Abstract
Aggregate signatures are excellent at verifying the validity of multiple signatures simultaneously, which makes them highly suitable for bandwidth-constrained environments. The certificateless public key system is among the most advanced public key cryptosystems at present. Scholars have combined their advantages to develop certificateless aggregate signature schemes, which are applicable to the secure communication of Vehicular Ad-hoc Networks (VANETs). Recently, Cahyadi E F et al. put forward a certificateless aggregate signature scheme specifically designed for use in VANETs. Regrettably, through strict security analysis, we discovered at least two major vulnerabilities in the signature scheme: a public key replacement attack and a malicious KGC (Key Generation Center) attack. To tackle these vulnerabilities, our article not only presents these attacks but also explores the fundamental reasons for their feasibility. Additionally, we propose specific improvement measures and show that the enhanced scheme remains secure under the random oracle model; its security rests on the hardness of the computational Diffie-Hellman problem. Finally, a comprehensive assessment of security, computational cost, communication cost, and efficiency highlights the excellent performance of our proposed solution.
Citation: Li H, Shen C, Huang H, Wu C (2025) A certificateless aggregate signature scheme for VANETs with privacy protection properties. PLoS ONE 20(2): e0317047. https://doi.org/10.1371/journal.pone.0317047
Editor: Hasan Tahir, National University of Sciences and Technology, UNITED KINGDOM OF GREAT BRITAIN AND NORTHERN IRELAND
Received: September 18, 2024; Accepted: December 19, 2024; Published: February 20, 2025
Copyright: © 2025 Li et al. This is an open access article distributed under the terms of the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original author and source are credited.
Data Availability: All relevant data are within the paper.
Funding: This work is supported by the National Natural Science Foundation of China in the form of a grant [61772292] to CW, the Fujian Provincial Natural Science and Technology of China in the form of a grant [2023J01996] to HH, the Science and Technology Project of Putian City of China in the form of grants [2024SZ3001PTXY02, 2022SZ3001PTXY05] to HL, the Open Research Fund of Fujian Key Laboratory of Financial Information Processing at Putian University of China in the form of a grant [JXC202301] to CS, and Key Technological Innovation and Industrialization Projects in Fujian Province of China in the form of a grant [2024XQ020] to CW. The funders play an important role in data collection as well as preparation, validation, review, and editing of the manuscript.
Competing interests: The authors have declared that no competing interests exist.
1 Introduction
The global increase in car ownership has led to a higher risk of traffic safety issues, such as accidents and congestion. Vehicular Ad-hoc Networks (VANETs) utilize advanced information technology to establish an extensive network connection among entities, facilitating real-time monitoring of vehicle flow and driving conditions [1]. This innovative approach aims to mitigate or even prevent traffic accidents, enhance traffic efficiency, and optimize the overall driving environment. The core components of VANETs typically consist of three entities: a Trusted Authority (TA), vehicles equipped with On-Board Units (OBUs), and Roadside Units (RSUs). VANETs enable vehicles to broadcast messages every 100 to 300 milliseconds via the Dedicated Short-Range Communication (DSRC) protocol [2]. These frequent broadcasts enable vehicles to make well-informed decisions based on the received information. For example, they can choose faster and safer travel routes based on real-time transmission data to relieve traffic congestion, minimize or avoid traffic accidents, and enhance road utilization and traffic efficiency. Moreover, VANETs provide a variety of value-added services like navigation, media, and social media, thereby remarkably enhancing people’s driving experience [3, 4].
However, the open and broadcast nature of VANET communication facilitates real-time information exchange but also makes it vulnerable to various security threats like message forgery and tampering [5]. In VANETs, vehicle users depend on public communication channels, which are usually insecure. Consequently, adversaries can intercept and manipulate information, possibly exposing vehicle users’ identity details. Such breaches might also allow the tracking of vehicle users’ travel patterns, thus endangering the safety of individuals and their property. Furthermore, there is the risk of malicious vehicles deliberately spreading false information to disrupt traffic flow for their own gain. For instance, a vehicle may broadcast false reports of congestion ahead, causing other vehicles to avoid specific routes during route planning and giving the malicious vehicle an unfair edge. In such cases, it is essential for trustworthy entities to quickly identify the malicious entities in the network. Therefore, strong conditional privacy protection and message authentication mechanisms are required in VANETs. Moreover, considering the limited communication bandwidth in VANETs, these authentication processes need to be designed to reduce communication overhead as much as possible.
The certificateless public key cryptosystem [6], first introduced by Al-Riyami et al. at ASIACRYPT 2003, is a high-performance and versatile cryptographic framework and has since become one of the most advanced public key systems available: it needs no certificates and still keeps robust security. In the field of digital signatures, the concept of aggregate signatures, initially presented by Boneh et al. [7] at EUROCRYPT 2003, has proved particularly innovative. This approach consolidates multiple signatures into a single aggregated signature, thus simplifying the verification process: the verifier only needs to confirm the validity of this aggregated signature to verify the authenticity of all individual signatures. Therefore, aggregate signatures have broad application value in network communication environments that have low computational load, low bandwidth and low capacity, and require mutual verification of signature validity. It is essential to explore a certificateless aggregate signature scheme that combines the advantages of certificateless cryptography and aggregate signatures, because such a scheme provides the dual benefits of conditional anonymity and enhanced security, and it is well-suited for applications that require efficient network communication and mutual verification of signature integrity, like healthcare wireless medical sensor networks (HWMSNs) and VANETs. In recent years, scholars have been highly interested in enhancing the security and privacy of such networks, including devising certificateless aggregate signature schemes for HWMSNs and VANETs. For example, Zhou et al. [8] proposed an improved pairing-free certificateless aggregate signature scheme for HWMSNs based on the work of Zhan et al. [9]. Altaf et al. [10] proposed a privacy-preserving local hybrid authentication scheme suitable for large vehicle networks. Almazroi et al. [11] proposed an efficient certificateless authentication scheme for fog computing in 5G-assisted vehicle systems. Xu et al. [12] proposed a certificateless aggregate signature scheme aimed at ensuring secure routing. Wang et al. [13] utilized full aggregation technology to reduce computing and bandwidth resources, proposed a certificateless aggregate signature scheme implementing conditional privacy protection in VANETs, and proved the security of the scheme under the standard model. Liang et al. [14] analyzed and improved an efficient certificateless aggregate signature scheme with conditional privacy protection applied to VANETs. Yu et al. [15] proposed the first scheme that performs the aggregation on the vehicle-mounted unit; it computes a certificateless aggregate signature on the vehicle-mounted unit to avoid channel conflicts, and uses elliptic curve point multiplication to reduce computational costs. Rajkumar et al. [16] put forward an improved scheme that ensures robust privacy protection and security, utilizing aggregation and elliptic curve point addition to enhance efficiency without affecting verification speed or adding extra costs for roadside units.
Although several certificateless aggregate signature schemes suitable for VANETs already exist, some of them have not been subjected to rigorous security analysis and might be vulnerable to attacks like public key replacement and KGC (Key Generation Center) attacks. For example, Jiu et al. [17] pointed out that the scheme proposed by Thumbur et al. [18] is prone to signature forgery attacks and then proposed a new pairing-free certificateless aggregate signature scheme based on [18]. Similarly, Zhou et al. [19] pointed out that neither the scheme of Thumbur et al. [18] nor that of Chen et al. [20] can resist public key replacement attacks, and proposed an improved certificateless aggregate signature scheme that is more suitable for resource-constrained VANET environments. Shim et al. [21] also indicated that the scheme of Chen et al. [20] is vulnerable to forgery attacks and Type I attacks. Ali et al. [22] presented a certificateless aggregate signature scheme with provable security, providing conditional privacy authentication in the random oracle model. However, Zhou et al. [23] emphasized that the scheme of Ali et al. is vulnerable to malicious vehicle attacks and malicious KGC attacks. Xiong et al. [24] proposed a certificateless aggregate signature scheme based on elliptic curve cryptography that can resist collusion attacks; however, Xu et al. [25] pointed out that signatures in this scheme can be forged by Type I adversaries. Wu et al. [26] pointed out that the pairing-free certificateless aggregate signature scheme with conditional privacy protection proposed by Gong et al. [27] for VANETs fails to achieve the required unlinkability and is vulnerable to public key replacement forgery attacks by Type I adversaries. In 2022, Cahyadi et al. [28] developed a certificateless aggregate signature scheme with security and privacy protection for VANETs. Unfortunately, through analysis, we found that this signature scheme is also insecure.
This paper will analyze and indicate that the signature scheme is vulnerable to at least two types of attacks, and offer a detailed analysis of the specific reasons for the existence of these attack methods. Additionally, corresponding improvement measures to defend against these attacks are proposed, and the enhanced security of the improved signature scheme is demonstrated.
The layout of this article is organized as follows. The related work is discussed in Section 2. Essential preliminary knowledge is presented in Section 3. A comprehensive review of the certificateless aggregate signature scheme proposed by Cahyadi et al. is shown in Section 4. Subsequently, Section 5 explores the vulnerabilities of Cahyadi et al.’s scheme, illustrating two distinct attack methodologies. In Section 6, we first analyze the underlying causes of these attacks. Then, we introduce an improved certificateless aggregate signature scheme which is designed to address the aforementioned vulnerabilities. This new scheme is accompanied by rigorous security proof, demonstrating its robustness. Section 7 focuses on an analysis of computational and communication costs, assessing the efficiency of our proposed scheme. Finally, Section 8 presents the conclusion and future work.
2 Related work
In the open wireless communication environment of VANETs, several crucial security challenges emerge, mainly concerning the dynamic authentication of vehicles, the efficiency and effectiveness of authentication procedures, and the location privacy issues of vehicles. Ensuring the security and protecting the privacy of users have become crucial issues in the research field of VANETs [29, 30].
To ensure the integrity and reliability of messages received in VANETs and prevent malicious actors from tampering with communications or impersonating legitimate users, researchers have adopted reputation management systems. These systems allow vehicles to evaluate the trustworthiness of their peers and the received messages, thus reducing the risks related to deceptive messages spread by malicious entities [31–33]. To assess the reliability of sensing vehicles, some schemes, like those in [34–36], update reputation values in real time. Reputation update is a crucial part of reputation management. It is typically performed regularly by the Trusted Authority (TA) after gathering, decrypting, and verifying a large amount of reputation feedback. This leads to high computational and communication costs for the TA and may even make the TA a bottleneck of the reputation management system [33, 37]. Moreover, digital signature technology is also significant for guaranteeing the security of VANETs, since it ensures that communication messages between entities are signed. In the communication process, the sender signs the message with its private key, and the receiver first verifies the signature to confirm the reliability of the message source. Furthermore, to improve the efficiency of verification and reduce communication overhead, VANET security protocols frequently utilize aggregate signature technology and certificateless signature technology. These methods are preferred due to their advantages in optimizing signature efficiency and decreasing the overall system overhead. Accordingly, certificateless aggregate signature schemes have been continuously proposed for VANETs [12–28] (a brief introduction to these algorithms can be found in Section 1).
On the other hand, privacy protection is also a crucial aspect of research in VANETs. Without privacy protection for reputation feedback, sensitive information about vehicles may be leaked. When a dispute over messages occurs, it is expected that only trusted institutions can trace and extract the true identity of the message sender, thus achieving conditional privacy protection for user identity. To address such issues, Liu et al. [34] proposed a scheme that can simultaneously offer accurate trust management and robust conditional privacy protection by using the well-known Private Set Intersection (PSI) technique based on a Bloom Filter (BF). Cheng et al. [31] designed a lightweight privacy-preserving sensing task-matching algorithm. It is built from algorithms that verify the validity of reputation values, select reliable sensing vehicles, and efficiently and accurately update the reputation values of sensing vehicles. As a result, this algorithm can protect location privacy, identity privacy, sensing data privacy, and reputation value privacy while decreasing the computational and communication overhead of sensing vehicles. Liu et al. [38] proposed a cloud-assisted vehicle network privacy-preserving reputation update (PPRU) scheme based on elliptic curve cryptography (ECC) and the Paillier algorithm. In this scheme, reputation feedback is provided by honest-but-curious cloud service providers (CSPs). Moreover, the pseudonym mechanism is also a means of protecting user privacy. Zhou et al. [39] proposed a certificateless aggregate signature scheme that uses full aggregation technology to reduce computation and bandwidth resources and implements conditional privacy protection through a pseudonymization mechanism to ensure the communication security and privacy protection of VANETs.
References [13–15, 20, 22, 26, 27] also combine the pseudonym mechanism with the certificateless aggregate signature to ensure the conditional privacy of VANETs. Furthermore, the utilization of algorithms incorporating privacy principles represents a means of safeguarding user privacy. Shahrouz et al. [40] proposed an anonymous authentication scheme based on zero-knowledge proof to achieve conditional privacy protection of VANETs. Mundhe et al. [41] proposed a conditional privacy protection authentication scheme based on lightweight ring signatures and pseudonyms for VANETs. Zhang [42] proposed a privacy protection announcement scheme based on message link group signatures for VANETs. This scheme has information-binding and efficient revocation functions and exhibits strong credibility.
In the domain of communication security and privacy preservation in VANETs, a promising research approach is to integrate reputation management, pseudonymization mechanisms, and advanced digital signatures technologies like certificateless aggregate signatures, ring signatures, and group signatures. This approach not only improves network security but also reduces communication and storage costs. Moreover, it incorporates a fault-tolerant mechanism that ensures operational continuity even when a trusted authority is absent or there is a partial infrastructure disruption, thereby offering a practical solution for building a reliable and trustworthy vehicle network.
3 Preliminary
3.1 Bilinear mapping and its properties
Let G1 and G2 be two groups, where G1 is an additive group of large prime order q and G2 is a multiplicative group of the same order q, and let P be a generator of G1. A bilinear pairing is a mapping that takes two elements of G1 to an element of G2 and satisfies the following properties:
- Bilinear: For P,Q,R∈G1 and any scalars, the two bilinearity equations hold.
- Nondegeneracy: The pairing is not identically the identity element of G2.
- Computability: For any P,Q∈G1, there is an efficient algorithm to compute their pairing.
Given P,Q,aP,bP∈G1 with a and b unknown, the following two problems in G1 are considered hard:
- Discrete Logarithm Problem (DLP): Finding an integer n that satisfies Q = nP is difficult.
- Computational Diffie-Hellman Problem (CDHP): Calculating abP∈G1 is difficult.
3.2 Two types of attacks in certificateless cryptosystems
In the certificateless cryptosystem, the authentication of a personal public key does not rely on a certificate issued by a certificate authority (CA). The user private key comprises two parts: the secret value selected by the user and the partial private key generated by KGC for the user. Therefore, in a certificateless public key system, it is commonly assumed that an attacker can replace the user’s public key with a randomly chosen value when the security of the system is assessed; that is, the attacker is assumed to know the user’s secret value at this stage. Furthermore, as the user’s partial private key is generated by KGC, it is assumed that KGC may be untrustworthy: if the attacker knows the system’s master private key, it can generate the user’s partial private key. Of course, it is assumed that an attacker cannot possess both capabilities simultaneously; otherwise, the attacker would hold the user’s full private key and could naturally perform every action the user can. For this reason, there are two types of attackers in the security model of certificateless public key systems [1], namely type I (denoted AI) and type II (denoted AII). AI does not know the system master private key, but it can replace the user’s public key and therefore knows the user’s secret value. AII cannot replace the user’s public key, but it can compute the user’s partial private key because it knows the system’s master private key. In practical applications, AI models attackers other than KGC, while AII models a malicious KGC.
A secure signature scheme in a certificateless system must be capable of withstanding the previously mentioned attacks. Moreover, regardless of whether it is under the attack of the first type attacker AI or the second type attacker AII, the signature scheme must be unforgeable.
The attacking capabilities of AI and AII are characterized by Game I and Game II below, respectively. If, in these games, the success probability of any attacker A (AI or AII) in forging a signature is negligible, then the certificateless aggregate signature scheme is secure.
AI and AII can access the following six oracles:
- CreateUser: This oracle returns the vehicle’s public key to A after receiving the vehicle’s pseudo-identity PIDi.
- RevealPartialPrivateKey: This oracle returns the vehicle’s partial private key to A after receiving the vehicle’s real identity IDi.
- RevealPrivateKey: This oracle returns the vehicle’s private key to A after receiving PIDi.
- RevealPseudonym: The challenger C searches the list LK when A requests the pseudonym of the vehicle IDi. If the entry exists, this oracle responds with PIDi. Otherwise, it returns ⊥.
- ReplaceKey: This oracle replaces the vehicle’s current public key with the new public key selected by A after receiving that key and PIDi.
- Sign: This oracle returns a signature σi on the message Mi to A after receiving PIDi and Mi∈{0,1}*.
Game I:
Setup: Challenger C inputs the security parameter l to generate master key s and public parameters params. Then C keeps s confidential, and sends params to AI.
Query: AI is allowed to run several oracles such as CreateUser, RevealPrivateKey, RevealPartialPrivateKey, ReplaceKey and Sign.
Forgery: Finally, AI outputs a signature σ′ on a message M′ for the target identity PID* and its public key.
AI is considered to have won Game I if all of the following hold when challenging identity PID*:
- AI did not query the partial private key of the target identity PID*.
- AI did not query a signature by the target identity PID* on M′.
- σ′ is a valid signature on M′ under PID* and its public key.
Game II:
Setup: Challenger C inputs the security parameter l to generate the master key s and public parameters params. Then C sends s and params to AII.
Query: AII is allowed to run several oracles such as CreateUser, RevealPrivateKey and Sign. Because AII knows s, it no longer needs RevealPartialPrivateKey.
Forgery: Finally, AII outputs a signature σ′ on a message M′ for the target identity PID* and its public key.
AII is considered to have won Game II if all of the following hold:
- AII did not query the private key of the target identity PID*.
- AII did not query a signature by the target identity PID* on the message M′.
- σ′ is a valid signature on M′ under PID* and its public key.
4 Restatement of Cahyadi et al.’s certificateless aggregate signature scheme
Cahyadi et al.’s certificateless aggregate signature scheme consists of nine algorithms as follows [28]:
Setup: KGC inputs the security parameter l∈N, selects a large prime q, and constructs an additive group G1 and a multiplicative group G2, both of order q. Then KGC selects a generator P of G1 and a bilinear pairing. The system master private key α is selected at random, and the system public key is computed as Ppub = αP. KGC also selects six secure one-way hash functions. Meanwhile, the TRA (Trace Authority) selects a secret value β and computes its public key Tpub = βP. Every RSU in the vehicular ad-hoc network randomly selects a number as its private key, computes the corresponding public key, and sends that public key to KGC. After receiving the RSU public keys, KGC sends the common system parameters params to each vehicle in the network, and params are also preloaded on the TPD (Tamper-Proof Device).
Registration: Each vehicle equipped with OBU devices needs to register with the TRA. Thus, the TRA is capable of tracking the false identities of vehicles and precisely identifying which vehicle used a false identity in disputable situations. The registration process comprises three steps:
Firstly, TRA selects a hash function. Then, TRA selects a random number and associates the vehicle’s identity IDi with a new actual identity, which will be used in all further communication; TRA transmits this new identity to the vehicle through a secure communication channel. After receiving it, the vehicle selects a random nonce and computes its password from it. Finally, the result is sent to TRA via a secure communication channel and stored by TRA, and vehicle registration is completed.
Partial-Private-Key-Gen: KGC uses the vehicle’s identity and the system master private key α to generate the vehicle’s partial private key, and sends it to the vehicle over a secure communication channel. The vehicle can verify the values received from TRA and KGC by Eq (1) to determine whether they were created by the legitimate TRA and KGC.
Vehicle-Key-Gen: To obtain a pseudo-identity from the TRA, a vehicle must first follow the steps below to generate its own public and private keys.
- ① The vehicle randomly selects a value xi as its private key.
- ② The vehicle calculates its public key from xi by using the common parameter P.
- ③ The vehicle calculates a one-time password (OTP) for mutual authentication with TRA from the current timestamp Ti and its registration values; this OTP can only be used once. Afterward, the vehicle encrypts the message using public key cryptography and Tpub, and sends the ciphertext to TRA, where m indicates that the vehicle’s OBU device stores m pseudo-identities.
- ④ Using its private key β, the TRA decrypts the received message and checks whether Ti falls within a valid time period. If so, TRA recomputes the one-time password as OTP∘; if OTP∘ = OTP, TRA has verified the vehicle’s identity.
Pseudonym-Gen: TRA will produce a pseudo-identity PIDi for the vehicle upon successful mutual authentication between the TRA and the vehicle.
- ① TRA creates a pseudo-identity PIDi for the vehicle.
- ② TRA calculates Di = h4(PIDi) and Ki = CiDi.
The vehicle has to preload several pseudo-identities and ensure that none of them is reused. Whenever a message is sent to another vehicle, a different pseudo-identity is used. When vehicles are in areas where many vehicles congregate, like intersections or parking lots, this approach makes it hard for malicious attackers to track legitimate vehicles. The TRA decides the number of pseudo-identities to generate based on the number currently stored in the OBU device. Each application process generates multiple pseudo-identities.
- ③ TRA calculates the remaining values and encrypts message M1 (Eq 2).
RSU sends M1 to the vehicle. After receiving M1, the vehicle decrypts it (Eq 3) and checks whether the contained timestamp lies in a valid time interval. If so, the vehicle calculates j∘ and checks whether j∘ = j holds.
After successful verification, the vehicle and the TRA will conduct mutual authentication. Subsequently, the vehicle will store the pseudo-identities together with Ki. Since OBU devices must store sufficient pseudo-identities, vehicles need to reapply to the TRA at appropriate times to prevent a lack of pseudo-identities.
Sign: The vehicle signs a message Mi in the following three steps:
- ① The vehicle selects a random number ui and calculates Ui = uiP∈G1.
- ② OBU calculates hi (Eq 4) and Si (Eq 5) to form a certificateless signature σi = (Ui,Si) for the message Mi.
- ③ The vehicle broadcasts the final message, where ti is the timestamp.
Verify: This step is executed by RSU. When the RSU receives a message sent by a vehicle, it first checks ti; if the message was not signed within an acceptable time frame, ti is rejected and the message is discarded. Otherwise, RSU computes Di = h4(PIDi) together with the other required values and verifies Eq (6). If the verification succeeds, the certificateless signature is accepted; if it fails, the message may have been tampered with and the signature is rejected.
Aggregate: When RSU receives n message-signature pairs from vehicles with pseudo-identities (PID1,⋯,PIDn), it computes S from the individual signatures and returns σ = (U1,⋯,Un,S) as the aggregate signature. Finally, RSU sends the aggregate signature to AS.
Aggregate-verify: When AS receives σ = (U1,⋯,Un,S) from RSU, it computes the required hash values and verifies whether Eq (7) holds. If so, the aggregate signature is valid and accepted; otherwise, it is invalid and rejected.
5 Two attack methods for Cahyadi et al.’s certificateless aggregate signature scheme
The subsequent analysis reveals that the certificateless aggregate signature scheme presented in [28] is vulnerable to at least two distinct malicious attacks, as detailed below:
- Attack Method 1: KGC Malicious Attack
KGC starts its attack from the signature algorithm Sign. First, notice that in Sign the formula for Si can be equivalently rewritten as follows:
This equation shows that KGC is capable of generating a valid signature for any arbitrary message intended for any vehicle IDi by using the system’s master private key α, even without access to the private key xi of that vehicle. The specific attack method is described below:
- ① Choose any message to be signed.
- ② The vehicle selects a random number and calculates the corresponding value.
- ③ OBU calculates the hash value (Eq 8) and the signature component (Eq 9) to form a certificateless signature for the message.
(8)
(9)
The forgery method described above cannot be distinguished from a genuine signature generated by the legitimate signer with their private key in Cahyadi et al.’s signature protocol. Moreover, it meets the verification formula of the aggregate signature algorithm. Notably, when examining the verification formula for individual signatures, it can be seen that the forgery satisfies the verification Eq (6). That is because
Therefore, KGC successfully forged a signature on any selected message.
- Attack Method 2: Public Key Replacement Attack
The aggregate signature scheme proposed in reference [28] is based on a certificateless public key cryptography system, so public key replacement attacks must be considered. An attacker can forge a signature on any selected message M′ by starting from the verification algorithm, as described below:
- ① Choose any message M′ to be signed.
- ⑤ Output the signature on the message M′.
The forgery method described above cannot be distinguished from a signature that would have been produced by the signer using the vehicle’s private key in Cahyadi et al.’s signature scheme. Moreover, it completely conforms to the verification Eq (6), which makes it hard to tell from an authentic signature. The reason is that
Therefore, the attacker successfully forged a signature on any selected message M′.
6 Improvement methods and analysis to overcome the above attacks
6.1 Improvement methods to overcome the above attacks
Firstly, we discuss how to overcome attack method 1 (KGC Malicious Attack). Attack method 1 succeeds because of the way Si is computed in Eq (5). The way to overcome this attack is to change the generation of Si so that the vehicle’s secret value and private key are used separately. The fundamental reason why attack method 2 (Public Key Replacement Attack) can succeed is that PIDi⋅Di can be eliminated by a new public key.
In addition, we found a conceptual error in the proof of Theorem 1 of Cahyadi et al.’s scheme (see reference [28] for details), as follows:
This is obviously not right. Therefore, we propose an improved signature scheme as follows:
Setup: KGC and TRA execute this algorithm to generate relevant parameters. The generation method of each parameter is the same as Cahyadi et al.’s signature scheme. KGC sends common system parameters to each vehicle in the network, and secretly stores system master private key α.
Registration: TRA completes registration of vehicle equipped with OBU. This algorithm is equivalent to Cahyadi et al.’s signature scheme.
Partial-Private-Key-Gen: KGC executes this algorithm to create the vehicle’s partial private keys . This algorithm is the same as Cahyadi et al.’s signature scheme.
Vehicle-Key-Gen: The vehicle’s unique public and private keys will be created through this algorithm by the vehicle itself. This algorithm is identical to Cahyadi et al.’s signature scheme in terms of its functionality and output.
Pseudonym-Gen: TRA and the vehicle execute this algorithm to generate the vehicle’s pseudo-identity PIDi. This algorithm is the same as Cahyadi et al.’s signature scheme.
Sign: While the fundamental principles of this algorithm remain similar to Cahyadi et al.’s signature scheme, the key difference lies in the modified method for generating Si. Vehicle IDi generates a signature for message Mi in the following steps:
- ①The vehicle selects a random number
, and calculates Ui = uiP∈G1.
- ②OBU calculates hi (Eq 12) and Si (Eq 13) to form a certificateless signature σi = (Ui,Si) for the message Mi, where ti represents the timestamp.
- ③Vehicle broadcasts the final message
.
Verify: This algorithm is executed by the RSU and is basically the same as Cahyadi et al.’s signature scheme, but with the validation formula replaced by Eq (14).
Aggregate: This is an algorithm for generating an aggregate signature σ = (U1,⋯,Un,S) which is executed by RSU, and it is the same as Cahyadi et al.’s scheme.
Aggregate-verify: The AS utilizes the algorithm to authenticate the legitimacy of the signature. This algorithm is fundamentally identical to Cahyadi et al.’s signature scheme, necessitating only minor modifications to the verification formula to adapt it to the new context. AS verifies if the Eq (15) holds. If it holds, the aggregate signature is considered valid and accepted. Otherwise, it is invalid and rejected.
6.2 Security analysis
6.2.1 Correctness.
Note that the verification of a single signature involves the following steps:
The verification of the aggregate signature is as follows:
Therefore, the modified signature scheme is correct.
6.2.2 Unforgeability.
Theorems 1 and 2 shown below illustrate that, within the random oracle model, the enhanced signature scheme is resistant to attacks from adversaries AI and AII, respectively.
Theorem 1 Under an adaptive chosen-identity and chosen-message attack in the random oracle model. If the attacker AI can complete qH times of H queries, times of hi (i = 1,2,⋯,6) queries, qc times of qc queries,
times of RevealPartialPrivateKey queries,
times of RevealPrivateKey queries, qrp times of ReplaceKey queries, qsign times of Sign queries with
in time
, and successfully create a valid aggregate signature with a non-negligible probability. Then
can solve the CDH problem with a non-negligible probability
in time
, where tM denotes the duration necessary to perform scalar multiplication in the group G1 once, while e stands for a natural constant with a value of approximately 2.718281828459045.
Proof In the following, we present a demonstration within Game I that illustrates the resilience of our CLAS scheme against forgery attacks launched by AI. Let be the challenger to solve the CDH problem, and (aP,bP) be any instance of the CDH problem. The subsequent proof demonstrates that, in the random oracle model, if AI is capable of successfully forging a signature, the challenger
can exploit AI’s forgery capability to solve the CDH problem.
Firstly, selects a challenge identity
and maintains some lists to assist in answering the attacker AI’s inquiries in Game I. In this paper, we use * to indicate a wildcard character, and use ⊥ to indicate that the item is empty below.
Next, and AI will play the following game:
runs algorithm Setup, defines system parameters
, and sends params to AI. Among them, let Ppub = aP,
,
. We note that the output of the Hash function
is answered by
under the random oracle model. Then AI begins to execute the following inquiry, and
answers AI’s related inquiries by maintaining the list
which are initialized as empty.
LH contains a triplet (IDi,ri,li). contains a triplet
.
contains a quadruple
.
contains a quadruple
.
contains a binary (PIDi,Di).
contains triplet
.
contains a six tuple
.
LK contains a quintuple.
- CreateUser query: Assuming AI registers identity IDi with
.
first checks LH; if there is no record of (IDi,*,*) in LH,
first makes an H query itself. If LH contains a record (IDi,*,*), it then checks whether LK contains (IDi,*,*,*,*). If so, it further confirms whether
is ⊥. If so,
selects a random value
as
, and computes
. Then
sends
to AI, and updates the corresponding element
in list LK. If
,
directly sends
to AI. Additionally, if LK does not include (IDi,*,*,*,*),
performs h3 and h4 queries to establish a pseudo-identity and store it in the
and LH lists. Then
selects a random value
as
, computes
, sends
to AI, and adds
to the list LK.
- RevealPartialPrivateKey query: When AI asks the partial private key of
,
checks if IDi is a challenge identity
. If so,
outputs failure and stops the simulation. Otherwise,
queries LH to confirm whether (IDi,ri,li) is already in the list LH; if so, it returns liaP.
- RevealPseudonym query: When AI asks the corresponding PIDi for IDi,
finds (IDi,*,*,*,*) in LK. If LK contains (IDi,*,*,*,*),
confirms whether PIDi is ⊥. If PIDi≠⊥,
returns PIDi to AI. Otherwise,
finds the corresponding record by querying LH. If there is none, it makes the H query for identity IDi itself and records it. If
, let PIDi = CibP, where Ci corresponds to the list
. Otherwise, let PIDi = CiliP, where li is from the record (IDi,ri,li) of LH.
returns PIDi to AI, and adds
to the list LK.
- RevealPrivateKey query: When AI asks the private key of
,
checks whether
is included in LK. If
,
makes a CreateUser query, chooses a random value
as
, and computes
. Then
sends
to AI, and updates the corresponding element
in the list LK. Otherwise, if
,
directly sends
to AI. Additionally, if LK does not include
,
makes a CreateUser query, sends
to AI, and adds
to the list LK.
- ReplaceKey query: When AI asks for PIDi,
checks whether
is included in LK, let
, and replaces the public key
with
.
- H query: When receiving an inquiry about identity IDi,
searches for triples (IDi,ri,li) in LH. If (IDi,ri,li) can be found,
returns
to AI. Otherwise,
randomly selects
, adds (IDi,ri,li) to LH, and finally returns
to AI. Specifically, if the inquiry concerns the challenge identity
for the first time,
randomly selects
, adds
to LH.
- h1 query: When AI asks h1,
searches for triples
in
. If
can be found,
returns
to AI. Otherwise,
randomly selects
, adds
to
, and returns
to AI finally.
- h2 query: When AI asks h2,
searches for
in
. If
can be found,
returns OTP to AI. Otherwise,
randomly selects
, adds
to
, and returns OTP to AI finally.
- h3 query: When AI asks h3,
searches for
in
. If
can be found,
returns Ci to AI. Otherwise,
randomly selects
, adds
to
, and returns Ci to AI finally.
- h4 query: When AI asks h4,
searches for (PIDi,Di) in
. If (PIDi,Di) can be found,
returns Di to AI. Otherwise,
randomly selects
, let Di = μi, adds Di to
, and returns Di to AI finally.
- h5 query: When AI asks h5,
searches for
in
. If
can be found,
returns j to AI. Otherwise,
randomly selects
, adds
to
, and returns j to AI finally.
- h6 query: When AI asks h6,
searches for
in
. If
can be found,
returns hi to AI. Otherwise,
randomly selects
, adds
to
, and returns hi to AI finally.
- Sign query: When AI asks for a signature on (PIDi,Mi),
checks eight lists:
. If
is not in the list LK,
lets
, randomly selects
as
, and computes
. Then
generates
, then adds
to LK. Otherwise, if
is in LK,
checks
and
, this indicates that AI has replaced the public key of the user. If
, outputs failure and stops. Otherwise,
extracts the corresponding PIDi and
from table LK, finds the corresponding record for IDi in table LK and extracts li, finds the corresponding record for IDi in table
and extracts Di, finds the corresponding record for IDi in table
and extracts Ci. Next,
can simulate the vehicle PIDi, and generates the signature of Mi through the following two steps:
- ① chooses a random number
, and computes Ui = uiP∈G1.
- ② computes
, ti represents the current time.
Let ,
outputs the signature σi = (Ui,Si) for message Mi, and returns it to AI.
It is easy to verify that the simulated signature σi = (Ui,Si) above passes the verification algorithm. Because the parameters li, Ci, Di above are chosen at random, the simulated signature σi = (Ui,Si) is indistinguishable from a real signature; that is, AI cannot tell whether it is a simulated signature or not.
Forgery: Suppose that, after the above queries have been answered, AI forges a valid signature on
, and the corresponding vehicle’s identity happens to be the challenge identity
.
The following analysis shows that can successfully solve the CDH problem by using valid signature
corresponding to the challenge identity
forged by the attacker AI. The specific method is as follows:
Notes ,
finds the corresponding Ci, Di, hi and
in lists
based on identity
. Because
, Ppub = aP, we can see that
, then
can be obtained and the CDH problem is solved.
Next, we will analyze the probability of successfully solving the CDH problem.
winning the game requires completing the following four things:
E1 means that will not fail during the game. E2 indicates that AI forged a valid signature. E3 denotes the event where AI has successfully forged a legitimate signature, resulting in
not terminating the game. E4 indicates that AI has successfully forged a valid signature and
will refrain from terminating the game, and the forged signature corresponds to a challenged identity
.
Next, we analyze the probability of each event occurring,
Due to the large enough ,
. Therefore, in time
,
solves the CDH problem with probability
.
Theorem 2 Under an adaptive chosen-identity and chosen-message attack in the random oracle model. If an attacker AII is capable of creating a legitimate aggregate signature within a specified time frame with a non-negligible probability ε after performing qH times of H queries,
times of hi (i = 1,2,⋯,6) queries, qc times of qc queries,
times of RevealPartialPrivateKey queries,
times of RevealPrivateKey queries, qsign times of Sign queries with
. Then
can solve the CDH problem with a non-negligible probability
in time
, where tM denotes the duration required to compute scalar multiplication in the group G1 once, while e stands for a natural constant with a value of approximately 2.718281828459045.
The proof of Theorem 2 adopts a similar methodology as that of Theorem 1. Hence, the detailed proof process of Theorem 2 is omitted. By exploiting the well-known intractability of the CDH problem, the signature scheme proposed in this paper guarantees the infeasibility of forgery.
From the above, it can be found that the new algorithm satisfies the security requirements of VANETs, including identity privacy protection, pseudonyms, message authentication, mutual authentication, non-repudiation, untraceability, unlinkability, resistance to replay attacks, resistance to MITM (Man-in-the-Middle) attacks, resistance to impersonation attacks, resistance to simulation attacks, and user location privacy. The analysis process is analogous to that in reference [28]. Owing to space limitations, a detailed description is omitted herein.
7 Analysis of computing and communication costs
This article uses third-party data to analyze the computational efficiency of several schemes. Altaf et al. [10] conducted experiments on a simulation machine using the MIRACL library to obtain the basic cryptographic operation times (Linux Mint operating system with a Core-i7@3.40 GHz processor and 16 GB RAM). Under CDHP, the computational overhead of one-way hash function operations is very low. Therefore, the main operations considered in this article are: Bilinear Pairing (Tbp = 3.24 ms), Map-to-Point in G1 (TH = 0.58 ms), Scalar Multiplication in G1 (Tm = 0.24 ms), and Point Addition in G1 (Ta = 0.005 ms). Using the above data, the analysis and comparison of the computational cost between this article and several similar schemes [12–14, 28] are presented in Table 1, where n represents the number of users whose signatures are aggregated. The security of these schemes is also shown in Table 1. The computational cost for different numbers of messages is illustrated in Fig 1.
From Table 1, it can be observed that our signature scheme demands only marginally more computational overhead than Wang et al.’s scheme [13] in the single signature generation stage, whereas Wang et al.’s scheme is insecure, being vulnerable to KGC attacks. As shown in Table 1 and Fig 1, our scheme presents a computational cost comparable to that of Cahyadi et al.’s scheme [28], which surpasses the other schemes in the signature verification stage. In the aggregate verification stage, our scheme shows a slightly higher computational cost than Wang et al.’s scheme [13] when the total message count is 300 or less. However, as the message volume rises, the computational efficiency of our scheme becomes more prominent, displaying an advantage over the existing methods.
In terms of communication overhead, this article uses the parameters of reference [28]. The length of an element of the cyclic additive group G1 is 128 bytes. The length of an element of the multiplicative group G2 is 40 bytes. The length of the timestamp is 4 bytes. The output length of a universal one-way hash function is the same as the length of a number in , both being 20 bytes. The length of a traffic-related message in VANETs is 67 bytes. The communication overhead of this article and of several similar schemes [12–14, 28] is analyzed and compared in Table 2.
By inspecting Fig 2 and Table 2, it is revealed that our scheme has the same communication overhead as Cahyadi et al.’s scheme and surpasses the other three schemes in communication efficiency.
Furthermore, we take into account the calculational efficiency aspect of certificateless aggregate signature schemes. According to the definition given by Zhao et al. [43], let K denote the total computational cost of signature and verification for n messages, and L denote the computational cost of signature verification after aggregation. Then, the calculational efficiency is defined as β=(K-L)/K. The calculational efficiency β of each scheme is presented in Table 3, and the comparison results are illustrated in Fig 3. From Fig 3, it can be observed that our scheme exhibits the highest calculational efficiency.
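To make the Table 1 / Table 3 style comparison reproducible, the following is an added cost model (example code, not the paper's or any compared scheme's own code). It encodes the per-operation timings (Tbp, TH, Tm, Ta) and the element sizes quoted above, computes K, L and β = (K−L)/K for a given number of messages n, and finds the message count at which one scheme's aggregate verification overtakes another's. The operation counts of the compared schemes are not reproduced on this page, so the two profiles EXAMPLE_A and EXAMPLE_B are constructed placeholders; the size of the aggregate signature assumes S ∈ G1, which the text does not state.

```python
"""Cost model for the comparison in Section 7 (added example, not the paper's code).

The per-operation timings and element sizes are the figures quoted in Section 7
(from Altaf et al. [10] and reference [28]). The operation counts of the compared
schemes are NOT on this page, so the two profiles below are constructed
placeholders used only to exercise the model.
"""
from dataclasses import dataclass

# Per-operation timings quoted in Section 7, in milliseconds.
T_BP = 3.24    # bilinear pairing
T_H = 0.58     # map-to-point hash into G1
T_M = 0.24     # scalar multiplication in G1
T_A = 0.005    # point addition in G1

# Element sizes quoted in Section 7, in bytes.
LEN_G1 = 128   # element of the additive group G1 (e.g. U_i)
LEN_TS = 4     # timestamp t_i
LEN_HASH = 20  # hash output / element of Z_q^*
LEN_MSG = 67   # traffic-related message M_i


@dataclass(frozen=True)
class OpCount:
    """Counts of pairings, map-to-point hashes, scalar multiplications, point additions."""
    bp: int = 0
    h: int = 0
    m: int = 0
    a: int = 0

    def cost_ms(self) -> float:
        return self.bp * T_BP + self.h * T_H + self.m * T_M + self.a * T_A


@dataclass(frozen=True)
class SchemeProfile:
    """Operation counts of one scheme. Aggregate verification is modelled as a
    fixed part (pairings that do not depend on n) plus a per-message part."""
    name: str
    sign: OpCount          # one signature generation
    verify: OpCount        # one individual verification
    agg_fixed: OpCount     # n-independent part of aggregate verification
    agg_per_msg: OpCount   # per-message part of aggregate verification

    def sign_ms(self) -> float:
        return self.sign.cost_ms()

    def verify_ms(self) -> float:
        return self.verify.cost_ms()

    def aggregate_verify_ms(self, n: int) -> float:
        """L in the definition of Zhao et al. [43]: verifying the aggregate of n signatures."""
        return self.agg_fixed.cost_ms() + n * self.agg_per_msg.cost_ms()

    def total_individual_ms(self, n: int) -> float:
        """K in the definition of Zhao et al. [43]: signing and verifying n messages one by one."""
        return n * (self.sign_ms() + self.verify_ms())

    def beta(self, n: int) -> float:
        """Calculational efficiency beta = (K - L) / K."""
        k = self.total_individual_ms(n)
        return (k - self.aggregate_verify_ms(n)) / k


def aggregate_signature_bytes(n: int) -> int:
    """Size of sigma = (U_1, ..., U_n, S). U_i is in G1 per Section 6.1; S is
    assumed here to be a G1 element as well (assumption, not stated on the page)."""
    return (n + 1) * LEN_G1


def crossover_n(a: SchemeProfile, b: SchemeProfile, max_n: int = 10_000):
    """Smallest n at which scheme a's aggregate verification is cheaper than b's,
    or None if that does not happen up to max_n (the kind of threshold Section 7
    reports at the 300-message mark)."""
    for n in range(1, max_n + 1):
        if a.aggregate_verify_ms(n) < b.aggregate_verify_ms(n):
            return n
    return None


# Constructed profiles for demonstration only; they are not the operation
# counts of any scheme compared in the paper.
EXAMPLE_A = SchemeProfile("example-A", sign=OpCount(m=2, a=1), verify=OpCount(bp=3, h=1, m=1),
                          agg_fixed=OpCount(bp=3), agg_per_msg=OpCount(h=1, m=1, a=2))
EXAMPLE_B = SchemeProfile("example-B", sign=OpCount(m=3, a=2), verify=OpCount(bp=2, h=1, m=2, a=1),
                          agg_fixed=OpCount(bp=2), agg_per_msg=OpCount(h=1, m=2, a=1))


if __name__ == "__main__":
    for n in (100, 300, 1000):
        for p in (EXAMPLE_A, EXAMPLE_B):
            print(f"{p.name} n={n}: K={p.total_individual_ms(n):.2f} ms  "
                  f"L={p.aggregate_verify_ms(n):.2f} ms  beta={p.beta(n):.4f}  "
                  f"|sigma|={aggregate_signature_bytes(n)} B")
    print("A cheaper than B in aggregate verification from n =", crossover_n(EXAMPLE_A, EXAMPLE_B))
```

Replacing the placeholder profiles with the real operation counts from Table 1 reproduces the K, L and β columns of Table 3 and the crossover behaviour described for Fig 1; the crossover helper makes explicit that a scheme with more fixed pairings but a cheaper per-message term wins only above some message count.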
The aforementioned observations and analyses highlight the subtle yet crucial advantages of our algorithm regarding computational and communication overheads as well as calculational efficiency. With respect to security, our in-depth analysis has detected vulnerabilities in Cahyadi et al.’s scheme, which is prone to both public key replacement attacks and KGC attacks. Likewise, Wang et al.’s scheme is also susceptible to KGC attacks. Consequently, the improvement scheme proposed in our article outperforms the other four schemes [12–14, 28] used for comparison.
8 Conclusion
This article conducts a rigorous security analysis of the certificateless aggregate signature scheme for VANETs proposed by Cahyadi et al. [28]. The study reveals that Cahyadi et al.’s scheme suffers from two critical security vulnerabilities: a malicious KGC attack and a public key replacement attack. The specific reasons for the existence of these attack methods are presented in this paper. Subsequently, this article presents an enhanced scheme that withstands these attacks, accompanied by a proof of its security. Through a comparative analysis of the computational cost, communication overhead, calculational efficiency and security of the proposed scheme with several similar schemes, the results demonstrate that our scheme exhibits superior performance in both computational and communication efficiency, along with enhanced security. The security analysis and attack methodologies described here apply not only to the signature scheme of [28] but also have reference value for the analysis and design of other similar signature schemes, especially those based on bilinear pairings, as well as certificateless and certificate-based signature schemes. In future work, we will further refine and design certificateless aggregate signature schemes. This will involve considering more potential attacks, integrating reputation management mechanisms and privacy-based signature schemes, and evaluating their performance in diverse simulated and real vehicle networks.
References
- 1. Englund C, Chen L, Vinel A, et al. Future applications of VANETs. Vehicular ad hoc Networks: Standards, Solutions, and Research. 2015: 525–544.
- 2. Kenney J.B. Dedicated short-range communications (DSRC) standards in the United States. Proceedings of the IEEE, 2011, 99(7): 1162–1182.
- 3. Eze E. C., Zhang S., Liu E. Vehicular ad hoc networks (VANETs): Current state, challenges, potentials and way forward. In: 2014 20th International Conference on Automation and Computing. IEEE, 2014: 176–181.
- 4. Manvi S.S., Tangade S. A survey on authentication schemes in VANETs for secured communication. Vehicular Communications, 2017, 9: 19–30.
- 5. Qu F, Wu Z, Wang FY, et al. A security and privacy review of VANETs. IEEE Transactions on Intelligent Transportation Systems, 2015, 16(6): 2985–2996.
- 6. Al-Riyami S, Paterson K.G. Certificateless public key cryptography. Advances in Cryptology: ASIACRYPT 2003, LNCS, 2894: 452–473.
- 7. Boneh D, Gentry C., Lynn B., et al. Aggregate and verifiably encrypted signatures from bilinear maps. Advances in Cryptology: EUROCRYPT 2003, LNCS: 2656. Berlin: Springer, 2003. 416–432.
- 8. Zhou L., Yin X. An improved pairing-free certificateless aggregate signature scheme for healthcare wireless medical sensor networks. PLoS ONE. 2022, 17(7): e0268484. pmid:35816499
- 9. Zhan Y, Wang B, Lu R. Cryptanalysis and improvement of a pairing-free certificateless aggregate signature in healthcare wireless medical sensor networks. IEEE Internet of Things Journal. 2021;8(7):5973–5984.
- 10. Altaf F, Maity S. PLHAS: Privacy-preserving localized hybrid authentication scheme for large scale vehicular ad hoc networks. Vehicular Communications, 2021, 30: 100347.
- 11. Almazroi A.A., Aldhahri E.A., Al-Shareeda M.A., et al. ECA-VFog: An efficient certificateless authentication scheme for 5G-assisted vehicular fog computing. Plos One, 2023, 18(6): e0287291. pmid:37352258
- 12. Xu Z, He D, Kumar N, et al. Efficient certificateless aggregate signature scheme for performing secure routing in VANETs. Security and Communication Networks, 2020, 2020(1): 5276813.
- 13. Wang H, Wang L, Zhang K, et al. A conditional privacy-preserving certificateless aggregate signature scheme in the standard model for VANETs. IEEE Access, 2022, 10: 15605–15618.
- 14. Liang Y, Liu Y. Analysis and improvement of an efficient certificateless aggregate signature with conditional privacy preservation in VANETs. IEEE Systems Journal, 2023, 17(1): 664–672.
- 15. Yu S, Cao Q, Wang C, et al. Efficient ECC-based conditional privacy-preserving aggregation signature scheme in V2V. IEEE Transactions on Vehicular Technology, 2023, 72(11): 15028–15039.
- 16. Rajkumar Y, Kumar S.V.N.S. An elliptic curve cryptography based certificateless signature aggregation scheme for efficient authentication in vehicular ad hoc networks. Wireless Networks, 2024, 30(1): 335–362.
- 17. Jiu M, Wang D, Liu F, et al. A secure and efficient VANET certificateless aggregate signature improvement scheme. Communications Technology,2021,54(5):1189–1198.
- 18. Thumbur G, Rao G.S, Reddy P.V., et.al. Efficient and secure certificateless aggregate signature-based authentication scheme for vehicular ad hoc networks. IEEE Internet of Things Journal, 2020, 8(3): 1908–1920.
- 19. Zhou Y, Wang Z, Qiao Z, et al. An efficient and provably secure identity authentication scheme for VANET. IEEE Internet of Things Journal, 2023, 10(19): 17170–17183.
- 20. Chen Y, Chen J. CPP-CLAS: Efficient and conditional privacy-preserving certificateless aggregate signature scheme for VANETs. IEEE Internet of Things Journal, 2021, 9(12): 10354–10365.
- 21. Shim K.A. Cryptanalysis of compact certificateless aggregate signature schemes for HWMSNs and VANETs. IEEE Access, 2024(Early Access).
- 22. Ali I, Chen Y, Ullah N, et al. An efficient and provably secure ECC-based conditional privacy-preserving authentication for vehicle-to-vehicle communication in VANETs. IEEE Transactions on Vehicular Technology, 2021, 70(2): 1278–1291.
- 23. Zhou X, Luo M, Vijayakumar P, et al. Efficient certificateless conditional privacy-preserving authentication for VANETs. IEEE Transactions on Vehicular Technology, 2022, 71(7): 7863–7875.
- 24. Xiong W, Wang R, Wang Y, et al. Improved certificateless aggregate signature scheme against collusion attacks for vanets. IEEE Systems Journal, 2022, 17(1): 1098–1109.
- 25. Xu R, Zhou Y, Yang Q, et al. An efficient and secure certificateless aggregate signature scheme. Journal of Systems Architecture, 2024, 147: 103030.
- 26. Wu W, Ye F. IPCAS: An improved conditional privacy-preserving certificateless aggregate signature scheme without bilinear pairing for VANETs. Journal of Systems Architecture, 2024, 152: 103175.
- 27. Gong Z, Gao T, Guo N. PCAS: Cryptanalysis and improvement of pairing-free certificateless aggregate signature scheme with conditional privacy-preserving for VANETs. Ad Hoc Networks, 2023, 144: 103134.
- 28. Cahyadi E.F., Su T.W., Yang CC, et al. A certificateless aggregate signature scheme for security and privacy protection in VANET. International Journal of Distributed Sensor Networks, 2022, 18(5): 1–21.
- 29. Manivannan D, Moni S.S, Zeadally S. Secure authentication and privacy-preserving techniques in Vehicular Ad-hoc NETworks (VANETs). Vehicular Communications, 2020, 25: 100247.
- 30. Han M, Liu S, Ma S, et al. Anonymous-authentication scheme based on fog computing for VANET. PLoS one, 2020, 15(2): e0228319. pmid:32053610
- 31. Cheng Y, Ma J, Liu Z, et al. A lightweight privacy preservation scheme with efficient reputation management for mobile crowdsensing in vehicular networks. IEEE Transactions on Dependable and Secure Computing, 2022, 20(3): 1771–1788.
- 32. Gyawali S, Qian Y, Hu R.Q. Deep reinforcement learning based dynamic reputation policy in 5g based vehicular communication networks. IEEE Transactions on Vehicular Technology, 2021, 70(6): 6136–6146.
- 33. Liu Z, Weng J, Ma J, et al. TCEMD: A trust cascading-based emergency message dissemination model in VANETs. IEEE Internet of Things Journal, 2019, 7(5): 4028–4048.
- 34. Liu Z, Huang F, Weng J, et al. BTMPP: Balancing trust management and privacy preservation for emergency message dissemination in vehicular networks. IEEE Internet of Things Journal, 2020, 8(7): 5386–5407.
- 35. Gao S, Chen X, Zhu J, et al. Trust Worker: A trustworthy and privacy-preserving worker selection scheme for blockchain-based crowdsensing. IEEE Transactions on Services Computing, 2021, 15(6): 3577–3590.
- 36. Dai M, Su Z, Xu Q, et al. A trust-driven contract incentive scheme for mobile crowd-sensing networks. IEEE Transactions on Vehicular Technology, 2021, 71(2): 1794–1806.
- 37. Cheng H, Shojafar M, Alazab M, et al. PPVF: privacy-preserving protocol for vehicle feedback in cloud-assisted VANET. IEEE transactions on intelligent transportation systems, 2021, 23(7): 9391–9403.
- 38. Liu Z, Wan L, Guo J, et al. PPRU: A privacy-preserving reputation updating scheme for cloud-assisted vehicular networks. IEEE Transactions on Vehicular Technology, 2023,1(1):1–16.
- 39. Zhou Y, Cao L, Qiao Z, et al. An efficient identity authentication scheme with dynamic anonymity for VANETs. IEEE Internet of Things Journal, 2023, 10(11): 10052–10065.
- 40. Shahrouz J.K, Analoui M. An anonymous authentication scheme with conditional privacy-preserving for Vehicular Ad hoc Networks based on zero-knowledge proof and Blockchain. Ad Hoc Networks, 2024, 154: 103349.
- 41. Mundhe P, Yadav V.K, Singh A, et al. Ring signature-based conditional privacy-preserving authentication in VANETs. Wireless Personal Communications, 2020, 114: 853–881.
- 42. Zhang L, Li J, Yang Y. Message Linkable Group Signature with Information Binding and Efficient Revocation for Privacy-Preserving Announcement in VANETs. IEEE Transactions on Dependable and Secure Computing, 2024,21(6):5667–5680.
- 43. Zhao N, Zhang G.A, Gu X.H. Certificateless aggregate signature scheme for privacy protection in VANET. Computer Engineering, 2020, 46(1): 114–120,128.