An Efficient Conditional Privacy-Preserving Authentication Scheme for Vehicular Ad Hoc Networks Using Online/Offline Certificateless Aggregate Signature

Kang Li; Man Ho Au; Wang Hei Ho; Yi Lei Wang

doi:10.1007/978-3-030-31919-9_4

International Conference on Provable Security

ProvSec 2019: Provable Security pp 59-76 | Cite as

An Efficient Conditional Privacy-Preserving Authentication Scheme for Vehicular Ad Hoc Networks Using Online/Offline Certificateless Aggregate Signature

Authors
Authors and affiliations

Kang Li
Man Ho Au
Wang Hei Ho
Yi Lei Wang

Conference paper

First Online: 26 September 2019

Part of the Lecture Notes in Computer Science book series (LNCS, volume 11821)

Abstract

Vehicular ad hoc networks (VANETs) are fundamental components of building a safe and intelligent transportation system. However, due to its wireless nature, VANETs have serious security and privacy issues that need to be addressed. The conditional privacy-preserving authentication protocol is one important tool to satisfy the security and privacy requirements. Many such schemes employ the certificateless signature, which not only avoids the key management issue of the PKI-based scheme but also solves the key escrow problem of the ID-based signature scheme. However, many schemes have the drawback that the computational expensive bilinear pairing operation or map-to-point hash function are used. In order to enhance the efficiency, certificateless signature schemes for VANETs are usually constructed to support signature aggregation or online/offline computation. In this paper, we propose an efficient conditional privacy-preserving authentication scheme using an online/offline certificateless aggregate signature, which does not require bilinear pairing or map-to-point hash function, to address the security and privacy issues of VANETs. Our proposed scheme is proven to be secure with a rigorous security proof, and it satisfies all the security and privacy requirements with a better performance compared with other related schemes.

This is a preview of subscription content, to check access.

A Security Proof

Typically, for a certificateless signature scheme, we define two types of security, namely Type-I security and Type-II security, which corresponds to two types of adversaries $\mathcal {A}_1$ and $\mathcal {A}_2$.

Type-I Adversary: $\mathcal {A}_1$ can launch a public key replacement attack by replacing the public key of any vehicle with a value of its choice. $\mathcal {A}_1$ does not know the master secret key or the partial private key.
Type-II Adversary: $\mathcal {A}_2$ acts as a malicious-but-passive KGC, which knows the master key and the partial private key, but cannot replace any user’s public key.

Theorem 1

The proposed scheme is ($\varepsilon , t, q_c, q_s, q_h$)- secure against the adversary $\mathcal {A}_1$ in the random oracle model, assuming that DL assumption hold in G, where $q_c, q_h, q_s$ are the numbers of Create, Hash and Sign queries that the adversary is allowed to make.

Proof

Assume there is a probabilistic polynomial-time forger $\mathcal {A}_1$, we construct an algorithm $\mathcal {F}$ that make use of $\mathcal {A}_1$ to solve the discrete logarithm problem(DLP). Suppose $\mathcal {F}$ is given the DLP instance (P, Q) to compute $x \in Z^*_{q}$ such that $Q=xP$. $\mathcal {F}$ chooses a random identity $ID^*$ as the challenged ID and answers the oracle queries from $\mathcal {A}_1$ as follows:

Setup(ID) query: $\mathcal {F}$ sets $P_{pub}=Q$ and sends the parameters $\{P,p,q,E,G,H_2,H_3,P_{pub}\}$ to $\mathcal {A}_1$.
Create(ID) query: $\mathcal {F}$ maintains a hash list $L_c$ of tuple ($ID, Q_{ID},vpk_{ID}, psk_{ID}, x_{ID}, h_2$). When $\mathcal {A}_1$ makes a query on ID, if ID is in $L_c$, $\mathcal {F}$ responds with ($ID, Q_{ID},vpk_{ID}, psk_{ID}, x_{ID}, h_2$). Otherwise, $\mathcal {F}$ will simulate the oracle as follows. It randomly selects three value $a,b,c \in Z^*_{q}$, and sets $Q_{ID}=a\cdot P_{pub}+b\cdot P$, $vpk_{ID}=c\cdot P$, $psk_{ID}=b, x_{ID}=c, h_2=H_2(ID||Q_{ID}) \leftarrow -a (mod q) $. Then it responds with ($ID, Q_{ID},vpk_{ID}, psk_{ID}, x_{ID}, h_2$), and inserts ($ID, Q_{ID},h_2$) to $L_{H_2}$. Note that the equation $psk_{ID} \cdot P=Q_{ID}+{h_2} \cdot P_{pub}$ holds, which means that the partial secret key is valid.
$H_2$ query: When adversary makes a $H_2$ query with ($ID, Q_{ID}$), if ID is already in the hash list $L_{H_2}$, $\mathcal {F}$ just returns the corresponding $h_2$. Otherwise, $\mathcal {F}$ runs Create(ID) to get $h_2$, and send $h_2$ to $\mathcal {A}_1$.
Partial-Private-Key-Extract(ID) query: If $ID=ID^*$, $\mathcal {F}$ stops the simulation. Otherwise, $\mathcal {F}$ checks the hash list $L_c$, if ID in the list, then $\mathcal {F}$ response with $psk_{ID}$. If ID is not in $L_c$, $\mathcal {F}$ queries Create(ID) to get the $psk_{ID}$, and sends it to $\mathcal {A}_1$.
Public-Key(ID) query: On receiving the query on ID, if ID is already in $L_c$, $\mathcal {F}$ response with $pk_{ID}=(Q_{ID}, vpk_{ID}$). Otherwise, $\mathcal {F}$ queries Create(ID) to get the ($Q_{ID}, vpk_{ID}$), and sends it to $\mathcal {A}_1$.
Public-Key-Replacement($ID,pk^{'}_{ID}$) query: $\mathcal {F}$ maintains a hash list $L_R$ of tuple ($ID, d_i, Q_{ID}, x_{ID}, vpk_{ID}$). When $\mathcal {A}_1$ queries with ($ID, pk^{'}_{ID}$), where $Q^{'}_{ID}$ =$ d^{'}_{i}\cdot P$, $ vpk^{'}_{ID}=x^{'}_{ID}\cdot P$ and $pk^{'}_{ID}=$($Q^{'}_{ID}, vpk^{'}_{ID}$), $\mathcal {F}$ sets $Q_{ID}=Q^{'}_{ID}$, $vpk_{ID}=vpk^{'}_{ID}$, $psk_{ID}=\perp $, and $x_{ID}=x^{'}_{ID}$. Then $\mathcal {F}$ updates the list $L_R$ to be ($ID, d^{'}_{i},Q^{'}_{ID}, vpk^{'}_{ID}, x^{'}_{ID}$)
$H_3$ query: $\mathcal {F}$ maintains a hash list $L_{H_3}$ of tuple ($m,ID, R,vpk_{ID}, t, h_3$). If the queries ID is in this list, $\mathcal {F}$ just responds with $h_3$. Otherwise it chooses a random $h_3$, sets $h_3=H_3(m||ID||vpk_{ID}||R||t)$, add it into $L_{H_3}$ and responds with $h_3$.
Sign(ID, m) query: When $\mathcal {A}_1$ makes a sign query on (ID, m), if ID is in $L_R$, $\mathcal {F}$ generates random numbers $a,b,c \in Z^*_{q}$, sets $s=a, R=P, h_3=H_3(m||ID||vpk_{ID}||R||t)\leftarrow (a-b-c) mod(q)$, inserts ($m,ID, R,vpk_{ID}, t, h_3$) into $L_{H_3}$. The output signature is (R, s). If ID is not in $L_R$, $\mathcal {F}$ acts like the description of the scheme.

Finally, $\mathcal {A}_1$ outputs a forged signature $\sigma =(R, s_{\{1\}})$ on (ID, m), which satisfies the verification process of the verifier. If $ID\ne ID^*$,$\mathcal {F}$ fails and aborts. From the forking lemma in [20], $\mathcal {F}$ rewinds $\mathcal {A}_1$ to the point where it queries $H_3$, and use a different value. $\mathcal {A}_1$ will output another valid signatures (R, $s_{\{2\}}$) with the same R. Then we have:

$$\begin{aligned} s_{\{i\}}\cdot P=h_{3_{\{i\}}} \cdot R +vpk_{ID}+ Q_{ID}+ h_2 \cdot P_{pub}, \text { where } i=1,2 \end{aligned}$$

From these two linear equations, we can derive the value r by $\frac{s_2 - s_1}{h_{3_{\{2\}}} - h_{3_{\{1\}}}}$. Another rewind on $H_2$ will allow computation on x.

Probability Analysis: The simulation of Create(ID) oracle fails when the random oracle assignment $H_2(ID||Q_{ID})$ causes inconsistency, which happens with the probability at most $q_{h}/q$. The probability of successful simulation of $q_c$ times is at least $(1-(q_{h}/q))^{q_c}\geqq 1-(q_{h}q_{c}/q)$. Also, the simulation is successful $q_{h}$ times with the probability at least $(1-(q_{h}/q))^{q_h}\geqq 1-(q^2_{h}/q)$. And $ID=ID^*$ with the probability $1/q_{c}$. Therefore, the overall successful simulation probability is $(1-q_{h}q_{c}/q)(1-(q^2_{h}/q))(1/q_{c})\varepsilon $.

The time complexity of the algorithm $\mathcal {F}$ is dominated by the exponentiations performed in the Create and Sign queries, which is equal to $t+O$($q_{c}+q{s}$)S, where S is the time of a scalar multiplication operation.

Theorem 2

The proposed scheme is ($\varepsilon , t, q_c, q_s, q_h$)- secure against the adversary $\mathcal {A}_2$ in the random oracle model, assuming that DL assumption hold in G, where $q_c, q_h, q_s$ are the numbers of Create, Hash and Sign queries that the adversary is allowed to make.

Proof

Assume there is a probabilistic polynomial-time forger $\mathcal {A}_2$, we construct an algorithm $\mathcal {F}$ that make use of $\mathcal {A}_2$ to solve the discrete logarithm problem(DLP). Suppose $\mathcal {F}$ is given the DLP instance (P, Q) to compute $y \in Z^*_{q}$ such that $Q=yP$. $\mathcal {F}$ chooses a random identity $ID^*$ as the challenged ID and answers the oracle queries from $\mathcal {A}_2$ as follows:

Setup(ID) query: $\mathcal {F}$ sets $P_{pub}=x\cdot P, x \in Z^*_{q}$ and sends the parameters $\{P,p,q,E,G,H_2,H_3,P_{pub}\}$ to $\mathcal {A}_2$.
Create(ID) query: $\mathcal {F}$ maintains a hash list $L_c$ of tuple ($ID, Q_{ID}, vpk_{ID}, psk_{ID}, x_{ID}, h_2$). When $\mathcal {A}_1$ makes a query on ID, if ID is in $L_c$, $\mathcal {F}$ responds with ($ID, Q_{ID},vpk_{ID}, psk_{ID}, x_{ID}, h_2$). If $ID=ID^*$, $\mathcal {F}$ choose $a,b \in Z^*_{q}$ randomly, sets $Q_{ID}=aP, vpk_{ID}=Q, h_2=H_2(ID||Q_{ID}) \leftarrow b, psk_{ID}=a+x\cdot h_2, x_{ID}=\perp $. If $ID\ne ID^*$, $\mathcal {F}$ select three random number a, b, c, and sets $Q_{ID}=aP,vpk_{ID}=bP, h_2=H_2(ID||Q_{ID}) \leftarrow c, psk_{ID}=a+x\cdot h_2, x_{ID}=b$. Finally, $\mathcal {F}$ response the query with $ID, Q_{ID},vpk_{ID}, psk_{ID}, x_{ID}, h_2$ and add $ID, Q_{ID},h_2$ into the hash list $L_{H_2}$
$H_2$ query: When adversary makes a $H_2$ query with ($ID, Q_{ID}$), if ID is already in the hash list $L_{H_2}$, $\mathcal {F}$ just returns the corresponding $h_2$. Otherwise, $\mathcal {F}$ runs Create(ID) to get $h_2$, and send $h_2$ to $\mathcal {A}_1$.
Partial-Private-Key-Extract(ID) query: On receiving the query on ID, $\mathcal {F}$ checks the hash list $L_c$, if ID in the list, then $\mathcal {F}$ response with $psk_{ID}$. If ID is not in $L_c$, $\mathcal {F}$ queries Create(ID) to get the $psk_{ID}$, and sends it to $\mathcal {A}_1$.
Public-Key(ID) query: On receiving the query on ID, if ID is already in $L_c$, $\mathcal {F}$ response with $pk_{ID}=(Q_{ID}, vpk_{ID})$. Otherwise, $\mathcal {F}$ queries Create(ID) to get the ($Q_{ID}, vpk_{ID}$), and sends it to $\mathcal {A}_1$.
Secrety-Key-Extract(ID) query: If $ID=ID^*$, $\mathcal {F}$ aborts the simulation. Otherwise, if ID is already in $L_c$, $\mathcal {F}$ response with $x_{ID}$.If ID is not already in $L_c$, $\mathcal {F}$ runs Create(ID) to get $ID, Q_{ID},vpk_{ID}, psk_{ID}, x_{ID}, h_2$, and sends $x_{ID}$to the adversary.
$H_3$ query: $\mathcal {F}$ maintains a hash list $L_{H_3}$ of tuple ($m,ID, R,vpk_{ID}, t, h_3$). If the quries ID is in this list, $\mathcal {F}$ just responds with $h_3$. Otherwise it chooses a random $h_3$, sets $h_3=H_3(m||ID||vpk_{ID}||R||t)$, add it into $L_{H_3}$ and responds with $h_3$.
Sign(ID, m) query: If $ID\ne ID^*$, $\mathcal {F}$ acts like the description of the scheme.Otherwise, $\mathcal {F}$ generates random numbers $a,b,f \in Z^*_{q}$, sets $s=a, h_3=H_3(m||ID||vpk_{ID}||R||t) \leftarrow f, R=h^{-1}_{3}\cdot $ ($bP_{pub}-Q$), and response eith the signature as (R, s). This signature is valid as the equation $s\cdot P=h_3\cdot R +Q_{ID}+vpk_{ID}+ h_2\cdot P_{pub}$ holds.

Finally, $\mathcal {A}_2$ outputs a forged signature $\sigma =(R, s_{\{1\}})$ on (ID, m), which satisfies the verification process of the verifier. From the forking lemma in [20], $\mathcal {F}$ rewinds $\mathcal {A}_2$ to the point where it queries $H_3$, and use a different value. $\mathcal {A}_2$ will output another valid signature (R, $s_{\{2\}}$) with the same R. Then we have:

$$\begin{aligned} \begin{array}{c} s_{\{i\}}\cdot P=h_{3_{\{i\}}} \cdot R +vpk_{ID}+ Q_{ID}+ h_2 \cdot P_{pub}, \text { where } i=1,2\\ s_{\{i\}}=h_{3_{\{i\}}} \cdot r+y+ d_{i}+ h_{2}x, i=1,2 \end{array} \end{aligned}$$

Only y, r are unknown. Hence, from these two linear equations, we can derive the two unknown value r, y, and output y as the solution of the DL problem.

Probability Analysis: The simulation of Create(ID) oracle fails when the random oracle assignment $H_2(ID||Q_{ID})$ causes inconsistency, which happens with the probability at most $q_{h}/q$. The probability of successful simulation of $q_c$ times is at least $(1-(q_{h}/q))^{q_c}\geqq 1-(q_{h}q_{c}/q)$. Also, the simulation is successful $q_{h}$ times with the probability at least $(1-(q_{h}/q))^{q_h}\geqq 1-(q^2_{h}/q)$. And $ID=ID^*$ with the probability $1/q_{c}$. Therefore, the overall successful simulation probability is $(1-q_{h}q_{c}/q)(1-(q^2_{h}/q))(1/q_{c})\varepsilon $.

The time complexity of the algorithm $\mathcal {F}$ is dominated by the exponentiations performed in the Create and Sign queries, which is equal to $t+O$($q_{c}+q{s}$)S, where S is the time of a scalar multiplication operation.

References

1.
Al-Riyami, S.S., Paterson, K.G.: Certificateless public key cryptography. In: Laih, C.-S. (ed.) ASIACRYPT 2003. LNCS, vol. 2894, pp. 452–473. Springer, Heidelberg (2003). https://doi.org/10.1007/978-3-540-40061-5_29CrossRefGoogle Scholar
2.
Au, M.H., Mu, Y., Chen, J., Wong, D.S., Liu, J.K., Yang, G.: Malicious KGC attacks in certificateless cryptography. In: Proceedings of the 2nd ACM Symposium on Information, Computer and Communications Security, pp. 302–311. ACM (2007)Google Scholar
3.
Bayat, M., Barmshoory, M., Rahimi, M., Aref, M.R.: A secure authentication scheme for vanets with batch verification. Wirel. Netw. 21(5), 1733–1743 (2015)CrossRefGoogle Scholar
4.
Boneh, D., Gentry, C., Lynn, B., Shacham, H.: Aggregate and verifiably encrypted signatures from bilinear maps. In: Biham, E. (ed.) EUROCRYPT 2003. LNCS, vol. 2656, pp. 416–432. Springer, Heidelberg (2003). https://doi.org/10.1007/3-540-39200-9_26CrossRefGoogle Scholar
5.
Cui, J., Zhang, J., Zhong, H., Shi, R., Xu, Y.: An efficient certificateless aggregate signature without pairings for vehicular ad hoc networks. Inf. Sci. 451, 1–15 (2018)MathSciNetGoogle Scholar
6.
Even, S., Goldreich, O., Micali, S.: On-line/off-line digital signatures. In: Brassard, G. (ed.) CRYPTO 1989. LNCS, vol. 435, pp. 263–275. Springer, New York (1990). https://doi.org/10.1007/0-387-34805-0_24CrossRefGoogle Scholar
7.
He, D., Chen, J., Zhang, R.: An efficient and provably-secure certificateless signature scheme without bilinear pairings. Int. J. Commun Syst 25(11), 1432–1442 (2012)CrossRefGoogle Scholar
8.
He, D., Zeadally, S., Xu, B., Huang, X.: An efficient identity-based conditional privacy-preserving authentication scheme for vehicular ad hoc networks. IEEE Trans. Inf. Forensics Secur. 10(12), 2681–2691 (2015)CrossRefGoogle Scholar
9.
Horng, S.-J., Tzeng, S.-F., Huang, P.-H., Wang, X., Li, T., Khan, M.K.: An efficient certificateless aggregate signature with conditional privacy-preserving for vehicular sensor networks. Inf. Sci. 317, 48–66 (2015)MathSciNetCrossRefGoogle Scholar
10.
Horng, S.-J., et al.: b-SPECS+: batch verification for secure pseudonymous authentication in VANET. IEEE Trans. Inf. Forensics Secur. 8(11), 1860–1875 (2013)CrossRefGoogle Scholar
11.
Hubaux, J.-P., Capkun, S., Luo, J.: The security and privacy of smart vehicles. IEEE Secur. Priv. 3, 49–55 (2004)CrossRefGoogle Scholar
12.
Jia, X., He, D., Liu, Q., Choo, K.-K.R.: An efficient provably-secure certificateless signature scheme for internet-of-things deployment. Ad Hoc Netw. 71, 78–87 (2018)CrossRefGoogle Scholar
13.
Kamil, I.A., Ogundoyin, S.O.: An improved certificateless aggregate signature scheme without bilinear pairings for vehicular ad hoc networks. J. Inf. Secur. Appl. 44, 184–200 (2019)Google Scholar
14.
Li, X.-X., Chen, K.-F., Sun, L.: Certificateless signature and proxy signature schemes from bilinear pairings. Lith. Math. J. 45(1), 76–83 (2005)MathSciNetCrossRefGoogle Scholar
15.
Liu, D., Shi, R.-H., Zhang, S., Zhong, H.: Efficient anonymous roaming authentication scheme using certificateless aggregate signature in wireless network. J. Commun. 37(7), 182–192 (2016)Google Scholar
16.
Liu, J.K., Baek, J., Zhou, J., Yang, Y., Wong, J.W.: Efficient online/offline identity-based signature for wireless sensor network. Int. J. Inf. Secur. 9(4), 287–296 (2010)CrossRefGoogle Scholar
17.
Lo, N.-W., Tsai, J.-L.: An efficient conditional privacy-preserving authentication scheme for vehicular sensor networks without pairings. IEEE Trans. Intell. Transp. Syst. 17(5), 1319–1328 (2015)CrossRefGoogle Scholar
18.
Lu, R., Lin, X., Zhu, H., Ho, P.-H., Shen, X.: ECPP: efficient conditional privacy preservation protocol for secure vehicular communications. In: IEEE INFOCOM 2008-The 27th Conference on Computer Communications, pp. 1229–1237. IEEE (2008)Google Scholar
19.
Malhi, A.K., Batra, S.: An efficient certificateless aggregate signature scheme for vehicular ad-hoc networks. Discrete Math. Theor. Comput. Sci. 17(1), 317–338 (2015)MathSciNetzbMATHGoogle Scholar
20.
Pointcheval, D., Stern, J.: Security arguments for digital signatures and blind signatures. J. Cryptol. 13(3), 361–396 (2000)CrossRefGoogle Scholar
21.
Tsai, J.-L., Lo, N.-W., Wu, T.-C.: Weaknesses and improvements of an efficient certificateless signature scheme without using bilinear pairings. Int. J. Commun Syst 27(7), 1083–1090 (2014)CrossRefGoogle Scholar
22.
Yeh, K.-H., Su, C., Choo, K.-K.R., Chiu, W.: A novel certificateless signature scheme for smart objects in the internet-of-things. Sensors 17(5), 1001 (2017)CrossRefGoogle Scholar
23.
Yum, D.H., Lee, P.J.: Generic construction of certificateless signature. In: Wang, H., Pieprzyk, J., Varadharajan, V. (eds.) ACISP 2004. LNCS, vol. 3108, pp. 200–211. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-27800-9_18CrossRefGoogle Scholar
24.
Zhang, C., Lu, R., Lin, X., Ho, P.-H., Shen, X.: An efficient identity-based batch verification scheme for vehicular sensor networks. In: IEEE INFOCOM 2008-The 27th Conference on Computer Communications, pp. 246–250. IEEE (2008)Google Scholar
25.
Zhong, H., Han, S., Cui, J., Zhang, J., Xu, Y.: Privacy-preserving authentication scheme with full aggregation in vanet. Inf. Sci. 476, 211–221 (2019)CrossRefGoogle Scholar

Copyright information

Authors and Affiliations

Kang Li
- 1
- 2
Man Ho Au
- 2
Email author
Wang Hei Ho
- 3
Yi Lei Wang
- 2

1.Research Institute for Sustainable Urban DevelopmentThe Hong Kong Polytechnic UniversityHung HomHong Kong
2.Department of ComputingThe Hong Kong Polytechnic UniversityHung HomHong Kong
3.Department of Electronic and Information EngineeringThe Hong Kong Polytechnic UniversityHung HomHong Kong

An Efficient Conditional Privacy-Preserving Authentication Scheme for Vehicular Ad Hoc Networks Using Online/Offline Certificateless Aggregate Signature

Abstract

References

Copyright information

Authors and Affiliations

Personalised recommendations

Cite paper