Sage Journals: Discover world-class research

Abstract

In the vehicular ad hoc network, moving vehicles can keep communicating with each other by entering or leaving the network at any time to establish a new connection. However, since many users transmit a substantial number of messages, it may cause reception delays and affect the entire system. A certificateless aggregate signature scheme can provide a signature compression that keeps the verification cost low. Therefore, it is beneficial for environments constrained by time, bandwidth, and storage, such as vehicular ad hoc network. In recent years, several certificateless aggregate signature schemes have been proposed. Unfortunately, some of them still have some security and privacy issues under specific existing attacks. This article offers an authentication scheme that can improve security, privacy, and efficiency. First, we apply the certificateless aggregate signature method to prevent the onboard unit devices from leaking sensitive information when sending messages. The scheme is proven to be secure against the Type-1 $(A_{1})$ and Type-2 $(A_{2})$ adversaries in the random oracle model under the computational Diffie–Hellman problem assumption. Then, the performance evaluation demonstrates that our proposed scheme is more suitable for deployment in vehicular ad hoc network environments.

Keywords

Adversaries authentication certificateless aggregate signature security and privacy vehicular ad hoc network

Introduction

The vehicular ad hoc network (VANET) is derived from the concept of the mobile ad hoc network (MANET).¹ It has two communication methods: vehicle-to-vehicle (V2V) and vehicle-to-infrastructure (V2I) communications. All smart cars are equipped with onboard units (OBU), which can communicate with each other wirelessly through dedicated short-range communication (DSRC) protocol.² The device can alert the driver in emergencies (e.g. the vehicle is too close to the vehicle in the front) and issue a collision warning to avoid accidents. In V2I communication, a vehicle can communicate with a roadside unit (RSU) and make a service request. The combination of vehicles and a global positioning system (GPS) obtains road traffic conditions through the transmission of messages and plans a perfect driving route.³ As a result, road congestion is reduced, and the driving experience is improved.

VANET’s infrastructure consists of three main components: OBU, RSU, and trusted authority (TA) (i.e. trace authority (TRA), and key generator center (KGC)).⁴ For a legal member in the VANET environment, an OBU must be equipped to enable it as a network node and communicate with other legal devices. The OBU contains the user interface, DSRC communication media, GPS, a computing power processor, an event data recorder (EDR), sensors, storage devices, and tamper-proof devices (TPD).⁵ RSU allows OBU to communicate with TRA. The RSU communicates with the OBU through open and insecure wireless network channels, while, on the other hand, it connects to the TRA through a secure channel. TRA is responsible for registering RSU and vehicle, generating pseudonyms for the vehicle, and in case of dispute, it can trace the vehicles’ real identity. Meanwhile, KGC is in charge of producing public system parameters and preloading them on RSUs and OBUs in the off-line/on-line mode. It also generates and distributes the partial private keys for RSUs and vehicles. The general topology of VANET is shown in Figure 1.

Figure 1.

The topology of VANET.

Despite all the convincing features provided by VANET, it also has several challenges in its security and privacy.^6,7 In VANET, V2V and V2I communications are taking place on the open wireless communication channel, which is naturally not secure. Therefore, the message must be acknowledged to ensure that it was sent by a legitimate device and withstand various attacks during the transmission. The transmitted message contains sensitive personal information and cannot be leaked. When a large number of OBU devices send messages to the other OBUs and RSU simultaneously, this large number of messages must be verified. This process will increase the verification time, resulting in a reception delay of other road traffic emergencies and essential messages. In addition, another issue that needs to be considered is the significant mobility of vehicles on the road. This condition makes VANETs’ topology rapidly shift, resulting in the connection between vehicles that can change at any time. If the excessive load can disable services for each device, then the VANET environment will be severely affected. Therefore, a robust and lightweight authentication mechanism is critically needed to satisfy the security, privacy, and efficiency of the information dissemination and verification processes in VANET.

In traditional public-key cryptography (PKC), each public key must generate a corresponding digital certificate.^8,9 When a user wants to send a message to a receiver, they must first obtain the recipient’s public key and then use a certificate to validate the user’s identity. He or she then uses this public key to encrypt the message and send it to the recipient. Not only does this require certification management, but it also increases verification time. In 1984, Shamir¹⁰ proposed a new concept called ID-based public-key cryptography (ID-PKC) to solve the above problems. The public key in ID-PKC consists of the user’s identity information, such as phone number and email address. Therefore, there is no need to generate a certificate, thereby solving the traditional PKC problem.¹¹ However, the private key corresponding to the public key is caused by a KGC. If the KGC is compromised, the attacker will obtain all the private keys. Thus, attackers can arbitrarily decrypt other people’s encrypted messages or forge signatures. This attack is called a key escrow problem.

To solve the key escrow problem in ID-PKC, in 2003, Al-Riyami and Paterson¹² introduced a new concept known as certificateless public key cryptography (CL-PKC). Although CL-PKC also requires a key generating center (KGC), it only generates part of the user’s private key, while the other part is generated by the user locally. As a result, key escrow is overcome, and CL-PKC does not need to create certificates. Furthermore, a scheme called aggregate signature can aggregate multiple signatures generated by different users for different messages into a single signature. This approach not only reduces the length of the signature but also improves verification efficiency. Therefore, based on CL-PKC and aggregate signature advantages, some scholars combined these two methods and proposed a certificateless aggregate signature (CLAS) scheme. This scheme will effectively improve the problem of verifying a large number of messages in VANET.

Related work

The idea of CLAS was first introduced by Castro and Dahab,⁹ by combining the benefits of aggregate signatures and CL-PKC. Since then, many CLAS schemes have been proposed.^9,13–33 From all of these methods, several scholars pay attention to specific applications on VANET.^{18,19,21,23–33}

In 2015, Horng et al.¹⁹ proposed a new CLAS scheme based on the certificateless signature scheme (CLS) method for V2I communication in VANET. They claimed that their approach could achieve conditional privacy protection, more efficient in the verification process. Moreover, a small amount of constant pair of calculations can resist forgery on adaptively selected message attacks in the random oracle model (ROM). However, in 2016, Li et al.²¹ showed that Horng et al.’s¹⁹ scheme is vulnerable to “malicious but passive” KGC attacks. In 2018, Cui et al.²⁴ proposed a pairing-free CLAS scheme that has an obvious advantage in efficiency over Horng et al.’s¹⁹ scheme. However, Zhao et al.,²⁸ Kamil and Ogundoyin,²⁶ and Li et al.³¹ found out that Cui et al.’s²⁴ schemes cannot withstand a malicious KGC attack. Zhao et al.²⁸ also pointed out that Horng et al.’s¹⁹ scheme cannot withstand users’ public-key replacement attack. Meanwhile, Ming and Shen³⁴ showed that Horng et al.’s¹⁹ scheme could not provide authentication and message integrity and failed to resist common attacks such as replay, modification, impersonation, and man-in-the-middle (MITM) attacks. Kamil and Ogundoyin²⁶ proposed their full aggregation pairing-free CLAS scheme and made cryptanalysis to Cui et al.’s²⁴ scheme. However, Zhao et al.²⁸ found out that Kamil and Ogundoyin’s²⁶ scheme cannot resist Type-1 and Type-2 adversary attacks.

In the same year as Horng et al.,¹⁹ Malhi and Batra¹⁸ also proposed their CLAS scheme. They aimed for a low computational cost approach that still maintained its security reliability. They demonstrated that theirs could withstand the unforgeability attack and have a low computational cost. So, they emphasized that their scheme is very suitable for VANET. However, Kumar and Sharma²³ found that Malhi and Batra’s¹⁸ scheme is vulnerable to malicious KGC attacks. Meanwhile, Zhang et al.³⁵ also found out that Malhi and Batra’s¹⁸ scheme cannot provide identity privacy-preserving.

In 2019, Zhong et al.²⁵ proposed a full aggregation CLAS scheme for VANET and claimed it has better efficiency than Malhi-Batra’s¹⁸ scheme. However, Li et al.,³¹ Mei et al.,³² and Kamil and Ogundoyin²⁹ found out that Zhong et al.’s²⁵ scheme cannot withstand a malicious KGC attack. In the same year, Kumar et al.²⁷ proposed their CLAS scheme in VANET and claimed to be unforgeable against adaptive chosen-message attacks. In 2021, Mei et al.³² proposed a full aggregation CLAS scheme in VANET that claimed more efficient than Kumar and Sharma’s²³ and Kumar et al.’s²⁷ schemes. Kamil and Ogundoyin²⁹ also proposed their full aggregation CLAS scheme in VANET and made cryptanalysis to Zhong et al.’s²⁵ scheme. They show if Zhong et al.’s²⁵ and Kumar et al.’s²⁷ schemes are vulnerable to the signature-forgery attack by a malicious KGC and forgery attack, respectively. Xu et al.³⁰ proposed their CLAS scheme in VANET that claimed unforgeable against adaptive chosen-message and identity attacks. Recently, Thumbur et al.³³ proposed the newest pairing-free CLAS scheme and compared it to the other CLAS schemes in VANET that employ computational Diffie-Hellman problem (CDHP) complexity assumption. The scheme results in apparent advantages in computation cost.

The other significant authentication schemes related to the CLAS mechanism in VANET are also published in recent years. Bouakkaz and Semchedine³⁶ recently introduced an efficient certificateless ring signature (BV-CLRS) with batch verification, a conditional privacy preservation authentication system for use in VANET that is based on traceable certificateless ring signatures. The scheme has significantly decreased computation and communication overhead due to the usage of batch verification. It also claimed to be secure against five types of adversaries. In 2020, Cui et al.³⁷ suggested a privacy-preserving data downloading scheme with edge computing in VANET. Their method allows the RSU to discover common data by recording encrypted requests sent from adjacent nodes while maintaining the download requests’ secrecy. Elliptic-curve cryptography (ECC), TESLA broadcast authentication, and additive homomorphic encryption algorithms are used to build the scheme. Very recently, Zhang et al.³⁸ proposed a Chinese remainder theorem (CRT)-based conditional privacy-preserving authentication (PA-CRT) protocol to establish secure communication between vehicles in VANET. The scheme eliminates the requirement for TPDs to hold long-term system secrets. The CRT in this scheme is also claimed to greatly reduce the computational complexity of the TA.

A comparative summary of existing state-of-art CLAS authentication schemes for VANET discussed above is presented in Table 1. In addition, the table elaborates the topology CLAS methods in VANETs, including the number of implemented algorithms (further discussion in Section “Preliminaries”), cryptanalysis improvements over other schemes, and the main contribution of security efficiency.

Table 1.

Literature survey.

Authors	Literature	Main feature and contribution
Malhi and Batra¹⁸	An efficient certificateless aggregate signature scheme for vehicular ad hoc networks.	The scheme comprises nine algorithms: Setup, Registration, Partial-Private-Key-Gen, Vehicle-Key-Gen, Pseudonym-Gen, Sign, Verify, Aggregate, and Aggregate-Verify. Together with Horng et al.,¹⁹ they become the first two CLAS schemes in VANET with partial aggregation. First, however, Zhang et al.³⁵ found out if Malhi-Batra’s scheme cannot provide identity privacy-preserving.
Horng et al.¹⁹	An efficient certificateless aggregate signature with conditional privacy-preserving for vehicular sensor networks.	The scheme comprises seven algorithms: Setup, Pseudonym-Gen/Partial-Private-Key-Gen, Vehicle-Key-Gen, Sign, Verify, Aggregate, and Aggregate-Verify. As a result, this scheme is more efficient than the other CLAS schemes.^9,13,15
Li et al.²¹	Cryptanalysis and improvement of certificateless aggregate signature with conditional privacy-preserving for vehicular sensor networks.	The scheme comprises seven algorithms: Setup, Pseudonym-Gen/Partial-Private-Key-Gen, Vehicle-Key-Gen, Sign, Verify, Aggregate, and Aggregate-Verify. Li et al.²¹ make cryptanalysis and improvement to the Horng et al.’s¹⁹ scheme. They show if that scheme is vulnerable to malicious-but-passive KGC attacks.
Kumar and Sharma²³	On the security of certificateless aggregate signature scheme in vehicular ad hoc networks.	The scheme comprises seven algorithms: Setup, Partial-Private-Key-Gen, Vehicle-Key-Gen, Pseudonym-Gen, Sign, Verify, and Aggregate-Verify. Partial aggregation CLAS scheme. Kumar and Sharma²³ make cryptanalysis and improvement to the Malhi and Batra’s¹⁸ scheme. They show if that scheme is insecure against Type-2 adversary $(A_{2})$ .
Cui et al.²⁴	An efficient certificateless aggregate signature without pairings for vehicular ad hoc networks.	The scheme comprises seven algorithms: Setup, Pseudonym-Gen/Partial-Private-Key-Gen, Vehicle-Key-Gen, Sign, Verify, Aggregate, and Aggregate-Verify. As a result, this scheme is more efficient than the other CLAS schemes.^9,13,15,19
Zhong et al.²⁵	Privacy-preserving authentication scheme with full aggregation in VANET.	The scheme comprises eight algorithms: Setup, Pseudonym-Gen, Partial-Private-Key-Gen, Vehicle-Key-Gen, Sign, Verify, Aggregate, and Aggregate-Verify. This scheme provided a complete aggregation and claimed more efficiency than the other CLAS schemes.^13,15,18
Kamil and Ogundoyin²⁶	An improved certificateless aggregate signature scheme without bilinear pairings for vehicular ad hoc networks.	The scheme comprises nine algorithms: Setup, Registration, Partial-Private-Key-Gen, Pseudonym-Gen, Vehicle-Key-Gen, Sign, Verify, Aggregate, and Aggregate-Verify. This scheme provided a complete aggregation and claimed more efficiency than other CLAS schemes in VANET.^{18,19,21,24,27} Kamil and Ogundoyin²⁶ make cryptanalysis and improvement to the Cui et al.’s²⁴ scheme. Moreover, they show if that scheme is vulnerable against forgery attack in Type-2 adversary $(A_{2})$ .
Zhao et al.²⁸	An efficient certificateless aggregate signature scheme for the internet of vehicles.	The scheme comprises nine algorithms: Setup, Registration, Pseudonym-Gen, Partial-Private-Key-Gen, Vehicle-Key-Gen, Sign, Verify, Aggregate, and Aggregate-Verify. This scheme is more efficient than other CLAS schemes in VANET^{19,24,26,27,31} make cryptanalysis and improvement to Kamil-Ogundoyin’s²⁶ scheme. They show if that scheme is vulnerable to Type-1 and Type-2 adversary attacks. Zhao et al. also claim if Horng et al.’s¹⁹ scheme suffered from Type-1 adversary $(A_{1})$ .
Kamil-Ogundoyin²⁹	On the security of privacy-preserving authentication scheme with full aggregation in vehicular ad hoc network.	The scheme comprises eight algorithms: Setup, Pseudonym-Gen, Partial-Private-Key-Gen, Vehicle-Key-Gen, Sign, Verify, Aggregate, and Aggregate-Verify. This scheme provided a full aggregation. Kamil-Ogundoyin²⁹ makes cryptanalysis and improvement to Zhong et al.’s²⁵ scheme. They show if Zhong et al.’s²⁵ and Kumar et al.’s²⁷ schemes are vulnerable against a signature-forgery attack by Type-2 adversary $(A_{2})$ and forgery attack, respectively.
Li et al.³¹	An efficient certificateless aggregate signature scheme designed for VANET.	The scheme comprises eight algorithms: Setup, Pseudonym-Gen, Partial-Private-Key-Gen, Vehicle-Key-Gen, Sign, Verify, Aggregate, and Aggregate-Verify. This scheme is more efficient than other CLAS schemes in VANET.^23,25–27 Li et al.³¹ make cryptanalysis and improvement to the Zhong et al.’s²⁵ scheme. They show if that scheme is vulnerable against forgery attack in Type-2 adversary $(A_{2})$ .
Mei et al.³²	Efficient certificateless aggregate signature with conditional privacy preservation in IoV.	The scheme comprises eight algorithms: Setup, Pseudonym-Gen, Partial-Private-Key-Gen, Vehicle-Key-Gen, Sign, Verify, Aggregate, and Aggregate-Verify. This scheme provides a complete aggregation and is claimed more efficient than the other CLAS schemes.^16,23,27
Thumbur et al.³³	Efficient and secure certificateless aggregate signature-based authentication scheme for vehicular ad hoc networks.	The scheme comprises nine algorithms: Setup, Pseudonym-Gen, Partial-Private-Key-Gen, Set-Secret-Value, Vehicle-Key-Gen, Sign, Verify, Aggregate, and Aggregate-Verify. Compared to other CLAS schemes in VANETs that employ CDHP complexity assumption, the scheme has apparent advantages inefficiency.

CLAS: certificateless aggregate signature; VANET: vehicular ad hoc network; KGC: key generator center; CDHP: computational Diffie–Hellman problem.

Our contributions

Our main contributions are summarized as follows:

We propose a new CLAS scheme that aims to make the computation cost a top priority and provide a secure and more effective CLAS scheme for V2V and V2I communications in VANET.

Our scheme provides a significant cost efficiency in the individual and aggregate verification, particularly compared to the other CDHP-based CLAS schemes.^{19,25,27,29,32}

Our scheme realizes mutual authentication between vehicle and TRA to confirm that they are the corresponding legal entities.

Our scheme could provide pseudonymity, identity privacy-preserving, mutual authentication, message authentication, non-repudiation, traceability, unlinkability, and user location privacy. It also could withstand the Type-1 and Type-2 adversary attacks, replay attacks, MITM attacks, masquerade attacks, and impersonation attacks.

Organization

For a better understanding, the rest of this article is arranged as follows. In section “Preliminaries,” we provide preliminaries about the system model of CLAS, the concepts of bilinear maps, the complexity assumption we used, an outline of the CLAS scheme, security model, and other common security and privacy requirements in VANET. Then, the construction of our proposed scheme and its correctness is described in section “Our proposed CLAS scheme.” Next, section “Security proof and analysis” gives the security proof, analysis, and comparison toward other schemes, followed by the performance analysis in section “Performance analysis.” Finally, the conclusion is conveyed in section “Conclusion.”

Preliminaries

This section discusses the concept of bilinear maps, complexity assumptions, the outline of the CLAS scheme, security model, and other basic security and privacy requirements.

System model

As mentioned in section “Introduction,” in general, the topology of VANET is made up of three main components that are structured as the two-level architecture. In the CLAS scheme of VANET, we have an application server (AS) and TA (i.e. KGC and tracking authorities (TRA)) which make up the higher layer. Meanwhile, RSUs and OBUs cover the lower layer (see Figure 2). In the CLAS-VANET, AS is a trusted entity that serves as a traffic-related server for vehicles (traffic control and analysis center). It will collect traffic-related messages from the RSU and conduct additional traffic analysis. AS communicates with TA and RSU using a secure wired connection. In this scheme, RSU acts as the verifier of the signatures $(σ_{1}, σ_{2}, \dots, σ_{n})$ on messages $(M_{1}, M_{2}, \dots, M_{n})$ sent by vehicles, and aggregate them into an aggregate signature $σ$ , then send it to the AS. The AS will collect and verify the aggregate signature $σ$ from RSUs, make a further analysis, and provide them back with some preferred services.

Figure 2.

Aggregate signature in VANET.

The bilinear maps

The bilinear map $\hat{e}$ can be obtained from the modified Weil pairing³⁹ or Tate pairing⁴⁰ on elliptic curves. Its security and complexity lie in the CDHP, which is difficult to solve.⁴¹ Let $G_{1}$ be denoted as a cyclic additive group generated by $P$ , and $G_{2}$ is a cyclic multiplicative group with the same prime order $q$ . Let $\hat{e} : G_{1} \times G_{1} \to G_{2}$ be a bilinear map if it satisfies the following properties:

Bilinear: For all $P, Q, R \in G_{1}$ , we have $\hat{e} (Q, P + R) = \hat{e} (P, Q + R) = \hat{e} (Q, P) \cdot \hat{e} (Q, R)$ . For any $a, b \in Z_{q}^{*}$ , $\hat{e} (aQ, bP) = \hat{e} (bQ, aP) = \hat{e} (Q, P)^{ab}$ .

Computable: For any $P, Q \in G_{1}$ , there is an efficient algorithm to compute $\hat{e} (P, Q)$ .

Non-degenerate: $\hat{e} (P, Q) \neq 1$ .

Complexity assumption

In CDHP, $G_{1}$ is a cyclic additive group generated by $P$ , with given $P, aP, bP, cP \in G_{1}$ , and $a, b, c \in Z_{q}^{*}$ are unknown values. The CDHP is difficult to solve by adversary $A$ , because there is no polynomial time algorithm that can discover $abcP \in G_{1}$ .

Outline of CLAS scheme

Generally, a CLAS scheme includes eight following algorithms: Setup, Pseudonym-Gen, Partial-Private-Key-Gen, Vehicle-Key-Gen, Sign, Verify, Aggregate, and Aggregate-Verify.

Setup: TRA and KGC run this algorithm with a security parameter $l \in Z_{q}^{*}$ as input to produces master public key $P_{pub}$ , master secret key $s$ , and public parameters $params$ .

Pseudonym-Gen: TRA run this algorithm by inputs vehicles’ real identity $I D_{i}$ and outputs vehicles’ pseudo-identity $PI D_{i}$ .

Partial-Private-Key-Gen: KGC inputs vehicle’s identity $PI D_{i}$ and $params$ to produces respective partial private key $ps k_{I D_{i}}$ .

Vehicle-Key-Gen: Vehicle takes $params$ and its $ps k_{I D_{i}}$ to generates private key $vs k_{I D_{i}}$ , and its public key $vp k_{I D_{i}}$ .

Sign: Vehicle inputs $params$ together with its $PI D_{i}$ , $ps k_{I D_{i}}$ , $vs k_{I D_{i}}$ , and the message $M_{i}$ . It returns the signature $σ_{i}$ on the message $M_{i}$ .

Verify: RSU (V2I) or recipient vehicle (V2V) takes $σ_{i}$ , $PI D_{i}$ , $vp k_{I D_{i}}$ as the input. If $σ_{i}$ is valid, the receiver accepts it, otherwise rejects.

Aggregate: The aggregator inputs $n$ vehicle’s signatures $(σ_{1}, σ_{2}, \dots, σ_{n})$ on $n$ distinct messages $(M_{1}, M_{2}, \dots, M_{n})$ . Then, the algorithm outputs the aggregate signature $σ$ on $(M_{1}, M_{2}, \dots, M_{n})$ .

Aggregate-Verify: The verifier inputs $n$ vehicles’ public keys $(vp k_{I D_{1}}$ , $vp k_{I D_{2}}$ , ⋯, $vp k_{I D_{n}})$ , the vehicle’s identity $(PI D_{1}, PI D_{2}, \dots, PI D_{n})$ , and the corresponding aggregate signature $σ$ on the message set $(M_{1}, M_{2}, \dots, M_{n})$ . Finally, if this signature is valid, the verifier accepts it, otherwise rejects.

Security model

Depending on the behavior of adversary $A$ , we consider two types of adversaries, called Type-1 adversary $(A_{1})$ and Type-2 adversary $(A_{2})$ .

Type-1 adversary $(A_{1})$

The Type-1 adversary $A_{1}$ serves as an outsider who can compromise or replace a user’s public key with any value but cannot access KGC’s master secret key. It is also known as the public-key replacement attack.

Type-2 adversary $(A_{2})$

The Type-2 adversary $A_{2}$ takes on the role of the KGC. It can access the KGC’s master key but cannot replace the user’s public key. It is also known as the malicious KGC attack.

A CLAS scheme is said to be existentially unforgeable against adaptive chosen-message and identity attacks by considering the following two games, $Game - 1$ and $Game - 2$ , against $A \in {A_{1}, A_{2}}$ . Both $A_{1}$ and $A_{2}$ can access the following five oracles:

CreateUser: After receiving a $PI D_{i}$ , this oracle returns $vp k_{PI D_{i}}$ to $A$ .

RevealPartialPrivateKey: After receiving a vehicle’s $I D_{i}$ , the corresponding $ps k_{I D_{i}}$ is returned to $A$ by this oracle.

RevealPrivateKey: After receiving a vehicle’s $PI D_{i}$ , the corresponding $vs k_{PI D_{i}}$ is returned to $A$ by this oracle.

RevealPseudonym: $A$ makes a request for the pseudonym of the vehicle with $I D_{i}$ . The challenger $C$ searches the list $L_{K}$ and responds with $PI D_{i}$ if the entry exists, otherwise it returns ⊥.

ReplaceKey: After receiving a new public key ${vpk}_{PI D_{i}}^{'}$ chosen by $A$ and a $PI D_{i}$ , this oracle updates vehicle’s $vp k_{PI D_{i}}$ with ${vpk}_{PI D_{i}}^{'}$ .

Sign: After receiving $PI D_{i}$ and $M_{i} \in {(0, 1)^{*}}$ , a $σ_{i}$ of $M_{i}$ is returned to $A$ by this oracle.

Game-1

The challenger $C$ deals with $A_{1}$ executes the following steps.

Setup: $C$ runs Setup algorithm, which takes $l$ to generate $s$ and $params$ . The $params$ is sent by $C$ to $A_{1}$ while keeps $s$ as secret to itself.

Query: $A_{1}$ is allowed to runs CreateUser, RevealPartialPrivateKey, RevealPrivateKey, and $Sign$ oracles.

Forgery: Finally, $A_{1}$ outputs an aggregate signature $σ^{'}$ on the messages set $(M_{1}^{'}$ , $M_{2}^{'}$ , ⋯, $M_{n}^{'})$ corresponding to a targeted identities $({PID}_{1}^{'}$ , ${PID}_{2}^{'}$ , ⋯, ${PID}_{n}^{'})$ with public keys $(vp k_{{ID}_{1}^{'}}$ , $vp k_{{ID}_{2}^{'}}$ , ⋯, $vp k_{{ID}_{n}^{'}})$ .

In this case, $A_{1}$ wins Game-1 if:

$σ^{'}$ is a valid aggregate signature on $(M_{1}^{'}$ , $M_{2}^{'}$ , ⋯, $M_{n}^{'})$ with identities $({PID}_{1}^{'}$ , ${PID}_{2}^{'}$ , ⋯, ${PID}_{n}^{'})$ and public keys $(vp k_{{ID}_{1}^{'}}$ , $vp k_{{ID}_{2}^{'}}$ , ⋯, $vp k_{{ID}_{n}^{'}})$ .

The ${PID}_{i}^{'}$ has not queried partial private key $ps k_{{ID}_{i}^{'}}$ during RevealPartialPrivateKey queries.

Sign oracle has never been queried with ${PID}_{i}^{'}$ and $M_{i}^{'}$ .

Definition 1

If $A_{1}$ cannot win Game-1 with non-negligible advantage in polynomial time, the CLAS scheme is secure against $A_{1}$ .

Game-2

The challenger $C$ deals with $A_{2}$ executes the following steps.

Setup: $C$ runs $Setup$ algorithm, which takes $l$ to generate $s$ and $params$ . The both $s$ and $params$ are sent by $C$ to $A_{2}$ .

Query: $A_{2}$ is allowed to runs CreateUser, RevealPrivateKey, ReplaceKey, and Sign oracles in this phase. The $A_{2}$ is no longer needs RevealPartialPrivateKey since it has the access to $s$ .

Forgery: Finally, $A_{2}$ outputs an aggregate signature $σ^{'}$ on the message set $(M_{1}^{'}$ , $M_{2}^{'}$ , ⋯, $M_{n}^{'})$ corresponding to a targeted identities $({PID}_{1}^{'}$ , ${PID}_{2}^{'}$ , ⋯, ${PID}_{n}^{'})$ with public keys $(vp k_{{ID}_{1}^{'}}$ , $vp k_{{ID}_{2}^{'}}$ , ⋯, $vp k_{{ID}_{n}^{'}})$ .

In this case, $A_{2}$ wins Game-2 if:

The ${PID}_{i}^{'}$ has not queried private key $vs k_{{ID}_{i}^{'}}$ during RevealPrivateKey queries.

Sign oracle has never been queried with ${PID}_{i}^{'}$ and $M_{i}^{'}$ .

Definition 2

If $A_{2}$ cannot win Game-2 with non-negligible advantage in polynomial time, the CLAS scheme is secure against $A_{2}$ .

From Definition 1 and Definition 2 above, a CLAS scheme is claimed to be existentially unforgeable under an adaptive chosen message attack, if there exists no polynomial-time adversary $A_{1}$ and $A_{2}$ with a non-negligible advantage in $Game - 1$ and $Game - 2$ , respectively.

Other security and privacy requirements

As depicted in Figure 1, the V2V and V2I communication occur under an open wireless communication channel, so it is vulnerable to various attacks. To design a secure authentication mechanism, we define the security and privacy requirements that need to be met in VANET as follows.^3,4,11,12,42

Pseudonimity

TRA can create a unique pseudo-identity from the vehicle’s real identity to protect the user’s privacy.

Identity privacy-preserving

Since the pseudonym covers the message’s sender’s identity, it would be anonymous, and only TRA can reveal their real identity.

Mutual authentication

Two parties can authenticate each other simultaneously to be assured and certain doing business exclusively with legitimate entities.

Message authentication

The receiver must be capable of differentiating the original message from the bogus message.

Non-repudiation

Messages’ senders cannot deny the information they have sent.

Traceability

TRA must be able to reveal the real identities of the pseudo-identities $PI D_{i}$ of the user in the case of a dispute.

Unlinkability

An adversary (vehicle or RSU) should not link two or more subsequent pseudonym messages of the same vehicle.

Replaying attack resistance

The networks could endure a passive data capture and subsequent retransmission to produce an unauthorized message by the adversaries.

MITM attack resistance

The networks could endure the eavesdropper to intercept a message and sometimes alter the intended message. Mutual authentication can prevent MITM attacks because both the sender and recipient verify each other before sending them.

Masquerade attack resistance

The networks could endure a fake identity that tries to gain unauthorized access to transmitted information through legitimate access identification.

Impersonation attack resistance

The networks could endure toward the attacker who tries to assume or impersonate the legitimate vehicles’ identity in VANET to generate the signature for any messages.

User location privacy

The networks could prevent other parties from learning the vehicle’s past, current, or next destination location.

Our proposed CLAS scheme

It is necessary to design an effective VANET authentication scheme in an environment where the communication channels are not protected. To enhance the security and improve message verification efficiency of V2V and V2I communication in VANET, we propose a CLS (Setup, Registration, Partial-Private-Key-Gen, Vehicle-Key-Gen, Pseudonym-Gen, Sign, Verify) scheme followed by an efficient CLAS (Aggregate, Aggregate-Verify) scheme. To comprehend the scheme’s procedure, notations throughout this article are presented in Table 2.

Table 2.

Notations of this article.

Notation	Definition
KGC	Key generator center
TRA	Trace authority
OBU	On-board unit
TPD	Tamper-proof device
RSU	Road-side unit
$G_{1}$	A cyclic additive group
$G_{2}$	A cyclic multiplicative group
$q$	Prime order of $G_{1}$ and $G_{2}$
$P$	Generator point of $G_{1}$
$\hat{e}$	A bilinear pairing
	$\hat{e} : G_{1} \times G_{1} \to G_{2}$
$H (\cdot), h (\cdot)$	MapToPoint hash function, $H (\cdot) : {0, 1}^{} \to G_{1}$ and one-way hash function, $h (\cdot) : {0, 1}^{} \to Z_{q}^{*}$
$α, P_{pub}$	KGC’s master private and public keys
$β, T_{pub}$	TRA’s private and public keys
$y_{i}, P_{rs u_{i}}$	RSU’s private and public keys
$I D_{i}$	Vehicle’s identity
$ps k_{I D_{i}}$	Vehicle’s partial private key
$PI D_{i}$	Vehicle’s pseudo-identity
$T_{i}, t_{i}$	A current timestamp
$vs k_{I D_{i}}, vp k_{I D_{i}}$	Vehicle’s private and public keys

Construction

Our proposed nine-phase CLAS scheme is described as follows.

Setup

This phase aims to generate the system’s public parameters and the secret parameters of TRA and KGC. They are used for message encryption and signature generation. These parameters are used to generate a pseudo-identity of the device in the future and perform proper verification on the message’s signature. The KGC first selects a security parameter $l \in N$ and then generates a cyclic addition group $G_{1}$ , a cyclic multiplication group $G_{2}$ , a generator point $P$ that belongs to $G_{1}$ , and a bilinear pairing function $\hat{e} : G_{1} \times G_{1} \to G_{2}$ . Both $G_{1}$ and $G_{2}$ have the same prime order of $q$ . KGC then selects a secret value $α \in Z_{q}^{*}$ as the master key and calculates $P_{pub} = α P$ as the public key. KGC then chooses six secure one-way hash functions $h_{1}, h_{2}, h_{3}, h_{4}, h_{5}, h_{6} : {0, 1}^{*} \to Z_{q}^{*}$ .

Meanwhile, TRA selects a secret value $β \in Z_{q}^{*}$ to calculates its public key $T_{pub} = β P$ . Each RSU in VANET needs to select a private key $y_{i} \in Z_{q}^{*}$ for calculating their public key $P_{rs u_{i}} = y_{i} P$ , and sends it to KGC. After receiving $P_{rs u_{i}}$ , KGC sends the public parameters $params = {q, G_{1}, G_{2}, P, \hat{e}, P_{pub}, h_{1}, h_{2}, h_{3}, h_{4}, h_{5}, h_{6}, P_{rs u_{i}}}$ to every vehicle in the network, which will be preloaded into their TPD. The process is shown in Figure 3.

Figure 3.

Setup phase.

Registration

In this phase, every vehicle equipped with the OBU device needs to register itself to the TRA. So, in the case of dispute, the TRA can track the vehicle’s pseudo-identity and determine which vehicle owns that pseudo-identity. First, TRA chooses a hash function $H (\cdot) : {0, 1}^{*} \to G_{1}$ . When a new vehicle needs to register, the driver must personally go to the TRA in his or her area to provide personal identity information (offline mode). Then the TRA picks the vehicle’s identity $I D_{i}$ and a random number $r_{i} \in Z_{q}^{*}$ to relate it with their new actual identity $Q_{I D_{i}} = H (I D_{i}, r_{i})$ that will be used in all further communications. The TRA sends ${Q_{I D_{i}}, r_{i}}$ to the vehicle under a secure communication channel. After the vehicle receives this information, it selects a random value $nonce$ and calculates the password $pas s_{I D_{i}} = h_{1} (r_{i}, nonce)$ . Finally, $pas s_{I D_{i}}$ is transmitted to the TRA under the secure communication channel. The TRA stores $pas s_{I D_{i}}$ to complete the registration of the vehicle. The process of this phase is shown in Figure 4.

Figure 4.

Registration—Partial-Private-Key-Gen phases.

Partial-Private-Key-Gen

The KGC performs this phase to generate a partial private key $ps k_{I D_{i}} = α Q_{I D_{i}}$ of the vehicle according to the vehicle’s identity $Q_{I D_{i}}$ and KGC’s secret parameters $α$ . When a vehicle needs to send messages or requests in the future, it can use $ps k_{I D_{i}}$ to calculate a legal signature. KGC transmits $ps k_{I D_{i}}$ to the vehicle via a secure communication channel. The vehicle can verify whether $Q_{I D_{i}}$ and $ps k_{I D_{i}}$ are generated by legitimate TRA and KGC through $\hat{e} (ps k_{I D_{i}}, P) = \hat{e} (Q_{I D_{i}}, P_{pub})$ . The process of this phase is shown in Figure 4.

Vehicle-Key-Gen

When the vehicle needs to apply for a pseudo-identity to the TRA, first, it has to generate a private and public keys on its own. The vehicle selects a random number $x_{i} \in Z_{q}^{*}$ as its private key $vs k_{I D_{i}}$ , therefore, $vs k_{I D_{i}} = x_{i}$ . Then it uses the public parameter $P$ to calculate the public key $vp k_{I D_{i}} = x_{i} P$ . Subsequently, vehicle needs to generate a one-time password $(OTP)$ ⁴³ for a mutual authentication with TRA. The vehicle first joins the current timestamp $T_{i}$ with $pas s_{I D_{i}}$ and $Q_{I D_{i}}$ to calculate the one time password $OTP = h_{2} (pas s_{I D_{i}} \oplus Q_{I D_{i}} \oplus T_{i})$ . This $OTP$ can only be used once, and it must be regenerated every time when applying for pseudo-identities later. Afterward, vehicle sends $(m, OTP, I D_{i}, T_{i}, vp k_{I D_{i}})$ to the TRA by encrypting it with TRA’s public key $T_{pub}$ , with $m$ refers to the number of pseudo-identities stored in the vehicle’s OBU device. The operation is expressed in equation (1)

\begin{matrix} 〈 E_{T_{pub}} (m, OTP, I D_{i}, T_{i}, vp k_{I D_{i}}) 〉 \end{matrix}

(1)

After receiving (1), TRA then decrypts the message with its private key $β$ and verifies whether $T_{i}$ is within a reasonable time interval or not. If yes, TRA computes $Q_{I D_{i}} ° = H (I D_{i}, r_{i})$ and $OT P ° = h_{2} (pas s_{I D_{i}} \oplus Q_{I D_{i}} ° \oplus T_{i})$ . If $OT P ° = OTP$ , then TRA can authenticates the vehicle. The whole process is shown in Figure 5.

Figure 5.

Vehicle-Key-Gen—Pseudonym-Gen phases.

Pseudonym-Gen

After the mutual authentication process between TRA and vehicle is successful, the TRA will generate a pseudo-identity $PI D_{i}$ for the vehicle. First, the TRA calculates $C_{i} = h_{3} (β, I D_{i}, T_{i} °)$ to creates pseudo-identity $PI D_{i} = Q_{I D_{i}} C_{i}$ . Next, TRA calculates $D_{i} = h_{4} (PI D_{i})$ and $K_{i} = C_{i} D_{i}$ . Vehicles need to preload with multiple pseudo-identities, and a single of them cannot be reused. Each time a message sends to another vehicle, different pseudo-identities are used. When the vehicles are at intersections or parking lots where many vehicles are gathered, this method will make a legitimate vehicle difficult to track by malicious attackers. The TRA will measure how many pseudo-identities to generate based on the number of current pseudo-identities stored in the OBU device. Each application will generate multiple pseudo-identities $(PI D_{i, 1}, PI D_{i, 2}, \dots, PI D_{i, n})$ . Then, TRA calculates $j = h_{5} (Q_{I D_{i}}, T_{i} °)$ , and with vehicle’s public key $vp k_{I D_{i}}$ to encrypt the message

\begin{matrix} 〈 E_{vp k_{I D_{i}}} ((PI D_{i, 1}, K_{i, 1}), (PI D_{i, 2}, K_{i, 2}), \dots, \\ (PI D_{i, n}, K_{i, n}), j, T_{i} °) 〉 \end{matrix}

(2)

Message (2) is transmitted to the vehicle via RSU. After vehicle receives the message, it decrypts the message using its private key $vs k_{I D_{i}}$

\begin{matrix} 〈 D_{vs k_{I D_{i}}} (E_{vp k_{I D_{i}}} ((PI D_{i, 1}, K_{i, 1}), (PI D_{i, 2}, K_{i, 2}), \\ \dots, (PI D_{i, n}, K_{i, n}), j, T_{i} °)) 〉 \end{matrix}

(3)

and verifies whether $T_{i} °$ is in reasonable time interval. If yes, vehicle calculates $j ° = h_{5} (Q_{I D_{i}}, T_{i} °)$ and verifies whether $j ° = j$ . If the verification is successful, both vehicle and TRA are mutually authenticated, and the vehicle stores the pseudo-identities and $K$ . Because the OBU device must store a sufficient number of pseudo-identities, the vehicle needs to re-apply to the TRA at an appropriate time to avoid having no pseudo-identities. The whole process of this phase is shown in Figure 5.

Sign

At this phase, when a vehicle wants to send a message or request, it needs to produce a valid certificateless signature. The receiver can verify the signature to determine whether to receive the message or not. The vehicle selects a random number $u_{i} \in Z_{q}^{*}$ and calculates $U_{i} = u_{i} P \in G_{1}$ . Then OBU computes

h_{i} = h_{6} (M_{i}, PI D_{i}, vp k_{I D_{i}}, U_{i}, t_{i})

(4)

S_{i} = ps k_{I D_{i}} K + vs k_{I D_{i}} P_{pub} + h_{i} u_{i} P_{rs u_{i}}

(5)

to generate a certificateless signature $σ_{i} = (U_{i}, S_{i})$ on message $M_{i}$ . Finally, vehicle broadcasts final message $(M_{i}, PI D_{i}, vp k_{I D_{i}}, σ_{i}, t_{i})$ , with $t_{i}$ is the timestamp. The process of this phase is shown in Figure 6.

Figure 6.

Sign—Verify phase.

Verify

At this phase, RSU acts as the verifier. It verifies whether a legitimate vehicle generated the signature and whether it has been tampered with during the transmission or not. When it senses the message transmitted by vehicles, the $t_{i}$ is first verified to check whether the message is signed within a reasonable time interval. If it is not, it will not be accepted, and the message will be discarded. If yes, then computes $h_{i} = h_{6} (M_{i}, PI D_{i}, vp k_{I D_{i}}, U_{i}, t_{i})$ and $D_{i} = h_{4} (PI D_{i})$ . Finally, RSU verifies whether equation (6) holds or not

\hat{e} (S, P) = \hat{e} (PI D_{i} D_{i} + vp k_{I D_{i}}, P_{pub}) \cdot \hat{e} (h_{i} U_{i}, P_{rs u_{i}})

(6)

If equation (6) holds, the certificateless signature is received. If the check fails, the message may have been tampered with and not accepted. The process of this phase is shown in Figure 6. To speed up the verification of frequently visited RSU, the proposed scheme pre-stores the parameter $P_{rs u_{i}}$ in OBU. However, if the memory of OBU is limited, some parameters of visiting RSU that are not frequently visited are not stored. In this case, if vehicles visit this RSU, the vehicles can send a request to KGC to obtain the parameters of this RSU.

Aggregate

RSU acts as an aggregator. On receiving $n$ message-signature pairs $(M_{1} ~ M_{n}, σ = (U_{1} ~ U_{n}, S_{1} ~ S_{n}), t_{1} ~ t_{n})$ from several vehicles with pseudo-identities $(PI D_{1} ~ PI D_{n})$ and corresponding public keys $(vp k_{I D_{1}} ~ vp k_{I D_{n}})$ , RSU computes (7) and returns $σ = (U_{1} ~ U_{n}, S)$ as an aggregate signature. Finally, RSU sends $(M_{1} ~ M_{n}, PI D_{1} ~ PI D_{n}, vp k_{I D_{1}} ~ vp k_{I D_{n}}, σ, t_{1} ~ t_{n})$ to AS. This process is shown in Figure 7

S = \sum_{i = 1}^{n} S_{i}

(7)

Figure 7.

Aggregate—Aggregate-Verify phases.

Aggregate-verify

This phase is used to verify the legality of the aggregated signature by checking whether the legal device generates the signature and has not been tampered with during transmission. On receiving $σ = (U_{1} ~ U_{n}, S)$ from RSU, as the aggregate verifier, AS computes $h_{i}$ in equation (4) and $D_{i}$ for $i = 1, 2, \dots, n$ . Finally, AS verifies whether

\begin{matrix} \hat{e} (S, P) = \hat{e} (\sum_{i = 1}^{n} PI D_{i} D_{i} + vp k_{I D_{i}}, P_{pub}) \\ \cdot \hat{e} (\sum_{i = 1}^{n} h_{i} U_{i}, P_{rs u_{i}}) \end{matrix}

(8)

If the verification fails, the message may have been tampered with and not accepted. If the verification hold, the CLAS is accepted. The process of this phase is shown in Figure 7.

When a vehicle’s density is high, such as at the intersection, the CLAS scheme enables many vehicle broadcast messages to verify and receive after aggregated. Thus, compared to verifying the signatures one by one, CLAS will increase verification efficiency.

Correctness

Our proposed CLAS scheme is correct if and only if the Verify and Aggregate-Verify phases can satisfy equations (6) and (8), respectively. The correctness of both phases is elaborated as follows:

Verify

\begin{matrix} \hat{e} (S, P) = \\ = \hat{e} (ps k_{I D_{i}} K + vs k_{I D_{i}} P_{pub} + h_{i} u_{i} P_{rs u_{i}}, P) \\ = \hat{e} (ps k_{I D_{i}} K, P) \cdot \hat{e} (vs k_{I D_{i}} P_{pub}, P) \cdot \hat{e} (h_{i} u_{i} P_{rs u_{i}}, P) \\ = \hat{e} (α Q_{I D_{i}} C_{i} D_{i}, P) \cdot \hat{e} (x_{i} α P, P) \cdot \hat{e} (h_{i} u_{i} P_{rs u_{i}}, P) \\ = \hat{e} (PI D_{i} D_{i}, P_{pub}) \cdot \hat{e} (vp k_{I D_{i}}, P_{pub}) \cdot \hat{e} (h_{i} U_{i}, P_{rs u_{i}}) \\ = \hat{e} (PI D_{i} D_{i} + vp k_{I D_{i}}, P_{pub}) \cdot \hat{e} (h_{i} U_{i}, P_{rs u_{i}}) \end{matrix}

Aggregate-Verify

\begin{matrix} \hat{e} (S, P) = \\ = \hat{e} (\sum_{i = 1}^{n} ps k_{I D_{i}} K + vs k_{I D_{i}} P_{pub} + h_{i} u_{i} P_{rs u_{i}}, P) \\ = \hat{e} (\sum_{i = 1}^{n} ps k_{I D_{i}} K, P) \cdot \hat{e} (\sum_{i = 1}^{n} vs k_{I D_{i}} P_{pub}, P) \\ \cdot \hat{e} (\sum_{i = 1} h_{i} u_{i} P_{rs u_{i}}, P) \\ = \hat{e} (\sum_{i = 1}^{n} α Q_{I D_{i}} C_{i} D_{i}, P) \cdot \hat{e} (\sum_{i = 1}^{n} x_{i} α P, P) \\ \cdot \hat{e} (\sum_{i = 1}^{n} h_{i} u_{i} y_{i} P, P) \\ = \hat{e} (\sum_{i = 1}^{n} PI D_{i} D_{i}, P_{pub}) \cdot \hat{e} (\sum_{i = 1}^{n} vp k_{I D_{i}}, P_{pub}) \\ \cdot \hat{e} (\sum_{i = 1}^{n} h_{i} U_{i}, P_{rs u_{i}}) \\ = \hat{e} (\sum_{i = 1}^{n} PI D_{i} D_{i} + vp k_{I D_{i}}, P_{pub}) \\ \cdot \hat{e} (\sum_{i = 1}^{n} h_{i} U_{i}, P_{rs u_{i}}) \end{matrix}

Security proof and analysis

In this section, we give the security proof of the proposed scheme against two types of adversaries $A_{1}$ and $A_{2}$ , as well as a challenger $C$ . First, the security models of CLAS are defined by simulating the behavior of potential $A_{1}$ and $A_{2}$ . Then, we analyze the other basic security and privacy requirements described in section “Preliminaries.” Finally, we give a security and privacy comparison between our proposed scheme and the others in Table 3.

Table 3.

Comparison of the security and privacy.

Scheme	$A_{1}$	$A_{2}$	M. auth.	Ano.	Unlink.	Trace.	RAR	IAR
Malhi and Batra¹⁸	V	X	X	X	X	V	X	X
Horng et al.¹⁹	X	X	X	V	V	V	X	X
Kumar and Sharma²³	V	X	V	V	V	V	V	V
Kamil and Ogundoyin²⁶	X	X	V	V	V	V	V	V
Zhong et al.²⁵	V	X	V	V	V	V	V	V
Kumar et al.²⁷	X	X	V	V	X	V	X	V
Ours	V	V	V	V	V	V	V	V

V: The scheme is secure or supports feature; X: The scheme is insecure or does not support feature; M. Auth: Message authentication; Ano: Anonymity; Unlink: Unlinkability; Trace: Traceability; RAR: Resistance to replaying attack; IAR: Impersonation attack resistance.

Security proof

As mentioned in Definition 1 and Definition 2, the CLAS scheme is secure against $A_{1}$ and $A_{2}$ if it cannot win Game-1 and Game-2 with non-negligible advantage in polynomial time, respectively.

Theorem 1

Our proposed CLAS scheme is existentially unforgeable against $A_{1}$ in the ROM under the intractability of the CDH problem. If $A_{1}$ can forge a valid CLS during time $t$ with a non-negligible probability $ϵ$ after making $q_{H}$ and $q_{h_{i}}$ queries, with $i = 1, 2, \dots, 6$ , CreateUser queries $q_{c}$ , RevealPartiaPrivatelKey queries $q_{ps k_{I D_{i}}}$ , RevealPrivateKey queries $q_{vs k_{I D_{i}}}$ , Sign queries $q_{s}$ , then there is exists $C$ who can solve CDH problem $abcP \in G_{1}$ with probability $\frac{ϵ}{q_{ps k_{I D_{i}}} e}$ within a time $t^{'} = t + (q_{c} + q_{H} + q_{h_{i}} + q_{ps k_{I D_{i}}} + q_{vs k_{I D_{i}}} + q_{s}) t_{m}$ , with $e$ is the base of the natural logarithm, and $t_{m}$ is the time for scalar multiplication.²⁹

Proof

We can prove the unforgeability of our CLAS scheme against $A_{1}$ in Game-1 that also involves $C$ . Let $X = aP$ , $Y = bP$ , and $P_{rs u_{i}} = cP$ where $P$ is the generator of $G_{1}$ with prime order $q$ and $a, b, c \in Z_{q}^{*}$ are unknown to $A_{1}$ .

Setup: $C$ randomly selects ${PID}_{i}^{'}$ as the challenged identity and submits public parameters $params = {q, G_{1}, G_{2}, P, \hat{e}, P_{pub}, h (\cdot), P_{rs u_{i}}}$ to $A_{1}$ . Following by sets $P_{pub} = X = aP$ . The hash functions $H (\cdot)$ and $h_{i} (\cdot)$ , with $i = 1, 2, \dots, 6$ , are considered random oracles. $C$ also manages eight lists $L_{H}$ , $L_{h_{1}}$ , $L_{h_{2}}$ , $L_{h_{3}}$ , $L_{h_{4}}$ , $L_{h_{5}}$ , $L_{h_{6}}$ , and $L_{K}$ , as follows.

$L_{H}$ contains the tuple $(I D_{i}, r_{i}, Q_{I D_{i}})$ .

$L_{h_{1}}$ contains the tuple $(r_{i}, nonce, pas s_{I D_{i}})$ .

$L_{h_{2}}$ contains the tuple $(pas s_{I D_{i}}, Q_{I D_{i}}, T_{i}, OTP)$ .

$L_{h_{3}}$ contains the tuple $(β, I D_{i}, T_{i} °, C_{i})$ .

$L_{h_{4}}$ contains the tuple $(PI D_{i}, D_{i}, μ_{i})$ .

$L_{h_{5}}$ contains the tuple $(Q_{I D_{i}}, T_{i} °, j)$ .

$L_{h_{6}}$ contains the tuple $(M_{i}, PI D_{i}, vp k_{I D_{i}}, U_{i}, t_{i}, h_{i})$ .

$L_{K}$ contains the tuple $(PI D_{i}, ps k_{I D_{i}}, vs k_{I D_{i}}, vp k_{I D_{i}})$ .

CreateUser queries: Suppose $A_{1}$ makes a query on $PI D_{i}$ , with $i \in [1, q_{c}]$ . If list $L_{K}$ includes $(PI D_{i}, ps k_{I D_{i}}, vs k_{I D_{i}}, vp k_{I D_{i}})$ , $C$ will check whether $vp k_{I D_{i}} = ⊥$ . If true, $C$ picks a random value $v_{i} \in Z_{q}^{*}$ as $vs k_{I D_{i}}$ and computes $vp k_{I D_{i}} = v_{i} P$ . Then, $C$ sends $vp k_{I D_{i}}$ to $A_{1}$ , and updates $(vp k_{I D_{i}}, vs k_{I D_{i}})$ into $L_{K}$ . Otherwise, if $vp k_{I D_{i}} \neq ⊥$ , $C$ directly sends $vp k_{I D_{i}}$ to $A_{1}$ . In another case, if $L_{K}$ does not include $(PI D_{i}, ps k_{I D_{i}}, vs k_{I D_{i}}, vp k_{I D_{i}})$ , $C$ sets $vp k_{I D_{i}} = ⊥$ , picks $v_{i} \in Z_{q}^{*}$ as $vs k_{I D_{i}}$ , and computes $vp k_{I D_{i}} = v_{i} P$ . Then, $C$ sends $vp k_{I D_{i}}$ to $A_{1}$ , and includes $(PI D_{i}, ps k_{I D_{i}}, vs k_{I D_{i}}, vp k_{I D_{i}})$ into $L_{K}$ .

RevealPartialPrivateKey queries: When $A_{1}$ makes a RevealPartialPrivateKey query on $PI D_{i}$ , with $i \in [1, q_{psk}]$ , $C$ computes $Q_{I D_{i}} = H (I D_{i}, r_{i})$ and examines whether the tuple $(I D_{i}, r_{i}, Q_{I D_{i}})$ is already in the list $L_{H}$ or not. If yes, $C$ computes $ps k_{I D_{i}} = α Q_{I D_{i}}$ , then output the value to $A_{1}$ . Otherwise, $C$ outputs failure and halts because it is unable to coherently answer the query.

RevealPseudonym queries: The corresponding tuple $(PI D_{i}, ps k_{I D_{i}}, vs k_{I D_{i}}, vp k_{I D_{i}})$ is recovered from $L_{K}$ . If $L_{K}$ contains $(PI D_{i}, ps k_{I D_{i}}, vs k_{I D_{i}}, vp k_{I D_{i}})$ , $C$ checks if $PI D_{i} = ⊥$ or not. If $PI D_{i} \neq ⊥$ , $C$ returns $PI D_{i}$ to $A_{1}$ . Otherwise, $C$ randomly chooses $k_{i} \in Z_{q}^{*}$ and computes $PI D_{i} = k_{i} c_{i}$ , where $c_{i}$ corresponds to $L_{h_{3}} = (β, I D_{i}, T_{i} °, C_{i})$ . $C$ returns $PI D_{i}$ to $A_{1}$ and adds $(PI D_{i}, ps k_{I D_{i}}, vs k_{I D_{i}}, vp k_{I D_{i}})$ to $L_{K}$ . If $L_{K}$ does not contains $(PI D_{i}, ps k_{I D_{i}}, vs k_{I D_{i}}, vp k_{I D_{i}})$ , then $C$ sets $PI D_{i} = ⊥$ , picks $k_{i} \in Z_{q}^{*}$ , and computes $PI D_{i} = k_{i} c_{i}$ from corresponding $L_{h_{3}} = (β, I D_{i}, T_{i} °, C_{i})$ . $C$ answers $PI D_{i}$ to $A_{1}$ and adds to $L_{K}$ . $(PI D_{i}, ps k_{I D_{i}}, vs k_{I D_{i}}, vp k_{I D_{i}})$ .

RevealPrivateKey queries: When $A_{1}$ makes a RevealPrivateKey query on $PI D_{i}$ , with $i \in [1, q_{vsk}]$ , $C$ checks whether the tuple $(PI D_{i}, ps k_{I D_{i}}, vs k_{I D_{i}}, vp k_{I D_{i}})$ is included in list $L_{K}$ or not. If yes, then $C$ checks whether $vp k_{I D_{i}} = ⊥$ . If true, $C$ makes a CreateUser query, picks a random value $v_{i} \in Z_{q}^{*}$ as $vs k_{I D_{i}}$ , and computes $vp k_{I D_{i}} = v_{i} P$ . Then, $C$ sends $vp k_{I D_{i}}$ to $A_{1}$ , and updates $(vp k_{I D_{i}}, vs k_{I D_{i}})$ into $L_{K}$ . Otherwise, if $vp k_{I D_{i}} \neq ⊥$ , $C$ directly sends $vp k_{I D_{i}}$ to $A_{1}$ . In another case, if $L_{K}$ does not include $(PI D_{i}, ps k_{I D_{i}}, vs k_{I D_{i}}, vp k_{I D_{i}})$ , $C$ makes a CreateUser query, sends $vs k_{I D_{i}}$ to $A_{1}$ , and includes $(PI D_{i}, ps k_{I D_{i}}, vs k_{I D_{i}}, vp k_{I D_{i}})$ into $L_{K}$ .

ReplaceKey queries: When $A_{1}$ submits query on $PI D_{i}$ , $C$ checks if list $L_{K}$ includes $(PI D_{i}, ps k_{I D_{i}}, vs k_{I D_{i}}, vp k_{I D_{i}})$ , sets $vs k_{I D_{i}} = ⊥$ , and replaces $vp k_{I D_{i}}$ to ${vpk}_{I D_{i}}^{'}$ .

$H$ query: When $A_{1}$ queries the oracle of $H$ , $C$ searches $L_{H}$ for the tuple $(I D_{i}, r_{i}, Q_{I D_{i}})$ . If it can be found, $C$ submits $Q_{I D_{i}}$ to $A_{1}$ ; otherwise, it randomly picks $Q_{I D_{i}} \in Z_{q}^{*}$ , adds $(I D_{i}, r_{i}, Q_{I D_{i}})$ to $L_{H}$ , and eventually, submits $Q_{I D_{i}}$ to $A_{1}$ .

$h_{1}$ query: When $A_{1}$ queries the oracle of $h_{1}$ , $C$ searches $L_{h_{1}}$ for the tuple $(r_{i}, nonce, pas s_{I D_{i}})$ . If it can be found, $C$ submits $pas s_{I D_{i}}$ to $A_{1}$ ; otherwise, it randomly picks $pas s_{I D_{i}} \in Z_{q}^{*}$ , adds $(r_{i}, nonce, pas s_{I D_{i}})$ to $L_{h_{1}}$ , and eventually, submits $pas s_{I D_{i}}$ to $A_{1}$ .

$h_{2}$ query: When $A_{1}$ queries the oracle of $h_{2}$ , $C$ searches $L_{h_{2}}$ for the tuple $(pas s_{I D_{i}}, Q_{I D_{i}}, T_{i}, OTP)$ . If it can be found, $C$ submits $OTP$ to $A_{1}$ ; otherwise, it randomly picks $OTP \in Z_{q}^{*}$ , adds $(pas s_{I D_{i}}, Q_{I D_{i}}, T_{i}, OTP)$ to $L_{h_{2}}$ , and eventually, submits $OTP$ to $A_{1}$ .

$h_{3}$ query: When $A_{1}$ queries the oracle of $h_{3}$ , $C$ searches $L_{h_{3}}$ for the tuple $(β, I D_{i}, T_{i} °, C_{i})$ . If it can be found, $C$ submits $C_{i}$ to $A_{1}$ ; otherwise, it randomly picks $C_{i} \in Z_{q}^{*}$ , adds $(β, I D_{i}, T_{i} °, C_{i})$ to $L_{h_{3}}$ , and eventually, submits $C_{i}$ to $A_{1}$ .

$h_{4}$ query: When $A_{1}$ queries the oracle of $h_{4}$ , $C$ searches $L_{h_{4}}$ for the tuple $(PI D_{i}, D_{i}, μ_{i})$ . If it can be found, $C$ submits $D_{i}$ to $A_{1}$ ; otherwise, if $PI D_{i} = {PID}_{i}^{'}$ , $C$ picks a random $μ_{i} \in Z_{q}^{*}$ , calculates $D_{i} = μ_{i} Y \in G_{1}$ , inserts it in $L_{h_{4}}$ , and returns in to $A_{1}$ . If $PI D_{i} \neq {PID}_{i}^{'}$ , $C$ picks a random $μ_{i} \in Z_{q}^{*}$ , calculates $D_{i} = μ_{i} P \in G_{1}$ , inserts it in $L_{h_{4}}$ , and returns in to $A_{1}$ .

$h_{5}$ query: When $A_{1}$ queries the oracle of $h_{5}$ , $C$ searches $L_{h_{5}}$ for the tuple $(Q_{I D_{i}}, T_{i} °, j)$ . If it can be found, $C$ submits $j$ to $A_{1}$ ; otherwise, it randomly picks $j \in Z_{q}^{*}$ , adds $(Q_{I D_{i}}, T_{i} °, j)$ to $L_{h_{5}}$ , and eventually, submits $j$ to $A_{1}$ .

$h_{6}$ query: When $A_{1}$ queries the oracle of $h_{6}$ , $C$ searches $L_{h_{6}}$ for the tuple $(M_{i}, PI D_{i}, vp k_{I D_{i}}, U_{i}, t_{i}, h_{i})$ . If it can be found, $C$ submits $h_{i}$ to $A_{1}$ ; otherwise, it randomly picks $h_{i} \in Z_{q}^{*}$ , adds $(M_{i}, PI D_{i}, vp k_{I D_{i}}, U_{i}, t_{i}, h_{i})$ to $L_{h_{6}}$ , and eventually, submits $h_{i}$ to $A_{1}$ .

Sign: When $A_{1}$ makes a Sign query on $(PI D_{i}, M_{i})$ , $C$ examines all eight lists $L_{H}$ , $L_{h_{1}}$ , $L_{h_{2}}$ , $L_{h_{3}}$ , $L_{h_{4}}$ , $L_{h_{5}}$ , $L_{h_{6}}$ , $L_{K}$ . If the tuple $(PI D_{i}, ps k_{I D_{i}}, vs k_{I D_{i}}, vp k_{I D_{i}})$ is not present in $L_{K}$ , then $C$ sets $vp k_{I D_{i}} = ⊥$ , picks $v_{i} \in Z_{q}^{*}$ as $vs k_{I D_{i}}$ , and computes $vp k_{I D_{i}} = v_{i} P$ , so $C$ generates $(vs k_{I D_{i}}, vp k_{I D_{i}})$ pair. Then, $C$ inserts tuple $(PI D_{i}, ps k_{I D_{i}}, vs k_{I D_{i}}, vp k_{I D_{i}})$ in $L_{K}$ . Otherwise, if the tuple $(PI D_{i}, ps k_{I D_{i}}, vs k_{I D_{i}}, vp k_{I D_{i}})$ is present in $L_{K}$ , then $C$ checks whether $vs k_{i} = ⊥$ . If true, $C$ executes ReplaceKey query to obtain $vp k_{I D_{i}} = v_{i} P$ , where $v_{i} \in Z_{q}^{*}$ . Otherwise, $C$ returns $vp k_{I D_{i}}$ to $A_{1}$ .

Forgery: To generate $σ_{i} = (U_{i}, S_{i})$ , $C$ executes the following:

If $PI D_{i} = {PID}_{i}^{'}$ , $C$ picks $v_{i} \in Z_{q}^{*}$ , sets $U_{i} = h_{i} Y$ , $S_{i} = k_{i} c_{i} μ_{i} X + v_{i} X + h_{i} h_{i} cY$ , and returns $σ_{i} = (U_{i}, S_{i})$ to $A_{1}$ . Finally, $σ_{i} = (U_{i}, S_{i})$ can be verified as follows

\begin{matrix} \hat{e} (S, P) = \\ = \hat{e} (k_{i} c_{i} μ_{i} X + v_{i} X + h_{i} h_{i} cY, P) \\ = \hat{e} (k_{i} c_{i} μ_{i} X, P) \cdot \hat{e} (v_{i} X, P) \cdot \hat{e} (h_{i} h_{i} cY, P) \\ = \hat{e} (PI D_{i} μ_{i} P, X) \cdot \hat{e} (v_{i} P, X) \cdot \hat{e} (h_{i} h_{i} Y, cP) \\ = \hat{e} (PI D_{i} D_{i}, P_{pub}) \cdot \hat{e} (vp k_{I D_{i}}, P_{pub}) \cdot \\ \hat{e} (h_{i} U_{i}, P_{rs u_{i}}) \\ = \hat{e} (PI D_{i} D_{i} + vp k_{I D_{i}}, P_{pub}) \cdot \hat{e} (h_{i} U_{i}, P_{rs u_{i}}) \end{matrix}

If $PI D_{i} \neq {PID}_{i}^{'}$ , $C$ picks $u_{i}, v_{i} \in Z_{q}^{*}$ , sets $U_{i} = u_{i} P$ , $S_{i} = k_{i} c_{i} μ_{i} X + v_{i} X + h_{i} c U_{i}$ , and returns $σ_{i} = (U_{i}, S_{i})$ to $A_{1}$ .

By using Forking lemma,¹⁰ after replaying $A_{1}$ with the same random string but different choice of $h_{6}$ -oracle, $C$ can gain two valid signatures $σ_{i}^{'} = (U_{i}^{'}, S_{i}^{'})$ and $σ_{i}^{' *} = (U_{i}^{' *}, S_{i}^{' *})$ within a polynomial time, where $S_{i}^{'} = {psk}_{I D_{i}}^{'} K^{'} + {vsk}_{I D_{i}}^{'} P_{pub}^{'} + h_{i}^{'} u_{i}^{'} P_{rs u_{i}}^{'}$ and $S_{i}^{' *} = {psk}_{I D_{i}}^{'} K^{'} + {vsk}_{I D_{i}}^{'} P_{pub}^{'} + h_{i}^{' *} u_{i}^{'} P_{rs u_{i}}^{'}$ . We set ${psk}_{I D_{i}}^{'} = C_{i}^{'} D_{i}^{'}$ , where $D_{i}^{'} = μ_{i}^{'} Y^{'}$ , and $Y^{'} = b P^{'}$ . Then, ${vsk}_{I D_{i}}^{'} = v_{i}^{'} a P^{'}$ . From $S_{i}^{'}$ and $S_{i}^{' *}$ , we have

\begin{matrix} S_{i}^{'} - S_{i}^{' *} = {psk}_{I D_{i}}^{'} K^{'} + {vsk}_{I D_{i}}^{'} P_{pub}^{'} + h_{i}^{'} u_{i}^{'} P_{rs u_{i}}^{'} - \\ {psk}_{I D_{i}}^{'} K^{'} + {vsk}_{I D_{i}}^{'} P_{pub}^{'} + h_{i}^{' *} u_{i}^{'} P_{rs u_{i}}^{'} \\ = (C_{i}^{'} D_{i}^{'} + {vsk}_{I D_{i}}^{'} P_{pub}^{'} + h_{i}^{'} u_{i}^{'} P_{rs u_{i}}^{'}) - \\ (C_{i}^{'} D_{i}^{'} + {vsk}_{I D_{i}}^{'} P_{pub}^{'} + h_{i}^{' *} u_{i}^{'} P_{rs u_{i}}^{'}) \\ = (μ_{i}^{'} Y^{'} + v_{i}^{'} aP' + h_{i}^{'} c P^{'}) - \\ (μ_{i}^{'} Y^{'} + v_{i}^{'} a P^{'} + h_{i}^{' *} c P^{'}) \\ = (μ_{i}^{'} b P^{'} + v_{i}^{'} aP' + h_{i}^{'} c P^{'}) - \\ (μ_{i}^{'} b P^{'} + v_{i}^{'} a P^{'} + h_{i}^{' *} c P^{'}) \\ = ((μ_{i}^{'} + v_{i}^{'} + h_{i}^{'}) - (μ_{i}^{'} + v_{i}^{'} + h_{i}^{' *})) abc P^{'} \end{matrix}

Therefore, with $abc P^{'} = abcP$ , $C$ returns $abcP = (S_{i}^{'} - S_{i}^{' *}) - ((μ_{i}^{'} + v_{i}^{'} + h_{i}^{'}) - (μ_{i}^{'} + v_{i}^{'} + h_{i}^{' *}))^{- 1}$ , as the solution to the CDHP with a probability of at least $\frac{ϵ}{q_{cu} e}$ analyzed as follows.

There are three events that required for $C$ to succeed in the game:

$E_{1}$ : $C$ does not quit during the game.

$E_{2}$ : $A_{1}$ forges a valid signature.

$E_{3}$ : $A_{1}$ produce a valid signature and $C$ not terminating the game.

When all the above events happen, the probability of $C$ winning the game is $P [E_{1} \land E_{2} \land E_{3}] = P [E_{1}] P [E_{2} | E_{1}] P [E_{3} | E_{2} \land E_{1}]$ , with $P [E_{1}] \geq {(1 - \frac{1}{(q_{ps k_{I D_{i}} + 1})})}^{q_{ps k_{I D_{i}}}}$ ; $P [E_{2} | E_{1}] = ϵ$ ; $P [E_{3} | E_{2} \land E_{1}] \geq \frac{1}{q_{ps k_{I D_{i}}} + 1}$ . Hence, we have

\begin{matrix} P [E_{1} \land E_{2} \land E_{3}] \geq \\ \geq {(1 - \frac{1}{(q_{ps k_{I D_{i}}} + 1)})}^{q_{ps k_{I D_{i}}}} (\frac{1}{(q_{ps k_{I D_{i}}} + 1)}) ϵ \\ \geq {(1 - \frac{1}{(q_{ps k_{I D_{i}}} + 1)})}^{q_{ps k_{I D_{i}}}} (\frac{1}{(q_{ps k_{I D_{i}}} + 1)}) \\ \frac{1}{q_{ps k_{I D_{i}}}} ϵ \\ \geq \frac{1}{q_{ps k_{I D_{i}}}} {(1 - \frac{1}{(q_{ps k_{I D_{i}}} + 1)})}^{q_{ps k_{I D_{i}}} + 1} ϵ \end{matrix}

For adequately large $q_{ps k_{I D_{i}}}$ , $(1 - \frac{1}{(q_{ps k_{I D_{i}}} + 1)}) \to \frac{1}{e}$ . Therefore, $C$ solves the CDHP complexity with a probability of $\frac{ϵ}{q_{c} e}$ , within a time $t^{'} = t + (q_{c} + q_{H} + q_{h_{i}} + q_{ps k_{I D_{i}}} + q_{vs k_{I D_{i}}} + q_{s}) t_{m}$ .

Theorem 2

Our proposed CLAS scheme is existentially unforgeable against $A_{2}$ in the ROM under the intractability of the CDH problem. If $A_{2}$ can forge a valid CLAS during time $t$ with a non-negligible probability $ϵ$ after making $q_{H}$ and $q_{h_{i}}$ queries, with $i = 1, 2, \dots, 6$ , RevealPartiaPrivateKey queries $q_{ps k_{I D_{i}}}$ , RevealPrivateKey queries $q_{vs k_{I D_{i}}}$ , ReplaceKey queries, Sign queries $q_{s}$ , then there is exists $C$ who can solve CDHP with probability $\frac{ϵ}{q_{ps k_{I D_{i}}} e}$ within a time $t^{'} = t + (q_{c} + q_{H} + q_{h_{i}} + q_{ps k_{I D_{i}}} + q_{vs k_{I D_{i}}} + q_{s}) t_{m}$ .²⁹

Proof

Because the Type-2 secure proof is comparable to the Type-1 secure proof, the proof process is omitted.

Analysis of security requirements

Because V2V and V2I communication is carried out under open wireless communication channels, VANET is vulnerable to various attacks. To design a secure authentication scheme, we define the security and privacy that need to be met in VANET.^3,4,12,13,43 This section analyzes whether our scheme satisfies security and privacy and then illustrates what problems we solve.

Pseudonymity

In our proposed scheme, each OBU device in a vehicle must apply multiple pseudo-identities $PI D_{i}$ to the TRA once and preload into the vehicle. TRA uses its secret value $β$ to generate unique $PI D_{i}$ for different vehicles, and only TRA can generate them. If there is a traffic or regulation violation in the future, TRA can reveal the real identity of the corresponding $PI D_{i}$ . Since pseudo-identity can protect the user’s real identity, our proposed scheme satisfies pseudonymity.

Identity privacy preservation

In our method, the final message $(M_{i}, PI D_{i}, vp k_{I D_{i}}, σ_{i}, t_{i})$ does not contains the vehicles’ real identity. So, the recipient cannot identify the owners of the pseudo-identity. When the pseudo-identity changes, the private and public keys are regenerated. It is difficult for an attacker to infer whether different messages belong to the same vehicle or not. Under the insecure communication channel, we use the public key to encrypt messages. So, only the device with the corresponding private key can decrypt it to ensure that the personal information is not leaked during the message’s transmission.

Mutual authentication

Our proposed scheme uses signature encryption and $OTP$ to perform mutual authentication between vehicle and TRA to confirm that they are the corresponding legal entities. When the vehicle wants to apply for $PI D_{i}$ , it must first generate an $OTP = h_{2} (pas s_{I D_{i}} \oplus Q_{I D_{i}} \oplus T_{i})$ . Then it uses TRA’s public key $T_{pub}$ to encrypt messages $〈 E_{T_{pub}} (m, OTP, I D_{i}, T_{i}, vp k_{I D_{i}}) 〉$ and sends it to TRA. The TRA can use the previously registered $pas s_{I D_{i}}$ of vehicle and calculates $Q_{I D_{i}}$ , then obtain $OTP$ and compare it. This process can verify the identity of the vehicle. After successful verification, TRA will generate $PI D_{i}$ for this vehicle and calculates $j = h_{5} (Q_{I D_{i}}, T_{i} °)$ . Finally, TRA encrypts the message with the vehicle’s public key $vp k_{I D_{i}}$ and transmits it back to the vehicle through the RSU. After the vehicle receives it, it decrypts the message with its private key $vs k_{I D_{i}}$ and verifies the timestamp $T_{i} °$ . Then vehicle calculates $j ° = h_{5} (Q_{I D_{i}}, T_{i} °)$ to verify TRA. Since $Q_{I D_{i}}$ is generated using vehicle’s $I D_{i}$ and the parameter $r_{i}$ is selected by TRA, so only TRA can calculate $Q_{I D_{i}}$ , and resulting $j ° = j$ . Therefore, our scheme satisfies mutual authentication.

Message authentication

Each message created by the vehicle must be signed before being delivered to the nearest RSU, so that the RSU can verify that the message has not been falsified or modified by an attacker $A$ . According to Theorem 1 , the CDHP is hard, hence no polynomial adversary can forge a valid message. As a result, the verifier can check the legitimacy and integrity of $(M_{i}, PI D_{i}, vp k_{I D_{i}}, σ_{i}, t_{i})$ , by verifying whether $\hat{e} (S, P) = \hat{e} (PI D_{i} D_{i} + vp k_{I D_{i}}, P_{pub}) \cdot \hat{e} (h_{i} U_{i}, P_{rs u_{i}})$ holds.

Non-repudiation

In our method, each vehicle must register itself to the TRA to obtain the identity $I D_{i}$ and $Q_{I D_{i}}$ . Then it uses $Q_{I D_{i}}$ to apply for partial private key $ps k_{I D_{i}} = α Q_{I D_{i}}$ to KGC. The TRA also generates the vehicle’s $PI D_{i}$ based on the vehicle’s identity $Q_{I D_{i}}$ . The $σ_{i}$ and $PI D_{i}$ generation are contained information representing the unique identity of the vehicle, such as $Q_{I D_{i}}$ and $ps k_{I D_{i}}$ . The TRA can know the true identity of the vehicle based on $PI D_{i} = Q_{I D_{i}} C_{i}$ , which makes the vehicle sending the message unable to deny that he or she did not address the message. Therefore, our proposed scheme satisfies the non-repudiation.

Untraceability

In Pseudonym-Gen phase, TRA generates $PI D_{i}$ based on the vehicle’s real identity $Q_{I D_{i}}$ when it sends a message. The TRA can trace the attacker’s real identity and whereabouts based on the malicious message’s virtual identity. Other entities who receive the messages cannot trace that vehicle based on the messages. Therefore, our scheme satisfies untraceability.

Unlinkability

In our scheme, each virtual identity can only be used once. Each time the OBU sends a message, it uses a different $PI D_{i}$ . This pseudo-identity makes it more difficult for the receiver to know the sender’s real identity and suggests it be sent by different vehicles. Therefore, our scheme satisfies the unlinkability.

Resistance to replay attack

In order to resist replay attacks, vehicles need to be verified before applying for a $PI D_{i}$ . In equation (1), the vehicle transmits $〈 E_{T_{pub}} (m, OTP, I D_{i}, T_{i}, vp k_{I D_{i}}) 〉$ to the TRA, and TRA replies with $〈 E_{vp k_{I D_{i}}} ((PI D_{i, 1}, K_{i, 1})$ , $(PI D_{i, 2}, K_{i, 2})$ ,⋯, $(PI D_{i, n}, K_{i, n}), j, T_{i} °) 〉$ , which both of the messages using a timestamp. The generation of certificateless signatures adds timestamp $t_{i}$ to calculate equations (4) and (5). Finally, signer generates $σ_{i} = (U_{i}, S_{i})$ and message include timestamp $(M_{i}, PI D_{i}, vp k_{I D_{i}}, σ_{i}, t_{i})$ . The verifier can verify whether the timestamp $t_{i}$ is within a reasonable time interval. Therefore, our proposed scheme can resist replay attack.

Resistance to MITM attack

In order to resist MITM attack, the vehicle is required to generate a legal signature $σ_{i} = (U_{i}, S_{i})$ when it wants to transmit messages $(M_{i}, PI D_{i}, vp k_{I D_{i}}, σ_{i}, t_{i})$ in V2V or V2I communications. If $A$ intercepts this message and modifies the content, the verification process will not pass because the signature $σ_{i}$ is generated by the legal vehicle’s partial private key $ps k_{I D_{i}}$ , private key $vs k_{I D_{i}}$ , $K$ , and so on. So, these messages are only known by the legal vehicle. Besides that, the $PI D_{i}$ also changes every time. When the vehicle wants to apply for $PI D_{i}$ to the TRA, it needs to perform V2I communication with the RSU, and the RSU then forwards the service request to the TRA. When the TRA returns the generated virtual identity to the vehicle, it also needs to pass through the RSU. Between the vehicle and the RSU, there is an open wireless communication channel. In our scheme, the TRA generates a unique parameter $r_{i}$ for the vehicle. The vehicle also generates a unique parameter $pas s_{I D_{i}} = h_{1} (r_{i}, nonce)$ and sends to the TRA. Only vehicle and TRA who know $r_{i}$ and $pas s_{I D_{i}}$ . Therefore, they can verify each other’s identity. Thus, our scheme can resist the MITM attack.

Resistance to masquerade attack

In our proposed CLAS scheme, each vehicle broadcasts the final message using it’s $PI D_{i}$ , and $σ_{i}$ needs to be verified. If an attacker uses other people’s $PI D_{i}$ , he or she cannot check successfully because the attacker could not know the $ps k_{I D_{i}}$ and $K_{i}$ , so he or she could not calculate the legal signature. Furthermore, our scheme uses a different $PI D_{i}$ each time when a vehicle transmits a message. Therefore, our scheme effectively resists the masquerade attack.

Resistance to impersonation attack

To be able to impersonate a valid vehicle, $A$ must be able to forge a valid message $(M_{i}, PI D_{i}, vp k_{I D_{i}}, σ_{i}, t_{i})$ , that satisfying the verification $\hat{e} (S, P) = \hat{e} (PI D_{i} D_{i} + vp k_{I D_{i}}, P_{pub}) \cdot \hat{e} (h_{i} U_{i}, P_{rs u_{i}})$ or $\hat{e} (S, P) = \hat{e} (\sum_{i = 1}^{n} PI D_{i} D_{i} + vp k_{I D_{i}}, P_{pub}) \cdot \hat{e} (\sum_{i = 1}^{n} h_{i} U_{i}, P_{rs u_{i}})$ . However, according to Theorem 1 , this is infeasible based on the hardness assumption of the CDHP. Therefore, our proposed scheme could withstand impersonation attack.

User location privacy

As mentioned in the Pseudonym-Gen phase, vehicles need to preload with multiple pseudo-identities $PI D_{i}$ , and a single of them cannot be reused. Each time a vehicle sends a message to the other vehicles, it will use a different $PI D_{i}$ . This method will make a legitimate vehicle difficult to track by $A$ , particularly in the area when the vehicle’s density is high. At this point, the TRA will measure how many $PI D_{i}$ to generate based on the number of current stored ones in the OBU device.

Security and privacy comparison

Lu et al.⁴⁴ distinguished the privacy-preserving authentication of VANET into five categories, including certificateless signature. Based on Lu et al.’s classification, we compared the security and privacy of our proposed scheme with the other existing CLAS schemes in VANET.

In Table 3, we compare the security of our proposed CLAS scheme with the other six CLAS schemes for VANET.^{18,19,23,25–27} For ease of description, let $A_{1}$ and $A_{2}$ denote if the scheme could withstand the Type-1 and the Type-2 adversaries, respectively. We can find that all of the first six schemes^{18,19,23,25–27} cannot withstand $A_{2}$ adversary, with Horng et al.’s¹⁹, Zhong et al.’s²⁵, and Kumar et al.’s²⁷ schemes also cannot withstand $A_{1}$ adversary either. In addition, for the security and privacy requirements expressed in Table 3 that comprises message authentication, anonymity, unlinkability, traceability, replaying attack resistance, and impersonation attack resistance, Horng et al.’s¹⁹ scheme also lacks mutual authentication and is vulnerable to MITM attacks. Meanwhile, Malhi and Batra’s¹⁸ scheme lacks mutual authentication and user location privacy. Both mentioned schemes are the first two CLAS mechanisms specifically designed for VANET. After comparing all of those schemes with our proposed one, it is clear that our scheme satisfies all the above security and privacy requirements.

Performance analysis

To provide a fair comparison, particularly in terms of computation and communication costs, we compare our proposed scheme with the existing CDHP-based CLAS schemes in VANET.^{18,25,27,29,32}

Computation overhead

To equally assess the performance of our proposed scheme, we take the other CDHP-based CLAS schemes in VANET,^{18,25,27,29,32} which also employ bilinear maps in their Verify and Aggregate-Verify phases as the benchmark. We adopt the experiment in previous works,^{19,25,27,45,46} which observes the processing time for the Tate pairing on a 159-bit subgroup of an MNT curve with an embeds degree 6 at an 80-bit security level and running on an Intel i7 3.07 GHz CPU. Let $PC$ denote the time of a pairing operation cost, $SC$ is the time of a scalar multiplication cost in bilinear operation $G_{1}$ , $HC$ is the time of a MapToPoint hash operation cost, and $n$ in Aggregate-Verify cost is the number of the verified messages. In CDHP, $PC$ is the most time-consuming one compared to $SC$ and $HC$ . The obtained results for $PC$ , $SC$ , and $HC$ are 3.21, 0.39, and 0.09 ms, respectively. We only consider these three operations regarding their significance.

Table 4 shows the comparison of the computation cost between our scheme and the other schemes,^{18,25,27,29,32} in terms of Sign, Verify, and Aggregate-Verify cost. Our scheme uses $3 SC$ in the Sign phase, which is relatively the same with some schemes.^18,25,27,29 We can see the $S_{i} = ps k_{I D_{i}} K_{i} + vs k_{I D_{i}} P_{pub} + h_{i} u_{i} P_{rs u_{i}}$ in certificateless signature $σ_{i} = (U_{i}, S_{i})$ . The first one is $ps k_{I D_{i}} K_{i}$ , the second is $vs k_{I D_{i}} P_{pub}$ , and the third is $h_{i} u_{i} P_{rs u_{i}}$ . In the Verify phase, we use $3 PC$ and $2 SC$ . Our scheme needs to calculate $\hat{e} (S_{i}, P) = \hat{e} (PI D_{i} D_{i} + vp k_{I D_{i}}, P_{pub}) \cdot \hat{e} (h_{i} U_{i}, P_{rs u_{i}})$ . We can divide $\hat{e} (PI D_{i} D_{i} + vp k_{I D_{i}}, P_{pub}) \cdot \hat{e} (h_{i} U_{i}, P_{rs u_{i}})$ into $\hat{e} (PI D_{i} D_{i}, P_{pub}) \cdot \hat{e} (vp k_{I D_{i}}, P_{pub}) \cdot \hat{e} (h_{i} U_{i}, P_{rs u_{i}})$ , so it is $3 PC$ . Then, the $2 SC$ are composed of $PI D_{i} D_{i}$ and $h_{i} U_{i}$ . In the Aggregate-Verify phase, we use $3 PC$ and $2 nSC$ . The pairing operation cost of Aggregate-Verify and Verify are the same. The scalar multiplication cost is based on the number of $n$ . We can see from $\hat{e} (S, P) = \hat{e} (\sum_{i = 1}^{n} P I D_{i} D_{i} + v p k_{I D_{i}}, P_{p u b}) \cdot \hat{e} (\sum_{i = 1}^{n} h_{i} U_{i}, P_{r s u_{i}})$ . Figures 8 –10 visualize the comparison of Sign, Verify, and Aggregate-Verify cost for all the schemes, respectively.

Table 4.

Comparison of the computation cost.

Scheme	Sign	Verify	Aggregate-Verify
Malhi and Batra¹⁸	$3 SC$	$3 PC + 3 SC$	$3 PC + 3 nSC$
	= 1.17 m	= 10.8 ms	= (9.63 + 1.17 $n$ ) ms
Zhong et al.²⁵	$3 SC$	$3 PC + 2 SC + HC$	$3 PC + 2 nSC + nHC$
Zhong et al.²⁵	= 1.17 ms	= 10.5 ms	= (9.63 + 0.87 $n$ ) ms
Kumar et al.²⁷	$3 SC$	$3 PC + 3 SC$	$3 PC + 3 nSC$
Kumar et al.²⁷	= 1.17 ms	= 10.8 ms	= (9.63 + 1.17 $n$ ) ms
Kamil and Ogundoyin²⁹	$3 SC$	$3 PC + 2 SC + HC$	$3 PC + 2 nSC + nHC$
Kamil and Ogundoyin²⁹	= 1.17 ms	= 10.5 ms	= (9.63 + 0.87 $n$ ) ms
Mei et al.³²	$4 SC + 2 HC$	$4 PC + 2 SC$	$4 PC + 2 nSC$
Mei et al.³²	= 1.74 ms	= 13.62 ms	= (12.84 + 0.78 $n$ ) ms
Ours	$3 SC$	$3 PC + 2 SC$	$3 PC + 2 nSC$
Ours	= 1.17 ms	= 10.41 ms	= (9.63 + 0.78 $n$ ) ms

$PC$ : Pairing operation cost (3.21 ms).

$SC$ : Scalar multiplication cost (0.39 ms).

$HC$ : MapToPoint hash function cost (0.09 ms).

Figure 8.

Sign cost.

Figure 9.

Verify cost.

Figure 10.

Aggregate-Verify cost.

From the Verify and Aggregate-Verify cost comparison in Table 4, it is apparent if our proposed scheme is more efficient than the already existing CDHP-based CLAS schemes.^{18,25,27,29,32}

Communication overhead

Meanwhile, to evaluate the communication cost of one successful information exchanged in V2I or V2V communication, we follow the general parameters mentioned in most related schemes.^26,34,47 We consider the length of a cyclic additive group $G_{1}$ and multiplicative group $G_{2}$ as 128 Bytes and 40 Bytes, respectively. Let the output length of the general one-way hash function and number in $Z_{q}^{*}$ are 20 Bytes, and the length of the timestamp is 4 Bytes. Referred to IEEE Trial-Use standard,⁴⁸ the length of the traffic-related message VANET is 67 Bytes.

In Malhi and Batra’s¹⁸ scheme, vehicle sends final message containing $PI D_{i} = (PI D_{i, 1} \in G_{1}, PI D_{i, 2} \in Z_{q}^{*}), (vp k_{I D_{i}}, ps k_{I D_{i}}, σ_{i} = (U_{i}, V_{i}) \in G_{1})$ , and $M_{i}$ . Thus, the total communication cost is 727 Bytes. In Zhong et al.’s²⁵ scheme, vehicle sends final message contains of $PI D_{i} = ((PI D_{i, 1}, PI D_{i, 2} \in G_{1}), (T_{i})),$ $(vp k_{I D_{i}},$ $σ_{i} = (U_{i}, S_{i}) \in G_{1})$ , $t_{i}$ , and $M_{i}$ to a RSU. Hence, the total communication cost is 715 Bytes. In Mei et al.’s³² scheme, vehicle sends final message contains of ${PID}_{i} = ((PI D_{i, 1}, PI D_{i, 2} \in G_{1}), (T_{i}))$ , $RS U_{I D_{i}} \in Z_{q}^{*},$ $(vp k_{I D_{i}},$ $σ_{i} = (U_{i}, S_{i}) \in G_{1}),$ $t_{i}$ and $M_{i}$ . Hence, the total communication cost is 735 Bytes. In Kamil and Ogundoyin’s²⁹ scheme, vehicle broadcasts final message that contains $PI D_{i} = ((PI D_{i, 1}, PI D_{i, 2} \in G_{1}), (T_{i})),$ $(vp k_{I D_{i}},$ $σ_{i} = (U_{i}, S_{i}) \in G_{1})$ , $t_{i}$ , and $M_{i}$ to a RSU. Hence, the total communication cost is 715 Bytes. In Kumar et al.’s²⁷ scheme, vehicle sends final message contains of $PI D_{i} = (PI D_{i, 1} \in G_{1}, PI D_{i, 2} \in Z_{q}^{*}), (vp k_{I D_{i}}, ps k_{I D_{i}}, σ_{i} = (U_{i}, S_{i}) \in G_{1})$ , and $M_{i}$ . Thus, the total communication cost is 727 Bytes. Finally, in our proposed scheme, a vehicle broadcasts final message that consists of $M_{i}, t_{i}, (PI D_{i}, vp k_{I D_{i}}, σ_{i} = (U_{i}, S_{i}) \in G_{1})$ . Therefore, the total communication cost of our scheme is the most efficient of them all, that is 583 Bytes. The comparison of communication cost of all schemes is shown in Figure 11 and Table 5.

Figure 11.

Communication cost for a single message.

Table 5.

Comparison of the communication cost.

Scheme	Single message	$n$ messages
Malhi and Batra¹⁸	727 bytes	727 $n$ bytes
Zhong et al.²⁵	715 bytes	715 $n$ bytes
Kumar et al.²⁷	727 bytes	727 $n$ bytes
Kamil and Ogundoyin²⁹	715 bytes	715 $n$ bytes
Mei et al.³²	735 bytes	735 $n$ bytes
Ours	583 bytes	583 $n$ bytes

Conclusion

In this article, we proposed a CLAS scheme to improve security and privacy in VANET, with efficiency becoming the main spotlight. Our proposed scheme could solve the mentioned issues by satisfying all security and privacy requirements such as pseudonymity, message authentication, untraceability, unlinkability, privacy preservation, and resistance to some common attacks. According to an extensive performance study, our proposed scheme is substantially more efficient in terms of computation and communication costs than the existing reputable schemes. Hence, it is more suitable for both V2V and V2I communication in VANET.

Footnotes

Handling Editor: Yanjiao Chen

Declaration of conflicting interests

The author(s) declared no potential conflicts of interest with respect to the research, authorship, and/or publication of this article.

Funding

The author(s) disclosed receipt of the following financial support for the research, authorship, and/or publication of this article: This research was partially supported by the Ministry of Science and Technology, Taiwan (ROC), under contract numbers MOST 109-2221-E-468-011-MY3 and MOST 110-2622-8-468-001-TM1.

ORCID iD

Min-Shiang Hwang

References

Faisal

Zaidi

. Timestamp based detection of sybil attack in VANET. Int J Netw Sec 2020; 22(3): 399–410.

Jiang

Delgross

. IEEE 802.11p: towards an international standard for wireless access in vehicular environments. In: VTC Spring 2008—IEEE vehicular technology conference, Singapore, 11–14 May 2008, pp.2036–2040. New York: IEEE, 2008.

Wang

Yang

. Intelligent transportation spaces: vehicles, traffic, communications, and beyond. IEEE Commun Mag 2010; 48(11): 136–142.

Vijayakumar

Azees

Kannan

, et al. Dual authentication and key management techniques for secure data transmission in vehicular ad hoc networks. IEEE T Intell Transp 2016; 17(4): 1015–1028.

Cahyadi

Hwang

M-S

. An improved efficient anonymous authentication with conditional privacy-preserving scheme for VANETs. PLoS ONE 2021; 16(9): e0257044.

Xie

Wang

Pan

, et al. Blockchain-based trust evaluation mechanism for internet of vehicles nodes. Int J Netw Sec 2021; 23(6): 1065–1073.

Xie

Wang

Yang

, et al. Location privacy protection algorithm based on PageRank and differential privacy in internet of vehicles. Int J Netw Sec 2021; 23(6): 1049–1057.

Ibrahim

Hamdy

Shaaban

. Towards an optimum authentication service allocation and availability in VANETs. Int J Netw Sec 2017; 19(6): 955–965.

Castro

Dahab

. Efficient certificateless signatures suitable for aggregation. IACR Cryptology 2007, https://eprint.iacr.org/2007/454.pdf

10.

Shamir

. Identity-based cryptosystem and signatures schemes. In: Blakley

Chaum

(eds) Advances in cryptology. CRYPTO 1984. LNCS 196. Berlin, Heidelberg: Springer, 1984, pp.47–53.

11.

Cahyadi

Hwang

M-S

. A comprehensive survey on certificateless aggregate signature in vehicular ad hoc networks. IETE Technical Review 2022. DOI: 10.1080/02564602.2021.2017800.

12.

Al-Riyami

Paterson

. Certificateless public key cryptography. In: Laih

(eds) Advances in cryptology—ASIACRYPT 2003. LNCS 2894. Berlin, Heidelberg: Springer, 2003, pp.452–473.

13.

Zhang

Qin

, et al. Efficient many-to-one authentication with certificateless aggregate signatures. Comput Netw 2010; 54(14): 2482–2491.

14.

Shim

. On the security of a certificateless aggregate signature scheme. IEEE Commun Lett 2011; 15(10): 1136–1138.

15.

Xiong

Guan

Chen

, et al. An efficient certificateless aggregate signature with constant pairing computations. Inform Sciences 2013; 219: 225–235.

16.

Tian

Chen

. Insecurity of an efficient certificateless aggregate signature with constant pairing computations. Inform Sciences 2014; 268: 458–462.

17.

Huang

. Reattack of a certificateless aggregate signature scheme with constant pairing computations. Sci World J 2014; 2014: 343715.

18.

Malhi

Batra

. An efficient certificateless aggregate signature scheme for vehicular ad hoc networks. Discrete Math Theor Comput Sci 2015; 17(1): 317–338.

19.

Horng

Tzeng

Huang

, et al. An efficient certificateless aggregate signature with conditional privacy-preserving for vehicular sensor networks. Inform Sciences 2015; 317: 48–66.

20.

Cheng

Wen

Jin

, et al. Cryptanalysis and improvement of a certificateless aggregate signature scheme. Inform Sciences 2015; 295(C): 337–346.

21.

Yuan

Zhang

. Cryptanalysis and improvement of certificateless aggregate signature with conditional privacy-preserving for vehicular sensor networks. Cryptology ePrint archive: report 2016/692, 2016, https://eprint.iacr.org/2016/692

22.

Deng

, et al. A new certificateless signature with enhanced security and aggregation version. Concurr Comp: Pract E 2016; 28(4): 1124–1133.

23.

Kumar

Sharma

. On the security of certificateless aggregate signature scheme in vehicular ad hoc networks. In: Pant

Ray

Sharma

, et al. (eds) Soft computing: theories and applications. AISC 583. Singapore: Springer, 2018, pp.715–722.

24.

Cui

Zhang

Zhong

, et al. An efficient certificateless aggregate signature without pairings for vehicular ad hoc networks. Inform Sciences 2018; 451–452: 1–15.

25.

Zhong

Han

Cui

, et al. Privacy-preserving authentication scheme with full aggregation in VANET. Inform Schemes 2019; 476: 211–221.

26.

Kamil

Ogundoyin

. An improved certificateless aggregate signature scheme without bilinear pairings for vehicular ad hoc networks. J Inform Sec Appl 2019; 44: 184–200.

27.

Kumar

Kumari

Sharma

, et al. Secure CLS and CL-AS schemes designed for VANETs. J Inform Sec Appl 2019; 75: 3076–3098.

28.

Zhao

Hou

Wang

, et al. An efficient certificateless aggregate signature scheme for the internet of vehicles. Trans Emerging Tel Tech 2019; 31: e3708.

29.

Kamil

Ogundoyin

. On the security of privacy-preserving authentication scheme with full aggregation in vehicular ad hoc network. Sec Privacy 2020; 3: e104.

30.

Kumar

, et al. Efficient certificateless aggregate signature scheme for performing secure routing in VANETs. Sec Commun Netw 2020; 2020: 5276813.

31.

Xing

, et al. An efficient certificateless aggregate signature scheme designed for VANET. CMC—Comput Mater Con 2020; 63(2): 725–742.

32.

Mei

Xiong

Chen

, et al. Efficient certificateless aggregate signature with conditional privacy preservation in IoV. IEEE Syst J 2021; 15(1): 245–256.

33.

Thumbur

Rao

Reddy

, et al. Efficient and secure certificateless aggregate signature-based authentication scheme for vehicular ad hoc networks. IEEE Internet Things 2021; 8(3): 1908–1920.

34.

Ming

Shen

. PCPA: a practical certificateless conditional privacy preserving authentication scheme for vehicular ad hoc networks. Sensors 2018; 18: 1573.

35.

Zhang

Deng

Han

, et al. Secure smart health with privacy-aware aggregate authentication and access control in internet of things. J Netw Comput Appl 2018; 123: 89–100.

36.

Bouakkaz

Semchedine

. A certificateless ring signature scheme with batch verification for applications in VANET. J Inform Sec Appl 2020; 55: 102669.

37.

Cui

Wei

Zhong

, et al. Edge computing in VANETs—an efficient and privacy-preserving cooperative downloading scheme. IEEE J Sel Area Comm 2020; 38: 1191–1204.

38.

Zhang

Cui

Zhong

, et al. PA-CRT: Chinese remainder theorem based conditional privacy-preserving authentication scheme in vehicular ad-hoc networks. IEEE T Depend Secure 2021; 18: 722–735.

39.

Boneh

Franklin

. Identity-based encryption from the Weil pairing. In: Proceedings of Crypto, 2001, LNCS 2139. Berlin, Heidelberg: Springer2001, pp.213–229.

40.

Miyaji

Nakabayashi

Takano

. New explicit conditions of elliptic curve traces for FR-reduction. IEICE T Fund 2001; E84: 1234–1243.

41.

Boneh

Lynn

Shacham

. Short signatures from the weil pairing. In: Proceedings of Asiacrypt, 2001, LNCS 2248. Berlin, Heidelberg: Springer, 2001, pp.514–532.

42.

Cahyadi

Damarjati

Hwang

M-S

. Research on identity-based batch verification schemes for security and privacy in VANETs. Journal of Electronic Science and Technology 2022; 20(3): 1–19.

43.

Freudiger

Raya

Felegyhazi

, et al. Mix-zones for location privacy in vehicular networks. In: ACM workshop on wireless networking for intelligent transportation systems (WiN-ITS), Vancouver, BC, Canada, 14 August 2007, pp.514–532, https://infoscience.epfl.ch/record/109437/?ln=en

44.

Liu

. A survey on recent advances in vehicular network security, trust, and privacy. IEEE T Intell Transp 2019; 20(2): 760–776.

45.

Shim

. CPAS: an efficient conditional privacypreserving authentication scheme for vehicular sensor networks. IEEE T Veh Technol 2013; 61(4): 1874–1883.

46.

Horng

Tzeng

Pan

, et al. b-SPECS+: batch verification for secure pseudonymous authentication in VANET. IEEE T Inf Foren Sec 2013; 8(11): 1860–1875.

47.

Ali

Gervais

Ahene

, et al. A blockchain-based certificateless public key signature scheme for vehicle-to-infrastructure communication in VANETs. J Syst Architect 2019; 99: 101636.

48.

IEEE draft trial-use standard for wireless access in vehicular environments (WAVE)—resource manager. In: IEEE Std P1609.1/D17, July 2006, pp.1–66, https://ieeexplore.ieee.org/document/406714.

A certificateless aggregate signature scheme for security and privacy protection in VANET

Abstract

Keywords

Introduction

Related work

Our contributions

Organization

Preliminaries

System model

The bilinear maps

Complexity assumption

Outline of CLAS scheme

Security model

Type-1 adversary ( A 1 )

Type-2 adversary ( A 2 )

Game-1

Definition 1

Game-2

Definition 2

Other security and privacy requirements

Pseudonimity

Identity privacy-preserving

Mutual authentication

Message authentication

Non-repudiation

Traceability

Unlinkability

Replaying attack resistance

MITM attack resistance

Masquerade attack resistance

Impersonation attack resistance

User location privacy

Our proposed CLAS scheme

Construction

Setup

Registration

Partial-Private-Key-Gen

Vehicle-Key-Gen

Pseudonym-Gen

Sign

Verify

Aggregate

Aggregate-verify

Correctness

Security proof and analysis

Security proof

Theorem 1

Proof

Theorem 2

Proof

Analysis of security requirements

Pseudonymity

Identity privacy preservation

Mutual authentication

Message authentication

Non-repudiation

Untraceability

Unlinkability

Resistance to replay attack

Resistance to MITM attack

Resistance to masquerade attack

Resistance to impersonation attack

User location privacy

Security and privacy comparison

Performance analysis

Computation overhead

Communication overhead

Conclusion

Footnotes

Declaration of conflicting interests

Funding

ORCID iD

References

Type-1 adversary $(A_{1})$

Type-2 adversary $(A_{2})$