Beruflich Dokumente
Kultur Dokumente
Jinhui Liu, Yong Yu , Jianwei Jia, Shijia Wang, Peiru Fan, Houzhen Wang, and Huanguo Zhang
Abstract: Amidst the rapid development of the Internet of Things (IoT), Vehicular Ad-Hoc NETwork (VANET), a
typical IoT application, are bringing an ever-larger number of intelligent and convenient services to the daily lives
of individuals. However, there remain challenges for VANETs in preserving privacy and security. In this paper, we
propose the first lattice-based Double-Authentication-Preventing Ring Signature (DAPRS) and adopt it to propose
a novel privacy-preserving authentication scheme for VANETs, offering the potential for security against quantum
computers. The new construction is proven secure against chosen message attacks. Our scheme is more efficient
than other ring signature in terms of the time cost of the message signing phase and verification phase, and also in
terms of signature length. Analyses of security and efficiency demonstrate that our proposed scheme is provably
secure and efficient in the application.
Key words: Vehicular Ad-Hoc NETwork (VANET); privacy; security; Double-Authentication-Preventing Ring
Signature (DAPRS); lattice
privacy preserving anonymous authentication scheme problems, such as the discrete logarithm problem or the
for VANETs. The scheme is highly efficient in terms large integer factorization problem.
of the delays involved in signature and certificate In this paper, to prevent fraud by discouraging users
verification; however, it maintains conditional from submitting (signing) duplicates, we use Double
privacy. For an anonymous certificate, in order to Authentication Preventing Signatures (DAPSs) instead
reduce communication overhead and to minimize of conventional signatures, where the address a (or
cryptographic packet loss, Feiri et al.[10] combined its associated space) can be given some application
certificate pre-distribution and certificate omission dependent semantics. DAPSs are stronger signatures
in order to reduce communications overhead and in the sense that they can reveal a signer’s secret key
minimize cryptographic packet loss. Although the use to the public[11–15] . In anonymous credential systems,
of anonymous certificates is able to achieve the purpose revealing the secret key is related to the Public
of privacy protection, it needs further investigation to Key Infrastructure (PKI) assured non-transferability
overcome weaknesses in certificate distribution and concept, which discourages fraudulent behavior. Many
revocation, and numerous problems with certificate instances show that while DAPS in itself offers
storage. detection, this may not be enough of a deterrence
Group signature schemes use traits of anonymity for fraud. Consequently, by combining ring signature
and traceability to construct anonymous certificate and DAPS, we provide a lattice-based Double-
schemes. For example, Lin et al.[11] used group Authentication-Preventing Ring Signature (DAPRS).
signatures in proposing a security and privacy- Based on DAPRS, we propose a new and practical
preserving protocol. The key features of this protocol conditional privacy protection scheme for VANETs.
are that the vehicles’ On Board Units (OBUs) are not Our latticed-based DAPRS has a number of advantages.
asked to store massive anonymous keys, and the Trust First, the use of a ring signature-based scheme
Authority (TA) is able to trace a misbehaving vehicle. means equality between numbers; compared with
The need to store revocation lists is a problem for group signatures, there is no group administrator
this group of methods. Some vehicles need to store a and therefore the scheme offers enhanced privacy
revocation list in case of communication with revoked protection. Second, in comparison with anonymous
vehicles and, for a wide-ranging network, the demands certificate-based schemes, ours does not need to keep
on the verification process rise linearly as vehicles in contact with certification distribution agents and
are added to the revocation list. Moreover, all group offer greater flexibility. Third, although the proposed
signatures schemes have to face up to an important scheme is more complex than a pseudonym-based
problem, namely how to select a group administrator. scheme, it is more secure and has the useful property
The group administrator holds great power in a group of extractability.
signature scheme, but the general assumption that they Our contribution: This paper presents the first
are honest and reliable may not hold, which poses a secure lattice-based DAPRS applied to VANETs,
threat to the security of group signatures. covering anonymity, unforgeability, extractability, and
On this front, ring signature-based authentication non-slanderability. Our scheme has the potential to
schemes have the advantage of not having an defend against quantum computer attacks, which have
administrator role. All members of the ring have been of widespread concerned for decades[16, 17] .
equal status, which is better for the preservation of The structure of the paper is as follows. Section
privacy. Also, compared with anonymous certificate 2 presents some preliminaries including notations,
schemes, ring signature authentication does not require mathematical functions, and syntax. Section 3 provides
to communicate with certificate authorities, making system model and security goals, while the details of
it more flexible and self-contained. Although ring our proposed scheme are given in Section 4. Security
signature schemes are not as simple as pseudonym- and efficiency analyses are presented in Sections 5 and
based schemes, they can achieve a higher level of 6, respectively.
security. With the development of quantum computers,
2 Preliminaries
there have appeared a few ring signatures for VANETs,
especially using a lattice-based ring signature. Most In this section, we introduce some notations and
of these are based on traditional mathematical hard mathematical tools, and the Existential UnForgeability
Jinhui Liu et al.: Lattice-Based Double-Authentication-Preventing Ring Signature for Security and Privacy in : : : 577
under Chosen Message Attack (EUF-CMA) security of with a non-negligible probability, then for every lattice
DAPS and DAPRS syntax. in D there exists a polynomial-time algorithm that can
2.1 Notations solve S VP
.L/ problem corresponding to an ideal,
where
D 16d mn log2 n[18] .
The main symbols used in our scheme are illustrated in
Table 1 along with their definitions. 2.3 Statistical distance
2.2 Collision-resistant hash functions For any function f with domain A which may be
possibly randomized, the statistical distance between
Suppose that D is a ring Zp Œx=hx n C 1i, where n is
f .x/ and f .x 0 / is at most
the power of 2. Let D D fy 2 D; kyk1 6 d g be
a set for some integer d and H.D; D ; m/ be a hash .f .x/; f .x 0 // 6 .x; x 0 /;
function family which satisfies linear property such that where x and x 0 are two random variables over a
m > log p=log .2d / and p > 4d mn1:5 log n. That is common set A and
to say, if h 2 H.D; D ; m/, it satisfies properties P
jP rŒX D x P rŒX 0 D xj
(
h.by Cb z / D h.b
y / C h.b
z /; b z 2 D mu ,
y; b .X; X 0 / D
x2S
,
(1) 2
h.by c/ D ch.by /; c 2 D
and .f .X /; f .X 0 // D
y D .y1 ; : : : ; ym /; b
where b z D .z1 ; : : : ; zm /.
P rŒf .X 0 / D f .x/j
P
For random h 2 H.D; D ; m/, if there exists a jP rŒf .X / D f .x/
x2S
polynomial-time algorithm that can solve Col.h; D / .
2
Table 1 Notation.
Notation Description 2.4 EUF-CMA of DAPS
Zp Quotient ring Z=pZ
For all adversaries A, if there exists a negligible
Security parameter
function "./ such that
Power of 2 greater than security
n
parameter
PrŒexpEUF-CMA
A;DAPS ./ D 1 6 "./;
Prime of order .n4Cc / such that
p
p 3 mod 8 where the experiment expEUF-CMA A;DAPS ./ is given as
x n C 1 is irreducible and the elements follows:
Ring D D
of D are represented by f .p
Zp Œx=hx n C 1i
1/=2; : : : ; .p 1/=2g.
.skD ; pkD / KGenD .1 /;
Polynomials Roman letters .a; b; : : : / Q ∅0 ; R ∅0 ,
sign0D .skD ;/
Vectors of polynomials Roman letters with a hat .b a; b
b; : : : / .m ; / A .pk˙ /,
a D .a1 ; : : : ; am / a1 ; : : : ; am are polynomials in D.
b if verifyD .pkD ; m ; / D 1 ^ m … Q
on the underlying hard problem assumption, which can key, and b a and h as its public keys.
be proved by the ring signature scheme. Each vehicle Vi with its real identity RIDi , then self-
(4) Deterable-iff-double signature by one signer: generates its key pair by itself and obtains its certificate
If a vehicle signs on colliding messages .a; p1 / and from TA as follows.
.a; p2 /, it can be identified and its signature keys can (7) Choose b s i as its private key and compute b bi D b
ab
si
be extracted by anyone. as its public key.
(8) Select b t i to compute verification information
4 DAPRS for VANETs Si D H.b abt i kRIDi / and b ci D b ti C bb i Si . Then send
In this section we present details of our privacy .b i ; RIDi ; Si ; c i / to TA for registration.
b b
protection scheme for VANETs based on DAPRS. Each (9) After Vi receives this message, the TA checks
vehicle can receive a pair of public keys from other whether the following equation holds or not:
moving vehicles’ messages. When a vehicle (sender) ‹
Si D H.b a.bci b b i H.b
abt i kRIDi //kRIDi /.
‚…„ƒ
wants to authenticate a message m D .a; p/, it chooses
n valid public keys .h1 ; : : : ; hn / to form a ring R. The If it does hold, bi and RIDi are defined as a valid
the vehicle then makes a ring signature with respect public key and identity of Vi , respectively. After
to .a; p; R/ based on the underlying DAPRS. On the that, the TA stores .bi ; RIDi / and creates Certi D
one hand, if is a valid signature, then the receiver sig.bi ; RIDi I bs TRC / for Vi with the TA’s private key
believes that .a; p/ is sent by a member of ring R s TRC . Finally, the tamper-proof device of each vehicle
b
without knowing which member; so the actual identity is preloaded with .b s i ; bi ; RIDi ; Certi /.
of the signer is protected. On the other hand, if there (10) A ring set generation phase. Once Vi moves into
are two valid signatures 1 and 2 on messages .a; p1 / a region which is covered by an RSU, the Vi applies to
and .a; p2 / from the same vehicle, then the signature form a ring R. When the RSU receives the application,
keys of that vehicle can be extracted. In this way, the it verifies its effectiveness and timeliness. The RSU puts
underlying DAPRS can be unconditionally anonymous the public keys into the ring, and when the default value
for the signer. is achieved by public keys, RSU broadcasts the ring set.
Our proposed scheme is made up of four parts: All vehicles contained in the ring set can then use the
system initialization and membership registration, OBU ring to sign their corresponding messages.
safety message generation, message verification, and 4.2 Message signature
extractability of double signatures by one signer.
When a vehicle broadcasts messages to other vehicles,
4.1 System initialization and membership
it first construct a message with a timestamp, then it
registration
chooses a ring containing the public keys of the ring
Given a security parameter , TA generates the members. The signature generation algorithm is listed
parameters .; n; mu ; p; S /, where n is the power of as follows.
2 and n > , mu D 3 log n, and p is a prime larger Taking a common vehicle Vk , once it has been
than n4 such that p 3 mod 8. According to these moving on the road for some time it will have collected
parameters, we define D; Dh ; Dz ; Dy ; and Ds;c , the and stored many public keys of other vehicles. Let these
family H, and S D, S ¤ 0. We then proceed with public keys be R D fb h1 ; : : : ; b a; H1 g, where
hl ; S; b
the following steps. H1 is a cryptographic hash function. When Vk needs
mu
(1) Set b s D .s1 ; : : : ; smu / Ds;c . to send and authenticate the message m D .a; pk /, it
(2) If si is non-invertible, go to Step 1. randomly chooses n public keys from set R to form a
(3) Choose an invertible si0 , where i0 2 f1; : : : ; mg. ring R. We then proceed with the following steps.
mu
(4) Pick .a1 ; a2 ; : : : ; ai0 1 ; ai0 C1 ; : : : ; amu / (1) Vk verifies bs k 2 Ds;c ; R is of a size bounded by
mu 1 c
D . ; one of the public keys in R is associated to b s k . If
(5) Let ai0 D si01 .S
P
a D
i ¤i0 ai si / and set b verification fails, output a failure result.
.a1 ; a2 ; : : : ; amu /. mu
(2) For all i 2 Œl, i ¤ k; b
yk Db z
.
(6) TA selects a secure signature algorithm sig() and mu
(3) For i D k; byk Dy .
a cryptographic hash functions h.b s/ D b abs 2 H defined
P
(4) Set e H1 . i2Œl hi .b y k /; pk /, where e is in
by a. After that, TA randomly selects s as its private
b b Ds;c .
580 Tsinghua Science and Technology, October 2019, 24(5): 575–584
performance of our scheme. We compare the efficiency and 2018CBLY006), and the China Postdoctoral Science
of our scheme with some related schemes on signature Foundation (No. 2018M631121).
generation time, verification of signature time, and
References
signature length. Since the cost of addition operations
and hash values are very small, here we will ignore their [1] H. Zhu, W. Pan, B. Liu, and H. Li, A lightweight
anonymous authentication scheme for VANET based on
time cost here[20, 21] . Suppose that the number of ring
bilinear pairing, in Proc. 4th International Conference
signature is R, Tmul and TSample represent the time cost on Intelligent Networking and Collaborative Systems
of the point multiplications and SamplePre algorithms, (INCoS), Bucharest, Romania, 2012, pp. 222–228.
respectively, and TNIZK represents the time cost of a [2] P. Vijayakumar, M. Azees, and L. Deborah, CPAV:
Computationally efficient privacy preserving anonymous
non-interactive zero knowledge proof. The efficiency
authentication scheme for vehicular ad-hoc networks,
comparisons of our DAPRS with some related schemes in Proc. IEEE 2nd International Conference on Cyber
for VANETs are listed in Table 3. From Table 3, we can Security and Cloud Computing (CSCloud), New York, NY,
see that our scheme achieves much greater efficiency. USA, 2015, pp. 62–67.
[3] D. Förster, F. Kargl, and H. Löhr, PUCA: A pseudonym
7 Conclusion scheme with user-controlled anonymity for vehicular ad-
hoc networks (VANET), in Proc. Vehicular Networking
In this paper, we investigated a new primitive. We Conference (VNC), Paderborn, Germany, 2014, pp. 25–32.
[4] J. Petit, F. Schaub, M. Feiri, and F. Kargl, Pseudonym
provided a new construction of this primitive and
schemes in vehicular networks: A survey, IEEE
showed that it achieves four security properties of Communications Surveys & Tutorials, vol. 17, no. 1, pp.
anonymity, unforgeability, extractability, and non- 228–255, 2015.
slanderability. We demonstrated that the proposed [5] Z. Liu, L. Zhang, and X. Lin, MARP: A distributed MAC
layer attack resistant pseudonym scheme for VANET, IEEE
scheme achieves unconditional anonymity of messages. Transactions on Dependable and Secure Computing. DOI:
We conducted security and efficiency analysis, which 10.1109/TDSC.2018.2838136.
show that our scheme for VANETs is efficient and [6] K. Lim, K. M. Tuladhar, X. Wang, and W. Liu, A
practical. scalable and secure key distribution scheme for group
signature-based authentication in VANET, in Proc. 8th
Acknowledgment Annual Ubiquitous Computing, Electronics, and Mobile
Communication Conference (UEMCON), New York, NY,
The author would like to thank the anonymous reviewers USA, 2017, pp. 478–483.
for their constructive comments and suggestions. This [7] L. Zhang, C. Li, Y. Li, Q. Luo, and R. Zhu, Group
work was supported by the National Key R&D (973) signature-based privacy protection algorithm for mobile
Program of China (No. 2017YFB0802000), the National ad-hoc network, in Proc. IEEE International Conference
on Information and Automation (ICIA), Wuyishan, China,
Natural Science Foundation of China (Nos. 61772326,
2017, pp. 947–952.
61572303, 61872229, and 61802239), the NSFC [8] Y. Han, N. N. Xue, B. Y. Wang, Q. Zhang, C. L. Liu,
Research Fund for International Young Scientists (No. and W. S. Zhang, Improved dual-protected ring signature
61750110528), the National Cryptography Development for security and privacy of vehicular communications
Fund during the 13th Five-Year Plan Period (Nos. in vehicular ad-hoc networks, IEEE Access, vol. 6, pp.
MMJJ20170216 and MMJJ201701304), the Foundation 20209–20220, 2018.
[9] Y. Cui, L. Cao, X. Zhang, and G. Zeng, Ring signature
of State Key Laboratory of Information Security (No.
based on lattice and VANET privacy preservation, Chinese
2017-MS-03), the Fundamental Research Funds for the Journal of Computers, vol. 40, no. 169, pp. 1–14, 2017.
Central Universities (No. GK201702004, GK201803061, [10] M. Feiri, R. Pielage, J. Petit, N. Zannone, and F. Kargl,
Pre-distribution of certificates for pseudonymous broadcast
Table 3 Efficiency comparison. authentication in VANET, in Proc. IEEE 81st Vehicular
Signature Verification Signature Technology Conference (VTC Spring), Glasgow, UK, 2015,
Scheme
cost cost length pp. 1–5.
Cui et al.[9]
5lTmul TNIZK C5lTmul 2.l C 1/m [11] X. Lin X, X. Sun, P. H. Ho, and X. Shen, GSIS:
Wang mTSample C A secure and privacy preserving protocol for vehicular
m.l C k/Tmul .l C k/m C l communication, IEEE Trans. Veh. Technol., vol. 56, no. 6,
and Sun[22] m.l C k 1/Tmul
pp. 3442–3456, 2008.
Tian mTSample C
m.l C 2/Tmul .l C 2/m [12] B. Poettering and D. Stebila, Double-authentication-
et al.[23] m.l C 1/Tmul preventing signatures, International Journal of
Our scheme 2lTmul 2lTmul .l C 1/m Information Security, vol. 16, no. 1, pp. 1–22, 2017.
584 Tsinghua Science and Technology, October 2019, 24(5): 575–584
[13] M. Bellare, B. Poettering, and D. Stebila, Deterring P. Gaborit, Adapting Lyubashevsky’s signature schemes
certificate subversion: Efficient double-authentication- to the ring signature setting, in Proc. International
preventing signatures, in Proc. IACR International Conference on Cryptology in Africa, Cairo, Egypt, 2013,
Workshop on Public Key Cryptography, Amsterdam, the pp. 1–25.
Netherlands, 2017, pp. 121–151. [19] Y. Wang, H. Zhong, Y. Xu, and J. Cui, ECPB:
[14] D. Boneh, S. Kim, and V. Nikolaenko, Lattice-based Efficient conditional privacy-preserving authentication
DAPS and generalizations: Self-enforcement in signature scheme supporting batch verification for VANETs,
schemes, in Proc. International Conference on Applied International Journal of Network Security, vol. 18, no. 2,
Cryptography and Network Security, Kanazawa, Japan, pp. 374–382, 2016.
2017, pp. 457–477. [20] D. Li, J. Liu, Z. Zhang, Q. Wu, and W. Liu, Revocable
[15] B. Poettering, Shorter double-authentication preventing hierarchical identity-based broadcast encryption, Tsinghua
signatures for small address spaces, in Proc. International Science and Technology, vol. 23, no. 5, pp. 539–549, 2018.
Conference on Cryptology in Africa, Stellenbosch, South [21] S. Liang, Y. Zhang, B. Li, X. Guo, C. Jia, and Z. Liu,
Africa, 2018, pp. 344–361. SecureWeb: Protecting sensitive information through the
[16] S. Mao, P. Zhang, H. Wang, H. Zhang, and W. Wu, web browser extension with a security token, Tsinghua
Cryptanalysis of a lattice-based key exchange protocol, Science and Technology, vol. 23, no. 5, pp. 526–538, 2018.
Science China Information Sciences, vol. 60, no. 2, pp. [22] J. Wang and B. Sun, Ring signature schemes from lattice
028101–028105, 2017. basis delegation, in Proc. International Conference on
[17] W. Wu, H. Zhang, H. Wang, S. Mao, S. Wu, and H. Han, Information & Communications Security, Beijing, China,
Cryptanalysis of an MOR cryptosystem based on a finite 2011, pp. 15–28.
associative algebr, Science China Information Sciences, [23] M. Tian, L. Huang, and W. Yang, Efficient lattice-based
vol. 59, no. 3, p. 32111, 2016. ring signature scheme, Chinese Journal of Computers, vol.
[18] C. A. Melchor, S. Bettaieb, X. Boyen, L. Fousse, and 39, no. 4, pp. 712–717, 2016.
Yong Yu is currently a professor at the Houzhen Wang received the PhD degree
School of Computer Science, Shaanxi in information security from Wuhan
Normal University. He graduated from University in 2011. He is currently a
Xidian University in 2010 with a PhD lecturer at the School of Cyber Science
degree. His research interests include and Engineering of Wuhan University. His
information security and cryptography. research interests include cryptography
and information security.