Abstract

Owing to the security requirements of the Internet of vehicles (IOV), it is necessary to design a secure privacy-preserving scheme for communication. Traditional privacy-preserving schemes have two deficiencies. One is the high cost of computation and communication. The other is the inability to prevent the spread of malicious or modified messages. Motivated by these facts, we propose a trust-based authentication scheme for certificateless privacy preservation in IOV, based on the advantages of the short key, fast speed, and high security performance of elliptic curve cryptography (ECC). We propose a method to replace the revocation list by authenticating trust to prevent the broadcasting of fake and altered messages. Our scheme can encrypt the message sent by the node while adopting a certificateless authentication method to complete the anonymous authentication function, which protects the privacy of the node information and effectively reduces the system storage load. In addition, aggregate signatures can effectively reduce computational and communication overhead. It is proven theoretically that the proposed scheme can satisfy correctness, anonymity, confidentiality of messages, and unforgeability of signatures. Therefore, this scheme is more suitable for the deployment and application of physical IOV.

1. Introduction

The Internet of vehicles (IOV) is an application of mobile ad hoc networks (MANETs) and wireless sensor networks in the field of intelligent transportation that implements communication between intelligent vehicles and increases the safety and efficiency of road traffic. The key features that distinguish IOV from other MANETs are vehicle density, self-organization, multihop, rapid change of network topology, limited network capacity, no power and storage constraints, predictable node mobility patterns owing to fixed roads and lanes, and a large number of nodes in urban traffic [1]. A typical IOV architecture usually includes three components: a service center, road side units (RSU), and vehicle nodes equipped with an onboard unit (OBU), where the OBU is mounted on the vehicle to provide wireless communication capabilities. The RSU is used to provide a wireless and radio-covered vehicle interface [2]. As networks become more common, there is a growing need for vehicle-to-vehicle (V2V) and vehicle-to-infrastructure (V2I) communications [3], and the communication between V2V and V2I is realized by dedicated short range communication (DSRC) [4] systems. Most importantly, the IOV is a promising technology for providing effective traffic management solutions, navigation-based services, infotainment, and vehicle safety.

Privacy and security issues in IOV have attracted a significant amount of attention. Since IOV supports emergent real-time applications and processes vital messages, relevant schemes should meet security requirements such as privacy, confidentiality, integrity, and nonrepudiation to provide secure communication against attackers and malicious nodes [5]. All kinds of security attacks such as denial of service (DOS), Sybil attack, illusion attack, and wormhole attack will affect the privacy of the vehicle and possibly lead to traffic congestion, misinformation dissemination, positioning and identity leakage, disguise or forgery of data, and intrusion of private information. Therefore, data security and privacy-preserving issues in the IOV environment have become the focus of attention [2, 6].

A number of asymmetric cryptography-based security authentication schemes have been proposed to prevent such attacks. Anonymous authentication is one of the basic methods used for preserving privacy. The typical anonymous authentication mechanisms in IOV include pseudonyms, random silence, group signatures, ring signatures, blind signatures, and smart cards. In recent years, scholars have proposed a variety of anonymous schemes for IOV security authentication, such as the digital signature scheme [7] and the group signature scheme [8] based on public key infrastructure (PKI). However, these traditional anonymous authentication schemes have the following disadvantages. (1) The computational and communication costs of message authentication are large. In the case of high traffic density, there will be more delay, and a large number of messages will get lost. (2) Vehicles are required to store a large number of certificates and depend on the revocation list to achieve vehicle revocation, which results in a large storage overhead for the system. Therefore, improving the efficiency of anonymous authentication while ensuring security is also one of the principal challenges facing IOV [9].

Apart from efficiency issues, the authentication mechanism also has a major limitation, as it only ensures that the messages are transmitted from a legitimate sender, and does not prevent legitimate senders from maliciously spreading false or modified information to other vehicles. False or altered messages can reduce traffic efficiency and, at worst, threaten people’s lives. The question to be considered is how a vehicle decides whether to believe a message sent by a dependable vehicle. In order to prevent the above problems from causing improper behavior of the vehicle, misconduct detection mechanisms [10] and reputation systems [11] have been put forward. Trusted vehicles can be distinguished from untrusted vehicles by building trust relationships and detecting malicious behavior in IOV, thereby preventing the vehicle from being misdirected by other malicious vehicles. Therefore, trust is essential to protect IOV. Anonymous authentication of trust is becoming a compelling method of preserving privacy in IOV. Nevertheless, there is a lack of research on this topic, especially for the IOV system. Trust management of IOV [12] has been studied and attempted.

In this study, we propose a certificateless anonymous authentication scheme based on the trust of the IOV. In our scheme, the trust value is combined with the traditional encryption scheme for preserving privacy. A message is considered reliable only if the vehicle generating it has a certain trust value. The proposed method can not only ensure the effective communication of vehicles in the vehicle network but also make sure the vehicles receive information that is reliable. The basic principle of the scheme is to allow a trusted authority (TA) or authorized parties (AP) to announce the latest aggregate list of integrated node trust (INT) and verify the node trust without certificates. In our proposed scheme, a TA updates the trust value of each vehicle, stores the values in the trust value table using hashing techniques, and then broadcasts the trust value table. Thus, all vehicles can obtain the trust value of the adjacent vehicle by querying the trust value table to strengthen security. Depending upon the location of the trust value in the INT aggregation list, the receiving node can verify the sender’s message anonymously and without a certificate, and aggregate signatures can effectively reduce the computational costs and communication overhead. Furthermore, multiple APs may flexibly coordinate to achieve trust authentication while supporting aggregate signature verification. The method can provide fast, anonymous authentication and preserve privacy, and can ensure the reliability of the messages of V2V communication.

1.1. Our Contributions

The main contributions of the proposed scheme are summarized as follows:

(i) We propose a scheme to guarantee the security of communication and the reliability of messages in IOV by combining trust with a traditional privacy-preserving encryption scheme. We demonstrate that the proposed method is secure, and evaluate its performance by analyzing the proposed scheme.

(ii) We propose a method to replace the revocation list by authenticating trust, and our scheme does not involve PKI certificates, thus reducing the storage burden of the vehicles in the system. It also does not involve complex bilinear pairing operations, which effectively improves authentication efficiency.

1.2. Organization

The rest of this article is arranged as follows: Section 2 describes the related work of the proposed scheme. Section 3 introduces preliminaries and background information. In Section 4, we describe the proposed scheme in detail. Section 5 gives a proof of the security in the random oracle model under ECDLP. Security analysis and performance evaluation are described in detail in Section 6. Finally, Section 7 summarizes the future work of this paper.

In the last several years, scholars have done a lot of research on privacy preservation and data security of nodes in IOV.

2.1. Anonymous Authentication

Many anonymous authentication schemes have been proposed for IOV, which can be divided into five categories based on the encryption mechanism employed: public key infrastructure (PKI), certificateless signature, symmetric cryptography, identity-based signature, and group signature.

To preserve privacy and security in IOV, in 2007, Raya and Hubaux [13] proposed a PKI-based scheme that uses anonymous certificates to hide the identity of users. Raya and Hubaux advise storing huge amounts of public/private keys and corresponding certificates in each vehicle, and the vehicle randomly selects the certificate to sign the message. The privacy of the vehicle is protected by regular replacement of keys and certificates. In 2008, Lu et al. [2] proposed an efficient conditional privacy preservation (ECPP) protocol based on bilinear mapping. The main limitation of ECPP is the large latency of the RSU in generating pseudonyms. In 2012, Shim proposed an identity-based signature scheme [14], which stores the master key in the vehicle’s tamper-proof device. The vehicle can use the system master key to generate pseudo-names and other information. In 2013, Horng et al. proposed a scheme [15] that uses the RSU to generate different pseudo-names for vehicles, producing a distinctive anonymous authentication scheme that avoids the use of a great number of public and private key pairs by using pseudonym communication. However, guaranteeing the security of the RSU is also a problem. Shao et al. [16] proposed a new IOV authentication protocol through the use of a new group signature scheme. However, it can cause random tracking, which reduces user privacy. In 2018, Li et al. [17] proposed an anonymous conditional privacy-preserving authentication scheme based on the pseudoidentity method. Each OBU should prestore pseudoidentities in order to maintain its identity privacy. Liu et al. [18] designed a distributed MAC layer antiattack pseudonym scheme. In 2019, Liu et al. [19] designed an anonymous authentication scheme based on group signature, where the area TA provided anonymous authentication services. Boualouache et al. [20] proposed an effective pseudonym changing and management framework.
This approach can keep the message integrity and the sender’s privacy, but it also has some disadvantages. When a vehicle’s private key has been revoked, the system needs to update vehicle certificates regularly, which may take time. Key distribution, management, and storage are challenges. To solve these problems, Du et al. [21] designed a certificateless signature scheme combined with certificateless public key cryptography. Zhong et al. [22] presented a full aggregation authentication scheme for VANETs, which achieved conditional privacy protection by using pseudonyms. In 2020, Bayat et al. [23] proposed a new security and privacy protection scheme based on RSU. In this scheme, the TA stored the master key in the tamper-proof device of the RSU, and the verifier used the public key of the RSU instead of the system to check whether the signature is valid. Therefore, vehicles cannot check the signatures of other vehicles on the road from other RSUs. However, bilinear pairing and map-to-point operations are used in the scheme, which results in high computational overhead. Verma et al. [24] proposed the pairing-free certificate-based aggregated signature scheme. Xu et al. [25] proposed a certificateless signature scheme based on the CDH assumption. However, the scheme utilized the expensive map-to-point hash function, which also increased computational and communication overhead. To reduce computational and bandwidth costs, Mei et al. [26] proposed a conditional privacy certificateless signature scheme, which achieved full aggregation. But the scheme is also based on bilinear pairing. To further reduce the overhead of the vehicle, Chen et al. [27] designed a certificateless aggregated signature scheme without the expensive map-to-point hash function and bilinear pairing operations. Ali et al. [28] proposed a certificateless short signature-based conditional privacy-preserving authentication scheme based on ECC, which supported the batch signature verification method. Table 1 summarizes the properties of the above schemes for clarity.

However, anonymity alone is not sufficient to prevent an attacker from illegally tracking a vehicle, even if the broadcast message remains completely anonymous [29]. In addition, traditional public key infrastructure (PKI) guarantees user identity authentication in IOV; however, PKI cannot distinguish untrustworthy information from authorized users. Therefore, a trust evaluation is necessary to guarantee the trustworthiness of information by distinguishing malicious users in the network.

2.2. Trust

The issue of trust stems from the field of security and social psychology. In the past decade, the concept of trust has been introduced into information and communication technology (ICT). There has been little research about trust management of IOV during the preceding years. In 2014, MC Chuang and Lee [30] proposed a lightweight authentication scheme for distributed trust extension, called trust extension authentication mechanism, applicable to the vehicle network, with good anonymity and security. In fact, it is designed to further enhance the performance of the authentication process by using the concept of passing trust relationships. Nevertheless, because of selfish and malicious nodes, the security of mobile ad hoc networks has been greatly reduced. Then, Sugumar et al. [31] proposed a trust-based authentication protocol for cluster-based IOV in 2016. The vehicles are clustered and the trust level of each node is estimated. Based on the estimated trust, the cluster head is selected. Because the CRL check requires time, the group signature-based scheme has a long computing delay. In 2018, Yan et al. [32] proposed a scheme to anonymously verify the trust of pervasive social networking (PSN) nodes in a semi-distributed way. It was emphasized that trust plays an important role in maintaining pervasive social networking. It can be seen that anonymous authentication of trust is emerging as a novel way to ensure privacy. In 2020, Liang et al. [33] proposed a reputation scheme based on an implicit generalized mixed transition distribution model, which can evaluate the credibility of neighbor vehicles. Begriche et al. [34] proposed a vehicle-mounted network reputation system node based on a Bayesian statistical filter that would establish a profile based on the behavior of its neighbors. However, there are only two categories of vehicle states. In the same year, Awan et al. [35] proposed a centralized trust-based clustering mechanism, using multiple parameters to select a reliable cluster head and a backup cluster head, thus improving network security. In addition, the method selects a backup cluster head to achieve stable clusters. However, the scheme relies on the RSU. Alnasser et al. [36] proposed a recommendation-based trust model. The trust of this model comes from two methods: direct trust and indirect trust, but the trust value is calculated as a weighted sum, which cannot resist collusion attacks. Chen et al. [37] proposed a decentralized trust management system based on blockchain. The trust model only allows trusted nodes to participate in the verification and consensus process, and a trusted execution environment is applied to protect the trust evaluation process and an incentive model for incentivizing more participation and punishing malicious behavior. Gao [38] proposed a trust management scheme. In the scheme, the trust of nodes includes direct trust and recommendation trust. Direct trust is computed dynamically through history and Bayesian inference. Recommendation trust takes into account the trust and reputation of other nodes and their reputation. Ahmad et al. [39] proposed a hybrid trust management scheme called NOTRINO, which calculates the trust value of nodes at the transport layer and calculates the trust value of data at the application layer.

Unlike all the previous work, this paper builds on the trust-based research [32] and the encryption scheme [40], combines them with IOV application scenarios, and proposes a certificateless anonymous authentication scheme suitable for preserving privacy in IOV.

3. Preliminaries

In this section, we will briefly cover the mathematical foundations, system model, security and authentication requirements.

3.1. Mathematical Foundations

This subsection describes some of the basics associated with anonymous authentication protocols, namely, elliptic curve cryptography (ECC) and mathematical assumptions.

3.1.1. Elliptic Curve Cryptography (ECC)

After elliptic curve cryptography was proposed by Koblitz [41] and Miller [42] in 1986, respectively, ECC began to be commonly used in security-related fields such as encryption and protocols. In the following sections, we briefly introduce elliptic curve cryptography, which is extensively used to design many encryption and security schemes because of its advantages in computing and communication costs. When the security strength provided is the same as that of a discrete logarithm system, the parameters required by ECC are far smaller than those of the discrete log-based system [43]. The elliptic curve can be characterized by the set of solutions of an equation in two variables.

If the group is a finite cyclic group on the elliptic curve , its order is and the generator is . Let be a prime number greater than 3, and the elliptic curve on consist of a group of solutions based on congruence and an exceptional point called infinite point, where comprises two constants satisfying . In addition, has two rules of operation:(1)Addition : let , if , , then is the point where the line crosses and and ; if , , then is the intersection of the tangent of and ; if , there is .(2)Scalar multiplication : let , , and have a scalar multiplication of ( times in total).

3.1.2. Difficult Problem

Let be a finite cyclic group with large prime on an elliptic curve and be a generator. To demonstrate the security of our scheme, two difficult problems are defined. The mathematical difficulties of participating in the proposed scheme are shown.

Definition 1. Elliptic curve discrete logarithm problem (ECDLP): random point on are presented, and , output .

Definition 2. Computation of Diffie–Hellman problem (CDHP): given , where , calculate .

If the algorithm of the ECDLP or the CDHP on the group cannot be solved by a nonnegligible probability within the time , then the ECDLP or the CDHP is difficult in the group .
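The group law of Section 3.1.1 and the two hard problems of Definitions 1 and 2 can be made concrete on a toy curve. The following is an added example, not code from the paper: the curve y^2 = x^3 + 2x + 2 over F_17 with generator (5, 1) of order 19 is a constructed, textbook-sized parameter set, and all function names are assumptions chosen for illustration.

```python
"""Toy elliptic-curve group law, ECDLP and CDH (added example, not the paper's code)."""
from typing import Optional, Tuple

Point = Optional[Tuple[int, int]]  # None stands for the point at infinity O

# Constructed, textbook-sized parameters (far too small to be secure):
# E: y^2 = x^3 + 2x + 2 over F_17, generator G = (5, 1) of prime order 19.
P_MOD, A, B = 17, 2, 2
G: Point = (5, 1)
ORDER = 19


def on_curve(pt: Point) -> bool:
    """True if pt is O or satisfies the curve congruence."""
    if pt is None:
        return True
    x, y = pt
    return (y * y - (x * x * x + A * x + B)) % P_MOD == 0


def add(p1: Point, p2: Point) -> Point:
    """Chord-and-tangent addition, covering the three cases of the group law."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return None  # P + (-P) = O; also covers doubling a point with y = 0
    if p1 == p2:
        # Tangent slope for doubling.
        lam = (3 * x1 * x1 + A) * pow((2 * y1) % P_MOD, -1, P_MOD)
    else:
        # Chord slope for two distinct points.
        lam = (y2 - y1) * pow((x2 - x1) % P_MOD, -1, P_MOD)
    lam %= P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    y3 = (lam * (x1 - x3) - y1) % P_MOD
    return (x3, y3)


def mul(k: int, pt: Point) -> Point:
    """Scalar multiplication k*pt (pt added to itself k times) by double-and-add, k >= 0."""
    result: Point = None
    addend = pt
    while k > 0:
        if k & 1:
            result = add(result, addend)
        addend = add(addend, addend)
        k >>= 1
    return result


def solve_ecdlp(q: Point, base: Point = G) -> Optional[int]:
    """Exhaustive search for k with k*base == q.

    The loop runs ORDER steps, so it only terminates quickly because ORDER is 19.
    For a group of cryptographic size this search is the infeasible part.
    """
    acc: Point = None
    for k in range(ORDER):
        if acc == q:
            return k
        acc = add(acc, base)
    return None


def cdh_via_ecdlp(a_g: Point, b_g: Point) -> Point:
    """Compute abG from (aG, bG) by first recovering a: breaking ECDLP breaks CDH."""
    a = solve_ecdlp(a_g)
    if a is None:
        raise ValueError("point is not a multiple of G")
    return mul(a, b_g)


if __name__ == "__main__":
    a, b = 7, 5  # constructed secret scalars
    print("2G =", mul(2, G), " 19G =", mul(ORDER, G))
    print("a(bG) == b(aG):", mul(a, mul(b, G)) == mul(b, mul(a, G)))
    print("log of 13G recovered by brute force:", solve_ecdlp(mul(13, G)))
```
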

3.2. System Model

We describe the system model of the proposed anonymous authentication scheme in Figure 1. The trusted authority (TA) has adequate capabilities and is trusted to provide identity management and trust management. What is more, the TA or IOV nodes that are more stable and dependable than other vehicle nodes (for example, Wi-Fi access points and base stations) can act as authorizers (AP). The AP uses adequate information about nodes to estimate the trust value of the node. In order to achieve instant communication, the nodes interact with each other. Because message integrity and privacy are important, it is necessary to verify node trust anonymously for reliable communication and preserving privacy. The TA is used by vehicle nodes to manage the correspondence among real identity, pseudonym, key and trust in the cloud to save computing and storage costs. When the TA is inaccessible, the IOV node can use some of the IOV nodes as APs to correspond to each other.

(1) Trusted authority (TA): it is based on the assumption that the TA is fully trusted and has sufficient computing and storage capacity. Through a secure channel, entities (vehicles and RSU) must register with the TA using some personal credentials that uniquely identify the entity. The TA is responsible for the registration of fixed RSU on the roadside and mobile OBU installed on vehicles and can reveal the true OBU identity of secure messages.

(2) Road side units (RSU): suppose the RSUs are widely deployed on the road and can be viewed as the router between the TA and vehicle nodes. RSUs are not entirely credible, so they have to be supervised by the TA.

(3) Vehicles (OBU): each vehicle is equipped with an OBU, which has a shorter communication range and less computing power than an RSU. With the built-in OBU and DSRC protocols, each vehicle can communicate with neighboring vehicles, RSU and TA. The real identity of the vehicle and some secret information about the operation are stored in the OBU.

3.3. Security Requirements

Because messages are transported in an open access environment, security and privacy issues related to IOV must be considered. For anonymous authentication on trust in IOV, the following safety requirements must be met [6]:

3.3.1. Authentication

This requirement consists of vehicle authentication and message integrity. Vehicle authentication allows the receiver to verify the authenticity of the sender, and the message integrity ensures that the message is not changed during the transmission.

3.3.2. Anonymity

The system proposed in this scheme is shown in Figure 1. No entity other than TA can know any information about the real identity of the vehicle, that is, only TA can reveal the real identity of the participating vehicle.

3.3.3. Traceability

This function is used to identify malicious vehicles that may transmit false messages. Vehicles and RSU have no way to know the real sender of the received message, but TA can recover the true identity of the sender in case of an accident, which is called conditional traceability in IOV.

3.3.4. Unlinkability

The user’s unlinkability means that the attacker could not judge whether any two messages are from the same vehicle.

3.3.5. Replaying Resistance

Malicious vehicles cannot collect and send messages that have been received by the recipient.

3.4. Authentication Requirements

In order to ensure the safety of IOV communication, the following authentication requirements must be met:

(1) The computational and communication overhead of digital signatures must be low

(2) Authentication should be robust and extensible

(3) The process of reauthentication and revocation should be provided

4. The Proposed Scheme

In this section, we describe a trust-based authentication scheme proposed in this paper, which can authenticate node trust and verify node signature by anonymous method, which is suitable for secure V2V communication in IOV. Specifically, after system settings and node registration, authorized parties (AP) issue aggregated lists of INT values and INT hash (in short, aggregated lists) to each IOV node. On the basis of INT, nodes generate their one-time key pairs to sign their messages. Based on previous research on trust in IOV, we can assume that the trust of a node is a specific value, such as context-aware trust generation [12].

The scheme is divided into seven phases: system initialization, node registration, issue trust value, aggregate list, one-off key pair generation, signature generation, and verification. The symbols used in the proposed scheme are given in Table 2. Detailed procedures for the proposed scheme are as follows:

4.1. System Initialization

In this subsection, TA generates system parameters and loads them to the vehicle node. The system initialization of the scheme is the responsibility of TA, which consists of two parts, namely, key generation center (KGC) and tracing authorization (TRA), assuming that both parties have enough storage space and computing capacity. Since we assume that TA is reliable in this paper, we can conclude that KGC and TRA are also reliable.(1)Given the safety parameter , TAs use two large prime numbers , and an elliptic curve defined by .(2)The KGC chooses point from and generates group through . KGC selects the random number and calculateswhere is the secret value stored in KGC and is the master key used to extract part of the key.(3)The TRA picks point from and produces the group through . TRA selects the random number and calculateswhere is the secret value stored in TRA and the master key for traceability.(4)TAs choose four secure hash functions , , , , .(5)They publish the system parameters :When the system is initialized, these public system parameters, , are reloaded into the tamper-proof device in the vehicle node.

4.2. Node Registration

In this subsection, when each vehicle node registers with the system (TA), it needs to rely on its unique real identity (. In addition, the public key can be authenticated using the aggregation list distributed by AP, thus achieving certificateless, trust-based authentication. Therefore, the proposed scheme does not need the public key certificate (Figure2).(1)The vehicle selects a random number and calculatesTRA receives from the vehicle, and the communication channel between the two parties is safe, where the vehicle node can be uniquely identified through .(2)When TRA receives from vehicle , where is the real identity of , it first checks for and then calculates where indicates the validity period of this pseudoidentity. The TAs choose random , TAs also provide certificate . The node uses this certificate to request its trust value from TAs. Going down this, KGC can receive pseudoidentity and in a secure manner.(3)When KGC obtains the pseudoidentity , it calculates part of the private key after selecting a random number and computing .The vehicle receives from KGC in a secure manner, including the pseudoidentity, partial private key, and certificate.

4.3. Issue Trust Value and Aggregate List

First of all, each AP (executed by TA or IOV nodes) delivers an original trust value with a valid period and the aggregate list of INT hashes for node in the system; the AP then notifies all vehicle nodes of the newly generated aggregation list. The AP first inspects the validity of the previous trust value before deciding whether to reissue the trust value. An essential component of this phase is that nodes verify the trust values of other nodes during communication. Nodes request and receive INT in a trustworthy way. In addition, the AP will use its signature to distribute the latest INT summary list. Based on its current INT, the trusted processor can produce a one-time public and private key pair.

The trust value of the vehicle can be obtained by analyzing the message records issued by the vehicle collected by AP. At AP, the information collector saves the results in a database after collecting and processing message records from the vehicle nodes. The trust evaluator is used to evaluate the trust value of the vehicle node and detect the malicious vehicle node. The trusted publisher issues an aggregated list of INT hash values for all nodes on the IOV node on a regular or per request basis. When a vehicle node is registered, TAs issue an original trust value on the basis of the behavior of the vehicle node. The TAs collaborate with APs to determine the node’s INT and track its true identity without revealing the node’s true identity to any other IOV node. The TA database also holds the trust value of each node and its true identity. The AP can communicate with the TA more stably and reliably than a normal node.

After the AP reevaluates the trust, a new trust value is obtained, and it then stores the hash value of the new INT value to the appropriate location of or . When the value of trust expires, the trust value is re-requested, and the AP deletes the old value. Its corresponding INT is saved to the appropriate location in the latest aggregation list. The AP then publishes the updated list to all vehicle nodes. All AP simultaneously broadcasts its latest INT summary list. The value of the node’s trust can be verified through the presence and location or of the aggregation list ( or ). Because INT values are sorted in the list (for example, in ascending order), the node during the message authentication is easy to compare trust value. The following will be described separately in two cases, as described in detail below.(1)AP is executed by TAs: in this phase, based on the true identity of the vehicle, the TAs construct an original or new INT value for the vehicle node. When the current period of trust value expires, a new trust value is requested, at which point TA reevaluates the trust value of and publishes it to using the authentication code . The vehicle node transmits a random number and its certificate to TAs to request a trust value. The shared session key between TA and is established using the Diffie–Hellman key agreement protocol, and is selected by TA. Afterwards TAs transmit parameters: , where is due at . The list of INT hashes is produced periodically by TAs: , where . And then all the nodes will receive from TAs.(2)AP is carried out by the IOV node: AP can be played by node to assess the others’ trust value in IOV. In the same way, Diffie–Hellman key agreement protocol is adopted to establish the shared session key between AP and . Afterwards transmits parameters: to , where is due at . In this case, also can be authenticated with by node . If there are multiple APs, is produced periodically by . 
And publish it to all nodes after signing: with his private key. Of which
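The list handling described in this subsection (a sorted list of INT hashes, deletion of the old value on re-evaluation, and verification by presence and position) is sketched below as an added example that is not the paper's construction. The hash input (trust value, expiry, nonce), the rank-based acceptance policy and all names are assumptions; the AP's signature over the list is assumed to have been verified already, and how the receiver obtains the sender's INT hash from the message is not modelled.

```python
"""Trust check against an AP's aggregate list of INT hashes (added example)."""
import hashlib
import os
from typing import Dict, List, Optional, Tuple


def int_hash(trust: float, nonce: bytes, expiry: int) -> str:
    """Hypothetical INT hash: SHA-256 over trust value, expiry and a per-issue nonce."""
    return hashlib.sha256(f"{trust:.3f}|{expiry}|".encode() + nonce).hexdigest()


class AuthorizedParty:
    """Keeps one current INT record per pseudonym and publishes the sorted hash list."""

    def __init__(self) -> None:
        self.records: Dict[str, Tuple[float, bytes, int]] = {}

    def issue(self, pseudonym: str, trust: float, expiry: int) -> str:
        # Re-issuing overwrites the record, so the old INT value is deleted.
        nonce = os.urandom(16)
        self.records[pseudonym] = (trust, nonce, expiry)
        return int_hash(trust, nonce, expiry)

    def publish(self, now: int) -> List[str]:
        # Expired values are dropped; the rest are ordered by ascending trust.
        # Only hashes are published, never pseudonyms or trust values.
        live = sorted((r for r in self.records.values() if r[2] > now),
                      key=lambda r: r[0])
        return [int_hash(*r) for r in live]


def check_trust(agg_list: List[str], sender_hash: str,
                min_rank: float = 0.5) -> Tuple[bool, Optional[float]]:
    """Receiver-side check: the hash must be present, and its position in the
    ascending list must reach the receiver's (hypothetical) minimum rank."""
    if sender_hash not in agg_list:
        return False, None  # unknown, expired or superseded INT
    rank = (agg_list.index(sender_hash) + 1) / len(agg_list)
    return rank >= min_rank, rank


def demo() -> dict:
    """Constructed scenario: four pseudonyms, then one is re-evaluated downwards."""
    ap = AuthorizedParty()
    now, later = 1_000, 2_000
    issued = {name: ap.issue(name, trust, expiry=later) for name, trust in
              [("PID-A", 0.2), ("PID-B", 0.5), ("PID-C", 0.7), ("PID-D", 0.9)]}
    list_v1 = ap.publish(now)
    results = {
        "D_v1": check_trust(list_v1, issued["PID-D"]),
        "A_v1": check_trust(list_v1, issued["PID-A"]),
    }
    # PID-D misbehaves: the AP re-evaluates its trust and publishes a new list.
    new_d = ap.issue("PID-D", 0.1, expiry=later)
    list_v2 = ap.publish(now)
    results["D_stale_v2"] = check_trust(list_v2, issued["PID-D"])
    results["D_new_v2"] = check_trust(list_v2, new_d)
    results["after_expiry"] = ap.publish(later + 1)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

A message tied to the stale hash is rejected as soon as receivers hold the new list, which is the role a revocation list would otherwise play.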

4.4. One-Off Key Pair Generation

In this subsection, each vehicle node constructs its one-off key pair based on INT to sign the messages it sends. Receivers can verify received messages individually or in aggregate.

Be based on , one-off anonymous public and private key pairs ( and ) can be constructed by . The production of one-off anonymous key pairs is depicted in Algorithm 1. By randomly changing the nonce , can produce a distinctive key pair for a new one-off public and private key pair. Therefore, if is the same, different key pairs can be generated to achieve advanced privacy.

Require:
Ensure:
(1) and
(2) (i) The one-off public key can be calculated as:
(3);
(4) Where is a random number and represent an XOR operation;
(5) (ii) The private key can be calculated as
(6);
4.5. Signature Generation

In this subsection, the vehicle must sign the message with the one-off private key before sending the message, in order to authenticate and preserve the integrity of a message. Vehicle first randomly selects pseudo from memory and selects the latest timestamp . The updated timestamp protects signature messages from replay attacks. Given the signature key and message , the following steps will be performed by vehicle .(1)The node sends the message by calculating and signing on using the private key .(2)After that, outputs the final message and uses the following format to send to other nodes

4.6. Aggregate

If different nodes send many messages to the same node over a period of time, we can calculate multiple signature combinations as for getting a collection of individual certificateless signatures at a receiver.

4.7. Verification

When adjacent vehicles communicate with each other and send messages, the receiving vehicle needs to check the signature of the message to ensure that the corresponding vehicle does not attempt to propagate a false message (Figure3).(1)Individual verify: when the node receives the message, the receiver first extracted from :and calculates to verify the trust value of according to the location in the list. Once the authenticity of the sender’s trust value is verified, the recipient performs signature verification. The receiver uses system common parameters to validate the sender’s signature by computing and , then checks if the following equation is met, , and if satisfied, the recipient accepts this certificateless signature. Since , , , , and . We obtain(2)Aggregate verify: when the node receives the message, the receiver first calculates:Extract from and calculate to verify the trust value of according to the location in the list, in which . Once the authenticity of the sender’s trust value is verified, the recipient performs signature verification. The receiver uses system common parameters to validate the sender’s signature by computing and , which , then check that the following equation is met, , and if satisfied, the recipient accepts this certificateless signature. Since , , , , and . We can get

4.8. Identity Tracking

Once a vehicle sends a malicious message, the TRA can track the identity of the vehicle. Through the pseudoidentity , TRA calculates the equation to trace the vehicle’s true identity. At the same time, the AP will reevaluate the trust of the vehicle and publish the updated list to all vehicle nodes. In addition, TA will update its database.

5. Security Proof and Analysis

Before we show that the proposed scheme has the security and privacy requirements, existential unforgeability of the signature, , is proved in the random oracle model.

5.1. Security Model

The security model of the proposed scheme is to design a game between challenger and adversary , that is, whether adversary can win the challenge given by challenger in polynomial time with a nonnegligible probability. Adversary performs the query described below in the game.
(i) : challenger creates the public key and gives it to .
(ii) : in this query, challenger chooses a random and then adds into the hash list . Finally, sends to .
(iii) : challenger picks random , inserts tuple , , into and responds to with , in query .
(iv) : in this query, challenger picks random , inserts the tuples , , , into and responds to with in query .
(v) : in this query, challenger picks random , inserts the tuple , , to and responds to with .
(vi) : in this query, challenger calculates and then the value is outputted to .
(vii) : after receiving the message , generates the request message and sends it to .

The probability that may violate the authentication of proposed scheme is expressed as .

Definition 3. The proposed scheme for IOV is secure if is negligible for any polynomial adversary .

5.2. Security Proof

In this subsection, to prove unforgeability of the proposed scheme, we need to show that it is unforgeable against adversary . If and only if CDHP is hard, our scheme is secure under adaptive chosen-message attack in the random oracle model.

Theorem 1. Unforgeability: make the prime order group into CDH group, which implies that no challenger can destroy CDHP on it. Therefore, the proposal is that the existence of an attack on adaptive selection is -secure, and , and and is constant, where is the basis of the natural logarithm.

: adversary has the advantage of and time . Suppose queries times for , times for , times for , times for , times for , and times for . And then, a challenger who has the advantage of at least and runtime:to solve CDHP.

Proof. Challenger gives parameters , , and random instance of CDHP, which is , , , whereas is a random generator of with order , and are random in . Let be the solution for CDHP. Challenger interacts with to find the solution through the following query.
Setup: challenger creates and gives it to . This is , , and , which is a random oracle controlled by , as follows:
: when makes a query with parameter , checks whether tuples already exist in the hash list . In that case, transfers to . If not, selects a random and then adds into the hash list . Finally, sends to .
: challenger can query the public key . In response to queries, challenger keeps tuple list , , called . At first, it was empty. selects random , and calculates . It then adds the tuples , , into and when querying , it responds to with and .
: in response to queries, challenger maintains list in tuple , , , . picks random and sets . Then, it adds the tuples , , , into and when querying , it responds to with .
: in response to queries, challenger keeps tuple list , , , called . At first, it was empty. To respond to the query , challenger will do the following:
(1) If it already exists in the tuple , , in when is queried, responds to
(2) Otherwise, only produces random bit , which will be determined later for in
(3) selects random number . If , it then sets . If , it then sets . Afterwards, adds the tuple , , to and responds to with . Note that is homogeneous in and independent of .
: queries partial private key for pseudoidentity , calculates and then examines if the tuple already exists in the hash list , where is a random number. When the corresponding tuple is not found, will output a failure and stop because the query cannot be answered coherently. Or else evaluates and outputs to . It is worth noting that by calling this part of the partial private key query, cannot obtain the of the target user through .
: the signature oracle is simulated by maintaining the list of tuples , , in response to any message signature query. We call this list , which was initially empty. When uses the message to query oracle , responds to the query.
(1) If the query already exists in the tuple , , in , challenger responds with .
(2) Besides, inspects whether , , , and exist. Otherwise, executes -queries to obtain , -queries to gain , -queries to obtain , and -queries to gain . Next, picks two random numbers and . If , . If , it sets , value of placeholder. Finally, it adds tuple to list and replies to .
: challenger publishes the signature query . Challenger obtains by running the above algorithm in response to queries. Note that can use the public key to run to obtain , , , , which can be converted into a valid Diffie–Hellman tuple.
: stops, admit defeat, or forged signature , , where , for some where does not query the signature. If is successfully forged, it means that CDHP is solved. At this time, outputs “success.” Otherwise, the output “fails.” performed exactly as expected in the game model. Thus,
By modifying, if cannot create forgery, will also fail. But if finds ’s forgery successfully, claims success only at , and use index to sign oracle query for messages with (for , will stop immediately after the failure is declared), then .
Therefore, challenger uses signature forger to solve CDHP, which has the advantage of and time . The maximization of function is at , of which it has the following values:
For large , .
Meanwhile, ’s running time consists of ’s running time and the additional overhead, in which the group multiplication to evaluate each signature and hash request from is the main part. Any such multiplication can be done by using up to time units on . may have to answer a request like . Therefore, its overall runtime is .
If there is a forgery that breaks our proposed scheme on , then there is a challenger that can destroy CDHP, where and . On the contrary, if the group is a -CDH group, no challenger could break the proposed scheme, where and .

5.3. Security Analysis

We demonstrate that our proposal complies with all security and privacy requirements described in Section 3.3. As summarized by the comparison results in Table 3, we compared the proposal with other schemes for meeting security requirements, where SR1, SR2, SR3, SR4, and SR5, respectively, represent the authentication, anonymity, traceability, unlinkability, and replaying resistance. The comparison results show that the proposed scheme is superior. The security requirements of the proposed scheme are analyzed next.

5.3.1. Authentication

For the following reasons, the proposed scheme provides message integrity and validity of sender identity: signature is used to verify the authenticity of the message sent from vehicle to verifier vehicle. And, as shown in Theorem 1, in the random oracle model, signature is unforgeable against adaptive chosen-message and identity attacks under the hardness of CDHP.

5.3.2. Anonymity

The INT value given by AP (node or TAs) produces the one-off public key used in message authentication, which cannot be linked to the real identity. Moreover, in order to distinguish a one-off key pair for each message, changes the random number each time is produced. Therefore, for the reason that TA is completely trusted, node privacy can be securely protected. For trust-based anonymous authentication, TA periodically distributes to IOV nodes and uses its private key to sign. ’s internal position on behalf of the trust value of , however, does not link to the real identity of and the true value of trust. Therefore, the proposed scheme provides anonymous authentication of identity privacy-preserving based on trust.

5.3.3. Traceability

Through the equation , TRA can track the identity of a malicious vehicle. Accordingly, when a vehicle is marked as controversial, TRA can track malicious vehicles to meet traceability requirements. Hence, our proposed scheme provides conditional privacy-preserving authentication.

5.3.4. Unlinkability

In our proposal, the INT values in aggregated lists ( or ) are broken down into different levels. According to the INT value published by AP, each node generates . We can set up an INT value range to represent a set of nodes that have the same trust level. Therefore, the trust value of many nodes may belong to the same level of trust. Even if the message receiver validates that the same exists in or , the receiver cannot distinguish whether two or more messages sent during the authentication period came from the same node. Specific vehicles cannot be linked to any two signatures, so the proposed scheme supports unlinkability.

5.3.5. Replaying Resistance

The time stamp in the message is used to keep the message fresh. Vehicles will check the timestamp freshness, so that they can detect the replay message. Therefore, our proposed scheme for IOV provides resistance against the replay attack.

6. Performance Evaluation

In this section, we will analyze the performance of the proposed scheme and compare it with the existing schemes proposed by Horng et al. [15], Bayat et al. [44], and Zhang et al. [45], respectively. The analysis of computation cost and communication overhead is highlighted below.

6.1. Computation Overhead and Comparison

The computational cost refers to the computational overhead of each entity in the authentication process. Table 4 provides the main operations of the four schemes in signing messages and authenticating a single signature, respectively.

The crypto-operations of Horng et al.’s scheme [15], Bayat et al.’s scheme [44] and Zhang et al.’s scheme [45] are established on bilinear pairings. Furthermore, the crypto-operations of the proposed scheme are established on ECC. In order to reach the 80-bit security level, we consider various parameters in pairing and ECC-based schemes, as given in Table 5.

Before the analysis of the computation cost, we define the time required for each cryptographic operation for signature and verification; a few notations to be used in the comparison are described below. In this paper, we use the experiment in Ref. [40] to learn the execution time of the basic cryptographic operations by using the MIRACL library, running on a 3.4 GHz i7-4770 platform. The following results are obtained from [40]: is 0.442 ms, is 0.0276 ms, is 1.709 ms, is 4.406 ms, and is 4.211 ms. Because these operations mainly determine the speed of signature verification, we consider only these five operations and ignore others, such as addition and the one-way hash function.
(i) : the execution time of a scalar multiplication operation associated with ECC, where and
(ii) : the execution time of a small scalar multiplication operation used in the small exponent test technique, where , is a small random integer in and is a small integer
(iii) : the execution time of a scalar multiplication operation associated with the bilinear pairing, where and
(iv) : the execution time of a hash-to-point operation associated with the bilinear pairing, where the hash function maps a string to a point of
(v) : the execution time of a bilinear pairing operation , where

First, we review the message signature time overhead. For Horng et al.’s b-SPECS + scheme [15], the vehicle needs to perform four scalar multiplication operations and one hash-to-point operation associated with the bilinear pairing. To sum up, the time overhead for this scheme is . For Bayat et al.’s scheme [44], the vehicle is required to perform five scalar multiplication operations and one hash-to-point operation associated with the bilinear pairing. To sum up, the time overhead for this scheme is . For Zhang et al.’s scheme [45], the vehicle needs to perform two hash-to-point operations related to the bilinear pairing. To sum up, the time overhead for this scheme is . For the proposed scheme, the vehicle needs to perform one scalar multiplication operation associated with the ECC and one hash-to-point operation associated with the bilinear pairing. To sum up, the time overhead for this scheme is .

We observe the verification time of the signature through the verification equation. For Horng et al.’s scheme [15], the verifier is required to perform two bilinear pairing operations, two scalar multiplication operations, and one hash-to-point operation associated with the bilinear pairing. To sum up, the time overhead for this scheme is . For Bayat et al.’s scheme [44], the verifier is required to perform three bilinear pairing operations, one scalar multiplication operation, and one hash-to-point operation associated with the bilinear pairing. To sum up, the time overhead for this scheme is . For Zhang et al.’s scheme [45], the verifier is required to perform two bilinear pairing operations, two hash-to-point operations associated with the bilinear pairing, and two scalar multiplication operations. To sum up, the time overhead for this scheme is . In our scheme, we evaluate the operation time of two parts of verification: trust authentication and signature verification. Thus, the verifier needs to perform three scalar multiplication operations associated with the ECC and one hash-to-point operation associated with the bilinear pairing. To sum up, the time overhead for this scheme is .

The number of signatures during verification is then denoted by . By batch verification of the equation, we can obtain that the verification time of different signatures is for Horng et al.’s scheme [15], for Bayat et al.’s scheme [44], and for Zhang et al.’s scheme [45], respectively. For the authentication phase of signatures of our proposed scheme, the execution time of the phase is .

Figure 4 shows the computational overhead of signing messages in each scheme. The linear relationship between the computation cost and the number of messages of four authentication schemes is given. Our proposed scheme has a slightly better performance time than Refs. [15, 44, 45]. The computational efficiency of our second scheme in this phase is improved by 56.88% over Horng et al.’s scheme [15], by 62.57% over Bayat et al.’s scheme [44], and by 40.30% over Zhang et al.’s scheme [45].
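The per-message signing and single-signature verification costs described above can be recomputed from the operation counts stated in the text. The following Python sketch is an added example, not code from the paper; it assumes the five timings quoted from [40] are listed in the same order as operations (i) to (v), and its dictionary keys are names chosen here.

```python
# Added example: recompute Section 6.1 costs from the operation counts in the text.
# ASSUMPTION: the five timings quoted from [40] follow the order of items (i)-(v).
# The key names below are chosen for this example; the paper's symbols are not used.
OP_MS = {
    "ecc_mul": 0.442,         # (i) scalar multiplication, ECC
    "ecc_small_mul": 0.0276,  # (ii) small scalar multiplication
    "bp_mul": 1.709,          # (iii) scalar multiplication, pairing group
    "hash_to_point": 4.406,   # (iv) hash-to-point
    "pairing": 4.211,         # (v) bilinear pairing
}
# Operation counts to sign one message, as stated in the text.
SIGN_OPS = {
    "Horng [15]": {"bp_mul": 4, "hash_to_point": 1},
    "Bayat [44]": {"bp_mul": 5, "hash_to_point": 1},
    "Zhang [45]": {"hash_to_point": 2},
    "Proposed": {"ecc_mul": 1, "hash_to_point": 1},
}
# Operation counts to verify one signature, as stated in the text.
VERIFY_OPS = {
    "Horng [15]": {"pairing": 2, "bp_mul": 2, "hash_to_point": 1},
    "Bayat [44]": {"pairing": 3, "bp_mul": 1, "hash_to_point": 1},
    "Zhang [45]": {"pairing": 2, "hash_to_point": 2, "bp_mul": 2},
    "Proposed": {"ecc_mul": 3, "hash_to_point": 1},
}
# Signing improvements claimed in the text (percent, proposed vs. each scheme).
STATED_SIGN_IMPROVEMENT = {"Horng [15]": 56.88, "Bayat [44]": 62.57, "Zhang [45]": 40.30}

def cost_ms(ops):
    """Total time in ms for a dict of {operation: count}."""
    return round(sum(OP_MS[name] * count for name, count in ops.items()), 3)

def improvement_pct(baseline_ms, proposed_ms):
    """Relative saving of the proposed scheme against a baseline, in percent."""
    return round(100.0 * (baseline_ms - proposed_ms) / baseline_ms, 2)

def check_signing_claims(tolerance=0.01):
    """Return {scheme: (computed_pct, stated_pct, matches)} for the signing phase."""
    proposed = cost_ms(SIGN_OPS["Proposed"])
    report = {}
    for scheme, stated in STATED_SIGN_IMPROVEMENT.items():
        computed = improvement_pct(cost_ms(SIGN_OPS[scheme]), proposed)
        report[scheme] = (computed, stated, abs(computed - stated) <= tolerance)
    return report

def per_signature_table():
    """Return {scheme: (sign_ms, verify_ms)} for a single message."""
    return {s: (cost_ms(SIGN_OPS[s]), cost_ms(VERIFY_OPS[s])) for s in SIGN_OPS}

if __name__ == "__main__":
    for scheme, (sign, verify) in per_signature_table().items():
        print(f"{scheme:12s} sign={sign:7.3f} ms  verify={verify:7.3f} ms")
    for scheme, (computed, stated, ok) in check_signing_claims().items():
        print(f"{scheme:12s} computed={computed:.2f}% stated={stated:.2f}% "
              f"{'matches' if ok else 'DOES NOT MATCH'}")
```

Under that ordering assumption the stated 56.88% and 62.57% signing improvements reproduce, while the operation counts given for Zhang et al.’s scheme yield 44.98% rather than 40.30%.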

Figure 5 shows the total execution time for verifying messages, as the number of vehicles in each scenario is increasing. We can see from the figure that Bayat et al.’s scheme’s [44] execution time is less than Horng et al.’s scheme [15], Zhang et al.’s scheme [45], and our scheme in the authentication phase.

6.2. Communication Overhead

In this subsection, we compare the communication overhead of the proposed scheme with other schemes, as given in Table 6.

According to the analysis in Section 6.1, and are 64 and 20 bytes, respectively. Consequently, bytes of elements in group and group are 128 bytes and 40 bytes, respectively. Assuming that the number of bytes of message time is 4 bytes, the number of bytes of RID is 20 bytes, and the number of bytes of the general hash function’s output is 20 bytes, the communication overhead of a complete verification in the authentication scheme of IOV usually consists of vehicle signatures, pseudoidentities, current time stamps, and public keys, while the message itself is not considered.

Because of identity-based encryption, Horng et al.’s scheme [15] does not require any signing certificate to be sent together with the message. Instead, it sends a 42-byte pseudoidentity, i.e., bytes, and the length of a signature is 21 bytes. Thus, the total transmission overhead is bytes. In Bayat et al.’s scheme [44], the verifier receives the broadcast anonymous identity and signature from the vehicle, where and is the timestamp. To sum up, the communication cost is 128 × 3 + 4 = 388 bytes. In Zhang et al.’s scheme [45], the vehicle signs the message as . The overhead of communication can also be calculated using the method shown above. For our proposed scheme, the vehicle signs the message as and broadcasts it to the verifier, where , , both are elements in , where is an element in , and is an array of 20 bytes. and are the timestamps. Thus, the proposed scheme has a communication overhead of 40 × 5 + 20 + 4 × 2 = 228 bytes.

7. Conclusion and Future Work

In the proposal, we proposed a scheme to authenticate the trust of vehicle nodes in IOV. First, our scheme not only provided anonymous authentication of trust but also an effective conditional privacy tracking mechanism, which achieved identity authentication and conditional preserving of privacy, and improved the reliability of V2V communication messages. Next, our proposed scheme realized efficient certificateless authentication, which is based on ECC and replaced the trust on revocation list. Furthermore, we also proved that the proposed scheme is secure against existential forgery in the random oracle model under the CDHP. In future work, we will further consider the characteristics of IOV to design a more efficient scheme, such as high dynamics. In addition, testing the efficiency, adaptability, and robustness of the scheme in a real environment is also an issue to be addressed in the future.

Data Availability

The data used to support this study are available from the corresponding author upon request.

Conflicts of Interest

The authors declare that they have no conflicts of interest.

Acknowledgments

This study was funded by the Anhui first-class undergraduate talent demonstration and leading base (2019rcsfjd088).