## User Authentication in the IoE Era: Attacks, Challenges, Evaluation, and New Designs

View this Special IssueResearch Article | Open Access

Yanan Chen, Zhenyu Lu, Hu Xiong, Weixiang Xu, "Privacy-Preserving Data Aggregation Protocol for Fog Computing-Assisted Vehicle-to-Infrastructure Scenario", *Security and Communication Networks*, vol. 2018, Article ID 1378583, 14 pages, 2018. https://doi.org/10.1155/2018/1378583

# Privacy-Preserving Data Aggregation Protocol for Fog Computing-Assisted Vehicle-to-Infrastructure Scenario

**Academic Editor:**Qi Jiang

#### Abstract

Vehicle-to-infrastructure (V2I) communication enables moving vehicles to upload real-time data about road surface situation to the Internet via fixed roadside units (RSU). Thanks to the resource restriction of mobile vehicles, fog computation-enhanced V2I communication scenario has received increasing attention recently. However, how to aggregate the sensed data from vehicles securely and efficiently still remains open to the V2I communication scenario. In this paper, a light-weight and anonymous aggregation protocol is proposed for the fog computing-based V2I communication scenario. With the proposed protocol, the data collected by the vehicles can be efficiently obtained by the RSU in a privacy-preserving manner. Particularly, we first suggest a certificateless aggregate signcryption (CL-A-SC) scheme and prove its security in the random oracle model. The suggested CL-A-SC scheme, which is of independent interest, can achieve the merits of certificateless cryptography and signcryption scheme simultaneously. Then we put forward the anonymous aggregation protocol for V2I communication scenario as one extension of the suggested CL-A-SC scheme. Security analysis demonstrates that the proposed aggregation protocol achieves desirable security properties. The performance comparison shows that the proposed protocol significantly reduces the computation and communication overhead compared with the up-to-date protocols in this field.

#### 1. Introduction

Most of road anomalies, that is, potholes, bumps and slipperiness, are potentially hazardous to the commuters and vehicles [1]. Naturally, the condition of road surface is considered to be an important criterion for assessing the quality of transportation infrastructure [2]. The continuous development of sensing technique provides a promising approach to build an autonomous system for monitoring road surface condition [3]. Specifically, the mobile sensors embedded in mobile vehicles are used to sense the real-time data about road surface condition [4]. With the V2I communication [5], the data collected by the vehicles can be uploaded to the backend server via the RSUs installed at road intersections. By collecting and analyzing these real-time road surface data, the congestion of traffic and car crashes can be reduced significantly. Thanks to the resource restraint of mobile vehicles, the vehicular cloud networking [6, 7] has been introduced to ease the cost of vehicles, where the sensed data are stored in the remote cloud centers. It is easy to observe that the delivery of these data to the cloud servers located in the core network is commonly considered to be cumbersome due to the unreliable latency and network congestion [8]. To address these issues, the fog computing [9–11] has been introduced as an alternative for cloud computing. Different from cloud computing, elastic and virtual cloud resources are extended to one or more collaborative edge devices in the fog computing. In this sense, the collected data can be preprocessed and aggregated by the edge devices, which are instantiated by the resource-abundant RSU, before uploading to the data analytic center [12]. Therefore, the real-time road surface data can be efficiently processed with the support of fog computing-assisted V2I communication.

However, the fog computing-based V2I communication scenario cannot be accepted and deployed widely if the security of the transmitted data has not been considered appropriately. It is desirable to achieve data confidentiality such that the transmitted data can only be accessed by the intended RSU [13]. Otherwise, the collected data may be abused by the malicious adversary without any cost. Besides, it is also necessary to achieve message unforgeability such that the adversary is computationally infeasible to impersonate any vehicle [14]. Otherwise, the result about the analysis of collected data may be polluted by the forged data. To fulfill the mentioned security goals, it is naturally to introduce the public key encryption and signature to generate the ciphertext on the transmitted data. According to [15], signcryption is a promising primitive that achieves the security goals of encryption and signature simultaneously. It is realized by combining the public key encryption and digital signatures in one logical step. Moreover, this technique entails minimized computation and communication overhead compared with the sign-then-encrypt paradigm [16]. Since its introduction, the signcryption primitive has been studied in several cryptosystems, that is, traditional public key infrastructure- (PKI-) based cryptosystem [15], identity-based cryptosystem [17], and certificateless cryptosystem [16]. In the traditional PKI-based cryptosystem, the certificate management is a burdensome task. To alleviate the overhead of this task, the identity-based public key cryptosystem [18] has been introduced, where a trusted third party termed as private key generator is adopted to issue private keys for the users. This paradigm results in key escrow problem since the private key generator knows the private keys of all users in the system [18]. The certificateless cryptosystem [19] inherits from identity-based cryptosystem, whereas it eliminates the demand for the private key generator with key escrow capability. In this cryptosystem, a trusted third party named key generation center (KGC) is adopted to generate the private keys for users. Only a partial private key is issued by the KGC for each user. The full private key of a user is composed of the partial private key received from KGC and a secret value selected by his/herself. Because the full private key of a user is not held by the KGC, certificateless public key cryptosystem solves the key escrow problem of the identity-based cryptosystem. Thus, certificateless signcryption seems to be a promising primitive to ensure the security of the V2I communication.

Based on the idea of certificateless signcryption, Basudan et al. [20] proposed an anonymous aggregation protocol to secure the V2I communication recently. Unfortunately, in this paper, the protocol of [20] is demonstrated to be subject to the forgery attack, by which an adversary is able to forge a valid signcryption on any data. Besides, this protocol is constructed by utilizing the expensive bilinear pairings, which makes this protocol inefficient. Therefore, it is fair to regard the construction of anonymous aggregation protocol for the fog computing-based V2I communication scenario as an open issue.

Motivated by the practical needs, a privacy-preserving protocol for the V2I communication scenario with fog computing is proposed in this paper. The major contributions of this paper are summarized as follows:(i)Firstly, Basudan et al.’s [20] protocol is demonstrated to be subject to the forgery attack, by which an adversary is able to forge a valid signcryption on any data. In this sense, the aggregation protocol in [20] does not provide unforgeability as they claimed.(ii)Next, a light-weight and anonymous aggregation protocol for the V2I communication scenario with fog computing is proposed by elaborately combining a CL-A-SC scheme and the fog computing architecture. Specifically, the suggested protocol is realized without resorting to the costly bilinear pairings. Besides, the proposed protocol is proved secure under the standard computational Diffie–Hellman assumption and elliptic curve discrete logarithm problem in the random oracle model. Furthermore, the proposed aggregation protocol proved to be able to achieve desirable security properties including confidentiality, unforgeability, mutual authentication, anonymity, and key escrow resilience.(iii)The practical performance of the proposed protocol and Basudan et al.’s protocol is presented through the experimental simulation. According to the simulation results, the proposed protocol outperforms Basudan et al.’s protocol in terms of computation and communication overhead.

The organization of this paper is summarized as follows: the next section describes the system model, mathematical background, design objectives, the notion, and the security model of CL-A-SC scheme. In Section 3, Basudan et al.’s protocol is briefly reviewed. After that, the forgery attack against this protocol is presented. The proposed protocol is introduced in Section 4. Furthermore, the security of the proposed protocol is discussed in Section 5, where the comparison of the practical performance of the proposed protocol and Basudan et al.’s protocol is also provided. Finally, Section 6 concludes this paper.

#### 2. Preliminaries

The background information is introduced in this section.

##### 2.1. System Model

The considered system is comprised of three types of entities: control center, mobile sensors and RSUs. For ease of understanding, the system model is depicted in Figure 1. The definitions of the entities are described as follows:(i)Control center (CC): CC is considered to be a trustee which is able to initialize the whole system and generate the partial private key for mobile sensors and RSUs.(ii)Mobile sensors: the devices are embedded into the vehicles to generate the report about the road event, that is, potholes, slipperiness and bumps.(iii)RSU: each RSU is able to receive and process the messages sent by the mobile sensors.

##### 2.2. Mathematical Background

###### 2.2.1. Elliptic Curve Group

Let an elliptic curve over a prime finite field denote a set of points , which are defined by the equation with the discriminant mod . This set of points and the point at infinity (denoted by ) form a group . Particularly, is an additive cyclic group formed by and the point addition law, which is denoted by + and defined as follows. Let , , and be three elements in , where is the intersection of the line and . Specifically, connects and (tangent line to if ). Let be another line, which connects and . The sum of is denoted by the intersection of and . Moreover, the scalar multiplication on is calculated as .

###### 2.2.2. Bilinear Maps

Let be an additive cyclic group of prime order , be a multiplicative cyclic group of the same order, be an admissible bilinear map and denote a generator of . is considered to have the following features:(1)Bilinearity: for all and , .(2)Nondegeneracy: there exists such that .(3)Computability: for all , there exists an efficient algorithm to calculate .

###### 2.2.3. Cryptographic Assumptions

Given the mathematical background described above, the cryptographic assumptions are defined as follows.

*Definition 1 (computational Diffie–Hellman assumption). *This assumption is denoted as CDH. Given a tuple (), the CDH assumption in is to calculate .

*Definition 2 (elliptic curve discrete logarithm problem). *This assumption is denoted as ECDLP. Given a tuple (), the ECDLP assumption in is to calculate .

##### 2.3. The CL-A-SC Scheme

###### 2.3.1. Definition

Let denote a set of users. The user with identity is assumed to be the message receiver. The scheme consists of the following algorithms:(i)CL-A-SC.Setup: on inputting the security parameter, this algorithm generates the public parameters* params* and the master private key .(ii)CL-A-SC.Key-Generation: this algorithm is carried out by each and KGC interactively.(1)Given , each generates his/her user public/private key pair .(2)Given , , the identity of , and its corresponding user public key , KGC generates the partial public/private key pair .(3) and are set to be the full public key and full private key of , respectively.(iii)CL-A-SC.Signcryption: this algorithm is carried out by each . On inputting , a message , full private key of , and the public key of the user with identity , this algorithm outputs signcryption on .(iv)CL-A-SC.Aggregate: on inputting a set of signcryption schemes , this algorithm outputs aggregate signcryption on messages .(v)CL-A-SC.Aggregate-Verification: on inputting , aggregate signcryption and the set of users with its public keys, this algorithm outputs true if is valid or false otherwise.(vi)CL-A-SC.Designcryption: on inputting an aggregate signcryption and the full private key of the user with identity , this algorithm outputs a set of messages .

###### 2.3.2. Security Model

There are two types of adversaries considered in the certificateless cryptosystem [19]. A Type I adversary is able to replace the public key of a legitimate user with a bogus one but cannot access the master private key. A Type II adversary is able to access the master private key but cannot execute the public key replacement. According to the protocol of [22], the security notions of data confidentiality and mutual authentication for the CL-A-SC scheme are captured by the indistinguishability and the existential unforgeability of the signcryption, respectively. By using the same security model provided in [22], the ability of the adversaries is modeled by the following four interactive games.

*Game 3. *This game is played by a challenger and a Type I adversary .(i)* Initializing*: executes CL-A-SC.Setup algorithm to obtain the public parameters and the master private key . After that, sends to .(ii)* Training*: is able to query the following oracles (these oracles model the capability of in reality) in an adaptive manner:(a)Secret-Value-Extraction: on receiving the query on , this oracle returns the corresponding secret value to .(b)Partial-Private-Key-Extraction: on receiving the query on , this oracle returns the corresponding partial private key to .(c)Public-Key-Extraction: on receiving the query on , this oracle returns the corresponding public key to .(d)Public-Key-Replacement: on receiving the query on , this oracle updates the public key into .(e)Signcryption: on receiving the query on , , and a message , this oracle prompts to execute CL-A-SC.Signcryption algorithm to get signcryption on , where and are considered to be identity of the sender and the receiver, respectively. After that, returns to .(f)Designcryption: on receiving the query on , and aggregate signcryption , where and are considered to be identity of the senders and the receiver, respectively. This oracle prompts to execute the CL-A-SC.Aggregate-Verification algorithm on . If the output of this execution is false, this oracle returns “NULL” to ; otherwise, executes CL-A-SC.Designcryption algorithm on and returns the output of this execution to .(iii)*Challenging*: sends to . On receiving this message, randomly chooses a bit , generates the aggregate signcryption on , and then sends to . After that, adaptively queries the same oracles as the* Training* phase.(iv)* Guessing*: a bit is outputted by .

is considered to win this game iff(1), where and are defined as above;(2)The oracle Partial-Private-Key-Extraction has never been queried;(3)The oracle Designcryption has never been queried, where there exists such that .

’s advantage to win this game is defined as .

*Game 4. *This game is played by a challenger and a adversary .(i)*Initializing*: this phase is the same as the first phase in Game 3, while sends to .(ii)*Training*: in this phase, queries the same oracles (except the Public-Key-Replacement oracle) and receives the same responses as the second phase in Game 3.(iii)*Guess*: this phase is the same as the third phase in Game 3, where a bit is outputted by .

is considered to win this game iff(1), where and are defined as above;(2)The oracle Secret-Value-Extraction has never been queried;(3)The oracle Designcryption has never been queried, where there exists such that .

’s advantage to win this game is defined as .

*Definition 5. *A CL-A-SC scheme is considered to be secure against the adaptively chosen ciphertext attacks if there is no adversary of Type I or Type II has a nonnegligible advantage to win Game 3 or Game 4, respectively.

*Game 6. *This game is played by a challenger and a Type I adversary .(i)*Initializing*: this phase is the same as the first phase in Game 3.(ii)*Training*: in this phase, queries the same oracles and receives the same responses as the second phase of Game 3.(iii)*Forgery*: sends a forged aggregate signcryption on to , where and are considered to be identity of the senders and the receiver, respectively.

is considered to win this game iff(1)The output of the execution of Aggregate-Verification algorithm on is true;(2)There exists such that the Signcryption oracle or Partial-Private-Key-Extraction oracle has not been queried.

*Game 7. *This game is played by a challenger and a Type II adversary .(i)*Initializing*: this phase is the same as the first phase in Game 4.(ii)*Training*: this phase is the same as the second phase in Game 4.(iii)*Forgery*: this phase is the same as the third phase in Game 6.

is considered to win this game iff(1)The output of the execution of Aggregate-Verification algorithm on is true;(2)There exists such that the Signcryption oracle or Secret-Value-Extraction oracle has not been queried.

*Definition 8. *A CL-A-SC is considered to be existentially unforgeable against the adaptively chosen-message attack if there is no adversary of Type I or Type II has a nonnegligible advantage to win Game 6 or Game 7, respectively.

##### 2.4. Objectives

The design goals of the proposed protocol are defined as follows:(1)Data confidentiality and integrity: it is desirable to secure the transmitted data from revealing the sensitive information about the source mobile sensor. Besides, it is required to ensure the data has not been tampered [23].(2)Mutual authentication: it is desirable that the RSU and the mobile sensor are allowed to authenticate each other [24].(3)Anonymity: it is desirable to hide the real identity of the mobile sensor during the transmission [25, 26].(4)Key escrow resilience: it is desirable that the adversary is unable to obtain the full private key of any mobile sensor even if CC has been compromised [27].

#### 3. Cryptanalysis of Basudan et al.’s CL-A-SC Scheme

In this section, Basudan et al.’s CL-A-SC scheme is briefly reviewed. After that, their scheme is demonstrated to be insecure against the public-key-replacement attack.

##### 3.1. Notations

To ensure the consistency, the notations are defined in the Symbols. Concretely, each sensor is able to generate a real-time message when sensing the road condition . After that, generates signcryption on to construct the road condition report and then sends to the nearest RSU.

##### 3.2. Review of Basudan et al.’s CL-A-SC Scheme

The CL-A-SC scheme in the protocol of [20] consists of the following algorithms:(i)Setup: let be an additive cyclic group of prime order , be a multiplicative cyclic group of the same order, be an admissible bilinear map, and denote a generator of . Let , , , and be four cryptographic hash functions such that , , , and , where is assumed to be the bit length of messages. Randomly choose as the master private key and calculates . The public parameters .(ii)Key-Generation:(1)For ranges from 1 to , each mobile sensor randomly chooses and calculates , . After that, sends to CC.(2)Upon receiving from , CC randomly chooses and calculates , . After that, CC sends to .(3)Upon receiving from CC, checks if . If the verification holds, and are set to be the full public key and full private key of , respectively.(iii)Signcryption: the RSU with identity is assumed to be the message receiver. For ranges from 1 to , randomly chooses and calculates , , , , , , , and , where is the state information and . After that, constructs , and sends to the RSU with identity .(iv)Aggregate: upon receiving , the RSU with identity calculates .(v)Aggregate-Verification: for ranges from 1 to , RSU calculates and , where . RSU checks if .(vi)Designcryption: if the verification in the Aggregate-Verification algorithm holds, RSU calculates , , , and for ranges from 1 to .

##### 3.3. Forgery Attack against Basudan et al.’s CL-A-SC Scheme

Basudan et al. [20] claimed that their CL-A-SC scheme proved to be able to achieve indistinguishability and unforgeability against the Type I and Type II adversary. However, the adversary of Type I is able to forge signcryption on any message by launching a public-key-replacement attack, which is described as follows:(i)Public-Key-Replacement: given a mobile sensor , randomly chooses and calculates , , where . After that, is set to be the full public key of .(ii)Signature-Forgery: randomly chooses and calculates , , , , , , , , and , where is forged by under the state information and . After that, constructs , and sends to the RSU with identity .(iii)Aggregate: the RSU calculates .(iv)Aggregate-Verification: for ranges from 1 to , the RSU calculates and , where . After that, the RSU checks if .

The correctness of can be easily verified since

Thus, the verification holds. The message is recovered by the RSU according to the specification of Designcryption algorithm.

*Remark 9. *The fundamental flaw of Basudan et al.’s CL-A-SC scheme against this forgery attack is due to the unreasonable position of the value . As described above, is allowed to generate to replace ’s public key. According to the specification of the protocol in [20], , and thus . calculates and then successfully forges the signcryption . It is noted that this type of adversary has not been mentioned in their security proof. Hence, the proof fails.

#### 4. Our Proposed Protocol

In this section, a concrete CL-A-SC scheme is proposed, which is the building block of our data aggregation protocol.

##### 4.1. The Proposed CL-A-SC Scheme

This scheme consists of the following algorithms:(i)CL-A-SC.Setup: let and be two large primes such that divides , be an elliptic curve over a finite field , and be an additive cyclic group formed by with the point addition law. Let be a generator of and , , be three cryptographic hash functions. Randomly choose as the master private key and calculates . The system parameter .(ii)CL-A-SC.Key-Generation:(1)The user randomly chooses and calculates . After that, the user sends to KGC.(2)KGC randomly chooses and calculates , . After that, KGC sends to the user with identity .(3)The user with identity checks if , where . If the verification holds, and are set to be the full public key and full private key of the user, respectively.(iii)CL-A-SC.Signcryption: the user randomly chooses and calculates , , , and , where and , where . After that, the user sends the ciphertext to the user with identity .(iv)CL-A-SC.Aggregate: upon receiving , the user with identity calculates .(v)CL-A-SC.Aggregate-Verification: for ranges from 1 to , the user with identity calculates . After that, this user checks if .(vi)CL-A-SC.Designcryption: if the verification in the Aggregate-Verification algorithm holds, the user with identity calculates , , and for ranges from 1 to .

##### 4.2. The Data Aggregation Protocol

In this part, our data aggregation protocol is proposed, which involves the CC, RSU, and mobile sensors. The suggested protocol is comprised of four phases: system initialization, data generation and transmission, aggregate verification, and data retrieval.

###### 4.2.1. System Initialization

In this phase, CC performs the CL-A-SC.Setup algorithm to initialize the system. The system parameter . After that, the mobile sensors and the RSUs are allowed to register to CC by performing the following steps:(1)For ranges from 1 to , each mobile sensor randomly chooses and calculates . After that, sends to CC.(2)Upon receiving from , CC randomly chooses and calculates , . After that, CC sends to .(3)Upon receiving from CC, checks if , where . If the verification holds, and are set to be the full public key and full private key of , respectively.

It is worth noting that the format of the road condition report is defined by CC in this phase. Concretely, each mobile sensor is able to generate when sensing the road condition , where is the time when sensed , is the location where occurred, and is the action signal about . After that, generates signcryption on to construct the road condition report .

###### 4.2.2. Data Generation and Transmission

In this phase, is allowed to generate signcryption on to construct . After that, is sent to the nearest RSU. The identity of this RSU is assumed to be . This phase consists of the following steps:(1) randomly chooses and calculates , , , and , where , , and .(2) sends to the RSU with identity .

To protect private information of mobile sensors, the real identity of each cannot be retrieved from . In this way, the anonymity of mobile sensors is preserved.

###### 4.2.3. Aggregate Verification

Upon receiving the reports from the sensors on a road condition , the RSU is allowed to aggregate the ciphertexts and then verify the authenticity of the aggregate data. The identity of this RSU is assumed to be . The aggregation and verification procedures are carried out by performing the following steps:(1)The RSU calculates .(2)For ranges from 1 to , the RSU calculates . After that, this RSU checks if .

If the equation holds, this RSU accepts the received reports and executes the next phase. Otherwise, this RSU aborts these reports.

###### 4.2.4. Data Retrieval

If the verification in the previous phase holds, the RSU retrieves as follows:(1)For ranges from 1 to , the RSU calculates and .(2)This RSU calculates for ranges from 1 to .

#### 5. Analysis and Comparison

The correctness and security properties of the proposed protocol are analyzed in this section. After that, the comparison in terms of efficiency and security properties of the proposed protocol and the related works is presented.

##### 5.1. Correctness Analysis

The correctness of the decryption procedure is presented as follows:The correctness of the verification procedure is presented as follows:

##### 5.2. Security Proof

In this part, the security proof of the proposed protocol is given under the random oracle model [28].

Lemma 10. *The proposed protocol is indistinguishable against the chosen ciphertext attacks Ind-CCA-II of the Type I adversary in the random oracle model under the CDH assumption.*

*Proof. *See Appendix A.

Lemma 11. *The proposed protocol is indistinguishable against the chosen ciphertext attacks Ind-CCA-II of the Type II adversary in the random oracle model under the CDH assumption.*

*Proof. *The proof of this lemma is omitted since it follows the proof of Lemma 10.

Theorem 12. *The proposed protocol achieves IND-CCA security under the CDH assumption.*

*Proof. *Theorem 12 is derived directly from Lemmas 10 and 11.

Lemma 13. *The proposed protocol is existentially unforgeable against adaptive chosen-message attacks EUF-CMA-II of the adversary in the random oracle model under the ECDLP assumption.*

*Proof. *See Appendix B.

Lemma 14. *The proposed protocol is existentially unforgeable against adaptive chosen-message attacks EUF-CMA-II of the Type II adversary in the random oracle model under the ECDLP assumption.*

*Proof. *The proof of this lemma is omitted since it follows the proof of Lemma 13.

Theorem 15. *The proposed protocol achieves EUF-CMA security under the ECDLP assumption.*

*Proof. *Theorem 15 is derived directly from Lemmas 13 and 14.

##### 5.3. Security Strength

(1)Data confidentiality and integrity: each is calculated as , where , can only be recovered by the RSU. The confidentiality of the data is proved in Theorem 12. Moreover, the RSU is able to decrypt and verify the received data. Thus, the integrity of the data is ensured.(2)Mutual authentication: each mobile sensor authenticates itself by sending to the RSU. Only the RSU which keeps the private key () can recover . Besides, the RSU authenticates each sensor by verifying the received data. The unforgeability of the data is proved in Theorem 15.(3)Anonymity: according to the specification of the proposed protocol, the real identity of each mobile sensor cannot be retrieved from the ciphertext. Thus, the proposed protocol achieves anonymity.(4)Key escrow resilience: the proposed protocol is designed under the certificateless cryptosystem. Specifically, CC is only allowed to issue the partial private key for each mobile sensor . The adversary is unable to obtain the full private key () of even if CC is compromised. Thus, this protocol achieves key escrow resilience.

##### 5.4. Comparison

The comparison of the security properties is presented in Table 1, which includes data confidentiality and integrity (DCI), mutual authentication (MA), anonymity (AN), key escrow resilience (KER), and timing attack resilience (TAR). The timing attack is considered as a kind of side-channel attack [29]. In the execution of the cryptographic protocols, variations of the executing timing can leak some information if sensitive data is involved. By measuring the time which the sensors take to perform the cryptographic operations, the adversary is able to obtain some secret parameters of the sensors. It is required to reduce the computation overhead of the sensors. According to this comparison, it can be concluded that the proposed protocol is able to achieve all of the security goals, while Basudan et al.’s [20] protocol fails to achieve mutual authentication.

The comparison of the communication overhead is presented in Figure 2. To get an intuitive comparison of the efficiency, the practical performance of the protocols is presented in Figures 3–5, respectively. To ensure the consistency, the 80-bit security level (RSA-1024 bit, ECC-160 bit equivalent) is adopted for both protocols. The implementation is based on a common hardware platform with Intel Core i5-4460 CPU at 3.2 GHz using the PBC library [30]. According to this comparison, it can be concluded that the proposed protocol outperforms the related works in terms of communication and computation overhead.

#### 6. Conclusion

The security and privacy concerns are essential and challenging issues in road surface condition monitoring system. In this paper, the security flaw of a certificateless data aggregation protocol in [20] for monitoring system is pointed out. After that, a light-weight and anonymous data aggregation protocol is introduced, which is constructed by combining a CL-A-SC scheme and the fog computing architecture. The proposed protocol is proved secure under the random oracle model and achieves desirable security properties including data confidentiality, mutual authentication, anonymity and key escrow resilience. Besides, an experimental simulation of the proposed protocol and the protocol in [20] is presented. According to the comparison results, the proposed protocol is efficient and more practical for the road surface condition monitoring system.

#### Appendix

#### A. Proof of Lemma 10

Given an input of the assumption, the task of the challenger is to calculate with the support of adversary . Assume is able to break the Ind-CCA-II security with the advantage .

##### A.1. Setup

randomly chooses and sets and the public parameters , where , , and are considered to be random oracles. Let denote the maximum number of queries on . randomly chooses .

##### A.2. Training

and interactively play the game as follows:(i) query: an initially empty list associated with this query is maintained by . If there is a tuple in , returns to as the response of the input . Otherwise, randomly chooses and adds the tuple into . After that, returns to .(ii) query: let denote the maximum number of queries on . An initially empty list associated with this query is maintained by . If there is a tuple in , returns to as the response of the input . Otherwise, randomly chooses and adds the tuple into . After that, returns to .(iii) query: let denote the maximum number of queries on . An initially empty list associated with this query is maintained by . If there is a tuple in , returns to as the response of the input . Otherwise, randomly chooses and adds the tuple into . After that, returns to .(iv)Secret-Value-Extraction: let denote the maximum number of queries on this oracle. An initially empty list associated with this query is maintained by . Upon receiving this query on such that , aborts this simulation. Otherwise, performs as follows: If there is a tuple in , returns to as the response of the input . Otherwise, randomly chooses and calculates . After that, adds the tuple into and returns to .(v)Partial-Private-Key-Extraction: an initially empty list associated with this query is maintained by . If , randomly chooses and calculates . After that, adds the tuple into and returns to as the response of the input . Otherwise, performs the following steps. If there is a tuple in , returns to . Otherwise, randomly chooses and calculates . After that, adds the tuple into and into and returns to .(vi)Public-Key-Extraction: if there is a tuple in , returns to as the response of the input . Otherwise, queries the Partial-Private-Key-Extraction and returns to .(vii)Public-Key-Replacement: if there is a tuple in , also updates into , in .(viii)Signcryption: let denote the maximum number of queries on this oracle. , are considered to be the identity of sender and receiver, respectively. This query is executed as follows:(1)If and , the algorithm is executed by , who knows .(2)Else if and , randomly chooses