Abstract

Privacy protection and message authentication in VANETs have received great attention in academia. Many authentication schemes for VANETs have been proposed, but most of them rest on classical hard problems such as integer factorization (RSA) or the discrete logarithm problem over elliptic curves and are therefore not quantum resistant. If a quantum computer becomes available in the next few decades, the security of these schemes will be at stake. This paper presents a vehicular lattice-based direct anonymous attestation (V-LDAA) scheme that adopts an optimized signature scheme based on automorphism stability and achieves postquantum security. A lattice-based distributed pseudonym update and vehicle revocation mechanism is introduced, so that vehicles can update their pseudonyms and revoke their identity certificates by themselves, without pseudonym resolution or CRL checks. Compared with the existing lattice-based attestation schemes in VANETs, the computation costs of signing and verification in V-LDAA no longer depend on the number of users, which makes it suitable for large-scale VANETs. Security analysis shows that V-LDAA resists TPM theft attacks and provides user-controlled anonymity, user-controlled unlinkability, and unforgeability against quantum adversaries. Experimental results show that V-LDAA reduces the blind signature size by 18%, speeds up blind signing by 30%, and accelerates blind verification 3 times compared with the existing lattice-based direct anonymous attestation (LDAA) scheme.

1. Introduction

The Intelligent Transportation System (ITS) provides vehicles with intelligent and efficient services such as collision avoidance, traffic condition reports, and entertainment. Messages are sent to the various network nodes through vehicular ad hoc networks (VANETs) [1]. A VANET is a key facility of an intelligent transportation system and is composed of a Certification Authority (CA), roadside units (RSUs), and on-board units (OBUs) [2]. The OBU supports V2I communication between roadside units and the vehicle and V2V communication between vehicles. These nodes are connected to each other to form a network, and communication across the whole network is achieved by relaying information between adjacent nodes. The key issue to be solved when implementing an ITS is how to protect the security and privacy of users in VANETs. Vehicle users in an ITS need to send information about their location, speed, and other driving conditions, or about traffic jams, icy roads, and other surrounding road conditions, to adjacent users. If this information is tracked or tampered with by an adversary, it causes serious privacy leakage and can even threaten the life of the driver. For example, the adversary can obtain the real location of a vehicle by tracing its navigation route, or modify traffic information, which may lead to traffic paralysis or serious accidents. Therefore, an anonymous attestation protocol for VANETs is needed to ensure the anonymity of users and the integrity and untraceability of messages.

In addition, the development of quantum computing threatens the security of traditional public key cryptosystems. Most existing authentication protocols in VANETs rest on classical hard problems such as integer factorization (RSA) or the discrete logarithm problem over elliptic curves. On classical computers these problems can only be solved in exponential or subexponential time, but Shor's algorithm solves them efficiently on a quantum computer, which would break these cryptosystems. Quantum-resistant authentication schemes for VANETs are therefore needed.

The major contributions of this paper are as follows.
(1) A vehicular lattice-based direct anonymous attestation scheme that achieves postquantum security is proposed, together with a lattice-based distributed pseudonym update and certificate revocation mechanism. By embedding a trusted platform module (TPM) in each vehicle, trust is distributed from the Certification Authority (CA), pseudonym provider (PP), Revocation Authority (RA), and other authorities to each legitimate user, turning a centralized trust system into a distributed one. "Distributed trust" shows in the pseudonym update and vehicle revocation processes: users generate pseudonyms by themselves without regular updates and distributions by the PP, and the TPM performs revocation independently, so the RA never performs pseudonym resolution and no certificate revocation lists (CRLs) need to be maintained. Moreover, the cost of signing no longer depends on the number of members, which makes the scheme suitable for large-scale VANETs.
(2) V-LDAA optimizes the signature scheme based on automorphism stability that is used in the BlindSign and BlindVerify protocols of the original LDAA scheme. The optimized scheme reduces the number of automorphisms under which stability must be proven, which simplifies signing and verification and reduces the signature size. An experimental implementation of V-LDAA confirms its computation and storage efficiency.
(3) In the Join protocol, V-LDAA binds the TPM and the Host so that they jointly generate the identity certificate, which resists TPM theft attacks. This matters in VANETs because it prevents an adversary from transplanting a TPM into a new vehicle platform and signing under the stolen platform's identity certificate.

The rest of this paper is organized as follows. We first introduce related works, the background knowledge, an optimized signature scheme used in V-LDAA and VANET architectures based on V-LDAA. Then, the construction of the proposed V-LDAA scheme is described. After that, security and performance analysis are detailed. Finally, the conclusion of this paper is presented.

2. Related Work

In recent years, research on authentication schemes has focused on the following approaches. The first is based on a symmetric key mechanism [2]. The sender uses a shared key to generate a message authentication code (MAC), which the receiver verifies before accepting the message. However, because every party holds the shared key, a MAC-based mechanism cannot withstand the compromise of a large number of nodes in the network, and an adversary that deceives any single node into revealing the key can then authenticate arbitrary messages. The second is an identity-based cryptosystem [3, 4], in which a trusted authority generates and distributes the public and private key pairs of legitimate members. Under this mechanism, however, the adversary can easily obtain the signer's real identity from the signature and track the signer. The third is an authentication scheme based on vehicle public key infrastructures (VPKIs), which is also the design followed in this paper. The CA registers and manages the long-term identity certificates of members, while members sign messages with short-term pseudonym certificates. VPKI schemes provide anonymity and a pseudonym mechanism, but they still have shortcomings. Their security risk and computation burden come from the pseudonym update strategy. To prevent users from being maliciously tracked, the CA needs to change the pseudonyms of all users regularly [1]. For full unlinkability the pseudonym would have to change with every signature, which places a huge computational and storage burden on the PP, which must generate new pseudonym certificates and distribute them to every legitimate user periodically. In [5], an optimized pseudonym update scheme is proposed, but its computation costs still burden the vehicle and the Pseudonym Provider (PP). In addition, to revoke the identity certificate of an illegal vehicle, the Revocation Authority (RA) needs to resolve the user's long-term identity ID from the user's pseudonym and add it to the certificate revocation lists (CRLs), which all users must query. Updating, querying, maintaining, and storing CRLs causes heavy computation and storage costs.

The existing authentication schemes for VANETs that achieve postquantum security are mainly lattice-based ring signature schemes [6–8]. In a lattice-based ring signature scheme, each member needs its own private key and the public keys of all other members to sign a message, and the members of a ring change with the driving position of the vehicle. In recent years, several lattice-based direct anonymous attestation (LDAA) schemes have been proposed by replacing the cryptographic primitives of direct anonymous attestation (DAA) with quantum-resistant ones [9–11]. The first LDAA, in [9], is based on a lattice-based MAC scheme and a CMA-secure digital signature scheme, but its signing protocol has high computation costs. The LDAA in [10] adopts a noninteractive sigma protocol construction and a modified Boyen signature scheme, which improves signing and storage efficiency over [9]. The LDAA in [11] is the most suitable for a future quantum-resistant TPM because of its high efficiency. LDAA is an interesting candidate for a postquantum secure authentication protocol in VANETs because of its balance between authentication and anonymity.

3. Preliminaries

3.1. Notation

Symbols used in this paper are illustrated in Table 1 with their definitions.

3.2. Trapdoor Sampling

Sample two short vectors satisfying (1), where is a nonzero element in . According to [12], there is a basis for . The Gram–Schmidt orthogonalization of satisfies with . To sample , first compute an arbitrary (not necessarily short) solution of (1). Then express it in the basis and use the randomized nearest-plane discrete Gaussian sampling algorithm of [13] to obtain a solution distributed as a discrete Gaussian with . The algorithm is called .

3.3. Lattice-Based Commitment Scheme

We use the commitment scheme from [14], whose hiding property is based on M-LWE and whose binding property is based on M-SIS. Define the public parameters , , where and . To commit to a message , sample and compute . The opening is valid if there exist and satisfying .

3.4. Lattice-Based Zero-Knowledge Proof

Lattice-based encryption schemes usually involve a public value and a secret value with small coefficients, which satisfy . To prove that is a well-formed ciphertext, a zero-knowledge proof about is needed, showing that it satisfies . There are several protocols for such a proof. The first is a Stern-type protocol that proves exactly that a norm-bounded satisfies ; it is the most exact but also the most expensive. In V-LDAA, this method can be used for the zero-knowledge proof of the TPM and Host secret values in the Join phase, because each user performs it only once in the whole certificate lifecycle. The second uses rejection sampling and the lattice-based Fiat–Shamir transform [15]; it is cheaper but only proves the relaxed relation , where is the difference of two challenge values.
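As an added illustration (not code from the paper or from [15]), the following Python block implements the second approach above over plain Z_q vectors rather than the paper's polynomial rings: a Fiat–Shamir-with-aborts proof of knowledge of a short s with A s = t (mod q), including the rejection step that keeps the response z independent of s, and the rewinding extractor that only recovers the relaxed relation A s̄ = c̄ t in which c̄ is the difference of two challenges. The modulus Q, the matrix shape M × N, the bounds, and the one-byte challenge space are assumptions chosen so that the block runs in milliseconds; they are not the paper's parameters.

```python
"""Fiat-Shamir with aborts: proof of knowledge of a short s with A s = t (mod q).
Added illustration over Z_q vectors, not the paper's ring-based protocol."""
import hashlib
import random

Q = 12289                      # toy modulus (assumption)
M, N = 4, 8                    # A is an M x N matrix over Z_q (assumption)
S_BOUND = 1                    # secret s has coefficients in [-S_BOUND, S_BOUND]
C_BOUND = 255                  # challenge c is an integer in [0, C_BOUND]
Y_BOUND = 1 << 14              # mask y is uniform in [-Y_BOUND, Y_BOUND]
Z_BOUND = Y_BOUND - C_BOUND * S_BOUND   # responses outside this box would leak s


def make_rng(seed):
    return random.Random(seed)


def matvec(A, v):
    return [sum(a * x for a, x in zip(row, v)) % Q for row in A]


def inf_norm(v):
    return max(abs(x) for x in v)


def keygen(rng):
    A = [[rng.randrange(Q) for _ in range(N)] for _ in range(M)]
    s = [rng.randint(-S_BOUND, S_BOUND) for _ in range(N)]
    return A, s, matvec(A, s)


def challenge(w, t, msg):
    """Random-oracle challenge c = H(w, t, msg); one byte of SHA-256 here."""
    h = hashlib.sha256(msg)
    for x in t + w:
        h.update(x.to_bytes(4, "big"))
    return h.digest()[0] % (C_BOUND + 1)


def prover_commit(A, rng):
    y = [rng.randint(-Y_BOUND, Y_BOUND) for _ in range(N)]
    return y, matvec(A, y)


def prover_respond(s, y, c):
    """z = y + c*s, or None (abort) when z falls outside [-Z_BOUND, Z_BOUND].
    Conditioned on acceptance, z is uniform in the box, hence independent of s."""
    z = [yi + c * si for yi, si in zip(y, s)]
    return None if inf_norm(z) > Z_BOUND else z


def prove(A, s, t, msg, rng):
    while True:                                   # repeat until no abort
        y, w = prover_commit(A, rng)
        c = challenge(w, t, msg)
        z = prover_respond(s, y, c)
        if z is not None:
            return c, z


def verify(A, t, msg, proof):
    c, z = proof
    if inf_norm(z) > Z_BOUND:
        return False
    w = [(az - c * ti) % Q for az, ti in zip(matvec(A, z), t)]   # A z - c t = A y for honest z
    return challenge(w, t, msg) == c


def extract(z1, c1, z2, c2):
    """Rewinding extractor: two accepting transcripts with the same y and c1 != c2
    give s_bar = z1 - z2 = (c1 - c2) s, i.e. A s_bar = c_bar t with c_bar = c1 - c2.
    Only this relaxed relation (short s_bar, small c_bar) is guaranteed, not s itself."""
    return [a - b for a, b in zip(z1, z2)], c1 - c2


def check_relaxed(A, t, s_bar, c_bar):
    return (matvec(A, s_bar) == [(c_bar * ti) % Q for ti in t]
            and inf_norm(s_bar) <= 2 * Z_BOUND)


def demo(seed=7):
    rng = make_rng(seed)
    A, s, t = keygen(rng)
    msg = b"certified"
    proof = prove(A, s, t, msg, rng)
    c, z = proof
    out_of_box = (c, [Z_BOUND + 1] + z[1:])      # tampered response, must be rejected
    while True:                                  # rewind: same y, two reprogrammed challenges
        y, _ = prover_commit(A, rng)
        z1, z2 = prover_respond(s, y, 3), prover_respond(s, y, 200)
        if z1 is not None and z2 is not None:
            break
    s_bar, c_bar = extract(z1, 3, z2, 200)
    return {
        "honest_accepts": verify(A, t, msg, proof),
        "tampered_accepts": verify(A, t, msg, out_of_box),
        "extracted_relation_holds": check_relaxed(A, t, s_bar, c_bar),
        "c_bar": c_bar,
    }


if __name__ == "__main__":
    print(demo())
```

The verifier never sees y; it recomputes A z − c t, which equals A y only if the prover knew an s with A s = t. The box check on z is what makes the abort necessary: without it, z = y + c s would be biased by s and the proof would leak the secret.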

4. An Optimized Signature Scheme Based on Automorphism Stability of the Cyclotomic Field

The signature schemes of the LDAA schemes in [9, 10] both use Boyen's signature framework under the standard security model [16]. Although polynomial lattices have been used to improve the efficiency of Boyen's signature [17], the resulting group signature is still around 50 MB [18]. The LDAA framework in [11] instead uses a selectively secure lattice-based signature [19]. Selective security means that the message to be attacked is fixed in advance, before the adversary interacts with the system. In this setting, the zero-knowledge proof about the signed message μ must show that μ is invertible and that it is stable within a special subset. In [19], a Galois extension of the cyclotomic field is used to show that μ belongs to a certain subset and is invertible. In this paper, we optimize the selectively secure signature scheme used in [11] by reducing the number of automorphisms under which stability must be proven from two to one.

4.1. Galois Group of Cyclotomic Rings

If is separable over , then is the splitting field of over , and is called a Galois extension. Suppose is a cyclotomic field of degree with ring of integers and subring . The Galois group is defined as and consists of all automorphisms of . The Galois group of the cyclotomic field is isomorphic to , that is, , where . For the subfield there is a subgroup which is the Galois group of , that is, . According to [19], if satisfies , then lies in the subfield of . Thus, to prove , we need to prove that is stable under all Galois automorphisms in , or equivalently under the generators of .

4.2. Power-of-Two Cyclotomic Rings

Suppose is a power-of-two cyclotomic field. Then , which is generated by and , that is, . Consider a subgroup ; according to [19], the fixed field of is generated by . Consider the parameter used in [11]: when , then , the corresponding fixed field is , and . For every prime number , is a field. In this case it is enough to prove that the message remains unchanged under and . This means that every zero-knowledge proof of the identity certificate repeats similar calculations twice (on and ), which increases the computational complexity of the protocol and the size of the commitments.

In this paper, we change the subfield to , which means or . When , the generator of its fixed field is and its minimal polynomial is . In this case only one automorphism stability needs to be proved in the zero-knowledge proof. We select , where is of size and . When the TPM chooses its identity value, it computes with arbitrary and proves that remains unchanged under . The signing and verification process is shown in Table 2.
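The following Python block is an added example (not the paper's or [11]'s code) that makes two points from Sections 3.3 and 4.2 concrete in one place: the Galois automorphisms σ_k : x → x^k of the power-of-two cyclotomic ring Z_q[x]/(x^d + 1), including the fact that an element is fixed by σ_{d+1} (x → x^{d+1} = −x) exactly when it lies in the subring Z_q[x^2], and a BDLOP-style commitment (t1, t2) = (A1 r, A2 r + m) with the relaxed opening f·t = A r̄ + f·(0, m). The degree d = 8, the 1 × 3 shapes of A1 and A2, and the use of σ_{d+1} as the single automorphism are illustrative assumptions; q is the modulus from the experiments in Section 8.

```python
"""Power-of-two cyclotomic ring R_q = Z_q[x]/(x^d + 1): arithmetic, Galois
automorphisms, and a BDLOP-style commitment.  Added illustration, not V-LDAA code."""
import random

D = 8            # ring degree d, a power of two (assumption; the paper's experiments use d = 128)
Q = 114356107    # modulus q taken from the paper's experiments (Section 8)
ONE = [1] + [0] * (D - 1)
ZERO = [0] * D


def make_rng(seed):
    return random.Random(seed)


def ring_add(a, b):
    return [(x + y) % Q for x, y in zip(a, b)]


def ring_mul(a, b):
    """Schoolbook product in Z_q[x]/(x^d + 1); the wrap-around x^d = -1 supplies the sign."""
    res = [0] * D
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            k = i + j
            if k < D:
                res[k] = (res[k] + ai * bj) % Q
            else:
                res[k - D] = (res[k - D] - ai * bj) % Q
    return res


def automorphism(a, k):
    """sigma_k : x -> x^k for odd k.  Gal(Q(zeta_2d)/Q) = {sigma_k : k in (Z/2d)^*},
    a group of order d generated by k = -1 and k = 5."""
    assert k % 2 == 1, "only odd k are units mod 2d"
    res = [0] * D
    for i, ai in enumerate(a):
        e = (i * k) % (2 * D)                   # exponent of x after the substitution
        if e < D:
            res[e] = (res[e] + ai) % Q
        else:
            res[e - D] = (res[e - D] - ai) % Q  # x^e = -x^(e-d)
    return res


def is_stable(a, k):
    """True iff a is fixed by sigma_k, i.e. a lies in the fixed field of <sigma_k>."""
    return automorphism(a, k) == a


def in_even_subring(a):
    """Membership in Z_q[x^2], the fixed subring of sigma_{d+1} : x -> x^{d+1} = -x."""
    return all(a[i] == 0 for i in range(1, D, 2))


def random_elem(rng):
    return [rng.randrange(Q) for _ in range(D)]


def random_small(rng, bound=1):
    """Coefficients in [-bound, bound], stored mod q."""
    return [rng.randint(-bound, bound) % Q for _ in range(D)]


def is_small(a, bound=1):
    return all(min(x, Q - x) <= bound for x in a)


# Commitment: public A1 = [1, a12, a13], A2 = [0, 1, a23] over R_q (BDLOP shape, assumption).
def commit_setup(rng):
    return ([ONE, random_elem(rng), random_elem(rng)], [ZERO, ONE, random_elem(rng)])


def dot(row, r):
    acc = ZERO
    for a, ri in zip(row, r):
        acc = ring_add(acc, ring_mul(a, ri))
    return acc


def commit(pp, m, rng):
    """t = (A1 r, A2 r + m) with small r; A1 r is pseudorandom under M-LWE (hiding)."""
    A1, A2 = pp
    r = [random_small(rng) for _ in range(3)]
    return (dot(A1, r), ring_add(dot(A2, r), m)), r


def open_commitment(pp, t, m, r, f=ONE):
    """Relaxed opening: r small and f*t = A r + f*(0, m).  f = 1 is the plain opening;
    a small invertible f (a challenge difference) is what the proofs actually extract.
    Two openings to different m with the same f would yield an M-SIS solution (binding)."""
    A1, A2 = pp
    if not all(is_small(ri) for ri in r):
        return False
    t1, t2 = t
    return (ring_mul(f, t1) == dot(A1, r)
            and ring_mul(f, t2) == ring_add(dot(A2, r), ring_mul(f, m)))


if __name__ == "__main__":
    rng = make_rng(2021)
    e = random_elem(rng)
    for i in range(1, D, 2):
        e[i] = 0                          # restrict to Z_q[x^2]
    print("Z_q[x^2] element fixed by sigma_{d+1}:", is_stable(e, D + 1))
    print("random element fixed by sigma_{d+1}:", is_stable(random_elem(rng), D + 1))
    pp = commit_setup(rng)
    t, r = commit(pp, e, rng)
    print("honest opening accepted:", open_commitment(pp, t, e, r))
```

Proving stability under σ_{d+1} in zero knowledge amounts to proving that the committed identity and its image under the automorphism are the same ring element; because σ_k is a ring homomorphism, the verifier can apply it to public values and commitments directly, which is why the number of automorphisms to be proven stable drives the size of the proof.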

5. VANET Architectures Based on V-LDAA

The traditional VPKI is shown in Figure 1. It is composed of a Certification Authority (CA), a pseudonym provider (PP), a vehicle Revocation Authority (RA), and user vehicles. The vehicle registers its identity with the CA, and the CA issues the long-term identity certificate VID to the vehicle after confirming that the vehicle is in a trustworthy state. After the vehicle shows VID to the pseudonym provider PP, the PP generates a pseudonym certificate based on VID and issues it to the vehicle user. During V2V communication, illegal behavior of a vehicle is reported to the PP, which decides whether to revoke the user certificate. When a certificate is to be revoked, the RA cooperates with the PP and the CA to resolve the pseudonymous certificate to the user's real identity ID, and the offending ID is added to the certificate revocation lists (CRLs). Before verifying a signature, every user must first check whether the sender is in the CRLs. The main shortcomings of the traditional VPKI architecture are the high storage and computation cost of updating, maintaining, and querying CRLs; the pseudonym resolution required at every certificate revocation; and the computing-efficiency and security issues caused by the PP's regular update of pseudonym certificates.

The VANET architecture based on V-LDAA is shown in Figure 2. Compared with the traditional VPKI system, a TPM hardware chip is embedded in each user's vehicle platform. Through the identity certificate, trust is distributed from the CA to the TPM of each legitimate user, turning a centralized trust system into a distributed one. "Distributed trust" shows in the pseudonym update and vehicle revocation processes. Users generate pseudonyms by themselves without regular updates and distribution by the PP. For certificate revocation, the RA only needs to broadcast a revocation instruction for a certain vehicle; the target vehicle checks its identity, performs the revocation operation, and returns a revocation certificate to the RA. The whole process involves neither pseudonym resolution nor any operation on a revocation list.

6. Proposed V-LDAA Scheme

Based on the LDAA scheme in [11], we propose the V-LDAA scheme for VANETs. The overall V-LDAA scheme consists of the Setup, Join, Create, Sign/Verify, and Revoke protocols, and the structure of the DAA protocol is redesigned. After the Join phase, each user passes through the Create phase to generate the identity credentials , where nym is the pseudonym public key, is the certificate used to identify the vehicle when its certificate is revoked, and is a blind signature on VID used to verify that the signer is a legitimate user. Holding PScert, a user can anonymously authenticate messages and self-revoke its certificate. The TPM destroys the identity certificate and the pseudonym certificate, generates the revocation certificate, and returns it to the RA. The RA verifies the identity certificate and the revocation certificate and thereby confirms that the target vehicle has revoked its identity certificate.

Moreover, we optimize the signature scheme based on automorphism stability of power-of-two cyclotomic fields. When the user interacts with the CA to generate VID, the identity ID is chosen in the optimized cyclotomic subfield, where . It is then enough to prove automorphism stability once instead of twice as in [11], which improves the computational efficiency and signature size of BlindSign. Finally, in the Join phase, the platform secret value sent to the CA is generated by the TPM and the Host together instead of by the TPM alone. This is very important in VANETs, because the TPM chip embedded in the vehicle may be in an unattended environment, where an adversary could physically remove the TPM chip and transplant it into another Host platform to deceive verifiers.

6.1. Setup

We consider the cyclotomic ring and an identity ID in VID , which is stable under . Randomly choose as the TPM public parameters, as the Host public parameters, and as the CA public parameter. The private key of the CA is a trapdoor and its public key is , . By the Ring-LWE assumption, is indistinguishable from uniform, so we write the CA public key as , where .

6.2. Join

The TPM randomly selects a secret value and a private key , computes , and sends it to the Host. Similarly, the Host chooses its secret and computes . The Host then adds and to obtain . The TPM and the Host jointly give a zero-knowledge proof that and are short, and the Host sends to the CA. Because the Join protocol is executed only once, the cost of this zero-knowledge proof has little effect on the efficiency of the whole protocol, so we can afford the Stern-type protocol, which is the most expensive but also exact. The CA first verifies the zero-knowledge proof and then uses the algorithm to sample satisfying . Note that instead of an arbitrary . Finally, the CA sends the generated identity certificate to the Host, which stores it as VID.

6.3. Create

The Create protocol generates PScert, which vehicles use to send and receive messages in VANETs; it consists of the pseudonym key pair, the identity certificate used in revocation, and the legal-member certificate . To generate the pseudonym key pair, the TPM picks a basename bsn and creates a value as well as the pseudonym private key , where is a part of the TPM secret value and . The TPM outputs as the pseudonym public key and creates .

Using the BlindSign protocol in Table 3, the TPM and the Host jointly sign the message "certified" with the TPM private key and the pseudonym private key to generate the legal identity certificate . BlindSign is a zero-knowledge proof of VID produced by the interaction of the Host and the TPM; that is, it proves that the Host has satisfying . However, the verifier would need the value of , and since are all public parameters, the identity could easily be deduced and the user's identity leaked. Therefore, the zero-knowledge proof is not performed directly on : a commitment to is generated first, and the proof is made with replaced by the commitment. Substituting the commitment into the trapdoor relation gives the following, where and . Writing and , (2) can be expressed as .

In summary, the Host generates three zero-knowledge proofs in parallel:
(i) a proof that t and t' open to messages m and m' satisfying ;
(ii) a proof that t opens to a message m satisfying ;
(iii) a proof that s' satisfies .

Finally, the identity credentials are generated and saved on the Host platform.

6.4. Sign/Verify

While the vehicle is moving in the VANET, the Host generates messages about the vehicle's location and speed and passes them to the TPM. The TPM signs each message with the Sign protocol of Table 5, using the pseudonym private key and the pseudonym public key , and returns to the Host. The Host assembles and sends it to the receiver. On receiving msg, the receiver first runs the BlindVerify protocol of Table 4 on to confirm that the message comes from a legitimate user, and then uses the pseudonym public key nym to verify as in Table 5.

6.5. Revoke

The revocation instruction generated by the RA is signed with the RA private key and broadcast in the VANET so that all legitimate users receive it. After receiving the message, the Host passes it to the TPM. The TPM verifies the RA signature on msg with the RA public key and recognizes from nym that it is the target of the instruction. The TPM then creates and calls BlindSign to produce on the message "confirm," which proves that the TPM has received the revocation instruction and completed the self-revocation. After that, the TPM deletes its own public and private key pairs and all identity certificates on its own. The Host sends to the RA. Since the RA knows the misbehaving vehicle's PScert, it checks whether and thereby establishes that the target vehicle has been revoked. The RA then calls BlindVerify to confirm that was indeed issued by the revoked vehicle.

It can be seen from the entire revocation process that RA can correctly revoke the target vehicle without any pseudonym resolution operations. The vehicle provides RA with proof that the identity certificate has been forcibly revoked by TPM. If the vehicle wants to communicate with the users in VANETs again, it must rerun the Join phase to generate a new identity certificate.

7. Security Analysis

The security comparison between V-LDAA, the lattice-based ring signature schemes in [7, 8, 20], and the VPKI scheme in [1] is shown in Table 6. Compared with lattice-based ring signatures in VANETs, V-LDAA additionally achieves user-controlled unlinkability and unforgeability. Compared with the existing VPKI scheme, V-LDAA achieves postquantum security and provides user-driven pseudonym update and distributed vehicle certificate revocation.

7.1. Unforgeability

Suppose CA public parameters are set as follows: , where , , , , , , , .

Suppose we have a fake sampling algorithm. The adversary chooses the identity and secret value . When , use the original to generate satisfying and output to the adversary. When , the gadget matrix vanishes and . Therefore, compute , which is also a valid signature, and output it to the adversary, who verifies . According to [11], under the Ring-LWE and NTRU assumptions the adversary cannot distinguish whether was generated by the real public parameters and the real preimage sampling algorithm or by the above public parameters and the fake preimage sampling algorithm.

According to the above conclusion, we can prove the unforgeability of the V-LDAA signature.

During BlindSign, the Host needs to generate a zero-knowledge proof about such that

In parallel, it will also prove that

Combine (3) and (4) to get the following:

The adversary randomly selects , and the probability of selecting is . In that case vanishes, that is,

Sampling algorithm outputs satisfying the following:

Subtracting (6) and (7) gives the following, which can be written as follows:

Because , , , , , are all polynomials with small coefficients, (9) is a nonzero Ring-SIS solution for unless all the multiplicands are 0. Therefore, if the adversary can produce a zero-knowledge proof satisfying (9), the Ring-SIS problem can be solved with probability . A zero solution requires , that is, , which means that every extracted from the zero-knowledge proof in the blind signing phase must equal some , where is the TPM secret value of a legitimate certificate VID generated in the Join phase. This proves the unforgeability of the V-LDAA signature: producing a valid signature from the secret value of a platform that holds no legitimate identity certificate reduces to solving the Ring-SIS problem.

7.2. Anonymity

Anonymity means that the adversary cannot extract the user's identity value from a signature. Suppose the adversary knows the TPM private key and outputs a message to be signed and two identity values to the challenger. The challenger randomly selects one identity value, signs with it, and returns the signature to the adversary, who then guesses whether the chosen identity value was or . According to [19], the commitment scheme used in this article has the hiding property under the hardness of M-LWE; that is, the adversary cannot distinguish commitments to two different messages. When signing, the challenger can replace the identity value at will when computing the commitment, and the generated signature is independent of the identity value , so guessing the identity value from the blind signature reduces to the M-LWE problem. In VANETs, the certificate generated in the Create phase contains only pseudonym information and no real identity information, and the TPM signing key cannot be associated with the vehicle user, so the adversary cannot distinguish different vehicles from their signatures unless a user reveals his or her identity.

7.3. User-Controlled Unlinkability

During Create protocol, the user can choose whether to use the same secret key sk to generate the same or different pseudonym private key so as to control whether the generated signature is linked. Once a different pseudonym is selected, the adversary cannot determine whether the two signatures are from the same user. Since is generated by hashing the TPM private key and the pseudonym private key, the adversary cannot determine which TPM private key is used. In addition, is a blind signature and cannot be linked.

7.4. Unforgeability of Revocation Instruction

In order to prevent the adversary from maliciously revoking the legal vehicle, it should be ensured that the revocation instruction received by TPM is from the real RA and not forged by an adversary. Adding the signature of RA to each revocation instruction can meet this requirement. TPM can confirm the authenticity of the revocation instruction by verifying the RA signature.

7.5. Unforgeability of Revocation Certificate

When RA receives the revocation certificate returned by TPM, RA must ensure that it is from the correct target vehicle and has honestly performed certificate and key destruction operations. In V-LDAA, the credibility of the revocation operation is guaranteed by the trusted hardware chip TPM. By comparing the signatures in the revocation certificate, RA can confirm that the target vehicle has indeed performed the revocation operation. No other user can forge this signature as long as the TPM key is not leaked.

7.6. Consistency of Revocation Operation

When the revocation instruction is correctly delivered to the TPM, the TPM performs a series of destruction operations. However, the instruction must pass through the Host. If the Host is controlled by an adversary that intercepts the revocation instruction, the TPM cannot receive the correct information from the RA and cannot complete the revocation, which is a major challenge for a distributed revocation mechanism. In V-LDAA, the TPM receives messages from the RA at fixed time intervals; each carries a time stamp and the RA's signature. If the TPM stops receiving these time-stamped messages, it concludes that the communication between the TPM and the RA has been interfered with, and corresponding countermeasures should be taken.

8. Experimental Results and Analysis

We evaluate the performance of V-LDAA in two ways: theoretical analysis and experimental simulation. First, Section 8.1 compares V-LDAA with existing lattice-based authentication schemes in VANETs to measure its advantages in the Internet of Vehicles scenario. Second, Section 8.2 compares the BlindSign protocol of V-LDAA with that of the existing LDAA to show the gain in computing efficiency from the optimized signature scheme of Section 4.2. We simulate V-LDAA, LRMA in [8], DAPRS in [7], and LDAA in [11] in Python with the SageMath 9.2 library, with polynomial multiplication accelerated by the NTL library. The execution time and signature size of each scheme were measured on an Intel Core i5-7500 CPU at 3.40 GHz with 8 GB of memory.

8.1. Comparison with Existing Lattice-Based Authentication Schemes in VANETs

We compare the proposed V-LDAA scheme with existing lattice-based authentication schemes in VANETs. Assume that a preimage sampling takes time , a polynomial multiplication takes time , and a zero-knowledge proof takes time . The signing and verification costs and signature length of each scheme are shown in Table 7. The schemes in [6–8, 21] are all lattice-based ring signature schemes, in which a user needs its own private key and all other users' public keys to sign a message. For a ring with many users, that is, when is large, the computation burden is considerable. In addition, the members of a ring change as vehicles move, so the member public keys must be updated accordingly. In V-LDAA, users only sign with their pseudonym private keys, regardless of N.

The experimental results are shown in Figures 3–6. We implement the Sign, Verify, BlindSign, and BlindVerify protocols and measure their running time; the results are shown in Figure 3, with each execution time averaged over 10 runs of the protocol. We also compare V-LDAA with DAPRS in [7] and LRMA in [8]. The lattice-based double-authentication-preventing ring signature (DAPRS) of [7] uses double-authentication-preventing signatures (DAPSs) instead of conventional signatures. The lattice-based ring signature scheme for message authentication (LRMA) of [8] provides unconditional privacy to vehicles. The number of users N varies from 50 to 200, the degree of the cyclotomic ring is d = 128, and q = 114356107. Since BlindSign is called only when users update their pseudonyms and recreate PScert, its cost is not included. In Figure 4, the signing time of LRMA and DAPRS grows sharply as the number of users rises, while the signing time of V-LDAA stays low with only slight fluctuations. In Figure 5, V-LDAA requires the additional verification of PScert, so its verification time is longer than that of LRMA when N is small, but LRMA's verification time overtakes it as N increases. The size of the certificate generated by V-LDAA is significantly smaller than that of LRMA and DAPRS, as shown in Figure 6, and it does not grow with the number of users.

8.2. Comparison with the Existing LDAA Scheme

We compare the performance of the proposed V-LDAA protocol with the existing LDAA protocol in [11] during the blind signing and blind verification on computation and storage resource consumption. In the blind signing phase, V-LDAA adopts an optimized signature scheme which removes the proof for and thus reduces the number of response values to the challenge, so the number of polynomials that the generated signature contains is reduced from 40 in [11] to 36.

In the Join phase, V-LDAA adds public and secret values for the Host and lets the Host's secret value participate in the generation of the identity certificate. This requires the TPM and the Host to interact in the Join phase to generate zero-knowledge proofs of their respective secret values. Although this increases the amount of computation, the long-term identity certificate of each legitimate user is generated only once, so the effect on overall computing efficiency is small. In VANETs, the joint participation of the TPM and the Host in generating the identity certificate resists TPM chip theft attacks and prevents a TPM from being transplanted into a new vehicle platform by the adversary and used to sign under the stolen platform's identity certificate. The experimental results are shown in Figure 7, where d = 128, = 128, and q = 114356107.

As shown in Figure 7(a), the speed of the Host blind signing operation is increased by 30% by reducing the number of proofs for automorphism stability. The Host operation during blind verification is accelerated 3 times, according to Figure 7(b). Also, V-LDAA reduces the signature size by 18%, as in Figure 7(c).

9. Conclusion

To address the security and user privacy issues in VANETs, we propose a lattice-based direct anonymous attestation scheme for VANETs that achieves postquantum security. We introduce a lattice-based long-term certificate generation mechanism, a pseudonym certificate renewal mechanism, and a distributed certificate revocation mechanism. Users can update their pseudonym certificates by themselves and control the linkability of their signatures. The RA does not need to perform pseudonym resolution or maintain CRLs, which overcomes the shortcomings of traditional VPKIs. We also show that, by adopting an optimized signature scheme based on automorphism stability, V-LDAA has significant advantages in computing efficiency and storage consumption over the existing lattice-based direct anonymous attestation. Experimental results show that V-LDAA reduces the signature size by 18%, speeds up blind signing by 30%, and accelerates blind verification 3 times compared with the existing LDAA scheme. The main shortcoming of the proposed V-LDAA scheme is the computation and storage cost of the BlindSign protocol. In future work, we aim to further optimize the scheme to make it more suitable for resource-constrained TPM chips and vehicle platforms.

Data Availability

All of the data used to support the findings of this study are available from the corresponding author upon request.

Conflicts of Interest

The authors declare that there are no conflicts of interest.

Acknowledgments

This research was supported by the National Key Research and Development Program of China, Joint Research of IoT Security System and Key Technologies Based on Quantum Key (2020YFE0200600).