Lattice-Based Lightweight Quantum Resistant Scheme in 5G-Enabled Vehicular Networks

Abstract

Both security and privacy are central issues and need to be properly handled because communications are shared among vehicles in open channel environments of 5G-enabled vehicular networks. Several researchers have proposed authentication schemes to address these issues. Nevertheless, these schemes are not only vulnerable to quantum attacks but also use heavy operations to generate and verify signatures of messages. Additionally, these schemes need an expensive component RoadSide Unit (RSU)-aided scheme during the joining phase. To address these issues, we propose a lightweight quantum-resistant scheme according to the lattice method in 5G-enabled vehicular networks. Our proposal uses matrix multiplication instead of operations-based bilinear pair cryptography or operations-based elliptic curve cryptography to generate and verify signatures of messages shared among vehicles. Our proposal satisfies a significant reduction in performance, which makes it lightweight enough to handle quantum attacks. Our proposal is based on 5G technology without using any RSU-aided scheme. Security analysis showed that our proposal satisfies privacy and security properties as well as resists quantum attacks. Finally, our proposal also shows favorable performance compared to other related work.

1. Introduction

5G-enabled vehicular networks play an important role in Intelligent Transportation Systems (ITSs) by providing safe road environments to drivers and passengers [1,2,3]. The use and evolution of 5G cellular systems, supported by significant government development in many countries, is the most recent trend in the development of wireless communication technologies [4,5]. Due to the characteristics of 5G, which boosts node information per unit region by 1 k times with a broadcast rate as high as 10 Gbps, a 5G network satisfies a multiple-fold improvement in velocity compared to existing 4G systems [6,7]. Additionally, 5G reduces latency by five times and doubles battery life, which creates a wealth of opportunities for vehicular networks [8,9].

In an intelligent vehicle, a wireless device called an OnBoard Unit (OBU) is installed to generate, broadcast, and obtain information among other participating vehicles. This information includes its speed, direction, traffic status, road condition, etc. Since the message is shared among vehicles in open channel environments of 5G-enabled vehicular networks, both safety and preserving are central issues that need to be properly handled [10,11,12]. Hence, many researchers have proposed authentication schemes to address these issues. However, their work is not only vulnerable to quantum attacks but also uses heavy operations (e.g., cryptographies of bilinear pairs and elliptic curves) to generate and verify signatures of the message. Additionally, their work needs an expensive component RoadSide Unit (RSU)-aided scheme during the joining phase [13,14].

To resolve this issue, we propose a lightweight quantum-resistant scheme based on the lattice method in 5G-enabled vehicular networks. Our proposal uses matrix multiplication instead of operations-based bilinear pair cryptography or operations-based elliptic curve cryptography to generate and verify signatures of messages shared among vehicles. The main contributions of our proposal are as follows.

• We propose a lightweight quantum-resistant scheme based on the lattice method in 5G-enabled vehicular networks.
• Our proposal uses matrix multiplication to generate and verify signatures of messages shared among vehicles.
• Without using any RSU-aided scheme, our proposal is based on 5G technology that has the responsibility to connect the TA and vehicles within its wide-range communication domain by using the 5G standard.
• Based on the hardness of SIS/ISIS problems, our proposal achieves strong security against adversaries under the random oracle model.
• Security analysis showed that our proposal satisfies privacy and security properties as well as resisting quantum attacks.
• Our proposal satisfies a significant reduction in the performance, which makes it lightweight enough to handle quantum attacks.

The rest of this paper is arranged as follows. Section 2 highlights the limitations of the previous existing works. Section 3 introduces the preliminaries of this paper. We provide the five phases of our proposal in Section 5, prior to describing the framework and security model in Section 4. The security analysis and performance evaluation are presented in Section 6 and Section 7, receptively. Lastly, we conclude the paper in Section 8.

2. Related Work

In this section, some authentication schemes are proposed to cope with privacy and security properties in a vehicular network. These schemes are established on either cryptography of bilinear pair or elliptic curve to generate and verify signatures of the messages sent among vehicles. Therefore, in the next two sections, we classify the existing schemes based on these cryptography algorithms.

2.1. Bilinear Pair Cryptography Based

Ali et al. [15] combined public key infrastructure-based and certificates cryptosystem-based schemes to propose a conditional privacy-preserving hybrid signcryption scheme for providing communication security in the system. This scheme supports batch signature verification to verify a large number of signatures simultaneously.

To resist impersonation attacks from broadcasting fake messages in the vehicular network, Al-Shareeda et al. [16] presented a secure authentication scheme by frequently updating the vehicle’s true identity saved on a tamper poof device (TPD) vehicle.

Bayat et al. [17] presented a privacy-preserving scheme without using a large number of pseudonym-IDs, online RSU, or signer’s group in the system.

Pournaghi et al. [18] combined TPD-based and RSU-based schemes to propose an NECPPA scheme by issuing and updating temporary secret keys saved on vehicles.

2.2. Elliptic Curve Cryptography Based

Several researchers [19,20,21,22,23,24,25,26,27,28] have proposed schemes based upon elliptic curve cryptography as follows.

Alshudukhi et al. [19] suggested a lightweight authentication with a privacy-preserving scheme by saving the system’s master private key in each TPD of RSU instead of the TPD of OBU for satisfying privacy and security properties in the vehicular network.

Cui et al. [24] suggested a content-sharing scheme by downloading demands to speedily filter the adjacent vehicles to select properly proxy vehicles and demand them for communication security in the system.

Zhang et al. [28] designed the concept of edge computing vehicle to propose a fuzzy logic mathematical for satisfying mutual authentication between ordinary vehicles and edge computing.

To prevent insider attacks, Al-Shareeda et al. [20] suggested a privacy-preserving scheme by preloading a pool of pseudonym IDs and the concerned private key from a Trusted Authority (TA) for generating and verifying the signature of messages shared among vehicles.

2.3. Critical Discussion

According to Section 2.1 and Section 2.2, these schemes are established by cryptographies of bilinear pair and elliptic curve, respectively, that are proposed to resist security attacks in a vehicular network. However, the operations applied to these algorithms are considered time-consuming and complicated to operate. As a result, these algorithms are not suitable to deploy in the system due to rapid-movement vehicle change topology in the vehicular network. Additionally, these schemes are vulnerable to quantum attacks since these schemes are based on easily solving hard mathematical problems such as elliptic-curve discrete, discrete logarithm, and integer factorization problems by running Shor’s algorithm. Besides, these schemes require an RSU-aided scheme for the mutual authentication process, which is considered an expensive device in the system.

To reduce the overhead of the system and resist quantum attacks, this paper proposes a lightweight quantum-resistant scheme using a lattice (more details in Section 3.3) instead of cryptographies of bilinear pair and elliptic curves. In our proposal, the vehicle applies a metric multiplication based on the lattice to generate and verify signatures of messages shared among vehicles (more details in Section 5). Security analysis not only shows that our proposal satisfies privacy and security properties but also that it resists quantum attacks (more details in Section 7). The operations used based on the lattice are considered lightweight operations (more details in Section 6).

For simplicity, this paper summarizes the comparison of relevant works’ properties of privacy and security in

Table 1. Comparison of relevant works’ properties of privacy and security.

Property	Ali et al. [15]	Cui et al. [24]	Al-Shareeda et al. [20]	Proposal
Authentication and Integrity	Yes	Yes	Yes	Yes
Identity Privacy-Preserving	Yes	Yes	Yes	Yes
Traceability	Yes	Yes	Yes	Yes
Unlinkability	Yes	Yes	Yes	Yes
Common Security Attack Resistant	Yes	Yes	Yes	Yes
Quantum Attacks	No	No	No	Yes
Lightweight Operations	No	No	No	Yes
No RSU-Aided Scheme	No	Yes	No	Yes

. These properties should be satisfied on our proposal (more details in Section 3.2) for the 5G-enabled vehicular network. Based on Table 1, we can observe that the existing schemes do not support the mentioned properties of privacy and security in terms of quantum attacks and lightweight operations for vehicular networks. While the schemes in [15,20] need expensive components and an RSU-aided scheme during the joining process, our proposal satisfies a significant reduction in performance, which makes it lightweight enough to handle quantum attacks. Meanwhile, our proposal is based on 5G technology without using any RSU-aided scheme.

3. Preliminaries

3.1. System Model

As shown in Figure 1, the system model of our proposal consists of three major components, namely a trusted authority (TA), 5G-base station (5G-BS), and onboard unit (OBU) for the 5G-enabled vehicular network. The description of these components is as follows.

• TA: A trusted management to issue system parameters and register vehicles in the system. Additionally, the TA is in charge of carrying out the traceability process.
• 5G-BS: Deployed along the roadside and has the responsibility to connect between the TA and vehicles within its wide-range communication domain by using the 5G standard.
• OBU: Each vehicle contains a wireless device called an OBU that allows it to process, send, and receive messages using the DSRC protocol and 5G standard to communicate with other vehicles and 5G-BS, respectively. Based on our assumption in this paper, each OBU has a very strong TPD device to save the system’s master private key that is preserved by the TA during the registration process. Therefore, the third part does not have the ability to reveal the system’s saved master private key.

3.2. Security Design

In this section, we detail the properties of privacy and security that must be supported in our proposal for a vehicular network based on 5G.

• Authentication and integrity: Make sure that message is sent without any modification.
• Identity privacy-preserving: The vehicle’s true identity should be hidden.
• Traceability: Only the TA can reveal the vehicle’s true identity from the message sent.
• Unlinkability: Adversary tries to link more than two signatures sent from the same sender.
• Security attack resistant:

  -

  Replay attacks: Adversary tries to replay messages sent from registered vehicles.

  -

  Modify attacks: Adversary tries to modify/change the content of the message.

  -

  Forgery attacks: Adversary tries to impersonate a valid signature.

  -

  Man-in-the-middle attacks: Adversary tries to intercept communication among vehicles.

• Quantum attacks: Adversary tries to easily solve hard mathematical problems such as elliptic-curve discrete, discrete logarithm, and integer factorization problems by running Shor’s algorithm.

3.3. Lattice-Based Cryptography

Ajtai [29] first introduced the lattice-based problem in 1996. Nevertheless, many research [30,31] works in this approach assume the difficulty of the short integer solution (SIS) or independent SIS (ISIS) problems. For these structures, worst-case to average-case hardness-based mathematical security proofs are given. The hard difficulties of finding the short vector in the integer subspace of the m-dimensional Euclidean space $R^m$ serve as the foundation for the cryptographies security.

3.4. Lattice

For some positive integer n, a lattice is a discrete additive subgroup of $R^n\left(R\right)$ known as real space. The following is a definition of the lattice [32].

Explanation 1.

Assuming that $b_1,b_2,\dots ,b_n\in R^m$ are linearly independent vectors, then the discrete set is a lattice $\mathcal{L}$ produced by basis vectors $b_1,b_2,\dots ,b_n$ as Equation (1).

$$\mathcal{L}(b_1,b_2,\dots ,b_n)=\sum _{i=1}^n{j}_i{b}_i:j_i\in Z.$$

(1)

The dimension of the provided lattice is an integer $\alpha$, and its rank is an integer $\beta$. The shortest nonzero vector in a particular lattice’s length is the minimum $distanc{e}^3$ as Equation (2).

$$D_{min}\left(\mathcal{L}\right)=min\left|\right|b\left|\right|,whereb\in \mathcal{L}-0.$$

(2)

Explanation 2.

A lattice $\mathcal{L}$ issued by a basis $B\in Z^{\alpha \times \beta }$ is $\mathcal{L}$. We are aware that premise B is not special. B and $BU$ produce the same lattice $\mathcal{L}\left(B\right)$ if $U\in Z^{\alpha \times \beta }$ is a unimodular matrix.

Lemma 1.

A discrete additive subgroup of $R^m$ is a lattice if it is a subset of $R^m$.

Explanation 3

(Short integer solution). Find the shortest nonzero vector $b\in \mathcal{L}$ with b having the lowest norm in the discrete additive subgroup of $R^m$, given any basis $B\in Z^{\alpha \times \beta }$ of a lattice $\mathcal{L}\left(B\right)$.

Explanation 4

(Closest vector problem). Finding $b\in \mathcal{L}$ such that $\left|\right|\mathit{a}-b\left|\right|$ has the lowest norm is the closest vector problem given a basis $B\in Z^{\alpha \times \beta }$ of a lattice $\mathcal{L}\left(B\right)$ and a vector a that is not in $\mathcal{L}$.

Theorem 1.

The following are equal if $B\in R^{\beta \times \alpha }$ and $B^{-}\in R^{\beta \times \alpha }$ are two complete rank bases.

• $\mathcal{L}\left(B\right)=\mathcal{L}(B^{{}^{\prime }})$.
• $U\in R^{\beta \times \alpha }$ such that $B^{-}=BU$, where U is unimodular.

Proof. 

Assume $\mathcal{L}\left(B\right)=\mathcal{L}\left(B^{{}^{\prime }}\right)$, and there are integer matrices Q and $Q^{{}^{\prime }}$; then, we demonstrate the unimodularity of Q and $Q^{{}^{\prime }}$. Here, it can be observed that $B^{{}^{\prime }}=BQ=B^{{}^{\prime }}\left(Q^{{}^{\prime }}Q\right)$. Due to $B^{{}^{\prime }}$ being the entire rank matrix, it can be multiplied by $B^{{}^{\prime }-1}$, and result in $Q{Q}^{{}^{\prime }}=1$. Thus, both Q and $Q^{{}^{\prime }}$ are non-singular with integer inputs. Lastly, it can be observed from here that either det(Q) = det($Q^{{}^{\prime }}$) = −1 or det(Q) = det($Q^{{}^{\prime }}$) = 1. Therefore, Q and $Q^{{}^{\prime }}$ are considered unimodularity matrices. □

Contrarily, consider Q to be a unimodular matrix such that $B^{{}^{\prime }}$ = BQ. Thus, $\mathcal{L}\left(Q^{{}^{\prime }}\right)\subseteq \mathcal{L}\left(Q\right)$, since Q is an integer matrix. Additionally, we can observe that each column of $Q^{{}^{\prime }}$ is a linear combination of columns in Q. Here, Q = $Q^{{}^{\prime }}$$U^{-1}$, as u is a unimodular matrix. Thus, $\mathcal{L}\left(Q\right)\subseteq \mathcal{L}\left(Q^{{}^{\prime }}\right)$, and it can be concluded that $\mathcal{L}\left(Q\right)=\mathcal{L}\left(Q^{{}^{\prime }}\right)$.

3.5. Lattice of q-ary

The term “Lattice of q-ary” refers to an integer lattice $\mathcal{L}$ that includes a q times integer lattice vector and achieves $Z_q^{\alpha }\subseteq \mathcal{L}\subseteq Z_{\beta }$ for some integer q. The lattice of q-ary is actually equipment utilized in security proofs that are according to problems based on the lattice.

Definition 1.

M-dimensional q-ary lattices come in two different varieties depending on the matrix modulo q = poly(m), represented by $E\in Z_q^{\alpha \times \beta }$ as Equation (3).

$$\begin{array}{cc}\hfill {\Lambda }_q^t& =\{e\in Z^{\beta }:Ee=0\left(modq\right)\}\hfill \\ \hfill {\Lambda }_q& =\{e\in Z^{\beta }:e=E^{t}b\left(modq\right)|b\in Z^{\alpha }\}\hfill \end{array}$$

(3)

where $\alpha ,\beta$, and q are integers and $\alpha >\beta$. In order to create cryptographic schemes, these q-ary lattices are applied.

Theorem 2.

In the typical case, approximating the issue $GapSV{P}_y$ [33,34] in an β-dimensional lattice within a factor of $y=\theta 0^{{}^{\prime }}\left(\sqrt{\beta }\right)$ is harder than solving SIS problems with a given $\theta =poly\left(\alpha \right)>0$, where α is the dimension, β is the rank of the lattice, and prime $q\ge \theta .\sqrt{\alpha \beta }$.

4. Framework and Security Model

In this section, we discuss the framework and security model for our proposal in 5G-enabled vehicular networks.

4.1. Framework

We construct our proposal generically via the following phases: Setup, VehReg, GenSig, SSigVerify, and BSigVerify.

• Setup: This phase provides a security parameter $1^k$ that is used to calculate master private keys s and system parameters $param$ for TA.
• VehReg: The vehicle $v_i$ runs this phase that takes $param$ and $S_x$ from the TA after submitting the true identity $TI{D}_{v_i}$ to the system.
• GenSig: This phase is carried out by vehicle $v_i$ with the pseudonym-ID $PI{D}_i$. It takes as inputs $param$, message $M_i\in {\{0,1\}}^{*}$, the system’s private keys $S_x$, and its private key $S{K}_i$, and outputs a signature ${\sigma }_i$ and $D_i$.
• SSigVerify: A verifier preforms this phase by taking $param$, single message $M_i$ with the single pseudonym-ID $PI{D}_i$, single signature ${\sigma }_i$, and $D_i$ from single vehicle $v_i$ and outputs true if ${\sigma }_i$ is valid; otherwise it responds false.
• BSigVerify: A verifier preforms this phase by taking $param$, batch messages $\{M_1,M_2,\dots ,M_n\}$ with the batch pseudonym-IDs $\{PI{D}_1,PI{D}_2,\dots ,PI{D}_n\}$, and batch signatures $\{{\sigma }_1,{\sigma }_2,\dots ,{\sigma }_n\}$ and $\{D_1,D_2,\dots ,D_n\}$ from batch vehicles $\{v_1,v_2,\dots ,v_n\}$, and outputs true if $\{{\sigma }_1,{\sigma }_2,\dots ,{\sigma }_n\}$ are valid; otherwise it responds false.

4.2. Security Model

With the use of a game, the components of our proposal’s security model are explained. In the game, a challenger ($\mathbf{C}$) and an adversary ($\mathbf{Adv}$) are probabilistic polynomial-time (PPT) algorithms that try to undermine the proposed security model. This is a list of PPT questions that an adversary ($\mathbf{Adv}$) in the game asks.

• Setup: Challenger $\mathbf{C}$ takes $1^k$ and issues the system’s parameters. Additionally, $\mathbf{C}$ sends these parameters to adversary $\mathbf{Adv}$.
• Query ($H_1$): In this query, $\mathbf{C}$ randomly picks the number $d\in Z_q^{*}$ and issues ($M_i$, d). This pair is recorded into a table $Lis{t}_{h_1}$ and d is sent to $\mathbf{Adv}$.
• Query ($H_2$): In this query, $\mathbf{C}$ randomly picks the number $d\in Z_q^{*}$ and issues (m, d). This pair is recorded into a table $Lis{t}_{h_2}$ and d is sent to $\mathbf{Adv}$.
• Query ($H_3$): In this query, $\mathbf{C}$ randomly picks the number $d\in Z_q^{*}$ and issues (m, d). This pair is recorded into a table $Lis{t}_{h_3}$ and d is sent to $\mathbf{Adv}$.
• Signing Query: In this query $\mathbf{Adv}$ sends a message $M_i$ to $\mathbf{C}$. In an output, $\mathbf{C}$ issues and sends $\{M_i,PI{D}_i,T_i,D_i,{\delta }_i\}$ to $\mathbf{Adv}$, who can compromise the authenticity of our proposal if he/she can properly issue a login demand. Consider $At{t}_{\mathbf{Adv}.Auth}^{Proposal}\left(k\right)$ be the advantage of $\mathbf{Adv}$ to compromise our proposal. Our proposal in a 5G-enabled vehicular network satisfies authentication security for any $\mathbf{Adv}$,

  $$At{t}_{\mathbf{Adv}.Auth}^{Proposal}\left(k\right)\le ϵ$$

  (4)

5. Proposed Scheme

This section proposes a lattice-based lightweight quantum-resistant scheme in 5G-enabled vehicular networks. Our proposal has five phases, called setup, VehReg, GenSig, SSigVerify, and BSigVerify, as shown in Figure 2. These phases are proposed as follows.

5.1. Setup Phase

This phase generates public system parameters by the TA as follows.

• The TA picks a prime q and two positive integers $\alpha ,\beta$.
• The TA picks a matrix $\mathcal{A}\in Z_q^{\alpha \times \beta }$ with integer entries.
• The TA randomly selects $S_x\in Z_q^{\alpha }$ as the system’s master private key and then computes the corresponding public key as $Pub=S_x^t\mathcal{A}\in Z_q^{1\times \beta }$.
• The TA chooses three secure hash functions as $h_1:Z_q^{\alpha }\to Z_q$, $h_2:{\{0,1\}}^{*}\to Z_q$, and $h_3:{\{0,1\}}^{*}\times {\{0,1\}}^{*}\times Z_q^{1\times \alpha }\times {\{0,1\}}^{*}\to Z_q$.
• Finally, the TA sets the public system parameters as $param=\{\alpha ,\beta ,q,\mathcal{A},Pub,h_1,h_2,h_3\}$.

5.2. VehReg Phase

This phase registries the participating vehicle before leaving the factory as follows.

• A user submits the true identity $TI{D}_{v_i}$ of vehicle $v_i$ to the TA through a secure channel.
• The TA first checks the validity and authenticity of the vehicle’s true identity $TI{D}_{v_i}$.
• The TA preloads the public system parameters as $param=\{\alpha ,\beta ,q,\mathcal{A},Pub,h_1,h_2,h_3\}$ to the OBU of vehicle $v_i$.
• The TA saves its master private key $S_x$ into TPD of OBU on vehicle $v_i$. Note that the attacker does not have the ability to reveal any data saved on the TPD, according to the assumption in this paper.

5.3. GenSig Phase

This phase is executed by vehicle $v_i$ as follows.

• Vehicle $v_i$ randomly picks number $r_i\in Z_q^{\alpha }$ and then calculates pseudonym-IDs $PI{D}_{v_i}$ as Equation (5) by using system’s master private key $S_x$ saved on its TPD.

  $$\begin{array}{cc}\hfill PI{D}_{v_i}& =(PI{D}_{i,1},PI{D}_{i,2})\hfill \\ \hfill & =(r_i^t\mathcal{A},TI{D}_{v_i}\oplus h_1(S_x\left|\right|PI{D}_{i,1}\left)\right)\hfill \end{array}$$

  (5)
• Vehicle $v_i$ calculates parameter ${\eta }_i=h_2(PI{D}_{i,1}\left|\right|T_i)$ private key $S{K}_i=r_i+S_x·{\eta }_i$, where $T_i$ is a freshness timestamp.
• Vehicle $v_i$ randomly picks number $d_i\in Z_q^{\alpha }$ and then computes $D_i=d_i^t\mathcal{A}$, ${\sigma }_i=h_3(PI{D}_{i,1}\left|\right|T_i\left|\right|D_i\left|\right|M_i)$.
• Vehicle $v_i$ computes the message signature as Equation (6).

  $${\delta }_i=S{K}_i+d_i·{\sigma }_i\in Z_q^{\beta }$$

  (6)
• Finally, vehicle $v_i$ sends to other vehicles with the message-tuple $\{PI{D}_{v_i},M_i,D_i,T_i,{\delta }_i\}$.

5.4. SSigVerify Phase

This phase verifies the single message-tuple $\{PI{D}_{v_i},M_i,D_i,T_i,{\delta }_i\}$ sent from a single source by the verifying recipient $v_j$ at a time as follows.

• Once receiving message-tuple $\{PI{D}_{v_i},M_i,D_i,T_i,{\delta }_i\}$, verifying recipient $v_j$ checks the freshness timestamp $T_i$ in order to resist a replay attack in our proposal.
• Verifying recipient $v_j$ checks the authenticity and integrity of message-tuple $\{PI{D}_{v_i},M_i,D_i,T_i,{\delta }_i\}$ by computing Equation (7).

  $$\begin{array}{cc}\hfill {\delta }_i^t\mathcal{A}& =(S{K}_i^t+d_i^t·{\sigma }_i)·\mathcal{A}\hfill \\ \hfill & ={(r_i+S_x·{\eta }_i)}^t·\mathcal{A}+d_i^t·{\sigma }_i·\mathcal{A}\hfill \\ \hfill & =r_i^t\mathcal{A}+{\eta }_i·S_x^t·\mathcal{A}+{\sigma }_i·d_i^t·\mathcal{A}\hfill \\ \hfill & =PI{D}_{i,1}+{\eta }_i·Pub+{\sigma }_i·D_i.\hfill \end{array}$$

  (7)
  It accepts a message if the verification is successful; otherwise, it refuses.

5.5. BSigVerify Phase

After receiving $\{PI{D}_{v_1},M_1,D_1,T_1,{\delta }_1\}$, $\{PI{D}_{v_2},M_2,D_2,T_2,{\delta }_2\}$, …, $\{PI{D}_{v_n},M_n,D_n,T_n,{\delta }_n\}$, this phase verifies the large number of message that were sent from a large number of vehicles simultaneously. This process is as follows.

• Once receiving message-tuple $\{PI{D}_{v_n},M_n,D_n,T_n,{\delta }_n\}$, verifying recipient $v_j$ checks the freshness timestamp $T_n$ in order to resist a replay attack in our proposal.
• Verifying recipient $v_j$ randomly tests vector ${\gamma }_i=\{{\gamma }_1,{\gamma }_2,\dots ,{\gamma }_n\}$, where $i\in \{1,2,3,\dots ,n\}$.
• Verifying recipient $v_j$ checks the authenticity and validity of message-tuple $\{PI{D}_{v_n},M_n,D_n,T_n,{\delta }_n\}$ by computing Equation (8).

  $$\left(\sum _{i=1}^n{\gamma }_i{\delta }_i^t\right)\mathcal{A}\stackrel{?}{=}\sum _{i=1}^n{\gamma }_{i}PI{D}_{i,1}+\left(\sum _{i=1}^n{\gamma }_i{\eta }_i\right)Pub+\left(\sum _{i=1}^n{\gamma }_i{\sigma }_i\right)D_i.$$

  (8)
  It accepts a the message if verification is successful; otherwise, it refuses.

6. Security Analysis

6.1. Random Oracle Model

The following Random oracle model ensures the security of our proposal in a 5G-enabled vehicular network.

Theorem 3.

Under adaptively chosen message attacks in the random oracle model, our proposal satisfies security against a PPT attacker under two problems of ISIS and SIS.

Proof. 

Assume adversary $\mathbf{Adv}$ impersonates the valid message $\{M_i,PI{D}_i,T_i,D_i,{\delta }_i\}$; then, challenger $\mathbf{C}$ is created in such a way that it can assist $\mathbf{Adv}$ to compromise the ISIS or SIS problems with a non-negligible advantage to win the game. As a lattice problem with the values $(P,B=S_x^t\mathcal{A})$, challenger $\mathbf{C}$ responds to $\mathbf{Adv}$’s inquiries as follows:

• Setup: Challenger $\mathbf{C}$ assigns $Pub\leftarrow B=S_x^t\mathcal{A}$ and parameters $\{M,q,\mathcal{A},Pub,h_1,h_2,h_3\}$ are sent to $\mathbf{Adv}$.
• Query ($H_1$):$\mathbf{C}$ maintains a table $Lis{t}_{h_1}$ with the inputs ($\varphi ,\nu$). At first, this list $Lis{t}_{h_1}$ is given empty. Then, $\mathbf{Adv}$ requests a query as query-($H_1$) with a message $\varphi$. In output, $\mathbf{C}$ tests table $Lis{t}_{h_1}$ for ($\varphi ,\nu$) and, if it exists, transmits $h_1\left(\varphi \right)$ = $\nu$ to $\mathbf{Adv}$; otherwise, $\mathbf{C}$ selects a random number $\nu \in Z_p^{*}$, inserts ($\varphi ,\nu$) into $Lis{t}_{h_1}$, and returns $h_1\left(\varphi \right)$ = $\nu$ to $\mathbf{Adv}$.
• Query ($H_2$):$\mathbf{C}$ maintains a table $Lis{t}_{h_2}$ with the inputs ($PI{D}_i,T_i,\nu$). At first, this list $Lis{t}_{h_2}$ is given empty. Then, $\mathbf{Adv}$ requests a query as query-($H_2$) with a message $(PI{D}_i,T_i)$. In output, $\mathbf{C}$ tests table $Lis{t}_{h_2}$ for ($PI{D}_i,T_i,\nu$) and, if it exists, transmits $h_2(PI{D}_i\left|\right|T_i)$ = $\nu$ to $\mathbf{Adv}$; otherwise, $\mathbf{C}$ selects a random number $\nu \in Z_p^{*}$, inserts ($PI{D}_i,T_i,\nu$) into $Lis{t}_{h_2}$, and returns $h_2(PI{D}_i\left|\right|T_i)$ = $\nu$ to $\mathbf{Adv}$.
• Query ($H_3$):$\mathbf{C}$ maintains a table $Lis{t}_{h_3}$ with the inputs ($PI{D}_i,T_i,D_i,M_i,\nu$). At first, this list $Lis{t}_{h_3}$ is given empty. Then, $\mathbf{Adv}$ requests a query as query-($H_3$) with a message $(PI{D}_i,T_i,D_i,M_i)$. In output, $\mathbf{C}$ tests table $Lis{t}_{h_3}$ for ($PI{D}_i,T_i,D_i,M_i,\nu$) and, if it exists, transmits $h_3(PI{D}_i\left|\right|T_i\left|\right|D_i\left|\right|M_i)$ = $\nu$ to $\mathbf{Adv}$; otherwise, $\mathbf{C}$ selects a random number $\nu \in Z_p^{*}$, inserts ($PI{D}_i,T_i,D_i,M_i,\nu$) into $Lis{t}_{h_3}$, and returns $h_3(PI{D}_i\left|\right|T_i\left|\right|D_i\left|\right|M_i)$ = $\nu$ to $\mathbf{Adv}$.
• Signing Query: In this step, $\mathbf{Adv}$ transmits a traffic-related $M_i$ to $\mathbf{C}$. Then, $\mathbf{C}$ randomly picks ${\delta }_i\in Z_q^{\alpha }$, ${\eta }_i$, ${\sigma }_i\in Z_q^{*},PI{D}_{i,2}$ and calculates $PI{D}_{i,1}={\delta }_i^t\mathcal{A}-{\eta }_{i}Pub-{\sigma }_i{D}_i$. Lastly, the message-tuple $\{PI{D}_{v_i},M_i,D_i,T_i,{\delta }_i\}$ is sent to $\mathbf{Adv}$ by $\mathbf{C}$. Meanwhile, we can observe that ${\delta }_i^t\mathcal{A}=PI{D}_{i,1}+{\eta }_{i}Pub+{\sigma }_i{D}_i$ holds. Therefore, an input signature creation method performed by $\mathbf{C}$ is identical to a valid signature scheme performed by registered vehicles.

□

Finally, $\mathbf{Adv}$ issues a response $\{PI{D}_{v_i},M_i,D_i,T_i,{\delta }_i\}$ and $\mathbf{C}$ verifies Equation (9).

$${\delta }_i^t\mathcal{A}=PI{D}_{i,1}+{\eta }_i·Pub+{\sigma }_i·D_i.$$

(9)

If Equation (9) does not hold, $\mathbf{C}$ ends the procedure. If the aforementioned procedure is now repeated with $h_2$, $\mathbf{Adv}$ issues another message-tuple $\{PI{D}_{v_i},M_i,D_i,T_i,{\delta }_i\}$. Therefore, $\mathbf{C}$ checks Equation (10).

$${\delta }_i^{{}^{\prime }t}\mathcal{A}=PI{D}_{i,1}+{\eta }_i^{{}^{\prime }}·Pub+{\sigma }_i·D_i.$$

(10)

Now, from Equations (9) and (10), Equation (11) can be concluded.

$$\begin{array}{cc}\hfill ({\delta }_i^t-{\delta }_i^{{}^{\prime }t})\mathcal{A}& =PI{D}_{i,1}+{\eta }_i·Pub+{\sigma }_i·D_i-PI{D}_{i,1}-{\eta }_i^{{}^{\prime }}·Pub-{\sigma }_i·D_i\hfill \\ \hfill & =(PI{D}_{i,1}-PI{D}_{i,1})+({\sigma }_i·D_i-{\sigma }_i·D_i)+({\eta }_i·Pub-{\eta }_i^{{}^{\prime }}·Pub)\hfill \\ \hfill & ={\eta }_i·Pub-{\eta }_i^{{}^{\prime }}·Pub\hfill \\ \hfill & =({\eta }_i-{\eta }_i^{{}^{\prime }})·Pub\hfill \\ \hfill & =({\eta }_i-{\eta }_i^{{}^{\prime }})·S_x^t\mathcal{A}\hfill \end{array}$$

(11)

Now, $\mathbf{C}$ takes the definition of an ISIS or SIS problem as Equation (12).

$$\frac{{\delta }_i-{\delta }_i^{{}^{\prime }}}{({\eta }_i-{\eta }_i^{{}^{\prime }})}$$

(12)

Nevertheless, this definition does not attain the difficulty of ISIS or the SIS problems. Therefore, our proposal achieves strong security against $\mathbf{Adv}$ under the random oracle model.

6.2. Security Requirements

In this section, our proposal satisfies the privacy and security properties (as mentioned above in Section 3.2) as follows.

• Authentication and integrity: According to Theorem 3, we can observe that PPT-based $\mathbf{Adv}$ does not have the capability to produce a forgery due to problems of ISIS/SIS. Hence, the validity and safety of message-tuple $\{PI{D}_{v_i},M_i,D_i,T_i,{\delta }_i\}$ sent by a vehicle are verifiable by testing Equation (7) or Equation (8). Therefore, our proposal for a 5G-enabled vehicular network supports the properties of authentication and integrity.
• Identity privacy-preserving: A vehicle broadcasts message-tuple $\{PI{D}_{v_i},M_i,D_i,T_i,{\delta }_i\}$ including its true identity $TI{D}_{v_i}$, where $PI{D}_{v_i}=\{PI{D}_{i,1},PI{D}_{i,2}\}$. Due to $PI{D}_{i,1}=r_i^t\mathcal{A}$ and $PI{D}_{i,2}=TI{D}_{v_i}\oplus h_1(S_x\left|\right|PI{D}_{i,1})$, the PPT-based $\mathbf{Adv}$ must compute $h_1(S_x\left|\right|PI{D}_{i,1})$ to reveal a vehicle’s true identity $TI{D}_{v_i}=PI{D}_{i,2}\oplus h_1(S_x\left|\right|PI{D}_{i,1})$. Due to the problems of ISIS/SIS, $\mathbf{Adv}$ does not have the capability to disclose $S_x$ from $Pub=S_x^t\mathcal{A}$ or $PI{D}_{i,2}=TI{D}_{v_i}\oplus h_1(S_x\left|\right|PI{D}_{i,1})$. Therefore, our proposal for a 5G-enabled vehicular network supports the property of identity privacy-preserving.
• Traceability: The vehicle’s true identity $TI{D}_{v_i}$ is traceable by the TA as follows. The pseudonym-ID $PI{D}_{v_i}$ in message-tuple $\{PI{D}_{v_i},M_i,D_i,T_i,{\delta }_i\}$ is issued by the user with the assistance of true identification $TI{D}_{v_i}$. This is because $PI{D}_{i,1}=r_i^t\mathcal{A}$, $PI{D}_{i,2}=TI{D}_{v_i}\oplus h_1(S_x\left|\right|PI{D}_{i,1})$, and $PI{D}_{v_i}=\{PI{D}_{i,1},PI{D}_{i,2}\}$. The TA utilizes its master private key $S_x$ to calculate $h_1(S_x\left|\right|PI{D}_{i,1})$ and obtains the true identity as $TI{D}_{v_i}=PI{D}_{i,2}\oplus h_1(S_x\left|\right|PI{D}_{i,1})$. Therefore, our proposal for a 5G-enabled vehicular network supports the property of traceability.
• Unlinkability: The vehicle randomly picks $r_i\in Z_q^{\alpha }$ and $d_i\in Z_q^{\alpha }$ to compute message-tuple $\{PI{D}_{v_i},M_i,D_i,T_i,{\delta }_i\}$, where $PI{D}_{i,1}=r_i^t\mathcal{A}$, $PI{D}_{i,2}=TI{D}_{v_i}\oplus h_1(S_x\left|\right|PI{D}_{i,1})$, $PI{D}_{v_i}=\{PI{D}_{i,1},PI{D}_{i,2}\}$, $D_i=d_i^t\mathcal{A}$ and ${\sigma }_i=h_3(PI{D}_{i,1}\left|\right|T_i\left|\right|D_i\left|\right|M_i)$. Any $\mathbf{Adv}$ cannot distinguish two messages of the user due to random values $r_i$ and $d_i$. Therefore, our proposal for a 5G-enabled vehicular network supports the property of unlinkability.
• Security attack resistant:

  -

  Replay attacks: In our proposal, the message-tuple $\{PI{D}_{v_i},M_i,D_i,T_i,{\delta }_i\}$ includes a timestamp $T_i$. Due to the freshness of $T_i$, the replay attack cannot be processed.

  -

  Modify attacks: According to Theorem 3, we can observe that any alteration in the message-tuple $\{PI{D}_{v_i},M_i,D_i,T_i,{\delta }_i\}$ is easily detectable by testing Equation (7) or Equation (8).

  -

  Forgery attacks: $\mathbf{Adv}$ has to generate the message-tuple $\{PI{D}_{v_i},M_i,D_i,T_i,{\delta }_i\}$, which holds Equation (7) or Equation (8). Nevertheless, according to Theorem 3, no such $\mathbf{Adv}$ can be constructed.

  -

  Man-in-the-middle attacks: Our proposal achieves node authentication and message integrity, and thus the authenticity and validity of the communicating components.

6.3. Quantum Resistant

This section provides security in a quantum environment [35,36,37]. On the basis of the difficulty in some lattices, the security of our proposal is assumed. This lattice-based technique is according to the worst-to-average-case premise that the SIS and ISIS problems in some lattices are difficult to resolve with appropriate values. The following list contains the key security elements.

• Resistance to collision: In some of the lattices, the matrix family $\{\mathcal{A}:C\to {\mathbf{Adv}}^{\alpha }|A\in \mathcal{A}\}$ has the ability to resist collisions. If there are collisions, then SIS is simple to solve. Let $\mathcal{A}x$ = $\mathcal{A}{x}^{{}^{\prime }}$ for some short vector x and $x^{{}^{\prime }}$ be the collision; then, $\mathcal{A}$(x − $x^{{}^{\prime }}$) = 0 and x − $x^{{}^{\prime }}$ is short.
• Property of hiding:$({\rm Y},\Omega )$-hiding for any $\mathcal{A}\in Z_q^{\alpha \times \beta }$, $S_x\in Z_q^{\alpha }$, $P\in P$; let $\Gamma (S_x,P)$$=\{S_x^{{}^{\prime }},d^{{}^{\prime }},r^{{}^{\prime }}:$$S_x^t\mathcal{A}=S_x^{{}^{\prime }t}\mathcal{A}\wedge d^t\mathcal{A}=$$d^{{}^{\prime }t}\mathcal{A}\wedge r^t\mathcal{A}\}$ be the gathering of private keys with corresponding public key $Pub=X_s^t\mathcal{A}$ and signature $d^t\mathcal{A},r^t\mathcal{A}$. Our proposal has the property of hiding when $P{r}_{S_x\in Z_q^{\alpha }}[\forall P\ne P^{{}^{\prime }}|\Gamma (S_x,P)\cap \Gamma (S_x,P^{{}^{\prime }})|\le ϵ|\Gamma (S_x,P^{{}^{\prime }})\left|\right]\ge \Omega$.

Lemma 2.

Suppose that if a randomized probabilistic polynomial-time adversary $\mathbf{Adv}$ breaches the authenticity system with probability ϖ, our proposal has the features of closure and concealing. Then, with probability $\frac{(\varpi +\Omega -1).(1-ϵ)}{2-ϵ}$, collision resistance is effectively targeted.

Theorem 4.

If an $\mathbf{Adv}$ has the concealment features, collision resistance, and closing that hold for $ϵ<1$ with two hard problems of ISIS and SIS in the associated lattice, then our proposal is quantum-resistant.

Proof. 

Assume that the adversary with probability ϖ is the one that compromises the security of our proposal. Here, $\mathbf{Adv}$ performs the following collision detection using a PPT method as follows.

• Let $\mathcal{A}{Z}_q^{\alpha \times \beta }$ and private key $S_x\in Z_q^{\alpha }$, then calculate $Pub=S_x^t\mathcal{A}$.
• Send the system’s parameters $\{\mathcal{A},Pub\}$ to $\mathbf{Adv}$.
• Let a query $P\leftarrow \mathbf{Adv}(\mathcal{A},Pub)$.
• Verify the authenticity of P and transmit $\{P,PID,T,D$ $=d^t\mathcal{A},\delta =SK+\sigma d\}$ to $\mathbf{Adv}$.
• The impersonation obtained is $\{P^{{}^{\prime }},PI{D}^{{}^{\prime }},T^{{}^{\prime }},D^{{}^{\prime }},{\delta }^{{}^{\prime }}\}\leftarrow \mathbf{Adv}(\mathcal{A},Pub,D,\delta ,PID)$.
• The result is $\{d^t\mathcal{A},SK+\sigma d,r^t\mathcal{A},D^{{}^{\prime }},{\delta }^{{}^{\prime }},PI{D}^{{}^{\prime }}\}$ as a collision to $\mathcal{A}$.

□

Consider that in queries of $\mathbf{Adv}$ with correct $P,P^{{}^{\prime }},D^{{}^{\prime }},{\delta }^{{}^{\prime }}$, and $PI{D}^{{}^{\prime }}$, if he/she experiences a nontrivial collision as a result, collision will be successful as Equation (13). Note that $D^{-}$ refers to a query generated through $\mathbf{Adv}$.

$$\begin{array}{cc}\hfill d^t\mathcal{A}& \ne D^{-}\hfill \\ \hfill SK+\sigma d& \ne {\delta }^{{}^{\prime }}\hfill \end{array}$$

(13)

Attacker $\mathbf{Adv}$ issues valid message-tuple $\{P^{{}^{\prime }},D^{{}^{\prime }},{\delta }^{{}^{\prime }},PI{D}^{{}^{\prime }}\}$ if $\{P^{{}^{\prime }},D^{{}^{\prime }},{\delta }^{{}^{\prime }},PI{D}^{{}^{\prime }}\}\ne \{P,D,\delta ,PID\}$. We can assume that $Pr[\{P^{{}^{\prime }},D^{{}^{\prime }},{\delta }^{{}^{\prime }},PI{D}^{{}^{\prime }}\}\ne \{P,D,\delta ,PID\}]$ = $\varpi$ and randomly select value $b\in 0,1$. We assume that $Pr[b=0]=\frac{1-ϵ}{2-ϵ}$ and $Pr[b=1]=\frac{1}{2-ϵ}$. Moreover. if b=0, then set $S_x^{{}^{\prime }}=S_x$, $d=d^{{}^{\prime }}$; otherwise select a random value from definitive dissemination $\Gamma (S_x,P)$.

Thus, the amounts $\{d^{{}^{\prime }t}\mathcal{A},S{K}^{{}^{\prime }},\sigma d^{{}^{\prime }},r^{{}^{\prime }t}\mathcal{A},D^{{}^{\prime }},{\delta }^{{}^{\prime }},PI{D}^{{}^{\prime }}\}$ are the result of $\mathbf{Adv}$. Additionally, $S_x$ is distributed over $\Gamma (S_x,P)$. From the analysis, we can observe that the amounts $\{d^{{}^{\prime }t}\mathcal{A},S{K}^{{}^{\prime }},\sigma d^{{}^{\prime }},r^{{}^{\prime }t}\mathcal{A},D^{{}^{\prime }},{\delta }^{{}^{\prime }},PI{D}^{{}^{\prime }}\}$ is distributed by the hash function with collision resistance. The following is the probability of a collision:

$Pr[d^{{}^{\prime }t}\mathcal{A}\ne D^{{}^{\prime }}\wedge S{K}^{{}^{\prime }}+\sigma d^{{}^{\prime }}\ne {\delta }^{{}^{\prime }}\wedge r^{{}^{\prime }t}\mathcal{A}\ne PI{D}^{{}^{\prime }}]$$=Pr[(d^{{}^{\prime }t}\mathcal{A}{D}^{{}^{\prime }}\wedge S{K}^{{}^{\prime }}+\sigma d^{{}^{\prime }}\ne {\delta }^{{}^{\prime }}\wedge r^{{}^{\prime }t}\mathcal{A}\ne PI{D}^{{}^{\prime }})\wedge P=P^{{}^{\prime }}]+$$Pr[(d^{{}^{\prime }t}\mathcal{A}\ne D^{{}^{\prime }}\wedge S{K}^{{}^{\prime }}+\sigma d^{{}^{\prime }}\ne {\delta }^{{}^{\prime }}\wedge r^{{}^{\prime }t}\mathcal{A}\ne PI{D}^{{}^{\prime }})\wedge P\ne P^{{}^{\prime }}\wedge d^t\mathcal{A}=D\wedge SK+\sigma d=\delta \wedge r^t\mathcal{A}=PID]+$$Pr[(d^{{}^{\prime }t}\mathcal{A}\ne D^{{}^{\prime }}\wedge S{K}^{{}^{\prime }}+\sigma d^{{}^{\prime }}\ne {\delta }^{{}^{\prime }}\wedge r^{{}^{\prime }t}\mathcal{A}\ne PI{D}^{{}^{\prime }})\wedge P\ne P^{{}^{\prime }}\wedge (d^{{}^{\prime }t}\mathcal{A}\ne D^{{}^{\prime }}\wedge S{K}^{{}^{\prime }}+\sigma d^{{}^{\prime }}\ne {\delta }^{{}^{\prime }}\ne r^{{}^{\prime }t}\mathcal{A}\ne PID\mathcal{A})]$.

Case 1.

If $P=P^{{}^{\prime }}$ and $\{P^{{}^{\prime }},D^{{}^{\prime }},{\delta }^{{}^{\prime }},PI{D}^{{}^{\prime }}\}\ne$ $\{P,D,\delta ,PID\wedge P=P^{{}^{\prime }}\}$ holds, $d^{{}^{\prime }t}\mathcal{A}\ne D^{{}^{\prime }}S{K}^{{}^{\prime }}+\sigma d^{{}^{\prime }}\ne {\delta }^{{}^{\prime }}\wedge r^{{}^{\prime }t}\mathcal{A}\ne PI{D}^{{}^{\prime }}$, and also $P^{{}^{\prime }}=P$ holds. Thus, ($d^{{}^{\prime }t}\mathcal{A}\ne D^{{}^{\prime }}\wedge S{K}^{{}^{\prime }}+\sigma d^{{}^{\prime }}\ne r^{{}^{\prime }t}\ne {\delta }^{{}^{\prime }}\wedge r^{{}^{\prime }t}\mathcal{A}\ne PI{D}^{{}^{\prime }})\hspace{0.17em}\wedge \hspace{0.17em}P=P^{{}^{\prime }}$ also holds. Thus, $Pr[d^{{}^{\prime }t}\mathcal{A}\ne D^{{}^{\prime }}\wedge S{K}^{{}^{\prime }}+\sigma d^{{}^{\prime }}\ne {\delta }^{{}^{\prime }}\wedge r^{{}^{\prime }t}\mathcal{A}PI{D}^{{}^{\prime }}\wedge P=P^{{}^{\prime }}]$ $\ge Pr[\{P^{{}^{\prime }},D^{{}^{\prime }},{\delta }^{{}^{\prime }},PI{D}^{{}^{\prime }}\}\ne \{P,D,\delta ,PID\}\wedge P=P^{{}^{\prime }}]$ $\ge Pr[\{P^{{}^{\prime }},D^{{}^{\prime }},{\delta }^{{}^{\prime }},PI{D}^{{}^{\prime }}\}\ne \{P,D,\delta ,PID\}\wedge P=P^{{}^{\prime }}]$ $\frac{1-ϵ}{2-ϵ}$.

Case 2.

When $P\ne P{}^{\prime }$ and $d{}^{\prime }\mathcal{A}=D^{{}^{\prime }}\wedge S{K}^{{}^{\prime }}+\sigma d={\delta }^{{}^{\prime }}\wedge r^t\mathcal{A}=PI{D}^{{}^{\prime }}$, then we have $d^{{}^{\prime }t}\mathcal{A}\ne D^{{}^{\prime }}\wedge S{K}^{{}^{\prime }}+\sigma d^{{}^{\prime }}\ne {\delta }^{{}^{\prime }}\wedge r^{{}^{\prime }t}\mathcal{A}\ne r^t\mathcal{A}$. Therefore, $S_x^{{}^{\prime }}\mathcal{A}=S_x\mathcal{A}$ $d^{{}^{\prime }t}\mathcal{A}\ne d\mathcal{A},S{K}^{{}^{\prime }}+\sigma d^{{}^{\prime }}\ne SK+\sigma d^{{}^{\prime }}$ and $r^{{}^{\prime }t}\mathcal{A}\ne r^t$ holds if $S_x^{{}^{\prime }}$ does not lie in $\Gamma (S_x,P^{{}^{\prime }})$. Let $X\subseteq Z_q^{\alpha }$, $▵\subseteq Z_q^{\alpha }$ be the set of possible secrets $S_x,d$ and r, respectively, such that $P\ne P^{{}^{\prime }}|\Gamma (S_x,P)\cap \Gamma (S_x,P^{{}^{\prime }})|\le ϵ|\Gamma (S_x,P)$. Based on the concept of hiding, it can obtained that $Pr[S_x\in x\subseteq Z_q^{\alpha }$, $d\in ▵\subseteq Z_q^{\alpha }$, $r\in R\subseteq Z_q^{\alpha }]\ge \Omega$. Now, we have the following for b = 1, using the union bound on probability:

$Pr[P\ne P^{{}^{\prime }}\wedge (d^t\mathcal{A}=D^{{}^{\prime }}\wedge S{K}^{{}^{\prime }}+\sigma d={\delta }^{{}^{\prime }}\wedge r^t\mathcal{A}=PI{D}^{{}^{\prime }})\wedge S_x\in X\wedge d\in ▵\wedge r\in A\wedge b=1]$$=Pr[P\ne P^{{}^{\prime }}\wedge (d^t\mathcal{A}=D^{{}^{\prime }}\wedge S{K}^{{}^{\prime }}+\sigma d={\delta }^{{}^{\prime }}\wedge r^{{}^{\prime }}\mathcal{A}=PI{D}^{{}^{\prime }})S_x\in X\wedge d\in ▵\wedge r\in A]$$Pr[b=1]\ge$$Pr[P\ne P^{{}^{\prime }}\wedge (d^{{}^{\prime }}\mathcal{A}=D^{{}^{\prime }}\wedge S{K}^{{}^{\prime }}+\sigma d={\delta }^{{}^{\prime }}\wedge r^t\mathcal{A}=PI{D}^{{}^{\prime }})]-$$Pr[X_s\notin X\wedge d\notin ▵r\notin A]$${(2-ϵ)}^{-1}\ge Pr[\{P^{{}^{\prime }},D^{{}^{\prime }},{\delta }^{{}^{\prime }},PI{D}^{{}^{\prime }}\}\ne$$\{P,D,\delta ,PID\}\wedge P\ne P^{{}^{\prime }}\wedge (d^t\mathcal{A}=D^{{}^{\prime }}\wedge S{K}^{{}^{\prime }}+\sigma d={\delta }^{{}^{\prime }}\wedge r^{{}^{\prime }}\mathcal{A}=PI{D}^{{}^{\prime }})]-1+\Omega {(2-ϵ)}^{-1}$.

Likewise, it is possible to see the following:

$Pr[\{d^{{}^{\prime }t}\mathcal{A}\ne D^{{}^{\prime }}\wedge S{K}^{{}^{\prime }}+\sigma d^{{}^{\prime }}\ne {\delta }^{{}^{\prime }}\wedge r^{{}^{\prime }t}\mathcal{A}\ne PI{D}^{{}^{\prime }}\}|\{P\ne P^{{}^{\prime }}\wedge d^{{}^{\prime }t}\mathcal{A}=D\wedge S{K}^{{}^{\prime }}+\sigma d^{{}^{\prime }}={\delta }^{{}^{\prime }}\wedge r^{{}^{\prime }t}\mathcal{A}=PI{D}^{{}^{\prime }}\wedge S_x\in X\wedge d\in \gneqq \wedge r\in A\wedge b=1\}]$$\ge 1-Ma{x}_{S_x\in X\wedge d\gneqq \wedge r\in A}\frac{|\Gamma (S_x,\alpha )\cap \Gamma (S_x,{\alpha }^{{}^{\prime }})|}{|\Gamma (S_x,\alpha \left)\right|}\ge 1-ϵ$.

Consequently, we obtain the following:

$Pr[(d^{{}^{\prime }t}\mathcal{A}\ne D^{{}^{\prime }}\wedge S{K}^{{}^{\prime }}+\sigma d^{{}^{\prime }}\ne {\delta }^{{}^{\prime }}\wedge r^{{}^{\prime }t}\mathcal{A}\ne PI{D}^{{}^{\prime }})\wedge P=P^{{}^{\prime }}\wedge (d^{{}^{\prime }}\mathcal{A}=D^{{}^{\prime }}\wedge SK+\sigma d={\delta }^{{}^{\prime }}{r}^t\mathcal{A}=PI{D}^{{}^{\prime }})\wedge S_x\in X\wedge d\in \gneqq \wedge r\in A]\ge Pr[\{P^{{}^{\prime }},D^{{}^{\prime }},{\delta }^{{}^{\prime }},PI{D}^{{}^{\prime }}\}\ne$$\{P,D,\delta ,PID\wedge P=P^{{}^{\prime }}\}\wedge (d^t\mathcal{A}=D^{{}^{\prime }}\wedge SK+\sigma d={\delta }^{{}^{\prime }}\wedge r^t\mathcal{A}=PI{D}^{{}^{\prime }})]-1+\Omega (2-ϵ)$

Case 3.

If $P=P^{{}^{\prime }}$ and $d^t\mathcal{A}\ne D^{{}^{\prime }}\wedge S{K}^{{}^{\prime }}+\sigma d\ne {\delta }^{{}^{\prime }}\wedge r^t\mathcal{A}\ne PI{D}^{{}^{\prime }}$, then it becomes apparent that $P\ne P^{{}^{\prime }}$ and $d^{{}^{\prime }}\mathcal{A}\ne D^{{}^{\prime }}\wedge S{K}^{{}^{\prime }}+\sigma d\ne {\delta }^{{}^{\prime }}\wedge r^t\mathcal{A}\ne PI{D}^{{}^{\prime }}\wedge b=0$, implying that $S_x^{{}^{\prime }}=S_x$, and $r^{{}^{\prime }}=r$.

$Pr[\{d^{{}^{\prime }t}\mathcal{A}\ne D^{{}^{\prime }}\wedge S{K}^{{}^{\prime }}+\sigma d^{{}^{\prime }}\ne {\delta }^{{}^{\prime }}\wedge r^{{}^{\prime }t}\mathcal{A}\ne PI{D}^{{}^{\prime }}\}\wedge P\ne P^{{}^{\prime }}(d^t\mathcal{A}\ne D^{{}^{\prime }}\wedge SK+\sigma d\ne {\delta }^{{}^{\prime }}\wedge r^t\mathcal{A}\ne PI{D}^{{}^{\prime }})]\ge$$Pr[P\ne P^{{}^{\prime }}\wedge (d^{{}^{\prime }}\mathcal{A}\ne D^{{}^{\prime }}\wedge SK+\sigma d\ne {\delta }^{{}^{\prime }}\wedge r^t\mathcal{A}\ne PI{D}^{{}^{\prime }}\wedge b=0]\ge$$Pr[\{P^{{}^{\prime }},D^{{}^{\prime }},{\delta }^{{}^{\prime }},PI{D}^{{}^{\prime }}\}\ne \{P,D,\delta ,PID\}]-1+\Omega )\frac{1-ϵ}{2-ϵ}=$$(\varpi -1-\Omega )\frac{1-ϵ}{2-ϵ}$.

According to the calculations above, if $\varpi$ is very small and $\Omega$ is close to 1 with $ϵ<1$, then our proposal is resistant to quantum attacks.

7. Performance Evaluation

In this section, we evaluate and compare the performance evaluation of our proposal and recent existing schemes such as those of Ali et al. [15], Cui et al. [24], and Al-Shareeda et al. [20]. Some notations used in this section are as follows.

• $T_{bp}$: The runtime taken to run a bilinear pairing computation. $T_{bp}$ = 5.811 ms.
• $M_{bp}$: The runtime taken to run a scalar multiplication operation on the bilinear group. $M_{bp}$ = 1.5654 ms.
• $A_{bp}$: The runtime taken to run a point addition operation on the bilinear group. $A_{bp}$ = 0.0106 ms.
• h: The runtime taken to run a collision-resistant hash function. h = 0.001 ms.
• $M_{ecc}$: The runtime taken to run a scalar multiplication operation on the elliptic curve. $M_{ecc}$ = 0.6718 ms.
• $A_{ecc}$: The runtime taken to run a point addition operation on the elliptic curve. $A_{ecc}$ = 0.0031 ms.
• $T_{nm}$: The runtime taken to run a number multiplication. $T_{nm}$ = 1.409 $\mathsf{\mu }$s.
• $T_{na}$: The runtime taken to run a number addition. $T_{na}$ = 1.18 $\mathsf{\mu }$s.

Note that we can observe that the overhead of different cryptography operations follows the inequality $h<T_{nm}<M_{ecc}<M_{bp}$. The hardware platform used in this paper operated on a 64-bit Microsoft^® Windows™ 10 operating system with a 2.20 GHz processor and a 16.0 GB RAM-based Intel^® Core™ i7-2670QM. The times required for $T_{nm}$ and $T_{na}$ were averaged over ${10}^5$ trials, where the lattice dimension was 251 according to the NTRU standard [32,38].

Table 2. Performance evaluation comparison.

Schemes	Signature Generation (ms)	Signature Generation (ms)	Batch Signature Verification (ms)
Ali et al. [15]	$\{2M_{bp}+A_{bp}\}$	$\{2T_{bp}+1M_{bp}\}$	$\{2T_{bp}+n{M}_{bp}\}$
Cui et al. [24]	$\{3M_{ecc}+3h\}$	$3M_{ecc}+A_{ecc}+2h$	$(n+2)M_{ecc}+(n-1)A_{ecc}+2nh$
Al-Shareeda et al. [20]	$\{1M_{ecc}+2h\}$	$2M_{ecc}+A_{ecc}+1h$	$2M_{ecc}+(n+1)A_{ecc}+nh$
Our proposal	is $\{\alpha (\beta +1)T_{nm}+\alpha ·T_{na}+\alpha ·3h\}$	$\{\beta (\alpha +1)\left(T_{nm}\right)+\beta ·T_{na}+\beta ·2h\}$	$\{n{T}_{nm}+(2\beta +\alpha )(n-1)T_{na}+nh\}$

shows each operation over the existing schemes and the proposal in detail.

7.1. Signature Generation

This subsection analyzes and evaluates the computation cost of signature generation. Figure 3 summarizes the comparison authentication schemes.

In the scheme of Ali et al. [15], the user needs two scalar multiplication operations ($2M_{bp}$) on the bilinear group and one point addition operation $A_{bp}$ to generate a signature of the message. Thus, the entire overhead is $\{2M_{bp}+A_{bp}\}$.

In the scheme of Cui et al. [24], the user needs three scalar multiplication operations $3M_{ecc}$ on an elliptic curve and three collision-resistant hash functions $3h$ to generate the signature of the message. Thus, the entire overhead is $\{3M_{ecc}+3h\}$.

In the scheme of Al-Shareeda et al. [20], the user needs one scalar multiplication operation $1M_{ecc}$ on an elliptic curve and two collision-resistant hash functions $2h$ to generate the signature of the message. Thus, the entire overhead is $\{1M_{ecc}+2h\}$.

In our proposal, the user needs number multiplication $\left\{\alpha (\beta +1)\left(T_{nm}\right)\right\}$, number addition $\{\alpha ·T_{na}\}$, and collision-resistant hash functions $\{\alpha ·3h\}$ to generate the signature of a message. Thus, the entire overhead is $\{\alpha (\beta +1)T_{nm}+\alpha ·T_{na}+\alpha ·3h\}$.

7.2. Single Signature Verification

This subsection analyzes and evaluates the computation cost of single signature verification. Figure 4 summarizes the comparison authentication schemes.

In the scheme of Ali et al. [15], the user needs two bilinear pairing operations $2T_{bp}$ and one scalar multiplication operation ($M_{bp}$) on the bilinear group to verify the single signature verification of message. Thus, the entire overhead is $\{2T_{bp}+1M_{bp}\}$.

In the scheme of Cui et al. [24], the user needs three scalar multiplication operations $3M_{ecc}$ on an elliptic curve, one point addition operation $A_{ecc}$, and two collision-resistant hash functions $2h$ to verify the single signature verification of message. Thus, the entire overhead is $3M_{ecc}+A_{ecc}+2h$.

In the scheme of Al-Shareeda et al. [20], the user needs two scalar multiplication operations $2M_{ecc}$ on an elliptic curve, one point addition operation $A_{ecc}$, and one collision-resistant hash function $1h$ to verify single signature verification of message. Thus, the entire overhead is $2M_{ecc}+A_{ecc}+1h$.

In our proposal, the user needs number multiplication $\left\{\beta (\alpha +1)\left(T_{nm}\right)\right\}$, number addition $\{\beta ·T_{na}\}$, and collision-resistant hash functions $\{\beta ·2h\}$ to verify the single signature verification of a message. Thus, the entire overhead is $\{\beta (\alpha +1)\left(T_{nm}\right)+\beta ·T_{na}+\beta ·2h\}$.

7.3. Batch Signature Verification

This subsection analyzes and evaluates the computation cost of batch signature verification. Figure 5 summarizes the comparison authentication schemes.

In the scheme of Ali et al. [15], the vehicle needs two operations related to bilinear pairing $2T_{bp}$ and n scalar multiplication operations ($n{M}_{bp}$) on a bilinear group to verify the batch signatures verification of messages. Thus, the entire overhead is $\{2T_{bp}+n{M}_{bp}\}$.

In the scheme of Cui et al. [24], the vehicle requires (n + 2) operations-based scalar multiplication $(n+2)M_{ecc}$ on an elliptic curve, (n − 1) operations-based point addition $(n-1)A_{ecc}$, and (2n) collision-resistant hash functions $2nh$ to verify the batch signatures verification of messages. Thus, the entire overhead is $(n+2)M_{ecc}+(n-1)A_{ecc}+2nh$.

In the scheme of Al-Shareeda et al. [20], the vehicle requires two scalar multiplication operations $2M_{ecc}$ on the elliptic curve, (n + 1) point addition operations on the $(n+1)A_{ecc}$, and (n) collision-resistant hash functions $nh$ to verify the batch signatures verification of messages. Thus, the entire overhead is $2M_{ecc}+(n+1)A_{ecc}+nh$.

In our proposal, the vehicle requires number multiplication $\left\{n{T}_{nm}\right\}$, number addition $\left\{(2\beta +\alpha )(n-1)T_{na}\right\}$, and collision-resistant hash functions $\left\{nh\right\}$ to verify the batch signatures verification of messages. Thus, the entire overhead is $\{n{T}_{nm}+(2\beta +\alpha )(n-1)T_{na}+nh\}$.

8. Conclusions

This paper has proposed a lattice-based lightweight quantum-resistant scheme in 5G-enabled vehicular networks. Our proposal applies matrix multiplication rather than operations-based cryptographies of the elliptic curve or bilinear pair to generate and verify signatures of messages sent among vehicles. Since these operations-based elliptic curves or bilinear pair are not used to sign and verify messages, our proposal satisfies a significant reduction in the performance, which makes it lightweight enough to handle quantum attacks. Our proposal is based on 5G technology that has the responsibility to connect between the TA and vehicles within its wide-range communication domain by using the 5G standard. Security analysis showed that our proposal satisfies privacy and security properties as well as resisting quantum attacks. Lastly, this work also shows convenient performance compared to most recent schemes.

In future work, we will expand this research by utilizing fog computing to overcome the assumption that the TPD is hard and strong.