1 Introduction

The Internet of Things (IoT) is a technological paradigm that has rapidly evolved and gained momentum. It has been exploited in several application domains with a lot of success, such as the health sector, the environment and agrifood sector, the transportation sector, etc. More specifically, in the field of Intelligent Transportation, integration with IoT demonstrates significant scientific challenges and commercial opportunities. The usage of IoT (Raj et al. 2022; Patel et al. 2019) in the transportation sector can facilitate the prevention of accidents, the improvement of road conditions (traffic management for preventing congestion, schedule update) and the provision of a wealth of valuable applications to drivers (ranging from smart context aware navigation to automatic tolls payment). Enriching vehicles with IoT technologies has led to the establishment of a vehicular network and the emergence of the well-known Internet of Vehicles (IoV) (Ji et al. 2020; Qureshi et al. 2020), a challenging field having the potential to greatly impact people’s everyday lives.

As in any other field penetrated by IoT technologies, the need to secure IoV against internal and external risks is strong. In this respect, securing the data of all parties in IoV is critical and very demanding (Sharma et al. 2018; Malik et al. 2022; Alharthi et al. 2022). Moreover, further motivated by the recent regulations and directives towards the protection of data privacy worldwide, several research groups are investigating methods aiming to ensure data privacy in various fields of technology, including the Internet of Vehicles.

In the IoV, vehicles can exchange information with each other, as well as with roadside units making use of Vehicular Ad Hoc Networks (VANETs) (Hamdi et al. 2020; Eze et al. 2016). VANETs are used extensively in intelligent transportation systems facilitating the provision of a wealth of static and dynamic information to the interested users (e.g., safety information, details about street positions, the nodes that move in high speed, the topological framework that changes frequently, …) (Shahwani et al. 2022). As data that have been falsified and sent over the VANET can cause harm to lives of both drivers and passengers (Obaidat et al. 2020), it becomes apparent that data security and privacy protection are of paramount importance in IoV environments (Kaur et al. 2018; Afzal et al. 2020).

The added value of this paper is the following:

  • Depicts the necessity of lightweight asymmetric protocols such as ECC in contrast to RSA, which has been established for decades

  • Shows the effects that post-quantum cryptographic protocols (such as NTRU) have in an IoV network

  • Promotes the impact that the different asymmetric cryptographic protocols have on the battery in an IoV network

  • Provides an extensive analysis of energy consumption through the exchange of pseudonyms

All previous experiments have been carried out mainly on NS-3 and SUMO open-source software aiming to have an estimation of how the aforementioned algorithms behave under constrained resources such as CPU, RAM and power, where the usage of lightweight protocols is critical.

The main reason for selecting AES is that in the problem studied, there is the need for fast encryption/decryption ensuring a high security level. 3DES and DES are not sufficiently secure. Asymmetric cryptography is used at the beginning of the communication of two entities via an insecure channel. Then, symmetric cryptography is engaged. It should also be highlighted that AES was implemented on all 3 schemes (RSA, ECC, NTRU). By using the same symmetric protocol for encryption/decryption, and on top of this use an asymmetric protocol, it was easy to measure various metrics that appeared during the experiments in each asymmetric cryptographic protocol.

Dealing with privacy threats in IoV is a major challenge (Zavvos et al. 2022; Sun et al. 2015), as passive and active attacks aiming to retrieve private data are quite frequently observed. When a passive attack takes place, the intruder searches the data that are public for essential information. On the other hand, when an active attack takes place, the attacker aims to gain access to private data, which he tries to alter or infer. For instance, in a data poisoning attack, the intruder’s target is to introduce or change regular data. The latter has consequences on the performance during the training stage when there is use of machine learning or deep learning algorithm processing, such as FDIA (False Data Injection Attacks) (Kumar et al. 2021).

Compared with traditional public-key encryption or IBE (Identity Based Encryption), ABE (Attribute Based Encryption) can successfully provide a one-to-many encryption mode that better suits distributed areas where there are many receivers. By implementing many thresholds and logic operations, ABE provides more flexible access control in order to manage the privileges of the various users. Because of this main advantage, ABE is used in many applications in the area of distributed data management, specified broadcast or data storage related to 3rd parties. Also, ABE is very critical when verifying its security properties via the use of alternative protocols (Bat-Erdene et al. 2022). Public key encryption is widely accepted in order to secure various systems. The main drawback of public key encryption is the public key management by the PKI (Public Key Infrastructure). In identity-based encryption, better known as IBE, any value, such as an ID, can be used as a public key. So, anyone is able to encrypt messages and can communicate with any user in order to send the encrypted text, given that the sender has the receiver’s ID and a master public key (mpk). Because it needs to restrict who can produce secret keys, a KGC (key generation center) publishes a secret key skID for an ID via the use of a master secret key msk. Before issuing a skID, the key generation center verifies that the ID is valid. The idea of using IBE was started by Shamir, and the first implementation was made by Boneh and Franklin (Ema et al. 2021).

The main added value of this paper is the introduction and evaluation of an efficient method which ensures location privacy in IoV. Based on the evaluation findings, the proposed method has been modified and extended aiming for better performance on practical metrics such as the size and the time for message processing or the energy consumption. Special emphasis was given in cryptographic protocols used in message exchange.

The rest of this paper is structured as follows. Section 2 provides an overview of the related state of the art work on ensuring location privacy in VANETs. Section 3 briefly presents the proposed approach that is based on the Mix-Group privacy protection scheme. Subsequently, Sect. 4 elaborates on the evaluation results of the conducted experiments regarding the performance of the proposed approach coupled with three cryptographic techniques in IoV environments. Finally, in Sect. 5, the paper’s conclusions are drawn and future plans are exposed.

2 Related state of the art

In (Babaghayou et al. 2021), a mechanism is proposed that informs nearby vehicles and blocks intruders from finding users via Basic Safety Messages (BSMs), while it lowers the transmission range so that the signal can reach only the vehicles in the vicinity. The proposed scheme, called WHISPER, is related to road-safety because the various vehicles are occasionally not “seen” by the tracker, while they are almost always “seen” by the nearby vehicles. The paper also elaborates on the various protocols and techniques used in order to configure the range of transmission and enable pseudonym change. Finally, WHISPER is evaluated against famous schemes in the privacy-preserving area, such as CPN (Cooperative Pseudonym Change) or RSP (Random Silent Period) and SLOW (Silence at LOW speeds) via the use of a model that contains Manhattan-grid, with various densities, QoS and location privacy.

The work presented in (Kang et al. 2016) focuses on informing about the attacks on VM (Virtual Machines) mapping in CE-IoV (Cloud-Enabled Internet of Vehicles) and proposes a scheme that guards VM location privacy via the use of random Virtual Machine identifiers. The proposed approach exploits the concept of QoP (Quality of Privacy) evaluating the level of location privacy preserved, while they claim that the proposed approach increases the QoP achieved.

In (Yang et al. 2019), a new scheme is proposed that builds on the notion of dynamic pseudonym swap zone (DPSZ), in order to secure vehicles’ location privacy. In this scheme, each vehicle can settle a provisional pseudonym, by taking advantage of the DPSZ. The latter vehicle can permute its pseudonym with a randomly selected vehicle inside the zone. The procedure of choosing randomly pseudonyms blocks the DPSZ from exposing identities of the users to the manager of their group. In order to mitigate the large computation and communication overhead, the approach carries out the respective pseudonym swaps in such a way so that new and previous pseudonyms are not linked. DPSZ can be adjusted to the changing environment of IoVs aiming to decrease the cost of communication in cases where the population of vehicles is too high.

A Spatial Crowdsourcing (SC) scheme for IoV is proposed in (Zhang et al. 2020), which is based on decentralization of location and privacy maintenance. The presented SC scheme uses blockchain technology to mitigate via the SC server the control of the data caused by the user of the vehicle. It uses homomorphic encryption (Gupta et al. 2019) and verifies the vehicle’s location using a circle-based approach, in order to obtain confidentiality of the task concerning the policies of the area they are located in. In order to manage privacy for users’ locations in a multi-level context, the SC scheme allocates a privacy level to each user and visualises this on a grid. In order to prevent workers from illegally obtaining rewards by forging their driving positions, the proposed approach exploits the order-preserving encryption and non-interactive zero-knowledge proof.

In (Benarous et al. 2021), the Concerted Silence-based Location Privacy Preserving Scheme (CSLPPS) is introduced that supports anonymity in IoV networks. It enables unlinkability when users participate in services based on location and also applications related to safety for networks of vehicles. There is a synchronization mechanism established by this scheme, which takes place when there is a change of the identifier between the users that get into the silent period at the same time and before there is any interaction with new identifiers. The authors carried out series of simulations in order to identify how the proposed scheme performs including situations such as GPAs (global passive attackers).

A vehicle Trajectory Privacy Preservation method based on Caching and Dummy locations, abbreviated as TPPCD, is introduced in (Huang et al. 2022) that aims to enable location privacy protection and is based on false locations and caching in IoV environments. In the proposed approach, when users need to use location-based services (LBS), they expose dummy location for maintaining its privacy. Road-Side Units (RSUs) implement caching in order to mitigate the exchange of information among RSUs and the server that provides the LBSs. They use two types of caching: “active cache update” and “passive cache update”. The former is based on popularity and the latter on false (dummy) locations, both aiming to ensure location privacy and enhance cache. As indicated via the evaluations in (Huang et al. 2022), the proposed approach can withstand Long-term Statistical Attacks (LSAs), as well as Location Correlation Attacks (LCAs), while it can manage large hit rate in cache.

In (Kong et al. 2019), a modified Paillier Cryptosystem is proposed that uses the RSU to gather and transfer the sensed data constructed by the vehicles. The proposed scheme collects data operating as privacy-preserving vehicular in IoV. It enables a vehicle to make a structure of data gathered at different locations and transform it to a composite data report that consumes reduced communication and computation resources. The proposed scheme allows RSUs to gather the privacy-preserving data reports and numbering how many reports of data are contained in every data dimension. The aggregated sensory data can be accessed and encrypted again for further processing via the management authority that is trusted. The proposed scheme identifies a data vehicle that gathers the sensed data regarding the rest of vehicles inside the network. There is no involvement of management authorities, while RSUs can re-encrypt the collected information into new ciphertexts that can be decrypted only by the data vehicles. The latter does not require the disclosure of the vehicles’ location. Moreover, the paper estimates the probability of data query failures, evaluates how secure the proposed scheme is regarding location privacy preservation, examines the aspects of integrity and the resistance in collusion attack and claims that it drastically reduces the requirements for computational and communication resources.

The work presented in (Kong et al. 2021) proposes a monitoring mechanism capable of preserving privacy in IoV that exploits blockchain technology and achieves dissemination and acquisition between MaaS (Mobility as a Service) users. The proposed approach aims to support privacy protection and verify the aggregated data. It employs the modified Paillier cryptography mechanism and uses identity signature to verify record gathering. It can therefore authenticate and accumulate someone’s history of performance. Moreover, it exploits blockchains that contain proof-of-stake (PoS) unison for sharing unchanged performance record, as well as a Bloom filter to store pseudonyms, aiming for prompt transaction identification. The pseudonyms of the driver are generated via a one-way hash function and then an identity-based signature is used to authenticate them. An oblivious protocol is then used to get the performance history of the scheme. The advantages of the proposed scheme with regards to computation efficiency and resource consumption are verified via a series of performance tests (Kong et al. 2021). Their respective results indicate that the proposed scheme operates much better than traditional schemes from a computational perspective. Finally, they capture the efficiency and privacy trade-off to identify a suitable number of performance records in each transaction.

3 Robustness and complexity analysis of the cryptographic protocols used.

In the current section the robustness of the used protocols (RSA, ECC, NTRU, AES) is analyzed. Moreover, the complexity of each scheme is presented, which is essential in order to achieve the needed robustness.

The RSA algorithm belongs to the area of asymmetric cryptography, which differs from symmetric encryption, where the same key is used for encrypting and decrypting a message. The main advantage of any asymmetric algorithm is the fact that it encompasses strong encryption that makes decryption of the actual message infeasible and unpredictable for hackers (Mallouli et al. 2019). To obtain enough security the key size must be greater than 1024 bits, so that it is very difficult for an attacker to identify the real text (the decrypted message) (Mallouli et al. 2019). It is very difficult to factorize very long prime numbers (Ma 2021). It relies on the speed of computing with very large prime numbers, while it is infeasible in human time to calculate the factor of the long primes. The time complexity of RSA is \(O((\log_2 x)^3)\) (Chandel et al. 2020).

The ECC scheme provides a similar level of security to RSA or systems based on the discrete logarithm, with shorter operands, for instance 160–256 bits against 1024–3072 bits. ECC is based on the DLP (discrete logarithm problem), so DL-schemes such as Diffie-Hellman key exchange can also be implemented using elliptic curves (Paar et al. 2009). NIST (National Institute of Standards and Technology), a federal agency that is part of the U.S. Commerce Department’s Technology Administration, gives the following information about the ECC, which is considered as safe: elliptic curves in the fields \(2^{163}\), \(2^{233}\), \(2^{248}\), \(2^{409}\) and \(2^{571}\) (Bafandehkar et al. 2013). Elliptic Curve Cryptography is based on finding the separate of a random elliptic Curve, where Elliptic Curves related to finite fields give an inexhaustible source because of their rich structure. More specifically, ECC is believed to be the higher part of ‘one-way’ algorithm which is easy to go in the one way, but extremely difficult to follow the opposite way. While an encryptor can choose a graph in order to assign the graph, it is impossible to discover the solutions. The only solution in order to identify the solution is to try random numbers. Also, brute force tactic is not a good solution, although there are options for every bit size (Ma 2021). The time complexity of ECC is \(O(\sqrt{x})\) (Chandel et al. 2020).

NTRU protocol uses the rationale of the lattice-based SVP and is chosen due to the high security, speed and less complexity it provides. As far as the available data are concerned, NTRU has more strength in relation to RSA concerning quantum attacks (Bansod et al. 2022). NTRU is based on the rationale of smallest vector in lattices and its related operations are based on tailless polynomial convolution ring which encompasses integer coefficient having N maximum degree. Concerning a Z polynomial with variable X, the R ring is scrimped up to N-1 as shown below (Bansod et al. 2022):

$$R=\frac{Z[X]}{X^{N}-1}$$

The time complexity of NTRU scheme is O(NlogN) (Agrawal et al. 2016).

AES algorithm was made in order to secure government in many areas. The AES protocol uses the least cipher blocks possible from 128-bit input blocks and 3 types of key sizes: 128-bit, 192-bit and 256-bit keys. The encryption operation consists of 4 types of transformation in bytes, these are the following: SubBytes, ShiftRows, MixColumns and AddRoundKey. When starting the process of encryption, the input that was previously used into the state will incur a transformation such as reiterated SubBytes, ShiftRows, MixColumns and AddRoundKey, Nr. The operation in the AES algorithm is named round function. The last round differs from the previous levels, because in the last round, the state does not incur MixColumns transformation (Fernando et al. 2019).

Time and space complexity for AES is O (1) (Orhanou et al. 2011).

In (Suárez-Albela et al. 2018) the authors include in their research paper a table which compares different symmetric and asymmetric protocols for the same security level.

In another research (Ma 2021) the authors included in their article a table where again is obvious the relation between RSA and ECC for the same security level in bits, as well as the ratio of ECC in comparison to RSA (last column).

In (Bansod et al. 2022) the researchers included a table that compares ECC, RSA and NTRU protocols for the same security level.

How the key lengths affect the security level.

RSA and ECC are based on functions related to number theory. What separates them is the fact that they need very long operands and keys. Without surprise a system becomes more secure when the operands and keys are longer. So, in order to have a comparison of the different algorithms, the notion of security level is used. When a cryptographic scheme is said to possess a “security level of n bits”, it basically means that the optimal/best attack needs \(2^n\) steps. This is a standard explanation due to the fact that symmetric cryptographic schemes with security level of n are related to a key of length n bits. However, when referring to asymmetric cryptography the relation between cryptographic strength and security is not that obvious. Table 1 depicts the different cryptographic schemes both for asymmetric and symmetric cryptography and the different security levels (80 bit, 128 bit, 192 bit, 256 bit) they provide for different bit lengths (Döring et al. 2022). It is obvious that for the same security level, ECC uses a significantly smaller key length than RSA or DH/DSA/ElGamal.

Table 1 Comparison of asymmetric and symmetric protocols in relation to different security levels (Döring et al. 2022)

It is not strange or uncommon that for instance a digital signature is 2–3 times slower than the encryption of one block that operates using either AES or 3DES. Also, the computational complexity of the asymmetric algorithms presented in Table 1 increases abruptly with the cube of the bit length. For instance, by raising the bit length from 1024 to 3076 bit in the RSA cryptographic scheme, software implementations need \(3^3 = 27\) times more execution time (Döring et al. 2022).
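The relation between key length, security level and cost described above, as an added example that is not part of the paper. It assumes the GNFS-based strength estimate for RSA in the form given in NIST's FIPS 140-2 Implementation Guidance and the square-root bound for elliptic curves; the function names are hypothetical and the results are estimates, not the values of the paper's Table 1.

```python
# Added example (not from the paper): estimate how key length maps to
# security level for RSA and ECC, and how RSA cost grows with key length.
import math


def rsa_security_bits(modulus_bits):
    """GNFS-based strength estimate (assumed formula) for an RSA modulus."""
    x = modulus_bits * math.log(2)
    work = 1.923 * x ** (1 / 3) * math.log(x) ** (2 / 3) - 4.69
    return work / math.log(2)


def ecc_security_bits(field_bits):
    """Generic square-root attacks need about 2^(n/2) steps on an n-bit curve."""
    return field_bits / 2


def min_rsa_modulus(level, start=512, step=256):
    """Smallest modulus (searched in 256-bit steps) reaching the target level."""
    bits = start
    while rsa_security_bits(bits) < level:
        bits += step
    return bits


def relative_cost(bits_from, bits_to):
    """Cubic growth of computation cost with the bit length, as the text states."""
    return (bits_to / bits_from) ** 3


def comparison(levels=(80, 128, 192, 256)):
    """Rows of (security level, RSA bits, ECC bits, RSA/ECC key-length ratio)."""
    rows = []
    for level in levels:
        rsa = min_rsa_modulus(level)
        ecc = 2 * level  # inverse of ecc_security_bits
        rows.append((level, rsa, ecc, round(rsa / ecc, 1)))
    return rows


if __name__ == "__main__":
    # Key sizes used in the paper's RSA simulations.
    for bits in (1024, 2048, 3072):
        print(f"RSA-{bits}: ~{rsa_security_bits(bits):.0f}-bit security, "
              f"cost x{relative_cost(1024, bits):.0f} relative to RSA-1024")
    for row in comparison():
        print("level %d: RSA %d bits, ECC %d bits, ratio %.1f" % row)
```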

From the aforementioned it is obvious the robustness of the cryptography protocols used in the current research paper and the comparison of the different protocols for the same security level gives an estimation of how the protocols can offer the same level of security with different keys size.

4 Comparison of the RSA, ECC, NTRU with current asymmetric protocols

In the current paragraph there is a comparison of the asymmetric protocols that the current research paper delegates with other protocols that are referred to the literature at most 2–3 years old. To start with, the El Gamal asymmetric cipher is presented.

Below, in Table 2 someone can observe the various asymmetric protocols until the time of writing the current paper (2023). The first two protocols, RSA and ECC are coming from the classical cryptography theory, while the rest of them belong to the rationale of Post-Quantum Cryptography. The first column shows the protocol family, the second column depicts the variant of each protocol, whereas the 3rd column gives an estimation of the level of security that each protocol provides with respect to AES and SHA algorithms, which are known to be unbreakable with the current computers.

Table 2 Comparison of state-of-the-art Post Quantum Cryptographic Schemes with the traditional cryptographic schemes concerning the difficulty to be broken by an attacker (Döring et al. 2022)

From Table 2, two famous protocols were chosen to be analyzed below, so that the reader has an idea of the related mathematics and how they provide security by avoiding the classical approach of cryptographic protocols such as RSA and ECC and offering alternative algorithms. Below, the algorithms for PKE (Public Key Encryption) and KEM (Key Encapsulation Mechanism) are presented.

Cryptosystems that rely on classical Cryptography such as RSA and ECC can be penetrated by attackers using large-scale quantum computers. So, there is the need to design cryptographic algorithms that can withstand quantum computing attacks. These are widely known as Post Quantum Cryptography (PQC). The famous NIST has begun to standardize PQC schemes and the Hamming Quasi-Cyclic (HQC) which is code-based and was analyzed before. Code-based encryption schemes are based on error-correcting codes. Its security is based on decoding vectors with small size of random-based quasi-cyclic codes.

The KYBER protocol tunes its security via the k parameter, which can take 3 different values: 2, 3 or 4. Key generation needs \(2k\) NTT computations and \(k^2\) CWM computations. Encryption needs \(k\) NTT, \(k^2 + k\) CWM and \(k + 1\) INTT operations. Decryption takes \(k\) NTT, \(k\) CWM and 1 INTT operations. CRYSTALS-KYBER is a lattice-based cryptography algorithm. Such cryptosystems operate with polynomial rings and implement costly polynomial arithmetic, for instance multiplication of two polynomials of large degree (Yaman et al. 2021).

In the current section a reference of different asymmetric protocols of the classical cryptography such as ECC, RSA, El Gamal and new, Post-Quantum Cryptography algorithms, such as: Hamming Quasi-Cyclic and CRYSTALS-KYBER, took place. Moreover, the PQC algorithms are able to withstand the power of a Quantum Computer that is possible to decrypt the classical cryptographic protocols. A table was represented that sums the last PQC schemes related to asymmetric encryption, with the related level of security that offer in relation to classical cryptographic protocols. Thus, the reader/researcher has an idea of their robustness.

5 Proposed approach

In this section, the proposed location privacy protection approach in IoV is presented, which builds on the efficient MixGroup technique (Yu et al. 2016). A large number of messages that are exchanged during the MixGroup’s operation contain encrypted information in order to ensure the integrity of the data, senders’ identification and the protection from eavesdroppers. So, the choice of encryption method is critical for the operation and model’s efficiency and it should contribute as much as possible to improve coverage of security requirements. Moreover, due to the requirement for quick response with constrained resources in IoV environments, the employed scheme should consume minimal computational and power resources, limiting the size of data to be processed. Therefore, the choice of suitable method for the specific privacy model is vital. In this framework, the following applications have been employed: (1) Keys generation, (2) Encryption and decryption of messages, (3) Construction and verification of digital signatures, (4) Construction and verification of security verification.

The Mix-Group scheme was proposed in (Yu et al. 2016) and builds on the following assumptions: (1) Few vehicles are met in global social spots, since the majority of the vehicles are met in different points during their movements in the road network; and (2) Most vehicles contain individual social spots in which they meet the larger number of vehicles inside the day. Moreover, those points remain stable in deep time, as the moment of the day through which they visit them. The latter occurs in the social nature of the drivers, because such points are often the home, the work space and other similar places. Based on the assumptions above, the social points are distinguished in global and personal. In order to achieve maximum privacy, it is necessary to take advantage of those two characteristics. The proposed Mix-Group-based technique aims at the combination of global and personal social points in the route of a vehicle in order to build an area of pseudonym exchange. Inside that area, a vehicle can exchange continuously pseudonyms aiming at achieving maximum secrecy of the vehicle’s identity. The vehicles that enter the area are becoming member of a team and use a common identity for the communication with the other vehicles and the infrastructure while they are moving inside the specified area. This way they take advantage of both types of social points, as they are positioned in the extended area and are valid points of pseudonyms exchange.

More specifically, the proposed scheme is built on the following steps: (1) An area is specified that is used as Mix-Group and contains a number of global and personal social points. (2) All the vehicles that enter this area, request of becoming members of a joint team and receive a group identity, which they then use in order to broadcast messages. (3) At the same time, they are provided with a sum of temporary and exchange identity, which they use in pseudonym exchange procedure with other vehicles of the same team. (4) Every vehicle, when it starts moving inside the area, it calculates the privacy gain it perceives by exchanging pseudonyms. (5) Pseudonyms exchange is carried out under the cover of the temporary identities and vehicles. (6) After leaving the team, each vehicle enables its new pseudonym and uses it for its future communications.

The proposed scheme offers sufficient protection against attacks of various types. First of all, the use of standardized type of encryption and authentication guarantees protection against exhaustive search attacks, since it is computationally infeasible for someone to extract useful information without having the requisite keys. Moreover, the use of digital signatures prevents an attacker from impersonating a valid vehicle or altering messages. Similarly, it is difficult to forge an identity and the messages of RSUs. Replay attacks are infeasible thanks to the use of timestamps. An eavesdropper is not in a position to continuously follow a vehicle that enters an area until it exits the area, as the adversary cannot link the new pseudonym generated after vehicle exit with the one it had upon entering the area.

In case an internal adversary sends messages with false position information, aiming at producing chaos and accidents in the system, the signature of each message helps in finding the adversary and holding him accountable. Similarly, an attack on the reliability of a vehicle by someone who copies its identity is prevented by signing the messages making use of certificates published by the Register Authority (RA). Lastly, the system is durable in the case of an internal and external adversary combination. In that attack, the internal adversary, after the exchange with a vehicle, transfers the exchanged information to the external eavesdropper in order to monitor the vehicle. The latter can be prevented if the observed vehicle exchanges pseudonyms again, which is very likely.

The reason why the authors chose the Mix-Group is the following: The success of a vehicle is enhanced from the suitable combination of Group and Mix-Zone techniques. Mix-Group provides satisfactory levels of privacy even in situations of low traffic, because of the accumulation of pseudonym exchange in social points, something that does not happen in Mix-Zone. Also, the use of teams lets the continuing of transmission of security messages so that there is no increase in the probability of collisions. From these it is more than obvious the capabilities of that scheme in order to achieve the best location privacy.

For the simulations and for better construction and ease of use, the implemented scheme allows for alternation between the examined methods via the use of a simple logic variable. In other words, every different cryptography method studied lies in a separate file/library that contains the C/C++ functions that implement the previously mentioned applications. Below every method is described.

AES (Advanced Encryption Standard): AES has been used as the base algorithm for every encrypted message, because it was used in order to encrypt information for transmission, and then the symmetric key was encrypted with one of the methods studied. This means that all three methods studied exploit the AES for the essential information encryption. The specific AES algorithm implementation used is based on the free library Crypto++, where these parameters apply: (1) Operation method: Cipher Block Chaining (CBC), (2) Key size: 256 bits, (3) Block size: 128 bits. In the implemented symmetric encryption procedure, a random symmetric key of size 256 bits is produced and the cipher is initialized with an initialization vector. Then, the text is translated to hexadecimal form and it is given as input to the encryption algorithm. At the end of the procedure an encrypted text in hexadecimal form is constructed. For the decryption, the inverse procedure is adopted, i.e.: the text is transformed from hexadecimal form to byte representation, and once the symmetric key is decrypted via the use of one of the three public key algorithms studied, the message is decrypted. Hereafter, the respective implementation is detailed.

RSA (Rivest–Shamir–Adleman) protocol: As in the case of AES, the RSA algorithm implementation of the Crypto++ library has been used. That library is implemented in C++ and is supported by the NS-3 simulation tool. The only parameter varied in the simulation carried out was the algorithm’s key size, which took three discrete values: 1024, 2048 and 3072 bits. Subsequently, the individual application points of the RSA are analyzed together with the corresponding pieces of code.

ECC (Elliptic Curve Cryptography) protocol: For the ECC protocol implementation the open-source library easy-ecc (Footnote 2) has been used. That library is implemented in C, which is supported by the NS-3 simulation tool, and supports the following elliptic curves: secp128r1, secp192r1, secp256r1 and secp384r1. In the implemented approach, secp256r1 has been used, which offers a security level of 128 bits, so the private key size is 256 bits (32 bytes) and, as the specific library uses compressed representation, the public key size is 264 bits (33 bytes).

NTRU (Number Theory Research Unit) protocol: For the NTRU protocol implementation the open-source library NTRU-Crypto (Footnote 3) has been used, and more specifically its C implementation of the NTRUEncrypt public key encryption algorithm. The library supports all the system parameters that are defined in the IEEE 1363.1 standard. The parameter set used was EES449EP1, which supports 128 bits of security with a 623-byte public key and a 713-byte private key. The NTRUEncrypt algorithm requires a cryptographically secure source of random bits. To address this, a deterministic random bit generator (DRBG) has been employed, making use of the special file /dev/urandom (Footnote 4) that is available in the Linux OS. The generator is initialized once at the beginning of every cryptographic process. It should be noted that NTRU has not been used for the implementation of digital signatures and public key certificates. The digital signature algorithm NTRUSign is not sufficiently secure, as the probability of private key leakage is not minimal. Improved signature algorithms based on NTRU have been proposed to NIST for standardization, but they haven’t been approved yet. Therefore, it has been decided not to use any NTRU algorithm for digital signature handling.

5.1 Energy model implementation

The NS-3 tool provides mechanisms that simulate different models of energy sources, energy consumption and energy renewal (Footnote 5). Those models can be attached to every simulated node, and useful conclusions can be drawn from the resulting data. The proposed approach focuses on measuring vehicles’ energy consumption during the process of pseudonym exchange, in order to get an estimation of the cost of the different techniques used. The model that was used is called Wifi Radio Energy Model and simulates the energy consumption of a device with Wifi capability. That model supports the possible states of the device in the physical layer: Idle, CcaBusy, Tx, Rx, ChannelSwitch, Sleep, Off. Each of these states is associated with a current consumption value (measured in Amperes), and upon each transition from one state to another the remaining battery power of the device is calculated. Moreover, the device can be notified when the remaining power is exhausted, so that it stops receiving and transmitting messages, thus simulating a realistic scenario of resource exhaustion. The respective implementation is structured as follows: each vehicle is connected to an energy source, which is initialized with a random level of available energy, high enough to enable the completion of the simulation. Then, on each message exchange, the difference between the previous and the current energy level is recorded for each vehicle, thus measuring the energy consumption per message (in Joules). After a message is processed, the function update_entry_EnergyMap_Recv is called, which updates a hash table that records every vehicle along with the energy consumed for a specific type of message. The energy_pivot starts from an initial source value and is updated with every new message.
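The accounting described above can be sketched outside NS-3 as follows. This is an added example, not the paper’s code: the class names, the current values, the 3 V supply and the 6 Mbit/s rate are assumptions, and only the state list, update_entry_EnergyMap_Recv and energy_pivot come from the text.

```cpp
#include <cstdint>
#include <cstdio>
#include <map>
#include <string>

// Physical-layer states listed in the text. The currents are constructed
// illustrative values, not the settings of the paper's simulation.
enum class PhyState { Idle, CcaBusy, Tx, Rx, ChannelSwitch, Sleep, Off };

static double CurrentAmps(PhyState s) {
    if (s == PhyState::Tx) return 0.40;
    if (s == PhyState::Rx) return 0.30;
    if (s == PhyState::Sleep) return 0.03;
    if (s == PhyState::Off) return 0.0;
    return 0.25;  // Idle, CcaBusy, ChannelSwitch
}

class RadioEnergyModel {
public:
    RadioEnergyModel(double initialJoules, double supplyVolts)
        : remainingJ_(initialJoules), volts_(supplyVolts) {}

    // On each transition, bill the time spent in the state being left:
    // E = I * V * dt. Once the source is exhausted the radio stays Off.
    void ChangeState(PhyState next, double nowSec) {
        if (depleted_ || nowSec < lastChangeSec_) return;
        remainingJ_ -= CurrentAmps(state_) * volts_ * (nowSec - lastChangeSec_);
        lastChangeSec_ = nowSec;
        if (remainingJ_ <= 0.0) { remainingJ_ = 0.0; depleted_ = true; next = PhyState::Off; }
        state_ = next;
    }
    double RemainingJ() const { return remainingJ_; }
    bool Depleted() const { return depleted_; }

private:
    double remainingJ_;
    double volts_;
    double lastChangeSec_ = 0.0;
    PhyState state_ = PhyState::Idle;
    bool depleted_ = false;
};

// Per-vehicle table keyed by message type: energy consumed and message count.
class EnergyMap {
public:
    explicit EnergyMap(double initialJoules) : energyPivot_(initialJoules) {}

    // Plays the role of update_entry_EnergyMap_Recv: a message costs the drop
    // in remaining energy since the previous message (energy_pivot).
    void UpdateEntryRecv(const std::string& type, double remainingJ) {
        Entry& e = entries_[type];
        e.totalJ += energyPivot_ - remainingJ;
        e.count += 1;
        energyPivot_ = remainingJ;
    }
    double AverageJ(const std::string& type) const {
        auto it = entries_.find(type);
        return it == entries_.end() ? 0.0 : it->second.totalJ / it->second.count;
    }

private:
    struct Entry { double totalJ = 0.0; uint32_t count = 0; };
    double energyPivot_;
    std::map<std::string, Entry> entries_;
};

// Receive `bytes` starting at `startSec` and log the cost under `type`.
// Airtime assumes a constructed 6 Mbit/s rate, no preamble, no fragmentation.
double ReceiveAndLog(RadioEnergyModel& radio, EnergyMap& table,
                     const std::string& type, uint32_t bytes, double startSec) {
    double endSec = startSec + bytes * 8.0 / 6e6;
    radio.ChangeState(PhyState::Rx, startSec);  // bills the idle gap before it
    radio.ChangeState(PhyState::Idle, endSec);  // bills the reception itself
    table.UpdateEntryRecv(type, radio.RemainingJ());
    return endSec;
}

int main() {
    RadioEnergyModel radio(10.0, 3.0);  // constructed: 10 J source at 3 V
    EnergyMap table(10.0);
    ReceiveAndLog(radio, table, "HEADER_TYPE_PSEUDO_1", 750, 1.0);
    ReceiveAndLog(radio, table, "HEADER_TYPE_PSEUDO_1", 1500, 2.0);
    std::printf("%.6f J per message\n", table.AverageJ("HEADER_TYPE_PSEUDO_1"));
}
```

Because the cost is taken as the difference between two energy levels, each entry also contains the idle energy spent since the previous message, which in this constructed trace dominates the reception cost.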

5.2 Implementation of road network and vehicle traffic

For the implementation of the road network and the vehicle traffic inside that network the SUMO tool was used. Inspired by similar initiatives (Footnote 6), a 10 × 10 grid topology has been implemented, where each node was 500 m away from its neighbor nodes, covering a 10 km² overall area. 40 out of the 100 nodes of the topology have been selected to operate as crossroads and, based on this, the final road network has been constructed by cutting off dead ends and empty edges. The selection has been made via the grid_generator software for generating random coordinates. Maximum velocity was defined at 19.45 m/s or 70 km/h, the width of the traffic lanes was defined at 3 m and each road consisted of 2 one-way lanes running in opposite directions. Subsequently, the routes of the vehicles inside that network have been designed with the use of the Python script randomTrips.py, which generates random routes for a random number of vehicles. The files containing the network morphology and the routes of the vehicles were given as inputs to SUMO, which executed the simulation and produced a file with the positions of each vehicle during the execution. The latter file was transformed, with the use of another script, traceExporter.py, to a form suitable to be given as input to NS-3.

5.3 Implementation of communication network

Communication between the network entities has been implemented via the NS-3 platform using C and C++. Initially, a collection of nodes has been constructed for each of the network entities, i.e., the RSU and RA. Then, the vehicle nodes were matched with the input file produced by SUMO, whereas RSU and RA were positioned statically in specific locations. More specifically, the RA was positioned at the center of the topology and the RSUs were scattered, depending on their number, at equal distances inside the grid. Subsequently, vehicles and RSUs were enabled with WiFi 802.11p connectivity with the suitable IPs (in sub-network 10.1.0X.X), and the RSUs and RAs were connected to CSMA in another sub-network (192.168.0.X). Communication between different entities was implemented with the use of UDP sockets, meaning that all the nodes were equipped with two types of sockets: send and receive. For the conducted simulation, security messages have been generated per 1 set for vehicles and RSUs. The messages have been handled via callback functions that were called on the reception of each message.

The separation of messages and the selection of each control function was implemented with the use of specific headers. These headers extend the Header class of NS-3 and play a critical role. Essentially, the entire information was embedded in headers encapsulated in a certain order over a dummy message, and was retrieved at the message destination. In Figs. 1, 2, 3, 4, 5, the example of a simple security message is presented.

Fig. 1 The proposed scheme as it operated on the current experiments

Fig. 2 The AES operation presented in a flow diagram

Fig. 3 MixGroup Scheme

Fig. 4 Mix-Group operation

Fig. 5 Representation of a header message
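A stand-alone sketch of the header mechanism of Sect. 5.3, added here as an example and not the paper’s NS-3 code: the wire layout (1-byte type, 16-bit coordinates, 2-byte length prefixes) and the numeric type value are assumptions. It shows ordered headers over a dummy payload, selection of the control function by type, and rejection of truncated or unknown packets at the receive callback.

```cpp
#include <cstdint>
#include <functional>
#include <map>
#include <utility>
#include <vector>

using Bytes = std::vector<uint8_t>;

// The name is one of the paper's message types; the numeric value is constructed.
enum HeaderType : uint8_t { HEADER_TYPE_BROADCAST = 1 };
enum class Verdict { Handled, Truncated, UnknownType };

static void PutU16(Bytes& b, uint16_t v) {
    b.push_back(static_cast<uint8_t>(v >> 8));
    b.push_back(static_cast<uint8_t>(v & 0xff));
}
static void PutBlob(Bytes& b, const Bytes& v) {  // 2-byte length, then the data
    PutU16(b, static_cast<uint16_t>(v.size()));
    b.insert(b.end(), v.begin(), v.end());
}

// Bounds-checked reader: a read past the end latches ok = false.
struct Reader {
    const Bytes& buf;
    size_t pos;
    bool ok;
    Reader(const Bytes& b, size_t start) : buf(b), pos(start), ok(start <= b.size()) {}
    uint16_t U16() {
        if (!ok || buf.size() - pos < 2) { ok = false; return 0; }
        uint16_t v = static_cast<uint16_t>((buf[pos] << 8) | buf[pos + 1]);
        pos += 2;
        return v;
    }
    Bytes Blob() {
        uint16_t n = U16();
        if (!ok || buf.size() - pos < n) { ok = false; return Bytes(); }
        Bytes out(buf.begin() + pos, buf.begin() + pos + n);
        pos += n;
        return out;
    }
};

// Fields of the periodic security message: location, signature, team certificate.
struct SecurityMsg { uint16_t x = 0, y = 0; Bytes signature, teamCert; };

// Sender: type header, then fields in a fixed order, then the dummy payload.
Bytes BuildBroadcast(const SecurityMsg& m, size_t dummyLen) {
    Bytes pkt;
    pkt.push_back(HEADER_TYPE_BROADCAST);
    PutU16(pkt, m.x); PutU16(pkt, m.y);
    PutBlob(pkt, m.signature);
    PutBlob(pkt, m.teamCert);
    pkt.insert(pkt.end(), dummyLen, uint8_t{0});
    return pkt;
}

bool ParseBroadcast(Reader& r, SecurityMsg& out) {
    out.x = r.U16(); out.y = r.U16();
    out.signature = r.Blob();
    out.teamCert = r.Blob();
    return r.ok;  // whatever follows is the dummy payload
}

// Receive callback: the first byte selects the control function.
class Receiver {
public:
    using Handler = std::function<bool(Reader&)>;
    void On(HeaderType t, Handler h) { handlers_[t] = std::move(h); }
    Verdict OnPacket(const Bytes& pkt) const {
        if (pkt.empty()) return Verdict::Truncated;
        auto it = handlers_.find(pkt[0]);
        if (it == handlers_.end()) return Verdict::UnknownType;
        Reader r(pkt, 1);
        return it->second(r) ? Verdict::Handled : Verdict::Truncated;
    }
private:
    std::map<uint8_t, Handler> handlers_;
};

int main() {
    SecurityMsg m, got;
    m.signature = Bytes(64, 0xAA);  // constructed stand-in values
    m.teamCert = Bytes(100, 0xBB);
    Receiver rx;
    rx.On(HEADER_TYPE_BROADCAST, [&](Reader& r) { return ParseBroadcast(r, got); });
    return rx.OnPacket(BuildBroadcast(m, 16)) == Verdict::Handled ? 0 : 1;
}
```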

6 Experimental evaluation

In this section, the experimental findings obtained regarding the efficiency of various cryptographic techniques in IoV environments are elaborated upon. For time measurement, counters have been used that call the function gettimeofday() at the beginning and at the end of each calculation. The diagrams presented record the average values of the measurements over all vehicles, ignoring the vehicles which did not take part in an exchange. For the calculation of the size of each message generated during the pseudonym exchange, the approach employed is described in Sect. 3. Every vehicle maintained two hash tables: one table that recorded the total size of each message it received and another table carrying the number of messages of every type. In both tables, the key was the message type, so it was easy at the end of the simulation to recover the average message size for every different type. A similar method was also used for the energy consumption measurement per message. The simulations (Footnote 7) were implemented in an Ubuntu Linux 14.0.4 virtual environment, running on Windows 10, with 4 GB available RAM and a 1-core Ryzen R7 2700X with frequency 3.7 GHz. The following software was used: (1) NS-3: 3.25, (2) Netanim: 3.107, (3) SUMO: 0.31.0.

As indicated in Fig. 6, throughout the experiments it has been observed that, for the same level of security, the NTRU cryptographic algorithm is about three times faster than the ECC with respect to key pair generation and more than 400 times faster than the RSA, which demonstrates a well-known drawback in this aspect. Another evaluation metric used is the time required by each algorithm for generating certificates (ms) (Fig. 7). In this respect, because NTRU lacks a standardized signature/certificate algorithm, only the performance of the RSA and the ECC has been compared. More specifically, three key sizes for each algorithm have been selected, in order to better illustrate the degradation of performance as the key size increases. The respective results illustrated in Fig. 8 clearly indicate that RSA is significantly affected by the key size, while its impact on the performance of ECC is considerably slimmer. Moreover, for the 128-bit security level, which requires key sizes of 256 and 3072 bits for the ECC and the RSA respectively, RSA is 3 times slower than ECC regarding certificate generation. It should be highlighted that the certificates used are simple digital signatures, so the known RSA weakness in signature generation has again been confirmed. So, it is obvious that the larger the key size, the longer the signature generation time. This is why the ECC is used even more nowadays: for the same security level, the key size in ECC is smaller than in the RSA. The latter is evident from Tables 3, 4 and 5, where the comparison between the different asymmetric protocols is presented.

Fig. 6 Time required for the key generation process (in ms)

Fig. 7 Certificate generation time (ms)

Fig. 8 Encryption time (ms)

Table 3 Comparison of the different key sizes of RSA and ECC for the same security level (Suárez-Albela et al. 2018)

Table 4 Comparison of the different key sizes of RSA and ECC for the same security level and the related ratio of their key size (Ma 2021)

Table 5 Comparison of the different key sizes of RSA, ECC and NTRU for the same security level (Bansod et al. 2022)

Regarding the performance of the three algorithms based on the encryption time required (Fig. 8), it is indicated that ECC demonstrates about 10 times longer encryption time than NTRU and RSA throughout the encryption process. In this respect, the poor performance of ECC is explained by the assumption that two nodes calculate their Diffie-Hellman shared secret every time they communicate, instead of keeping it static after the first time. Regarding the decryption process, as depicted in Fig. 9, the NTRU algorithm is proven to be the most efficient of the three approaches, since it is 9 times faster than ECC and 25 times faster than the RSA.

Fig. 9 Decryption time (ms)

The signature generation time is another evaluation metric used (Fig. 10). As indicated in Fig. 10, the experimental findings obtained are similar to the ones observed regarding the certificate generation. The only difference is that the measurements used to generate the diagram in Fig. 10 originated from vehicles, while the certificates in Fig. 7 have been produced solely by the Register Authority (RA) node. Overall, the ECC algorithm remains the most efficient regarding the signature generation time required, thus confirming the theoretical and experimental findings presented in the recent related literature. It should be noted that the resources of the RA and the vehicles are comparable, which is also reflected in the negligible difference of the respective generation times, as illustrated in Figs. 7 and 10.

Fig. 10 Signature generation time (ms)

However, with regard to the signature verification time required, the behaviour of the algorithms diverges. As indicated in Fig. 11, the RSA algorithm greatly outperforms the ECC algorithm, being for example 29 times faster than the ECC for the 128-bit level of security (ECC_256/RSA_3072). Moreover, it is easily observed that the ECC is more heavily affected by the key size than the RSA, since, for example, for double key size the ECC signature verification time increases by 4.8 times, while the respective time for the RSA increases by 3.6 times.

Fig. 11 Signature verification time (ms)

In order to simulate the network communication and the exchange of pseudonyms, several different types of messages have been used. These message types extend the respective approach in (Kong et al. 2019) and are detailed below:

  • HEADER_TYPE_BROADCAST: The security message that the vehicles transmit periodically. It carries location information, their signature and the certificate of the team that the vehicle belongs to.

  • HEADER_TYPE_EXCHANGE_REQ: It expresses a pseudonym exchange request that a vehicle A sends, aspiring to increase its privacy. It carries the temporary public key and the sender’s certificate, the team’s certificate and a timestamp.

  • HEADER_TYPE_EXCHANGE_PROP: The pseudonym exchange suggestion message that vehicle B sends in order to exchange pseudonyms with a random neighbour A. It consists of the public key and the encrypted certificate with the respective signature and timestamp.

  • HEADER_TYPE_RESPONSE_CONF: Once the pseudonym exchange suggestion is verified and is beneficial for vehicle A, the latter sends a message that includes the public key of B and all the encrypted information that will be necessary in the pseudonym exchange process, i.e., the public key and the exchange certificate of A, along with the respective signatures and timestamps.

  • HEADER_TYPE_REPLY: This is the actual response to the message above and carries the respective information from the point of view of vehicle B (key and exchange certificate, signatures, timestamp).

  • HEADER_TYPE_PSEUDO_1: This is the message capturing the information of vehicle A (identity, certificate, signature), all encrypted with the public exchange key of vehicle B.

  • HEADER_TYPE_PSEUDO_2: Similar to the above, this is the message carrying the information of vehicle B, encrypted with vehicle A’s public key. It includes the first double signature, i.e., the data signature that A has sent.

  • HEADER_TYPE_PSEUDO_3: This message represents the verification response of vehicle A, via which the encrypted double signature is sent, as well as the timestamp when this action took place.

  • HEADER_TYPE_RECORD: This message is exchanged between vehicles A and B and includes the exchange certificates for both vehicles, along with the exchanged identities. The entire message is encrypted with the RA’s public key.

  • HEADER_TYPE_RECORD_CONF: This is actually the confirmation message that the two records that vehicles A and B now have, are identical.

  • HEADER_TYPE_RSU_BROADCAST: This is the message that each RSU transmits periodically to all the vehicles within its range, carrying its position and its public key.

  • HEADER_TYPE_RSU_ACTIVATION: This is the message that a vehicle transmits to the nearest RSU in order to activate its new pseudonym and carries all the exchanged data, encrypted with the RA’s public key.

  • HEADER_TYPE_RA_ACTIVATION: This is the message forwarded by the RSU to the RA and it is similar to the HEADER_TYPE_RSU_ACTIVATION message.

  • HEADER_TYPE_RA_NEW_KEYS: This message is the RA’s response to a vehicle’s pseudonym activation request. It includes the vehicle’s new identity, along with the key couple and its certificate. All data are encrypted with the vehicle’s public key.

In the diagrams of Figs. 12, 13 and 14 the sizes of the messages of all types are depicted, as measured in the experiments conducted, for all three encryption algorithms investigated (i.e., RSA, ECC and NTRU).

Fig. 12 Messages size (bytes) in the negotiation phase

Fig. 13 Messages size (bytes) in pseudonym exchange phase

Fig. 14 Messages size (bytes) in new pseudonym enabling phase

As indicated in the diagrams above, the ECC approach produces messages of the smallest size, which was actually expected, given that those messages contain keys and certificates. Encrypted payload information accounts for a large part of each message, so the message size is linked to the size of the public key that each algorithm uses. The public key size for the ECC is 33 bytes, for NTRU is 623 bytes and for RSA is 384 bytes. Based on this, the difference observed between the ECC and the RSA can be justified. Regarding the NTRU, the digital signature overhead has not been taken into account, which would suggest further increase of the message size if the digital signature were to be considered.

With regards to the energy resource consumption measurement (in Joules), the experiments focused on the exchange pseudonym phase since it is the most stable one. In the negotiating phase the messages that are received or sent may greatly vary, since some of the vehicles may not exchange messages and other vehicles may send requests to many others. The activation phase, on the other hand, concerns basically the infrastructure nodes and the vehicles do not have a large load, so there is not much interest in the energy consumption for the vehicles in this specific phase. In the diagram of Fig. 15, the energy consumption estimations during the pseudonym exchange phase are presented.

Fig. 15 Energy consumption (in Joules) in the exchange pseudonyms phase

As indicated in this diagram, the RSA demonstrates the highest energy consumption, followed by the NTRU, while ECC clearly outperforms the other two, consuming considerably lower energy resources. Studying the diagrams of Figs. 12, 13, 14 and 15, one may easily observe that there is a clear correlation between the size of the messages and the energy consumption induced. This correlation may be attributed to packet fragmentation, which, due to large message sizes, occurs more intensively in the NTRU and RSA implementations, thus increasing the respective energy consumption.

For the last round of experiments conducted, a fixed number of 5 internal adversaries has been assumed, which eliminated the entropy of the vehicles with which they were exchanging pseudonyms. Measurements for 150 vehicles have been collected in 30 s time frames. As observed, the entropy of the system increases quickly at the beginning, and over the course of time it gets stable. The latter occurs because as time passes, more and more vehicles reach the desirable level of anonymity. The respective findings are depicted in Fig. 16.

Fig. 16 Overall entropy of vehicles over time (sec)

7 The novelty in the current paper in comparison to the state-of-the-art papers described in the related section

The proposed solution mainly uses cryptographic algorithms such as RSA, ECC, NTRU and AES, which constitute the traditional way of securing an entity, such as a vehicle. Moreover, the ECC approach keeps an IoV network with many vehicles and RSUs secure while consuming as little energy as possible, and can therefore be used in machines that operate on batteries, such as cars, motorcycles and other vehicles. The small messages it produces, as well as the short time it needs for many cryptographic operations, make the ECC the straightforward solution. The papers listed in Table 6 use different approaches, for which neither the hardware used to realize each approach nor the disadvantages of the cryptographic protocols used are known. From another point of view, because RSA and ECC are vulnerable to quantum computing attacks, the NTRU cryptosystem was also used, which is known to withstand attacks from quantum computers; the literature presented previously did not report any experiments using it for privacy preservation, as can also be observed in Table 6.

Table 6 Overall comparison of the different proposed methods concerning the papers presented related to Location Privacy Protection in the Internet of Vehicles (Babaghayou et al. 2021; Kang et al. 2016; Yang et al. 2019; Zhang et al. 2020; Gupta et al. 2019; Benarous et al. 2021; Huang et al. 2022; Kong et al. 2019; Kong et al. 2021)

8 Expected impact of the proposed solution

The current paper analyzed the MixGroup mechanism with the capability of using 3 discrete cryptographic schemes, RSA, ECC and NTRU, with the auxiliary use of AES as the base, so that they could be compared. Moreover, the outputs of the experiments for each cryptographic protocol used were presented and analyzed. The impact of all these is that using the ECC protocol brings a significant reduction in the time of key generation, certificate generation, decryption, signature generation and signature verification. Also, concerning size, the ECC uses the least number of bytes in the exchange handshake, the pseudonym exchange and the pseudonym activation. As far as energy is concerned, the ECC showed the least energy consumption among the three asymmetric schemes tested. So, the idea is that if someone needs a reliable cryptographic scheme that offers the level of security of the well-known RSA or the quite new NTRU, with the advantages of decreased computation time, decreased size or decreased energy consumption, in areas where the aforementioned parameters are very critical, such as battery-powered devices or settings with constrained CPU or constrained bandwidth, the ECC scheme is the right choice. The current paper indicates that all the above can be implemented in real situations, such as cars, motorcycles, etc., in an overall IoV network.

9 Conclusions and future plans

Based on the experimental results obtained, valuable conclusions can be drawn regarding the optimization of the MixGroup scheme via its coupling with the most suitable encryption technique. On the one hand, the NTRU is proven to demonstrate the fastest cryptographic key generation process for the level of security studied. In IoV environments, the entity responsible for this procedure is the Register Authority, which generates these keys upon system initialization. However, during the system operation, there is often the need to generate new keys, because of the entrance of a new vehicle or due to a set of keys having leaked, in which case the procedure should be as fast as possible, making NTRU an ideal choice. On the other hand, regarding the RSA, the experimental results confirm its known advantages and drawbacks. Thus, it is verified that it underperforms regarding key generation, while being the slowest of the three algorithms in message decryption. However, with regard to message encryption it outperforms the other two approaches, somewhat balancing the aforementioned decryption delays. Finally, the ECC algorithm proves to be more efficient in key generation, while being pretty fast in decryption and quite slow in encryption, outperforming the RSA by demonstrating 30% shorter aggregated encryption & decryption times on average for the 128-bit security level. Similarly, considering the usage of signatures, the ECC proves to be slower in validation than in signing, demonstrating 25% shorter overall duration than the RSA for the 128-bit security level. The slow signature validation time is a significant drawback in the specific implementation, since the entire system is overloaded and delayed.

The authors plan to extend their work to consider the “social nature” of vehicles, which has an impact on group formulation, maintenance and evolution. Therefore, they plan to investigate how the nature and the lifecycle of the vehicle groups affect the performance of the proposed mechanisms and to identify improvements of the designed model. Moreover, the authors plan to investigate the implementation of digital signatures via the usage of the NTRU, thus obtaining a more integrated assessment of its performance. NIST is anticipated to standardize such a method quite soon, since in July 2020 they announced that two NTRU implementations are undergoing the 3rd round of evaluation (Footnote 8). In case any of these gets approved soon, the authors plan to use it to progress their research coupled with the NTRUEncrypt, in order to evaluate the respective performance over end-to-end use cases. Finally, the authors plan to deal with certain problems detected during the conducted experiments, such as the vehicles’ synchronization and the packet loss due to collisions. In this respect, a significant future improvement is the establishment of an experimental network of vehicles in the real world aiming at verification of our results in real operational environments. This will enable extensive testing of the proposed implementation in larger operational topologies aiming to improve the location privacy protection mechanisms and to promote the establishment of secure Internet of Vehicles environments.