Practical V2I Secure Communication Schemes for Heterogeneous VANETs

Abstract

Since the roadside infrastructure and vehicles come from different manufacturers, vehicular ad hoc networks (VANETs) now are extremely heterogeneous. It is difficult to communicate securely for heterogeneous facilities in VANETs because secure communication needs to concurrently realize confidentiality, authentication, integrity, and non-repudiation. To meet the above security attributes in one logical step, four bi-directional signcryption schemes are proposed for specific heterogeneous vehicle to infrastructure (V2I) communication in this paper. The first scheme supports batch verification, which allows multiple vehicles registered in a public key infrastructure (PKI) system to transmit messages to a receiver in an identity-based cryptosystem (IBC), both which are the mainstream public key cryptosystems. The second scheme supports a sender in a PKI to securely broadcast a message to multiple vehicles in an IBC. The communication direction of the latter two schemes is opposite to the former two schemes (i.e., from IBC to PKI). All these schemes can be proved to satisfy confidentiality and unforgeability based on the assumptions of decisional and computational Diffie-Hellman problems in the random oracle model. Furthermore, numerical analyses and simulation results demonstrate the computation costs, communication costs, storage, and the aggregate ciphertext length of our schemes are better than the existing ones.

1. Introduction

Smart transportation is one of the most important aspects of smart city, and vehicular ad hoc networks (VANETs) have recently been regarded as a promising smart transportation technique that can provide road safety, traffic management, and so on. VANETs consist of smart vehicles with on-board units (OBUs) and roadside units (RSUs). In VANETs, the vehicles can be regarded as mobile nodes and the communication between these nodes can be conducted by dedicated short-range communications (DSRC) technology [1]. There are two main communication ways: Vehicle to infrastructure (V2I) and vehicle to vehicle (V2V) [2]. V2V communication can exchange information among neighboring vehicles. V2I communication allows vehicles send messages to RSUs in driving. Vehicles or drivers can obtain the traffic information of a region or even a wider scope. After information integration, V2I provides comprehensive driving guidance and early warning services for each driver, which is more advantageous than V2V communication from this point of view. For example, if a traffic accident happened, the accident vehicles will firstly transmit the accident information to a nearby RSU; next, the RSU broadcasts the information to other RSUs and more vehicles in its management region. All kinds of messages can spread faster to prevent traffic jams because RSUs have higher power and stronger information broadcasting ability. Hence, V2I secure communication is a promising technology and attracts more and more attention.

However, a critical problem is the security of V2I communication. Generally speaking, confidentiality, authentication, integrity, and non-repudiation are the key security requirements for secure V2I communication. Confidentiality can keep messages secret except for those who are authorized. Authentication and integrity can ensure the messages are not tampered by any unauthorized user. Non-repudiation can prevent the denial of prior behaviors. Generally, encryption can be used to realize confidentiality and digital signature can be used to realize authentication, integrity, and non-repudiation. Due to the openness of wireless communication in V2I, an adversary can easily control the communication links and modify session messages, which may lead to serious consequences. Hence, the above security requirements are the main concerns for V2I secure communication and are worth studying urgently.

In the paper, considering the aforementioned security attributes of V2I communication, we construct four practical bi-directional signcryption schemes, which offer heterogeneous V2I secure and efficient communication, in which the vehicles and the RSUs are registered in public key infrastructure (PKI) or identity-based cryptosystem (IBC), respectively. For this purpose, we mainly combine the signcryption and aggregation techniques to construct our schemes and permit the communicating parties sharing the same system parameters to achieve high efficiency according to current practices and traditions. To be specific, two many-to-one signcryption schemes can realize n vehicles in PKI/IBC system transmit messages to an RSU in the IBC/PKI system, which fit into the scenario where an RSU might receive multiple messages from different vehicles at almost the same time. In turn, two one-to-many signcryption schemes can support an RSU in PKI/IBC system transmitting one message m to n vehicles in IBC/PKI system, which applies to the scenario where an RSU broadcasts one message to multiple vehicles. All schemes have been proved to be indistinguishable against adaptive chosen ciphertext attacks (IND-CCA2) and existential unforgeability against adaptive chosen messages attacks (EUF-CMA) based on two difficulty assumptions of decisional Diffie–Hellman problem (DDHP) and computational Diffie–Hellman problem (CDHP), respectively. The main contributions of this work are summarized as follows:

(1)

Two many-to-one heterogeneous signcryption schemes are proposed, which allow a large number of vehicles registered in the PKI/IBC freely communicating with a RSU registered in IBC/PKI. Two other one-to-many heterogeneous signcryption schemes are proposed, which allow a sender RSU in PKI/IBC freely broadcasts a message to many vehicles in IBC/PKI, which are especially designed for a RSU broadcasting message to vehicles in V2I communication scenario of VANETs.

(2)

Inspired by the idea of signcryption and aggregation, our proposed many-to-one heterogeneous aggregate signcryption schemes support batch verification, which not only can save a lot of time compared with the traditional sequential verifications, but also can save the computational, communicational, and storage cost. In addition, all the proposed schemes can realize confidentiality, authentication, integrity, and non-repudiation at the same time.

(3)

Numerical analyses and simulation results show the computation costs, communication costs, storage, and the aggregate ciphertext length of our proposed schemes are preferable to the existing ones.

The organization of our article is shown below: A survey of related work is described in Section 2. Some preliminaries are provided in Section 3. Four practical, heterogeneous signcryption proposals are presented in Section 4. The security proof and performance analysis are presented in Section 5 and Section 6, respectively. In the end, we summarize the conclusions in Section 7.

2. Related Work

Considering the security requirements of V2I secure communication in VANETs, it is natural to utilize encryption to realize confidentiality and digital signature to realize authentication, integrity. and non-repudiation. The traditional approach, named the signature-then-encryption method, is first to sign a message and then to encrypt it, or first to encrypt a message and then to sign it, named the encryption-then-signature method. Zheng first presented a new cryptographic primitive termed as signcryption [3], which simultaneously realizes the functions of encryption and digital signature. In addition, its cost is much smaller than the encryption-then-signature or signature-then-encryption techniques. An et al. proposed the general constructions of signcryption [4] and Baek et al. studied the formal proofs for the security of signcryption [5]. In addition, Baek et al. proved the security of the scheme in [3]. The performance advantage of signcryption makes it widely studied and used. Up to now, signcryption and its extension schemes have been put forward in several cryptosystem, such as the PKI-based cryptosystem [6,7], identity-based cryptosystem (IBC) [8,9,10,11,12], and certificateless cryptosystem [13,14,15]. Aggregate signcryption is one of the latest extensions of signcryption, which can combine multiple signcryption ciphertexts and verify them in batch. Compared with the traditional sequential verifications, it not only can save a lot of time, but also can save the computational, communicational, and storage cost. Hence, aggregate signcryption is very suitable for many-to-one mode of distributed communication, such as VANETs and routing protocol.

Today, vehicles and RSUs are extremely heterogeneous and may be registered with different public key cryptosystems. To ensure the secure V2I communication between these extreme heterogeneous devices, cryptographic schemes should be constructed to provide authentication, confidentiality, integrity, and non-repudiation, so signcryption naturally becomes the first choice. So far, a few signcryption schemes for heterogeneous environments have been proposed [16,17,18,19,20,21,22,23,24,25,26]. Many of these schemes consider two mainstream public key cryptosystems PKI and IBC. In the PKI system, a certificate authority (CA) issues the digital certificates for users, which bundle the public keys and users’ real identities. However, certificates management has become a burden due to the storage, revocation, and distribution of certificates. However, in IBC, the email addresses, telephone numbers, or social security numbers of users are used to produce the public keys. The users’ private keys are provided by a trusted third party named private key generator (PKG). IBC solves the problem of certificates management and becomes a more promising public key cryptosystem.

Sun and Li put forward two heterogeneous signcryption schemes. The first one supports a sender in a PKI system to transmit one message to a receiver in an IBC and the second is opposite (i.e., from IBC to PKI) [21]. In addition, the paper gives a discussion on the multi-receiver constructions from PKI to IBC. Unfortunately, their schemes do not support non-repudiation and cannot resist insider attacks. Later, a heterogeneous signcryption scheme against insider attacks is proposed in [22]. However, it simply permits a user in an IBC to transmit one message to the recipient in a PKI system. Schemes presented in [23,24] also do not allow users in a PKI system to send messages to recipient in an IBC. Recently, two new signcryption schemes are presented to support V2I mutual communication for heterogeneous PKI and IBC cryptosystem [25]. However, both schemes cannot protect the privacy of the senders. The scheme put forward in [26] gives a provable aggregate signcryption for heterogeneous PKI and IBC systems to improve the efficiency of computation and transmission. Unfortunately, it simply permits a user in a PKI system to transmit one message to the recipient in an IBC. Actually, it is not easy to design practical mutual many-to-one or one-to-many signcryption schemes for heterogeneous V2I communication because it needs to meet the security requirements and maintain high efficiency.

Similar to the above schemes, we mainly consider how to realize the secure and efficient V2I communication of heterogeneous devices registered in PKI and IBC. Different from the aforementioned schemes, we consider the most common scenario that a static RSU often receives multiple messages from different mobile vehicles almost at the same time; it needs to verify the integrity and authenticity of these messages in a batch way for the potential traceability, which can save a lot of time compared with the traditional sequential verifications. That is the reason that we design many-to-one aggregate signcryption schemes (as in Figure 1). In turn, two one-to-many signcryption schemes are designed to meet an application scenario of an RSU that broadcasts a message to a great number of vehicles. Therefore, our schemes are quite suitable for the heterogeneous secure V2I communication.

3. Preliminaries

3.1. Mathematical Background

Let G₁/G₂ be the additive/multiplicative group of prime order q and P is a generator of G₁; $e:G_1\times G_1\to G_2$ is referred as a bilinear map if it meets the attributes as follows:

(1)

Bilinearity: $\forall P,Q\in G_1$ and $a,b\in Z_q^{*}$, $e(aP,bQ)=e{(P,Q)}^{ab}$.

(2)

Non-degeneracy: There exist $P,Q\in G_1$, s.t. $e(P,Q)\in 1_{G_2}$.

(3)

Computability: There is an algorithm to calculate $e(P,Q)\in G_2$, $\forall P,Q\in G_1$.

Decisional Diffie–Hellman problem (DDHP): For a tuple $(P,aP,bP,cP)\in G_1$, where P as the generator of G₁ having order q and $a,b,c\in Z_q^{\ast }$, it is difficult to decide whether $ab=c\mathrm{mod}q$ is held.

Computational Diffie–Hellman problem (CDHP): For a tuple $(P,aP,bP)\in G_1$, where P as the generator of G₁ having order q and $a,b\in Z_q^{\ast }$, it is hard to calculate abP.

3.2. Formal Definitions

(a) A many-to-one heterogeneous signcryption scheme contains six algorithms, as follows:

Setup: After taking a security parameter l, PKG chooses a master secret key msk and outputs the public system parameters params.

PKI-KG: A user in PKI selects a secret key sk and computes the corresponding public key pk. The pk has a certificate issued by the CA.

IBC-KG: A user in IBC sends his identity ID to the PKG. The PKG calculates the corresponding secret key sk and sends it to the user via a secure channel. Under these circumstances, the user’s identity ID naturally served as his public key pk.

Signcrypt: Input params, a message m, a sender’s secret key sk_i, a recipient’s public key pk_r emits a signcryption ciphertext ${\sigma }_i$.

Aggregate-Verify: The algorithm firstly aggregate n ciphertexts ${\{{\sigma }_i=(R_i,c_i,S_i)\}}_{i=1}^n$ to a final ciphertext $\sigma$. Then, it verifies the validity of aggregate signcryption $\sigma$ and outputs true or false.

Unsigncrypt: Input $\sigma$, the sender’s public key pk_i, the recipient’s secret key sk_r, outputs ${\left\{m_i\right\}}_{i=1}^n$ or ⊥ that means decryption failure.

(b) A one-to-many heterogeneous signcryption scheme contains five algorithms, as follows:

The algorithms of Setup, PKI-KG, and IBC-KG are the same as those in (a).

Signcrypt: Input params, a message m, the sender’s secret key sk, and multiple receivers’ public keys ${\left\{p{k}_{r_i}\right\}}_{i=1}^n$, then the algorithm computes a signcryption ciphertext $\sigma$ and sends it to receivers.

Unsigncrypt: Each receiver takes $\sigma$ and the corresponding secret keys $s{k}_{r_i}$ as inputs, then computes the broadcasting message m after a series of verifications.

Here, we omit the security model of heterogeneous signcryption scheme because of the limited space.

4. Four Heterogeneous Signcryption Schemes for V2I Communication Scenarios

In this section, four heterogeneous signcryption schemes are presented to support secure heterogeneous V2I communication. For brevity, we make PKI→IBC to indicate a sender in a PKI system transmits a message to a recipient in an IBC. In turn, IBC→PKI indicates a sender registered in an IBC transmits a message to a receiver in a PKI system. Many-to-one or one-to-many means the sender is multiple or single, and the receiver is single or multiple, which correspond to the two most common scenarios extracted from real V2I communication. The first scheme is called MOHSC-I (many-to-one heterogeneous signcryption), which is suitable for an RSU in an IBC to receive n ciphertexts of ${\left\{m_i\right\}}_{i=1}^n$ from n vehicles who are in a PKI system. In turn, the second construction is named OMHSC-I (one-to-many heterogeneous signcryption), which is suitable for the condition that an RSU in a PKI system to broadcast the cipher of m to n vehicles who are in IBC. The direction of the latter two schemes is opposite to the former schemes i.e., from IBC to PKI. The third scheme is named MOHSC-II (many-to-one heterogeneous signcryption) and the fourth construction is called OMHSC-II (one-to-many heterogeneous signcryption).

4.1. PKI$\to$IBC Many-to-One Signcryption (MOHSC-I)

Setup: Input a security parameter l, PKG selects the additive/multiplicative group G₁/G₂ of prime order q (P be a generator of G₁), a bilinear map $e:G_1\times G_1\to G_2$, and three cryptographic hash functions $H_1:{\{0,1\}}^{\ast }\to G_1$, $H_2:G_2\to {\{0,1\}}^n$,$H_3:G_1^3\times {\{0,1\}}^n\to Z_q^{*}$. Then, it selects $s\in Z_q^{\ast }$ randomly as the master secret key and computes the master public key $P_{pub}=sP$. Finally, PKG will publish params = {q, G₁, G₂, e, P, P_pub, H₁, H₂, H₃} while keeping s secret.

PKI-KG: A vehicle V in the PKI selects $x_V\in Z_q^{\ast }$ randomly as the secret key $s{k}_V$ and calculates $p{k}_V=x_{V}P$ as the public key. Let V_i’s public/secret key is $p{k}_i=x_{i}P$/$s{k}_i=x_i$ below.

IBC-KG: An RSU in an IBC first sends its identity ID_r to the PKG, then PKG calculates the secret key $s{k}_{I{D}_r}=s{H}_1(I{D}_r)=s{Q}_{I{D}_r}$, and transmits $s{k}_{I{D}_r}$ to RSU via a secure channel. Let the identity of RSU be ID_r and the public/secret key $p{k}_r=H_1(I{D}_r)=Q_r$/$s{k}_r=s{Q}_r$ below.

Signcrypt: Taking params, a random message m_i, the sender V_i’s secret key sk_i, the receiver RSU’s public key pk_r as inputs, the algorithm performs the following steps:

• Randomly choose $r_i\in Z_q^{\ast }$ and calculate $R_i=r_{i}p{k}_i$;
• Calculate $k_i=e(r_{i}s{k}_i{P}_{pub},p{k}_r)$, $c_i=m_i\oplus H_2(k_i)$;
• Calculate $h_i=H_3(p{k}_i,p{k}_r,R_i,c_i)$, $S_i=s{k}_i{h}_i{P}_{pub}$;
• Output the signcryption ciphertext ${\sigma }_i=(R_i,c_i,S_i)$ to a nearby RSU.

Aggregate-Verify: A receiver RSU firstly act as an aggregate signcryption generator to save the verification costs. After receiving multiple ciphertexts ${\sigma }_i=(R_i,c_i,S_i)$ ($i=1,2,\dots ,n$), the RSU computes $S={\displaystyle {\sum }_{i=1}^n{S}_i}$, and get the final aggregate signcryption ciphertext $\sigma =(R_1,\dots ,R_n,c_1,\dots ,c_n,S)$. Then, the RSU performs the following procedures to verify the ciphertext $\sigma$ by using n sender vehicles’ public keys ${\left\{p{k}_i\right\}}_{i=1}^n$, the aggregate signcryption ciphertext $\sigma$ and the receiver RSU’s public key pk_r.

• Compute $h_i=H_3(p{k}_i,p{k}_r,R_i,c_i)$,$i=1,2,\dots ,n$;
• Verify

  $$e(S,P)=e({\displaystyle \sum _{i=1}^n{h}_{i}p{k}_i,P_{pub}});$$

  (1)
• If (1) is held, emits true, which means $\sigma$ is valid. Otherwise, emits false and abort.

Unsigncrypt: If Aggregate-Verify algorithm emits true, the receiver RSU’s performs the following steps based on the aggregate signcryption $\sigma$ and its secret key sk_r.

• Calculate

  $$k_i^{\prime }=e(R_i,s{k}_r);$$

  (2)
• Calculate $m_i=c_i\oplus H_2(k_i^{\prime })$, and get the message m_i.

4.2. PKI$\to$IBC One-to-Many Signcryption (OMHSC-I)

The Setup is the same as the above MOHSC-I algorithm, except the PKI-KG and IBC-KG algorithms have slight changes, i.e., the sender RSU’s public/secret key $pk=xP$/$sk=x$ in PKI and n receivers V_i’s key pairs ${\{p{k}_{ri}=H_1(I{D}_{ri})=Q_{ri},s{k}_{ri}=s{Q}_{ri}\}}_{i=1}^n$ in IBC.

Signcrypt: Taking params, a random message m, the RSU’s secret key sk, multiple receivers’ public keys ${\left\{p{k}_{ri}\right\}}_{i=1}^n$ as input, the algorithm performs the following steps (repeat 2, 3 steps n times):

• Choose a random $r\in Z_q^{\ast }$ and compute $R=r\cdot pk$;
• Compute $k_i=e(r\cdot sk\cdot P_{pub},p{k}_{ri})$, $c_i=m\oplus H_2(k_i)$;
• Calculate $h_i=H_3(pk,p{k}_{ri},R,c_i)$, $S_i=sk\cdot h_i{P}_{pub}$.
• Broadcast $\sigma =(R,c_1,\dots ,c_n,S_1,\dots ,S_n,\Omega )$ to ${\left\{V_i\right\}}_{i=1}^n$, where $\Omega$ is a label which includes message about how c_i and S_i are associated with the receivers.

Unsigncrypt: Any receiver V_i takes (R, c_i, S_i) from $\sigma$ according to the label $\Omega$. Input V_i’s secret keys $s{k}_{ri}$, the sender’s pk and params, then the algorithm executes the following procedures:

• Compute $h_i=H_3(pk,p{k}_{ri},R,c_i)$;
• Verify

  $$e(S_i,P)=e(h_i\cdot pk,P_{pub});$$

  (3)
  If (3) is established, emits true which means $\sigma$ is valid. Or else, emits false and abort.
• Calculate

  $$k_i^{\prime }=e(R,s{k}_{ri});$$

  (4)
• Compute $m=c_i\oplus H_2(k_i^{\prime })$, and get the message m.

4.3. IBC$\to$PKI Many-to-One Signcryption (MOHSC-II)

The Setup is the same as the above MOHSC-I algorithm. PKI-KG and IBC-KG algorithms have slight changes, i.e., the sender V_i’s key pair ($p{k}_i=H_1(I{D}_i)=Q_i$,$s{k}_i=s{Q}_i$) in an IBC, the recipient RSU’s public/secret key ($p{k}_r=x_{r}P/s{k}_r=x_r$) in a PKI system.

Signcrypt: Taking params, a random message m_i, V_i’s secret key sk_i, and RSU’s public key pk_r as inputs, the algorithm executes the following procedures:

• Select a random $r_i\in Z_q^{\ast }$ and compute $R_i=r_i{P}_{pub}$;
• Compute $k_i=e(p{k}_r,r_{i}s{k}_i)$, $c_i=m_i\oplus H_2(k_i)$;
• Calculate $h_i=H_3(p{k}_i,p{k}_r,R_i,c_i)$, $S_i=s{k}_i{h}_i$;
• Transmit the signcryption ciphertext ${\sigma }_i=(R_i,c_i,S_i)$ to a nearby RSU.

Aggregate-Verify: Upon receiving the ciphertexts ${\left\{{\sigma }_i\right\}}_{i=1}^n$, the RSU computes $S={\displaystyle {\sum }_{i=1}^n{S}_i}$ to get the final aggregate signcryption ciphertext $\sigma =(R_1,\dots ,R_n,c_1,\dots ,c_n,S)$. Then, the RSU executes the following procedures to verify $\sigma$ by inputting the aggregate signcryption $\sigma$, n vehicles’ public keys ${\left\{p{k}_i\right\}}_{i=1}^n$ and the receiver RSU’s public key pk_r:

• Compute $h_i=H_3(p{k}_i,p{k}_r,R_i,c_i),1\le i\le n$;
• Verify

  $$e(S,P)=e({\displaystyle \sum _{i=1}^n{h}_{i}p{k}_i,P_{pub}});$$

  (5)
• If (5) is held, emits true, which means $\sigma$ is valid. Otherwise, emits false and abort.

Unsigncrypt: If the Aggregate-Verify algorithm outputs true, the receiver RSU takes the aggregate signcryption ciphertext $\sigma$, its secret key sk_r and n vehicles’ public keys ${\left\{p{k}_i\right\}}_{i=1}^n$ as inputs, then performs as follows:

• Compute

  $$k_i^{\prime }=e(p{k}_i,s{k}_r{R}_i);$$

  (6)
• Compute $m_i=c_i\oplus H_2(k_i^{\prime })$, and get the message m_i.

4.4. IBC$\to$PKI One-to-Many Signcryption (OMHSC-II)

The Setup is the same as the above MOHSC-I algorithm. PKI-KG and IBC-KG algorithms have slight changes, i.e., the sender RSU’s key pair is ($pk=H_1(ID)=Q$,$sk=sQ$) in IBC and the receivers V_i’s $(i=1,2,\dots ,n)$ key pairs ($p{k}_{ri}=x_{ri}P,s{k}_{ri}=x_{ri}$) in PKI.

Signcrypt: Taking params, a random message m, RSU’s secret key sk, and multiple receivers’ public keys ${\left\{p{k}_{ri}\right\}}_{i=1}^n$ as input, the algorithm performs as follows (repeat 2, 3 steps n times):

• Randomly choose $r\in Z_q^{\ast }$ and compute $R=r\cdot P_{pub}$;
• Calculate $k_i=e(p{k}_{ri},r\cdot sk)$, $c_i=m\oplus H_2(k_i)$;
• Calculate $h_i=H_3(pk,p{k}_{ri},R,c_i)$, $S_i=sk\cdot h_i$;
• Broadcast $\sigma =(R,c_1,\dots ,c_n,S_1,\dots ,S_n,\Omega )$ to multiple receivers ${\left\{V_i\right\}}_{i=1}^n$, where $\Omega$ is a label, which includes a message about how c_i and S_i are associated with the receivers.

Unsigncrypt: Any receiver V_i takes (R, c_i, S_i) from $\sigma$. Take V_i’s secret keys $s{k}_{ri}$, the sender’s pk, and params as inputs, then this algorithm performs the following steps:

• Compute $h_i=H_3(pk,p{k}_{ri},R,c_i),1\le i\le n$;
• Verify

  $$e(S_i,P)=e(h_i\cdot pk,P_{pub});$$

  (7)
  If (7) is held, emits true, which means $\sigma$ is valid. Or else, emits false and abort.
• Calculate

  $$k_i^{\prime }=e(pk,s{k}_{ri}\cdot R);$$

  (8)
• Calculate $m=c_i\oplus H_2(k_i^{\prime })$, and get the message m.

5. Security Proof

The correctness and security of our proposed schemes will be discussed in this section.

5.1. Correctness

A. 

The correctness of the Equations (1) and (2) in HMOSC-I are proven below.

$$\begin{array}{ll}e(S,P& )=e({\displaystyle \sum _{i=1}^{n}s{k}_i{h}_i}{P}_{pub},P)\hfill \\ & =e({\displaystyle \sum _{i=1}^n{h}_i}s{k}_{i}P,P_{pub})\\ & =e({\displaystyle \sum _{i=1}^n{h}_i}p{k}_i,P_{pub})\end{array}$$

(9)

$$\begin{array}{ll}\hfill k_i& =e(r_{i}s{k}_i{P}_{pub},p{k}_r)\hfill \\ & =e(r_i{x}_{i}sP,p{k}_r)\\ & =e(r_i{x}_{i}P,s{Q}_r)\\ & =e(r_{i}p{k}_i,s{Q}_r)\\ & =e(R_i,s{k}_r)=k_i^{\prime }\end{array}$$

(10)

B. 

Equations (3)–(8) can be easily proved. Here we omit them for the limit space.

5.2. Security Proof

In the subsection, we will demonstrate our proposed schemes are secure. For each proposed signcryption scheme, we must prove its confidentiality (i.e., indistinguishability against adaptive chosen ciphertext attacks, short for IND-CCA2) and unforgeablity (i.e., existential unforgeability against adaptive chosen messages attacks, short for EUF-CMA) in a random oracle model due to its encryption and signature functions, respectively, which will make our paper very long because we proposed four schemes in all. Therefore, we mainly prove the confidentiality and unforgeability of MOHSC-I (PKI$\to$IBC many-to-one signcryption) scheme as an example to illustrate our reduction idea. In the following, t_m and t_p indicate the time to calculate one scalar multiplication and a bilinear pairing in G₁, respectively, and n is the number of messages.

Theorem 1.

(Confidentiality of MOHSC-I scheme): A is a probabilistic polynomial-time (PPT) adversary with an advantage$\epsilon$against the IND-CCA2 security within running time t, and asking at most q_i times H_i (i = 1, 2, 3) queries, q_k times key-generation queries, q_u times unsigncrypt queries, then there exists an algorithm C that can solve a DDHP instance with probability${\epsilon }^{\prime }\ge \tau {(1-\tau )}^{q_k+q_u}\epsilon$in a time$t^{\prime }\le t+O(q_u)t_p+O(2q_{H_1}+2q_k)t_m$.

Proof. 

Here, we show how C uses A to settle a given DDHP example (P, aP, bP, cP). □

Initial: C firstly executes the Setup algorithm to set P_pub=aP and PKI-KG algorithm to get n senders’${\{p{k}_i^{*},s{k}_i^{*}\}}_{i=1}^n$, then sends the system parameters and ${\{p{k}_i^{*},s{k}_i^{*}\}}_{i=1}^n$ to A.

Phase 1: C keeps the lists L₁, L₂, and L₃ to simulate H₁, H₂, and H₃ oracles. Assume that H₁ queries are different and the challenged identity $I{D}_r^{\ast }$ is sent to H₁ sometime. A queries H₁(ID) before ID is applied to other inquiries.

–

H₁ queries: The list L₁ with structure $\{I{D}_r,{\alpha }_r,Q_r,s{k}_r,{\xi }_r\}$ is maintained by C. When A performs the query with ID_r, C examines whether $\{I{D}_r,{\alpha }_r,Q_r,s{k}_r,{\xi }_r\}$ is already in L₁. If so, C returns Q_r to A. Otherwise, C flips a coin ${\xi }_r\in \{0,1\}$ that returns 0 with possibility $\tau$ (which will be determined later) and 1 with possibility $1-\tau$:

(1)

If ${\xi }_r=1$, C computes $Q_r=bP,{\alpha }_r=\perp ,s{k}_r=\perp$;

(2)

Otherwise, C chooses a random ${\alpha }_i\in Z_p^{*}$, computes $Q_r={\alpha }_{r}P,$ $s{k}_r={\alpha }_{r}aP$, adds $\{I{D}_r,{\alpha }_r,Q_r,s{k}_r,{\xi }_r\}$ to L₁, and returns Q_r to A.

–

H₂ queries: The list L₂ has the tuples of $\{k_i,{\rho }_i\}$, which is maintained by C. When A submits a k_i and issues H₂ query, the same answer from L₂ will be given if the query has been queried before. Otherwise, C chooses ${\rho }_i\in {\{0,1\}}^n$ at random, then adds $\{k_i,{\rho }_i\}$ into L₂ and sends ${\rho }_i$ to A.

–

H₃ queries: The list L₃ has the tuples of $\{p{k}_i,p{k}_r,R_i,c_i,h_i\}$. When A issues a query $\{p{k}_i,p{k}_r,R_i,c_i\}$ to H₃, C examines whether $\{p{k}_i,p{k}_r,R_i,c_i,h_i\}$ is already in L₃; if so, C returns h_i to A. Otherwise, C chooses a random value $h_i\in Z_q^{*}$ as answer and adds $\{p{k}_i,p{k}_r,R_i,c_i,h_i\}$ to L₃.

–

Key-generation queries: When A performs the query with IDr, if $I{D}_r=I{D}_r^{\ast }$, C returns ⊥. Otherwise, C requests a H₁ query at first and gets $\{I{D}_r,{\alpha }_r,Q_r,s{k}_r,{\xi }_r\}$ from L₁ list. Then, C returns D_r.

–

Unsigncrypt queries: A gives the recipient V_r’s identity $I{D}_r$ and a ciphertext $\sigma$. If $I{D}_r=I{D}_r^{\ast }$, C returns ⊥. Otherwise, C performs Unsigncrypt $(\sigma ,{\left\{p{k}_i^{\ast }\right\}}_{i=1}^n,s{k}_{I{D}_r})$ and returns the corresponding results.

Challenge: A produces two equal length plaintexts (m_i0, m_i1) and a receiver’s identity $I{D}_r^{\ast }$, which will be challenged. If $I{D}_r\ne I{D}_r^{\ast }$, C outputs ⊥. Otherwise, C selects a bit $\beta \in \{0,1\}$ and $r_i^{*}\in Z_q^{\ast }$ randomly, calculates $R_i^{*}=r_i^{*}p{k}_i^{*}$, $c_i^{\ast }=H_2(e(r_i^{*}p{k}_i^{*},cP))\oplus m_{i\beta }$, $h_i^{*}=H_3(p{k}_i^{*},p{k}_r,R_i^{*},c_i^{*})$, and $S_i^{*}=s{k}_i^{*}{h}_i^{*}{P}_{pub}$. Then, C computes $S^{*}={\displaystyle \sum _{i=1}^n{S}_i^{*}}$, returns ${\sigma }^{*}=(R_1^{*},\dots ,R_n^{*},c_1^{*},\dots ,c_n^{*},S^{*})$ to A.

Phase 2: A can make a mass of queries as Phase 1. However, A cannot submit the key-generation query on $I{D}_r^{\ast }$ and the unsigncrypt query on ${\sigma }^{*}$ to obtain the plaintexts.

Guess: A outputs the bit ${\beta }^{\prime }$ after enough inquiries. If $\beta ={\beta }^{\prime }$, C emits 1, which means (P, aP, bP, cP) are DH tuples. Otherwise, it outputs 0, which means the (P, aP, bP, cP) are random tuples. If A’s guess is correct, A should have asked H₂ oracle with $e(r_i^{*}p{k}_i^{*},abP)$ and C added $\{e(r_i^{*}p{k}_i^{*},abP),{\rho }_i^{*}\}$ into L₂ list. As can be seen from the above, abP is equal to cP.

Further, we will analyze the probability of C success. Define the events E₁, E₂ E₃, and E₄ in the following:

E₁: A does not perform the key-generation query with identity $I{D}_r^{\ast }$.

E₂: C does not abort the unsigncryption queries.

E₃: A selects $I{D}_r^{\ast }$ as the recipient’s identity during the challenge phase.

E₄: A can successfully guess $\beta ={\beta }^{\prime }$.

C succeeds if the aforementioned events happen. It is easy to get $\mathrm{Pr}[E_1]={(1-\tau )}^{{\mathrm{q}}_{\mathrm{k}}}$, $\mathrm{Pr}[E_2|E_1]={(1-\tau )}^{{\mathrm{q}}_{\mathrm{u}}}$, $\mathrm{Pr}[E_3|E_1{E}_2]\ge \tau$, and $\mathrm{Pr}[E_4|E_1{E}_2{E}_3]\ge \epsilon$, so $\mathrm{Pr}[E_1\wedge E_2\wedge E_3\wedge E_4]$ $\ge \tau {(1-\tau )}^{q_k+q_u}\epsilon$.

The computation time of C comes from A’s computation time. We can get that 2, 2 scalar multiplications and 1 pairing calculation are needed in the H₁ query, key generation query, unsigncrypt query. So, the time of C solving the DDHP instance is $t^{\prime }\le t+O(q_u)t_p+O(2q_H{}_{{}_1}+2q_k)t_m$.

Theorem 2.

(Unforgeability of MOHSC-I scheme): F is a forger with a non-negligible advantage$\epsilon$to forge an aggregate signcryption of the MOHSC-I scheme within running time t, and F requests q_i queries to H_i (i = 1, 2, 3) oracles, q_k queries to key-generation oracle, q_s queries to signcrypt oracle, then the CDHP will be settled by an algorithm C with probability${\epsilon }^{\prime }\le \epsilon \tau {(1-\tau )}^{q_k+n-1}$in a time$t^{\prime }\le t+O(2q_H{}_{{}_1}+q_k+2q_s+n+1)t_m+O(q_s)t_p$.

Proof. 

Here, we show that how C uses F to settle a given CDHP example (P, aP, bP). □

Initial: C executes the Setup algorithm to sets Ppub = aP, then transmits params and s to F. C also executes the PKI-KG algorithm and sends the senders’ public keys ${\left\{p{k}_i^{*}\right\}}_{i=1}^n$ to F.

Attack: C keeps four lists L₁, L₂, L₃, and L_k to simulate the hash oracles H₁, H₂, H₃, and the key- generation oracle.

–

H₁ queries: The list L₁ with structure $\{I{D}_r,{\alpha }_r,Q_r,D_r\}$ is maintained byC. C randomly chooses ${\alpha }_r\in Z_p^{\ast }$ and computes $Q_r={\alpha }_{r}P$,$D_r={\alpha }_{r}aP$. Then, it adds $\{I{D}_r,{\alpha }_r,Q_r,D_r\}$ to L₁ list and returns Q_r, D_r.

–

H₂ queries and H₃ queries are the same as in Theorem 1, so we will not describe the details.

–

Key-generation queries: The list L_k with structure $\{I{D}_i,x_i,p{k}_i,s{k}_i,d_i\}$ is maintained by C. When F requests the query with ID_r, C examines whether $\{I{D}_i,x_i,p{k}_i,s{k}_i,d_i\}$ is already in L_k. If so, C transmits pk_i and sk_i to F. Otherwise, C flips a coin $d_i\in \{0,1\}$ that returns 0 with probability $\tau$ and 1 with probability $1-\tau$. If $d_i=0$, C sets $s{k}_i=bP$,$s{k}_i=\perp$, adds $\{I{D}_i,\perp ,\perp ,s{k}_i,d_i\}$ to L_k. Otherwise, C randomly picks $x_i\in Z_p^{\ast }$, sets $s{k}_i=x_i$,$p{k}_i=x_{i}P$, adds $\{I{D}_i,x_i,p{k}_i,s{k}_i,d_i\}$ to L_k, transmits pk_i and sk_i to F.

–

Signcrypt queries: F submits one message m_i, the sender V_i’s identity ID_i, the receiver’s identity ID_r to C. If $d_i=0$, C returns $\perp$. Otherwise, C selects randomly $r_i\in Z_p^{\ast }$, computes $R_i=r_i{x}_i{P}_{pub}$,$k_i=e(R_i,Q_r)$. Then, C makes a H₂ query on $k_i$ and gets $({\rho }_i,k_i)$ from L₂ list, C computes $c_i=m_i\oplus {\rho }_i$, $S_i=s{k}_i{h}_i{P}_{pub}=x_i{h}_{i}aP$, and returns ${\sigma }_i=(c_i,R_i,S_i)$ to F.

Forgery: F returns n senders’ identities ${\left\{I{D}_i^{*}\right\}}_{i=1}^n$, a receiver’s identity $I{D}_r^{*}$, and a new aggregate signcryption ciphertext ${\sigma }^{*}$ on messages $m^{*}=(m_1^{*},m_2^{*},\dots ,m_n^{*})$. F wins the game if and only if:

(1)

The output of Unsigncrypt $({\sigma }^{*},{\left\{p{k}_i\right\}}_{i=1}^n,s{k}_{I{D}_r^{*}})$ is valid. The advantage of the forger F can be defined as its probability of winning the game.

(2)

At least one sender, without losing generality, let $I{D}_1^{*}$ has not been requested in the key-generation query. In addition, $({\left\{p{k}_i^{*}\right\}}_{i=1}^n,{\left\{m_i^{*}\right\}}_{i=1}^n,I{D}_r^{*})$ have never been asked in the Signcrypt queries.

For all $1\le i\le n$, C gets tuples $\{I{D}_i^{\ast },x_i^{\ast },s{k}_i^{\ast },p{k}_i^{\ast },d_i^{\ast }\}$,$\{p{k}_i^{\ast },p{k}_r^{\ast },R_i^{\ast },c_i^{\ast },h_i^{\ast }\}$ from L_k and L_3, respectively. If $d_1^{\ast }=0$ and $d_i^{\ast }=1(i=2,\dots ,n)$, C continues. Otherwise, C aborts. Since ${\sigma }^{*}$ meets the Equation (1), then

$$e(h_1^{\ast }p{k}_1^{\ast },P_{pub})=e(S^{\ast },P)e({\displaystyle \sum _{i=2}^n{h}_i^{\ast }p{k}_i^{\ast }},-P_{pub}).$$

Since $p{k}_1^{\ast }=bP$, $P_{pub}=aP$ and $p{k}_i^{\ast }=x_i^{\ast }P$ for all $2\le i\le n$, it can be transformed into:

$$e(h_1^{\ast }abP,P)=e(S^{\ast },P)e(-{\displaystyle \sum _{i=2}^n{h}_i^{\ast }{x}_i^{\ast }aP,P)}.$$

Hence,C can compute

$$abP={(h_1^{\ast })}^{-1}(S^{\ast }-{\displaystyle \sum _{i=2}^n{x}_i^{\ast }{h}_i^{\ast }}aP).$$

Further, we will analyze the possibility of C success. Define the events E₁, E₂, and E₃ in the following:

E₁: C does not abort all queries of key-generation.

E₂: F produces a valid and nontrivial forged aggregate ciphertext.

E₃: E₂ happens, and $d_1^{\ast }=0,d_i^{\ast }=1(2\le i\le n)$.

C is successful as long as the above events happened. The probability is $\mathrm{Pr}[E_1\wedge E_2\wedge E_3]$.

We know that

$$\mathrm{Pr}[E_1]\ge {(1-\tau )}^{q_k},\mathrm{Pr}[E_2|E_1]\ge \epsilon ,\mathrm{Pr}[E_3|E_1\wedge E_2]\ge \tau {(1-\tau )}^{n-1}.$$

So that

$$\mathrm{Pr}[E_1\wedge E_2\wedge E_3]\ge {(1-\tau )}^{q_k}\epsilon \tau {(1-\tau )}^{n-1}=\epsilon \tau {(1-\tau )}^{q_k+n-1}.$$

The computation time of C comes from F’s computation time, which contains the time C responses queries and the time that C calculates the CDHP example. We can get that 2, 1, 2 scalar multiplications are needed in the H₁ query, key-generation query and signcrypt query, respectively. In addition, 1 pairing calculation is needed in the signcrypt query. n+1 scalar multiplication is needed in C calculating the CDHP example. Therefore, the CDHP example will be settled within time $t^{\prime }\le t+O(2q_H{}_{{}_1}+q_k+2q_s+n+1)t_m+O(q_s)t_p$.

The proof process of confidentiality and unforgeability MOHSC-II, OMHSC-I, and OMHSC-II are very similar to Theorem 1 and Theorem 2, respectively. Therefore, here we omit the detailed proof due to the limited space.

6. Performance Analysis

Figure 2 gives a specific application scenario of the proposed schemes. If vehicle V_A collides with vehicle V_B, V_A, V_B, and V_C signcrypt the traffic information including collision messages to a nearby RSU by our many-to-one signcyption schemes (MOHSC-I or MOHSC-II) just in order to avoid traffic jams, and these steps are repeated in a short time interval according to DSRC protocol [1]. Then, the nearby RSU unsigncrypted the messages from V_A, V_B, and V_C after authenticating the messages integrity and vehicles’ identities, which is just to ensure that the vehicles will be responsible for messages. Further, by using our one-to-many signcryption schemes (OMHSC-I or OMHSC-II), the RSU signcrypts and broadcasts the integrated information to other adjacent vehicles in time and makes them go around early. As a result, other cars can avoid joining this traffic congestion and make traffic management more convenient. Compared with the other current broadcast technology, our schemes can guarantee the integrity and tamper-resistance of message and the authentication of message sources, which can improve the credibility of message.

To guarantee the authenticity and confidentiality of message, the sender signcrypts message in our schemes. Upon receiving messages from many vehicles, the RSU first verifies the authenticity of these messages and then discards the error or distorted messages. Although some methods in [21,22,23,24,25,26] achieve heterogeneous communication, they have different disadvantages, which are given in Related Work. The function comparisons of all the schemes are depicted in

Table 1. Function comparisons.

Scheme	Cryptosystem	Provable Security	n Ciphertexts Length
HOOSC [23] SEDT [24] HSC-I [25] HSC-II [25] MHSC [26] MOHSC-I MOHSC-II	IBC$\to$PKI IBC$\to$PKI PKI$\to$IBC IBC$\to$PKI PKI$\to$IBC PKI$\to$IBC IBC$\to$PKI	Yes Yes Yes Yes Yes Yes Yes	n(|m| + 3|G1|) n|m| + (n2 + 3n)|G1| n(|m| + 2|G1|) n(|m| + 2|G1|) n|m| + (n + 1)|G1| n|m| + (n + 1)|G1| n|m| + (n + 1)|G1|

. In addition,

Table 2. Computation comparisons (public key infrastructure (PKI)$\to$ identity-based cryptosystem (IBC)).

Scheme	PKI Setup	IBC Setup	Signcryption	Unsigncryption	Total
HSC-I [25]	n(2tm + tinv)	n(tm + tinv)	n(te + 3tm)	n(2tp + te + tinv)	2ntp + 2nte + 3ntinv + 6ntm
MHSC [26]	ntm	n(tm + tinv)	n(te + 4tm)	(n + 2)tp + ntm	(n + 2)tp + nte + ntinv + 7ntm
MOHSC-I	ntm	ntm	n(tp + 3tm)	(n + 2)tp + ntm	(2n + 2)tp + 6ntm

and

Table 3. Computation comparisons (IBC$\to$ PKI).

Scheme	PKI Setup	IBC Setup	Signcryption	Unsigncryption	Total
HOOSC [23]	n(2tm + tinv)	n(tm + tinv)	n(te + 2tm + tinv)	n(2tp + te + 2tm + tinv)	2ntp + 2nte + 4ntinv + 7ntm
HSC-II [25]	n(tm + tinv)	n(2tm + tinv)	n(te + 2tm)	n(2tp + te + tm + tinv)	2ntp + 2nte + 3ntinv + 6ntm
MOHSC-II	ntm	ntm	n(tp + 3tm)	(n + 2)tp + ntm	(2n + 2)tp + 6ntm

and Figure 3 and Figure 4 mainly focus on the comparison of computation costs, Figure 5 and Figure 6 give the comparison of energy consumption because both vehicles and RSUs are computation-limited and energy-constrained devices, and the computation costs and energy consumption directly affect the practicability of our schemes.

From Table 1, we see only the schemes from [25] and our schemes can achieve bi-directional heterogeneous communication. Since our MOHSC-I and MOHSC-II schemes simultaneously send n messages but the schemes in [23,24,25] send one message to the receiver, their ciphertexts length should be multiplied by n just to ensure the fairness of comparisons. Obviously the aggregate ciphertext length from n messages in our MOHSC-I and MOHSC-II schemes is the shortest, regardless of the size of m and G₁ that are selected. So, the communication costs and storage in our schemes have also been reduced.

In Table 2 and Table 3, t_m, t_p, t_inv, and t_e, respectively, represent the time of performing a scalar multiplication, one pairing calculation in G₁, an inverse operation in $Z_q^{\ast }$, and an exponent operation in G₂ individually. We do not consider other less time-consuming operations, such as the XOR operation. For the fairness of comparison, we extend schemes in [23,25,26] to n senders sending n messages to a receiver in Table 2 and Table 3. Since other schemes in [23,26] only provide one-way heterogeneous communication, the comparisons are divided into PKI$\to$IBC in Table 2 and IBC$\to$PKI in Table 3 just for more scientific and elaborate results.

From Table 2 and Table 3, we can see our MOHSC-I and MOHSC-II schemes require a smaller total computation time (the sum of PKI setup, IBC setup, signcryption, and unsigncryption) when n messages are involved. The more intuitive analyses are given in Figure 3 and Figure 4 for schemes in [23,25,26] and our schemes. We implement the experiment on MICA2 platform (same as [24]). We can get t_p, t_e, and t_m takes 1.9 s, 0.9 s, and 0.81 s, respectively [24]. Note that a t_inv operation needs roughly 0.9 s, although, theoretically, a t_inv operation is more time-consuming than a t_e operation. Finally, according to Table 2 and Table 3, we can compute the total computation time of HSC-I, MHSC, MOHSC-I, HOOSC, HSC-II, and MOHSC-II are 2n × 1.9 + (2n + 3n) × 0.9 + 6n × 0.81 = 13.16ns, (n + 2) × 1.9 + 2n × 0.9 + 7n × 0.81 = 9.37n + 3.8s, (2n + 2) × 1.9 + 6n × 0.81 = 8.66n + 3.8s, 2n × 1.9 + (2n + 4n) × 0.9 + 7n × 0.81 = 14.87ns, 2n × 1.9 + (2n + 3n) × 0.9 + 6n × 0.81 = 13.16ns, and (2n + 2) × 1.9 + 6n × 0.81 = 8.66n + 3.8s, respectively. The comparisons of total computational time are shown in Figure 3 and Figure 4.

Since vehicles and RSUs are both energy-constrained devices, we must consider the energy consumption. According to [24], a t_p operation consumes 45.6 mJ, a t_e operation consumes 21.6 mJ, and a t_m operation consumes 19.44 mJ; here, we suppose t_inv also consumes 21.6 mJ. So, the computational energy consumption of HSC-I, MHSC, HMOSC-I, HOOSC, HSC-II, and HMOSC-II schemes are 2n × 45.6 + (2n + 3n) × 21.6 + 6n × 19.44 = 315.84n mJ, (n + 2) × 45.6 + 2n × 21.6 + 7n × 19.44 = 224.88n + 91.2 mJ, (2n + 2) × 45.6 + 6n × 19.44 = 207.84n + 91.2 mJ, 2n × 45.6 + (2n + 4n) × 21.6 + 7n × 19.44 = 356.88n mJ, 2n × 45.6+ (2n + 3n) × 21.6 + 6n × 19.44 = 315.84n mJ, and (2n + 2) × 45.6 + 6n × 19.44 = 207.84n + 91.2 mJ, respectively. For the communication energy consumption, as in [24], a sensor consumes 0.052 mJ and 0.019 mJ to transmit and receive a 1-byte message (namely the total energy consumption of communicating a one-byte message is 0.071 mJ). Combined with the ciphertext length in Table 1 and the common assumptions that |G₁| = 160 bits and |m| = 160 bits, which can be reduced to 20 bytes, the communication energy consumption of HSC-I, MHSC, MOHSC-I, HOOSC, HSC-II, and MOHSC-II schemes are (20 + 2 × 20) × 0.071 × n = 4.26n mJ, 20 × 0.071 × n + (n + 1) × 20 × 0.071 = 2.84n + 1.42 mJ, 20 × 0.071 × n + (n + 1) × 20 × 0.071 = 2.84n + 1.42 mJ, (20 + 3 × 20) × 0.071 × n = 5.68n mJ, (20 + 2 × 20) × 0.071 × n = 4.26n mJ, and 20 × 0.071 × n + (n + 1) × 20 × 0.071 = 2.84n + 1.42 mJ, respectively. In a word, the total energy consumption of HSC-I, MHSC, MOHSC-I, HOOSC, HSC-II, and MOHSC-II schemes are 315.84n + 4.26n = 320.1n mJ, 224.88n + 91.2 + 2.84n + 1.42 = 227.72n + 92.62 mJ, 207.84n + 91.2 + 2.84n + 1.42 = 210.68n + 92.62 mJ, 356.88n + 5.68n = 362.56n mJ, 315.84n + 4.26n = 320.1n, and 207.84n + 91.2 + 2.84n + 1.42 = 210.68n + 92.62 mJ, respectively. The comparisons of total energy consumption are shown in Figure 5 and Figure 6.

As can be seen from the Table 1, Table 2 and Table 3 and Figure 3, Figure 4, Figure 5 and Figure 6, our schemes have the minimum aggregate ciphertext length, total computation costs, and total energy consumption among these schemes. It is very viable and sound for the practical application of VANETs.

7. Conclusions

In the article, two many-to-one heterogeneous signcryption schemes and two one-to-many heterogeneous signcryption schemes for secure V2I communication in VANETs are proposed. These schemes can all construct a secure channel between heterogeneous vehicles and a RSU to support confidentiality, authentication, integrity, and non-repudiation services in a logical step. Specifically, the many-to-one signcryption schemes adopt the aggregate method to support batch verification when multiple vehicles in the PKI (IBC) system transmit messages to a nearby RSU in the IBC (PKI) system, and the one-to-many schemes support a RSU in the PKI (IBC) broadcasts a message to multiple vehicles registered in IBC (PKI) system. All the schemes can be proven to be IND-CCA2 and EUF-CMA secure. Furthermore, the numerical analyses and simulation results, which are shown in Table 1, Table 2 and Table 3 and Figure 3, Figure 4, Figure 5 and Figure 6, can demonstrate the aggregate ciphertext length, communication costs, total computation costs, and total energy consumption of our schemes are better than the existing ones. The analyses show our schemes are more suitable for the practical heterogeneous V2I communication in VANETs.