Lightweight and Secure Multi-Message Multi-Receiver Certificateless Signcryption Scheme for the Internet of Vehicles

Abstract

The Internet of Vehicles (IoV) improves traffic efficiency and enhances driving safety through the real-time collection and analysis of traffic-related data. Numerous secure and privacy-preserving communication protocols have been proposed for the IoV. However, various security threats, privacy leakage, and inefficient communications remain unaddressed. Therefore, a lightweight and secure multi-message multi-receiver certificateless signcryption (LS-MRCLSC) scheme based on elliptic curve cryptography (ECC) is proposed. The proposed scheme guarantees secure communication and promotes messaging efficiency with multi-cast mode. Multiple key generation centers (KGCs) collaborate to generate and update the system master key (SMK) using Feldman’s verifiable secret-sharing (FVSS) algorithm, avoiding the single point of failure (SPoF) problem. Formal security proofs under the random oracle model (ROM) demonstrate that the proposed scheme meets requirements such as data confidentiality, message unforgeability, anonymity, and unlinkability. Performance evaluations confirm that the LS-MRCLSC scheme is better than similar schemes in terms of efficiency, feasibility, and scalability.

1. Introduction

With the rising number of social vehicles, traffic accidents are becoming more frequent, and urban areas are experiencing traffic congestion, which poses a significant barrier to the economic growth of cities. The Internet of Vehicles (IoV) integrates cutting-edge vehicle sensors, controllers, actuators, and modern communication technology to enable intelligent information sharing and interaction between vehicles, people, roads, and the cloud. Vehicles can transmit real-time traffic information (e.g., current location, speed, weather conditions, and road congestion) among IoV infrastructures through dedicated short-range communications (DSRC) or cellular vehicle-to-everything (C-V2X) [1] standards. This helps other vehicles plan more efficient traffic routes and reduces the occurrence of traffic accidents. However, numerous security threats exist during data transmission due to insecure open wireless channels. Attackers may eavesdrop, forge, delete, replay, and tamper with the transmitted data. Certificateless signcryption [2] is a solution for ensuring communication security by providing both message authentication and data confidentiality simultaneously. Nevertheless, in certificateless signcryption protocols, receivers decrypt the ciphertext to access the message and then verify the validity of the signature, which leads to massive computation delays. Absolute anonymity is undesirable because of the requirement of supervision. A traffic management authority (TMA) should have the capability to trace and recover the real identity of malicious vehicles that have sent fake or faulty messages to disturb traffic orders [3]. Therefore, many schemes adopt pseudonym technology to protect the privacy of vehicles (e.g., identity, location, request content).

Certificateless communication protocols leverage a key generation center (KGC) to generate partial private keys (PPKs) and eliminate key escrow problems. Nevertheless, a KGC is not totally credible and is susceptible to denial of service (DoS) attacks in the IoV. With the success of advanced persistent threat (APT) attacks, attackers can acquire the system master key (SMK) and seriously threaten the security of the system. To resolve this issue, researchers have proposed the utilization of multiple KGCs to manage an SMK with Shamir’s threshold secret-sharing (TSS) scheme [4]. Consequently, attackers have to corrupt at least threshold KGCs to retrieve the SMK. However, this cannot guarantee the safety of KGCs since it is possible for threshold KGCs to be corrupted in practical scenarios. Furthermore, Shamir’s TSS scheme involves a key distributor that knows the secret key, and the holder of the sub-key may provide an unreal share. Thus, devising a dynamically updatable protocol that allows KGCs to update the SMK for signcryption will enhance the security of the system. Even if attackers recover the SMK of the last period, they cannot disturb the current status and operation of the system.

Furthermore, the computation and storage capacities of the on-board unit (OBU) loaded onto vehicles are significantly limited. In the IoV, vehicles are equipped with multiple sensors that can detect various heterogeneous messages simultaneously, including informative messages (speed, weather conditions), indicative messages (direction, coordinates), and emergency messages (traffic accidents, traffic jams, natural disasters) [5]. For different types of messages, we aim to send them to the corresponding receivers as quickly as possible. For instance, if vehicles need to send emergency messages to a TMA to optimize road conditions, the best course of action is to transmit these messages to the nearest roadside unit (RSU). An RSU is capable of verifying the received messages and broadcasting them to inform the TMA, nearby wired-connected RSUs, and vehicles within its communication range. This allows the TMA to be aware of the current traffic conditions and take real-time management measures while also ensuring that the RSU spreads messages over the maximum range as fast as possible. Regarding indicative messages, direct vehicle-to-vehicle (V2V) communication will aid receivers in facilitating traffic strategies. In traditional signcryption schemes, sender vehicles must execute the signcryption algorithm n times to send n messages, which is a significant challenge for OBUs with limited resources in a delay-sensitive IoV. Therefore, reducing the overall computation costs required for the signcryption algorithm is crucial.

All in all, there are various challenges in the IoV: (a) insecure communication; (b) privacy leakage of vehicles; (c) key escrow problems; (d) single points of failure (SPoFs) of KGCs; and (e) inefficient message transmission. Thus, this research aims to design a secure and lightweight communication scheme for the IoV to address the aforementioned challenges.

1.1. Contribution

Regarding the above concerns, a lightweight and secure multi-message multi-receiver certificateless signcryption (LS-MRCLSC) scheme with multiple KGCs for the IoV is proposed, based on a multi-message multi-receiver signcryption (MMSC) scheme [2]. Our main contributions can be summarized as follows:

• An LS-MRCLSC scheme with multiple KGCs is proposed. The proposed LS-MRCLSC scheme is proven to realize confidentiality and unforgeability under the intractable problems in the random oracle model (ROM). Furthermore, it achieves the fundamental security requirements of the IoV such as anonymity, unlinkability, forward and backward secrecy, and resistance to KGC damage attacks and replay attacks.
• Multiple KGCs are employed in the LS-MRCLSC instead of the traditional single KGC, which avoids SPoFs and key escrow problems. With Feldman’s verifiable secret-sharing (FVSS) [6] mechanism, multiple KGCs negotiate the SMK after a round of communication. To resist APT attacks, each KGC is able to periodically update its own sub-key and the SMK. Moreover, secure channels are not required during PPK transmission, which improves the robustness of our LS-MRCLSC scheme.
• The LS-MRCLSC scheme effectively reduces the computation cost and communication overhead. Both theoretical analysis and simulation experiments demonstrate that the LS-MRCLSC scheme is efficient in terms of computation cost and communication overhead. Specifically, when there are 100 receivers, the total computation time (signcryption and unsigncryption) of the LS-MRCLSC scheme is reduced by 48.77%, 66.28%, 48.90%, 49.27%, and 49.27%, respectively, compared to the schemes in [7,8,9,10,11]. In addition, the communication overhead is reduced by 7.32%, 83.57%, 47.06%, 0.93%, and 0.93%, respectively, compared to the schemes in [7,8,9,10,11].

1.2. Organization

The remainder of this article is organized as follows. Section 2 outlines the related works. In Section 3, the preliminaries, including complexity assumption, system model, security model, and security goals, are introduced. The proposed LS-MRCLSC scheme is presented in Section 4. Section 5 demonstrates the security proof and analysis. The performance evaluation results are given in Section 6. Finally, we conclude this work in Section 7.

2. Related Works

2.1. Conditional Privacy-Preserving Schemes in the IoV

To ensure the secure communication of vehicles, a series of protocols have been proposed with cryptographic technology. Cui et al. [12] devised an efficient authentication scheme based on semi-trusted authority, which combines self-repairing key distribution and certificate signing. But it increases the communication overhead of the system. Gao et al. [13] introduced a decentralized distributed denial of service (DDoS) attack detection scheme using big data techniques. The scheme mainly comprises two parts: real-time network traffic acquisition and network traffic detection. Nevertheless, the authors did not perform simulated attacks to analyze the performance of the system. Baza et al. [14] proposed a scheme to detect Sybil attacks using proof-of-work (PoW) and proof-of-trajectory (PoT) mechanisms, combining both trajectory verification and resource testing. However, the method could fail if a capable attacker focused on endowing a fake vehicle with additional computational resources, causing confusion in a specific region. In 2022, to resist attacks like eavesdropping, Ren et al. [15] proposed an efficient distance-based privacy-preserving authentication protocol. They used hash functions and exclusive-OR operations to fulfill the privacy protection requirement, which is based on distance. However, it cannot effectively withstand malicious tampering attacks. To cope with challenges like the leakage of data and personal privacy, Bao et al. [16] introduced a scheme with dynamic service, which attains full policy hiding by implementing access control in the inner product. Moreover, they designed an efficient indirect revocation mechanism, which enables the cloud and users to update the ciphertext and user secret key. Recently, blockchain technology has become popular due to its tamper-proof nature, decentralization, and transparency. Conditional privacy-preserving authentication (CPPA) protocols based on blockchain [17,18] have been devised. They utilize blockchain technology for storing vehicular certificates to realize effective certificate management. Tu et al. [19] proposed a vehicle-based secure blockchain consensus algorithm, which overcomes the leakage of sensitive data, high costs, and delays. In addition, homomorphic techniques have gradually been applied to the CPPA protocols for the IoV. Verma et al. [20] utilized homomorphic signatures to protect the confidentiality and unforgeability of traffic-related messages. Homomorphic cryptography [21] assists in accomplishing tripe pseudonym authentication, reducing the dependence on TMAs.

2.2. Certificateless Signcryption Schemes

In 2003, Al-Riyami and Paterson [22] first proposed the concept of certificateless public key cryptography, which addressed the certificate management problem in traditional public key infrastructure (PKI) schemes [23] and the key escrow problem in ID-based signature schemes [24]. Since then, scholars have proposed many certificateless (aggregate) signature schemes [25,26,27,28]. However, these schemes cannot resist public key replacement attacks or malicious KGC attacks. Moreover, in the signature system, sender vehicles send out traffic messages along with the signature. Although attackers cannot steal secret keys or forge signatures via eavesdropping wireless channels, they can know the message content from intercepted data, which may contain sensitive information. Therefore, it is vital to ensure data confidentiality. The signcryption primitive was proposed by Zheng et al. [29], which performs signature and encryption in one logical step. Nevertheless, if we want to send a secret message to multiple receivers, the traditional one-to-one structure of signcryption would no longer be efficient. Selvi et al. [30] first proposed the concept of multi-receiver certificateless signcryption (MRCLSC) and provided a security model. However, Miao et al. [31] pointed out that it cannot maintain confidentiality under internal attacks. Receiver anonymity is also significant in the IoV, which means that each user can identify whether they are an authenticated receiver but cannot identify others. Focusing on the privacy issue of heterogeneous systems, Niu et al. [32] constructed an aggregate signcryption scheme based on MRCLSC. Li and Pang [33] declared that Niu et al.’s scheme [32] could not really achieve receiver anonymity because of the fixed Lagrange interpolation polynomial results. Then, Pang et al. [34] devised an efficient MRCLSC scheme without bilinear pairing, while Yu et al. [35] substantiated that Pang’s et al. scheme [34] could not achieve unforgeability and confidentiality, as the adversary can randomly forge the public and private key pairs of users. Yu et al. [35] also found that the schemes in [36,37,38] could not ensure the integrity of transmitted data. Considering the secure data transmission of wireless body area networks, Shen et al. [7] proposed a lightweight MRCLSC scheme. However, they utilized secure channels to transmit PPKs.

Moreover, the existing multi-receiver signcryption (encryption) schemes cannot send multiple different messages to multiple related vehicles in a data report. Seo and Kim [39] proposed the first MMSC scheme, which supports sending n messages at a time. Soon after, MMSC schemes based on chaotic theory [40] and elliptic curve cryptography (ECC) [41] were proposed. However, receivers can obtain all plaintext by decrypting one ciphertext in these schemes. Zhou et al. [8] presented a certificateless MMSC scheme to realize the anonymous transmission of multiple messages in multicast communication, but the overhead is extremely high due to bilinear pairing. Pang et al. [42] presented a certificateless MMSC scheme, claiming it was secure and efficient. However, Peng et al. [9] proved that Pang et al.’s scheme [42] is vulnerable to a Type I attack. Therefore, the confidentiality, unforgeability, and anonymity of the senders cannot be guaranteed. Although some MMSC schemes have been designed [43,44,45], Pang et al. [42] pointed out that none of them can provide receiver anonymity and privacy preservation. Qiu et al. [46] proposed an MMSC scheme for a heterogeneous smart mobile Internet of Things (IoT), but it cannot achieve receiver anonymity. Recently, Ming et al. [10] devised an MMSC scheme for the healthcare IoT. Nevertheless, it is unable to withstand replay attacks. Zhou et al. [11] also proposed an anonymous certificateless MMSC scheme for a vehicular ad hoc network (VANET). However, the scheme cannot resist replay attacks, and unlinkability is not achieved.

Secure channels are required when a KGC generates PPKs for users in the above schemes. However, maintaining secure channels needs huge economic expenditure. In addition, most existing schemes utilize a single KGC. If attackers successfully invade a KGC, the security of the system will be seriously threatened. Moreover, certificateless signature schemes cannot avoid the key escrow problem. Hence, it is important to guarantee the security of the KGC in the LS-MRCLSC scheme.

3. Preliminaries

The preliminaries of the LS-MRCLSC scheme are introduced in this section.

3.1. Notations

The main notations and corresponding descriptions of our scheme are presented in

Table 1. Notations and corresponding descriptions.

Notation	Description
q	A large prime number
$\mathbb{G}$	An addictive cyclic group with order q
$H_i$	Secure one-way hash function
P	A generator of $\mathbb{G}$
$params$	System’s public parameters
$V_i$	The i-th vehicle
$V_{R_i}$	The i-th receiver vehicle
$KG{C}_i$	The i-th KGC
t	Threshold value
$s_i$	Sub-key of $KG{C}_i$
$P_i$	Sub-public key of $KG{C}_i$
s	The SMK
$P_{pub}$	System public key
a	Private key of TMA
$T_{pub}$	Public key of the TMA
$F_{index}$	An index function
⊕	XOR operation
$RI{D}_i$	The real identity of $V_i$
$I{D}_i$	The temporary identity of $V_i$
$PI{D}_{i,j}$	The j-th pseudo-identity of $V_i$
$T_{i,j}$	Valid period of $PI{D}_{i,j}$
$k_i$	The temporary PPK of $V_i$
$d_i$	The PPK of $V_i$
$x_i$	The secret key of $V_i$
$(P{K}_i,S{K}_i)$	Public and private key pair of $V_i$
$m_{R_i}$	Traffic message related to $V_{R_i}$
M	Traffic message set to be signcrypted
$si{g}_{R_i}$	Signature related to $V_{R_i}$
$c_{R_i}$	Ciphertext related to $V_{R_i}$
$t_{R_i,j}$	The j-th current timestamp related to $V_{R_i}$
$CT$	Ciphertext set
T	Timestamp set
$C_m$	Signcryption ciphertext
A	The adversary
C	The challenger
$\epsilon$	The probability that adversary A wins the game
$\Delta$$tt$	The valid time interval

. The abbreviations used in this paper are listed in the abbreviation table following Section 7.

3.2. Complexity Assumption

In this subsection, the complexity assumptions associated with the ECCDHP and ECDLP are introduced.

Elliptic Curve Computational Diffie–Hellman Problem (ECCDHP): Given an elliptic curve E, choose a group $\mathbb{G}$ on E, where $\mathbb{G}$ has the prime order q and generator P. Given a tuple $(aP,bP)\in \mathbb{G}$, it is difficult to compute $abP$ in probabilistic polynomial time (PPT), where $a,b\in {\mathbb{Z}}_q^{*}$.

Elliptic Curve Discrete Logarithm Problem (ECDLP): Given an elliptic curve E, choose a group $\mathbb{G}$ on E, where $\mathbb{G}$ has the prime order q and generator P. Given a tuple $(P,W)\in \mathbb{G}$, it is difficult to compute $a\in {\mathbb{Z}}_q^{*}$ in PPT, where $W=aP$.

3.3. Feldman’s Verifiable Secret Sharing

Let $\mathbb{G}$ be a group with order q. The sharing algorithm takes the threshold parameters $LL$ and t and a secret $ss\in {\mathbb{Z}}_q^{*}$; chooses a polynomial with random coefficients, except for the constant term, i.e., $p\left(X\right)=a_0+a_{1}X+\dots +a_t{X}^t(a_0=ss)$; and outputs the commitments $A_k=g^{a_k}\in \mathbb{G}$ for $k=0,1,\dots ,t$. The j-th share ${ss}_j$ is $p\left(j\right)$ for $j=1,\dots ,LL$.

To verify the j-th share against the commitments, the verification algorithm takes ${ss}_j$ and a set of commitments ${\left\{A_k\right\}}_{k=0}^t$ and checks whether $g^{{ss}_j}={\displaystyle \prod _{k=0}^t}{\left(A_k\right)}^{j^k}$. The above algorithms are defined as:

• $FShare(ss,t,LL)\to {\left\{{ss}_j\right\}}_{j=1}^{LL}$, ${\left\{A_k\right\}}_{k=0}^t$.
• $FVerify({ss}_j,{\left\{A_k\right\}}_{k=0}^t)\to b$, where $b\in \{0,1\}$.

3.4. System Model

Figure 1 describes the system model of our LS-MRCLSC scheme. There are four entities equipped in vehicles: the TMA, KGC, RSUs, and OBUs. The upper layer is composed of the TMA and KGC, which communicate over the wired channels. The lower layer consists of RSUs and vehicles, which communicate over the wireless channels.

• TMA: The TMA is usually a trusted traffic management department that is responsible for generating the system’s public parameters. Moreover, the TMA helps vehicles generate pseudonyms and traces the real identities of malicious vehicles if necessary.
• KGC: The KGC, composed of $KG{C}_i$$(i=1,2,\dots ,n)$, is responsible for generating the PPKs for vehicles through public channels. $KG{C}_i$ cooperatively negotiates the SMK with $KG{C}_j$$(j=1,2,\dots ,n,j\ne i)$. It could be compromised if attackers achieve a specific threshold t within one epoch. Hence, $KG{C}_i$$(i=1,2,\dots ,n)$ should periodically update their own sub-keys and SMKs.
• RSU: The RSU is the communication equipment installed along the roadside. RSUs can receive and verify the traffic messages from vehicles within their communication range. After verifying the validity of messages, they provide services like network connections for vehicles.
• Vehicles: Each vehicle is equipped with an OBU to sense, compute, and process traffic data. OBUs signcrypt multiple traffic messages and send ciphertext to RSUs or other vehicles. Meanwhile, vehicles can be the receivers, decrypt ciphertext, and obtain traffic data.

3.5. Security Model

According to the definition in [22], a signature system in the IoV faces two types of attacks. A Type I attacker is malicious, denoted as $V_i$. It can attack the security of the LS-MRCLSC scheme and replace the public keys of all vehicles. A Type II attack is a malicious KGC. It can obtain the SMK but cannot replace a user’s public key. Meanwhile, the LS-MRCLSC scheme should simultaneously offer indistinguishability against a chosen ciphertext attack adaptively (IND-CCA2) and existential unforgeability under a chosen message attack (EUF-CMA).

Game I: This game is played between challengers $C_{\mathrm{I}\text{-}1}$ and $A_{\mathrm{I}\text{-}1}$.

Definition 1.

Confidentiality against a Type I attack. If there is no adversary, $A_{I\text{-}1}$ can win Game I with a non-negligible probability in polynomial time, so the LS-MRCLSC scheme offers IND-CCA2.

• $C_{\mathrm{I}\text{-}1}$ executes the system initialization algorithm, generates the system parameters $params$, and returns the results to $A_{\mathrm{I}\text{-}1}$.
• $C_{\mathrm{I}\text{-}1}$ executes the following queries adaptively.

  (1)

  PPK generation query: $A_{\mathrm{I}\text{-}1}$ chooses an identity $PI{D}_{i,j}$, and challenger $C_{\mathrm{I}\text{-}1}$ computes $(R_i,d_i)\leftarrow PPKgeneration(params,s,PI{D}_{i,j})$ and returns it to $A_{\mathrm{I}\text{-}1}$.

  (2)

  Private key generation query: $A_{\mathrm{I}\text{-}1}$ chooses an identity $PI{D}_{i,j}$, and challenger $C_{\mathrm{I}\text{-}1}$ computes $d_i\leftarrow \mathrm{PPKGen}(params,s,PI{D}_{i,j})$, $x_i\leftarrow \mathrm{Sec}\mathrm{retKeyValue}(params,PI{D}_{i,j})$, and $S{K}_i\leftarrow \mathrm{PrivateKeyGen}(params,PI{D}_{i,j},x_i,d_i)$ and returns $S{K}_i$ to $A_{\mathrm{I}\text{-}1}$.

  (3)

  Public key generation query: $A_{\mathrm{I}\text{-}1}$ chooses an identity $PI{D}_{i,j}$, and challenger $C_{\mathrm{I}\text{-}1}$ computes $R_i\leftarrow \mathrm{PPKGen}(params,s,PI{D}_{i,j})$, $X_i\leftarrow \mathrm{Sec}\mathrm{retKeyValue}(params,PI{D}_{i,j})$, and $P{K}_i\leftarrow \mathrm{PublicKeyGen}(params,PI{D}_{i,j},X_i,R_i)$ and returns $P{K}_i$ to $A_{\mathrm{I}\text{-}1}$.

  (4)

  Signcryption query: $A_{\mathrm{I}\text{-}1}$ chooses $PI{D}_a$, $PI{D}_b$, and message m, and challenger $C_{\mathrm{I}\text{-}1}$ executes a private key generation query for $PI{D}_a$ and public key generation queries for $PI{D}_a$ and $PI{D}_b$, computes $C_m=\mathrm{Signcryption}(m,S{K}_a,P{K}_a,P{K}_b)$, and returns $C_m$ to $A_{\mathrm{I}\text{-}1}$.

  (5)

  UnSigncryption query: $A_{\mathrm{I}\text{-}1}$ chooses $PI{D}_a$, $PI{D}_b$, and ciphertext $C_m$, and challenger $C_{\mathrm{I}\text{-}1}$ executes a private key generation query for $PI{D}_b$ and public key generation queries for $PI{D}_a$ and $PI{D}_b$, computes $\mathrm{UnSigncryption}(C_m,S{K}_b,P{K}_a,P{K}_b)$, and returns m to $A_{\mathrm{I}\text{-}1}$.

  (6)

  Public key replacement: At any time, $A_{\mathrm{I}\text{-}1}$ chooses a new value to replace $P{K}_i$.

• $A_{\mathrm{I}\text{-}1}$ generates two isometric messages $m_0$, $m_1$ and two identities $PI{D}_a$, $PI{D}_b$ as a challenge, where $PI{D}_b$ cannot be the identity that has executed the PPK generation query or private key generation query. $C_{\mathrm{I}\text{-}1}$ randomly chooses $j\in \left\{0,1\right\}$, computes $C_m=\mathrm{Signcryption}(m_j,S{K}_a,P{K}_a,P{K}_b)$, and returns $C_m$ to $A_{\mathrm{I}\text{-}1}$.
• In the guess stage, $A_{\mathrm{I}\text{-}1}$ executes polynomial bounded degree queries similar to step 2, but it cannot execute the PPK generation query, private key generation query, or UnSigncryption query for $C_m$.
• $A_{\mathrm{I}\text{-}1}$ outputs $j^{\prime }$ as the guess of j. If $j^{\prime }=j$, $A_{\mathrm{I}\text{-}1}$ wins Game I.

Game II: This game is played between challengers $C_{\mathrm{II}\text{-}1}$ and $A_{\mathrm{II}\text{-}1}$.

Definition 2.

Confidentiality against a Type II attack. If there is no adversary, $A_{\mathit{II}\text{-}1}$ can win Game II with a non-negligible probability in polynomial time, so the LS-MRCLSC scheme offers IND-CCA2.

• $C_{\mathrm{II}\text{-}1}$ executes the system initialization algorithm, generates the system parameters $params$, and returns $params$ and s to $A_{\mathrm{II}\text{-}1}$.
• $C_{\mathrm{II}\text{-}1}$ executes queries adaptively, as in Definition 1, except for the PPK generation query and public key replacement.
• The challenge stage and guess stage are the same as in Definition 1.
• $A_{\mathrm{II}\text{-}1}$ outputs $j^{\prime }$ as the guess of j. If $j^{\prime }=j$, $A_{\mathrm{II}\text{-}1}$ wins Game II.

Game III: This game is played between challengers $C_{\mathrm{I}\text{-}2}$ and $A_{\mathrm{I}\text{-}2}$.

Definition 3.

Unforgeability against a Type I attack. If there is no adversary, $A_{I\text{-}2}$ can win Game III with a non-negligible probability in polynomial time, so the LS-MRCLSC scheme offers EUF-CMA.

• $A_{\mathrm{I}\text{-}2}$ executes steps 1 and 2, as in Definition 1.
• $A_{\mathrm{I}\text{-}2}$ outputs a new signature $\{C_m^{\prime },PI{D}_{i,j}\}$. Moreover, $PI{D}_{i,j}$ does not execute a PPK generation query, private key generation query, or signcryption query. If the result of UnSigncryption $(C_m^{\prime },PI{D}_{i,j})$ is ‘1’, then $A_{\mathrm{I}\text{-}2}$ wins Game III.

Game IV: This game is played between challengers $C_{\mathrm{II}\text{-}2}$ and $A_{\mathrm{II}\text{-}2}$.

Definition 4.

Unforgeability against a Type II attack. If there is no adversary, $A_{\mathit{II}\text{-}2}$ can win Game IV with a non-negligible probability in polynomial time, so the LS-MRCLSC scheme offers EUF-CMA.

• $A_{\mathrm{II}\text{-}2}$ executes steps 1 and 2, as in Definition 2.
• $A_{\mathrm{II}\text{-}2}$ outputs a new signature $\{C_m^{\prime },PI{D}_{i,j}\}$. Moreover, $PI{D}_{i,j}$ does not execute a PPK generation query, private key generation query, or signcryption query. If the result of UnSigncryption $(C_m^{\prime },PI{D}_{i,j})$ is ‘1’, then $A_{\mathrm{II}\text{-}2}$ wins Game IV.

3.6. Security Goals

The LS-MRCLSC scheme should fulfill the following security requirements:

• Data confidentiality: The traffic data should be encrypted during transmission, and only the designated receivers can decrypt the corresponding ciphertext.
• Message unforgeability: The LS-MRCLSC scheme can resist signature forgeability attacks. Receivers ($V_i$ or RSUs) can verify the validity of signatures to confirm that the messages were sent by valid vehicles and not tampered with during transmission.
• Anonymity: Vehicles should utilize pseudonyms to communicate with others. Apart from the TMA, any third-party entity cannot know the real identities of registered vehicles.
• Unlinkability: No vehicle, RSU, or other third party can judge whether two or more messages are from the same vehicle. In other words, attackers cannot trace vehicles through messages over public channels.
• Resist KGC damage attacks: Attackers cannot steal the system master key when they compromised fewer than t $KG{C}_i$ (t < n, where n denotes the total number of $KG{C}_i$) in the same period. Even if the current SMK is disclosed, attackers cannot obtain the previous or subsequent communication keys.
• Forward and backward secrecy: Although the private keys of vehicles and KGCs are disclosed in the current period, attackers cannot obtain the previous or subsequent private keys.
• Resistance to replay attack: This prevents attackers from re-transmitting messages that were eavesdropped over public channels.

4. The LS-MRCLSC Scheme for the IoV

4.1. High-Level Description

Our LS-MRCLSC scheme contains six stages: system initialization, pseudonym generation, key generation, message signcryption and unsigncryption, KGC secret key update, and malicious vehicle tracing. Figure 2 shows the detailed process.

In the system initialization stage, the TMA and KGC generate their own private keys and system public parameters. In the pseudonym generation stage, vehicle registration is accomplished through the TMA. In the key generation stage, vehicles compute complete public and private keys with the help of $KG{C}_i$. In the message signcryption and unsigncryption stage, the sender vehicle signcrypts the messages and sends the ciphertext to other vehicles or RSUs. Then, the receiver vehicles or RSUs unsigncrypt the ciphertext to obtain the traffic-related information. In the KGC secret key update stage, $KG{C}_i$$(i=1,2,\dots ,n)$ update their own sub-keys and SMKs by executing the FVSS algorithm. In the malicious vehicle tracing stage, the TMA retrieves the real identities of malicious vehicles and punishes them.

4.2. System Initialization

In this stage, the TMA and KGC generate the public system parameters, which is the public input in the later stages.

• TMA initialization. The TMA generates its private key, which is used to register vehicles. Furthermore, the TMA generates some of the public system parameters. The steps are as follows:

  (1)

  Input security parameter $\lambda$, and let $\mathbb{G}$ be an additive cyclic group generated by P with prime order q.

  (2)

  Randomly choose $a\in {\mathbb{Z}}_q^{*}$ as its private key, store it secretly, and set the public key $T_{pub}=aP$.

  (3)

  To fulfill the security requirements of the proposed scheme, six secure one-way hash functions are selected. $H_0:\mathbb{G}\to {\mathbb{Z}}_q^{*}$ is used to achieve key agreement [47] in pseudonym generation requests and PPK generation, which enables the PPK to be transmitted over public channels. $H_1:\mathbb{G}\times {\mathbb{Z}}_q^{*}\times {\mathbb{Z}}_q^{*}\to {\mathbb{Z}}_q^{*}$ is used to request pseudonyms, which enables the registration request to be transmitted over public channels. $H_2:\mathbb{G}\times {\{0,1\}}^{*}\to {\mathbb{Z}}_q^{*}$ is used to generate pseudonyms for vehicles, which provides a secure link between the real identity and pseudo-identity of vehicles to the TMA. If the vehicle sends fake or faulty messages, the TMA can retrieve its real identity from the pseudonym. $H_3:{\mathbb{Z}}_q^{*}\times \mathbb{G}\times \mathbb{G}\times \mathbb{G}\to {\mathbb{Z}}_q^{*}$ is used to generate PPKs for vehicles, which guarantees that the SMK cannot be calculated by attackers. $H_4:{\mathbb{Z}}_q^{*}\times \mathbb{G}\times \mathbb{G}\times {\{0,1\}}^{*}\times {\{0,1\}}^{*}\to {\mathbb{Z}}_q^{*}$ is used to generate signatures. The timestamp and public key in $H_4$ achieve unforgeability and resist replay attacks. $H_5:{\mathbb{Z}}_q^{*}\times \mathbb{G}\times \mathbb{G}\times \mathbb{G}\times \mathbb{G}\to {\mathbb{Z}}_q^{*}$ is used to generate the encryption key, which supports data confidentiality in the proposed scheme.

  (4)

  Define a one-way index function $F_{index}:{\mathbb{Z}}_q^{*}\times {\{0,1\}}^{*}\to {\mathbb{Z}}_q^{*}$. In $F_{index}(n,PI{D}_{R_i})$, n denotes the input number of $PI{D}_{R_i}$, $PI{D}_R=\{PI{D}_{R_1},PI{D}_{R_2},\dots ,PI{D}_{R_n}\}$ denotes the receiver vehicle identity, and the output of $F_{index}(n,PI{D}_{R_i})$ is $i=1,2,\dots ,n$. In other words, $F_{index}(n,PI{D}_{R_i})$ uniformly maps each user $PI{D}_{R_i}$ to a unique value in the set $i=1,2,\dots ,n$. It is used to locate the ciphertext from $C_m$ for the receivers.

• KGC initialization. In our scheme, the KGC is composed of $\{KG{C}_1, KG{C}_2,\dots ,$ $KG{C}_n\}$. $KG{C}_i$$(i=1,2,\dots ,n)$ generate their own sub-keys and SMKs. The steps are as follows:

  (1)

  Randomly choose a polynomial on $F_q$: $g_i\left(x\right)=a_{i,0}+a_{i,1}x+\dots +a_{i,t-1}{x}^{t-1}$, where $a_{i,j}\in {\mathbb{Z}}_q^{*}$.

  (2)

  Execute the FVSS algorithm: $FVSS(g_i\left(x\right),n,t)=(s_{i,1},s_{i,2},\dots ,s_{i,n})$. For $j=1,2,\dots ,n$, $KG{C}_i$ sends $s_{i,j}$ to $KG{C}_j(j\ne i)$ and broadcasts commitment $\{a_{i,0}P,a_{i,1}P,\dots ,a_{i,t-1}P\}$.

  (3)

  Check whether $s_{j,i}P={\displaystyle \sum _{\ell =0}^{t-1}}\left(i^{\ell }\left(a_{j,\ell }P\right)\right)+a_{j,0}P$ holds to verify the validity of $s_{j,i}$ from $KG{C}_j$. If it holds, $KG{C}_i$ computes its sub-key $s_i={\sum }_{j=1}^t{s}_{j,i}$ and sets sub-public key $P_i=s_{i}P$.

  (4)

  For index set $I=\{i_1,i_2,\dots ,i_t\}$, compute ${\delta }_{\ell }={\displaystyle \prod _{j{\ne }_{\ell },j\in I}}\frac{j}{j{-}_{\ell }}$, set SMK $s={\displaystyle \sum _{\ell =1}^t}{\delta }_{\ell }{s}_{\ell }$ and system public key $P_{pub}=sP$.

  (5)

  Publish the system public parameters $params=\{q,P,\mathbb{G},F_{index}(n,PI{D}_{R_i}),$ $F_q,T_{pub},P_{pub},H_0,H_1,H_2,H_3,H_4,H_5,P_i,{\delta }_i\}$$(i=1,2,\dots ,n)$.

4.3. Pseudonym Generation

In this stage, vehicles request registration from the TMA. In the IoV, a batch of pseudonyms is necessary to protect the privacy of vehicles’ identities and historical routes. The steps are as follows:

(1)

$V_i$ randomly selects $x_i\in {\mathbb{Z}}_q^{*}$ and computes $X_i=x_{i}P$, $h_0=H_0\left(x_i{T}_{pub}\right)$, $I{D}_i=RI{D}_i\oplus h_0$, and $h_{1i}=H_1(X_i\left|\right|I{D}_i\left|\right|n)$. Then, $V_i$ sends the registration request $\{h_{1i},X_i,I{D}_i,n\}$ to the TMA over public channels, where n denotes the requested number of pseudonyms.

(2)

After receiving $\{h_{1i},X_i,I{D}_i,n\}$, the TMA computes $h_{{}_{1i}}^{\prime }=H_1(X_i\left|\right|I{D}_i\left|\right|n)$ and checks whether $h_{{}_{1i}}^{\prime }=h_{1i}$. If not, the TMA rejects the registration request. Otherwise, the TMA computes $h_0=H_0\left(a{X}_i\right)$ and retrieves the real identity of $V_i$: $RI{D}_i=I{D}_i\oplus h_0$.

(3)

For $j=1,2,\dots ,n$, the TMA computes $Q_{i,j}=RI{D}_i\oplus h_{2i}$, where $h_{2i}=H_2(a{X}_i\left|\right|T_{i,j})$, and sets pseudonym $PI{D}_{i,j}=\{Q_{i,j},T_{i,j}\}$, where $T_{i,j}$ is the valid period of $PI{D}_{i,j}$. The anonymous identity is $PID=\{PI{D}_{i,1},PI{D}_{i,2},\dots ,$$PI{D}_{i,n}\}$.

(4)

To avoid heavy communication costs between vehicles and the KGC in requesting PPKs, the TMA sends $PID$ and $\{PID,X_i\}$ to $V_i$ and KGC, respectively.

4.4. Key Generation

In this stage, $V_i$ obtains a PPK from the KGC and computes the complete public and private keys.

• PPK Generation. After receiving $\{PID,X_i\}$, the KGC generates a PPK that corresponds to $PI{D}_{i,j}$$(j=1,2,\dots ,n)$. To improve the robustness and reduce economic expenditure, we utilize key agreements to enable the PPK to be transmitted over public channels. The steps are as follows:

  (1)

  Randomly select $l_i\in {\mathbb{Z}}_q^{*}$, and compute $L_i=l_{i}P$, $h_{3i}=H_3(PI{D}_{i,j}\left|\right|X_i\left|\right|L_i\left|\right|P_{pub})$.

  (2)

  Set $k_i=[l_i+{\delta }_i{s}_i{h}_{3i}-H_0\left(s_i{X}_i\right)]\mathrm{mod}q$, and send $(L_i,k_i)$ to $V_i$ over public channels.

  (3)

  $V_i$ computes $h_{3i}=H_3(PI{D}_{i,j}\left|\right|X_i\left|\right|L_i\left|\right|P_{pub})$, and checks whether $k_{i}P=L_i+h_{3i}{\delta }_i{P}_i-H_0\left(x_i{P}_i\right)P$ holds. If not, $V_i$ applies for registration and a PPK again. Otherwise, $V_i$ computes $y_i=[k_i+H_0\left(x_i{P}_i\right)]\mathrm{mod}q=(l_i+{\delta }_i{s}_i{h}_{3i})\mathrm{mod}q$.

  (4)

  For sets $y=\{y_1,y_2,\dots ,y_t\}$ and $L=\{L_1,L_2,\dots ,L_t\}$, $V_i$ generates a complete PPK $d_i={\displaystyle \sum _{i=1}^t}{y}_i$ and the corresponding public key $R_i={\displaystyle \sum _{i=1}^t}{L}_i$.

• Private Key Generation. Set private key $S{K}_i=(x_i+d_i)modq$. Store $S{K}_i$ and $PID$ in a tamper-proof device (TPD).
• Public Key Generation. Set public key $P{K}_i=(X_i,R_i)$.

4.5. Message Signcryption and Unsigncryption

In this stage, sender $V_i$ signcrypts messages that are collected by sensors and transmits the ciphertext to other vehicles or RSUs. Receivers unsigncrypt the designated ciphertext to obtain traffic-related information. For convenience, we only describe the process of message signcryption and unsigncryption between sender $V_i$ and receiver $V_{R_i}$.

• Message Signcryption. This algorithm is executed by $V_i$. In the IoV, vehicles broadcast their public keys and communication pseudonyms on the way. Sender $V_i$ obtains n vehicles’ identities $PI{D}_R=\{PI{D}_{R_1},PI{D}_{R_2},\dots ,PI{D}_{R_n}\}$ and collects the corresponding messages $M=\{m_{R_1},m_{R_2},\dots ,m_{R_n}\}$, where $m_{R_i}\in {\{0,1\}}^{*}$. Sender $V_i$ randomly chooses a private key $S{K}_i$ and a pseudonym $PI{D}_{i,j}$ from the TPD to signcrypt M. The steps are as follows:

  (1)

  Select a random integer $z\in {\mathbb{Z}}_q^{*}$ and compute $Z=zP$. For $PI{D}_{R_i}$$(1\le i\le n)$, $V_i$ executes steps 2–4.

  (2)

  Compute $J_{R_i}=F_{index}(n,PI{D}_{R_i})$, where $J_{R_i}$$\in [1,n]$.

  (3)

  Compute $h_4^{{}_{R_i}}=H_4(PI{D}_{i,j}\left|\right|P{K}_i\left|\right|Z\left|\right|m_i\left|\right|t_{R_i,1})$ and signature $si{g}_{R_i}=[z+h_4^{{}_{R_i}}{SK}_i]modq$, where $t_{R_i,1}$ is the OBU’s current timestamp related to $V_{R_i}$. Let $J_{R_i}$ be the index of $t_{R_i,1}$ in set T, which means that $T\left[J_{R_i}\right]=t_{R_i,1}$.

  (4)

  Compute $U_{R_i}=z{X}_{R_i}$, $K_{R_i}=H_5(PI{D}_{i,j}\left|\right|P{K}_i\left|\right|Z\left|\right|P{K}_{R_i}\left|\right|U_{R_i})$ and ciphertext $c_{R_i}=K_{R_i}\oplus (m_i\left|\right|si{g}_{R_i})$. Let $J_{R_i}$ be the index of $c_{R_i}$ in $CT$, which means that $CT\left[J_{R_i}\right]=c_{R_i}$.

  (5)

  Set $C_m=\{Z,T,CT\}$ as the signcryption ciphertext and send it to all receivers.

• Message Unsigncryption. This algorithm is executed by receiver $V_{R_i}$. The steps are as follows:

  (1)

  Compute $J_{R_i}=F_{index}(n,PI{D}_{R_i})$.

  (2)

  Obtain $t_{R_i,1}$ from T and check whether $|t_{R_i,2}-t_{R_i,1}| \le \Delta tt$ holds, where $t_{R_i,2}$ denotes the current timestamp of $V_{R_i}$, and $\Delta$$tt$ denotes the valid time interval. If so, $V_{R_i}$ executes step 3. Otherwise, output ⊥.

  (3)

  Obtain $c_{R_i}$ from $CT$ and compute $U_{{}_{R_i}}^{\prime }=x_{R_i}Z$, $K_{{}_{R_i}}^{\prime }=H_5(PI{D}_{i,j}\left|\right|P{K}_i\left|\right|Z\left|\right|P{K}_{R_i}\left|\right|U_{{}_{R_i}}^{\prime })$, $(m_{R_i}\left|\right|si{g}_{R_i})=K_{{}_{R_i}}^{\prime }\oplus c_{R_i}$.

  (4)

  Compute $h_{3i}=H_3(PI{D}_{i,j}\left|\right|X_i\left|\right|R_i\left|\right|P_{pub})$, $h_4^{{}_{R_i}}=H_4(PI{D}_{i,j}\left|\right|P{K}_i\left|\right|Z\left|\right|m_{R_i}\left|\right|$$t_{R_i,1})$, and check whether $si{g}_{R_i}P=Z+h_4^{{}_{R_i}}(X_{\mathrm{i}}+R_{\mathrm{i}}+h_{3i}{P}_{pub})$ holds. If not, output ⊥. Otherwise, output $m_{R_i}$.

4.6. KGC Secret Key Update

In this stage, $KG{C}_i$$(i=1,2,\dots ,n)$ update their sub-keys and SMKs to resist APT attacks. The steps are as follows:

(1)

Randomly choose a polynomial on $F_q:g_i^x\left(x\right)=b_{i,0}+b_{i,1}x+\dots +b_{i,t-1}{x}^{t-1}$, where $b_{i,j}\in {\mathbb{Z}}_q^{*}$.

(2)

Execute the FVSS algorithm: $FVSS(g_i^x\left(x\right),n,t)=(w_{i,1},w_{i,2},\dots ,w_{i,n})$. For $j=1,2,\dots ,$ n, $KG{C}_i$ sends $w_{i,j}$ to $KG{C}_j$$(j\ne i)$ and broadcasts commitment $\{b_{i,0}P,b_{i,1}P,\dots ,b_{i,t-1}P\}$.

(3)

Check whether $w_{j,i}P={\displaystyle {\displaystyle \sum _{\ell =0}^{t-1}}}\left(i^{\ell }\left(b_{j,\ell }P\right)\right)+b_{j,0}P$ holds to verify the validity of $w_{j,i}$ from $KG{C}_j$ $(j=1,2,\dots ,n,j\ne i)$. If it holds, $KG{C}_i$ computes its new sub-key $s_i^{\prime }={\sum }_{j=1}^t{w}_{j,i}$ and sets a new sub-public key $P_{{}_i}^{\prime }=s_{{}_i}^{\prime }P$.

(4)

For index set $I=\{i_1,i_2,\dots ,i_t\}$, compute ${\delta }_{\ell }={\displaystyle \prod _{j{\ne }_{\ell },j\in I}}\frac{j}{j{-}_{\ell }}$ and set a new SMK $s^{\prime }={\displaystyle \sum _{\ell =1}^t}{\delta }_{\ell }{s}_{\ell }^{\prime }$ and a new system public key $P_{{}_{pub}}^{\prime }=s^{\prime }P$.

(5)

After the KGC finishes the key update, it instructs vehicles to reapply for a PPK.

4.7. Malicious Vehicle Tracing

In this stage, the TMA traces and punishes malicious vehicles that transmit fake or faulty messages. The steps are as follows:

(1)

If vehicles in the IoV find that the message is fake or faulty after decryption, they send the sender vehicle’s $PI{D}_{i,j}$ and detailed illegal behavior to the TMA with the help of the RSUs.

(2)

When receiving $PI{D}_{i,j}=\{Q_{i,j},T_{i,j}\}$, the TMA first quickly retrieves $RI{D}_i=Q_{i,j}\oplus H_2(a{X}_i\left|\right|T_{i,j})$ with private key a. Then, the TMA investigates and verifies the reporting information. If it is true, the TMA reduces the reputation level of vehicle $RI{D}_i$ and imposes fines on its owners. Moreover, the punished vehicle may be removed from the IoV assuming that $RI{D}_i$ made a major mistake. Lastly, the TMA sets the vehicle’s corresponding public key $X_i$ as invalid and broadcasts this to the RSUs. The RSUs stop supporting services for $RI{D}_i$ for a period of time.

4.8. Correctness Analysis of the LS-MRCLSC Scheme

The correctness of the LS-MRCLSC scheme is guaranteed by the following equations.

• From Section 4.2 and Section 4.4, we know that $P_i=s_{i}P$, $L_i=l_{i}P$, $X_i=x_{i}P$, and $k_i=r_i+{\delta }_i{s}_i{h}_{3i}-H_0\left(s_i{X}_i\right)$. Since vehicle $V_i$ does not know $s_i$, it computes $H_0\left(s_i{X}_i\right)=H_0\left(s_i{x}_{i}P\right)=H_0\left(x_i\left(s_{i}P\right)\right)=H_0\left(x_i{P}_i\right)$ according to the key agreement in [47]. Then, $V_i$ verifies the correctness of the temporary PPK using the following equation:

  $$\begin{array}{lll}{k}_{i}P& =& (l_i+h_{3i}{\delta }_i{s}_i-H_0\left(x_i{P}_i\right))P\\ & =& l_{i}P+h_{3i}{\delta }_i\left(s_{i}P\right)-H_0\left(x_i{P}_i\right)P\\ & =& L_i+{\delta }_i{h}_{3i}{P}_i-H_0\left(x_i{P}_i\right)P\end{array}$$

  (1)
• From Section 4.5, we know that $U_{R_i}=z{X}_{R_i}$, $X_{R_i}=x_{R_i}P$, $c_{R_i}=K_{R_i}\oplus (m_{R_i}\left|\right|si{g}_{R_i})$. After computing index $J_{R_i}$, receiver vehicle $V_{R_i}$ obtains parameter Z. Since $V_{R_i}$ does not know z, it computes $U_{R_i}^{\prime }=z{X}_{R_i}=z{x}_{R_i}P=x_{R_i}\left(zP\right)=x_{R_i}Z$ according to the key agreement in [47]. If $V_{R_i}$ can decrypt $c_{R_i}$ with $K_{R_i}^{\prime }=H_5\left(Z\right||P{K}_{R_i}\left|\right|U_{R_i}^{\prime })=K_{R_i}$, it means that Z has not been tampered with or replaced. The correctness of the decryption process is expressed as follows:

  $$\begin{array}{lll}\left(m_{R_i}\right|\left|si{g}_{R_i}\right)& =& K_{{}_{R_i}}^{\prime }\oplus c_{R_i}\\ & =& H_5(PI{D}_{i,j}\left|\right|P{K}_i\left|\right|Z\left|\right|P{K}_{R_i}\left|\right|U_{{}_{R_i}}^{\prime })\oplus c_{R_i}\\ & =& H_5(PI{D}_{i,j}\left|\right|P{K}_i\left|\right|Z\left|\right|P{K}_{R_i}\left|\right|x_{R_i}Z)\oplus c_{R_i}\\ & =& H_5(PI{D}_{i,j}\left|\right|P{K}_i\left|\right|Z\left|\right|P{K}_{R_i}\left|\right|z{X}_{R_i})\oplus c_{R_i}\\ & =& H_5(PI{D}_{i,j}\left|\right|P{K}_{i}Z\left|\right|P{K}_{R_i}\left|\right|U_{R_i})\oplus c_{R_i}\\ & =& K_{{}_{R_i}}\oplus c_{R_i}\end{array}$$

  (2)
• From Section 4.4, we know that $S{K}_i=(x_i+d_i)$, $R_i={\displaystyle \sum _{i=1}^t}{L}_i$, $d_i={\displaystyle \sum _{i=1}^t}{y}_i={\displaystyle \sum _{i=1}^t}(l_i$$+{\delta }_i{s}_i{h}_{3i})={\displaystyle \sum _{i=1}^t}{l}_i+{\displaystyle \sum _{i=1}^t}\left({\delta }_i{s}_i{h}_{3i}\right)$, $X_i=x_{i}P$, $P_{pub}=sP={\displaystyle \sum _{i=1}^t}\left({\delta }_i{s}_{i}P\right)$, $d_{i}P={\displaystyle \sum _{i=1}^t}{y}_{i}P=$${\displaystyle \sum _{i=1}^t}(l_i+{\delta }_i$ $s_i{h}_{3i})P={\displaystyle \sum _{i=1}^t}{l}_{i}P+{\displaystyle \sum _{i=1}^t}\left({\delta }_i{s}_i{h}_{3i}\right)P={\displaystyle \sum _{i=1}^t}{L}_i+h_{3i}{P}_{pub}=R_i+h_{3i}{P}_{pub}$. Therefore, the correctness of the verification process is expressed as follows:

  $$\begin{array}{lll}si{g}_{R_i}P& =& (z+h_4^{{}_{R_i}}{SK}_i)P\\ & =& (z+h_4^{{}_{R_i}}(x_i+d_i))P\\ & =& zP+h_4^{{}_{R_i}}(x_{i}P+d_{i}P)\\ & =& Z+h_4^{{}_{R_i}}(X_i+R_i+h_{3i}{P}_{pub})\end{array}$$

  (3)

5. Security Analysis

In this section, we prove that our LS-MRCLSC scheme can withstand malicious $V_i$ attacks and malicious KGC attacks through Theorems 1–4.

5.1. Data Confidentiality

Theorem 1.

Confidentiality against a Type I attack. If IND-CCA2 adversary $A_{I\text{-}1}$ can win Game I with a non-negligible probability $\mathcal{E}$ in polynomial time, then challenger $C_{I\text{-}1}$ has the advantage of ${\left(\frac{1}{q_1}\right)}^2\frac{\mathcal{E}}{q_2{q}_3}$ in solving the ECCDHP.

Proof of Theorem 1.

Assume that challenger $C_{\mathrm{I}\text{-}1}$ receives a random example of the ECCDHP $(p,q,P,aP,bP)$, where $a,b\in {\mathbb{Z}}_q^{*}$ and $a,b$ are unknown. The goal of $C_{\mathrm{I}\text{-}1}$ is to calculate $abP$. $C_{\mathrm{I}\text{-}1}$ needs the ability of $A_{\mathrm{I}\text{-}1}$ and plays the role of a challenger in the IND-CCA2 game.

Setup: $C_{\mathrm{I}\text{-}1}$ executes the system initialization algorithm and sends $params=$$\{q,P,G,F_{index},F_q,T_{pub},P_{pub},H_0,H_1,H_2,H_3,H_4,H_5,P_i\}$$(i=1,2,\dots ,n)$ to $A_{\mathrm{I}\text{-}1}$. $C_{\mathrm{I}\text{-}1}$ maintains the list $L_0,L_1,L_2,L_3,L_4,L_5,L_P,L_{Pri},L_{Pub}$, which is used to record the results of the $H_0$ query, $H_1$ query, $H_2$ query, $H_3$ query, $H_4$ query, $H_5$ query, PPK generation query, private key query, and public key query, respectively. Initialize all lists as null. The interactive process between $A_{\mathrm{I}\text{-}1}$ and $C_{\mathrm{I}\text{-}1}$ is as follows.

Query Stage: $A_{\mathrm{I}\text{-}1}$ executes the following queries adaptively.

• $H_0$ query: When $A_{\mathrm{I}\text{-}1}$ queries $\{a{X}_i,h_0\}$, $C_{\mathrm{I}\text{-}1}$ returns it if it exists in $L_0$. Otherwise, $C_{\mathrm{I}\text{-}1}$ randomly chooses $h_0\in {\mathbb{Z}}_q^{*}$, adds $\{a{X}_i,h_0\}$ to $L_0$, and returns $h_0$ to $A_{\mathrm{I}\text{-}1}$.
• $H_1$ query: When $A_{\mathrm{I}\text{-}1}$ queries $\{X_i,I{D}_i,n,h_1\}$, $C_{\mathrm{I}\text{-}1}$ returns it if it exists in $L_1$. Otherwise, $C_{\mathrm{I}\text{-}1}$ randomly chooses $h_1\in {\mathbb{Z}}_q^{*}$, adds $\{X_i,I{D}_i,n,h_1\}$ to $L_1$, and returns $h_1$ to $A_{\mathrm{I}\text{-}1}$.
• $H_2$ query: When $A_{\mathrm{I}\text{-}1}$ queries $\left\{a{X}_i,T_{i,j},h_{2i}\right\}$, $C_{\mathrm{I}\text{-}1}$ returns it if it exists in $L_2$. Otherwise, $C_{\mathrm{I}\text{-}1}$ randomly chooses $h_{2i}\in {\mathbb{Z}}_q^{*}$, adds $\left\{a{X}_i,T_{i,j},h_{2i}\right\}$ to $L_2$, and returns $h_{2i}$ to $A_{\mathrm{I}\text{-}1}$.
• $H_3$ query: When $A_{\mathrm{I}\text{-}1}$ queries $\left\{PI{D}_{i,j},X_i,R_i,P_{pub},h_{3i}\right\}$, $C_{\mathrm{I}\text{-}1}$ returns it if it exists in $L_3$. Otherwise, $C_{\mathrm{I}\text{-}1}$ selects $c\in \{0,1\}$, where $Pr[c=1]=\delta$. When $c=0$, $C_{\mathrm{I}\text{-}1}$ randomly chooses $h_{3i}\in {\mathbb{Z}}_q^{*}$, adds $\left\{PI{D}_{i,j},X_i,R_i,P_{pub},h_{3i}\right\}$ to $L_3$, and returns $h_{3i}$ to $A_{\mathrm{I}\text{-}1}$.
• $H_4$ query: When $A_{\mathrm{I}\text{-}1}$ queries $\left\{PI{D}_{i,j},P{K}_i,Z,m_{R_i},t_{R_i},h_4^{R_i}\right\}$, $C_{\mathrm{I}\text{-}1}$ returns it if it exists in $L_4$. Otherwise, $C_{\mathrm{I}\text{-}1}$ randomly chooses $h_4^{R_i}\in {\mathbb{Z}}_q^{*}$, adds $\left\{PI{D}_{i,j},P{K}_i,Z,m_{R_i},t_{R_i},h_4^{R_i}\right\}$ to $L_4$, and returns $h_4^{R_i}$ to $A_{\mathrm{I}\text{-}1}$.
• $H_5$ query: When $A_{\mathrm{I}\text{-}1}$ queries $\left\{PI{D}_{i,j},P{K}_i,Z,P{K}_{R_i},U_{R_i},K_{R_i}\right\}$, $C_{\mathrm{I}\text{-}1}$ returns it if it exists in $L_5$. Otherwise, $C_{\mathrm{I}\text{-}1}$ randomly chooses $K_{R_i}\in {\mathbb{Z}}_q^{*}$, adds $\left\{PI{D}_{i,j},P{K}_i,Z,P{K}_{R_i},U_{R_i},K_{R_i}\right\}$ to $L_5$, and returns $K_{R_i}$ to $A_{\mathrm{I}\text{-}1}$.

PPK generation query: When $A_{\mathrm{I}\text{-}1}$ queries $\left\{PI{D}_{i,j},R_i,d_i\right\}$, $C_{\mathrm{I}\text{-}1}$ returns it if it exists in $L_P$. Otherwise, $C_{\mathrm{I}\text{-}1}$ looks up $\left\{PI{D}_{i,j},X_i,R_i,P_{pub}\right\}\in L_3$, selects a random integer $d_i\in {\mathbb{Z}}_q^{*}$, calculates $R_i=d_{i}P-h_{3i}{P}_{pub}$, returns $\left(d_i,R_i\right)$ to $A_{\mathrm{I}\text{-}1}$, and adds $\left\{PI{D}_{i,j},R_i,d_i\right\}$ to $L_P$.

Private key generation query: When $A_{\mathrm{I}\text{-}1}$ queries $\left\{PI{D}_{i,j},S{K}_i\right\}$, $C_{\mathrm{I}\text{-}1}$ returns it if it exists in $L_{Pri}$. Otherwise, $C_{\mathrm{I}\text{-}1}$ looks for $L_P$ to obtain $d_i$ and randomly selects $x_i\in {\mathbb{Z}}_q^{*}$, returns $\left\{PI{D}_{i,j},S{K}_i\right\}$ to $A_{\mathrm{I}\text{-}1}$, and adds it to $L_{Pri}$.

Public key generation query: When $A_{\mathrm{I}\text{-}1}$ queries $\left\{PI{D}_{i,j},P{K}_i=(X_i,R_i)\right\}$, $C_{\mathrm{I}\text{-}1}$ returns it if it exists in $L_{Pub}$. Otherwise, $C_{\mathrm{I}\text{-}1}$ looks for $L_P$, calculates $R_i=d_{i}P-h_{3i}{P}_{pub}$, selects $x_i\in {\mathbb{Z}}_q^{*}$, computes $X_i=x_{i}P$, $P{K}_i=\left(X_i,R_i\right)$, adds $\left\{PI{D}_{i,j},P{K}_i=(X_i,R_i)\right\}$ to $L_{Pub}$, and returns it to $A_{\mathrm{I}\text{-}1}$. If no corresponding records exist in $L_P$, then it looks for $L_3$. If $c=1$, $C_{\mathrm{I}\text{-}1}$ selects two random integers $x_i,d_i\in {\mathbb{Z}}_q^{*}$, calculates $X_i=x_{i}P$, and $R_i=d_{i}P-h_{3i}{P}_{pub}$; sets $P{K}_i=\left(X_i,R_i\right)$; adds $\left\{PI{D}_{i,j},P{K}_i=(X_i,R_i)\right\}$ to $L_{Pub}$; and returns it to $A_{\mathrm{I}\text{-}1}$. If $c=0$, $C_{\mathrm{I}\text{-}1}$ performs a PPK generation query to obtain $\left(d_i,R_i\right)$, elects $x_i\in {\mathbb{Z}}_q^{*}$, computes $X_i=x_{i}P$, sets $P{K}_i=\left(X_i,R_i\right)$, adds $\left\{PI{D}_{i,j},P{K}_i=(X_i,R_i)\right\}$ to $L_{Pub}$, and returns it to $A_{\mathrm{I}\text{-}1}$.

Public key replacement: $A_{\mathrm{I}\text{-}1}$ chooses a new $si{g}_{{}_{R_i}}^{\prime }$ to replace $si{g}_{{}_{R_i}}$ and replaces $P{K}_i$ with a new $P{K}_i^{\prime }$. $C_{\mathrm{I}\text{-}1}$ updates $L_{Pub}$ with $\left\{PI{D}_{i,j},P{K}_i^{\prime }\right\}$.

For convenience, we assume that the sender is $PI{D}_a$ and the receiver is $PI{D}_b$.

Signcryption query: When $A_{\mathrm{I}\text{-}1}$ queries $\{PI{D}_a,PI{D}_b,si{g}_{R_b},c,m_{R_b}\}$, $C_{\mathrm{I}\text{-}1}$ first looks for $\left\{PI{D}_b,P{K}_{R_b}=(X_{R_b},R_{R_b}),c\right\}$ in $L_{Pub}$. If $c=1$, $C_{\mathrm{I}\text{-}1}$ aborts the game. Otherwise, $C_{\mathrm{I}\text{-}1}$ looks for $\left\{PI{D}_a,S{K}_a\right\}$ in $L_{Pri}$ and $\left\{PI{D}_a,P{K}_a=(X_a,R_a)\right\}$. $C_{\mathrm{I}\text{-}1}$ randomly selects $z\in {\mathbb{Z}}_q^{*}$; computes $Z=zP$, $h_4^{R_b}=H_4(PI{D}_a\left|\right|P{K}_a\left|\right|Z\left|\right|m_{R_b}\left|\right|t_{R_b,1})$, $si{g}_{R_b}=\left[z+h_4^{R_b}S{K}_a\right]modq$, $U_{R_b}=z{X}_{R_b}$, $K_{R_b}=H_5\left(PI{D}_a\left|\right|P{K}_a\left|\right|Z\left|\right|P{K}_{R_b}\left|\right|U_{R_b}\right)$, and $c_{R_b}=K_{R_b}\oplus (m_{R_b}\left|\right|si{g}_{R_b})$; and returns $C_m=\{c_{R_b},t_{R_b},si{g}_{R_b}\}$ to $A_{\mathrm{I}\text{-}1}$.

Unsigncryption query: When $A_{\mathrm{I}\text{-}1}$ queries $\{PI{D}_a,PI{D}_b,C_m,m_{R_b}\}$, $C_{\mathrm{I}\text{-}1}$ first looks for $PI{D}_a$ in $L_{Pub}$.

(1)

If $PI{D}_a$ exists and $c=0$, then $C_{\mathrm{I}\text{-}1}$ looks for $\left\{PI{D}_b,x_b\right\}$, $\left\{PI{D}_a,P{K}_a=(X_a,R_a)\right\}$, and $\left\{PI{D}_b,P{K}_{R_b}=(X_{R_b},R_{R_b})\right\}$ in $L_{Pri}$ and $L_{Pub}$; computes $U_{{}_{R_b}}^{\prime }=x_{b}Z$, $K_{{}_{R_b}}^{\prime }=H_5(PI{D}_a\left|\right|P{K}_a\left|\right|Z\left|\right|P{K}_{R_b}\left|\right|U_{{}_{R_b}}^{\prime })$, and $(m_{R_b}\left|\right|si{g}_{R_b})=K_{{}_{R_b}}^{\prime }\oplus c_{R_b}$; and returns $m_{R_b}$. Otherwise, $C_{\mathrm{I}\text{-}1}$ aborts.

(2)

If $PI{D}_a$ exists and $c=1$, then $C_{\mathrm{I}\text{-}1}$ looks for $\left\{PI{D}_a,P{K}_a=(X_a,R_a)\right\}$ in $L_{Pub}$, $\{PI{D}_a,$$P{K}_a,Z,m_{R_n},t_{R_b},h_4^{R_b}\}$ in $L_4$, and $\left\{PI{D}_b,Z,P{K}_b,U_{R_b},K_{R_b}\right\}$ in $L_5$ and returns $m_{R_b}$. Otherwise, $C_{\mathrm{I}\text{-}1}$ aborts.

(3)

If $PI{D}_a$ does not exist in $L_{Pub}$ (the public key has been replaced), $C_{\mathrm{I}\text{-}1}$ looks for $\{PI{D}_a,P{K}_a=(X_a,$$R_a\left)\right\}$ in $L_{Pub}$, $\left\{PI{D}_a,P{K}_a,Z,m_{R_n},t_{R_b},h_4^{R_b}\right\}$ in $L_4$, and $\left\{PI{D}_b,Z,P{K}_b,U_{R_b},K_{R_b}\right\}$ in $L_5$ and returns $m_{R_b}$. Otherwise, $C_{\mathrm{I}\text{-}1}$ aborts.

Challenge Stage: After polynomial-bounded degree queries, $A_{\mathrm{I}\text{-}1}$ outputs two identities $\left\{PI{D}_a,PI{D}_b\right\}$ and two messages $\{m_0,m_1\}$ as a challenge. If $c=0$, $C_{\mathrm{I}\text{-}1}$ aborts. Otherwise, it randomly selects $z^{*},h_4^{*}\in {\mathbb{Z}}_q^{*}$ and computes $j\in \left\{0,1\right\}$, $si{g}_{R_b}^{*}=z^{*}+h_4^{*}S{K}_a$, $Z^{*}=z^{*}P$, $K_{R_i}=H_5\left(PI{D}_a\left|\right|P{K}_a\left|\right|Z^{*}\left|\right|P{K}_b\left|\right|U_{R_b}\right)$, and $c_{R_b}^{*}=K_{R_b}\oplus (m_j\left|\right|si{g}_{R_b}^{*})$. Then, $C_{\mathrm{I}\text{-}1}$ submits the challenge ciphertext $C_m^{*}=\{c_{R_b}^{*},t_{R_b}^{*},si{g}_{R_b}^{*}\}$ to $A_{\mathrm{I}\text{-}1}$, where $C_{\mathrm{I}\text{-}1}$ knows the information of the public key replacement.

Guess Stage: $A_{\mathrm{I}\text{-}1}$ continues polynomial-bounded degree queries, and outputs $j^{\prime }$ as the guess of j when the simulation stops. If $j^{\prime }=j$, $C_{\mathrm{I}\text{-}1}$ outputs $\left(\frac{S{K}_b-x_b}{h_{3i}}\right)Z^{*}-\frac{z^{*}}{h_{3i}}{R}_b=s{Z}^{*}$ as the solution of the ECCDHP. Otherwise, $C_{\mathrm{I}\text{-}1}$ fails.

Now, we analyze the probability that $C_{\mathrm{I}\text{-}1}$ outputs the correct solution of the ECCDHP. If the following two conditions are satisfied, $A_{\mathrm{I}\text{-}1}$ wins Game I.

(1)

$A_{\mathrm{I}\text{-}1}$ did not submit a PPK generation query or private key query, whose probability is ${\left(\frac{1}{q_1}\right)}^2$.

(2)

$A_{\mathrm{I}\text{-}1}$ did not execute an $H_4$ query or $H_5$ query with the probability $\frac{1}{q_2{q}_3}$.

In summary, if $A_{\mathrm{I}\text{-}1}$ wins Game I with a non-negligible probability $\mathcal{E}$ in polynomial time, $C_{\mathrm{I}\text{-}1}$ can solve the ECCDHP with the probability ${\left(\frac{1}{q_1}\right)}^2\frac{\mathcal{E}}{q_2{q}_3}$. □

Theorem 2.

Confidentiality against a Type II attack. If IND-CCA2 adversary $A_{\mathit{II}\text{-}1}$ can win Game II with a non-negligible probability $\mathcal{E}$ in polynomial time, then challenger $C_{\mathit{II}\text{-}1}$ has the advantage of $\frac{\mathcal{E}}{q_1{q}_2{q}_3}$ in solving the ECCDHP.

Proof of Theorem 2.

Assume that challenger $C_{\mathrm{II}\text{-}1}$ receives a random example of the ECCDHP $(p,q,P,aP,bP)$, where $a,b\in {\mathbb{Z}}_q^{*}$ and $a,b$ are unknown. The goal of $C_{\mathrm{II}\text{-}1}$ is to calculate $abP$. $C_{\mathrm{II}\text{-}1}$ needs the ability of $A_{\mathrm{II}\text{-}1}$ and plays the role of a challenger in the IND-CCA2 game.

Setup: $C_{\mathrm{II}\text{-}1}$ executes the system initialization algorithm and sends $params$$=\{q,P,G,F_{index},F_q,T_{pub},P_{pub},H_0,H_1,H_2,H_3,H_4,H_5,P_i\}$$(i=1,2,\dots ,n)$ to $A_{\mathrm{II}\text{-}1}$. $A_{\mathrm{II}\text{-}1}$ knows the SMK s but cannot execute public key replacement attacks and PPK generation queries. The other assumptions are the same as Theorem 1. The interactive process between $A_{\mathrm{II}\text{-}1}$ and $C_{\mathrm{II}\text{-}1}$ is as follows.

Query Stage: $A_{\mathrm{II}\text{-}1}$ executes an $H_0$ query, $H_1$ query, $H_2$ query, $H_3$ query, $H_4$ query, $H_5$ query, private key generation query, public key generation query, and signcryption query adaptively.

For convenience, we assume that the sender is $PI{D}_a$ and the receiver is $PI{D}_b$.

Unsigncryption query: When $A_{\mathrm{II}\text{-}1}$ queries $\{PI{D}_a,PI{D}_b,C_m,m_{R_b}\}$, $C_{\mathrm{II}\text{-}1}$ first looks for $PI{D}_a$ in $L_{Pub}$.

(1)

If $PI{D}_a$ exists and $c=0$, then $C_{\mathrm{II}\text{-}1}$ looks for $\left\{PI{D}_b,x_b\right\}$, $\left\{PI{D}_a,P{K}_a=(X_a,R_a)\right\}$, and $\left\{PI{D}_b,P{K}_{X_{R_b}}=(X_{R_b},R_{R_b})\right\}$ in $L_{Pri}$ and $L_{Pub}$; computes $U_{{}_{R_b}}^{\prime }=x_{b}Z$, $K_{{}_{R_b}}^{\prime }=H_5(PI{D}_a\left|\right|P{K}_a\left|\right|Z\left|\right|P{K}_{R_b}\left|\right|U_{{}_{R_b}}^{\prime })$, an $(m_{R_b}\left|\right|si{g}_{R_b})=K_{{}_{R_b}}^{\prime }\oplus c_{R_b}$; and returns $m_{R_b}$. Otherwise, $C_{\mathrm{II}\text{-}1}$ aborts.

(2)

If $PI{D}_a$ exists and $c=1$, then $C_{\mathrm{II}\text{-}1}$ looks for $\left\{PI{D}_a,P{K}_a=(X_a,R_a)\right\}$ in $L_{Pub}$, $\{PI{D}_{i,j},P{K}_i,Z,m_{R_i},t_{R_i},h_4^{R_i}\}$ in $L_4$, and $\left\{Z,P{K}_i,U_{R_i},K_{R_i}\right\}$ in $L_5$ and returns $m_{R_b}$. Otherwise, $C_{\mathrm{II}\text{-}1}$ aborts.

(3)

If $PI{D}_a$ does not exist in $L_{Pub}$ (the public key has been replaced), $C_{\mathrm{II}\text{-}1}$ looks for $\{PI{D}_a,P{K}_a=(X_a,R_a)\}$ in $L_{Pub}$, $\left\{PI{D}_{i,j},P{K}_i,Z,m_{R_i},t_{R_i},h_4^{R_i}\right\}$ in $L_4$, and $\left\{Z,P{K}_i,U_{R_i},K_{R_i}\right\}$ in $L_5$ and returns $m_{R_b}$. Otherwise, $C_{\mathrm{II}\text{-}1}$ aborts.

Challenge Stage: After polynomial-bounded degree queries, $A_{\mathrm{II}\text{-}1}$ outputs two identities $\left\{PI{D}_a,PI{D}_b\right\}$ and two messages $\{m_0,m_1\}$ as a challenge. If $c=0$, $C_{\mathrm{II}\text{-}1}$ aborts. Otherwise, it randomly selects $z^{*},h_4^{*}\in {\mathbb{Z}}_q^{*}$ and computes $j\in \left\{0,1\right\}$, $Z^{*}=z^{*}P$, $si{g}_{R_b}^{*}=z^{*}+h_4^{*}S{K}_a$, $K_{R_i}=H_5\left(PI{D}_a\left|\right|P{K}_a\left|\right|Z^{*}\left|\right|P{K}_b\left|\right|U_{R_b}\right)$, and $c_{R_b}^{*}=K_{R_b}\oplus (m_j\left|\right|si{g}_{R_b}^{*})$. Then, $C_{\mathrm{II}\text{-}1}$ submits the challenge ciphertext $C_m^{*}=\{c_{R_b}^{*},t_{R_b}^{*},si{g}_{R_b}^{*}\}$ to $A_{\mathrm{II}\text{-}1}$, where $C_{\mathrm{II}\text{-}1}$ knows the SMK s.

Guess Stage: $A_{\mathrm{II}\text{-}1}$ continues polynomial-bounded degree queries and outputs $j^{\prime }$ as the guess of j when the simulation stops. If $j^{\prime }=j$, $C_{\mathrm{II}\text{-}1}$ outputs $(S{K}_b-d_b)Z^{*}=x_b{Z}^{*}$ as the solution of the ECCDHP. Otherwise, $C_{\mathrm{II}\text{-}1}$ fails.

Now, we analyze the probability that $C_{\mathrm{II}\text{-}1}$ outputs the correct solution of the ECCDHP. If the following two conditions are satisfied, $A_{\mathrm{II}\text{-}1}$ wins Game II.

(1)

$A_{\mathrm{II}\text{-}1}$ did not submit a private key query, whose probability is $\frac{1}{q_1}$.

(2)

$A_{\mathrm{II}\text{-}1}$ did not execute an $H_4$ query or $H_5$ query with the probability $\frac{1}{q_2{q}_3}$.

In summary, if $A_{\mathrm{II}\text{-}1}$ wins Game I with a non-negligible probability $\mathcal{E}$ in polynomial time, $C_{\mathrm{II}\text{-}1}$ can solve the ECCDHP with the probability $\frac{\mathcal{E}}{q_1{q}_2{q}_3}$. □

5.2. Message Unforgeability

Theorem 3.

Unforgeability against a Type I attack. If EUF-CMA adversary $A_{I\text{-}2}$ can win Game III with a non-negligible probability $\mathcal{E}$ in polynomial time, then challenger $C_{I\text{-}2}$ has the advantage of ${\left(\frac{1}{q_1}\right)}^2\frac{\mathcal{E}}{q_2}$ in solving the ECDLP.

Proof of Theorem 3.

Assume that challenger $C_{\mathrm{I}\text{-}2}$ receives a random example of the ECDLP $(p,q,P,aP)$, where $a\in {\mathbb{Z}}_q^{*}$ and a is unknown. The goal of $C_{\mathrm{I}\text{-}2}$ is to calculate a. $C_{\mathrm{I}\text{-}2}$ needs the ability of $A_{\mathrm{I}\text{-}2}$ and plays the role of a challenger in the EUF-CMA game.

Setup: $C_{\mathrm{I}\text{-}2}$ executes the system initialization algorithm and sends $params=\{q,P,G,F_{index},F_q,T_{pub},P_{pub},H_0,H_1,H_2,H_3,H_4,H_5,P_i\}$$(i=1,2,\dots ,n)$ to $A_{\mathrm{I}\text{-}2}$. $C_{\mathrm{I}\text{-}2}$ maintains the list $L_0,L_1,L_2,L_3,L_4,L_5,L_P,L_{Pri},L_{Pub}$, which is used to record the results of the $H_0$ query, $H_1$ query, $H_2$ query, $H_3$ query, $H_4$ query, $H_5$ query, PPK generation query, private key query, and public key query, respectively. Initialize all lists as null. The interactive process between $A_{\mathrm{I}\text{-}2}$ and $C_{\mathrm{I}\text{-}2}$ is as follows.

Query Stage: $A_{\mathrm{I}\text{-}2}$ executes the following queries adaptively.

• $H_0$ query: When $A_{\mathrm{I}\text{-}2}$ queries $\{a{X}_i,h_0\}$, $C_{\mathrm{I}\text{-}2}$ returns it if it exists in $L_0$. Otherwise, $C_{\mathrm{I}\text{-}2}$ randomly chooses $h_0\in {\mathbb{Z}}_q^{*}$, adds $\{a{X}_i,h_0\}$ to $L_0$, and returns $h_0$ to $A_{\mathrm{I}\text{-}2}$.
• $H_1$ query: When $A_{\mathrm{I}\text{-}2}$ queries $\{X_i,I{D}_i,n,h_1\}$, $C_{\mathrm{I}\text{-}2}$ returns it if it exists in $L_1$. Otherwise, $C_{\mathrm{I}\text{-}2}$ randomly chooses $h_1\in {\mathbb{Z}}_q^{*}$, adds $\{X_i,I{D}_i,n,h_1\}$ to $L_1$, and returns $h_1$ to $A_{\mathrm{I}\text{-}2}$.
• $H_2$ query: When $A_{\mathrm{I}\text{-}2}$ queries $\left\{a{X}_i,T_{i,j},h_{2i}\right\}$, $C_{\mathrm{I}\text{-}2}$ returns it if it exists in $L_2$. Otherwise, $C_{\mathrm{I}\text{-}2}$ randomly chooses $h_{2i}\in {\mathbb{Z}}_q^{*}$, adds $\left\{a{X}_i,T_{i,j},h_{2i}\right\}$ to $L_2$, and returns $h_{2i}$ to $A_{\mathrm{I}\text{-}2}$.
• $H_3$ query: When $A_{\mathrm{I}\text{-}2}$ queries $\left\{PI{D}_{i,j},X_i,R_i,P_{pub},h_{3i}\right\}$, $C_{\mathrm{I}\text{-}2}$ returns it if it exists in $L_3$. Otherwise, $C_{\mathrm{I}\text{-}2}$ selects $c\in \{0,1\}$, where $Pr[c=1]=\delta$. When $c=0$, $C_{\mathrm{I}\text{-}2}$ randomly chooses $h_{3i}\in {\mathbb{Z}}_q^{*}$, adds $\left\{PI{D}_{i,j},X_i,R_i,P_{pub},h_{3i}\right\}$ to $L_3$, and returns $h_{3i}$ to $A_{\mathrm{I}\text{-}2}$.
• $H_4$ query: When $A_{\mathrm{I}\text{-}2}$ queries $\left\{PI{D}_{i,j},P{K}_i,Z,m_{R_i},t_{R_i},h_4^{R_i}\right\}$, $C_{\mathrm{I}\text{-}2}$ returns it if it exists in $L_4$. Otherwise, $C_{\mathrm{I}\text{-}2}$ randomly chooses $h_4^{R_i}\in {\mathbb{Z}}_q^{*}$, adds $\left\{PI{D}_{i,j},P{K}_i,Z,m_{R_i},t_{R_i},h_4^{R_i}\right\}$ to $L_4$, and returns $h_4^{R_i}$ to $A_{\mathrm{I}\text{-}2}$.

PPK generation query: When $A_{\mathrm{I}\text{-}2}$ queries $\left\{PI{D}_{i,j},R_i,d_i\right\}$, $C_{\mathrm{I}\text{-}2}$ returns it if it exists in $L_P$. Otherwise, $C_{\mathrm{I}\text{-}2}$ looks up $\left\{PI{D}_{i,j},X_i,R_i,P_{pub}\right\}\in L_3$, selects a random integer $d_i\in {\mathbb{Z}}_q^{*}$, calculates $R_i=d_{i}P-h_{3i}{P}_{pub}$, returns $\left(d_i,R_i\right)$ to $A_{\mathrm{I}\text{-}2}$, and adds $\left\{PI{D}_{i,j},R_i,d_i\right\}$ to $L_P$.

Private key generation query: When $A_{\mathrm{I}\text{-}2}$ queries $\left\{PI{D}_{i,j},S{K}_i\right\}$, $C_{\mathrm{I}\text{-}2}$ returns it if it exists in $L_{Pri}$. Otherwise, $C_{\mathrm{I}\text{-}2}$ looks for $L_P$ to obtain $d_i$, randomly selects $x_i\in {\mathbb{Z}}_q^{*}$, returns $\left\{PI{D}_{i,j},S{K}_i\right\}$ to $A_{\mathrm{I}\text{-}2}$, and adds it to $L_{Pri}$.

Public key generation query: When $A_{\mathrm{I}\text{-}2}$ queries $\left\{PI{D}_{i,j},P{K}_i=(X_i,R_i)\right\}$, $C_{\mathrm{I}\text{-}2}$ returns it if it exists in $L_{Pub}$. Otherwise, $C_{\mathrm{I}\text{-}2}$ looks for $L_P$, calculates $R_i=d_{i}P-h_{3i}{P}_{pub}$, selects $x_i\in {\mathbb{Z}}_q^{*}$, computes $X_i=x_{i}P$, $P{K}_i=\left(X_i,R_i\right)$, adds $\left\{PI{D}_{i,j},P{K}_i=(X_i,R_i)\right\}$ to $L_{Pub}$, and returns it to $A_{\mathrm{I}\text{-}2}$. If no corresponding records exist in $L_P$, then it looks for $L_3$. If $c=1$, $C_{\mathrm{I}\text{-}2}$ selects two random integers $x_i,d_i\in {\mathbb{Z}}_q^{*}$; calculates $X_i=x_{i}P$ and $R_i=d_{i}P-h_{3i}{P}_{pub}$; sets $P{K}_i=\left(X_i,R_i\right)$; adds $\left\{PI{D}_{i,j},P{K}_i=(X_i,R_i)\right\}$ to $L_{Pub}$; and returns it to $A_{\mathrm{I}\text{-}2}$. If $c=0$, $C_{\mathrm{I}\text{-}2}$ executes a PPK generation query to obtain $\left(d_i,R_i\right)$, selects $x_i\in {\mathbb{Z}}_q^{*}$, computes $X_i=x_{i}P$, sets $P{K}_i=\left(X_i,R_i\right)$, adds $\left\{PI{D}_{i,j},P{K}_i=(X_i,R_i)\right\}$ to $L_{Pub}$, and returns it to $A_{\mathrm{I}\text{-}2}$.

Public key replacement: $A_{\mathrm{I}\text{-}2}$ chooses a new $si{g}_{{}_{R_i}}^{\prime }$ to replace $si{g}_{{}_{R_i}}$ and replaces $P{K}_i$ with a new $P{K}_i^{\prime }$. $C_{\mathrm{I}\text{-}2}$ updates $L_{Pub}$ with $\left\{PI{D}_{i,j},P{K}_i^{\prime }\right\}$.

For convenience, we assume that the sender is $PI{D}_a$ and the receiver is $PI{D}_b$.

Sign query: When $A_{\mathrm{I}\text{-}2}$ queries $\{PI{D}_a,PI{D}_b,si{g}_{R_b},m_{R_b}\}$, $C_{\mathrm{I}\text{-}2}$ first looks for $\{PI{D}_b,P{K}_{R_b}$$=(X_{R_b},R_{R_b}),c\}$ in $L_{Pub}$. If $c=1$, $C_{\mathrm{I}\text{-}2}$ aborts the game. Otherwise, $C_{\mathrm{I}\text{-}2}$ looks for $\left\{PI{D}_a,S{K}_a\right\}$ in $L_{Pri}$ and $\left\{PI{D}_a,P{K}_a=(X_a,R_a)\right\}$. $C_{\mathrm{I}\text{-}2}$ randomly selects $z\in {\mathbb{Z}}_q^{*}$; computes $Z=zP$, $h_4^{R_b}=H_4(PI{D}_a\left|\right|P{K}_a\left|\right|Z\left|\right|m_{R_b}\left|\right|t_{R_b,1})$, and $si{g}_{R_b}=\left[z+h_4^{R_b}S{K}_a\right]modq$; and returns $C_m=\{t_{R_b},si{g}_{R_b}\}$ to $A_{\mathrm{I}\text{-}2}$.

Verify query: When $A_{\mathrm{I}\text{-}2}$ queries $\{PI{D}_a,PI{D}_b,C_m,m_{R_b}\}$, $C_{\mathrm{I}\text{-}2}$ first looks for $PI{D}_a$ in $L_{Pub}$.

(1)

If $PI{D}_a$ exists and $c=0$, then $C_{\mathrm{I}\text{-}2}$ looks for $\left\{PI{D}_a,P{K}_a=(X_a,R_a)\right\}$ in $L_{Pub}$ and $\{PI{D}_a,$$P{K}_a,Z,m_{R_n},t_{R_b},h_4^{R_b}\}$ in $L_4$ and verifies that $si{g}_{R_b}P=Z+h_4^{R_b}(X_b+Y_b+h_{3i}{P}_{pub})$. If so, the output is “1”. Otherwise, $C_{\mathrm{I}\text{-}2}$ aborts.

(2)

If $PI{D}_a$ exists and $c=1$, then $C_{\mathrm{I}\text{-}2}$ looks for $\left\{PI{D}_a,P{K}_a=(X_a,R_a)\right\}$ in $L_{Pub}$ and $\{PI{D}_a,$$P{K}_a,Z,m_{R_n},t_{R_b},h_4^{R_b}\}$ in $L_4$ and verifies that $si{g}_{R_b}P=Z+h_4^{R_b}(X_b+Y_b+h_{3i}{P}_{pub})$. If so, the output is “1”. Otherwise, $C_{\mathrm{I}\text{-}2}$ aborts.

(3)

If $PI{D}_a$ does not exist in $L_{Pub}$ (the public key has been replaced), $C_{\mathrm{I}\text{-}2}$ looks for $\{PI{D}_a,P{K}_a=(X_a,R_a)\}$ in $L_{Pub}$ and $\left\{PI{D}_a,P{K}_a,Z,m_{R_n},t_{R_b},h_4^{R_b}\right\}$ in $L_4$ and verifies that $si{g}_{R_b}P=Z+h_4^{R_b}(X_b+Y_b+h_{3i}{P}_{pub})$. If so, the output is “1”. Otherwise, $C_{\mathrm{I}\text{-}2}$ aborts.

Forge: After polynomial-bounded degree queries, $A_{\mathrm{I}\text{-}2}$ randomly selects $z^{*},r^{*},si{g}_{R_b}^{*}\in {\mathbb{Z}}_q^{*}$; obtains the current timestamp $t_{R_b}^{*}$; and computes $Z^{*}=z^{*}P$, $h_4^{{}_{R_b^{*}}}=H_4(PI{D}_a\left|\right|P{K}_a\left|\right|Z^{*}\left|\right|m_i\left|\right|t_{R_b}^{*})$. Then, $C_{\mathrm{I}\text{-}2}$ submits the challenge ciphertext $C_m^{*}=\{t_{R_b}^{*},si{g}_{R_b}^{*}\}$ to $A_{\mathrm{I}\text{-}2}$, where $C_{\mathrm{I}\text{-}2}$ knows the information of the public key replacement. If $A_{\mathrm{I}\text{-}2}$ successfully forges a signature, $C_{\mathrm{I}\text{-}2}$ outputs $s=\frac{si{g}_{R_b}^{*}-z^{*}-h_4^{{}_{R_b^{*}}}(x_a+r^{*})}{h_{3i}{h}_4^{{}_{R_b^{*}}}}$ as the solution of the ECDLP. Otherwise, $C_{\mathrm{I}\text{-}2}$ fails.

Now, we analyze the probability that $C_{\mathrm{I}\text{-}2}$ outputs the correct solution of the ECDLP. If the following two conditions are satisfied, $A_{\mathrm{I}\text{-}2}$ wins Game III.

(1)

$A_{\mathrm{I}\text{-}2}$ did not submit a PPK generation query or private key query, whose probability is ${\left(\frac{1}{q_1}\right)}^2$.

(2)

$A_{\mathrm{I}\text{-}2}$ did not execute an $H_4$ query with the probability $\frac{1}{q_2}$.

In summary, if $A_{\mathrm{I}\text{-}2}$ wins Game III with a non-negligible probability $\mathcal{E}$ in polynomial time, $C_{\mathrm{I}\text{-}2}$ can solve the ECDLP with the probability ${\left(\frac{1}{q_1}\right)}^2\frac{\mathcal{E}}{q_2}$. □

Theorem 4.

Unforgeability against a Type II attack. If EUF-CMA adversary $A_{\mathit{II}\text{-}2}$ can win Game IV with a non-negligible probability $\mathcal{E}$ in polynomial time, then challenger $C_{\mathit{II}\text{-}2}$ has the advantage of $\frac{\mathcal{E}}{q_1{q}_2}$ in solving the ECDLP.

Proof of Theorem 4.

Assume challenger $C_{\mathrm{II}\text{-}2}$ receives a random example of the ECDLP $(p,q,P,aP)$, where $a\in {\mathbb{Z}}_q^{*}$ and a is unknown. The goal of $C_{\mathrm{II}\text{-}2}$ is to calculate a. $C_{\mathrm{II}\text{-}2}$ needs the ability of $A_{\mathrm{II}\text{-}2}$ and plays the role of a challenger in the EUF-CMA game.

Setup: $C_{\mathrm{II}\text{-}2}$ executes the system initialization algorithm and sends $params=\{q,P,G,$$F_{index},F_q,T_{pub},P_{pub},H_0,H_1,H_2,H_3,H_4,H_5,P_i\}$$(i=1,2,\dots ,n)$ to $A_{\mathrm{II}\text{-}2}$. $A_{\mathrm{II}\text{-}2}$ knows the SMK s but cannot execute a public key replacement attack and PPK generation query. The other assumptions are the same as Theorem 3.

Query Stage: $A_{\mathrm{II}\text{-}2}$ executes an $H_0$ query, $H_1$ query, $H_2$ query, $H_3$ query, $H_4$ query, private key generation query, public key generation query, and sign query adaptively, as in Theorem 3.

For convenience, we assume that the sender is $PI{D}_a$ and the receiver is $PI{D}_b$.

Verify query: When $A_{\mathrm{II}\text{-}2}$ queries $\{PI{D}_a,PI{D}_b,C_m,m_{R_b}\}$, $C_{\mathrm{II}\text{-}2}$ first looks for $PI{D}_a$ in $L_{Pub}$.

(1)

If $PI{D}_a$ exists and $c=0$, then $C_{\mathrm{II}\text{-}2}$ looks for $\left\{PI{D}_a,P{K}_a=(X_a,R_a)\right\}$ in $L_{Pub}$ and $\{PI{D}_a,$$P{K}_a,Z,m_{R_n},t_{R_b},h_4^{R_b}\}$ in $L_4$ and verifies that $si{g}_{R_b}P=Z+h_4^{R_b}(X_b+Y_b+h_{3i}{P}_{pub})$. If so, the output is “1”. Otherwise, $C_{\mathrm{II}\text{-}2}$ aborts.

(2)

If $PI{D}_a$ exists and $c=1$, then $C_{\mathrm{II}\text{-}2}$ looks for $\left\{PI{D}_a,P{K}_a=(X_a,R_a)\right\}$ in $L_{Pub}$ and $\{PI{D}_a,$$P{K}_a,Z,m_{R_n},t_{R_b},h_4^{R_b}\}$ in $L_4$ and verifies that $si{g}_{R_b}P=Z+h_4^{R_b}(X_b+Y_b+h_{3i}{P}_{pub})$. If so, the output is “1”. Otherwise, $C_{\mathrm{II}\text{-}2}$ aborts.

Forge: After polynomial-bounded degree queries, $A_{\mathrm{II}\text{-}2}$ randomly selects $z^{*},r^{*},si{g}_{R_b}^{*}\in {\mathbb{Z}}_q^{*}$; obtains the current timestamp $t_{R_b}^{*}$; and computes $Z^{*}=z^{*}P$, $h_4^{{}_{R_b^{*}}}=H_4(PI{D}_a\left|\right|P{K}_a\left|\right|Z^{*}\left|\right|m_i\left|\right|t_{R_b}^{*})$. Then, $C_{\mathrm{II}\text{-}2}$ submits the challenge ciphertext $C_m^{*}=\{t_{R_b}^{*},si{g}_{R_b}^{*}\}$ to $A_{\mathrm{II}\text{-}2}$, where $C_{\mathrm{II}\text{-}2}$ knows the SMK s. If $A_{\mathrm{II}\text{-}2}$ successfully forges a signature, $C_{\mathrm{II}\text{-}2}$ outputs $x_a=\frac{si{g}_{R_b}^{*}-z^{*}-h_4^{{}_{R_b^{*}}}(r^{*}+s{h}_{3i})}{h_4^{{}_{R_b^{*}}}}$ as the solution of the ECDLP. Otherwise, $C_{\mathrm{II}\text{-}2}$ fails.

Now we analyze the probability that $C_{\mathrm{II}\text{-}2}$ outputs the correct solution of the ECDLP. If the following two conditions are satisfied, $A_{\mathrm{II}\text{-}2}$ wins Game IV.

(1)

$A_{\mathrm{II}\text{-}2}$ did not submit a private key query, whose probability is $\frac{1}{q_1}$.

(2)

$A_{\mathrm{II}\text{-}2}$ did not execute an $H_4$ query with the probability $\frac{1}{q_2}$.

In summary, if $A_{\mathrm{II}\text{-}2}$ wins Game IV with a non-negligible probability $\mathcal{E}$ in polynomial time, $C_{\mathrm{II}\text{-}2}$ can solve the ECDLP with the probability $\frac{\mathcal{E}}{q_1{q}_2}$. □

5.3. Anonymity

Throughout the process of the proposed LS-MRCLSC scheme, vehicles use pseudo-identity $PI{D}_{i,j}$ to communicate with other entities. Real identity $RI{D}_i$ is encrypted as $Q_{i,j}=RI{D}_i\oplus h_{2i}$, where $PI{D}_{i,j}=\{Q_{i,j},T_{i,j}\}$, $h_{2i}=H_2(a{X}_i\left|\right|T_{i,j})$, $T_{i,j}$ is the valid period of $PI{D}_{i,j}$. To achieve the real identity of the vehicle, the adversary needs to solve the ECDLP since the adversary has to compute a satisfying $T_{pub}=aP$. Due to the intractability of the ECDLP, the proposed LS-MRCLSC scheme provides sender anonymity. Moreover, all pre-determined receiver identities $PI{D}_R=\{PI{D}_{R_1},PI{D}_{R_2},\dots ,PI{D}_{R_n}\}$ are not included in the ciphertext. Hence, the proposed LS-MRCLSC scheme also achieves receiver anonymity.

5.4. Unlinkability

The adversary may reveal sensitive information about the vehicle from the fixed pseudo-identity. Therefore, the proposed LS-MRCLSC scheme also provides unlinkability. Foremost, the fixed pseudo-identity $PI{D}_{i,j}$ is replaced with a pool of pseudonyms $PID=\{PI{D}_{i,1},PI{D}_{i,2},\dots ,PI{D}_{i,n}\}$. After signcrypting messages with different private keys, vehicle $V_i$ chooses an unused pseudonym $PI{D}_{i,j}$ from $PID$ and transmits the ciphertext to the receivers. Upon finishing the last round of communication, $V_i$ discards the used $PI{D}_{i,j}$. Moreover, the new $PI{D}_{i,j}$ has no relationship with the old one since $T_{i,j}$ is different in each session. Hence, the adversary cannot determine whether the senders in two or more transmission sessions are identical.

5.5. Forward and Backward Secrecy

On the one hand, in our LS-MRCLSC scheme, the private key of the vehicle consists of two parts: $S{K}_i=(x_i+d_i)$, where $x_i$ is a random secret value selected by vehicles and $d_i$ is the PPK generated by the KGC. Concretely, the PPK $d_i=={\displaystyle \sum _{i=1}^t}{y}_i={\displaystyle \sum _{i=1}^t}(l_i$$+{\delta }_i{s}_i{h}_{3i})$, where $l_i$ is a random secret value, $s_i$ is the sub-key of each KGC, $h_{3i}=H_3(PI{D}_{i,j}\left|\right|X_i\left|\right|L_i\left|\right|P_{pub})$, $X_i=x_{i}P$, $R_i={\displaystyle \sum _{i=1}^t}{L}_i$, and $P_i=s_{i}P$. Because $l_i$ and $PI{D}_{i,j}$ are different in each epoch, the PPK $d_i$ and private key $S{K}_i$ are different in each session. Hence, the adversary cannot obtain the previous or subsequent session keys even if the current session key $S{K}_i$ has been disclosed. On the other hand, each $KG{C}_i$ periodically updates its own sub-key, leading to updates in the PPK. Therefore, even if the adversary compromised t $KG{C}_i$ in one epoch during a period of non-update, it would not last too long. Upon timer triggers, each $KG{C}_i$ updates its own sub-key. Thus, our proposed LS-MRCLSC scheme provides both forward and backward secrecy.

5.6. Resist KGC Damage Attacks

A compromised key server is an adversary and can extract the SMK. Several compromised KGCs can even launch more severe attacks in collusion. For the security of KGCs in our proposed scheme, each $KG{C}_i(1\le i\le n)$ should update its secret key during each epoch. When a participant tries to obtain the SMK, it has to collect at least t secret shares from those KGCs. Based on the assumption in Section 3, we suggest that an adversary who collects t secret shares at different epochs cannot reconstruct the SMK s. Briefly, we assume that t key generation centers are broken through in two successive epochs. The adversary can obtain t shares of $s_i$, which are $\{s_1^{\psi },s_2^{\psi },\dots ,s_k^{\psi }\}$ at the $\psi$-th epoch and $\{s_{k+1}^{\psi +1},s_{k+2}^{\psi +1},\dots ,s_t^{\psi +1}\}$ at the $(\psi +1)$-th epoch.

5.7. Resist Replay Attacks

In our LS-MRCLSC scheme, timestamp $t_{R_i,1}$ is used to guarantee the freshness of ciphertext $C_m$, which can effectively resist replay attacks. If the adversary replays ciphertext $C_m$, it cannot pass authentication because of an invalid timestamp $t_{R_i,1}$. Specifically, during the message signcryption and unsigncryption stage, we assume that the predefined threshold of the period is $\Delta$$tt$, and the time each receiver vehicle receives $C_m=\{Z,T,CT\}$ is $t_{R_i,2}$. If $|t_{R_i,1}-t_{R_i,2}| \le \Delta$$tt$, then $C_m$ reaches receiver vehicle $V_{R_i}$ within a valid time interval. Otherwise, receiver $V_{R_i}$ regards $C_m$ as a revised message and discards it. Thus, our LS-MRCLSC scheme can resist replay attacks.

Next, a security comparison between existing schemes [7,8,9,10,11] and our LS-MRCLSC scheme is presented in

Table 2. Security comparison.

Scheme	Scheme [7]	Scheme [8]	Scheme [9]	Scheme [10]	Scheme [11]	Ours
Data confidentiality	✓	✓	✓	✓	✓	✓
Message unforgeability	✓	✓	✓	✓	✓	✓
Anonymity	✓	✓	×	✓	✓	✓
Unlinkability	×	×	×	×	×	✓
Resist KGC damage attacks	×	×	×	×	×	✓
Forward and backward secrecy	✓	×	×	×	×	✓
Resist replay attacks	✓	×	×	×	×	✓
Without secure channels	×	×	×	✓	×	✓

, where “✓” represents satisfying the property and “×” represents not satisfying the property.

In Peng’s scheme [9], the sender’s anonymity cannot be achieved. Apart from Ming’s scheme [10], the schemes in [7,8,9] require secure channels during the PPK generation, but their robustness is weak. In addition, in the schemes [8,9,10], users utilize a fixed private key for a long time, which makes the system vulnerable to attacks. Moreover, the schemes in [7,8,9,10,11] utilize only one KGC, so they cannot resist KGC damage attacks and avoid SPoFs. Meanwhile, users utilize one identity to communicate with others, so unlinkability is not satisfied. Our scheme meets all security requirements, which is more practical.

6. Performance Evaluation

In Section 4.8 and Section 5, the correctness and security of the proposed LS-MRCLSC scheme were proven. However, in addition to security requirements, the lightweight nature of the proposed scheme is necessary for a resource-constrained IoV. Otherwise, it will be difficult to apply to actual IoV environments. Therefore, we designed simulation experiments based on common methods to analyze the communication protocols for the IoV, which start from the computation and communication overheads. The computation overhead mainly involves the computation time of the equations in the signcryption and unsigncryption stage, whereas the communication overhead involves the bandwidth requirement for ciphertext transmission.

Specifically, the computation and communication costs of our LS-MRCLSC scheme are compared to those of the schemes in [7,8,9,10,11]. We utilize the JPBC library [48] to simulate cryptographic operations on Orange Pi Zero 2 with a 1.5 GHz quad-core ARM Cortex-A53 CPU and 1 GB DDR3 of RAM. The Orange Pi Zero 2 is shown in Figure 3. Figure 4 shows the implementation. Without loss of generality, we choose the Type A elliptic curve, whose parameters are shown in

Table 3. Elliptic curve parameters.

Item	Parameter
Elliptic curve equation	$y^2=x^3+x$
Order of group $\mathbb{G}$	512 bits
Order of ${\mathbb{Z}}_q^{*}$	160 bits

. For convenience, we presume the number of receivers n is 100.

6.1. Computation Cost

We mainly compare the computation costs of the signcryption and unsigncryption algorithms. As the schemes in [7,8,9,10,11], as well as our LS-MRCLSC scheme, are all based on ECC, we only consider the operation times of scalar multiplication $T_{sm}$, point addition $T_{pa}$, and map-to-point hash $T_h$. Specifically, the general hash function operation time, the computation time of $F_{index}$, and the modular operation time are negligible.

Table 4. Runtimes of cryptographic operations.

Operation	Abbreviation	Runtime (ms)
Scalar multiplication	$T_{sm}$	11.63
Point addition	$T_{pa}$	0.059
Map-to-point hash	$T_h$	25.869

shows the runtimes of the cryptographic operations.

The comparison results of the computation times are shown in

Table 5. Comparison of computation costs.

Scheme	Signcryption	Unsigncryption	Total Cost
Scheme [7]	$(2n+1)T_{sm}+2n{T}_{pa}$	$3T_{sm}+2T_{pa}$	$(2n+4)T_{sm}+(2n+2)T_{pa}$
Scheme [8]	$(3n+1)T_{sm}+2n{T}_{pa}+T_h$	$5T_{sm}+4T_{pa}+T_h$	$(3n+6)T_{sm}+(2n+4)T_{pa}+2T_h$
Scheme [9]	$(2n+1)T_{sm}+n{T}_{pa}$	$4T_{sm}+2T_{pa}$	$(2n+5)T_{sm}+(n+2)T_{pa}$
Scheme [10]	$(2n+1)T_{sm}+2n{T}_{pa}$	$5T_{sm}+3T_{pa}$	$(2n+6)T_{sm}+(2n+3)T_{pa}$
Scheme [11]	$(2n+1)T_{sm}+2n{T}_{pa}$	$5T_{sm}+3T_{pa}$	$(2n+6)T_{sm}+(2n+3)T_{pa}$
Ours	$(n+1)T_{sm}$	$4T_{sm}+3T_{pa}$	$(n+5)T_{sm}+3T_{pa}$

.

In our LS-MRCLSC scheme, sender $V_i$ computes $Z=zP$, $U_{R_i}=z{X}_{R_i}$($i=1,2,\dots ,n$). Thus, sender $V_i$ needs to execute $(n+1)T_{sm}$, which costs 1174.63 ms. In the message unsigncryption stage, receiver $V_{R_i}$ computes $U_{R_i}^{\prime }=x_{R_i}{Z}_i$ to obtain the decryption key and checks whether $si{g}_{R_i}P=Z_i+h_4^{R_i}(X_i+Y_i+h_{3i}{P}_{pub})$ holds. Therefore, receiver $V_{R_i}$ needs to execute $4T_{sm}+3T_{pa}$, and the time consumed is 46.70 ms. Therefore, the total computation cost is 1221.33 ms.

Similarly, in the message signcryption stage, the schemes in [7,8,9,10,11] consume 2349.43 ms, 3538.30 ms, 2343.53 ms, 2349.43 ms, and 2349.43 ms, respectively. In the message unsigncryption stage, the computation cost is 35.01 ms, 84.26 ms, 46.64 ms, 58.33 ms, and 58.33 ms, and the total cost is 2384.44 ms, 3622.55 ms, 2390.17 ms, 2407.76 ms, and 2407.76 ms, respectively.

According to Figure 5, we can see that compared to the schemes in [7,8,9,10,11], the computation cost of signcryption in our scheme was reduced by 50.00%, 66.80%, 49.87%, 50.00%, and 50.00%, respectively.

As is shown in Figure 6, the computation cost of unsigncryption in our scheme was essentially equal to that in [9] and was reduced by 44.54%, 19.94%, and 19.94% compared to the schemes in [8,10,11], respectively. Although our cost was slightly higher than that in [7], that scheme could not achieve unlinkability nor resist KGC damage attacks.

Figure 7 illustrates the total time cost of the sender. When n = 100, the cost of our scheme was reduced by 48.77%, 66.28%, 48.90%, 49.27%, and 49.27% compared to the schemes in [7,8,9,10,11], respectively. With an increasing number of receivers, our scheme appears to be more advantageous. Hence, our scheme is more efficient and practical.

6.2. Communication Cost

Table 6. Notations and lengths.

Notation	Description	Length (bits)
$\left|\mathbb{G}\right|$	The length of an element in $\mathbb{G}$	1024
$|{\mathbb{Z}}_q^{*}|$	The length of an element in ${\mathbb{Z}}_q^{*}$	160

presents the size of an element in groups $\mathbb{G}$ and ${\mathbb{Z}}_q^{*}$. Moreover, we neglect the overhead of the timestamps and the encrypted message $\left|m\right|$ in all schemes.

For 100 receivers, the transmitted data of our scheme $C_m=\{Z,T,CT\}$ are composed of Z, $T=\{t_{R_1,1},t_{R_2,1},\dots ,t_{R_n,1}\}$, and $CT=\{c_{R_1},c_{R_2},\dots ,c_{R_3}\}$.

The length of $C_m$ is $n|{\mathbb{Z}}_q^{*}| + |\mathbb{G}| =$ 17,024 bits. Similarly, we can compute the computation overheads of the schemes in [7,8,9,10,11]. A comparison of the ciphertext lengths is shown in

Table 7. Comparison of communication costs.

Scheme	Ciphertext Length (bits)
Scheme [7]	$(n+2)|{\mathbb{Z}}_q^{*}| + 2|\mathbb{G}|=$18,368
Scheme [8]	$|{\mathbb{Z}}_q^{*}| + (n+1)|\mathbb{G}|=$103,584
Scheme [9]	$(2n+1)|{\mathbb{Z}}_q^{*}|=$32,160
Scheme [10]	$(n+1)|{\mathbb{Z}}_q^{*}| + |\mathbb{G}|=$17,184
Scheme [11]	$(n+1)|{\mathbb{Z}}_q^{*}| + |\mathbb{G}|=$17,184
Ours	$n|{\mathbb{Z}}_q^{*}| + |\mathbb{G}|=$17,024

.

According to Figure 8, the communication overhead of the LS-MRCLSC scheme was reduced by 7.32%, 83.57%, 47.06%, 0.93%, and 0.93% compared to the schemes in [7,8,9,10,11], respectively.

Based on Figure 9, we can see that the communication cost of the sender in the LS-MRCLSC scheme was slightly higher than that in [9] at the beginning, whereas when the number of receivers increased (about $n\ge 6$), our scheme performed much better. Moreover, our scheme fulfilled more security requirements. Consequently, our scheme had a lower communication overhead compared to the schemes in [7,8,9,10,11] when applied to multi-receiver data transmission scenarios.

6.3. Discussion

• The feasibility and scalability of the proposed LS-MRCLSC scheme.
  • Lightweight and feasible. The proposed LS-MRCLSC adopts multi-cast communication to reduce communication time and improve driving efficiency. It broadcasts traffic-related messages to neighboring vehicles in as short a time as possible. In addition, considering the limited computation and storage resources of OBUs and RSUs in the IoV, we have simulated the computation and communication costs using Orange Pi (with fewer resources compared to actual OBUs). The experimental results are more comparable to similar schemes. Therefore, the LS-MRCLSC can be easily applied to the resource-constrained IoV.
  • Practical and scalable. The proposed LS-MRCLSC employs multiple KGCs instead of the traditional single KGC (the security assumption is too strong and is prone to SPoFs), which aligns more closely with the needs of practical applications. Moreover, multiple KGCs are independently distributed across different sites. In the system initialization stage, only one round of online interaction is needed for the KGCs. They generate their own sub-keys using the FVSS algorithm and there is no need for mutual trust. After generating the public key $P_{pub}$ for verification, the SMK can be deleted. In this way, the maintenance and management of the SMK can be avoided. When the vehicle initiates a PPK request, each KGC generates part of the PPK independently, and the vehicle computes the complete PPK upon receiving t shares. Hence, the LS-MRCLSC is practical and scalable in an actual IoV environment.
• Compression algorithms in the IoV. Compression and decompression algorithms [49,50] are usually a set of deterministic algorithms and are publicly available. Data with low-security requirements can be transmitted directly or after compression, which greatly reduces the communication bandwidth requirements. However, when transmitting data with strict privacy-preserving demands, the compression algorithms are unsuitable. Once an attacker intercepts a piece of compressed data, it can directly use a decompression algorithm to decompress and obtain the plaintext. In other words, compression algorithms cannot achieve data confidentiality, whereas our proposed LS-MRCLSC scheme has proven to be secure. Of course, encrypting the compressed data is a credible approach with security considerations. But in this case, the computational overhead would be very high, which is intolerable for the resource-constrained IoV environment. All in all, we usually require the algorithm to be public and the key to be secret. If the algorithm is kept secret, once the attacker breaks the algorithm, the consequences will be very serious. As for key secrecy, we can ensure the security of the algorithm by updating the key periodically, which is more practical.
• Digital twin technology in the IoV. Digital twin technology [51,52,53] is a virtual counterpart to actual physical devices (entities). It can enhance the security and efficiency of the IoV ecosystem, particularly in terms of vehicle data monitoring, predictive maintenance, and anomaly detection. For instance, digital twin-based penetration tests could enable relevant tests virtually (instead of on a real system) during both the operation phase and the engineering phase to fix vulnerabilities early in the lifecycles of cyber-physical systems (CPSs) [54]. Thus, the integration of digital twins within the proposed LS-MRCLSC scheme may be a research direction to consider.

7. Conclusions

In this paper, we propose an LS-MRCLSC scheme for the IoV without secure channels. The leveraging of an MMSC structure enables vehicles to transmit a batch of messages to the designated receivers in one report. In addition, multiple KGCs are employed to resist KGC damage attacks and avoid SPoFs. Moreover, we have proven that the LS-MRCLSC scheme satisfies data confidentiality and message unforgeability under the ROM. Security proofs and performance evaluations show that the LS-MRCLSC scheme can provide vehicles with secure communication and privacy protection at a lower cost in contrast to related schemes.

Public key replacement attacks are common in many CPPA protocols. Therefore, in future work, we will try to utilize a blockchain to design a secure CPPA scheme for the IoV that can withstand such attacks. The key materials of vehicles can be stored on the blockchain for public key queries with pseudonyms. The tamper-proof property of the blockchain will eliminate public key replacement attacks using effective and verifiable approaches. Meanwhile, the communication costs of vehicles’ public keys will be saved, which is another advantage for resource-limited vehicles.