1 Introduction

Mobile ad hoc networks (MANETs) [14] have attracted many researchers’ interest because they have no fixed network infrastructure, which also increases the difficulty of providing security for MANETs. Vehicle ad hoc network (VANET) [5, 6] is a variant of MANETs which can improve traffic safety and efficiency. In a VANET, vehicles are equipped with on-board units (OBUs) which can be used to communicate with road side units (RSUs). The vehicles can also use OBUs to communicate with each other. However, the wireless communication mode makes the security of VANETs complex. Many attacks need to be considered, including interception, replay, deletion and so on. A secure VANET ought to have the following properties [6]: unforgeability, identity privacy preservation, traceability, message authentication, non-repudiation, unlinkability and replay resistance. Recently, a lot of research [7–12] has been done on the security of VANETs. However, most of these schemes involve low efficiency and expensive deployment.

In 2008, an identity-based batch (IBBV) scheme was proposed by Zhang et al. [13, 14]. In their scheme, a batch of signed messages can be verified together, which saves a great deal of time. In 2013, Lee and Lai [15] pointed out that there were some drawbacks in Zhang et al.’s IBBV scheme [14]. Lee and Lai also proposed an improved IBBV scheme with high efficiency. Unfortunately, in 2015, Tzeng et al. [6] found that Lee and Lai’s IBBV scheme was vulnerable to some attacks, including forgery and real identity extraction. As an improvement, Tzeng et al. [6] proposed a new IBBV scheme with enhanced security. They also carried out a concrete simulation evaluation showing that their scheme had superior performance in terms of computation cost and transmission overhead compared with other similar IBBV schemes. However, Tzeng et al.’s scheme [6] needs the bilinear pairing operation, which is one of the most time-consuming operations in modern cryptography. In this paper, we make a slight modification to Tzeng et al.’s scheme to propose an improved IBBV scheme. The improved scheme removes the bilinear pairing and makes the computation cost very low, i.e., a constant 1.2 ms for any number of message signatures. Therefore, our scheme achieves better performance than Tzeng et al.’s scheme and other similar schemes.

The rest of the paper is organized as follows. In Sect. 2, we give some preliminaries. In Sect. 3, we review Tzeng et al.’s IBBV scheme. In Sect. 4, we present our improved scheme and evaluate its security and performance. In Sect. 5, an improved authentication scheme is presented. In Sect. 6, we conclude this paper.

2 Preliminaries

2.1 Bilinear Map

Let \( G_{1} \) and \( G_{2} \) be two groups of the same prime order q, and let P be a generator of \( G_{1} \). A map \( e: G_{1} \times G_{1} \to G_{2} \) is a bilinear map if it has the following properties:

  • Bilinearity: \( e(U^{x} ,V^{y} ) = e(U,V)^{xy} \) for all \( U,V \in G_{1} \) and \( x,y \in Z_{q}^{*} . \)

  • Non-degeneracy: \( e(P,P) \ne 1. \)

  • Computability: for all \( U,V \in G_{1} ,\;e(U,V) \) can be computed efficiently.

2.2 Discrete Logarithm (DL) Problem

Given two random elements \( P_{1} ,P_{2} \in G_{1} \), the DL problem is to find \( a \) such that \( P_{2} = aP_{1} . \)

3 Review of Tzeng et al.’s IBBV Scheme

For convenience, and to show clearly the difference between our improved IBBV scheme and Tzeng et al.’s scheme, we briefly review Tzeng et al.’s IBBV scheme [6] for VANET here.

Tzeng et al.’s IBBV scheme includes three parts: system setup (Syssetup), identity and signature generation (ID-SIGgeneration) and signature verification (SIGverification).

3.1 System Setup (Syssetup)

In this phase, a trust authority (TA) sets up and publishes the system parameters as follows.

  • TA selects two groups \( G_{1} \) and \( G_{2} \) with the same prime order q. It then chooses two random generators of \( G_{1} \): \( P_{1} \) and \( P_{2} . \) \( e:\,G_{1} \times G_{1} \to G_{2} \) is a bilinear map as defined above. Define two one-way hash functions: \( H_{1} : \left\{ {0, 1} \right\}^{*} \to G_{1} \) and \( H_{2} : \left\{ {0, 1} \right\}^{*} \to Z_{q}^{*} \). Then, TA chooses a random element \( s \in Z_{q}^{*} \) as the master private key and computes \( P_{pk} = sP_{1} \) as the system public key. The system public parameters are \( params = \{ G_{1} ,G_{2} ,q,e,P_{1} ,P_{2} ,P_{pk} ,H_{1} ,H_{2} \} . \)

  • TA generates a real identity RID and a secret password PWD for each vehicle when it makes the first registration. After that, TA preloads its identity RID, the password PWD and the master private key s into each vehicle’s tamper-proof device. Then, TA publishes params to all RSUs and all vehicles.

3.2 Identity and Signature Generation (ID-SIGgeneration)

In this phase, the tamper-proof device of each vehicle performs the anonymous identity generation and signature generation. To do this, the tamper-proof device of each vehicle consists of three modules: the authentication module (AM), the anonymous identity generation module (AIGM) and the signature module (SM). Each module works as follows.

  • Before signing a message, the vehicle C must pass the identity authentication performed by the authentication module of the tamper-proof device. C first inputs its own RID and PWD into the tamper-proof device. Then, the AM verifies the correctness of RID and PWD. If they are both not correct, the tamper-proof device ends the following operation. Otherwise, it performs the AIGM as follows.

  • The AIGM picks a random element \( k \in Z_{q}^{*} \) and computes \( (ID_{1} ,ID_{2} ) \) where \( ID_{1} = kP_{1} \) and \( ID_{2} = RID \oplus H_{1} \left( {kP_{pk} } \right). \) Then, \( (ID_{1} ,ID_{2} ) \) is an anonymous identity for vehicle C. Next, the SM begins to work.

  • The vehicle C constructs a message m and sends m to the SM of tamper-proof device. SM performs the following signature operations on m. First, the SM generates a current time stamp T. Then, it computes

$$ V = (k + sH_{2} (ID_{1} \,||\,m\,||\,ID_{2} \,||\,T))P_{2} . $$

Finally, the tamper-proof device obtains \( \sigma = \, \left\{ {\left( {ID_{ 1} ,ID_{ 2} } \right),m,V,T} \right\} \) and the vehicle C sends σ to the neighbouring RSU and vehicles.

3.3 Signature Verification (SIGverification)

  • Single signature verification. After RSU or a vehicle receives a message \( \sigma = \left\{ {\left( {ID_{ 1} ,ID_{ 2} } \right),m,V,T} \right\}, \) the RSU or vehicle verifies the message as follows. First, it checks if the time T is fresh. If T is fresh, it checks if

    $$ e(V,P_{1} ) = e(ID_{1} + H_{2} (ID_{1} \,||\,m\,||\,ID_{2} \,||\,T)P_{pk} ,P_{2} ) $$

    If the above equation is satisfied, the RSU or vehicle accepts the message; otherwise, it rejects it.

  • Batch signature verification. To prevent a large number of messages from congesting the RSU, batch verification is used as a very efficient method to improve the verification speed. Assume that the RSU receives l messages, such as \( \{ (ID_{1,1} ,ID_{1,2} ),m_{1} ,V_{1} ,T_{1} \} ,\{ (ID_{2,1} ,ID_{2,2} ),m_{2} ,V_{2} ,T_{2} \} , \ldots ,\{ (ID_{l,1} ,ID_{l,2} ),m_{l} ,V_{l} ,T_{l} \} . \) The RSU first checks that every time stamp \( T_{i} \) is fresh for \( 1 \le i \le l. \) Then, the RSU uses the concept of the small exponent test [6, 9] to check the following equation

    $$ e(\sum\limits_{i = 1}^{l} {t_{i} V_{i} } ,P_{1} ) = e(\sum\limits_{i = 1}^{l} {t_{i} ID_{i,1} } + \sum\limits_{i = 1}^{l} {t_{i} H_{2} (ID_{i,1} \,||\,m_{i} \,||\,ID_{i,2} \,||\,T_{i} )} P_{pk} ,P_{2} ) $$

    where \( t_{i} \;(1 \le i \le l) \) form a random l-vector; see [6, 9] for more information on \( t_{i} . \)

4 The Improved IBBV Scheme

From the above description of Tzeng et al.’s IBBV scheme, it can be seen that the scheme needs two bilinear pairing operations for single signature verification. In this section, we make a slight modification to Tzeng et al.’s IBBV scheme to present an improved IBBV scheme which is pairing-free.

4.1 The Scheme

Our improved scheme consists of the same three phases as Tzeng et al.’s IBBV scheme: system setup (Syssetup), identity and signature generation (ID-SIGgeneration) and signature verification (SIGverification).

The Syssetup phase of our improved scheme is the same as that of Tzeng et al.’s scheme. The main differences are in the ID-SIGgeneration and SIGverification phases.

ID-SIGgeneration

  • After RID and PWD pass the authentication of the AM, the AIGM picks a random element \( k \in Z_{q}^{*} \) and computes \( (ID_{1} ,ID_{2} ) \) where

    $$ \begin{aligned} & ID_{1} = kP_{1} \\ & ID_{2} = RID \oplus H_{1} (kP_{pk} ). \\ \end{aligned} $$

    Then, \( (ID_{1} ,ID_{2} ) \) is an anonymous identity for vehicle C.

    We can reduce the computation cost of the anonymous identity by the following method. The AIGM generates a current time stamp T and computes

    $$ ID = RID \oplus H_{1} (T,s). $$

    Then, ID is the anonymous identity which can be used to generate the signature later. It can be seen that this saves one point multiplication operation compared with the previous method. When the real identity of the vehicle needs to be recovered, TA computes

    $$ RID = ID \oplus H_{1} (T,s). $$

    Then TA obtains the vehicle’s real identity RID.

  • After the anonymous identity generation, the vehicle C constructs a message m and sends m to the SM of tamper-proof device. The SM generates a current time stamp T. Then, it computes

    $$ r = k + sH_{2} (ID_{1} \,||\,m\,||\,ID_{2} \,||\,T). $$

    Finally, the tamper-proof device gets the signature \( \{ (ID_{1} ,ID_{2} ),m,r,T\} \) and the vehicle C sends \( \{ (ID_{1} ,ID_{2} ),m,r,T\} \) to the neighbouring RSU and vehicles.

Signature Verification (SIGverification)

  • Single signature verification. After an RSU or a vehicle receives a signature \( \{ (ID_{1} ,ID_{2} ),m,r,T\} , \) the RSU or vehicle verifies the message as follows. First, it checks if the time T is fresh. If T is fresh, it checks if

    $$ rP_{1} = ID_{1} + H_{2} (ID_{1} \,||\,m\,||\,ID_{2} \,||\,T)P_{pk} . $$

    If the above equation is satisfied, the RSU or vehicle accepts the message; otherwise, it rejects it. The correctness of the above equation can be verified as follows.

    $$ \begin{aligned} & \;\,rP_{1} \\ & = (k + sH_{2} (ID_{1} \,||\,m\,||\,ID_{2} \,||\,T))P_{1} \\ & = kP_{1} + sH_{2} (ID_{1} \,||\,m\,||\,ID_{2} \,||\,T)P_{1} \\ & = ID_{1} + H_{2} (ID_{1} \,||\,m\,||\,ID_{2} \,||\,T)P_{pk} . \\ \end{aligned} $$

  • Batch signature verification adopts the same technique as Tzeng et al.’s scheme. Assume that the RSU receives l messages, such as

    $$ \begin{aligned} & \{ (ID_{1,1} ,ID_{1,2} ),m_{1} ,r_{1} ,T_{1} \} , \\ & \{ (ID_{2,1} ,ID_{2,2} ),m_{2} ,r_{2} ,T_{2} \} , \\ & \ldots \ldots \\ & \{ (ID_{l,1} ,ID_{l,2} ),m_{l} ,r_{l} ,T_{l} \} . \\ \end{aligned} $$

    The RSU first checks that every time stamp \( T_{i} \) is fresh for \( 1 \le i \le l. \) Then, the RSU checks the following equation

    $$ \sum\limits_{i = 1}^{l} {t_{i} r_{i} P_{1} } = \sum\limits_{i = 1}^{l} {t_{i} ID_{i,1} } + \sum\limits_{i = 1}^{l} {t_{i} H_{2} (ID_{i,1} \,||\,m_{i} \,||\,ID_{i,2} \,||\,T_{i} )P_{pk} } . $$

    where \( t_{i} \;(1 \le i \le l) \) form a random l-vector as in Tzeng et al.’s scheme.
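The signing, single-verification and small-exponent batch-verification equations of Sect. 4.1, as an added example that is not part of the original paper. It assumes secp256k1 as \( G_{1} \), SHA-256 as \( H_{2} \), \( ID_{2} \) passed in as opaque bytes, a fresh k per signature, 64-bit \( t_{i} \) and a 5-second freshness window, none of which the paper specifies.

```python
import hashlib
import secrets

# Assumption: secp256k1 stands in for G1; the paper does not fix a group.
P = 2**256 - 2**32 - 977  # field prime
Q = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141  # order q
P1 = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
      0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def add(A, B):  # point addition; None is the identity
    if A is None or B is None:
        return A or B
    (x1, y1), (x2, y2) = A, B
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    lam = (3 * x1 * x1 * pow(2 * y1, -1, P) if A == B
           else (y2 - y1) * pow(x2 - x1, -1, P)) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P

def mul(n, A):  # double-and-add; not constant time
    R, n = None, n % Q
    while n:
        if n & 1:
            R = add(R, A)
        A, n = add(A, A), n >> 1
    return R

def H2(ID1, m, ID2, T):  # H2(ID1 || m || ID2 || T) -> Z_q, length-prefixed
    parts = [ID1[0].to_bytes(32, "big") + ID1[1].to_bytes(32, "big"),
             m, ID2, T.to_bytes(8, "big")]
    data = b"".join(len(p).to_bytes(4, "big") + p for p in parts)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q

def sign(s, ID2, m, T):  # r = k + s*H2(...)
    k = secrets.randbelow(Q - 1) + 1  # assumption: fresh k per signature
    ID1 = mul(k, P1)
    return ID1, ID2, m, (k + s * H2(ID1, m, ID2, T)) % Q, T

def verify(Ppk, sig, now, window=5):  # r*P1 == ID1 + H2(...)*Ppk
    ID1, ID2, m, r, T = sig
    return abs(now - T) <= window and (
        mul(r, P1) == add(ID1, mul(H2(ID1, m, ID2, T), Ppk)))

def batch_verify(Ppk, sigs, now, window=5):
    if any(abs(now - sg[4]) > window for sg in sigs):
        return False
    r_sum, h_sum, id_sum = 0, 0, None
    for ID1, ID2, m, r, T in sigs:
        t = secrets.randbelow(2**64 - 1) + 1  # small exponent t_i
        r_sum += t * r
        h_sum += t * H2(ID1, m, ID2, T)
        id_sum = add(id_sum, mul(t, ID1))  # one short multiplication per ID_{i,1}
    return mul(r_sum, P1) == add(id_sum, mul(h_sum, Ppk))
```

A deployed verifier would also check that each received \( ID_{i,1} \) is a valid group element and would use a vetted, constant-time curve library instead of this arithmetic.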

4.2 Performance and Security Evaluation

Performance Analysis

To facilitate comparison with other IBBV schemes, we adopt the same notation as Tzeng et al.’s scheme and consider only the dominant operations: \( T_{pairing} \), the time for one bilinear pairing operation, and \( T_{multiple} \), the time for one point multiplication operation on \( G_{1} \). From Table 1, Tzeng et al.’s scheme needs \( 2T_{multiple} + 2T_{pairing} \) for single message signing and verifying, and \( \left( {n + 1} \right)T_{multiple} + 2T_{pairing} \) for n messages signing and verifying. According to the simulation result from Tzeng et al.’s paper [6], \( T_{pairing} \) is 4.5 ms and \( T_{multiple} \) is 0.6 ms. So the total time for Tzeng et al.’s scheme is \( 4.5\,ms \times 2 + 0.6\,ms \times 2 = 10.2\,ms \) for a single message and \( 4.5\,ms \times 2 + 0.6\,ms \times (n + 1) = (9.6 + 0.6n)\,ms \) for n messages. Compared with other schemes [14–18], Tzeng et al.’s scheme has the best efficiency.

Table 1. Computational comparison with scheme [6]

However, from Table 1, our improved IBBV scheme needs \( 2T_{multiple} \) for single message signing and verifying and \( 2T_{multiple} \) for n messages signing and verifying, so the total time is the constant \( 0.6\,ms \times 2 = 1.2\,ms \) for a single message and for n messages alike. Therefore, our scheme has a constant time cost which does not increase with the number of messages. By the above analysis, our improved scheme is more efficient than other schemes, including Tzeng et al.’s scheme [6, 14–18]. We will present practical experimental data for our improved scheme in future work.

Security Analysis

Our improved IBBV scheme is a slight change of Tzeng et al.’s IBBV scheme, so we can adopt a similar proof technique to prove the security of our improved scheme. Next we give a simple analysis of the unforgeability of our scheme, which is the main security property of an IBBV scheme.

The unforgeability of our improved IBBV scheme can be reduced to the DL problem on \( G_{1} \) in the random oracle model. The main idea is as follows. We are given a random instance of the DL problem \( (P_{1} ,Q) \) where \( Q = aP_{1} \,{\text{and}}\,P_{1} ,\,Q \in G_{1} ,\,a \in Z_{q}^{*} . \) The aim of the challenger CH is to obtain a by using the adversary AD, running as follows.

Setup: In order to get a, CH sets

$$ P_{pk} = aP_{1} $$

as the system public key and a as the master private key. The other system parameters are set as Tzeng et al.’s scheme.

Query: In this phase, AD can make random oracle queries and signature queries. When AD submits a \( U_{i} \in G_{1} \) for an \( H_{1} \) random oracle query, CH chooses a random element \( b_{i} \in G_{1} \) and returns \( b_{i} \) to AD as the value of \( H_{1} (U_{i} ) \). CH records the tuple \( (U_{i} ,b_{i} ) \). Namely,

$$ b_{i} = H_{1} (U_{i} ). $$

When AD submits a \( \left\{ {\left( {ID_{i,1} ,ID_{i,2} } \right),m_{i} ,T_{i} } \right\} \) for an \( H_{2} \) query, CH randomly selects \( c_{i} \in Z_{q}^{*} \) and returns \( c_{i} \) to AD as the value of \( H_{2} (ID_{i,1} \,||\,m_{i} \,||\,ID_{i,2} \,||\,T_{i} ). \) Namely,

$$ c_{i} = H_{2} (ID_{i,1} ||m_{i} ||ID_{i,2} ||T_{i} ). $$

When AD submits a message \( m_{i} \) for a signature query, CH randomly chooses \( k_{i} ,c_{i} \in Z_{q}^{*} ,\,b_{i} \in G_{1} \) and sets

$$ \begin{aligned} & \;r_{i} = k_{i} , \\ & ID_{i,2} = RID \oplus b_{i} . \\ \end{aligned} $$

Then, CH computes

$$ ID_{i,1} = k_{i} P_{1} - c_{i} P_{pk} . $$

\( \left\{ {\left( {ID_{i,1} ,ID_{i,2} } \right),m_{i} ,r_{i} ,T_{i} } \right\} \) is a valid signature because

$$ \begin{aligned} & \;\;r_{i} P_{1} \\ & = ID_{i,1} + c_{i} P_{pk} \\ & = k_{i} P_{1} - c_{i} P_{pk} + c_{i} P_{pk} \\ & = k_{i} P_{1} = r_{i} P_{1} . \\ \end{aligned} $$

Output: AD finally outputs a forged signature \( \{ (ID_{1}^{*} ,ID_{2}^{*} ),\,m^{*} ,\,r^{*} ,\,T^{*} \} . \) Write

$$ h^{*} = H_{2} (ID_{1}^{*} \,||\,m^{*} \,||\,ID_{2}^{*} \,||\,T^{*} ). $$

Using the forking lemma [19], CH can obtain another signature \( \{ (ID_{1}^{*} ,ID_{2}^{*} ),\,m^{*} ,\,r^{'*} ,\,T^{'*} \} . \) The two signatures satisfy

$$ \begin{aligned} & r^{*} = k^{*} + ah^{*} \\ & r^{'*} = k^{*} + ah^{'*} \\ \end{aligned} $$

Thus, CH can solve the given DL problem and obtain

$$ a = (r^{*} - r^{'*} ) \cdot (h^{*} - h^{'*} )^{ - 1} . $$

The other security properties (i.e., message authentication, identity privacy preservation, traceability and so on) of our IBBV scheme can be proved using the same analysis as for Tzeng et al.’s scheme [6], so we omit these descriptions. Therefore, our improvement does not change the security properties of the original scheme; namely, the improved scheme still keeps the original security properties.

5 A Pairing-Free Authentication Scheme

In 2012, Tameem Eissa et al. [2] proposed an identity-based RSA authentication scheme for mobile ad hoc networks (MANETs). In their authentication scheme, the messages transmitted between mobile nodes were encrypted by RSA. In order to avoid RSA attacks, the RSA public keys are secured and only the trusted nodes can access them. Due to the use of RSA, the efficiency of their authentication scheme is high. However, their scheme used the bilinear pairing operation, so the computation cost is still high. Here, we use the real identity recovery technique of Tzeng et al.’s IBBV scheme (i.e., \( RID = ID_{2} \oplus H_{1} (kP_{pk} ) \)) to present an improved authentication scheme which is a very slight change of Tameem Eissa et al.’s scheme. Due to space limits, we only provide the main idea.

Assume that \( d_{i} \) and \( (e_{i} ,N_{i} ) \) are the RSA private key and public key for node \( i \in \{ A,B,CRSA\} . \) When a node A submits \( (ID_{B} ,P_{A} ) \) to a coalition CRSA for the public keys of node B, where \( ID_{B} \) is the identity of B and

$$ P_{A} = d_{A} P, $$

CRSA does as follows. CRSA computes

$$ \begin{aligned} & C = e_{B} \oplus H_{2} (d_{CRSA} P_{A} \,||\,ID_{A} \,||\,ID_{B} ), \\ & U = P_{CRSA} = d_{CRSA} P, \\ & W = e_{B} P, \\ & Y = N_{B} \oplus H_{3} (e_{B} ). \\ \end{aligned} $$

After A gets (U, C, W, Y), it can obtain the public key \( (e_{B} ,N_{B} ) \) by computing

$$ \begin{aligned} & e_{B} = C \oplus H_{2} (d_{A} P_{CRSA} \,||\,ID_{A} \,||\,ID_{B} ), \\ & N_{B} = Y \oplus H_{3} (e_{B} ). \\ \end{aligned} $$

6 Conclusion

In this study, we review Tzeng et al.’s identity-based batch scheme for VANET, which has better efficiency than other similar schemes. As an improvement of Tzeng et al.’s scheme, we present a new pairing-free IBBV scheme. We also make a performance comparison between our scheme and other IBBV schemes. The comparison shows that our scheme is not only secure in the random oracle model but also has a constant computation cost which is independent of the number of messages. Therefore, our scheme has better performance and is more practical than the others.