identity of a user is often known to the services to verify its eligibility to access requested data according to the access control, thus making the user traceable in the data storage systems. Temporary IDs are used for user privacy protection, but these temporary IDs can be linked to a specific user and thus disclose user ID privacy. Thus, we provide a system and method on user identification in data storage services, where network functions or entities could identify a user with different temporary IDs, and at the same time, these network functions or entities cannot link temporary IDs with a specific user.

FIG. 7 is a scenario of user identification triggered by the data service management function. In this scenario, the data service management function sends an ID mapping request to the IDM function. The data service management function obtains info1 and info2 from the IDM function. The info1 is used for user identification implemented by the data service profile management function during a communication between the data service management function and the data service profile management function. The info2 is used for user identification implemented by a data SP during a communication between the data service management function and a data SP. The data service management function sends a request to the data service profile management function with the info1 and a service ID, to obtain indication of permission to access the service. Later, the data service management function sends a request to a data SP with the info2 and the service ID, and then the data SP provides the service to the user. With help of the info1 and the info2, the issue stated above could be solved.

Details of a method procedure shown in FIG. 7 are given below in FIG. 8.

At step 301, a first network function sends a first message to an IDM function.

Correspondingly, the IDM function receives the first message from the first network function.

For example, the first network function may be the data service management function in FIG. 7, the second network function may be the data service profile management function in FIG. 7.

The first message is used for requesting an ID mapping. The first message includes a second ID of the device, for example, ID2. The first message may further include an ID of a second network function.

At step 302, the IDM obtains a first ID of the device according to the second ID and the ID of the second network function. The IDM further obtains first information (which is the info 1 in some embodiments) according to a first algorithm and obtains second information (which is the info 2 in some embodiments) according to a second algorithm.

The first information is used for user identification implemented by the second network function during a communication between the first network function and the second network function. The first information is obtained by the IDM function according to the first algorithm and information that is only known by the IDM function and the second network function. For example, the information that is only known by the IDM function and the second network function may include the first ID of the device, or a nonce generated by the second network function.

Therefore, the IDM obtains the first information according to the first algorithm and the first ID, or the IDM obtains the first information according to the first algorithm and the information provided by the second network function, for example, the nonce generated by the second network function.

The first information can be identified by the second network function, but cannot be identified by the first network function and the third network function.

The second information is used for user identification implemented by a third network function during a communication between the first network function and the third network function. The second information is obtained by the IDM function according to the second algorithm and device’s ID (s) in at least one third network function, for example, an ID3 in a third network function1 (e.g., the ID3 in data SP1) , and an ID5 in a third network function 2 (e.g., the ID5 in data SP2) . The second information can be identified by the third network function, but cannot be identified by the first network function and the second network function. For example, the third network function may be the data SP in FIG. 7.

There is common information between the first information and the second information, so that the second network function (for example, the data service profile management) cannot send a fake indication of permission to access a service.

At step 303, the IDM function sends a second message to the first network function. The first network function receives the second message from the IDM function.

The second message includes the first information, the second information, an ID of the first algorithm and an ID of the second algorithm.

At step 304, the first network function sends a third message to the second network function. The second network function receives the third message from the first network function.

The third message is a request that is used for requesting a service for the device, and the third message includes the first information, the ID of the first algorithm and a service ID. The service ID is obtained by the first network function according to service requirements included in a message from the device.

At step 305, the second network function performs user identification, validation on the device and the service, service permission determination (or service permission identification) , and computes fifth information.

Specifically, the user identification is performed by comparing the received first information and a first value. The first value is computed by the second network function using the first algorithm and information that is only known by the second network function and the IDM function, for example, the first ID. The second network function compares the first value and the first information. If they are the same, it means the user identification is successful, otherwise, it means the user identification has failed. What’s more, the second network function validates the device and the service according to a service credential stored in the second network function.

The service permission determination is performed by checking a service profile of the device according to the service ID. If it fails, the second network function sends an indication of service rejection for the device to access the service.

On the assumption that each of the user identification, the validation and the service permission determination is successful, the second network function computes the fifth information according to a fifth algorithm and information that is only known by the second network function and the third network function, for example, a service profile ID that is known by the second network function and the third network function. In other words, the fifth information is obtained according to common information between the second network function and the third network function. The fifth information is used for service permission determination by the third network function. In some embodiments, the fifth information may be a service profile ID, or the fifth information may be information derived from the service profile ID, for example, ciphertext of the service profile ID.

At step 306, the second network function sends a fourth message to the first network function. The first network function receives the fourth message from the second network function.

The fourth message is a response to the third message, and it indicates a service permission for the device to access the service. The fourth message includes the fifth information, an ID of the fifth algorithm.

At step 307, the first network function sends a fifth message to the third network function. The third network function receives the fifth message from the first network function.

The fifth message is used for requesting the service, and it includes the second information, the fifth information, the service ID, the ID of the second algorithm, and an ID of the fifth algorithm.

At step 308, the third network function performs user identification and service permission determination, and provides the service to the device.

Specifically, the third network function performs the user identification based on the second information, the second algorithm included in the fifth message, and a device’s ID in the third network function. The third network function computes the polynomial function using the second algorithm with the device’s ID as an input, and outputs one or zero. For example, if the output is one, it means user identification is successful, and if the output is zero, it means the user identification has failed.

Moreover, the third network performs the service permission determination by comparing the fifth information included in the fifth message and a second value. The second value is computed by the third network function according to the fifth algorithm and information that is only known by the second network function and the third network function. If the second value is the same as the received fifth information, the third network function allows the device to access the service. Otherwise, the third network function does not allow the device to access the service.

The first network function, the second network function and the third network function are provided by different providers.

On the assumption that both the user identification and the service permission determination are successful, the third network function provides the service to the device.

FIG. 9 is a scenario of user identification triggered by a data service profile management function. In this scenario, the data service management generates info3 that can be identified by an IDM function, and sends a request to the data service profile management function with the info3 and the service ID. The data service profile management function sends an ID mapping request to the IDM function with the info3 and ID1, and obtains info2 that is used for identifying the user by a data SP. Later, the data service management function sends a request to a data SP with the info2 and the service ID, and then the data SP provides the service to the user. With help of the info2 and the info3, the issue could be solved.

Details of a method procedure shown in FIG. 9 is given below in FIG. 10.

At step 401, a first network function sends a first message to a second network function. Correspondingly, the second network function receives the first message from the first network function.

For example, the first network function may be the data service management function in FIG. 9, the second network function may be the data service profile management function in FIG. 9.

The first message includes third information (which is the info 3 in some embodiments) , an ID of a third algorithm for generating the info3 and a service ID. The third information is generated by the first network function using the third algorithm according to information that is only known by the first network function and the IDM function, for example, a second ID of the device.

The third information is used for a communication between the first network function and the second network function. The third information can be identified by the IDM function, but cannot be identified by the second network function and the third network function.

At step 402, a second network function sends a second message including third information and an ID of a third algorithm to an IDM function.

The IDM function receives the second message from the second network function.

At step 403, the IDM function performs user identification, and ID mapping, and computes second information (info 2) .

Specifically, the IDM function performs the user identification by comparing a third value and the third information included in the second message. The IDM function computes the third value using the third algorithm and information that is only known by the first network function and the IDM function, and obtains the second ID of the device. Further, the IDM obtains a first ID of the device (ID1) according to the second ID of the device. The IDM function computes the second information according to a second algorithm and device’s ID (s) in at least one third network function (Data SP) . The second information is used for user identification implemented by the third network function.

At step 404, the IDM sends a third message to the second network function. The second network function receives the third message from the second network function.

The third message includes the second information, an ID of the second algorithm, and the first ID of the device.

At step 405, the second network function performs service permission determination, validation on the device and the service, and generates fifth information.

The second network function performs the service permission determination by checking a service profile according to the service ID. The second network function performs the validation on the device and the service according to a service credential stored in the second network function. The second network function generates the fifth information used for service permission determination by the third network function. The fifth information is generated using a fifth algorithm according to common information between the second network function and the third network function. The fifth information may be a service profile ID, or information derived from the service profile ID.

At step 406, the second network function sends a fourth message to the first network function. The first network function receives the fourth message from the second network function.

The fourth message includes the second information, the fifth information, the ID of the second algorithm, and an ID of the fifth algorithm.

At step 407, the first network function sends a fifth message to the third network function, the fifth message includes the second information, the ID of the second algorithm, the fifth information, the ID of the fifth algorithm and the service ID.

The third network function receives the fifth message from the first network function.

At step 408, the third network function performs user identification and service permission determination, and provides the service to the device.

The third network function performs the user identification according to the second information and the second algorithm. Specifically, the third network function computes the polynomial function using the second algorithm with a device’s ID (for example, a third ID of the device, that is ID3) as an input, and outputs one or zero. If the output is one, it means user identification is successful, and if the output is zero, it means the user identification has failed. The third network function performs the service permission determination by comparing a second value and the received fifth information. The second value is computed using the fifth algorithm and information that is only known by the second network function and the third network function.

Note that, names of the entities or NFs in FIG. 7 or FIG. 9 could be other ones. The above solutions could be used in other services, not limited to the data storage services. Therefore, the data service management function could be a function of service management, and the service may be a data storage service or a charging service or others. The data service profile management function could be a function of service profile management, for example, not only for the service profile, but also for a charging policy if a charging service is used. The data SP could be a function that provides a service to a user.

The present application is to provide a method that enables entities to identify a user (i.e. a device) with different IDs and protects user ID privacy at the same time. In FIG. 8, the info1 replaces the ID1, the info2 replaces the ID3, and the info3 replaces the ID2.

The present application provides a method of user identification in a system, in which network functions or entities can identify a user with different temporary IDs, and the network functions or entities cannot link temporary IDs to a specific user.

FIG. 11 is an example of a network topology of the present application. FIG. 11 describes a system model for user identification when a user requests a service. The user may be a terminal device or an end customer. This system includes one data service management function, one data service profile management function, multiple data SPs, one IDM function, and one service log server. The data service management function, the data service profile management function, the data SPs and the IDM function are deployed by different providers. The service log server may be integrated into the data service management function or the data service profile management function. The data service management function could request a service log record with ID2 from the service log server or the data service profile management function could request the service log record with ID1 from the service log server. The temporary IDs are used to identify the user in different entities. For example, the ID2 is assigned to the user to identify the user by the data service management function, the ID1 is assigned to the user to identify the user by the data service profile management function. The ID3 is assigned to the user to identify by the data SP1, and the ID5 is assigned to the user to identify the user by the data SP2.

The data service management function is responsible for service identification, service session management, for example, service session creation and service session revoke, and so on, and is responsible for setting up or configuring a secure tunnel between the user and the data SP.

The data service profile management is responsible for one or more of the following items: user subscription registration; maintaining a list of user’s service profiles; validation on user and service; and constructing info5.

The data SP is responsible for one or more of the following items: user identification; identification of a service permission that the user has permission to access its service; and service provision.

The service log server is responsible for maintaining service_log profiles.

The IDM function is responsible for one or more of the following items: maintaining ID profiles; ID mapping; and constructing info1 and info2.

FIG. 12 is an example of a procedure of the user identification in the system shown in FIG. 11. The procedure is as follows:

At step 501, a user sends a message 1 to a data service management function. The message 1 includes a temporary ID of the user, for example, an ID2, or service requirements. The message 1 may be a service request.

At step 502, a data service management function identifies a service to obtain a service ID according to the service requirements. The data service management function may further obtain a data SP that provides the service to the user.

At step 503, the data service management function sends a message 2 to the IDM function. The message 2 includes the ID2 of the user and an ID of the data service profile management function. The message 2 may be an ID mapping request.

At step 504, an IDM function implements ID mapping, selects algorithms for computing info1 and info2, and computes the info1 and the info2.

Specifically, the IDM implements the ID mapping according to the ID2 and the ID of the data service profile management function, to obtain another user ID, for example, ID1 of the user. In other words, the ID1 is obtained according to the ID2 and the ID of the data service profile management function.

In some embodiments, the IDM function may compute the info1 according to the ID1.

In some embodiments, the IDM function may compute the info1 according to information obtained from the data service profile management function. Specifically, the IDM function sends a request to the data service profile management function for information used as an input of computing the info1. The IDM function receives a response from the data service profile management function. The response includes the information (we call it information #A) used for computing the info1. For example, the information #A may be a nonce generated by the data service profile management function. After receiving the information #A, the IDM function computes the info1 using the information #A and the first algorithm.

At step 505, the IDM sends a message 3 to the data service management function.

The message 3 includes the info1, the info2, an ID of the algorithm_info1, and an ID of the algorithm_info2. The message 3 may be an ID mapping response.

Note that, the alogorith_info1 denotes the first algorithm for computing the info1, the alogorith_info2 denotes a second algorithm for computing the info2, and so on.

At step 506, the data service management function sends a message 4 to the data service profile management function.

The message 4 includes the info1, the service ID, and the ID of the algorithm_info1. The message 4 may further include an ID of the data SP. Note that, whether the message 4 includes the ID of the data SP may depend on a deployment location of the service log server. For example, if the service log server deploys in the data service management function, the message 4 includes the ID of the data SP; or if the service log server deploys in the data service profile management function, the message 4 does not include the ID of the data SP. The message 4 may be a permission request.

AT step 507, the data service profile management function implements the following actions.

The data service profile management function implements a first user identification by comparing the info1 and a first value. The first value is computed using the algorithm_info1 and information that is only known by the data service profile management function and the IDM function, for example, the ID1, or the information provided by the data service profile management function, for example, the nonce generated by the data service profile management function. Specifically, if the computed first value is the same as the received info1, it means user identification is successful, else, it means the user identification has failed. The data service profile management function validates the user and service according to a service credential included in the service profile.

If both the first user identification and the validation on the user and the service are successful, the data service profile management function further implements service permission determination by checking the service profile of the user, for example, the ID1, according to the service ID. If the service permission identification fails, the data service profile management generates an indication of the service rejection for the user to access the service. If the service permission identification is successful, the data service profile management function further computes info5.

The info5 is generated using an algorithm_info5 according to information that is only known by the data service profile management and the data SP. The algorithm_info5 is selected by the data service profile management function.

At step 508, the data service profile management function sends a message 5 to the data service management function.

The message 5 includes the info5, and the ID of the algorithm_info5. The message 5 may further include the ID of the data SP, and the reference can be made to the description of step 506. The message 5 may be a permission response corresponding to the message 4.

At step 509, the data service management function sends a message 6 to the data SP.

The message 6 includes the info2, the service ID, the ID of the algorithm_info2, the info5 and the ID of the algorithm_info5. The message 6 may be a service access request.

At step 510, the data SP implements the following actions.

The data SP implements second user identification based on the second information and the second algorithm. The data SP computes the polynomial function using the second algorithm with a device’s ID (for example, ID3) as an input, and outputs zero or one. If the output is one, it means user identification is successful, and if the output is zero, it means the user identification has failed.

The data SP implements service permission determination by comparing the received info5 and a second value. The second value is computed using the algorithm_info5 and information that is only known by the data service profile management function and the data SP.

If both the second user identification and the service permission identification are successful, the data SP implements step 511.

At step 511, the data SP sends a message 7 to the data service management function.

The message 7 is an indication of successful service provision. The message 7 may be a service access response corresponding to the message 6.

At step 512, the data service management writes a service log record to the service log server, and sets up a secure tunnel between the user and the data SP.

At step 513, the data service management function sends a service response to the user.

we add new features: (1) User identification by Data Service Profile Management and Data SP. Info1 or Info2 replaces a user’s temporary ID and is used by identification the user, so that it decouples the link-ability of temporary IDs. (2) Service permission identification by a Data SP. Info5 is used for a guarantee that a user subscribes services with the Data PS. These new features could provide an anonymous service access while providing ID privacy protection on the user.

In the present application, the user identification is implemented by the data service profile management function and the data SP. The info1 or the info2 replaces the user’s temporary IDs and is used for identification of the user, so that it decouples the linkability of the temporary IDs. The service permission identification is implemented by the data SP. The info5 is used for a guarantee that a user subscribes to services with the data SP. These changes could provide anonymous service access and provide ID privacy protection for the user at the same time.

To be addressed clearly, a data sharing service is taken as an example to describe the proposed solution.

FIG. 13 is an example of a procedure of user identification according to some embodiments of the present application. In this scenario, a user requires a data download service from a data storage system. For example, the user wants to download first data from the data storage system. There are three issues to be addressed: (1) both a user and a data owner need to be identified since temporary IDs are assigned to the user and the data owner. (2) a data service management function may not know the data SP in which data owner’s data is stored. (3) The data SP should check a data owner’s access rule to ensure that the user has a qualification to access the data owner’s data.

At step 601, a user sends a message1 to a data service management function.

The message 1 includes a user ID, for example, an ID2 of the device, and a data owner ID. The message 1 further includes service requirements.

At step 602, the data service management function identifies a service to obtain a service ID according to the service requirements. The data service management may obtain a data SP that provides the service to the user.

At step 603, the data service management function sends a message3 to an IDM function.

The message 3 includes the ID2, an ID of the data service profile management function, and the ID of the data owner.

At step 604, the IDM implements ID mapping according to a user ID (for example, the ID2) and an ID of the data service profile management function, to obtain another user ID (for example, the ID1) . Further, the IDM selects algorithms for computing info1, info2 and info_data_owner, and generates the info1, the info2, and the info_data_owner.

In some embodiments, the IDM function may compute the info1 using an algorithm_info1 and the ID1. The info1 is an input of the algorithm_info1. In some embodiments, the IDM function may compute the info1 using the algorithm_info1 and information provided by the data service profile management function, for example, a nonce generated by the data service profile management function. A procedure for the IDM function to obtain the information from the data service profile management function is described as steps 605～606.

The IDM function computes info2 using a second algorithm_info2 and device’s ID (s) in at least one data SP, for example, an ID3 of the device in a data SP1 and an ID5 of the device in a data SP2. The IDM function computes info_data_owner using an algorithm_info_data_owner. Inputs for generating the info_data_owner include IDs of all the data owners in at least one data SP. The info_data_owner is used for user identification on the data owner that is implemented by the data SP during the communication between the data service management function and the data SP.

At step 605, the IDM function sends a message 5 to the data service profile management function.

The message 5 is a request for information used for computing the info1. Also, the message 5 may be regarded as a request for common information between the IDM function and the data service profile management function. The message 5 includes the ID1.

At step 606, the data service profile management function sends a message 6 to the IDM function.

The message 6 may be a response to the message 5. The message 6 may include the nonce generated by the data service profile management function.

At step 607, the IDM sends a message 7 to the data service management function.

The message 7 includes the info1, the info2, the info_data_owner, an ID of the algorithm_info1, an ID of the alforithm_info2, and an ID of the algorithm_info_data owner.

At step 608, the data service management function sends a message 8 to the data service profile management function.

The message 8 can refer to the permission request described in step 506, which will not be repeated.

At step 609, the data service profile management function implements first user identification, validation on the user and the service, and service permission determination.

The details of step 609 can refer to step 507, which will not be repeated.

At step 610, the data service profile management function sends a message 10 to the data service management function.

The step 610 can refer to the step 508. The message 10 is an example of the permission response in the step 508, which is not repeated.

At step 611, the data service management function sends a message 11 to a data SP.

The message 11 includes the info2, the service ID, the ID of the algorithm_info2, the info5, the ID of the algorithm_info5, the info_data_owner and the ID of the algorithm_info_data_owner.

At step 612, the data SP implements second user identification and service permission identification, which can refer to the step 510. Compared to the step 510, the data SP may further validate the info_data_owner. Specifically, the data SP computes the polynomial function using the algorithm_info_data_owner with the data owner’s ID as an input, and outputs one or zero. For example, if an output is one, it means a successful validation on the info_data_owner, else, the validation on the info_data_owner failed. Further, the data SP may check the data owner’s access rule. If a service request from the device meets the data owner’s access rule, the service request will be allowed. The data SP may send a notification to the data owner that his/her data will be accessed.

At step 613, the data SP sends a message14 to the data service management function.

The message 14 may be an indication of successful service provision. The message 14 may further include parameters such as security materials. These security materials may include some keys for data encryption/decryption, or some inputs for the key generation. The message 14 may further include information on how to set up a tunnel between the user and the data SP.

Optionally, the procedure may further include the following steps 614～616.

At step 614, the data service management function may write a service log record to a server log server.

At step 615, the data service management function may send a message 16 to the data service profile management function.

The message 16 includes the info1, service ID, and the ID of the data SP.

At step 616, the data service profile management function may write a service log record to the server log server.

At step 617, the data service management function sets up a tunnel between the user and the data SP.

At step 618, the data service management function sends a message 18 to the user. The message 18 is an indication of successful data upload.

In data storage services, user identification parameters (e.g. the info1, or the info2) are used to replace user’s temporary IDs for communications, so that it could decouple linkability of the temporary IDs. Thus, the proposed method could avoid user being traced when users access data storage services. In addition, service permission identification parameters (e.g. the info5) are used to ensure that the user subscribes to services with a data SP. This could avoid a fake service profile by a data service profile management function.

FIG. 14 is an example of a procedure of the identification according to embodiments of the present application. In this scenario, a user requests a service from DN. The proposed procedure could be integrated into a PDU session establishment in the clause 4.3.2, 3GPP 23.502. The Data service management could be a session management function (SMF) , the data service profile management could be a unified data management (UDM) , the data SP could be data network-authentication, authorization and accounting (DN-AAA) , and the IDM function is a new function that is responsible for ID management.

At step 701, a user sends a message1 to a data service management function, for example, the SMF.

At step 702, the SMF sends a message2 to an IDM function.

At step 703, the IDM implements ID mapping according to the user ID (e.g., ID2) and ID of the data service profile management function, for example, the UDM, and obtains another user ID (e.g., ID1) .

The ID1 could be used to compute the info1. Optionally, the IDM function may obtain information for computing the info1 from the data service profile management function, which is as described in the following steps 704～705.

At step 704, the IDM sends a message 4 to a data service profile management function, for example, an UDM.

The message 4 includes the ID1.

At step 705, the UDM sends a message 5 to the IDM function.

The message 5 may include a nonce generated by the data service management function.

At step 706, the IDM function computes the info1 and info2.

Specifically, the IDM selects algorithms for computing info1 and info2, and then computes the info1 using the algorithm_info1 and computes the info2 using the algorithm info2.

At step 707, the IDM sends a message 7 to the SMF.

The message 7 includes the info1, the info2, an ID of the algorithm_info1, and an ID of the algorithm_info2.

At step 708, the SMF sends a message 8 to the UDM.

The message 8 includes the info1, the service ID, and the ID of the algorithm_info1.

At step 709, the UDM implements user identification and service permission determination.

Specifically, the UDM performs first user identification by comparing the received info1 and a first value computed according to the ID1 and the algorithm_info1. The UDM further performs service permission determination, which can refer to the step 507. In the case that the first user identification and the service permission determination are successful, the UDM further computes info5 using an algorithm_info5. An input for computing the info5 includes information that is only known by the data service profile management function and the data SP, for example, a service profile ID stored in the data service profile management function.

At step 710, the UDM sends a message10 to the SMF.

The message 10 includes info5 and an ID of the algorithm_info5. The message 10 may further include the ID of the data SP.

At step 711, the SMF sends a message 11 to a data SP, for example, a DN-AAA.

The message 11 includes the info2, service ID, an ID of the algortithm_info2, the info5 and the ID of the algorithm_info5. The message 11 may be an access service request.

At step 712, the DN-AAA implements a second user identification, service permission determination, and user authentication, authorization for the user to access the service.

The second user identification and the service permission determination can refer to description described in the step 510, which is not repeated.

At step 713, the DN-AAA sends a message 13 to the SMF.

The message 13 may be an access service response and is an indication of successful service provision.

At step 714, the SMF creates and configures a PDU session. Details can see the in the clause 4.3.2, 3GPP 23. 502 [1] , which is not limited herein.

At step 715, the SMF may send a message15 to the user.

The message 15 may be a PDU session establishment accept message, and is an indication of successful data upload.

In this embodiment, we provide a procedure about how to integrate user identification in a PDU session establishment in a 5G system. The user ID and service ID are decoupled so that this procedure could protect user ID privacy and service privacy compared to prior arts in 5G.

FIG. 15 is an example of another scenario of the present application. In this embodiment, a procedure about user identification which is corresponding to FIG. 9 is provided.

At step 801, a user sends a message 1 to a data service management function.

The message 1 may be a service request. The message 1 includes user ID, for example, the ID2 of the user, and service requirements.

At step 802, the data service management function obtains a service ID and generates info3.

The service ID is obtained according to the service requirements. The info3 is generated using an algorithm info3 with the user ID, for example, the ID2 of the user, as an input.

At step 803, the data service management function sends a message3 to a data service profile management function.

The message 3 may be a permission request. The message 3 includes the info3, the service ID, and an ID of the algorithm info3.

At step 804, the data service profile management function sends a message 4 to an IDM.

The message 4 includes the info3, and the ID of the algorithm info3.

At step 805, the IDM function implements first user identification and an ID mapping, and computes info2.

Specifically, the IDM function implements first user identification based on info3 and obtains a user ID, for example, an ID2 of a device. The IDM function implements an ID mapping according to the ID2 to obtain other device’s IDs used in at least one data SP and a device’s ID used in the service profile management function. For example, the IDM function obtains an ID3 of the device used in a data SP1 and an ID5 used in a data SP2, and further obtains an ID1 of the device used in the service profile management function. In addition, the IDM function further selects an algorithm_info2 for computing the info2, and computes the info2 according to the obtained device’s IDs used in the at least one data SP using the algorithm_info2, for example, the IDM function computes the info2 according to the ID3 and the ID5 using the algorithm 2. The ID1 of the device is used in t step below.

At step 806, the IDM sends a message 6 to the data service profile management function.

The message 6 may be an ID mapping response. The message 6 includes the info2, the ID1, an ID of the algorithm_info2.

At step 807, the data service profile management function implements service permission determination according to the ID1, and validation on the user and the service, and computes info5.

The service permission determination function is performed by checking the service profile of the user, for example, the ID1, according to the service ID. If it fails, the data service profile management function generates an indication of service rejection for the user to access the service. The validation on the user and the service is performed according to a service credential included in the service profile. The info5 is generated according to a service profile ID using the algorithm_info5.

At step 808, the data service profile management function sends a message 8 to the data service management function.

The message 8 includes the info2, an ID of the algorithm_info2, the info5, and an ID of the algorithm_info5. The message 8 may be a permission response.

At step 809, the data service management function sends a message 9 to a data SP.

The message 9 includes the info2, service ID, the ID of the algorithm_info2, the info5, and the ID of the algorithm_info5. The message 9 may be an access service request.

At step 810, the data SP implements second user identification, and service permission determination.

The user identification is implemented by comparing the received info2 and a second value that can be used to calculate a user ID, for example, an ID3 of the device, using the algorithm_info2.

The service permission determination is implemented by comparing the received info5 and a third value computed using the algorithm_info5.

At step 811, the data SP sends a message 11 to the data service management function.

The message 11 is an indication of successful service provision. The message 11 may be an access service response.

At step 812, the data service management function sets up a tunnel between the user and the data SP.

At step 813, the data service management function sends a message 13 to the user.

The message 13 is an indication of successful service provision. The message 13 may be a service response corresponding to the message 1 described in the step 801.

In this embodiment, we provide another solution about user identification when a user requests a service. In this scenario, info3 is used for user identification implemented by the IDM function, and replaces a temporary ID (e.g. ID2) that is identified by a data service management function. This could avoid the user ID being traced, and thus protect user privacy.

The method proposed in embodiments of the present application is described in detail above, and a communication apparatus provided by the present application will be described in detail below.

FIG. 16 is a schematic block diagram of a communication apparatus 10 according to an embodiment of the present application. The communication apparatus may be a communication device or an apparatus applied to the communication device capable of realizing corresponding functions of any one of the network functions in the embodiments of the present application, for example, the apparatus may be a chip, a chip system or a circuit, which is not limited. The communication device may be the first network function, the IDM function, the second network function or the third network function, or the chip installed in any one of these network functions.

The communication apparatus 10 includes a processing module 1001. The processing module 1001 may be a processor, a processing circuit, a processing board, a processing unit, or a processing device, et al. The processing module 1001 is configured to implement processing and/or operations implemented inside the communication apparatus except sending the receiving actions.

The communication apparatus 10 may further include a communication module 1002. The communication unit 1002 is configured to implement a sending action and/or a receiving action. The communication module 1002 also may be called a transceiver module, a transceiver, or a transceiver device, et al, and is configured to implement operations of receiving (which may be referred to as inputting) and/or sending (which may be referred to as an outputting) .

For example, if the communication apparatus 10 corresponds to the first network function in FIG. 8, the communication module 1002 is configured to send a first message to the IDM function, and receives a second message from the IDM function. The communication module 1002 is further configured to send a third message to the second network function, and receive a fourth message from the second network function.

For example, if the communication apparatus 10 corresponds to the second network function in FIG. 8, the communication module 1002 is configured to receive a third message from the first network function, and send a fourth message to the first network function. The processing module 1001 is configured to implement the step 305.

For example, if the communication apparatus 10 corresponds to the IDM in FIG. 8, the communication module 1002 is configured to receive a first message from the first network function, and send a second message to the first network function. The processing module 1001 is configured to implement the step 302. The communication module 1002 is further configured to send a second message to the first network function.

For example, if the communication apparatus 10 corresponds to the third network function in FIG. 8, the communication module 1002 is configured to receive a fifth message from the first network function. The processing module 1001 is configured to implement the step 308.

Briefly, the operations and/or functions of the apparatus 10 are intended to implement corresponding steps of the foregoing method embodiments.

FIG. 17 is a schematic block diagram of a communication apparatus according to an embodiment of the present application. The communication apparatus 20 includes at least one processor 21. The at least one processor 21 is coupled to at least one memory 22. The at least one memory 22 is configured to store one or more instructions and/or executable computer code. The at least one processor 21 is configured to invoke the one or more instructions and/or executable computer code, so that the communication apparatus 20 implements the method provided in the embodiments of the present application. Optionally, the communication apparatus 20 may further include the at least one memory 22. Optionally, the communication apparatus 20 may further include at least one communication interface 23, and the at least one communication interface 23 is configured to input and/or output information or data.

In an implementation, the communication apparatus 20 may be any one of the network functions in the method embodiments. For example, the communication apparatus 20 may be the first network function, the IDM function, the second network function or the third network function. In this implementation, the processor 21 may be a baseband apparatus, and the communication interface 23 may be a radio frequency apparatus.

In another implementation, the communication apparatus 20 may be a chip (or a chip system) installed at a communication device such as the first network function, the IDM function, the second network function or the third network function. In this implementation, the processor 21 may be a circuit, for example, a logic circuit, an integrated circuit, etc. The communication interface 13 may be a transceiver, an interface circuit, an input/output interface, a bus, a module, a pin, or other types of interfaces.

An embodiment of the present application further provides a communication system. The communication system may include any one of communication apparatuses according to any one of the method embodiments. For example, the communication system may include one or more of the following network functions: a first network function, an IDM function, a second network function and a third network function. The communication system may further include a terminal device or other network functions, which is not limited.

An embodiment of the present application further provides a computer storage medium, and the computer storage medium may store one or more instructions for executing any of the foregoing methods.

An embodiment of the present application further provides a computer program product, and the computer program product may store one or more instructions for executing any of the foregoing methods.

In the embodiments of this application, “and/or” describes an association relationship between associated objects and represents that three relationships may exist. For example, A and/or B may represent the following three cases: Only A exists, both A and B exist, and only B exists. The character “/” generally indicates an “or” relationship between the associated objects. “At least one” means one or more. “At least one of A and B” , similar to “A and/or B” , describes an association relationship between associated objects and represents that three relationships may exist. For example, at least one of A and B may represent the following three cases: Only A exists, both A and B exist, and only B exists.

Besides, the use of a singular form of “a” , “an” and “the” in the embodiments of the present application and the claims appended hereto is also intended to include a plural form, unless otherwise clearly indicated herein by context.

A person of ordinary skill in the art will be aware that, in combination with the examples described in the embodiments disclosed in this specification, units and algorithm steps may be implemented by using electronic hardware or a combination of computer software and electronic hardware. Whether the functions are performed by using hardware or software depends on particular applications and design constraint conditions of the technical solutions. A person skilled in the art may use different methods to implement the described functions for each particular application, but it should not be considered that the embodiment goes beyond the scope of this application.

It would be understood by a person skilled in the art that, for the purpose of convenience and brevity, in a detailed working process of the foregoing system, apparatus, and unit, reference may be made to a corresponding process in the foregoing method embodiments, and details are not described herein again.

In the several embodiments provided in this application, the disclosed system, apparatus, and method may be implemented in other manners. For example, the described apparatus embodiment is merely an example. For example, the unit division is a logical function division and other methods of division may be used in an actual embodiment. For example, a plurality of units or components may be combined or integrated into another system, or some features may be ignored or not performed. In addition, the displayed or discussed mutual couplings or direct couplings or communication connections may be implemented using various communication interfaces. The indirect couplings or communication connections between the apparatuses or units may be implemented in electronic, mechanical, or other forms.

In addition, function units in the embodiments of this application may be integrated into one processing unit, each of the units may exist alone physically, or two or more units may be integrated into one unit.

When the functions are implemented in the form of a software functional unit and sold or used as an independent product, the functions may be stored in a computer-readable storage medium. The technical solutions of this application may be implemented in the form of a software product. The software product is stored in a storage medium, and includes several instructions for instructing a computer device (which may be a personal computer, a server, a network device, or the like) to perform all or some of the steps of the methods described in the embodiments of this application. The foregoing storage medium includes any medium that can store program code, such as a USB flash drive, a removable hard disk, a ROM, a RAM, a magnetic disk, an optical disc or the like.

The units described as separate parts may be or may not be physically separate, and parts displayed as units may be or may not be physical units, may be located in one position, or may be distributed on a plurality of network units. Some or all of the units may be selected based on actual requirements to achieve the objectives of the solutions of the embodiments. In addition, functional units in the embodiments of this application may be integrated into one processing unit, or each of the units may exist alone physically, or two or more units are integrated into one unit.

The foregoing descriptions are merely specific implementations of this application, but are not intended to limit the protection scope of this application. Any variation or replacement readily figured out by a person skilled in the art within the technical scope disclosed in this application shall fall within the protection scope of this application. Therefore, the protection scope of this application shall be subject to the protection scope of the claims.

Claims

A method for communication, performed by a first network function, wherein the first network function is responsible for service management, and the method comprises:

sending a first message to an identifier management (IDM) function, wherein the first message comprises a second identifier (ID) of a device, and the first message is used for requesting an ID mapping; and

receiving a second message from the IDM function, wherein the second message comprises first information, an ID of a first algorithm for generating the first information, second information, and an ID of a second algorithm for generating the second information,

wherein the first information is used for user identification implemented by a second network function that is responsible for management on a service profile, and the first information is generated by the IDM function according to the first algorithm and a first ID of the device that is only known by the IDM function and the second network function, the first ID being obtained by the IDM function according to the second ID and an ID of the second network function; or the first information is generated according to information provided by the second network function that is only known by the IDM function and the second network function;

the second information is used for user identification implemented by a third network function that provides a service for the device, and the second information is generated by the IDM function according to the second algorithm and a device’s ID in at least one third network function; and

the first network function, the second network function and the third network function are provided by different providers.
The method according to claim 1, wherein the method further comprises:

sending a third message to the second network function, wherein the third message is used for requesting a service for the device, and the third message comprises the first information, the ID of the first algorithm, and a service ID; and

receiving a fourth message from the second network function, wherein the fourth message indicates service permission for the device to access the service, the fourth message comprises fifth information used for service permission determination implemented by the third network function and an ID of a fifth algorithm used for generating the fifth information, and the fifth information is generated according to common information between the second network function and the third network function.
The method according to claim 2, wherein the fifth information comprises a service profile ID or information derived from the service profile ID.
The method according to any one of claims 1 to 3, wherein the information provided by the second network function comprises a nonce generated by the second network function.
The method according to any one of claims 2 to 4, wherein the method further comprises:

sending a fifth message to the third network function, wherein the fifth message is used for requesting the service, and the fifth message comprises the second information, the fifth information, the service ID, an ID of the second algorithm, and an ID of the fifth algorithm.
A method for communication, performed by an identifier management (IDM) function, comprising:

receiving a first message from a first network function that is responsible for service management, wherein the first message comprises a second identifier (ID) of a device that is only known by the first network function and the IDM function, and the first message is used for requesting an ID mapping;

obtaining a first ID of the device according to the second ID and an ID of the second network function;

obtaining first information and second information, wherein the first information is used for user identification implemented by a second network function that is responsible for management on a service profile, the first information is obtained according to a first algorithm and the first ID of the device that is only known by the IDM function and the second network function or according to information provided by the second network function, and the second information is obtained according to a second algorithm and a device’s ID in at least one third network function; and

sending a second message to the first network function, wherein the second message comprises the first information, an ID of the first algorithm, the second information, and an ID of the second algorithm.
The method according to claim 6, wherein the method further comprises:

sending a sixth message to the second network function, wherein the sixth message is used for requesting information for computing the first information; and

receiving the information provided by the second network function, wherein the information provided by the second network information comprises a nonce generated by the second network function.
A method for communication, performed by a second network function, wherein the second network function is responsible for management on a service profile, and the method comprises:

receiving a third message from a first network function, wherein the third message is used for requesting a service for a device, and the third message comprises first information, an identifier (ID) of a first algorithm for generating the first information, and a service ID, the first information is generated by an identifier management (IDM) function according to the first algorithm and a first ID of the device that is only known by the IDM function and the second network function, the first ID being obtained by the IDM function according to a second ID of the device and an ID of the second network function, or the first information is generated according to information provided by the second network function that is only known by the IDM function and the second network function;

performing user identification, and validating the device and the service according to a service credential stored in the second network function, wherein the user identification is performed by comparing a first value and the received first information comprised in the third message, the first value is computed with the first algorithm and the first ID of the device or a nonce generated by the second network function; and

sending a fourth message to the first network function after the user identification and the validation of the device and the service are successful, wherein the fourth message indicates service permission for the device to access the service, the fourth message comprises fifth information used for service permission determination by a third network function and an ID of a fifth algorithm for generating the fifth information, and the fifth information is generated according to common information between the second network function and the third network function.
The method according to claim 8, wherein the fifth information comprises a service profile ID or information derived from the service profile ID.
The method according to claim 8 or 9, wherein before the receiving the third message from the first network function, the method further comprises:

receiving a sixth message from the IDM function, wherein the sixth message is used for requesting information for computing the first information; and

providing information to the IDM function, wherein the information provided by the second network function comprises a nonce generated by the second network function.
A method for communication, performed by a third network function, wherein the third network function is responsible for providing a service to a device, and the method comprises:

receiving a fifth message from a first network function, wherein the fifth message is used for requesting a service, and the fifth message comprises second information, fifth information, a service identifier (ID) , an ID of a second algorithm for generating the second information, and an ID of a fifth algorithm for generating the fifth information, the second information is used for user identification implemented by the third network function, the second information is generated by an identifier management (IDM) function according to the second algorithm and a device’s ID in at least one third network function;

performing user identification and service permission determination, wherein the user identification is performed according to the second algorithm and the second information comprised in the fifth message and a device’s ID in the third network function, the service permission determination is performed by comparing the fifth information comprised in the fifth message and a second value, and the second value is computed according to the fifth algorithm comprised in the fifth message and information that is only known by the second network function and the third network function; and

providing the service to the device after the user identification and the service permission determination are successful;

wherein the first network function, the second network function and the third network function are provided by different providers.
The method according to claim 11, wherein the method further comprises:

sending an indication of successful provision to the first network function.
A method for communication, performed by a first network function, wherein the first network function is responsible for service management, and the method comprises:

sending a first message to a second network function, wherein the first message comprises third information, an identifier (ID) of a third algorithm and a service ID, the third information is generated by the first network function using the third algorithm according to information that is only known by the first network function and an identifier management (IDM) function, and the third information is used for user identification implemented by the IDM function; and

receiving a second message from the second network function, wherein the second message comprises second information, an ID of a second algorithm, fifth information and an ID of a fifth algorithm, the second information is used for user identification implemented by a third network function, the second information is generated by the IDM function according to a device’s ID in at least one third network function and the second algorithm, the fifth information is used for service permission determination implemented by the third network function, and the fifth information is generated by the second network function using the fifth algorithm according to information that is only known by the second network function and the third network function;

wherein the first network function, the second network function and the third network function are provided by different providers.
The method according to claim 13, wherein the method further comprises:

sending a third message to the third network function, wherein the third message comprises the second information, an ID of the second algorithm, the fifth information, an ID of the fifth algorithm and a service ID.
The method according to claim 13 or 14, wherein the method further comprises:

receiving an indication from the third network function, wherein the indication is used to indicate successful service provision.
A method for communication, performed by an identifier management (IDM) function, comprising:

receiving a fourth message from a second network function, wherein the fourth message comprises third information and an identifier (ID) of a third algorithm, the third information is generated by a first network function using the third algorithm according to information that is only known by the first network function and the IDM function;

obtaining, using the third algorithm, a second ID of a device by performing user identification based on the third information and information that is only known by the first network function and the IDM, and obtaining a first ID of the device according to the second ID; and

generating second information using a second algorithm and a device’s ID in at least one third network function, wherein the second information is used for user identification implemented by the third network function; and

sending a fifth message to the second network function, wherein the fifth message comprises second information, an ID of the second algorithm, and a first ID of the device.
A method for communication, performed by a second network function, wherein the second network function is responsible for management on a service profile, and the method comprises:

receiving a first message from a first network function, wherein the first message comprises third information, an identifier (ID) of a third algorithm and a service ID, and the third information is generated by the first network function using the third algorithm according to information that is only known by the first network function and an identifier management (IDM) function;

sending a fourth message to the IDM function, wherein the fourth message comprises the third information and the ID of the third algorithm; and

receiving a fifth message from the IDM function, wherein the fifth message comprises second information, an ID of a second algorithm and a first ID of a device, the second information is used for user identification implemented by a third network function, the second information is generated by the IDM function using the second algorithm according to a device’s ID in at least one third network function;

wherein the first network function, the second network function and the third network function are provided by different providers.
The method according to claim 17, wherein the method further comprises:

performing service permission determination by checking a service profile according to the service ID;

validating the device and a service according to a service credential stored in the service profile; and

generating, using a fifth algorithm, fifth information according to information that is only known by the second network function and the third network function, wherein the fifth information is used for service permission determination implemented by the third network function.
The method according to claim 18, wherein the method further comprises:

sending a second message to the first network function, wherein the second message comprises the second information, the fifth information, an ID of the second algorithm, and an ID of the fifth algorithm.
A method for communication, performed by a third network function, wherein the third network function is responsible for providing a service to a device, and the method comprises:

receiving a third message from a first network function, wherein the third message comprises second information, an ID of a second algorithm, fifth information, an identifier (ID) of a fifth algorithm and a service ID, the second information is generated by an identifier management (IDM) function using the second algorithm according to a device’s ID in at least one third network function, and the fifth information is generated by the second network function using the fifth algorithm according to information that is only known by the second network function and the third network function; and

performing user identification and service permission determination, wherein the user identification is performed according to the second information and the second algorithm, and the service permission determination is performed according to the fifth information and the fifth algorithm.
The method according to claim 20, wherein the method further comprises:

sending an indication of successful service provision in the case that the user identification and the service permission determination are successful; or

sending an indication of service rejection for the device to access the service.
A communication apparatus, wherein the communication apparatus comprises a processor, the processor is configured to execute one or more instructions stored in a memory, to enable the communication apparatus to implement the method according to any one of claims 1 to 5, or the method according to claim 6 or 7, or the method according to any one of claims 8-10, or the method according to claim 11 or 12; or

to enable the communication apparatus to implement the method according to any one of claims 13 to 15, or the method according to claim 16, or the method according to any one of claims 17-19, or the method according to claim 20 or 21.
The communication apparatus according to claim 22, wherein the communication apparatus further comprises the memory.
The communication apparatus according to claim 22 or 23, wherein the communication apparatus comprises a communication interface, and the communication interface is configured to input and/or output information or data.
A communication apparatus, wherein the communication apparatus comprises a function or unit to implement the method according to any one of claims 1-5, or the method according to claim 6 or 7, or the method according to any one of claims 8-10, or the method according to claim 11 or 12; or

to implement the method according to any one of claims 13 to 15, or the method according to claim 16, or the method according to any one of claims 17-19, or the method according to claim 20 or 21.
A communication apparatus, wherein the communication apparatus comprises a circuit and a communication interface, the communication interface is configured to receive information and/or data that is to be processed by the circuit, and transmit the information and/or data to the circuit; and the circuit is configured to implement the method according to any one of claims 1-5, or the method according to claim 6 or 7, or the method according to any one of claims 8-10, or the method according to claim 11 or 12; or

to implement the method according to any one of claims 13 to 15, or the method according to claim 16, or the method according to any one of claims 17-19, or the method according to claim 20 or 21.
The communication apparatus according to claim 26, wherein the communication interface is further configured to output information and/or data processed by the circuit.
A communication system, comprising one or more communication apparatuses of:

a communication apparatus that performs the method according to any one of claims 1-5;

a communication apparatus that performs the method according to claim 6 or 7;

a communication apparatus that performs the method according to any one of claims 8-10; and

a communication apparatus that performs the method according to claim 11 or 12.
A communication system, comprising one or more communication apparatuses of:

a communication apparatus that performs the method according to any one of claims 13-15;

a communication apparatus that performs the method according to claim16;

a communication apparatus that performs the method according to any one of claims 17-19; and

a communication apparatus that performs the method according to claim 20 or 21.
A computer readable storage medium, comprising one or more instructions, wherein when the one or more instructions are run on a computer, the computer implements the method according to any one of claims 1-5, or the method according to claim 6 or 7, or the method according to any one of claims 8-10, or the method according to claim 11 or 12; or

to implement the method according to any one of claims 13 to 15, or the method according to claim 16, or the method according to any one of claims 17-19, or the method according to claim 20 or 21.
A computer program product, comprising one or more instructions, wherein when the one or more instructions are run on a computer, the computer implements the method according to any one of claims 1-5, or the method according to claim 6 or 7, or the method according to any one of claims 8-10, or the method according to claim 11 or 12; or

to implement the method according to any one of claims 13 to 15, or the method according to claim 16, or the method according to any one of claims 17-19, or the method according to claim 20 or 21.