Abstract

Certificateless public key cryptosystems solve both the complex certificate management problem of PKI-based public key cryptosystems and the key escrow issue of identity-based public key cryptosystems. An aggregator can compress n different signatures on n messages from n signers into a single aggregate signature, which helps communication equipment save a great deal of bandwidth and computing resources. Therefore, the certificateless aggregate signature (CLAS) scheme is particularly well suited to address secure routing authentication issues in resource-constrained vehicular ad hoc networks. Unfortunately, most of the existing CLAS schemes have problems with security vulnerabilities or high computation and communication overheads. To avoid the above issues and better solve the secure routing authentication problem in vehicular ad hoc networks, we present a new CLAS scheme and give the formal security proof of our scheme under the CDH assumption in the random oracle model. We then evaluate the performance of our proposed CLAS scheme, and the results demonstrate that our proposal is more practical in resource-constrained vehicular ad hoc networks.

1. Introduction

Vehicular ad hoc networks (VANETs) have drawn comprehensive attention in recent years as they help enhance driving safety and optimize transportation systems [1, 2]. Figure 1 shows a typical VANET architecture in a vehicle-road cooperative system. The VANET is based on sensor detection and wireless communication technology to obtain vehicle road information, which is usually composed of road trusted authorities (TAs), road side units (RSUs) along the roads, and on-board units (OBUs) installed in the vehicles. Through vehicle-vehicle and vehicle-road information exchange and sharing, the traffic control center can effectively understand the traffic environment, further realize the intelligent cooperation between vehicles and the infrastructure, and finally achieve the goal of optimizing system resources and improving road traffic.

Just as everything has two sides, VANETs bring convenience to people’s lives while also facing great security challenges. On the one hand, mobile VANETs, by exchanging information between vehicles, can enhance the safety of the vehicle and thus ensure passenger safety. On the other hand, their dynamic topology and lack of centralized management make it difficult for users to identify nodes with malicious behavior in VANETs. VANETs may suffer from malicious attacks such as message tampering, false message sending, and denial of service (DoS) [3]. This means that, in a VANET, there may be malicious nodes broadcasting false information to other nodes and attempting to disrupt route discovery or data transmission, and because the VANET is a network where vehicles are constantly changing positions, secure routing is essential.

To defend against the intruder’s attack, VANETs’ security design should meet the security attributes such as authenticity, privacy, and integrity. Among them, authenticity can ensure the reliability of a message by correctly identifying the identity of the sender, which can be used to solve the problem of secure routing authentication. Privacy refers to the private communication by using pseudonyms between communication entities. Integrity is the mechanism by which information cannot be tampered with or discarded as it is transmitted from the sender to the receiver. The above attributes are important factors that enable the public to accept and successfully deploy VANETs.

Digital signatures [4, 5] can provide routing authentication, integrity detection, and nonrepudiation. Anyone should be able to verify the validity of the signature through the signer’s public key, which helps to achieve efficient and secure communication between nodes in the VANET. However, RSUs and traffic control centers in the VANET (generally verified by TAs) all need to verify a large number of route-related signatures in high-density communication scenarios [2], which results in a higher computational burden for nodes, especially for nodes in resource-constrained networks. In these situations, it is best to limit the digital signature’s communication requirements (i.e., size). One accepted solution is aggregate signature technology, which is the best choice for solving the above problems.

Because the aggregate signature can reduce the node authentication overhead and the certificateless cryptosystem can solve certificate management and key escrow problems existing in the traditional cryptosystem, many researchers combine certificateless cryptography and aggregate signature to further propose various CLAS schemes. The CLAS can not only prevent the routing information from being forged, tampered, and impersonated but also ensure the integrity of the routing information and provide authentication and nonrepudiation for the routing information sender. In this paper, we put forward a CLAS scheme for the practical application environment of the VANETs.

1.1. Our Research Contributions

In this paper, we put forward a novel CLAS scheme which could better support reliable routing information delivery in highly dynamic VANETs. The main contributions of this paper are summarized as follows:
(i) Firstly, we define a typical VANET architecture for an emergency linkage scheduling environment, which is closer to the actual application scenario.
(ii) Secondly, we present a CLAS scheme for VANETs, and our new scheme can provide secure routing for VANETs while meeting the security requirements.
(iii) Finally, we prove the security and evaluate the performance of the newly proposed CLAS scheme.

1.2. Organization of the Paper

The remainder of this paper is organized as follows: Section 2 describes the related work. Section 3 gives the problem statement related to our paper, and then we present details of the proposed CLAS scheme in Section 4. Furthermore, in Sections 5 and 6, the security proof and the performance analysis are presented. Finally, we give the conclusion of our work in Section 7.

2. Related Work

To achieve the identity authentication of the message sender and then establish a trust relationship between the nodes, many digital signature schemes have been put forward successively. In a traditional PKI-based public key cryptosystem [6–8], each user has a key pair consisting of a public key and a private key, where the former remains public and the latter remains secret. To ensure the correspondence between the user’s public key and his/her identity, the certificate authority (CA) needs to issue and maintain a certificate for the user, which involves various certificate management issues such as certificate distribution, storage, and revocation.

In the identity-based public key cryptosystem (ID-PKC) [9–12], the public key is selected by the user himself/herself, and the user’s private key is produced by the private key generator (PKG) based on his/her identity information. Because no certificate is required, the ID-PKC can eliminate the problem of certificate management in the PKI. However, since the PKG can obtain any user’s private key, the ID-PKC suffers from a key escrow issue, which means the PKG must be fully trusted by all users, and this assumption is too strong in some applications.

To solve the problems existing in the above two cryptosystems, researchers in [13] first put forward a certificateless public key cryptosystem (CL-PKC). In the CL-PKC, the user’s public key is produced by the user himself/herself, and the user’s full private key is generated by the cooperation between the KGC and the user. The former is responsible for generating the partial private key based on the user’s identity, and the latter is responsible for generating the secret value. Therefore, CL-PKC can not only solve the complex certificate management problem in the PKI-based cryptography but also solve the inherent key escrow issue in the identity-based cryptography [14].

The advantages of the CL-PKC have aroused the enthusiasm of researchers, and many certificateless signature (CLS) schemes have been proposed [2, 15, 16]. Huang et al. [15] demonstrated that the CLS scheme proposed in [13] could not resist the public key replacement attack and further proposed an improved CLS scheme. Yum and Lee [2] introduced a generic CLS construction. However, Hu et al. [16] indicated that their scheme is insecure and further proposed an improved CLS scheme. Au et al. [17] proposed an enhanced security model that allows the malicious KGC to produce key pairs in any way. Nevertheless, the certificateless signature schemes proposed in [18, 19] have been found to be insecure against malicious KGC attacks.

Boneh et al. [20] proposed the concept of aggregate signature in Eurocrypt 2003. The aggregator can compress n different signatures with respect to n messages from n different signers into an aggregate signature. The verifier can authenticate the multiple senders simply by verifying the short aggregate signature, which can save the bandwidth and computational cost of mobile devices in VANETs. Because aggregate signatures greatly shorten the length of the signature, they are especially suitable for applications in resource-constrained VANETs.

Gong et al. [21] combined the certificateless public-key cryptosystem with the aggregate signature and then proposed the first CLAS scheme, but they did not present the formal security proof of the scheme. After the groundbreaking work [21], many CLAS schemes [22–27] were proposed for various practical application scenarios. Zhang and Zhang [22] redefined the concept and security model for the CLAS scheme and proposed a new CLAS scheme, but their scheme has been proven to not resist malicious KGC attacks.

Xiong et al. [23] proposed a CLAS scheme, but He et al. [24] found that their scheme was falsifiable and further put forward a new CLAS scheme. The researchers [26, 27] have found that the CLAS scheme proposed in [25] is insecure for malicious KGC attacks. Horng et al. [28] proposed a CLAS scheme, but we found that the scheme cannot resist any type of adversary in the certificateless security model and the signature is falsifiable. More recently, Li et al. [29] demonstrated that there is a security defect in the CLAS scheme proposed in [24] and further put forward an improved CLAS scheme.

3. Problem Statement

In this section, we first describe the bilinear map and relational difficult problems and then introduce the system model of our proposed CLAS scheme. Finally, the system components of the CLAS scheme are given.

3.1. Bilinear Map

Suppose that and are two cyclic groups, where the prime number q is the order of and , and P is the generator of . is a bilinear map. For all , , and e should satisfy the following properties:
(1) Bilinearity: and .
(2) Nondegeneracy: there exists such that .
(3) Computability: there exists an efficient algorithm to calculate .

3.2. Complexity Assumption
3.2.1. Computational Diffie–Hellman (CDH) Problem

Given a generator P of an additive cyclic group with the order q and a random instance , it is difficult to calculate , where a and b remain unknown.

3.2.2. Computational Diffie–Hellman (CDH) Assumption

There does not exist an adversary A that can solve the CDH problem in probabilistic polynomial time with a nonnegligible probability , where is a very small number.

3.3. System Model

In this paper, we take the application of VANETs in the emergency linkage scheduling (ELS) environment as an example and give the corresponding VANET architecture that is shown in Figure 2. There are six types of entities in the VANET architecture: on-board unit (OBU), road side unit (RSU), key generation center (KGC), emergency command center (ECC), signature aggregator (SA), and trusted authority (TA). The entities are specifically defined as follows.

3.3.1. On-Board Unit

On-board unit is a device installed in the vehicle. Let denote the identity and denote the key pair of an OBU. Each OBU can use its private key to generate a signature for the relevant routing information and then send the signature to the signature aggregator.

3.3.2. Road Side Unit

Road side unit is a device installed on the side of the road, which can generate signatures for related messages, realize the exchange and sharing of the vehicle-road information, and further provide local real-time traffic information to the emergency command center.

3.3.3. Key Generator Center

Key generator center is a device responsible for generating the system parameters and the partial private key of each OBU or RSU according to its identity , which it then sends secretly to that OBU or RSU.

3.3.4. Emergency Command Center

Emergency command center is a device with strong computing power and plenty of storage space, which can obtain information on the accident scene and surrounding road conditions from OBUs or RSUs through the vehicle network emergency linkage system and further give corresponding emergency measures to improve rescue efficiency.

3.3.5. Signature Aggregator

Signature aggregator is a device with a certain computing power. It is responsible for collecting the single route-related signatures from OBUs or RSUs, generating an aggregate signature, and sending it to the corresponding TA.

3.3.6. Trusted Authority

Trusted authority is a device with a certain computing power. It is responsible for verifying the route-related aggregate signature and then outputting a verification result.

3.4. System Components

Our CLAS scheme for performing secure routing in VANETs is a collection of the following seven polynomial time algorithms:
(i) Setup is a probabilistic algorithm executed by the KGC, where k is the security parameter, is the system parameter list, s is the system master key, and is the system master public key.
(ii) Partial-Key-Gen is a probabilistic algorithm executed by the KGC, where is the system parameter list, is a user’s identity, and is the partial private key corresponding to the user’s identity .
(iii) User-Key-Gen is a randomized algorithm executed by the user with identity , where is the system parameter list, is the partial private key corresponding to the identity , and is the key pair of the user with the identity .
(iv) Sign is a randomized algorithm executed by the signer, where is the system parameter list, is the key pair of the signer, is the signer’s identity, is the message, and is the signature on the message .
(v) Verify is a probabilistic algorithm executed by the verifier, where is the system parameter list, is the signer’s identity, is the public key of the signer, is the message, and is the signature on the message ; 1 or 0 is the output to indicate whether the signature is validated.
(vi) Aggregate is a deterministic algorithm executed by the signature aggregator, where is the system parameter list, is the signer’s identity, is the public key of the signer, is the message, and is the signature on the message .
(vii) Aggregate-Verify is a deterministic algorithm executed by the aggregate verifier, where is the system parameter list and σ is the aggregate signature on the message with the identity and the public key . 1 or 0 is the output to indicate whether the aggregate signature σ is validated.

4. Our Proposed CLAS Scheme

To improve the security of routing information in VANETs, we propose a new CLAS scheme. Compared to previous works, our new scheme strives to achieve the following two goals: (1) to ensure the unforgeability of the signature scheme and (2) to improve the performance of the scheme. Our CLAS scheme includes seven phases: Setup, Partial-Key-Gen, User-Key-Gen, Sign, Verify, Aggregate, and Aggregate-Verify. The scheme details are described below.

4.1. Setup

The KGC generates the system parameters after obtaining the security parameter k by executing the following operations:
(1) The KGC generates two cyclic groups and with the order q, where q is a prime number. P is a generator of . is a bilinear pairing.
(2) The KGC randomly selects as the master key and calculates as the public key.
(3) The KGC selects four hash functions: , , , and .
(4) The KGC keeps s secret and public.

4.2. Partial-Key-Gen

The KGC produces the user’s partial private key by executing the following operations:
(1) Given as a user’s identity, the KGC first calculates and then computes the user’s partial private key .
(2) The KGC secretly sends to the corresponding user.

4.3. User-Key-Gen

A user with the identity generates his/her full private key and public key by executing the following operations:
(1) The user randomly selects as the secret value.
(2) The user sets as the user’s full private key.
(3) The user computes as the user’s public key.

4.4. Sign

A signer with the identity produces a signature on the message by executing the following operations:
(1) The signer inputs the system parameters , the signature key pair , and the message .
(2) The signer selects randomly and then computes .
(3) The signer computes , , and .
(4) The signer computes .
(5) The signer outputs as the signature on the message .

4.5. Verify

The verifier verifies the signature on the message with identity by executing the following operations:
(1) The verifier computes , , , and .
(2) The verifier verifies the following:
(3) If equation (1) holds, it emits 1 and the verifier accepts ; otherwise, it emits 0 and the verifier rejects .

4.6. Aggregate

The aggregator generates the aggregate signature σ from user-message-public key-signature pairs by executing the following operations:
(1) The aggregator inputs n tuples , where .
(2) The aggregator computes .
(3) The aggregator outputs as the aggregate signature, where .

4.7. Aggregate-Verify

The aggregate verifier verifies the validity of the aggregate signature by executing the following operations:
(1) The aggregate verifier inputs the tuples and the aggregate signature .
(2) The aggregate verifier computes ; furthermore, for , the aggregate verifier computes , , and .
(3) The aggregate verifier verifies the following:
(4) If equation (2) holds, it emits 1 and the verifier accepts the aggregate signature σ; otherwise, it emits 0 and the verifier rejects σ.

Our proposed CLAS scheme is correct if and only if the single signature and aggregate signature generated using our scheme can satisfy equations (1) and (2), respectively, where the correctness of the scheme is elaborated as follows:

5. Security Analysis

In this section, we analyze the security of our proposed CLAS scheme. We first give the security model of a CLAS scheme and then prove that our proposal can satisfy signature unforgeability under the security model. At last, we demonstrate a comparative summary of the security between our CLAS scheme and three recently published CLAS schemes.

5.1. Security Model

There exist two types of adversaries in the CLAS security model: and . simulates an outside attacker, who cannot obtain the system master key but can replace any user’s public key. simulates a KGC, an internal attacker, who can obtain the system master key but cannot replace any user’s public key.

Definition 1. The security model of a CLAS scheme is defined by two games (denoted by Game1 and Game2) played between an adversary and a challenger ; more details are defined below.
can access the following six random oracles in the security model.

5.1.1. Setup

executes the algorithm to generate the system master key s and . For different types of adversaries, will make a corresponding response.

5.1.2. Reveal-Partial-Key

When the challenger receives a partial private key query from for a user with the identity , first checks if holds. If it holds, it aborts; otherwise, it checks if there is a record corresponding to the identity in the list . If it exists, then is sent to ; otherwise, it generates , sends it to , and stores it in the list .

5.1.3. Reveal-Secret-Key

When the challenger receives a secret value query from for a user with the identity , first checks if holds. If it holds, it aborts; otherwise, it checks if there is a record corresponding to the identity in the list . If it exists, then is sent to ; otherwise, it generates , sends it to , and stores it in the list .

5.1.4. Reveal-Public-Key

When the challenger receives a public key query from for a user with the identity , first checks if there is a record corresponding to the identity in the list . If it exists, then is sent to ; otherwise, it generates , sends it to , and stores it in the list .

5.1.5. Replace-Public-Key

When the challenger receives a query that replaces the public key on the identity with choice of public key , first checks if there is a record corresponding to the identity in the list . If it exists, then it updates the corresponding item to in the list ; otherwise, it aborts.

5.1.6. Sign

When the challenger receives a signature query on the message with the signer’s identity , first checks whether the target user has been created. If the user has not been created, it aborts; otherwise, if the target user has been created and the related user public key has not been replaced, then a valid signature is returned; otherwise, if the target user has been created and the corresponding user public key has been replaced with , then a signature is returned.

We next define two games to describe two different types of attackers in the CLAS scheme.

(1) Game1. The challenger interacts with the adversary as follows:
(1) inputs a security parameter k and generates the system master key s and the system parameter list by running the algorithm. Then, sends to and keeps s secret.
(2) can access any hash oracle and , , , , and queries at any phase.

(2) Forgery. outputs an aggregate signature with respect to n pairs , where . We say that wins Game1 if and only if the following conditions are met:
(1) is a valid aggregate signature with respect to pairs , where .
(2) The targeted identity has not been submitted during the query.
(3) has not been submitted during the query.

(3) Game2. The challenger interacts with the adversary as follows:
(1) inputs a security parameter k and generates the system master key s and the system parameter list by running the algorithm. Then, returns and s to .
(2) can access any hash oracle and , , and queries at any phase.

(4) Forgery. outputs an aggregate signature with respect to pairs , where . We say that wins Game2 if and only if the following conditions are met:
(1) is a valid aggregate signature with respect to user-message-public key-signature pairs , where .
(2) The targeted identity has not been submitted during the query.
(3) has not been submitted during the query.

5.2. Security Proof

In this section, we prove that our proposed CLAS scheme is secure under the security model presented in Section 5.1. Our security proof consists of the following two parts: (1) the CLAS scheme is unforgeable against the type 1 adversary and (2) the CLAS scheme is unforgeable against the type 2 adversary .

Theorem 1. Our proposed CLAS scheme is existentially unforgeable against the adversary , if the CDH problem is difficult to solve in .

Proof. We can prove the unforgeability of our CLAS scheme against with Game1 that involves an adversary and a simulator C.
Given a random instance of the CDH problem , where P is a generator of , our goal is to calculate the value of by solving the CDH problem. The specific proof process is as follows:
(i) Setup: C randomly selects as the identity of the target user challenged, sets , and generates and sends the system parameter to . executes the following queries.
(ii) query: C maintains a list whose structure is , and all the elements in are initialized to null. When C receives a query with the identity from , it first checks whether the tuple exists in ; if it exists, it sends to ; otherwise, C randomly selects and . If , ; otherwise, if , . It sends to and stores to .
(iii) query: C maintains a list whose structure is , and all the elements in are initialized to null. When C receives a query with from , it checks if a tuple exists in ; if it exists, it sends Z to ; otherwise, C randomly selects and computes . It sends Z to and stores to .
(iv) query: C maintains a list whose structure is , and all the elements in are initialized to null. When C receives a query with the tuple from , it checks whether a tuple exists in ; if it exists, it sends to ; otherwise, C randomly selects . It returns to and stores to .
(v) query: C maintains a list whose structure is , and all the elements in are initialized to null. When C receives a query with the tuple from , it checks if a tuple exists in ; if it exists, it sends to ; otherwise, C randomly selects . It returns to and stores to .
(vi) Reveal-Partial-Key queries: C maintains a list whose structure is , and all the elements in are initialized to null. When C receives a query with the identity from , it first checks whether ; if it holds, it outputs ; otherwise, it checks if a tuple exists in ; if it exists, it sends to ; otherwise, C recalls the corresponding tuple from the list and computes . It sends to and stores to .
(vii) Reveal-Secret-Key queries: C maintains a list whose structure is , and all the elements in are initialized to null. When C receives a query with the identity from , it first checks whether ; if it holds, it outputs ; otherwise, it checks if a tuple exists in ; if it exists, it sends to ; otherwise, C randomly selects . It sends to and stores to .
(viii) Reveal-Public-Key queries: C maintains a list whose structure is , and all the elements in are initialized to null. When C receives a query with the identity from , it first checks whether a tuple exists in ; if it exists, it sends to ; otherwise, C accesses to get and computes . It sends to and stores to .
(ix) Replace-Public-Key queries: when C receives a query with the tuple from , in response, C replaces the real public key of with chosen by in .
(x) Sign queries: when C receives a query with the tuple from , C accesses , , , and to get , , Z, , and , respectively. Furthermore, C chooses a random and computes ; if , C computes ; otherwise, if , C computes . C sends to as the signature on the message with the identity and the public key .
(xi) Forgery: finally, outputs a forged aggregate signature from message-identity-public key pairs , where . If all holds, aborts; otherwise, without loss of generality, let , that is, , , , and then the forged signature can make the following equation hold:
where , , , , and .
Furthermore, the derivation process is shown as
However, this is in contradiction with the CDH assumption, so the single signature and the aggregate signature generated by our proposed scheme satisfy unforgeability.

Theorem 2. Our proposed CLAS scheme is existentially unforgeable against the adversary , if the CDH problem is difficult to solve in .

Proof. We can prove the unforgeability of our CLAS scheme against with Game2 that involves an adversary and a simulator C.
Given a random instance of the CDH problem , where P is the generator of , our goal is to calculate the value of by solving the CDH problem. The specific proof process is as follows:
(i) Setup: C randomly selects as the identity of the target user challenged, sets , and generates and sends and the system master key λ to . executes the following queries: , , and Reveal-Secret-Key queries are the same as the corresponding queries in Theorem 1. Since can access the system master key, there is no need for the Reveal-Partial-Key queries and Replace-Public-Key queries.
(ii) query: C maintains a list whose structure is , and all the elements in are initialized to null. When C receives a query with the identity from , it first checks whether the tuple exists in ; if it exists, it sends to ; otherwise, C randomly selects , sets , sends to , and stores to .
(iii) query: C maintains a list whose structure is , and all the elements in are initialized to null. When C receives a query with from , it checks if a tuple exists in ; if it exists, it sends Z to ; otherwise, C randomly selects and computes . It sends Z to and stores to .
(iv) Reveal-Public-Key queries: C maintains a list whose structure is , and all the elements in are initialized to null. When C receives a query with the identity from , it first checks whether a tuple exists in ; if it exists, it sends to ; otherwise, C selects a random value ; if , C accesses to get and computes ; otherwise, if , C randomly chooses and computes . It sends to and stores to .
(v) Sign queries: when C receives a query with the tuple from , C accesses , , , and to get , , Z, , and , respectively. Furthermore, C chooses a random and computes ; if , C computes ; otherwise, if , C computes . It sends to as the signature on the message with the identity and the public key .
(vi) Forgery: finally, outputs a forged aggregate signature from message-identity-public key pairs , where . If all holds, aborts; otherwise, without loss of generality, let , that is, , , and then the forged signature can make the following equation hold:
where , , , , , and .
Furthermore, the derivation process is shown as
However, this is in contradiction with the CDH assumption, so the single signature and the aggregate signature generated by our proposed scheme satisfy unforgeability.

6. Security Comparisons and Performance Analysis

In this section, we first compare the security of the new CLAS scheme and the other three CLAS schemes and then further analyze the performance advantages of the new CLAS scheme by evaluating the computation overhead.

6.1. Security Comparisons

In this section, we compare the security of our proposed CLAS scheme with that of the other three CLAS schemes [21, 25, 29]. For ease of description, let and denote the type 1 and the type 2 adversaries, respectively. Furthermore, the two types of adversaries are divided into three levels [30], where denotes the general adversary, denotes the strong adversary, and denotes the superadversary, respectively, and ; the value of i corresponds to the type i adversary. denotes that a scheme satisfies the corresponding security requirement, and denotes that it does not. denotes the weaker security, and S denotes the stronger security under the corresponding attack types. denotes the security performance. The security comparison of the various schemes is shown in Table 1.

From Table 1, we can see that the first two schemes (i.e., Gong et al.’s scheme [21] and Liu et al.’s scheme [25]) cannot meet all security attributes. In particular, neither of Gong et al.’s two CLAS schemes [21] could satisfy the security level of under attacks by the and adversaries. In contrast, Li et al.’s CLAS scheme [29] and our proposed CLAS scheme can meet all the security requirements.

6.2. Performance Analysis

In this section, we perform a performance analysis of the newly proposed CLAS scheme by comparing the computation overhead of our scheme with that of Li et al.’s scheme. To achieve a credible security level, we select q and p as 160-bit and 512-bit prime numbers, respectively. An Ate pairing is used in our experiments, where and are two cyclic groups with the same order q, defined on the supersingular elliptic curve .

We have implemented Li et al.’s scheme and our new scheme with the MIRACL library [31] on a Lenovo computer running the Windows 7 operating system, with an Intel i5-3470 3.20 GHz CPU and 4 GB of memory. For the sake of simplicity, we first define the symbols for the relevant operations and their execution times, as shown in Table 2.

Because the Setup, Partial-Key-Gen, and User-Key-Gen phases are executed by the KGC or the user, and all of them are one-time operations, we focus on the analysis and comparison of computational costs in the Sign, Verify, Aggregate, and Aggregate-Verify phases. Since the addition and multiplication of numbers in generate only a small computational overhead, we ignore them.

In the Sign phase, the user in Li et al.’s scheme needs to perform two general hash operations in , one map-to-point hash operation in , three point addition operations in , and five point multiplication operations in . Therefore, the time for generating a signature in the Sign phase is , whereas the user in our proposal needs to perform two general hash operations in , one map-to-point hash operation in , two point addition operations in , and three point multiplication operations in . Therefore, the time for generating a signature in the Sign phase is milliseconds.

In the Verify phase, the verifier in Li et al.’s scheme needs to execute two general hash operations in , two map-to-point hash operations in , two point addition operations in , two point multiplication operations in , and three bilinear pairing operations. Therefore, the time for verifying a signature in the Verify phase is , whereas the verifier in our proposal needs to perform two general hash operations in , two map-to-point hash operations in , one point addition operation in , two point multiplication operations in , and three bilinear pairing operations. Therefore, the time for verifying a signature in the Verify phase is milliseconds.

In the Aggregate phase, the aggregator in Li et al.’s scheme needs to execute point addition operations in , whereas the aggregator in our proposal needs to execute point addition operations in . We can see that the running time of the Aggregate phase in the two schemes is equal to milliseconds.

In the Aggregate-Verify phase, the aggregate verifier in Li et al.’s scheme needs to execute general hash operations in , map-to-point hash operations in , point addition operations in , point multiplication operations in , and three bilinear pairing operations. Therefore, the running time of the Aggregate-Verify phase is milliseconds, whereas the verifier in our proposal needs to perform general hash operations in , map-to-point hash operations in , point addition operations in , point multiplication operations in , and three bilinear pairing operations. Therefore, the running time of the Aggregate-Verify phase is milliseconds.

Suppose that , that is, there are 100 signatures that need to be generated, verified, aggregated, and aggregate-verified. From the results in Figure 3, we can see that Li et al.’s scheme has the same computation overhead as our new CLAS scheme in the Aggregate phase, whereas in the Sign, Verify, and Aggregate-Verify phases, the computation cost of our scheme is lower than that of Li et al.’s scheme. Especially in the phase, the computation cost of our scheme is reduced by 26 percentage points compared with that of Li et al.’s scheme. In summary, our presented CLAS scheme reduces the computation cost while meeting the security requirements.

7. Conclusion

Digital signatures can provide secure routing authentication, privacy protection, integrity, and nonrepudiation. To solve the above problems, several CLAS schemes have been introduced recently. Unfortunately, most existing CLAS schemes have been found to have security flaws or unsatisfactory performance in computation and communication costs. To avoid the above issues and better solve the problem of secure routing authentication in resource-constrained VANETs, we put forward a new CLAS scheme. The security analysis demonstrates that the new CLAS scheme is provably secure and is able to satisfy the security attributes in VANETs. The performance evaluation shows that the new CLAS scheme can achieve a novel security level while reducing the computation cost. Our CLAS scheme is robust against all types of attacks, which makes it more suitable for performing secure routing in resource-constrained VANETs.

Data Availability

The data used to support the findings of this study are available from the corresponding author upon request.

Conflicts of Interest

The authors declare that they have no conflicts of interest.

Acknowledgments

This work was supported by the National Natural Science Foundation of China (Nos. 61902115, 61972294, and 61932016) and the Opening Project of Guangdong Provincial Key Laboratory of Data Security and Privacy Protection (No. 2017B030301004-11).