A Certificateless Online/Offline Aggregate Signcryption Scheme against Collusion Attacks Based on Fog Computing

Abstract

The certificateless online/offline aggregate signcryption scheme combines the characteristics of the certificateless aggregate signcryption scheme and the online/offline encryption scheme, which can increase efficiency while simultaneously reducing consumption. Some schemes can meet the requirements of confidentiality and real-time transmission of the data in ad hoc networks (VANETS). However, they are unable to withstand collusion attempts. A brand-new certificateless aggregate signcryption approach is suggested to overcome this problem. First, combining fog computing with online/offline encryption (OOE) technology can increase efficiency while simultaneously reducing consumption. Second, we may achieve effective information authentication and vehicle identification using aggregation and vehicle pseudonym systems. Third, the anti-collusion component is suggested as a viable defense against collusion assaults since certain methods are unable to withstand such attacks. Additionally, it is demonstrated that the technique has unforgeability and secrecy, and can fend off collusion attacks using the random oracle model. The findings demonstrate that our system can not only ensure the confidentiality and the real-time transmission of data but also resist collusion attacks without raising computational costs.

1. Introduction

With the development of science and technology, autonomous driving technology has been implemented; however, further research is needed on how to achieve reliable autonomous driving in various weather and road conditions. In order to detect external information such as road conditions and provide better service for users, vehicular ad hoc networks (VANETs) have been created [1].

To better process these data in VANETS, Eric Schmidt, then Google’s CEO, first proposed the concept of cloud computing at the Search Engine Conference in 2006. In the cloud architecture, as shown in Figure 1, all data are first sent to the cloud, processed by the cloud server, and then returned to the user. However, global mobile data are showing exponential growth, and some new applications have higher requirements for data transmission speed and efficiency, for example, autonomous driving. This has led to the gradual emergence of cloud computing issues based on cloud architectures. The process of transmitting data from sensing devices to cloud servers for data processing requires a long communication link, which can result in high latency. This characteristic is not suitable for VANETs that require high real-time data requirements.

Based on the above issue, Carnegie Mellon University proposed the concept of micro-clouds in 2009 [2], this can be said to be the embryonic form of fog computing. Cisco first proposed the concept of “fog computing” at the Cisco Live 2014 conference [3]. Fog computing is an extended concept of cloud computing; as shown in Figure 2, it is located between cloud servers and end users and provides them with services [4]. In the fog architecture, fog nodes are composed of a large number of weaker and more dispersed computable devices that can perform preliminary processing and analysis of data from users near the edge [5], and finally send the final results to the cloud center for long-term storage. In summary, the fog-based architecture supports mobility, location awareness, and low latency, which is suitable for VANETs.

With the development of the Internet of Vehicles, there are not only increasingly improved technologies but also inevitable safety issues, and thus the safety issues of the Internet of Vehicles have attracted more and more of people’s attention [6]. For example, in the Internet of Vehicles, attackers can eavesdrop on public channels to obtain some identity information related to vehicle users or directly eavesdrop on sent messages for further attacks. Similarly, attackers can also intercept the information sent by vehicle users and tamper with it before sending it to the fog node. In this way, the fog node will feedback to the user with incorrect decisions, and in severe cases, it can also cause irreversible results. To avoid the aforementioned attacks, it is essential to sign, authenticate, and encrypt messages, as well as authenticate user identities during communication in the Internet of Vehicles. However, the massive amount of data in the Internet of Vehicles can result in significant computing and communication costs. Thus, building a more efficient and secure solution is well worth exploring.

In previous schemes, signature and encryption were separated, but over time, signcryption technology gradually evolved. It achieves both signature and encryption in one step, reducing costs while achieving confidentiality, integrity, authenticity, reliability, and nonrepudiation [7,8]. In recent years, there have been many algorithms based on public key infrastructure (PKI) cryptography that fall under public-key cryptography. However, due to the exponential growth of intelligent devices in the Internet of Vehicles, this signcryption algorithm can cause serious certificate management problems. Although identity-based cryptography (IDBC) algorithms solve the problem of digital certificate management in the Internet of Vehicles, the concern of key escrow still persists. To address the above issues, Al-Riyami et al. [9] proposed a new scheme. In this scheme, KGC only generates a portion of the user’s public and private keys, and the complete public and private keys are generated by themselves. Even KGC cannot acquire the user’s complete private key, which fundamentally solves the problem of key escrow.

The certificateless aggregate signcryption system (CLASC) and online/offline encryption (OOE) are presented in order to further increase the workpiece ratio. While aggregation technology can combine several ciphertexts into one for batch verification in CLASC, signcryption technology can accomplish the signature and encryption in one step, saving time consumption. Online/offline encryption enhances efficiency while further enhancing the security of the scheme. A better CLASC was suggested by Eslami et al. [10] and Basudan et al. [11], considerably enhancing security. The developers of the technique [12] proposed an identity-based online/offline scheme that drastically reduced computational costs.

1.1. Related Work

In this section, the advancement of the fog architecture is reviewed first, and then CLASC and OOE encryption technologies are introduced. Ultimately, we explain a prevalent attack in the Internet of Vehicles known as a collusion attack and how our system utilizes these technologies to defend against collusion attacks.

1.1.1. Fog Architecture

With the exponential growth of data, traditional methods of sending data to cloud servers for processing can no longer meet people’s real-time demands. This problem has been effectively solved by the appearance of fog computing [13]. The framework of fog computing is made up of three layers, including the end user layer, cloud server layer, and fog node layer. The fog nodes are located between cloud servers and end users and provides them with services [4]. In the fog architecture, fog nodes are constituted of a large number of weaker and more dispersed computable devices that can perform preliminary processing and analysis of data from users near the edge, and finally send the final results to the cloud center for long-term storage [14]. Dastjerdi et al. [14] introduced the idea of fog computing, and represented the point of fog computing and its lurking applications in IoT. Fog computing can be applied in multiple fields of IoT, including smart cities, health care, intelligent traffic systems, and so on. Especially in VANETs, fog computing decreases the waiting time. Erskine et al. [15] combined fog computing with other algorithms, which enhanced the security and efficiency in VANETs. Furthermore, one of the top advantages of fog computing is that it has the capability to back sensor networks on a large scale. In summary, the fog-based architecture supports mobility, location awareness, and low latency, which is suitable for VANETs.

1.1.2. Scheme for Certificateless Aggregate Signcryption

Key escrow is no longer an issue because of the development of certificateless aggregate signcryption technology, which also resolves user public key distribution and digital certificate management issues [16]. Batch verification is accomplished by combining numerous ciphertexts using aggregation technology, which significantly increases the verification efficiency. A CLASC system was proposed by Lu and Xie [17], whilst a CASCF scheme was proposed by Kim et al. [18]. Nevertheless, both of them were inefficient since they needed bilinear pairings. Thus, it is imperative to design the CLASC scheme without bilinear pairings [19] in order to maximize efficiency. The authors in [16] throughly examined some of the most popular certificateless aggregation signcryption schemes in terms of computation and communication costs. From the scheme in [16], we can draw the conclusion that it is necessary to design a scheme without using bilinear pairings in the recent stage. To make sure of the safe and strong communication in the transportation networks, a pairing-free certificateless aggregate signcryption scheme was designed in [19]. Without using pairings, this scheme improved efficiency compared with other schemes.

1.1.3. Technology for Online and Offline Encryption

There are two stages in the OOE process: offline and online. It performs a large number of labor-intensive tasks while offline without knowing the encrypted message. However, it only performs light actions during the online phase. Online encryption will thus likely advance quickly. An online/offline heterogeneous signcryption technique that offers a workable solution for disparate mechanisms between CLC and PKI was presented by Hou et al. [20]. Additionally, a more effective and cost-effective online/offline encryption system based on identification with brief ciphertext was presented by Lai et al. [21]. In [22], a certificateless online/offline signcryption scheme proposed by An et al. was designed to ensure data unforgeability and confidentiality, enabling secure, lightweight data sharing in smart home systems. Compared with other schemes, it reduced communication costs as well as computation costs.

1.1.4. Collusion Attack

Collusion attacks often occur in the Internet of Vehicles, such as two attackers maliciously exchanging their signcryption information, which can be verified successfully. This can have the potential to be highly dangerous and even cause irreversible damage to the vehicles. Cui et al. [23] proposed an efficient and safe road condition monitoring scheme, which was very suitable for the Internet of Vehicles; however, it could not resist collusion attacks. Combined with Pan et al. [24] and Cui et al. [23], we propose a new certificateless online/offline aggregate signcryption scheme based on fog computing, which is not only suitable for the Internet of Vehicles but also can resist collusion attacks.

1.2. Research Contributions

Nowadays, some schemes cannot meet the requirement of real-time transmission of the data in VANETs or cannot resist collusion attacks [23]. In [23], the authors proposed a certificateless aggregate signcryption scheme combined with online/offline encryption to monitor the condition of the road, which made real-time transmission possible. First, by using fog computing, their scheme can well support low latency, and this is very important in VANETS. Second, their scheme combined the certificateless aggregate signcryption scheme with online/offline encryption, which not only enhanced the security of the scheme, but also reduced the cost of time at the same time. However, the proposed scheme in [23] cannot resist collusion attacks. The discovered disadvantage means that the vehicles may be dangerous in some conditions when attackers deliberately trade their signcryption information. To better overcome the above issue, our scheme is proposed. The details of the contribution of our scheme are listed below.

• We suggest the anti-collusion component to thwart this type of assault, which is known as a collusion attack, taking into account that in particular schemes two vehicles might deliberately trade their signcryption information. This exchange can be successfully validated. Compared with the existing the scheme in [23], our proposed scheme can effectively resist collusion attacks;
• Based on the proposed scheme, we use fog computing to design a certificateless online/offline aggregate signcryption, which enhances the security of data and increases efficiency in the VANETs. The scheme realizes mutual authentication, anonymity, undeniability, untraceability, and confidentiality;
• In VANETs, the authentication of vehicle identity and the privacy of the messages as well as vehicles are both important [25]. In our scheme, we not only protect the privacy of messages but also use a vehicle pseudonym system to secure the privacy of vehicles as well as realize vehicle identification.

1.3. Paper Structure

The remainder of the paper is constructed as below. To begin with, we introduce the system model, attack model, and design objectives in Section 2. In Section 3, we list some essential knowledge. Our scheme is described in Section 4. In Section 5 and Section 6, the security analysis and performance analysis of our scheme are presented. Lastly, we present the conclusion of the whole paper.

2. System Model, Attack Model, and Design objectives

The following is a description of the proposed scheme’s detailed system model, attack model, and design objectives.

2.1. System Model

Our scheme sets up a total of five entities in combination with the Internet of Vehicles scenario, e.g., intelligent devices, RSU as a fog device, the TA as the trust authority, KGC as the key generation center, and CS as the cloud server. The architecture of our scheme is shown in Figure 3.

• Intelligent devices are always embedded in vehicles to send signals, location, and road events and accept relevant information;
• The RSU is regarded as a fog device since it is closer than a cloud. It can process data in real-time while having less computational and storage capacity than the cloud;
• The system’s cloud server is designated as CS. The data will be sent here for long-term storage following processing at the RSU. Fog devices offer mobility, location awareness, and low latency in contrast to transmitting all of the sensor’s data straight to the cloud;
• The TA is a trusted authority, playing a crucial role in system initialization and vehicle pseudonym generation;
• KGC, a dependable organization, is in charge of setting up the system and producing a portion of the customers’ private keys. In particular, it cannot access the private data of RSUs and sensors.

2.2. Attack Model

In this article, we make the assumption that RSU and user communication takes place over unsecured channels. It is clear that security risks exist for data transferred by the sensor or RSU. There are typically two different types of attacks in the LoV: passive attacks and active attacks.

Passive assaults, commonly referred to as eavesdropping, target a system’s secrecy. The content of the communication can be obtained by two different passive assaults: message attacks and traffic analysis attacks.

• Attack obtaining the content of the message: Attackers can obtain user identity information or encrypted messages through eavesdropping on public channels or for further attacks;
• Traffic analysis attack: By observing and analyzing message patterns, the attackers can obtain the format of the message and determine the location and identity of both communication parties, which is sensitive to drivers.

Active attacks are initiated by attackers, including replay attacks, tampering attacks, and denial of service.

• Reply attack: The attacker sends the ciphertext that the RSU has received and verified successfully to deceive the system;
• Tampering attack: Attackers may modify the information originally sent, causing the RSU to receive incorrect information and make incorrect decisions;
• Denial of service: The attacker delivers the ciphertext that the RSU has successfully received and validated in a reply to trick the system.

2.3. Design Objectives

This study proposes a new collusion-resistant certificateless online/offline aggregate signcryption system based on fog computing. We want to fulfill the following requirements [26,27]:

• Mutual authentication: It is required between the RSU and the user in order to confirm the legitimacy of the network’s members;
• Vehicle identity verification: By verifying the vehicle’s identity through the TA, the sender of the message can be determined, enabling the tracking of malicious users to ensure the security of the vehicle’s environment;
• The user anonymity: All users who send messages must be anonymous to ensure the privacy of their information;
• Untraceability: Although the enemy intercepted the communication message, they were unable to track the user’s behavior;
• Undeniability: When a vehicle is involved in the authentication scheme, no vehicle can deny its behavior;
• Low computing cost: In the context of limited bandwidth, it is necessary to meet the requirement of low computing cost. Our proposed scheme is combines with CLASC and OOE, greatly reducing the computing overhead;
• Quick verification: Batch validation can be achieved through aggregation technology;
• Resist collusion attacks: In part of the schemes, two vehicles can maliciously exchange their signcryption information, which can be verified successfully. This can be very dangerous and even cause irreversible damage to the vehicles in the vehicular ad hoc networks (VANETs). Thus, it is very important to design a scheme that can resist collusion attacks.

3. Preliminaries

We provide some essential complexity assumptions in this section.

• The elliptic curve discrete logarithmic problem (also known as the elliptic curve discrete logarithm problem, or ECDLP): Given any point Q ∈ G, an a ∈ $Z{q}^{*}$ on the elliptic curve, and a set of elements $\left(P,aP\right)$, solving a is challenging. G is an additive group on the elliptic curve of q-order and P is the generator of G;
• The elliptic curve computational Diffie–Hellman problem (also known as the EC-CDH assumption) is defined as follows: G is an additive group on the elliptic curve of q-order. Let P be one of G’s generators. Given $aP$, $bP\in G$, and a, $b\in Z{q}^{*}$, it is difficult to compute $abP$;
• Hash collision resistance: Finding x and $x^{\prime }$ such that $H\left(x\right)=H\left(x^{\prime }\right)$ is a challenging task for a hash function.

4. Proposed Scheme

In this section, a secure scheme is proposed. The scheme process diagram is shown in Figure 4, and the description of symbols is shown in

Table 1. Description of symbols.

Symbol	Descritption
K	Security parameter
G	q–order additive group
P	Generator of G
$m_{sk}$	System master private key
$P_{pub}$	System master public key
$V_i$	Vehicle
$R_{IDi}$	Authentic identity of $V_i$
$R_{IDr}$	Authentic identity of receiver
$P_{IDi}$	Pseudonym of $V_i$
$P_{IDr}$	Pseudonym of receiver
$(X_{IDi},Y_{IDi})$	Full public key of $V_i$
$(x_{IDi},D_{IDi})$	Full private key of $V_i$
$(X_{IDr},Y_{IDr})$	Full public key of receiver
$(x_{IDr},D_{IDr})$	Full private key of receiver
n	Number of signcrypted messages
$T_i$	Timestamp

.

4.1. Set Up

Taking the security parameter K as input, the KGC and the TA are performed respectively as follows to generate system parameters.

• A q-order additive group G on the elliptic curve is chosen, where q is a 160-bit prime number, and its generator is a 512-bit prime number P;
• KGC selects $m_{sk}$ stochastically from $Z{q}^{*}$ as a master private key, and then the master public key is computed as $P_{pub}=m_{sk}P$;
• The TA selects n ∈ $Z{q}^{*}$ randomly, and computes $T_{pub}=nP$;
• Six cryptographic hash functions $h_0$ are chosen: ${\left\{0,1\right\}}^{*}\to Z_q^{*}$, $h_1$: ${\left\{0,1\right\}}^{*}\to {\left\{0,1\right\}}^n$ (n represents the bit-length of plaintexts), $h_2$: ${\left\{0,1\right\}}^{*}\to Z_q^{*}$, $h_3$: ${\left\{0,1\right\}}^{*}\to Z_q^{*}$, $h_4$: $G\to Z_q^{*}$, and $h_5$: $G\times {\left\{0,1\right\}}^{*}\to Z_q^{*}$;
• The KGC and the TA each secretly store $m_{sk}$ and n and publish $Params$.
  $Params=\left\{q,P,P_{pub},T_{pub},h_0,h_1,h_2,h_3,h_4,h_5\right\}$.

4.2. Generation of Vehicle Pseudonym

This is performed jointly by the vehicle $\left(V_i\right)$ with true identity $RI{D}_i$ and the TA (Algorithm 1).

• $V_i$ selects $t_i$ ∈ $Z_q^{*}$ randomly, and computes $PI{D}_{i,1}$ = $t_{i}P$, $O_i$ = $t_i{T}_{pub}\oplus RI{D}_i$;
• $V_i$ sends $PI{D}_{i,1}$ and $O_i$ to the TA, and the TA verifies the identity of $V_i$ by checking if $RI{D}_i$ = $O_i\oplus nPI{D}_{i,1}$ is true;
• The TA calculates another part of the pseudonym of $V_i$: $PI{D}_{i,2}=RI{D}_i\oplus h_5(nPI{D}_{i,1},T_i)$, and then sends the pseudonym $PI{D}_i=\left\{PI{D}_{i,1},PI{D}_{i,2}\right\}$ and the pseudonym’s effective time $T_i$ secretly to KGC.

Algorithm 1 Generation of vehicle pseudonym by the TA

Input: $t_i$

Output: $PI{D}_i$

1. Computes $PI{D}_{i,1}=t_{i}P$, $O_i=t_i{T}_{pub}\oplus RI{D}_i$

2. Calculates $PI{D}_{i,2}=RI{D}_i\oplus h_5(nPI{D}_{i,1},T_i)$

3. Sends $PI{D}_i=\left\{PI{D}_{i,1},PI{D}_{i,2}\right\}$ to KGC

When a vehicle accedes to the network, it has to register to the TA with its own unique and authentic identity $RI{D}_i$, and after that, the TA saves the $Params$ to the vehicle’s OBU. Following the same method, the recipient’s pseudonym can be obtained.

4.3. The User Key Generation

The user $I{D}_i$, which refers to the pseudonym of the vehicle $PI{D}_i$, selects $x_{I{D}_i}\in Z_q^{*}$ stochastically as his or her secret value, then his or her public key is computed as $X_{I{D}_i}=x_{I{D}_i}P$.

4.4. Partial Key Extraction

• KGC selects $y_{I{D}_i}$ ∈ $Z_q^{*}$ stochastically, and computes $Y_{I{D}_i}=y_{I{D}_i}P$ as his or her partial public key;
• The partial private key is computed by KGC $D_{I{D}_i}=m_{sk}{Q}_i$, where $Q_i=h_0\left(I{D}_i\right)$, and returns $\left(Y_{I{D}_i},D_{I{D}_i}\right)$ to the user through the secure channel.

4.5. Private Key Verification

• By checking if $D_{I{D}_i}P=P_{pub}{h}_0\left(I{D}_i\right)$ is true, the user can verify the validity of its partial private key;
• Lastly, the whole public key of vehicle user $I{D}_i$ is $\left(X_{I{D}_i},Y_{I{D}_i}\right)$ and the whole private key is $(x_{I{D}_i},D_{I{D}_i})$.

4.6. Offline

The user $I{D}_i$ selects $r_i$ ∈ $Z_q^{*}$ randomly, and $R_i$ can be acquired as $R_i=r_{i}P$.

4.7. Signcrypt

This is executed by $I{D}_i$, which transmits message $m_i$ to the recipient with the identity $I{D}_r$. By performing this algorithm, $m_i$ can be signcrypted (△ represents the trouble information of road conditions).

• The user figures out $L_i=r_i{P}_{pub}{Q}_r$;
• The user figures out $h_{ic}=h_1(I{D}_r,R_i,X_{I{D}_r},Y_{I{D}_r},L_i,△)$;
• The user figures out part of the ciphertext $K_i=h_{ic}\oplus (m_i\Vert I{D}_i)$;
• The user calculates another hash function $h_{ie}=h_2(I{D}_i,I{D}_r,R_i,K_i,X_{I{D}_i},Y_{I{D}_i},X_{I{D}_r},Y_{I{D}_r})$;
• Then calculates $h=h_3(△)$;
• The user calculates another part of the ciphertext $W_i=D_{I{D}_i}+r_i{h}_{ie}+x_{I{D}_i}h$;
• Finally, the user obtains ciphertext $C_i=(R_i,K_i,W_i)$.

4.8. Aggregate

This is run by the fog device RSU (Algorithm 2).

• The RSU computes $V=h_4(X_{I{D}_r}{W}_1\Vert X_{I{D}_r}{W}_2\Vert \cdots \Vert X_{I{D}_r}{W}_n)$, which is used to verify whether there is a collusive attack;
• The RSU computes $W={\sum }_{i=1}^n{W}_i$ to aggregate;
• Lastly, the RSU acquires the aggregate ciphertext $C=\left(V,W,R_1,\cdots ,R_n,K_1,\cdots ,K_n\right)$.

Algorithm 2 Aggregation by fog device RSU

Input: $X_{IDr}$, $C_i=(R_i,K_i,W_i)$

Output: C

1. Computes $V=h_4(X_{IDr}{W}_1\Vert X_{IDr}{W}_2\Vert \dots X_{IDr}{W}_n)$

2. Computes $W={\sum }_{i=1}^n{W}_i$

3. Acquires the aggregate ciphertext $C=(V,W,R_1,\dots ,R_n,K_1,\dots ,K_n)$

4.9. Verification

This is carried out by the recipient $I{D}_r$.

• To begin with, the receiver computes $h_{ie}=h_2(I{D}_i,I{D}_r,R_i,K_i,X_{I{D}_i},Y_{I{D}_i},X_{I{D}_r},Y_{I{D}_r})$ where $i=1,\cdots ,n$;
• Secondly, it calculates $h=h_3(△)$;
• Then, in the most crucial step, the receiver calculates the anti-collusion factor $b_i=P_{pub}{Q}_i+R_i{h}_{ie}+X_{I{D}_i}h$, $V^{\prime }=h_4(x_{I{D}_r}{b}_1\Vert x_{I{D}_r}{b}_2\Vert \cdots \Vert x_{I{D}_r}{b}_n)$;
• The receiver $I{D}_r$ determines the collusion attack by checking if $V=V^{\prime }$ is true. If not, there is a collusive attack here;
• In the end, the receiver checks $WP={\sum }_{i=1}^n\left(P_{pub}{Q}_i+R_i{h}_{ie}+X_{I{D}_i}h\right)$, and if the equation holds, validation is successful.

4.10. Unsigncryption

This is carried out by the recipient $I{D}_r$ (if all the above verifications are passed) (Algorithm 3).

• First, the receiver computes $L_i^{\prime }=R_i{D}_{I{D}_r}$;
• Second, using the given parameters, it calculates $h_{ic}^{\prime }=h_1(I{D}_r,R_i,X_{I{D}_r},Y_{I{D}_r},L_i^{\prime },△)$;
• Then, the receiver can obtain $m_i^{\prime }\Vert I{D}_i=K_i\oplus h_{ic}^{\prime }$;
• Finally, it obtains $\left\{m_i^{\prime }\Vert I{D}_i\right\}{}_{i=1}^n$.

Algorithm 3 Unsigncryption by recipient $I{D}_r$

Input: C

Output: ${\left\{m_i^{\prime }\Vert I{D}_i\right\}}_{i=1}^n$

1. Computes $L_i^{\prime }=R_i{D}_{I{D}_r}$

2. Computes $h_{ic}^{\prime }=h_1(I{D}_r,R_i,X_{I{D}_r},Y_{I{D}_r},L_i^{\prime },△)$

3. Obtains ${\left\{m_i^{\prime }\Vert I{D}_i\right\}}_{i=1}^n$

5. Security Analysis

In this part, our scheme is proven to be safe under the security model and then it is shown to achieve our design goals.

5.1. Security Model

From the scheme in [10], we can find two kinds of adversaries: $\alpha$ and $\beta$, which are external and inner attackers. Meanwhile, our security model diagram is shown in Figure 5.

5.2. Provable Security

• Correctness: First, we prove the proposed scheme to be correct.

  a.

  User authentication

  $RI{D}_i=O_i\oplus nPI{D}_{i,1}$

  $RI{D}_i=t_i{T}_{pub}\oplus RI{D}_i\oplus n{t}_{i}P$

  $RI{D}_i=t_i{T}_{pub}\oplus RI{D}_i\oplus t_i{T}_{pub}$

  $RI{D}_i=RI{D}_i$;

  b.

  Private key verification

  $D_{IDi}P=P_{pub}{h}_0\left(I{D}_i\right)$

  $D_{IDi}P=m_{sk}P{h}_0\left(I{D}_i\right)$

  $D_{IDi}P=D_{IDi}P$;

  c.

  Verification of the existence of anti collusion attacks

  $V=h_4\left(X_{IDr}{W}_1\Vert X_{IDr}{W}_2\Vert \cdots \Vert X_{IDr}{W}_n\right)$

  $V=h_4\left(x_{IDr}P{W}_1\Vert x_{IDr}P{W}_2\Vert \cdots \Vert x_{IDr}P{W}_n\right)$

  $W_1=D_{ID1}+r_1{h}_{ie}+x_{ID1}h,P{W}_1=b_1$

  $W_2=D_{ID2}+r_2{h}_{ie}+x_{ID2}h,P{W}_2=b_2$

  $W_n=D_{IDn}+r_n{h}_{ie}+x_{IDn}h,P{W}_n=b_n$;

  $V=h_4\left(x_{IDr}{b}_1\Vert x_{IDr}{b}_2\Vert \cdots \Vert x_{IDr}{b}_n\right)=V^{\prime }$

  d.

  Unsigncrypt verification

  $m_i^{\prime }\Vert I{D}_i=k_i\oplus h_{ic}^{\prime }$

  $m_i^{\prime }\Vert I{D}_i=h_{ic}\oplus \left(m_i\Vert I{D}_i\right)\oplus h_{ic}^{\prime }$

  $m_i^{\prime }\Vert I{D}_i=m_i\Vert I{D}_i$.

• Resisting collusion attacks: Second, we demonstrate that our scheme can resist collusion attacks.

Proof. 

Challenger ${\wp }^{\prime }$s goal is to use adversary $\gamma$ to break the collision resistance of hash function $h_4$. □

Setup: Challenger ℘ imports safety parameter l, sets a as the master private key, calculates $P_{pub}=aP$, runs the setup algorithm to form system parameters $prms=(q,P,G,P_{pub},T_{pub},h_0,h_1,h_2,h_3)$, and sends them to $\gamma$.

Query phrase: $\gamma$ adaptively executes the following oracle machine queries. For better performances, ℘ maintains the following six lists: $L_{h0}$, $L_{h1}$, $L_{h2}$, $L_{h3}$, $L_s$, $L_{sk}$, and $L_{pk}$, $L_{rp}$, which are used to record the query data of $\gamma$ for $h_0$, $h_1$, $h_2$, and $h_3$, as well as secret value extraction, partial private key extraction, public key extraction, and public key replacement. Initially they are empty.

$h_0$ queries: When $\gamma$ executes $h_0$ queries for $I{D}_i$, $Q_i$ turns back to $\gamma$ if there is a relational tuple $(I{D}_i,Q_i,c_i)$ in the list $L_{h0}$; if not, ℘ stochastically chooses $c_i\in \left\{0,1\right\}$, and sets $P_r\left[c_i=1\right]=\delta$, $P_r\left[c_i=0\right]=1-\delta$. If $c_i=0$, ℘ stochastically selects $Q_i\in Z_q^{*}$, and adds $(I{D}_i,Q_i,0)$ to the list $L_{h0}$, and then turns $Q_i$ back; if $c_i=1$, ℘ creates $Q_i=k$, adds $(I{D}_i,k,1)$ to the list $L_{h0}$, and turns $Q_i$ back.

$h_1$ queries: When $\gamma$ executes $h_1$ queries for $\left(I{D}_r,R_i,X_{I{D}_r},Y_{I{D}_r},L_i,△\right)$, $h_{ic}$ is turned back to $\gamma$ if there is a relational tuple $(I{D}_r,R_i,X_{I{D}_r},Y_{I{D}_r},L_i,△,h_{ic})$ in the list $L_{h1}$; if not, ℘ stochastically selects $h_{ic}\in Z_q^{*}$, adds $(I{D}_r,R_i,X_{I{D}_r},Y_{I{D}_r},L_i,△,h_{ic})$ to the list $L_{h1}$, and turns $h_{ic}$ back.

$h_2$ queries: When $\gamma$ executes $h_2$ queries for $(I{D}_i,I{D}_r,R_i,K_i,X_{I{D}_i},Y_{I{D}_i},X_{I{D}_r},Y_{I{D}_r})$, then $h_{ie}$ is turned back to $\gamma$. If there is no relational tuple $(I{D}_i,I{D}_r,R_i,K_i,X_{I{D}_i},Y_{I{D}_i},X_{I{D}_r},Y_{I{D}_r},h_{ie})$ in the list $L_{h2}$, ℘ stochastically selects $h_{ie}\in Z_q^{*}$, adds $(I{D}_i,I{D}_r,R_i,K_i,X_{I{D}_i},Y_{I{D}_i},X_{I{D}_r},Y_{I{D}_r},h_{ie})$ to list the $L_{h2}$, and turns $h_{ie}$ back.

$h_3$ queries: When $\gamma$ executes $h_3$ queries for △, h is turned back to $\gamma$ if there is a relational tuple $(△,h)$ in the list $L_{h3}$; if not, ℘ stochastically selects $h\in Z_q^{*}$, adds $(△,h)$ to the list $L_{h3}$, and turns h back.

ExtractSecretValue queries: When $\gamma$ executes ExtractSecretValue queries for $I{D}_i$, $x_{I{D}_i}$ is turned back to $\gamma$ if there is a relational tuple $(I{D}_i,x_{I{D}_i})$ in the list $L_s$; if not, ℘ stochastically selects $x_{I{D}_i}\in Z_q^{*}$, adds $(I{D}_i,x_{I{D}_i})$ to the list $L_s$, and turns $x_{I{D}_i}$ back.

ExtractPartialPrivateKey queries: When $\gamma$ performs ExtractPartialPrivateKey queries for $(I{D}_i,X_{I{D}_i})$, $(Y_{I{D}_i},D_{I{D}_i})$ is turned back to $\gamma$ if there is a relational tuple $(I{D}_i,X_{I{D}_i},Y_{I{D}_i},D_{I{D}_i})$ in the list $L_{sk}$; if not, ℘ stochastically selects $D_{I{D}_i}$, $Y_{I{D}_i}\in Z_q^{*}$, adds $(I{D}_i,X_{I{D}_i},Y_{I{D}_i},D_{I{D}_i})$ to the list $L_{sk}$, and turns $(Y_{I{D}_i},D_{I{D}_i})$ back.

ExtractPublicKey queries: When $\gamma$ executes ExtractPublicKey queries for $I{D}_i$, $(X_{I{D}_i},Y_{I{D}_i})$ is turned back to $\gamma$ if there is a relational tuple $(I{D}_i,X_{I{D}_i},Y_{I{D}_i})$ in the list $L_{pk}$; if not, ℘ stochastically selects $x_{I{D}_i}\in Z_q^{*}$, calculates $X_{I{D}_i}=x_{I{D}_i}P$, and then executes ExtractPartialPrivateKey queries to acquire $(I{D}_i,X_{I{D}_i},Y_{I{D}_i},D_{I{D}_i})$, adds $(I{D}_i,X_{I{D}_i},Y_{I{D}_i})$ to the list $L_{pk}$, and turns $(X_{I{D}_i},Y_{I{D}_i})$ back.

ReplacePublicKey queries: $\gamma$ chooses a new public key $(X_{I{D}_i}^{\prime },Y_{I{D}_i}^{\prime })$ to substitute for the initial public key $(X_{I{D}_i},Y_{I{D}_i})$.

Signcrypt queries: When $\gamma$ executes signcrypt queries for $(I{D}_i,I{D}_r,m_i)$, ℘ queries $(I{D}_i,Q_i,c_i)$ in the list $L_{h0}$. If $c_i=0$, ℘ performs the Signcrypt algorithm, signcrypts $m_i$, and turns the ciphertext $C_i=(R_i,K_i,W_i)$ back to $\gamma$; if $c_i=1$, ℘ stochastically chooses $r_i^{\prime }$, $a_1\in Z_q^{*}$, extracts $x_{I{D}_i}$, $h_{ic}$, $Q_i$, $h_{ie}$, and h from querying the lists $L_s$, $L_{h0}$, $L_{h1}$, $L_{h2}$, and $L_{h3}$. Then, ℘ calculates $R_i=r_i^{\prime }P$, $W_i=a_1+r_i^{\prime }{h}_{ie}+x_{I{D}_i}h$, and $K_i=h_{ic}\oplus \left(m_i\Vert I{D}_i\right)$ and turns the ciphertext $C_i=(R_i,K_i,W_i)$ back to $\gamma$.

Forge Phrase: After the queries, it is easy for us to know that each of the users $I{D}_u$ can generate $C^{*}=\left(V^{*},W^{*},R_1^{*},R_2^{*},\dots ,R{n}^{*},K_1^{*},K_2^{*},\dots ,K_n^{*}\right)$, and $V^{*}=h_4(X_{I{D}_u}{W}_1\Vert X_{I{D}_u}{W}_2\Vert \cdots \Vert X_{I{D}_u}{W}_n)$. If $V^{*}=V^{\prime }=$ $h_4(x_{I{D}_u}{b}_1\Vert x_{I{D}_u}{b}_2\Vert \cdots \Vert x_{I{D}_u}{b}_n)$, in which $b_i=P_{pub}{Q}_i+R_i{h}_{ie}+X_{I{D}_i}h$. Assuming $C_i^{*}$ is an invalid signcryption, then $W_i^{*}P\ne P_{pub}{Q}_i^{*}+R_i^{*}{h}_{ie}^{*}+X_{I{D}_i}^{*}h$, so $X_{I{D}_u}{W}_i^{*}\ne x_{I{D}_u}\left[P_{pub}{Q}_i+R_i{h}_{ie}+X_{I{D}_i}h\right]$, therefore including the two different inputs $X_{I{D}_u}{W}_i^{*}$ and $x_{I{D}_u}[P_{pub}{Q}_i+R_i{h}_{ie}+X_{I{D}_i}h]$; however, $h_4(X_{I{D}_u}{W}_1\left|\right|X_{I{D}_u}{W}_2\Vert \cdots \left|\right|X_{I{D}_u}{W}_n)=$$h_4(x_{I{D}_u}[P_{pub}{Q}_1+R_1{h}_{ie}+X_{I{D}_1}h]$$\Vert x_{I{D}_u}[P_{pub}{Q}_2+R_2{h}_{ie}+X_{I{D}_2}h]\Vert \cdots$ $\Vert x_{I{D}_u}[P_{pub}{Q}_n+R_n{h}_{ie}+X_{I{D}_n}h])$. For this reason, ℘ successfully solved the collision resistance problem of $h_4$.

• Unforgeability and confidentiality: Additionally, the proofs that our scheme can realize unforgeability and confidentiality under attacks from these two kinds of adversaries are the same as for the scheme in [23] and in [10]; thus, the concrete procedures are not given here.

5.3. Analysis of Security Requirements

Lastly, we prove that our scheme satisfies the security demands detailed in Section 2.3.

• Mutual authentication: Participants can identify each other by checking if the message they receive is activating;
• Vehicle identity verification: The decrypted plaintext package contains the user’s pseudonym. At this time, the TA can trace the user’s true identity back to the user’s real identity through the pseudonym, its own private key, and timestamp to complete user identity verification, and this operation can only be performed by the TA;
• User anonymity: Due to the use of pseudonyms throughout the entire process and the fact that the user’s true identity can only be acquired by trusted institutions, the anonymity of the user’s identity is ensured;
• Untraceability: The user chooses the stochastic number $r_i$, calculates $R_i=r_{i}P$ and $W_i=D_{I{D}_i}+r_i{h}_{ie}+x_{I{D}_i}h$, and then computes $K_i$ to acquire ciphertext $C_i$. Hence, the attackers cannot follow the trail of vehicle users. At the same time, due to the use of pseudonyms throughout the entire process, attackers will not track information related to the user’s identity;
• Nondeniability: The received message contains the identity $I{D}_i$ of the sender and $I{D}_r$ of the receiver, and the identity $I{D}_i$ of the sender is also included in the decryption result, so the vehicle user cannot deny participation.
• Resist collusion attacks: Because of the collision resistance of the hash function, collusion attacks can be detected by utilizing the anti-collusion factor.

6. Performance Analysis

Performance analysis is introduced in three parts in this section. The description includes the functionality, computational cost, and communication cost. In VANETs, ensuring the confidentiality, validity, and vehicle identity of messages is crucial, and achieving fast authentication in resource-constrained environments is also essential. Due to the fact that the schemes in [19,23,28,29,30] basically have the above functions, it is more meaningful to compare the proposed schemes with them in the context of vehicle networking. However, based on the scheme in [23], we propose a new scheme that can resist collusion attacks, due to the fact that our scheme and the scheme in [23] have similar communication and computational costs, and we only compare our plan with the scheme in [19,28,29,30] here.

6.1. Functionality

Message Confidentiality, Message Verifiability, Vehicle Verifiability, Key Escrow Resilience, Quick Verification, and Resist Collusion Attack are all supported by our approach alone, as shown in

Table 2. Functional comparison.

Schemes	[28]	[23]	[29]	[30]	[19]	Our Scheme
Message Confidentiality	√	√	√	×	√	√
Message Verifiability	√	√	√	√	√	√
Vehicle Verifiability	×	×	×	√	√	√
Key Escrow Resilience	√	√	√	√	√	√
Quick Verification	√	√	√	√	√	√
Resist Collusion Attack	×	×	×	√	×	√

(× represents not having this feature, while the opposite is true for the √). The schemes in [28,29] cannot resist collusion attacks and do not provide vehicle verifiability. Although the scheme in [30] can support vehicle verifiability and resist collusion attacks, it cannot ensure the confidentiality of messages because it is an aggregate signature scheme. Thus, from here on the scheme in [30] will only be discussed about communication costs.

6.2. Computational Cost

The specific experimental environment for our simulation is shown in

Table 3. Experimental environment.

Hardware	CPU	Apple M1
Hardware	Memory	8 GB
Software	Operating System	macOS Big Sur 11.6
Software	Program Language	C 17 and JAVA 1.8.0
Software	Library	MIRACL 5.5.4 and JPBC 2.0.0

. We used an Apple M1, 8 GB, macOS Big Sur 11.6 operating system; the code running environment was Ubuntu 18. By using MIRACL 5.5.4 and JPBC 2.0.0, we obtained the time of one laborious operation.

One laborious operation is taken into consideration, as indicated in

Table 4. Operation time.

Symbol	Computing Operation	Executing Time (ms)
$t_s$	Scalar multiplication in G	1.248

. The vehicle user in the scheme in [28] conducts seven scalar multiplications during the signcryption stage, whereas the unsigncrypt method performs two scalar multiplications. The overall costs in [28] comprise nine scalar multiplications. The vehicle user conducts three scalar multiplications in the signcryption stage of the scheme in [29], and the unsigncrypt algorithm likewise performs three scalar multiplications. The overall cost in [29] includes six scalar multiplications. In scheme [19], the user conducts three scalar multiplications in the signcryption stage, four scalar multiplications in the unsigncryption stage, and the total costs are more than six scalar multiplications. The vehicle user only performs one scalar multiplication throughout the signcryption procedure for our scheme, the RSU must perform one scalar multiplication, and the overall cost incurred only consists of two scalar multiplications.

The calculation costs at different stages are compared in Figure 6,

Table 5. Computational cost Analysis.

Schemes	Signcrypt	Unsigncrypt	Total Cost
[28]	7$t_s$	2$t_s$	$9n{t}_s$
[29]	3$t_s$	3$t_s$	$6n{t}_s$
[19]	3$t_s$	4$t_s$	$(6n+1)t_s$
Our Scheme	1$t_s$	1$t_s$	$2n{t}_s$

, and the entire computation costs are compared in Figure 7, Table 5. We selected $n=5000$, which represents the number of signcrypted messages. It is evident from the figure that our scheme has the lower computational overhead in every stage.

6.3. Communication Cost

Assume that $\left|G\right|=160\mathrm{bit}$, $n=5000$, and $\left|m\right|=512\mathrm{bit}$ respectively indicate the length of values of G and the message sent. The scheme in [30] can resist collusion attacks but cannot ensure the confidentiality of the message. At the same time, sending the message and aggregated signature results together to the receiver incurs significant communication costs. The receiver must obtain the ciphertext $C=\left(R_1,\dots ,R_n,K_1,\dots ,K_n,W\right)$ in the schemes in [28,29]. In the scheme in [19], the communication costs are the lowest. While our scheme undoubtedly increases the size of the signcryption result due to the verification factors for resisting collusion attacks, it also fully complies with the requirements of VANETs’ features and is even more secure than the schemes in [19,28,29]. Nevertheless, in order to verify if there is a collusion attack, the receiver must receive the ciphertext $C=\left(R_1,\dots ,R_n,K_1,\dots ,K_n,W,V\right)$. To sum up, the suggested plan is suitable for VANETs. The details are shown in

Table 6. Communication cost analysis.

Schemes	Communication Cost
[19]	$n\left|G\right|+n\left|m\right|$
[28]	$\left(n+1\right)\left|G\right|+n\left|m\right|$
[29]	$\left(n+1\right)\left|G\right|+n\left|m\right|$
[30]	$\left(n+7\right)\left|G\right|+n\left|m\right|$
Our Scheme	$\left(n+2\right)\left|G\right|+n\left|m\right|$

. In order to further evaluate the proposed scheme, the relationship between the vehicle density and communication cost under different schemes is shown in Figure 8. It can be seen that as the density of vehicles increases, the communication overhead also increases, which is in line with the scenario of vehicle networking. The scheme proposed in this paper has certain advantages over the scheme in [30] and is closer to other schemes. Without adding too much overhead, it also fully complies with the requirements of VANET’s features and is even more secure.

7. Conclusions

In order to provide a safer environment for the Internet of Vehicles, we propose a brand-new certificateless online/offline aggregate signcryption scheme against collusion attacks based on fog computing. It can successfully enable mobility, location awareness, and low latency. Mutual authentication, anonymity, verifiability, untraceability, and secrecy are only a few of the security requirements that the scheme can satisfy. Due to the significance of security in VANETs, we establish the security of the scheme in the random oracle model. The security analysis and performance study demonstrate that our scheme can resist collusion attacks without raising computational complexity, which is crucial for resource-constrained VANETs. Concurrently, the data provided by our scheme, which meet the requirements of confidentiality and real-time transmission, are essential to achieving reliable driving in all types of weather and road conditions. Therefore, our method is suitable for the Internet of Vehicles and completely aligns with VANET criteria. However, the communication expenses of our scheme are a little high. Future research will work even harder to cut communication costs, such as by shortening the ciphertext length without affecting the effect. At the same time, we will focus on how to effectively recognize coordinated assaults in order to further enhance the security of the internet of vehicles.