Efficient proxy ring signature for VANET

The messages in vehicular ad hoc networks (VANET) are vulnerable to attack in the open wireless environment. Group communication in VANET is receiving more attention, and it confronts many security issues. First, only users who have passed legal authentication can communicate in the group. The ring signature is an effective solution. In addition, the group membership in the vehicular self-organising network changes rapidly, which leads to dynamic adjustment of group members. It is necessary to consider the computing power and communication capability of each node in the group. To speed up the authentication process, a roadside unit with more computing power and communication capability than vehicles is selected as the signature agent, which effectively reduces the computational load of vehicles and accelerates the communication throughput. Meanwhile, the computational task and communication overhead have not been well solved. To address these issues, this paper proposes an efficient proxy ring signature scheme for VANET to achieve higher signature efficiency and lower transmission overhead. The scheme allows both privacy protection and original signer tracing. Security analysis shows that the proposed scheme meets the security requirements of VANET.


Introduction
Vehicular ad hoc network (VANET) has emerged as a very hot research area over the past few years [1,2]. It is a special mobile ad hoc network for vehicle communication. VANET will become an important part of future intelligent transportation systems. VANET can significantly improve the safety and efficiency of transportation systems and connect vehicles to computer networks. VANET can establish wireless communication between vehicles as well as between vehicles and roadside units (RSUs). VANET can realise road traffic information query, traffic condition prediction, traffic congestion control and vehicle user access to the Internet. It is attracting increasing attention from industry companies, standardisation organisations and research institutions. In VANETs, RSUs and vehicles with wireless on-board units (OBUs) form a self-organised ad hoc network. They communicate with each other through a dedicated short-range communications (DSRC) protocol [3,4]. They also collect driving status (e.g. location, speed and braking) and road information (e.g. traffic jam and icy road), and regularly broadcast service information to users [5].
While VANETs bring convenience to the driving experience and traffic safety, there are also huge risks to security and user privacy. First, the system should prevent a malicious attacker from modifying the delivered messages, to keep message integrity [6]. Second, authentication is needed to ensure user legitimacy; meanwhile, the system should protect user privacy [7], including vehicle owner, driving route etc., and be able to trace the real sender in some specific situations. To deal with these issues, many schemes have been proposed for VANETs [7-9]. Chen et al. [10] proposed an ID-based proxy ring signature scheme with a certificate. However, their scheme cannot solve the inherent key escrow problem in ID-based applications. Jiang et al. [9] designed an anonymous communication scheme based on a certificate-less ring signature, which helps to reduce the length of the signature and simplify key management. Zeng et al. [11] introduced a conditionally anonymous ring signature scheme for VANET to address the issues of anonymous authentication and efficient tracking in case of a dispute. Lang et al. [12] and Gao et al. [13] put forward an improved ID-based proxy ring signature scheme using bilinear pairings, which combines the advantages of proxy signature and ring signature. Unfortunately, their ID-based proxy ring signatures with bilinear pairings require high computational costs for performing several pairing operations. Owing to the limited computational ability of the OBU, computational cost is a concern for vehicles. Moreover, the effective communication time between vehicle and RSU is short because of the high speed of the vehicle and the limited communication distance of the DSRC protocol. Yu et al. [14] proposed a proxy ring signature scheme for an anonymous voting system with higher security and efficiency than related schemes. However, this scheme still heavily depends on the tamper-proof hardware device.
Therefore, it is necessary to effectively reduce the computational complexity at the vehicle side.
The proxy ring signature can achieve the signature of the agent instead of the original signer, and can also satisfy the anonymity of the signature while tracking the real signer when necessary. To improve the vehicle's signing efficiency and solve the security requirements, we propose an efficient proxy ring signature (EPRS) scheme for VANETs without bilinear pairings. Our contributions are summarised as follows:
• First, to deal with the above-mentioned problems, we propose a new proxy ring signature without bilinear pairings, which achieves higher signature efficiency and lower transmission overhead.
• Second, by using a new key distribution method, the proxy ring signature can be implemented without the need for tamper-proof hardware device.
• Third, our scheme selects RSU with strong computing power and wide communication bandwidth as the signing agent, which effectively reduces the computational load of vehicle nodes with weak computing power and accelerates the communication throughput.
The remainder of this paper is organised as follows. We describe related works in Section 2 and define the system model and security requirements for VANET in Section 3. We present an EPRS scheme in Section 4 and analyse its security in Section 5. Finally, Section 6 concludes this paper.

Related works
With the wide application of digital signatures, an ordinary digital signature has been unable to meet the growing safety requirements. Therefore, digital signature schemes have been put forward according to different specific requirements, such as identity-based signature, proxy signature, blind signature etc. In an open network information environment, digital signature anonymisation can effectively avoid privacy leaks. Therefore, many anonymous digital signature schemes such as group signature and ring signature have been proposed. The ring signature can realise anonymous signature unconditionally, and is widely applied in data exchange, electronic money and other application fields. At the same time, considering the different computing powers of OBU and RSU, RSU with strong computing power is selected as the signing agent for VANET. Mambo et al. [15] introduced proxy signature, where the original signer can delegate signing power to a proxy signer so that the proxy signer can sign on behalf of the original signer. The verifier needs to verify both the signature and the entrustment signing protocol between the original signer and proxy signer. In a proxy signature scheme, the proxy signer usually has a powerful computing resource, which can effectively reduce the computational task of generating the signature by the original signer, and thus greatly improve the signing efficiency. In 2001, Rivest et al. first proposed a ring signature scheme. Ring signatures are distributed with no organisation administrator to manage ring members. In a ring signature scheme, the verifier can verify if the signature is generated by some ring member, but cannot identify the specific member. Thus, the ring signature scheme can effectively protect the privacy of the real signer in the ring, which means that it can realise unconditional identity anonymity. However, the ring signature scheme does not allow anyone to trace the real signature members.
In some cases, malicious attackers may abuse ring signatures. Therefore, the ring signature has been extended to support many applications. Zhang and Chen [16] proposed a ring signature scheme using identity or certificate in bilinear groups, which satisfies unconditional anonymity, and the real signer in the ring cannot deny its signature. Zhang and Safavi-Naini [17] proposed a proxy ring signature scheme combining proxy signature and ring signature. The proxy signer can produce signatures on behalf of the original signer with high anonymity.
Zhang et al. [18] proposed a certificate-less proxy ring signature scheme without bilinear pairings and exponentiations. However, their scheme did not describe how to distribute the private key among partners. Since the proxy and ring members are predefined, there is no process to allow membership change in the ring. Therefore, their scheme is not suitable for dynamic VANET. Cui et al. [8] proposed a privacy-preserving authentication scheme with a cuckoo filter for VANET. However, the vehicle needs to sign every message personally. Owing to the limited computing power of the vehicle, an RSU with more computing power can be selected as a signature agent. Chen [19] put forward an anonymous attestation scheme under a trusted computing environment. Although the scheme designed by Chen [19] does not use bilinear pairings, its security heavily depends on the tamper-proof hardware device.

Preliminaries
In this section, we briefly introduce the system model and elliptic curve cryptosystem (ECC). Some notations are shown in Table 1.

System model
As shown in Fig. 1, a typical VANET system consists of three types of entities, that is, OBU, RSU and TA:
• OBU is responsible for communicating with neighbouring OBUs or RSUs using the 802.11p protocol. OBU is semi-trusted in the system. A vehicle with OBU can regularly broadcast messages of its driving state (e.g. emergency braking). In transmission, it is necessary to sign and authenticate the messages sent by vehicles. Otherwise, the transmitted messages would be vulnerable to attacks launched by malicious attackers. In VANET system, OBU usually has only limited computation and storage capabilities.
• RSUs are always deployed on both sides of roads and intersections, which are responsible for vehicle-to-infrastructure communication. RSU is also semi-trusted in the system. They regularly broadcast road information (e.g. road congestion) and local environment (e.g. gas station and parking lot). Since RSUs have the wider broadcast range and more powerful computation capability than OBUs, they are very suitable to serve as proxies to generate ring signatures.
• Trusted Authority (TA) is responsible for the generation and distribution of the private and public keys for OBUs and RSUs. It is completely trusted by the other entities in the system. At first, the TA initialises the system and produces public system parameters. Each OBU and RSU has to register to TA, so as to get public and private keys of a proxy ring signature scheme. The traceability of the system allows the TA to find out the real signer when it is necessary [20].

System requirements
The proposed EPRS scheme for VANET without using a bilinear map has to meet the following requirements: •

Elliptic curve cryptosystem
Assume $p$ is a prime number and $F_p$ is a finite prime field. In mathematics, an elliptic curve $E_p(a, b)$ is a plane algebraic curve defined by the following equation: where $a, b, x, y \in F_p$. Assume $P(x_1, y_1)$ and $Q(x_2, y_2)$ are two distinct points on the elliptic curve $E_q(a, b)$. Draw a line $L$ through $P$ and $Q$, where $L$ will intersect with the curve. Let the intersected point be $R' = (x_3, -y_3)$. $R = (x_3, y_3)$ is the symmetric point of $R' = (x_3, -y_3)$ based on the X-axis.
We define an additive cyclic group with the special point $O$ at infinity as follows: where μ = We also define the following equations: Some related mathematical problems of ECC are described as follows:
i. Elliptic curve discrete logarithm problem (ECDLP): Given any $n \in Z_p^*$, it is easy to compute $R = nP$. However, it is difficult to calculate $n$ from points $P$ and $R$.
ii. Computational Diffie-Hellman problem: Given $a, b \in Z_p^*$ and $(P, aP, bP)$, it is difficult to calculate $abP$ without $a$ and $b$.

Proposed scheme
In this section, to address the communication security requirements in VANET, we design a secure EPRS scheme without using bilinear pairing. The application process of our proxy ring signature scheme is shown in Fig. 2.
i. Vehicle sends its signature to TA.
ii. TA returns a partial proxy ring signature if the vehicle's signature passes the verification.
iii. RSU sends its signature to TA.
iv. TA returns a partial proxy ring signature if the RSU's signature passes the verification.
v. Some new vehicle requests to join the ring.
vi. RSU forwards the request to TA.
vii. TA sends the verification result of the vehicle's request to RSU.
viii. RSU accepts the vehicle to join the ring if its request passes the verification.
ix. Vehicle sends trusted member authentication information to RSU.
x. RSU generates a proxy ring signature if the vehicle's authentication succeeds, and sends the signature to the vehicle.
The proposed scheme consists of seven phases, that is, system initialisation, local key generation, partial proxy ring signing key generation, trusted member authentication, proxy ring signing key generation, proxy ring signing and signature verification.

System initialisation
Suppose $G_1$ is an additive group on elliptic curves generated by $P$, and its order is a prime number $p$.
TA selects two collision-resistant hash functions, that is, TA randomly selects $s \in_R Z_p^*$ as the master key and calculates $P_{pub} = sP$ as the public key of the system. The system parameters parame := $\langle G_1, p, P, P_{pub}, H_1, H_2 \rangle$ are broadcast by TA to all users. TA keeps the master secret key $s$ secret.

Local key generation
Vehicle randomly selects $y_i \in_R Z_p^*$ $(1 \le i \le N)$ as the private key and calculates $Y_i = y_i P$ as the public key. In this paper, let $(y_o, Y_o)$ denote the key pair of the original signer vehicle and $(y_r, Y_r)$ denote the key pair of RSU.
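Added example, not code from the paper: the elliptic-curve group law and the local key generation $Y_i = y_i P$ described above, exercised through a generic Schnorr-style (Abe-Ohkubo-Suzuki) ring signature rather than the EPRS construction, whose signing equations do not survive on this page. The curve (secp256k1), the hash (SHA-256) and all function names are assumptions.

```python
import hashlib, secrets
# Assumption: secp256k1 (the page names no curve). FP is the field prime and
# N the prime order of the group generated by G (P and p in the page's notation).
FP = 2**256 - 2**32 - 977
A = 0                                             # curve: y^2 = x^3 + A*x + 7
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
O = None                                          # point at infinity

def add(P, Q):
    """Chord-and-tangent addition of two curve points over F_FP."""
    if P is O: return Q
    if Q is O: return P
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2 and (y1 + y2) % FP == 0:
        return O                                  # P + (-P) = O
    if P == Q:                                    # tangent slope (doubling)
        mu = (3 * x1 * x1 + A) * pow(2 * y1, -1, FP) % FP
    else:                                         # chord slope
        mu = (y2 - y1) * pow((x2 - x1) % FP, -1, FP) % FP
    x3 = (mu * mu - x1 - x2) % FP
    return (x3, (mu * (x1 - x3) - y1) % FP)

def mul(n, P):                                    # double-and-add: returns nP
    R = O
    while n:
        if n & 1: R = add(R, P)
        P, n = add(P, P), n >> 1
    return R

def keygen():                                     # private y_i, public Y_i = y_i*G
    y = secrets.randbelow(N - 1) + 1
    return y, mul(y, G)

def h(msg, ring, R):                              # SHA-256 into Z_N (assumed hash)
    digest = hashlib.sha256(repr((msg, ring, R)).encode()).digest()
    return int.from_bytes(digest, "big") % N

def ring_sign(msg, ring, k, y_k):
    """Sign as ring[k]; the output has the same shape whatever k is."""
    M = len(ring)
    c, s = [0] * M, [0] * M
    u = secrets.randbelow(N - 1) + 1
    i = (k + 1) % M
    c[i] = h(msg, ring, mul(u, G))
    while i != k:                                 # simulate every other member
        s[i] = secrets.randbelow(N - 1) + 1
        c[(i + 1) % M] = h(msg, ring, add(mul(s[i], G), mul(c[i], ring[i])))
        i = (i + 1) % M
    s[k] = (u - c[k] * y_k) % N                   # only the real key closes the ring
    return c[0], s

def ring_verify(msg, ring, sig):
    """Valid iff the challenge chain walks the whole ring and returns to c_0."""
    c = sig[0]
    for Y, s_i in zip(ring, sig[1]):
        c = h(msg, ring, add(mul(s_i, G), mul(c, Y)))
    return len(sig[1]) == len(ring) and c == sig[0]
```

The verifier needs only the list of public keys, so a plain ring signature like this one gives no party a way to trace the signer; the tracing by TA that the paper describes is an addition of its own scheme.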

Partial proxy ring signing key generation
The process of partial proxy ring signing key generation is shown in Fig. 3.
i. With identity $ID_i$, password $PWD_i$ and public key $Y_i$, vehicle randomly selects $v_i \in_R Z_p^*$ and computes then it sends the signature $\sigma = E_{P_{pub}}(ID_i \parallel Y_i \parallel V_i \parallel c_i)$ to TA.
ii. TA decrypts $\sigma$. First, TA queries the password $PWD'_i$ according to the vehicle's identity $ID_i$, computes , and verifies the equality If it holds, TA randomly selects $t_i \in_R Z_p^*$ and computes to the vehicle.
iii. Vehicle decrypts $\phi$ and verifies the following equality: If it holds, the vehicle uses the public key $D_i = V_i + (d_i + y_i)P$ for proxy ring signature and saves
iv. Denote the information for partial signature (e.g. partial public key and verification information) of the original signer vehicle and RSU by respectively.

Trusted member authentication
The process of trusted member authentication is shown in Fig. 4.
i. When the original signer vehicle goes into the communication range of an RSU, it sends a request to join the trusted member list. That is, the vehicle computes and
ii. RSU forwards the signature $\sigma$ to TA.
iii. TA decrypts $\sigma$. TA queries the password $PWD'_o$ according to the vehicle's identity $ID_o$ and computes and verifies the following equality: If it holds, TA randomly selects $m_o \in_R Z_p^*$ and computes Then TA sends $\lambda = \{\lambda_1, \lambda_2\}$ to RSU and saves
iv. When receiving $\lambda$, RSU decrypts $\lambda_1$ and checks the following equality: If it holds, RSU saves $\{ID_o, Y_o, T_o, J_o, j_o\}$ locally and forwards $\lambda_2$ to the requesting vehicle.
v. The vehicle decrypts $\lambda_2$ and checks the following equality: If it holds, the vehicle saves

Proxy ring signing key generation
i. Vehicle generates authentication information $\xi$, which includes vehicle information, public key, valid deadline etc. Vehicle computes and sends $\sigma = E_{P_{pub}}(ID_o \parallel \xi \parallel e_\xi \parallel f_\xi)$ to TA, as shown in Fig. 5.
ii. TA decrypts $\sigma$. TA queries $(V_o, Y_o, T_o, j'_o)$ according to the vehicle's $ID_o$ and verifies the following equality: If it holds, TA adds the vehicle $ID_o$ into the trusted member list and computes as the proxy ring signing key for the vehicle. $x_i \in_R Z_p^*$ and computes
iii. RSU randomly selects $x_r \in_R Z_p^*$, $x_r \ne x_i$ $(i = 1, 2, 3, \ldots, M, i \ne r)$ and computes

Signature verification
After receiving the trusted member list $L$ and signature $\sigma$, the receiver performs as follows:
i. Compute (29)
ii. Verify the equality
iii. If it holds, the proxy ring signature is legal. Otherwise, the signature is invalid and would be denied.

Security analysis
In this section, we analyse our proposed scheme in terms of verifiability, unconditional anonymity and unforgeability:
i. Verifiability: OBU can trust that the RSU has the original signer's signature of authorisation information $m$ according to the $K$ in the signature $\sigma$ generated by the signature agent RSU. From the process of generating a proxy ring signature, we can get the following formula: Therefore, proxy ring signatures are verifiable:
ii. Unconditional anonymity: Our proposed scheme offers unconditional anonymity, except that only TA is able to trace the real signer anytime. The probability that an attacker can correctly identify the real proxy signer is not more than $1/M$. Let $\sigma = \{m, X_1, X_2, \ldots, X_i, X_o, X_r, \ldots, X_M, K, L\}$ be a proxy ring signature on the message $m$ under the trusted member list $L$. During the process of proxy ring signing, RSU randomly selects different $x_i \in_R Z_p^*$ and $x_r \in_R Z_p^*$, $x_r \ne x_i$ $(i = 1, 2, 3, \ldots, M, i \ne r)$, thus the probability of $X_i$ is In this way, no matter who has signed the message $m$, and no matter how large the number of ring members is, the probability of generating $\sigma$ is the same for each of the other ring members. This implies that the probability of determining the identity of a real signer will not exceed $1/M$.
iii. Unforgeability: The private key $(y_o, d_o)$ of the original signer vehicle and the proxy ring signature key $k_o$ are all safe. Recovering the private key is as hard as solving the ECDLP. In addition, since the proxy signing private key simultaneously includes the private keys of the original signer and proxy signer, no one can forge a proxy ring signature. Therefore, the proposed scheme offers unforgeability.
iv. Uncollectability: In addition to the real signer, other users do not know who the signer is. If there is user collusion in the member list $L$, all members are required to participate in the collusion; otherwise, the real signer cannot be known either. However, the real signer would rather protect its privacy than risk participating in collusion. Otherwise, it would reveal its own privacy too.
v. Performance: In this section, the proposed scheme is compared with schemes [14,21] in terms of computation overhead. For comparison, only the time-consuming add/multiplication and bilinear pairing operations are considered. Let $T_{par}$ be the execution time of a pairing operation, $T_{Ga}$ be the execution time of performing an addition operation over an elliptic curve, $T_{Gm}$ be the execution time of performing a scalar multiplication over an elliptic curve and $n$ be the number of vehicles signed by the agent. The comparison of computation costs between the proposed scheme and the existing schemes [14,21] is summarised in Table 2.
As shown in Table 2, the signature and verification efficiencies of our scheme have been improved in comparison with other schemes. The signature verification of the proposed scheme does not require pairing operations, whereas the other two schemes require two pairing operations. Signature verification is generally performed in OBU with weak computing power. In this way, the computational load of OBU is greatly reduced, and the communication bottleneck in the signing process can be effectively solved.

Conclusions
In this paper, an EPRS scheme for VANET without bilinear pairing is proposed. Our scheme effectively reduces the vehicle's computing task and communication overhead by introducing a proxy signer. The security analysis demonstrates that our scheme well meets the security requirements for VANET.

Table 2 Comparison of computation costs

Scheme | Signing | Verification
[21] | $(4n - 2)T_{Ga} + (2n + 2)T_{Gm}$ | $nT_{Ga} + nT_{Gm} + 2T_{par}$
EPRSS [14] | $nT_{Ga} + 2nT_{Gm}$ | $(2n - 1)T_{Ga} + (n + 1)T_{Gm} + 2T_{par}$
our scheme | $2(n - 1)T_{Ga} + 2nT_{Gm}$ | $2nT_{Ga} + nT_{Gm}$

J. Eng