1. Introduction
The rapid popularization of smart devices has spawned a large number of Internet of Things (IoT) applications, one of which is the Internet of Vehicles (IoV). The reason why vehicles tend to outsource computing tasks that include road conditions and vehicle information to cloud servers during their travel is that the computing resources are limited. Edge computing can improve the response speed and user experience. As a bridge between users and cloud servers, on the one hand, they improve response speed by sharing part of the cloud computing, while users with the limited resource can rely on them to reduce computing pressure. One specific implementation is the Intelligent Transport System (ITS) [
1,
2], as shown in
Figure 1, which is used to help users receive the best driving plan in current road and traffic conditions as soon as possible. There are four participants in ITS: User, road side unit (RSU, which can be seen as an edge server), cloud server, and car manufacturers. The car manufacturer dispatches functions for making a driving plan for the cloud server. The edge server downloads the function from the cloud server. The user sends vehicle parameters to the edge server. The edge server returns results to the user.
However, ITS has the following problems: (1) The cloud server may tamper with the functions uploaded by the car manufacturer, and the edge server may provide users with incorrect results [
3]. (2) When a user is driving, the vehicle needs to switch among RSUs that serve different areas. To verify signature messages from a specific RSU, a large public key list is needed [
4]. This results in overhead storage for users and overhead computation for finding public keys (3) Once a user receives messages from an edge server that it has never met, frequent communication brought by public key transmission will cause delays (4) If the identity of the edge server is exposed, adversaries can use the same attack method to threaten edge servers with similar configurations.
From the example of IoV, the requirements for edge computing are as follows: (1) Results returned by the edge server should be verifiable, and a dishonest edge server can be revoked. (2) The time for the user to verify the result and the number of keys stored should be minimized. (3) Key transmission processes between users and new edge servers should be minimized. (4) The identity of the edge server should be anonymous to users.
For requirement 1, verifiable computation (VC) [
5] can be used to ensure the result is correct. However, the verifier in VC schemes can only be the user or the one he specified. Other participants cannot believe in the verification processes or the reliability of results. Therefore, Parno [
6] first proposed publicly verifiable computation (PVC) to solve these defects. Since then, Fiore [
7] expanded PVC to evaluate the higher-degree polynomial and matrix multiplication. Catalano [
8] introduced a one-way function and RSA mathematical hypothesis to improve the computing speed. However, the verification process of the former uses low-efficiency bilinear pairing, and the practical implementation of the latter is very complex. Polynomial commitment [
9] achieves two basic goals: making a commitment to a polynomial and providing proof that a specific point belongs to the polynomial. Therefore, the polynomial commitment can be used to improve the efficiency of existing PVC solutions. To revoke dishonest edge servers, James [
10] applies the revocable key policy attribute encryption [
11,
12] to PVC. However, such schemes are based on time-consuming operations such as encryption and decryption, as meanwhile, the revoking process will cause other participants to synchronize the key list. In addition, the latest research [
13,
14,
15] requires either a trusted computing environment such as SGX or specific hardware support, thus, the scope of their application is limited. Therefore, revocable group signatures are recommended to revoke dishonest edge servers.
For requirements 2–4, group signature schemes are suitable. That is because any group member can make signatures stand for the whole group, and anyone outside the group cannot forge the signature. Verifiers can verify the signature with only one group public key. The verifier only knows that the signature is from a member of the group, but cannot distinguish the specific signer. The group manager can open a group signature to trace the specific signer. When applied to an edge computing scenario, edge servers can form a group and set up a group manager. For users, only one group public key is required to verify any edge server signed results, thus, reducing delay and key storage. There will be no key transmission process between users and the new edge server, moreover, the identity of the edge server is anonymous to users. The group manager can trace the signature of incorrect results to find the dishonest edge servers, so, a revocable group signature is recommended for revoking their computing ability.
The classical group signature scheme proposed by Camenisch [
16] cannot revoke group members. To make group signature revocable, Song [
17] proposed a revocable group signature scheme to ensure forward security. However, the time cost increases linearly with the number of group members. Camenisch [
18] proposed an accumulator solution, but once the group members join or quit the group frequently, the members still in the group need to update their credentials continually. Inspired by Boneh [
19], Brickell [
20] presents a revocation list (RL) solution that keeps members in the group from frequently updating their credentials. However, the final signature of this scheme contains nine parts, which leads to the extremely tedious verification process. Moreover, the drawback of the latest research [
21] is that there is not an extremely strong privacy demand in an IoV scenario, which will cause resource waste. At the same time, ref. [
22,
23] based on merkle hash tree, suggested that the storage and computational overhead vary superlinearly along with the number of users who frequently join or quit An attribute tree using secret sharing [
24] and Lagrange interpolation impels the users satisfying certain attributes and can decrypt messages under the broadcast encryption [
25]. The idea of subset covering or subset difference [
26,
27] in an attribute tree to reduce search time and communication cost can be used to improve revocable group signature.
Our contributions are as follows:
We propose a revocable publicly verifiable computation (RPVC) model. Its main ideas are: Using the properties of PVC to ensure the results returned by the edge server are reliable. Using the properties of group signature to reduce the cost of verification and key storage for users, and keep edge server identity anonymous. If the group signature is revocable, the group manager can trace and revoke the dishonest edge server.
After analyzing the RPVC threat model, four security goals of the RPVC model are summarized according to possible attack methods and available information for adversaries: function binding, result reliability, anonymity, and revocability.
An RPVC scheme is given. The scheme speeds up the PVC proof generation and verification time with the help of polynomial commitment and improves the revocable group signature with a subset covering idea. Finally, the correctness analysis and security proof of the scheme are provided.
We implemented the RPVC scheme, and experiments show that the time delay and storage cost of the RPVC scheme is acceptable when it is applied to edge computing scenarios.
7. Performance Analysis
In
Table 2, we compare other existing group signature schemes in the IoV scenario with RPVC. The results in
Table 2 show that our scheme uses a superior audit method to find the dishonest participants, and the core cryptographic algorithm is the non-interactive zero-knowledge signature, which is mainly based on a hash function that is more efficient than existing schemes. Besides, RPVC updates the SCST at a regular time, which provides participants with more fault tolerance.
Some basic assumptions in the experiments are as follows: The service radius of RSU is about 2.5 km [
47], users’ vehicle speed is not more than 180 km/h. 3G network speed is about 300 KB/s, 4G network speed is about 2.4 MB/s [
48]. The reaction time of a driving human to brake is 600–1400 ms [
49].
The test contains two parts: One is the process of the edge server applying to join edge computing and the auditor revokes a dishonest edge server, the other one is the user asking for outsourcing computing and receiving verifiable reliable results. The former has three test items: (1) The execution time for the auditor. (2) The size of which the user received from the auditor. (3) The storage space consumed by the user. The latter also has three test items: (4) The extra cost for the edge server to apply RPVC. (5) The time consumed for user verification. (6) The total time delay after applying RPVC.
For test item 1, the execution time for the auditor can be divided into the time to add the edge server into the group and the time to generate
. As shown in
Table 3, the time to add an edge server into the group is about 27.996 ms, which is independent of the scale of the edge server. As shown in
Table 4, with edge servers scale increase in the group, the time of the auditor adding or removing an edge server increases proportionally. However, even if the number of edge server reaches
(RSU service can cover about 321,700 km
), the auditor can generate
within 1 ms. The driving distance is only 1.45 m during the user vehicle receives
at the highest speed, far less than the service radius of RSU. That is, users have enough time to safely synchronize the current valid edge server. For test item 2, as shown in
Table 4, the size of
is independent from the scale of the edge server,
is only about 5 kB. For test item 3, the local storage space for the user is multiplied with the increase of the edge server scale, which is shown in
Table 5. However, even when the number of edge servers comes up to
, storage is less than 15 MB.
In test items 4–6, we set the degree of polynomial and input
x as independent variables, the time cost as dependent variable (default is ns,
s). The rule to choose the independent variable
x is: randomly select a value from each range, ranges including
. Results of test item 4 are shown in
Figure 6a, the extra cost of applying the RPVC proportionally tothe polynomial degree, the larger the
x, the smaller the curve fluctuation. For test item 5, as shown in
Figure 6b, the time of user verification fluctuates between 36 ms and 38 ms, which is less affected by independent variables.
Figure 6c indicates the total extra time delay brought by the RPVC application. Even if the degree of a polynomial function is up to 100, the total delay is less than 100 ms, which is far less than the driver’s reaction time [
49].
From the above six test items, it is clear that the RPVC can be used to improve the security of existing edge computing applications. We can summarize the key influencing factor from
Figure 7: if the polynomial degree is larger than 40, the performance of the edge server takes the most portion of total time delay, the portion gets larger with the increase of degree. So, a better edge server may expand the application scope of the RPVC.
8. Discussion
For the requirements of edge computing in the IoV scenario, the RPVC first achieves the goal of results returned by the edge server being verifiable. At the same time, the identity of the edge server is anonymous to user vehicles and a dishonest edge server can be revoked. From the test results, when a new edge server takes part in outsourced computing, user vehicles do not need to exchange keys with it. The time in which the auditor adds one edge server into the group can be fixed, nearly 28 ms that is independent of the scale of the edge server. The time of user vehicles receiving SCST mainly depends on the communication delay because the generated speed of SCST is less than 1 ms. Though the total delay for user vehicles increases with the degree of the polynomial, it is less than 95 ms when the degree is up to 100 (a very complex computation). Furthermore, the storage overhead is acceptable for user vehicles, even if the number of edge servers comes up to , storage demand is less than 15 MB.
The low delay and overhead are owed to the subset covering complete tree and non-interactive zero-knowledge signature. SCST makes user queries faster than iterating local revoke lists at a small cost. Besides, the non-interactive zero-knowledge signature is mainly based on the hash function, which is more efficient than other large number or exponent multiply schemes. The practical applications of the research can be used to assist the construction of intelligent transportation or vehicle networking.
For future work, we will first reduce the size of SCST for the larger scale of the edge server. Next, machine learning and federated learning can be introduced to improve the performance of edge servers, good solutions can be found in [
50,
51,
52]. In addition, different regions have different traffic rules and habits, these should be considered. Finally, we will extend the outsource function to varied forms, such as verifiable matrix computation.
9. Conclusions
In this article, we proposed an RPVC model for the edge computing scenario which can be used in IoV applications. The RPVC model cannot only ensure the results returned by edge servers are reliable, but can also revoke dishonest edge servers. The following security proofs show that the RPVC has characteristics of function binding, result reliability, anonymity, and revocability. Experiments show that a new edge server which takes part in edge computing does not need transfer keys to users, and an auditor can approve the request in a fixed time (28 ms). Due to the SCST, users have a low overhead storage and a faster query time, even when the number of edge servers came up to , storage demand is less than 15 MB. Because of the non-interactive zero-knowledge signature, even the degree of outsource function up to 100, the total delay of users is about 95 ms. Thus, applying RPVC to existing IoV applications is acceptable. In the future, we are committed to reducing the size of SCST, trying to introduce machine learning or federated learning to improve the performance of edge servers and supporting verifiable matrix computation.