ANAA-Fog: A Novel Anonymous Authentication Scheme for 5G-Enabled Vehicular Fog Computing

Abstract

Vehicular fog computing enabled by the Fifth Generation (5G) has been on the rise recently, providing real-time services among automobiles in the field of smart transportation by improving road traffic safety and enhancing driver comfort. Due to the public nature of wireless communication channels, in which communications are conveyed in plain text, protecting the privacy and security of 5G-enabled vehicular fog computing is of the utmost importance. Several existing works have proposed an anonymous authentication technique to address this issue. However, these techniques have massive performance efficiency issues with authenticating and validating the exchanged messages. To face this problem, we propose a novel anonymous authentication scheme named ANAA-Fog for 5G-enabled vehicular fog computing. Each participating vehicle’s temporary secret key for verifying digital signatures is generated by a fog server under the proposed ANAA-Fog scheme. The signing step of the ANAA-Fog scheme is analyzed and proven secure with the use of the ProfVerif simulator. This research also satisfies privacy and security criteria, such as conditional privacy preservation, unlinkability, traceability, revocability, and resistance to security threats, as well as others (e.g., modify attacks, forgery attacks, replay attacks, and man-in-the-middle attacks). Finally, the result of the proposed ANAA-Fog scheme in terms of communication cost and single signature verification is 108 bytes and 2.0185 ms, respectively. Hence, the assessment metrics section demonstrates that our work incurs a little more cost in terms of communication and computing performance when compared to similar studies.

1. Introduction

The World Health Organization (WHO) reports that annually 1.25 million individuals lose their lives in traffic-related incidents [1,2]. The fifth generation (5G) technology, vehicular networks, and fog computing have been deployed lately on a wide scale in several nations’ transportation systems to improve driving safety and manage increasingly congested traffic scenarios. Vehicles equipped with a wireless device, known as onboard units (OBUs), are a type of intelligent transportation system (ITS) that collects, processes, and disseminates traffic data within the context of networked vehicles [3,4].

Participants in 5G-enabled vehicular fog computing communicate information about traffic conditions (such as road difficulties, congestion situations, and temperature conditions) and vehicle conditions (such as location, speed, traffic status, etc.) [5,6]. Emergency vehicles, such as traffic control centres, depend on these messages to make life-or-death decisions. Congestion and potential accidents will result if an attacker modifies or inserts harmful messages into the network. It is crucial, then, that 5G-enabled vehicular fog computing pay close attention to privacy and security concerns [7,8].

Drivers’ needs are changing as urban cars proliferate. Hence, the VANET under 5G mobile networks can meet current application requirements for capacity and coverage. Vehicular networks have many difficulties and opportunities. In general, 5G wireless networks have data transmission rates of 20 Gb/s and 100 Mb/s [9,10].

Using a fog server in place of an RSU is one way in which fog computing can help satisfy the need for adopting vehicular networks, as stated by the authors in [11]. The fog server is assumed to not be completely trustworthy despite its access to essential services, such as computation and storage. Meanwhile, writers mention [12] as evidence that fog computing can help meet the demand for rolling up 5G networks. Our study introduces a fog computing-based pseudonym authentication (FC-PA) method to reduce the load on 5G-enabled vehicle networks. For 5G-enabled vehicle networks, the authors in [13] propose a technique for removing pseudonyms via fog computing that is based on the Chebyshev polynomial.

A lot of authentication schemes fail to address privacy and security altogether. Additionally, performance efficiency is still more vulnerable. These techniques have massive performance efficiency issues withauthenticating and validating the exchanged messages. Therefore, this paper presents a novel anonymous authentication (ANAA-Fog) scheme to reduce the overhead of the system and achieve privacy and security requirements. The main contributions of this paper are listed as follows.

• A new ANAA-Fog scheme is proposed for 5G-enabled vehicular fog computing in which the trusted authority (TA) saves the master key in the fog server to generate the temporary secret key to each participating vehicle.
• The proposed ANAA-Fog scheme uses a fog server instead of RSU to generate and issue temporary keys for each vehicle located within the 5G-base station.
• By using a shared key, vehicle and fog servers can together achieve a mutual authentication process.
• Security analysis uses the ProfVerif simulator to prove the security of ANAA-Fog scheme formality. Additionally, this work satisfies authentication of the signer, integrity of the message, conditional privacy-preserving, unlinkability, traceability and revocability, and security attacks resistance in terms of modification, forgery, replay, and man-in-the-middle attacks.
• The efficiencies of our ANAA-Fog scheme in achieving privacy and security are dominated in terms of communication and computation overheads.

The rest of this paper is organized as follows: Section 3 provides the background. Section 2 reviews the existing schemes. The proposed ANAA-Fog scheme is explained in Section 4. Section 5 lists the numerical example of our approach. The security analysis of our work is shown in Section 6. Section 7 describes evaluation metrics. Lastly, the conclusions of this paper are provided in Section 8.

2. Related Work

2.1. Security and Privacy Research

Information shared by vehicles always involves driver safety; information requires validation and authentication before revealing the inside content. Zhong et al. [14] constructed a certificateless aggregate signature scheme with full aggregation to provide communication security in a vehicular network. Bayat et al. [15] constructed an anonymous authentication scheme based on the roadside unit (RSU) to authenticate vehicles during the joining process. Liu et al. [16] proposed a distributed computing based on a proxy-based authentication scheme to verify multiple messages with a verification function simultaneously. Asaar et al. [17] highlighted the limitation existing in the scheme of Liu et al. [16] that message authenticity is not satisfied, which is vulnerable to modification and forgery attacks. Li et al. [18] constructed a provable authentication scheme to provide both the privacy and security required in a vehicular network.

Recently, Zhang et al. [19] created a simple traffic route management system for fog-based VANETs. For this plan, automobiles will encrypt their travel plans with homomorphic encryption before transmitting them to a fog node. The fog node aggregates encrypted traffic data, which is then sent to the traffic management centre (TMC), where it is decrypted and used for traffic control without the TMC needing to know the specific routes taken by each vehicle. Cui et al. [20] created the Internet of Autonomous Vehicles (IoAV) paradigm to address the issues caused by these constraints. It is important to implement a trustworthy authentication mechanism that is applicable in IoAV to encourage safe remote control of the AV. We present a method for providing secure remote control features for AVs using authenticated key agreement (CMAKA) based on chaotic maps. Chen et al. [21] provided SAABS-CR, an efficient server-aided ABS that is also resistant to collusion and may be used for IoV. Server-assisted computing technology reduces the computational load on verifiers while remaining perfectly resistant to collusion attacks between signers and between the signer and the aided server.

2.2. Fog Computing Research

The traditional technology of cloud computing is not qualified for the case where an extension of information is generated. Xiao et al. [22] presented the concept of fog computing to the Internet of Things (IoT) area. This concept is acquired publicly and is growing and being applied in different service domains, including industrial IoT [23]. The fog computing of IoT indicates the producer and the consumer, i.e., some traditional cloud applications can be transferred to the fog server of the system, which can satisfy some valid effects, such as lower latency, better offloading, and so on. Zhang et al. [24] suggested an architecture vehicular edge computing framework based on cloud computing for offloading. In their work, a Stackelberg game model is used for optimizing resource allocation among vehicle fog/edge computing applications. Cui et al. [11] introduced the concept of fog computing to propose an anonymous authentication scheme for the vehicular network by using a fog server and group administrator. Tang et al. [25] presented the idea of resource pooling into vehicular fog computing (VFC) to jointly save computational applications in a community.

Table 1. Summarizing Related Work.

Paper Reference	Year	Approach	Disadvantages
[14]	2019	Bilinear Pairing Cryptography	Massive communication costs; requires bilinear pair, requires several scalar multiplication operations and requires several point addition operations
[15]	2019	Bilinear Pairing Cryptography	Massive computation and communication costs; requires map-to-point operations
[17]	2018	Elliptic Curve Cryptography	Several scalar multiplication operations
[18]	2018	Elliptic Curve Cryptography	Several scalar multiplication operations

summarises related works in terms of the year, approach, and disadvantages.

Therefore, this paper introduces the concept of fog computing for 5G-enabled vehicular fog computing by proposing a novel anonymous authentication (ANAA-Fog) scheme to address security and privacy issues.

3. Background

This section describes the design model, security objectives, and mathematical requirements of our work for 5G-enabled vehicular fog computing as follows.

3.1. Design Model

As shown in Figure 1, there are four main entities for our work, namely, one trusted authority (TA), some fog servers, some 5G-base stations (5G-BSs), and many vehicles equipped with an onboard unit (OBU). The functional work of these entities is explained in the following steps.

• Trusted Authority (TA): The TA is fully trusted in the system and has powerful measurement and sufficient storage. The TA not only works to issue the cryptographic parameters, but also traces the malicious third party when the forged message is reported.
• Fog Server: The fog server is a reliable third party that assists the TA in revealing the signers’ identities. Pseudonym IDs for vehicles are generated by mutual authentication via 5G-BS, with the master key preloaded on the fog server by the TA. The public key of the fog server is utilized in our work as the basis for verification.
• A 5G-Base Station (5G-BS): The 5G-BS is a reliable roadside infrastructure. It is a communication medium between entities without data storage or processing capabilities.
• Vehicle: Each vehicle has a wireless device, namely, an onboard unit (OBU), to exchange messages among entities. The OBU supports the 5G standard to save security parameters obtained from the fog server.

3.2. Security Objectives

The following security objectives need to be met for 5G-enabled vehicular fog computing security.

• Authentication of Signer: To verify that the message is coming from trusted sources;
• Integrity of Message: Aiming to guarantee that the message is delivered unaltered;
• Conditional Privacy-Preserving: To make sure that no third party can reveal the true identity of the vehicle;
• Unlinkability: To ensure no third party can link two or more messages sent from the same signer;
• Traceability: If necessary, the TA can divulge the signer’s identity to protect against internal attacks;
• Revocability: The TA can disable the signer’s identification and revoke any further use of their signature if necessary.
• Security Attacks Resistance: To ensure that our work is resisting common security attacks, such as modification, forgery, man-in-the-middle, and replay attacks.

3.3. Mathematical Requirements

Presume that the item $E/F_p$ stands for an ECC over a field of prime finite $F_p$ such that p is several large primes. The curve ECC is determined as below.

$$y^2=x^3+ax+b$$

(1)

where a, b ∈$F_p$, and $\delta =4a^3+27b^2\ne 0$ is the real-valued. The points on $E/F_p$ with an extra point at infinity O form a cyclic additive group of ECC:

$$G=\{(x,y):x,y\in F_p,E(x,y)=0\}\cup \left\{O\right\}$$

(2)

G is the point addition ‘+’ -based group of cyclic additive described as follows: Let $P,Q\in G,l$ be the connected line P and Q (tangent line to $E/F_p$ if $P=Q$), and R be the third intersection point of l with $E/F_p$. Let $l^{-}$ be the connected line R and O.

Then, $P+Q$ is the point such that $l^{-}$ intersects $E/F_p$ at R and O. A form of scalar multiplication based on $E/F_p$ can be measured as follows:

$$tP=P+P+\dots +P\left(ttimes\right)$$

(3)

where t $\in F_p$ and P ∈ G.

• It is difficult to quantify $abP\in G$ when given P, $aP$, and $bP\in G$, which is the case for any a, b $in{Z}_q^{*}$ in the Computational Diffie–Hellman (CDH) Problem.
• Calculating the value 0 ≤ l ≤ q − 1 on an elliptic circle complex (ECC) with P and Q of order q on ECC such that $Q=lP$ is known as the “Elliptic Curve Discrete Logarithm” (ECDL) Problem.

4. The Proposed Scheme

The proposed ANAA-Fog scheme consists of four phases: TA initialization, mutual authentication, vehicle signature, and message verification phases, as shown in Figure 2.

4.1. TA Initialization Phase

In this phase, the TA executes system initialization as outlined in the following five steps.

• $Ste{p}_1$: Let G be an additive group with a generator P and $p,q$ be large prime numbers. Let $E:$$y^2=x^3+ax+b$ $mod$ p be an elliptic curve, where $a,b\in Z_q^{*}$.
• $Ste{p}_2$: The TA picks a secure message authentication code (MAC) function $MAC(·)$ and three secure hash functions $H_1(·),H_2(·)$, and $H_3(·)$ as $H_1:G\to Z_q^{*}$, $H_2:{\{0,1\}}^{*}\times {\{0,1\}}^{*}\times G\to Z_q^{*}$, $H_3:{\{0,1\}}^{*}\to Z_q^{*}$.
• $Ste{p}_3$: The TA picks the randomly chosen number ${\xi }_{ta}\in Z_q^{*}$ as the secret key and computes the corresponding public key $Pu{b}_{ta}={\xi }_{ta}·P$.
• $Ste{p}_4$: The TA publishes and saves the system parameters $\psi$ =$\{G,a,b,P,p,q,H_1,H_2,H_3,Pu{b}_{ta},MAC(·)\}$ into OBUs and fog servers.
• $Ste{p}_5$: Finally, the TA sets the randomly chosen number ${\xi }_{fo{g}_j}\in Z_q^{*}$ as the secret key for each fog server $Fo{g}_j$ and then saves both secret keys ${\xi }_{ta}$ and ${\xi }_{fo{g}_j}$ on the fog server $Fo{g}_j$.

4.2. Mutual Authentication Phase

The following nine stages detail how an $OB{U}_i$ can access the temporary secret key of a fog server $Fo{g}_j$ while joining the 5G-BS coverage area.

• $Ste{p}_1$: $OB{U}_i$ sets the randomly chosen number $\mu \in Z_q^{*}$ and generates its anonymous-ID $\left(AI{D}_i\right)$ as follows.

  $$\begin{array}{cc}\hfill & AI{D}_i=\langle AI{D}_i^1,AI{D}_i^2\rangle \hfill \\ \hfill & AI{D}_i^1=\mu ·P\hfill \\ \hfill & AI{D}_i^2=I{D}_i\oplus H_1(\mu ·Pu{b}_{ta})\hfill \end{array}$$

  (4)
  $Ste{p}_2$: Next, $OB{U}_i$ sends its anonymous-ID $\left(AI{D}_i\right)$ to close $Fo{g}_j$ located on the area covered by 5G-BS.
• $Ste{p}_3$: While receiving $\left(AI{D}_i\right)$ from $OB{U}_i$, $Fo{g}_j$ reveals the real identity of $OB{U}_i$ by using the TA’s secret key as follows.

  $$I{D}_i=AI{D}_i^2\oplus H_1({\xi }_{ta}·AI{D}_i^1)$$

  (5)
• $Ste{p}_4$: Next, $Fo{g}_j$ verifies legitimate $I{D}_i$ by checking whether $I{D}_i$ exists on the certificate revocation list (CRL). The TA periodically sends CRL to $Fo{g}_j$ to ensure that $I{D}_i$ is not revoked.
• $Ste{p}_5$: Once $I{D}_i$ is legitimate, $Fo{g}_j$ sets the randomly selected number $a\in Z_q^{*}$ and calculates $A=a·P$, $R=a·AI{D}_i^1=a·\mu ·P$, $k_{ij}=H_1\left(R\right)$ as the same save key among $OB{U}_i$ and $Fo{g}_j$, where A helps $OB{U}_i$ to generate the same save key among $OB{U}_i$ and $Fo{g}_j$.
• $Ste{p}_6$: $Fo{g}_j$ generates the new temporary secret key as ${\xi }_{Tke{y}_j}=H_1({\xi }_{fo{g}_j}\left|\right|t{s}_{Tkey})$ and computes the corresponding public key of a temporary secret key as $Pu{b}_{fo{g}_j}={\xi }_{Tke{y}_j}·P$, where $t{s}_{Tkey}$ is the valid timestamp. Note that $Fo{g}_j$ periodically broadcasts its public key ($Pu{b}_{fo{g}_j}$) with its timestamp $t{s}_{Tkey}$ on its area covered by 5G-BS.
• $Ste{p}_7$: Next, $Fo{g}_j$ encrypts its new temporary secret key ${\xi }_{Tke{y}_j}$ as $En{c}_{fo{g}_j}=MA{C}_{K_{ij}}\left({\xi }_{Tke{y}_j}\right)$ and transmits $(A,En{c}_{fo{g}_j})$ to $OB{U}_i$.
• $Ste{p}_8$: While receiving $(A,En{c}_{fo{g}_j})$ from $Fo{g}_j$, $OB{U}_i$ first calculates the shared secret key $k_{ij}$ as follows.

  $$k_{ij}=H_1(\mu ·A)=H_1(\mu ·a·P)=H_1(a·AI{D}_i^1)$$

  (6)
• $Ste{p}_9$: Next, $OB{U}_i$ decrypts $De{c}_{OB{U}_i}=MA{C}_{K_{ij}}\left(En{c}_{fo{g}_j}\right)$ to obtain the temporary secret key ${\xi }_{Tke{y}_j}$. Note that $OB{U}_i$ saves the temporary secret key ${\xi }_{Tke{y}_j}$ into a tamper-proof device (TPD).

4.3. Vehicle Signature Phase

To generate the signature of message $Ms{g}_i$, this phase executes the vehicle signature, as outlined in the following four steps where $t{s}_i$ is the current timestamp.

• $Ste{p}_1$: $OB{U}_i$ sets the randomly chosen number ${\varrho }_i\in Z_q^{*}$ and generates its public anonymous-ID $\left(PAI{D}_i\right)$ as follows.

  $$\begin{array}{cc}\hfill & PAI{D}_i=\langle PAI{D}_{i,1},PAI{D}_{i,2}\rangle \hfill \\ \hfill & PAI{D}_{i,1}={\varrho }_i·P\hfill \\ \hfill & PAI{D}_{i,2}=I{D}_i\oplus H_1({\varrho }_i·Pu{b}_{fo{g}_j})\hfill \end{array}$$

  (7)
• $Ste{p}_2$: $OB{U}_i$ calculates signature key $S{K}_i$ as follows.

  $$\begin{array}{c}\hfill S{K}_i={\xi }_{Tke{y}_j}·H_2(PAI{D}_{i,1}\left|\right|PAI{D}_{i,2}\left|\right|t{s}_i)\end{array}$$

  (8)
• $Ste{p}_3$: $OB{U}_i$ generates signature ${\sigma }_i$ as follows.

  $$\begin{array}{c}\hfill {\sigma }_i={\varrho }_i·H_3(Ms{g}_i\left|\right|PAI{D}_{i,1}\left|\right|PAI{D}_{i,2}\left|\right|t{s}_i)+S{K}_i\end{array}$$

  (9)
• $Ste{p}_4$: $OB{U}_i$ broadcasts $Ms{g}_{OB{U}_i}=$$(Ms{g}_i,PAI{D}_{i,1},PAI{D}_{i,2},t{s}_i,{\sigma }_i)$ to the recipient for 5G-enabled vehicular fog computing.

4.4. Message Verification Phase

While receiving $Ms{g}_{OB{U}_i}=$$(Ms{g}_i,PAI{D}_{i,1},PAI{D}_{i,2},t{s}_i,{\sigma }_i)$, the recipient checks if both Equations (10) and (11) hold and accepts $Ms{g}_i$ if it does.

$$t{s}_i>t{s}_r-t{s}_{▽}$$

(10)

where $t{s}_r$ is the received time of $Ms{g}_{OB{U}_i}$, and $t{s}_{▽}$ is the predefined delay time.

$$\begin{array}{cc}\hfill & {\sigma }_i·P\stackrel{?}{=}\left({\varrho }_i·H_3(Ms{g}_i\left|\right|PAI{D}_{i,1}\left|\right|PAI{D}_{i,2}\left|\right|t{s}_i)+S{K}_i\right)·P\hfill \\ \hfill & \stackrel{?}{=}\left({\varrho }_i·H_3(Ms{g}_i\left|\right|PAI{D}_{i,1}\left|\right|PAI{D}_{i,2}\left|\right|t{s}_i)+{\xi }_{Tke{y}_j}·H_2(PAI{D}_{i,1}\left|\right|PAI{D}_{i,2}\left|\right|t{s}_i)\right)·P\hfill \\ \hfill & \stackrel{?}{=}{H}_3(Ms{g}_i\left|\right|PAI{D}_{i,1}\left|\right|PAI{D}_{i,2}\left|\right|t{s}_i)·{\varrho }_i·P+H_2(PAI{D}_{i,1}\left|\right|PAI{D}_{i,2}\left|\right|t{s}_i)·{\xi }_{Tke{y}_j}·P\hfill \\ \hfill & \stackrel{?}{=}{H}_3(Ms{g}_i\left|\right|PAI{D}_{i,1}\left|\right|PAI{D}_{i,2}\left|\right|t{s}_i)·PAI{D}_{i,1}+H_2(PAI{D}_{i,1}\left|\right|PAI{D}_{i,2}\left|\right|t{s}_i)·Pu{b}_{fo{g}_j}\hfill \end{array}$$

(11)

In addition, while receiving n of $Ms{g}_{OB{U}_i}=$$({Ms{g}_i}^1,{PAI{D}_{i,1}}^1,{PAI{D}_{i,2}}^1,{t{s}_i}^1,{{\sigma }_i}^1)$, …, $({Ms{g}_i}^n,{PAI{D}_{i,1}}^n,{PAI{D}_{i,2}}^n,{t{s}_i}^n,{{\sigma }_i}^n)$ from n $OBUs$, the recipient should check the freshness of n timestamps ${t{s}_i}^n$ and the validity of n signatures ${{\sigma }_i}^n$ simultaneously. The recipient uses $\lambda =\{{\lambda }_1,{\lambda }_2,\dots ,{\lambda }_n\}$ as the small exponent test technology [26,27] to satisfy non-reputation in the batch signature verification. Thereby, the recipient should check the freshness of n timestamp ${t{s}_i}^n$ and the validity of n signature ${{\sigma }_i}^n$ by verifying whether both Equations (10) and (12) hold or not.

$$\begin{array}{cc}\hfill & \left(\sum _{i=1}^n{\lambda }_i·{\sigma }_i\right)·P\stackrel{?}{=}\sum _{i=1}^n{\lambda }_i·\left({\varrho }_i·H_3(Ms{g}_i\left|\right|PAI{D}_{i,1}\left|\right|PAI{D}_{i,2}\left|\right|t{s}_i)+S{K}_i\right)·P\hfill \\ \hfill & \stackrel{?}{=}\sum _{i=1}^n{\lambda }_i·\left({\varrho }_i·H_3(Ms{g}_i\left|\right|PAI{D}_{i,1}\left|\right|PAI{D}_{i,2}\left|\right|t{s}_i)+{\xi }_{Tke{y}_j}·H_2(PAI{D}_{i,1}\left|\right|PAI{D}_{i,2}\left|\right|t{s}_i)\right)·P\hfill \\ \hfill & \stackrel{?}{=}\sum _{i=1}^n{\lambda }_i·\left(H_3(Ms{g}_i\left|\right|PAI{D}_{i,1}\left|\right|PAI{D}_{i,2}\left|\right|t{s}_i)·{\varrho }_i·P+H_2(PAI{D}_{i,1}\left|\right|PAI{D}_{i,2}\left|\right|t{s}_i)·{\xi }_{Tke{y}_j}·P\right)\hfill \\ \hfill & \stackrel{?}{=}\sum _{i=1}^n{\lambda }_i·H_3(Ms{g}_i\left|\right|PAI{D}_{i,1}\left|\right|PAI{D}_{i,2}\left|\right|t{s}_i)·PAI{D}_{i,1}+\left(\sum _{i=1}^n{\lambda }_i·H_2(PAI{D}_{i,1}\left|\right|PAI{D}_{i,2}\left|\right|t{s}_i)\right)·Pu{b}_{fo{g}_j}\hfill \end{array}$$

(12)

5. Numerical Example

The signing and verifying processes that make up the entirety of the proposed scheme are all laid out here with specific examples to help clarify each step. Parameters used in the examples along with their corresponding values are listed in

Table 2. Parameters and their corresponding example values.

Parameters	Assigned Value
q	6277101735386680763835789423207666416083908700390324961279
b	2455155546008943817740293915197451784769108058161191238065
a	−3
P	(6060605759586981745225298306331506106605906434158077881180, 73105973664259701842662865334749264593111963840112646527)
p	6277101735386680763835789423207666416083908700390324961279
$I{D}_i$	MahmoodArif
$t{s}_i$	0:00:59
$Ms{g}_i$	Accident Zone

.

5.1. Signing Process

At the signing phase, the following procedures are carried out in order to authenticate VANET messages sent by a vehicle:

• The vehicle selects integer r = 112 and then computes
  $PAI{D}_{i,1}$= (5372685509794581430923519157983926567841610621689800376346, 184358346550176987 8476663486030087545328000639358916891123)
  $PAI{D}_{i,2}$= 17252a1e7c5d2705773689bd03c4653bab4076c4c605e505a;
• Lastly, the recipient receives the message –signature $(Ms{g}_i,PAI{D}_{i,1},PAI{D}_{i,2},t{s}_i,{\sigma }_i)$, where $t{s}_i$ is the date and time of the transmission, for example 2023-04-08 03:00:00 pm.

5.2. Verifying Process

The following procedures are carried out by the vehicle throughout the process of verifying messages:

• The authenticity of the timestamp $T_i$ initial.
• Then, the verifying receiver utilises ${\sigma }_i$ of the message–signature tuple $Ms{g}_{OB{U}_i}=$$(Ms{g}_i,PAI{D}_{i,1},PAI{D}_{i,2},t{s}_i,{\sigma }_i)$ to verify safety-related message $Ms{g}_i$.
• When the conditions below are met, the message is validated. If it does not, the reader will probably ignore this message; ${\sigma }_i·Pu{b}_{fo{g}_j}$ = (2472674792501583155433812416 893176943027481117926105568348, 206620733875689682980121563189488726285961007 1567012052768) + (695964802647003559697395103815408855146214996023865488517, 3264385455095969240554282193442456079956073210000018226187).
• To ensure the authenticity of a large number of messages in a single batch, the recipient can utilize ${\sigma }_i$ of the message–signature tuple $Ms{g}_{OB{U}_i}=$$(Ms{g}_i,PAI{D}_{i,1},PAI{D}_{i,2},t{s}_i,{\sigma }_i)$ to verify safety-related message $Ms{g}_i$.
• To check many messages about risk concurrently, hone in on the following techniques. ${\sum }_{i=1}^n{\lambda }_i·{\sigma }_{i}Pu{b}_{fo{g}_j}$ = ${\sum }_{i=1}^n({\lambda }_i·$ (2472674792501583155433812416893176943027481117926 105568348, 2066207338756896829801215631894887262859610071567012052768))
  + ${\sum }_{i=1}^n({\lambda }_i·$ (695964802647003559697395103815408855146214996023865488517,
  3264385455095969240554282193442456079956073210000018226187)).

6. Security Analysis

This section analyses our work concerning a ProVerif protocol verifier as well as security requirements.

6.1. ProVerif Protocol Verifier

ProVerif is an automatic cryptographic protocol to evaluate the property of security methods, including anonymous authentication, security gusset attacks resistance, confidentiality, etc., by using correspondence assertions and observational equivalence concepts. In the ProVerif specification language [28], a, b, c, …and x, y, z, …denote terms name and variables name, respectively. $Enc(M_1,M_2,\dots )$ denote the function application to process terms. The major general process is described as follows.

• O: Process with no effect.
• $P|Q$: Methods that run in concurrently.
• $!P$: The ability to repeatedly do something indefinitely.
• New $a:P$: Creation of a random number generator procedure a in P.
• Let $x=MinP$: Process P will continue after the assignment of $x=M$.
• Event (N): The actual happening (N).
• If C, then P, or else Q: Conditionals.
• In $(M,x)$: P: Process P will continue until M has been received on channel M.
• Out $(M,N)$: P: Process P will continue after receiving message N on channel M.

The Dolev–Yao adversary is carried out in the ProVerif tool to analyze the proposed ANAA-Fog scheme. This adversary not has full control power of the environment, but also can delete, modify reads, and inject exchanged information through the communication channel. Nevertheless, the adversary can run primitives only based on primitive definitions. For instance, unless decryption primitives are explicitly described, he/she will be unable to decrypt a message.

The ProVerif tool supports security primitives, such as hash function, digital signatures, and symmetric and asymmetric encryption/decryption. By utilizing terms, variables, and functions, other primitives can be modelled to rewrite equations and rules [29]. Protocols are transformed to horn clauses [30].

In the proposed ANAA-Fog scheme, the $OB{U}_i$ should receive the temporary secret key ${\xi }_{Tke{y}_j}$ from $Fo{g}_j$. If ok, the $Fo{g}_j$ is validated for $OB{U}_i$. To verify the fact that the same ${\xi }_{Tke{y}_j}$ that is transmitted by $Fo{g}_j$, is the one received by $OB{U}_i$, this paper uses the following query by ProVerif:

$$Queryinj-event:end(x1,x2)==>inj-event:begin(x1,x2).$$

In order to determine if $eventend(s,sessionkey)$ from $OBUi$ is the same as $eventbegin(SFogT,x)$, a query is run to see if the arguments (secret key ${\xi }_{Tke{y}_j}$ and encryption key = $H_1\left(aAI{D}_i^1\right)$) are the same.

In agreement with the formal analysis of the proposed ANAA-Fog scheme, ProVerif verifies the claims of the authentication of Fog to OBU. The output of the ProVerif is as follows.

$$Resultqueryend(x1,x2)==>begin(x1,x2)istrue.$$

It should be stressed that consensus on the identities of $OBUi$ and $Fo{g}_j$ is not crucial to the success of the proposed ANAA-Fog strategy. Therefore, note that their identities are not included in the events. The full ProVerif authentication script is referred to in the Appendix A.

Observational Equivalence

The ProVerif tool has the ability to analyze and prove whether intractability, unlinkability, anonymity, etc., hold. These ideas are captured by observational equivalence [31]. Informally, it relates to whether or not two components of the attacker are indistinguishable. The “choice” concept accomplishes this by comparing two arguments and determining whether they are equivalent to the attacker or not. The signing phase of the proposed ANAA-Fog scheme is carried out by using the choice construct as follows.

• $Choice\left[\right(Paid,Paid1),(Paid,Paid2\left)\right]$: The first tuple $(Paid,Paid1)$ indicates to one sender with public anonymous-IDs $Paid$, $Paid1$ who signs safety messages $m1$, $m2$ with different signature keys, whereas the second tuple $(Paid,Paid2)$ indicates to two different senders with public anonymous-IDs $Paid$, $Paid21$ who sign safety messages $m1$, $m2$. Due to distinct public anonymous-IDs chosen to sign different safety messages, the output should be true. Therefore, the adversary does not have the ability to distinguish between the two tuples.
• $Choice\left[\right(\delta (sk1,h(m1\left)\right),\delta (sk11,h(m2\left)\right)),(\delta (sk1,h(m3\left)\right),\delta (sk123,h(m4\left)\right)\left)\right]$:
  The first tuple $\delta (sk1,h(m1\left)\right)$ of the first argument $\left(\delta \right(sk1,h\left(m1\right)),\delta (sk11,h\left(m2\right)\left)\right)$ of $choice$ construct is the signature of the initial sender with the signature key $sk1$ who signs the message $m1$, whereas the second tuple $\delta (sk1,h(m1\left)\right)$ of the first argument $\left(\delta \right(sk1,h\left(m1\right)),\delta (sk11,h\left(m2\right)\left)\right)$ indicates to the same sender with the signature key $sk11$ to sign message $m2$. The second argument $\left(\delta \right(sk1,h\left(m3\right)),\delta (sk123,h\left(m4\right))$ indicates to two signatures for the two senders with signature keys $sk1$ and $sk123$, respectively. For the attacker, the two arguments should be observationally equivalent.
• $Choice\left[\right(m1,m2),(m1,m2\left)\right]$: Plainly, the attacker cannot distinguish between the two tuples $(m1,m2),(m1,m2)$ due to the random messages. Therefore, the claim of the proposed ANAA-Fog scheme is true by ProVerif as shown in Figure 3.

6.2. Security Attacks Resistance

• Security Attacks Resistance: The proposed ANAA-Fog scheme resists the common security attacks as follows. Note that Figure 4 elaborates on how your proposed scheme is secure against these active and passive attacks.

  -

  Modify Attacks: Since each message’s signature includes the master key of the $Fo{g}_j$ and the dynamic random value, the attacker cannot obtain the master key of the $Fo{g}_j$ and the dynamic random value. The attacker cannot modify the message. Otherwise, the receiver’s signature authentication is not legal. This means that our work resists modified attacks.

  -

  Forgery Attacks: According to the above proof, no third party can impersonate a valid signature message if he/she does not have the master key of $Fo{g}_j$. This means that our work resists forgery attacks.

  -

  Replay Attacks: A timestamp $t{s}_i$ is included in the signature of each message $Ms{g}_{OB{U}_i}=$$(Ms{g}_i,PAI{D}_{i,1},PAI{D}_{i,2},t{s}_i,{\sigma }_i)$, and the signature ${\sigma }_i$ cannot be modified. The message receiver can test for replay attacks by checking the signature. This means that our work resists replay attacks.

  -

  Man-In-The-Middle Attacks: According to the above proof, no third party can intercept the communication among nodes (sender and receiver) for 5G-enabled vehicular fog computing. This means that our work resists man-in-the- middle attacks.

6.3. Security Service Comparison

In this subsection,

Table 3. Comparison of security service.

Security Service	[14]	[15]	[17]	[18]	ANAA-Fog
Authentication	Yes	Yes	Yes	Yes	Yes
Integrity of Message	Yes	Yes	Yes	Yes	Yes
Conditional Privacy-Preserving	Yes	Yes	Yes	Yes	Yes
Unlikability	No	Yes	No	No	Yes
Traceability	No	Yes	Yes	Yes	Yes
Revocability	Yes	No	No	No	Yes
Low Efficiency	No	No	No	No	Yes

shows security service comparison in terms of authentication, the integrity of the message, conditional privacy-preserving, unlikability, traceability, revocability, and low efficiency. These schemes have massive efficiency in terms of computational and communication costs.

Meanwhile, every functionality (security service) explains how exactly our approach will provide for vehicle fog computing enabled by fifth-generation (5G) wireless networks as follows.

• Authentication of Signer and Integrity of Message: Based on the proof analysis in Section 6.1, no third party can forge a valid signature. Thus, the recipient can test the message integrity received from other vehicles by calculating Equations (11) or (12) for verifying single message or batch messages, respectively. Thus, this work achieves the requirements of authentication of the signer and integrity of the letter.
• Conditional Privacy-Preserving: The proposed ANAA-Fog scheme satisfies the requirement of conditional privacy-preserving in two steps.

  -

  To prevent an adversary from tracking a $OB{U}_i$ as it moves between distinct 5G-BSs, each of which has its own unique $Fo{g}_j$, the $OBUi$ must issue a new public anonymous-ID $\left(PAI{D}_i\right)$ by its true identity and the system’s public parameters for the period $t{s}_{Tkey}$.

  -

  Once a $OB{U}_i$ joins the area covered by 5G-BS, it acquires the temporary secret key of $Fo{g}_j$ during period $t{s}_{Tkey}$. To protect this key, the $OBUi$ and the $Fo{g}_j$ both use a symmetric secret key, denoted by $k_{ij}$. Next, it issues a new public anonymous-ID $\left(PAI{D}_i\right)$ and its matching signature key as in Equation (8) by the temporary private key of $Fogj$ valid in $t{s}_i$, a random value, and its real identity. Since the message is signed with a separate signature key, no third party except $the$$TA$ and $Fogj$ has the capacity to construct a link among the signatures and public anonymous-ID $\left(PAI{D}_i\right)$ of $OB{U}_i$. When $the$$TA$ and $Fo{g}_j$ know the system’s private key, they can construct a link among the signatures and public anonymous-ID $\left(PAI{D}_i\right)$ of $OB{U}_i$.

• Unlinkability: Each time an $OB{U}_i$ signs a message, it issues a new public anonymous-ID $\left(PAI{D}_i\right)$ to broadcast information. Anonymous-ID is updated regularly. Moreover, dynamic random value is inserted to the signature as Equation (9). Thus, it is so difficult for an attacker to link two messages from the same source.
• Traceability and Revocability: Consider the following scenario to better grasp the need for our work to be traceable and reversible. In the event of an accident, the TA can use Equation (5) to determine the genuine identification of the victim vehicle. After the victim vehicle’s genuine identification has been added to the CRL, the TA updates the CRL and sends it to all fog servers. Hence, the impassable vehicle cannot enter the 5G-BS area, where the temporary private key of $Fo{g}_j$ is kept to sign any messages. Therefore, the goals of traceability and revocability are met with this work.

7. Evaluation Metrics

This section analyses the performance of the proposed ANAA-Fog scheme with respect to two evaluation metrics (i.e., computational overhead and communication overhead) for 5G-enabled vehicular fog computing.

7.1. Analysis of Computational Overhead

Concerning the time and energy needed to verify signed messages individually and in bulk, we compare the proposed ANAA-Fog method to some of the most recent alternatives [14,15,17,18]. We build the 80-bit security level for the bilinear pairings-based techniques in  [14,15] by using the bilinear pairing e: $G_1$ * $G_1$→$G_2$, where $G_1$ is an additive group with a huge prime $q-$ generated by a point $p-$ on super-singular ECC. The duration of individual cryptographic procedures is listed in

Table 4. The time required for various cryptographic operations.

Abbr.	Execution Time (ms)	Definition
$P_{bp}$	5.811	How long a $G_1$ bilinear pairing takes in time.
$M_{bp}$	1.5654	The amount of time needed to do a scalar multiplication in the $G_1$
$A_{bp}$	0.0106	Time taken to perform a point-sum calculation in $G_1$
$H_{mtp}$	4.1724	The amount of time needed by a map-to-point hash function in $G_1$
$M_{ecc}$	0.6718	The amount of time needed to do a scalar multiplication in G
$A_{ecc}$	0.0031	Time taken to perform a point-sum calculation in G

.

The overhead of computation for the schemes of Zhong et al. [14] and Bayat et al. [15] are based on a bilinear pair as follows. A vehicle $Ve{h}_i$ in the scheme of Zhong et al. [14] signs a message $Ms{g}_i$ with 4 scalar multiplication ($4M_{bp}$) operations and 2 A point addition ($2A_{bp}$) operations. Consequently, the vehicle $Ve{h}_i$ in the scheme of Zhong et al. [14] needs a cost of $4M_{bp}+2A_{bp}\approx 6.2828$ ms in the vehicle signature process. While a recipient $Ve{h}_j$ requires 2 bilinear pair ($2P_{bp}$), 5 scalar multiplication ($5M_{bp}$) operations, and 2 A point addition ($2A_{ecc}$) operations to verify the concerned signature ${\sigma }_i$. Consequently, the vehicle $Ve{h}_j$ in the scheme of Zhong et al. [14] needs a cost of $2P_{bp}+5M_{bp}+2A_{bp}\approx 19.4702$ ms in a single message verification process. To verify the concerned batch signatures ${{\sigma }_i}^n$ from batch messages sent, a recipient $Ve{h}_j$ needs (n + 1) bilinear pair ($(n+1)P_{bp}$), (5n) scalar multiplication ($\left(5n\right)M_{bp}$) operations, and (2n) A point addition ($\left(2n\right)A_{bp}$) operations. Consequently, the vehicle $Ve{h}_j$ in the scheme of Zhong et al. [14] needs a cost of $(n+1)P_{bp}+\left(5n\right)M_{bp}+\left(2n\right)A_{bp}\approx 5.811+13.6592n$ ms in a batch message verification process.

A vehicle $Ve{h}_i$ in the scheme of Bayat et al. [15] signs a message $Ms{g}_i$ with 1 scalar multiplication ($1M_{bp}$) operation and 1 point addition ($1A_{bp}$) operation. Consequently, the vehicle $Ve{h}_i$ in the scheme of Bayat et al. [15] needs a cost of $1M_{bp}+1A_{bp}\approx 1.576$ ms in the vehicle signature process. While a recipient $Ve{h}_j$ requires 3 bilinear pair ($3P_{bp}$), 1 scalar multiplication ($1M_{bp}$) operation, 1 point addition ($1A_{ecc}$) operation, and 1 map-to-point function ($1H_{mtp}$) to verify the concerned signature ${\sigma }_i$. Consequently, the vehicle $Ve{h}_j$ in the scheme of Bayat et al. [15] needs a cost of $3P_{bp}+1M_{bp}+1A_{bp}+1H_{mtp}\approx 23.1814$ ms in a single message verification process. To verify the concerned batch signatures ${{\sigma }_i}^n$ from batch messages sent, a recipient $Ve{h}_j$ needs (3) bilinear pair ($\left(3\right)P_{bp}$), (n) scalar multiplication ($\left(n\right)M_{bp}$) operations, (n) A point addition ($\left(n\right)A_{bp}$) operations and n map-to-point function ($\left(n\right)H_{mtp}$). Consequently, the vehicle $Ve{h}_j$ in the scheme of Bayat et al. [15] needs a cost of $\left(3\right)P_{bp}+\left(n\right)M_{bp}+\left(n\right)A_{bp}+\left(n\right)H_{mtp}\approx 17.433+5.7484n$ ms in a batch message verification process.

The overhead of computation for the schemes of Asaar et al. [17], Li et al. [18], and our work are based on elliptic curve cryptography as follows. A vehicle $Ve{h}_i$ in the scheme of Asaar et al. [17] signs a message $Ms{g}_i$ with 7 scalar multiplication ($7M_{ecc}$) operations. Consequently, the vehicle $Ve{h}_i$ in the scheme of Asaar et al. [17] needs a cost of $7M_{ecc}\approx 4.7026$ ms in a vehicle signature process. While a recipient $Ve{h}_j$ requires 12 scalar multiplication ($12M_{ecc}$) operations and 8 A point addition ($8A_{ecc}$) operations to verify the concerned signature ${\sigma }_i$, the vehicle $Ve{h}_j$ in the scheme of Asaar et al. [17] needs a cost of $12M_{ecc}+8A_{ecc}\approx 8.0864$ ms in a single message verification process. To verify the concerned batch signatures ${{\sigma }_i}^n$ from batch messages sent, a recipient $Ve{h}_j$ needs (4n + 10) scalar multiplication ($(4n+10)M_{ecc}$) operations and (6n + 2) A point addition ($(6n+2)A_{ecc}$) operations. Consequently, the vehicle $Ve{h}_j$ in the scheme of Asaar et al. [17] needs a cost of $(4n+10)M_{ecc}+(6n+2)A_{ecc}\approx 6.7242+2.6934n$ ms in a batch message verification process.

A vehicle $Ve{h}_i$ in the scheme of Li et al. [18] signs a message $Ms{g}_i$ with 1 scalar multiplication ($1M_{ecc}$) operations. Consequently, the vehicle $Ve{h}_i$ in the scheme of Li et al. [18] needs a cost of $1M_{ecc}\approx 0.6718$ ms in the vehicle signature process. While a recipient $Ve{h}_j$ requires 4 scalar multiplication ($4M_{ecc}$) operations and 1 A point addition ($1A_{ecc}$) operation to verify the concerned signature ${\sigma }_i$, the vehicle $Ve{h}_j$ in the scheme of Li et al. [18] needs a cost of $4M_{ecc}+1A_{ecc}\approx 2.6903$ ms in a single message verification process. To verify the concerned batch signatures ${{\sigma }_i}^n$ from batch messages sent, a recipient $Ve{h}_j$ needs (2n + 2) scalar multiplication ($(2n+2)M_{ecc}$) operations and (n) A point addition ($\left(n\right)A_{ecc}$) operation. Consequently, the vehicle $Ve{h}_j$ in the scheme of Li et al. [18] needs a cost of $(2n+2)M_{ecc}+\left(n\right)A_{ecc}\approx 1.3436+1.3467n$ ms in a batch message verification process.

A vehicle $Ve{h}_i$ in the proposed ANAA-Fog scheme signs a message $Ms{g}_i$ with 2 scalar multiplication ($2M_{ecc}$) operations and 1 point addition ($1A_{ecc}$) operation. Consequently, the vehicle $Ve{h}_i$ in the proposed ANAA-Fog scheme needs a cost of $2M_{ecc}+1A_{ecc}\approx$ 1.3467 ms in the vehicle signature process. While a recipient $Ve{h}_j$ requires 3 scalar multiplication ($3M_{ecc}$) operations and 1 A point addition ($1A_{ecc}$) operation to verify the concerned signature ${\sigma }_i$, the vehicle $Ve{h}_j$ in the proposed ANAA-Fog scheme needs a cost of $3M_{ecc}+1A_{ecc}\approx 2.0185$ ms in a single message verification process. To verify the concerned batch signatures ${{\sigma }_i}^n$ from batch messages sent, a recipient $Ve{h}_j$ needs (n + 2) scalar multiplication ($(n+2)M_{ecc}$) operations and (n − 1) A point addition ($(n-1)A_{ecc}$) operation. Consequently, the vehicle $Ve{h}_j$ in the proposed ANAA-Fog scheme needs a cost of $(n+2)M_{ecc}+(n-1)A_{ecc}\approx 1.3405+0.6749n$ ms in a batch message verification process.

The overhead of computational of the proposed ANAA-Fog scheme and the most recent works in [14,15,17,18] with respect to a message signing, single verification, and batch verification are compared graphically in Figure 5, Figure 6 and Figure 7.

7.2. Analysis of Communication Overhead

For the bilinear pairings-based schemes in  [14,15], the sizes of prime numbers $p^{-}$, $q^{-}$ are 128 bytes, and 64 bytes, respectively, since it runs an equation $y^2=(x^3+x)$ with embedding degree 2. For the proposed ANAA-Fog scheme and the scheme in [17,18], the size of prime numbers p, q is 64 bytes since it runs an equation $y^2=x^3+xmodp$. Moreover, the size of the timestamp’s output is 4 bytes, and the general hash function is 20 bytes. Figure 8 shows the communication overhead of authentication schemes.

In Zhong et al. [14], the tuple of a message shared by vehicles is $Ms{g}_{OB{U}_i}=$$(Ms{g}_i,PI{D}_i,vp{k}_i,t_i,{\sigma }_i)$, where ${\sigma }_i=R_i,T_i$, $(PI{D}_i=PI{D}_{i,1},PI{D}_{i,2})$, $(PI{D}_{i,1},R_i,vp{k}_i\in G_1)$, $(T_i\in Z_q^{*})$, and two timestamps $(t_i,V{P}_i)$; therefore, the total overhead of communication is 3 · 128 + 20 + 8 = 412 bytes.

In Bayat et al. [15], the tuple of a message shared by vehicles is $Ms{g}_{OB{U}_i}=$$(Ms{g}_i,pi{d}_i,{\sigma }_i)$, where $(pi{d}_i=PI{D}_{i,l}^1,PI{D}_{i,l}^2)$, $(PI{D}_{i,l}^1\in G_1)$, and $(PI{D}_{i,l}^2,{\sigma }_i\in Z_q^{*})$; therefore, the total overhead of communication is 128 + 2 · 20 = 168 bytes.

In Asaar et al. [17], the tuple of a message shared by vehicles is $Ms{g}_{OB{U}_i}=$$(Cer{t}_k,sig,Y_k)$; therefore, the total overhead of communication is 3 · 40 + 3 · 20 + 4 = 184 bytes.

In Li et al. [18], the tuple of a message shared by vehicles is $Ms{g}_{OB{U}_i}=$$(Ms{g}_i,PI{D}_{i,l},P{K}_{i,l},R_i,T_i,si{g}_i)$, where $(P{K}_{i,l},R_i,si{g}_i\in G_1)$, $(PI{D}_{i,l}^1{\sigma }_i\in Z_q^{*})$, and $T_i$ is a timestamp; therefore, the total overhead of communication is 3 · 40 + 20 + 4 = 144 bytes.

In our work, the tuple of the message shared by vehicles is $Ms{g}_{OB{U}_i}=$$(Ms{g}_i,PAI{D}_{i,1},PAI{D}_{i,2},t{s}_i,{\sigma }_i)$, where $(PAI{D}_{i,1}\in G)$, $(PAI{D}_{i,2},{\sigma }_i\in Z_q^{*})$, and one timestamp $\left(t{s}_i\right)$; therefore, the total overhead of communication is 64 + 2 · 20 + 4 = 108 bytes.

In summary, our work needs smaller communication overheads than other schemes when the message is shared by vehicle broadcasts to others in 5G-enabled vehicular fog computing.

8. Conclusions

In this research, we suggested a new anonymous authentication strategy for 5G-enabled vehicle fog computing: the ANAA-Fog technique. This scheme is based on a fog server to generate the temporary secret key to each participating vehicle for a signature verification process. The security analysis section shows that the signing phase of the proposed ANAA-Fog scheme is carried out by using the ProVerif simulator to choose the message construct. Additionally, this work satisfies authentication of the signer, the integrity of the message, conditional privacy-preserving, unlinkability, traceability, revocability, and security attacks resistance in terms of modification, forgery, replay, and man-in-the-middle attacks. The evaluation metrics section shows that our work has low performance overhead compared to related works.

In future work, we will investigate the related results to use a lightweight algorithm instead of ECC for 5G-enabled vehicular fog computing. Meanwhile, we extend this work by adding a complete numerical example with a handshake model explanation and using a network simulator (OMNeT++) and road traffic (SUMO) for the experiment environment.