Security proof
Firstly the definition of the elliptic curve discrete logarithm problem (ECDLP) that the whole analysis based on will be introduced.
Definition1(ECDLP): n∈Z_{q} and N=nP∈G, where P is the generator of the group G. Given N=nP it’s difficult to compute n. Then a game between adversary \(\mathcal {A}\) and challenger \(\mathcal {C}\) is introduced to set up the security model of our scheme.
Setup Oracle: In this query, \(\mathcal {C}\) generates the secret keys and other system parameters, which are sent to \(\mathcal {A}\).
H0 Oracle: On input m by \(\mathcal {A}\), \(\mathcal {C}\) chooses a random number r from Z_{q} and returns to \(\mathcal {A}\) while inserting the tuple (m,r) into list L_{H0}.
H1 Oracle: On input m by \(\mathcal {A}\), \(\mathcal {C}\) chooses a random number r from Z_{q} and returns to \(\mathcal {A}\) while inserting the tuple (m,r) into list L_{H1}.
H2 Oracle: On input m by \(\mathcal {A}\), \(\mathcal {C}\) chooses a random number r from Z_{q} and returns to \(\mathcal {A}\) while inserting the tuple (m,r) into list L_{H2}.
H3 Oracle: On input m by \(\mathcal {A}\), \(\mathcal {C}\) chooses a random number r from Z_{q} and returns to \(\mathcal {A}\) while inserting the tuple (m,r) into list L_{H3}.
H4 Oracle: On input m by \(\mathcal {A}\), \(\mathcal {C}\) chooses a random number r from Z_{q} and returns to \(\mathcal {A}\) while inserting the tuple (m,r) into list L_{H4}.
Sign Oracle: In this query, on receiving message M from \(\mathcal {A}\), \(\mathcal {C}\) generates msg and sends to \(\mathcal {A}\).
If adversary \(\mathcal {A}\) could generate a login request message, it is proved to be able to violate the authentication of the scheme. Let \(\Phi (\mathcal {A})\) denote the probability that \(\mathcal {A}\) violates the authentication of our scheme.
Definition 1.
Our scheme is secure if \(\Phi (\mathcal {A})\) is negligible for any polynomial adversary \(\mathcal {A}\).
We evaluated the proposed scheme and it is proved secure in the random oracle.
Theorem 1.
The proposed scheme is secure in the random oracle model.
Proof: Suppose that there exists adversary \(\mathcal {A}\) that could forge a msg. We construct a challenger \(\mathcal {C}\) that is able to solve the ECDLP problem with a nonnegligible probability by running \(\mathcal {A}\) as a subroutine.
Setup Oracle: Firstly a security parameter k is taken as input. Then \(\mathcal {C}\) randomly selects a number s as its private key and computes P_{pub}=sP and \(\mathcal {C}\) sends {H0,H1,H2,H3,H4,P,P_{pub},q,PID_{LC,i},A,B}.
H0 Oracle: \(\mathcal {C}\) keeps a list L_{H0}〈PID_{LC,i},h0〉 initialized to empty. When \(\mathcal {A}\) invokes this query with 〈PID_{LC,i}〉, \(\mathcal {C}\) checks if 〈PID_{LC,i},h0〉 already exists in L_{H0}. If so, \(\mathcal {C}\) returns h0. Otherwise it generates a random h0=H0(PID_{LC,i}), inserts 〈PID_{LC,i},h0〉 in L_{H0} and returns h0 to \(\mathcal {A}\).
H1 Oracle: \(\mathcal {C}\) keeps a list L_{H1}〈P_{pub},B,h1〉 initialized to empty. When \(\mathcal {A}\) invokes this query with 〈PID_{LC,i},B〉, \(\mathcal {C}\) checks if 〈P_{pub},B〉 already exists in L_{H1}. If so, \(\mathcal {C}\) returns h1. Otherwise it generates a random h1=H1(P_{pub}∥B), inserts 〈P_{pub},B,h1〉 in L_{H1} and returns h1 to \(\mathcal {A}\).
H2 Oracle: \(\mathcal {C}\) keeps a list L_{H2}〈s,B,h2〉 initialized to empty. When \(\mathcal {A}\) invokes this query with 〈s,B〉, \(\mathcal {C}\) checks if 〈s,B〉 already exists in L_{H2}. If so, \(\mathcal {C}\) returns h2. Otherwise it generates a random h2=H2(s∥B), inserts 〈s,B,h2〉 in L_{H2} and returns h2 to \(\mathcal {A}\).
H3 Oracle: \(\mathcal {C}\) keeps a list L_{H3}〈PID_{v,j},h3〉 initialized to empty. When \(\mathcal {A}\) invokes this query with 〈PID_{v,j}〉, \(\mathcal {C}\) checks if 〈PID_{v,j}〉 already exists in L_{H}3. If so, \(\mathcal {C}\) returns h3. Otherwise it generates a random h3=H3(PID_{v,j}), inserts 〈PID_{v,j},h3〉 in L_{H3} and returns h3 to \(\mathcal {A}\).
H4 Oracle: \(\mathcal {C}\) keeps a list L_{H4}〈M,PID_{v,j},T_{t},R_{j},CFS_{j},h4〉 initialized to empty. When \(\mathcal {A}\) invokes this query with 〈M,PID_{v,j},T_{t},R_{j},CFS_{j}〉, \(\mathcal {C}\) checks if 〈M,PID_{v,j},T_{t},R_{j},CFS_{j}〉 already exists in L_{H4}. If so, \(\mathcal {C}\) returns h4. Otherwise it generates a random h4=H4(M∥PID_{v,j}∥T_{t}∥R_{j}∥CFS_{j}), inserts 〈M,PID_{v,j},T_{t},R_{j},CFS_{j},h4〉 in L_{H4} and returns h4 to \(\mathcal {A}\).
Sign Oracle: On receiving \(\mathcal {A}\)’s query with message M and pseudo identity PID_{v,j}, \(\mathcal {C}\) chooses random α,β,R_{j} from Z_{q} and computes signature σ=αH0(PID_{LC,i})+H4(M∥PID_{LC,i}∥R_{j}∥T_{t}∥CFS_{j}). Then \(\mathcal {C}\) inserts 〈PID_{LC,i},h0〉 and 〈M,PID_{v,j},T_{t},R_{j},CFS_{j},h4〉 into L_{H0} and L_{H4} respectively.
Analysis: Based on Forking lemma [42], suppose that \(\mathcal {A}\) has generated two valid signatures σ=SK_{j}H0(·)+rH4(·) and \(\widetilde {\sigma }=SK_{j}\widetilde {H0}(\cdot)+\widetilde {r}\widetilde {H4}(\cdot)\). To obtain the secret key SK_{j}, it computes
$$ \frac{\sigma\widetilde{\sigma}r\cdot H4(\cdot)+\widetilde{r}\cdot \widetilde{H4}(\cdot)}{H0(\cdot)\widetilde{H0}(\cdot)}mod\ q=SK_{j} $$
(5)
As the result shows, \(\mathcal {C}\) is able to solve the ECDLP problem as a polynomial adversary, which contradicts Definition 1. So we come to the conclusion that the proposed scheme is secure against adaptive chosen message attack in the random oracle model.
Security and attributes analysis

1
Authentication: According to Theorem 1, there exists no polynomial adversary being able to forge a valid message. Therefore the integrity of messages are able to be verified by computing σ·P=A·H0(PID_{v,j})+r·H4(M∥PID_{LC,i}∥R_{j}∥T_{t}∥CFS_{j})mod q.

2
Identity Privacy Preserving: The vehicle’s real identity does take part in the communication process but in the form of pseudo identity, and the master key stays unexposed.If an adversary intends to obtain other vehicle’s identities, it has to solve the difficult problems in mathematics in our scheme, which makes sure the identity privacy preserved.

3
Tracebility: If messages are found dishonest while transporting, LCs or GC can obtain the identities of vehicles by computing ID_{v,j}=PID_{v,j}⊕H2(s∥B).

4
Unlinkability: As a result of using different pseudo identities in different areas or even different periods, adversaries are kept from figuring out if multiple messages come from one same vehicle.

5
Resistance to Attacks: The proposed scheme can also resistant the following attacks [43, 44].

Forgery Attack: This attack intends to forge and transmit false warning messages in order to contaminate roads information and mislead vehicles. In the proposed scheme, once a vehicle found to send out false messages, its weigh value will drop more quickly than constant multiple speed. At last, the messages transformed by this vehicle will be ignored by surrounding vehicles.

Replay Attack: The encapsulated message contains timestamps, which can prevent messages are saved then reforwarded. Receivers check the freshness of messages at the very first beginning when getting them.

Impersonation Attack: If an adversary tends to impersonate a legal vehicle, it must generate a signature of the related message which satisfying σ·P=A·H0(PID_{v,j})+r·H4(M∥PID_{LC,i}∥R_{j}∥T_{t}∥CFS_{j}), which is difficult according to Theorem 1.

Modify Attack: If the message contained is modified, receivers will find out that the equation doesn’t hold. Then modified illegal message will be abandoned.

Man−in−the−middle Attack: Since messages sent by senders and receivers needs to be verified its integrity and nonreputation, the scheme can resist maninthemiddle attack.