Vehicular ad-hoc networks (VANETs) are the crucial part of intelligent transportation systems (ITS), which are brought to enhance the security, efficiency, and comfort of transportation. VANETs have aroused extensive attention in the world recently. One of the challenges in practice is real time and low delay, which strongly requires VANETs to be efficient. Existing schemes have properly solved the problem which is how to aggregate the signatures and verify the aggregated signature. However, few solutions are proposed to pinpoint all invalid signatures if existing. The algorithms that can find all invalid signatures are not efficient enough. Following consideration of the above deficiencies of existing approaches, this paper proposes a factorial bitwise divisions (FBD) algorithm and its optimized version and early-stopping factorial bitwise divisions (EFBD) algorithm. Both algorithms are parallel-friendly. Compared with the binary-based batch verification algorithm, the experimental results demonstrate that the proposed algorithms achieve better performance in both theory and practice at low invalid signatures’ rate. Especially, in the parallel condition, when the number of invalid signatures is 1, the proposed algorithms cost only one aggregation-verification delay, while the comparison is more than times.

1. Introduction

Vehicular ad-hoc networks (VANETs) were created by applying the principles of the mobile ad-hoc networks (MANETs), which is a spontaneous creation of wireless networks for data exchange in the vehicle domain. In the early 21st century, VANETs were considered direct implementation of the MANETs, and since then, because of the particularity of VANETs, they have developed into an independent field of study. By 2015, the focus was still on spontaneous networking, not to mention roadside units (RSUs) or cellular networks. The vehicle that joins the network becomes a wireless node or a wireless route. It allows vehicles spaced 100 to 300 meters from each other to form a decentralized and dynamic network automatically. When one vehicle is out of range and off the network, other vehicles can join and link to each other, creating new mobile networks [13]. Nowadays, VANETs have become an important part of the Internet of things (IoT) and they have a broad application prospect.

Although it seems that VANETs own a lot of merits, there are still many problems to overcome to achieve a wide application. One of the obstacles is that VANETs require strong timeliness. Existing single verification methods can verify a signature one by one. However, in the area of heavy traffic, there are too many vehicles to be fully verified, which may lead to potential hazards. Batch verification and aggregate verification emerged at the right moment. In the batch verification mode, signatures are aggregated simultaneously at first; then, the aggregated signatures need to be verified. Compared with the validation process, the aggregation process takes very little time that it can be ignored. In this approach, if the aggregate signature can be verified, then all individual signatures are considered legal. However, all the individual signatures will be rejected when there exists one or more illegal signature, which will cause a great waste of time and cannot take full advantage of batch verification [46].

In recent years, some researchers try to propose a few solutions to the aforementioned problem. Some just discard all signatures or verify them individually. Huang et al. [7, 8] use binary search to solve the problem. Indeed, it is easy to understand. Huang et al. [9] proposed a matrix-detection algorithm to reduce the escape probability of bad signatures, but it only applies to a batch of signatures which has less than four or odd number of bad signatures. However, the method still fails to achieve high efficiency. Ferng et al. [10] proposed a dynamic batch verification scheme. However, it cannot fully address the problem and has a relatively low efficiency. In addition, in the binary search algorithm, the number of layers is which is not parallel-friendly. Therefore, binary search cannot have a relatively good performance in practice.

To solve the problem, this paper proposes a factorial bitwise divisions’ algorithm (FBD) and an early-stopping factorial bitwise divisions’ (EFBD) algorithm. According to the index of each signature, they can be divided into a few groups; the details of the grouping strategy will be covered in Section 4. Then, each group will be verified aggregately. If the aggregate validation passes, all signatures in this group are supposed to be legitimate. Therefore, in the later aggregate verification process, we can exclude all signatures in this group. In Section 4, we show that the size of each group is half the size of the input. Thus, half of the signatures are verified at least. Eventually, we will get a set including all illegitimate signatures and good signatures. The aforementioned algorithm is recursively executed until the input and output are completely same. Later, two algorithms execute differently. FBD will reorder each group, make them as the input, and recursively execute the algorithm, whereas EFBD will singly verify all signatures in the final output set when the size of the set is less than . Our main contributions in this paper are as follows:(i)Propose FBD and EFBD algorithms which are recursive and parallel-friendly for aggregate verification in VANETs and adopt a classical bitwise method(ii)Through simulation experiments, the proposed algorithms are effective in a real application scenario

The rest of this paper is organized as follows. In Section 2, we will introduce the related work, mainly about how the binary search algorithm works in batch verification. In Section 3, we describe some related concepts in VANETs and the problem definition of our work. Then, we present our proposed algorithms in Section 4 in detail. Time complexity analysis is described in Section 5. Experiments are performed and analyzed in Section 6. Finally, we will draw a conclusion of this paper in Section 7.

In this section, we will cover several famous grouping strategies, especially the binary search algorithm.

Heidari et al. [11] propose a novel population-based, nature-inspired optimization paradigm, which is called Harris Hawks Optimizer (HHO). Yang et al. [12] propose a general-purpose population-based optimization technique called Hunger Games Search (HGS). It has a simple structure, special stability features, and very competitive performance to realize the solutions of both constrained and unconstrained problems more effectively. Li et al. [13] propose a new stochastic optimizer called slime mould algorithm (SMA) which is based on the oscillation mode of slime mould in nature.

To detect all invalid requests, Huang et al. [8] proposed a binary divisions’ detection (BDD) algorithm, which is based on the “divide-and-conquer” approach. It is shown in Algorithm 1. When BDD is applied in the signature verification process, it can easily and efficiently find all invalid signatures, and it is easy to understand. A full BDD tree is shown in Figure 1, where the dark red and dark purple grids represent the invalid signatures and the blue group of signatures indicates that all signatures in the group are valid, and the detecting branch should be terminated.

Input: Nonempty Set , start index , end index
Output: Set F
(1) function BDD ()
(2)  if Verify () then
(3)   return
(4)  end if
(5)  if then
(6)   return
(7)  end if
(10)  return
(11) end function

The algorithm is described as follows. Firstly, aggregate the input and verify the aggregated signature. If the verification passes, it reveals all are valid, and the function returns an empty set; if not, it will divide the input into two batches. Then, treat each batch as the new input of the algorithm and call the BDD recursively. Once the input contains only one signature, the algorithm should be terminated. Eventually, the algorithm will return a set which exactly includes all invalid signatures.

A randomly selected test was proposed by Guan et al. [14], the approach randomly chooses half of the signature and aggregates them into a batch. Bellare et al. [15] proposed a small exponent test, which also randomly selects 1, 2, 4, … signatures in each verification process. It improves the efficiency a little. Later, Hwang et al. [16] simplified the approach. Both are inefficient when we care about the exact invalid signatures.

3. Preliminaries

This section presents the basics related to signature verifications in VANETs. Note that this paper is based on popular and efficient schemes: certificateless signature (CLS) scheme and certificateless aggregate signature (CL-AS) scheme [4, 17]. The notations are listed in Table 1.

3.1. Elliptic Curve Cryptography

As widely used in cryptographic, elliptic curve cryptography (ECC) is an excellent algorithm which has an extremely high efficiency and a relatively excellent security [18, 19]. It can use much fewer bits, less time, and memory to encrypt messages than RSA algorithm in the field of public key cryptography. Thanks to the excellent advantages, ECC can be perfectly applied to the application scenarios of VANETs [20]. We will make the following three definitions to describe ECC.

Definition 1. (elliptic curve definition). Assume that is a finite field of the module , where is a large prime number. The elliptic curve over a finite field can be defined as , where and .

Definition 2. (addition of elliptic curves). Assume that , where is a point of the elliptic curve , and is the negative point of . Suppose , , and we can define a line passes through and and intersects the elliptic curve at a point , The symmetrical point about the x-axis with is ; then, we can define .

Definition 3. (elliptic curve discrete logarithm problem). Firstly, the discrete logarithm problem should be defined. If are known, how to get from the equation is a question. Assume that is a point on the elliptic curve on the finite field , and select a random number . Then, we can calculate . In this case, it is straightforward to calculate according to Definition 2. However, given the description of elliptic curve discrete logarithm problem (ECDLP), it is scarcely possible to get according the above equations.

3.2. System Model

In this section, we will try to describe the system model of VANETs in detail. As shown Figure 2, there are four main participants: trusted authority (TA), key generation center (KGC), roadside unit (RSU), and vehicle, which can be divided into two layers: the upper layer includes TA and KGC, both are of more powerful computation, and the lower layer consists of RSUs and vehicles. The demonstration of each participant is as follows:TA: it is a fully trusted third party that is responsible for system initialization, user registration, system parameter generation, and system security implementation. If necessary, it can track malicious behavior and catch malicious nodes. In addition, it also has enough computing power and storage capacity.KGC: it is a partially trusted party used for generating partial private key. It can help vehicle generate partial secret key which contributes to its privacy security. It also has sufficient memory, processing, and computing capabilities the same as TA.RSU: it is a smart application device installed on the roadside, which is able to transmit and submit information to TA, KGC, vehicles, or other RSUs in a secure wired connection and plays the role of an intermediary agent. Unlike TA or KGC, RSU usually has limited computing power and storage capacity.Vehicle: it is the major and basic member in VANETs, which is generally equipped with a smart device which can perform the basic functions such as transmitting the vehicle’s messages and performing a simple calculation. In addition, vehicles commonly have limited computing power and storage capacity. The most obvious feature of the vehicle is that the network connection between vehicles is always in dynamic change.

Note that TA and KGC are distinct entities in function and logical; however, the two usually are deployed on a single server in physics if the scale of VANETs is small.

3.3. Certificateless Aggregate Signature Scheme

Generally, a CLS scheme and a CL-AS scheme consist of the following seven algorithms [21, 22].Setup: the KGC and TA will execute a probabilistic algorithm, which needs a security parameter . Then, it generates an elliptic curve , the public key and , and the master secret key and , respectively. After the security parameters for ECC are generated, a number of system parameters which is used for ensuring the system in order are transmitted between each participant.ParitialPrivateKeyGeneration: in this algorithm, firstly, the vehicle transmits a tuple, which consists of a real identity and a partial pseudoidentity, to TA. Then, the TA generates a complete pseudoidentity with the tuple and sends it to the KGC for calculation. Eventually, the KGC transmits the partial private key to the vehicle in a secure channel [23].VehicleKeyGeneration: the vehicle selects a random as its secret key and calculates its public key .IndividualSign: this algorithm is used by each vehicle ; after generating a message , the vehicle tries to calculate a set of variables. Then, it sends the signature to the verifier.IndividualVerify: this algorithm is executed by the verifier such as RSU. When the inputs, including signature , pseudoidentity , and current time , are received, the verifier will check the validity of the timestamp firstly. Then, the algorithm will output true if the signature is valid or false otherwise.AggregateSign: in this algorithm, generally, the aggregate signature generator is RSU in the system. For an aggregating set of vehicles , the pseudoidentity of each vehicle is the list , the corresponding public key of , and message signature tuples of , respectively. The aggregate signature generator will generate signature ; then, it will transmit the tuple including the signature, , and timestamp list to the verifier.AggregateVerify: in general, this algorithm is executed by another RSU. It takes an aggregated set of vehicles , the pseudoidentity of each vehicle . The verifier will check the timestamp validity for each vehicle firstly. Then, it will output true if the signature is valid or false otherwise.

To demonstrate the whole communication process, Figure 3 shows the certificateless aggregate signature scheme.

As shown in Figure 3, there are two main steps for CL-AS, aggregation and verification, which cause some delays in VANETs. For convenience, the delay brought by the aggregation of signatures is defined as , while is the total time in a cryptographic operation of the verification process. Without loss of generality, in the following algorithm, the tokens, rather than the actual number, will be used in the relevant calculation because different schemes adopt different algorithms and different time costs. and of different VENETs schemes are shown in Table 2 for reference. From the table, we can conclude that is much smaller than in whichever scheme. Even in some schemes, is almost 1000 times of . Therefore, in the following sections, can be ignored and is not calculated.

3.4. Problem Definition

Batch verification is widely used in VANETs [5, 9, 26]. There are two major research aspects about the batch verification: one is about the correctness and security of the encryption algorithm and how to aggregate the signatures into one and verify the aggregated one correctly and the other is about the strategy of grouping. An appropriate strategy will benefit the aggregation and verification process with significant time savings.

This paper focuses on the latter one, the strategy of grouping, that is, how to divide all signatures into one or more batches to determine all invalid signatures as soon as possible. Here, the problem can be converted into a logical problem, given an input set whose size is . In the set, all elements are either true or false, and assume that they are distributed randomly and testing an element is true or false costs much more time than other operations, such as AND. The number of false elements is , and the number of true elements is . The problem is how can we design an algorithm to determine exactly all false elements as efficiently as possible.

In summary, the problem is as follows: given a signatures’ set which includes a certain number of valid signatures and invalid signatures, find a set only including all invalid signatures, i.e., is verified true and minimized to .

4. The Proposed Bitwise Divisions’ Algorithm

In this section, factorial bitwise divisions’ (FBD) algorithm and early-stopping factorial bitwise divisions’ (EFBD) algorithm will be fully introduced. In addition, three theorems will be proved to support FBD and EFBD.

4.1. Description of FBD

FBD is a recursive algorithm, and the maximal recursion time is . Note that the output set equals to the input set in the beginning. First of all, it will check whether all signatures are valid or not. If so, it will return the full set , which means all signatures in the input set are valid. And if the size of the set is 1, it means that the algorithm has gone into the final layer and the algorithm will return (Algorithm 2).

Input: nonempty Set
Output: set
(1) function
(2)  if then
(3)   if Verify () then
(4)    return
(5)   else
(6)    return
(7)   end if
(8)  end if
(12)  if then
(13)   return
(14)  end if
(15)  if then
(16)   return
(17)  end if
(18)  if then
(19)   choose two groups on random bit
(22)  else
(24)  end if
(25)  return
(26) end function

Figure 4 shows the FBD algorithm flow which selects a sample to demonstrate the entire process. Function DivideByBits is utilized to divide the set to groups. It is a bitwise operation. For example, a signature whose index is 12 and the binary representation is 001010. Therefore, it is expected to be divided into groups . The superscript represents that the group is divided by 0 or 1, and the subscript represents which bit is used to divide the set. All groups in are verified and the set includes all invalid groups. Then, we can filter and make it smaller. Recursive boundary is the size of is 1 or 0. If no signatures are filtered, then the algorithm randomly selects a certain bit and gets two original groups and reorders them and makes them as input to recursively call the algorithm. If some signatures are filtered, then use the output set as an input to recursively call the algorithm until the filter does not work.

A few proofs will be necessary to demonstrate to support FBD and EFBD algorithms. Theorems 1 and 2 prove the recursive boundary, and Theorem 3 proves that the result is correct. With the following four proofs, FBD and EFBD can work normally and efficiently.

Theorem 1. If the output set is an empty set, then the algorithm is supposed to be terminated.

Proof. As described in the algorithm, if the output set is an empty set, then all signatures are filtered and there exist no invalid signatures in set . Therefore, the original proposition is correct.

Theorem 2. If the output set has just one signature, then the algorithm is supposed to be terminated.

Proof. As the algorithm goes, if the output set has only one invalid signature, it means that the number of both invalid and valid groups definitely is . According to FBD, one valid group can half the size of and valid groups can cut the size of to 1. Therefore, the algorithm can return the output set and the original proposition is true.

Theorem 3. The output set consists of all invalid signatures.

Proof. Assume that the output set does not consist of all invalid signatures, which means that the algorithm has omitted certain invalid signatures. According to the algorithm, the only way to filter from the set is that the group is verified as true. However, when there exist invalid signatures in a certain group, it will definitely not pass the verification, and the whole group will not be filtered which contradicts the assumption. Therefore, the original proposition is correct.

Theorem 4. In the output set , if the number of invalid signatures is greater than that of valid signatures, then the scale of will not be reduced.

Proof. Assume that the number of input set is , the number of invalid signatures is , and the number of valid signatures is which is small than . In the grouping of certain bit , and can be seen as two boxes whose capacity is . When the number of invalid signatures is greater than the capacity of one box, the other box surely has at least one invalid signature whatever the distribution is. Since both boxes have at least one invalid signature, then they will both be verified failed. Also, the inference is true for other bits. Eventually, all groups are false and no more signatures can be removed from the output set . Therefore, the original proposition is correct.
Consider its contrapositive. In the output set , if the scale of can be reduced, then the number of valid signatures is greater than that of invalid signatures. Indeed it is true. However, it is converse. In the output set , if the number of valid signatures is greater than that of invalid signatures, then the scale of which can be reduced is obviously false. Unfortunately, it is exactly what FBD needs. It can easily find its counterexample which can be called repulsion number.
The filter will definitely be invalid and cannot filter any valid signatures. Then, the algorithm will reorder each group. The group can go back to FBD as the group recursively. Eventually, the algorithm will go to the recursive boundary which can be seemed as a single verification.

4.2. Description of EFBD

In FBD, it is usual that the majority of the output set are invalid signatures. As FBD goes, it will branch to the final layer which is a waste of time. As an optimized algorithm for FBD, EFBD adopts single verification when the size of the set is less than . The algorithm is designed specially for parallel calculation, and verifications can be calculated at a time. The specific algorithm is shown in Algorithm 3.

Input: nonempty Set
Output: set
(1) function EFBD ()
(2)  if then
(3)   if Verify () then
(4)    return
(5)   else
(6)    return
(7)   end if
(8)  end if
(12)  if then
(13)   return
(14)  end if
(15)  if then
(16)   return
(17)  end if
(18)  if then
(19)   return SingleVerify (F)
(20)  end if
(21)  if then
(22)   choose two groups on random bit
(25)  else
(27)  end if
(29)  return
(30) end function

Most part of EFBD is completely consistent with FBD. The difference is that when the loop terminates, it will singly check each signature in which will filter all valid signatures. Eventually, it will get a final set including exactly all invalid signatures.

Definition 4. For two or more binary codes, if both 0 and 1 appear in every bit, then they are called repulsion numbers.

If there exist false repulsion numbers, as EFBD algorithm goes, they will be divided into different groups no matter which bit is used to group. As a result, all groups will be verified false and the filter will be invalid.

5. Performance Analysis

In this section, the performance and time complexity will be analyzed. In addition, our discussion is based on a parallel calculation. For convenience, we define which equals to the number of groups in a bitwise partition. For BDD algorithm, it can calculate at most nodes in the same layer at a time. However, it cannot execute cross-layer computing. For FBD and EFBD, they can also calculate nodes at a time.

If there exist no invalid signatures, then both algorithms need only one verification. Then, one invalid signature circumstance can be idealized. Time complexity of binary search is reproduced below:

In general, is always greater than or equal to 2. Therefore, equation (1) can be further simplified:

According to the algorithm, the time complexity of FBD is .

Considering the worst case, that is, all signatures are invalid; BDD algorithm will branch on each leaf. Its time complexity is as follows:

Time complexity of FBD is as follows:

6. Simulation Analysis

In the simulation experiment, BDD, FBD, and EFBD are simulated to count and , respectively, in different scales and invalid signatures. In addition, the parallel calculation is adopted and the scale .

For different invalid signatures and scales, the performance of the three algorithms is shown in Tables 3 and 4. The number of signatures is from 4 () to 128 () and the invalid signatures are 1, 2, 3, 4, and 5, respectively. Because the distribution of invalid signatures greatly influences the result, the simulation is repeated 1000 times and the result is equilibrated to avoid randomness.

As shown in Table 3, when the number of signatures is 4, EFBD only uses for the reason that it will use single verification when the size of the input set is less than or equal to . In addition, when the number of false nodes is 1, FBD and EFBD only need because of their unique filtering structure. BDD has a relatively constant number because of its regular hierarchic execution. In comparison, FBD and EFBD have a high performance when the number of invalid signatures is less than 2 and 4, respectively. BDD has to go through layers to find the invalid signatures. However, as described in Section 4, FBD and EFBD can be seen as a filter, and it can efficiently filter most of the valid signatures and get a set containing invalid signatures when there exist a few invalid signatures. In Table 4, although the number of of our algorithms is bigger than that of BDD, is defined as a much smaller time cost compared to , which makes no difference in the circumstance.

Furthermore, Figure 5 shows the total time cost comparison among the three algorithms. It should be noted that the total time cost includes both aggregation time and verification time. In our work, is 0.036 ms, and is 2.2899 ms which is much bigger than . Therefore, in Figure 5, the rank of different algorithms is the same as the rank in Table 3. From the figures, when the number of elements and the number of false elements are small, the two proposed algorithms are better than the BDD significantly. Actually, in a real scene, the number of elements and the number of false elements is small. Therefore, FBD and EFBD algorithm can achieve high efficiency in real application scenarios.

7. Conclusion

To solve the problem that batch verification has low efficiency in the process of message verification, FBD and EFBD are proposed, and they are featured by parallel calculation and filtering. They show their high efficiency after simulation experiments. However, FBD and EFBD have relatively low efficiency performance in serial computing and only have high efficiency in parallel calculation. And, they cannot outperform BDD when invalid signatures are more than a certain number. According to the experiments, when the number of invalid signatures is more than 4, FBD and EFBD have low efficiency. In the future, FBD and EFBD can be simulated in a more real scene and some factors can be considered. Furthermore, they can be implemented in the hardware that supports parallel computing. Due to repulsion number problem, they can also be optimized to attain higher performance.

Data Availability

The data used to support the findings of the study are included within the article.


This paper was presented in Journal of Physics: Conference Series, Volume 1856, 2021 International Conference on Computer Network Security and Software Engineering (CNSSE 2021), February 26–28 2021, Zhuhai, China.

Conflicts of Interest

The authors declare that they have no conflicts of interest.


This work is supported by Key international cooperation projects of the National Natural Science Foundation of China (No. 61520106007).