Abstract

Vehicular Ad hoc NETwork (VANET) is a multi-hop and high-speed mobile wireless communication network. In order to realize the security authentication of the information transmission between vehicle nodes in vehicular ad hoc networks, a certificateless aggregate signature scheme is designed. The proposed scheme uses certificateless cryptography, which eliminates the complex maintenance cost of certificate and solves the problem of key escrow. Communicating through pseudonyms and nodes around the roadside units generated, the conditional privacy protection is achieved for vehicle users. Then, the efficiency of the scheme is analyzed, and the relationship between the traffic density in VANETs environment and the time delay of message verification is simulated. The results show that the scheme satisfies the message authentication, anonymity, unforgeability and traceability, as well as the higher communication efficiency and the shorter delay of message verification, which is more suitable for dynamic vehicular ad hoc network environment.

Keywords: Vehicular ad hoc NETwork, aggregate signature, certificateless cryptosystem

1. Introduction

As the basis of future intelligent transportation, VANET provides a very important network environment for vehicle-to-vehicle communication, which can effectively solve the problems of road safety, traffic management and traffic congestion. It is a research direction that scientists are keen on at present. The on-board network is mainly composed of on-board units (OBU) installed on the vehicle and road-side units (RSU) deployed on the infrastructure around the road. Users communicate through vehicles-to-vehicle (V2V) and between vehicles and infrastructure (Vehicle-to-Infrastructure, V2I) to share information and access various services provided by nearby infrastructure [1]. The network model is shown in Figure 1 .

Figure 1. The network model of VANETs (Source [10]

Due to its own characteristics, such as resource limitation, high-speed movement of nodes, and communication delay should be short enough, the VANETs make their security issues very fragile, including eavesdropping, tampering, tracking user privacy, etc. [2]. If the messages in the vehicular network cannot be authenticated in a timely manner, the packet loss rate will increase, resulting in poor communication efficiency. Therefore, reducing the delay of message verification is a key requirement of the vehicle network for the efficiency of the authentication protocol. On the other hand, vehicle users are not willing to let their privacy and other sensitive information be illegally tracked and maliciously analyzed. When a traffic accident occurs or the owner commits a crime, the law enforcement authorities should be able to retrieve or track the owner’s information to reveal their identity, which is called conditional privacy protection [3].

Digital signatures can provide non-repudiation，authentication and integrity of messages. In the communication of the vehicle network with high traffic density, each RSU or traffic control center needs to verify a large amount of vehicle information, which will cause a large amount of calculation overhead. But in many cases, these calculations must be done in a resource-constrained environment with low bandwidth and low storage space. Aggregate signature is a hot spot that has been paid attention in recent years [4]. Using aggregation signature in VANET can greatly reduce the burden of RSU (Roadside unit). The signature based on the traditional PKI (Public Key Infrastructure) is based on the certificate system. CA (Certificate Authority) needs to bind the user and his public key, and the cost of managing and protecting certificates is very large, which is not suitable for the vehicle network. Identity-based aggregate signatures can avoid complicated certificate problems and can be applied to wireless networks and other fields [5-10]. But, that exits a key escrow problem in the identity-based aggregation signature scheme. The key generation center holds each user's private key, and there is a security problem of maliciously forging the signature. In recent years, some effective certificateless aggregation signature schemes have been proposed [11-20], which are provably secure in random predictions, but its high computational cost makes it unsuitable for dynamic wireless networks, such as VANETs. Horng et al. [3] proposed a privacy preserving aggregation signature model, which is based on certificateless cryptography. However, it has been proved that their scheme is not safe for malicious KGC. However, the authors themselves have always claimed that their scheme is provably secure and can resist adaptively choosing message attack. But, in fact, their scheme is insecure against a malicious-but-passive KGC under existing security model. In 2016, Nie et al. proposed a distributed certificateless aggregation signature scheme [4], but it has not been well applied in VANETs and cannot resist signature forgery attacks. The scheme in [9] does not use the hash function mapped to the point, and does not use the bilinear pair, but there is an inherent key escrow problem. Lai et al. [18] proposed group handover authentication, which better realized the overhead of instruction delivery and reduced the delay, but with the increase of vehicle density and mobile speed, the communication cost may also increase. Liu et al. And Zhang et al. For the first time, the secure communication in heterogeneous vehicle network is realized, however their schemes require OBUs (On Board Units) with high computation power [19,20]. In 2020，Ikram Ali's scheme can also effectively protect conditional privacy, However, as in [9], there is a key escrow problem. So far, the authentication scheme suitable for vehicular network has not been solved satisfactorily.

In this paper, an effective certificateless aggregation signature scheme suitable for vehicle network is proposed. In our scheme, the vehicle generates a pseudonym through RSU and communicates with surrounding nodes through the pseudonym. When necessary, law enforcement authorities can track the true identity of vehicle users through pseudonyms, realizing conditional privacy protection. Not only that, the experimental results show that the delay of message verification in our scheme is relatively low, but the computational cost is not high.

2. Basic theory and definition

2.1 Bilinear pair

Let ${\textstyle l}$ be a secure parameter, ${\textstyle q}$ be a ${\textstyle l}$ -bit prime number, ${\textstyle G_{1}}$ is a cyclic addition group of order ${\textstyle q}$ generated by ${\textstyle P}$, ${\textstyle G_{2}}$ is a cyclic addition group of order ${\textstyle q}$ generated by ${\textstyle Q}$, and ${\textstyle G_{T}}$ has the same order ${\textstyle q}$ cyclic multiplication group. Let the discrete logarithm problem in groups ${\textstyle G_{1}}$, ${\textstyle G_{2}}$, ${\textstyle G_{T}}$ be a difficult problem. The mapping ${\textstyle e:G_{1}\times G_{2}\rightarrow G_{T}}$ is called a bilinear pair, if ${\textstyle e}$ satisfies the following properties:

1. Bilinearity: For arbitrary ${\textstyle a,b\in Z_{q}^{\ast }}$, satisfy ${\textstyle e(aP,bQ)=e{\left(P,Q\right)}^{ab}}$;
2. Non-degenerate: ${\textstyle e(P,Q)\not =1}$;
3. Easy to calculate properties: There is an effective algorithm to calculate ${\textstyle e(P,Q)}$.

In the above definition, if ${\textstyle G_{1}\not =G_{2}}$, the mapping ${\textstyle e:G_{1}\times G_{2}\rightarrow G_{T}}$ is called an asymmetric bilinear pair; if ${\textstyle G_{1}=G_{2}=G_{T}}$, the mapping ${\textstyle e:G_{1}\times G_{2}\rightarrow G_{T}}$ is called a symmetric bilinear pair which can be seen as a special case of asymmetric bilinear pairs. The bilinear map ${\textstyle e}$ can be defined by Weil pairs or Tate pairs on a Special elliptic curve called hyper-singular curve on a finite field.

2.2 Aggregate signature

Aggregate signature is a variant of digital signature, which has the function of aggregation. That is to say, given ${\textstyle n}$ users ${\textstyle u_{i}}$ to individual signatures of ${\textstyle n}$ messages ${\textstyle m_{i}}$, the generator of aggregate signature can aggregate these ${\textstyle n}$ individual signatures into a unique short Signature ${\textstyle \sigma }$. Furthermore, given the aggregate signature, the identity ${\textstyle u_{i}}$ of the participating signers, and the original message ${\textstyle m_{i}}$, it can believe that the user ${\textstyle u_{i}}$ signed the message ${\textstyle m_{i}}$. Let AS={Setup, Key, Sign, Verify, AggS, AggV} be a six-tuple of polynomial time algorithm, where Setup, Key, Sign and Verify are common signature algorithms. The remaining algorithms are described as follows:

• AggS:The algorithm of aggregate signature generation implements at least three sub-functions: First, it can implement ordinary signature functions. Secondly, it can realize the aggregation function of message vector group ${\textstyle \left(m_{1},m_{2},\cdots ,m_{n}\right)}$, user vector group ${\textstyle \left(u_{1},u_{2},\cdots ,u_{n}\right)}$ and individual signature vector group ${\textstyle \left({\sigma }_{1},{\sigma }_{2},\cdots ,{\sigma }_{n}\right)}$. Finally, it can aggregate and add new individual signatures.

• AggV: The algorithm of aggregate signature verification. Assuming that each user owns a private key ${\textstyle SK}$ and a public key ${\textstyle PK}$,

if

${\textstyle AggV(PK_{1},\cdots ,PK_{n},m_{1},\cdots ,m_{n},AggS(PK_{1},\cdots ,PK_{n},m_{1},\cdots ,m_{n},Sign(SK_{1},m_{1}),\cdots ,Sign(SK_{n},m_{n})))=}$${\displaystyle 1}$,

It outputs "True", otherwise it outputs "False".

Aggregate signatures can also support incremental aggregation, that is, signatures ${\textstyle {\sigma }_{1}}$, ${\textstyle {\sigma }_{2}}$ can be aggregated into ${\textstyle {\sigma }_{12}}$, and then can be aggregated with ${\textstyle {\sigma }_{3}}$ to ${\textstyle {\sigma }_{123}}$. The schematic diagram of the principle of aggregate signature is shown in Figure 2 .

Figure 2. Schematic diagram of aggregate signature

Aggregate signatures can provide security services such as identity authentication, data integrity, and non-repudiation. In aggregate signatures, aggregation and signature are combined into one step, and the efficiency advantage is very obvious. Compress the signatures of any number of users into one signature, which greatly shorten the length of signature, and also reduce the network bandwidth requirements for transmitting signatures. Simplify the verification of any numbers of signatures to one verification, greatly reducing the workload of signature verification, so aggregate signatures greatly improve the efficiency of signature verification and transmission.

3. Design of certificateless aggregate signature scheme

Generally, the certificateless aggregate signature is composed of a key management center PKG, a signer, a signature aggregator, and a signature verifier. The scheme is composed of algorithms {System initialization, Key generation, Sign, Verify, Aggregate, Batch verification}. In addition to the above steps, the certificateless aggregation signature algorithm based on the VANETs designed in this paper also includes the vehicle registration algorithm, pseudonym generation algorithm and message verification algorithm. The specific description is as follows:

3.1 System initialization

Input the security parameter ${\textstyle l}$, the key management center KGC selects the additive cyclic group ${\textstyle G_{1}}$ and the multiplicative cyclic group ${\textstyle G_{2}}$ whose order is prime ${\textstyle q}$, and defines the bilinear mapping ${\textstyle e:G_{1}\times G_{1}\rightarrow G_{2}}$, and selects the generator ${\textstyle P\in G_{1}}$ of group ${\textstyle G_{1}}$. Then KGC randomly selects the master key ${\textstyle s\in Z_{q}^{\ast }}$, and calculates the public key ${\textstyle P_{K}=s\cdot P}$ of KGC, finally selects the secure hash function ${\textstyle H_{1},H_{2}:{\left\{0,1\right\}}^{\ast }\rightarrow Z_{q}^{\ast }}$. The message set ${\textstyle M={\left\{0,1\right\}}^{\ast }}$. Each RSU selects its secret value ${\textstyle y_{i}\in Z_{q}^{\ast }}$ and calculates the public key ${\textstyle {\overline {P}}_{i}=y_{i}\cdot P}$, then send to KGC. The parameter list ${\textstyle params}$ of the system is disclosed as follows:

${\textstyle params=\lbrace G_{1},G_{2},e,P,P_{K},H_{1},H_{2},PR_{i}\rbrace }$

3.2 Vehicle registration algorithm

The algorithm is executed by the Road and Transport Authority (RTA). For each vehicle user whose identity information is ${\textstyle ID_{i}}$, in order to protect their privacy, RTA generates their false identity ${\textstyle I{D^{'}}_{i}}$. RTA selects hash function ${\textstyle H_{3}:{\left\{0,1\right\}}^{\ast }\rightarrow G_{1}}$ and calculates ${\textstyle I{D^{'}}_{i}=H_{3}(ID_{i})}$. When law enforcement agencies want to track down vehicles that are responsible, RTA can show the true identity of the vehicle.

3.3 Key generation algorithm

KGC executes this algorithm. KGC inputs the parameter list ${\textstyle params}$, master key ${\textstyle s}$, and identity ${\textstyle I{D^{'}}_{i}}$ to calculate part of the private key ${\textstyle p_{i}=s\cdot I{D^{'}}_{i}}$ of the vehicle user. The vehicle user can determine the correctness by verifying whether ${\textstyle e(p_{i},P)=e(I{D^{'}}_{i},P_{K})}$ is true, because

${\textstyle e(p_{i},P)=e(s\cdot I{D^{'}}_{i},P)=e(I{D^{'}}_{i},s\cdot P)=}$${\displaystyle e(I{D^{'}}_{i},P_{K})}$

The algorithm generates the secret value and public key of the vehicle user in VANETs, and once the vehicle travels to a new area, the new RTA can update the user's false identity. The user ${\textstyle U_{i}}$ randomly selects a secret value ${\textstyle x_{i}\in Z_{q}^{\ast }}$ and calculates its public key ${\textstyle P_{i}=x_{i}\cdot P}$.

3.4 Pseudonym generation algorithm

The algorithm is executed by the roadside unit RSU. RSU inputs the identity ${\textstyle I{D^{'}}_{i}}$ of the vehicle user ${\textstyle U_{i}}$ and parameter ${\textstyle params}$, and randomly chooses ${\textstyle a_{i}\in Z_{q}^{\ast }}$, then calculates

${\textstyle {\mbox{M1}}_{i}=a_{i}\cdot I{D^{'}}_{i}}$

(1)

${\textstyle W_{i}=H_{2}({\mbox{M}}1_{i})}$

(2)

${\textstyle {\mbox{M}}2_{i}=a_{i}\cdot W_{i}}$

(3)

Finally, RSU outputs the pseudonym

${\textstyle {\mbox{M}}_{i}={\mbox{M}}1_{i}+{\mbox{M}}2_{i}}$

(4)

3.5 Signature algorithm

To sign the outgoing message ${\textstyle m_{i}}$, the vehicle user ${\textstyle U_{i}}$ needs to perform the following calculation process. ${\textstyle U_{i}}$ randomly chooses ${\textstyle r_{i}\in Z_{q}^{\ast }}$, and calculates

${\textstyle U_{i}=r_{i}\cdot P}$

(5)

${\textstyle h_{i}=H_{1}(m_{i},{\mbox{M}}1_{i},P_{i},U_{i})}$

(6)

${\textstyle V_{i}=p_{i}\cdot {\mbox{M}}2_{i}+h_{i}\cdot r_{i}\cdot P_{K}+h_{i}\cdot x_{i}\cdot {\overline {P}}_{i}}$

(7)

${\textstyle {\sigma }_{i}=(U_{i},V_{i})}$

(8)

and outputs the signature of this message ${\textstyle \left(m_{i},{\sigma }_{i}\right)}$.

3.6 Verification algorithm

Inputs the signature of this message ${\textstyle \left(m_{i},{\sigma }_{i}\right)}$, Public key ${\textstyle P_{i}}$, Partial pseudonym ${\textstyle {\mbox{M}}1_{i}}$ and parameter ${\textstyle params}$. The signature verification process needs to calculate the following values:

${\displaystyle h_{i}=H_{1}(m_{i},{\mbox{M}}1_{i},P_{i},U_{i})}$

(9)

${\displaystyle W_{i}=H_{2}({\mbox{M}}1_{i})}$

(10)

${\displaystyle e(V_{i},P){\overset {?}{=}}e({\mbox{M}}1_{i}\cdot W_{i}+h_{i}\cdot U_{i},P_{K}){\mbox{ }}e(h_{i}\cdot P_{i},{\overline {P}}_{i})}$

(11)

If the equation holds, the signature is valid, otherwise the signature verification fails. The correctness is proved as follows:

${\displaystyle {\begin{array}{ll}L.H.S&\!\!\!=e(p_{i}\cdot {\rm {M}}2_{i}+h_{i}\cdot r_{i}\cdot P_{k}+h_{i}\cdot x_{i}\cdot {\bar {P}}_{i},P)\\&=e(p_{i}\cdot {\rm {M}}2_{i},P)\;e(h_{i}\cdot r_{i}\cdot P_{k},P)\;e(h_{i}\cdot x_{i}\cdot {\bar {P}}_{i},P)\\&=e(s\cdot ID'_{i}\cdot a_{i}\cdot W_{i},P)\;e(h_{i}\cdot r_{i}\cdot s\cdot P,P)\;e(h_{i}\cdot x_{i}\cdot y_{i}\cdot P,P)\\&=e(a_{i}\cdot ID'_{i}\cdot W_{i},s\cdot P)\;e(h_{i}\cdot r_{i}\cdot P,s\cdot P)\;e(h_{i}\cdot x_{i}\cdot P,y_{i}\cdot P)\\&=e({\rm {M}}1_{i}\cdot W_{i},P_{K})\;e(h_{i}\cdot U_{i},P_{K})\;e(h_{i}\cdot P_{i},{\bar {P}}_{i})\\&=e({\rm {M}}1_{i}\cdot W_{i}+h_{i}\cdot U_{i},P_{K})\;e(h_{i}\cdot P_{i},{\bar {P}}_{i})=R.H.S\end{array}}}$

3.7 Aggregate signature algorithm

After inputs the signatures of ${\textstyle n}$ vehicle users ${\textstyle \left(m_{i},{\sigma }_{i}\right)}$, the aggregator outputs signature ${\textstyle \left(m,\sigma \right)}$, where ${\textstyle m=\lbrace m_{1},m_{2},\cdots ,m_{n}\rbrace }$, ${\textstyle \sigma =(U_{1},U_{2},\cdots ,U_{n},V)}$, ${\textstyle V={\sum }_{i=1}^{n}V_{i}}$.

3.8 Batch verification algorithm

After receiving the aggregated signatures of ${\textstyle n}$ users, the RSU verifies through the following steps:

${\textstyle h_{i}=H_{1}(m_{i},{\mbox{M}}1_{i},P_{i},U_{i})}$

(12)

${\textstyle W_{i}=H_{2}({\mbox{M}}1_{i})}$

(13)

${\displaystyle e(V,P){\overset {?}{=}}e({\sum }_{i=1}^{n}\left({\mbox{M}}1_{i}\cdot W_{i}+\right.}$${\displaystyle \left.h_{i}\cdot U_{i}\right),P_{K})e({\sum }_{i=1}^{n}\left(h_{i}\cdot P_{i}\right),{\overline {P}})}$

(14)

If the above equation is true, it indicates that the aggregation signature is valid, otherwise the signature verification fails.

4. Analysis of security and efficiency

We compare the aggregate signature scheme proposed in this paper with several schemes currently used in VANET. In contrast, the verification algorithm of scheme in [4] requires a large computational cost and cannot resist signature forgery attacks. Schemes in [19,20] have high computational efficiency, but they do not satisfy the traceability of signatures. Moreover, schemes in [9,10] are identity-based cryptosystems and suffer from inherent key escrow problem. In addition to satisfying the authentication of messages and the unforgeability of signatures, the scheme proposed in this paper has the following two characteristics.

4.1 Anonymity

Every vehicle user ${\textstyle U_{i}}$ needs to register at the RTA of the Road Traffic Administration. RTA uses the hash function ${\textstyle H_{3}}$ to associate the user ’s real ${\textstyle ID_{i}}$ and false ${\textstyle ID_{i}{}^{'}}$, while the roadside unit RSU selects the random number ${\textstyle a_{i}\in Z_{q}^{\ast }}$ as the false ${\textstyle ID_{i}^{'}}$. A pseudonym ${\textstyle M_{i}}$ was generated. Therefore, no one except RSU can associate the user's false ${\textstyle ID_{i}^{'}}$ and pseudonym ${\textstyle M_{i}}$, and no one except RTA can associate the user's real ${\textstyle ID_{i}}$ and false ${\textstyle ID_{i}{}^{'}}$. Therefore, the scheme proposed in this paper satisfies the anonymity of vehicle users.

4.2 Traceability

In the signature scheme proposed in this article, once the verification algorithm fails or the vehicle user commits a crime, the RSU can submit the false identity ${\textstyle ID_{i}{}^{'}}$ of the vehicle user ${\textstyle U_{i}}$ to RTA. The RTA queries the registration information of the vehicle user to track the corresponding true identity ${\textstyle ID_{i}}$. In the event of disputes or doubts, RTA uses the one-way nature of the hash function to verify the true identity of malicious vehicle users by calculating ${\textstyle I{D^{'}}_{i}=H_{3}(ID_{i})}$, which enables traceability of illegal vehicle users. Table 1 gives a comparison of the security of several schemes. It can be seen that the scheme in this paper has the above-mentioned excellent properties.

	[4]	[9]	[10]	Our scheme
Communication mode	V2I	V2I	V2V	V2I
Authentication	Yes	Yes	Yes	Yes
Anonymity	Yes	Yes	No	Yes
Traceability	No	No	Yes	Yes
Resist forgery attack	Yes	Yes	Yes	Yes
Certificateless	Yes	No	No	Yes

We give a comparison of the calculation costs of several certificateless aggregate signature schemes currently used in VANET, as shown in Table 2. We only select four of the more time-consuming operations. Let ${\textstyle B}$, ${\textstyle S}$, ${\textstyle P_{M}}$, and ${\textstyle E}$ represent the operation of a bilinear map, a scalar multiplication, a modular exponentiation, and a point multiplication respectively in G. These four operations run on an Intel i7 3.07GHz machine with approximately 3.21ms, 1.79ms, 0.442ms, 1.9ms. It can be seen that when there is more traffic, the calculation cost of our scheme is relatively low. The calculation time of other operations such as the hash function is very small and can be ignored. In the table, Sync represents the normal transmission mode, Ad hoc represents the ad hoc network transmission mode, and ${\textstyle n}$ represents the number of vehicle users.

Scheme	Type	Signature	Verification	Aggregate verification
[4]	Sync	3B	4B+S	4B+nS
[19]	Adhoc	2B	2B+3P${\displaystyle _{M}}$	2B+3nP${\displaystyle _{M}}$
[20]	Adhoc	3E	4E	(3n+1)E
Our scheme	Adhoc	3S	3B+2S	3B+2nS

We simulated the proposed scheme in windows + OPNET IT Guru release 9.1.a and compared several VANET-based certificateless aggregate signature schemes, as shown in Figure 3. By comparing the traffic flow entering the same roadside unit RSU with the verification delay time, we can see that when the traffic load increases, our scheme verifies the most signatures, that is, the information loss rate is the lowest.

Figure 3. Traffic density versus verification delay

5. Conclusion

The algorithm of aggregate signature aggregates the signatures of many different users into one signature, and only needs to verify the aggregated signature to determine whether the received signature is legal, which greatly improves the efficiency of message verification. This advantage makes it self-organized in the vehicle. It has good application value in the network. The secure and effective certificateless aggregate signature scheme proposed in this paper has the double advantages of certificateless cryptosystem and aggregate signature. The scheme in this paper effectively combines the privacy protection of vehicle users and the traceability of illegal users, so-called conditional privacy protection. According to the results of simulation, compared with other existing solutions, the solution in this paper has the advantages of low communication cost, low calculation cost and short verification delay, so it is more suitable for resource-constrained network environments such as VANETs.

Acknowledgement

This work has been partially supported by Outstanding Young Talent Program in Universities of Anhui (grant no. gxyqZD2016330).

Conflicts of Interest

The authors declare no conflict of interest.

References