Security proof
First, the definition of the elliptic curve discrete logarithm problem (ECDLP), on which the whole analysis is based, is introduced.
Definition 1 (ECDLP): Let n∈Zq and N=nP∈G, where P is the generator of the group G. Given N=nP, it is difficult to compute n. A game between an adversary \(\mathcal {A}\) and a challenger \(\mathcal {C}\) is then introduced to set up the security model of our scheme.
Setup Oracle: In this query, \(\mathcal {C}\) generates the secret keys and other system parameters, which are sent to \(\mathcal {A}\).
H0 Oracle: On input m from \(\mathcal {A}\), \(\mathcal {C}\) chooses a random number r from Zq, returns r to \(\mathcal {A}\) and inserts the tuple (m,r) into the list LH0.
H1 Oracle: On input m from \(\mathcal {A}\), \(\mathcal {C}\) chooses a random number r from Zq, returns r to \(\mathcal {A}\) and inserts the tuple (m,r) into the list LH1.
H2 Oracle: On input m from \(\mathcal {A}\), \(\mathcal {C}\) chooses a random number r from Zq, returns r to \(\mathcal {A}\) and inserts the tuple (m,r) into the list LH2.
H3 Oracle: On input m from \(\mathcal {A}\), \(\mathcal {C}\) chooses a random number r from Zq, returns r to \(\mathcal {A}\) and inserts the tuple (m,r) into the list LH3.
H4 Oracle: On input m from \(\mathcal {A}\), \(\mathcal {C}\) chooses a random number r from Zq, returns r to \(\mathcal {A}\) and inserts the tuple (m,r) into the list LH4.
Sign Oracle: In this query, on receiving a message M from \(\mathcal {A}\), \(\mathcal {C}\) generates the signed message msg and sends it to \(\mathcal {A}\).
If adversary \(\mathcal {A}\) can generate a valid login request message, it has broken the authentication of the scheme. Let \(\Phi (\mathcal {A})\) denote the probability that \(\mathcal {A}\) breaks the authentication of our scheme.
Definition 1.
Our scheme is secure if \(\Phi (\mathcal {A})\) is negligible for any polynomial adversary \(\mathcal {A}\).
We evaluated the proposed scheme and proved it secure in the random oracle model.
Theorem 1.
The proposed scheme is secure in the random oracle model.
Proof: Suppose that there exists an adversary \(\mathcal {A}\) that can forge msg. We construct a challenger \(\mathcal {C}\) that solves the ECDLP with non-negligible probability by running \(\mathcal {A}\) as a subroutine.
Setup Oracle: First, a security parameter k is taken as input. Then \(\mathcal {C}\) randomly selects a number s as its private key, computes Ppub=sP and sends {H0,H1,H2,H3,H4,P,Ppub,q,PIDLC,i,A,B} to \(\mathcal {A}\).
H0 Oracle: \(\mathcal {C}\) keeps a list LH0〈PIDLC,i,h0〉 initialized to empty. When \(\mathcal {A}\) invokes this query with 〈PIDLC,i〉, \(\mathcal {C}\) checks if 〈PIDLC,i〉 already exists in LH0. If so, \(\mathcal {C}\) returns the stored h0. Otherwise it generates a random h0=H0(PIDLC,i), inserts 〈PIDLC,i,h0〉 in LH0 and returns h0 to \(\mathcal {A}\).
H1 Oracle: \(\mathcal {C}\) keeps a list LH1〈Ppub,B,h1〉 initialized to empty. When \(\mathcal {A}\) invokes this query with 〈Ppub,B〉, \(\mathcal {C}\) checks if 〈Ppub,B〉 already exists in LH1. If so, \(\mathcal {C}\) returns the stored h1. Otherwise it generates a random h1=H1(Ppub∥B), inserts 〈Ppub,B,h1〉 in LH1 and returns h1 to \(\mathcal {A}\).
H2 Oracle: \(\mathcal {C}\) keeps a list LH2〈s,B,h2〉 initialized to empty. When \(\mathcal {A}\) invokes this query with 〈s,B〉, \(\mathcal {C}\) checks if 〈s,B〉 already exists in LH2. If so, \(\mathcal {C}\) returns h2. Otherwise it generates a random h2=H2(s∥B), inserts 〈s,B,h2〉 in LH2 and returns h2 to \(\mathcal {A}\).
H3 Oracle: \(\mathcal {C}\) keeps a list LH3〈PIDv,j,h3〉 initialized to empty. When \(\mathcal {A}\) invokes this query with 〈PIDv,j〉, \(\mathcal {C}\) checks if 〈PIDv,j〉 already exists in LH3. If so, \(\mathcal {C}\) returns h3. Otherwise it generates a random h3=H3(PIDv,j), inserts 〈PIDv,j,h3〉 in LH3 and returns h3 to \(\mathcal {A}\).
H4 Oracle: \(\mathcal {C}\) keeps a list LH4〈M,PIDv,j,Tt,Rj,CFSj,h4〉 initialized to empty. When \(\mathcal {A}\) invokes this query with 〈M,PIDv,j,Tt,Rj,CFSj〉, \(\mathcal {C}\) checks if 〈M,PIDv,j,Tt,Rj,CFSj〉 already exists in LH4. If so, \(\mathcal {C}\) returns h4. Otherwise it generates a random h4=H4(M∥PIDv,j∥Tt∥Rj∥CFSj), inserts 〈M,PIDv,j,Tt,Rj,CFSj,h4〉 in LH4 and returns h4 to \(\mathcal {A}\).
Sign Oracle: On receiving \(\mathcal {A}\)’s query with message M and pseudo identity PIDv,j, \(\mathcal {C}\) chooses random α,β,Rj from Zq and computes the signature σ=αH0(PIDLC,i)+H4(M∥PIDLC,i∥Rj∥Tt∥CFSj). Then \(\mathcal {C}\) inserts 〈PIDLC,i,h0〉 and 〈M,PIDv,j,Tt,Rj,CFSj,h4〉 into LH0 and LH4 respectively.
Analysis: By the Forking lemma [42], suppose that \(\mathcal {A}\) has generated two valid signatures σ=SKjH0(·)+rH4(·) and \(\widetilde {\sigma }=SK_{j}\widetilde {H0}(\cdot)+\widetilde {r}\widetilde {H4}(\cdot)\) for the same query, with different random oracle answers in the second (rewound) run. To obtain the secret key SKj, \(\mathcal {C}\) computes
$$ SK_{j} = \frac{\sigma-\widetilde{\sigma}-r\cdot H0(\cdot)\!\!\!\!\!\!\!\!\!\!\phantom{H0}\, r\cdot H4(\cdot)+\widetilde{r}\cdot \widetilde{H4}(\cdot)}{H0(\cdot)-\widetilde{H0}(\cdot)} \bmod q $$
(5)
This extraction requires H0(·)≠\(\widetilde {H0}(\cdot)\), which holds except with probability 1/q since the two answers are independent and uniform in Zq. Thus \(\mathcal {C}\) solves the ECDLP in polynomial time with non-negligible probability, which contradicts the ECDLP hardness assumption of Definition 1. We therefore conclude that the proposed scheme is secure against adaptive chosen message attack in the random oracle model.
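The extraction step of equation (5) and the list-based simulation of the H0...H4 oracles, carried out in code as an added worked example (this is not code from the paper and does not implement its full scheme). It works over scalars in Zq only, because equation (5) involves nothing but scalars; the curve points P, Ppub and A play no role in the extraction. Assumptions: q is taken to be the order of the secp256k1 base point (the paper leaves q abstract), the byte strings for PIDLC,i, M, Tt, Rj and CFSj are constructed sample inputs, and the "adversary" is replaced by an honest signer run twice with the oracle answers reprogrammed between runs, which is exactly what the forking argument rewinds to.

```python
import secrets

# Assumption (not from the paper, which leaves q abstract): q is the prime
# order of the group G. Here it is the order of the secp256k1 base point.
Q = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141


class RandomOracle:
    """Challenger-side simulation of one hash oracle H_i, as in the proof.

    The table plays the role of the list L_Hi: a repeated query returns the
    stored value, a new query gets a fresh uniform element of Z_q.  program()
    lets the reduction fix the answer to a chosen query, which is how the
    forked (rewound) run receives a different H0 value for the same input.
    """

    def __init__(self):
        self.table = {}

    @staticmethod
    def _key(*parts):
        # Length-prefix each part so that 'ab'||'c' and 'a'||'bc' differ.
        return b"".join(len(p).to_bytes(2, "big") + p for p in parts)

    def query(self, *parts):
        key = self._key(*parts)
        if key not in self.table:
            self.table[key] = secrets.randbelow(Q - 1) + 1
        return self.table[key]

    def program(self, value, *parts):
        self.table[self._key(*parts)] = value % Q


def sign(sk_j, r, pid, msg, tt, r_j, cfs_j, h0, h4):
    """Scalar signature from the Analysis: sigma = SK_j*H0(.) + r*H4(.) mod q,
    with H0 evaluated on PID and H4 on M||PID||Tt||Rj||CFSj."""
    return (sk_j * h0.query(pid) + r * h4.query(msg, pid, tt, r_j, cfs_j)) % Q


def extract_sk(sig, sig_forked):
    """Equation (5): recover SK_j from two forked signatures.

    Each argument is (sigma, r, H0 value, H4 value) as seen by the reduction.
    H0 - H0~ must be invertible mod q, so a fork that left H0 unchanged is
    rejected instead of silently returning garbage.
    """
    sigma, r, h0v, h4v = sig
    sigma_t, r_t, h0v_t, h4v_t = sig_forked
    den = (h0v - h0v_t) % Q
    if den == 0:
        raise ValueError("fork did not change H0: SK_j cannot be extracted")
    num = (sigma - sigma_t - r * h4v + r_t * h4v_t) % Q
    return (num * pow(den, -1, Q)) % Q


def forking_experiment(sk_j):
    """Play the adversary's two runs with an honest signer in its place and
    return the key that equation (5) extracts (it should equal sk_j)."""
    # Constructed sample inputs; the scheme's real encodings are not specified here.
    pid = b"PID_LC,i"
    msg, tt, r_j, cfs_j = b"warning: icy road ahead", b"1700000000", b"R_j", b"CFS_j"
    h0, h4 = RandomOracle(), RandomOracle()

    # First run: fresh signer randomness r, H0 and H4 answered at random.
    r = secrets.randbelow(Q - 1) + 1
    sigma = sign(sk_j, r, pid, msg, tt, r_j, cfs_j, h0, h4)
    sig1 = (sigma, r, h0.query(pid), h4.query(msg, pid, tt, r_j, cfs_j))

    # Fork: rewind to the same queries but answer them with new random values
    # (H0~, H4~); the signer also draws a new r~.  Everything else is replayed.
    h0.program(secrets.randbelow(Q - 1) + 1, pid)
    h4.program(secrets.randbelow(Q - 1) + 1, msg, pid, tt, r_j, cfs_j)
    r_t = secrets.randbelow(Q - 1) + 1
    sigma_t = sign(sk_j, r_t, pid, msg, tt, r_j, cfs_j, h0, h4)
    sig2 = (sigma_t, r_t, h0.query(pid), h4.query(msg, pid, tt, r_j, cfs_j))

    return extract_sk(sig1, sig2)


if __name__ == "__main__":
    secret = secrets.randbelow(Q - 1) + 1
    print("extraction succeeded:", forking_experiment(secret) == secret)
```

The only way the extraction can fail is a collision between the two H0 answers, which has probability 1/q per fork; the explicit zero-denominator check makes that event visible rather than returning a wrong key, which is the case analysis the Forking lemma argument glosses over.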
Security and attributes analysis
1. Authentication: According to Theorem 1, no polynomial adversary is able to forge a valid message. Therefore the integrity of a message can be verified by checking σ·P=A·H0(PIDv,j)+r·H4(M∥PIDLC,i∥Rj∥Tt∥CFSj) mod q.
2. Identity Privacy Preserving: The vehicle’s real identity never appears in the communication in the clear; it takes part only in the form of a pseudo identity, and the master key stays unexposed. An adversary that wants to recover other vehicles’ identities has to solve the hard mathematical problems underlying our scheme, which ensures that identity privacy is preserved.
3. Traceability: If a message is found to be dishonest in transit, the LCs or the GC can recover the identity of the sending vehicle by computing IDv,j=PIDv,j⊕H2(s∥B).
4. Unlinkability: Because different pseudo identities are used in different areas and even in different periods, adversaries cannot tell whether multiple messages come from the same vehicle.
5. Resistance to Attacks: The proposed scheme also resists the following attacks [43, 44].
 - Forgery Attack: This attack forges and transmits false warning messages in order to contaminate road information and mislead vehicles. In the proposed scheme, once a vehicle is found to send false messages, its weight value drops faster than at a constant multiplicative rate, and eventually the messages forwarded by this vehicle are ignored by surrounding vehicles.
 - Replay Attack: The encapsulated message contains a timestamp, which prevents a message from being stored and re-sent later. Receivers check the freshness of a message as the very first step on receiving it.
 - Impersonation Attack: If an adversary tries to impersonate a legal vehicle, it must generate a signature of the related message satisfying σ·P=A·H0(PIDv,j)+r·H4(M∥PIDLC,i∥Rj∥Tt∥CFSj), which is difficult according to Theorem 1.
 - Modification Attack: If the content of a message is modified, the receiver finds that the verification equation does not hold, and the modified (illegal) message is discarded.
 - Man-in-the-middle Attack: Since the integrity and non-repudiation of every message exchanged between senders and receivers are verified, the scheme resists man-in-the-middle attacks.