A Strong Anonymous Privacy Protection Authentication Scheme Based on Certificateless IOVs

Abstract

The Internet of Vehicles (IoVs) uses vehicles as the main carrier to communicate with other entities, promoting efficient transmission and sharing of traffic data. Using real identities for communication may leak private data, so pseudonyms are commonly used as identity credentials. However, existing anonymous authentication schemes have limitations, including large vehicle storage demands, information redundancy, time-dependent pseudonym updates, and public–private key updates coupled with pseudonym changes. To address these issues, we propose a certificateless strong anonymous privacy protection authentication scheme that allows vehicles to autonomously generate and dynamically update pseudonyms. Additionally, the trusted authority transmits each entity’s partial private key via a session key, eliminating reliance on secure channels during transmission. Based on the elliptic curve discrete logarithm problem, the scheme’s existential unforgeability is proven in the random oracle model. Performance analysis shows that it outperforms existing schemes in computational cost and communication overhead, with the total computational cost reduced by 70.29–91.18% and communication overhead reduced by 27.75–82.55%, making it more suitable for privacy-sensitive and delay-critical IoV environments.

1. Introduction

With the rapid development of the information society, the IoVs, as a core component of the intelligent transportation system, is leading the technological revolution in the field of transportation. By leveraging modern technologies, such as sensing technology, network communication, cloud computing, and big data analysis, the IoVs realizes high-level connectivity among vehicles, roadside infrastructure, drivers, and cloud platforms, thus enhancing the efficiency of transmitting and sharing various traffic-related data. However, the highly dynamic and open nature of IoVs mean that it faces many threats, such as identity impersonation, message tampering, and vehicle user location tracking attacks, which will lead to the disclosure of users’ privacy data such as identity and driving trajectory. Once malicious entities obtain this private information, they may threaten traffic safety.

Against this backdrop, security in user messages and identity privacy has become a research focus of the IoVs. Although traditional digital signature technology can meet some security requirements, such as message authentication, integrity and non-repudiation, there is a risk of privacy leakage when vehicle users directly use their real identities to communicate with other entities. Therefore, researchers have proposed anonymous authentication schemes based on pseudonyms, group signatures, and ring signatures to address the above problems. Among them, the pseudonym-based method can achieve conditional privacy protection; that is, it not only allows vehicles to communicate anonymously, but also allows the trusted authority to track and revoke malicious vehicles, so this method is widely studied by researchers. However, existing pseudonym schemes have certain limitations. For instance, vehicles consistently communicate using the same pseudonym, which increases the potential risk of the malicious attacker tracking vehicles.

Some schemes involving the “pre-generation pseudonyms” strategy allow vehicles to apply for multiple pseudonyms at the same time, which may cause high storage requirements. Therefore, the periodic pseudonym mechanism is applied to reduce the storage overhead. However, the periodic replacement of pseudonyms in some schemes relies on the time factor, and frequent replacement of pseudonyms will increase system overhead, so the time interval of regular replacement of pseudonyms needs to be considered. Additionally, to implement conditional privacy protection, most of the pseudonym-based authentication protocols rely on a fully trusted third party to track the user’s real identity. However, the overly centralized tracking method may pose a risk to the privacy and security of users.

Therefore, to enhance the privacy, security, and efficiency of IoVs, we propose an autonomous dynamic pseudonym update mechanism based on collision-resistant hash function iteration ($k_t=h_2\left(k_t\right)$) to comprehensively address the current issues—specifically filling the gaps of time-dependent updates and excessive storage in existing schemes—and provide more reliable security for vehicle communication.

1.1. Contributions

In this paper, a strong anonymous privacy protection authentication scheme based on certificateless technology is constructed by combining anonymous technology and certificateless signature technology. Our scheme not only achieves the autonomous dynamic update of vehicle pseudonyms but also realizes distributed accountability to improve the security of the system. The contributions of this paper mainly include the following aspects.

1.

We design a novel autonomous dynamic pseudonym update mechanism based on collision-resistant hash functions to iteratively update pseudonyms. In this mechanism, the vehicle can update the pseudonym at any time according to the users’ needs, which eliminates the time dependence of the pseudonym updates, enhances the anonymity of the vehicle, and reduces the local storage burden of the vehicle.

2.

We propose a certificateless privacy protection authentication scheme. Firstly, this scheme avoids the problems of certificate management and key escrow. Secondly, the third-party trusted authority uses the session key to transmit the partial private key to the corresponding entity, eliminating the reliance on the secure channel. Finally, in our scheme, the third-party trusted authority and pseudonym activator collaborate to track the real identity of the vehicle, which effectively prevents the trusted authority from directly and independently restoring the vehicle’s real identity.

3.

We analyze the security of our scheme, evaluate the performance of our scheme, and compare the performance of our scheme with related schemes. The evaluation results show that our scheme has more advantages than the existing anonymous signature schemes in terms of computational cost and communication overhead, and is more suitable for the IoVs field with its demand for high-strength security and low transmission bandwidth and storage.

1.2. Roadmap

The rest of this paper is as follows. Section 2 presents the related work. Section 3 covers the Elliptic Curve Discrete Logarithm Problem (ECDLP), system model and scheme definition, security requirements, and security models. Section 4 introduces the proposed scheme. The security and performance of the proposed scheme are analyzed in Section 5 and Section 6, respectively. Finally, Section 7 concludes this paper.

2. Related Work

To better realize conditional privacy protection for IoVs users, driver identities remain confidential under normal circumstances but can be revealed by the Trusted Authority (TA) during incidents (e.g., hit-and-runs). Thus, scholars combine anonymity and signature technologies to achieve conditional privacy protection in IoVs.

Privacy-protection authentication schemes based on anonymity mainly include a group-based signature, a ring-based signature, and pseudonym-based methods. A group signature allows vehicles to sign messages anonymously in a group without revealing individual identities [1,2,3,4], but suffers from identity escrow (group administrators can arbitrarily disclose member identities). A ring signature, proposed by Rivest et al. [5], enables signers to remain anonymous within a ring but fails to meet IoV traceability requirements due to its “complete anonymity.”

The pseudonymous authentication system, initiated by Chaum [6], uses pseudonyms instead of real identities to enhance privacy. Wang et al. [7] proposed a PKI-based anonymous protocol with TA-generated pseudonyms, but certificate distribution and revocation list management increase computational and communication costs. Tzeng et al. [8], Li et al. [9], and Alazzawi et al. [10] developed ID-based schemes using TPDs to store master keys for dynamic pseudonym updates, but Mahanta et al. [11] showed that TPDs are vulnerable to side-channel attacks, risking key leakage.

Mei et al. [12] introduced a certificateless scheme with joint key/pseudonym generation, solving key escrow but relying on bilinear pairing, which incurs high computational costs—an issue our ECC-based design addresses to reduce overhead while retaining the advantages of certificateless technology. Thumbur et al. [13] proposed an ECC-based certificateless scheme to cut overhead, but its rigid key-update mechanism lacks adaptability to dynamic IoV topologies, motivating our flexible hash-driven key management.

Lu et al. [14], Ali et al. [15], and Al-Shareeda et al. [16] achieved anonymity but use static pseudonyms, risking tracking. Lee et al. [17] allowed dynamic pseudonyms but failed in unforgeability, while Bayat et al. [18] improved it with bilinear pairing at high cost. Raya et al. [19], Cui et al. [20], and Ali et al. [21] used pseudonym pools, but key-pseudonym coupling increases storage and Sybil attack risks. Pseudonym exchange schemes [22,23,24,25,26,27,28,29,30] reduce storage but risk impersonation via private key sharing and fail to protect pseudonym unlinkability.

Qi et al. [31] proposed a pseudonym self-generation scheme using anonymous credentials and zero-knowledge proofs, allowing repeated credential use without exposure—aligning with our focus on self-generated pseudonyms. However, their zero-knowledge proof-based verification incurs 67% higher computational cost (4.2 ms vs. our requirement of 2.3 ms for verification) due to complex proof generation. Our scheme retains self-generation but replaces proofs with lightweight hash operations, reducing latency while maintaining anonymity—directly addressing this overlapping design’s inefficiency.

Kamil et al. [32] also used self-generated pseudonyms via TA-sent random factors, overlapping with our approach to autonomous pseudonym creation. However, their time-dependent updates (tied to timestamps) create predictability: attackers can exploit time patterns to link pseudonyms, as shown in our threat analysis (§5.2). Our scheme eliminates time dependence by updating pseudonyms via collision-resistant hashing, ensuring unlinkability even in dynamic IoV scenarios, resolving this critical limitation of their overlapping mechanism.

Sucasas et al. [33] generated pseudonyms with legitimate credential association, but their static update logic lacks adaptability compared to our dynamic hash-based approach.

Notably, unlike pre-generated pseudonym pool schemes [19,20] that require storing massive pseudonyms, our hash-driven iteration ($k_t=h_2\left(k_t\right)$) enables on-demand updates without pre-storage, directly filling the gap of storage-efficiency in dynamic scenarios.

Additionally, most of the above schemes for achieving conditional privacy protection rely on a fully trusted third party to track the real identity of the user. However, an overly centralized system configuration may threaten user privacy and security—a limitation also reflected in

Table 1. Comparison of core innovation dimensions.

Scheme	Pseudonym Update Mechanism	Partial Private Key Transmission
Our Scheme	Autonomous hash iteration ($k_t=h_2\left(k_t\right)$)	Session key encryption
Mei et al. [12]	Time-synchronized periodic update (TA controls cycle; public–private keys reset mandatorily)	Secure channel (TLS) with high deployment cost
Kamil et al. [32]	Time-factor triggered update (relies on TA’s random factors; update frequency constrained)	Pre-encrypted secure channel (still dependent on channel security)
Azees et al. [34]	Fixed cycle (30 s interval; rigid schedule, predictable patterns)	PKI-based certificate (heavy management, centralized authority)

, where single-authority tracking (e.g., Mei et al. [12], Kamil et al. [32]) risks over-tracing. Therefore, we will design an efficient and secure strong anonymous authentication scheme to eliminate the time dependence of pseudonyms updates, and avoid the trusted authority to directly and independently restore the user’s real identity, as detailed in the comparative analysis of Table 1.

3. Preliminaries

3.1. Definition of Entity Roles

In the proposed scheme, two core entities, namely the Pseudonym Authority (PA) and Trusted Authority (TA), are introduced with distinct functionalities to ensure a privacy–security balance is achieved in IoV authentication.

• Trusted Authority (TA): As the root authority, TA manages vehicles’ real identities (RIDs) during registration, generates partial private keys, and retains the final ability to trace real identities. It does not engage in daily pseudonym validation or updates.
• Pseudonym Authority (PA): PA handles pseudonym management: maintaining validity lists, processing initial pseudonym (PID) requests, and verifying pseudonyms during authentication without accessing real identities. In tracing, it only provides initial pseudonym queries.

The two entities operate in a complementary, permission-separated manner: TA delegates pseudonym management tasks to PA while retaining control over real identity roots, creating a “delegation–execution” hierarchy. This division ensures that no single entity holds excessive authority—TA’s inability to interfere with daily pseudonym operations reduces centralization risks, while PA’s lack of access to real identities prevents privacy breaches.This separation—TA handling identity root management and PA managing pseudonym lifecycle—reduces the risks posed by over-centralized authority.

3.2. Elliptic Curve Discrete Logarithm Problem (ECDLP)

• ECDLP Problem: Given a prime number p and an elliptic curve E, for $Q=kP$, it is difficult to find a positive integer k less than p given $P,Q$.
• ECDLP hardness assumption: There is no algorithm that can solve ECDLP in probabilistic polynomial time with a non-negligible probability ${ϵ}_1$.

3.3. System Model

The system model includes four entities: TA, PA, RSU, and VU, as shown in Figure 1. The functionality of each entity is described as follows:

1.

Trusted Authority (TA): TA is a fully trusted third party with powerful computing and information storage capabilities. Its responsibilities include generating the public parameters of the system, the initial pseudonyms for vehicles, and the partial private keys for roadside units and the pseudonym activator.

2.

Pseudonym Activator (PA): PA is a trusted entity controlled by TA, which has better computing and information storage capabilities. Its main responsibility is to activate the pseudonym sent by the vehicle to make it valid.

3.

Roadside Unit (RSU): RSU is the infrastructure deployed on side of the road, which is the most basic part of the IoVs architecture. It is a semi-trusted, honest, and curious entity with good computing and information storage capabilities. It is responsible for collecting and publishing real-time traffic information and providing message authentication and other communication services for vehicles.

4.

Vehicle user (VU): In the vehicle network, vehicles communicate with other entities through On-Board Unit (OBU) devices, and their computing and storage capabilities are limited. In our scheme, vehicles can autonomously generate pseudonyms and dynamically update them.

3.4. Security Goals

To resist the potential security threats in IoVs, it is generally necessary to achieve the following security goals.

• Integrity: Protect data from tampering, forgery or replay during transmission and maintain the integrity of the message. This prevents the attacker from tampering with the communication data and ensures that the message obtained by the receiver is consistent with the original message of the sender.
• Authentication: Through the effective authentication mechanism, the identity of the communication entity is guaranteed to be legal and valid. The camouflage and identity impersonation attacks are prevented, which maintains the authenticity and credibility of the communication and prevents the malicious entity from impersonating the legal entity and participating in the communication.
• Conditional Privacy: The trusted authority is able to trace the real identity of the anonymous vehicle for the violation. It is crucial in maintaining the security and trustworthiness of IoVs.
• Unlinkability: When a vehicle sends different signatures using different communication pseudonyms in the network, the attacker cannot associate the different communication pseudonyms used by the vehicle with the same vehicle when verifying the signature. Therefore, the proposed scheme should satisfy the unlinkability between different pseudonyms.
• Non-repudiation: Ensure that the sender of a message cannot deny the fact that the message was sent by the corresponding sender to ensure non-repudiation of the communication.

3.5. Security Models

Suppose there are two types of adversaries with different attack capabilities, denoted as $A_1$ and $A_2$, where $A_1$ is a malicious vehicle with the ability to replace the signer’s public key, but cannot access the TA’s main master key, and $A_2$ is a malicious passive TA with the ability to access the TA’s main master key, but cannot replace the signer’s public key. In this section, we will design different security models based on the capabilities of these two adversaries. Specifically, we simulate the unforgeability of the scheme through Game 1 and Game 2 executed by adversary $A\in \{A_1,A_2\}$ and Challenger C. A is allowed to make the following five queries to C:

Hash query: A gives an input value, and C responds with the hash value corresponding to A.

Secret value query: A gives a pseudonym identity to C, and C responds with the secret value corresponding to the pseudonym to A.

Create user query: A gives a pseudonym identity to C, and C responds with the public key of that identity to A.

User private key query: A gives an identity to C, and C responds with the private key for that identity to A.

Replace public key query: A gives a pseudonym identity and a public key $P{K}^{*}$ to C, and C replaces the original public key $PK$ with $P{K}^{*}$.

Signature query: A gives a pseudonym and a message to C, and C responds with the signature for that identity to A.

Next, we will provide detailed descriptions of two games and give two definitions.

Game 1: adversary $A_1$ and challenger C.

1.

C runs the setup algorithm to generate system parameters, then sends them to $A_1$.

2.

$A_1$ performs hash queries and creates user queries, user private key queries, replacement public key queries, and signature queries.

3.

$A_1$ generates a signature on $(SPI{D}_{V_i}^{*},P{K}_{V_i}^{*},m_{V_i}^{*})$.

If the following conditions are simultaneously satisfied, then $A_1$ wins Game 1.

1.

${\sigma }_V^{*}$ is a valid signature.

2.

$A_1$ cannot query signatures on $(SPI{D}_{V_i}^{*},m_{V_i}^{*})$.

Game 2: adversary $A_2$ and challenger C.

1.

C runs the Setup algorithm to generate system parameters and system master key, then sends them all to $A_2$.

2.

$A_2$ performs hash queries and creates user queries, user private key queries, and signature queries.

3.

$A_2$ generates a signature on $(SPI{D}_{V_i}^{*},P{K}_{V_i}^{*},m_{V_i}^{*})$.

If the following conditions are simultaneously satisfied, then $A_2$ wins Game 2.

1.

${\sigma }_{V_i}^{*}$ is a valid signature.

2.

$A_2$ cannot query users’ private keys for $I{D}_{V_i}^{*}$.

3.

$A_2$ cannot query signatures on $(SPI{D}_{V_i}^{*},m_{V_i}^{*})$.

Definition 1. 

The scheme satisfies existential unforgeability under the chosen message attack (EU-CMA) if adversary $A_1$ and $A_2$ cannot win Game 1 and Game 2 with non-negligible advantage ${ϵ}_1$ and ${ϵ}_2$ in polynomial time, respectively.

4. Our Scheme

4.1. Construction of Scheme

This section describes the designed scheme in detail. The scheme is composed of five parts: the system initialization phase, registration phase, pseudonym generation and update phase, message authentication phase, and tracking phase. A detailed introduction of each phase is given below.

In the proposed scheme, the hash functions $h_0$∼$h_3$ are designed to meet essential properties for IoV security: determinism ensures consistent pseudonym generation and verification across entities like TA, PA, and vehicles, as seen in fixed outputs for identical inputs in operations such as $h_1(PI{D}_{V_i},h)$; computational speed supports real-time communication in resource-constrained IoV environments, which is crucial for timely pseudonym updates and message authentication; a one-way structure and preimage resistance prevent the derivation of sensitive inputs (e.g., pseudonym seed $k_0$ from $k_t=h_1\left(k_0\right)$), safeguarding key information; avalanche effect in functions like $h_2\left(k_t\right)$ ensures minor input changes lead to significantly different pseudonyms, enhancing unlinkability; fixed-length results streamline data transmission, reducing overhead in processes such as pseudonym activation; and collision resistance, as already emphasized, prevents pseudonym forgery, ensuring the uniqueness of communication identities. These properties collectively reinforce the scheme’s security and efficiency in IoVs scenarios.

1.

Initialization Phase

In this phase, the TA executes the following algorithm to generate the system parameters and the public–private key pair of the system.

(a)

Taking the security parameter $\lambda$ as input, the addition cyclic group $G_1$ of order q is selected according to $\lambda$, and P is selected as the generator of group $G_1$. TA selects four one-way hash functions $h_0$∼$h_3$, defined as fixed-length cryptographic functions with key properties: determinism (consistent outputs for identical inputs, e.g., $h_1(PI{D}_{V_i},h)$), a one-way structure (irreversible, protecting seeds like $k_0$ in $k_t=h_1\left(k_0\right)$), and avalanche effect (minor input changes in $k_t$ yield distinct $h_2\left(k_t\right)$ outputs, enhancing unlinkability). These lightweight functions support efficient IoV operations.

(b)

TA selects the random number $k\in {\mathbb{Z}}_q^{*}$ as the system master key and calculates $P{K}_{TA}=k·P$ as the system public key.

(c)

TA publishes the system parameters $pub=$$q,P,G_1,h_0$∼$h_3,P{K}_{TA}$.

2.

Registration Phase

All vehicles, the PA, and RSUs must register with the TA separately before joining the connected vehicle system. This phase mainly includes PA registration, RSU registration, and vehicle registration. In PA registration and RSU registration, TA needs to generate partial private keys for PA and RSU, respectively. In vehicle registration, TA needs to generate an initial pseudonym for the vehicle, and the specific registration steps are as follows.

• PA registration:

  (a)

  PA selects the random number $s_P\in {\mathbb{Z}}_q^{*}$ and calculates $V_P=s_P·P$.

  (b)

  PA sends the registration request containing its real identity $RI{D}_P$ and $V_P$ to TA;

  (c)

  After receiving the registration request from PA, TA checks whether $RI{D}_P$ exists in the registration list. If it exists, the request is denied. Otherwise, TA selects a random number $t_P\in {\mathbb{Z}}_q^{*}$, calculates $T_P=t_P·P$, $w_P=h_1(RI{D}_P,T_P)$, $PS{K}_P=k·w_P+t_P$, $C_P=PS{K}_P\oplus h_0(k·V_P)$, and sends $C_P$ to PA, where $k·V_P$ is the session key for communication between PA and TA.

  (d)

  After receiving $C_P$ from TA, PA computes $PS{K}_P=C_P\oplus h_0(s_P·P{K}_{TA})$, the private key $S{K}_P=s_P·PS{K}_P$, and the public key $P{K}_P=S{K}_P·P$.

• RSU registration
  Since the RSU registration process is similar to the PA registration process, it will not be described here.
• Vehicle Registration:

  (a)

  Vehicle $V_i$ chooses a random number $b_{V_i}\in {\mathbb{Z}}_q^{*}$ as the secret key and calculates the public key $P{K}_{V_i}=b_{V_i}·P$.

  (b)

  $V_i$ calculates $C_{V_i}=RI{D}_{V_i}\oplus h_0(b_{V_i}·P{K}_{TA})$ and sends the registration request containing $C_{V_i}$ to TA, where $b_{V_i}·P{K}_{TA}$ is the session key for communication between vehicle $V_i$ and TA.

  (c)

  After receiving the registration request sent by $V_i$, TA calculates $RI{D}_{V_i}=C_{V_i}\oplus h_0(k·P{K}_{V_i})$, checks the validity of the $RI{D}_{V_i}$ and checks whether $RI{D}_{V_i}$ exists in the registration list. If it exists, the registration request is denied. Otherwise, TA chooses two random numbers $x_{V_i},t_{V_i}\in {\mathbb{Z}}_q^{*}$, calculates $T_{V_i}=t_{V_i}·P$, $PI{D}_{V_i}=h_1(T_{V_i},RI{D}_{V_i},x_{V_i})$, and $h=k·PI{D}_{V_i}+t_{V_i}$, $L=h\oplus h_0(k·P{K}_{V_i})$, where $PI{D}_{V_i}$ is the vehicle’s initial pseudonym. Finally, TA sends $PI{D}_{V_i}$ and $(L,T_{V_i})$ to $V_i$.

3.

Pseudonym Generation and Autonomous Dynamic Update Phase

In this phase, the vehicle generates the communication pseudonym according to the initial pseudonym generated by TA, and the vehicle sends the communication pseudonym activation request to PA, which activates the vehicle communication pseudonym and sends the activation credential to the vehicle. When the vehicle needs to update the communication pseudonym, the vehicle updates the communication pseudonym through the pseudonym update mechanism and sends the updated communication pseudonym to PA, which activates the updated communication pseudonym of the vehicle and sends the activation credential to the vehicle.

• Seed generation:
  Vehicle $V_i$ chooses a random number $t_i\in {\mathbb{Z}}_q^{*}$, and computes $M_{V_i}=t_i·P$, $h=L\oplus h_0(b_{V_i}·P{K}_{TA})$, $q_{V_i}=h_1(PI{D}_{V_i},h)$, $k_0=M_{V_i}·q_{V_i}$, $k_t=h_1\left(k_0\right)$, where $k_0$ denotes the communication pseudonym seed.
• Pseudonym self-generation:

  (a)

  $V_i$ computes $N_{V_i}=k_t·P$, $SPI{D}_{V_i}^1=N_{V_i}·h_3\left(k_t\right)$;

  (b)

  $V_i$ chooses random number ${\theta }_i\in {\mathbb{Z}}_q^{*}$, and computes $SPI{D}_{V_i}^2=h_1(PI{D}_{V_i},{\theta }_i·P)$, $SPI{D}_{V_i}=(SPI{D}_{V_i}^1,SPI{D}_{V_i}^2)$, where $SPI{D}_{V_i}$ denotes the communication pseudonym of vehicle $V_i$.

• Pseudonym activation:

  (a)

  $V_i$ chooses a random number $a_i\in {\mathbb{Z}}_q^{*}$, and computes $A_{V_i}=a_i·P$, $CT=(PI{D}_{V_i}\left|\right|k_t)\oplus h_1((a_i·P{K}_P)\left|\right|T_{cur}\left|\right|A_{V_i}\left|\right|h)$, $CR=h\oplus h_0(a_i·P{K}_P)$, where $T_{cur}$ is the current timestamp. $V_i$ computes $V=h_1(PI{D}_{V_i}\left|\right|SPI{D}_{V_i}\left|\right|k_t\left|\right|T_{cur})$, let $rp=\{T_{V_i},CR,A_{V_i},CT,V\}$. $V_i$ sends $\{PI{D}_{V_i},SPI{D}_{V_i}^2,rp,T_{cur}\}$ to PA.

  (b)

  After receiving $\{PI{D}_{V_i},SPI{D}_{V_i}^2,rp,T_{\mathrm{cur}}\}$ from $V_i$, PA determines the freshness of the message based on $T_{\mathrm{rev}}-T_{\mathrm{cur}}\le \Delta T$, where $\Delta T$ is the maximum transmission delay. If the message is fresh, steps d)-g) are performed; otherwise, the PA refuses to provide the communication pseudonym activation service for the vehicle $V_i$.

  (c)

  PA needs to maintain two pseudonym lists, $L_1$ and $L_2$, where list $L_1=(z,k_t^{*},PI{D}_{V_i})$, and the list $L_2$ stores the current valid communication pseudonyms of all vehicles, and these two lists are initialized as empty.

  (d)

  PA computes $h=CR\oplus h_0(S{K}_P·A_{V_i})$ and determines whether the equality $hP=PI{D}_{V_i}P{K}_{TA}+T_{V_i}$ holds, and if it holds, PA calculates $(PI{D}_{V_i}\left|\right|k_t^{\prime })=CT\oplus h_0((S{K}_P·A_{V_i})\left|\right|T_{cur}\left|\right|A_{V_i}\left|\right|h)$. $N_{V_i}^{\prime }=k_t^{\prime }·P$.

  (e)

  PA checks whether the tuple $(z,k_t^{*},PI{D}_{V_i})$ exists in the list $L_1$. If it does not exist, PA lets $z={k_t}^{\prime }$ and calculates ${{SPID}_{V_i}^1}^{\prime }={N_{V_i}}^{\prime }·h_3\left({k_t}^{\prime }\right)$. If it exists, PA checks whether $k_t^{\prime }$ computed in the previous step is equal to $k_t^{*}$ in the tuple. If they are equal, PA rejects the pseudonym activation service; otherwise, PA verifies whether the equality $k_t^{\prime }=h_2\left(k_t^{*}\right)$ holds. If it holds, then PA calculates $SPI{D}_{V_i}^1=N_{V_i}^{\prime }·h_3\left(k_t^{\prime }\right)$, ${{SPID}_{V_i}}^{\prime }=(SPI{D}_{V_i}^1$, $SPI{D}_{V_i}^2)$.

  (f)

  PA computes $V^{\prime }=h_1(PI{D}_{V_i}\Vert {{SPID}_{V_i}}^{\prime }\Vert {k_t}^{\prime }\Vert T_{\mathrm{cur}})$ and checks whether the equality $V^{\prime }=V$ holds. If it holds, it means that the communication pseudonym ${{SPID}_{V_i}}^{\prime }$ is generated by the vehicle identity $PI{D}_{V_i}$ and is not activated. Then, PA sets $k_t^{*}={k_t}^{\prime }$ and stores $(z,{k_t}^{\prime },PI{D}_{V_i})$ in list $L_1$.

  (g)

  PA selects a random number $\mu \in {\mathbb{Z}}_q^{*}$ and calculates $X_{V_i}=\mu P$, $R_{V_i}=h_1(SPI{D}_{V_i},L)S{K}_P+\mu$, $C{R}_{V_i}=R_{V_i}\oplus h_0(S{K}_P·A_{V_i})$, $L=E_{P{K}_P}\left(z\right)$, $G_{V_i}=h_1(SPI{D}_{V_i},L)S{K}_P$, $c{t}_{SPI{D}_{V_i}}=(SPI{D}_{V_i},L,G_{V_i},X_{V_i})$, where $c{t}_{SPI{D}_{V_i}}$ is the credential generated by PA for the vehicle $V_i$. PA stores $SPI{D}_{V_i}$ in the public valid communication pseudonym list $L_2$ and sends $c{t}_{SPI{D}_{V_i}},C{R}_{V_i}$ to $V_i$.

• Vehicle pseudonym update and re-activation

  (a)

  When vehicle $V_i$ needs to update the communication pseudonym, the vehicle updates it through the pseudonym update mechanism, setting $k_t=h_2\left(k_t\right)$, and then repeating the pseudonym self-generation step to obtain the updated communication pseudonym.

  (b)

  Vehicle $V_i$ executes a) in the pseudonym activation step, sends the updated communication pseudonym to PA, repeats b)-g) in the pseudonym activation step, activates the updated communication pseudonym of the vehicle, and sends the activation credential to vehicle $V_i$.

  (c)

  When vehicle $V_i$ needs to update the communication pseudonym again, the vehicle pseudonym update and re-activation step is repeated.

4.

Message Authentication Phase

When vehicle $V_i$ sends a message $m_{V_i}$ to other entities using the communication pseudonym $SPI{D}_{V_i}$, the other entities should verify the message $m_{V_i}$ to prevent it from being tampered with or forged. Taking vehicle $V_i$ as the message sender and RSU as the message receiver as an example, the authentication steps are as follows:

(a)

$V_i$ chooses random numbers $d_1,d_2\in {\mathbb{Z}}_q^{*}$ and calculates $D_{V_i}=d_1·P$, $R_{V_i}=C{R}_{V_i}\oplus h_0(a_i·P{K}_P)$, $N_{V_i}=b_{V_i}{d}_{2}P$, $Q_{V_i}=h_1(SPI{D}_{V_i}\Vert m_{V_i}\Vert T_{cur}\Vert D_{V_i}\Vert N_{V_i})$, $W_{V_i}=h_1(SPI{D}_{V_i}\Vert A_{V_i})$, $F_{V_i}=R_{V_i}+d_1{Q}_{V_i}+b_{V_i}{d}_2+a_i{W}_{V_i}$. Let signature ${\sigma }_{V_i}=(D_{V_i},F_{V_i})$. $V_i$ send $re{p}_2=\{SPI{D}_{V_i},c{t}_{SPI{D}_{V_i}},{\sigma }_{V_i},N_{V_i},A_{V_i},T_{\mathrm{cur}}\}$ to RSU.

(b)

After receiving the $re{p}_2$ sent by $V_i$, RSU checks whether the equality $GP=h_1(SPI{D}_{V_i},L)P{K}_P$ holds. If it does not hold, the RSU rejects the request; otherwise, RSU calculates $Q_{V_i}=h_1(SPI{D}_{V_i}\Vert m_{V_i}\Vert T_{cur}\Vert D_{V_i}\Vert N_{V_i})$, $W_{V_i}=h_1(SPI{D}_{V_i}\Vert A_{V_i})$.

(c)

Finally, the RSU verifies whether $F_{V_i}P=h_1$

$\left(SPI{D}_{V_i}\right)P{K}_P+X_{V_i}+D_{V_i}{Q}_{V_i}+N_{V_i}+W_{V_i}{A}_{V_i}$ holds. If it holds, then the message $m_{V_i}$ is valid and received by the RSU; otherwise, the RSU declines to accept the invalid message $m_{V_i}$.

5.

Malicious Vehicle Tracking Phase

After receiving the malicious behavior report of the vehicle, the PA tracks the initial pseudonym of the malicious vehicle based on its communication pseudonym and sends it to the trusted authority, TA. The TA tracks the real identity of the malicious vehicle according to the initial pseudonym of the malicious vehicle and holds it accountable. The specific tracing process is outlined below:

(a)

When the malicious vehicle $V_i$ is reported by other entities in the IoVs, the whistleblower sends $c{t}_{SPI{D}_{V_i}}$ and the malicious behavior of the vehicle $V_i$ to PA, and PA obtains L from $c{t}_{SPI{D}_{V_i}}$, and then decrypts L with its private key $S{K}_P$ to obtain z; that is, $z=D_{S{K}_P}\left(L\right)$, where $c{t}_{SPI{D}_{V_i}}$ represents the valid credential of the vehicle, whose communication pseudonym is $SPI{D}_{V_i}$.

(b)

Based on z, PA looks up the initial pseudonym $PI{D}_{V_i}$ corresponding to the vehicle with the communication pseudonym $SPI{D}_{V_i}$ in list $L_1$ and sends $PI{D}_{V_i}$ to TA.

(c)

TA retrieves the real identity $RI{D}_{V_i}$ of the malicious vehicle $V_i$ according to $PI{D}_{V_i}$.

4.2. Correctness Proof

The correctness of the signature is ensured by the following equation:

$$\begin{array}{cc}\hfill F_{V_i}·P& =\left(R_{V_i}+d_1{Q}_{V_i}+b_{V_i}{d}_2+a_i{W}_{V_i}\right)P\hfill \\ \hfill & =R_{V_i}P+d_1{Q}_{V_i}P+b_{V_i}{d}_{2}P+a_i{W}_{V_i}P\hfill \\ \hfill & =\left[h_1\left(SPI{D}_{V_i}\right)S{K}_P+\mu \right]P+D_{V_i}{Q}_{V_i}\hfill \\ \hfill & +N_{V_i}+W_{V_i}{A}_{V_i}\hfill \\ \hfill & =h_1\left(SPI{D}_{V_i}\right)P{K}_P+X_{V_i}+D_{V_i}{Q}_{V_i}\hfill \\ \hfill & +N_{V_i}+W_{V_i}{A}_{V_i}\hfill \end{array}$$

(1)

5. Security Analysis of Our Scheme

5.1. Security Proof

It is assumed that there are two types of adversaries with different attack capabilities, namely $A_1$ and $A_2$. $A_1$ is a malicious vehicle that has the ability to replace the signer’s public key but cannot access the master key of the TA. $A_2$ is a malicious passive TA that can access the system master key but cannot replace the signer’s public key. We will design different security models based on the capabilities of these two types of adversaries. Specifically, the unforgeability of the scheme is simulated through Game 1 and Game 2 executed by the adversary $A\in \{A_1,A_2\}$ and the challenger C.

Theorem 1. 

In polynomial time, if the adversary $A_1$ can forge a valid signature with non-negligible advantage ${ϵ}_1$ in the ROM, then there exists an algorithm that can solve the ECDLP problem with non-negligible advantage ${ϵ}_1^{\prime }$.

(${\epsilon }_1^{\prime }=P(E{v}_1\wedge E{v}_2\wedge E{v}_3)\ge \left(1-{\displaystyle \frac{1}{q_c{q}_{SEC}{q}_{sig}}}\right){\displaystyle \frac{{\epsilon }_1}{q_c}}·\left({\displaystyle \frac{{\epsilon }_1}{q_{H_0}+q_{H_1}}}-{\displaystyle \frac{1}{q_c}}\right){\epsilon }_1$, where $q_c$, $q_{SEC}$, $q_{sig}$, $q_{H_i}$ represent the times at which the user query, secret value query, sign query, and $H_i$ query are created, respectively.)

Proof. 

Suppose C is a solver for the elliptic curve discrete logarithm problem, where the input to the challenging problem is $(G,Q=aP)$, with P being the generator of group G, $a,Q\in {\mathbb{Z}}_q^{*}$. The objective of C is to compute the value of a. □

C needs to maintain four initially empty lists, namely $L_0=(SPI{D}_{V_i},h_0)$, $L_1=(SPI{D}_{V_i},E_{V_i},Q_{V_i},W_{V_i})$, $L_{\mathrm{USER}}=(RI{D}_{V_i},P{K}_{V_i},S{K}_{V_i},A_{V_i},a_i)$, $L_{\mathrm{SEC}}=(SPI{D}_{V_i}$, $R_{V_i},X_{V_i},\mu )$, which are used to store the values of $A_1$’s queries to the oracles for $H_0$, $H_1$, create user, and secret value, respectively.

Phase 1: C runs the Setup algorithm to generate the system parameters $pub=$$q,P,g_1,h_0$∼$h_3,P{K}_{TA}$ and computes the public–private key pair $(P{K}_P=S{K}_{P}P,S{K}_P)$ of PA, then sends the system parameters $pub$ and $P{K}_P$ to $A_1$.

Phase 2: $A_1$ adaptively makes a bounded polynomial number of queries to C.

(1) $H_0$ Query: When C receives an $H_0$ query from $A_1$ concerning $SPI{D}_{V_i}$, it first checks whether the tuple $(SPI{D}_{V_i},h_0)$ exists in the list $L_0$. If it exists, it sends $h_0$ to $A_1$. Otherwise, it performs the following operations:

1.

If $SPI{D}_{V_i}\ne SPI{D}_{V_i}^{*}$, C chooses $h_0\in {\mathbb{Z}}_q^{*}$ and inserts the tuple $(SPI{D}_{V_i},h_0)$ into the list $L_0$.

2.

If $SPI{D}_{V_i}=SPI{D}_{V_i}^{*}$, C aborts the game.

(2) $H_1$ Query: When C receives an $H_1$ query from $A_1$ concerning $SPI{D}_{V_i}$, it first checks whether the tuple $(SPI{D}_{V_i},E{V}_i,Q_{V_i},W_{V_i})$ exists in the list $L_1$. If it exists, C sends $E{V}_i,Q_{V_i},W_{V_i}$ to $A_1$. Otherwise, it performs the following operations:

1.

If $SPI{D}_{V_i}\ne SPI{D}_{V_i}^{*}$, C chooses $E{V}_i,Q_{V_i},W_{V_i}\in {\mathbb{Z}}_q^{*}$, sends them to $A_1$, and inserts the tuple $(SPI{D}_{V_i},E{V}_i$,

$Q_{V_i},W_{V_i})$ into the list $L_1$.

2.

If $SPI{D}_{V_i}=SPI{D}_{V_i}^{*}$, C accesses the list $L_{USER}$ to obtain $A{V}_i$, then chooses $E{V}_i$, $Q_{V_i}\in {\mathbb{Z}}_q^{*}$, computes $W_{V_i}=h_1(SPI{D}_{V_i}\left|\right|A{V}_i)$.

Finally, C sends $E{V}_i,Q_{V_i},W_{V_i}$ to $A_1$, and inserts the tuple $(SPI{D}_{V_i},E{V}_i,Q_{V_i},W_{V_i})$ into the list $L_1$.

(3) Creating User Query: When C receives the create user query from $A_1$ regarding the identity $(RI{D}_{V_i},SPI{D}_{V_i})$, it first checks whether the tuple $(RI{D}_{V_i},P{K}_{V_i},S{K}_{V_i},A{V}_i)$ exists in the list $L_{USER}$. If it exists, C sends $P{K}_{V_i}$ to $A_1$. Otherwise, it performs the following operations:

1.

If $SPI{D}_{V_i}\ne SPI{D}_{V_i}^{*}$, C chooses $a_i,S{K}_{V_i}\in {\mathbb{Z}}_q^{*}$, lets $P{K}_{V_i}=S{K}_{V_i}P$, sends $P{K}_{V_i},A{V}_i$ to $A_1$, and inserts $(RI{D}_{V_i},P{K}_{V_i},S{K}_{V_i},A{V}_i)$ into the list $L_{USER}$.

2.

If $SPI{D}_{V_i}=SPI{D}_{V_i}^{*}$, C chooses $S{K}_{V_i}=aP$, then sends $P{K}_{V_i},A{V}_i$ to $A_1$, and inserts $(RI{D}_{V_i},P{K}_{V_i},S{K}_{V_i}$,$A{V}_i,-)$ into the list $L_{USER}$.

(4) Private Key Query: When C receives a private key query about the identity $(RI{D}_{V_i},SPI{D}_{V_i})$, it first checks whether the tuple $(RI{D}_{V_i},P{K}_{V_i},S{K}_{V_i},A{V}_i)$ exists in the list $L_{USER}$.

1.

If it exists, C sends $S{K}_{V_i}$ to $A_1$.

2.

Otherwise, C outputs an error character ⊥, indicating that the user has not been created.

(5) Secret Value Query: When C receives a query about the secret value related to the identity $SPI{D}_{V_i}$ from $A_1$, it first checks whether the tuple $(SPI{D}_{V_i},R_{V_i},\mu )$ exists in the list $L_{SEC}$. If it exists, C sends $C_w$ to $A_1$. Otherwise, it performs the following operations:

1.

If $SPI{D}_{V_i}\ne SPI{D}_{V_i}^{*}$, C accesses the list $L_1$ to obtain $E{V}_i$, chooses $\mu \in {\mathbb{Z}}_q^{*}$, computes $X_{V_i}=\mu P$, $R_{V_i}=E_{V_i}S{K}_P+\mu$, sends $R_{V_i}$ to $A_1$, and inserts $(SPI{D}_{V_i},R_{V_i},\mu )$ into the list $L_{SEC}$.

2.

If $SPI{D}_{V_i}=SPI{D}_{V_i}^{*}$, C aborts the game.

(6) Public Key Replacement Query: $A_1$ wants to replace the $P{K}_{V_i}$ of identity $RI{D}_{V_i}$, so it submits a public key replacement query to C. Upon receiving $A_1$’s query, it first checks whether the tuple $(RI{D}_{V_i},P{K}_{V_i}^{*},S{K}_{V_i},A{V}_i)$ exists in the list $L_{USER}$. If it exists, C updates the tuple to $(RI{D}_{V_i},P{K}_{V_i}^{*},S{K}_{V_i},A{V}_i)$. Otherwise, C outputs the error character ⊥, indicating that the user has not been created.

(7) Signature Query: When $A_1$ submits a signature query about $(SPI{D}_{V_i},m_{V_i})$ to C, C performs the following operations:

(a)

If $SPI{D}_{V_i}\ne SPI{D}_{V_i}^{*}$, C accesses the lists $L_{SEC}$, $L_{USER}$, and $L_1$ to obtain $R_{V_i},a_i,Q_{V_i},W_{V_i}$, respectively. Then, C chooses random numbers $d_1,d_2\in {\mathbb{Z}}_q^{*}$ and calculates $D_{V_i}=d_{1}P$, $N_{V_i}=S{K}_{V_i}{d}_{2}P$, $F_{V_i}=R_{V_i}+d_1{Q}_{V_i}+b_{V_i}{d}_2+a_i{W}_{V_i}$. C returns the signature ${\sigma }_{V_i}=(D_{V_i},F_{V_i})$ to $A_1$.

(b)

If $SPI{D}_{V_i}=SPI{D}_{V_i}^{*}$, C aborts the game.

Stage 3: $A_1$ stops the above inquiries and outputs a forged signature ${\sigma }_{V_i}^{*}=(D_{V_i}^{*},F_{V_i}^{*})$ about $(SPI{D}_{V_i}^{*},m_{V_i}^{*})$. If $SPI{D}_{V_i}\ne SPI{D}_{V_i}^{*}$, C aborts the game; otherwise, using the Forking Lemma, C can successfully obtain two valid signatures ${\sigma }_{V_{i}1}^{*}=(D_{V_{i}1}^{*},F_{V_{i}1}^{*})$ and ${\sigma }_{V_{i}2}^{*}=(D_{V_{i}2}^{*},F_{V_{i}2}^{*})$ in polynomial time. Therefore, C calculates $a={\displaystyle \frac{F_{V_{i}1}^{*}-F_{V_{i}2}^{*}}{W_{V_{i}1}^{*}-W_{V_{i}2}^{*}}}$ using the following formula as a valid solution to the elliptic curve discrete logarithm problem, thus solving the elliptic curve discrete logarithm problem.

$$\begin{array}{c}{F}_{V_{i_1}}^{*}P=h_1\left(SPI{D}_{V_i}\right)P{K}_T+X_{V_i}+D_{V_i}{Q}_{V_i}+N_{V_i}+W_{V_{i_1}}^{*}{A}_{V_{i_1}}^{*}\hfill \\ F_{V_{i_2}}^{*}P=h_1\left(SPI{D}_{V_i}\right)P{K}_T+X_{V_i}+D_{V_i}{Q}_{V_i}+N_{V_i}+W_{V_{i_2}}^{*}{A}_{V_{i_2}}^{*}\hfill \\ F_{V_{i_1}}^{*}P-F_{V_{i_2}}^{*}P=a{W}_{V_{i_1}}^{*}P-a{W}_{V_{i_2}}^{*}P\hfill \end{array}$$

Next, we analyze C’s advantage in solving the ECDLP through the following events.

Ev1: ${\sigma }_{V_i}^{*}$ is a valid signature.

Ev2: $A_1$ cannot inquire about the secret value of $SPI{D}_{V_i}^{*}$.

Ev3: $A_1$ cannot inquire about the signature of $(SPI{D}_{V_i}^{*},m_{V_i}^{*})$.

In Stage 2, the probability that $A_1$ will submit $q_{SEC}$ secret value queries and $q_{sig}$ sign queries without being aborted is $\left(1-{\displaystyle \frac{1}{q_c{q}_{SEC}{q}_{sig}}}\right)$.

In Stage 3, the probability that $A_1$ successfully forges a valid signature is ${ϵ}_1$, and the probability that C does not abort the game is $1/q_c$.

According to the Forking Lemma, the probability that C successfully obtains two valid signatures is ${ϵ}_1/(q_{H_0}+q_H)$$-1/q_c{ϵ}_1$.

Therefore, C’s advantage in solving the ECDLP is ${ϵ}_1^{\prime }=P(Ev1\wedge Ev2\wedge Ev3)\ge \left(1-{\displaystyle \frac{1}{q_c{q}_{SEC}{q}_{sig}}}\right){\displaystyle \frac{{ϵ}_1}{q_c}}·{\displaystyle \frac{{ϵ}_1}{(q_{H_0}+q_H)}}$$-{\displaystyle \frac{1}{q_c}}{ϵ}_1$.

As ${ϵ}_1$ is non-negligible, C can solve the ECDLP problem with a non-negligible probability. This contradicts the fact that ECDLP is a hard problem. Therefore, the scheme can resist forgery attacks from $A_1$.

The security proof for the second type of attacker $A_2$ is similar to $A_1$ and is not discussed here.

5.2. Security Requirement Analysis

(1) Message Authenticity and Integrity: Message Authenticity and Integrity: According to the security proof, adversaries $A_1$ and $A_2$ are incapable of successfully forging a valid signature. The RSU can verify the authenticity and integrity of the message by verifying whether the equation $F_{V_i}P=h_1\left(SPI{D}_{V_i}\right)P{K}_P+X_{V_i}+D_{V_i}{Q}_{V_i}+N_{V_i}+W_{V_i}{A}_{V_i}$ holds. This equality holds only if the signature is valid. Therefore, the proposed scheme satisfies the message authenticity and integrity.

(2) Conditional Privacy: In the proposed scheme, the vehicle $V_i$ uses the communication pseudonym $SPI{D}_{V_i}$ to communicate anonymously with other entities in IoVs, and TA can track the real identity of the vehicle $V_i$ with the assistance of PA. That is, PA finds the initial pseudonym $PI{D}_{V_i}$ of vehicle $V_i$ according to the credential $c{t}_{SPI{D}_{V_i}}$ and sends it to TA. TA tracks the real identity $RI{D}_{V_i}$ of vehicle $V_i$ based on its initial pseudonym $PI{D}_{V_i}$. Therefore, the proposed scheme satisfies conditional privacy.

(3) Unlinkability: When a vehicle generates a signature each time in the network, the communication pseudonym and credential will change accordingly, and the attacker cannot infer whether different signatures are from the same vehicle, which effectively prevents the attacker from tracking the identity of the vehicle. In addition, in the message authentication phase, each piece of verification information used by the RSU to verify the message signature will change as the signature changes; that is, the communication pseudonyms used by the vehicle cannot be associated during verification. Therefore, the proposed scheme satisfies the unlinkability of pseudonyms and real identities and the unlinkability of pseudonyms and communication pseudonyms.

(4) Autonomy and Dynamics of the Pseudonym Update: In the proposed scheme, each vehicle computes a pseudonym seed $k_0$ related to TA information and calculates $k_t=h_1\left(k_0\right)$. When vehicle $V_i$ wants to update its communication pseudonym, it can automatically and dynamically update its communication pseudonym through the hash function $k_t=h_2\left(k_t\right)$, and then it uses the new communication pseudonym to communicate with other entities. Therefore, the proposed scheme satisfies the autonomous and dynamic of pseudonym updates.

(5) Anti-Sybil attacks: The communication pseudonym $SPI{D}_{V_i}$ generated by the vehicle will be activated by PA. After the PA is activated, the updated communication pseudonym $SPI{D}_{V_i}$ of the vehicle is stored in the public valid fake name table, ensuring that only one pseudonym is valid for a vehicle at each time point. So the vehicle cannot use multiple simultaneously valid communication pseudonyms to communicate with other entities. Therefore, the proposed scheme can effectively resist Sybil attacks.

(6) Anti-replay attacks: There is a timestamp in the tuple $\{SPI{D}_{V_i},c{t}_{SPI{D}_{V_i}},{\sigma }_{V_i},N_{V_i},A_{V_i}$, $T_{\mathrm{curr}}\}$, which can be used by other entities in the IoV to check the validity of the signature. Therefore, the proposed scheme can effectively resist replay attacks.

(7) Anti-man-in-the-middle attack: The message authentication method provided by the proposed scheme was based on the certificateless public key cryptosystem, and the third party could not perform public key replacement attacks and replace the message. Therefore, the proposed scheme can effectively resist man-in-the-middle attacks.

5.3. Scyther Tool Analysis

To verify the security of the certificateless-based strong anonymous privacy protection authentication scheme proposed in this paper, the Scyther tool is used for formal modeling and verification of the protocol’s identity authentication process and pseudonym management mechanism.

In the Scyther modeling, the focus is on abstracting two core communication roles in the protocol:

• Vehicle (V): As the message sender, it uses dynamically generated pseudonyms (SPIDs) for signing and sends authentication information, including signatures, credentials, and timestamps, to the Roadside Unit (RSU).
• Roadside Unit (R): As the message receiver, the Roadside Unit is responsible for verifying the validity of the signature sent by the vehicle, checking the pseudonym status, and ensuring the freshness of the message.

The model strictly follows the core processes of the protocol, including pseudonym generation (based on a seed iterative update of hash functions), signature generation (combined with elliptic curve scalar operations), signature verification (verification through public key and elliptic curve point operations), and pseudonym activation (authorized by the Pseudonym Activator PA). Scyther claims are used to define key security attributes such as Authentication, Secrecy, and Unlinkability.

The results show that all Scyther claims are verified successfully, and the Scyther tool cannot effectively break this strong anonymous identity authentication protocol in the aforementioned malicious attack detection. The experimental results indicate that this strong anonymous identity authentication protocol can meet the preset security requirements and effectively resist common threats such as temporary key leakage attacks, pseudonym correlation attacks, Sybil attacks, replay attacks, and man-in-the-middle attacks. Additionally, it possesses forward security and flexibility in dynamic pseudonym management, making it suitable for Internet of Vehicles (IoVs) scenarios with high security demands and low latency requirements.

6. Performance Analysis

In this section, we analyze the performance of our scheme in terms of computational cost and communication overhead, and compare our scheme with five existing signature schemes. The computational cost mainly evaluates the computational amount of pseudonym generation, signature generation, and signature verification algorithms. The communication cost mainly evaluates the transmission length of signatures, pseudonyms, current timestamps, and public keys.

6.1. Computational Cost

In terms of computational cost, due to the small cost of universal hash operation and symmetric encryption and decryption, this assessment ignores them. Kamil et al. [32] simulated the basic encryption operation and obtained the running time required for the encryption operation, as shown in

Table 2. Cryptographic operation symbol and execution time.

Symbol	Description	Time (ms)
$B_p$	Bilinear pairing operation	4.2110
$B_{pm}$	Bilinear pairing multiplication	1.7090
$B_{pa}$	Bilinear paired addition	0.0071
$E_m$	Elliptic curve scalar (ECC) multiplication	0.4420
$E_a$	Elliptic curve scalar (ECC) addition	0.0018
$H_p$	Hash-to-point-function operation	4.406

. To facilitate comparison, we used these data to analyze the computational overhead of our scheme, Li et al.’s scheme [29], Mei et al.’s scheme [12], Pournaghi et al.’s scheme [35], Wang et al.’s scheme [7], and Azees et al.’s scheme [34].

Table 3. Calculation cost comparison.

Scheme	Pseudonym and Signature Generation	Sign Verification	Total Cost	Percentage
Our scheme	$6T_{Em}=2.652\mathrm{ms}$	$5T_{Em}=2.21\mathrm{ms}$	4.862 ms	―
[29]	$4T_{Em}+2T_{Ea}+T_{Bp}=6.1776\mathrm{ms}$	$4T_{Em}+2T_{Bp}=10.19\mathrm{ms}$	16.3676 ms	70.29%
[13]	$4T_{Em}+2T_{Hp}=10.58\mathrm{ms}$	$2T_{Em}+4T_{Bp}=17.728\mathrm{ms}$	28.308 ms	82.82%
[35]	$4T_{Em}+T_{Hp}=6.174\mathrm{ms}$	$T_{Em}+2T_{Bp}+T_{Hp}=13.27\mathrm{ms}$	19.444 ms	74.99%
[7]	$4T_{Em}+2T_{Hp}=11.022\mathrm{ms}$	$T_{Em}+3T_{Bp}+T_{Hp}=17.481\mathrm{ms}$	28.503 ms	82.94%
[34]	$6T_{Bp}=25.266\mathrm{ms}$	$5T_{Bp}+2T_{Hp}=29.867\mathrm{ms}$	55.133 ms	91.18%

shows the comparison results of computational cost between our scheme and five existing schemes.

As can be seen from Table 3, for the pseudonym and signature generation process of Li et al.’s scheme [29], vehicle users need to perform four scalar multiplication operations related to ECC, two scalar addition operations related to ECC, and one bilinear pairing operation. Therefore, the computational cost of the pseudonym and signature generation process of Li et al.’s scheme [29] is $4T_{E_m}+2T_{E_a}+T_{B_p}=6.1776\mathrm{ms}$. To verify the signature, the verifier needs to perform four scalar multiplications associated with ECC and two bilinear pairing operations. Thus, the computational cost of signature verification is $4T_E+2T_B=10.19\mathrm{ms}$.

For the pseudonym and signature generation process of Mei et al.’s scheme [12], vehicle users need to perform four scalar multiplication operations related to ECC and two hash-to-point-function operations. Therefore, the computational cost of the pseudonym and signature generation process of Mei et al.’s scheme [12] is $4T_{E_m}+2T_{H_p}=10.58\mathrm{ms}$. In the process of signature verification, the verifier needs to perform two scalar multiplication operations related to ECC and two bilinear pairing operations. Thus, the computational cost of signature verification is $2T_{E_m}+4T_{B_p}=17.728\mathrm{ms}$.

For the pseudonym and signature generation process of Pournaghi et al.’s scheme [35], vehicle users need to perform four scalar multiplication operations related to ECC and one hash-to-point-function operation. Therefore, the computational cost of the pseudonym and signature generation process of Pournaghi et al.’s scheme [35] is $4T_{E_m}+T_{H_p}=6.174\mathrm{ms}$. To verify the signature, the verifier needs to perform one scalar multiplication operation related to ECC, two bilinear pairing operations, and one hash-to-point function operation. Thus, the computational cost of signature verification is $T_{E_m}+2T_{B_p}+T_{H_p}=13.27\mathrm{ms}$.

For the pseudonym and signature generation process of Wang et al.’s scheme [7], vehicle users need to perform four scalar multiplication operations related to ECC and two hash-to-point-function operations. Therefore, the computational cost of the pseudonym and signature generation process of Wang et al.’s scheme [7] is $4T_{E_m}+2T_{H_p}=11.022\mathrm{ms}$. To verify the signature, the verifier needs to perform one scalar multiplication operation related to ECC, three bilinear pairing operations, and one hash-to-point function operation. Thus, the computational cost of signature verification is $T_{E_m}+3T_{B_p}+T_{H_p}=17.481\mathrm{ms}$.

For the pseudonym and signature generation process of Azees et al.’s scheme [34], vehicle users need to perform six bilinear pairing operations. Therefore, the computational cost of the pseudonym and signature generation process of Azees et al.’s scheme [34] is $6T_{B_p}=25.266\mathrm{ms}$. To verify the signature, the verifier needs to perform five bilinear pairing operations and two hash-to-point function operations. Thus, the computational cost of signature verification is $5T_{B_p}+2T_{H_p}=29.867\mathrm{ms}$.

In the process of pseudonym and signature generation in our proposed scheme, vehicle users need to perform six scalar multiplication operations related to ECC. Therefore, the computational cost of the pseudonym and signature generation process of our scheme is $6T_{E_m}=2.652\mathrm{ms}$. To verify the signature, the verifier needs to perform five scalar multiplication operations related to ECC. Thus, the computational cost of signature verification is $5T_E=2.21\mathrm{ms}$.

Compared with Wang et al.’s scheme [7], Mei et al.’s scheme [12], Li et al.’s scheme [29], Pournaghi et al.’s scheme [35], and Azees et al.’s scheme [34], the total computational cost of our scheme is reduced by 82.94%, 82.82%, 70.29%, 74.99%, and 91.18%, respectively. In addition, a bar chart is presented in this subsection for a clearer view of the comparison results, as shown in Figure 2. Therefore, the proposed scheme is more efficient in pseudonym generation, signature creation, and signature verification.

6.2. Communication Overhead

In terms of communication overhead, we perform simulations by using the following settings:

1.

Elliptic curve cryptography scheme: Construct an addition group G with the curve $E:y^2\equiv x^3+ax+bmodp$ of order q using generator p, where a and $b\in {\mathbb{Z}}_q^{*}$, $\left|p\right|=\left|q\right|=160$ bits, $\left|G\right|=320$ bits.

2.

Bilinear paired cipher scheme: Use a bilinear pairing operations, where $G_1\times G_1\to G_2$, $G_1$ is an addition cyclic group of order $q_1$ with generator $P_1$, where $P_1$ is a point on the curve $E:y^2\equiv x^3+xmod{P}_1$, $|P_1|=512$ bits, $|q_1|=160$ bits of prime, $|G_1|=1024$ bits. In addition, the timestamp T is $\left|T\right|=32$ bits.

Table 4. Communication overhead comparison.

Scheme	Communication Overhead	Total Length (Bits)
our scheme	$2\left|G\right|+|{\mathbb{Z}}_q^{*}|+|T|$	832 bits
[29]	$|G_1|+6|{\mathbb{Z}}_q^{*}|+|T|$	2016 bits
[12]	$3\left|G\right|+|{\mathbb{Z}}_q^{*}|+|T|$	1152 bits
[35]	$3\left|G\right|+|{\mathbb{Z}}_q^{*}|+|T|$	1152 bits
[7]	$3\left|G\right|+2|{\mathbb{Z}}_q^{*}|+|T|$	1312 bits
[34]	$4|G_1|+4|{\mathbb{Z}}_q^{*}|+|T|$	4768 bits

shows the comparison results of the communication cost between our scheme and the existing five schemes.

In Wang et al.’s scheme [7], the user sends the pseudonym $PI{D}_i=(PI{D}_i^1,PI{D}_i^2)$, signature ${\sigma }_i$, certificate $Cer{t}_{Vi}=(P{K}_{Vi},{\sigma }_i)$, and timestamp $T_i$ to the verifier, where $PI{D}_i^1,{\sigma }_i,P{K}_{Vi}\in G$, $PI{D}_i^2\in {\mathbb{Z}}_q^{*}$. Therefore, the communication cost of sending pseudonym, signature, and timestamp in Wang et al.’s scheme [7] is $3\left|G\right|+2|{\mathbb{Z}}_q^{*}|+|T|=1312\mathrm{bits}$.

In Mei et al.’s scheme [12], the user sends the pseudonym $PI{D}_i=(PI{D}_i^1,PI{D}_i^2)$, signature ${\sigma }_i=(U_i,T_i)$, and timestamp $T_i$ to the verifier, where $PI{D}_i^1,U_{Vi},T_{Vi}\in G$, $PI{D}_i^2\in {\mathbb{Z}}_q^{*}$. Therefore, the communication cost of sending the pseudonym, signature, and timestamp in Mei et al.’s scheme [12] is $3\left|G\right|+|{\mathbb{Z}}_q^{*}|+|T|=1152$ bits.

In our scheme, the user sends the pseudonym $SPI{D}_{V_i}$, signature ${\sigma }_{V_i}=(D_{V_i},F_{V_i})$, and timestamp $T_i$ to the verifier, where $SPI{D}_{V_i},D_{V_i}\in G$, $F_{V_i}\in {\mathbb{Z}}_q^{*}$. Therefore, the communication cost of sending the pseudonym, signature, and timestamp in our scheme is $2\left|G\right|+1|{\mathbb{Z}}_q^{*}|+|T|=832$ bits. Using the same approach, the communication overhead of Li et al.’s scheme [29], Pournaghi et al.’s scheme [35], and Azees et al.’s scheme [34] can be obtained.

According to Table 3, compared with Wang et al.’s scheme [7], Mei et al.’s scheme [12], Li et al.’s scheme [29], Pournaghi et al.’s scheme [35], and Azees et al.’s scheme [34], the total communication overhead of our scheme is reduced by 27.78%, 58.73%, 27.75%, and 82.55%, respectively. In addition, a bar chart pertaining to communication overhead is given for a clearer view of the comparison results, as shown in Figure 3. It can be observed in Figure 3 that the communication overhead of the proposed scheme is lower than that of other schemes; that is, the total transmission length of the pseudonym, signature and timestamp is reduced, which effectively saves the transmission bandwidth and storage overhead at the receiver. Therefore, the proposed scheme also has more advantages for communication, and is more suitable for the field of IoVs with low requirements for transmission bandwidth and storage overhead.

7. Conclusions

This paper proposes a strong anonymous privacy protection authentication scheme. The scheme is based on a certificateless public key cryptosystem, which effectively solves the problems of certificate management and key escrow. A strong anonymity method based on a collision-resistant hash function is designed, and the vehicle can update the pseudonym in communication at any time according to the users’ needs, eliminating the time dependence of the pseudonym updates and realizing the autonomy and dynamic update of pseudonyms. In addition, the trusted authority uses the session key to transmit the partial private key of each entity to the corresponding entity, which eliminates the dependence on the secure channel in the process of partial private key transmission. In addition, TA and PA cooperated to track the real identity of vehicle users, which effectively avoided TA directly and independently restored the user’s real identity. The security analysis results show that the proposed scheme can resist adaptive chosen message attacks, replay attacks, man-in-the-middle attacks, and Sybil attacks. The performance analysis results show that compared with the existing schemes, the proposed scheme has low computational cost and small communication overhead, which is more suitable for the field of IoVs with high security strength demand and low transmission bandwidth and storage.

In summary, the originality of this scheme lies in breaking through the time dependence limitation of existing pseudonym updates and proposing an autonomous dynamic update mechanism; pioneering a method of transmitting partial private keys via session keys in a certificateless architecture to eliminate the reliance on secure channels; and designing a distributed tracking mechanism with collaboration between TA and PA to balance privacy protection and traceability. These designs collectively address the bottlenecks of existing schemes in computational efficiency, privacy security, and practicality, forming a significant distinction from existing research schemes.