
Certificateless aggregate signcryption scheme with multi-ciphertext equality test for the internet of vehicles

  • Xiaodong Yang
    Contributed equally to this work with: Xiaodong Yang, Xilai Luo, Ruixia Liu
    Roles: Writing – original draft, Writing – review & editing
    Affiliation: College of Computer Science and Engineering, Northwest Normal University, Lanzhou, China

  • Xilai Luo
    Contributed equally to this work with: Xiaodong Yang, Xilai Luo, Ruixia Liu
    Roles: Writing – original draft, Writing – review & editing
    Email: 2023222208@nwnu.edu.cn
    Affiliation: College of Computer Science and Engineering, Northwest Normal University, Lanzhou, China

  • Ruixia Liu
    Contributed equally to this work with: Xiaodong Yang, Xilai Luo, Ruixia Liu
    Roles: Writing – original draft, Writing – review & editing
    Affiliation: College of Computer Science and Engineering, Northwest Normal University, Lanzhou, China

  • Songyu Li
    Roles: Writing – original draft, Writing – review & editing
    ‡ These authors also contributed equally to this work.
    Affiliation: College of Computer Science and Engineering, Northwest Normal University, Lanzhou, China

  • Ke Yao
    Roles: Writing – original draft, Writing – review & editing
    ‡ These authors also contributed equally to this work.
    Affiliation: College of Computer Science and Engineering, Northwest Normal University, Lanzhou, China

Abstract

The Internet of Vehicles (IoV) facilitates connectivity among vehicles, roadside units, and smart terminals, enabling the evolution of traditional traffic networks into intelligent transport systems. The open communication character of the IoV enables various applications and services, but it also exposes the communication process to the risk of message tampering and leakage of private data, which may lead to security issues. At present, many solutions to the above problems exist, but most of them incur large computational and communication overhead. A multi-ciphertext equality test can compare two ciphertexts for equality without decryption, which to some extent avoids the user's repeated decryption of the same ciphertext; however, it still has a large computational overhead. To address the above problems, we propose a certificateless aggregate signcryption scheme for the IoV that supports multi-ciphertext equality testing.

The proposed scheme addresses the key escrow and certificate management issues inherent in identity-based systems by employing a certificateless signcryption mechanism. To prevent redundant retrieval of ciphertexts that correspond to identical plaintexts, a multi-ciphertext equivalence test feature has been incorporated. Furthermore, the aggregation capability of this scheme significantly enhances the efficiency of signing multiple vehicle data entries. By leveraging the computational complexities associated with the Diffie-Hellman problem and the discrete logarithm problem, it is demonstrated that the scheme maintains confidentiality and unforgeability within the random oracle model. When compared to similar schemes, this approach exhibits reduced computational overhead while providing superior security features.

Introduction

The Internet of Things (IoT) connects various devices and sensors through data acquisition and exchange. Under the influence of IoT technology, people's daily life has become more convenient, with applications such as smart homes, medical systems, vehicle monitoring and environmental perception [1].

The rapid advancement in wireless network communication technology has heightened the demand for more user-centric transportation services [2]. This has led to the development of the IoV, which leverages vehicles as primary carriers to enable smart interactions among vehicles, roads, infrastructure, and networks. Connected vehicles can share vital information such as driving statuses, speeds, road conditions, locations, and incidents. This capability allows the IoV to effectively manage traffic flow, reducing congestion and accidents, and thereby enhancing travel safety and comfort for drivers and passengers [3,4]. However, the IoV also encounters security and privacy challenges due to network instability and complex information transmission, including risks like malicious eavesdropping [5-7].

Maintaining network connectivity in wireless communication networks is crucial. To address communication bottlenecks and enhance connectivity, effective node deployment is essential [8,9]. For improved traffic management, the IoV system can significantly reduce congestion and accidents through real-time communication and coordination between vehicles and Road Side Units (RSUs). However, this system also raises security and privacy concerns due to the collection and exchange of sensitive data, such as vehicle locations and speeds [11,12]. As vehicles, which act as primary information carriers, move rapidly, their frequent position changes necessitate switching between different network nodes. This scenario introduces risks from malicious attacks using forged nodes, potentially compromising system integrity and driver safety, and possibly causing traffic accidents [13-15].

To address the security challenges in information transmission within the IoV, aggregate signcryption technology has been developed. This technology combines aggregation techniques with signcryption systems to perform both digital encryption and digital signature in a single logical step [16]. It enables the merging of multiple signcryption messages into one, allowing the recipient to simultaneously verify several ciphertexts, which reduces the time needed for verification. Additionally, aggregated ciphertext occupies less space compared to multiple individual ciphertexts, thereby lowering network bandwidth and computational overhead requirements. By allowing multiple data sources or vehicles to collectively signcrypt information, aggregate signcryption enhances security, privacy, and authenticity. Integrating this technology into the IoV can thus greatly advance the intelligent development of transportation systems and improve safety performance [17].

The proposed scheme primarily contributes in the following ways:

  1. The use of certificateless technology solves the problems of certificate management and key escrow, thereby ensuring the confidentiality and unforgeability of vehicle data in the IoV.
  2. By using aggregate signcryption technology, aggregators can signcrypt multiple data items at once, which improves signcryption efficiency in a multi-user environment.
  3. The proposed scheme supports a multi-ciphertext equality test. Testers can use the test trapdoors uploaded by data users to match multiple ciphertexts simultaneously, which enables multi-user retrieval and multi-ciphertext equality testing, and reduces the computational cost of the equality test process in a multi-user environment.
  4. Our scheme uses aggregate signcryption technology and the multi-ciphertext equality test to solve the problem of high computational overhead and low computational efficiency in signcryption schemes, while improving the security of data.

We compare and analyze similar schemes in terms of functional characteristics and computational cost, and the results indicate that the proposed scheme has lower computational cost and higher security.

Related work

With the rapid development of the IoV, more and more vehicles and devices are integrated into it and constitute a huge network. The focus in this network is data security and privacy protection. The traditional encryption algorithms in IoV are limited by factors such as computation and storage resources, the complexity of certificate management and revocation. Therefore, certificateless encryption technology has become an effective means to address these issues.

To ensure the security of data acquisition, processing and access in the IoV, many researchers have proposed adding encryption mechanisms to the IoV. From the perspective of security requirements, data authenticity and confidentiality are the two main emphases in many such applications [18].

Cryptography provides solutions to these security requirements, and much research has been carried out in this direction. The concept of signcryption and the first concrete signcryption schemes were proposed by Zheng [19] in 1997. In 2002, Baek et al. [20] developed a security model for signcryption and proved the security of Zheng's scheme. In 2008, Barbosa et al. [21] introduced a certificateless signcryption scheme together with a security model that combined the benefits of certificateless cryptography. Subsequently, several certificateless signcryption schemes have been proposed [22].

Mei et al. [23] proposed an efficient certificateless scheme with conditional privacy, which greatly reduces computational overhead by using aggregation technology. Kasyoka et al. [24] proposed a certificateless signcryption scheme without bilinear pairing, which significantly reduces computational overhead. Dohare et al. [25] proposed a new certificateless aggregate signcryption scheme (CLASS). Compared to a traditional certificate-based public key cryptosystem (CPKC), this scheme does not require certificates to be distributed in advance, which reduces complexity and overhead.

Ullah et al. [26] proposed a new anonymous certificateless signcryption scheme that supports aggregate signcryption for multiple users, but it relies on computationally expensive bilinear pairing operations. Moreover, the scheme cannot retrieve ciphertexts efficiently, which makes it costly for RSUs to screen vehicle data.

In the IoV, multi-ciphertext matching is often required. However, traditional ciphertext equality test techniques can only compare two ciphertexts for equality. In the IoV, with its huge data volume, many ciphertexts await equality testing, so the ciphertexts must be divided into pairs and the equality test performed on each pair separately. This obviously does not meet the needs of the IoV, a resource-constrained network: the large number of equality tests places a heavy burden on the system and thereby reduces the utilization of data. To enhance the computational efficiency of ciphertext equality testing in multi-ciphertext scenarios, Susilo proposed public-key encryption with multi-ciphertext equality test (PKE-MET). Although that scheme supports the equality test of more than two ciphertexts, it still has problems such as the high cost of certificate management.

To address the aforementioned issues, we propose a certificateless aggregate signcryption scheme with multi-ciphertext equality test for the Internet of Vehicles. The scheme provides confidentiality, authenticity and unforgeability, and resists type I and type II adversaries at low computational cost. The proposed signcryption scheme significantly enhances computational efficiency compared to existing schemes.

Preliminaries

Mathematical assumption

Discrete Logarithm Problem (DLP): Given two large prime numbers p and q satisfying the condition , and a generator P of the group , given the tuple , compute a.

Computational Diffie-Hellman (CDH) Problem: Given two large prime numbers p and q satisfying the condition , and a generator P of the group , given the tuple , compute abP.

Security model

The proposed scheme satisfies message confidentiality and ciphertext unforgeability, namely indistinguishability under adaptive chosen ciphertext attacks (IND-CCA2) and existential unforgeability under adaptive chosen message attacks (EUF-CMA).

To demonstrate the security of the scheme, we define two types of adversaries.

  1. Type I adversary: this adversary is not permitted to access the master key s, but can replace the public key of a receiver. In addition, without the trapdoor it cannot determine which message a ciphertext was computed from. This is modelled as an IND-CCA2 security model.
  2. Type II adversary: this adversary is allowed to obtain the master key, but cannot replace the public key of a receiver. In addition, without the trapdoor it cannot determine which message a ciphertext was computed from. This is also modelled as an IND-CCA2 security model.

Definition 1 (IND-CCA2-1). If no adversary wins the following game with a non-negligible advantage in polynomial time, the signcryption scheme is secure. The adversary interacts with the challenger through the following steps:

  1. Setup: executes the system initialization algorithm, which outputs the system parameters para and the master key s; it returns para to and keeps s secret.
  2. Phase 1: adaptively performs a polynomially bounded number of the following queries:
    1) Signcryption query: is provided to by . executes the signcryption algorithm to obtain the ciphertext Ci and returns it to .
    2) Unsigncryption query: submits to for validation. After verifying the validity of the ciphertext, runs the unsigncryption algorithm to recover the plaintext message mi, which it then returns to . If the ciphertext is invalid, returns .
  3. Challenge: chooses the challenge identity and two plaintext messages of identical length. is not allowed to query the private key of the challenge identity. randomly selects , computes the ciphertext and returns the result to .
  4. Phase 2: After obtaining , continues to issue the queries of Phase 1, except that it cannot query the private key of identity , nor perform an unsigncryption query on .
  5. Guess: outputs a guess of ; if , wins Game 1.

Definition 2 (IND-CCA2-2). If no adversary wins the following game with a non-negligible advantage in polynomial time, the signcryption scheme is secure. The adversary interacts with the challenger through the following steps:

  1. Setup: selects the challenge identity IDj, executes the initialization algorithm, randomly selects , computes the system public key Ppub = aP, and returns the system parameters and IDj to .
  2. Phase 1: Similar to Theorem 1, except that the public key replacement query and the partial private key query cannot be performed.
  3. Phase 2: Similar to Theorem 1, except that the secret value query on IDj cannot be performed.

The challenge phase and the guess phase are the same as in Theorem 1. In the end, the adversary wins the game.

Definition 3 (EUF-CMA-1). Adversary is a malicious user who does not possess the system's master key but can replace any user's public key. If the scheme can resist adaptive chosen-message attacks from , then it satisfies existential unforgeability under adaptive chosen-message attack (EUF-CMA).

  1. Setup: sets Ppub = aP, and returns the system parameters to .
  2. Query phase: adaptively performs hash queries, public key queries, private key queries, public key replacement queries, signcryption queries and unsigncryption queries.
  3. Forgery phase: attempts to construct a fake message or signature and submits it to the signcryption scheme for verification through an interactive process. If the signcryption scheme can accurately identify this forgery and refuse to accept false messages or signatures, then the scheme satisfies EUF-CMA. After the query phase, forges and outputs n signers to create an aggregate signature ciphertext for the message . Assume that at least one of the n users, specifically user D1, has not been queried for their secret value. If, at the same time, D1 has not been the subject of an aggregate signcryption query and is a valid ciphertext, then wins the game.

Definition 4 (EUF-CMA-2). Adversary is an honest-but-curious Key Generation Center (KGC) that can obtain the system's master key but cannot replace users' public keys. If the scheme can resist adaptive chosen-message attacks from , then it satisfies EUF-CMA.

  1. Setup: sets Ppub = aP, and returns the system parameters and the system master key s to .
  2. Query phase: owns the system master key s and can adaptively perform hash queries, public key queries, private key queries, signcryption queries and unsigncryption queries.
  3. Forgery phase: attempts to construct a fake message or signature and submits it to the signcryption scheme for verification through an interactive process. If the signcryption scheme can accurately identify this forgery and refuse to accept false messages or signatures, then the scheme satisfies EUF-CMA. After the query phase, forges and outputs n signers to create an aggregate signature ciphertext for the message . Assume that at least one of the n users, specifically user D1, has not been queried for their secret value. If, at the same time, D1 has not been the subject of an aggregate signcryption query and is a valid ciphertext, then wins the game.

Scheme construction

In the IoV, when urban traffic is congested, an RSU typically needs to manage hundreds of vehicles, and can use aggregate signcryption technology to batch-verify signcrypted information from a large number of On-Board Units (OBUs) in a short time. The scheme is mainly composed of the following entities.

  1. OBU: the vehicle data owner; it signs the message and sends it to the RSU.
  2. RSU: the vehicle data receiver; it decrypts and verifies the received ciphertext, then signs and broadcasts the traffic information.
  3. KGC: initializes the system and generates the system master key and system parameters.
  4. Aggregate Signcryption Generator (Agg-tor): aggregates the ciphertexts from multiple vehicles and uploads the aggregated ciphertext to the cloud server.
  5. Tester: performs the equality test algorithm on multiple vehicle ciphertexts and returns the corresponding results to the cloud server.
  6. Cloud Service Provider (CSP): provides flexible storage capacity and efficient data transmission.

The system model is indicated in Fig 1.

We propose a certificateless aggregate signcryption scheme that does not require bilinear pairings and supports the equality test. The specific implementation process, tailored to the application scenario of the IoV, is as follows:

  1. Setup: Given the security parameter k, we generate two large prime numbers p and q that satisfy . Let G be a cyclic group on an elliptic curve, and let P be a generator of G of order q. The Key Generation Center (KGC) defines the hash functions:
    , , H2: , , , .
    The master key is randomly selected and kept secret by the KGC. The system public key is computed as Ppub = sP, and the system parameters are published as .
  2. Key generation: The process of key selection and partial private key extraction is as follows:
    1) The on-board unit OBUi randomly selects as its secret value, sets , and , and then sends to the KGC.
    2) The KGC randomly selects , computes and , and sends to OBUi.
    3) To ensure the validity of the partial public key and the partial private key, OBUi receives sent by the KGC and verifies whether the equation diP =  holds. If it holds, OBUi computes the partial private key .
    4) OBUi computes , , PKi,1), , , .
    5) OBU returns the public key and the private key SKi to OBUi.
      Similarly, the public key of RSUj is , and the private key is .
  3. Signcryption: Assume that the identity of the OBUi participating in the signcryption is IDi, the identity of the aggregate signcryption receiver RSUj is IDj with public key PKj, and the message is . OBUi performs the following algorithm to signcrypt the plaintext message mi:
    1) Randomly select and compute , , Ci,2 = biP, .
    2) Compute , , , .
    3) Compute , , where .
    4) Compute , .
    5) Upload the ciphertext to cloud storage, where ui = n.
  4. Multi-ciphertext equality test: In this phase, OBUi decrypts the ciphertext Ci sent by RSUj to obtain a plaintext message mi, with the specific steps as follows:
    The n RSUs send equality test trapdoors to the tester, where . The tester downloads the n ciphertexts that the vehicle wants to test from the cloud server and performs the following multi-ciphertext equality test operations:
    • Check whether is valid. If it is, the tester continues with the following operations. Otherwise, it terminates the operation and outputs .
    • The tester computes and obtains by the signature secret algorithm. The tester combines the n equations into the following system of equations: (1)
    • Check whether the equation holds. If it holds, the tester outputs a test result of to the cloud server. Otherwise, the test result output to the cloud server is .
  5. Aggregate signcryption:
    1) Compute .
    2) The aggregated ciphertext is uploaded to the cloud server for storage.
  6. Aggregate unsigncryption:
    1) Compute , .
    2) Compute based on .
    3) Compute , and .
    4) Check whether the equations and hold. If they hold, the roadside unit accepts the vehicle data . Otherwise, it outputs .
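
The key generation, signcryption, aggregate unsigncryption and multi-ciphertext equality test steps above, as an added runnable illustration that is not the paper's construction and not the authors' code. It keeps the same shape (a KGC master key s with Ppub; a user secret value plus a KGC-issued partial private key that the user checks before use, as in step 3 of key generation; signcryption for a receiver; batch verification of n signatures with a single base exponentiation; and a trapdoor-based equality test over n ciphertexts that never decrypts them), but instantiates it in a prime-order multiplicative group mod a safe prime instead of an elliptic curve, with a Schnorr-style signature and an ElGamal-style test tag. Every function name, the key components (x, d, t), the public component T = g^t, the XOR-based payload encryption and the sample messages are assumptions introduced here.

```python
import hashlib
import random

# Added toy illustration (hypothetical; not the paper's scheme): order-q subgroup of Z_p^*, p = 2q+1 a safe prime, g = 4.

def is_probable_prime(n, rng, rounds=16):
    """Miller-Rabin test; n is assumed odd and > 3 (true for the sizes used here)."""
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def setup(bits=64, seed=1):
    """KGC Setup: safe prime p = 2q+1, generator g of order q, master key s, Ppub = g^s."""
    rng, q = random.Random(seed), 0
    while not (q and is_probable_prime(q, rng) and is_probable_prime(2 * q + 1, rng)):
        q = rng.getrandbits(bits - 1) | (1 << (bits - 2)) | 1
    p, s = 2 * q + 1, rng.randrange(1, q)
    return {"p": p, "q": q, "g": 4, "Ppub": pow(4, s, p)}, s

def H(*parts):
    """SHA-256 of the joined parts as an integer (stand-in for the paper's H0..H5)."""
    return int.from_bytes(hashlib.sha256(b"|".join(repr(x).encode() for x in parts)).digest(), "big")

def keygen(params, s, ident, rng):
    """User picks secret value x and test key t; KGC issues partial key (R, d) bound to (ID, R, PK1)."""
    p, q, g = params["p"], params["q"], params["g"]
    x, t, r = (rng.randrange(1, q) for _ in range(3))
    pk = {"ID": ident, "PK1": pow(g, x, p), "T": pow(g, t, p), "R": pow(g, r, p)}
    return pk, {"x": x, "d": (r + s * (H(ident, pk["R"], pk["PK1"]) % q)) % q, "t": t}

def cl_pubkey(params, pk):
    """Certificate-free verification key g^(x+d) = PK1 * R * Ppub^H(ID,R,PK1)."""
    p, h = params["p"], H(pk["ID"], pk["R"], pk["PK1"]) % params["q"]
    return (pk["PK1"] * pk["R"] * pow(params["Ppub"], h, p)) % p

def verify_partial_key(params, pk, d):
    """User-side check g^d * PK1 == g^(x+d), i.e. g^d == R * Ppub^H: a mis-issued or tampered d fails."""
    return (pow(params["g"], d, params["p"]) * pk["PK1"]) % params["p"] == cl_pubkey(params, pk)

def xor_stream(key, data):
    return bytes(a ^ b for a, b in zip(data, hashlib.shake_256(key).digest(len(data))))

def signcrypt(params, m, spk, ssk, rpk, rng):
    """ElGamal-style KEM for confidentiality, test tag Hg(m)*T^b, Schnorr signature under x+d."""
    p, q, g = params["p"], params["q"], params["g"]
    b, k = rng.randrange(1, q), rng.randrange(1, q)
    c1, rs = pow(g, b, p), pow(g, k, p)
    c2 = xor_stream(str(pow(rpk["PK1"], b, p)).encode(), m)
    tag = (pow(H(m) % (p - 2) + 2, 2, p) * pow(rpk["T"], b, p)) % p   # Hg(m) * T^b
    e = H(rs, c1, c2, tag, spk["ID"], rpk["ID"]) % q
    return {"C1": c1, "C2": c2, "tag": tag, "Rs": rs, "ID": spk["ID"],
            "sig": (k + e * (ssk["x"] + ssk["d"])) % q}

def aggregate_verify(params, cts, pks, rpk):
    """Batch check of n signatures with one g exponentiation: g^sum(sig) == prod(Rs_i * Y_i^e_i)."""
    p, q, agg, rhs = params["p"], params["q"], 0, 1
    for c in cts:
        e = H(c["Rs"], c["C1"], c["C2"], c["tag"], c["ID"], rpk["ID"]) % q
        agg = (agg + c["sig"]) % q
        rhs = (rhs * c["Rs"] * pow(cl_pubkey(params, pks[c["ID"]]), e, p)) % p
    return pow(params["g"], agg, p) == rhs

def unsigncrypt(params, c, rsk):
    """Receiver recovers m with its secret value x (after the batch has been accepted)."""
    return xor_stream(str(pow(c["C1"], rsk["x"], params["p"])).encode(), c["C2"])

def equality_test(params, cts_with_td):
    """Tester peels Hg(m) = tag / C1^t with each receiver's trapdoor t and compares all n at once."""
    p = params["p"]
    peeled = {(c["tag"] * pow(pow(c["C1"], td, p), p - 2, p)) % p for c, td in cts_with_td}
    return len(peeled) == 1

def demo():
    """Constructed run: OBU1 and OBU2 send the same hazard report to RSU_A, OBU2 also to RSU_B."""
    (params, s), rng, pk, sk = setup(), random.Random(7), {}, {}
    for i in ("OBU1", "OBU2", "RSU_A", "RSU_B"):
        pk[i], sk[i] = keygen(params, s, i, rng)
    m = b"accident on ring road km 12"                                   # constructed sample message
    c1, c2, c3 = (signcrypt(params, m, pk[o], sk[o], pk[r], rng)
                  for o, r in (("OBU1", "RSU_A"), ("OBU2", "RSU_A"), ("OBU2", "RSU_B")))
    c4 = signcrypt(params, b"road clear", pk["OBU1"], sk["OBU1"], pk["RSU_B"], rng)
    forged = dict(c2, sig=(c2["sig"] + 1) % params["q"])
    ta, tb = sk["RSU_A"]["t"], sk["RSU_B"]["t"]
    return {"partial_keys_ok": all(verify_partial_key(params, pk[i], sk[i]["d"]) for i in pk),
            "batch_ok": aggregate_verify(params, [c1, c2], pk, pk["RSU_A"]),
            "batch_rejects_forgery": not aggregate_verify(params, [c1, forged], pk, pk["RSU_A"]),
            "decrypt_ok": unsigncrypt(params, c1, sk["RSU_A"]) == m,
            "equal_across_receivers": equality_test(params, [(c1, ta), (c2, ta), (c3, tb)]),
            "unequal_detected": not equality_test(params, [(c1, ta), (c4, tb)])}
```

`demo()` returns a dict of booleans, one per check. Two properties are worth keeping in mind when reading the paper's own steps against this sketch: the trapdoor lets the tester recover only the hash of the message, so the equality test never needs the receiver's decryption key, but whoever holds a trapdoor learns which stored ciphertexts carry the same plaintext; and batch verification accepts or rejects the whole set, so when it fails (the `forged` entry in the demo) the RSU has to fall back to per-ciphertext verification to find the bad item.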

Correctness:

If the receiver receives the correct ciphertext, it can accurately decrypt the plaintext message. To prove that the scheme is correct, we only need to verify the correctness of the unsigncryption and the legitimacy of the aggregate signcryption ciphertext, as follows:

(2)

(3)

(4)

Security proof

Confidentiality

Theorem 1 (IND-CCA2-1). If an adversary wins the game with a non-negligible advantage, the challenger can solve the CDH problem in polynomial time.

Proof. is the challenger that solves the hard problem, and is the adversary. Given the challenge instance (P, aP, bP), , can use to compute abP. The game between and is executed as follows:

  1. Setup: selects the challenge identity IDj, executes the initialization algorithm, randomly selects , computes the system public key Ppub = aP, and returns the system parameters and IDj to .
  2. Phase 1: needs to maintain eight initially empty lists Li (i = 0,1,2,3,4,5), Lc and Lx to record the results of queries. L1 is also used to track key extraction queries, Lc to track test trapdoor queries, and Lx to track secret value queries. The interaction between and is as follows.
    1) H0-queries: submits the H0 query, and searches whether exists in list L1. If it exists, returns it to . Otherwise, randomly selects to return to , and inserts into L1.
    2) H1-queries: submits the H1 query, and searches whether exists in list L1. If it exists, returns it to . Otherwise, randomly selects to return to , and inserts into L1.
    3) H2-queries: submits the H2 query, and searches whether PKj) exists in list L2. If it exists, returns it to . Otherwise, randomly selects to return to , and adds to L2.
    4) H3-queries: submits the H3 query, and searches whether exists in list L3. If it exists, returns it to . Otherwise, randomly selects to return to , and saves it to L3.
    5) H4-queries: submits the H4 query, and searches whether exists in list L4. If it exists, returns it to . Otherwise, randomly selects to return to , and saves it to L4.
    6) H5-queries: submits the H5 query, and searches whether Ci,6 exists in list L5. If it exists, returns it to . Otherwise, randomly selects to return to , and saves it to L5.
    7) td-queries: submits the td query. If exists in L1, obtains SKj,3 through the H1-queries and returns to . Otherwise, randomly selects to send to , and adds to Lc.
    8) Secret value queries: performs the key query on identity IDi, and queries whether exists in Lx. If it exists in Lx, returns to . Otherwise, randomly selects and adds to Lc.
    9) Public and private key queries: performs the key query on identity IDi, and queries whether exists in L1; if it exists, returns it to . Otherwise, randomly selects , computes , returns (IDi, PKi) to , and adds to L1.
    10) Public key replacement queries: performs the public key replacement query on . If exists in L1, replaces with . Otherwise, adds to L1, sets to , and updates the list Lx.
    11) Aggregate signcryption queries: selects . queries the list L1 to obtain the private key of the sender and the public key of the receiver. Then the aggregate signcryption algorithm is executed to obtain the aggregated ciphertext .
    12) Aggregate unsigncryption queries: selects . performs validity verification. If the ciphertext is valid, executes the aggregate unsigncryption algorithm to obtain the set of plaintext messages and returns it to . Otherwise, is returned.
  3. Challenge: gives IDi and IDj, along with two plaintext messages of equal length, to . Upon receiving these inputs, randomly selects a sender identity and a bit . If is not equal to IDj, runs the signcryption algorithm on the plaintext message , producing the ciphertext C. Subsequently, employs the aggregate signcryption algorithm to obtain , which is then returned to .
  4. Phase 2: continues to issue the same queries as in Phase 1 after receiving , but is unable to query the private key of and cannot perform unsigncryption queries on .
  5. Guess: outputs a guess for ; if , then wins the above game. will use to compute Ri = abP as the solution of the CDH problem.

Therefore, if an adversary is able to break the confidentiality of the proposed scheme by winning the above game, the adversary has a non-negligible advantage in solving the CDHP. However, no efficient algorithm for this hard problem is currently known. Hence, our scheme satisfies confidentiality under the first type of attack.

Theorem 2 (IND-CCA2-2). If an adversary wins the game with a non-negligible advantage, the challenger can solve the CDH problem in polynomial time.

Proof. is the challenger that solves the hard problem, and is the adversary. Given the challenge instance (P, aP, bP), , can use to compute abP. The game between and proceeds as follows.

  1. Setup: selects the challenge identity IDj, and returns the system parameters para = , IDj and the master key s to .
  2. Phase 1: The interaction between and is as follows:
    1) H0-queries: submits the H0 query, and searches whether exists in list L1. If it exists, returns it to . Otherwise, randomly selects to return to , and inserts into L1.
    2) H1-queries: submits the H1 query, and searches whether exists in list L1. If it exists, returns it to . Otherwise, randomly selects to return to , and inserts into L1.
    3) H2-queries: submits an H2 query, and searches whether it exists in list L2. If it exists, returns it to . Otherwise, randomly selects to return to , and adds to L2.
    4) H3-queries: submits the H3 query, and searches whether exists in list L3. If it exists, returns it to . Otherwise, randomly selects to return to , and saves it to L3.
    5) H4-queries: submits the H4 query, and searches whether exists in list L4. If it exists, returns it to . Otherwise, randomly selects to return to , and saves it to L4.
    6) H5-queries: submits the H5 query, and searches whether Ci,6 exists in list L5. If it exists, returns it to . Otherwise, randomly selects to return to , and saves it to L5.
    7) td-queries: submits a td query. If exists in L1, obtains SKj,3 through the H1-queries and returns to . Otherwise, randomly selects to send to , and adds to Lc.
    8) Public and private key queries: performs a key query on identity IDi, and queries whether exists in L1; if it exists, returns it to . Otherwise, randomly selects , computes , returns (IDi, PKi) to , and adds to L1.
    9) Aggregate signcryption queries: selects . queries the list L1 to obtain the private key of the sender and the public key of the receiver. Then the aggregate signcryption algorithm is executed to obtain the aggregated ciphertext .
    10) Aggregate unsigncryption queries: selects . performs validity verification. If the ciphertext is valid, executes the aggregate unsigncryption algorithm to obtain the set of plaintext messages and returns it to . Otherwise, is returned.
  3. Challenge: gives IDi and IDj, along with two plaintext messages of equal length, to . Upon receiving these inputs, randomly selects a sender identity and a bit . If is not equal to IDj, runs the signcryption algorithm on the plaintext message , producing the ciphertext C. Subsequently, employs the aggregate signcryption algorithm to obtain , which is then returned to .
  4. Phase 2: continues to issue the same queries as in Phase 1 after receiving , but is unable to query the private key of and cannot perform unsigncryption queries on .
  5. Guess: outputs a guess for ; if , then wins the above game. will use to compute Ri = abP as the solution of the CDH problem.

If adversary can compromise the confidentiality of the proposed scheme by completing the described game, the adversary holds a non-negligible advantage in solving the CDHP. However, no feasible solution to this hard problem is known yet. Therefore, the proposed scheme effectively ensures confidentiality against the first type of attack.

Unforgeability

Theorem 3 (EUF-CMA-1). Given the ROM and the intractability of the CDHP problem, if there exists an adversary who can win the EUF-CMA game in polynomial time, then the challenger can resolve the difficult CDHP problem with a non-negligible advantage.

Proof. Challenger gives a random DLP instance (P,aP), . The purpose of is to solve CDHP through interaction with opponent , that is, to find a.The game process for and is as follows:

  1. Setup: sets Ppub = aP, and returns system parameters para = {p,q,P,Ppub, to .
  2. Queries: adaptively performs hash query, public key query, private key query, public key replacement query and signcryption query. needs to maintain eight initially empty lists Li(i = 0,1,2,3,4,5), Lc, Lx to record the results of queries. L1 is also used for tracking key extraction queries. Lc is used for tracking test trapdoor queries. Lx is used for tracking secret value queries. The interactive process for and is as follows.
    1) H0-queries: submits an H0 query; checks whether exists in list L0. If it exists, returns it to . Otherwise, randomly selects , returns it to , and inserts into L0.
    2) H1-queries: submits an H1 query; checks whether exists in list L1. If it exists, returns it to . Otherwise, randomly selects , returns it to , and inserts into L1.
    3) H2-queries: submits an H2 query; checks whether it exists in list L2. If it exists, returns it to . Otherwise, randomly selects , returns it to , and adds (mi, to L2.
    4) H3-queries: submits an H3 query; checks whether exists in list L3. If it exists, returns it to . Otherwise, randomly selects , returns it to , and adds it to L3.
    5) H4-queries: submits an H4 query; checks whether exists in list L4. If it exists, returns it to . Otherwise, randomly selects , returns it to , and saves it to L4.
    6) H5-queries: submits an H5 query; checks whether Ci,6 exists in list L5. If it exists, returns it to . Otherwise, randomly selects , returns it to , and saves it to L5.
    7) td-queries: submits a td query. If exists in L1, obtains SKj,3 through an H1 query and returns to . Otherwise, randomly selects , sends it to , and adds to Lc.
    8) Secret value queries: performs a secret value query on identity IDi. C checks whether exists in Lx. If it exists, returns to . Otherwise, randomly selects and adds to Lx.
    9) Public and private key queries: performs a key query on identity IDi. C checks whether exists in L1 and, if it exists, returns it to . Otherwise, randomly selects , calculates , returns to , and adds to L1.
    10) Public key replacement queries: performs a public key replacement query on . If exists in L1, replaces with . Otherwise, adds to L1, sets to , and updates the list Lx.
    11) Aggregate signcryption queries: selects . queries the list L1 to obtain the private key of the sender and the public key of the receiver, then runs the aggregate signcryption algorithm to obtain the aggregated ciphertext .
    12) Aggregate unsigncryption queries: selects . performs validity verification. If the ciphertext is valid, runs the aggregate unsigncryption algorithm to obtain the set of plaintext messages and returns it to . Otherwise, is returned.

Forgery phase: After the query phase, forges and outputs an aggregate signcryption ciphertext for the message on behalf of n signers. Assume that at least one of the n users, specifically user D1, has not had its secret value queried. If the forged aggregate signcryption is valid, then

(5)

If can compute , then has solved the CDHP. Since the CDHP is assumed to be intractable, no such adversary can exist, so the advantage of in winning the game is negligible. By Definition 3, the scheme satisfies EUF-CMA.

Theorem 4 (EUF-CMA-2). In the ROM and under the intractability of the CDHP, if there exists an adversary who can win the EUF-CMA game in polynomial time, then the challenger can solve the CDHP with non-negligible advantage.

Proof. The challenger is given a random DLP instance (P,aP), . The purpose of is to solve the CDHP through interaction with the adversary , that is, to find a. The game between and proceeds as follows.

  1. Setup: sets Ppub = aP, and returns system parameters para = {p,q,P,Ppub, and master key s to .
  2. Queries: In addition to the capabilities granted in Theorem 3, also holds the system master key s. may perform all the queries of Theorem 3 except the public key replacement query.

Forgery phase: After the query phase, forges and outputs an aggregate signcryption ciphertext for the message on behalf of n signers. Assume that at least one of the n users, specifically user D1, has not had its secret value queried.

If can compute by computing

then has solved the CDHP. Since the CDHP is assumed to be intractable, no such adversary can exist, so the advantage of in winning the game is negligible. By Definition 4, the scheme satisfies EUF-CMA.

Security analysis

Confidentiality of data

In the IoV, vehicle data is encrypted before transmission. For instance, OBUi computes the ciphertext of the message mi under a key derived through the hash function. To obtain the random value xi, an adversary would first have to recover Xi from the private key of OBUi and then compute xi from it.

However, the intractability of the CDHP makes it infeasible for an adversary to compute Xi. Messages carrying vehicle data in the IoV therefore remain confidential. The corresponding proof is given in the Confidentiality subsection.

Unforgeability of data

In the signcryption phase, OBUi outputs the ciphertext components , , , , , , where , , , . Here di, ri, ti and xi are secret values chosen at random by OBUi, and is the private key of OBUi. An adversary that knows neither these secret values nor the private key can neither recover the plaintext message nor forge a valid ciphertext.

OBUi sends the ciphertext to RSUi, which unsigncrypts it to obtain the message m and then verifies the result. If verification succeeds, the vehicle data has not been altered in transit; that is, unforgeability holds under the CDHP assumption.

The corresponding proof is given in the Unforgeability subsection.

Side channel attack defenses

The proposed scheme uses certificateless aggregate signcryption, which reduces the number of group operations each party performs per message. Aggregation lets a receiver check n ciphertexts with one verification instead of n independent ones, and the multi-ciphertext equality test lets a tester compare several ciphertexts in one pass without decrypting them; both shorten the execution time and the power consumption that a side channel could observe. A smaller operation count does not by itself remove timing or power leakage from the remaining scalar multiplications, however: an implementation must still execute them in constant time, independent of the secret scalar, for this protection to hold.

Combining efficiency with this protection makes the scheme suitable for secure communication in IoV settings exposed to side channel effects.
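To make concrete why the confidentiality argument rests on the CDHP, and what the side channel remark above does and does not cover, here is an added example. It is not code from the paper, whose curve and hash function are not given on this page: it assumes secp256k1 as the group and SHA-256 as the key-derivation hash, and all function names are illustrative. It shows a sender and receiver deriving the same key from x_i·PK and sk·X_i while an eavesdropper only sees X_i and PK, and it counts group operations to show that a naive double-and-add leaks the Hamming weight of the secret scalar whereas a Montgomery ladder performs a uniform sequence whatever the scalar is.

```python
import hashlib

# Curve: secp256k1, y^2 = x^3 + 7 over F_p. Chosen only because its constants
# are public; the paper does not name its curve (assumption).
P_MOD = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
A_COEF = 0
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
N_ORDER = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141

# Counters for the group operations behind one T1 (scalar multiplication).
OPS = {"add": 0, "double": 0}


def reset_ops():
    OPS["add"] = 0
    OPS["double"] = 0


def _double_raw(P):
    """Affine doubling; None is the point at infinity."""
    if P is None or P[1] == 0:
        return None
    x, y = P
    lam = (3 * x * x + A_COEF) * pow(2 * y, -1, P_MOD) % P_MOD
    x3 = (lam * lam - 2 * x) % P_MOD
    return (x3, (lam * (x - x3) - y) % P_MOD)


def _add_raw(P, Q):
    """Affine addition, handling infinity, P == Q and P == -Q."""
    if P is None:
        return Q
    if Q is None:
        return P
    if P[0] == Q[0]:
        return _double_raw(P) if P[1] == Q[1] else None
    lam = (Q[1] - P[1]) * pow(Q[0] - P[0], -1, P_MOD) % P_MOD
    x3 = (lam * lam - P[0] - Q[0]) % P_MOD
    return (x3, (lam * (P[0] - x3) - P[1]) % P_MOD)


def point_add(P, Q):
    OPS["add"] += 1
    return _add_raw(P, Q)


def point_double(P):
    OPS["double"] += 1
    return _double_raw(P)


def scalar_mult_naive(k, P):
    """Left-to-right double-and-add. The addition runs only for 1 bits, so
    the number (and timing) of group operations depends on the secret k."""
    R = None
    for bit in bin(k)[2:]:
        R = point_double(R)
        if bit == "1":
            R = point_add(R, P)
    return R


def scalar_mult_ladder(k, P, bits=256):
    """Montgomery ladder: one addition and one doubling per bit for every k,
    so the operation sequence no longer reveals the Hamming weight of k.
    The swap is still a Python branch; a production implementation must make
    it a branch-free conditional swap to be constant time."""
    R0, R1 = None, P
    for i in range(bits - 1, -1, -1):
        if (k >> i) & 1:
            R0, R1 = point_add(R0, R1), point_double(R1)
        else:
            R1, R0 = point_add(R0, R1), point_double(R0)
    return R0


def op_profile(mult, k):
    """(additions, doublings) performed by mult for scalar k."""
    reset_ops()
    mult(k, G)
    return (OPS["add"], OPS["double"])


def derive_key(scalar, point):
    """K = H(x-coordinate of scalar * point), H instantiated as SHA-256 (assumption).
    Sender: derive_key(x_i, PK_receiver); receiver: derive_key(sk_receiver, X_i)."""
    S = scalar_mult_ladder(scalar, point)
    return hashlib.sha256(S[0].to_bytes(32, "big")).hexdigest()


def key_agreement_demo(sk_receiver, x_i):
    """Returns (sender_key, receiver_key); equal iff both sides reach x_i*sk*P.
    An eavesdropper sees only X_i = x_i*P and PK = sk*P and would need the CDHP."""
    pk_receiver = scalar_mult_ladder(sk_receiver, G)
    x_pub = scalar_mult_ladder(x_i, G)            # X_i, sent in the clear
    return derive_key(x_i, pk_receiver), derive_key(sk_receiver, x_pub)


if __name__ == "__main__":
    sparse, dense = (1 << 255) + 1, (1 << 256) - 1   # same length, weight 2 vs 256
    print("naive  :", op_profile(scalar_mult_naive, sparse), op_profile(scalar_mult_naive, dense))
    print("ladder :", op_profile(scalar_mult_ladder, sparse), op_profile(scalar_mult_ladder, dense))
    print("keys match:", len(set(key_agreement_demo(0x1234567, 0x89ABCDEF))) == 1)
```

The two scalars passed to op_profile have the same bit length but Hamming weight 2 and 256; the naive routine performs 2 versus 256 additions for them, while the ladder performs 256 additions and 256 doublings in both cases. Requires Python 3.8 or later for the modular inverse via pow(x, -1, p).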

Man-in-the-middle attack defense

The proposed scheme is built on certificateless cryptography: a KGC issues partial private keys, so no PKI is needed. This removes the complexity of certificate management and with it the risk of man-in-the-middle (MITM) attacks based on forged certificates. Certificateless aggregate signcryption combines the digital signature and the encryption, so message integrity is ensured, and the multi-ciphertext equality test allows the consistency of messages to be verified, ensuring that the received data matches what was originally sent.

Taken together, these techniques protect not only the communication channel but also the information carried over it.

Efficiency and performance analysis

In this section, we analyse and compare the security and computational efficiency of the proposed scheme against related certificateless signcryption schemes, with concrete performance figures to illustrate the differences. Bilinear pairing is a costly operation, so certificateless signcryption schemes that avoid pairings have a significant efficiency advantage over those that use them.

The proposed scheme therefore offers considerable benefits in efficiency and security compared with pairing-based certificateless signcryption schemes. Compared with the pairing-free certificateless signcryption schemes [16,18], the computational overhead is dominated by the signcryption and unsigncryption algorithms and is measured by counting the scalar multiplications and exponentiations performed on the group.

To evaluate the performance of the scheme more comprehensively, the simulation was run on a host with an Intel(R) Xeon(R) Gold 6133 CPU @ 2.50GHz and 8.0GB of memory, using the PBC cryptography library on Ubuntu Server 22.04 LTS. The computational overhead is shown in Table 1. For ease of representation, T1 denotes a scalar multiplication on the group G, T2 an exponentiation on the group G, P a bilinear pairing, and n the number of messages/recipients.

We compare the computational overhead of the proposed scheme with the schemes of references [16,18,27,28]; the results are given in Table 2.

The proposed scheme uses the multi-ciphertext equality test to support ciphertext retrieval by multiple users and lets a tester retrieve several ciphertexts at once, which improves the efficiency of ciphertext retrieval in a multi-user environment. In addition, the scheme improves the efficiency of verifying user ciphertexts in a multi-user environment by introducing aggregate signcryption.

The analysis shows that, compared with similar schemes, the proposed scheme has lower computational overhead in the ciphertext generation, ciphertext equality test and ciphertext verification phases in a multi-user environment. The signcryption and unsigncryption overheads are shown in Fig 2 and Fig 3.

We also compare the features of the proposed scheme with those of references [16,18,27,28]; the results are shown in Table 3.

Compared with references [16,18,27,28], the proposed scheme uses the multi-ciphertext equality test to retrieve multiple ciphertexts in the IoV at the same time. Compared with [18], the scheme introduces certificateless aggregate signcryption, which removes the key escrow problem inherent in the identity-based setting, and it is proved unforgeable under the CDHP assumption.

Conclusion

Certificateless aggregate signcryption combines the benefits of certificateless cryptography with efficient transmission and verification of signcrypted data, significantly reducing computational and communication overhead. To address the low computational efficiency and weak data security of existing IoV cryptosystems in multi-user environments, we propose an aggregate signcryption scheme for the IoV that supports the multi-ciphertext equality test. The certificateless cryptosystem removes the certificate management burden typically associated with conventional public key approaches.

The multi-ciphertext equality test enables multiple data users to retrieve multiple vehicle data ciphertexts simultaneously, reducing the computational overhead of ciphertext equality testing in a multi-user environment. Aggregate signcryption improves the efficiency of signcrypting the data of multiple vehicle users. The proposed scheme preserves the confidentiality of vehicle data during transmission, and the comparison with similar approaches shows that it offers better security at a reduced computational overhead.

Looking ahead, the proposed aggregate signcryption scheme could be extended with post-quantum cryptography to meet the challenges posed by quantum computing. Further optimisation could also lower the computational overhead, making the scheme better suited to high-demand IoV environments.

References

  1. Siami M, Naderpour M, Lu J. A mobile telematics pattern recognition framework for driving behavior extraction. IEEE Trans Intell Transp Syst. 2020;3:1459–72.
  2. Ahmed A, Iqbal M, Jabbar S, Ibrar M, Erbad A, Song H. Position-based emergency message dissemination schemes in the IoV: A review. IEEE Trans Intell Transp Syst. 2023:1–25.
  3. Shah A, Engineer M. A survey of lightweight cryptographic algorithms for IoT-based applications. In: Smart Innovations in Communication and Computational Sciences: Proceedings of ICSICCS-2018. Springer; 2019. p. 283–93.
  4. Elhabob R, Zhao Y, Sella I, Xiong H. An efficient certificateless public key cryptography with authorized equality test in IIoT. J Ambient Intell Human Comput. 2019;11(3):1065–83.
  5. Chi H, Fu C, Zeng Q, Du X. Delay wreaks havoc on your smart home: Delay-based automation interference attacks. In: 2022 IEEE Symposium on Security and Privacy (SP); 2022. p. 285–302. https://doi.org/10.1109/sp46214.2022.9833620
  6. Ju Y, Cao Z, Chen Y, Liu L, Pei Q, Mumtaz S, et al. NOMA-assisted secure offloading for vehicular edge computing networks with asynchronous deep reinforcement learning. IEEE Trans Intell Transp Syst. 2023:1–14.
  7. Henze M, Hiller J, Hummen R, Matzutt R, Wehrle K, Ziegeldorf JH. Network security and privacy for cyber-physical systems. In: Security and Privacy in Cyber-Physical Systems: Foundations, Principles and Applications; 2017. p. 25–56.
  8. Cheng MX, Ling Y, Sadler BM. Network connectivity assessment and improvement through relay node deployment. Theor Comput Sci. 2017;660:86–101.
  9. Cheng MX, Wu WB. Data analytics for fault localization in complex networks. IEEE Internet Things J. 2016;3(5):701–8.
  10. Cheng X, Du DZ, Wang L. Relay sensor placement in wireless sensor networks. Wireless Netw. 2008:347–55.
  11. Azam F, Kumar S, Yadav K, Priyadarshi N, Padmanaban S. An outline of the security challenges in VANET. In: 2020 IEEE 7th Uttar Pradesh Section International Conference on Electrical, Electronics and Computer Engineering (UPCON); 2020. p. 1–6. https://doi.org/10.1109/upcon50219.2020.9376518
  12. Hamdi M, Al-Dosary O, Alrawi OA, Mustafa A, Abood M, Noori MS. An overview of challenges for data dissemination and routing protocols in VANETs. In: 2021 3rd International Congress on Human-Computer Interaction, Optimization and Robotic Applications (HORA). IEEE; 2021. p. 1–6.
  13. Kim D, Wang W, Wu W, Li D, Ma C, Sohaee N, et al. On bounding node-to-sink latency in wireless sensor networks with multiple sinks. IJSNET. 2013;13(1):13.
  14. Ma L, Teymorian AY, Xing K, Du DZ. An one-way function based framework for pairwise key establishment in sensor networks. Int J Secur Netw. 2008:217–25.
  15. Zhao L, Chai H, Han Y, Yu K, Mumtaz S. A collaborative V2X data correction method for road safety. IEEE Trans Rel. 2022;71(2):951–62.
  16. Kim T-H, Kumar G, Saha R, Alazab M, Buchanan WJ, Rai MK, et al. CASCF: Certificateless aggregated signcryption framework for internet-of-things infrastructure. IEEE Access. 2020;8:94748–56.
  17. Feng H, Chen D, Lv Z. Blockchain in digital twins-based vehicle management in VANETs. IEEE Trans Intell Transp Syst. 2022;23(10):19613–23.
  18. Xiong H, Hou Y, Huang X, Zhao Y. Secure message classification services through identity-based signcryption with equality test towards the Internet of vehicles. Veh Commun. 2020;26:100264.
  19. Zheng Y. Digital signcryption or how to achieve cost (signature & encryption) ≪ cost (signature) + cost (encryption). In: Advances in Cryptology – CRYPTO '97.
  20. Baek J, Steinfeld R, Zheng Y. Formal proofs for the security of signcryption. In: Public Key Cryptography: 5th International Workshop on Practice and Theory in Public Key Cryptosystems, PKC 2002, Paris, France, February 12–14, 2002, Proceedings; 2002. p. 80–98.
  21. Barbosa M, Farshim P. Certificateless signcryption. In: Proceedings of the 2008 ACM Symposium on Information, Computer and Communications Security; 2008. p. 369–72. https://doi.org/10.1145/1368310.1368364
  22. Xia A, Longjun Z. New secure certificateless signcryption scheme without pairing. Appl Res Comput. 2014;31(2):532–5.
  23. Mei Q, Xiong H, Chen J, Yang M, Kumari S, Khan MK. Efficient certificateless aggregate signature with conditional privacy preservation in IoV. IEEE Syst J. 2021;15(1):245–56.
  24. Kasyoka PN, Kimwele M, Mbandu SA. Efficient certificateless signcryption scheme for wireless sensor networks in ubiquitous healthcare systems. Wireless Pers Commun. 2021;118(4):3349–66.
  25. Dohare I, Singh K, Ahmadian A, Mohan S, Kumar Reddy MP. Certificateless aggregated signcryption scheme (CLASS) for cloud-fog centric Industry 4.0. IEEE Trans Ind Inf. 2022;18(9):6349–57.
  26. Ullah I, Khan MA, Alsharif MH, Nordin R. An anonymous certificateless signcryption scheme for secure and efficient deployment of internet of vehicles. Sustainability. 2021;13(19):10891.
  27. Hou Y, Cao Y, Xiong H. Heterogeneous broadcast signcryption scheme with equality test for IoVs. IEEE Trans Veh Technol. 2024.
  28. Niu S, Dong R, Liu W, Ge P, Liu Q. Broadcast signcryption scheme with equality test in smart transportation system. Veh Commun. 2024;49:100820.