Abstract
Vehicular ad hoc networks (VANETs) are fundamental components of building a safe and intelligent transportation system. However, due to their wireless nature, VANETs have serious security and privacy issues that need to be addressed. The conditional privacy-preserving authentication protocol is one important tool to satisfy the security and privacy requirements. Many such schemes employ the certificateless signature, which not only avoids the key management issue of the PKI-based scheme but also solves the key escrow problem of the ID-based signature scheme. However, many schemes have the drawback that a computationally expensive bilinear pairing operation or map-to-point hash function is used. In order to enhance the efficiency, certificateless signature schemes for VANETs are usually constructed to support signature aggregation or online/offline computation. In this paper, we propose an efficient conditional privacy-preserving authentication scheme using an online/offline certificateless aggregate signature, which requires neither a bilinear pairing nor a map-to-point hash function, to address the security and privacy issues of VANETs. Our proposed scheme is proven to be secure with a rigorous security proof, and it satisfies all the security and privacy requirements with a better performance compared with other related schemes.
References
Al-Riyami, S.S., Paterson, K.G.: Certificateless public key cryptography. In: Laih, C.-S. (ed.) ASIACRYPT 2003. LNCS, vol. 2894, pp. 452–473. Springer, Heidelberg (2003). https://doi.org/10.1007/978-3-540-40061-5_29
Au, M.H., Mu, Y., Chen, J., Wong, D.S., Liu, J.K., Yang, G.: Malicious KGC attacks in certificateless cryptography. In: Proceedings of the 2nd ACM Symposium on Information, Computer and Communications Security, pp. 302–311. ACM (2007)
Bayat, M., Barmshoory, M., Rahimi, M., Aref, M.R.: A secure authentication scheme for VANETs with batch verification. Wirel. Netw. 21(5), 1733–1743 (2015)
Boneh, D., Gentry, C., Lynn, B., Shacham, H.: Aggregate and verifiably encrypted signatures from bilinear maps. In: Biham, E. (ed.) EUROCRYPT 2003. LNCS, vol. 2656, pp. 416–432. Springer, Heidelberg (2003). https://doi.org/10.1007/3-540-39200-9_26
Cui, J., Zhang, J., Zhong, H., Shi, R., Xu, Y.: An efficient certificateless aggregate signature without pairings for vehicular ad hoc networks. Inf. Sci. 451, 1–15 (2018)
Even, S., Goldreich, O., Micali, S.: On-line/off-line digital signatures. In: Brassard, G. (ed.) CRYPTO 1989. LNCS, vol. 435, pp. 263–275. Springer, New York (1990). https://doi.org/10.1007/0-387-34805-0_24
He, D., Chen, J., Zhang, R.: An efficient and provably-secure certificateless signature scheme without bilinear pairings. Int. J. Commun. Syst. 25(11), 1432–1442 (2012)
He, D., Zeadally, S., Xu, B., Huang, X.: An efficient identity-based conditional privacy-preserving authentication scheme for vehicular ad hoc networks. IEEE Trans. Inf. Forensics Secur. 10(12), 2681–2691 (2015)
Horng, S.-J., Tzeng, S.-F., Huang, P.-H., Wang, X., Li, T., Khan, M.K.: An efficient certificateless aggregate signature with conditional privacy-preserving for vehicular sensor networks. Inf. Sci. 317, 48–66 (2015)
Horng, S.-J., et al.: b-SPECS+: batch verification for secure pseudonymous authentication in VANET. IEEE Trans. Inf. Forensics Secur. 8(11), 1860–1875 (2013)
Hubaux, J.-P., Capkun, S., Luo, J.: The security and privacy of smart vehicles. IEEE Secur. Priv. 3, 49–55 (2004)
Jia, X., He, D., Liu, Q., Choo, K.-K.R.: An efficient provably-secure certificateless signature scheme for internet-of-things deployment. Ad Hoc Netw. 71, 78–87 (2018)
Kamil, I.A., Ogundoyin, S.O.: An improved certificateless aggregate signature scheme without bilinear pairings for vehicular ad hoc networks. J. Inf. Secur. Appl. 44, 184–200 (2019)
Li, X.-X., Chen, K.-F., Sun, L.: Certificateless signature and proxy signature schemes from bilinear pairings. Lith. Math. J. 45(1), 76–83 (2005)
Liu, D., Shi, R.-H., Zhang, S., Zhong, H.: Efficient anonymous roaming authentication scheme using certificateless aggregate signature in wireless network. J. Commun. 37(7), 182–192 (2016)
Liu, J.K., Baek, J., Zhou, J., Yang, Y., Wong, J.W.: Efficient online/offline identity-based signature for wireless sensor network. Int. J. Inf. Secur. 9(4), 287–296 (2010)
Lo, N.-W., Tsai, J.-L.: An efficient conditional privacy-preserving authentication scheme for vehicular sensor networks without pairings. IEEE Trans. Intell. Transp. Syst. 17(5), 1319–1328 (2015)
Lu, R., Lin, X., Zhu, H., Ho, P.-H., Shen, X.: ECPP: efficient conditional privacy preservation protocol for secure vehicular communications. In: IEEE INFOCOM 2008-The 27th Conference on Computer Communications, pp. 1229–1237. IEEE (2008)
Malhi, A.K., Batra, S.: An efficient certificateless aggregate signature scheme for vehicular ad-hoc networks. Discrete Math. Theor. Comput. Sci. 17(1), 317–338 (2015)
Pointcheval, D., Stern, J.: Security arguments for digital signatures and blind signatures. J. Cryptol. 13(3), 361–396 (2000)
Tsai, J.-L., Lo, N.-W., Wu, T.-C.: Weaknesses and improvements of an efficient certificateless signature scheme without using bilinear pairings. Int. J. Commun. Syst. 27(7), 1083–1090 (2014)
Yeh, K.-H., Su, C., Choo, K.-K.R., Chiu, W.: A novel certificateless signature scheme for smart objects in the internet-of-things. Sensors 17(5), 1001 (2017)
Yum, D.H., Lee, P.J.: Generic construction of certificateless signature. In: Wang, H., Pieprzyk, J., Varadharajan, V. (eds.) ACISP 2004. LNCS, vol. 3108, pp. 200–211. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-27800-9_18
Zhang, C., Lu, R., Lin, X., Ho, P.-H., Shen, X.: An efficient identity-based batch verification scheme for vehicular sensor networks. In: IEEE INFOCOM 2008-The 27th Conference on Computer Communications, pp. 246–250. IEEE (2008)
Zhong, H., Han, S., Cui, J., Zhang, J., Xu, Y.: Privacy-preserving authentication scheme with full aggregation in VANET. Inf. Sci. 476, 211–221 (2019)
A Security Proof
Typically, for a certificateless signature scheme, we define two types of security, namely Type-I security and Type-II security, which correspond to two types of adversaries \(\mathcal {A}_1\) and \(\mathcal {A}_2\).
- Type-I Adversary: \(\mathcal {A}_1\) can launch a public key replacement attack by replacing the public key of any vehicle with a value of its choice. \(\mathcal {A}_1\) does not know the master secret key or the partial private key.
- Type-II Adversary: \(\mathcal {A}_2\) acts as a malicious-but-passive KGC, which knows the master key and the partial private key, but cannot replace any user’s public key.
Theorem 1
The proposed scheme is \((\varepsilon , t, q_c, q_s, q_h)\)-secure against the adversary \(\mathcal {A}_1\) in the random oracle model, assuming that the DL assumption holds in G, where \(q_c, q_h, q_s\) are the numbers of Create, Hash and Sign queries that the adversary is allowed to make.
Proof
Assume there is a probabilistic polynomial-time forger \(\mathcal {A}_1\). We construct an algorithm \(\mathcal {F}\) that makes use of \(\mathcal {A}_1\) to solve the discrete logarithm problem (DLP). Suppose \(\mathcal {F}\) is given the DLP instance (P, Q) and must compute \(x \in Z^*_{q}\) such that \(Q=xP\). \(\mathcal {F}\) chooses a random identity \(ID^*\) as the challenge ID and answers the oracle queries from \(\mathcal {A}_1\) as follows:
- Setup(ID) query: \(\mathcal {F}\) sets \(P_{pub}=Q\) and sends the parameters \(\{P,p,q,E,G,H_2,H_3,P_{pub}\}\) to \(\mathcal {A}_1\).
- Create(ID) query: \(\mathcal {F}\) maintains a hash list \(L_c\) of tuples (\(ID, Q_{ID},vpk_{ID}, psk_{ID}, x_{ID}, h_2\)). When \(\mathcal {A}_1\) makes a query on ID, if ID is in \(L_c\), \(\mathcal {F}\) responds with (\(ID, Q_{ID},vpk_{ID}, psk_{ID}, x_{ID}, h_2\)). Otherwise, \(\mathcal {F}\) simulates the oracle as follows. It randomly selects three values \(a,b,c \in Z^*_{q}\), and sets \(Q_{ID}=a\cdot P_{pub}+b\cdot P\), \(vpk_{ID}=c\cdot P\), \(psk_{ID}=b\), \(x_{ID}=c\), \(h_2=H_2(ID||Q_{ID}) \leftarrow -a \pmod q\). Then it responds with (\(ID, Q_{ID},vpk_{ID}, psk_{ID}, x_{ID}, h_2\)), and inserts (\(ID, Q_{ID},h_2\)) into \(L_{H_2}\). Note that the equation \(psk_{ID} \cdot P=Q_{ID}+{h_2} \cdot P_{pub}\) holds, which means that the partial secret key is valid.
- \(H_2\) query: When the adversary makes an \(H_2\) query with (\(ID, Q_{ID}\)), if ID is already in the hash list \(L_{H_2}\), \(\mathcal {F}\) just returns the corresponding \(h_2\). Otherwise, \(\mathcal {F}\) runs Create(ID) to get \(h_2\), and sends \(h_2\) to \(\mathcal {A}_1\).
- Partial-Private-Key-Extract(ID) query: If \(ID=ID^*\), \(\mathcal {F}\) stops the simulation. Otherwise, \(\mathcal {F}\) checks the hash list \(L_c\); if ID is in the list, \(\mathcal {F}\) responds with \(psk_{ID}\). If ID is not in \(L_c\), \(\mathcal {F}\) queries Create(ID) to get \(psk_{ID}\), and sends it to \(\mathcal {A}_1\).
- Public-Key(ID) query: On receiving the query on ID, if ID is already in \(L_c\), \(\mathcal {F}\) responds with \(pk_{ID}=(Q_{ID}, vpk_{ID})\). Otherwise, \(\mathcal {F}\) queries Create(ID) to get (\(Q_{ID}, vpk_{ID}\)), and sends it to \(\mathcal {A}_1\).
- Public-Key-Replacement(\(ID,pk^{'}_{ID}\)) query: \(\mathcal {F}\) maintains a hash list \(L_R\) of tuples (\(ID, d_i, Q_{ID}, x_{ID}, vpk_{ID}\)). When \(\mathcal {A}_1\) queries with (\(ID, pk^{'}_{ID}\)), where \(Q^{'}_{ID}=d^{'}_{i}\cdot P\), \(vpk^{'}_{ID}=x^{'}_{ID}\cdot P\) and \(pk^{'}_{ID}=(Q^{'}_{ID}, vpk^{'}_{ID})\), \(\mathcal {F}\) sets \(Q_{ID}=Q^{'}_{ID}\), \(vpk_{ID}=vpk^{'}_{ID}\), \(psk_{ID}=\perp \), and \(x_{ID}=x^{'}_{ID}\). Then \(\mathcal {F}\) updates the list \(L_R\) with (\(ID, d^{'}_{i},Q^{'}_{ID}, vpk^{'}_{ID}, x^{'}_{ID}\)).
- \(H_3\) query: \(\mathcal {F}\) maintains a hash list \(L_{H_3}\) of tuples (\(m,ID, R,vpk_{ID}, t, h_3\)). If the queried ID is in this list, \(\mathcal {F}\) just responds with \(h_3\). Otherwise it chooses a random \(h_3\), sets \(h_3=H_3(m||ID||vpk_{ID}||R||t)\), adds it into \(L_{H_3}\) and responds with \(h_3\).
- Sign(ID, m) query: When \(\mathcal {A}_1\) makes a sign query on (ID, m), if ID is in \(L_R\), \(\mathcal {F}\) generates random numbers \(a,b,c \in Z^*_{q}\), sets \(s=a\), \(R=P\), \(h_3=H_3(m||ID||vpk_{ID}||R||t)\leftarrow (a-b-c) \pmod q\), and inserts (\(m,ID, R,vpk_{ID}, t, h_3\)) into \(L_{H_3}\). The output signature is (R, s). If ID is not in \(L_R\), \(\mathcal {F}\) acts as in the description of the scheme.
Finally, \(\mathcal {A}_1\) outputs a forged signature \(\sigma =(R, s_{\{1\}})\) on (ID, m), which satisfies the verification process of the verifier. If \(ID\ne ID^*\), \(\mathcal {F}\) fails and aborts. From the forking lemma in [20], \(\mathcal {F}\) rewinds \(\mathcal {A}_1\) to the point where it queries \(H_3\), and uses a different value. \(\mathcal {A}_1\) will output another valid signature (R, \(s_{\{2\}}\)) with the same R. Then we have:
From these two linear equations, we can derive the value r as \(\frac{s_2 - s_1}{h_{3_{\{2\}}} - h_{3_{\{1\}}}}\). Another rewind on \(H_2\) allows the computation of x.
Probability Analysis: The simulation of the Create(ID) oracle fails when the random oracle assignment \(H_2(ID||Q_{ID})\) causes an inconsistency, which happens with probability at most \(q_{h}/q\). The probability of a successful simulation of \(q_c\) queries is at least \((1-(q_{h}/q))^{q_c}\geq 1-(q_{h}q_{c}/q)\). Also, the simulation is successful for \(q_{h}\) queries with probability at least \((1-(q_{h}/q))^{q_h}\geq 1-(q^2_{h}/q)\). And \(ID=ID^*\) with probability \(1/q_{c}\). Therefore, the overall probability of a successful simulation is \((1-q_{h}q_{c}/q)(1-(q^2_{h}/q))(1/q_{c})\varepsilon \).
The time complexity of the algorithm \(\mathcal {F}\) is dominated by the exponentiations performed in the Create and Sign queries, which is equal to \(t+O(q_{c}+q_{s})S\), where S is the time of a scalar multiplication operation.
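As an added worked example (not code from the paper), the following Python models the Type-I simulator's Create(ID) oracle and the forking-lemma extraction of r from the proof of Theorem 1: it shows that the programmed \(h_2 = -a\) makes the partial key valid without knowing x, and that two forged signatures sharing R yield r. It assumes a constructed toy prime-order subgroup of \(Z_p^*\) in place of the paper's elliptic-curve group, a signing equation \(s = r h_3 + psk_{ID} + x_{ID}\) read off the verification equation quoted in the Sign simulation, and constructed toy values for the two \(H_3\) answers.

```python
import secrets

# Constructed toy group: the prime-order-q subgroup of Z_p^* generated by P = 4,
# with p = 2q + 1 = 2039 and q = 1019.  Written multiplicatively, so the paper's
# additive "k*P" becomes pow(P, k, p) and "X + Y" becomes (X * Y) % p.
# Toy sizes only; the scheme itself uses an elliptic-curve group.
p, q, P = 2039, 1019, 4

def mul(k, X):            # scalar multiplication k*X in the paper's notation
    return pow(X, k % q, p)

def add(X, Y):            # point addition X + Y
    return (X * Y) % p

def rand_scalar():        # uniform element of Z_q^*
    return secrets.randbelow(q - 1) + 1

def simulate_create(ID, P_pub, H2):
    """Type-I simulator's Create(ID): valid (Q_ID, psk_ID, h2) without knowing x."""
    a, b, c = rand_scalar(), rand_scalar(), rand_scalar()
    Q_ID = add(mul(a, P_pub), mul(b, P))      # Q_ID = a*P_pub + b*P
    vpk_ID = mul(c, P)                         # vpk_ID = c*P
    h2 = (-a) % q
    H2[(ID, Q_ID)] = h2                        # program the random oracle H2
    return Q_ID, vpk_ID, b, c, h2              # psk_ID = b, x_ID = c

def psk_is_valid(Q_ID, psk, h2, P_pub):
    # the check stated in the proof: psk_ID*P == Q_ID + h2*P_pub
    return mul(psk, P) == add(Q_ID, mul(h2, P_pub))

def sign(r, h3, psk, x_ID):
    # assumed signing equation, consistent with the verification equation below
    return (r * h3 + psk + x_ID) % q

def verify(R, s, h3, Q_ID, vpk_ID, h2, P_pub):
    # verification equation from the proof: s*P == h3*R + Q_ID + vpk_ID + h2*P_pub
    rhs = add(add(add(mul(h3, R), Q_ID), vpk_ID), mul(h2, P_pub))
    return mul(s, P) == rhs

def extract_r(s1, h3_1, s2, h3_2):
    # forking-lemma extraction: r = (s2 - s1) / (h3_2 - h3_1) mod q
    return ((s2 - s1) * pow((h3_2 - h3_1) % q, -1, q)) % q

def run_reduction_demo(ID="vehicle-0042"):
    x = rand_scalar()                 # master key, used only to build the instance Q = x*P
    P_pub = mul(x, P)                 # the simulator sees P_pub = Q, never x
    H2 = {}
    Q_ID, vpk_ID, psk, x_ID, h2 = simulate_create(ID, P_pub, H2)
    r = rand_scalar()                 # forger's ephemeral secret, R = r*P
    R = mul(r, P)
    h3_1, h3_2 = 17, 911              # constructed distinct H3 answers of the two forks
    s1, s2 = sign(r, h3_1, psk, x_ID), sign(r, h3_2, psk, x_ID)
    both_ok = (verify(R, s1, h3_1, Q_ID, vpk_ID, h2, P_pub) and
               verify(R, s2, h3_2, Q_ID, vpk_ID, h2, P_pub))
    return psk_is_valid(Q_ID, psk, h2, P_pub), both_ok, extract_r(s1, h3_1, s2, h3_2) == r
```

All three returned flags are True on every run; a second rewind on \(H_2\), as the proof notes, would similarly pin down x.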
Theorem 2
The proposed scheme is \((\varepsilon , t, q_c, q_s, q_h)\)-secure against the adversary \(\mathcal {A}_2\) in the random oracle model, assuming that the DL assumption holds in G, where \(q_c, q_h, q_s\) are the numbers of Create, Hash and Sign queries that the adversary is allowed to make.
Proof
Assume there is a probabilistic polynomial-time forger \(\mathcal {A}_2\). We construct an algorithm \(\mathcal {F}\) that makes use of \(\mathcal {A}_2\) to solve the discrete logarithm problem (DLP). Suppose \(\mathcal {F}\) is given the DLP instance (P, Q) and must compute \(y \in Z^*_{q}\) such that \(Q=yP\). \(\mathcal {F}\) chooses a random identity \(ID^*\) as the challenge ID and answers the oracle queries from \(\mathcal {A}_2\) as follows:
- Setup(ID) query: \(\mathcal {F}\) sets \(P_{pub}=x\cdot P\) with \(x \in Z^*_{q}\) and sends the parameters \(\{P,p,q,E,G,H_2,H_3,P_{pub}\}\) to \(\mathcal {A}_2\).
- Create(ID) query: \(\mathcal {F}\) maintains a hash list \(L_c\) of tuples (\(ID, Q_{ID}, vpk_{ID}, psk_{ID}, x_{ID}, h_2\)). When \(\mathcal {A}_2\) makes a query on ID, if ID is in \(L_c\), \(\mathcal {F}\) responds with (\(ID, Q_{ID},vpk_{ID}, psk_{ID}, x_{ID}, h_2\)). If \(ID=ID^*\), \(\mathcal {F}\) chooses \(a,b \in Z^*_{q}\) randomly and sets \(Q_{ID}=aP\), \(vpk_{ID}=Q\), \(h_2=H_2(ID||Q_{ID}) \leftarrow b\), \(psk_{ID}=a+x\cdot h_2\), \(x_{ID}=\perp \). If \(ID\ne ID^*\), \(\mathcal {F}\) selects three random numbers a, b, c and sets \(Q_{ID}=aP\), \(vpk_{ID}=bP\), \(h_2=H_2(ID||Q_{ID}) \leftarrow c\), \(psk_{ID}=a+x\cdot h_2\), \(x_{ID}=b\). Finally, \(\mathcal {F}\) responds to the query with (\(ID, Q_{ID},vpk_{ID}, psk_{ID}, x_{ID}, h_2\)) and adds (\(ID, Q_{ID},h_2\)) into the hash list \(L_{H_2}\).
- \(H_2\) query: When the adversary makes an \(H_2\) query with (\(ID, Q_{ID}\)), if ID is already in the hash list \(L_{H_2}\), \(\mathcal {F}\) just returns the corresponding \(h_2\). Otherwise, \(\mathcal {F}\) runs Create(ID) to get \(h_2\), and sends \(h_2\) to \(\mathcal {A}_2\).
- Partial-Private-Key-Extract(ID) query: On receiving the query on ID, \(\mathcal {F}\) checks the hash list \(L_c\); if ID is in the list, \(\mathcal {F}\) responds with \(psk_{ID}\). If ID is not in \(L_c\), \(\mathcal {F}\) queries Create(ID) to get \(psk_{ID}\), and sends it to \(\mathcal {A}_2\).
- Public-Key(ID) query: On receiving the query on ID, if ID is already in \(L_c\), \(\mathcal {F}\) responds with \(pk_{ID}=(Q_{ID}, vpk_{ID})\). Otherwise, \(\mathcal {F}\) queries Create(ID) to get (\(Q_{ID}, vpk_{ID}\)), and sends it to \(\mathcal {A}_2\).
- Secret-Key-Extract(ID) query: If \(ID=ID^*\), \(\mathcal {F}\) aborts the simulation. Otherwise, if ID is already in \(L_c\), \(\mathcal {F}\) responds with \(x_{ID}\). If ID is not already in \(L_c\), \(\mathcal {F}\) runs Create(ID) to get (\(ID, Q_{ID},vpk_{ID}, psk_{ID}, x_{ID}, h_2\)), and sends \(x_{ID}\) to the adversary.
- \(H_3\) query: \(\mathcal {F}\) maintains a hash list \(L_{H_3}\) of tuples (\(m,ID, R,vpk_{ID}, t, h_3\)). If the queried ID is in this list, \(\mathcal {F}\) just responds with \(h_3\). Otherwise it chooses a random \(h_3\), sets \(h_3=H_3(m||ID||vpk_{ID}||R||t)\), adds it into \(L_{H_3}\) and responds with \(h_3\).
- Sign(ID, m) query: If \(ID\ne ID^*\), \(\mathcal {F}\) acts as in the description of the scheme. Otherwise, \(\mathcal {F}\) generates random numbers \(a,b,f \in Z^*_{q}\), sets \(s=a\), \(h_3=H_3(m||ID||vpk_{ID}||R||t) \leftarrow f\), \(R=h^{-1}_{3}\cdot (bP_{pub}-Q)\), and responds with the signature (R, s). This signature is valid as the equation \(s\cdot P=h_3\cdot R +Q_{ID}+vpk_{ID}+ h_2\cdot P_{pub}\) holds.
Finally, \(\mathcal {A}_2\) outputs a forged signature \(\sigma =(R, s_{\{1\}})\) on (ID, m), which satisfies the verification process of the verifier. From the forking lemma in [20], \(\mathcal {F}\) rewinds \(\mathcal {A}_2\) to the point where it queries \(H_3\), and uses a different value. \(\mathcal {A}_2\) will output another valid signature (R, \(s_{\{2\}}\)) with the same R. Then we have:
Only y and r are unknown. Hence, from these two linear equations, we can derive the two unknown values r and y, and output y as the solution of the DL problem.
Probability Analysis: The simulation of the Create(ID) oracle fails when the random oracle assignment \(H_2(ID||Q_{ID})\) causes an inconsistency, which happens with probability at most \(q_{h}/q\). The probability of a successful simulation of \(q_c\) queries is at least \((1-(q_{h}/q))^{q_c}\geq 1-(q_{h}q_{c}/q)\). Also, the simulation is successful for \(q_{h}\) queries with probability at least \((1-(q_{h}/q))^{q_h}\geq 1-(q^2_{h}/q)\). And \(ID=ID^*\) with probability \(1/q_{c}\). Therefore, the overall probability of a successful simulation is \((1-q_{h}q_{c}/q)(1-(q^2_{h}/q))(1/q_{c})\varepsilon \).
The time complexity of the algorithm \(\mathcal {F}\) is dominated by the exponentiations performed in the Create and Sign queries, which is equal to \(t+O(q_{c}+q_{s})S\), where S is the time of a scalar multiplication operation.
© 2019 Springer Nature Switzerland AG
Cite this paper
Li, K., Au, M.H., Ho, W.H., Wang, Y.L. (2019). An Efficient Conditional Privacy-Preserving Authentication Scheme for Vehicular Ad Hoc Networks Using Online/Offline Certificateless Aggregate Signature. In: Steinfeld, R., Yuen, T. (eds) Provable Security. ProvSec 2019. Lecture Notes in Computer Science(), vol 11821. Springer, Cham. https://doi.org/10.1007/978-3-030-31919-9_4
DOI: https://doi.org/10.1007/978-3-030-31919-9_4
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-31918-2
Online ISBN: 978-3-030-31919-9