Abstract

The Internet of Vehicles (IoV) has attracted extensive attention in recent years. Because its application scenarios are complex, the IoV requires an efficient communication mode. To reduce verification time and shorten signatures, certificateless aggregate signature (CL-AS) schemes are used to improve performance in resource-constrained environments such as vehicular ad hoc networks (VANETs), which makes them effective where bandwidth and storage are limited. In real application scenarios, however, messages must remain untampered, unlinkable, and authentic. In addition, most proposed schemes are vulnerable to attacks by colluding signers or malicious entities, which we call the coalition attack. In this paper, we present an improved certificateless authentication and aggregate signature scheme that properly resists the coalition attack. The proposed scheme uses pseudonyms in communication so that vehicles do not reveal their identities, and it achieves considerable efficiency compared with state-of-the-art certificateless signature (CLS) and CL-AS schemes. We prove the scheme secure against existential forgery under adaptive chosen-message attack and against the coalition attack, and we show that it outperforms existing schemes in both computation and communication cost.

1. Introduction

With the rapid development of communication technology, vehicles equipped with powerful smart devices can communicate with each other, and this novel application has attracted extensive interest. Such applications are commonly referred to as vehicular ad hoc networks (VANETs). By communicating with other vehicles and with network systems, VANETs can help maintain safe inter-vehicle distances and reduce the probability of collisions, help drivers navigate in real time, and improve the efficiency of traffic operation [1].

Although VANETs have many merits, they still have a long way to go before wide deployment. One obstacle is privacy. Without proper privacy protection, malicious adversaries can collect vehicle information, such as routes or status, and use it to mount attacks. Using pseudonyms in communication avoids this problem: a vehicle communicates with other vehicles or with a roadside unit (RSU) under a pseudonym, and nobody except the trusted authority (TA) can recover its true identity. Even if the messages exchanged between vehicles and RSUs are collected by an attacker, they do not reveal identity information. Beyond identity privacy, VANETs must also withstand attacks on the authenticity and integrity of messages.

Recently, several novel schemes and algorithms have been proposed to solve these problems. Lin et al. [2] proposed a blockchain-based protocol that reduces the verification and storage cost for vehicles. Kumar et al. [3] proposed an efficient scheme that uses path signatures to resist Sybil attacks. Jiang et al. [4] proposed an anonymous authentication scheme (AAAS) for VANETs that adopts a group signature mechanism to provide a more efficient anonymous authentication service for vehicles. Zheng et al. [5] presented a certificateless group signature anonymous authentication scheme for VANETs, which shortens the signature and improves signing efficiency. Among these schemes, Kamil et al.'s scheme [6] is particularly efficient. However, we find that it cannot resist the coalition attack, which is launched by two colluding vehicles. For example, two vehicles can exchange their locations when generating their signatures; the resulting signatures still verify, so the vehicles can hide their real locations, which may have serious consequences. The detailed description and analysis are given in Subsection 4.3. We make the RSU both the aggregator and the verifier and add a random list to solve this problem. Our main contributions are as follows:

(i) We show that Kamil et al.'s schemes are not secure against attacks by malicious vehicles and propose a solution to the problem.
(ii) We propose an improved certificateless authentication and aggregate signature scheme for VANETs and prove its correctness and its resistance to coalition attacks.
(iii) We use efficiency analysis and simulation to show the superiority of our scheme in efficiency and practicality.

The rest of this paper is organized as follows. In Section 2, we discuss related work on CLS and CL-AS schemes in VANETs. In Section 3, we describe the relevant concepts and models. In Section 4, we review Kamil et al.'s scheme and show that it cannot resist the coalition attack. We present our scheme in detail in Section 5. Experiments and result analysis are described in Section 6. We conclude the paper in Section 7.

2. Related Work

To meet the security and privacy requirements of VANETs, a number of researchers [7-9] proposed Public Key Infrastructure-based (PKI-based) authentication schemes. These schemes either require vehicles to perform considerable computation to verify the signatures of other vehicles, or assume a trusted certificate authority that issues and maintains the certificates of all vehicles. The assumption may be unrealistic, however, because a single node cannot afford such heavy computation.

Later, identity-based signature (IBS) schemes were widely discussed. For example, Liu et al. [10] proposed an IBS scheme in which the user's identity serves as the public key and the private key is generated by a private key generator (PKG), which reduces the burden on a single node. However, IBS has an inherent key escrow problem: because the PKG derives every user's private key from the user's identity, it knows all private keys.

Al-Riyami and Paterson [11] first introduced certificateless public key cryptography. In recent years, much research on CLS and CL-AS schemes based on bilinear pairings has been carried out [12-14]. In these schemes, the key generation center (KGC) uses its master key and the user's identity to compute a partial private key and sends it to the user; the user then combines the partial private key with his or her own secret value to obtain the full private key. The KGC therefore never learns the full private key, which protects the user's privacy and keeps the system secure. However, these schemes rely on bilinear pairings, which are computationally expensive.

Elliptic curve cryptography (ECC) is chosen for CLS and CL-AS schemes because of its high efficiency. Xie et al. [15] gave a rigorous security proof showing that their scheme resists various malicious attacks and ensures privacy protection. In the field of healthcare, Du et al. [16] proposed a CL-AS scheme with high efficiency and low latency that is well suited to healthcare applications. In 2018, Cui et al. [17] presented novel CLS and CL-AS schemes based on ECC that significantly reduce computation time during signing and verification. Kamil et al. [6] showed that the scheme of Cui et al. is not secure against signature forgery and proposed an improved signature scheme for VANETs, claiming that it meets all the security and privacy needs of VANETs. In this paper, we demonstrate that their scheme cannot resist coalition attacks, and we show that our improved scheme resists the attack and achieves better performance.

3. Preliminaries

3.1. Elliptic Curve Cryptography

Elliptic curve cryptography is widely used because it combines high efficiency with strong security. In public key cryptography, it achieves the same security level as RSA with far fewer bits. Because of its smaller parameters, shorter keys, and lower time cost, elliptic curve cryptography is well suited to VANET application scenarios. We give the following three definitions.

Definition 1 (Elliptic curve). Our scheme uses a 160-bit elliptic curve. Assume that is a finite field of modulus , where is a large prime number. The elliptic curve over the finite field is defined as follows: (mod ), where and (mod ).

Definition 2 (Addition on elliptic curves). Assume that , where is a point of the elliptic curve and (mod ) is the negative of . Suppose , ; the line through and intersects the elliptic curve at a third point , and the point symmetric to about the x-axis is ; then we define . In addition, scalar multiplication on the elliptic curve is described as follows:

Definition 3 (Elliptic curve discrete logarithm problem). Assume that is a point on the elliptic curve over the finite field , and select a random number . Then we can calculate . This computation is feasible by Definition 2. By the elliptic curve discrete logarithm problem (ECDLP), however, it is computationally infeasible to recover from the above equation.

3.2. Forking Lemma

Definition 4 (Forking lemma [18]). Suppose that is a probabilistic polynomial-time Turing machine whose input includes only public data. Let and denote the number of queries that can make to the random oracle and to the signer, respectively. Suppose that within time , can produce a valid signature with probability . If, without knowing the private key, forges a signature with an indistinguishable distribution, then there exists a machine that can extract the secret information from , obtain , and replace the interaction with the signer by simulation. Eventually, it produces two valid signatures and such that in expected time .

3.3. Certificateless (Aggregate) Signature Scheme

Generally, a certificateless signature (CLS) scheme and a certificateless aggregate signature (CL-AS) scheme consist of the following seven algorithms.

(1) Setup: the KGC and TA execute this probabilistic algorithm, which takes a security parameter and generates an elliptic curve , public keys and , and master secret keys , respectively, and then publishes the system parameters.
(2) PartialPrivateKeyGeneration: the entity first transmits a tuple containing its real identity and partial pseudo identity to the TA. The TA computes the whole pseudo identity and sends it to the KGC. Finally, the KGC transmits the partial private key to the entity over a secure channel.
(3) VehicleKeyGeneration: the entity selects a random as its secret key and computes its public key .
(4) IndividualSign: each entity runs this algorithm: after generating a message , the entity computes a set of variables and sends the signature to the verifier.
(5) IndividualVerify: the verifier, such as an RSU, runs this algorithm. On input the signature , pseudo identity , and current time , the RSU first checks the time validity, then outputs true if the signature is valid and false otherwise.
(6) AggregateSign: in our system the aggregate signature generator is generally the RSU. For an aggregating set of entities with pseudo identity list , corresponding public keys , and message-signature tuples from the respective entities, the aggregator generates the aggregate signature and transmits the tuple containing the signature, the list , and the time list to the verifier.
(7) AggregateVerify: in general, another RSU runs this algorithm. It takes the aggregating set of entities and the pseudo identity of each entity , first checks the time validity for each entity, then outputs true if the aggregate signature is valid and false otherwise.

3.4. Security Model

In this section, we present the security model of CLS and CL-AS schemes. We consider two types of adversaries: Type and Type . A Type adversary can replace a user's public key but cannot access the master secret key of the KGC. A Type adversary can access the master secret key of the KGC, and is therefore called an internal attacker, but cannot replace a user's public key.

Generally, we model the security of CLS and CL-AS schemes with games played between an adversary and a challenger . The adversary can access the following five oracles:

(1) GenerateUser: given a user's identity , returns the public key of .
(2) RevealPartialPrivateKey: given a user's pseudo identity , outputs the corresponding partial private key .
(3) RevealSecretKey: given a user's pseudo identity , returns the user's secret key .
(4) ReplaceKey: given a user's pseudo identity and a public key , replaces the user's public key with .
(5) Sign: given a message , uses the Sign algorithm to generate a signature of user on message and returns it to .

We construct the following two games, Game I and Game II, for our CLS scheme.

Game I. A Type adversary and a challenger play the game as follows:

Step 1. runs the Setup algorithm to generate a master secret key , the system parameters, and the system public key . It sends the system parameters to and keeps secret.

Step 2. adaptively queries the GenerateUser, RevealPartialPrivateKey, RevealSecretKey, ReplaceKey, and Sign oracles.

Step 3. outputs a public key and a signature of a user with identity .

wins the game if the following conditions are met:
(i) has never submitted to the RevealPartialPrivateKey oracle, so it does not know the partial private key.
(ii) is a valid signature of the user with identity under the public key .
(iii) has never submitted to the Sign oracle.

Game II. A Type adversary and a challenger play the game as follows:

Step 1. runs the Setup algorithm to generate a master secret key , the system parameters, and the system public key . It sends the system parameters, , and to .

Step 2. adaptively queries the GenerateUser, RevealPartialPrivateKey, RevealSecretKey, and Sign oracles.

Step 3. outputs a public key and a signature of a user with identity .

wins the game if the following conditions are satisfied:
(i) has never submitted to the RevealSecretKey or ReplaceKey oracle, so it neither knows the secret key of nor has replaced its public key.
(ii) is a valid signature of the user with identity under the public key .
(iii) has never submitted to the Sign oracle.

Definition 5. The CLS scheme is provably secure if no polynomial-time adversary of Type or Type can win Game I or Game II, respectively, with non-negligible advantage.

We construct the following two games, Game III and Game IV, for our CL-AS scheme.

Game III. A Type adversary and a challenger play the game as follows:

Step 1. runs the Setup algorithm to generate the master secret key , the system parameters, and the system public key . It sends the system parameters to and keeps secret.

Step 2. adaptively queries the GenerateUser, RevealPartialPrivateKey, RevealSecretKey, ReplaceKey, and Sign oracles.

Step 3. outputs an aggregate signature of users with identities and corresponding public keys on messages .

wins the game if the following conditions are satisfied:
(i) At least one of the identities has never been submitted to the RevealPartialPrivateKey oracle, so its partial private key is unknown to .
(ii) is a valid aggregate signature on messages of the users with identities and corresponding public keys .
(iii) has never submitted to the Sign oracle.

Game IV. A Type adversary and a challenger play the game as follows:

Step 1. runs the Setup algorithm to generate the master secret key , the system parameters, and the system public key . It sends the system parameters and to .

Step 2. adaptively queries the GenerateUser, RevealPartialPrivateKey, RevealSecretKey, and Sign oracles.

Step 3. outputs an aggregate signature of users with identities and corresponding public keys on messages .

wins the game if the following conditions are satisfied:
(i) At least one of the identities has never been submitted to the RevealSecretKey or ReplaceKey oracle, so neither its secret key is known to nor has its public key been replaced.
(ii) is a valid aggregate signature on messages of the users with identities and corresponding public keys .
(iii) has never submitted to the Sign oracle.

Definition 6. The CL-AS scheme is provably secure if no polynomial-time adversary of Type or Type can win Game III or Game IV, respectively, with non-negligible advantage.

4. Overview of Kamil et al.’s CLS and CL-AS Scheme

In the scheme proposed by Kamil et al. [6], there are four entities: the TA, the regional transport management authority (RTMA), which is a trusted party responsible for partial secret key generation, the RSU, and the vehicle. The scheme is reviewed as follows.

4.1. Overview of Kamil et al.’s CLS Scheme

(1) Setup: the TA selects a security parameter , two secure primes and , an elliptic curve defined by the equation mod , where , a generator of order of the additive group of all points on , and five hash functions , , , , and . It then picks as its master secret key and computes its public key . The TA also defines a time function , where is the current time, and publishes .

(2) UserRegistration: the RTMA registers a vehicle with identity as follows. First, the vehicle sends its identity to the RTMA. Then the RTMA randomly selects and computes the hash chain set , , where .

(3) PartialSecretKeyGeneration: after receiving and the identity of the vehicle, the RTMA proceeds as follows:

Step 1. The RTMA generates its public key , where the secret key is randomly selected.

Step 2. Calculate , , , and .

Step 3. Compute and .

Step 4. Publish , send to the vehicle, and send to the TA.

(4) PseudonymGeneration: after receiving the tuple from the RTMA, the vehicle proceeds as follows:

Step 1. Compute and .

Step 2. Check whether is valid by testing whether the equation holds.

Step 3. Compute its pseudonym set as at timeslot , where .

(5) UserKeyGeneration: the vehicle with generates its key pair as follows:

Step 1. Choose at random.

Step 2. Calculate and .

Step 3. Output and as its private and public keys, respectively.

(6) Sign: after receiving , , , and , a vehicle with pseudo identity signs a message as follows:

Step 1. Randomly pick and calculate .

Step 2. Calculate , , and .

Step 3. Calculate , , , and .

Step 4. Output the signature on message and transmit , where is the current timestamp.

(7) Verify: after receiving the tuple , the verifier checks the signature as follows:

Step 1. Check whether the time delay equation holds. If it holds, is valid and the verifier continues; otherwise, it rejects the signature.

Step 2. Calculate .

Step 3. Check whether the following equation holds. If it holds, the signature is valid; otherwise, it is discarded.

4.2. Overview of Kamil et al.’s CL-AS Scheme

The Setup, UserRegistration, PartialPrivateKeyGeneration, PseudonymGeneration, VehicleKeyGeneration, Sign, and Verify algorithms are the same as in the CLS scheme above. The Aggregate and AggregateVerify algorithms are as follows:

(1) Aggregate: in general, the roadside unit (RSU) acts as the aggregator. On receiving certificateless signatures on messages from pseudo identities under the state information , the RSU calculates and , and outputs the certificateless aggregate signature .

(2) AggregateVerify: generally another RSU or AS acts as the verifier. On receiving a certificateless aggregate signature signed by vehicles, it proceeds as follows:

Step 1. Check whether the timestamp is valid; if not, abort; otherwise, continue with the following steps.

Step 2. Compute .

Step 3. Check whether the following equation holds. If it holds, all the signatures are accepted; otherwise, the aggregate signature is rejected.

4.3. Cryptanalysis of Kamil et al.’s CL-AS Scheme

The security problem in the scheme of Kamil et al. [6] lies mainly in the coalition attack, an attack mounted by several colluding vehicles.

As described in Figure 1, in a coalition attack two or more vehicles secretly exchange part of their message contents, such as locations, in order to hide their real locations and routes. The RSU (verifier) receives the exchanged signatures and accepts them, so the exchanged data of the colluding vehicles is treated as genuine. This harms the system and, in the worst case, can cause a serious accident.

We now describe the coalition attack on Kamil et al.'s CL-AS scheme to illustrate the flaw.

Assume that two users have pseudonyms and messages , respectively. We show that the two users can cooperate to produce a valid aggregate signature even though their individual signatures are invalid. They carry out the coalition attack by executing the following steps.

Step 1. The user randomly picks and calculates .

Step 2. Calculate , , , , , , , , , and .

Step 3. sends to , and likewise sends to , over a secure channel. Then calculates , and likewise calculates .

Step 4. Finally, they output the signature and transmit .

Obviously, is not a valid individual signature. However, when the RSU or AS aggregates the signatures as , the result is a valid aggregate signature that satisfies the following equation.

Therefore, two malicious users can collude to forge an aggregate signature. The root cause is that aggregate verification only checks a sum of the individual terms: by the commutative law of addition, a quantity moved from one signer's signature into the other's cancels in the aggregate, so the aggregate equation still holds although neither individual equation does. In the same way, users can forge an aggregate signature by the same procedure. Hence, Kamil et al.'s CL-AS scheme cannot resist coalition attacks.

5. Our Proposed CLS and CL-AS Schemes

5.1. System Model

In this section, we describe our system model in detail. The system model is shown in Figure 2. There are four participants: the trusted authority (TA), the key generation center (KGC), the road-side unit (RSU), and the vehicle. They form two layers: the upper layer contains the TA and the KGC, and the lower layer contains the RSUs and the vehicles. The participants are as follows:

(1) TA: a fully trusted third party responsible for system initialization, user registration, system parameter generation, and system security. If necessary, it can trace malicious behavior and identify malicious nodes. It has ample computing power and storage capacity.
(2) KGC: a partially trusted party that generates partial private keys. It helps a vehicle generate its partial private key, which contributes to the vehicle's privacy. Like the TA, it has sufficient memory, processing, and computing capabilities.
(3) RSU: a smart device installed at the roadside that can exchange information with the TA, the KGC, vehicles, and other RSUs over a secure wired connection. An RSU commonly has limited computing power and storage capacity.
(4) Vehicle: the basic member of a VANET, generally equipped with a smart device that performs basic functions such as transmitting the vehicle's messages and carrying out simple computations. A vehicle commonly has limited computing power and storage capacity.

Note that the TA and the KGC are functionally distinct entities, but they can be deployed on a single server.

5.2. Design Requirements

For safe communication in VANETs, security and privacy are crucial. According to recent research in this field, a scheme for VANETs must satisfy the following requirements:

(1) Message integrity and authentication: a legitimate vehicle must be able to check whether a message was sent and signed by a legitimate vehicle and has not been forged or modified by a malicious entity.
(2) Identity privacy preservation: a vehicle must remain anonymous in all circumstances; a malicious entity must not be able to infer its identity by collecting and analyzing multiple messages about it.
(3) Traceability: the TA must be able to trace and obtain a vehicle's real identity even though the vehicle communicates anonymously.
(4) Unlinkability: a potentially malicious vehicle must not be able to link two messages sent by the same vehicle, so that it cannot extrapolate the vehicle's route from the messages.
(5) Resistance to attacks: a reasonable scheme must withstand common attacks such as the coalition attack, the impersonation attack, the modification attack, and the replay attack.

5.3. Our Proposed CLS Scheme

Our proposed CLS scheme consists of five algorithms: Setup, PartialPrivateKeyGeneration, VehicleKeyGeneration, Sign, and Verify. The notation is listed in Table 1, and the algorithms are illustrated in Figure 3 and described as follows:

(1) Setup: given a security parameter , the TA generates and outputs the system parameters by executing the following steps:

Step 1. Select two secure prime numbers and , then choose , , which define an elliptic curve given by the equation mod , where (mod ), and a generator of the additive group of all points on .

Step 2. Choose at random as the master secret key and compute the master public key . The KGC selects at random and computes , which is the public key of the KGC.

Step 3. Select three secure hash functions: .

Step 4. Store the master secret key safely in the TA's repository, then publish all the system parameters:

(2) PartialPrivateKeyGeneration: the vehicle's partial private key is generated as follows:

Step 1. The vehicle with real identity randomly selects as its private key and computes its partial pseudo identity . It then transmits (, ) to the TA.

Step 2. After receiving the tuple, the TA computes another pseudo identity , where is the system state information [19]; the TA then sends the vehicle's pseudo identity to the KGC in a secure way.

Step 3. The KGC computes and the vehicle's partial private key (mod ). Finally, the KGC transmits the tuple to the vehicle .

(3) VehicleKeyGeneration: after receiving the partial private key , the vehicle checks whether the equation holds. If it holds, the partial private key is valid. The vehicle then randomly selects its private key and computes its public key .

(4) Sign: to achieve authentication and message integrity, every message must be signed before it is sent and verified when it is received. A vehicle uses its pseudo identity and picks the latest timestamp ; the fresh timestamp protects a signed message against replay attacks. Given the signing key and a traffic-related message , the vehicle performs the following steps, which are repeated every ms in accordance with the DSRC protocol [20]:

Step 1. Choose a random number and calculate .

Step 2. Calculate , where the timestamp binds the signature to the current time, and mod .

Step 3. The signature on message is ; the vehicle transmits the signature and to the verifier.

(5) Verify: when an RSU or another entity receives the signature and the tuple from the vehicle , it verifies the message as follows:

Step 1. Check whether the timestamp is valid; if not, abort; otherwise, continue.

Step 2. Calculate and

Step 3. Check whether the following equation holds. If it holds, the RSU or other entity accepts the signature and the message; otherwise, it rejects the message.

5.4. Our Proposed CL-AS Scheme

The Setup, PartialPrivateKeyGeneration, VehicleKeyGeneration, Sign, and Verify algorithms of the CL-AS scheme are the same as in the proposed CLS scheme. The Aggregate and AggregateVerify algorithms are described below. Note that Aggregate and AggregateVerify are usually executed by the same RSU, which reduces the data transmitted during communication.

(1) Aggregate: when an aggregator such as an RSU receives the messages , signatures , timestamps , , public keys , , and pseudo identities of vehicles, it aggregates the signatures as follows:

Step 1. Randomly choose a random list , where . The random list was first introduced in [21, 22] and is used here to resist coalition attacks.

Step 2. Calculate and .

Step 3. Output the signature and pass to the verifier.

(2) AggregateVerify: after aggregating the vehicles' messages, the same RSU verifies the aggregate signature as follows:

Step 1. Check whether the timestamp list is valid; if not, abort; otherwise, continue.

Step 2. For every vehicle, calculate and .

Step 3. Check whether the following equation holds. If it holds, the RSU accepts the aggregate signature and the messages and can forward them to other entities; otherwise, it rejects the messages.
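The coalition attack of Subsection 4.3 and the random-list countermeasure of Subsection 5.4 both rest on one algebraic fact: a linear aggregate check only sees the sum of the signers' scalars. The Python program below is an added example and is not code from this paper or from Kamil et al. It uses a plain Schnorr-style signature over secp256k1 as a stand-in for the certificateless signature (the partial private keys, pseudonyms and timestamps of the paper are omitted because they play no role in the attack's algebra), implements the point addition and scalar multiplication of Definition 2 in pure Python, and then shows that two colluding signers who shift their scalars by +delta and -delta produce individually invalid signatures whose plain aggregate still verifies, while the aggregator's random list (coefficients drawn only after the signatures arrive) rejects the same batch. The function names `coalition`, `aggregate_verify_random_list` and `demo`, and the two sample beacon messages, are constructed for this example.

```python
import hashlib
import secrets

# secp256k1 parameters: curve y^2 = x^3 + 7 over F_P, base point G of prime order N.
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFF_FFFFFFFF_FFFFFFFF_FFFFFFFE_BAAEDCE6_AF48A03B_BFD25E8C_D0364141
G = (0x79BE667E_F9DCBBAC_55A06295_CE870B07_029BFCDB_2DCE28D9_59F2815B_16F81798,
     0x483ADA77_26A3C465_5DA4FBFC_0E1108A8_FD17B448_A6855419_9C47D08F_FB10D4B8)
# The point at infinity (group identity) is represented by None.

def ec_add(p1, p2):
    """Point addition of Definition 2 (chord-and-tangent rule; a = 0 for this curve)."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None  # Q + (-Q) is the point at infinity
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P

def ec_mul(k, pt):
    """Scalar multiplication k*pt by double-and-add."""
    acc = None
    k %= N
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt = ec_add(pt, pt)
        k >>= 1
    return acc

def h(R, pk, msg):
    """Hash-to-scalar binding the commitment R, the public key and the message."""
    data = b"".join(v.to_bytes(32, "big") for v in (*R, *pk)) + msg
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N

def keygen():
    x = secrets.randbelow(N - 1) + 1
    return x, ec_mul(x, G)

def sign(x, pk, msg):
    """Individual Schnorr-style signature (R, s) with s = k + h*x mod N."""
    k = secrets.randbelow(N - 1) + 1
    R = ec_mul(k, G)
    return R, (k + h(R, pk, msg) * x) % N

def verify(pk, msg, sig):
    R, s = sig
    return ec_mul(s, G) == ec_add(R, ec_mul(h(R, pk, msg), pk))

def aggregate(sigs):
    """Plain linear aggregation: keep every R_i, sum the scalars s_i."""
    return [R for R, _ in sigs], sum(s for _, s in sigs) % N

def aggregate_verify(pks, msgs, Rs, S):
    """Plain aggregate check S*G == sum_i (R_i + h_i*PK_i); it only sees the sum."""
    rhs = None
    for pk, m, R in zip(pks, msgs, Rs):
        rhs = ec_add(rhs, ec_add(R, ec_mul(h(R, pk, m), pk)))
    return ec_mul(S, G) == rhs

def aggregate_verify_random_list(pks, msgs, sigs, rand_list):
    """Random-list check: (sum c_i*s_i)*G == sum c_i*(R_i + h_i*PK_i).
    It needs every s_i, so aggregation and verification run on the same RSU."""
    lhs = ec_mul(sum(c * s for c, (_, s) in zip(rand_list, sigs)) % N, G)
    rhs = None
    for c, pk, m, (R, _) in zip(rand_list, pks, msgs, sigs):
        rhs = ec_add(rhs, ec_mul(c, ec_add(R, ec_mul(h(R, pk, m), pk))))
    return lhs == rhs

def coalition(sig1, sig2, delta):
    """Two colluding signers move delta from one scalar to the other: each
    signature becomes invalid, but s1' + s2' == s1 + s2 so the plain aggregate passes."""
    (R1, s1), (R2, s2) = sig1, sig2
    return (R1, (s1 + delta) % N), (R2, (s2 - delta) % N)

def demo():
    """Run the attack against both verifiers and return the outcomes."""
    (x1, pk1), (x2, pk2) = keygen(), keygen()
    pks = [pk1, pk2]
    msgs = [b"V1 pos=52.1,13.4 ts=100", b"V2 pos=52.3,13.9 ts=100"]  # constructed beacons
    honest = [sign(x1, pk1, msgs[0]), sign(x2, pk2, msgs[1])]
    forged = list(coalition(honest[0], honest[1], secrets.randbelow(N - 1) + 1))
    Rs, S = aggregate(forged)
    # The random list is drawn by the verifying RSU only after the signatures arrived.
    rand_list = [secrets.randbelow(2**64) + 1 for _ in pks]
    return {
        "honest_individual": all(verify(pk, m, s) for pk, m, s in zip(pks, msgs, honest)),
        "forged_individual": any(verify(pk, m, s) for pk, m, s in zip(pks, msgs, forged)),
        "forged_plain_aggregate": aggregate_verify(pks, msgs, Rs, S),
        "forged_random_list": aggregate_verify_random_list(pks, msgs, forged, rand_list),
        "honest_random_list": aggregate_verify_random_list(pks, msgs, honest, rand_list),
    }

if __name__ == "__main__":
    print(demo())
```

The weighted check rejects the coalition because the forged scalars contribute delta*(c1 - c2) to the left-hand side, which is nonzero modulo the prime N whenever the two coefficients differ. That protection holds only while the signers cannot predict the list: if c1 and c2 were known before signing, the colluders could use offsets delta/c1 and -delta/c2 and the weighted sum would cancel again. This is why the paper has the same RSU draw the list in Aggregate Step 1 and verify it in AggregateVerify, and why the list must come from a cryptographically secure generator (the `secrets` module here rather than `random`).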

5.5. Correctness of Individual Message Verification

The individual verification in the proposed scheme is correct. The correctness proof is as follows:

5.6. Correctness of Aggregate Message Verification

The aggregate verification in the proposed scheme is correct. The correctness proof is as follows:

5.7. Security Proof of the Proposed CLS Scheme

According to Definition 3, it is extremely hard to solve ECDLP. Therefore, we can prove that our CLS scheme is able to enforce nonforgery.

On the basis of Definition 4, assume that a probabilistic polynomial-time forger can forge a signature with an advantage . In addition, denotes random oracles for , denotes the Generate-User oracle, denotes the Partial-Private-Key oracle, and denotes the Secret-Key oracle. Then a challenger can solve the ECDLP within a time bound , where , if .

(1) Setup: chooses and calculates , which serve as its private key and master public key. Then generates the system parameters and transmits them to .
(i) Hash Query: on receiving a query with parameter from , examines whether the hash list holds the corresponding tuple . If not, selects a random number and puts it in the list . If so, it transmits to .
(ii) Hash Query: on receiving a query with parameter from , examines whether the hash list holds the corresponding tuple . If not, chooses a random number and puts the tuple in the list . If so, it transmits to . Eventually, transmits to .
(2) Partial-Private-Key Query: after receiving a query about the identity from , calculates , where is randomly selected, and checks whether the hash list holds the corresponding tuple . If so, calculates mod and transmits the partial private key of vehicle to . If not, it halts.
(3) User-Generation Query: suppose that the query is based on the pseudo identity .
(i) checks whether exists in the list , if the list includes . If not, a random number is selected and calculates . If so, it transmits to . Eventually, the challenger transmits to and updates the list.
(ii) sets if the tuple does not exist in the list . Then a random number is chosen, is calculated, and is regarded as a private key. Eventually, transmits to and puts the tuple into the list .
(4) Private-Key Query:
(i) checks whether exists in the list , if the list includes . If not, it accesses a User-Generation query to output the public key . Eventually, the challenger transmits to and updates the list.
(ii) accesses a User-Generation query if the tuple does not exist in the list . Eventually, transmits to and puts the tuple into the list .
(5) Sign Query: after receiving a legitimate query about the message of pseudo identity , checks the tuple in the hash list . Hence, it can easily obtain the value from the tuple and select two random numbers and . Then chooses another two random numbers and . Furthermore, calculates and . Eventually, it transmits to and puts the tuple in the list .

Theorem 7. In the random oracle model, our proposed scheme is unforgeable under an adaptive chosen message attack.

Proof. Assume that an ECDLP instance is given, that the elliptic curve holds two points and , and that an adversary is able to forge a message . We then run a game between a challenger and the adversary , in which executes and manipulates to solve the ECDLP with nonnegligible probability.

We apply the forking lemma of Definition 4 to our proposed scheme. By replaying with the same random elements, obtains two legitimate signatures and within polynomial time, where (mod ) and (mod ) by computing.

In conclusion, if , then is able to break the ECDLP within a time period less than . This contradicts the hardness of the ECDLP. Therefore, our proposed CLS scheme resists forgery attacks.

5.8. Security Proof of the Proposed CL-AS Scheme

According to Definition 3, it is extremely hard to solve the ECDLP. Therefore, we can prove that our scheme is able to enforce nonforgery. Furthermore, we will prove that our CL-AS scheme can also resist coalition attacks.

(1) Setup: a random number is selected as the master secret key, and the public key is calculated as . Then the oracle simulation is ready to run. Throughout the game, maintains a list and responds to 's oracle queries as follows.
(i) Query: after receiving a pseudo identity , throws a coin , where holds with probability and holds with probability ; then selects . If , outputs . Otherwise, it defines . puts the tuple in a list to track the responses to queries, whatever the value of is.

Theorem 8. In the random oracle model, our proposed CL-AS scheme is unforgeable under an adaptive chosen message attack.

Proof. Suppose that our CL-AS scheme can be broken by a forger . We construct a challenger from the forgery algorithm . Challenger executes the following steps by interacting with .

Then, will transmit vehicles with identities from the list , public keys from the list , messages , a random list , and a certificateless aggregate signature . At the beginning, will select the tuples for in the list and precede only and for . Note that the Sign oracle has not received the tuple . Otherwise, will halt and fail. This success case signifies that and for . In addition, the aggregate signature is supposed to satisfy the aggregate verification equation .

Accordingly, checks the tuples in the list and the tuple from . Later, it calculates mod , which will satisfy for . Eventually, constructs as , for and for . will select a random number and calculate .

Hence, the hash value is defined as . If the list already holds the tuple , it will use until no repetition occurs. Consequently, the signature is a legitimate certificateless signature on message because the following equation holds:

Eventually, obtains the signature as a forgery of the certificateless signature scheme. This contradicts the hardness of the ECDLP. Therefore, our proposed CLS scheme resists forgery attacks.

Theorem 9. The proposed certificateless aggregate signature (CL-AS) scheme can resist coalition attacks.

Proof. Assume that there are two malicious vehicles and with pseudonyms and and messages and , respectively, and that all other system parameters are published by the TA and the KGC. Following the description in Subsection 4.3, the two vehicles and attempt to execute similar algorithms to forge valid signatures. However, our proposed scheme can perfectly resist the coalition attack; the details are as follows.
To begin with, the two vehicles pick their own private keys and calculate their corresponding public keys .

According to the algorithms in Subsection 5.7, the two malicious vehicles execute the algorithms in order but secretly exchange their , which is a part of the signature. Eventually, the two vehicles transmit their messages , signatures , timestamp , and pseudo identity to the aggregator.

When the aggregator receives the above information, it aggregates the signature as follows: it first chooses a random list , where , then calculates and . Finally, the aggregator outputs the signature and transmits it to the verifier.

In the last step, the verifier checks whether the equation holds. The equation cannot hold, as shown below:

One can see that the random list plays an essential role in resisting the coalition attack. The two-vehicle case extends to vehicles by exactly the same method and algorithm, which shows that our proposed certificateless aggregate signature (CL-AS) scheme can resist coalition attacks.
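To make the role of the random list concrete, the following is an added illustration and not the paper's scheme: it uses a simplified Schnorr-style signature in a prime-order subgroup of Z_p^* with constructed toy parameters (p = 2039, q = 1019, generator 4) instead of the certificateless ECC construction above, and keeps only the idea that the aggregator combines the signatures under its random list of weights. Two colluding signers shift a secret offset between their signature values so that neither verifies alone while an unweighted sum still does; distinct random weights break that cancellation.

```python
# Added toy illustration (not the paper's CL-AS scheme): Schnorr-style
# signatures in the order-Q subgroup of Z_P^*, aggregated under the
# aggregator's random list of weights. Parameters are constructed and
# far too small for real use.
import hashlib
import secrets

P, Q, G = 2039, 1019, 4   # constructed toy group: G generates the order-Q subgroup of Z_P^*

def H(*parts):
    """Hash to Z_Q (stands in for the scheme's one-way hash functions)."""
    data = "|".join(str(x) for x in parts).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q

def keygen():
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)

def sign(x, y, msg):
    r = secrets.randbelow(Q - 1) + 1
    R = pow(G, r, P)
    return R, (r + H(R, y, msg) * x) % Q

def verify(y, msg, sig):
    R, s = sig
    return pow(G, s, P) == R * pow(y, H(R, y, msg), P) % P

def random_weights(n):
    """The aggregator's random list: distinct nonzero weights mod Q."""
    ws = []
    while len(ws) < n:
        w = secrets.randbelow(Q - 1) + 1
        if w not in ws:
            ws.append(w)
    return ws

def aggregate(items, weights):
    """items: list of (y, msg, (R, s)); weights [1]*n gives plain summation."""
    return sum(w * s for w, (_, _, (_, s)) in zip(weights, items)) % Q

def verify_aggregate(items, weights, S):
    rhs = 1
    for w, (y, msg, (R, _)) in zip(weights, items):
        rhs = rhs * pow(R * pow(y, H(R, y, msg), P) % P, w, P) % P
    return pow(G, S, P) == rhs

def coalition(items, d):
    """Two colluding signers move a secret offset d between their s values:
    neither signature verifies alone, yet their plain sum is unchanged."""
    (y1, m1, (R1, s1)), (y2, m2, (R2, s2)) = items
    return [(y1, m1, (R1, (s1 + d) % Q)), (y2, m2, (R2, (s2 - d) % Q))]
```

Apply `coalition` to two honest signatures and compare `verify_aggregate` under the weights `[1, 1]` with the result under `random_weights(2)`: the unweighted sum accepts the colluded pair, the weighted one rejects it while still accepting the honest pair.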

6. Performance and Security Analysis

6.1. Security Analysis

(1) Traceability: in the proposed scheme, only the TA knows the real identity of a given vehicle. After submitting the pseudo identity , the TA can easily trace back to the vehicle's real identity according to the equation . Therefore, using the list, the TA can trace back to the vehicle and even revoke it.
(2) Message integrity and authentication: according to Definition 3, the ECDLP is hard, so no polynomial-time adversary can forge a valid message. Therefore, the verifier can check the validity and integrity of a message by verifying whether the equation holds. Hence, our proposed scheme for VANETs provides message authentication and integrity.
(3) Resistance to replay attacks: the proposed scheme resists replay attacks because the tuple includes the timestamp . RSUs and other vehicles check the validity of the signature, so they are able to detect a replayed message. Hence, our proposed scheme for VANETs can resist replay attacks.
(4) Resistance to coalition attacks: our proposed scheme resists coalition attacks because we improve the signature generation process. Specifically, we choose a random list to change the ratio in the equation . Our scheme uses this method to resist coalition attacks.
(5) Resistance to stealing of the check table: in the proposed scheme, the TA, the KGC, vehicles, and RSUs do not require a check table. Therefore, an attacker cannot complete an attack by stealing any check table. Hence, the proposed scheme resists this attack.

6.2. Performance Analysis

In this section, we discuss the performance of the proposed scheme and related schemes and make a detailed comparison. We adopt the method of computation evaluation in which the bilinear pairing at the 80-bit security level is constructed as follows: , where is an additive group generated by a point of order on a supersingular elliptic curve mod with embedding degree 2, is a 512-bit prime, and is a 160-bit prime [25]. The ECC at the 80-bit security level is constructed as follows: is an additive group of order generated on a nonsingular elliptic curve mod , where are 160-bit primes and , . The experiment is conducted with the well-known Python cryptographic library PyCryptodome on a desktop with an Intel i5-9400 processor at 2.90 GHz and 16 GB of memory, running the Windows 10 operating system. The notations of the cryptographic operations used in this paper and their running times are given in Table 2. Table 3 summarizes the computation costs of signing a message, verifying a single message, and verifying messages.

The schemes in [13, 24] use bilinear pairing, which significantly increases their operation time. By contrast, the other four schemes [6, 12, 17, 23] do not use bilinear pairing, which substantially reduces computation time.

In our scheme, uses one scalar multiplication in ECC and the calculation of uses one one-way hash function during the individual signing process. In individual verification, we use three scalar multiplication operations for , , and , three addition operations, and two one-way hash function operations for the calculations of and . In the aggregate verification process, we use scalar multiplication operations for , , and , two addition operations, and 2n one-way hash function operations for each and . By comparison, our scheme has low time complexity and high efficiency. In addition, our scheme can resist coalition attacks, a security feature that none of the other schemes has.

We use the data in Table 3 to generate three figures, which intuitively compare the related schemes with ours. From Figures 4(a) to 4(c), we conclude that our scheme has considerably lower delay in the signing and verification procedures, which shows its much higher efficiency.

7. Conclusion

Since real application scenarios of VANETs require high efficiency, an efficient certificateless-based anonymous authentication and aggregate signature scheme is proposed. The proposed CLS scheme and its improved CL-AS scheme are appropriate for VANETs according to our analysis and testing. Some work remains for the future, such as the loss of efficiency caused by an illegitimate signature in the aggregate verification process.

Data Availability

The proposed algorithm and its comparison rely on theoretical analysis. No additional test data sets are required in this paper.

Conflicts of Interest

The authors declare that they have no conflicts of interest.

Acknowledgments

This work is supported by the Key International Cooperation Projects of the National Natural Science Foundation of China (No. 61520106007).