Secure and Efficient Communication in VANETs Using Level-Based Access Control

Thorncharoensri, P.; Susilo, W.; Chow, Y.

doi:https://doi.org/10.1155/2022/8736531

Wireless Communications and Mobile Computing

On this page

Abstract Introduction Preliminaries Conclusion Data Availability Conflicts of Interest References Copyright Related Articles

Research Article | Open Access

Volume 2022 | Article ID 8736531 | https://doi.org/10.1155/2022/8736531

Secure and Efficient Communication in VANETs Using Level-Based Access Control

P. Thorncharoensri,¹W. Susilo,¹and Y. Chow¹

Academic Editor: Iftikhar Ahmad

Received02 Sept 2021

Revised06 Dec 2021

Accepted22 Dec 2021

Published29 Mar 2022

Abstract

In recent years, the development of vehicular ad-hoc networks (VANETs) has received much attention in intelligent transportation systems (ITS). Unlike traditional ad-hoc networks, VANETs are emerging with unique characteristics that share similar technology with autonomous vehicles (AVs) and automated driving systems (ASDs). Communication between vehicles and the surrounding infrastructure unit, such as a roadside unit (RSU), must be secured, concise, and authentic. Hence, an access control system for the ad-hoc environment is required. We introduced a level-based controlled signcryption (LBS) scheme, which can be easily constructed and implemented into an access control system for VANETs environment. Our encrypted message has a short and constant size, which is better when compared with other attribute-based signcryption or encryption. Confidentiality, privacy, and authenticity are also provided in our scheme to ensure secure and authentic communication. Therefore, our scheme has addressed communication cost, scalability, security, and privacy issues in VANETs. This primitive can be applied to simplify attribute-based access control, as the only attribute required is an integer representing the security level. Our objective is to improve the quality and security of VANET communication. Moreover, an optional privacy mechanism in our scheme provides flexibility in controlling node privacy in VANETs.

1. Introduction

Vehicular ad-hoc networks (VANETs) are a key enabling technology in the development of autonomous vehicle technology and intelligent transportation systems (ITS). A VANET is a form of communication network that connects vehicles-to-vehicles and vehicles to roadside infrastructure. For example, Figure 1 shows communication between roadside units (RSUs) and vehicles. It also shows that vehicles can access information at the edge of an ITS server or the Internet. VANETs together with ITS and the Internet deliver a wide range of services, such as route guidance, traffic conditions (e.g., average vehicle density and speed), safety alerts, proximity advertisements, location-based positioning information, and entertainment. In general, vehicles in VANETs need to connect wirelessly to ITS applications and the Internet via RSUs. Vehicles exchange information with edge ITS servers to access a variety of local environmental data. For example, a subject’s location positioning data are obtained through real-time point cloud data from LiDAR devices and cameras. This crucial information is particularly important for vehicles to be aware of any hidden out-of-sight vehicles/subjects that cannot be observed by the vehicle itself [1].

This is the fundamental information distribution system for autonomous vehicles (AVs). Despite the fact that VANETs and AV networks share similarities in communication and security issues, research in both areas have typically been conducted separately [2]. Secure broadcast communication plays a significant role in both systems. Whether using purely cellular, purely ad-hoc, or a hybrid architecture [3], VANETs need a confidential, efficient, concise, and precise communication protocol and access control.

To date, many security mechanisms have been proposed for VANETs. Insight on security issues related to VANETs can be found in surveys conducted by Malhi et al. [4] and Engoulou et al. [5]. The security challenges described in Malhi et al. [4] are the dependence on infrastructure, RSU range of communication, high mobility, difficulty in trust management, huge amount of data, scalability, and high cost. Our work aims to provide an efficient primitive for access control and secure communication, which will solve many of the security challenges related to the communication aspect of VANETs. For example, an efficient primitive should be able to work efficiently in architectures for high mobility, and it should provide a high degree of scalability for secure network access and have low communication overhead to reduce the amount of data in the network. An attribute-based access control where an integer representing the security level is the only attribute in the system will help simplify the hierarchical structure of a VANET. We call this level-based access control. The purpose of clustering protocols in VANETs aims to improve the performance of target tracking, traffic estimation, misbehaviour detection, privacy preservation, and certificate revocation, which makes significant contribution toward the dependence on infrastructure issue [6]. By providing an optional privacy mechanism in our primitive, it is easy to construct secure revocable local cluster communication.

Other than secure, fast, and efficient communication in VANETs, authentication, integrity, confidentiality, access control, and privacy are security requirements that are important in VANETs. Nevertheless, security requirements are application dependent. For example, message broadcasts from an RSU and message broadcasts from/to neighbouring vehicles may need to use two different primitives to satisfy VANET security requirements. To emphasise the importance of broadcast communication in VANETs, a survey on the quality-of-service (QoS) in relation to broadcast protocols is summarised [7]. It is an unavoidable fact that broadcast protocols play a significant role in VANETs for delivering emergency messages for the safety of vehicles or for reducing ad-hoc communication overhead. Due to the nature of VANETs that comprise of transient nodes and often unexpected changes in network topology, level-based access control can significantly improve broadcast performance.

Let us illustrate this based on the following example. The Bell–LaPadula model can be used for simple but efficient access control in sharing resources and communication in a VANET (or ad-hoc network) environment. However, based on the aforementioned reason, we argue that multilevel security can help to make communication in VANETs simple but secure. For example, let us consider a VANET with a number of security levels, such as top-security level, high-security level, operator security level, and general user level. An ambulance, which is a node in the VANET, wants a roadside unit to arrange the best route to a hospital. The roadside unit, which has the operator security level, only needs to know that the ambulance is a high-security level node in order for it to help manage the route and traffic. Assuming that all vehicles on the road are autonomous vehicles, the roadside unit may request that other vehicles make way for the ambulance due to its high-security level.

1.1. Related Work

There are three areas of work that closely relate to our work. These are reviewed in this section.

First, there is attribute-based and policy-based cryptography. Sahai and Waters were the first to propose attribute-based encryption in [8]. However, the implementation is not flexible and is only limited to particular systems. Later, Goyal et al. formalised and demonstrated a more general key-policy design for attribute-based encryption in [9]. An attribute-based encryption (ABE) scheme is a cryptographic primitive that only allows users who satisfy the fine-grained access structure to decrypt the ciphertext. A ciphertext is generated by encrypting a message along with a public string . By using a decryption key associated with a Boolean predicate function , the ciphertext can be decrypted only when is true. Their ABE scheme can be classified as a key-policy attribute-based encryption (KP-ABE). Basic KP-ABE uses threshold gates to express the access policy.

In later work on ABE schemes, logic gates (AND/OR) and threshold gates were used to construct the policy in ABE. A ciphertext-policy attribute-based encryption (CP-ABE) scheme was first proposed by Bethencourt et al. [10]. This primitive allows the policy to be constructed with a combination of numerical comparison and logic gates. Attribute-based access control benefited from this primitive in practice. Hence, their work is used for comparison with our work in a later section. Following their work, much research on CP-ABE has been published within the last decade. Recently, a CP-ABE scheme for a complex constructed attribute with multiauthorities was proposed by Rouselakis and Waters [11]. Their scheme supports any string for the attribute in the policy, and it can combine multiple trusted authorities in a single policy. This is an efficient and practical scheme that can cover a wide range of users, on the condition that the attributes and the policy must not be complicated. Hence, this work was also included for comparison with our scheme. Another CP-ABE scheme, which is constructed without a bilinear function, was proposed by Yao and others [12]. Their scheme achieves significantly fast computation, which is suitable in the Internet of thing (IoT) and wireless sensor network (WSN). Therefore, our work is also compared with this primitive in the comparison section of this study. Moreover, Xue et al. proposed a comparable attribute-based encryption scheme (CABE) in [13]. The CABE scheme provides a new way for attribute comparison which is an inspiration for our work. It allows the system to test whether an attribute is equal to, more than, or less than the given policy.

Similar to attribute-based cryptography, Bagga and Molva [14] introduced the notion of policy-based cryptography (policy-based encryption and policy-based signature schemes). The policy in CP-ABE proposed by Bethencourt et al. [10] is conceptually similar to policy-based encryption. However, the access structure and complexity of the policy are more comprehensive, which can easily be used in an access control system. Due to the nature of applications in our work, we only applied the concept of a policy tree implementing integer comparison. With only an integer attribute in the policy (no AND/OR logic gates), our scheme achieves a constant size ciphertext.

Bellare and Fuchsbauer later formally defined the security definition of policy-based signatures [15]. Like the attribute-based signature, a signer in the policy-based signature can sign on a message only if he/she meets the policy’s requirement (or attributes). From a signer’s point of view, both attribute-based and policy-based signatures ensure message integrity and authenticity properties. The authenticity and integrity of the message can be validated by only a verifier. Nevertheless, the signature cannot be generated or forged by other beside the signer who met the policy requirements. A variant policy-controlled signature scheme was proposed in [16], where authenticity was done in a reversed manner and limited to only the attribute-credential holder (verifier). In contrast to attribute-based and policy-based signatures, policy-controlled signatures guarantee that only verifiers, who hold credentials that satisfy the policy or attributes, can verify the authenticity and integrity of the message and the nonreputability of the signer.

Closely related work on an attribute-based signature (ABS) scheme was presented in 2008 by Maji et al. [17]. They also proposed an ABS scheme in the standard model in [18]. In this primitive, a signer reveals nothing about their identity in the signing process. It shows only their specific attributes. Many variant ABS schemes were put forward based on Maji et al.’s works. These are presented in [19–26]. Shahandashti and Safavi-Naini [19] and Li et al. [27] independently published their work on the same topic of ABS with threshold predicate. Escala and others [22] also presented an ABS scheme with threshold predicate. Their scheme was equipped with a revocation method. They also formalised the adaptive unforgeability property for their ABS scheme. Additionally, a constant size ABS with threshold predicate was proposed by Herranz et al. [21]. Later, an ABS scheme with arbitrary circuits, which is supposed to be more efficient than the ABS schemes proposed by Maji et al. [18, 25], was presented by Sakai et al. [26]. This is true only when we increase the gate numbers. Their construction is based on the combination of a witness indistinguishable, an extractable noninteractive proof system and an existentially unforgeable signature scheme.

As mentioned above, many ABE and ABS schemes were proposed in the last decade. It seems that a simple solution for the aforementioned problems can easily be achieved by applying attribute-based or policy-based cryptography to encrypt a message and its signature. Only qualified users, who hold the proper credentials, can recover the message from an encrypted message. However, this is not entirely true since authentication of the signature can be transferred to a third party. Since the products after the decryption process are the signature and the message, they can be verified by any party. From the aforementioned scenario, signcryption’s ability to authenticate and decrypt should be limited to verifiers who hold credentials that satisfy the security level.

The second related topics is the hierarchical identity-based signature and encryption scheme (HIBS and HIBE). HIBE is a concept that combines an identity-based encryption (IBE) scheme and a hierarchical system. In the hierarchical system, a user’s identity at the security level is able to generate a secret key for the identity of its descendants. It also can decrypt a ciphertext meant for its descendants but not for other identities. Hence, it can provide a similar solution to the aforementioned problems about multilevel security. Our work has a slightly similar aspect; however, it differs in key generation and distribution. For example, every level in our scheme only has a single branch, but it can generate multiple private keys for the branch. Following the introduction of HIBE, there has been much subsequent work in this area [28, 29]. As a natural conversion from the HIBE scheme, the hierarchical identity-based signature (HIBS) scheme also inherits its properties. The ancestor’s identity can generate a secret key for the identity of its descendants, and it can generate the signature of behalf of its descendants as well. However, it cannot generate a signature on a message on behalf of other identities.

Boneh et al. was the first to propose a HIBE scheme with a constant size ciphertext in [30]. Our work on a constant size ciphertext was inspired by their work. Zhang et al. [28] proposed a compact size HIBE with a constant size private key. Their scheme’s distinct feature is having a constant size for both private key and ciphertext. Our scheme achieves this feature as well. A review of existing HIBS schemes can be found in [29]. Chen et al. provided a performance comparison between four HIBS schemes. Our work uses a similar approach for comparison with various schemes. In general, the benefit of using HIBE and HIBS in the network system that applied the identity-based public key system is to mitigate the bottleneck in the communication. Moreover, it is also to limit the key escrow. Nevertheless, similar to ABS schemes, HIBS only provides authenticity and message integrity for a signer, but not nonrepudiation and authorisation for a verifier.

The final related area of work is signcryption and attribute-based signcryption. Zheng was the first to proposed the signcryption scheme in [31]. This primitive provides both authenticity and secrecy. The first attribute-based signcryption (ABSC) scheme with threshold predicate was presented by Gagné et al. [32]. The primitive is a solution to the problems mentioned earlier, but is much less efficient when compared to our scheme in term of communication overhead and computation. Following the above work, several researchers proposed some works [33–35] to improve ABSC schemes in terms of applications and concrete construction in the standard model, efficient constructions, and formal security models, respectively. Pandit et al. [33] provided an ABSC scheme in a standard model. Their scheme proved to be secure in the IND-CCA in the adaptive-predicate model. The ABSC-based linear codes secret sharing scheme was introduced by Song et al. in [34]. The access control system based on ABSC scheme was proposed by Zheng et al. in [35]. They showed that the key agreement scheme, an important tool for the access control system, can be constructed efficiently with ABSC. Rao [36] proposed an attribute-based online/offline signcryption scheme, which reduced the computation signing time when needed. A certificateless threshold signcryption scheme proposed by Yu et al. in [37] allows t-out-of-n senders to work together to generate the signcryption for applications such as petition, voting. Wang et al. [38] proposed an efficient signcryption with a designated equality test. It allows a trusted third party to check the validity of ciphertext with a given message. Later on, Le et al. put forward a signcryption scheme in the standard model in [39], which adopted the concept of the designated equality test by Wang et al. in [38]. Nevertheless, in Wang et al.’s scheme [38], a signature on a message can easily be extracted from a signcrypted ciphertext. Hence, a signcrypted ciphertext can be linked to the sender identity. Recently, Yu et al. [40] introduced a lightweight hybrid ABSC scheme for IoT systems. Their schemes allow a low-power and low-computation device to pass the heavy computation in the signing and encrypting process to the edge node before returning the partial output. However, its communication cost (ciphertext size) is linear to the attributes; hence, it is only suitable for a simple access control system for the IoT system. The features comparison between signcryption, HIBE, ABE, ABSC, and our LBS schemes are given in Table 1.

Finally, the access control schemes for ad-hoc networks or the Internet of Things are reviewed. There are many access control systems that have been proposed recently [41–44]. Vijayakumar et al. [41] proposed an access control scheme that can be secure against attacks such as message reply attack, Sybil attack, masquerading attack, integrity attacks, and collusion attacks. Wazid et al. [42] proposed an access control scheme that is secured in the fog computing environment. Recently, Xia et al. [43] introduced an efficient authentication and key agreement scheme for a secure and anonymous access control system. It allows users to identify themselves without revealing their identity. This anonymous property is intriguing the optional anonymity in our scheme. Our scheme is designed to easily apply with the access control system, which allows users to securely and privately transmit their broadcast messages or private data to other users. It also reduces the process of encryption and signing in the existing access control schemes mentioned above. To further the benefits from privacy-preserving in our scheme, we believe that our scheme can integrate with AI-enabled blockchain-based access control proposed by Bera [44]. Hence, the anonymity in intrusion detection systems that detect and mitigate malicious attacks for the Internet of Everything (IOE) environment can be constructed. Moreover, our scheme can be designed for the access control system in an ad-hoc environment, such as VANETs, since a node can prove itself to another node that it holds a valid credential. Moreover, the proof cannot be replicated and transferred to other parties. Hence, it provides another privacy protection layer on top of it.

1.2. Our Contributions

To tackle the secrecy and privacy issue in communication over VANETs or AV networks, we propose a level-based controlled signcryption (LBS) scheme for level-based access control systems. This primitive provides access control with a hierarchical structure or a simple multilevel access control. Level-based access control can be viewed as a simplified version of attribute-based access control where the only attribute is an integer representing the security level. Our aim is to flexibly and efficiently allow nodes to communicate with other nodes securely and privately. Hence, we provide an optional privacy mechanism in the signcrypting (sign with encrypt) and unsigncrypting (verify with decrypt) processes. The security of this primitive is also formalised in this study. The notion of LBS schemes allows receivers, who hold a credential of a certain security level specified by the sender, to verify the authenticity of the ciphertext and to decrypt it. Moreover, with optional privacy, higher levels of confidentiality can be provided in the LBS scheme. LBS with optional privacy provides privacy between two or more parties when required. Nodes in VANETs can securely, confidentially, and flexibly send messages to an individual node, a group of node, or all nodes (message broadcasts are often use in VANETs to get the current routing in the network). Hence, the LBS scheme is suitable for mass encryption with authenticity and privacy.

We organized our study as follows. Some preliminaries and definitions are defined in the next section. In Section 3, the formal definition of level-based controlled signcryption is presented. The security model is described as well in the same section. The construction detail of LBS scheme is described with its security proofs in Section 4. Finally, a comparison of our concrete scheme with ABS schemes and the conclusion of this study are presented in the last two sections.

2. Preliminaries

2.1. Notation

The rest of this study will use the following notations. We said that a function is negligible, if , and for all sufficiently large , . is a deterministic polynomial function. Let represent a series of numbers (or indexes), e g., if is integer, then . Let be a polynomial function. The security parameter is denoted by , and the polynomial time is denoted by . We say that if .

A process that randomly selects the element from a set is denoted by . Let be a collision-resistant hash function that maps a string to . Let be a collision-resistant hash function that maps a string to .

2.2. Bilinear Pairing

Let us define , , and cyclic multiplicative groups. The generators of and groups are and , respectively. is defined as a prime number and the order of all generators. is denoted as an efficient algorithm that maps . We call this function a bilinear mapping function.

The bilinear mapping function has the following properties:(1)Bilinearity: (2)Nondegeneracy: : (3)Computability:

is defined as an existing function mapping to in a one-time unit. It is also true in another way around.

2.3. Complexity Assumptions

Definition 1 (Computational Diffie–Hellman (CDH) problem). With a triple as input and as output, we said that an algorithm with an advantage probability breaks the CDH problem ifNote that the probability is taken over the random bits used by and the arbitrarily selected random integers .

Assumption 1. Computational Diffie–Hellman assumption.
The -CDH assumption is intact if the probabilistic polynomial time-bound (PPT) algorithm with time complexity and a probability advantage of at least breaking the CDH problem does not exist.

Definition 2 (Decisional bilinear Diffie–Hellman (DBDH) problem). With a random quadruple and a random integer as input, determine if or not. An algorithm solves the DBDH problem in within , if runs in time , andNote that the above probability is taken over the random bits used by , random integers , a random group .

Assumption 2. Decisional bilinear Diffie–Hellman assumption.
The -DBDH assumption in holds only if no PPT algorithm solving the DBDH problem does not exist.

3. Level-Based Signcryption Schemes with Optional Privacy (LBS)

There are three main players in the level-based signcryption (LBS) scheme. A sender generates a ciphertext that can only be verified and decrypted by a receiver who holds a credential that satisfies the level-based security policy. This scenario can be used to ensure communication among authorised users. It can be used for message broadcasts in VANETs. It can also be used in secure group chats. However, if a sender wants to limit verification of the ciphertext to a particular receiver, the sender needs to place a personal receiver’s public key in the signcryption. We called this “optional privacy.” The “optional privacy” scenario is useful for sending private messages between the sender and the receiver. This solution can also be applied to a group of receivers where they share a group secret key, which is not affected by a member’s secret key. The last player is a trusted authority . In this level-based security system, a credential is generated by , where it associated the credential with the given security level.

Notations on security level and level-based policy are defined as follows: is a security level that specified in the level-based security policy. is defined as a level-based security policy that contains a security level as a security clearance of a verifier. Let us consider the following example. means is the minimum security level, and the policy is set such that is the minimum level that can decrypt the ciphertext. Note that other types of index or symbol, such as A, B, C, and D, also can be used to indicate the security level in . We assume that the security levels are in ascending order, which means that the higher the number, the higher the security clearance.

An LBS scheme is a sextuple (, , , , , ).

System parameter generation : with a security parameter as input, , a probabilistic function, generates the system parameter as follows:

key generator : With as input, , a probabilistic function, generates the private key and the public parameter of a trusted authority as follows:

Signer key generator : with and as input, , a probabilistic function, generates the private key and the public parameter of a signer as follows:

Verifier credential generator : with , , and an assertion indicating the security level of a verifier as input, , a probabilistic function, generates a verifier’s credential as follows:

Signcryption : with , , , , a message , and a level-based security policy as input, , a probabilistic function, generates a sender’s ciphertext , that is,

Unsigncryption : with , , , , , and as input, , a deterministic function, returns with the decisional output , that is,

Signcryption with optional privacy : with , , , , , a message , and a level-based security policy as input, , a probabilistic function, generates a sender’s ciphertext as follows:

Unsigncryption with optional privacy : with , , , , , , and as input, , a deterministic function, determines the validity of the input and returns the decisional output , that is,

3.1. Unforgeability

The unforgeability property in LBS provides an assurance that an attacker allowed to access the credential queries that cannot generate a valid level-based signcryption , which seems to be signed by the sender on a new message . The attacker is allowed to access the signing oracle and the verifying oracle . The and is also known to the attacker; however, a signer’s secret key is restricted. Even the attacker can arbitrarily select a message , the entire credentials, and a level-based security level policy as input, a valid signcryption on a new message cannot be generated. We called this a security against existential unforgeability under the adaptive chosen message and credentials exposure attack .

Let us define some notations before given a formal definition. Let be the adaptively chosen message and credentials exposure adversary. We assume that is an adversary who attacks the unforgeability of the LBS scheme. is defined as a simulator who run the attack simulation with . Note that is defined as the credentials of the entire security level, for example, if the system has 15 security levels, then . The and oracles that describe the ability of adversaries to break the unforgeability of an LBS scheme are illustrated as follows. : at most times, when a query for a signcryption on its choice of message and a signer corresponding to is issued, runs the algorithm to generate a signcryption on a message corresponding to , , and . Finally, responses to the query with . : at most times, when a query for credential corresponding to the arbitrarily chosen security level is issued, responses with the corresponding credentials .

	Input: A security parameter
	Output: The success of the attack.
(1)
(2)
(3)
(4)	Phase I: learning
(5)
(6)	Phase II: challenging
(7)
(8)	If has never been executed; then
(9)	return 1
(10)	else
(11)	return 0
(12)	end

The formalisation of unforgeability is now defined in the following statements. For a level-based signcryption, an adversary is associated with the experiment given in Algorithm 1. has two functions, namely, stage and stage. Using an adaptive strategy, , in the stage, arbitrarily chooses a message and makes queries to the signing oracle and the credential oracle . The query processes are allowed repeatedly according to ’s strategies. At the end of this stage, outputs a message and a level-based security policy along with some state information to be used in the state. In the second stage, takes as input and outputs a valid level-based signcryption . wins the above experiment if(1) results a forged signcryption on a new message corresponding to and (2)(3) never makes a request for a level-based signcryption with to the oracle

denotes the probability that successfully passes the winning condition in the above simulation.

Definition 3. Under a chosen message and credentials exposure attack model, an LBS scheme is -secure existential unforgeability, if the PPT adversary success in the attack the nonnegligible (within ) probabilitydoes not exist. Let runs at most times and makes at most signing queries and credential queries.

3.2. Indistinguishability

The indistinguishable property is modelled on the indistinguishability of ciphertext in the selective-credential exposed model. The attack models can be divided into two different models, which are the chosen plaintext attack and the (active) chosen ciphertext attack. The first attack model aims to prevent a group of corrupted credential holders (malicious receivers) from verifying and decrypting a level-based ciphertext on a message with a level-based security policy , where these malicious receivers do not have enough credentials to satisfy the security level indicated in . In the second attack model, an attacker has the added power to query for verification of any signature because excepted for the challenge signature, he/she does not have credentials that satisfy the level-based security policy to verify it by himself/herself.

Before describing the formal definition of these models, some definitions are first defined. is defined as the adaptive chosen plaintext (or ciphertext) and chosen level-based security policy distinguisher.

3.2.1. Chosen Plaintext Attack (IND-CPA)

The signcryption oracle , credential generator oracle , and verification oracle are used to describe the abilities of breaking the chosen plaintext attack in the selective-credential exposed model . The and oracles are described as follows: : at most times, when a query for the credential corresponding to the arbitrarily chosen security level is issued, responses with the corresponding credentials .(i): at most times, can arbitrarily choose a message and make a query for a ciphertext . responses with the result of the algorithm generating a ciphertext corresponding to a message , , , and .

	Input: A security parameter and a random bit
	Output: The success of the attack.
(1)	Setup parameters:
(2)
(3)
(4)
(5)	Phase I: learning

(6)	Prechallenge:
If , then

(7)	else,

end
(8)	Phase II: challenging

If and have never been executed, then
(9)	If
, then return 1
else return 0
else
return
end

Formalisation of indistinguishability under the adaptive chosen plaintext attack model of an LBS scheme is described as follows. The experiment that is associated with an adversary of a level-based signcryption scheme is illustrated in Algorithm 2. has two functions that are stage and stage. Using an adaptive strategy, in the stage, arbitrarily chooses a message and makes queries to the signing oracle and the credential oracle . The query processes are allowed repeatedly according to ’s strategies. outputs two messages , a level-based security policy and some state information used in the state at the end of the stage. Based on a previously set bit , the experiment runs with a message as an input and outputs a valid level-based ciphertext . In the second stage (Phase 2), takes as input and outputs a guess bit (1 or 0). Note that still can make queries to the oracle before outputting a guess, and if the following conditions are not satisfied, the experiment will be aborted.(1) never issues a query for a level-based ciphertext with and as input to the oracle(2)With a restriction that , can only make a request for credentials with a security level to the oracle

Let be the success probability of breaking the indistinguishability under the adaptive chosen plaintext attack in the selective-credential exposed model of an LBS scheme.

Definition 4. An LBS scheme is -secure indistinguishability under a chosen plaintext attack in the selective-credential exposed model if the PPT distinguisher success in the attack with a nonnegligible (within ) probabilitydoes not exist. Note that runs at most times and makes at most signcryption queries and credential queries.

3.2.2. Chosen Ciphertext Attack (IND-CCA)

Before formalising this attack, we first give some definitions and outline the oracles. Let be indistinguishability under a chosen plaintext attack in the selective-credential exposed model. The signing oracle , credential generator oracle , and unsigncryption oracle are used to describe the abilities of breaking of an LBS scheme. The and oracles have been depicted in Section 3.2.1. The oracle, however, is described as follows.

: with a ciphertext and a level-based security policy as input, can request up to queries for the decryption and verification of a ciphertext . returns a decisional result that is either regrading the authenticity of ciphertext or a message .

	Input: a security parameter and a random bit
	Output: the success of the attack.
	Setup parameters: the setup process is same with Algorithm 2.
	Phase I: learning

	Prechallenge: the prechallenge process is same with Algorithm 2.
(1)	Phase II: challenging
	if
	and
	and
	have never been executed, then
	If , then return 1
	else return 0
	else
	return
	end

Formalisation of indistinguishability under the adaptive chosen ciphertext attack model of an LBS scheme is described as follows. The experiment in Algorithm 3 depicts an adversary of a level-based signcryption scheme. There are two functions that are a stage and a stage, which can execute. In the first stage, , with some elastic and pliable strategies, chooses a message and issues a request to the credential queries , the signing queries , and the unsigncryption queries . The query processes are allowed repeatedly according to ’s strategies. outputs two messages , a level-based security policy , and some state information used in the state at the end of the stage. The experiment runs with a message as an input and outputs a valid level-based ciphertext . In the stage (Phase 2), takes as input and outputs a guess bit (1 or 0). Note that can still make queries to and oracles before outputting a guess. However, if the following conditions are not satisfied, the experiment will be aborted.(1) never issues a query for a level-based ciphertext with and or as input to the oracle(2) never issues a query with as input to the oracle(3)With a restriction that , can only make a request for credentials with a security level to the oracle

Let be the success probability of breaking indistinguishability under the adaptive chosen ciphertext attack in the selective-credential exposed model of an LBS scheme.

Definition 5. An LBS scheme is -secure indistinguishability of ciphertext under a chosen ciphertext attack in the selective-credential exposed model if a distinguisher success in the attack with a nonnegligible (within ) probabilitydoes not exist. Note that runs at most times and makes at most signcryption queries, credential queries, and unsigncryption queries.

4. The Level-Based Signcryption (LBS) Scheme

In this section, we present our concrete construction of the LBS scheme. The scheme is described as follows. : with as the input, randomly selects a prime . select three groups , , and of the prime order . constructs a bilinear mapping function that maps and to . The above mapping function is defined as . Choose a random generator , . Construct a hash function , such that . Finally, the system parameter is composed of . is returned as a response of the queries. : the total security level is denoted by . Given as input, computes a private key and a public key randomly for each security level as follows: choose random integers . Let denote a public key. Then, returns , as the trusted authority’s private key and as the trusted authority’s public key. Note that , , and are the symbols that represent the set of vectors , , and , respectively. : on input of a system parameter and a public key of the trusted authority, randomly generates a private key and a public key as follows: first, choose a random integer . Let . Let be the signer’s private key and be the signer’s public key. At the end, outputs . : denotes a list that contains the generated credentials. A security level of a verifier, for example, ‘D″ or “5” is denoted by . Given , , , and , randomly generates a credential with the following processes. arbitrary chooses . Then, generates a credential at a security level of by computed . stores in and returns as a credential of to the verifier.

: given , , , , and a message , an encryptor computes a ciphertext as follows:

The level-based ciphertext is . publishes .

: a receiver possesses a credential , where . Given , , , , decrypt as follows:(1)Compute(2)Check whether or not the following equation holds.(3)If the equation in (1) holds, then decrypt the ciphertext as follows.

: in optional privacy, the security policy needs to be set to the lowest level to cover all possible users, since the ciphertext is intended for a single receiver or a group with a shared secret key. Given , , , , , , , and a message , an encryptor who possesses a credential for a security level assertion , where , computes a ciphertext as follows:

The level-based ciphertext is . publishes .

: a receiver who possesses a credential for a security level assertion , where . Given , , , , decrypts as follows:(1)Compute(2)Check whether or not the following equation holds.(3)If the equation in (1) holds, then decrypt the ciphertext as follows.

Note that , , , , , and are precomputed and can be reused in the signcryption or signcryption process of other signcryption. Hence, only one pairing computation is needed in the unsigncryption algorithm. The optional privacy process has similar computation costs, where the computation of the bilinear paring component in , and can be precomputed once and saved or reused later.

4.1. Completeness

The signcryption and unsigncryption algorithms can be verified its completeness with the following equations.

4.2. Unforgeability

Theorem 1. Under the adaptive chosen message and credential exposure attack model, the level-based signcryption scheme is existentially unforgeable if and only if the CDH assumption is intact under the random oracle model.

Proof. We start with the assumption that a forger algorithm that can win the existential unforgeability model described in Section 3.1 exists. Using this , we can construct an adversary algorithm to break the CDH problem.
We now begin with the construction of oracles. First, on input , , and as an instance of the CDH problem, runs , sets , and obtains . then runs to obtain ’s public-private keys and sets as the signer’s public key . The following algorithms are the construction of queries that are later used in the simulation.
oracle: given a string as input, if it is a request for a hash value of , checks whether or not is in the queried list. If it exists in the list, then return the corresponding value; otherwise, randomly chooses and then returns . Note that keeps in the list, and this list can only be accessed by .
queries: given as input, executes for the credential , where . outputs .
queries: given and a message as input, generated a level-based signcryption with the following equations.Note that has access to the list via . uses this advantage to update to the list in . then responds with .
Optional privacy: let as the receiver’s public key . generated a level-based signcryption with the following equations.Note that does not need to be computed. It only needs to be verified by the following equation when submits the query of the hash value for .If it matches with in the list of verifier public key and the list of queried ciphertext, it then returns the corresponding result. Otherwise, it returns the new .
We start the simulation by allowing to access the above queries. In fact, always issues a request of query to queries before outputting the forgery. Let us denote this potential forgery by . With any adaptive strategy, interacts with the simulator and eventually outputs a forgery.
successfully completes the challenge, if, with a message and as input, generates a valid signcryption . Note that this forgery should not be a result of queries.
The success probability of winning the simulation is denoted by . Let the base of the natural logarithm be denoted by . In the random oracle, the input of every query made for a signcryption is a result of a query to oracle. Hence, . Let solve the CHD problem using the forgery generated by . The forking technique in [45, 46] is applied in the following technique for the probability analysis.
First, a signcryption on message where is obtained in the first round.
Then, resets to the initial state and repeats the above simulation again. Note that in the second simulation, uses a different hash value .
Therefore, eventually should generate another signcryption on message where .
With these two signcryptions, computes is defined as the success probability that solves the CDH problem. We base this on the forking lemma theorem in [45, 46] and obtain the success probability that uses to solve the CDH problem as follows:Note that , since the simulation behaves naturally, and it does not need to abort the experiment in any event. is omitted since it is negligible. To summarise the probability, wins the above game and outputs a signcryption on a message with a probability less than . Therefore, the results of the above probability analysis lead us to conclude that the success of breaking the existential unforgeability of the LBS scheme is nonnegligible due to the probability of breaking the CDH problems that are nonnegligible in the random oracle model.

4.3. Indistinguishability

Theorem 2. Against the adaptive chosen ciphertext distinguisher in the selective-credential exposed attack model, the cyphertext of the level-based signcryption scheme is existentially indistinguishable if CDH and DBDH assumptions hold in the random oracle model.

Proof. Let us assume that an adversary exists. It runs the existentially indistinguishable game defined in Section 3.2. Then, it successfully outputs a correct guess. We will demonstrate that we can use an adversary to output a solution to the DBDH problem by using as a tool. Given , , , , and as an instance of the DBDH problem, runs and sets and obtains .
assigns and runs to obtain ’s public-private keys. also sets and runs to obtain the signer’s public key . Assume that there exists an algorithm managing the list of each query, and such algorithms will be omitted. builds the queries in the following functions.
oracle: given a string as input, checks whether or not is in the queried list for a hash value request of . If it exists in the list, then return the corresponding value; otherwise, randomly chooses and then returns . Note that keeps in the list and only can access the list.
queries: randomly chooses an integer . On input , if , then output . Otherwise, randomly chooses the integer , if has yet to be selected. is computed as follows: then returns .
queries: let be the list that stores generated signcryption. On input and a message , if , then output . Otherwise, generates a level-based signcryption ciphertext with the following algorithms.Note that has an access to the list of via . uses this advantage to update to the list in . then responds with and keeps in .
Optional privacy: let be the receiver’s public key and be the sender’s public key . generates a level-based signcryption with the following algorithms.Note that does not need to be computed. It only needs to be verified by the following equation when submits the query of the hash value for .If it matches with in the list of verifier public key and the list of queried ciphertext, it then returns the corresponding result. Otherwise, it returns the new .
queries: on input , and , if , then responses with from the corresponding in the list. Otherwise, responses with “reject.” Note that this setting is based on the assumption that the unforgeability of LBS holds. Hence, all signcryption ciphertexts that are not generated by are all invalid signcryption ciphertexts. If the adversary aborts, due to an unnatural simulation, we can then use this adversary to run the unforgeability simulation to solve the CDH problem.
At the beginning of a game, is given access to the above oracles. Next, we run the simulation between and as modelled in Section 3.2:(1)Phase 1: with adaptive strategy makes queries to , , and oracles. The oracles responses are as we previously described.(2)Challenge: at the end of the first phase, decides to challenge and outputs , and . aborts the game if(1)On input , and , makes a query for a level-based signcryption ciphertext to queries(2) has a credential that is equal or higher than the security level assigned in the level-based security policy Otherwise, selects a random bit and computes a response as follows: Note that has access to the list . uses this advantage to update to the list in . then responds with to . Optional privacy: let be the receiver’s public key and be the sender’s public key . computes the challenge ciphertext as follows: Note that does not need to be computed or it can be obtained from the previous queries by computing . It only needs to be verified by the following equation when submits the query of the hash value for . If it matches with in the list of verifier public key and the list of queried ciphertext, it then returns the corresponding result. Otherwise, it returns the new .(3)Phase 2: in this phase, can go back to Phase 1 as many as it requires. However, will abort the game if(1)On input , and , issues a request for a level-based signcryption ciphertext to queries(2)On input and , issues a request for an unsigncryption query to (3) has a credential that is equal or higher than the security level assigned to the level-based security policy (4)Guessing: on the valid challenge , finally outputs a guess Let be an advantage probability that wins the challenge in the above simulation. A upper bound of queries in polynomial time that request a hash value to the oracle is denoted as . Note that and . Since only and access before it outputs a response, we can conclude that . Therefore, we can analyze the advantage that ’s guess is correct and wins the above game as follows:(i): during the request of queries to , did not abort. Let be the highest security level that issues to the oracle, rather than the number of queries that it makes to the oracle. Since can only make one query for the security level , can use this credential to verify and decrypt ciphertexts with the entire security level except for the security level . Note that is a random integer chosen at the beginning of the game and is the upper bound of the security level. The fact is that can make a request for credentials, up to the security level , to the oracle, and the value of is in range of . However, if , then will always terminate the experiment. Otherwise, , and will not terminate the experiment. To choose and randomly, the probability that chooses is and the probability that chooses is Therefore, the probability of this event is .(ii): after the request of queries to , did not abort. Let be the success probability of solving the CDH problem. Since the probability of breaking unforgeability is equal to , the probability of this event is more than .(iii): after Phase 1 and Phase 2, did not abort. Since we have assumed that follows the experiment and outputs a guess with a valid challenge , the probability of this event is 1.The advantage that successfully completes the challenge in the above simulation and generates a right educational guess is .
Let an advantage probability in solving the DBDH problem be denoted by . is using ’s guess to answer the DBDH problem. Due to the condition that can choose a challenge level-based security policy , cannot have the credential above the security level in the challenge level-based security policy . Hence, there is an event where ’s guess in the game is not the right guess for the DBDH problem, where . This event probability is . To conclude, the advantage probability of using to produce a correct solution for the DBDH problem is . Against the adaptive chosen message and selective-credential exposure attack model, the advantage probability of breaking the existential indistinguishability of the LBS scheme is . Note that . Therefore, the results of the above probability analysis lead us to conclude that the success of breaking the existential indistinguishability of the LBS scheme is nonnegligible due to the probability of breaking the CDH and DBDH problems is nonnegligible in the random oracle model.

5. Theoretical Analysis

We introduced the notion of a level-based signcryption (LBS) scheme to capture the need for confidential and authenticated messages sent to a specific group of verifiers that satisfy the required security level. The LBS scheme has a short ciphertext, a constant credential size, and an efficient signcrypting algorithm. The encryption security of our LBS scheme is CCA-secure and relies on the CDH and DBDH assumptions.

The communication and computation cost of our scheme and related schemes are compared, as given in Table 2. is denoted as a security level which is specified in the level-based security policy . The total security levels or the total number of attributes are denoted by , and let be the number of attribute specified in the policy.

The computation cost for the exponential in groups or is denoted by , while the computation cost of the multiplication in groups or is denoted by . The computation cost for the bilinear pairing function is denoted as . Computation for hash functions in is denoted as . A computation unit given in Table 2 is equivalent to the XOR operation’s computation. For lightweight cryptography, denotes a unit of time used for computing a symmetric encryption scheme such as AES.

We implemented our scheme based on the pairing-based cryptography (PBC) library. The comparison with the existing efficient schemes in PBC is shown in Figures 2 and 3. Noted that, the results of some scheme may not be accurate due the original code not provided in the PBC library, Hence, only selected efficient ABE schemes in Table 2 are implemented. Moreover, from Table 2, our scheme’s ciphertext size is constant compared to other schemes, which increase due to the attributes.

(a)

(b)

(c)

(d)

(a)

(b)

(c)

(d)

The code was written in Python using the charm-crypto framework developed by Akinyele and others [48] for rapid cryptography development. The first experiment was conducted on an Intel 10th Gen Core i5-10400 with 6 cores and 12 threads configuration with 32 gigabytes of DDR4 memory. The operating system used in the experiment was Ubuntu 18.04. The results of this experiment are presented on the left side of each figure.

The second experiment was conducted on a Raspberry Pi 4 Cortex-A72 (ARM v8) 64 bit SoC with a 1.5 GHz CPU clock speed, 4 cores, and 4 gigabytes of DDR4 memory. Raspbian was the operation system used in the second experiment. The results are presented on the right side of each figure.

The experiments were executed with two different types of curves, namely, type A and type A1. Type A curve is a curve that produces the fastest bilinear pairing computation, and it achieves security comparable to 1024 bits of discrete logarithm (DLog) security. On the other hand, type A1 provides higher security, which is 2048 bits of DLog security. Comparison results using the type A and A1 curves are shown in Figures 2 and 3. Meanwhile, our scheme’s performances for the rest of the results are quite good. Only the result where our scheme consumes more time than others is in the setup process. However, this is still acceptable for access control in VANETs.

The parameters of these two curves are given in Table 3. The experiment was conducted 500 times for each scheme to find the average time consumed in each computation process. The message used in the experiments was randomly generated in the domain. From the result in Figures 3 and 2, our scheme shows a significant boost in the encryption and verification in both curve types. Even when compared with a lightweight ABE scheme in [12], our scheme did not have much difference in the performance. Moreover, the size of our ciphertext is constant when the number of attributes increased. Meanwhile, the other schemes are linear to the number of attributes.

6. Conclusion

Privacy issues regarding information shared in organisations without an efficient and proper control mechanism have motivated us to provide a scheme to solve this. The notion of a level-based signcryption scheme provides simplicity, confidentiality, and privacy, enhancing secure communication in VANETs or any ad-hoc network that often needs to broadcast messages. With LBS, the communication among the VANET’s nodes, such as RSU nodes and vehicles, is now efficient, secure, and private. LBS ensure the confidentiality, authenticity, and data for RSU to securely broadcast message to nodes. On the other hand, the vehicle node can be confident that its message communicates with RSU that cannot be read by other nodes eventhough it sometimes needs to communicate with RSU via other nodes. Similar to WSN and IoT networks, LBS provides secure broadcast communication among IoT devices. The IoT node can choose to securely and privately communicate with its peer or have private communication with the primary access point units or any devices with a high-level policy setting such as the organisation’s server, workstation, or mobile.

Moreover, the proposed scheme is an ideal tool for enabling access control systems or secure shared document systems for a large organisation where a hierarchical structure is applied. A file can be shared or transmitted to the same peer or higher-level security users via a broadcast channel. LBS scheme enables the above scenario securely. Even the message revel to the public, it will not be able to link the signer. In the event of credential disputes or discloses to others, our scheme did not provide a credential revocation mechanism. To resolve this issue, the system should resolve it without reissuing a new credential to other users. Our scheme can use the group key as a key to revoke the credential without affecting honest users. Nevertheless, this is not an ideal solution to this issue. Hence, this will be addressed in our future work.

Data Availability

The source code and some data generated from the experiment are found in the GitHub link (https://github. com/yourchkung/LBSOP).

Conflicts of Interest

The authors declare that they have no conflicts of interest.

References

Y. Maalej, S. Sorour, A. Abdel-Rahim, and M. Guizani, “Vanets meet autonomous vehicles: multimodal surrounding recognition using manifold alignment,” IEEE Access, vol. 6, pp. 29026–29040, 2018.
View at: Publisher Site | Google Scholar
E. Yurtsever, J. Lambert, A. Carballo, and K. Takeda, “A survey of autonomous driving: common practices and emerging technologies,” IEEE Access, vol. 8, pp. 58443–58469, 2020.
View at: Publisher Site | Google Scholar
S. Kumar and A. K. Verma, “Position based routing protocols in VANET: a survey,” Wireless Personal Communications, vol. 83, no. 4, pp. 2747–2772, 2015.
View at: Publisher Site | Google Scholar
A. Kaur Malhi, S. Batra, and H. Singh Pannu, “Security of vehicular ad-hoc networks: a comprehensive survey,” Computers & Security, vol. 89, 2020.
View at: Publisher Site | Google Scholar
R. G. Engoulou, M. Bellaïche, S. Pierre, and A. Quintero, “VANET security surveys,” Computer and Communications, vol. 44, no. 1–13, 2014.
View at: Publisher Site | Google Scholar
A. Katiyar, D. Singh, and R. S. Yadav, “State-of-the-art approach to clustering protocols in VANET: a survey,” Wireless Networks, vol. 26, no. 7, pp. 5307–5336, 2020.
View at: Publisher Site | Google Scholar
A. Mchergui, T. Moulahi, B. Alaya, and S. Nasri, “A survey and comparative study of qos aware broadcasting techniques in VANET,” Telecommunication Systems, vol. 66, no. 2, pp. 253–281, 2017.
View at: Publisher Site | Google Scholar
S. Amit and B. Waters, “Fuzzy identity-based encryption,” in Proceedings of the Advances in Cryptology - EUROCRYPT 2005, 24th Annual International Conference on the Theory and Applications of Cryptographic Techniques, pp. 457–473, Springer, Aarhus, Denmark, May 2005.
View at: Google Scholar
V. Goyal, O. Pandey, S. Amit, and B. Waters, “Attribute-based encryption for fine-grained access control of encrypted data,” in Proceedings of the 13th ACM Conference on Computer and Communications Security, CCS 2006, pp. 89–98, ACM, Alexandria, VA, USA, October 30 - November 3 2006.
View at: Publisher Site | Google Scholar
J. Bethencourt, S. Amit, and B. Waters, “Ciphertext-policy attribute-based encryption,” in Proceedings of the 2007 IEEE Symposium on Security and Privacy (S&P 2007), 20-23 May 2007, pp. 321–334, IEEE Computer Society, Oakland, California, USA, May 2007.
View at: Publisher Site | Google Scholar
Y. Rouselakis and B. Waters, “Efficient statically-secure large-universe multi-authority attribute-based encryption,” in Rainer Böhme and Tatsuaki Okamoto, editors, Financial Cryptography and Data Security - 19th International Conference, FC 2015, pp. 315–332, Springer, San Juan, Puerto Rico, January 2015.
View at: Publisher Site | Google Scholar
X. Yao, Z. Chen, and Y. Tian, “A lightweight attribute-based encryption scheme for the internet of things,” Future Generation Computer Systems, vol. 49, pp. 104–112, 2015.
View at: Google Scholar
K. Xue, J. Hong, Y. Xue, D. S. L. Wei, N. Yu, and P. Hong, “Cabe: a new comparable attribute-based encryption construction with 0-encoding and 1-encoding,” IEEE Transactions on Computers, vol. 66, no. 9, pp. 1491–1503, 2017.
View at: Publisher Site | Google Scholar
W. Bagga and R. Molva, “Policy-based cryptography and applications,” Financial Cryptography and Data Security, Springer, pp. 72–87, 2005.
View at: Publisher Site | Google Scholar
M. Bellare and G. Fuchsbauer, “Policy-based signatures,” in Public-Key Cryptography - PKC 2014 - 17th International Conference on Practice and Theory in Public-Key Cryptography, pp. 520–537, Springer, Buenos Aires, Argentina, March 2014.
View at: Publisher Site | Google Scholar
P. Thorncharoensri, W. Susilo, and Y. Mu, “Policy-controlled signatures and their applications,” Computer Standards & Interfaces, vol. 50, pp. 26–41, 2017.
View at: Publisher Site | Google Scholar
H. K. Maji, M. Prabhakaran, and M. Rosulek, “Attribute-based signatures: achieving attribute-privacy and collusion-resistance,” IACR Cryptology ePrint Archive, vol. 328, p. 2008, 2008.
View at: Google Scholar
H. K. Maji, M. Prabhakaran, and M. Rosulek, “Attribute-based signatures,” in Topics in Cryptology - CT-RSA 2011 - the Cryptographers’ Track at the RSA Conference 2011, pp. 376–392, Springer, San Francisco, CA, USA, February 2011.
View at: Google Scholar
S. Shahandashti and R. Safavi-Naini, “Threshold attribute-based signatures and their application to anonymous credential systems,” in Progress in Cryptology - AFRICACRYPT 2009, Second International Conference on Cryptology, pp. 198–216, Springer, Africa, Gammarth, Tunisia, June 2009.
View at: Google Scholar
J. Herranz, “Attribute-based signatures from RSA,” Theoretical Computer Science, vol. 527, pp. 73–82, 2014.
View at: Publisher Site | Google Scholar
J. Herranz, F. Laguillaumie, B. Libert, and C. Ràfols, “Short attribute-based signatures for threshold predicates,” in Topics in Cryptology - CT-RSA 2012 - the Cryptographers’ Track at the RSA Conference 2012, pp. 51–67, Springer, San Francisco, CA, USA, February 27 - March 2, 2012.
View at: Google Scholar
A. Escala, J. Herranz, and P. Morillo, “Revocable attribute-based signatures with adaptive security in the standard model,” in Progress in Cryptology - AFRICACRYPT 2011 - 4th International Conference on Cryptology in Africa, pp. 224–241, Springer, Dakar, Senegal, July 2011.
View at: Publisher Site | Google Scholar
T. Okamoto and K. Takashima, “Decentralized attribute-based signatures,” in Public-Key Cryptography - PKC 2013 - 16th International Conference on Practice and Theory in Public-Key Cryptography, pp. 125–142, Springer, Nara, Japan, February 26 - March 1, 2013.
View at: Google Scholar
T. Okamoto and K. Takashima, “Efficient attribute-based signatures for non-monotone predicates in the standard model,” IEEE Transactions on Cloud Computing, vol. 2, no. 4, pp. 409–421, 2014.
View at: Publisher Site | Google Scholar
T. Okamoto and K. Takashima, “Efficient attribute-based signatures for non-monotone predicates in the standard model,” in Proceedings of the Public Key Cryptography - PKC 2011 - 14th International Conference on Practice and Theory in Public Key Cryptography, pp. 35–52, Springer, Taormina, Italy, March 6-9, 2011, Proceedings, volume 6571 of Lecture Notes in Computer Science.
View at: Publisher Site | Google Scholar
Y. Sakai, N. Attrapadung, and G. Hanaoka, “Attribute-based signatures for circuits from bilinear map,” in Proceedings of the Public-Key Cryptography - PKC 2016 - 19th IACR International Conference on Practice and Theory in Public-Key Cryptography, pp. 283–300, Springer, Taipei, Taiwan, March 6-9, 2016, Proceedings, Part I, volume 9614 of Lecture Notes in Computer Science.
View at: Google Scholar
Li Jin, M. Ho Au, W. Susilo, D. Xie, and K. Ren, “Attribute-based signature and its applications,” in Proceedings of the 5th ACM Symposium on Information, Computer and Communications Security, ASIACCS 2010, pp. 60–69, ACM, Beijing, China, April 13-16, 2010.
View at: Google Scholar
L. Zhang, Y. Mu, and Q. Wu, “Compact anonymous hierarchical identity-based encryption with constant size private keys: table 1,” The Computer Journal, vol. 59, no. 4, pp. 452–461, 2016.
View at: Publisher Site | Google Scholar
P. Chen, Y. Wu, J. Su, and X. Wang, “Comparing performance of hierarchical identity-based signature schemes,” IEICE - Transactions on Info and Systems, vol. E99.D, no. 12, pp. 3181–3184, 2016.
View at: Publisher Site | Google Scholar
D. Boneh, X. Boyen, and E.-J. Goh, “Hierarchical identity based encryption with constant size ciphertext,” EUROCRYPT, Volume 3494 of Lecture Notes in Computer Science, Springer, pp. 440–456, 2005, Lecture Notes in Computer Science.
View at: Publisher Site | Google Scholar
Y. Zheng, “Digital signcryption or how to achieve cost(signature & encryption) ≪ cost(signature) + cost(encryption),” Advances in Cryptology - CRYPTO '97, Springer Berlin Heidelberg, Berlin, Heidelberg, pp. 165–179, 1997.
View at: Publisher Site | Google Scholar
M. Gagné, S. Narayan, and R. Safavi-Naini, “Threshold attribute-based signcryption,” Security and Cryptography for Networks, 7th International Conference, SCN 2010, amalfi, Italy, september 13-15, 2010, Springer, pp. 154–171, 2010, Lecture Notes in Computer Science. Proceedings, Volume 6280 of Lecture Notes in Computer Science.
View at: Publisher Site | Google Scholar
T. Pandit, S. K. Pandey, and R. Barua, “Attribute-based signcryption: signer privacy, strong unforgeability and IND-CCA security in adaptive-predicates model (extended version),” J. Internet Serv. Inf. Secur., vol. 6, no. 3, pp. 61–113, 2016.
View at: Google Scholar
Y. Song, Z. Li, Y. Li, and J. Li, “Attribute-based signcryption scheme based on linear codes,” Information Sciences, vol. 417, pp. 301–309, 2017.
View at: Publisher Site | Google Scholar
H. Zheng, J. Qin, J. Hu, and Q. Wu, “Threshold attribute-based signcryption and its application to authenticated key agreement,” Security and Communication Networks, vol. 9, no. 18, pp. 4914–4923, 2016.
View at: Google Scholar
Y. S. Rao, “Attribute-based online/offline signcryption scheme,” International Journal of Communication Systems, vol. 30, no. 16, Article ID e3322, 2017.
View at: Publisher Site | Google Scholar
H. Yu and S. Wang, “Certificateless threshold signcryption scheme with secret sharing mechanism,” Knowledge-Based Systems, vol. 221, Article ID 106981, 2021.
View at: Google Scholar
Y. Wang, H. Pang, R. H. Deng, Y. Ding, Q. Wu, and B. Qin, “Securing messaging services through efficient signcryption with designated equality test,” Information Sciences, vol. 490, pp. 146–165, 2019.
View at: Publisher Site | Google Scholar
L. Huy Quoc, D. Dung Hoang, and R. Partha Sarathi, “Lattice-based signcryption with equality test in standard model,” Computer Standards and Interfaces, vol. 76, 103515 pages, 2021.
View at: Google Scholar
J. Yu, S. Liu, S. Wang, Y. Xiao, and B. Yan, “LH-ABSC: a lightweight hybrid attribute-based signcryption scheme for cloud-fog-assisted IoT,” IEEE Internet of Things Journal, vol. 7, no. 9, pp. 7949–7966, 2020.
View at: Publisher Site | Google Scholar
P. Vijayakumar, M. Azees, A. Kannan, and L. Jegatha Deborah, “Dual authentication and key management techniques for secure data transmission in vehicular ad hoc networks,” IEEE Transactions on Intelligent Transportation Systems, vol. 17, no. 4, pp. 1015–1028, 2016.
View at: Publisher Site | Google Scholar
M. Wazid and S. Mohammad, “Obaidat, ashok kumar das and pandi vijayakumar. “Sac-fiiot: secure access control scheme for fog-based industrial internet of things”,” in Proceedings of the IEEE Global Communications Conference, GLOBECOM 2020, Virtual Event, pp. 1–6, IEEE, Taiwan, December 7-11, 2020.
View at: Google Scholar
X. Xia, S. Ji, P. Vijayakumar, J. Shen, J. Joel, and P. C. Rodrigues, “An efficient anonymous authentication and key agreement scheme with privacy-preserving for smart cities,” International Journal of Distributed Sensor Networks, vol. 17, no. 6, Article ID 155014772110268, 2021.
View at: Publisher Site | Google Scholar
B. Bera, A. K. Das, M. S. Obaidat, P. Vijayakumar, K.-F. Hsiao, and Y. Park, “AI-enabled blockchain-based access control for malicious attacks detection and mitigation in IoE,” IEEE Consumer Electronics Magazine, vol. 10, no. 5, pp. 82–92, 2021.
View at: Publisher Site | Google Scholar
D. Pointcheval and J. Stern, “Security arguments for digital signatures and blind signatures,” Journal of Cryptology, vol. 13, no. 3, pp. 361–396, 2000.
View at: Publisher Site | Google Scholar
M. Bellare and G. Neven, “Multi-signatures in the plain public-key model and a general forking lemma,” in Proceedings of the 13th ACM Conference on Computer and Communications Security, CCS 2006, pp. 390–399, ACM, Alexandria, VA, USA, October 30 - November 3, 2006.
View at: Publisher Site | Google Scholar
PBC Library, http://crypto.stanford.edu/pbc.
A. Joseph, G Christina, and M Ian, ““Charm: a framework for rapidly prototyping cryptosystems”,” Journal of Cryptographic Engineering, vol. 3, no. 2, pp. 111–128, 2013.
View at: Google Scholar

Copyright

Copyright © 2022 P. Thorncharoensri et al. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

PDF Download Citation

Download other formats

Order printed copies

Views

323

Downloads

348

Citations