Privacy-Preserving Data Aggregation Protocol for Fog Computing-Assisted Vehicle-to-Infrastructure Scenario

Chen, Yanan; Lu, Zhenyu; Xiong, Hu; Xu, Weixiang

doi:https://doi.org/10.1155/2018/1378583

Security and Communication Networks

On this page

Abstract Introduction Preliminaries Analysis Conclusion Appendix Conflicts of Interest Acknowledgments References Copyright Related Articles

Special Issue

User Authentication in the IoE Era: Attacks, Challenges, Evaluation, and New Designs

View this Special Issue

Research Article | Open Access

Volume 2018 | Article ID 1378583 | https://doi.org/10.1155/2018/1378583

Privacy-Preserving Data Aggregation Protocol for Fog Computing-Assisted Vehicle-to-Infrastructure Scenario

Yanan Chen,^1,2Zhenyu Lu,³Hu Xiong,^3,4and Weixiang Xu¹

Academic Editor: Qi Jiang

Received30 Aug 2017

Revised20 Oct 2017

Accepted09 Nov 2017

Published18 Apr 2018

Abstract

Vehicle-to-infrastructure (V2I) communication enables moving vehicles to upload real-time data about road surface situation to the Internet via fixed roadside units (RSU). Thanks to the resource restriction of mobile vehicles, fog computation-enhanced V2I communication scenario has received increasing attention recently. However, how to aggregate the sensed data from vehicles securely and efficiently still remains open to the V2I communication scenario. In this paper, a light-weight and anonymous aggregation protocol is proposed for the fog computing-based V2I communication scenario. With the proposed protocol, the data collected by the vehicles can be efficiently obtained by the RSU in a privacy-preserving manner. Particularly, we first suggest a certificateless aggregate signcryption (CL-A-SC) scheme and prove its security in the random oracle model. The suggested CL-A-SC scheme, which is of independent interest, can achieve the merits of certificateless cryptography and signcryption scheme simultaneously. Then we put forward the anonymous aggregation protocol for V2I communication scenario as one extension of the suggested CL-A-SC scheme. Security analysis demonstrates that the proposed aggregation protocol achieves desirable security properties. The performance comparison shows that the proposed protocol significantly reduces the computation and communication overhead compared with the up-to-date protocols in this field.

1. Introduction

Most of road anomalies, that is, potholes, bumps and slipperiness, are potentially hazardous to the commuters and vehicles [1]. Naturally, the condition of road surface is considered to be an important criterion for assessing the quality of transportation infrastructure [2]. The continuous development of sensing technique provides a promising approach to build an autonomous system for monitoring road surface condition [3]. Specifically, the mobile sensors embedded in mobile vehicles are used to sense the real-time data about road surface condition [4]. With the V2I communication [5], the data collected by the vehicles can be uploaded to the backend server via the RSUs installed at road intersections. By collecting and analyzing these real-time road surface data, the congestion of traffic and car crashes can be reduced significantly. Thanks to the resource restraint of mobile vehicles, the vehicular cloud networking [6, 7] has been introduced to ease the cost of vehicles, where the sensed data are stored in the remote cloud centers. It is easy to observe that the delivery of these data to the cloud servers located in the core network is commonly considered to be cumbersome due to the unreliable latency and network congestion [8]. To address these issues, the fog computing [9–11] has been introduced as an alternative for cloud computing. Different from cloud computing, elastic and virtual cloud resources are extended to one or more collaborative edge devices in the fog computing. In this sense, the collected data can be preprocessed and aggregated by the edge devices, which are instantiated by the resource-abundant RSU, before uploading to the data analytic center [12]. Therefore, the real-time road surface data can be efficiently processed with the support of fog computing-assisted V2I communication.

However, the fog computing-based V2I communication scenario cannot be accepted and deployed widely if the security of the transmitted data has not been considered appropriately. It is desirable to achieve data confidentiality such that the transmitted data can only be accessed by the intended RSU [13]. Otherwise, the collected data may be abused by the malicious adversary without any cost. Besides, it is also necessary to achieve message unforgeability such that the adversary is computationally infeasible to impersonate any vehicle [14]. Otherwise, the result about the analysis of collected data may be polluted by the forged data. To fulfill the mentioned security goals, it is naturally to introduce the public key encryption and signature to generate the ciphertext on the transmitted data. According to [15], signcryption is a promising primitive that achieves the security goals of encryption and signature simultaneously. It is realized by combining the public key encryption and digital signatures in one logical step. Moreover, this technique entails minimized computation and communication overhead compared with the sign-then-encrypt paradigm [16]. Since its introduction, the signcryption primitive has been studied in several cryptosystems, that is, traditional public key infrastructure- (PKI-) based cryptosystem [15], identity-based cryptosystem [17], and certificateless cryptosystem [16]. In the traditional PKI-based cryptosystem, the certificate management is a burdensome task. To alleviate the overhead of this task, the identity-based public key cryptosystem [18] has been introduced, where a trusted third party termed as private key generator is adopted to issue private keys for the users. This paradigm results in key escrow problem since the private key generator knows the private keys of all users in the system [18]. The certificateless cryptosystem [19] inherits from identity-based cryptosystem, whereas it eliminates the demand for the private key generator with key escrow capability. In this cryptosystem, a trusted third party named key generation center (KGC) is adopted to generate the private keys for users. Only a partial private key is issued by the KGC for each user. The full private key of a user is composed of the partial private key received from KGC and a secret value selected by his/herself. Because the full private key of a user is not held by the KGC, certificateless public key cryptosystem solves the key escrow problem of the identity-based cryptosystem. Thus, certificateless signcryption seems to be a promising primitive to ensure the security of the V2I communication.

Based on the idea of certificateless signcryption, Basudan et al. [20] proposed an anonymous aggregation protocol to secure the V2I communication recently. Unfortunately, in this paper, the protocol of [20] is demonstrated to be subject to the forgery attack, by which an adversary is able to forge a valid signcryption on any data. Besides, this protocol is constructed by utilizing the expensive bilinear pairings, which makes this protocol inefficient. Therefore, it is fair to regard the construction of anonymous aggregation protocol for the fog computing-based V2I communication scenario as an open issue.

Motivated by the practical needs, a privacy-preserving protocol for the V2I communication scenario with fog computing is proposed in this paper. The major contributions of this paper are summarized as follows:(i)Firstly, Basudan et al.’s [20] protocol is demonstrated to be subject to the forgery attack, by which an adversary is able to forge a valid signcryption on any data. In this sense, the aggregation protocol in [20] does not provide unforgeability as they claimed.(ii)Next, a light-weight and anonymous aggregation protocol for the V2I communication scenario with fog computing is proposed by elaborately combining a CL-A-SC scheme and the fog computing architecture. Specifically, the suggested protocol is realized without resorting to the costly bilinear pairings. Besides, the proposed protocol is proved secure under the standard computational Diffie–Hellman assumption and elliptic curve discrete logarithm problem in the random oracle model. Furthermore, the proposed aggregation protocol proved to be able to achieve desirable security properties including confidentiality, unforgeability, mutual authentication, anonymity, and key escrow resilience.(iii)The practical performance of the proposed protocol and Basudan et al.’s protocol is presented through the experimental simulation. According to the simulation results, the proposed protocol outperforms Basudan et al.’s protocol in terms of computation and communication overhead.

The organization of this paper is summarized as follows: the next section describes the system model, mathematical background, design objectives, the notion, and the security model of CL-A-SC scheme. In Section 3, Basudan et al.’s protocol is briefly reviewed. After that, the forgery attack against this protocol is presented. The proposed protocol is introduced in Section 4. Furthermore, the security of the proposed protocol is discussed in Section 5, where the comparison of the practical performance of the proposed protocol and Basudan et al.’s protocol is also provided. Finally, Section 6 concludes this paper.

2. Preliminaries

The background information is introduced in this section.

2.1. System Model

The considered system is comprised of three types of entities: control center, mobile sensors and RSUs. For ease of understanding, the system model is depicted in Figure 1. The definitions of the entities are described as follows:(i)Control center (CC): CC is considered to be a trustee which is able to initialize the whole system and generate the partial private key for mobile sensors and RSUs.(ii)Mobile sensors: the devices are embedded into the vehicles to generate the report about the road event, that is, potholes, slipperiness and bumps.(iii)RSU: each RSU is able to receive and process the messages sent by the mobile sensors.

2.2. Mathematical Background

2.2.1. Elliptic Curve Group

Let an elliptic curve over a prime finite field denote a set of points , which are defined by the equation with the discriminant mod . This set of points and the point at infinity (denoted by ) form a group . Particularly, is an additive cyclic group formed by and the point addition law, which is denoted by + and defined as follows. Let , , and be three elements in , where is the intersection of the line and . Specifically, connects and (tangent line to if ). Let be another line, which connects and . The sum of is denoted by the intersection of and . Moreover, the scalar multiplication on is calculated as .

2.2.2. Bilinear Maps

Let be an additive cyclic group of prime order , be a multiplicative cyclic group of the same order, be an admissible bilinear map and denote a generator of . is considered to have the following features:(1)Bilinearity: for all and , .(2)Nondegeneracy: there exists such that .(3)Computability: for all , there exists an efficient algorithm to calculate .

2.2.3. Cryptographic Assumptions

Given the mathematical background described above, the cryptographic assumptions are defined as follows.

Definition 1 (computational Diffie–Hellman assumption). This assumption is denoted as CDH. Given a tuple (), the CDH assumption in is to calculate .

Definition 2 (elliptic curve discrete logarithm problem). This assumption is denoted as ECDLP. Given a tuple (), the ECDLP assumption in is to calculate .

2.3. The CL-A-SC Scheme

2.3.1. Definition

Let denote a set of users. The user with identity is assumed to be the message receiver. The scheme consists of the following algorithms:(i)CL-A-SC.Setup: on inputting the security parameter, this algorithm generates the public parameters params and the master private key .(ii)CL-A-SC.Key-Generation: this algorithm is carried out by each and KGC interactively.(1)Given , each generates his/her user public/private key pair .(2)Given , , the identity of , and its corresponding user public key , KGC generates the partial public/private key pair .(3) and are set to be the full public key and full private key of , respectively.(iii)CL-A-SC.Signcryption: this algorithm is carried out by each . On inputting , a message , full private key of , and the public key of the user with identity , this algorithm outputs signcryption on .(iv)CL-A-SC.Aggregate: on inputting a set of signcryption schemes , this algorithm outputs aggregate signcryption on messages .(v)CL-A-SC.Aggregate-Verification: on inputting , aggregate signcryption and the set of users with its public keys, this algorithm outputs true if is valid or false otherwise.(vi)CL-A-SC.Designcryption: on inputting an aggregate signcryption and the full private key of the user with identity , this algorithm outputs a set of messages .

2.3.2. Security Model

There are two types of adversaries considered in the certificateless cryptosystem [19]. A Type I adversary is able to replace the public key of a legitimate user with a bogus one but cannot access the master private key. A Type II adversary is able to access the master private key but cannot execute the public key replacement. According to the protocol of [22], the security notions of data confidentiality and mutual authentication for the CL-A-SC scheme are captured by the indistinguishability and the existential unforgeability of the signcryption, respectively. By using the same security model provided in [22], the ability of the adversaries is modeled by the following four interactive games.

Game 3. This game is played by a challenger and a Type I adversary .(i) Initializing: executes CL-A-SC.Setup algorithm to obtain the public parameters and the master private key . After that, sends to .(ii) Training: is able to query the following oracles (these oracles model the capability of in reality) in an adaptive manner:(a)Secret-Value-Extraction: on receiving the query on , this oracle returns the corresponding secret value to .(b)Partial-Private-Key-Extraction: on receiving the query on , this oracle returns the corresponding partial private key to .(c)Public-Key-Extraction: on receiving the query on , this oracle returns the corresponding public key to .(d)Public-Key-Replacement: on receiving the query on , this oracle updates the public key into .(e)Signcryption: on receiving the query on , , and a message , this oracle prompts to execute CL-A-SC.Signcryption algorithm to get signcryption on , where and are considered to be identity of the sender and the receiver, respectively. After that, returns to .(f)Designcryption: on receiving the query on , and aggregate signcryption , where and are considered to be identity of the senders and the receiver, respectively. This oracle prompts to execute the CL-A-SC.Aggregate-Verification algorithm on . If the output of this execution is false, this oracle returns “NULL” to ; otherwise, executes CL-A-SC.Designcryption algorithm on and returns the output of this execution to .(iii)Challenging: sends to . On receiving this message, randomly chooses a bit , generates the aggregate signcryption on , and then sends to . After that, adaptively queries the same oracles as the Training phase.(iv) Guessing: a bit is outputted by .

is considered to win this game iff(1), where and are defined as above;(2)The oracle Partial-Private-Key-Extraction has never been queried;(3)The oracle Designcryption has never been queried, where there exists such that .

’s advantage to win this game is defined as .

Game 4. This game is played by a challenger and a adversary .(i)Initializing: this phase is the same as the first phase in Game 3, while sends to .(ii)Training: in this phase, queries the same oracles (except the Public-Key-Replacement oracle) and receives the same responses as the second phase in Game 3.(iii)Guess: this phase is the same as the third phase in Game 3, where a bit is outputted by .

is considered to win this game iff(1), where and are defined as above;(2)The oracle Secret-Value-Extraction has never been queried;(3)The oracle Designcryption has never been queried, where there exists such that .

’s advantage to win this game is defined as .

Definition 5. A CL-A-SC scheme is considered to be secure against the adaptively chosen ciphertext attacks if there is no adversary of Type I or Type II has a nonnegligible advantage to win Game 3 or Game 4, respectively.

Game 6. This game is played by a challenger and a Type I adversary .(i)Initializing: this phase is the same as the first phase in Game 3.(ii)Training: in this phase, queries the same oracles and receives the same responses as the second phase of Game 3.(iii)Forgery: sends a forged aggregate signcryption on to , where and are considered to be identity of the senders and the receiver, respectively.

is considered to win this game iff(1)The output of the execution of Aggregate-Verification algorithm on is true;(2)There exists such that the Signcryption oracle or Partial-Private-Key-Extraction oracle has not been queried.

Game 7. This game is played by a challenger and a Type II adversary .(i)Initializing: this phase is the same as the first phase in Game 4.(ii)Training: this phase is the same as the second phase in Game 4.(iii)Forgery: this phase is the same as the third phase in Game 6.

is considered to win this game iff(1)The output of the execution of Aggregate-Verification algorithm on is true;(2)There exists such that the Signcryption oracle or Secret-Value-Extraction oracle has not been queried.

Definition 8. A CL-A-SC is considered to be existentially unforgeable against the adaptively chosen-message attack if there is no adversary of Type I or Type II has a nonnegligible advantage to win Game 6 or Game 7, respectively.

2.4. Objectives

The design goals of the proposed protocol are defined as follows:(1)Data confidentiality and integrity: it is desirable to secure the transmitted data from revealing the sensitive information about the source mobile sensor. Besides, it is required to ensure the data has not been tampered [23].(2)Mutual authentication: it is desirable that the RSU and the mobile sensor are allowed to authenticate each other [24].(3)Anonymity: it is desirable to hide the real identity of the mobile sensor during the transmission [25, 26].(4)Key escrow resilience: it is desirable that the adversary is unable to obtain the full private key of any mobile sensor even if CC has been compromised [27].

3. Cryptanalysis of Basudan et al.’s CL-A-SC Scheme

In this section, Basudan et al.’s CL-A-SC scheme is briefly reviewed. After that, their scheme is demonstrated to be insecure against the public-key-replacement attack.

3.1. Notations

To ensure the consistency, the notations are defined in the Symbols. Concretely, each sensor is able to generate a real-time message when sensing the road condition . After that, generates signcryption on to construct the road condition report and then sends to the nearest RSU.

3.2. Review of Basudan et al.’s CL-A-SC Scheme

The CL-A-SC scheme in the protocol of [20] consists of the following algorithms:(i)Setup: let be an additive cyclic group of prime order , be a multiplicative cyclic group of the same order, be an admissible bilinear map, and denote a generator of . Let , , , and be four cryptographic hash functions such that , , , and , where is assumed to be the bit length of messages. Randomly choose as the master private key and calculates . The public parameters .(ii)Key-Generation:(1)For ranges from 1 to , each mobile sensor randomly chooses and calculates , . After that, sends to CC.(2)Upon receiving from , CC randomly chooses and calculates , . After that, CC sends to .(3)Upon receiving from CC, checks if . If the verification holds, and are set to be the full public key and full private key of , respectively.(iii)Signcryption: the RSU with identity is assumed to be the message receiver. For ranges from 1 to , randomly chooses and calculates , , , , , , , and , where is the state information and . After that, constructs , and sends to the RSU with identity .(iv)Aggregate: upon receiving , the RSU with identity calculates .(v)Aggregate-Verification: for ranges from 1 to , RSU calculates and , where . RSU checks if .(vi)Designcryption: if the verification in the Aggregate-Verification algorithm holds, RSU calculates , , , and for ranges from 1 to .

3.3. Forgery Attack against Basudan et al.’s CL-A-SC Scheme

Basudan et al. [20] claimed that their CL-A-SC scheme proved to be able to achieve indistinguishability and unforgeability against the Type I and Type II adversary. However, the adversary of Type I is able to forge signcryption on any message by launching a public-key-replacement attack, which is described as follows:(i)Public-Key-Replacement: given a mobile sensor , randomly chooses and calculates , , where . After that, is set to be the full public key of .(ii)Signature-Forgery: randomly chooses and calculates , , , , , , , , and , where is forged by under the state information and . After that, constructs , and sends to the RSU with identity .(iii)Aggregate: the RSU calculates .(iv)Aggregate-Verification: for ranges from 1 to , the RSU calculates and , where . After that, the RSU checks if .

The correctness of can be easily verified since

Thus, the verification holds. The message is recovered by the RSU according to the specification of Designcryption algorithm.

Remark 9. The fundamental flaw of Basudan et al.’s CL-A-SC scheme against this forgery attack is due to the unreasonable position of the value . As described above, is allowed to generate to replace ’s public key. According to the specification of the protocol in [20], , and thus . calculates and then successfully forges the signcryption . It is noted that this type of adversary has not been mentioned in their security proof. Hence, the proof fails.

4. Our Proposed Protocol

In this section, a concrete CL-A-SC scheme is proposed, which is the building block of our data aggregation protocol.

4.1. The Proposed CL-A-SC Scheme

This scheme consists of the following algorithms:(i)CL-A-SC.Setup: let and be two large primes such that divides , be an elliptic curve over a finite field , and be an additive cyclic group formed by with the point addition law. Let be a generator of and , , be three cryptographic hash functions. Randomly choose as the master private key and calculates . The system parameter .(ii)CL-A-SC.Key-Generation:(1)The user randomly chooses and calculates . After that, the user sends to KGC.(2)KGC randomly chooses and calculates , . After that, KGC sends to the user with identity .(3)The user with identity checks if , where . If the verification holds, and are set to be the full public key and full private key of the user, respectively.(iii)CL-A-SC.Signcryption: the user randomly chooses and calculates , , , and , where and , where . After that, the user sends the ciphertext to the user with identity .(iv)CL-A-SC.Aggregate: upon receiving , the user with identity calculates .(v)CL-A-SC.Aggregate-Verification: for ranges from 1 to , the user with identity calculates . After that, this user checks if .(vi)CL-A-SC.Designcryption: if the verification in the Aggregate-Verification algorithm holds, the user with identity calculates , , and for ranges from 1 to .

4.2. The Data Aggregation Protocol

In this part, our data aggregation protocol is proposed, which involves the CC, RSU, and mobile sensors. The suggested protocol is comprised of four phases: system initialization, data generation and transmission, aggregate verification, and data retrieval.

4.2.1. System Initialization

In this phase, CC performs the CL-A-SC.Setup algorithm to initialize the system. The system parameter . After that, the mobile sensors and the RSUs are allowed to register to CC by performing the following steps:(1)For ranges from 1 to , each mobile sensor randomly chooses and calculates . After that, sends to CC.(2)Upon receiving from , CC randomly chooses and calculates , . After that, CC sends to .(3)Upon receiving from CC, checks if , where . If the verification holds, and are set to be the full public key and full private key of , respectively.

It is worth noting that the format of the road condition report is defined by CC in this phase. Concretely, each mobile sensor is able to generate when sensing the road condition , where is the time when sensed , is the location where occurred, and is the action signal about . After that, generates signcryption on to construct the road condition report .

4.2.2. Data Generation and Transmission

In this phase, is allowed to generate signcryption on to construct . After that, is sent to the nearest RSU. The identity of this RSU is assumed to be . This phase consists of the following steps:(1) randomly chooses and calculates , , , and , where , , and .(2) sends to the RSU with identity .

To protect private information of mobile sensors, the real identity of each cannot be retrieved from . In this way, the anonymity of mobile sensors is preserved.

4.2.3. Aggregate Verification

Upon receiving the reports from the sensors on a road condition , the RSU is allowed to aggregate the ciphertexts and then verify the authenticity of the aggregate data. The identity of this RSU is assumed to be . The aggregation and verification procedures are carried out by performing the following steps:(1)The RSU calculates .(2)For ranges from 1 to , the RSU calculates . After that, this RSU checks if .

If the equation holds, this RSU accepts the received reports and executes the next phase. Otherwise, this RSU aborts these reports.

4.2.4. Data Retrieval

If the verification in the previous phase holds, the RSU retrieves as follows:(1)For ranges from 1 to , the RSU calculates and .(2)This RSU calculates for ranges from 1 to .

5. Analysis and Comparison

The correctness and security properties of the proposed protocol are analyzed in this section. After that, the comparison in terms of efficiency and security properties of the proposed protocol and the related works is presented.

5.1. Correctness Analysis

The correctness of the decryption procedure is presented as follows:The correctness of the verification procedure is presented as follows:

5.2. Security Proof

In this part, the security proof of the proposed protocol is given under the random oracle model [28].

Lemma 10. The proposed protocol is indistinguishable against the chosen ciphertext attacks Ind-CCA-II of the Type I adversary in the random oracle model under the CDH assumption.

Proof. See Appendix A.

Lemma 11. The proposed protocol is indistinguishable against the chosen ciphertext attacks Ind-CCA-II of the Type II adversary in the random oracle model under the CDH assumption.

Proof. The proof of this lemma is omitted since it follows the proof of Lemma 10.

Theorem 12. The proposed protocol achieves IND-CCA security under the CDH assumption.

Proof. Theorem 12 is derived directly from Lemmas 10 and 11.

Lemma 13. The proposed protocol is existentially unforgeable against adaptive chosen-message attacks EUF-CMA-II of the adversary in the random oracle model under the ECDLP assumption.

Proof. See Appendix B.

Lemma 14. The proposed protocol is existentially unforgeable against adaptive chosen-message attacks EUF-CMA-II of the Type II adversary in the random oracle model under the ECDLP assumption.

Proof. The proof of this lemma is omitted since it follows the proof of Lemma 13.

Theorem 15. The proposed protocol achieves EUF-CMA security under the ECDLP assumption.

Proof. Theorem 15 is derived directly from Lemmas 13 and 14.

5.3. Security Strength

(1)Data confidentiality and integrity: each is calculated as , where , can only be recovered by the RSU. The confidentiality of the data is proved in Theorem 12. Moreover, the RSU is able to decrypt and verify the received data. Thus, the integrity of the data is ensured.(2)Mutual authentication: each mobile sensor authenticates itself by sending to the RSU. Only the RSU which keeps the private key () can recover . Besides, the RSU authenticates each sensor by verifying the received data. The unforgeability of the data is proved in Theorem 15.(3)Anonymity: according to the specification of the proposed protocol, the real identity of each mobile sensor cannot be retrieved from the ciphertext. Thus, the proposed protocol achieves anonymity.(4)Key escrow resilience: the proposed protocol is designed under the certificateless cryptosystem. Specifically, CC is only allowed to issue the partial private key for each mobile sensor . The adversary is unable to obtain the full private key () of even if CC is compromised. Thus, this protocol achieves key escrow resilience.

5.4. Comparison

The comparison of the security properties is presented in Table 1, which includes data confidentiality and integrity (DCI), mutual authentication (MA), anonymity (AN), key escrow resilience (KER), and timing attack resilience (TAR). The timing attack is considered as a kind of side-channel attack [29]. In the execution of the cryptographic protocols, variations of the executing timing can leak some information if sensitive data is involved. By measuring the time which the sensors take to perform the cryptographic operations, the adversary is able to obtain some secret parameters of the sensors. It is required to reduce the computation overhead of the sensors. According to this comparison, it can be concluded that the proposed protocol is able to achieve all of the security goals, while Basudan et al.’s [20] protocol fails to achieve mutual authentication.

The comparison of the communication overhead is presented in Figure 2. To get an intuitive comparison of the efficiency, the practical performance of the protocols is presented in Figures 3–5, respectively. To ensure the consistency, the 80-bit security level (RSA-1024 bit, ECC-160 bit equivalent) is adopted for both protocols. The implementation is based on a common hardware platform with Intel Core i5-4460 CPU at 3.2 GHz using the PBC library [30]. According to this comparison, it can be concluded that the proposed protocol outperforms the related works in terms of communication and computation overhead.

6. Conclusion

The security and privacy concerns are essential and challenging issues in road surface condition monitoring system. In this paper, the security flaw of a certificateless data aggregation protocol in [20] for monitoring system is pointed out. After that, a light-weight and anonymous data aggregation protocol is introduced, which is constructed by combining a CL-A-SC scheme and the fog computing architecture. The proposed protocol is proved secure under the random oracle model and achieves desirable security properties including data confidentiality, mutual authentication, anonymity and key escrow resilience. Besides, an experimental simulation of the proposed protocol and the protocol in [20] is presented. According to the comparison results, the proposed protocol is efficient and more practical for the road surface condition monitoring system.

Appendix

A. Proof of Lemma 10

Given an input of the assumption, the task of the challenger is to calculate with the support of adversary . Assume is able to break the Ind-CCA-II security with the advantage .

A.1. Setup

randomly chooses and sets and the public parameters , where , , and are considered to be random oracles. Let denote the maximum number of queries on . randomly chooses .

A.2. Training

and interactively play the game as follows:(i) query: an initially empty list associated with this query is maintained by . If there is a tuple in , returns to as the response of the input . Otherwise, randomly chooses and adds the tuple into . After that, returns to .(ii) query: let denote the maximum number of queries on . An initially empty list associated with this query is maintained by . If there is a tuple in , returns to as the response of the input . Otherwise, randomly chooses and adds the tuple into . After that, returns to .(iii) query: let denote the maximum number of queries on . An initially empty list associated with this query is maintained by . If there is a tuple in , returns to as the response of the input . Otherwise, randomly chooses and adds the tuple into . After that, returns to .(iv)Secret-Value-Extraction: let denote the maximum number of queries on this oracle. An initially empty list associated with this query is maintained by . Upon receiving this query on such that , aborts this simulation. Otherwise, performs as follows: If there is a tuple in , returns to as the response of the input . Otherwise, randomly chooses and calculates . After that, adds the tuple into and returns to .(v)Partial-Private-Key-Extraction: an initially empty list associated with this query is maintained by . If , randomly chooses and calculates . After that, adds the tuple into and returns to as the response of the input . Otherwise, performs the following steps. If there is a tuple in , returns to . Otherwise, randomly chooses and calculates . After that, adds the tuple into and into and returns to .(vi)Public-Key-Extraction: if there is a tuple in , returns to as the response of the input . Otherwise, queries the Partial-Private-Key-Extraction and returns to .(vii)Public-Key-Replacement: if there is a tuple in , also updates into , in .(viii)Signcryption: let denote the maximum number of queries on this oracle. , are considered to be the identity of sender and receiver, respectively. This query is executed as follows:(1)If and , the algorithm is executed by , who knows .(2)Else if and , randomly chooses , calculates , and sets , where is obtained by either searching in or asking the query. Note that, if such query has been responded with a different value before, aborts this simulation. The tuples and are outputted by searching and , respectively. calculates , and searches in . If there is no such tuple in , randomly chooses and adds the tuple into . After that, calculates and returns to .(ix)Designcryption: , are considered to be the identity of sender and receiver, respectively. This query is executed as follows:(1)If and , the Designcryption algorithm is executed by , who knows .(2)If and , queries and searches the tuple in such that . checks if . If the verification holds, returns to . Otherwise, aborts this simulation.

A.3. Challenge

Eventually, sends to . It is required that there exists such that . Thus, the solution of the CDH problem is calculated by as follows:(1) randomly chooses . For ranges from 1 to , queries to get . After that, randomly chooses and calculates , , where is defined as . sets , and constructs .(2) generates the aggregate signcryption on and then sends to .

adaptively queries the same oracles as the Training phase. Note that, is not allowed to query the Designcryption oracle on with the receiver whose identity is .

A.4. Guess

Returns to . If , calculates the solution of the instance as

To solve the CDH problem, it is required that the following events are executed successfully by :(i): any of ’s Secret-Value-Extraction query is not aborted by .(ii): any of ’s Signcryption query is not aborted by .(iii): there exists such that in .(iv): the returned by is valid.

The probability that solves the CDH problem is denoted as , which is decomposed as

Claim A.1. The probability that any of ’s Secret-Value-Extraction query is not aborted by is at least . Thus, .

Proof. Upon receiving a Secret-Value-Extraction query, aborts the simulation if the query is on . Obviously, the probability that does not abort a Secret-Value-Extraction query is . Since is able to ask at most times of such queries, the probability of this event is as least .

Claim A.2. The probability that any of ’s Signcryption query is not aborted by is at least . Thus, .

Proof. Upon receiving a Signcryption query, aborts the simulation if the included query on oracle has been responded with a different value before. Obviously, the probability that does not abort a Signcryption query is . Since is able to ask at most such queries, the probability of this event is as least .

Claim A.3. The probability that there exists such that in is at least .

Proof. If , occur, aborts the simulation unless there exists in . Thus .

Claim A.4. The probability that the is valid is at least . Thus, .

Proof. Because is able to break the Ind-CCA-II security with the advantage , can check the validity of with advantage . Thus, the probability of this event is as least .

In this way, the probability that solves the CDH problem is calculated as

B. Proof of Lemma 13

Given an input of the assumption, the task of the challenger is to calculate with the support of adversary . Assume is able to forge a valid signcryption with advantage .

B.1. Setup

randomly chooses and calculates . After that, sets the public parameters and sends to , where , , and are considered to be random oracles. Let denote the maximum number of queries on . randomly chooses .

B.2. Training

In this phase, queries the same oracles and receives the same responses as the proof of Lemma 10.

B.3. Forgery

Eventually, returns a forged aggregate signcryption on messages with mobile sensors, where . Note that identities and public keys of the mobile sensors form the lists , , respectively, and the messages form the list . It is required that there exists such that and the oracle Signcryption has not been queried. Moreover, the forged aggregate signcryption must be valid. Thus, the solution of the problem is calculated by as follows:(1)If these is a tuple in such that , , , retrieves . Otherwise, aborts this game.(2)If the verification holds in Aggregate-Verification algorithm by inputting , replays this game with the same random tape with different choices of , oracles. Thus, another two forged aggregate signcryption schemes and are returned by . The following equations hold if these signatures are valid: In this equation, . Because , , , , (B.1) is denoted as In (B.1) and (B.2), the values of , , and are unknown to . The value of is calculated as follows: Consequently, the value of is calculated as

To solve the problem, it is required that the following events are executed successfully by :(i): any of ’s Secret-Value-Extraction query is not aborted by .(ii): any of ’s Signcryption query is not aborted by .(iii): the forged aggregate signcryption generated by is valid.(iv): if occurs, there exists such that .

The probability that solves the ECDLP problem is denoted as , which is decomposed asHere, is calculated as the proof of Lemma 10.

Claim B.1. The probability that generates a valid forged aggregate signcryption is at least . Thus, .

Proof. If ’s Secret-Value-Extraction query and Signcryption query are not aborted by , is able to forge signcryption with advantage . Thus, the probability of this event is as least .

Claim B.2. The probability that does not abort the simulation on receiving a valid forged signcryption is at least .

Proof. If , , and occur, aborts the simulation unless returns a forgery such that . Thus .

In this way, the probability that solves the ECDLP problem is calculated as

Symbols

:	The road condition report generated by on
:	The th road condition
:	The th mobile sensor with identity
:	The time when sensed
:	The location where occurred
:	The action signal about
:	The realtime message generated by on .

Conflicts of Interest

The authors declare that they have no conflicts of interest.

Acknowledgments

This work was supported in part by the National Science Foundation of China (nos. 61370026, U1401257, 61672002, 61672135, 61602096, 61502087), Science and Technology Project of Guangdong Province (no. 2016A010101002), 13th Five-Year Plan of National Cryptography Development Fund for Cryptographic Theory of China (MMJJ20170204), Sichuan Science-Technology Support Plan Program (nos. 2016JZ0020, 2016GZ0065, 2016GZ0063), and Fundamental Research Funds for the Central Universities (nos. ZYGX2016J091, ZYGX2015J072).

References

M. Perttunen, O. Mazhelis, F. Cong et al., “Distributed road surface condition monitoring using mobile phones,” Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics): Preface, vol. 6905, pp. 64–78, 2011.
View at: Publisher Site | Google Scholar
M. Ndoye, A. M. Barker, J. V. Krogmeier, and D. M. Bullock, “A recursive multiscale correlation-averaging algorithm for an automated distributed road-condition-monitoring system,” IEEE Transactions on Intelligent Transportation Systems, vol. 12, no. 3, pp. 795–808, 2011.
View at: Publisher Site | Google Scholar
L. Zhou, R. Q. Hu, Y. Qian, and H.-H. Chen, “Energy-spectrum efficiency tradeoff for video streaming over mobile ad hoc networks,” IEEE Journal on Selected Areas in Communications, vol. 31, no. 5, pp. 981–991, 2013.
View at: Publisher Site | Google Scholar
Q. Jiang, Z. Chen, B. Li, J. Shen, L. Yang, and J. Ma, “Security analysis and improvement of bio-hashing based three-factor authentication scheme for telecare medical information systems,” Journal of Ambient Intelligence and Humanized Computing, 2017.
View at: Publisher Site | Google Scholar
G. Mauri, M. Gerla, F. Bruno, M. Cesana, and G. Verticale, “Optimal Content Prefetching in NDN Vehicle-to-Infrastructure Scenario,” IEEE Transactions on Vehicular Technology, vol. 66, no. 3, pp. 2513–2525, 2017.
View at: Publisher Site | Google Scholar
S. Bitam, A. Mellouk, and S. Zeadally, “VANET-cloud: A generic cloud computing model for vehicular Ad Hoc networks,” IEEE Wireless Communications Magazine, vol. 22, no. 1, pp. 96–102, 2015.
View at: Publisher Site | Google Scholar
C.-C. Lee, Y.-M. Lai, and P.-J. Cheng, “An efficient multiple session key establishment scheme for VANET group integration,” IEEE Intelligent Systems, vol. 31, no. 6, pp. 35–43, 2016.
View at: Publisher Site | Google Scholar
C.-T. Li, C.-C. Lee, and C.-Y. Weng, “A Secure Cloud-Assisted Wireless Body Area Network in Mobile Emergency Medical Care System,” Journal of Medical Systems, vol. 40, no. 5, article no. 117, 2016.
View at: Publisher Site | Google Scholar
F. Bonomi, R. Milito, J. Zhu, and S. Addepalli, “Fog computing and its role in the internet of things,” in Proceedings of the 1st ACM Mobile Cloud Computing Workshop, MCC 2012, pp. 13–15, Finland, August 2012.
View at: Publisher Site | Google Scholar
S. Yi, C. Li, and Q. Li, “A survey of fog computing: concepts, applications and issues,” in Proceedings of the Workshop on Mobile Big Data (Mobidata '15), pp. 37–42, ACM, Hangzhou, China, June 2015.
View at: Publisher Site | Google Scholar
O. Osanaiye, S. Chen, Z. Yan, R. Lu, K.-K. R. Choo, and M. Dlodlo, “From Cloud to Fog Computing: A Review and a Conceptual Live VM Migration Framework,” IEEE Access, vol. 5, pp. 8284–8300, 2017.
View at: Publisher Site | Google Scholar
I. Stojmenovic, “Fog computing: A cloud to the ground support for smart things and machine-to-machine networks,” in Proceedings of the 2014 Australasian Telecommunication Networks and Applications Conference, ATNAC 2014, pp. 117–122, Australia, November 2014.
View at: Publisher Site | Google Scholar
C.-C. Lee, I.-E. Liao, and M.-S. Hwang, “An efficient authentication protocol for mobile communications,” Telecommunication Systems, vol. 46, no. 1, pp. 31–41, 2011.
View at: Publisher Site | Google Scholar
X. Li, J. Peng, S. Kumari, F. Wu, M. Karuppiah, and K. Raymond Choo, “An enhanced 1-round authentication protocol for wireless body area networks with user anonymity,” Computers & Electrical Engineering, 2017.
View at: Publisher Site | Google Scholar
Y. Zheng, “Digital signcryption or how to achieve cost (signature & encryption) cost(signature) + cost(encryption),” in Advances in Cryptology—CRYPTO '97. Proceedings 17th Annual International Cryptology Conference Santa Barbara, California, USA August 17–21, 1997, vol. 1294 of Lecture Notes in Computer Science, pp. 165–179, 1997.
View at: Publisher Site | Google Scholar
M. Barbosa and P. Farshim, “Certificateless signcryption,” in Proceedings of the ACM Symposium on Information, Computer and Communications Security (ASIACCS '08), pp. 369–372, ACM, March 2008.
View at: Publisher Site | Google Scholar
S. S. D. Selvi, S. S. Vivek, J. Shriram, S. Kalaivani, and C. P. Rangan, “Identity based aggregate signcryption schemes,” Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics): Preface, vol. 5922, pp. 378–397, 2009.
View at: Publisher Site | Google Scholar
C. Gentry and A. Silverberg, “Hierarchical {ID}-based cryptography,” in Advances in cryptology---{ASIACRYPT} 2002, vol. 2501 of Lecture Notes in Comput. Sci., pp. 548–566, Springer, Berlin, 2002.
View at: Publisher Site | Google Scholar | MathSciNet
S. S. Al-Riyami and K. G. Paterson, “Certificateless public key cryptography,” in Advances in Cryptology-ASIACRYPT, vol. 2894 of Lecture Notes in Computer Science, pp. 452–473, Springer, 2003.
View at: Publisher Site | Google Scholar | MathSciNet
S. Basudan, X. Lin, and K. Sankaranarayanan, “A privacy-preserving vehicular crowdsensing based road surface condition monitoring system using fog computing,” IEEE Internet of Things Journal, no. 99, pp. 1–1, 2017.
View at: Publisher Site | Google Scholar
H. Xiong and Z. Qin, “Revocable and scalable certificateless remote authentication protocol with anonymity for wireless body area networks,” IEEE Transactions on Information Forensics and Security, vol. 10, no. 7, pp. 1442–1455, 2015.
View at: Publisher Site | Google Scholar
Z. Eslami and N. Pakniat, “Certificateless aggregate signcryption: Security model and a concrete construction secure in the random oracle model,” Journal of King Saud University - Computer and Information Sciences, vol. 26, no. 3, pp. 276–286, 2014.
View at: Publisher Site | Google Scholar
Q. Jiang, S. Zeadally, J. Ma, and D. He, “Lightweight three-factor authentication and key agreement protocol for internet-integrated wireless sensor networks,” IEEE Access, vol. 5, pp. 3376–3392, 2017.
View at: Publisher Site | Google Scholar
C.-C. Lee, Y.-M. Lai, C.-T. Chen, and S.-D. Chen, “Advanced Secure Anonymous Authentication Scheme for Roaming Service in Global Mobility Networks,” Wireless Personal Communications, vol. 94, no. 3, pp. 1281–1296, 2017.
View at: Publisher Site | Google Scholar
X. Li, A. K. Sangaiah, S. Kumari, F. Wu, J. Shen, and M. K. Khan, “An efficient authentication and key agreement scheme with user anonymity for roaming service in smart city,” Personal and Ubiquitous Computing, vol. 21, no. 5, pp. 791–805, 2017.
View at: Publisher Site | Google Scholar
D. Wang, N. Wang, P. Wang, and S. Qing, “Preserving privacy for free: Efficient and provably secure two-factor authentication scheme with user anonymity,” Information Sciences, vol. 321, Article ID 11496, pp. 162–178, 2015.
View at: Publisher Site | Google Scholar
H. Xiong, “Cost-effective scalable and anonymous certificateless remote authentication protocol,” IEEE Transactions on Information Forensics & Security, vol. 9, no. 12, pp. 2327–2339, 2014.
View at: Publisher Site | Google Scholar
M. Bellare and P. Rogaway, “Random oracles are practical: a paradigm for designing efficient protocols,” in Proceedings of the 1st ACM Conference on Computer and Communications Security, pp. 62–73, November 1993.
View at: Google Scholar
C. Chen, T. Wang, and J. Tian, “Improving timing attack on {RSA}-{CRT} via error detection and correction strategy,” Information Sciences, vol. 232, pp. 464–474, 2013.
View at: Publisher Site | Google Scholar | MathSciNet
B. Lynn, Pbc library, Online: http://crypto. stanford. edu/pbc.

Copyright

Copyright © 2018 Yanan Chen et al. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

PDF Download Citation

Download other formats

Order printed copies

Views

1405

Downloads

1131

Citations