Abstract

Vehicular ad hoc networks (VANETs) apply Internet of Things technology to provide secure communication among vehicles, thereby improving driving safety, the utilization of traffic resources, and the efficiency of information services. Because the wireless networks in VANETs are open and vulnerable, messages shared and transmitted in them are easily attacked or destroyed. Therefore, a large number of schemes for VANETs have been proposed to protect the privacy of vehicles and to ensure the authentication, integrity, and nonrepudiation of messages. However, most of these schemes have serious security flaws or poor performance. Recently, Thumbur et al. presented an efficient certificateless aggregate signature-based authentication scheme for VANETs together with a detailed security proof (IEEE Internet of Things Journal, vol. 8, no. 3, pp. 1908–1920, 2021). In this article, we analyze the security of Thumbur et al.’s scheme and demonstrate that it has significant security problems. Specifically, their scheme cannot resist public key replacement attacks from external adversaries, and it is not secure against coalition attacks from malicious vehicles. We then improve Thumbur et al.’s scheme to address these weaknesses. According to the security and performance analysis, the improved scheme enhances security while maintaining the performance of the original scheme.

1. Introduction

As a new type of mobile network, vehicular ad hoc networks (VANETs) utilize Internet of Things technology and intelligent transportation mechanisms to achieve secure communication among vehicles. As a result, they can improve the safety of vehicle driving, minimize road traffic congestion, avoid traffic accidents, reduce the workload of drivers, and provide secure, economical, comfortable, and fast transportation services [1]. VANETs generally involve four types of entities: vehicles with on-board units (OBUs), roadside units (RSUs) installed along the road, a trusted authority (TA) for system initialization, and application servers (ASs) for data analysis [2]. In VANETs, a vehicle uses its OBU to periodically broadcast vehicle-related information (such as speed, direction, mileage, fuel consumption, location, and brake pad pressure) and real-time road condition information to nearby vehicles and RSUs every 100–300 milliseconds.

However, while VANETs improve traffic management and road safety, they face numerous security challenges and privacy threats [3–5]. Because the wireless channel in VANETs is open, the information shared among vehicles is easily attacked, for example by forgery, tampering, injection, and replay. If an attacker transmits false traffic information, it may cause a traffic accident or even endanger the safety of drivers and passengers [6]. Hence, it is critical to ensure the integrity and authenticity of traffic data in VANETs. Furthermore, a vehicle’s private information, such as its real identity, should be protected from being misused, leaked, or accessed by unauthorized entities. At the same time, the TA must be able to recover the real identity of the vehicle that issued a disputed message [7, 8]. Therefore, VANETs must provide conditional privacy.

A digital signature is a cryptographic primitive that provides data integrity, identity authentication, nonrepudiation, and related security services. Various signature technologies, such as PKC-based and identity-based cryptographic frameworks, are used to construct authentication schemes for VANETs that ensure identity authentication, message integrity, privacy, and traceability. When these schemes are deployed in real-world settings, problems such as complex certificate management or inherent key escrow arise [9]. Certificateless aggregate signature (CLAS) not only avoids these problems of the PKC-based and identity-based settings but also aggregates the signatures of multiple messages into a single short signature [10]. Hence, CLAS greatly reduces the computational and communication overhead of signature verification and improves storage efficiency. Because of these advantages in security and performance, CLAS is considered an efficient and viable solution to some of the security problems in VANETs.

In recent years, researchers have proposed several CLAS-based authentication schemes for VANETs. Unfortunately, most of these schemes [4, 11–14] are not suitable for VANETs because of their time-consuming bilinear pairing operations. Based on the additive elliptic curve group, Cui et al. [15] proposed an authentication scheme for VANETs without pairings. However, Kamil and Ogundoyin [16] found that Cui et al.’s scheme [15] is unable to withstand attacks from a malicious key generation centre (KGC) and presented an improved scheme. Zhao et al. [17] showed that the improved scheme of Kamil and Ogundoyin [16] is still insecure against forgery attacks and constructed another improved scheme to remedy these vulnerabilities. In 2021, flaws in the design of Zhao et al.’s scheme [17] were discovered by Thumbur et al. [18], who then presented a novel pairing-free CLAS-based authentication scheme for VANETs. Unfortunately, we show by concrete attacks that their scheme is not secure; hence, it fails to achieve its expected security goals.

In this article, we analyze the security of Thumbur et al.’s scheme [18] and demonstrate that it is not secure against public key replacement attacks by external attackers or coalition attacks by malicious vehicles. To overcome these two kinds of forgery attacks, we also give an improved scheme. The main contributions of our work are as follows:
(1) We show that the CLAS-based authentication scheme for VANETs of Thumbur et al. [18] cannot resist public key replacement attacks.
(2) We provide an attack method to demonstrate that Thumbur et al.’s scheme [18] is not secure against coalition attacks launched by malicious vehicles.
(3) We improve Thumbur et al.’s scheme [18] to address these security issues.
(4) Our enhanced scheme meets the various security requirements of VANETs.

The rest of this article is organized as follows. Section 2 describes some preliminaries. Section 3 introduces Thumbur et al.’s scheme [18], and its cryptanalysis is given in Section 4. Section 5 presents our improved scheme and discusses its security and efficiency. Finally, Section 6 concludes this article.

2. Preliminaries

In this section, we briefly introduce the elliptic curve group, the system model, and the formal definition of the CLAS-based scheme for VANETs. Some key symbols are listed in Table 1.

2.1. Elliptic Curve Group and Computational Assumption

Assume that the order of a finite field is a prime . All solutions of the equation form an elliptic curve , where and . The cyclic elliptic curve group G is composed of all points on together with the point at infinity O. According to the chord-and-tangent rule [19], the addition operation in G is defined as , where . The operation (k times) is called scalar multiplication in G. For convenience, let P be a generator of G. The computational assumption in G is described as follows.

Elliptic Curve Discrete Logarithm Problem (ECDLP). Given two elements P and in G, it is intractable to calculate in polynomial time.

2.2. System Model

As described in Figure 1, the system model of a CLAS-based authentication scheme for VANETs contains five participants: TA, KGC, AS, RSU, and the vehicle equipped with an OBU. Communication can be divided into two levels. Communication among TA, KGC, AS, and RSU uses the upper level, which is carried out over a secure wired network. The lower level uses the dedicated short-range communication (DSRC) protocol (such as IEEE 802.11p) and mainly covers vehicle-to-vehicle and vehicle-to-RSU communication. It is worth noting that TA, KGC, and AS are entities with sufficient computing power, communication bandwidth, and storage capacity. The OBU is a resource-constrained device, whereas the RSU outperforms the OBU in terms of power, computation, communication, and storage. The five participants are described in detail below.
(1) TA. It initializes the system, registers vehicles and RSUs, issues pseudonym identities for vehicles, and traces the real identities of malicious vehicles. Because the TA is usually the vehicle management department of the local government, it is regarded as a trustworthy authority.
(2) KGC. It is an entity independent of the TA and is primarily responsible for producing each vehicle’s partial private key.
(3) AS. It is an application server that collects and analyzes the traffic-related messages sent by RSUs.
(4) RSU. This wireless communication equipment is typically situated at the roadside or at a crossroads and is mainly responsible for managing the communication of all vehicles within its communication range.
(5) Vehicle. It uses the DSRC protocol to frequently broadcast traffic-related messages such as road conditions, vehicle speed, and location.

2.3. Formal Definition of the CLAS-Based Authentication Scheme for VANETs

As defined in [16, 18], a CLAS-based authentication scheme for VANETs is made up of the following nine algorithms:
(1) System Setup. Given a security parameter , TA and KGC execute this algorithm to produce system parameters params, two system master keys (s, b), and two system master public keys .
(2) Pseudonym Identity Generation. On receiving the real identity of a vehicle Vi, TA executes this algorithm to create the pseudoidentity for Vi.
(3) Partial Private Key Generation. Upon receiving the pseudoidentity of a vehicle Vi, this algorithm is executed by KGC to create a partial private key for Vi.
(4) Set Secret Value. This algorithm is run by a vehicle Vi to create its secret value xi.
(5) Vehicle Key Generation. A vehicle Vi runs this algorithm to produce its private key and corresponding public key .
(6) Signature Generation. This algorithm is executed by a vehicle Vi. Given a message mi, Vi uses its private key to create a single signature on mi.
(7) Signature Verification. Taking a message mi, a single signature , and the pseudonym identity and public key pairs as inputs, the RSU or other vehicles execute this algorithm to output True if is a valid single signature or False otherwise.
(8) Aggregate Signature Generation. Taking n single signatures on n messages as inputs, RSU executes this algorithm to generate an aggregate signature .
(9) Aggregate Signature Verification. Upon receiving an aggregate signature , n messages , and the pseudoidentity and public key pairs of n vehicles, the AS runs this algorithm to output True if is a valid aggregate signature or False otherwise.

As described in [16–18], an authentication scheme for VANETs should achieve a range of security requirements, such as identity anonymity, traceability, message integrity, and authenticity. Based on these requirements, a secure CLAS-based authentication scheme for VANETs must withstand the following attackers:
(1) Type I Adversary. This is an external attacker that can carry out public key replacement attacks. The attacker is able to obtain the vehicle’s secret value or replace its public key, but is not allowed to know the KGC’s master secret key or the vehicle’s partial private key.
(2) Type II Adversary. This attacker is usually a malicious KGC and thus possesses the KGC’s master key. However, the attacker is unable to compromise the vehicle’s secret value or replace the vehicle’s public key.
(3) Inside Adversary. This attacker consists of two or more malicious vehicles that launch a coalition attack. The attackers try to create a legitimate aggregate signature by providing a few invalid single signatures.

3. Review of Thumbur et al.’s Scheme

In this section, we briefly describe the CLAS-based authentication scheme for VANETs proposed by Thumbur et al. [18].
(1) System Setup. The following operations are carried out in collaboration between TA and KGC:
(a) TA and KGC negotiate to choose an elliptic curve group G with prime order p and select a generator P of G and four hash functions .
(b) KGC selects a random value as its master secret key and calculates the corresponding master public key .
(c) TA randomly picks as its master secret key and then sets as its master public key.
(d) Output system parameters .
(2) Pseudonym Identity Generation. To protect the privacy of the identity, the vehicle uses the pseudoidentity issued by TA to hide its real identity for anonymous message communication.
(a) A vehicle Vi selects a random value from and calculates ; then it hides its unique real identity by calculating and finally transmits to TA.
(b) TA uses its master secret key b to obtain Vi’s real identity by calculating . If is legal, TA calculates , sets Vi’s pseudonym identity , and transmits it to KGC, where is the validity period of .
(3) Partial Private Key Generation. Upon receipt of the pseudonym identity for a vehicle Vi, KGC executes the following steps:
(a) Pick at random and calculate .
(b) Calculate .
(c) Calculate the partial private key of Vi as .
(d) Send to Vi secretly.
Note that Vi checks the validity of from KGC by verifying whether holds.
(4) Set Secret Value. A vehicle Vi randomly picks as its secret value and calculates .
(5) Vehicle Key Generation. A vehicle Vi performs the following to produce its private key and public key:
(a) Calculate .
(b) Calculate .
(c) Set its public key .
(d) Set its private key .
(6) Signature Generation. To achieve secure communication, vehicle Vi with performs the following signature operations on each traffic-related message mi that it sends:
(a) Pick at random and calculate .
(b) Calculate .
(c) Calculate , where is the current timestamp.
(d) Calculate .
(e) Output a single signature on .
(f) Send to the nearby RSU.
(7) Signature Verification. Given a single signature on a message at timestamp under a pseudonym and a public key , the verifier performs the following verification operations if of and are both valid:
(a) Calculate .
(b) Calculate .
(c) Check the single signature verification equation below:
The verifier accepts if it holds; otherwise, is considered invalid.
(8) Aggregate Signature Generation. After receiving n single signatures on messages from n vehicles, the RSU performs the following aggregation operations:
(a) Calculate .
(b) Output the aggregate signature on as .
(9) Aggregate Signature Verification. Given an aggregate signature on messages under n tuples , the AS performs the following aggregate signature verification operations if and are within their period of validity:
(a) Calculate for all .
(b) Calculate for all .
(c) Check the aggregate signature verification equation below:
If it holds, the AS accepts and stores the messages since is valid.

4. Cryptanalysis of Thumbur et al.’s Scheme

Thumbur et al. [18] claimed that their CLAS-based authentication scheme for VANETs is capable of withstanding forgery attacks and achieves various security requirements. Nevertheless, in this section, we provide two attack methods to demonstrate that their scheme is vulnerable to public key replacement attacks and coalition attacks.

4.1. Public Key Replacement Attack

Assume that Vi is the target vehicle selected by a Type I adversary 1. 1 obtains Vi’s pseudoidentity and public key and then uses the following attack steps to forge a valid single signature on a message :
(1) Calculate .
(2) Pick randomly and calculate .
(3) Replace the public key of the target vehicle with the new public key .
(4) Pick randomly and calculate .
(5) Select a desired message and calculate , where is the current timestamp.
(6) Calculate .
(7) Set as a forged single signature on .

Obviously, is a valid single signature on at under , since

In the above attack, 1 only replaces the public key of the target vehicle, but the partial private key of the target vehicle is unknown to 1. Therefore, the CLAS-based authentication scheme for VANETs of Thumbur et al. [18] cannot resist public key replacement attacks. The reason why 1 can attack successfully is that is offset by in .

4.2. Coalition Attack

Two or more malicious vehicles can produce a valid aggregate signature by providing some false single signatures. Without loss of generality, suppose that V1 and V2 are two malicious vehicles. The coalition attack launched by and is as follows:
(1) arbitrarily selects a message and creates a single signature on by invoking the Signature Generation algorithm of Thumbur et al.’s scheme [18].
(2) arbitrarily selects a message and creates a single signature on by invoking the Signature Generation algorithm of Thumbur et al.’s scheme [18].
(3) and exchange and in and to obtain two invalid single signatures and .
(4) After receiving and sent by and , respectively, the RSU invokes the Aggregate Signature Generation algorithm of Thumbur et al.’s scheme [18] to output an aggregate signature on , where .

Clearly, is an invalid single signature on at timestamp under the pseudonym and the public key , where . However, is a valid aggregate signature for under , since

Therefore, two incorrect single signatures jointly constructed by V1 and V2 can be used to produce a valid aggregate signature . It follows that Thumbur et al.’s scheme [18] cannot resist coalition attacks from malicious vehicles. The attack succeeds because nothing in constrains the order in which the values are summed, so any redistribution of them among the colluders leaves the aggregate unchanged. If a CLAS-based authentication scheme for VANETs is vulnerable to coalition attacks, the AS cannot tell whether a valid aggregate signature was produced from invalid single signatures, and the TA cannot trace the vehicle that sent a disputed message.
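To make both attack classes of this section concrete, the following Python program is an added illustration and is not Thumbur et al.’s scheme, the improved scheme of Section 5, or any code from the original paper; their exact verification equations are not reproduced. It builds a deliberately simplified certificateless-style signature over secp256k1 in pure Python (the curve choice, the toy partial-private-key derivation d = s·H(pid), the hash inputs, and the pseudonyms and messages are all assumptions made for the demo). The `verify_flawed` equation lets the vehicle public key and the KGC-derived term enter only as an unhashed sum, so a Type I adversary who knows neither the master key nor a partial private key can pick a public key that cancels the KGC term, which is the cancellation effect exploited in Section 4.1; the hardened variant hashes the public key and the master public key into two distinct scalars, after which the same trick fails. The aggregate is the plain sum of the scalars, as in Section 4.2; the demo goes beyond the swap in the text and shifts the two scalars by an arbitrary delta (the swap is the special case delta = s2 − s1), showing that a linear aggregate check cannot by itself detect any redistribution between colluders.

```python
"""Toy certificateless signatures over secp256k1 (pure Python, no deps).
Added illustration for Sections 4.1 and 4.2; NOT the paper's scheme.
Curve choice, d = s*H(pid), hash inputs, pids and messages are constructed.
"""
import hashlib
import secrets

# secp256k1 domain parameters (assumption: any prime-order group behaves alike)
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
INF = None                                      # point at infinity
assert (G[1] ** 2 - G[0] ** 3 - 7) % P == 0     # G really lies on y^2 = x^3 + 7

def add(A, B):                                  # affine chord-and-tangent addition
    if A is INF: return B
    if B is INF: return A
    if A[0] == B[0] and (A[1] + B[1]) % P == 0: return INF
    if A == B: lam = 3 * A[0] * A[0] * pow(2 * A[1], -1, P) % P
    else:      lam = (B[1] - A[1]) * pow(B[0] - A[0], -1, P) % P
    x = (lam * lam - A[0] - B[0]) % P
    return (x, (lam * (A[0] - x) - A[1]) % P)

def mul(k, A):                                  # double-and-add scalar multiplication
    k %= N; R = INF
    while k:
        if k & 1: R = add(R, A)
        A = add(A, A); k >>= 1
    return R

def neg(A): return INF if A is INF else (A[0], (-A[1]) % P)
def rand(): return secrets.randbelow(N - 1) + 1
def H(*parts):                                  # hash arbitrary values to a scalar mod N
    return int.from_bytes(hashlib.sha256(repr(parts).encode()).digest(), 'big') % N

def kgc_setup():                                # master secret s, master public key Ppub = sG
    s = rand(); return s, mul(s, G)
def partial_key(s, pid):                        # toy partial private key d; dG = H(pid)*Ppub
    return s * H(pid) % N
def keygen():                                   # vehicle secret value x, public key PK = xG
    x = rand(); return x, mul(x, G)

# flawed design: PK and the KGC term appear only as (PK + H(pid)*Ppub), neither is hashed
def sign_flawed(x, d, msg):
    r = rand(); R = mul(r, G); h = H(R, msg)
    return R, (r + h * (x + d)) % N
def verify_flawed(sig, msg, PK, pid, Ppub):
    R, s = sig; h = H(R, msg)
    return mul(s, G) == add(R, mul(h, add(PK, mul(H(pid), Ppub))))

# hardened design: PK and Ppub are hashed, and the two key parts get distinct weights
def hashes(R, msg, PK, pid, Ppub):
    return H(R, msg, PK), H(R, msg, PK, pid, Ppub)
def sign(x, d, msg, PK, pid, Ppub):
    r = rand(); R = mul(r, G); h1, h2 = hashes(R, msg, PK, pid, Ppub)
    return R, (r + h1 * x + h2 * d) % N
def rhs(R, msg, PK, pid, Ppub):                 # right-hand side of the verification equation
    h1, h2 = hashes(R, msg, PK, pid, Ppub)
    return add(add(R, mul(h1, PK)), mul(h2 * H(pid), Ppub))
def verify(sig, msg, PK, pid, Ppub):
    return mul(sig[1], G) == rhs(sig[0], msg, PK, pid, Ppub)
def aggregate(sigs):                            # linear aggregation: keep every R_i, sum the scalars
    return [R for R, _ in sigs], sum(s for _, s in sigs) % N
def verify_aggregate(agg, msgs, PKs, pids, Ppub):
    Rs, S = agg; total = INF
    for R, m, PK, pid in zip(Rs, msgs, PKs, pids):
        total = add(total, rhs(R, m, PK, pid, Ppub))
    return mul(S, G) == total

def pk_replacement_demo():
    """Type I adversary: knows Ppub and the target's pid, but neither s nor d."""
    s, Ppub = kgc_setup(); pid = "PID-target"; msg = "brake hard"   # constructed inputs
    a = rand()
    PK_fake = add(mul(a, G), neg(mul(H(pid), Ppub)))   # PK' = aG - H(pid)*Ppub
    r = rand(); R = mul(r, G)
    forged_flawed = (R, (r + H(R, msg) * a) % N)        # KGC term cancels: accepted
    forged_hard = (R, (r + hashes(R, msg, PK_fake, pid, Ppub)[0] * a) % N)  # rejected
    return (verify_flawed(forged_flawed, msg, PK_fake, pid, Ppub),
            verify(forged_hard, msg, PK_fake, pid, Ppub))

def coalition_demo():
    """Two colluding vehicles redistribute their scalars before the RSU aggregates."""
    s, Ppub = kgc_setup()
    pids, msgs = ["PID-1", "PID-2"], ["speed 80", "speed 20"]        # constructed inputs
    keys = [keygen() for _ in pids]; PKs = [pk for _, pk in keys]
    sigs = [sign(x, partial_key(s, pid), m, pk, pid, Ppub)
            for (x, pk), pid, m in zip(keys, pids, msgs)]
    delta = rand()                               # delta = s2 - s1 is exactly the swap attack
    bad = [(sigs[0][0], (sigs[0][1] + delta) % N), (sigs[1][0], (sigs[1][1] - delta) % N)]
    singles = [verify(b, m, pk, pid, Ppub) for b, m, pk, pid in zip(bad, msgs, PKs, pids)]
    return singles, verify_aggregate(aggregate(bad), msgs, PKs, pids, Ppub)

if __name__ == "__main__":
    print("public key replacement (flawed, hardened):", pk_replacement_demo())
    print("coalition (single checks, aggregate check):", coalition_demo())
```

`pk_replacement_demo()` returns `(True, False)`: the flawed verifier accepts the forgery made with the replaced public key, the hardened one rejects it because the replaced key is fixed before the hash values that weight it are known. `coalition_demo()` returns `([False, False], True)`: both redistributed single signatures fail, yet their aggregate verifies. The practical consequence for a deployment is that an RSU must run Signature Verification on every single signature before aggregating, because an AS that only checks a linear aggregate has no way to notice the redistribution; Theorem 3 in Section 5 is the paper’s way of removing this blind spot in the aggregate check itself.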

5. Improved Authentication Scheme for VANETs

To enhance the security of the CLAS-based authentication scheme for VANETs proposed by Thumbur et al. [18], we present an improved scheme on the basis of the original scheme and analyze its security and performance.

5.1. Our Improved Scheme

We mainly revise the Signature Generation algorithm and the definition of the hash function H2 in Thumbur et al.’s scheme [18] to resist the forgery attacks described in Section 4. Our improved scheme is described as follows:
(1) The algorithms System Setup, Pseudonym Identity Generation, Partial Private Key Generation, and Set Secret Value are the same as those of the scheme in [18]. Note that a hash function is added to the System Setup algorithm in the revised scheme.
(2) Vehicle Key Generation. A vehicle Vi sets its private key and the corresponding public key . Similarly, the AS sets its private key and the corresponding public key .
(3) Signature Generation. Vehicle Vi with utilizes its private key to sign a traffic-related message mi as follows:
(a) Pick at random and calculate .
(b) Calculate and , where is the current timestamp.
(c) Calculate .
(d) Output a single signature on .
(e) Send to the nearby RSU.
(4) Signature Verification. Given a single signature on a message at timestamp under a pseudonym and a public key , the verifier performs the following verification operations if and are both valid:
(a) Calculate .
(b) Calculate and .
(c) Check the single signature verification equation below:
The verifier accepts if it holds; otherwise, is considered invalid.
Correctness:
(5) Aggregate Signature Generation. After receiving n single signatures on messages from n vehicles, the RSU utilizes the AS’s public key to aggregate the single signatures.
(a) Calculate .
(b) Set as the aggregate signature on .
(6) Aggregate Signature Verification. Given an aggregate signature on messages under n tuples , the AS utilizes its secret value to perform the following aggregate signature verification operations if and in each message are within their period of validity:
(a) Calculate for all .
(b) Calculate and for all .
(c) Check the aggregate signature verification equation below:
If it holds, the AS accepts and stores these messages since is valid.

5.2. Security Analysis

Similar to Theorems 1 and 2 in [18], we use the following Theorems 1 and 2 to show that our enhanced scheme is secure for Type I and II attackers in the random oracle model. In addition, Theorem 3 proves that the aggregate signature is secure in the enhanced scheme as long as the individual signatures participating in the aggregation are secure.

Theorem 1. In the random oracle model, our improved scheme is existentially unforgeable against Type I attackers under the intractability of the ECDLP.

Proof. Assuming that a Type I attacker 1 can forge a legitimate signature with probability , there exists an algorithm 1 that successfully solves the ECDLP using the forged signature of 1. Given a random ECDLP instance , where is unknown to 1, in order to calculate y, 1 plays the following interactive game with 1:
(1) Initialization Phase. 1 chooses as the challenged pseudonym identity of the target user. Then, 1 picks at random as the master secret key of KGC and calculates . After that, 1 runs the System Setup algorithm to produce parameters and sends to 1.
(2) Queries Phase. 1 creates six initially empty lists , , , , , and . 1 adaptively initiates a series of queries, and 1 responds to them in the following ways:
  (1) H0-Queries. When 1 initiates an inquiry about , 1 submits to 1 if there exists the tuple in list . Otherwise, 1 picks at random, assigns , transmits to 1, and stores in .
  (2) H1-Queries. When 1 initiates an inquiry about , 1 submits to 1 if there exists the tuple in list . Otherwise, 1 picks at random, assigns , transmits to 1, and stores in .
  (3) H2-Queries. When 1 initiates an inquiry about , 1 submits to 1 if there exists the tuple in list . Otherwise, 1 picks at random, assigns , transmits to 1, and stores the tuple in .
  (4) H3-Queries. When 1 initiates an inquiry about , 1 submits to 1 if there exists the tuple in list . Otherwise, 1 picks at random, assigns , transmits to 1, and stores the tuple in .
  (5) H4-Queries. When 1 initiates an inquiry about , 1 submits to 1 if there exists the tuple in list . Otherwise, 1 picks at random, assigns , transmits to 1, and stores in .
  (6) Create-User-Queries. When 1 initiates an inquiry about , 1 submits to 1 if there exists the tuple in list . Otherwise, 1 executes as follows:
    (a) If , 1 randomly picks and sets , , , , and . Then, 1 transmits to 1 and stores in and in .
    (b) If , 1 randomly picks , calculates , , and , and sets . Then, 1 transmits to 1 and stores in and in .
  (7) Partial-Private-Key-Queries. When 1 submits an inquiry about , 1 aborts if . Otherwise, 1 searches for the tuple in and transmits to 1.
  (8) Set-Secret-Value-Queries. When 1 submits an inquiry about , 1 searches for the tuple in and transmits to 1.
  (9) Replace-Public-Key-Queries. When 1 submits an inquiry about , 1 finds the tuple in and replaces with .
  (10) Sign-Queries. When 1 submits an inquiry about , 1 does the following:
    (a) If , 1 runs the Signature Generation algorithm to output a single signature on and transmits to 1.
    (b) If , 1 picks at random and the current timestamp . Then, 1 recovers and from and , respectively. After that, 1 sets , transmits to 1, and stores in and in .
(3) Forgery Phase. After initiating a limited number of the above inquiries, 1 creates a valid single signature on a message under and . If , 1 aborts. Otherwise, according to the Forking Lemma [20], 1 can obtain another valid signature with the same random tape and a different value assigned by . Since and are valid, the following equations hold:
Since , , and , the following equations can be derived from the two equations above:
Then, we have . Hence, 1 calculates the solution of the given ECDLP instance as .
Let denote the total number of partial private key queries initiated by 1 in the whole game. In Partial-Private-Key-Queries, the probability of 1 completing the game is at least . In Forgery Phase, the probability that 1 does not terminate the game is at least . If 1 can forge a legitimate signature with probability , then 1 successfully solves the ECDLP with probability . However, the ECDLP is intractable in polynomial time; hence, our improved scheme is secure against Type I attacks. ▪

Theorem 2. In the random oracle model, our enhanced scheme is existentially unforgeable against Type II attackers under the intractability of the ECDLP.

Proof. Assuming that a Type II attacker 2 can forge a legitimate signature with probability , there exists an algorithm 2 that successfully solves the ECDLP by using the forged signature of 2. Given a random ECDLP instance , where is unknown to 2, in order to calculate y, 2 plays the following interactive game with 2.
(1) Initialization Phase. 2 chooses at random as KGC’s master secret key and calculates . Then, 2 runs the System Setup algorithm to output parameters . Following that, 2 returns and s to 2.
(2) Queries Phase. 2 chooses as the challenged pseudonym identity of the target user. As in Theorem 1, 2 creates six initially empty lists , , , , , and . 2 adaptively initiates a series of queries, and 2 responds to them in the following ways:
  (1) H0-Queries, H1-Queries, H2-Queries, H3-Queries, and H4-Queries are the same as in Theorem 1.
  (2) Create-User-Queries. When 2 initiates an inquiry about , 2 submits to 2 if there exists the tuple in list . Otherwise, 2 executes as follows:
    (a) If , 2 picks at random and sets , , , , and . Then, 2 transmits to 2 and stores in and in .
    (b) If , 2 randomly picks , calculates , , and , and sets . Then, 2 transmits to 2 and stores in and in .
  (3) Partial-Private-Key-Queries. When 2 submits an inquiry about , 2 looks for the tuple in and transmits to 2.
  (4) Set-Secret-Value-Queries. When 2 submits an inquiry about , 2 aborts if . Otherwise, 2 finds the tuple in and transmits to 2.
  (5) Sign-Queries are the same as in Theorem 1.
(3) Forgery Phase. After initiating a limited number of the above inquiries, 2 generates a valid single signature on a message under and . If , 2 aborts. Otherwise, according to the Forking Lemma [20], 2 can obtain another valid signature with the same random tape and a different value assigned by . Since and are valid, the following equations hold:
Since , , and , the following equations can be derived from the two equations above:
Then, we have . Hence, 2 calculates the solution of the given ECDLP instance as .
Let denote the total number of secret value queries initiated by 2 in the whole game. In Set-Secret-Value-Queries, the probability that 2 completes the game is at least . In Forgery Phase, the probability that 2 does not terminate the game is at least . If 2 can forge a legitimate signature with probability , then 2 successfully solves the ECDLP with probability . However, the ECDLP is intractable in polynomial time; hence, our enhanced scheme is resistant to Type II attacks. ▪

Theorem 3. Our improved scheme can withstand the coalition attack from malicious vehicles if H4 is a collision-resistant hash function.

Proof. If is a valid aggregate signature, then satisfies the following aggregate signature verification equation:
From the Aggregate Signature Generation algorithm of the improved scheme, it is easy to get
According to the collision resistance of H4, we can obtain
Since , we have
Hence, we can obtain
This shows that each single signature used to generate is valid.
On the other hand, if is a valid single signature, then must satisfy the following single signature verification equation:
Then, we can obtain
From the above equations, we can easily derive
Hence, we have
This shows that the aggregate signature constructed from is valid.
In our improved scheme, it can be seen from the above analysis that an aggregate signature is valid if and only if every single signature participating in the aggregation is valid. Therefore, our enhanced scheme is secure against coalition attacks from malicious vehicles. ▪
We show that the improved scheme satisfies the following security requirements of VANETs:
(1) Resistance to Forgery Attacks. In the Signature Generation algorithm of our improved scheme, the master public key of KGC is an input of , and the public key of the vehicle is an input of . Furthermore, in , is bound to the partial private key , and is bound to the secret value . If either or is changed, the single signature verification equation in the Signature Verification algorithm fails. Hence, an attacker cannot forge a single signature while bypassing either the secret value or the partial private key of the vehicle. As a result, our improved scheme withstands the public key replacement attack described in Section 4 as well as forgery attacks by a malicious KGC. More importantly, in the Aggregate Signature Generation algorithm, the collision resistance of the hash function ensures that exchanging or illegally modifying any single signature value cannot pass the aggregate signature verification equation of the Aggregate Signature Verification algorithm. Therefore, our scheme resists the coalition attack given in Section 4.
(2) Unlinkability. In our improved scheme, vehicle Vi with the pseudoidentity transmits message mi and the corresponding signature to the RSU, where and . Furthermore, the value used in the signature is random, so an attacker is unable to link two different messages transmitted by the same vehicle. That is, our improved scheme achieves unlinkability of messages.
(3) Resistance to Replay Attacks. Because of the openness of wireless networks in VANETs, the signature transmitted by a vehicle to the RSU can easily be captured by an attacker. The timestamp is embedded in and , and is a component of the signature . The RSU uses to check the freshness of the message and then verifies the validity of the signature . Hence, our revised scheme resists replay attacks.
(4) Message Authenticity, Nonrepudiation, and Integrity. Compared with the scheme of Thumbur et al. [18], the algorithms Pseudonym Identity Generation, Partial Private Key Generation, and Set Secret Value of our improved scheme are the same as those of the original scheme. Furthermore, we only modify in the enhanced scheme, and the remainder of the Signature Generation algorithm is the same as that of the original scheme. The existential unforgeability of our improved scheme is guaranteed by Theorems 1 and 2. In addition, the identity information of the vehicle is embedded in the signature, so the vehicle cannot deny any message it previously sent. Therefore, the improved scheme guarantees the authenticity, nonrepudiation, and integrity of messages among vehicles.
(5) Anonymity and Traceability. To achieve anonymity during communication, the vehicle uses a pseudonym to communicate with the RSU or other vehicles. When a disputed traffic-related message occurs, the TA uses its master key b and the vehicle’s pseudonym to recover the real identity . Thus, our improved scheme provides anonymity and traceability of the vehicle. It is generally assumed that the TA is trustworthy. To further limit the power of the TA, a smart contract can be introduced to store the vehicle’s pseudoidentity and related information on a blockchain during registration and tracing [21]. Because data on the blockchain cannot be altered after the fact, this makes abuse of the tracing right by the TA detectable and therefore harder.

5.3. Efficiency Analysis

We evaluate the computational efficiency of our enhanced scheme using the experimental data in [22]. Table 2 gives the measured running time of each cryptographic operation. To evaluate the performance of the schemes based on bilinear pairing, the supersingular elliptic curve was chosen, where the length of the prime is 521 bits and the length of an element in G1 is 1024 bits. To achieve the same security level for the pairing-free schemes, the Koblitz elliptic curve was chosen, where the length of p is 160 bits and the length of an element in G is 320 bits.

We compare the computational overhead of the improved scheme with that of four other CLAS-based authentication schemes for VANETs [4, 13, 14, 18] for signing a message, verifying the signature of a message, and verifying the aggregate signature of n messages. The comparison results are shown in Table 3. We do not count the cost of ordinary hash functions, modular additions, and modular multiplications because their execution time is negligible in comparison.

The time cost of generating a single signature in both our improved scheme and Thumbur et al.’s scheme [18] is 0.168785 ms, the lowest among all compared schemes [4, 13, 14, 18]. The time cost of verifying a single signature and an aggregate signature in [18] is slightly lower than in the proposed scheme. Nevertheless, as shown in Section 4, Thumbur et al.’s scheme [18] is insecure and therefore cannot be applied in practice to VANETs.

As shown in Figure 2, in the generation and verification of a single signature, the computational cost of our scheme and of Thumbur et al.’s scheme [18] is lower than that of the other three schemes [4, 13, 14]. Our scheme requires somewhat more processing time than Thumbur et al.’s scheme [18] to verify a single signature, but it resists both attacks given in Section 4.

Table 4 and Figure 3 compare the communication costs of the five schemes. As can be seen, our improved scheme and Thumbur et al.’s scheme [18] have the shortest single signature length, so the vehicle incurs the lowest communication overhead. However, apart from our improved scheme, the other four schemes [4, 13, 14, 18] cannot resist the coalition attack described in Section 4.2. Hence, our improved scheme enhances security while maintaining the communication performance of the original scheme.

6. Conclusions

In 2021, Thumbur et al. [18] presented an efficient CLAS-based authentication scheme for VANETs. In this article, we cryptanalyze their scheme and show that it is insecure against public key replacement attacks and coalition attacks. To improve the security of their scheme, we also present a corresponding improved scheme, and our analysis shows that the improved scheme meets a variety of security requirements. However, some security properties, such as identity revocation and authentication [23–25], are not considered in either the enhanced or the original scheme. Hence, our future work is to design a CLAS-based authentication scheme that supports revocation of a vehicle’s identity.

Data Availability

The data used to support the findings of this study are available at https://ieeexplore.ieee.org/document/9031715/.

Conflicts of Interest

All authors have no conflicts of interest.

Acknowledgments

This research was supported by the China Postdoctoral Science Foundation (no. 2017M610817) and the Gansu Science and Technology Planning Project (no. 20CX9ZA076).