Dynamic Privacy-Preserving Anonymous Authentication Scheme for Condition-Matching in Fog-Cloud-Based VANETs

Secure group communication in Vehicle Ad hoc Networks (VANETs) over open channels remains a challenging task. To enable secure group communications with conditional privacy, it is necessary to establish a secure session using Authenticated Key Agreement (AKA). However, existing AKAs suffer from problems such as cross-domain dynamic group session key negotiation and heavy computational burdens on the Trusted Authority (TA) and vehicles. To address these challenges, we propose a dynamic privacy-preserving anonymous authentication scheme for condition matching in fog-cloud-based VANETs. The scheme employs general Elliptic Curve Cryptosystem (ECC) technology and fog-cloud computing methods to decrease computational overhead for On-Board Units (OBUs) and supports multiple TAs for improved service quality and robustness. Furthermore, certificateless technology alleviates TAs of key management burdens. The security analysis indicates that our solution satisfies the communication security and privacy requirements. Experimental simulations verify that our method achieves optimal overall performance with lower computational costs and smaller communication overhead compared to state-of-the-art solutions.


Introduction
Vehicle Ad hoc Networks (VANETs) play a crucial role in supporting intelligent transportation systems, including data sharing and collaborative processing, within modern urban traffic [1].The popularity of electric vehicles brings more powerful sensing modules and stronger computation capabilities.VANETs, through the cooperation of On-Board Units (OBUs) and Roadside Units (RSUs), can provide high-speed data communication services between vehicles, guaranteeing the safety of vehicle travel and achieving fully intelligent traffic management.For example, in the event of a traffic accident, relevant vehicles can report the incident to nearby sections through RSUs, guiding nearby vehicles to avoid congested routes [2].The role of VANETs in intelligent transportation has attracted attention from both industry and academia [3].
Unlike many fixed-terminal networks, VANETs must deal with rapid changes in access and are more prone to attacks like eavesdropping, user tracking, and tampering [4].In an open VANET, ensuring communication and data security is a key concern.Traditional VANET security protection schemes generally involve a Trusted Authority (TA) that issues certificates to vehicles and RSUs, handles authentication at the access endpoints, and performs critical security algorithms [5].However, as more vehicles join VANETs, the TA needs to manage a large number of certificates and handle a significant amount of requests, resulting in high computational and storage costs for the TA.Furthermore, due to the TA's distance from vehicles and RSUs, higher latency is more likely, making it unable to provide real-time services.
To address the drawbacks of a single TA, multi-TA schemes have been introduced into VANETs [6].In a multi-TA scheme, fog computing TA sub-nodes are deployed on the RSU side, and fog node TAs are managed by a central TA, forming a two-tier TA structure.Vehicles are authenticated and managed by the fog TA nodes on the RSU side, greatly improving the real-time data processing and mitigating the impact caused by DoS attacks.The VANETs architecture with multi-TA composed of fog computing can significantly enhance the service quality of the network [7].
In some previous VANET schemes, vehicles or RSUs directly report the road conditions to the TA [8].The TA collects real-time data and responds accordingly.However, as the amount of data generated by vehicles rapidly increases, this places a significant computational burden on the TA, and the cost of storing and computing by the TA becomes extremely high.To address this issue, some scholars have combined VANETs with cloud computing [9,10], using cloud computing to store and process data in VANETs, providing VANETs with more elastic computing capabilities.For example, authenticated vehicles have the ability to upload traffic data to the remote cloud, while the TA is only responsible for secure computations such as authentication.
In VANETs, authenticated key agreement is crucial for communication security.A session security key protocol that satisfies session security can be used to construct a communication channel with dynamic members [11].Furthermore, to provide security and privacy protection for VANETs communication, various scholars have introduced Conditional Privacy-Preserving (CPP) authentication schemes in recent years [12], where the information of vehicles is kept private from all participants except the TA.However, if a vehicle engages in malicious behavior, the TA is able to trace its real identity.
In recent years, many classic solutions have been studied for CPP authentication under VANETs.Lin et al. [13] combined blockchain technology with key derivation algorithms to manage certificates, in order to avoid vehicles storing a large number of keys, but the single TA mode is vulnerable to DoS attacks.Yu et al. [14] used ECC and certificateless aggregate signatures to reduce the computational load of OBUs, but they cannot support dynamic groups.Wang et al. [15] proposed a scheme that achieves conditional privacy protection without using pseudonyms, but it involves operations with bilinear pairs, resulting in high computational costs and unfriendly support for vehicles with low computing power.

Our Contributions
To summarize, existing schemes still have issues to address.Traditional session AKA solutions lack consideration for cross-domain scenarios and complete group session key negotiation within a single domain.Multi-TA may enhance VANET response speed and capacity but faces challenges due to increasing data volume.Our scheme addresses these issues by introducing a dynamic privacy-preserving anonymous authentication scheme tailored for fog-cloud-based VANETs.It utilizes RSUs as fog computing nodes, incorporates multi-level TAs, and integrates cloud services for storage and computing.Lightweight security algorithms are employed for group session key negotiation to ensure secure VANET communication.The contributions of our proposed scheme include:

•
The introduction of an anonymous and dynamic conditional privacy-preserving scheme using basic elliptic curve algorithms and hash functions for low-computingpower OBUs.

•
The implementation of certificateless and multi-TA modes to reduce the burden on TAs, improve response speed, and enhance overall VANET robustness.The use of cloud services as an outsourcing platform to expand data processing capabilities and boost VANET performance.

•
Security analysis demonstrates satisfaction of VANET security requirements, achieving forward security and resisting attacks.In comprehensive performance, our proposed solution is better than existing similar conditional privacy-preserving schemes in comprehensive performance.

Related Work
In order to meet the security and privacy protection requirements of vehicle communication in open channels, many researchers have conducted research on conditional privacy protection for VANETs in recent years.These studies are roughly summarized as PKI-based, certificateless, fog-cloud-based, and blockchain-based.
In 2007, Raya et al. [16] introduced the first PKI-based conditional privacy protection authentication system, aiming to enhance the security of vehicle communication through the utilization of anonymous certificates.However, this scheme necessitates the involvement of a Certification Authority (CA) to handle a substantial volume of certificates.Xiong et al. [17] introduced a authentication framework ensuring conditional privacy with support for dynamic members using the Chinese Remainder Theorem.This protocol supports both forward and backward security, but it also faces the problem of certificate management by a single TA.In response to the security update challenges related to Tamper-Proof Device (TPD) keys, Wei et al. [18] introduced a secure updateable conditional privacy protection authentication scheme.This scheme is built upon Shamir's secret sharing and secure pseudo-random functions to ensure the robustness of the security updates for TPD keys.By using ECC signatures, this scheme improves the transmission speed of messages in emergency situations.To tackle the security challenges associated with heterogeneous vehicle communication in VANETs, Ali et al. [19] introduced an privacy hybrid signcryption scheme with high efficiency.This scheme relies on bilinear pairings to enhance the security of communication among diverse vehicles.They also reduced decryption time by using batch decryption.To address the risk of private key leakage in VANETs, Xiong et al. [20] constructed a dual insurance conditional privacy authentication scheme using ECC.Even if the master key or one of the vehicle keys is leaked, this scheme ensures that valid authentication messages cannot be forged.To provide traceability and credibility of malicious senders, Luo et al. [21] designed a conditional privacy protection authentication protocol using ring signatures and ring signcryption.This protocol provides publicly verifiable algorithms for exposing the real identity of malicious users, but it requires the support of a third-party TA.To address the privacy concerns introduced by the open channels in VANETs, Cai et al. [22] proposed a conditional privacy protection scheme for VANETs using identity-based encryption and ring signatures.They proved the security properties of anonymity, traceability, confidentiality, and unforgeability of the scheme.However, Du et al. [23] pointed out issues in [22] such as the lack of anonymous protection for honest senders.They improved the scheme to achieve sender anonymity and malicious user traceability, as well as resistance to response attacks.Additionally, Zhou et al. [24] proposed a multi-key outsourcing computation scheme for VANETs, which designed an efficient privacy protection information filtering system location-based service.This system eliminates useless encrypted information before authentication, optimizing the computation and communication workload.Based on PKI, the CPP solution can achieve complex functions, but it also faces challenges such as high computational costs for certain cryptographic primitives.
To avoid the burden of managing certificates and keys, many researchers have started to consider certificateless schemes in VANETs.In order to enhance computational speed, Chen et al. [25] proposed a certificateless fully aggregated signature scheme in 2021, which does not increase the length of signatures with the number of vehicles, reducing communication and processing costs.This scheme uses general ECC and hash computations, reducing the computational burden.Ali et al. [26] considered the limited computation power of OBUs and designed a certificate-free conditional privacy authentication scheme without bilinear pairings and mapping to points.They used ECC and ordinary hash functions instead and improved overall efficiency through batch signature verification.Building on the scheme proposed by [26], Zhou et al. [27] proposed a certificateless privacypreserving authentication scheme which was both secure and lightweight.This solution can resist signature forgery attacks and has fast computational efficiency compared to [26].Certificateless solutions effectively reduce the pressure of certificate and key management and lower the risk of key leakage.However, TA requires responsibility for participating in the generation of all keys and certificates, which can be a significant burden.
To address the issue of a high workload on a single CA, several fog-cloud-based VANET solutions have been proposed.Goudarzi et al. [28] proposed a fog-based VANET privacy protection authentication protocol, which utilizes Quotient Filter to solve node authentication, and uses fog nodes to reduce system latency and improve system throughput.Zhong et al. [29] proposed a fog computing-based CPP scheme, which supports mobility, low latency, and location awareness through fog computing, and reduces expenses by generating pseudonyms using two hash chains.Navdeti et al. [30] proposed a fog-based VANET privacy protection and secure data sharing scheme.By outsourcing the data to cloud servers and implementing fine-grained access control, data forwarding is reduced, and bandwidth requirements are lowered through fog computing.Wang et al. [31] designed a road condition monitoring scheme based on cloud that incorporates a hierarchical structure with a root authority (RA) and sub-authorities.This method improves response speed by using multiple sub-authorities and reduces the pressure on the root authority.The cloud server can quickly verify the validity of ciphertexts and categorize traffic condition reports based on equivalence classes to achieve batch processing of tasks.In order to resist DoS attacks and improve communication efficiency, Wei et al. [32] introduced a multi-TA scheme designed for privacy protection under specific conditions, employing fog computing to enhance communication efficiency and facilitate the revocation of identities of illegal vehicles.Yang et al. [33] proposed an anonymous certificateless aggregated signature encryption system for conditional privacy protection.This scheme aggregates the signed messages from neighboring vehicles into aggregate ciphertexts using fog nodes, and batch verifies them.This scheme avoids key escrow and pseudonym management.Fog-cloud-based VANETs can enhance system computing capacity and communication efficiency, and reduce pressure on TA.However, few schemes combine clouds and fog, forming a more scalable cloud-fog architecture.
In terms of combining with blockchain, Liu et al. [34] implemented conditional privacy protection using identity-based group signatures and managed vehicle reputation values using blockchain to identify the reliability of messages.In order to improve the efficiency of blockchain-based conditional privacy protection authentication schemes, Zhou et al. [35] proposed the use of knowledge signatures for identity verification to improve efficiency and eliminate the need for secure channels for key distribution.Yang et al. [36] proposed an access control scheme for partial data privacy in VANETs using function encryption.This scheme divides data access into offline and online stages to reduce online computation costs and improve efficiency.The blockchain is used to guarantee identity records and prevent data tampering.To meet the requirements of high mobility and real-time performance in VANETs, Lin et al. [37] used a one-time public key generation mechanism to generate anonymous public keys and used knowledge signatures for authentication.The anonymous public keys for data sharing can be generated and published on the blockchain in advance, improving the overall performance of the protocol.However, none of the above schemes consider the requirements of vehicle social networking, which motivated us to propose a dynamic privacy-preserving anonymous authentication scheme for condition-matching in fog-cloud-based VANETs.

Elliptic Curve Cryptosystem
The definition of an elliptic curve over the finite field Z * p with prime order p is E : , where the condition 4a 3 + 27b 2 ̸ = 0 mod p is satisfied.The group representation on the elliptic curve is defined as where O is called the point at infinity [38].

Related Complexity Assumptions
The security of the proposed scheme relies on the following complexity assumptions.

•
Computational Discrete Logarithm (DL) Assumption: For a given generator P of group G and a point Q = aP ∈ G, there exists no polynomial-time algorithm capable of determining the integer a ∈ Z * p .
• Decisional Computational Diffie-Hellman (CDH) Assumption: When provided with the tuple (P, aP, bP, cP) in group G, where a, b, c ∈ Z * p are unknown, no polynomialtime algorithm can distinguish whether cP = abP or represents a random element in G.

System Model
The system model is illustrated in Figure 1, and the key entities are introduced below.

•
Trusted Authority (TA): Responsible for global initialization and creating the main key pair of the system.Also, help to generate public and private key pairs for fog nodes to avoid key escrow issues.TA acts as the root TA and is not directly responsible for vehicle registration.Next, we will explain the system workflow in detail.

1.
TA performs global initialization of the privacy-preserving vehicular communication system, creating the main key pair and other public parameters.TA securely stores the master key locally and publicly exposes the public parameters to other entities in the system.2.
The fog node (FN) registers with TA.FN chooses a random secret value and generates partial keys to send to TA along with its identity information.If FN is verified as legitimate, TA computes another partial key for FN and generates pseudonyms.FN combines its self-created partial key with the partial key generated by TA to form its final key pair.

3.
The vehicle (V H) registers with FN.V H chooses a random secret value and generates partial keys to send to FH along with its identity information.If the information sent by V H is verified as legitimate, FN incorporates traffic conditions and a valid time period to generate partial keys and pseudonyms for V H.By combining its selfgenerated partial key with the partial key generated by FN, V H obtains a complete key pair.4.
When a group of vehicles (crossing fog nodes) wishes to establish a condition-based session group, they first use an anonymous authenticated key agreement to generate a group session key.Subsequently, the key obtained through negotiation is used to encrypt the sessions within the group.5.
During the communication phase, the message-sending vehicle transmits the message to the CS, which stores it and broadcasts it to other vehicles.Vehicles within the group can retrieve the complete encrypted message from the CS at any time.6.
When a vehicle applies to leave the existing group or a new vehicle joins the new group, the system recomputes and updates the group's session key.
Remark 1. Crossing fog nodes refers to a vehicle registered at one RSU wishing to communicate with other vehicles registered at another RSU, which may be in a different city and crossing different fog nodes, in order to form a group.

Security Requirements
The system needs to have the following functions and can provide a series of security protections.

•
Mutual authentication: We select V H ρ 0 ,θ 0 as the vehicle with higher computational power, while V H ρ i ,θ i (1 ≤ i ≤ n) represents vehicles with relatively weaker computational power.For the security of the group sessions based on traffic condition matching, mutual authentication between group members V H ρ 0 ,θ 0 and V H ρ i ,θ i becomes very important.

•
Fog node anonymity: In order to eliminate some malicious users from obtaining the location information of vehicles through fog nodes, the scheme must generate pseudonyms for each fog node, and entities other than TA cannot obtain the real identity of fog nodes.Resistance against impersonation attacks: The scheme should be able to resist impersonation attacks, where attackers pretend to be one of the entities involved in the scheme and send misleading information to the other communicating party.

•
Resistance against tampering attacks: Prevent tampering attacks, where attackers secretly modify transmitted information in VANET communication without the knowledge of the communicating party.

Security Model
In this scheme, we will establish two categories of adversaries [39,40].
Adversary I: This category of adversary is represented as A I .A I is unable to obtain the master key MSK of TA, but A I can query the public keys of fog nodes and vehicles, and A I has the ability to replace the public keys with forged ones.A I can freely query partial private keys and the secret values generated by FN and V H, or attempt to disrupt partial private keys and the secret values of FN and V H.The constraints for A I are: (1) A I cannot disrupt the challenger vehicles, (2) if the public keys of FN and V H are replaced, A I is not allowed to query the partial private keys of FN and V H or disrupt FN and V H.A I effectively simulates a malicious vehicle in the system.
Adversary II: This category of adversary is represented as A II , which has access to the master key MSK of TA.However, A II does not replace the permissions of the VANETs vehicle public key.With the knowledge of TA's master key MSK, A II can compute the partial private keys of all vehicles.The constraint for A II is not to disrupt the challenger vehicles.A II can be conceptualized as a simulation of eavesdropping on TA.
Defined by an interactive game consisting of an adversary A and a challenger C, the security model of this scheme is established.
Initialization: In this phase, the challenger C first creates the system's public parameters and master public key, then exposes it to the adversary A. If the adversary belongs to type A I , C keeps the master key secret.If A is of type A II , C reveals the master key to A but restricts A II adversaries from making substitution key requests in subsequent games.
Query Phase: During this phase, the adversary A can initiate various queries beyond constraints.

•
Hash Query: A hash function H i and a message m i are specified by the adversary A to query the challenger C. The corresponding hash value is generated by the challenger C and returned to A.  .It is important to note that the public key of the challenged fog node cannot undergo replacement, imposing a specific restriction.

•
Extract secret value from V H ρ i ,θ i : The adversary A initiates queries to obtain the secret value associated with vehicle V H ρ i ,θ i .In response, the challenger C discloses the secret value of V H ρ i ,θ i to A.
• Extract partial secret key from V H ρ i ,θ i : The adversary A initiates queries to obtain the partial secret key associated with vehicle V H ρ i ,θ i .In response, the challenger C discloses the partial secret key of V H ρ i ,θ i to A. Response: Finally, the adversary A submits a guessed result b ′ to the challenger C. Should b ′ be equal to b, the adversary wins the game, and the advantage is computed as Definition 1.This scheme's security is contingent on the polynomial-time adversary A (of either type A I or A II ) being unable to win the interactive game with a non-negligible advantage.In simpler terms, any polynomial-time adversary A that attains a non-negligible advantage Adv(A) in the game is deemed negligible.

The Proposed System
In Table 1, we establish the primary symbols and terms utilized throughout this document.Following this, we detail the initial configuration of the system, the registration processes for both fog nodes and vehicles, the protocols for group key agreement, and the procedures for dynamic vehicle management.The verification of the system's operational accuracy is presented in Supplemental Material A.
low-power computation vehicles GSK group session key

Initial Configuration Stage
The TA initiates the setup algorithm by taking the security parameter κ ∈ Z + as an input.This process results in the derivation of system parameters along with a key pair, consisting of the system's master public and secret keys.
(1) Opting for an elliptic curve E over a finite field p, the TA makes a selection, where G represents the elliptic curve group and P is its generator.
(2) TA randomly chooses x ∈ R Z * p and calculates P pub = xP.The system master secret key is MSK = x and master public key is MPK = (P, P pub ).

Fog Node Registration
In the pursuit of joining the system as the i-th fog node, FN ρ i initiates its registration with TA.Upon receiving the registration request, TA undertakes a validation process to ascertain the functionality of FN ρ i as an RSU.If the evaluation proves negative, the request is dismissed; however, in the affirmative case, TA and FN ρ i engage in mutual collaboration to establish the key pair for FN ρ i .It is noteworthy that this key generation process operates in a key escrow-free and certificateless manner.
(1) Set Secret Value: The fog node FN ρ i with identity ID FN ρ i selects x FN ρ i ∈ R Z * p and computers P FN ρ i = x FN ρ i P. Upon determining the secret value, FN ρ i designates x FN ρ i and conveys the pair (ID FN ρ i , P FN ρ i ) to TA through a secure channel.
(2) Partial Secret Key Extraction: This algorithm takes TA's master secret key MSK, FN ρ i 's identity ID FN ρ i and the public value P FN ρ i as input, it outputs FN ρ i 's partial secret key and pseudo identity.

•
TA selects µ FN ρ i ∈ R Z * p and computes FN ρ i 's pseudo identity: The validity of the partial secret key y FN ρ i is contingent on the equation holding, and vice versa.
(3) Set Secret Value: The fog node FN ρ i , identified by the pseudo identity PID FN ρ i , assigns SK FN ρ i = (x FN ρ i , y FN ρ i ) as its confidential secret key.
(4) Set Public Key: The fog node FN ρ i , associated with the pseudo identity PID FN ρ i , designates PK FN ρ i = (P FN ρ i , R FN ρ i ) as its public key, accessible within the system.

Vehicle Reporting and Registration
A vehicle V H ρ i ,θ i informs a fog node FN ρ i about a traffic condition TC V H ρ i ,θ i ∈ T C. Subsequently, FN ρ i and V H ρ i ,θ i engage in an interaction to generate the public/secret key for V H ρ i ,θ i .Notably, this key generation procedure is designed to circumvent the key escrow problem.TA establishes a predefined expiration time VT V H ρ i ,θ i for the key pair of each vehicle.For example, if the key's expiration time is set to 1 December 2023, at 14:30, it is represented as "202312011430".Other vehicles can verify whether the key of that vehicle is within its validity period based on as the secret value and securely transmits (ID V H ρ i ,θ i , P V H ρ i ,θ i ) to FN ρ i through the secure channel.(2) Partial Secret Key Extraction: As input, FN ρ i 's secret key , and the public value P V H ρ i ,θ i are taken by this algorithm.In turn, V H ρ i ,θ i 's pseudoidentity and partial secret key are outputted.
, the vehicle V H ρ i ,θ i verifies whether the following equation is equal: The validity of the partial secret key y V H ρ i ,θ i is contingent on the equation holding, and vice versa.
(3) Set Secret Key: The secret key ) is adopted by the vehicle V H ρ i ,θ i and is confidentially stored.
(4) Set Public Key: ) as its public key, the vehicle V H ρ i ,θ i makes this information public within the system.

Condition-Matching-Based Authenticated Key Agreement
Assuming the vehicles V 0 = {V H ρ 1 ,θ 1 , • • • } and V H ρ 0 ,θ 0 aim to establish a secure group communication based on condition-matching, ensuring the security of their traffic discussions.The first step involves establishing a group session key.In this scenario, vehicle V H ρ 0 ,θ 0 possesses relatively robust computational capabilities, while the vehicles within V 0 have lower computational power.The group-authenticated key agreement unfolds through the following interactive steps.

Mutual Authentication Requests Within the Group:
The powerful vehicle V H ρ 0 ,θ 0 sends (PID FN ρ 0 , PID V H ρ 0 ,θ 0 ) to V 0 , and Receiving the messages (PID Authentication Process for High-Computational-Power Vehicles: ).If the above equation holds true, it indicates that the identity of V H ρ i ,θ i has been verified and V H ρ i ,θ i encounters the same traffic condition as V H ρ 0 ,θ 0 .Suppose the verified vehicle set be Authentication Process for Low-Computational-Power Vehicles: it ensures that the identity of V H ρ 0 ,θ 0 is authenticated and V H ρ 0 ,θ 0 encounters the same traffic condition as V H ρ i ,θ i .Then, V H ρ i ,θ i computes the group session key GSK = H 5 (PID U , PID 0 , TC V H ρ i ,θ i , K V H ρ i ,θ i ).

Vehicle Join
If a set of vehicles U ′ 0 = {V H n+1 , • • • , V H h } with lower computational power encounters the same traffic condition and desires to join the existing session group, the current group members collaboratively establish a new group authentication key as follows.

Security Proof
Theorem 1. Assuming the decisional CDH assumption holds in the random oracle model, then the scheme we propose is secure against A I adversary (as defined in Section 4.3).
The formal security proof of Theorem 1 is deferred to Supplemental Material B. Theorem 2. In the scenario where the decisional CDH assumption is satisfied, the proposed group authenticated key agreement ensures security against A II adversaries in the random oracle model.
Proof.The proof of Theorem 1 is followed with the following modification: the master key MSK = x can be obtained by a A II attacker, but the attacker is not permitted to issue substitute public key queries.The remaining part of the proof remains unchanged.Theorem 3. The proposed system satisfies mutual authentication, fog node anonymity, vehicle anonymity, vehicle traceability, cross-domain authenticated key management, group key establishment, condition-matching, time-limited keys, perfect forward secrecy, impersonation/modification/ replay attack resistance.
The proposed system meets the functional and security requirements defined in Section 4.2, which are proven in Supplemental Material C.

Performance Comparison and Analysis
To assess the performance of other existing conditional privacy-preserving schemes, a comparison will be made with the proposed system.Subsequently, an assessment of the computational and communication overheads of these schemes will be conducted in a real experimental environment.

Theoretical Analysis
Before conducting the comparison, we have defined certain symbols in Table 2. Our proposed system will be compared to the schemes introduced in [6, 17,21].We assume the vehicle group has a size of n.

T HG
The average computation time for hash to G T HZ The average computation time for hash to Z p T M The average computation time for scalar multiplication T PP The computation time for exponentiation operations on the bilinear pairing G T T P The average computation time for bilinear pairing T cc The computation time required to construct the Chinese Remainder Theorem T cr The computation time for discovering the root of the Chinese Remainder Theorem The size of element in group G T

|M|
The size of a typical message for vehicle communication.

Analysis of Computation Overhead
We conducted a theoretical analysis of the computational expenses associated with these schemes in Table 3.When analyzing the computational costs, we do not include the overhead of global initialization and server registration (such as cloud and fog servers) as they are constant and do not vary with the number of vehicles.Additionally, the computational cost of ECC scalar addition is very low, so it is also not taken into account.In the computational analysis, for ease of understanding, we consider the total computational cost of a vehicle from registration to completing verification.l: the quantity of pseudo-identities generated for a vehicle in Xiong et al. [17].n: the number of vehicles within the group.

Analysis of Communication Overhead
In schemes [6,17], and our scheme, the session key is generated through negotiation, making subsequent communication processes dependent only on the length of the message itself.However, in Luo et al. [21], due to the employment of ring signatures, each communication involves additional data transmission.The communication process involves both sending and receiving parties; therefore, we uniformly consider the data quantity sent by the sender for computation.The theoretical analysis of communication overhead can be found in Table 4  In Luo et al. [21], with each communication involving the group size n, the communication cost becomes maximal.In [6,17], and our proposal, the registration and authentication times for each vehicle are not affected by other members.We compared our solution with those in [6, 17,21] in Table 5, including functionality and security aspects.In the table, '⊥' denotes aspects that are not discussed or proven in the respective schemes.combined with the secret value, forms the user's key.Hence, the TA cannot access all elements of the vehicle keys.However, in Xiong et al. [17] , pre-computed secret values are sent offline to vehicles, also incurring high usage costs.• Both our proposed scheme and the one presented in Xiong et al. [17] have been demonstrated to attain forward secrecy and resist the attacks outlined in Table 5.It is noteworthy that not all other schemes exhibit these comprehensive security attributes.

Simulation
For the simulation of group sessions under conditional privacy protection, we used the Integer and Rational Arithmetic Cryptographic Library (Miracl) [41] to test the performance of our schemes and others, as presented in [6, 17,21].The experiments were performed on a desktop computer with a 64-bit Windows 10 operating system, featuring an Intel(R) Core(TM) i7-9700 CPU @ 3.00 GHz and 16.00 GB RAM.
We selected points belonging to the elliptic curve E : y 2 = x 3 + x as elements of group G.The order of group G is denoted by q.The bit length of q is 256 bits, and the bit length of elements in G is 512 bits.We chose the eta_T pairing e : G × G → G T to evaluate the scheme [21].The lengths of elements in G, G T , and Z p are 512 bits, 512 bits, and 256 bits, respectively.

Transmission Efficiency
The transmission costs for vehicles are shown in Table 6 and Figure 2. In our comparison, we consider the total transmission expenses for vehicles during both the registration and authentication processes.We set the group size n of vehicles to vary from 2, 5, 10 to 30.Below is the analysis of the transmission costs for vehicles: In Luo et al. [21], due to the employment of a ring signature scheme, the transmission costs for each vehicle increase with the group size n.When n = 2, the transmission cost for authenticating a single message is 6.5 kb.The communication costs generated when n ranges from 5 to 30 are 27.5 kb, 92.5 kb, 195 kb, 335 kb, 512.5 kb, and 727.5 kb, respectively.It is noticeable that this scheme incurs significantly higher communication costs as the number of vehicles increases compared to other schemes.

•
In our scheme, when n = 2, the authentication transmission cost is 9 kb.The communication costs generated when n ranges from 5 to 30 are 22.5 kb, 45 kb, 67.5 kb, 90 kb, 112.5 kb, and 135 kb, respectively.Our proposed scheme exhibits the most optimal communication costs.In summary, compared to schemes in [6,17,21], our proposed scheme demonstrates lower communication transmission costs.

Computation Efficiency
Next, we analyze computational efficiency.Bilinear pairing computations and hashing to points are particularly time-consuming, while scalar multiplications and hashing to Z p are more efficient operations.Especially, the addition computation in G is highly efficient, which we directly ignore in our analysis.It is essential to highlight that in Xiong et al. [17] , the Chinese Remainder Theorem is used, and its construction and solving are also time-consuming computations that we must consider.Schemes [6,17], and our scheme use symmetric encryption for communication, which introduces encryption time considerations during communication.Table 7 and Figure 3 compare the computational costs for vehicles.Overall, in our proposed system, the computational costs for authentication and total communication remain at a lower level compared to all the compared schemes.

Conclusions
In this paper, we propose a dynamic privacy-preserving anonymous authentication scheme for condition-matching in fog-cloud-based VANETs.The approach addresses the challenge of computational limitations in OBUs by using general ECC to optimize computational efficiency.By leveraging fog computing, the scheme implements a multi-TA mode to enhance system robustness and meet the real-time requirements of VANETs.Our scheme employs a certificateless approach, eliminating the need for TA-managed certificates and enabling cross-domain group session key agreement.This improves the social aspects of VANETs and expands their potential applications in the era of intelligent vehicles.Integrating VANETs with cloud services enhances scalability and provides essential storage and computational support for diverse VANET-based applications.Our scheme satisfies the security requirements for conditional privacy protection in VANETs through security proofs.Additionally, performance analysis shows that it outperforms similar relevant schemes comprehensively.For future research, we consider designing authenticated key agreement based on lattices to achieve resistance against quantum attacks, and adopting outsourcing computing to reduce the computational requirements for vehicles.

•
In Ma et al. [6], the authentication transmission cost when n = 2 is 20.5 kb.As n increases from 5, 10 to 15, the transmission costs for vehicles are 51.25 kb, 102.5 kb, and 153.75 kb, respectively.When the number of vehicles reaches 30, the total transmission expense amounts to 307.5 kb.• In Xiong et al. [17], the authentication transmission cost when n = 2 is 22 kb.The communication volumes generated when n ranges from 5 to 30 are 55 kb, 110 kb, 165 kb, 220 kb, 275 kb, and 330 kb, respectively.The communication costs of this scheme are slightly higher compared to [6].•

•
Vehicle anonymity: In a socially attribute-enabled VANET, protecting the identity privacy of vehicles is crucial.A secure group session authentication key protocol should ensure the anonymity of vehicles, and entities other than TA cannot recover the real identity of vehicles from pseudonyms.•Fog node traceability: When a malicious event involving a fog node (FN) is received, TA can obtain the real identity of FN from pseudonyms to achieve fog node traceability.• Vehicle traceability: When malicious behavior of a vehicle (V H) is discovered, FN can use pseudonyms to obtain the real identity of V H to achieve vehicle traceability.The establishment of VANETs groups has temporary and spontaneous characteristics, so a time-limited key mechanism can ensure that vehicle keys automatically expire, improving security.• Perfect forward secrecy: The scheme must have forward secrecy to ensure the confidentiality of intra-group communication in VANETs.Even if a malicious user gains knowledge of the group vehicles, they cannot derive the original group session key.• Resistance against replay attacks: This scheme should be able to avoid the harm caused by replay attacks, where attackers repetitively send valid messages to vehicles, fog nodes, or TA.• • Traffic condition matching: Sharing VANETs-related traffic information is achieved by establishing groups based on traffic condition matching.Only vehicles encountering the same traffic conditions can negotiate a group session key.This traffic condition is invisible to potential attackers.•Time-limitedkeys: • Symmetric Encryption Query: The adversary A initiates a symmetric encryption query using a symmetric key k i and a message m i .The challenger C responds by providing the ciphertext c i .•ExtractSecret Value of FN ρ i : The adversary A initiates a query for the secret value of fog node FN ρ i .In response, the challenger C discloses the secret value of FN ρ i to A. • Extract Partial Key of FN ρ i : The adversary A initiates queries to extract the partial secret key associated with fog node FN ρ i .In response, the challenger C discloses the partial secret key of FN ρ i to A.
• Request public key of FN ρ i : Public keys are made accessible to adversaries.The adversary A initiates queries to extract the public key associated with fog node FN ρ i .In response, the challenger C provides the public key PK FN ρ i to A.

•
Replace public key of FN ρ i : The adversary A has the capability to substitute PK FN ρ i with a carefully chosen valid public key replacement, denoted as PK ′

•
Request public key of V H ρ i ,θ i : Public keys are made accessible to adversaries.The adversary A initiates queries to obtain the public key associated with vehicle V H ρ i ,θ i .In response, the challenger C provides the public key PK V H ρ i ,θ i to A. Replace public key of V H ρ i ,θ i : The adversary A possesses the capability to substitute PK V H ρ i ,θ i with a carefully chosen valid public key replacement, denoted as PK ′ Upon receiving an execution request from A, the challenger C generates and returns the response information to A.
• V H ρ i ,θ i .It is crucial to highlight that the public key of the challenged vehicle cannot undergo replacement, subject to specific restrictions.•Execute:•Revealgroupauthenticatedkey:Upon receiving a query for the group authenticated key, the challenger C discloses the group authenticated key GSK to A.•Corrupt FN ρ i : In response to the corruption query targeting fog node FN ρ i , the challenger C divulges the secret key SK FN ρ i .•CorruptVH ρ i ,θ i : In response to the corruption query targeting vehicle V H ρ i ,θ i , the challenger C discloses the secret key SK V H ρ i ,θ i .•Test: In the Test phase, a coin b is randomly tossed by the challenger C from the set {0, 1}.If b equals 1, C furnishes A with the genuine authentication information among the challenged vehicles.If b equals 0, randomly selected authentication information will be provided.
r FN ρ i and sends the partial secret key y FN ρ i to FN ρ i via secure channel.• Upon receiving y FN ρ i , FN ρ i verifies the equation

Table 2 .
The notations of performance.

•
[17]t al. [6]adopts ECC algorithm design, where the initiating vehicle performs four scalar multiplications on G and five computations hashed to Z p .Hence, the computational overhead for the initiating vehicle is 3T M + 4T HZ .The verification task is accomplished through collaboration among the cloud server and fog nodes.Fog nodes execute four scalar multiplications on G, two computations hashed to Z p , while the cloud server executes eight scalar multiplications on G and nine computations hashed to Z p .Consequently, the total verification task requires 12T M + 13T HZ .•InXiongetal.[17], before a group session, the TA initially constructs an instance of the Chinese Remainder Theorem and finds a root.Each joining vehicle needs to perform 2l + 3 scalar multiplications on G and l + 4 computations hashed to Z p .Thus, the total computational overhead for the authentication initiation phase is 1T cr + (2l + 3)T M + (l + 4)T HZ .The verification task requires five scalar multiplications on G, totaling 5T M .• In Luo et al. [21], the initiating vehicle performs five scalar multiplications on G1, four computations hashed to Z p , and 2n exponentiations on GT.Hence, the computational overhead for the initiating vehicle is 5T M + 4T HZ + 2nT PE .The verification task requires executing n + 1 scalar multiplications on G1, two computations hashed to Z p , n exponentiations on GT, and two bilinear pairing computations, resulting in a total verification task cost of (n + 1)T M + 2T HZ + nT PE + 2T P .• Our scheme eliminates time-consuming bilinear pairing computations.The computational overhead for the initiating vehicle is 12T M + 6T HZ , which does not exhibit linear growth with an increase in-group members.For verification, vehicles perform seven scalar multiplications on G and nine computations hashed to Z p , totaling 7T M + 9T HZ to establish a group authenticated session key.
•In our scheme, the communication cost during the registration phase for the initiating authenticated vehicle is 1|G| + 2|Z p |, during the initiation of authentication is 2|G| + 4|Z p |, during verification is 3|G|, resulting in a total communication cost of 6|G| + 6|Z p |.

Table 7 .
[17]7,21]onal cost of vehicles (ms)[6,17,21].InMa et al. [6], the computation time for the authentication phase is 16T M + 18T H Z .In our simulation test, the computation time for n = 2 is 14.42 ms.As the communication quantity n increases from 5 to 30, the time increases from 36.05 ms to 216.3 ms.Hence, the computational time for the [6] scheme appears stable in Table7.•InTable3,weanalyzed the computational costs of each scheme with theory.In Xiong et al.[17], the computation costs for registration and authentication are 1T c + 1T r + (2l + 7)T M + (l + 4)T H Z .The computation time for n = 2 is 27.834 ms.As the number of vehicles n increases from 5 to 30, the time increases from 69.585 ms to 417.51 ms.• In Luo et al. [21], the computation costs for vehicle registration and authentication processes are 3T P + 3nT PP + (n + 7)T pm + 1T H G + 2T H Z .The computation time for n = 2 is 59.386 ms.This scheme employs a ring encryption method, hence the encryption algorithm's computational load is substantial.As the number of vehicles n increases from 5 to 30, the time increases from 174.175 ms to 2299.05 ms.• In our scheme, the computation cost for the authentication phase is 19T M + 15T H Z .The computation time for n = 2 is 17.11 ms.As the number of vehicles n increases from 5 to 30, the time increases from 42.775 ms to 256.65 ms.