Article

CHAM-CLAS: A Certificateless Aggregate Signature Scheme with Chameleon Hashing-Based Identity Authentication for VANETs

1 Center of Informatics Science, Faculty of Information Technology and Computer Science, Nile University, Giza 12588, Egypt
2 Informatics Department, Electronics Research Institute, Cairo 12622, Egypt
3 National Telecommunication Institute, Giza 12578, Egypt
4 National Telecommunications Regulatory Authority, Giza 12577, Egypt
* Author to whom correspondence should be addressed.
Cryptography 2024, 8(3), 43; https://doi.org/10.3390/cryptography8030043
Submission received: 9 August 2024 / Revised: 10 September 2024 / Accepted: 10 September 2024 / Published: 17 September 2024

Abstract

Vehicular ad hoc networks (VANETs), which are the backbone of intelligent transportation systems (ITSs), facilitate critical data exchanges between vehicles. This necessitates secure transmission, which requires guarantees of message availability, integrity, source authenticity, and user privacy. Moreover, the traceability of network participants is essential as it deters malicious actors and allows lawful authorities to identify message senders for accountability. This introduces a challenge: balancing privacy with traceability. Conditional privacy-preserving authentication (CPPA) schemes are designed to mitigate this conflict. CPPA schemes utilize cryptographic protocols, including certificate-based schemes, group signatures, identity-based schemes, and certificateless schemes. Due to the critical time constraints in VANETs, efficient batch verification techniques are crucial. Combining certificateless schemes with batch verification leads to certificateless aggregate signature (CLAS) schemes. In this paper, cryptanalysis of Xiong’s CLAS scheme revealed its vulnerabilities to partial key replacement and identity replacement attacks, alongside mathematical errors in the batch verification process. Our proposed CLAS scheme remedies these issues by incorporating an identity authentication module that leverages chameleon hashing within elliptic curve cryptography (CHAM-CLAS). The signature and verification modules are also redesigned to address the identified vulnerabilities in Xiong’s scheme. Additionally, we implemented the small exponents test within the batch verification module to achieve Type III security. While this enhances security, it introduces a slight performance trade-off. Our scheme has been subjected to formal security and performance analyses to ensure robustness.

1. Introduction

In the contemporary global pursuit of intelligent cities, the Internet of Things (IoT) is the primary facilitator of device connectivity and communication, through which an immeasurable amount of data exchange and utilization occurs. A particular use case of the IoT is the Internet of Vehicles (IoV), which encapsulates cooperative intelligent transportation systems (C-ITSs) that employ vehicular ad hoc networks (VANETs). VANETs are self-organized networks that enable communication between the constituents of any C-ITS, namely vehicles, pedestrians, roadside units (RSUs), and possibly governing entities, which we will refer to as trusted authorities (TAs) [1,2]. The primary objective of a C-ITS is to facilitate a safer and more comfortable driving experience for all of its constituents by allowing vehicles to sense their surrounding environments and pool their collective resources to make reliable decisions [3].
The primary standards employed in vehicular communications are the Dedicated Short-Range Communications (DSRC) standard developed in the US and the Intelligent Transportation System (ITS-G5) protocol created by the European Telecommunications Standards Institute (ETSI) [3]. However, recent years have witnessed the emergence of a competitive alternative, Cellular Vehicle-to-Everything (C-V2X), which promises lower latency and support for high vehicle speeds [4]. Furthermore, further development of DSRC and C-V2X is already underway in pursuit of better efficiency and scalability, and new technologies such as 802.11bd and New Radio V2X [5] promise to meet the stringent requirement of a maximum packet error rate of 10% within a minimum transmission radius of 300 m.
Owing to the significance of the data shared between different C-ITS constituents, guaranteeing security is as important as optimizing performance, since any breach with malicious intent can have disastrous consequences. Therefore, authentication, confidentiality, integrity, privacy, and revocability are non-negotiable security requirements to ensure the proper functioning of VANETs.
To that effect, a multitude of works have strived to create conditional privacy-preserving authentication (CPPA) schemes, which can be broadly classified into certificate-based schemes/public key infrastructure (PKI) schemes, identity-based schemes (IB), group signature (GS)-based schemes and certificateless (CL) schemes. Furthermore, to support scenarios of large vehicular densities, techniques to verify a batch of digital signatures simultaneously have been developed. This has led to the transformation of IB and CL schemes into identity-based batch verification (IBV) schemes and certificateless aggregated signature (CLAS) schemes, respectively.
Many recent CLAS schemes fail to guarantee adequate identity authentication, resulting in collusion, repudiation, and impersonation attacks. Furthermore, the same schemes fail to properly include a revocation check that prevents TA-revoked members from re-accessing the VANET. We show that these deficiencies exist in the recently published CLAS scheme [6] by Xiong and propose an alternative scheme that averts the associated risks and better meets VANET security requirements.
Accordingly, our contributions can be summarized as follows:
1. We cryptanalyze Xiong’s scheme and point out that it cannot meet VANET security requirements.
2. We propose an alternative CLAS scheme with an added identity authentication module based on chameleon hashing [7]. This module prevents repudiation attacks and fake identity attacks and ensures that revoked vehicles are denied access to the VANET.
3. We conduct a formal security and performance analysis of our scheme.
The rest of this paper is set out as follows. Section 2 introduces a brief review of related works. Section 3 summarizes the background information, including VANET security requirements, cryptographic primitives utilized in the proposed scheme, and the network model. Section 4 presents a brief overview of Xiong’s scheme [6] as well as our cryptanalysis, suggested attacks, and modified scheme. Section 5 presents the formal security analysis of our proposed scheme. Section 6 presents the performance analysis of our scheme. Section 7 presents conclusions and future directions. A list of notations can be found in Table 1.

2. Related Works

As mentioned previously, CPPA schemes can be realized using various cryptographic approaches, including PKI, GS, IBV, or CLAS schemes.
PKI-based schemes typically involve significant overhead due to certificate storage and communication costs, not to mention the time-consuming process of certificate revocation checks. GS-based schemes also face challenges with revocation and high computational costs during signature verification.
In contrast, IB schemes are more efficient as they eliminate the need for certificate management. However, they suffer from the key escrow problem, where the key generation center (KGC) can access each member’s full private key.
Certificateless (CL) schemes are a variant of IB schemes in which each member’s private key combines a KGC-generated partial key with a secret value known only to the member. This resolves the key escrow problem, at the expense of more complex public key management, since the public key is no longer derived solely from publicly known information as in traditional IB systems. CLAS schemes, the aggregate-signature form of CL schemes, are the most prominent tool for achieving CPPA, and much of the recent literature has focused on cryptanalyzing previous schemes and developing new ones with improved security.
CPPA schemes are an integral part of VANET security, and numerous surveys have been published in recent years [1,8,9,10] to extensively detail each scheme’s characteristics and conduct comparative analyses in terms of security and performance.
A survey specifically focused on CLAS schemes can be found in [11], which compares the performance of CLAS schemes based on bilinear pairings and CLAS schemes based on ECC. Since bilinear pairings are more computationally intensive and less efficient, we have implemented our CLAS scheme using ECC.
Our proposed scheme most closely resembles those of Zhao (2020) [12], Zhou (2023) [2], Zhu (2023) [13], Li (2020) [14], Thumbur (2020) [15], and finally Xiong (2022) [6], which we aim to analyze and improve in this paper. Accordingly, we will compare the performance of our scheme to those of existing schemes in Section 6.

3. Background

This section establishes the necessary background and prerequisites to our proposed scheme. We briefly overview the security requirements in Vehicular Ad hoc Networks (VANETs); then, we introduce the cryptographic primitives used in our scheme; and finally, we outline the network model upon which our scheme is based.

3.1. VANET Security Requirements

The aforementioned massive data exchange, which is the driving force behind the development of the Internet of Things (IoT) and the Internet of Vehicles (IoV), necessarily requires accompanying security measures to ensure the validity of the data before further use. The security requirements within VANETs are not uniform; instead, they are layered, with distinct demands and considerations at different levels. Table 2 comprehensively compares these layered security needs, categorized across various critical aspects. From the communication layer to the network and application layers, each aspect highlights the specific security demands, ensuring that VANETs operate securely and reliably. Key management, trust management, physical layer security, regulatory compliance, and lifecycle management aspects further underscore the multifaceted nature of securing VANETs. Understanding and addressing these diverse security requirements is essential to establish a resilient and trustworthy VANET ecosystem. Failure to do so could undermine the intended benefits and functionality of the IoT and IoV technologies.
To utilize the data exchanged between vehicles, the receiver must ensure three things:
  • The sender is legitimate and trustworthy.
  • The data have not been modified or tampered with.
  • The message is temporally relevant and up-to-date.
On the other hand, the sender will only participate in the message exchange if they are assured that their identity privacy is preserved. They want to be sure that only a legitimate governing authority can derive their real identity from the pseudo-identity used in the message transmission.
A combination of cryptographic approaches and intrusion detection methods addresses these requirements. Cryptographic protection is the first line of defense, providing proactive protection against potential attacks and holding the attacker accountable. However, intrusion detection techniques may be employed for mitigation if an attack does occur. This paper focuses exclusively on the cryptographic methods used to preserve secure communications in VANETs. Intrusion detection in VANETs has also been extensively studied in contemporary literature, and reviews of the contributions can be found in [16,17,18].

3.2. Cryptographic Preliminaries

This section provides a brief overview of the cryptographic primitives employed in our scheme.
(1) Elliptic curves
Let $\mathbb{F}_p$ denote a finite field of prime order $p$, and let $E$ be the elliptic curve $y^2 = x^3 + ax + b \pmod p$ with $a, b \in \mathbb{F}_p$ and $4a^3 + 27b^2 \neq 0$. Let $O$ denote the point at infinity. The points of $E$ together with $O$ form an additive group $G$ of prime order $q$ with generator $P$.
Point addition: Let $P, S \in G$ be two points, where $P$ generates $G$ of large prime order $q$. When $P \neq S$, $R = P + S$ is obtained by drawing the line through $P$ and $S$, taking its third intersection with $E$, and reflecting that point across the $x$-axis. When $P = S$, the tangent to $E$ at $P$ is used in place of the line $PS$.
Scalar point multiplication: $mP = P + P + \cdots + P$ ($m$ times), where $m \in \mathbb{Z}_q^*$, $m > 0$.
Elliptic curve discrete logarithm problem (ECDLP): Given two points $P, Q \in G$ on $E$ with $Q = xP$ for some $x \in \mathbb{Z}_q^*$, computing $x$ from $P$ and $Q$ is believed to be intractable.
(2) Chameleon hashing
Chameleon hash functions were first proposed in 1998 [7] as the building block for chameleon signatures. A chameleon signature commits the signer undeniably to the contents of a signed document while preventing the recipient from convincing a third party of those contents without the signer’s consent.
Conceptually similar to undeniable signatures, chameleon signatures have the advantage of being non-interactive and not requiring zero-knowledge proofs. The key idea is that the recipient, who holds the trapdoor of the hash function, can compute further collisions for the hash value the signer signed, so a signature shown to a third party proves nothing about which message was actually signed. To achieve this, chameleon signatures use a hash-then-sign approach with a chameleon hash function, which is collision-resistant for every party except the holder of the trapdoor.
The original paper proposes two instantiations of chameleon hash functions, one based on the intractability of factoring and the other on the discrete logarithm problem.
The latter uses $CH_y(m, r) = g^m y^r \bmod p$ with trapdoor (private key) $x$ and public key $y = g^x \bmod p$, where $g$ generates a subgroup of prime order $q$. Accordingly, $CH_y(m, r) = g^m g^{xr} = g^{m + xr}$, and for a given pair $(m, r)$ and any new message $m'$ the trapdoor holder finds a colliding $r'$ by solving $m + xr \equiv m' + xr' \pmod q$, i.e. $r' = r + (m - m')x^{-1} \bmod q$. Note that two colliding pairs reveal the trapdoor, since $x = (m - m')(r' - r)^{-1} \bmod q$; collisions must therefore only ever be disclosed deliberately. Our scheme uses a conceptually similar trapdoor construction in the elliptic curve setting, described in Section 4.3.
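The discrete-log chameleon hash above, as an added worked example written for this page (it is not the paper’s code nor that of [7]). It uses a toy group constructed for readability ($q = 1019$, $p = 2q + 1 = 2039$, $g = 4$ of order $q$; a deployment needs a 2048-bit-class $p$ or an elliptic curve group) and shows the trapdoor holder opening one digest as two different messages, plus the key-exposure caveat that a disclosed collision reveals $x$. Python 3.8 or later is needed for the modular inverse `pow(x, -1, q)`.

```python
import secrets

# Toy group, constructed for this example only: q = 1019 and p = 2q + 1 = 2039 are
# both prime, and g = 4 = 2^2 is a quadratic residue, hence of order exactly q in
# Z_p^*.  A real deployment needs a 2048-bit-class p or an elliptic curve group.
Q = 1019
P = 2 * Q + 1
G = 4


def keygen():
    """Trapdoor (private key) x in Z_q^* and public key y = g^x mod p."""
    x = 1 + secrets.randbelow(Q - 1)
    return x, pow(G, x, P)


def chameleon_hash(y, m, r):
    """CH_y(m, r) = g^m * y^r mod p; the message m and randomness r live in Z_q."""
    return pow(G, m % Q, P) * pow(y, r % Q, P) % P


def find_collision(x, m, r, m_new):
    """Trapdoor holder: solve m + x*r = m_new + x*r' (mod q) for r'.

    Without x this is a discrete-logarithm problem in the order-q subgroup, so
    only the trapdoor owner can open CH_y(m, r) as a different message."""
    return (r + (m - m_new) * pow(x, -1, Q)) % Q


def reveal_trapdoor(m1, r1, m2, r2):
    """Key-exposure caveat: a disclosed collision (m1, r1) != (m2, r2) leaks x,
    because m1 + x*r1 = m2 + x*r2 gives x = (m1 - m2) * (r2 - r1)^-1 mod q."""
    return (m1 - m2) * pow((r2 - r1) % Q, -1, Q) % Q


def demo():
    """Commit to m under fresh keys, then open the same digest as m_new.

    Returns (digest, r_new, recovered_trapdoor) so the caller can check that
    the collision verifies and that it exposes the trapdoor."""
    x, y = keygen()
    m, r, m_new = 45, 678, 900            # constructed sample values
    digest = chameleon_hash(y, m, r)
    r_new = find_collision(x, m, r, m_new)
    assert chameleon_hash(y, m_new, r_new) == digest
    return digest, r_new, reveal_trapdoor(m, r, m_new, r_new) == x
```

`find_collision` is the operation the TRM-side trapdoor performs in the EC variant of Section 4.3; `reveal_trapdoor` is why a chameleon hash must never have its collisions published casually.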

3.3. Network Model

The most common network architecture used to model VANET security is the two-layer model, which comprises a TA in the top layer and vehicles and RSUs in the bottom layer.
(1) Trusted authority (TA): Also known as the trusted third party (TTP) or the central authority (CA), the TA generally consists of a key generation center (KGC) and a tracing authority/tracing manager (TRA/TRM). The KGC generates public and private keys (or partial keys) for all members to enable digital signature verification. The TRM generates verifiable pseudo-identities for each member to enable traceability in the case of disputes. Some schemes propose redundant TAs with access to the same data repository to prevent single points of failure.
(2) Roadside units (RSUs): RSUs are connected to the TA via secure wired links and to vehicles via insecure wireless connections. Different schemes assume varying levels of RSU trustworthiness, with the predominant assumption being that RSUs are “honest but curious.” The role of RSUs varies across schemes, ranging from being mere gateways to relay messages between the TA and vehicles to acting as group managers that issue signing and verification keys to members within their domain and manage localized groups.
(3) Vehicles: Vehicles are assumed to be untrustworthy. They are equipped with on-board units (OBUs) that contain a tamper-proof device (TPD). Schemes diverge on the assumption of an ideal TPD (secure enough to store the system’s master secret key for self-authentication) or a realistic TPD (where only the user’s secret key is stored and authentication is performed elsewhere).

4. Xiong’s Scheme: Description, Cryptanalysis, and Our Proposed Improved Scheme

In this section, we provide a brief overview of Xiong’s scheme [6], followed by our cryptanalysis of the scheme, and finally, we propose our modified version of the scheme.

4.1. Overview of Xiong’s Scheme

Xiong’s scheme, like other CLAS (certificateless aggregate signature) schemes, comprises the following phases:
  • Setup;
  • Pseudo-identity generation;
  • Partial private key generation;
  • User secret key generation;
  • Signing;
  • Verification;
  • Aggregate signature/batch verification.
Figure 1 provides a summary of Xiong’s scheme.

4.2. Cryptanalysis

The core purpose of any authentication scheme is to enable the receiver of a message to trust its contents. This is achieved through a transitive trust relationship, where the receiver verifies that a trusted authority (TA) deemed the sender trustworthy at a particular time and has not revoked its trust in them since (authentication). Furthermore, to deter any network member from initiating malicious actions, a mechanism is required to ensure their accountability and prevent them from later denying their actions (traceability and non-repudiation). Unfortunately, Xiong’s scheme does not meet these criteria, as detailed in the following analysis.
To guarantee the trustworthiness of a sender, digital signatures incorporate a TA’s contribution along with some identifying information about the signer. CLAS (certificateless aggregate signature) schemes are built on the premise that signatures are trustworthy because the partial private key generated by the key generation center (KGC) is incorporated into the digital signature. To resist forgery, the KGC uses its master secret key $s$ and a randomly chosen value $\alpha_i$ to create a partial private key pair that the user cannot replicate. In Xiong’s scheme, this is achieved by $ppk_i = \alpha_i + s \cdot Q_i \bmod q$, which is checked (by the user, and subsequently by any receiver of the user’s messages) through the equation $ppk_i \cdot P = A_i + Q_i \cdot P_{pub}$. The user cannot generate a pair $(ppk_i^*, A_i^*)$ satisfying this equation, since the term $Q_i \cdot P_{pub}$ binds the two values together and depends on the KGC’s master secret $s$. While this is implemented correctly in Xiong’s partial private key generation module, it is not used correctly in the signature generation module, because $A_i$ is never used again afterwards. In fact, once user $V_i$ receives $(ppk_i, A_i)$ from the KGC and performs the check (to confirm that this is a KGC-issued pair), it can discard $A_i$, which appears in no later module. This leaves the authentication property unsatisfied, since a malicious user can receive $(ppk_i, A_i)$ from the KGC and then replace $ppk_i$ with an arbitrary $ppk_i^*$ in all subsequent computations without being detected. The simple fix is to incorporate $A_i$ in the verification equation.
Moreover, the pseudo-identities are generated inside the vehicle under the assumption that the TPD is ideal and cannot be tampered with, which is impractical. This shows in the scheme: at no point is the identity of user $V_i$ verified by any entity, so a malicious user, Oscar, can replace his real identity $RID_O$ with a fictitious $RID_O^*$, compute the corresponding $PID_O^*$, and still pass verification.
The fact that a malicious user can replace both their real identity and their partial private key with fictitious values means that the scheme satisfies neither authentication nor non-repudiation. This opens it to bogus-message and repudiation attacks, since any user can broadcast fake information under a fake identity without fear of legal consequences. The attacks are shown in Figure 2.
Finally, we point out a minor mistake in the batch verification module of the original scheme: $pk = v \cdot P$ must become $pk^* = v \cdot P_{pub}$ for the batch verification equation $\beta = \beta^*$ to hold. In their scheme, $\beta = H_4(T_1 \cdot pk \,\|\, \cdots \,\|\, T_n \cdot pk)$ and $\beta^* = H_4(v \cdot \varphi_1 \,\|\, \cdots \,\|\, v \cdot \varphi_n)$, so to pass verification we must have $T_i \cdot pk = v \cdot \varphi_i$ for every $i$. Since $\varphi_i = h_i F_i + U_i = T_i \cdot P_{pub}$, we get $v \cdot \varphi_i = v \cdot T_i \cdot P_{pub} = T_i \cdot pk^*$, which holds with $pk^* = v \cdot P_{pub}$ but not with $pk = v \cdot P$.

4.3. Our Improved Scheme

In our proposed scheme, we suggest the following improvements and modifications to avert the threats above:
(1) Identity authentication using chameleon hashing
We add an identity authentication module based on chameleon hashing to prevent an attacker from using a fake identity. The idea is to let the KGC confirm that the TRM has authenticated a pseudo-identity before generating a partial private key for it. The procedure is as follows.
During the setup phase, the TRM chooses a random trapdoor $x \in \mathbb{Z}_q^*$ and two random points $A, B \in G$ on the elliptic curve, and computes $C = A + x \cdot B$. The trapdoor $x$ and the point $C$ are shared securely between the TRM and the KGC. The TRM assigns to each member with pseudo-identity component $ID_{i,1}$ an elliptic curve point $D_i = C - x \cdot ID_{i,1}$. To prove to the KGC that it obtained a legitimate identity from the TRM, the member submits $D_i$ and $ID_{i,1}$ to the KGC, which checks $D_i + x \cdot ID_{i,1} \stackrel{?}{=} C$ before generating a partial private key for the member. A member that does not hold $x$ cannot produce a valid $D^*$ for a self-chosen $ID^*$, since $D^* = C - x \cdot ID^*$ requires the trapdoor.
This guarantees that a partial private key is issued only for a legitimate pseudo-identity. It also gives the TRM the opportunity to review each member’s status before authenticating its identity, so revoked members are excluded immediately: they are never given the secret parameter $D_i$ that they need to obtain a partial private key.
(2) Adjusting the individual verification equation to prevent partial private key switching
As stated earlier, the partial private key generation module creates the pair $(ppk_i, A_i)$ with $ppk_i = \alpha_i + s \cdot h_{2,i} \bmod q$ and $A_i = \alpha_i P$, so that $ppk_i \cdot P = A_i + h_{2,i} \cdot P_{pub}$. No user can generate a pair satisfying this equation, since the KGC’s master secret $s$ links the two values. In Xiong’s scheme, $A_i$ is not part of the individual verification equation, so any member can replace $ppk_i$ with an arbitrary value without being detected during verification. In our scheme, $A_i$ is included in the verification equation, which ensures that the $ppk_i$ used for signing is an authentic KGC-issued key. Combined with the chameleon hashing authentication module above, this also implicitly ensures that the pseudo-identity used to sign the message is genuine.
(3) Small exponent test in batch verification
We adopt the batch verification equation and add the small exponent test to ensure resilience against Type III attacks on CLAS schemes, in which forged individual signatures are inserted into a batch of valid signatures without being detected. Section 5 elaborates on this as part of the formal security analysis of our proposed scheme. Figure 3 summarizes our improved scheme.

5. Security Analysis

This section presents the security analysis of our improved scheme. We first give the formal definition and algorithm instantiation of a CLAS system, then the CLAS security models and games, and finally our formal security proof.

5.1. Definition of CLAS

Definition 1.
A CLAS comprises the following eight polynomial time algorithms, found in Table 3.

5.2. Security Models of CLAS

To define security models of CLAS, we consider three types of adversary attacks according to their different abilities.
Type I attacks: The adversary knows the target user’s secret value $x_i$ and can replace the user’s public key $upk_i$ with a value of its choice. However, it knows neither the KGC’s master secret $s$ nor the user’s partial private key $ppk_i$.
Type II attacks: The adversary knows the KGC’s master secret $s$ and can therefore generate the user’s partial private key $ppk_i$. However, it does not know the user’s secret value $x_i$.
Type III attacks: The adversary knows all signers’ secret keys $x_i$ and $ppk_i$. Its goal is to produce individual signatures $\sigma_i$, at least one of which is invalid, that nevertheless aggregate into an aggregate signature $\sigma$ that passes batch verification; the scheme is Type III secure if no such $\sigma_i$ can be produced.
The security of a CLAS scheme is captured by the following three games between a challenger $\mathcal{C}$ and adversaries $\mathcal{A}_1$, $\mathcal{A}_2$, $\mathcal{A}_3$.
The associated queries are outlined in Table 4.
The security games are outlined in Table 5.
Definition 2.
A CLAS scheme is existentially unforgeable under adaptive chosen message attacks (EUF-CMA) if the probability of any probabilistic polynomial time (PPT) adversary winning any of the above three games is negligible.

5.3. Security Proof

Theorem 1.
Our CLAS scheme is EUF-CMA secure against any Type I adversary if ECDLP is hard in the random oracle model (ROM).
Proof.
Let $\mathcal{A}_1$ be a Type I adversary that breaks our underlying certificateless signature (CLS) scheme. We construct an algorithm $\mathcal{B}$ that uses $\mathcal{A}_1$ to solve the ECDLP as follows.
Setup phase: $\mathcal{B}$ takes the security parameter $1^\lambda$ and generates $(G, q, P, P_{pub}, T_{pub}, H_1, \ldots, H_3)$. It sets $ID^*$ as the challenge identity and maintains lists $L_2, \ldots, L_5$ to store the values queried by $\mathcal{A}_1$, as outlined in Table 6.
Forgery phase: $\mathcal{A}_1$ finally outputs a forgery $\sigma_i^* = (\delta_i^*, U_i^*)$ on $m_i^*$ under $ID^*$. If $PID_i \neq PID_i^*$, $\mathcal{B}$ aborts and admits failure; otherwise $\sigma_i^*$ is valid and $\delta_i^* P = A_i + h_{3,i}^* upk_i^* + h_{2,i}^* P_{pub} + U_i^*$.
By the forking lemma [19], if $\mathcal{B}$ replays $\mathcal{A}_1$ with a different hash value $h_{2,i}^{*\prime} \neq h_{2,i}^*$, $\mathcal{A}_1$ outputs another forgery $\sigma_i^{*\prime} = (\delta_i^{*\prime}, U_i^*)$ on $m_i^*$ satisfying $\delta_i^{*\prime} P = A_i + h_{3,i}^* upk_i^* + h_{2,i}^{*\prime} P_{pub} + U_i^*$.
Subtracting the two verification equations gives
$(\delta_i^* - \delta_i^{*\prime})\, P = (h_{2,i}^* - h_{2,i}^{*\prime})\, P_{pub} = (h_{2,i}^* - h_{2,i}^{*\prime})\, s P$,
and since $P$ has prime order $q$, comparing the scalars yields the ECDLP solution
$s = (\delta_i^* - \delta_i^{*\prime})(h_{2,i}^* - h_{2,i}^{*\prime})^{-1} \bmod q$. □
Theorem 2.
The CLAS scheme is EUF-CMA secure against any Type II adversary if ECDLP is hard in ROM.
The proof is analogous to that of Theorem 1 and is omitted for space considerations.
Theorem 3.
The CLAS scheme is secure against any Type III adversary.
Proof.
Type III security of a CLAS scheme requires that the scheme resist signature injection attacks in the aggregate verification phase. For instance, suppose two malicious vehicles generate two valid signatures $\delta_1$ and $\delta_2$ and then add $c$ and $-c$ to them, respectively. Each modified signature is individually invalid, but a naive batch verifier cannot detect this, since $c$ is cancelled by $-c$ in the aggregation. In our scheme, we use the simplified small exponent test in the aggregation process: the verifier multiplies each individual signature by a fresh random small exponent $x_i$ of its own choosing, so any modification of a single signature $\delta_i$ changes the aggregate sum except with negligible probability. The rigorous proof can be found in [20]. Hence, Type III security is achieved. □
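The three modifications of Section 4.3 and the $+c$/$-c$ injection just described, as one added worked example written for this page (it is not the paper’s implementation). It runs the CHAM-CLAS building blocks on secp256k1 in pure Python: the TRM issues $D_i = C - x \cdot ID_{i,1}$ and the KGC checks $D_i + x \cdot ID_{i,1} = C$ before issuing $(ppk_i, A_i)$, refusing a revoked member and a self-chosen $ID^*$; individual verification uses the paper’s equation $\delta_i P = A_i + h_{3,i} upk_i + h_{2,i} P_{pub} + U_i$, so a swapped $ppk_i^*$ presented with the legitimate $A_i$ fails; and two colluders add $+c$ and $-c$ to valid $\delta_1, \delta_2$, which the naive sum accepts but the small exponent test rejects. Assumed, because the page does not fix them: the hash inputs of $h_{2,i}$ and $h_{3,i}$, the signing equation $\delta_i = ppk_i + h_{3,i} x_i + u_i \bmod q$ (derived from the verification equation), 64-bit small exponents, the curve, and the hypothetical member names. The identity check is linear in $(D_i, ID_{i,1})$, so the example exercises only the case the paper discusses (an $ID^*$ for which no $D$ was issued); it is a demonstration, not a security proof. Python 3.8 or later is required for `pow(a, -1, p)`.

```python
import hashlib
import secrets

# secp256k1 (y^2 = x^3 + 7 over F_P); N is the prime order q of the generator GEN.
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
GEN = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
       0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def rnd():
    return 1 + secrets.randbelow(N - 1)           # uniform scalar in Z_q^*

def add(p1, p2):
    """Affine point addition; None is the point at infinity."""
    if p1 is None or p2 is None:
        return p1 if p2 is None else p2
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    lam = (3 * x1 * x1 * pow(2 * y1, -1, P) if p1 == p2
           else (y2 - y1) * pow((x2 - x1) % P, -1, P)) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P

def mul(k, pt):
    """Double-and-add scalar multiplication k*pt, k reduced mod N."""
    acc, k = None, k % N
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt, k = add(pt, pt), k >> 1
    return acc

def h(*parts):
    """Hash-to-Z_N over bytes and points; the encoding is this example's choice."""
    m = hashlib.sha256()
    for x in parts:
        m.update(x if isinstance(x, bytes) else x[0].to_bytes(32, "big") + x[1].to_bytes(32, "big"))
    return int.from_bytes(m.digest(), "big") % N

# TRM: trapdoor x and C = A + x*B; D_i = C - x*ID_i1 is issued only to unrevoked members.
def trm_issue(x, C, rid, id_i1, revoked):
    return None if rid in revoked else add(C, mul(N - x, id_i1))

# KGC: accepts an identity only if D_i + x*ID_i1 == C, then ppk_i = alpha + s*h2, A_i = alpha*P.
def kgc_identity_ok(x, C, id_i1, D_i):
    return D_i is not None and add(D_i, mul(x, id_i1)) == C

def kgc_partial_key(s, x, C, id_i1, D_i):
    if not kgc_identity_ok(x, C, id_i1, D_i):
        raise ValueError("pseudo-identity not authenticated by the TRM")
    alpha = rnd()
    A_i = mul(alpha, GEN)
    return (alpha + s * h(id_i1, A_i)) % N, A_i   # h2 input is an assumption

def rhs(msg, sig, A_i, id_i1, Ppub):
    _, U, upk = sig                                # A_i + h3*upk + h2*Ppub + U
    h2, h3 = h(id_i1, A_i), h(msg, id_i1, upk, U)  # h3 input is an assumption
    return add(add(add(A_i, mul(h3, upk)), mul(h2, Ppub)), U)

def sign(msg, ppk, A_i, x_i, id_i1):
    """delta = ppk + h3*x_i + u (mod q); derived to match the verification equation."""
    upk, u = mul(x_i, GEN), rnd()
    U = mul(u, GEN)
    return (ppk + h(msg, id_i1, upk, U) * x_i + u) % N, U, upk

def verify(msg, sig, A_i, id_i1, Ppub):
    return mul(sig[0], GEN) == rhs(msg, sig, A_i, id_i1, Ppub)

def batch_verify(items, Ppub, small_exponents=True):
    """sum_i v_i*delta_i*P == sum_i v_i*RHS_i; v_i = 1 for all i is the naive batch."""
    lhs, acc = 0, None
    for msg, sig, A_i, id_i1 in items:
        v = (secrets.randbits(64) | 1) if small_exponents else 1   # 64-bit v_i assumed
        lhs = (lhs + v * sig[0]) % N
        acc = add(acc, mul(v, rhs(msg, sig, A_i, id_i1, Ppub)))
    return mul(lhs, GEN) == acc

def demo():
    """Runs the three checks and returns their outcomes as a dict of booleans."""
    x, s, revoked = rnd(), rnd(), {"RID-revoked"}
    C, Ppub = add(mul(rnd(), GEN), mul(x, mul(rnd(), GEN))), mul(s, GEN)  # C = A + x*B
    id1, id2 = mul(rnd(), GEN), mul(rnd(), GEN)          # ID_i,1 = k_i*P (hypothetical members)
    D1, D2 = trm_issue(x, C, "RID-1", id1, revoked), trm_issue(x, C, "RID-2", id2, revoked)
    out = {"legit_id_accepted": kgc_identity_ok(x, C, id1, D1),
           "fake_id_rejected": not kgc_identity_ok(x, C, mul(rnd(), GEN), D1),
           "revoked_gets_no_D": trm_issue(x, C, "RID-revoked", id1, revoked) is None}
    (ppk1, A1), (ppk2, A2) = kgc_partial_key(s, x, C, id1, D1), kgc_partial_key(s, x, C, id2, D2)
    sig1, sig2 = sign(b"m1", ppk1, A1, rnd(), id1), sign(b"m2", ppk2, A2, rnd(), id2)
    out["valid_sig_verifies"] = verify(b"m1", sig1, A1, id1, Ppub)
    bad = sign(b"m1", (ppk1 + 1) % N, A1, rnd(), id1)   # ppk swapped, legitimate A_1 kept
    out["swapped_ppk_rejected"] = not verify(b"m1", bad, A1, id1, Ppub)
    c = rnd()                                            # colluders add +c and -c
    t1, t2 = ((sig1[0] + c) % N,) + sig1[1:], ((sig2[0] - c) % N,) + sig2[1:]
    items = [(b"m1", t1, A1, id1), (b"m2", t2, A2, id2)]
    out["injected_each_invalid"] = not verify(b"m1", t1, A1, id1, Ppub)
    out["naive_batch_fooled"] = batch_verify(items, Ppub, small_exponents=False)
    out["small_exponent_batch_detects"] = not batch_verify(items, Ppub)
    return out
```

Calling `demo()` returns a dict whose values are all `True` (the last one with probability $1 - 2^{-63}$, the chance that the two random small exponents coincide). The naive batch is fooled because $(\delta_1 + c) + (\delta_2 - c) = \delta_1 + \delta_2$, whereas $v_1(\delta_1 + c) + v_2(\delta_2 - c)$ differs from $v_1\delta_1 + v_2\delta_2$ by $c(v_1 - v_2) \neq 0 \pmod q$.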
Theorem 4.
The CLAS scheme achieves CPP.
Proof.
The anonymity of the vehicle is ensured by its pseudo-identity $PID_i = (ID_{i,1}, ID_{i,2}, VT_i)$, where $ID_{i,1} = k_i P$, $ID_{i,2} = RID_i \oplus H_1(k_i \cdot T_{pub} \,\|\, VT_i)$, and $VT_i$ is the validity period. To extract the real identity $RID_i$ from $ID_{i,2}$, an adversary must compute $H_1(k_i \cdot T_{pub} \,\|\, VT_i)$. Since $k_i$ is known only to $V_i$ (the owner of $RID_i$) and is transmitted securely to the TRA during the pseudo-identity generation phase, an adversary holding only $(ID_{i,1}, ID_{i,2})$ would have to recover $k_i$ from $ID_{i,1} = k_i P$, i.e. solve the ECDLP, so it cannot extract $RID_i$; the TRA, which receives $k_i$, can. Since $k_i$ is a fresh random value for every pseudonym, our scheme also guarantees unlinkability: no party other than the TRA can link two pseudo-identities to the same real identity. Hence, the scheme achieves conditional privacy preservation, since only the TRA can extract the real identity from a pseudo-identity and no adversary can link two different pseudonyms to the same signer. □
This concludes our security analysis. In the following section, we conduct a performance analysis of our scheme and compare it to other ECC-based CLAS schemes.

6. Performance Analysis of Comparable CLAS Schemes

To ensure consistency, we evaluated all the schemes using the operation execution times reported in [2]. The authors employed the MIRACL cryptography library to measure the execution times on an Intel i5-6600 processor running at 3.3 GHz, with 8 GB of memory and a Windows operating system. The execution times they obtained are presented in Table 7.
Next, we evaluated the seven schemes in Table 8 to obtain the number of operations required by each scheme. Starred values are ones we derived through our own analysis of the schemes, because they differed from the values stated in the authors’ performance analyses or were not provided by the authors at all. Our study focuses on individual signing and batch verification, as individual (sequential) verification is unlikely to be used in practice except at very low vehicle densities, where verification speed is insignificant because relatively few verifications must be executed.
Batch verification times are compared in Figure 4.
Our scheme is comparable to Xiong’s in terms of performance but offers much more robust security guarantees. We note that our scheme’s performance is inferior to the schemes proposed by Zhao, Li, and Thumbur due to our use of the small exponent test. While this test incurs a higher computational cost, it is a necessary measure to prevent Type III attacks.

7. Conclusions and Future Work

This paper presents a cryptanalysis of Xiong’s recently published CLAS scheme [6]. We identify the causes of vulnerabilities in the original scheme and propose countermeasures. Based on this, we construct a new certificateless aggregate signature scheme, CHAM-CLAS, which addresses the identified issues. Finally, we conduct security and performance analyses of our proposed scheme.
While our scheme offers stronger security guarantees, it is relatively less efficient because of the added cost of the small exponent test, which is what keeps batch verification sound against Type III attacks. One future research direction is to investigate approaches that achieve the same security level at a lower computational cost, and to simulate network performance. Additionally, we would like to explore placing our CLAS scheme within a blockchain-based VANET security system in future work.

Author Contributions

Conceptualization, A.K., M.A.A. and H.A.; methodology, A.K.; validation, H.A., M.A.A. and M.R.; formal analysis, A.K.; writing—original draft preparation, A.K.; writing—review and editing, H.A., M.A.A. and M.R.; supervision, H.A. and M.A.A.; funding acquisition, M.R. All authors have read and agreed to the published version of the manuscript.

Funding

This work is supported by National Telecom Regulatory Authority.

Data Availability Statement

No new data were created or analyzed in this study.

Conflicts of Interest

The authors declare that there are no conflicts of interest to report regarding the present study.

References

  1. Nath, H.J.; Choudhury, H. Privacy-Preserving Authentication Protocols in VANET. SN Comput. Sci. 2023, 4, 589.
  2. Zhou, Y.; Wang, Z.; Qiao, Z.; Yang, B.; Zhang, M. An efficient and provably secure identity authentication scheme for VANET. IEEE Internet Things J. 2023, 10, 17170–17183.
  3. Hammi, B.; Monteuuis, J.-P.; Petit, J. PKIs in C-ITS: Security functions, architectures, and projects: A survey. Veh. Commun. 2022, 38, 100531.
  4. Mannoni, V.; Berg, V.; Sesia, S.; Perraud, E. A comparison of the V2X communication systems: ITS-G5 and C-V2X. In Proceedings of the 2019 IEEE 89th Vehicular Technology Conference (VTC2019-Spring), Kuala Lumpur, Malaysia, 28 April–1 May 2019; pp. 1–5.
  5. Cominetti, E.L.; Silva, M.V.M.; Simplicio, M.A., Jr.; Patil, H.K.; Ricardini, J.E. Faster verification of V2X basic safety messages via Message Chaining. Veh. Commun. 2023, 44, 100662.
  6. Xiong, W.; Wang, R.; Wang, Y.; Wei, Y.; Zhou, F.; Luo, X. Improved certificateless aggregate signature scheme against collusion attacks for VANETs. IEEE Syst. J. 2022, 17, 1098–1109.
  7. Krawczyk, H.; Rabin, T. Chameleon hashing and signatures. Cryptol. ePrint Arch. 1998. Available online: https://eprint.iacr.org/1998/010 (accessed on 9 September 2024).
  8. Sheikh, M.S.; Liang, J. A comprehensive survey on VANET security services in traffic management system. Wirel. Commun. Mob. Comput. 2019, 2019, 1–23.
  9. Mundhe, P.; Verma, S.; Venkatesan, S. A comprehensive survey on authentication and privacy-preserving schemes in VANETs. Comput. Sci. Rev. 2021, 41, 100411.
  10. Azam, F.; Yadav, S.K.; Priyadarshi, N.; Padmanaban, S.; Bansal, R.C. A comprehensive review of authentication schemes in a vehicular ad-hoc network. IEEE Access 2021, 9, 31309–31321.
  11. Cahyadi, E.F.; Hwang, M.-S. A comprehensive survey on certificateless aggregate signature in vehicular ad hoc networks. IETE Tech. Rev. 2022, 39, 1265–1276.
  12. Zhao, Y.; Hou, Y.; Wang, L.; Kumari, S.; Khan, M.K.; Xiong, H. An efficient certificateless aggregate signature scheme for the Internet of Vehicles. Trans. Emerg. Telecommun. Technol. 2020, 31, e3708.
  13. Zhu, F.; Yi, X.; Abuadbba, A.; Khalil, I.; Huang, X.; Xu, F. A Security-Enhanced Certificateless Conditional Privacy-Preserving Authentication Scheme for Vehicular Ad Hoc Networks. IEEE Trans. Intell. Transp. Syst. 2023, 24, 10456–10466.
  14. Li, C.; Wu, G.; Xing, L.; Zhu, F.; Zhao, L. An efficient certificateless aggregate signature scheme designed for VANET. J. Comput. Mater. Contin. 2020, 63, 725–742.
  15. Thumbur, G.; Rao, G.S.; Reddy, P.V.; Gayathri, N.; Reddy, D.K.; Padmavathamma, M. Efficient and secure certificateless aggregate signature-based authentication scheme for vehicular ad hoc networks. IEEE Internet Things J. 2020, 8, 1908–1920.
  16. Sharma, S.; Kaul, A. A survey on Intrusion Detection Systems and Honeypot based proactive security mechanisms in VANETs and VANET Cloud. Veh. Commun. 2018, 12, 138–164.
  17. Gonçalves, F.; Ribeiro, B.; Gama, O.; Santos, A.; Costa, A.; Dias, B.; Macedo, J.; Nicolau, M.J. A systematic review on intelligent intrusion detection systems for VANETs. In Proceedings of the 2019 11th International Congress on Ultra Modern Telecommunications and Control Systems and Workshops (ICUMT), Dublin, Ireland, 28–30 October 2019; pp. 1–10.
  18. Bangui, H.; Buhnova, B. Recent advances in machine-learning driven intrusion detection in transportation: Survey. Procedia Comput. Sci. 2021, 184, 877–886.
  19. Pointcheval, D.; Stern, J. Security proofs for signature schemes. In Proceedings of the International Conference on the Theory and Applications of Cryptographic Techniques, Saragossa, Spain, 12–16 May 1996; pp. 387–398.
  20. Hwang, J.Y.; Song, B.; Choi, D.; Jin, S.-H.; Cho, H.S.; Lee, M.-K. Simplified small exponent test for batch verification. Theor. Comput. Sci. 2017, 662, 48–58.
  21. Li, X.; Yin, X.; Ning, J. RelCLAS: A Reliable Malicious KGC-Resistant Certificateless Aggregate Signature Protocol for Vehicular Ad Hoc Networks. IEEE Internet Things J. 2023, 10, 21100–21114.
Figure 1. Visual diagram of Xiong’s scheme.

Figure 2. Attacks on Xiong’s scheme.

Figure 3. (A) Visual diagram of our CHAM-HASH-based CLAS scheme; (B) Batch verification component of our CLAS scheme and proof of correctness.

Figure 4. Batch verification time (in milliseconds) for different values of n (number of signatures).
Table 1. Notations and definitions.

| Notation | Definition |
|---|---|
| CA | Central Authority |
| CH | Chameleon Hash |
| C-ITS | Cooperative Intelligent Transportation System |
| CL | Certificateless (Scheme) |
| CLAS | Certificateless Aggregate Signature (Scheme) |
| CPPA | Conditional Privacy-Preserving Authentication |
| DSRC | Dedicated Short-Range Communications |
| EC(C) | Elliptic Curve (Cryptography) |
| ECDLP | Elliptic Curve Discrete Logarithm Problem |
| GS | Group Signature |
| IBC | Identity-Based Cryptography |
| IBV | Identity-Based Batch Verification (Scheme) |
| IDS | Intrusion Detection Systems |
| KGC | Key Generation Center |
| OBU | On-Board Unit |
| PKI | Public Key Infrastructure |
| PID | Pseudo-Identity |
| PWD | Password |
| RID | Real Identity |
| RSU | Roadside Unit |
| TA/TTP | Trusted Authority/Trusted Third Party |
| TPD | Tamper Proof Device |
| TRA/TRM | Tracing Authority/Tracing Manager |
| VANET | Vehicular Ad Hoc Network |
| V2I | Vehicle-to-Infrastructure |
| V2V | Vehicle-to-Vehicle |
| V2X | Vehicle-to-Everything |
Table 2. Security requirements across domains in VANETs.

| Security Domain | Security Requirement | Solutions | Description |
|---|---|---|---|
| Communication Layer | Authentication | Digital signatures, PKI | Verify the identity of vehicles and infrastructure units. |
| | Data integrity | HMAC, digital signatures | Ensure data have not been tampered with during transmission. |
| | Confidentiality | Encryption (e.g., AES) | Protect sensitive information from eavesdropping. |
| | Non-repudiation | Digital signatures | Prevent entities from denying their actions. |
| | Access control | Role-based access control | Restrict access to network resources based on permissions. |
| Network Layer | Routing security | Secure routing protocols | Prevent malicious routing and forwarding of data. |
| | DoS and DDoS mitigation | Rate limiting, intrusion detection | Defend against denial-of-service attacks. |
| | Secure neighbor discovery | Cryptographic neighbor discovery | Ensure vehicles can trust the identity of neighbors. |
| Application Layer | Vehicle-to-vehicle (V2V) | Secure communication protocols | Secure communication between vehicles. |
| | Vehicle-to-infrastructure (V2I) | Secure communication with RSUs | Ensure trust in roadside units. |
| | Location privacy | Pseudonym management, mixed zones | Protect the privacy of vehicle location information. |
| | Over-the-air updates | Code signing, secure channels | Ensure security when updating software/firmware. |
| Key Management | Key generation and storage | Hardware security modules, key vaults | Securely create and store cryptographic keys. |
| | Key distribution | PKI, certificate revocation lists | Safely share keys with authorized entities. |
| | Key revocation | Certificate revocation lists | Deactivate compromised or unauthorized keys. |
| Trust Management | Reputation systems | Trustworthiness metrics | Assess the trustworthiness of other network entities. |
| | Anomaly detection | Intrusion detection systems | Detect and respond to unusual network behavior. |
| Physical Layer | Jamming resistance | Frequency hopping, signal strength analysis | Protect against signal jamming attacks. |
| | Secure hardware | Hardware security modules | Ensure the security of on-board vehicle equipment. |
| Regulatory Compliance | Compliance with standards | Adherence to industry standards | Meet legal and industry standards for VANET security. |
| | Privacy regulations | Data anonymization, consent management | Adhere to data protection laws and regulations. |
| Lifecycle Management | Secure deployment | Secure boot process, firmware signing | Ensure secure VANET deployment and initial setup. |
| | Monitoring and auditing | Security information and event management (SIEM) | Continuously monitor and audit network activities. |
| | Incident response | Incident response plans | Develop procedures to respond to security incidents. |
Table 3. CLAS scheme algorithms.

| Algorithm | Inputs | Outputs | By |
|---|---|---|---|
| Setup | 1^λ | s, α, pp_a | TA |
| PIDGen | pp_a, RID_i | PID_i | V_i |
| PIDAuth | pp_a, PID_i, C, x | D_i | TRM |
| PKGen | pp_a, s, PID_i | A_i, ppk_i | KGC |
| UKGen | pp_a | x_i, upk_i | V_i |
| Sign | pp_a, ID_i, ppk_i, x_i, M_i | (δ_i, U_i) | V_i |
| Verify | pp_a, ID_i, upk_i, m_i, A_i, (δ_i, U_i) | d ∈ [0,1] | V_j |
| Batch Verify | {pp_a, ID_i, upk_i, m_i, A_i, (δ_i, U_i)}_{i=1}^{n} | d ∈ [0,1] | V_j |

Notations: 1^λ: security parameter; s: KGC secret key; α: TRM secret key; pp_a: system parameters; C, x: chameleon hash values; RID_i: the real identity of vehicle V_i; ppk_i: partial secret key; A_i: partial public key; x_i: user secret key; upk_i: user public key; t_i: timestamp; M_i: message; d: decision; (δ_i, U_i): signature.
Table 4. CLAS scheme queries.

| Query | Definition |
|---|---|
| Partial Key | Given a user's identity ID_i, C executes PKGen to obtain the partial key (ppk_i, A_i) and sends it to A. |
| User Key | Given PID_i, C invokes UKGen to obtain the user key (x_i, upk_i) and sends it to A. Note that C will return   to A if ID_i has already appeared in the Public Key Replace query. |
| Public Key Replace | Upon receiving A's query on PID_i, C replaces (upk_i, A_i) with (upk_i', A_i') and returns (upk_i', A_i') to A. |
| Sign | Upon receiving A's query on (PID_i, m_i), C executes Sign to generate a signature (δ_i, U_i) and returns it to A. |
| Key Corrupt | Upon receiving this query on PID_i, C executes PKGen and UKGen to generate the secret key (ppk_i, x_i) and returns it to A_3. |
| Aggregate Verify | Upon receiving this query of δ on {PID_i, A_i, upk_i, m_i, U_i}_{i=1}^{n}, C executes AggVerify to obtain a verification decision d ∈ [0,1] and returns it to A_3. |
Table 5. CLAS security games.

| Phase | Game 1 | Game 2 | Game 3 |
|---|---|---|---|
| Adversary (A) | A_1 | A_2 | A_3 |
| Setup Phase | A_1 receives pp_a | A_2 receives s, pp_a | A_3 receives pp_a |
| Query Phase | Partial Key, User Key, Public Key Replace, Sign | Partial Key, User Key, Sign | Key Corrupt, Aggregate Verify |
| Forgery | A_1 outputs its forgery (δ_i*, U_i*) for m_i* under (PID_i*, A_i*, upk_i*). | A_2 outputs its forgery (δ_i*, U_i*) for m_i* under (PID_i*, A_i*, upk_i*). | A_3 outputs a forgery δ* on {PID_i*, U_i*, A_i, upk_i*, m_i*}_{i=1}^{n}. |
| A wins the game if | (1) The signature (δ_i*, U_i*) is valid on m_i* under (PID_i*, A_i*). (2) PID_i* and (PID_i*, m_i*) have not been submitted to the Partial Key and Sign query, respectively. | (1) The signature (δ_i*, U_i*) is valid on m_i* under (PID_i*, A_i*). (2) PID_i* and (PID_i*, m_i*) have not been submitted to the User Key and Sign query, respectively. | (1) All single signatures are compressed into the valid δ*. (2) At least one single signature cannot pass through the verification equation. |
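Game 3 above is exactly the situation the small exponent test mentioned in the conclusion guards against: an aggregate that passes the batch equation although one of its constituent signatures is invalid. The following Python example is added here to make that concrete; it is not code from the paper or its authors. It uses a toy Schnorr-style signature in a prime-order subgroup of Z_p^* as a stand-in for the paper's ECC-based CLAS scheme (the batch-verification algebra, a linear combination of the per-signature verification equations, is the same in both settings), and the group parameters p, q, g, the key pairs, the messages and the tampering routine are all constructed for the demonstration. It shows that a plain batch check (all weights equal to 1) accepts two individually invalid signatures whose errors cancel, and that weighting each signature with a fresh random small exponent rejects the same batch.

```python
import hashlib
import random

# Constructed toy group (an assumption, not the paper's curve): p = 2q + 1 with
# q prime, and g = 4 generates the order-q subgroup of Z_p^*.  A deployment
# would use an elliptic-curve group of ~256-bit order; the batch algebra below
# is unchanged there (scalar multiplications replace exponentiations).
P = 2039
Q = 1019
G = 4


def _challenge(r: int, msg: bytes) -> int:
    """Fiat-Shamir challenge c = H(R || m) mod q."""
    h = hashlib.sha256(r.to_bytes(2, "big") + msg).digest()
    return int.from_bytes(h, "big") % Q


def keygen(rng: random.Random):
    """Return (secret x, public y = g^x mod p)."""
    x = rng.randrange(1, Q)
    return x, pow(G, x, P)


def sign(x: int, msg: bytes, rng: random.Random):
    """Schnorr-style signature (R, s) with R = g^k and s = k + c*x mod q."""
    k = rng.randrange(1, Q)
    r = pow(G, k, P)
    s = (k + _challenge(r, msg) * x) % Q
    return r, s


def verify(y: int, msg: bytes, sig) -> bool:
    """Single-signature check: g^s == R * y^c mod p."""
    r, s = sig
    return pow(G, s, P) == (r * pow(y, _challenge(r, msg), P)) % P


def batch_verify(pks, msgs, sigs, exps) -> bool:
    """Weighted batch check: g^(sum e_i*s_i) == prod (R_i * y_i^c_i)^e_i.

    exps == [1]*n is the plain batch, which only tests the SUM of the s_i:
    any set of per-signature errors that cancels in that sum is accepted."""
    lhs_exp, rhs = 0, 1
    for y, m, (r, s), e in zip(pks, msgs, sigs, exps):
        c = _challenge(r, m)
        lhs_exp = (lhs_exp + e * s) % Q
        rhs = (rhs * pow((r * pow(y, c, P)) % P, e, P)) % P
    return pow(G, lhs_exp, P) == rhs


def small_exponent_batch_verify(pks, msgs, sigs, rng, bits=8) -> bool:
    """Small exponent test: the verifier draws fresh random l-bit weights, so a
    cancelling error survives only if the weights happen to make it cancel
    again, which for two signatures means e_1 == e_2 (probability ~2^-l)."""
    exps = [rng.randrange(1, 1 << bits) for _ in sigs]
    return batch_verify(pks, msgs, sigs, exps)


def tamper_cancelling(sigs, d=7):
    """Constructed Game-3-style aggregate: shift two valid s-values by +d and
    -d so their sum is unchanged.  Neither signature verifies on its own."""
    (r1, s1), (r2, s2) = sigs[0], sigs[1]
    return [(r1, (s1 + d) % Q), (r2, (s2 - d) % Q)] + list(sigs[2:])


def build_scenario(seed=1):
    """Constructed sample input: two signers and two beacon-style messages."""
    rng = random.Random(seed)
    keys = [keygen(rng) for _ in range(2)]
    msgs = [b"BSM: lane 2, 60 km/h", b"BSM: hard braking"]
    sigs = [sign(x, m, rng) for (x, _), m in zip(keys, msgs)]
    return [y for _, y in keys], msgs, sigs, rng


if __name__ == "__main__":
    pks, msgs, sigs, rng = build_scenario()
    bad = tamper_cancelling(sigs)
    print("honest, plain batch      :", batch_verify(pks, msgs, sigs, [1, 1]))
    print("tampered, each alone     :", [verify(y, m, s) for y, m, s in zip(pks, msgs, bad)])
    print("tampered, plain batch    :", batch_verify(pks, msgs, bad, [1, 1]))
    print("tampered, small exponents:", small_exponent_batch_verify(pks, msgs, bad, rng))
```

The extra cost the conclusion refers to is visible in `batch_verify`: with random weights, each right-hand term must be raised to its own exponent (in ECC, one more scalar multiplication per signature), whereas the plain batch only needs the products. The weights must be chosen by the verifier after the aggregate is received and never reused, otherwise the adversary can precompute a cancelling error for them.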
Table 6. Query–response protocols between A_1 and B.

| Notation | Query by A_1 | B checks | Exists | Does Not Exist |
|---|---|---|---|---|
| Z_2 = (PID_i, A_i) | H_2: Input: Z_2 | (Z_2, h_{2,i}) ∈ L_2 | Returns h_{2,i} to A_1 | Selects h_{2,i} ∈ Z_q*; adds (Z_2, h_{2,i}) to L_2; returns h_{2,i} to A_1 |
| Z_3 = (M_i, PID_i, t_i, upk_i) | H_3: Input: Z_3 | (Z_3, h_{3,i}) ∈ L_3 | Returns h_{3,i} to A_1 | Selects h_{3,i} ∈ Z_q*; adds (Z_3, h_{3,i}) to L_3; returns h_{3,i} to A_1 |
| Z_4 = (PID_i, A_i, ppk_i) | Partial Key Query: Input: PID_i | PID_i ≠ PID*; Z_4 ∈ L_4 | Returns Z_4 to A_1 | Selects ppk_i, h_{2,i} ∈ Z_q*; sets A_i = ppk_i P  h_{2,i} P_pub; sets h_{2,i} = H_2(A_i, ID_i, 2); adds (ID_i, A_i, h_{2,i}) to L_2; adds Z_4 to L_4; outputs Z_4 |
| Z_5 = (ID_i, x_i, upk_i, , ) | User Key Query: Input: PID_i | PID_i ≠ PID*; Z_5 ∈ L_5 | Returns Z_5 to A_1 | Selects x_i ∈ Z_q*; computes upk_i = x_i P; adds Z_5 to L_5; outputs Z_5 |
| | Pub Key Query: Input: PID_i | | Operates Partial Key Query and User Key Query; returns (upk_i, A_i) to A_1 | |
| Z_5' = (ID_i, x_i, upk_i, , upk_i') | Pub Key Replace Query: Input: PID_i | Finds Z_5 in L_5 | Replaces it with Z_5' | |
| | Sign Query: Input: (PID_i, m_i) | PID_i ≠ PID* | Traverses L_2 to L_5 to get h_{2,i}, h_{3,i}, A_i, upk_i respectively; selects δ_i ∈ Z_q*; computes U_i = h_{4,i}^{-1}(δ_i P  A_i  h_{3,i} upk_i  h_{2,i} P_pub); sends σ_i = (δ_i, U_i) to A_1 | |
Table 7. Execution time of basic operations.

| Symbol | Notation | Time (ms) |
|---|---|---|
| T_m^ecc | Scalar multiplication in ECC | 0.3158 |
| T_a^ecc | Addition in ECC | 0.0026 |
| T_h | Hash operation | 0.0008 |
Table 8. Performance comparison of ECC-based CLAS schemes.

| Scheme | Phase | T_m^ecc | T_a^ecc | T_h | Total (ms) |
|---|---|---|---|---|---|
| Zhao 2020 [12] | S | 1 | – | 2 * | 0.3174 |
| | BV | 2n + 1 * | 3n * | 2n * | 0.641n + 0.3518 |
| Zhou 2023 [2] | S | 1 | – | 2 | 0.3174 |
| | BV | 3n + 1 * | 3n − 3 * | 3n | 0.9576n + 0.308 |
| Zhu 2023 [13] | S | 1 | – | 2 | 0.3174 |
| | BV | 3n + 2 * | 3n * | 3n | 0.9576n + 0.6316 |
| Li 2020 [14] | S | 1 | – | 3 | 0.3182 |
| | BV | 2n + 3 * | 2n * | 3n | 0.6392n + 0.9474 |
| Li 2023 [21] | S | 4 * | 1 * | 1 * | 1.4106 |
| | BV | 2n + 2 | 3n | 3n | 0.6418n + 0.6316 |
| Thumbur 2020 [15] | S | 1 | – | 2 | 0.3174 |
| | BV | 2n + 1 | 3n − 1 | 2n * | 0.641n + 0.3132 |
| Xiong 2022 [6] | S | 1 * | – | 1 * | 0.3166 |
| | BV | 3n + 1 * | 2n − 1 * | 2 | 0.9542n + 0.3148 |
| Our scheme | S | 1 | – | 1 | 0.3166 |
| | BV | 3n + 2 | 3n | n | 0.956n + 0.6316 |

S: signing; BV: batch verification; n: number of operations. Time is measured in milliseconds.
Kabil, A.; Aslan, H.; Azer, M.A.; Rasslan, M. CHAM-CLAS: A Certificateless Aggregate Signature Scheme with Chameleon Hashing-Based Identity Authentication for VANETs. Cryptography 2024, 8, 43. https://doi.org/10.3390/cryptography8030043