Traffic data security sharing scheme based on blockchain and traceable ring signature for VANETs

Vehicular ad hoc networks (VANETs) is the hotspot research field of wireless mobile ad hoc network, it provides a new opportunity to create a safe and efficient transportation environment. However, as an open network where information has to interact frequently, it is difficult to ensure the security of data transmitted in VANETs and protect the privacy of drivers. Many existing information-sharing schemes use complex encryption algorithms to enable secure traffic data sharing. Nevertheless, these schemes are not suitable for VANETs because of their high computational overhead and lack of corresponding tracking mechanisms for malicious vehicles. Therefore, a traffic data security sharing scheme is designed that combines blockchain technology and traceable ring signature algorithms to secure the transmitted messages. The traceable ring signature algorithm is formulated in combination with bilinear pairing, enabling conditional privacy protection instead of traditional ring signature. To improve the efficiency of VANETs, this scheme introduces edge computing technology to reduce the computational burden of Road Side Units (RSUs) by offloading most of the computational tasks to the servers via edge nodes. In addition, we use smart contract to track malicious vehicles. Security analysis and performance comparison show that our scheme is more efficient and secure for drivers than other existing related schemes.


Introduction
Intelligent transportation system [1] integrates electronic, communication and computer technologies to build a realtime, accurate and efficient traffic operation frame.Vehicular ad hoc networks (VANETs) describe the mobility and coexistence of each node vehicle-to-vehicle and vehicleto-roadside communication architectures, and provide selforganized data transmission, safety precaution, navigation and other roadside services [2].Vehicles exchange data through short-range wireless communication, this real-time information interaction (such as traffic information, weather conditions and road status, etc.) can help vehicles or traffic control centers to take on-line action to reduce traffic accidents or road congestion.Therefore, more and more scholars are devoted to the research of VANETs to improve people's quality of life and work efficiency.
In VANETs, all vehicles are equipped with On-Board Units (OBUs) and Tamper-Proof Devices (TPDs) [3,4].The OBUs are mainly organized by components such as resource processors, storage units, sensors and correspondence interface moduls, which are responsible for information exchange with surrounding vehicles and roadside infrastructure.The TPDs are used to store the encrypted information of the vehicle and prevent attackers from maliciously tampering with raw information or confidential data.With the continuous emergence of the Internet of Things, 5G, big data, cloud computing and other high-technolog, the communication performance of VANETs has been raised to a higher level.Vehicles equipped with OBU can realize vehicle-to-everything (V2X) mobile communication, which mainly includes vehicle-to-infrastructure (V2I) and vehicle-to-vehicle (V2V) information interaction.They adopt Dedicated Short-Range Communication (DSRC) protocol [5], and usually have a communication range of less than 1000 m.
In order to enhance the vehicle's ability to dynamically update its driving status, it often functions as a network node that gathers relevant information and utilizes wireless communication techniques to transmit this data to other nearby vehicles.This way enables the vehicle to proactively avoid potential accidents and mitigate traffic congestion, thereby improving overall driving efficiency.In addition, the vehicle will also send the collected information to Road Side Units (RSUs), which will summarize its own basic data and then upload them to the traffic control center (TCC).TCC is in charge of processing the data and then controlling the road signals or broadcasting vehicles' status to improve the efficiency of traffic.However, due to the open nature of VANETs, vehicle nodes share data in insecure channels, which can be intercepted, relayed or even tampered the transmitted data by malicious entities [6], the result is information suspicious or traffic chaos.And due to the limited computing and storage resources of the OBU, the rapid movement of the vehicle leads to real-time changes in the network topology, resulting in untimely message processing and undesirable consequences.
Therefore, secure authentication of messages transmitted and reduced system latency in VANETs is a very critical requirement, Chen and Chen [7] offer a private information visit only from trusted authority (TA), even though the traffic management department (TMD) wants to access or obtain the private messages.The convergence of blockchain and edge computing paradigms [8] can overcome the existing security and scalability issues.The scheme proposed by Ayaz et al. [9] uses edge nodes as mining nodes to solve the hash problem in the blockchain generation process.In the past few years, many scholars have proposed privacypreserving anonymous authentication protocols [10][11][12].However, we observe that the previously proposed protocols are highly dependent on a centralized server.
Blockchain technology [13,14] derived from Bitcoin is a distributed database jointly maintained by multiple parties, with advantages such as decentralization, immutability, and traceability compared to traditional databases.Edge computing (EC) [15] is envisioned as a promising paradigm for processing massive amounts of data generated by ubiquitous mobile devices to enable intelligent services with artificial intelligence (AI).Multi-Access Edge Computing (MEC) [16,17] is emerging as a key technology to provide low latency, high speed and high capacity network services for VANETs.The foundation of VANETs is information sharing [18], but due to the lack of trust between vehicles and the insecurity of the communication environment, blockchain technology has emerged to provide a viable scheme for these problems.
Due to the nature of blockchain technology, drivers are able to remain anonymous in order to protect their privacy, but this prevents messages transmitted in VANETs from being verified, so digital signature [19] are a great way to verify messages.
Based on the above analysis, we propose a traffic data secure sharing scheme based on blockchain and traceable ring signature for VANETs.The main contributions of this work are as follows: 1. We propose a traceable ring signature algorithm by combining bilinear pairing and a ring signature algorithm.
The algorithm uses the idea of distributed key generation to generate the user's key.In addition, the signature algorithm achieves conditional anonymity, this is to prevent disruption of normal traffic orders by malicious vehicles in VANETs.2. We design a traffic data security sharing scheme.The scheme combines blockchain and the proposed traceable ring signature algorithm to enable secure sharing of traffic data with source traceability and conditional privacy protection.3. Edge computing incorporated into our scheme.Through edge nodes, most computing and storage tasks are outsourced to cloud servers.It can effectively deal with the insufficient computing and storage capacity of its OBUs by using them as light nodes.The cloud is able to reduce the latency of VANETs and improve traffic efficiency since it has more computing power and storage capacity. 4. We use smart contract to track malicious users.We write the proposed traceable ring signature algorithm into a smart contract and deploy it on Ethereum.When the system detects information that disrupts normal traffic, the smart contract will trace the sender of the information and return it to TA. 5. We develop a mechanism to punish malicious users.For users who send messages that disrupt normal traffic, TA will determine punishment measures based on the number of times the user has done evil to ensure other vehicles' safety when sharing information.
This paper is organized as follows: In Section 2, we review some related works on data security and privacy protection for VANETs.In Section 3, we introduce the relevant technologies used in the scheme.In Section 4, we present the system overview.In Section 5, we describe the proposed security traffic data sharing scheme based on blockchain and traceable ring signature for VANETs and perform correctness.In Section 6, we perform a secure analysis of the scheme.In Section 7, we evaluate the performance of the scheme and present the simulation results.In Section 8, we draw conclusions of this article.

Related works
In recent years, more and more scholars have devoted themselves to the research of VANETs to address the security issues of data storage and sharing in VANETs as well as the privacy protection of drivers.To protect the sensitive information transmission and authentication in VANETs, suitable public key infrastructures (PKI) was embedded [20,21] in real-time, and a certification authority (CA) issues anonymous certificates to hide the real identity of vehicles during the communication process.As PKI cannot provide location privacy and achieve an equitable distributed revocation mechanism, Wasef et al. [22] introduced random encryption periods to protect the location privacy of vehicles and proposed an efficient decentralized revocation protocol, which enables a group of neighboring vehicles to revoke malicious vehicles in their vicinity.Benarous et al. [23] pointed out the existing PKI infrastructure is centralized, then put forward a blockchain-based pseudonym management framework for VANETs.Those schemes prevented malicious vehicles from entering VANETs, minimized the cost of certificate and signature verification, and designed a tracking mechanism to revoke vehicles that behave continuously in VANETs.However, PKI-based authentication schemes all have similar shortcomings: 1) need a trusted CA to issue certificates; 2) high computational cost of certificate and signature verification; 3) certificate storage and key management are difficult.
Several researchers have proposed ID-based privacy preserving authentication schemes to solve the problems encountered in PKI-based schemes in VANET applications, these schemes reduce communication costs effectively.In 1984, Shamir [24] proposed an ID-based cryptosystem, where the user's public key exists by itself (e.g., the user's ID, email address, etc.) and the key generation center generates the corresponding private key based on the user's identity information and transmits it to the user.Deng et al. [25] pointed out current ID-based two-party authenticated key agreement schemes are not necessarily safe in real life.To accomplish the energy-efficient privacy of communicators and security of communication, Akram et al. [26] designed an identity-based authentication system for vehicular cloud computing and it also uses radio frequency identification.Since ID-based authentication schemes rely on CAs to generate private keys based on users' information, key management is considered the cornerstone of the security framework in VANETs and has become the focus of researchers' research.Lei et al. [27] and Ma et al. [28] presented a corresponding framework for secure key management, which combines the distributed idea of blockchain to design a key management scheme suitable for VANETs.Malhi et al. [29] proposed an efficient privacy-preserving scheme using an aggregated signature verification scheme.Rasheed et al. [30] put forward a group-based adaptive zero-knowledge proof authentication protocol that is lightweight and supports users for trade-off selection.Li et al. [31] and Coruh and Bayat [32] implemented an authentication scheme for VANETs with a revocation mechanism.Given the respective advantages of PKI-based and ID-based schemes, Wang et al. [33] combined the advantages of both schemes and proposed a hybrid conditional privacy-preserving authentication protocol for VANETs.The protocol based on the PKI certificate and identity-based signature to achieve the goal of user authentication.
Recently, the natural features of blockchain such as decentralization, immutability and traceability have attracted the interest of researchers, and many of them use blockchain to solve the problems of privacy protection, identity authentication and secure transmission in VANETs.Based on the current technical challenges of VANETs, Li et al. [34] designed a novel decentralized VANETs architecture using the natural advantages of blockchain, thereby avoiding centralization and entities' mutual distrust in VANETs.Addressing the security of transmissions in VANETs and the collection of private driver information, according to Shrestha et al. [35], a new blockchain can solve the problem of information security exchange by creating a local blockchain with national boundaries.Feng et al. [36] and Lin et al. [37] used blockchain technology for privacy-preserving authentication of VANETs to achieve conditional privacy protection by exploiting the traceable nature of blockchain.The corresponding revocation mechanism is designed in their proposed scheme, and the registration information can be revoked by the TA for misbehaving vehicles.Gong et al. [38] constructed a blockchain privacy protection scheme based on ring signature.Through this scheme, data authorized to be shared in the IoT is transmitted through the system in the form of ciphertext, and the identity information of the data sender is protected.However, no tracking mechanism was designed into the scheme.If vehicles in VANETs send false messages, the TA cannot identify the specific source through the signature on the message.Therefore, utilizing blockchain technology for traceability can achieve data security protection and trusted resource sharing.

Bilinear pairing
We denote three (multiplicative) cyclic groups G 1 , G 2 and G T with the same order q generated by the generating element P. Let's denote g 1 be a generator of G 1 , g 2 be a generator of G 2 .The bilinear pairing e ∶ G 1 × G 2 → G T , need to satisfy the following three properties: • Bilinearity: For all a, b ∈ Z * q and g 1 ∈ G 1 , g 2 ∈ G 2 ,there is e ag 1 , bg 2 = e(g 1 , g 2 ) ab .

Ring signature
In 2001, the concept of ring signature was first introduced by Rivest et al. [39].A ring signature can protect the privacy of the signer by specifying a set of possible signers without revealing the identity of the actual signer.We refer to a set of possible signers as "ring", and the ring member that generates the actual signature as "signer".The signer signs the message with his own private key and the public keys of other ring members, and the other members of the ring are called "non-signer".We assume that there are n possible signers in a set, the ring signature scheme is defined as follows [40]: 1. Keygen: A probabilistic polynomial time algorithm, input safety parameter , system parameters param = x i , y i , where x i ,y i are the private key and public key of ring member u i .Different driver's public and private key may come from different PKI. 2. Ringsign: A probabilistic polynomial time algorithm, user u i inputs the message m and the public keys L = y 1 , y 2 , ⋯ , y n of the other ring members and his pri- vate key x i , output a signature R to the message m, cer- tain parameters in the signature form a ring according to certain rules.3. Ringverify: A deterministic algorithm, input (m, R), if R is the ring signature of message m, output "True", otherwise, output "False".
Ring signatures, when first proposed by Rivest et al, got their name from the fact that a certain hidden parameter in the signature forms a ring according to certain rules.Subsequently, many schemes proposed by researchers do not require that certain parameters in the signature need to form a ring, as long as the formation of a signature satisfies the spontaneity, anonymity and group properties, it is also called a ring signature.

Blockchain and smart contract
Blockchain is the core data storage structure of our proposed scheme.It is essentially a distributed ledger in which all transactions are not easily tampered with, and has the characteristics of decentralization, immutability and traceability.
The data in VANETs are recorded in blocks in chronological order, and then the newly generated blocks are appended to the blockchain by a consensus algorithm.Depending on the permission settings, blockchains can be divided into public blockchain, consortium blockchain and private blockchain.In our proposed scheme, we choose Ethereum as the underlying network architecture, and any vehicle registered through TA can access the VANETs data stored in Ethereum.
In addition, Ethereum can efficiently process transactions and support a Turing-complete smart contract.The smart contract is a computerized transactional protocol that enforces the terms of a contract.As embedded in the blockchain, it enables the agreement to be executed automatically without the intervention of a trusted third party.In general, it offers some appealing features when combined with blockchain, such as automatic execution, immutability, and decentralization.In our scheme, we use smart contract to track illegal vehicles in VANETs, providing the corresponding application binary interface (ABI) to access the TA's secure database, and the ABI supports querying the user's tracking private key.When a traffic-disrupting message is found in VANETs, the smart contract is automatically executed to track down the real signer and then submit the relevant information to the TA.Moreover, we require that only the smart contract can determine the real signer.The TA decides how to dispose of these illegal vehicles, and then records the result in the blockchain.

Edge computing
Edge computing [41] is a novel computing paradigm for performing computational tasks at the edge of the network that emphasizes being closer to the user and closer to the data source.Edge computing can provide low-latency computing, high-speed caching and location-aware services for vehicles, and can enable real-time information interaction for VANETs.Nowadays, the main schemes to implement vehicle edge computing (VEC) include mobile edge computing and fog computing in VANETs.Mobile edge computing is a promising approach to deploy computationally intensive and time-sensitive tasks in VANETs where computational resources are provided to vehicles by an enhanced network infrastructure and network routers are upgraded by deploying hardware devices with more computational power.Fog computing in VANETs, on the other hand, treats vehicles as infrastructure that performs a large number of computing tasks close to the drivers.It makes full use of the idle communication and computing power of the vehicles in the network to maximize the resources of these vehicles.
In order to facilitate the network functions of VANETs and improve traffic efficiency, the VEC technology is introduced in our proposed scheme.The addition of VEC can offload tasks such as message authentication, identity tracking and user revocation from systems to edge computing through enhanced RSUs to reduce latency in VANETs and enable real-time interaction of information.Only operations related to driver privacy need to be performed in OBU, e.g., key generation, message signing.When a vehicle needs to synchronize data, it can access the blockchain to obtain the information.

System overview
In this section, we introduce the system model, security model and scheme framework used in our proposed scheme.

System model
The system model of the proposed scheme mainly consists of seven entities: trusted authority (TA), vehicles, RSUs, traffic management department (TMD), edge computing, blockchain, and smart contract.A complete model of our system is shown in Fig. 1.

Trusted authority (TA):
TA has powerful computing and storage capabilities and is responsible for the daily maintenance of VANETs.For other entities in VANETs, TA is considered fully credible and uncompromising to any adversary.TA is also responsible for the initialization of VANETs, generating system parameters and providing registration to vehicles.When vehicles want to join VANETs, they need to submit registration applications to TA first, and only vehicles with approved applications can join VANETs.When a vehicle sends a false message to disturb the normal traffic order, TA will track the signed vehicle based on the digital signature in the message and hand over the vehicle information to the TMD for penalty.TA will revoke the registration information of the vehicle when the vehicle is repeatedly misbehaving.
2. Vehicle: Vehicles in VANETs are equipped with OBU and TPD.Vehicles are considered to be data collection devices in VANETs, where vehicles can communicate with other vehicles and RSUs to share road messages through OBU.When a vehicle applies for registration with TA, TA will preload the initialization parameters in OBU.The TPD in OBU will ensure that these parameters are secure and will not be tampered with by attackers at will.

Security model
A secure and efficient ring signature privacy protection authentication scheme needs to satisfy both anonymity and unforgeability.According to Bender et al.'s security definition of anonymity and unforgeability of different strength ring signature [42], we study the definition of security models for recent privacy-preserving authentication schemes for VANETs.Combined with more secure traceability, we propose the traffic data security sharing scheme.The scheme's security model should meet four security requirements: unforgeability, anonymity, traceability, and resistance to cyberattacks: • Unforgeability: Unforgeability means that no one other than a ring member can generate a legitimate ring signature for the identity set L unless it has access to the corresponding private key of the ring member.Even if an attacker can obtain the signature of a message from a random oracle that generates a ring signature, its probability of successfully forging a legitimate ring signature is negligible.• Anonymity: After a vehicle is registered with TA as a legal user, the true identity of each vehicle is hidden from other entities in VANETs.Since the anonymity of ring signature is unconditionally anonymous, the attacker determines the real signer is negligible even if he obtains the private keys of all ring members.• Traceability: In contrast to other ring signature schemes, this paper proposes a traceable ring signature scheme where the anonymity of the driver is conditionally anonymous.TA can obtain information about vehicles that misbehave (such as driving illegally, sending false information, etc.) and penalize them accordingly.TA will revoke the registration information of vehicles that have repeatedly done evil.

Scheme framework
In this section, we focus on how our proposed scheme can protect vehicle privacy in VANETs.In our VANETs model, the TA is mainly responsible for the initialization of the system and the generation of vehicle tracking key, the vehicle registration and key generation of which is shown in Fig. 2. Any vehicle that wishes to join VANETs needs to submit a registration application to TA, and TA will generate a pseudonym for the vehicle, which is used for vehicle communication in VANETs.When a vehicle enters the RSU area, the vehicle sends a ring request to the RSU, and the RSU stores its public key pk i in the ring set R and its tracking public key in the set Y. Once the vehicle needs to send a message, it randomly selects a subset R 1 of n valid public keys and the correspond- ing tracking public key Y ′ to sign the message.Fig. 3 dis- plays the process of generating and verifying signature.
The system detects a disturbance of normal traffic order or a false message, smart contract traces the signer through the signature in the message, and then the TA executes the corresponding penalty.When the number of vehicle misbehaviors is less than the system setting, TA will submit the vehicle information to the TMD, which will penalize the vehicle and record it on the blockchain.TA will revoke the vehicle registration once the number of misbehaviors reaches a certain level.The tracking and penalty for the vehicle is shown in Fig. 4.
The details of the system framework are as follows: 1. TA executes System setup to generate system parameters, conducts blockchain deployments, and deploys

Proposed traffic data sharing scheme
In this section, we design a security traffic data sharing scheme based on blockchain and traceable ring signature for VANETs and verify its correctness.Table 1 is the symbol description involved in our scheme.

Design of our scheme
This scheme mainly comprises of the following night parts: system setup, smart contract deployment, vehicle registration, traceable key generation, vehicle key generation signature generation, signature verification, signer tracking, and signer discipline and revocation.Fig. 5 is the flowchart of our proposed scheme.
1. System setup: Input security parameter , TA initializes the system as follows: 1. TA chooses two multiplicative cyclic groups G 1 , G T with same order q, where q is a large prime.Let's consider P be a generator of G 1 , and the bilinear pairing e ∶ G 1 × G 1 → G T .2. TA select random number MSK = a ∈ Z * q as its master secret key and compute its master public key MPK = aP.3. TA pick six general one-way hash functions Fig. 4 Vehicle tracking and penalty

Smart contract deployment:
TA takes inputs of track smart contract drafts, compiles, and deploys them into the blockchain.After being verified by blockchain, track smart contract get their unique addresses and when a vehicle in VANETs sends a false message, the smart contract will automatically track the sender of the message and submit its real identity to the TA.

Vehicle registration: Every vehicle V i that wants to join
VANETs submits its real identity to the TA for registration, and TA generates the pseudonym PID i for V i as following steps: 1. Vehicle V i randomly choose a constant l i ∈ Z * q , and computes s ID i is legal, TA will generate the pseudonym for vehicle, it computes PID i = H 1 (a‖OID i ) ⊕ ID i and submit PID i to vehicle.3. V i preloads PID i into OBU.

Tracking key generation:
In order to track vehicle's real identity in case of a dispute, TA generates the tracking key Y i for each successfully registered vehicle V i as fol- lowing algorithm: 1. TA randomly picks a constant r i ∈ Z * q and computes , where t i is the validity period of con- stant x i .
2. Then TA computes Y i = x i (P + PID i ) , and it secretly sends x i , Y i to vehicle V i through a secure channel.3. V i preloads x i , Y i into OBU, and Y i as its tracking public key.4. TA stores x i , Y i , PID i in its security database.

Vehicle key generation: Vehicle V i randomly selects
a number n i ∈ Z * P and computes its private key sk i = H 3 (n i ‖PID i ) , pk i = sk i P. 6. Signature generation: Assuming that the signer in the system is s, the message to be signed is m ∈ {0, 1} * , s selects a public key set R 1 = pk 1 , pk 2 , ⋯ , pk n of n drivers in the system, and the corresponding tracking public key set Y � = Y 1 , Y 2 , ⋯ , Y n and the correspond- ing pseudonym set M = PID 1 , PID 2 , ⋯ , PID n , then generate a signature on message m by following steps.
1.For each public key pk i generate correspond attrib- ute values L i , K i , s randomly picks different number u i , v i ∈ Z * q , and computes the following: Among them: I s = sk s H o (pk S ) , which is a signature image of the message m, is used to prevent double spending attacks in the system.2. Signer s calculate h = H 4 (m‖R 1 ) , and generates partial signatures c i , d i of message m by following algorithm: (1) 3. Signer s selects a random number w i ∈ Z * q for generating partial signatures that tracing signer's real identity.The detailed steps are described as follows: 4. The traceable signature of message m signed by signer s output as: 5. Finally, s sends the message m, T to the RSU.

Signature verification:
The signature verification of message m is done by RSUs, they can obtain the public keys of all members of the ring signature, and verify the signature T output by signer s by the following: Determine whether the above formula is valid, if the formula validation passes, receive the message m and record it in the newly generated block, otherwise, it refuses to receive the message m. 8. Signer tracking: When a false message sent by a malicious vehicle is detected, the smart contract deployed in the blockchain identifies the signer s of the faked message through the traceable ring signature T in the mes- sage.
1.The smart contract accesses the TA's security database through an interface to obtain the traceable keys x i , Y i of all ring members, and When the T i value is obtained, verify the validity of T i by bilinear mapping e TK i , P + PID i = e(T i , Y i ) .If all T i are valid, then compute E = ∑ n i=1 T i .3. After the above steps, the real signer can be determined e T, P + PID i = e E, Y i .

Signer discipline and revocation:
After determining the true signer s of the invalid message, the smart contract (3) submits the vehicle ID, signer and other information to the TA via a secure channel, and the TA will decide the penalties for vehicle who sends invalid message.If the vehicle has only just started sending false message, TA will submit its relevant information to the TMD, it agency to impose penalties on vehicle, penalty results are recorded in the newly generated block, it will be added to the blockchain after passing the consensus algorithm verification.If the vehicle repeatedly sends inaccurate messages into VANETs, the TA revokes the vehicle's registration information, and they cannot access any data in VANETs.To ensure the security of VANETs, vehicles deregistered by TA for malicious acts cannot be re-registered for a certain period of time.During the re-registration process, TA will conduct a strict review of the registration application submitted by the vehicle, and only those who pass the review will be reregistered into VANETs.

Proof of correctness
The correctness of signature T in message m is proved as follows: when i ≠ s , the conversion of i , i is as follow: when i = s , the conversion of i , i is as follow: Thus, the above relationships can be used to verify the correctness of the traceable ring signature scheme proposed in this scheme: In the trace signer stage, the smart contract will access the TA's security database and calculate T i , which must be veri- fied by the formula e TK i , P + PID i = e(T i , Y i ) , the proof of correctness is as below: After T i has been verified, the signer is be found by for- mula e T, P + PID i = e(E, Y i ) , the proof of correctness is as below:

Security analysis
According to the security model given in Section 4 of this paper, we present a provable security analysis of our proposed scheme.
In the random oracle model, the attacker A can adaptively choose a message to attack.S is a challenger who can use A 's ability to solve Elliptic Curve Discrete Logarithm Problem (ECDLP).Assume that attacker A attacks the scheme with a non-negligible probability, and asks a series of queries to challenger S .Given P, Q = aP , S 's goal is to output a scheme s of ECDLP by interacting with A .For this, S chooses PID * i as the challenge anonymous-identity, the interaction between challenger S and attacker A is shown below: 1. System setup: Given a security parameter , S initial- izes system parameters params = q, P, e, G 1 , G T , MPK, H 0 , H 1 , H 2 , H 3 , H 4 , H 5 by running system setup algorithm and sets MPK = Q = aP .Then, keep a as its private key and sends params to A. 2. H 0 queries: S maintains a list L H 0 ∶ (pk i , h i0 ) , which is set empty in the initial stage.After receiving the query on H 0 (pk i ) , S look up it in the list L H 0 .If it exits, S returns h i0 ∈ Z * q to A .Otherwise, S randomly selects a number h i0 ∈ Z * q as well as sets h i0 = H 0 (pk i ) and returns h i0 to A .Finally, S adds the tuple which is set empty in the initial stage.After receiving the query on (a, OID i ) , S look up it in the list L H 1 .If it exits, S returns h i1 ∈ G 1 to A .Otherwise, S randomly selects a number h i1 ∈ G 1 as well as sets h i1 = H 1 (a‖OID i ) and returns h i1 to A .Finally, S adds the tuple (a, OID i , h i1 ) in the list L H 1 . 4. H 2 queries: S maintains a list L H 2 ∶ (r i , t i , h i2 ) , which is set empty in the initial stage.After receiving the query on (r i , t i ) , S look up it in the list L H 2 .If it exits, S returns h i2 ∈ Z * q to A .Otherwise, S randomly selects a number h i2 ∈ Z * q as well as sets h i2 = H 2 (r i ‖t i ) and returns h i2 to A .Finally, S adds the tuple (r i , t i , h i2 ) in the list L H 2 .

H 3 queries:
which is set empty in the initial stage.After receiving the query on (n i , PID i ) , S look up it in the list L H 3 .If it exits, S returns h i3 ∈ Z * q to A .Otherwise, S randomly selects a number h i3 ∈ Z * q as well as sets h 3 = H 3 (n i ‖PID i ) and returns h i3 to A .Finally, S adds the tuple (n i , PID i , h i3 ) in the list L H 3 . 6. H 4 queries: S maintains a list L H 4 ∶ (m, R 1 , h i4 ) , which is set empty in the initial stage.After receiving the query on (m, R 1 ) , S look up it in the list L H 4 .If it exits, S returns h i4 ∈ Z * q to A .Otherwise, S randomly selects a number h i4 ∈ Z * q as well as sets h i4 = H 4 (m‖R 1 ) and returns h i4 to A .Finally, S adds the tuple (m, R 1 , h i4 ) in the list L H 4 .7. H 5 queries: S maintains a list L H 5 ∶ (h, L 1 , ⋯ , L n , K 1 , ⋯ , K n , h i5 ) , which is set empty in the initial stage.

3
After receiving the query on (h, L 1 , ⋯ , L n , K 1 , ⋯ , K n ) , S look up it in the list L H 5 .If it exits, S returns h i5 ∈ Z * q to A .Otherwise, S randomly selects a number h i5 ∈ Z * q as well as sets 8. Vehicle public key queries: S maintains a list L pk ∶ (PID i , r i , Y i , n i , pk i ) .This list is initially empty.When the attacker A make a public key query to the challenger S , S looks up it in the list L pk .If it exits, S return (Y i , pk i ) to A .Otherwise, S recovers the tuple (r i , t i , h i2 ) from L H 2 , and also recovers the tuple (n i , PID i , h i3 ) from L H 3 , respectively.Then, it ran- domly selects two constant r i , n i ∈ Z * p and calculates Finally, S set tuple (Y i , pk i ) as its pub- lic key and sends it to A , and also inserts the tuple (PID i , r i , Y i , n i , pk i ) to L pk .9. Vehicle private key queries: When attacker A makes a public key query to S , if PID i = PID * i , S aborts this operation, otherwise S returns the corresponding pri- vate key (x i , sk i ) to A. 10.Signature queries: When A wants to query the sig- nature on i , S runs the signature generation algorithm to produce the corresponding signature T and return it to Then, the attacker A uses the public key set R 1 , the tracking public key set Y ′ , and the pseudonym set M, randomly selects u i , v i ∈ Z * q , and then performs the following steps: Finally, the traceable ring signature for message m is output as

Forgery:
The attacker A output the signature of another message m * for the signer PID * i , with the similar construction, the S can get the same result, two valid ring signatures are output as T and T * .The S output the result of a = MSK as a scheme of the ECDLP.However, ECDLP is intractable, so both are contradictory.That is the scheme in this paper satisfies unforgeability.

Anonymity
Theorem 2: The signature is Anonymity of the signer in our proposed scheme.
Proof: The ring signature in this paper has the anonymity of the signer for any sets R 1 = pk 1 , pk 2 , ⋯ , pk n and a random pk s ∈ R 1 , the probability Pr pk i = pk * i = 1/2, where T) is a traceable ring signature generate produced by pk s .

D u r i n g t h e c o m m u n i c a t i o n p ro c e s s , ve h icles use pseudonyms to hide their true identity as
and s is TA's master private key, which is stored in TA's secure database.The tracking key generated by TA is stored in the secure database, as Y i = x i (P + PID i ) , x i = H 1 (r i ‖t i ) , and t i is the validity period of tracking key.When the tracking key expires, the TA regenerates the tracking key for the vehicle and sends it to the vehicle over a secure channel.The trace key stored in the OBU is overwritten by the newly generated.Except for TA, no adversary can obtain the true identity of the vehicle from the (PID i , Y i , pk i ) .In the signature generate, the values of u i , v i are chosen at random from Z * q , and the number needed to generate the signer's private key is chosen randomly from Z * q .Therefore, the signature T will not expose the information of the signer.

Traceability
Theorem 3: The proposed scheme achieves conditional traceability.
Proof: When false message m is found, smart contract can track the real identity of signer.Smart contract accesses the TA's security database to get the T i value of the corre- sponding ring members, after getting all T i values, the smart contract verifies their validity.Then traces the real signer by the tracking public key.Finally, it sends the signer's ID to the TA through secure channel.Only smart contract can access TA's secure database through the interface to get the corresponding parameters of the traceable ring signature members, the who satisfies the equation T, P + PID i = e E, Y i is the real signer and it will send the result to the TA.Therefore, only TA can know the true identity of the signer, and no one else can trace the true identity of the signer.

Resistance to cyberattacks
Theorem 4: The proposed scheme can resist cyberattacks.
Proof: We designed scheme to inherit the resistance of blockchain technology to cyberattacks, which means that any modification to the smart contract can be prevented.Blockchain is distributed, and the system we designed uses blockchain as the underlying architecture, with the complete data required for the system stored in multiple nodes, system can function even if some points are down.Applying blockchain to system can eliminate single point of failure, effectively resist DDoS attacks and guarantee the overall security of the system.
Furthermore, tracking of the real signer is performed by a smart contract deployed in the blockchain, which is executed automatically within the blockchain, even if it is blocked at some point in VANETs.

Performance analysis
In this section, we compare the computational cost, communication overhead, and performance evaluation of our designed scheme with other existing schemes.
We set the security parameters to 80 bits, that is, = 80, the system parameters for the bilinear pairing as "qbits=512" and " rbits=160 ", The experimental running hardware con- figurations are i7-10870H CPU@2.20GHz,16GB RAM on a HP laptop.Software environment is based on Ubuntu 18.04 OS, using Python version 3.6 and PYPBC version 0.2 for implementation, which uses the PBC library Type A class curves to construct symmetric prime order bilinear groups.
For different signature operations, we tested 100 rounds using the PYPBC library and took their averages as the final results and listed them in Table 2, where T p denotes a bilin- ear pairing operation time, T m denotes a point multiplication operation time, T e denotes an exponential operation time, T h denotes a Hash to group operation time.

Computational cost
According to the efficiency analysis based on the specific steps in this scheme, the time spent in the vehicle registration phase is 3nT m + nT h , in the key generation phase is 2nT m + nT e , including tracking key generation phase is nT m + nT m and vehicle key generation phase is nT m , in the signature generation phase is 4nT m + 3nT e , in the signature verification phase is 2nT m , in the vehicle tracking phase is nT m + nT e + 2nT p .According to the time consumption for each operation in Table 2 and the specific steps in our scheme, we calculate the time consumption of the five steps in the scheme with the number of ring members n from 20 to 100, the result is shown in Fig. 6.The computation cost of the schemes [43][44][45][46] in key generation, signature generation, signature verification, and tracking processes are computed and the calculation results are listed in Table 3.
Compared with et al.'s [45] signature generation and verification processes, the computational complexity is almost O(n 2 ) when n is the number of ring members.The relationship between computational cost and the number of ring members is not linear.Its computational cost rises sharply as the number of ring members increases.Therefore, we do not compare Mao et al.'s scheme's computational overhead in the signature and verification process with other schemes.Moreover, its scheme is not designed with a malicious user tracking mechanism and does not achieve conditional privacy protection.In key generation process, the Fujisaki and Suzuki's scheme [43] needs n point multiplication operations, two hash to group operations and 2n + 1 exponential operations, and the total time cost is about nT m + 2T h + (2n + 1)T e .We set the number of ring members n = 100 , compared with Fujisaki and Suzuki's scheme [43], Bouakkaz and Semchedine's scheme [44], and Lai et al.'s scheme [46], the key generation consumption of our scheme is reduced by about 31.65% , 61.84% , and 70.34% , respectively.Although, the key generation process cost of our scheme is longer than Mao et al.'s scheme [45].However, the tracking key and vehicle key of our scheme is generated in advance by the TA and the vehicle during the vehicle registration process, and stored in the OBU of the vehicle, so it does not affect the communication efficiency of VANETs.We set the number of ring members n from 20 to 100, our scheme and other ring signature schemes' computational cost is shown in Fig. 7.
Fig. 8 is a comparison of the computational cost of calculating the signature generation between our scheme and other ring signature schemes [43,44,46].There is a linear relationship between the calculation cost of generating the signature and the number of ring members.Compared to other ring signature schemes, our computational cost is the lowest.When there are 100 ring members, our scheme takes only 256.22 ms to generate ring signatures, which saves the time for signature swapping generation and improves the efficiency of VANETs.In Fujisaki and Suzuki's scheme [43], it requires more point multiplication operations, exponential operations and two additional hash to group operations, resulting in large computational costs, and it takes (3n − 2)T m + (5n + 1)T e + 3T h to generate a ring signa- ture.Compared with our scheme, we set the ring members n = 100, our computational cost is reduced by 62.84%.
A comparison of the computational cost of signature verification is shown in Fig. 9.It illustrates that as the number of ring members increases, so does the computational cost.The computational consumption of signature verification in the present study is least than that in Fujisaki and Suzuki's scheme [43], Bouakkaz and Semchedine's scheme [44], and Lai et al.'s scheme [46].In our proposed scheme, the signature verification process is performed by RSUs deployed on both sides of the road, and Edge computing enhances the A comparison of the computational cost of tracking process is shown in Fig. 10.As the number of ring members increases, the time consumed for the tracking process also increases.In our scheme, when there are 100 ring members, we need 324.88 ms to trace the real signer of message m.Compared with Bouakkaz and Semchedine's scheme [44] and Lai et al.'s scheme [46], our scheme has a lower computational overhead.According to Fujisaki and Suzuki's scheme [43], when the number of ring members n ≤ 42 , our scheme has the ability to trace the real signer in a shorter time, when the number of ring members n > 42 , our scheme has a greater computational overhead in the tracking process.

Communication overhead
This section analyses and compares the communication overhead of our scheme and other ring signature schemes [43][44][45][46] is shown in Table 4.According to Chen and Chen's paper [7], the size of elements in Z * q and G 1 are 20 × 2 = 40 bytes and 64 × 2 = 128 bytes, respectively.In our scheme, the transmitted parameters in vehicle registration, key generation, and signature generation processes mainly include: vehicle pseudonym PID i ∈ G 1 , tracking private key x i ∈ Z * q , vehicle public key Y i ∈ G 1 , the message's signature T and so on.We set ring members n from 20 to 100, the communication overhead of our scheme is shown in Fig. 11.
In our proposed scheme, the communication overhead is mainly in the signature transmission process, most of the other processes are generated during the vehicle registration process, or in the background operation of the system, and do not affect the efficiency of vehicle data sharing, so we compare the communication overhead of the signature transmission process with Fujisaki änd Suzuki's scheme [43], Bouakkaz and Semchedine's scheme [44], Mao et al.'s

Scheme
Single ring member (bytes) N ring members (bytes) scheme [45], and Lai et al.'s scheme [46], and the calculation results are listed in Table 4. Figure 12 compares the communication overhead required by different schemes when transfer of the signature.As ring membership increases, the communication overhead grows.The computational consumption of signature verification in the present study is less than in other schemes [43][44][45][46].The communication complexity of Mao et al.'s scheme [45] is almost O(n 2 ) , so as the number of ring members increases, the storage and communication overhead required for the ring signature generated by the signature algorithm increases rapidly.As a result, the overall efficiency of the system decreases.When setting the ring members n to 100, the communication overhead of our scheme takes only 20968 bytes, which is a 29.86% reduction in communication overhead compared to Lai et al.'s scheme [46].

Performance evaluation
In the scheme, we use blockchain as the underlying framework of the system to achieve distributed information storage.The driver's privacy information is stored in TA's secure database, which safeguards the driver's privacy.
For drivers who disrupt the normal traffic condition, we deploy smart contracts on the blockchain, which can track these drivers through the signature in the false message.Our scheme introduces vehicle edge computing, which can effectively reduce system latency, process road information faster, and better adapt to the environment where VANETs' network topology changes in real time.Also, edge computing allows data handling locally, which decreases leakage or other security issues, it reduces the system's bandwidth demands, and it enables the system to work even when the network is jammed.
Table 5 compares and analyzes our scheme with other schemes [43][44][45][46] in seven aspects: unforgeability, anonymity, traceability, distributed framework, privacy protection, use smart contract and use edge computing.The comparison shows that our solution has better performance and feasibility.
To further illustrate the efficiency of our system operation, we analyze the system overhead.We use Ganache to emulate the Ethernet platform with Node and Web3 as the execution script and write smart contract using the Solidity language.After that, the smart contract are compiled with the truffle framework and deployed in Ethereum.TA's account address is 0x5B38Da6a701c568545dCfcB-03FcB875f56beddC4, the address of the smart contract is 0xd9145CCE52D386f254917e481eB44e9943F39138.
The overhead of the blockchain system we designed is mainly based on gas consumed by transactions and smart contracts.Gas is a unit of measurement used to gauge the computational power of executing transactions on the Ethereum platform.All transactions on the Ethernet platform consume a certain amount of gas, and the more complex the task, the more gas is consumed.The cost analysis of the scheme mainly considers the deployment of smart contracts, obtain traceable keys, track signers, and return signers to TA.The dollar consumption in the table refers to the ether price on March 25, 2023, 1eth = 10 18 wei = 1744dollars.
The REMIX IDE and Solidity version 0.8.0 with a specification of Ubuntu 18.04, 16 GB RAM, Intel Core i7-10870H CPU@2.20GHz,64-bit OS are used for experimental validation.Each execution requires a gas price cap and a unit price per gas.The miner determines the gas price Performance Ref [43] Ref [44] Ref [45] Ref [46] Our scheme and if the execution operation gas price is lower than the price determined by the miner, the miner will refuse to perform this operation.The costs measured by the experiment are shown in Table 6.As described in the table, the smart contract deployment is only performed once and the cost is $1.8128e-9.The costs of Obtain traceable keys, Tracking signer, and Return signer to TA operation is $1.3935e-10, $3.6565e-10, and $1.0946e-10, respectively.

Conclusion
In this paper, we have proposed a traffic data security sharing scheme based on blockchain and traceable ring signature for VANETs.The scheme uses smart contract to track the illegal vehicles and return the results to trusted authority (TA).The TA holds the source of the signature message and determines the penalties.This facilitates safeguarding the privacy of drivers and improving the security of VANETs with sharing messages.Edge computing is utilized to solve the problem of low computing power of VANETs.Vehicle registration and signer tracking can be offloaded through edge nodes to cloud servers with greater computer storage capacity, they can also improve the efficiency of VANETs.The security analysis shows that the proposed traceable ring signature algorithm has strong security and anonymity.Compared with other schemes, our scheme has better features such as signer tracking, use of smart contract, etc. Performance analysis shows that our proposed scheme has smaller computational cost and communication overhead.

3 .
RSU: RSUs are installed on both sides of the road and support the DSRC protocol, allowing communication with vehicles within a specific range.Specifically, RSUs can receive messages from vehicles, validate them, forward the validated messages to other vehicles and store them in the blockchain.The RSUs are interconnected and they exchange messages over a secure wired network.4. Traffic management department (TMD): The traffic management department manages the vehicles in VANETs.It receives drivers' information from TA, penalizes the misbehaving vehicles accordingly, and records the results of the penalties, through node consensus, in the blockchain. 5. Edge computing: With powerful computing and storage capabilities, edge computing processes data at the edge of the network, reducing network latency while improving data security and privacy.Edge computing enhances the efficiency of VANETs by accessing RSUs, TAs and other entities in VANETs through edge nodes and offloading most of the data computation to cloud servers through edge nodes.6. Blockchain: We use the public blockchain as the decentralized underlying architecture for our scheme to instantiate VANETs.It is verified by RSUs based on consensus algorithms for messages, and registered vehicles can

Fig. 1
Fig. 1 System model of our scheme

Fig. 5
Fig. 5 Flowchart of our scheme

( 13 )
s = d s P + c s pk s = (u s − c s sk s )P + c s pk s = u s P = L s(14)

Fig. 9
Fig. 9 Computational cost comparison of signature verification

Fig. 11
Fig. 11 Communication overhead for each step

Fig. 12
Fig. 12 Communication overhead comparison of signature generation

Table 1
Key symbol and definition Finally, TA keeps MSK, as well as public the system parameters params = q, P, e, G 1 , G T , MPK, H 0 , H 1 , H 2 , H 3 , H 4 , H 5 .

Table 2
Operation time consumption