An Anonymous Authentication Scheme with Controllable Linkability for Vehicle Sensor Networks

: Vehicle sensor networks (VSN) play an increasingly important part in smart city, due to the interconnectivity of the infrastructure. However similar to other wireless communications, vehicle sensor networks are susceptible to a broad range of attacks. In addition to ensuring security for both data-at-rest and data-in-transit, it is essential to preserve the privacy of data and users in vehicle sensor networks. Many existing authentication schemes for vehicle sensor networks are generally not designed to also preserve the privacy between the user and service provider (e.g., mining user data to provide personalized services without infringing on user privacy). Control-lable linkability can be used to facilitate an involved entity with the right linking key to determine whether two messages were generated by the same sender, while preserving the anonymity of the signer. Such a functionality is very useful to provide personalized services. Thus, in this paper, a threshold authentication scheme with anonymity and controllable linkability for vehicle sensor networks is constructed, and its security is analyzed under the random oracle model.


Figure 1: Entities of vehicle sensor network
In general, striking a balance between preserving user privacy and maximizing the utility of user data (e.g., to offer better and customized services, based on mining and analysis of user data) is tricky [13,14]. For example, a key characteristic required to provide personalized services is linkability, which contradicts the privacy requirement. Controllable linkability, first proposed by Hwang et al. [15], is one potential solution. In such a concept, an entity who owns a linking key can dervie whether two authentication messages were generated by the same user (or not). Doing so does not infringe the user's anonymity since the identity of the message signer cannot be obtained. Since the seminal work of Hwang et al. [15], a great many group signature schemes with controllable linkability have been investigated in the literature [15][16][17][18]. However, the verifier can only check the valid signature message generated by a group member but cannot decide whether the message has been fabricated. Threshold authentication can, however, mitigate such a limitation. Specifically, the receiver accepts a message only after it has been confirmed by the specified threshold number of user.
In this work, we present a group signature-based anonymous authentication scheme for vehicle sensor networks, which is designed to achieve threshold authentication, anonymity, nonrepudiation, and controllable linkability. In addition, we will demonstrate that it is more efficient than similar existing schemes in regard to both communicational and computational costs, based on the findings from our evaluations using the widely accepted OpenSSL library. We also demonstrate the security of the scheme under the random oracle model, as well as explaining how it achieves the other desirable security properties.
The rest of this article is structured as below. Related work and relevant background materials are introduced in Sections 2 and 3, respectively. Then, the concrete construction of the scheme is presented in Section 4, followed by its security and performance analysis in Sections 5 and 6. Finally, this paper is concluded in the last section.

Related Work
In recent years, authentication schemes with different properties for vehicle sensor networks have been investigated in the literature. For instance, Raya et al. [19] introduced an anonymous authentication scheme for vehicle sensor networks by employing anonymous certificates. In such a scheme, a vehicle is preloaded with large anonymous certificates such that the vehicle can employ different public/private key pairs during each authentication process to avoid being traced. However, the public/private key pairs must have a short lifetime so as to achieve privacy preservation; otherwise, there will be significant storage and management costs. Lu et al. [20] presented a new method to deal with the challenge of preloading a mass of anonymous certificates, by leveraging RSUs. To update the anonymous certificate in order to keep linkability of the message, each vehicle would request the RSU to issue a short-time anonymous certificate when the vehicle passes by the RSU. Consequently, frequent interaction between vehicle and RSU may influence the performance of the entire vehicle sensor networks. Huang et al. [21] proposed two certificateless signatures schemes; however, anonymity is not achieved because the public key of the user is needed during verification.
Group signature schemes can also be used to achieve privacy preservation [22][23][24]. For example, Hwang et al. [15][16][17] introduced three group signature schemes with controllability linkability, for purpose of preserving the privacy between the users and service providers. However, these schemes do not support threshold authentication and require significant computing cost due to the number of exponentiation operations and bilinear pairings operations.
Threshold authentication is a common approach to assure the authenticity of the received (traffic) information [25][26][27]. For example, Shao et al. [28,29] introduced two threshold anonymous authentication schemes for vehicle sensor networks, designed to resist an attack on a single malicious message. However, the cost of computation of these schemes is significantly high on account of the employment of exponentiation and bilinear pairing. Therefore, in this work, we construct a group signature-based anonymous authentication scheme with controllable linkability, based on Shao et al. [28,29] scheme. However, our proposed scheme is more efficient because we utilize the point multiplication operation instead of the exponentiation operations.

System and Security Models
Our proposed protocol comprises four entities, namely: central authority (CA), service providers (SP), RSUs and OBUs (see also Fig. 2). CA is mainly tasked with issuing of the corresponding public key certificates for both RSUs and OBUs after their respective public keys have been successfully authenticated. Moreover, CA can uncover the original identity of the sender who is found to send a fabricated message in VANET. SP is responsible for providing personalized services, first by examining whether given two messages are produced by the same sender with the linking key. RSUs are densely deployed along the road, and each of them is assumed as the manager of a group consisting of OBUs within its communication area. Besides, RSUs are also responsible for issuing group certificates for vehicles equipped with OBUs when they enter into its communication range, which can be used to communicate with other OBUs by signing the message with its private key. Note that if an OBU is in the revocation list obtained from the CA, it would not be assigned with a group certificate by its RSU.

Figure 2: System model
CA is assumed to be fully honest, whereas SPs and RSUs are presumed to be semi-honest (i.e., honest but curious), in the sense that they would honestly follow the proposed protocol and would not conspire with other RSUs. However, they are curious about the user's identity information and trace information, and hence may passively seek to collect group signatures and gather other information. Honest OBUs can accept a message only when they have received the number of valid signatures whose number is greater than the threshold value on the same message. However, OBUs could also be malicious, in the sense of attempting to obtain the user's identity information and trace information by launching either passive or active attack. For instance, they may attempt to broadcast many fabricated message signatures without being perceived or conspire with each other.

Bilinear Groups
Let G 1 , G 2 and G 3 denote three different additive groups over elliptic curve with the same order q, where q is a prime number, and they all satisfy non-degenerated properties and are used to construct a bilinear map e : G 1 × G 2 → G 3 , such that e(aP 1 , b P 1 ) = e(P 1 , P 1 ) ab for all a, b ∈ Z * q , any P 1 ∈ G 1 and P 1 ∈ G 2 . For convenience, the symbol "∼" is used to label the elements in G 2 .
We analyze the security of the proposed threshold anonymous authentication scheme based on the eCDH assumption and the eDDH assumption, which are defined as follows [29]: Definition 1: (eCDH Assumption): Given P, aP, bP ∈ G 1 and P, a P ∈ G 2 , where a, b ∈ Z * q , to output abP. The (t, ε) eCDH assumption states that there is no t-time algorithm that can break the eCDH assumption with a non-negligible advantage of at least ε.
Definition 2: (eDDH Assumption): Given P, aP, bP, cP ∈ G 1 and P, a P, b P ∈ G 2 , where a, b, c ∈ Z * q , to decide whether abP = cP holds or not. The (t, ε) eDDH assumption states that there is no t-time algorithm can break the eDDH assumption with non-negligible advantage of at least ε.

Proposed Authentication Protocol
The construction of our proposed group signature-based anonymous authentication scheme with controllable linkability is illustrated here, and the scheme includes initialization, registration, joining, signing, verifying, linking, and tracing stage.
First, the CA follows the initialization process to produce public/private key pairs for itself and the public parameters for the entire system. Before each RSU and OBU join the network, they need to follow the registration process to produce the pairs of the public key and private key for itself and obtain corresponding public certificates from the CA. RSUs are deployed on critical points along the road (e.g., roadsides or building and other installations). When a vehicle employed with an OBU enters into a new range covered by a certain RSU, it has to follow the joining process to obtain the corresponding group certificate from the RSU. Then, the vehicle can sign and broadcast messages. After that, the receiver can perform the threshold authentication process to verify any received messages and signatures. In order to identify the malicious signer, the CA can perform identity tracing process to uncover the identity of the singer corresponding to the suspicious signature. To provide personalized service, one can perform linking process to check whether two given pairs of signatures and messages are from the same sender.
The definition of used notations is shown as Tab. 1, and details of our proposed authentication scheme is illustrated in the remaining of this section.

Initialization
In this stage, CA produces the key pairs for itself and the public parameters for the entire system. The detailed description is as follows: • First, CA produces the public parameter q, P 1 , • Then, CA randomly chooses x ca , x tm ∈ Z * q , and computes P ca = x ca P 1 , P ca = x ca P 1 and P tm = x tm P 1 , P link = −x tm P 1 . Finally, CA sets P link as the linking key, (P ca , P ca , P tm ) as its public key and keeps (x ca , x tm ) as its private key.

Registration
The registration stage consists of two parts, namely: RSU registration and OBU registration. CA assign RSUs and OBUs with the corresponding public certificates by performing this process.
Three different groups with the same order q P 1 , P 2 The primitive generator of G 1 P 1 The primitive generator of G 2 x ca The private key of CA to issue certificates x tm The private key of CA to trace x rsu The private key of RSU x obu The private key of OBU P link The linking key of SP (P ca , P ca , P tm ) The public key of CA P rsu The public key of RSU P obu The public key of OBU

RSU Registration
Each RSU registers itself as follows, • RSU selects x rsu ∈ Z * q randomly as its private key, and evaluates P rsu = x rsu P 1 as its public key.
• RSU sends P rsu to CA through a secure channel. After receiving the message, CA produces a public certificate cert rsu on P rsu , and sends cert rsu and the current revocation list CRL to RSU, where CRL is defined as (cert obu_n , P obu_n ))

Vehicle OBU registration
• Each OBU selects x obu ∈ Z * q randomly as its private key and evaluates P obu = x obu P 1 as its public key.
• Then, OBU sends P obu and P obu = x obu P 1 to CA through a secure channel. After receiving the message, if e(P obu , P 1 ) = e(P 1 , P obu ) holds, then CA produces corresponding public certificate cert obu on P obu , and sends cert obu to the OBU. Finally, CA records (cert obu , P obu ) in the user list.

Joining
In this stage, RSUs will issue corresponding group certificate for the OBUs within their radio coverage. When OBU i gets into the communication area covered by a new RSU, the joining stage is activated between OBU i and the particular RSU. The detailed steps are as follows.
• To begin with, OBU i sends a request message to RSU for obtaining its public key.
• Upon receiving the request from OBU i , RSU returns its certificate and public key (cert rsu , P rsu ) to OBU i . • Upon receiving (cert rsu , P rsu ), OBU i checks (cert rsu , P rsu ). If it is not valid, OBU i would be required to send another request message again; otherwise, OBU i selects k, n ∈ Z * q randomly and computes P obu = x obu P ca . Then, it uses the public key of RSU P rsu to encrypt P obu , where the encrypting process is found by computing k P rsu = (x 1 , y 1 ) and C obu = (k P 1 , P obu + x 1 P 1 ). Finally, OBU i sends (cert obu , P obu , C obu , n) to RSU, where n is a random number chosen from Z * q . • Upon receiving (cert obu , P obu , C obu , n), RSU uses its private key x rsu to decrypt C obu and obtains P obu , and checks whether cert obu exists in the revocation list CRL. Then it checks whether e(P obu , P ca ) = e(P obu , P 1 ). If it does not holds, then it terminates at this stage; otherwise, RSU chooses two random numbers r, t ∈ Z * q and computes group certificate cert g = (c 1 , c 2 ), where c 1 = x rsu P 2 − r(P obu ), c 2 = rP 1 . Finally, RSU adds OBU i 's certificate cert obu to member list(ML) and uses OBU i 's public key P obu to encrypt cert g , where the encrypting process is found by computing tP obu = (x 2 , y 2 ) and C rsu = (tP 1 , c 2 + x 2 P 1 , c 1 + x 2 P 1 ). It then broadcasts (C rsu , n, CRL rsu ) within its communication range, where CRL rsu is the latest and is obtained from CRL and cert obu exists in ML of this RSU.
• When OBU i receives (C rsu , n, CRL rsu ), OBU i first determines whether this message is sent to itself by using the value n. If it holds, then OBU i uses its private key x obu to decrypt C rsu and obtains cert g , prior to checking whether e(c 1 , P 1 ) · e(x obu c 2 , P ca ) = e(P 2 , P rsu ). If it holds, then OBU i accepts this group certificate cert g = (c 1 , c 2 ); otherwise, OBU i sends the request message to RSU again.

Signing
When an OBU intends to broadcast a message m, it performs the following steps to sign the message.
• Computes τ 7 = x obu H 1 (m), which would be employed to determine whether two given signatures for a certain message are produced by a same OBU or not. However, the characteristic of threshold authentication is enabled by τ 7 . • A bundle of the above evaluated values is made by

Verifying
Upon receiving a message m and its signature τ , OBU j uses CA's public key ( P ca , P tm ), RSU's public key P rsu , and the revocation list CRL rsu to verify this signature as follows.
If all equations hold, then OBU j believes the validity of the signature, i.e., the sender of the signature has not been revoked. Once OBU j had received exceeding threshold number of valid signatures about the same message from distinctive OBUs, it would accept and believe the message.
In addition, the OBU can also use batch verification to speed up the verification on τ i 6 , P tm + P 1

Linking
With the linking key P link , SP can check whether two given pairs (m , τ ) and (m, τ ) are generated by a same user, as follows.
• First, it performs the verification process to check the validity of two given signatures.

Tracing
In this stage, CA can recover the real identity of the sender corresponding to a valid pair (m, τ ), then it updates the CRL and sends CRL to each RSU. The detailed process is as follows: • First, CA reveals the identity of signer corresponding to the signature message (m, τ ) by computing P obu = τ 4 − x tm τ 3 . • Then, CA finds signer's certificate cert obu in user list and computes P obu = x ca P obu .
• Finally, CA records (cert obu , P obu ) in CRL and sends CRL to each RSU.

Correctness and Security Analysis
In this section, the analysis of correctness and security about our proposed threshold anonymous authentication scheme are provided.

Correctness
We will now illustrate that our proposed scheme satisfies the correctness requirements according to Theorem 1.
Theorem 1: Our presented threshold anonymous authentication scheme is reasonable, i.e., the signatures generated by the honest user can be efficiently verified and traced correctly.

Security Analysis
We will now prove that our scheme achieves unforgeability and anonymity under the random oracle model, respectively in Theorems 2 and 3.
Unforgeability: In order to show that our anonymous authentication scheme satisfies unforgeability, we will prove that the adversary A cannot produce a valid signature in case it does not know secret key x obu or group certificate cert g = (c 1 , c 2 ). This security feature can be achieved by the unforgeability of signature.
Theorem 2: Our presented threshold anonymous authentication scheme is unforgeability.
Proof: We will demonstrate that if the unforgeability of our proposed authentication scheme can be violated by an adversary A with advantage ε, then an algorithm B can be built to break some hard problem by invoking A in a blackbox manner. Therefore, there exist two cases for the unforgeability of our proposed anonymous authentication scheme, the one is that the private key of group member is known to B, but the corresponding group certificate is unknown, and the other is that the group certificate is known to B, but the private key of group member is unknown.
Case 1: In terms of the former case, the purpose of B is to solve the eCDH problem, i.e., with given (P, aP, bP, P, a P), B outputs abP. Firstly, B generates the public parameters. It sets P 1 = aP, P 1 = a P, P 2 = bP, P ca = w(aP) = wP 1 , P ca = w(a P) = w P 1 , where w, x tm ∈ Z * q is selected randomly. B can interact with A by issuing the following queries.
• OBU public key oracle: When the adversary A issues this query to ask for the public key of OBUs, B returns P obu = x obu P 1 to A , where x obu is selected randomly from Z * q . • RSU public key oracle: When the adversary A issues this query to ask for the public key of RSUs, B decides whether the public key is the target public key. B computes P rsu = a P = x rsu P 1 if the public key is the target public key; otherwise, P rsu = x rsu P 1 , where x rsu is selected randomly from Z * q . At last, B returns P rsu to A . • OBU private key oracle: When A requests the corresponding private key of the public key P obu obtained from public key oracle, the corresponding x obu is returned by B. • Signature generation oracle: When A asks for the signature with a message m and an OBU public key P obu generated in OBU public key oracle and a RSU public key P rsu generated in RSU public key oracle. If P rsu is a P, B reports failure; otherwise, B performs as follows. B firstly issues private key oracle to obtain x obu , and then selects r, α, τ 8 , τ 9 ∈ Z * q randomly. Finally, B computes the signature and returns the signature to A .
• Reveal oracle: Take a pair (m, τ ) from A as input, B performs as the actual execution, as it knows x tm .
In a moment, A outputs a valid signature {τ 1 , τ 2 , τ 3 , τ 4 , τ 5 , τ 6 , τ 7 , τ 8 , τ 9 } on the message m under the targeted public key of RSU P rsu = a P. Whereafter, B is able to compute abP = τ 1 + wτ 5 = abP − r(wP obu ) + w(rP obu ), which exactly is the solution of the eCDH problem about the instance P, aP, bP. Note that only if B can correctly guess the right public key of RSU, the eCDH problem can be resolved with the probability of at least ε/qk rsu , where qk rsu denotes the number of RSU public key.
Case 2: For the later case, the purpose of B is still to solve the eCDH problem, i.e., with given (P 1 , aP 1 , bP 1 , P 1 , a P 1 ), B outputs abP.
Firstly B generates public parameter and public and private key pair for CA and RSU as the actual execution. Then, B can interact with A by issuing the following queries.
• OBU public key oracle: When the adversary A issues this query to request the public key of OBUs, B returns P obu = t obu (aP 1 ), where t obu is selected randomly from Z * q . • Group certificate oracle: When A requests the corresponding group certificate for the public key P obu obtained from the public key oracle, B performs as the actual execution, because it knows the group certificate, so it knows x rsu . • H 1 hash oracle: When A inputs message m, B firstly checks whether (m 1 , r 1 , R 1 ) exists in List L h 1 . If it exists, R 1 is returned to A ; otherwise, R 1 = r 1 (bP 1 ) if the message m is targeted message, where r 1 ∈ Z * q is chosen randomly; R 1 = r 1 P 1 , otherwise. Finally, the new tuple (m 1 , r 1 , R 1 ) is recorded into L h 1 .
where t obu is the value corresponding to P obu and r 1 is the value corresponding to the message m in L h 1 . At last, B checks whether (m τ 1 · · · τ 7 S 1 S 2 , σ 8 ) exists in List L h 2 . If it does not exists, B records (m τ 1 · · · τ 7 S 1 S 2 , σ 8 ) into L h 2 ; otherwise, aborts.
Theorem 3 (Anonymity) our proposed signature scheme is anonymous.
Proof: We will demonstrate that if there exists an ε-advantage adversary can break the identity indistinguishability of the proposed scheme, then a polynomial probability time algorithm B can be built to solve the eDDH problem with an advantage at least ε, i.e., with given (P, P, aP, bP, a P, b P, c P), B decides whether c P = ab P holds or not.
where x obu is the private key with respect to P obu .
Note because B does not abort at any step in all simulations, we can know that the overall probability of success for B is the same as the probability of success for A . Therefore, our proposed signature scheme is anonymous because the eDDH problem is hard problem.
• Threshold authentication: To ensure the authenticity of some special messages, such as traffic accident message, threshold based trust mechanism is adopted in our proposed scheme. i.e., a single signed message would not be accepted by the receiver unless the number of received signatures from different senders on the same message has exceeded the threshold number.
-since the values τ 1 = c 1 − r (x obu P ca ) and τ 2 = c 2 + r P 1 of τ are derived from the group certificate cert g = (c 1 , c 2 ), τ 1 and τ 2 can be used to check whether the sender poses a group certificate of a RSU, and the values τ 3 = α · P 1 , τ 4 = x obu · P 1 + α · P tm which are computed by using the private key of the sender x obu can be employed to trace the identity of signer. -However, the value τ 7 = x obu H 1 (m) in τ is generated by the private key x obu and the hash value of m, thus the receiver can use the value τ 7 to determine whether the received signatures for the message m are produced by the same signer. If a malicious sender attempts to break the threshold mechanism by producing multiple different signatures for the same message m, this misbehavior would be detected by the receiver. Therefore, threshold authentication is achieved. • Controllable linkabilty: The controllable linkability in our scheme refers to that any other entities except the service provider SP cannot link any two or messages to a sender, i.e., only SP can determine whether two anonymous signatures are produced by the same sender. Since the signature is produced by using random numbers, and the group certificate of a signer is randomized before it is assigned each time. Even if two or more signatures about different messages are generated by the same user, an adversary A cannot figure out whether they are signed by the same user, which means that the exchanged messages are unlinkable for the outside adversary. However, SP with a linking key can determine whether two different signatures are produced by the same sender, thus it can provide personalized services. Therefore, the controllable linkability has been achieved in our presented anonymous authentication scheme. • Non-repudiation: Although our presented anonymous authentication scheme enable the signer of a message to be anonymous, the sender cannot deny the signature, and the nonrepudiation of the proposed scheme is still effective. Every broadcasted signature message consists of a dynamic pseudonyms and a dynamic group certificate, which is computed by using the public key and private key of the signer, group certificate and random numbers. According to Theorem 2, an adversary A cannot produce a valid signature if he or she does not have a private key or the corresponding group certificate. Therefore, the user can never deny the broadcasted signature message generated by its private key and group certificate. Thus, the non-repudiation of our scheme is achieved. • Conditional traceability: The conditional traceability in our presented scheme means the message sender cannot be traced by any unauthorized entity, and the identity of a signature sender can only be derived by the trusted third party (TTP). Since the public key of the signer is used to produce the values τ 3 , τ 4 in signature by utilizing CA's public key, CA is the only entity who can recover the identity corresponding to the signature. Suppose there exists an adversary A can violate the conditional traceability of our presented authentication scheme, thus A can produce a valid signature without the private key or the corresponding group certificate, which is contradicts with Theorem 2. Therefore, our proposed scheme achieves traceability.

Performance Evaluation
In this section, we give out a comparison on the computation cost and communication overhead with existing group signature based authentication schemes. In addition, the running time of compared schemes are evaluated with implementation based on cryptographic libraries.

Computation Cost
We focus on the computation cost of the signing process and the verifying process with the existing similar schemes [15,17,28,29], and the cost of revocation check is not considered since this function is our specific goal and the length of the revocation list is uncertain. The related computation cost is summarized in Tab. 3. Since the time of transmission depends on the real network, not the concret scheme, it is not considered in the comparison. In sign stage, when a signer signs a single message, the computation cost in scheme [15,17] is about 11T ex ; the computation cost in scheme [28] is about 10T ex ; the computation cost in scheme [29] is about 9T ex ; the computation cost in our proposed scheme is about 8T mul . In addition, in the verification stage, when a verifier verifies a single message, the computation cost in scheme [15,17] is about 11T ex + 1T bp ; the computation cost in scheme [28] is about 4T ex + 10T bp ; the computation cost in scheme [29] is about 4T ex + 9T bp ; the computation cost in our proposed scheme is about 4T mul + 6T bp .
However, a verifier may need to verify multiple messages in a verification period, thus we assume that the traffic density is n which is the verifier received the number of messages in a verification period. Therefore, when a verifier verifies n messages simultaneously, the computation cost in scheme [15,17] is about 11nT ex + nT bp ; the computation cost in scheme [28] is about 4nT ex + (n + 5)T bp in batch; the computation cost in scheme [29] is about 4nT ex + (n + 6)T bp in batch; the computation cost in our proposed scheme is about 4nT mul + (n + 4)T bp in batch.

Communication Overhead
In this subsection, we evaluate the communication overhead with the existing group signature based schemes [15,17,28,29]. The related comparison result is summarized in Tab. 4. In Tab. 4, G , q and H represent the bit-length of an element of group G, the order of group G and an element of hash H, respectively.

Figure 4: Computation cost of verification stage
An intuitive comparison on communication overhead in term of the number of messages is given in Fig. 5. It can be seen that the communication overhead increases linearly with the growth of the number of messages transmitted. Based on the comparison above, we can conclude that the communication overhead of our presented anonymous authentication scheme is relatively low.  [17] 3 G + 1 H + 4 q Reference [28] 7 G + 1 H + 1 q Reference [29] 9 G + 1 H + 1 q Proposed 7 G + 1 H + 1 q ref. [21] ref. [23] ref. [27] ref.
[28] Our In this paper, a group signature-based anonymous authentication scheme with controllable linkability was proposed. The scheme is designed to enable providers who have a linking key to determine whether two messages were produced by the same signer, while preserving the user's anonymity. Threshold authentication enables the receiver to figure out whether the received signature is produced by the same sender to prevent the replay attack. In addition, the function of verifier-local revocation is supported (i.e., a verifier is able to check whether a received signature is generated by a revoked user). Security and performance evaluations demonstrated the utility of our presented scheme.
Funding Statement: Our work was jointly supported by the National Natural Science Foundation of China (Nos. 61872051, 61702067), the Venture & Innovation Support Program for Chongqing Overseas Returnees (No. CX2018122), the Chongqing Natural Science Foundation (No. cstc2020jcyjmsxmX0343).

Conflicts of Interest:
The authors declare that they have no conflicts of interest to report regarding the present study.