ananonymousauthenticationschemeinvanetsofsmartcity...

Research ArticleAn Anonymous Authentication Scheme in VANETs of Smart CityBased on Certificateless Group Signature

Yuanpan Zheng 12 Guangyu Chen1 and Liguan Guo3

1School of Computer and Communication Engineering Zhengzhou University of Light Industry Zhengzhou 450001 China2Henan Province Engineering Laboratory for Information Technology of Emergency Platform Zhengzhou 450001 China3Henan Xinanli Security Technology Co Ltd Zhengzhou 450001 China

Correspondence should be addressed to Yuanpan Zheng ypzhengzzulieducn

Received 28 March 2020 Revised 13 May 2020 Accepted 27 May 2020 Published 29 June 2020

Guest Editor Zhihan Lv

Copyright copy 2020 Yuanpan Zheng et al (is is an open access article distributed under the Creative Commons AttributionLicense which permits unrestricted use distribution and reproduction in any medium provided the original work isproperly cited

With the change of the network communication environment in vehicular ad hoc networks (VANETs) of a smart city vehiclesmay encounter security threats such as eavesdropping positioning and tracking so appropriate anonymity protection is requiredBased on the certificateless cryptosystem and group signature ideas this paper proposes a certificateless group signatureanonymous authentication scheme for the VANETs of a smart city In this scheme it can implement the process of addingsigning verifying and revoking group members only by simple multiplication of the elliptic curve and synchronization factortechnology which shortens the length of the signature and improves the efficiency of the signature From the proofs of correctnessand security we know that it does not only has anonymity and traceability of the group signature scheme but also hasunforgeability and forward security According to the performance verification this scheme has lower calculation overhead andhigher authentication efficiency

1 Introduction

Vehicular ad hoc networks (VANETs) [1] of a smart city as atypical application of the Internet of (ings technologyenable real-time traffic information interaction betweenvehicles and vehicles and between vehicles and the infra-structure And it has played a positive role in reducing trafficaccidents and has been widely developed in the field ofintelligent transportation With the continuous change ofthe network environment a variety of information securityand privacy leakage issues have also emerged seriouslythreatening the personal safety and personal privacy ofvehicle users (erefore it is necessary to provide corre-sponding security policies which can effectively protect thecommunication security and personal privacy of vehicleusers while providing fast services for vehicle users

At present anonymous authentication technologies inVANETs mainly include PKI-based authentication identity-based authentication and group signature-based

authentication In the early days the public key infra-structure- (PKI-) based public key certificate scheme pro-posed by Raya and Hubaux [1] in 2007 was mainly used(isscheme requires a large number of public-private keypairings and related certificates to be stored in the vehiclesBy occupying a large amount of storage space it increasescommunication and computational overheads and causescertificate management problems Shim [2] proposed anidentity-based batch authentication scheme (e schemeuses a pseudonym to represent vehicle identity informationand uses a pseudonym replacement strategy for each mes-sage signature to achieve message traceability However inthis scheme PKG knows the private keys of all users so it isinevitable that the key escrow problem will occur

In 1991 Chaum and Heyst [3] first proposed the conceptof the group signature It allows group members to signanonymously on behalf of the group (e group adminis-trator is responsible for the creation and distribution ofgroup member keys(e group members use group member

HindawiComplexityVolume 2020 Article ID 1378202 7 pageshttpsdoiorg10115520201378202

certificates to sign on messages (e group public key is usedto verify its authenticity (e verifier can only verify that thesigner is from a member of the group but cannot determinethe identity of specific members in the group therebyprotecting the group membersrsquo identity In addition thegroup administrator can open the signature and reveal thetrue identity of the signing members to resolve the dis-pute But it is computationally infeasible to distinguishwhether two different group signatures come from thesame signer (erefore the group signature technologyhas been widely used and it has been gradually introducedinto the anonymous authentication scheme in VANETs[4ndash7] Shao et al [5] proposed a threshold anonymousauthentication protocol capable of implementing batchauthentication based on the group signature Zheng et al[6] introduced a lightweight group signature technologywhich made the group public key and signature lengthfixed and did not depend on the number of groupmembers Zhao [7] proposed a revocable group signaturescheme based on the Chinese remainder theorem inVANETs When members join and revoke they only needto regenerate a new group public key without changing thekey pairings of other members improving the efficiency ofmember joining and revoking However in these schemeseach member needs to generate a corresponding groupmember certificate which will increase storage overheadand computational overhead

In 2003 Al-Riyami and Paterson [8] first proposed acertificateless cryptosystem In the system a part of the userkey is provided by the key generation center and the rest isgenerated by the user to form the user key which ensuresthat the key generation center does not know all the userrsquosprivate keys and it solves the problem of certificate man-agement in traditional public key cryptosystems and keyescrow in identity-based cryptosystems Based on the groupsignature technology Chen et al [9] and Li et al [10]proposed different certificateless group signature schemesAt the same time certificateless group signature schemesapplied to VANETs have also been proposed [11ndash17] whichhas also become a hotspot in the security of VANETs Zhanget al [12] and Chen et al [14] used bilinear pairings to studythe application of the certificateless group signature inVANETs avoiding the problem of key escrow without theneed for certificate management effectively reducing thesystem storage load

However the current certificateless group signatureschemes are implemented with the help of bilinear pairingoperations which increases the overhead of the systemoperation (erefore this paper proposes a certificatelessgroup signature scheme based on elliptic curves which useselliptic curves instead of bilinear pairings for operations(is scheme not only inherits the security and anonymity ofgroup signature schemes but also greatly reduces thecomputational overhead In particular the introduction ofthe synchronization factor technology in this scheme makesit unnecessary to modify the public key information of thegroup administrator when the members in the groupchange Only the group synchronization factor and groupmembersrsquo synchronization factor are calculated and

modified which greatly reduces the calculation steps whengroup members join and revoke

2 Preliminaries

21 SystemModel In the general mode the systemmodel ofVANETs consists of fixed RSUs (road side units) at the roadside mobile OBUs (on-board units) equipped in vehiclesand a TA (trusted authority) as shown in Figure 1

OBUs access the VANETs through the road side de-ployment infrastructure RSUs and periodically broadcasttheir own vehicle information to other vehicles includingsafety information such as the location speed directionacceleration road conditions traffic events and timestamps so that other OBUs can quickly obtain useful in-formation on the road RSUs can broadcast and receive somesignature information in the group and provide variousservices for the OBUs And when needed they reveal thereal identification of some illegal vehicles and broadcast theidentification information of revoked vehicles RSUs havetheir own storage space and computing capabilities (e TAas a third-party trusted agency in this scheme saves the realidentity information of OBUs and RSUs and generatespublic and private key pairings of OBUs and RSUs foridentification in VANETs

22 Elliptic Curve (e elliptic curve is an encryption al-gorithm in the current public key encryption system and itis also the encryption algorithm that can provide the highestencryption strength for data (e encryption strength cor-responding to the encryption calculation using the 160-bitkey length is equivalent to the encryption length corre-sponding to the RSA algorithm using the 1024-bit key lengthin the public key encryption system However the ellipticcurve has the characteristics of fewer calculation parametersshorter key length and faster operating speed(erefore it isappropriate to apply the elliptic curve encryption algorithmto the VANETs with limited computing capacity storagespace and transmission bandwidth

Definition 1 (elliptic curve definition) (is scheme uses a160-bit elliptical encryption algorithm Assume that q is alarge prime number and Fq is a finite field of the module qAn elliptic curve over a finite field Fq can be defined asE y2 equiv x3 + ax + b(modq) where a b x andy isin Fq andΔ 4a3 + 27b2 ne 0

Definition 2 (addition of elliptic curves) Assume that thepoint of an elliptic curve P (x1 y1) isin E minusP (x1 minusy1) isthe negative point of P Q (x2 y2) isin E Qne minus P the line l

passes through P and Q and it intersects the elliptic curve ata point Rprime (x3 minusy3) (e symmetrical point about the x-axis with Rprime is R (x3 y3) and R P + Q (e additioncyclic group of the prime order q on the elliptic curve E isGq (x y) a b x y isin Fq (x y) isin Fq (a b)1113966 1113967 where G is agenerator on the elliptic curve E and the scalar multipli-cation operation on the elliptic curve iskP P + P + P + middot middot middot + P(k k isin Zlowastq )

2 Complexity

Definition 3 (elliptic curve discrete logarithm problem(ECDLP)) (ere are two points P1 and P2 on the ellipticcurve E on the finite field Fq and there exists k isin Zlowastq suchthat P1 kP2 it is feasible to calculate P1 from k and P2 butit is not advisable to calculate k from P1 and P2

3 Establishment of an AnonymousAuthentication Scheme Based onCertificateless Group Signature

Design Idea In this paper the certificateless design idea isintegrated into the scheme based on the group signaturewhich simplifies the member joining process and can resistpublic key replacement attacks During the member joiningprocess the member A uses the private key to sign SKAobtains the identity signature information hA and sends(IDAYAhAvAbA) to RSU and RSU obtains Arsquos public keyfrom TA to verify the identity information sent by A It notonly proves the legitimacy of A but also avoids public keyreplacement attacks In addition in the process of generatingthe groupmember certificate the vehicle user needs to verifythe identity of the group administrator RSU before acceptingthe member certificate to enhance the credibility of thecertificate

(e certificateless group signature anonymous authen-tication scheme includes system initialization public andprivate key generation for group administrators and groupmembers group member joining signature generationsignature verification member revocation and openingsignature (e specific work is as follows

(1) System Initialization TA chooses the system pa-rameters and generates the master key and its ownpublic key and public key information is madepublic

(2) Public and Private Key Generation for GroupAdministrators and Group Members TA generatesrelevant public and private keys for administratorsRSU and vehicle users OBU (e

administrator generates an initial group synchro-nization factor T

(3) Member Joining(e new member A joins accordingto the group joining method and generates a self-synchronization factor and updates the group syn-chronization factor

(4) Signature Generation Group member A signs themessage M based on the signature algorithm

(5) Signature Verification In VANETs the verifierverifies the message signature through making in-formation and signature information public andconfirms that the signedmessage is signed and issuedby a member of the group

(6) Member Revocation When a member in the groupleaves the group for some reason RSU recalculatesthe synchronization factor Tprime in the group accordingto the identity information of the member A whichleft the group and sends the new synchronizationfactor Tprime and related information of Arsquos synchro-nization factor to other members B in the groupwhich updates their synchronization factor to TB

rsquo

according to the information(7) Opening Signature When A finds that the message

signature sent by the group member vehicle user isfalse information or a dispute occurs between thegroup members the signature is calculated byopening the signature to reveal the identity of theuser

4 Proposed Scheme

41 Initialization Based on the selected security parameterk TA generates two large prime numbers p and q such thatq|p minus 1 Choose the generator P on the cyclic group G on theelliptic curve of the order q (en choose two collision-freehash functions H 0 1 lowast ⟶ Zlowastq andH1 0 1 lowast times G⟶ Zlowastq TA chooses a random parameterz isin Zlowastq as the system master key and calculates Pz zP asthe public key TA makes system parametersparams p q G P Pz H H11113864 1113865 public and secretly saves thesystem master key z

42 Public and Private Key Generation

(1) In this scheme RSU acts as a group manager to managevehicle members in the group Assume that the identityinformation of the group manager RSU is IDRSU thenRSU randomly chooses xRSU isin Zlowastq calculatesPRSU xRSUP and sends P(IDRSU PRSU) to TA TArandomly chooses rRSU isin Zlowastq calculates RRSU rRSUP

and SRSU rRSU + zH1(IDRSUPRSURRSU) and sends(RRSU sRSU) to RSU secretly where RRSU is a partialpublic key of RSU and sRSU is a partial private key ofRSU RSU receives the information verifies whethersRSUP RRSU + PzH1(IDRSUPRSURRSU) is estab-lished and judges the validity of the partial private keysRSU At this time RSU gets a complete private keypairing SKRSU (xRSU sRSU) and a complete public key

TA

RSU RSU

OBU

OBU

VANET

Figure 1 (e system model of VANETs

Complexity 3

pairing PKRSU (xRSUP sRSUP) (PRSU SRSU) TAsaves the corresponding information (IDRSU PRSU

SRSU sRSU) of RSU and saves the public key to the publiclist

(2) Assume that the identity information of the userOBUA is IDA(rough the above process the privatekey pairing SKA (xA sA) and the public keypairing PKA (PA SA) of the user OBUA aregenerated and the public key PKA is made public(e hash function H1 is used to generate a part of theprivate key

(3) (e group manager RSU randomly chooses e isin Zlowastqand calculates T0 eP as the initial group syn-chronization factor of the group and the engagedsynchronization factor is T

43 Joining

(1) When the user OBUA wants to join the group OBUA

randomly chooses yA isin Zlowastq and bA isin Zlowastq and cal-culates YA yAP hA H(IDAPKAYAbA) andvA yA minus hA middot SKA (e user OBUA sends(IDAYAhAvAbA) to RSU

(2) RSU sends IDA to TA obtains OBUArsquos public keyPKA verifies that whether YA

prime vAP + hAPKA YA

is established and generates a certificate for OBUA ifit holds

(3) RSU randomly chooses eA isin Zlowastq calculatesEA YA + eAP (eA + yA)P hRSU H(EA

PKRSUT) and sRSU eA + SKRSU middot hRSU sends(EA hRSU sRSU T) to OBUA and stores(IDA PKA YA bA EA EAP eA hA sA) into thegroup member information list

(4) OBUA verifies RSUrsquos public key PKRSU and calcu-lates that whether EA

prime (sRSU + yA)Pminus hRSUPKRSU

EA is established If it holds the user OBUA joins thegroup and generates the group member certificate as(IDA PKRSU YA EA bA T)

(5) RSU sends (T bA) to other members in the groupand member OBUB updates their synchronizationfactor TB Assuming that OBUBrsquos certificate is(IDB PKRSU YB EB bB TB) OBUB calculates a newsynchronization factor as TB

prime T + TB(bB minus bB) andOBUBrsquos new certificate is (IDB PKRSU

YB EB bB TBprime)

(6) RSU updates the synchronization factor asTprime T middot (bA + xRSU)

44Other Steps (e remaining four steps in the scheme arein order signature generation signature verificationmember revocation and signature opening

441 Signature Generation Assume that the group memberOBUA generates a signature on message M calculates C1

EAP + TAPKRSU and C2 TAP C3 bAEA randomlychooses r1 r2 r3 r4 isin Zlowastq and calculates

d1 r1C1 minus r2PKRSU d2 r1C2 + r3SRSU d3 r3Pd4 r3PKRSU + r4P c H(PKRSUMC1C2C3d1d2

d3d4) s1 r1 minus cbA s2 r2 minus cbATA s3 r3 minus cTA ands4 r4 minus cEA the output signature is RM (c s1 s2 s3

s4 C1 C2 C3)

442 Signature Verification (e verifier calculatesd1prime s1C1 minus s2PKRSU + cPC3 d2prime s1C2 + s3SRSU + cTPd3prime s3P + cC2 d4prime cC1 + s4P + s3PKRSU andcprime H(PKRSUmC1C2C3d1primed2primed3primed4prime) based on(c s1 s2 s3 s4 C1 C2 C3) If the equation cprime c holds theverification passes

443 Member Revocation To revoke the user OBUA RSUcalculates a new synchronization factor Tprime T middot (bA+

xRSU)minus 1 based on (T bA) (en RSU sends (Tprime bA) to othermembers in the group OBUB and OBUB updates theirsynchronization factor TB to TB

prime whereTBprime (TB minus Tprime) middot (bA minus bB)minus 1

444 Signature Opening When RSU finds that the messagesignature sent by the group member vehicle user is falseinformation or a dispute occurs between the group mem-bers it calculates EAP C1 minus C2SKRSU based on the signedmessage RM (c s1 s2 s3 s4 C1 C2 C3) and the groupmanagerrsquos private key SKRSU (xRSU sRSU) and then findsthe corresponding identity of the group member

5 Anonymous Scheme Analysis

51 Correctness Analysis

511 Correctness of Key Distribution After the groupmanager RSU receives (RRSU sRSU) it verifies whethersRSUP RRSU + PzH1(IDRSUPRSURRSU) is establishedSince sRSUP rRSUP+ zPH1(IDRSUPRSURRSU)

RRSU + PzH1(IDRSUPRSURRSU) the verification result isconsistent with the result of the signature generation al-gorithm so the signature scheme satisfies the correctness

Similarly after the user OBUA receives OBUA it verifieswhether sAP RA + PzH1(IDAPARA) is establishedSince sAP rAP + zPH1(IDAPARA)

RA + PzH1(IDAPARA) the signature scheme satisfies thecorrectness

512 Correctness of Signature in Joining After RSU receivesthe signature information (IDAYAhAvAbA) from theuser OBUA if (hA vA) is a legitimate signature the equationYAprime vAP + hAPKA yAP minus hASKAP + hAPKA YA

holds and then RSU calculates hAprime H(IDAPKAYA

primebA)

based on YAprime and gets hA

prime hA And so the r4P minus cEAP +

r3PK signature is valid that is the identity of the user OBUA

is validSimilarly when OBUA receives the message

(EA hRSU sRSU T) sent by RSU and calculates EAprime (sRSU +

yA)P minus hRSUPKRSU based on RSUrsquos public key PKRSU and

4 Complexity

sRSU eA + SKRSU middot hRSU then the equation EAprime EA holds

And so the signature is valid

513 Correctness of Group Signature If(c s1 s2 s3 s4 C1 C2 C3) is a legitimate signature theverifier calculates d1prime s1C1 minus s2PKRSU + cPC3 r1C1minus

cbAEAPminus cbATAPKRSU minus r2PKRSU + cbATAPKRSU + cbA

EAP r1C1 minus r2PKRSU d1 d2prime s1C2 + s3SRSU + cTP

r1C2 minus cbATAP+ r3SRSU minus cTASRSU + cTP r1C2+ r3SRSU

d2 d3prime s3P + cC2 r3P minus cTAP + cTAP r3P d3 andd4prime cC1 + s4P + s3PKRSU cEAP + cTAPKRSU + r4Pminus

cEAP + r3PKRSU minus cTAPKRSU r3PKRSU + r4P d4 basedon TP TA(bA + xRSU)P TAbAP + TASRSU and gets cprime c from the existing public information so the signatureverification algorithm is correct

52 Unforgeability Unforgeability means that the groupcertificate of the members in the group is unforgeable

In this scheme RSUrsquos private key pairing isSKRSU (xRSU sRSU) wheresRSU rRSU + zH1(IDRSUPRSURRSU) the group certificatefor the group member OBUA is(IDA PKRSU YA EA bA TA) whereEA YA + eAP (eA + yA)P YA yAP and the synchro-nization factor of the group T and the synchronization factorof the group member OBUA have the following relationshipT TA(bA + xRSU) yA bA xRSU and eA are private to groupmembers OBUA and RSU respectively so no single partycan complete the group member certificate creation inde-pendently (erefore the group certificate is unforgeable

53 Forward Security When group member OBUA joins thegroup the group synchronization factor T is updated asfollows Tprime T middot (bA + xRSU) based on bA provided byOBUA and the synchronization factors of other membersOBUB in the group are updated as followsTBprime T + TB(bB minus bB) when the group member OBUA is

revoked the group synchronization factor T is updated asfollows Tprime T middot (bA + xRSU)minus 1 and the synchronizationfactors of other members OBUB in the group are updated asfollows TB

prime (TB minus Tprime) middot (bA minus bB)minus 1 It can be seen that thesignature in the verification phase and the synchronizationfactor used in the verification phase will be updated syn-chronously according to the membership addition andrevocation After the update the previous signature verifi-cation equation will not be established so the forward se-curity can be guaranteed

54 Performance Analysis In this section performanceanalysis will be performed in terms of communication costsand calculation costs For this scheme the communicationcost needs to consider the length of the group managerrsquospublic key and the length of the group memberrsquos signatureIn the calculation aspect the cost of joining the group thecost of revoking the group the cost of computing the sig-nature and the cost of verifying the signature are consideredCompared with other group signature schemes some

performance analysis comparisons are made as given inTable 1 where N represents the number of current groupmembers and the number of joined and revoked memberseach time is set to 1

In this scheme the length of the group managerrsquos publickey and the length of the group memberrsquos signature in-formation are not directly related to the number of membersin the group and are constant

In this scheme when joining and revoking the syn-chronization factor of each user needs to be updated so thecost of joining and revoking is O (N)

In this scheme the efficiency of the calculation cost of theinformation signature and the verification cost of the sig-nature information are both constant and the number ofgroup members does not affect the time spent on signatureand verification

For this scheme the performance analysis mainlyconsiders the cost of group membership joining and rev-ocation the cost of information signature and the cost ofverifying signature information

According to the literature [15] we choose a hardwareplatform consisting of Intel I7-6700 and Windows7 with 8Gprocessor memory By performing elliptic curvebilinearpairing simulation experiments multiple times and takingthe average value of the results the operation executionschedule can be obtained as shown in Table 2 (e com-parison of this paperrsquos average execution time of simulationoperations is shown in Figure 2

Considering the overall performance of the scheme wewill focus on analyzing the time overhead in the signaturegeneration and signature verification process (is scheme iscompared with the existing schemes [14 15] In the sig-nature generation phase scalar multiplication of bilinearpairs is mainly used in the scheme [14 15] (e overallmultiplication operation is less than this scheme but thelength of a single multiplication operation is longer than theelliptic curve multiplication and modular multiplicationoperations used in this scheme and the overall time over-head is greater than the time overhead of this schememoreover in the signature generation the calculation of2TEC MUL + 2TMUL is a fixed calculation and it does notneed to participate in each calculation process which canfurther reduce the calculation cost of group members whenperforming signature generation In the signature verifica-tion phase the time-consuming bilinear operation in thescheme [14 15] increases the time overhead and the sig-nature verification process of this scheme is not muchdifferent from the signature generation calculation over-heads as shown in Table 3 (e comparison of signaturegeneration and signature verification overhead for the threeschemes is shown in Figure 3

In the process of the group member joining since thegroup members and the group management need to verifythe identity of each other the group members need toperform four elliptic curve multiplication operations andtwo hash comparisons During the joining and revocationstages of groupmembers the group management broadcaststhe synchronization coefficients of new members and themembers within the group update their respective

Complexity 5

Table 3 Signature generation and verification calculation overhead

SchemeSignature generation Signature verification

Calculation overhead Time overhead (ms) Calculation overhead Time overhead (ms)Scheme [14] 2TPB + 1TH + 10TPB SM 193416 2TPB + 1TPB SM 119874Scheme [15] 5TPB SM 4085 4TPB + 2TPB SM 239748(is scheme 4TMC MUL + 12TMUL + TH 15344 4TMC MUL + 7TMUL + TH 14749

0

5

10

15

20

25

30

Scheme [14] Scheme [15] is scheme

Tim

e ove

rhea

d (m

s)

Signature cost (ms)Verification cost (ms)

Figure 3 Comparison of signature generation and signature verification overhead

Table 1 Performance analysis

Scheme Length of public key Signature length Joining cost Revocation cost Signature cost Verification costLPY [4] O (1) O (1) O (N) O (1) O (1) O (1)YJD [11] O (1) O (1) O (N) O (1) O (Nlog n) O (1)(is scheme O (1) O (1) O (N) O (N) O (1) O (1)

Table 2 Average execution time of simulation operations

Symbol Description Execution time (ms)TMC MUL Multiplication on elliptic curves 03476TMC ADD Addition on elliptic curves 0002TMUL Modular multiplication 00119TH General hash function operations 00012TPB SM Scalar multiplication 0817TPB Bilinear operation 55852

00001

001

1

100

Exec

utio

n tim

e (m

s)

TMC_MUL TMULTMC_ADD TH TPB_SM TPB

Figure 2 Comparison of average execution time of simulation operations

6 Complexity

synchronization factors Without modifying the grouppublic key the calculation costs caused by changes in themembers of the group will be spent allocating sales tomembers in the group and reducing the calculation re-quirements for group management

6 Conclusion

Aiming at the problem of low authentication efficiency in theanonymous authentication scheme in VANETs this paperproposes a certificateless elliptic curve anonymous au-thentication scheme (ough based on a certificateless sig-nature scheme this scheme does not have to considercertificate maintenance and key escrow issues It also useselliptic curves to perform calculations on the basis of cer-tificatelessness and introduces synchronization factortechnology to further improve computing efficiency ofgroup members when joining revoking and signing (eanalysis of the scheme shows that the proposed scheme cannot only ensure the anonymity and traceability of the groupsignature scheme but also ensure unforgeability and forwardsecurity under the premise of correctness (e partial keygeneration scheme adopted in this scheme effectively en-sures the security of user keys and there is no need to savetoo much certificate information in the system and thecalculation and storage overhead is low (erefore it is verysuitable for OBUs and RSUs with very limited computingand storage space in the VANETs

Data Availability

No data were used to support this study

Conflicts of Interest

(e authors declare that they have no conflicts of interest

Acknowledgments

(is work was supported by the Natural Science Foundationof China (grant no 51404216) and the Henan ProvincePrograms for Science and Technology Development (grantnos 202102210180 172102310670 and 152102310374)

References

[1] M Raya and J-P Hubaux ldquoSecuring vehicular ad hoc net-worksrdquo Journal of Computer Security vol 15 no 1 pp 39ndash682007

[2] K-A Shim ldquoReconstruction of a secure authenticationscheme for vehicular ad hoc networks using a binary au-thentication treerdquo IEEE Transactions on Wireless Commu-nications vol 12 no 11 pp 5386ndash5393 2013

[3] D Chaum and V E Heyst ldquoGroup signaturesrdquo Advances inCryptologymdashEUROCRYPTrsquo91 Springer Berlin Germanypp 257ndash265 1991

[4] C I Fan W Z Sun S W Huang W Juang and J HuangldquoStrongly privacy-preserving communication protocol forVANETsrdquo in Proceedings of the 2014 Ninth Asia Joint Con-ference on Information Security IEEE Wuhan China Sep-tember 2014

[5] J Shao X Lin R Lu and C Zuo ldquoA threshold anonymousauthentication protocol for VANETsrdquo IEEE Transactions onVehicular Technology vol 65 no 3 pp 1711ndash1720 2016

[6] M Zheng Y Duan and H Lyu ldquoResearch on identity au-thentication protocol group signature-based in Internet ofvehiclesrdquo Advanced Engineering Sciences vol 50 no 4pp 130ndash134 2018

[7] Z Zhao Reserrch on Efficient Group Signatures Schemes inVANET Xidian University Xirsquoan China 2015

[8] S S Al-Riyami and K G Paterson ldquoCertificateless public keycryptographyrdquo Advances in CryptologyndashASIACRYPT 2003Springer Berlin Germany pp 452ndash473 2003

[9] H Chen C Zhu and R Song ldquoJournal of computer researchand developmentrdquo Journal of Computer Research and De-velopment vol 47 no 2 pp 231ndash237 2010

[10] F Li P Liu and Z Zhu ldquoCertificateless signature and groupsignature schemes based on bilinear pairingsrdquo ComputerEngineering vol 37 no 24 pp 18ndash21 2011

[11] J YineResearch on Certificateless Authenticated Group KeyManagement in Ad Hoc Network Beijing Institute of Tech-nology Beijing China 2016

[12] X Zhang Y Xu and J Cui ldquoAnonymous authenticationprotocol based on certificateless signature for vehicular net-workrdquo Computer Engineering vol 42 no 3 pp 18ndash28 2016

[13] C Song M Zhang W Peng Z Jia Z Liu and X YanldquoResearch on pairing-free certificateless batch anonymousauthentication scheme for VANETrdquo Journal on Communi-cations vol 38 no 11 pp 35ndash43 2017

[14] Y Chen X Cheng S Wang and M Gao ldquoResearch oncertificateless group signature scheme based on bilinearpairingsrdquo Netinfo Security vol 3 pp 53ndash58 2017

[15] N Zhao G Zhang and X Gu ldquoCertificateless aggregatesignature scheme for privacy protection in VANETrdquo Com-puter Engineering vol 46 no 1 pp 114ndash128 2020

[16] Y Gan K Wang and L He ldquoRFID tag dynamic ownershiptransfer protocol of multi-owner with TTP weightrdquo Journal ofLight Industry vol 33 no 1 pp 72ndash78 2018

[17] Y Xiao J DuMWen K Zhou J Jiao and J Pei ldquoTraffic signdetection and recognition based on color features and im-proved support vector machine algorithmrdquo Journal of LightIndustry vol 33 no 3 pp 57ndash65 2018

Complexity 7

certificates to sign on messages (e group public key is usedto verify its authenticity (e verifier can only verify that thesigner is from a member of the group but cannot determinethe identity of specific members in the group therebyprotecting the group membersrsquo identity In addition thegroup administrator can open the signature and reveal thetrue identity of the signing members to resolve the dis-pute But it is computationally infeasible to distinguishwhether two different group signatures come from thesame signer (erefore the group signature technologyhas been widely used and it has been gradually introducedinto the anonymous authentication scheme in VANETs[4ndash7] Shao et al [5] proposed a threshold anonymousauthentication protocol capable of implementing batchauthentication based on the group signature Zheng et al[6] introduced a lightweight group signature technologywhich made the group public key and signature lengthfixed and did not depend on the number of groupmembers Zhao [7] proposed a revocable group signaturescheme based on the Chinese remainder theorem inVANETs When members join and revoke they only needto regenerate a new group public key without changing thekey pairings of other members improving the efficiency ofmember joining and revoking However in these schemeseach member needs to generate a corresponding groupmember certificate which will increase storage overheadand computational overhead

In 2003 Al-Riyami and Paterson [8] first proposed acertificateless cryptosystem In the system a part of the userkey is provided by the key generation center and the rest isgenerated by the user to form the user key which ensuresthat the key generation center does not know all the userrsquosprivate keys and it solves the problem of certificate man-agement in traditional public key cryptosystems and keyescrow in identity-based cryptosystems Based on the groupsignature technology Chen et al [9] and Li et al [10]proposed different certificateless group signature schemesAt the same time certificateless group signature schemesapplied to VANETs have also been proposed [11ndash17] whichhas also become a hotspot in the security of VANETs Zhanget al [12] and Chen et al [14] used bilinear pairings to studythe application of the certificateless group signature inVANETs avoiding the problem of key escrow without theneed for certificate management effectively reducing thesystem storage load

However the current certificateless group signatureschemes are implemented with the help of bilinear pairingoperations which increases the overhead of the systemoperation (erefore this paper proposes a certificatelessgroup signature scheme based on elliptic curves which useselliptic curves instead of bilinear pairings for operations(is scheme not only inherits the security and anonymity ofgroup signature schemes but also greatly reduces thecomputational overhead In particular the introduction ofthe synchronization factor technology in this scheme makesit unnecessary to modify the public key information of thegroup administrator when the members in the groupchange Only the group synchronization factor and groupmembersrsquo synchronization factor are calculated and

modified which greatly reduces the calculation steps whengroup members join and revoke

2 Preliminaries

21 SystemModel In the general mode the systemmodel ofVANETs consists of fixed RSUs (road side units) at the roadside mobile OBUs (on-board units) equipped in vehiclesand a TA (trusted authority) as shown in Figure 1

OBUs access the VANETs through the road side de-ployment infrastructure RSUs and periodically broadcasttheir own vehicle information to other vehicles includingsafety information such as the location speed directionacceleration road conditions traffic events and timestamps so that other OBUs can quickly obtain useful in-formation on the road RSUs can broadcast and receive somesignature information in the group and provide variousservices for the OBUs And when needed they reveal thereal identification of some illegal vehicles and broadcast theidentification information of revoked vehicles RSUs havetheir own storage space and computing capabilities (e TAas a third-party trusted agency in this scheme saves the realidentity information of OBUs and RSUs and generatespublic and private key pairings of OBUs and RSUs foridentification in VANETs

22 Elliptic Curve (e elliptic curve is an encryption al-gorithm in the current public key encryption system and itis also the encryption algorithm that can provide the highestencryption strength for data (e encryption strength cor-responding to the encryption calculation using the 160-bitkey length is equivalent to the encryption length corre-sponding to the RSA algorithm using the 1024-bit key lengthin the public key encryption system However the ellipticcurve has the characteristics of fewer calculation parametersshorter key length and faster operating speed(erefore it isappropriate to apply the elliptic curve encryption algorithmto the VANETs with limited computing capacity storagespace and transmission bandwidth

Definition 1 (elliptic curve definition) (is scheme uses a160-bit elliptical encryption algorithm Assume that q is alarge prime number and Fq is a finite field of the module qAn elliptic curve over a finite field Fq can be defined asE y2 equiv x3 + ax + b(modq) where a b x andy isin Fq andΔ 4a3 + 27b2 ne 0

Definition 2 (addition of elliptic curves) Assume that thepoint of an elliptic curve P (x1 y1) isin E minusP (x1 minusy1) isthe negative point of P Q (x2 y2) isin E Qne minus P the line l

passes through P and Q and it intersects the elliptic curve ata point Rprime (x3 minusy3) (e symmetrical point about the x-axis with Rprime is R (x3 y3) and R P + Q (e additioncyclic group of the prime order q on the elliptic curve E isGq (x y) a b x y isin Fq (x y) isin Fq (a b)1113966 1113967 where G is agenerator on the elliptic curve E and the scalar multipli-cation operation on the elliptic curve iskP P + P + P + middot middot middot + P(k k isin Zlowastq )

2 Complexity












rsquo



4 Proposed Scheme





TA

RSU RSU

OBU

OBU

VANET


Complexity 3





43 Joining













YB EB bB TBprime)







s4 C1 C2 C3)














primebA)







4 Complexity























Complexity 5




0

5

10

15

20

25

30


Tim

e ove

rhea

d (m

s)







00001

001

1

100

Exec

utio

n tim

e (m

s)



6 Complexity


6 Conclusion


Data Availability




Acknowledgments


References


















Complexity 7












rsquo



4 Proposed Scheme





TA

RSU RSU

OBU

OBU

VANET


Complexity 3





43 Joining













YB EB bB TBprime)







s4 C1 C2 C3)














primebA)







4 Complexity























Complexity 5




0

5

10

15

20

25

30


Tim

e ove

rhea

d (m

s)







00001

001

1

100

Exec

utio

n tim

e (m

s)



6 Complexity


6 Conclusion


Data Availability




Acknowledgments


References


















Complexity 7





43 Joining













YB EB bB TBprime)







s4 C1 C2 C3)














primebA)







4 Complexity























Complexity 5




0

5

10

15

20

25

30


Tim

e ove

rhea

d (m

s)







00001

001

1

100

Exec

utio

n tim

e (m

s)



6 Complexity


6 Conclusion


Data Availability




Acknowledgments


References


















Complexity 7























Complexity 5




0

5

10

15

20

25

30


Tim

e ove

rhea

d (m

s)







00001

001

1

100

Exec

utio

n tim

e (m

s)



6 Complexity


6 Conclusion


Data Availability




Acknowledgments


References


















Complexity 7




0

5

10

15

20

25

30


Tim

e ove

rhea

d (m

s)







00001

001

1

100

Exec

utio

n tim

e (m

s)



6 Complexity


6 Conclusion


Data Availability




Acknowledgments


References


















Complexity 7


6 Conclusion


Data Availability




Acknowledgments


References


















Complexity 7

ananonymousauthenticationschemeinvanetsofsmartcity...

Documents