Introduction

The expeditious development in the field of communication and technology has been making the transportation systems more intelligent. The Intelligent Transportation Systems (ITS) are developed to solve the traffic problems [1] occurred due to the conventional transportation system. The ITS reduces the accidents and increases the safety of the drivers by transmitting the messages over the network. If any message contains the malicious information or it get altered, then it may lead to the serious problems in the road including accidents and traffic congestion. So, it is necessary to secure the messages and this can be done by using different signature schemes and authentication techniques [2, 3].

In intelligent transportation system, the VANETs comprise mainly three components: mobile On Board Units (OBUs) on cars, static Road Side Units (RSUs) and a central unit called Trusted Root Authority (TRA). In the network, vehicles can communicate with each other or with infrastructure through the VANETs for sending messages and authentication. Mainly, there are two types of communication involved in the VANETs i.e., Vehicle-to-Vehicle(V2V) and Vehicle-to-Infrastructure(V2I). In former, the communication takes place between the OBUs of the vehicles while in the latter, OBUs of the vehicles and the RSU or TRA communicate to exchange the messages. While exchanging the information between the units over the network, there may be a threat that the data can be altered by the attackers and cause the serious harm. Message modification is one of the challenges along with the driver or vehicles privacy. For secure communication between the vehicles, many signature and conditional privacy preserving authentication schemes are specially developed for the VANETs. In these schemes, vehicles send signatures along with the messages to the receiver and on receiving the signatures and their corresponding messages from the sender, receiver verifies the single message or the bunch of messages using the verification algorithms proposed in the schemes. These schemes [4, 5, 6, 7, 8–9] are using different cryptographic structures like public-key [10] and identity [11]. Some of the schemes [4, 5–6] are using group signatures but these group signatures are replaced by the ring signatures as in the group signature, members are static which is not a good choice for the VANETs. And also the schemes are adopting the concept of batch verification [12] for reducing the computation overhead. In this paper, we propose a bilinear mapping based certificateless ring signature scheme with batch verification for applications in VANETs to reduce the communication cost and computational cost. Its formal security analysis is performed by RoR model and formal security verification is done by AVISPA tool, which shows that it is resistant to passive and active attacks.

Rest of the paper is arranged as follows. Section 2 overviews the existing signature schemes for the VANETs. In Sect. 3, some preliminary notions are defined and Sect. 4 describes our proposed scheme. The security analysis of the proposed scheme is done using the RoR and AVSIPA in Sect. 5. Section 6 discusses the comparison between our scheme and the related existing schemes. Lastly, the paper is concluded in the Sect. 7.

Literature Survey

Researchers come up with different solutions to resolve the different issues like privacy and security issues of VANET. The solutions use the different cryptographic structure like public key infrastructure, identity based signature, group and ring signatures. For ease of readiness, the existing work for ensuring privacy preservation in VANETs architecture has been divided into mainly four categories based on public key infrastructure, identity, group and ring. We have summarized the existing schemes in Table 1. In the first category, the schemes [7, 8–9] use the Public Key-based Infrastructure (PKI) [10]. The Vehicles and RSUs use the anonymous certificates issued by trusted authorities with maintaining the user anonymity and integrity. The issue in these schemes occurs with TRA as it suffers from the overburden of memory as TRA stores and manages the vehicles certificates.

The second category contains the schemes [13, 14, 15–16] based on identity signature [11] and these schemes reduce the requirement of the storage by the PKI. Identity-based signature uses the public information of vehicles as the public key. The information can be anything related to the vehicle such as names, contact numbers, email addresses, etc. The problem in identity-based signature is inherent key escrow property.

In the third category, we have clustered the schemes [4, 5–6, 17, 18, 19, 20–21] which are constructed on the concept of group signatures which is very different from the all the previous schemes. Chaum and Heyst [22] propose the first scheme based on group signature. In these schemes, only one member of the group is allowed to sign a message on the behalf of whole group. But in case of contention, group manager can disclose the identity of the signer. There is one disadvantage while signing the message, the group members cannot be added or removed as groups are static [23]. The group signature come usually with a set-off between anonymity and group size.

The fourth category includes the schemes [24, 25, 26, 27, 28, 29–30] which are based on the ring signature. Rivest et al. [31] solve the issues in group signature by introducing a new concept called ring signature. Ring signature provides more advantages than group signature including no group manager, strong traceability and anonymity. The ring signature may be certificate or certificateless. The certificate ring signature is inefficient in terms of space and time as it requires the transfer and verification of n certificates. Due to this inefficiency, the ring signature works in VANET.

To reduce the computation overhead in individual verification of several messages simultaneously, researchers have used the concept of batch verification. The paper [12] defines a batch verification method in which a sequence of exponential is verified by the probabilistic batch verifiers. This concept yields faster speed than the naive re-computation method. Recently researchers [5, 17, 32] have integrated the batch verification concept with different signature schemes to reduce the verification time significantly.

Table 1. Literature survey

Preliminaries

In this section, we define a basic concept of a VANET architecture, its security requirement, bilinear mapping, framework of the proposed scheme and its security model as follow.

Proposed Scheme

Before discussing our proposed bilinear mapping based ring signature scheme for VANETs, we present the notations used in the paper in Table 2. The presented Fig. 2 illustrates the process of certificateless ring signature generation, individual verification, and batch verification within a cryptographic system. In the certificateless ring signature generation phase, the On-Board Unit (OBU) initiates the signing process by randomly selecting a secret value and computing various cryptographic components, including hash functions and unique keys. The result is an individualized signature, denoted as $\sigma j$, containing elements such as $H{T}_j$, $T_j$, and $U_j$, which is then sent to the RSU for verification. In the individual verification phase, the RSU computes ${H_{3_j}}^{{}^{\prime }}$ and evaluates an equation involving the signature and public keys. If the equation holds true, the RSU accepts the message; otherwise, it rejects it.

Moving on to batch verification, the RSU aggregates individual signatures into a collective signature $\sigma$, calculated by summing up the individual components. The RSU then checks the validity of the batch signature using a verification equation involving aggregated components and public keys. If the equation is valid, the RSU accepts the entire set of messages; otherwise, it rejects them collectively. This batch verification process enhances efficiency by allowing the RSU to verify multiple signatures simultaneously. The entire cryptographic workflow ensures the integrity and authenticity of messages in a distributed communication system while preserving the privacy and security of the communicating entities. The stepwise description given below involves the TRA producing the output parameters and generating the key pair, OBU randomly selecting values, computing various cryptographic components, and sending the resulting signature to the RSU. The RSU, in turn, performs computations on received signatures, verifies equations, and either accepts or rejects the individual or batch of messages based on the outcomes of these verifications. These processes collectively contribute to the security and authenticity of messages transmitted in a vehicular communication environment.

Table 2. Notations used in the proposed scheme

[See PDF for image]

Fig. 2

Flow diagram

Initial Setup Phase TRA selects a parameter k and creates system parameters $\{G_{\mathit{add}},G_{\mathit{mul}},X,p,T_{\mathit{pbk}},H_i\}$ and master key $T_{\mathit{msk}}$. In the Initial Setup phase, the following steps are performed by TRA:

TRA:

• Take two groups, $G_{\mathit{add}}$ with generator X and $G_{\mathit{mul}}$ of the same order where $p>2^s$, along with a bilinear map e defined such that $G_{\mathit{add}}\times G_{\mathit{add}}\to G_{\mathit{mul}}$.

• Choose $r\in {\mathbb{Z}}_p^{\ast }$ as $T_{\mathit{msk}}$, and then compute the system public key as $T_{\mathit{pbk}}=rX\in G_{\mathit{add}}$.

• Choose five hash functions $\{h_i,i=1,2,3,4,5\}$, such that $h_1:{\{0,1\}}^{\ast }\to G_{\mathit{add}}$, $h_2:{\{0,1\}}^{\ast }\times G_{\mathit{add}}\times G_{\mathit{add}}\times G_{\mathit{add}}\to {\mathbb{Z}}_p^{\ast }$, $h_3:{\{0,1\}}^{\ast }\to {\mathbb{Z}}_p^{\ast }$, $h_4:{\{0,1\}}^{\ast }\to {\mathbb{Z}}_p^{\ast }$, and $h_5:{\{0,1\}}^{\ast }\to {\mathbb{Z}}_p^{\ast }$.

• Keep the Master Key r private and publicize the variables $vars=\{G_{\mathit{add}},G_{\mathit{add}},X,p,T_{\mathit{pbk}},h_i,i=1,2,3,4,5\}$.

Registration & Key Generation This phase is responsible for registering the entity to the TRA and TRA is going to generate public–private key pair as shown for each registered entity. In the Registration and Key Generation phase, the entities TRA, RSU, and OBU perform the following steps:

RSU and OBU:

1. Entity identity $E_k$ is represented by $I{D}_k\in {\{0,1\}}^{\ast }$.

2. Create hash $W_k=h_1(I{D}_k)\in G_{\mathit{add}}$.

3. Choose a secret value $v_k\in {\mathbb{Z}}_p^{\ast }$.

4. Compute $V_k=v_k{W}_k\in G_{\mathit{add}}$ and $D_k=v_{k}X\in G_{\mathit{add}}$.

5. Send both $(V_k,D_k)$ to TRA for registration.

1. Choose a secret value $o_k$ and compute $O_k=o_{k}X\in G_{\mathit{add}}$.

2. Calculate $H_{1_k}=h_2(I{D}_k,V_k,D_k,O_k)\in {\mathbb{Z}}_p^{\ast }$.

3. Calculate $PS{K}_k=r{H}_{1_k}{W}_k\in G_{\mathit{add}}$.

4. Send $O_k$, $PS{K}_k$, and $H_{1_k}$ to entity $E_k$.

1. Receive $O_k$, $PS{K}_k$, and $H_{1_k}$ from TRA.

2. Store $P{K}_k=(V_k,D_k)$ and $S{K}_k=(v_k,PS{K}_k)$.

Certificateless Ring Signature Entity signs message and sends it to RSU. There are n ring members $L_{\mathit{ID}}=\left\{I,D_1,,,I,D_2,,,I,D_3,,,.,.,.,,,I,D_n\right\}$ and corresponding public key $L_{\mathit{PK}}=\left\{P,K_1,,,P,K_2,,,P,K_3,,,.,.,.,,,P,K_n\right\}$. The signer $I{D}_j$ has private key $S{K}_j$ and public key $P{K}_j$. $I{D}_j$ can sign message $m_j$, on behalf of ring members $L_{\mathit{ID}}$ and public key $L_{\mathit{PK}}$ using its private key $S{K}_j$. In the Certificateless Ring Signature phase, the OBU performs the following steps:

OBU:

1. The OBU $I{D}_j$ randomly selects $t_j\in {\mathbb{Z}}_p^{\ast }$.

2. Computes $H_{2_j}=h_5(m_j\Vert PS{K}_j\Vert P{K}_j\Vert t_j)\in {\mathbb{Z}}_p^{\ast }$.

3. Computes $t_j=H_{1_j}(t_j+H_{2_j})V_j\in G_{\mathit{add}}$.

4. For all $P{K}_k\in L_{\mathit{PK}}$, $I{D}_j$ randomly picks $T_K\in G_{\mathit{add}}$ for each $k\in \{1,2,...,n\}\backslash \{j\}$.

5. Computes $H_{T_j}={\sum }_{k=1}^n{h}_4(m_j\Vert T_k)\in {\mathbb{Z}}_p^{\ast }$.

6. Computes $H_{3_j}=h_5(m_j\Vert L_{\mathit{ID}}\Vert L_{\mathit{PK}}\Vert H_{T_j})\in {\mathbb{Z}}_p^{\ast }$.

7. Computes $U_j=(t_j+H_{2_j})H_{3_j}{v}_{j}PS{K}_j\in G_{\mathit{add}}$.

8. Sends ${\sigma }_j=(H_{T_j},T_j,U_j)$ to the receiver $I{D}_r$.

Individual Verification This algorithm is run by the receiver to verify the single message. In the Individual Verification phase, the entity RSU performs the following steps:

RSU:

1. Computes ${H_{3_j}}^{{}^{\prime }}=h_5(m_j\Vert L_{\mathit{ID}}\Vert L_{\mathit{PK}}\Vert H_{T_j})\in {\mathbb{Z}}_p^{\ast }$.

2. RSU $I{D}_r$ verifies the following equation: $$\begin{array}{c}\hfill e(U_j,X)=e({H_{3_j}}^{{}^{\prime }},T_j,T_{\mathit{pbk}})\end{array}$$ If the above equation holds, the receiver accepts the message $m_j$; otherwise, it rejects it.

Batch Verification Run by the receiver $I{D}_r$. RSU receives the set of certificateless signature $L_{\sigma }={\bigcup }_{j=1}^n{\sigma }_j$ on the set of user messages $L_m={\bigcup }_{j-1}^n{m}_j$ from the set of signer set $L_{\mathit{ID}}$, where j is the index of signer in the same ring list.

In the Batch Verification phase, the entity RSU performs the following steps:

RSU:

1. Compute $\cup ={\sum }_{j=1}^n{U}_j$.

2. Produce the aggregate signature $\sigma =\{H_{T_1},...H_{T_n},T_1,...T_n,U\}$.

3. For $\forall j=\{1,...,n\}$, calculate ${H_{3_j}}^{{}^{\prime }}=h_5(m_j\Vert L_{\mathit{ID}}\Vert L_{\mathit{PK}}\Vert H_{T_j})$.

4. RSU verifies the following equation: $$\begin{array}{c}\hfill e(U,X)=e\left(\sum _{j=1}^n,{H_{3_j}}^{{}^{\prime }},T_j,T_{\mathit{pbk}}\right)\end{array}$$ If the above equation is valid, RSU accepts the message $L_m$; otherwise, it rejects it.

Proof of Verification:

$$\begin{array}{c}\text{Individual Signature:}e\left(U_j,X\right)=e\left(\left(t_j+H_{2_j}\right)H_{3_j}{v}_{j}PS{K}_j,X\right)\\ =e\left(\left(t_j+H_{2_j}\right)H_{3_j}{v}_j,r{H}_{1_j}{W}_j,X\right)\\ =e\left(H_{3_j}{H}_{1_j}\left(t_j+H_{2_j}\right)v_j{W}_j,rX\right)\\ =e\left(H_{3_j}{H}_{1_j}\left(t_j+H_{2_j}\right)V_j,P_{\mathit{pbk}}\right)\\ =e\left(H_{3_j}{T}_j,P_{\mathit{pbk}}\right)\\ \end{array}$$

$$\begin{array}{c}\text{Batch Signature:}e\left(U,X\right)=e\left(\sum _{j=1}^n{U}_j,X\right)\\ =e\left(\sum _{j=1}^n\left(t_j+H_{2_j}\right)H_{3_j}{v}_{j}PS{K}_j,X\right)\\ =e\left(\sum _{j=1}^n\left(t_j+H_{2_j}\right)H_{3_j}{v}_{j}r{H}_{1_j}{W}_j,X\right)\\ =e\left(\sum _{j=1}^n{H}_{3_j}{H}_{1_j}\left(t_j+H_{2_j}\right)v_j{W}_j,rX\right)\\ =e\left(\sum _{j=1}^n{H}_{3_j}{H}_{1_j}\left(t_j+H_{2_j}\right)V_j,P_{\mathit{pbk}}\right)\\ =e\left(\sum _{j=1}^n{H}_{3_j}{T}_j,P_{\mathit{pbk}}\right)\\ \end{array}$$

Table 3. Queries run by Eve I

Security Analysis

In this section, we show the formal security analysis of the proposed a scheme using the Real or Random model (ROR) and verify its security using Automated Validation of Internet Security Protocols (AVISPA).

Performance Evaluation

In this section, we evaluate the performance of the proposed scheme by calculating the computational and communication costs of the proposed scheme along with the existing schemes [32, 34, 35–36].

Conclusion

To protect the privacy of driver and prevent the malicious entities from modifying the message over the VANET, we have designed a ring signature scheme in this paper. The proposed scheme uses the certificateless ring signature for signature generation and then it verifies the multiple messages using the batch verification to lessen the computational overhead. The performance analysis clearly indicated that the proposed scheme has the least computational and communication cost as compared to the existing schemes. We have also done the security analysis of the scheme against the unforgeability and anonymity in the detail using the RoR and AVISPA tool. The future scope and applicability of a bilinear mapping based ring signature scheme with batch verification can be broad and impactful, especially in the field of cryptography, privacy-preserving technologies, and secure communication. This scheme finds potential applications in blockchain networks, where privacy is paramount, as well as in secure communication systems, such as Vehicular Ad Hoc Networks (VANETs) or Internet of Things (IoT) environments. As decentralized technologies continue to evolve, the bilinear mapping-based ring signature scheme with batch verification could play a crucial role in safeguarding user identities and ensuring the integrity of communications across various domains.

Author Contributions

Mr. Lalit wrote this manuscript and Dr. Devender Kumar reviewed it and gave his valuable suggestions to improve its quality.

Funding

No external funding.

Declarations