A Lightweight Batch Authenticated Key Agreement Scheme Based on Fog Computing for VANETs

Abstract

In recent years, fog-based vehicular ad hoc networks (VANETs) have become a hot research topic. Due to the inherent insecurity of open wireless channels between vehicles and fog nodes, establishing session keys through authenticated key agreement (AKA) protocols is critically important for securing communications. However, existing AKA schemes face several critical challenges: (1) When a large number of vehicles initiate AKA requests within a short time window, existing schemes that process requests one by one individually incur severe signaling congestion, resulting in significant quality of service degradation. (2) Many AKA schemes incur excessive computational and communication overheads due to the adoption of computationally intensive cryptographic primitives (e.g., bilinear pairings and scalar multiplications on elliptic curve groups) and unreasonable design choices, making them unsuitable for the low-latency requirements of VANETs. To address these issues, we propose a lightweight batch AKA scheme based on fog computing. In our scheme, when a group of vehicles requests AKA sessions with the same fog node within the set time interval, the fog node aggregates these requests and, with assistance from the traffic control center, establishes session keys for all vehicles by a round of operations. It has significantly reduced the operational complexity of the entire system. Moreover, our scheme employs Lagrange interpolation and lightweight cryptographic tools, thereby significantly reducing both computational and communication overheads. Additionally, our scheme supports conditional privacy preservation and includes a revocation mechanism for malicious vehicles. Security analysis demonstrates that the proposed scheme meets the security and privacy requirements of VANETs. Performance evaluation indicates that our scheme outperforms existing state-of-the-art solutions in terms of efficiency.

1. Introduction

With the rapid proliferation of private vehicles and increasingly complex road traffic networks, traffic management faces significant challenges, resulting in frequent accidents and substantial losses of life and property. Meanwhile, modern vehicles have transcended their traditional role as mere transportation tools, evolving into mobile intelligent spaces that integrate travel, leisure, entertainment, and work functions. These factors collectively highlight the critical importance of establishing an intelligent traffic management platform. In recent years, the swift advancement of information technology has positioned vehicular ad hoc networks (VANETs) as an emerging research focus [1,2]. By enabling wireless communication among multiple entities, VANETs provide crucial technical support for traffic control, autonomous driving, safety warnings, and vehicular services, thereby becoming a cornerstone of modern intelligent transportation systems.

The foundational architecture of conventional VANETs typically comprises three core components: a traffic control center (TCC), roadside units (RSUs), and vehicles equipped with an on-board unit (OBU) [3]. Central to this architecture, the TCC serves as both the system’s centralized control hub and primary computation component. Its responsibilities encompass identity management, secure authentication, and security policy formulation for the entire network.

However, with the rapid advancement of VANETs and the exponential growth of smart vehicles, network data traffic has surged dramatically. Due to its centralized nature, traditional vehicular network architecture struggles to meet the requirements of high concurrency and real-time communication, often resulting in communication bottlenecks and single points of failure.

To overcome these challenges, cloud computing and fog computing-based vehicular architectures have gained significant attention in recent years [4,5]. As an extension of cloud computing, fog computing deploys computing and storage resources closer to the network edge, enabling more localized data processing. This approach effectively reduces communication latency and enhances network efficiency [6]. Furthermore, given the limited coverage of RSUs, introducing fog nodes (FNs) between TCCs and RSUs can significantly improve network stability and overall communication quality in vehicular networks.

In VANET environments, information exchange primarily relies on wireless communication technologies, such as WiFi and dedicated short-range communications (DSR) [7,8]. However, the inherent security vulnerabilities in wireless technologies expose the entire system to both internal and external security threats, including man-in-the-middle attacks, replay attacks, and impersonation attacks. If VANETs suffer malicious attacks, they could result in serious casualties and substantial property damage. Therefore, ensuring communication security is a fundamental prerequisite for the widespread deployment of VANETs.

To ensure the security of VANETs, symmetric or asymmetric encryption is typically employed for secure data transmission. While asymmetric encryption offers robust security, its high computational and communication overheads make it difficult to satisfy VANETs’ requirements for high-frequency, low-latency communication. In contrast, the authenticated key agreement (AKA) mechanism enables the establishment of a secure session key between two communicating entities. This allows subsequent data transmission using symmetric encryption based on the session key, thereby reducing the computational and communication overhead while ensuring security.

At present, a variety of AKA schemes have been proposed [9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26]. However, these schemes commonly face the following challenges: (1) When a large number of vehicles request key agreement from the TCC in a short period of time, each request is processed individually between the vehicle and the TCC. This paradigm incurs two critical limitations: on the one hand, the TCC has too much processing pressure in a short period of time; on the other hand, the communication overhead of the whole system increases greatly, and the processing efficiency of the whole system is relatively low. (2) Some schemes rely on complex cryptographic operations, which makes it difficult to meet the real-time requirements in the VANETs environment.

To solve the above problems, we propose an efficient batch AKA scheme based on fog computing (BAKAF), which can improve the overall efficiency of the system on the premise of ensuring security. Our key contributions are summarized as follows:

(1) For the scenario where a group of vehicles in a local area request AKA sessions within a short time frame, we propose a comprehensive AKA scheme based on the concepts of fog computing and Lagrange interpolation. In our scheme, the FN aggregates all AKA requests and, with the assistance of the TCC, establishes session keys for all vehicles by a round of operations. This approach effectively alleviates the operational complexity of the entire system. During the process of generating multiple session keys via Lagrange interpolation, a shared random point is used across the straight lines corresponding to different vehicles at the FN, thereby reducing both computational and communication overheads.

(2) Our scheme incorporates a conditional privacy-preserving mechanism and supports the revocation of malicious vehicles. The storage and computational overhead associated with tracking and revoking malicious vehicles is centralized at TCC, which is beneficial for resource-constrained vehicles.

(3) Our scheme employs cryptographic tools with low computational complexity, further reducing the overall computational overhead.

(4) Security analysis demonstrates that our scheme satisfies the security and privacy requirements of VANETs. Extensive experiments show that compared to existing advanced schemes, our approach achieves superior performance.

The remainder of this paper is organized as follows. Section 2 describes the related works. The preliminaries are presented in Section 3. Following this, the proposed scheme is detailed in Section 4. Subsequently, the security analysis and performance evaluation are presented in Section 5 and Section 6, respectively. Finally, there is the conclusion of the paper.

2. Related Works

To meet the high-security requirements for identity authentication and session key exchange, numerous AKA protocols have been proposed over the past decade.

In early schemes for foundational peer-to-peer communication scenarios, AKA mechanisms often relied on public key infrastructure (PKI). Islam et al. [9] proposed a device-to-device (D2D) AKA protocol based on elliptic curve cryptography (ECC) and self-certified public keys, which simplifies certificate management while achieving lightweight authentication. However, the lack of a complete mutual authentication mechanism makes this scheme vulnerable to typical threats such as replay and blocking attacks. To further simplify key management, Dang et al. [10] introduced a more efficient identity-based AKA protocol for VANETs, using an identity-based key generation model to reduce reliance on certificates. However, Deng et al. [11] pointed out that this scheme fails to ensure forward security in key leakage scenarios and proposed an improved version to enhance robustness under asymmetric attack models.

As privacy protection and practicality demands rise, recent studies have incorporated multi-factor authentication, anonymous authentication, Chebyshev polynomials, and elliptic curve-based lightweight cryptographic primitives into AKA protocols. For instance, Xie et al. [12] proposed a dynamic ID-based anonymous two-factor AKA scheme combining smart cards and dynamic identities, supporting anonymity and password updates. However, Li et al. [13] revealed that the scheme [12] is vulnerable to offline guessing attacks and smart card loss scenarios. Liu et al. [14] proposed a reputation-based conditional privacy-preserving AKA scheme for VANETs, which enhances authentication credibility and supports dynamic trust management. However, it suffers from high computational overhead due to its use of bilinear pairing. Lee et al. [15] introduced an improved two-factor AKA scheme based on extended chaotic maps, constructing a timestamp verification mechanism to resist replay attacks, but the protocol still faces risks of key leakage and temporary data exposure. Jiang et al. [22] proposed a cloud-based three-factor authentication and key agreement protocol (CT-AKA) integrating passwords, biometrics, and smart cards to secure access between cloud systems and vehicles. Dua et al. [16] designed a two-tier AKA scheme based on ECC, where cluster head vehicles are authenticated by a central authority in the first tier, and ordinary vehicles are authenticated by cluster head vehicles in the second tier to achieve efficient V2V communication.

With rising device density and access demands in VANETs, traditional authentication methods struggle with communication latency and key synchronization inefficiencies. To overcome these issues, researchers have designed AKA protocols supporting batch verification and one-to-many authentication. Vijayakumar et al. [17] proposed an efficient batch AKA scheme for 6G-enabled VANETs. However, their scheme requires authentication prior to key agreement and supports only batch authentication rather than batch key agreement. Sun et al. [18] combined certificateless signatures with the Chinese Remainder Theorem to design an AKA protocol with batch processing capabilities, claiming it effectively resists man-in-the-middle, impersonation, and replay attacks. Madandi et al. [19] developed a binary-tree-based AKA protocol to share authentication loads among nodes and enhance structural scalability. It should be noted that while these one-to-many AKA protocols reduce the complexity of operations, they also introduce high-computational operations such as pairing and modular exponentiation, which impose significant computational burdens on resource-constrained VANET environments. As a result, increasing attention has been paid to designing lightweight AKA protocols tailored for VANET environments. Researchers have recognized that vehicle terminals have limited resources, while RSUs, Trusted Authorities (TAs), and FNs possess greater computational and storage capabilities, leading to fog computing-based AKA design models. Wazid et al. [24] proposed a secure AKA protocol for fog computing-based VANET deployments, offering resource-aware advantages. However, some studies pointed out potential vulnerabilities in the scheme [24] under simulated attacks [25]. Ma et al. [26] designed a fog-based AKA scheme proven to provide session key security and protect V2I communication without using bilinear pairings. Wei et al. [20] proposed a symmetric encryption-based conditional privacy-preserving AKA scheme for fog-based VANETs, significantly reducing communication and computational costs. Qiao et al. [21] proposed a lightweight anonymous three-party AKA protocol using Chebyshev chaotic map operations to generate a shared session key while preserving anonymity; however, due to its focus on healthcare IoT, it is not suitable for VANETs. Cui et al. [23] proposed a robust and scalable VANET authentication scheme enabling vehicles to register with a trusted authority (TA) once and subsequently achieve rapid and efficient authentication with cloud service providers. Considering the limited computational and storage capacities of vehicles and drones, Cui et al. [27] further introduced a lightweight and provably secure two-factor AKA scheme based on chaotic maps for UAV-assisted VANETs, featuring fuzzy verifiers and honeywords to resist offline guessing and honeypot attacks. Zhou et al. [28] designed a vehicle-attribute-based AKA scheme supporting multi-user simultaneous authentication, offering formal security under the Canetti–Krawczyk (eCK) model and enabling session key agreement and anonymous identity updates. However, its use of bilinear pairing results in significant computational overhead.

In summary, although existing AKA protocols have made significant progress in enhancing the communication security of VANETs, several key challenges remain. First, many schemes rely on complex cryptographic operations such as bilinear pairings and group signatures, resulting in high computational overhead. However, given the limited computing resources of vehicular terminals, this leads to significant communication delays, making it difficult to meet the stringent low-latency requirements of vehicular applications. Second, many current schemes have large communication overhead, further exacerbating communication delays. Moreover, most protocols do not support batch AKA operations. When a large number of AKA requests occur simultaneously within a localized area and a short time window, the system suffers from high communication complexity and degraded service quality.

Our scheme effectively addresses these issues through the following mechanisms: When a group of vehicles request AKA sessions from the TCC within a predefined time interval, the fog node aggregates these requests and establishes session keys for all vehicles in a single round of operation. This design significantly reduces the system’s operational complexity and improves efficiency under large-scale request scenarios. Additionally, by employing Lagrange interpolation and lightweight cryptographic primitives, the scheme greatly reduces both computational and communication overheads. Furthermore, the proposed scheme supports conditional privacy preservation and incorporates a revocation mechanism for malicious vehicles, thereby enhancing both security and practicality.

3. Preliminaries

In this section, we introduce some basic knowledge, including system model, security and privacy requirements.

3.1. System Model

Our BAKAF scheme is based on the new architecture with FNs, as illustrated in Figure 1. This architecture mainly comprises four entities, i.e., a traffic control center (TCC), fog node (FN), roadside unity (RSU), and vehicle. The functions and features of each entity are as follows.

TCC: The TCC, as a fully trusted entity, is controlled by government agencies. It possesses robust storage capacity and computing power. The TCC is responsible for the registration of FNs, RSUs, and vehicles, broadcasting system parameters, and tracking and revoking malicious vehicles. By leveraging technologies such as artificial intelligence and big data, the TCC can provide data support for services like road navigation, real-time information sharing, public security investigation, traffic improvement, and urban data analysis.

FN: FNs have strong storage and processing capabilities, primarily responsible for collecting and processing data within their domains. They are generally arranged at the edges of the fogs so that the vehicles can handle various tasks nearby, thereby enhancing overall system efficiency and meeting the low-latency requirements of the VANETs. FNs are connected to the TCC and RSUs via wired links for various interactions. They are semi-trusted entities that, on the one hand, faithfully execute protocol commands, and, on the other hand, monitor and collect data from other entities.

RSU: RSUs typically feature small signal coverage areas and limited storage and computing capabilities. In our scheme, we assume that RSUs are only used for collecting and forwarding the information they receive.

Vehicle: Vehicles are equipped with wireless sensing devices and tamper-proof devices (TPDs). They are untrusted entities with weak computing and storage capabilities, making them vulnerable to various attacks. Vehicles collect surrounding information through sensing devices and transmit it to nearby vehicles or RSUs via wireless communication technology.

3.2. Security and Privacy Requirements

Mutual authentication: In order to ensure identity legitimacy of the communication entity during AKA communication, mutual authentication should be performed among vehicles, FNs, and the TCC.

Confidentiality: The session key established through the AKA process can be kept confidential from any other entity except for the participating entities.

Data integrity: If a message is maliciously forged during transmission, the receiver should be capable of detecting the forgery.

Unlinkability: Unlinkability guarantees that no observable connection exists between different messages sent by the same vehicle. This security mechanism effectively prevents any entity from deducing whether two intercepted messages were transmitted by the identical sender.

Conditional privacy preserving: During communication, the vehicle’s real identity remains hidden from all entities except the TCC, which can retrieve any vehicle’s true identity when necessary.

Revocability: Once malicious vehicles are detected, the TCC can prevent them from initiating further AKA sessions.

Forward and backward secrecy: From an adversarial perspective, session keys established across different sessions must be computationally indistinguishable. Knowledge of one session key provides no advantage in deriving another.

Resistance to various attacks: Our scheme must withstand various well-known attacks, such as impersonation attacks and replay attacks.

Remark: The Pseudo-Random Functions and Elliptic Curve Cryptography are detailed in Appendix A.

4. Proposed Scheme

In this section, we will describe our BAKAF scheme in detail, which consists of three phases, namely: the setup phase, registration phase, and authentication and key agreement phase. In the setup phase, the TCC initializes the system and selects public parameters. In the registration phase, all vehicles and fog nodes need to register with the TCC. In the authentication and key agreement phase, within the set time interval, a batch of vehicles simultaneously establishes corresponding session keys with the fog nodes. The important symbols and definitions used in subsequent sections are shown in

Table 1. Definitions of basic symbols.

Symbol	Definition
TCC	Traffic control center
RSU	Roadside unit
$F{N}^f$	The f-th fog node
$V_i$	The i-th vehicle
$\lambda$	Security parameter
$H_i(1\le i\le 7)$	Cryptographic hash functions
$G,q,P$	An additive elliptic curve group G with order q and generator P
$s/P_{pub}$	System master secret key/system public key
$I{D}_i^v/PI{D}_i^v$	Real identity/pseudonym of vehicle $V_i$
$I{D}^f/PI{D}^f$	Real identity/pseudonym of $F{N}^f$
$(x_i^v,y_i^v)$	The point selected by vehicle $V_i$
$(x^f,y^f)$	The point selected by $F{N}^f$
$(x_i^t,y_i^t)$	The point that TCC selects for vehicle $V_i$.
$t_i^v/t^f/t^t$	Timestamps generated by $V_i/F{N}^f/TCC$
$M_i$	Request message generated by vehicle $V_i$
$MA{C}_i$	Message authentication code of vehicle $V_i$
$M_{agg}$	Aggregated data of all vehicles’ request messages
$MA{C}_{agg}$	Aggregated data of all vehicles’ $MAC$
$\alpha ,\beta$	Hash values
$c_i^v/c^f$	The certificate of vehicle $V_i$/fog node $F{N}^f$
$r_i^v/R_i^v$	Random number/random point generated by vehicle $V_i$
$\oplus /\left|\right|$	XOR operation/concatenation of strings
$n_{max}$	Maximum number of AKA requests processed in a single batch
$T_{MW}$	Maximum waiting time for request aggregation
$S_{TCC}$	TCC status identifier
$T^f$	Dynamic window time of $F{N}^f$
${\rho }^f$	Real-time vehicle density

.

4.1. Setup Phase

Given a 128-bit security parameter $\lambda$, the TCC defines $F_p$ as a finite field with a large prime number p as its order. The TCC then generates an elliptic curve E defined by the equation $y^2\equiv x^3+ax+b(modp)$, where $a,b\in F_p$. Subsequently, the TCC defines an additive cyclic elliptic curve group G with order q and generator P, which includes a point at infinity denoted as O. Finally, the TCC selects a random number $s\in Z_q^{*}$ as the system’s master secret key and retains the corresponding system public key $P_{pub}=sP$.

The TCC constructs a revocation list, denoted as $RevList$, which is used to store the real identities of malicious vehicles. Then it chooses seven cryptographic hash functions: $H_1:Z_q^{*}\times {\{0,1\}}^{l_i}\to Z_q^{*}$, $H_2:G\to {\{0,1\}}^{l_i}$, $H_3:Z_q^{*}\times {\{0,1\}}^{l_i}\times Z_q^{*}\times G\to {\{0,1\}}^{l_a}$, $H_4:Z_q^{*}\times {\{0,1\}}^{l_i}\times Z_q^{*}\times Z_q^{*}\times {\{0,1\}}^{*}\to Z_q^{*}$, $H_5:Z_q^{*}\times {\{0,1\}}^{l_i}\times Z_q^{*}\times Z_q^{*}\times Z_q^{*}\to Z_q^{*}$, $H_6:{\{0,1\}}^{*}\to Z_q^{*}$, $H_7:Z_q^{*}\times {\{0,1\}}^{l_i}\times {\{0,1\}}^{l_i}\times Z_q^{*}\times Z_q^{*}\times Z_q^{*}\to Z_q^{*}$, where $l_i$ represents the length of the real identity or pseudonym, and $l_a$ represents the length of the message authentication code.

Initialize a set of global communication parameters, namely: the maximum number of AKA requests processed in a single batch, $n_{max}=30$; the maximum waiting time for request aggregation, $T_{MW}$ (initially set to a fixed value of 500 ms); and the TCC status identifier, $S_{TCC}\in \{“\mathrm{CONGESTED}”,“\mathrm{BUSY}”,“\mathrm{IDLE}”\}$, with status information directly provided by the TCC.

The TCC publishes the system parameters $parmas=\{p,q,a,b,P,P_{pub},H_1,H_2,H_3,H_4,H_5,H_6,H_7\}$ and secretly saves the system’s master secret key s.

4.2. Registration Phase

4.2.1. Registration for Vehicles

Assuming vehicle $V_i$ requests registration, the TCC selects a specific string $I{D}_i^v$ as the vehicle $V_i$’s real identity, calculates the certificate $c_i^v=H_1(s,I{D}_i^v)$, and sends $(I{D}_i^v,c_i^v)$ to vehicle $V_i$ through a secure channel.

4.2.2. Registration for Fog Node

Assuming fog node $F{N}^f$ requests registration, the TCC selects a specific string $I{D}^f$ as the fog node $F{N}^f$’s real identity, calculates the certificate $c^f=H_1(s,I{D}^f)$, and sends $(I{D}^f,c^f)$ to fog node $F{N}^f$ through a secure channel.

Define the following global communication parameters for fog node $F{N}^f$: the dynamic window time $T^f$, initialized to $T_0=300\mathrm{ms}$ and adjustable during operation; and the real-time vehicle density ${\rho }^f$, monitored and updated by $F{N}^f$.

The certificate $c_i^v$ (or $c^f$) is owned exclusively by the vehicle $V_i$ (or fog node $F{N}^f$) itself and the TCC, and will play a vital role in both authentication and message integrity assurance.

4.3. Authentication and Key Agreement Phase

Assume that there are n vehicles requesting key agreement with the fog node $F{N}^f$ in a short period of time. For the convenience of explanation, we will take vehicle $V_i$ as an example to elaborate.

4.3.1. Vehicle Requests to Generate a Session Key

Vehicle $V_i$ selects a random number $r_i^v\in Z_q^{*}$ and computes $R_i^v=r_i^{v}P$ to obtain a random point on the group G.

Vehicle $V_i$ retains its pseudonym $PI{D}_i^v=I{D}_i^v\oplus H_2\left(r_i^v{P}_{pub}\right)$. (The vehicle uses a different pseudonym each time it sends the requested information, helping to ensure conditional privacy preserving.)

The vehicle generates the message authentication code $MA{C}_i=H_3(c_i^v,PI{D}_i^v,t_i^v,R_i^v)$, where $t_i^v$ is the timestamp, and sets message ${\left(M_V^{FN}\right)}_i=\{M_i=\{PI{D}_i^v,t_i^v,R_i^v\},MA{C}_i\}$.

Finally, vehicle $V_i$ sends the message ${\left(M_V^{FN}\right)}_i$ to fog node $F{N}^f$. It notes that the subscript V denotes that the sender of the message is a vehicle, while the superscript $FN$ denotes that the receiver of the message is a FN, and the superscripts and subscripts of some symbols below have similar meanings.

4.3.2. FN Aggregates the Request Data from Each Vehicle

(1)

Decision on Initiating the Aggregation Process

Before aggregating requests, $F{N}^f$ first obtains the current status $S_{TCC}$ of the TCC and executes the corresponding strategy:

(a)

TCC congestion ($S_{\mathrm{TCC}}=\mathrm{CONGESTED}$): $F{N}^f$ suspends the aggregation process and resumes only upon receiving a “congestion relief” signal from the TCC.

(b)

TCC busy ($S_{\mathrm{TCC}}=\mathrm{BUSY}$): $F{N}^f$ immediately delays the aggregation process and continues collecting AKA requests until the maximum waiting time $T_{\mathrm{MW}}$ is reached.

(c)

TCC idle ($S_{\mathrm{TCC}}=\mathrm{IDLE}$): $F{N}^f$ dynamically adjusts the window duration $T^f$ based on the vehicle density ${\rho }^f$, with the following rules:

• High density (${\rho }^f\ge {\rho }_{\mathrm{high}}$, where ${\rho }_{\mathrm{high}}$ denotes the high-density threshold): If the number of accumulated AKA requests reaches $n_{\max }=30$, the aggregation process is immediately triggered, even if the dynamic window time $T^f$ has not expired. In this case, the window duration for the next batch is reset to the standard value $T_0$.
• Low density (${\rho }^f<{\rho }_{\mathrm{low}}$, where ${\rho }_{\mathrm{low}}$ denotes the low-density threshold): If the dynamic window time $T^f$ expires and fewer than $n_{\max }$ requests have been collected, the aggregation process is immediately initiated, and the window duration for the next batch is updated to $T^f=max(0.85\times T^f,T_{\min })$, where $T_{\min }=100\mathrm{ms}$ is the minimum allowable window duration.
• Medium density (${\rho }_{\mathrm{low}}\le {\rho }^f<{\rho }_{\mathrm{high}}$): The aggregation process is triggered immediately when either the timeout $T^f$ expires or the number of requests reaches $n_{max}$. The window duration for the next batch remains unchanged.

(2)

Aggregation Process

Upon receiving key agreement request information ${\{M_i,MA{C}_i\}}_{i=1}^n$ from n vehicles within the predetermined time interval, $F{N}^f$ initializes $MA{C}_{agg}$ (a binary string of length $|MA{C}_i|$, all bits are set to 0) and $M_{agg}$ (an empty string) for storing the aggregated $MAC$ and message, respectively.

For each vehicle’s information $M_i$, check whether the inequality $|t_{cur}-t_i^v|<T_{max}$ holds, where $t_{cur}$ and $T_{max}$ denote the current timestamp and max valid time interval, respectively. If not, discard the information. Otherwise, proceed to calculate $MA{C}_{agg}=MA{C}_{agg}\oplus MA{C}_i$ and $M_{agg}=M_{agg}\left|\right|M_i$. In this way, the information from all vehicles is aggregated into the variables $M_{agg}$ and $MA{C}_{agg}$.

$F{N}^f$ selects a random number $x^f\in Z_q^{*}$, such that $x^f\notin \{{\left(R_1^v\right)}_X,{\left(R_2^v\right)}_X,\dots ,{\left(R_n^v\right)}_X\}$, where ${\left(R_i^v\right)}_X$ represents the x coordinate of the point $R_i^v$ on the elliptic curve E. It calculates the verification message ${\beta }^f=H_4(c^f,I{D}^f,t^f,x^f,M_{agg},MA{C}_{agg})$, where $t^f$ is the timestamp of $F{N}^f$. Then, $F{N}^f$ sends the message $M_{FN}^{TCC}=\{I{D}^f,t^f,x^f,M_{agg},MA{C}_{agg},{\beta }^f\}$ to the TCC.

The operations of the FN and their logical relationships in this section are shown in Algorithm 1.

Algorithm 1 Aggregation

1: Initialize $MA{C}_{agg}$, $M_{agg}$; 2: for  $i=1,2,\dots ,n$do 3:     if $|t_{\mathrm{cur}}-t_i^v|<T_{\max }$ then 4:         $MA{C}_{agg}=MA{C}_{agg}\oplus MA{C}_i$ 5:         $M_{agg}=M_{agg}\left|\right|M_i$ 6:     end if 7: end for 8: Choose $x_f\in {\mathbb{Z}}_q^{*}$ 9: Compute ${\beta }_f=H_4(c^f,I{D}^f,t^f,x^f,M_{agg},MA{C}_{agg})$

4.3.3. TCC Authenticates and Processes the FN’s Requests

Upon receiving the batch key agreement request message $M_{FN}^{TCC}$ from $F{N}^f$, the TCC first checks whether the inequality $|t_{cur}-t_f|<T_{max}$ holds, where $t_{cur}$ denotes the current time and $T_{max}$ denotes the maximum allowable message lifetime. If this condition is not satisfied, the AKA process is terminated; the TCC then sets the response message $M_{TCC}^{FN}=\left\{T\right\}$ and sends it back to $F{N}^f$.

Next, the TCC calculates ${\left(c^f\right)}^{\prime }=H_1(s,I{D}^f)$ and ${\left({\beta }^f\right)}^{\prime }=H_4({\left(c^f\right)}^{\prime },I{D}^f,t^f,x^f,M_{agg},MA{C}_{agg})$, and checks whether the equation ${\left({\beta }^f\right)}^{\prime }\stackrel{?}{=}{\beta }^f$ holds. If it holds, two conclusions can be drawn: the identity legality of $I{D}^f$ has been validated by the TCC, and the integrity of $M_{FN}^{TCC}$ can be guaranteed. Otherwise, the entire AKA process will be terminated, and the TCC then sets the response message $M_{TCC}^{FN}=\{\perp \}$ and sends it back to $F{N}^f$.

Next, the TCC initializes an auxiliary variable $MA{C}_{agg}^{\prime }$, which is a binary string with length equal to $|MA{C}_i|$ and each bit of which is 0, and $MA{C}_{agg}^{\prime }$ is used to re-record the message authentication code of legitimate vehicles. Then, the TCC performs the following procedures for each vehicle $V_i$ to verify its identity legitimacy and information integrity.

• It retrieves the i-th tuple $(PI{D}_i^v,t_i^v,R_i^v)$ from $M_{agg}$ and obtains the real identity of $V_i$ by computing $I{D}_i^v=PI{D}_i^v\oplus H_2\left(s{R}_i^v\right)$.
• It calculates the vehicle $V_i$’s certificate ${\left(c_i^v\right)}^{\prime }=H_1(s,I{D}_i^v)$.
• It calculates $MA{C}_i^{\prime }=H_3({\left(c_i^v\right)}^{\prime },PI{D}_i^v,t_i^v,R_i^v)$, and verifies whether vehicle $V_i$ is revoked by checking if its real identity $I{D}_i^v$ exists in the revocation list $RevList$.

  –

  If it is not revoked, it indicates that the vehicle is legal, then calculates $MA{C}_{agg}^{\prime }=MA{C}_{agg}^{\prime }\oplus MA{C}_i^{\prime }$.

  –

  If it is revoked, it calculates $MA{C}_{agg}=MA{C}_{agg}\oplus MA{C}_i^{\prime }$, where the message authentication code $MA{C}_i$ of the illegal vehicle $V_i$ is removed from $MA{C}_{agg}$; at the same time, the message $M_i$ of the illegal vehicle $V_i$ should be removed from $M_{agg}$.

The TCC checks whether the equation $MA{C}_{\mathrm{agg}}\stackrel{?}{=}MA{C}_{agg}^{\prime }$ holds. If it does not hold, it indicates that the messages from some legitimate vehicles have been tampered with, and the entire AKA process is terminated; the TCC then sets the response message $M_{TCC}^{FN}=\{\times \}$ and sends it back to $F{N}^f$. Otherwise, it confirms that the information from all legitimate vehicles remains intact, and the TCC proceeds with the following steps.

The TCC computes $y^f=PRF(H_1({\left(c^f\right)}^{\prime },t^t),x^f)$, where $t^t$ is the timestamp of $TCC$. Then, based on the message $\{PI{D}_i^v,t_i^v,R_i^v,I{D}_i^v\}$ of each legitimate vehicle $V_i$, the TCC performs the following procedures.

• The TCC sets $x_i^v={\left(R_i^v\right)}_X$, and $y_i^v=PRF(H_1({\left(c_i^v\right)}^{\prime },t^t),x_i^v)$.
• Using the Lagrange interpolation formula, the TCC can obtain the equation $f_i\left(x\right)=y_i^v(x-x^f){(x_i^v-x^f)}^{-1}+y^f(x-x_i^v){(x^f-x_i^v)}^{-1}$ of a straight line passing through points $(x_i^v,y_i^v)$ and $(x^f,y^f)$. These straight lines corresponding to all legitimate vehicles pass through a common point $(x^f,y^f)$, which can significantly reduce the computational and communication overheads.
• The TCC selects a random number $x_i^t\in Z_q^{*}$ for vehicle $I{D}_i^v$, such that $x_i^t\notin \{x_i^v,x^f\}$, then substitutes $x_i^t$ into the straight line equation $f_i\left(x\right)$ to compute the corresponding y coordinate, i.e., it evaluates $y_i^t=f_i\left(x_i^t\right)$. Therefore, in addition to the points $(x_i^v,y_i^v)$ and $(x^f,y^f)$, the TCC has now obtained the third point $(x_i^t,y_i^t)$ on the straight line $f_i\left(x\right)$.
• The TCC obtains the verification message by computing ${\delta }_i^t=H_5({\left(c_i^v\right)}^{\prime },I{D}^f,x_i^t,y_i^t,t^t)$.

Upon completing the above operations for each vehicle, the TCC computes ${\gamma }^t=H_6({\left(c^f\right)}^{\prime },{\{PI{D}_i^v,x_i^t,y_i^t\}}_{i=1}^l,t^t)$, where l represents the number of legitimate vehicles, sets message $M_{TCC}^{FN}=\{{\{PI{D}_i^v,x_i^t,y_i^t,{\delta }_i^t\}}_{i=1}^l,t^t,{\gamma }^t\}$, and transmits the $M_{TCC}^{FN}$ to the fog node $F{N}^f$. Since the information of illegitimate vehicles has been deleted by the TCC, the pseudonyms of legitimate vehicles need to be returned to the fog node $F{N}^f$.

The operations of the TCC and their logical relationships in this section are shown in Algorithm 2.

Algorithm 2 TCC Process

1: if  $|t_{cur}-t^f|>T_{max}$  then 2:     Terminate entire AKA process; 3: end if 4: ${\left(c^f\right)}^{\prime }=H_1(s,I{D}^f)$; 5: ${\left({\beta }^f\right)}^{\prime }=H_4({\left(c^f\right)}^{\prime },I{D}^f,t^f,x^f,M_{agg},MA{C}_{agg})$; 6: if  ${\left({\beta }^f\right)}^{\prime }\ne {\beta }^f$  then 7:     Terminate entire AKA process; 8: end if 9: Initialize $MA{C}_{agg}$; 10: for  $i=1,2,...,n$  do 11:     Retrieve $(PI{D}_i^v,t_i^v,R_i^v)$ from $M_{agg}$; 12:     $I{D}_i^v=PI{D}_i^v\oplus H_2\left(s{R}_i^v\right)$; ${\left(c_i^v\right)}^{\prime }=H_1(s,I{D}_i^v)$; 13:     if $I{D}_i^v$ exist in $RevList$ then 14:         $MA{C}_{agg}=MA{C}_{agg}\oplus H_3({\left(c_i^v\right)}^{\prime },PI{D}_i^v,t_i^v,R_i^v)$; 15:         Remove $M_i$ from $M_{agg}$; 16:     else 17:         $MA{C}_{agg}^{\prime }=MA{C}_{agg}^{\prime }\oplus H_3({\left(c_i^v\right)}^{\prime },PI{D}_i^v,t_i^v,R_i^v)$; 18:     end if 19: end for 20: if  $MA{C}_{agg}\ne MA{C}_{agg}^{\prime }$  then 21:     Terminate entire AKA process; 22: end if 23: $y^f=PRF(H_1({\left(c^f\right)}^{\prime },t^t),x^f)$; 24: for  $i=1,2,...,l$  do 25:     $x_i^v={\left(R_i^v\right)}_X$; $y_i^v=PRF(H_1({\left(c_i^v\right)}^{\prime },t^t),x_i^v)$; 26:     $f_i\left(x\right)=y_i^v(x-x^f){(x_i^v-x^f)}^{-1}+y^f(x-x_i^v){(x^f-x_i^v)}^{-1}$; 27:     Select $x_i^t\in {\mathbb{Z}}_q^{*}$ such that $x_i^t\notin \{x_i^v,x^f\}$; 28:     $y_i^t=f_i\left(x_i^t\right)$; 29:     ${\delta }_i^t=H_5({\left(c_i^v\right)}^{\prime },I{D}^f,x_i^t,y_i^t,t^t)$; 30: end for 31: ${\gamma }_t=H_6({\left(c_f\right)}^{\prime },{\{PI{D}_i^v,x_i^t,y_i^t\}}_{i=1}^l,t^t)$;

4.3.4. FN Generates Session Keys

Upon receiving message $M_{TCC}^{FN}$, fog node $F{N}^f$ checks whether $t^t$ is valid. If not, the entire AKA process is terminated. Then recall the aggregation algorithm in Section 4.3.2. If it is, the following process continues.

Check the type of message and take the corresponding measures. (1) If $M_{TCC}^{FN}=T$, it indicates that the entire message transmitted from the FN to the TCC has timed out. In this case, recall the aggregation algorithm in Section 4.3.2. (2) If $M_{TCC}^{FN}=\perp$, it indicates that there is tampering in the message transmitted from the FN to the TCC. Reuse the originally calculated $M_{agg}$ and $MA{C}_{agg}$, and recall the aggregation algorithm in Section 4.3.2. (3) If $M_{TCC}^{FN}=\times$, it indicates that the signatures of some vehicles are invalid or the information transmitted from the vehicle to the FN has been tampered with. Notify all vehicles to retransmit the AKA request. (4) Perform the following operations in other cases.

$F{N}^f$ computes ${\left({\gamma }^t\right)}^{\prime }=H_6(c^f,{\{PI{D}_i^v,x_i^t,y_i^t\}}_{i=1}^l,t^t)$ and checks whether the equation ${\gamma }^t\stackrel{?}{=}{\left({\gamma }^t\right)}^{\prime }$ holds. If it holds, it indicates that the legality of the vehicles ${\left\{V_i\right\}}_{i=1}^l$ and the integrity of $M_{TCC}^{FN}$ and $M_V^{FN}$ are guaranteed. Then, $F{N}^f$ performs the following steps.

• The fog node $F{N}^f$ sends the messages ${\left\{M_{FN}^V\right\}}_{i=1}^l={\{PI{D}_i^v,x_i^t,y_i^t,t^t,{\delta }_i^t\}}_{i=1}^l$ to the corresponding vehicles ${\left\{V_i\right\}}_{i=1}^l$, respectively.
• It computes $y^f=PRF(H_1(c^f,t^t),x^f)$, and performs the following operations for each legal vehicle.

  –

  It substitutes $x=0$ into the straight line equation $f_i\left(x\right)$ to obtain the y coordinate of the intersection point between the line $f_i\left(x\right)$ and the Y-axis: $f_i\left(0\right)=-x^f{y}_i^t{(x_i^t-x^f)}^{-1}-x_i^t{y}^f{(x^f-x_i^t)}^{-1}$. The line $f_i\left(x\right)$ passes through points $(x_i^t,y_i^t)$ and $(x^f,y^f)$, where point $(x^f,y^f)$ is set by fog node $F{N}^f$ and point $(x_i^t,y_i^t)$ is set by the TCC.

  Note: It is unnecessary to first solve the explicit expression of the linear equation here.

  –

  It obtains the session key between the vehicle $V_i$ and the fog node $F{N}^f$ by computing $S{K}_i=H_7(f_i\left(0\right),PI{D}_i^v,I{D}^f,t^t)$.

  –

  Fog node $F{N}^f$ stores the session key $S{K}_i$.

The operations of the FN and their logical relationships in this section are shown in Algorithm 3.

Algorithm 3 FN Generates session keys

1: if  $|t_{cur}-t^t|>T_{max}$  then 2:     Terminate the entire AKA process; 3: end if 4: ${\left({\gamma }^t\right)}^{\prime }=H_6(c^f,{\{PI{D}_i^v,x_i^t,y_i^t\}}_{i=1}^l,t^t)$; 5: if  ${\gamma }^t\ne {\left({\gamma }^t\right)}^{\prime }$  then 6:     Terminate the entire AKA process; 7: end if 8: $y^f=PRF(H_1(c^f,t^t),x^f)$; 9: for  $i=1,2,...,l$  do 10:     $f_i\left(0\right)=-x^f{y}_i^t{(x_i^t-x^f)}^{-1}-x_i^t{y}^f{(x^f-x_i^t)}^{-1}$; 11:     $S{K}_i=H_7(f_i\left(0\right),PI{D}_i^v,I{D}^f,t^t)$; 12: end for

4.3.5. Vehicle Generates Session Key

After receiving message ${\left(M_{FN}^V\right)}_i$, vehicle $I{D}_i^v$ checks whether $t^t$ is valid. If not, the entire AKA process is terminated. If it is, the following processes continue.

The vehicle computes ${\left({\delta }_i^t\right)}^{\prime }=H_5(c_i^v,I{D}^f,x_i^t,y_i^t,t^t)$ and checks whether the equation ${\left({\delta }_i^t\right)}^{\prime }\stackrel{?}{=}{\delta }_i^t$ holds. If it holds, it indicates that the legality of the vehicles $V_i$ and the integrity of $M_{TCC}^{FN}$ and $M_V^{FN}$ are guaranteed. Then, $F{N}^f$ performs the following steps.

• It sets $x_i^v={\left(R_i^v\right)}_X$, and computes $y_i^v=PRF(H_1(c_i^v,t^t),x_i^v)$.
• It substitutes $x=0$ into the linear equation $f_i\left(x\right)$ to obtain the y coordinate of the intersection point between the line $f_i\left(x\right)$ and the Y-axis: $f_i\left(0\right)=-x_i^v{y}_i^t{(x_i^t-x_i^v)}^{-1}-x_i^t{y}_i^v{(x_i^v-x_i^t)}^{-1}$. The line $f_i\left(x\right)$ passes through points $(x_i^t,y_i^t)$ and $(x_i^v,y_i^v)$, where point $(x_i^v,y_i^v)$ is set by vehicle $V_i$ and point $(x_i^t,y_i^t)$ is set by the TCC.
  Note: For a specific vehicle $V_i$, the three points $(x_i^t,y_i^t)$, $(x_i^v,y_i^v)$, and $(x^f,y^f)$ lie on the same straight line. Therefore, the line determined by any two of these points is identical, denoted as $f_i\left(x\right)$.
• It obtains the session key between the vehicle $V_i$ and the fog node $F{N}^f$ by computing $S{K}_i=H_7(f_i\left(0\right),PI{D}_i^v,I{D}^f,t^t)$.
• Vehicle $I{D}_i^v$ stores the session key $S{K}_i$.

Remark 1.

Within a fixed time interval, if n vehicles request AKA sessions with the same FN, the FN aggregates all AKA session requests, and the system then performs batch AKA processing. This approach offers at least three advantages: (1) it reduces the overall system complexity; (2) it lowers the communication overhead between the FN and the TCC; and (3) it decreases the computational overhead for both the FN and the TCC.

Remark 2.

On the TCC side, even if some vehicles are found to be illegal, the remaining legal vehicles can still perform the batch AKA process, which greatly enhances the flexibility of batch AKA.

5. Security Analysis

In this section, we will analyze the security performance of our scheme from both informal and formal aspects.

5.1. Informal Security Analysis

Mutual authentication: Our scheme comprises four phases of information transmission, all employing identical authentication mechanisms. We illustrate this using the TCC-to-FN message transmission as an example. The TCC first computes ${\gamma }^t=H_6({\left(c^f\right)}^{\prime },{\{PI{D}_i^v,x_i^t,y_i^t\}}_{i=1}^l,t^t)$, where ${\left(c^f\right)}^{\prime }=H_1(s,I{D}^f)$ is the certificate of $F{N}^f$. Subsequently, the TCC transmits the message $M_{TCC}^{FN}=\{{\{PI{D}_i^v,x_i^t,y_i^t,{\delta }_i^t\}}_{i=1}^l,t^t,{\gamma }^t\}$ to $F{N}^f$. Upon receiving message $M_{TCC}^{FN}$, $F{N}^f$ computes ${\left({\gamma }^t\right)}^{\prime }=H_6(c^f,{\{PI{D}_i^v,x_i^t,y_i^t\}}_{i=1}^l,t^t)$ and checks whether the equation ${\gamma }^t\stackrel{?}{=}{\left({\gamma }^t\right)}^{\prime }$ holds. If the equation holds, it confirms that the message must originate from the TCC, since only $F{N}^f$ and the TCC possess the certificate $c^f$. Therefore, the authenticity is guaranteed.

Confidentiality: In our scheme, the method for calculating the session key is $S{K}_i=H_7(f_i\left(0\right),PI{D}_i^v,I{D}^f,t^t)$. To obtain the session key between vehicle $V_i$ and $F{N}_j$, we first need to obtain $f_i\left(0\right)$, which represents the y coordinate of the line $f_i\left(x\right)$ at $x=0$. At least two points are required to determine a straight line. Even if a malicious entity intercepts a point on the straight line transmitted from the TCC, since it cannot obtain the certificates of the vehicle $V_i$ or the FN $F{N}_j$, it cannot obtain the other point on the required straight line. Consequently, it cannot construct the linear equation and calculate $f_i\left(0\right)$. Therefore, the session key between vehicle $V_i$ and $F{N}_j$ remains confidential to any malicious entity.

Data integrity: Our scheme comprises four phases of information transmission, all employing identical message integrity protection mechanisms. We illustrate this using the FN-to-TCC message transmission as an example. $F{N}^f$ first sends the message $M_{FN}^{TCC}=\{I{D}^f,t^f,x^f,M_{agg},MA{C}_{agg},{\beta }^f\}$ to the TCC, where ${\beta }^f=H_4(c^f,I{D}^f,t^f,x^f,M_{agg},MA{C}_{agg})$, and $c^f=H_1(s,I{D}^f)$ is the certificate of $F{N}^f$, which is owned exclusively by the fog node $F{N}^f$ itself and the TCC. If any field in $M_{FN}^{TCC}$ is tampered with (e.g., $t^f$ altered to $t_{*}^f$), the malicious attacker must recompute the verification value ${\beta }^f$. Without $F{N}^f$’s certificate, the attacker can only arbitrarily choose $c_{*}^f$, yielding: ${\beta }^f=H_4(c_{*}^f,I{D}^f,t_{*}^f,x^f,M_{agg},MA{C}_{agg})$.

Upon receiving the message $M_{FN}^{TCC}$ from $F{N}^f$, the TCC first recalculates certificate ${\left(c^f\right)}^{\prime }=H_1(s,I{D}^f)$ and verification value ${\left({\beta }^f\right)}^{\prime }=H_4({\left(c^f\right)}^{\prime },I{D}^f,t_{*}^f,x^f,M_{agg},MA{C}_{agg})$. Then, it checks whether the equation ${\left({\beta }^f\right)}^{\prime }\stackrel{?}{=}{\beta }^f$ holds. Because ${\left(c^f\right)}^{\prime }$ is not equal to $c_{*}^f$, the verification equation will not hold. In this way, the integrity of $M_{FN}^{TCC}$ can be guaranteed.

Unlinkability: For each AKA session request, the vehicle generates a fresh pseudonym, timestamp, and random ECC point, where neither the timestamp nor the ECC point correlate with the vehicle’s identity or pseudonym, and no other entity except the TCC and the vehicle itself can track the true identity through the pseudonym. Therefore, this mechanism effectively prevents any malicious entity from deducing whether two intercepted messages were transmitted by the identical sender.

Conditional privacy preserving: Prior to initiating an AKA session, vehicle $V_i$ generates a pseudonym $PI{D}_i^v=I{D}_i^v\oplus H_2\left(r_i^v{P}_{pub}\right)$, then uses $PI{D}_i^v$ for all subsequent communications. Once the message is disputed, the TCC can recover the real identity via $I{D}_i^v=PI{D}_i^v\oplus H_2\left(s{R}_i^v\right)$, where s is the master secret key and $R_i^v$ is a random ECC point.

To derive the real identity from $PI{D}_i^v$, any entity must calculate either $I{D}_i^v=PI{D}_i^v\oplus H_2\left(s{R}_i^v\right)$ or $I{D}_i^v=PI{D}_i^v\oplus H_2\left(r_i^v{P}_{pub}\right)$; s is the system’s master private key, owned only by the TCC, while $r_i^v$ is a random number, owned only by the vehicle $V_i$. Solving for $r_i^v$ from $R_i^v$ or s from $P_{pub}$ requires solving the difficult ECDL problem. Therefore, except for the TCC, no other entities can obtain the real identity.

Revocability: The TCC maintains a revocation list $RevList$. Upon detection of a malicious vehicle $V_i$, its real identity $I{D}_i^v$ is added to $RevList$. If $V_i$ attempts to initiate subsequent AKA sessions, the TCC will detect that its real identity $I{D}_i^v$ is already in the revocation list $RevList$ and terminate the AKA procedure. All revocation operations are concentrated on the TCC, which has abundant computing and storage resources, making it relatively friendly for vehicle terminals with limited resources.

Forward and backward secrecy: In our scheme, the session key is computed as $S{K}_i=H_7(f_i\left(0\right),PI{D}_i^v,I{D}^f,t^t)$, where $f_i\left(0\right)$ depends on two fresh random nonces; $PI{D}_i^v$ is a randomly generated ECC point. The single use and randomness of these parameters ensure no correlation between session keys $S{K}_i$ across different sessions, thus guaranteeing both forward and backward secrecy.

Resistance to impersonation attack: In our scheme, any passed message contains a verification value, which is bound to the certificate of the entity (vehicle or FN) through a hash function. Since these certificates are exclusively held by the TCC and the originating entity itself, no other party can forge valid verification values. Consequently, any impersonation attempt by malicious attackers will be detected during the recipient’s verification process.

Resistance to replay attack: In our scheme, each transmitted message incorporates a timestamp. For instance, during the FN-to-TCC message transmission, $F{N}^f$ sends the message $M_{FN}^{TCC}=\{I{D}^f,t^f,x^f,M_{agg},MA{C}_{agg},{\beta }^f\}$ to the TCC, where $t^f$ denotes the timestamp. As demonstrated in the “Data integrity” section, the timestamp $t^f$ is immutable. Upon receiving the message $M_{FN}^{TCC}$, the TCC verifies its freshness by checking whether the inequality $|t_c-t^f|<\Delta T$ holds, where $t_c$ represents the current time. If not, the TCC treats the message as expired. Therefore, this timestamp validation mechanism, combined with the immutability guarantee, ensures that our scheme can effectively defend against a replay attack.

5.2. Formal Security Proof

In this section, we formally prove that our scheme satisfies session key security under the Real-Or-Random (ROR) model [29].

5.2.1. Security Model

We first establish a security model to define the adversaries’ capabilities and the interaction rules between the challenger and the adversaries, and the model includes the following definitions:

Participants: Let ${\Pi }_V^i$, ${\Pi }_{FN}^f$, and ${\Pi }_{TCC}^t$ denote the i-th instance of a vehicle, the f-th instance of an FN, and the t-th instance of a TCC, respectively. The concrete instance of these participants can also be represented as ${\Pi }_{\Lambda }^{\chi }$, where $\Lambda$ indicates the instance type and $\chi$ represents the index. Notably, RSUs are excluded from being considered as participating entities, as they merely function as conventional base stations for message forwarding.

Partnering: Two participants are considered as partners if they (a) belong to the same session, (b) successfully exchange messages in sequence, and (c) want to mutually authenticate each other.

Freshness: If the adversary $\mathcal{A}$ does not obtain the session key shared among ${\Pi }_V^i$, ${\Pi }_{FN}^f$, and ${\Pi }_{TCC}^t$, then these instances are considered fresh.

Adversary: The adversary $\mathcal{A}$ can participate in interactions of ${\Pi }_V^i$, ${\Pi }_{FN}^f$, and ${\Pi }_{TCC}^t$ by adopting the following oracle queries.

• $Execute({\Pi }_V^i,{\Pi }_{FN}^f,{\Pi }_{TCC}^t)$: This query simulates the passive adversary $\mathcal{A}$ to intercept messages exchanged among ${\Pi }_V^i$, ${\Pi }_{FN}^f$, and ${\Pi }_{TCC}^t$.
• $Send({\Pi }_{\Lambda }^{\chi },m)$: The query models an active adversary $\mathcal{A}$ sending message m to ${\Pi }_V^i$, ${\Pi }_{FN}^f$, and ${\Pi }_{TCC}^t$. Upon receiving this query, these instances return corresponding response messages to $\mathcal{A}$.
• $Test\left({\Pi }_{\Lambda }^{\chi }\right)$: When challenger $\mathcal{C}$ receives this query from adversary $\mathcal{A}$, it randomly selects a bit $b\in \{0,1\}$; if $b=1$, $\mathcal{C}$ sends the real session key of ${\Pi }_{\Lambda }^{\chi }$ to $\mathcal{A}$; if $b=0$, $\mathcal{C}$ sends a random key of the same length as the session key to the $\mathcal{A}$. If the session key of ${\Pi }_{\Lambda }^{\chi }$ is undefined, or if a $\mathsf{Test}$ query has been made to ${\Pi }_{\Lambda }^{\chi }$ or its partners, $\mathcal{A}$ receives ⊥ as an invalid value.

Semantic security: Adversary $\mathcal{A}$ first performs a $Test\left({\Pi }_{\Lambda }^{\chi }\right)$ query, and guesses the random value of b in the $Test\left({\Pi }_{\Lambda }^{\chi }\right)$ query, denoted as $b^{\prime }$; if $b^{\prime }=b$, $\mathcal{A}$ wins. We define our BAKAF scheme as $\mathcal{P}$, and the advantage of $\mathcal{A}$ to break the $\mathcal{P}$’s semantic security based on the ROR model within PPT as $Ad{v}_{\mathcal{A}}^{\mathcal{P}}=|2Pr[b^{\prime }=b]-1|$, where $Pr\left[E\right]$ denotes the probability that the event E occurs; if $Ad{v}_{\mathcal{A}}^{\mathcal{P}}$ is negligible, our scheme is regarded as secure under the ROR model.

5.2.2. Security Proof

In this subsection, we prove that our BAKAF scheme satisfies the semantic security of the session key.

 Theorem 1. 

Let $N_i(i=1,2,\dots ,7)$, $|has{h}_i|(i=1,2,\dots ,7)$, $N_s$, $N_e$, $N_t$, and $Ad{v}_{\mathcal{A}}^{PRF}$ represent the maximum number of hash $H_i$($i=1,2,\dots ,7$) queries, the space range of hash function $H_i$($i=1,2,\dots ,7$), the number of $\mathsf{Send}$ oracle queries, the number of $\mathsf{Execute}$ oracle queries, the number of $\mathsf{Test}$ oracle queries, and the advantage of adversary $\mathcal{A}$ in breaking the PRF, respectively. Thus, the advantage $Ad{v}_{\mathcal{A}}^{\mathcal{P}}$ of adversary $\mathcal{A}$ in breaking the semantic security of the session keys in our BAKAF scheme within PPT, can be calculated as follows:

$$Ad{v}_{\mathcal{A}}^{\mathcal{P}}\le {\displaystyle \frac{N_s+N_e}{q}}+\sum _{i=1}^7{\displaystyle \frac{N_i^2}{|has{h}_i|}}+2Ad{v}_{\mathcal{A}}^{PRF}$$

(1)

Proof. 

Similar to [30,31], to prove Theorem 1, we construct a sequence of games ${\mathsf{Game}}_i$ ($i=0,1,2,3$). These games involve interactions between adversary $\mathcal{A}$ and challenger $\mathcal{C}$. We define ${\mathsf{succ}}_i$ as the event that adversary $\mathcal{A}$ wins in ${\mathsf{Game}}_i$.

$Gam{e}_0$: This game serves as the starting point of the entire proof process. It simulates a realistic environment in which adversary $\mathcal{A}$ launches actual attacks. A random number b is predetermined before the game begins. Based on the semantic security of the session key, we have

$$Ad{v}_{\mathcal{A}}^{\mathcal{P}}=2|Pr\left[suc{c}_0\right]-1/2|$$

(2)

$Gam{e}_1$: In this game, the adversary $\mathcal{A}$ is permitted to eavesdrop on communications among parties ${\Pi }_V^i$, ${\Pi }_{FN}^f$, and ${\Pi }_{TCC}^t$ by executing the Execute operation. Subsequently, $\mathcal{A}$ performs the Test operation to distinguish the real session key $S{K}_i$ from a random value. And this is because of $S{K}_i=H_7(f_i\left(0\right),PI{D}_i^v,I{D}^f,t^t)$, where $f_i\left(0\right)=-x_i^v{y}_i^t{(x_i^t-x_i^v)}^{-1}-x_i^t{y}_i^v{(x_i^v-x_i^t)}^{-1}$. Since determining the equation of a straight line requires at least two distinct points on the line, but $\mathcal{A}$ can obtain at most one point, the actual session key cannot be computed. Consequently, the probability of $\mathcal{A}$ winning ${\mathsf{Game}}_1$ is identical to that of winning ${\mathsf{Game}}_0$, as shown below:

$$Pr\left[suc{c}_1\right]=Pr\left[suc{c}_0\right]$$

(3)

$Gam{e}_2$: Based on $Gam{e}_1$, the adversary $\mathcal{A}$ can perform Send and hash oracle queries. In this game, $\mathcal{A}$ launches spoofing attacks by forging and sending malicious requests to ${\Pi }_V^i$, ${\Pi }_{FN}^f$, and ${\Pi }_{TCC}^t$. Our scheme allows $\mathcal{A}$ to modify messages $M_V^{FN}$, $M_{FN}^{TCC}$, $M_{TCC}^{FN}$, and $M_{FN}^V$, but these messages contain random elements ($r_i^v$, $x^f$, $x_i^t$) and independent timestamps ($t_i^v$, $t^f$, $t^t$). Hence, $\mathcal{A}$ must execute $\mathsf{Send}$ queries without causing collisions. By the birthday paradox, we derive the following probability bound:

$$|Pr\left[suc{c}_2\right]-Pr\left[suc{c}_1\right]|\le {\displaystyle \frac{N_s+N_e}{2q}}+\sum _{i=1}^7{\displaystyle \frac{N_i^2}{2|has{h}_i|}}$$

(4)

$Gam{e}_3$: In this game, the $\mathsf{Send}({\Pi }_{\mathsf{TCC}}^t,M_{FN}^{TCC})$ oracle is slightly modified compared to $Gam{e}_2$. Specifically, when processing queries from $\mathcal{B}$, the challenger $\mathcal{C}$ now substitutes the $\mathsf{PRF}$ outputs with truly random numbers. Since this modification affects exactly two $\mathsf{PRF}$ operations, namely $PRF(H_1({\left(c^f\right)}^{\prime },t^t),x^f)$ and $PRF(H_1({\left(c_i^v\right)}^{\prime },t^t),x_i^v)$), we can derive the following probability bound:

$$|Pr\left[suc{c}_3\right]-Pr\left[suc{c}_2\right]|\le Ad{v}_{\mathcal{A}}^{PRF}$$

(5)

After that, the adversary $\mathcal{A}$ has utilized all available oracles to challenge the semantic security of protocol $\mathcal{P}$. Adversary $\mathcal{A}$ attempts to win the game solely by guessing the value of b. All session keys $S{K}_i$ used to respond to Test queries in this game are independently and uniformly distributed. As a result, no information regarding the hidden bit b used by the Test oracle is leaked to the adversary. Consequently, we obtain:

$$Pr\left[suc{c}_3\right]=1/2$$

(6)

By combining the above formulas, (2)–(6), we can obtain:

$$\begin{array}{cc}\hfill Ad{v}_{\mathcal{A}}^{\mathcal{P}}& =2\left|Pr\right[suc{c}_0]-1/2|\hfill \\ \hfill & =2|Pr\left[suc{c}_1\right]-Pr\left[suc{c}_3\right]|\hfill \\ \hfill & =2|Pr\left[suc{c}_1\right]-Pr\left[suc{c}_2\right]+Pr\left[suc{c}_2\right]-Pr\left[suc{c}_3\right]|\hfill \\ \hfill & \le 2\left(\right|Pr\left[suc{c}_2\right]-Pr\left[suc{c}_1\right]|\hfill \\ \hfill & +|Pr\left[suc{c}_3\right]-Pr\left[suc{c}_2\right]\left|\right)\hfill \\ \hfill & \le {\displaystyle \frac{N_s+N_e}{q}}+\sum _{i=1}^7{\displaystyle \frac{N_i^2}{|has{h}_i|}}+2Ad{v}_{\mathcal{A}}^{PRF}\hfill \end{array}$$

(7)

Since q and $|Has{h}_i|$ are typically sufficiently large, and $Ad{v}_{\mathcal{B}}^{PRF}$ is small enough and infinitely close to 0, the adversary $\mathcal{A}$’s advantage $Ad{v}_{\mathcal{A}}^{\mathcal{P}}$ in breaking the semantic security of our BAKAF scheme is negligible. Thus, our scheme is semantically secure under the ROR model. □

6. Performance Evaluation

In this subsection, we evaluate the proposed scheme’s performance through two key metrics: computational overhead and communication overhead. We compare our BAKAF scheme with state-of-the-art provably secure AKA schemes [20,21,22,23]. The selection of these comparative schemes is based on two key criteria: (1) Our scheme employs three-party entity collaboration for key agreement, and all selected comparison schemes similarly adopt a three-party framework. (2) Since our scheme eliminates computationally expensive bilinear pairing operations, pairing-based AKA schemes are excluded from the comparison to ensure fairness.

As far as we know, this scheme is the first batch three-party AKA scheme in VANETs. Therefore, if other schemes perform n AKA sessions, the computational and communication overheads of those schemes are n times the respective overheads of a single AKA session.

6.1. Computational Overhead Comparison

Before comparing the computational overhead, we use the MIRACL [32] library to measure all basic operations. All experiments were conducted on a Lenovo Legion Y9000P laptop equipped with an 11th Gen Intel^® Core (TM) i7-11800H processor, 16 GB of memory, and the Windows 11 operating system. The laptop was purchased from Lenovo Store, Guilin, China. We omitted normal $Z_q^{*}$ operations (addition, multiplication) and string operations (concatenation, XOR) due to their negligible execution times. The experimental results for the average time consumption of basic operations are shown in

Table 2. The execution time of basic operations.

Operation	Description	Time (ms)
$T_{sm}$	Scale multiplication based on ECC	0.562
$T_{la}$	Lagrange interpolation	0.011
$T_h$	One-way hash	0.005
$T_{aes}$	AES-256 encryption/decryption	0.016
$T_{prf}$	Pseudo-random function	0.015
$T_{cm}$	Extended Chebyshev chaotic map	0.381

. It is noted that each operation’s execution time was averaged across 1000 repetitions.

In a complete AKA session process of Lu et al.’s scheme [20], the computational overheads of the vehicle and the fog node are $2T_{sm}+T_{la}+T_{prf}+5T_h$ and $T_{la}+T_{prf}+4T_h$, respectively. A lookup operation for the real ID was performed on the Cuckoo Filter in the scheme [20]. However, since this functionality is not implemented in our scheme, we omitted it to ensure fairness, so the computational overhead of a sub-TA (corresponding to the TCC in our scheme) is $T_{sm}+T_{la}+2T_{prf}+9T_h$. Thus, the total computational overhead of the scheme [20] for an AKA session process is $3T_{sm}+3T_{la}+4T_{prf}+18T_h$.

In a complete AKA session of Qiao et al.’s scheme [21], the computational overheads of the user (corresponding to the vehicle in our scheme), the fog node, and the cloud server (corresponding to the TCC in our scheme) are $2T_{cm}+7T_h$, $3T_{cm}+4T_h$, and $3T_{cm}+4T_{aes}+13T_h$, respectively. Thus, the total computational overhead of scheme [21] for an AKA session process is $8T_{cm}+24T_h+4T_{aes}$.

In a complete AKA session process of Jiang et al.’s scheme [22], the computational overheads of the user (corresponding to the vehicle in our scheme), the autonomous vehicle (corresponding to the fog node in our scheme), and the cloud (corresponding to the TCC in our scheme) are $5T_{sm}+7T_h$, 4$T_h$, and $5T_{sm}+13T_h$, respectively. Thus, the total computational overhead of scheme [22] for an AKA session process is $10T_{sm}+24T_h$.

In a complete AKA session process of Cui et al.’s scheme [23], the computational overheads of the vehicle, the cloud service (corresponding to the fog node in our scheme), and the TA (corresponding to the TCC in our scheme) are $8T_h+3T_{sm}$, $7T_h+3T_{sm}$, and $10T_h+2T_{sm}$, respectively. Thus, the total computational overhead of Scheme [23] for an AKA session process is $25T_h+8T_{sm}$.

In our BAKAF scheme, the AKA is executed in a batch for n vehicles; the computational overhead of n vehicles is $n(2T_{sm}+T_{la}+T_{prf}+5T_h)$. Moreover, the computational overheads of the fog node and the TCC are $n{T}_{la}+T_{prf}+(3+n)T_h$ and $n{T}_{sm}+n{T}_{la}+(n+1)T_{prf}+(5n+4)T_h$, respectively. Thus, the total computational overhead is $3n{T}_{sm}+3n{T}_{la}+2(n+1)T_{prf}+(11n+7)T_h$.

In Schemes [20,21,22,23], there are no batch handling functions. Therefore, executing n AKA sessions incurs n times the overhead of a single session. Consequently, the comparison results of computational overheads between our scheme and Schemes [20,21,22,23] are presented in

Table 3. Computational overheads for n AKA session (ms).

Scheme	Vehicle	FN	TCC	Total
[20]	$n(2T_{sm}+T_{la}+T_{prf}+5T_h)$ = 1.185n	$n(T_{la}+T_{prf}+4T_h)$ = 0.056n	$n(T_{sm}+T_{la}+2T_{prf}+9T_h)$ = 0.668n	$n(3T_{sm}+3T_{la}+4T_{prf}+18T_h)$ = 1.909n
[21]	$n(2T_{cm}+7T_h)$ = 0.797n	$n(3T_{cm}+4T_h)$ = 1.163n	$n(3T_{cm}+4T_{aes}+13T_h)$ = 1.272n	$n(8T_{cm}+24T_h+4T_{aes})$ = 3.232n
[22]	$n(5T_{sm}+7T_h)$ = 2.845n	$n\left(4T_h\right)$ = 0.02n	$n(5T_{sm}+13T_h)$ = 2.875n	$n(10T_{sm}+24T_h)$ = 5.74n
[23]	$n(8T_h+3T_{sm})$ = 1.726n	$n(7T_h+3T_{sm})$ = 1.721n	$n(10T_h+2T_{sm})$ = 1.174n	$n(25T_h+8T_{sm})$ = 4.621n
Ours	$2n{T}_{sm}+n{T}_{la}+n{T}_{prf}+5n{T}_h$ = 1.185n	$n{T}_{la}+T_{prf}+(3+n)T_h$ = 0.016n + 0.04	$$\begin{gathered} n{T}_{sm}+n{T}_{la}+ \\ (n+1)T_{prf}+(5n+4)T_h \end{gathered}$$ = 0.623n + 0.045	$$\begin{gathered} 3n{T}_{sm}+3n{T}_{la}+ \\ 2(n+1)T_{prf}+(11n+7)T_h \end{gathered}$$ = 1.824n + 0.085

Since the entities in Schemes [20,21,22,23] have similar functions to their counterparts in our scheme, this table only uses the entity names from our scheme.

.

We use Figure 2 to show the comparison results for a single AKA session. According to Figure 2, our scheme maintains an identical computational overhead to Scheme [20], while demonstrating significant advantages over Schemes [21,22,23] in terms of both per-entity and total computational overhead. Meanwhile, Figure 3 compares the computational overheads (both per-entity and total) for all schemes when n AKA sessions are conducted within a fixed time interval. The results demonstrate that as the number of vehicles n increases, our scheme achieves lower computational overhead than baseline schemes.

The low computational overhead of our scheme primarily stems from two key factors: (1) Our scheme employs lightweight cryptographic primitives, while the more computationally intensive ECC-based scalar multiplication operations are exclusively used for anonymous credential generation. (2) The batch AKA approach significantly reduces the overall computational operations. Beyond reducing per-entity computational overhead, our scheme substantially decreases the interaction between the FN and the TCC through batch AKA session processing.

6.2. Communication Overhead Comparison

Before comparing the communication overheads, we assume that the security parameters of all schemes are 128 bits in length. The element types and lengths involved in information transmission for each scheme are listed in

Table 4. The sizes of each element (byte).

Symbol	Description	Size (Byte)
$\left|G\right|$	The size of element in elliptic curve addition group	64
$\left|t\right|$	The size of timestamp	4
$\left|ID\right|$	The size of real identity or pseudonym	20
$\left|M\right|$	The size of message authentication code	20
$|Z_q^{*}|$	The size of element in $Z_q^{*}$	32
$\left|E\right|$	The size of the output generated by extended Chebyshev polynomial	32

. To ensure fairness and simplicity, we adopt AES as the symmetric encryption algorithm across all schemes, with ciphertext length identical to plaintext length.

In Scheme [20], a vehicle transmits $\{pi{d}_i,t_i^v,R_i^v,{\alpha }_i\}$ to the FN in the first stage, where $pi{d}_i$ is the pseudonym, whose length is identical to $\left|ID\right|$, $t_i^v$ is the timestamp, and $R_i^v$ is an element in elliptic curve group G, ${\alpha }_i\in Z_q^{*}$, so the communication overhead in the first stage is $\left|ID\right|+\left|t\right|+\left|G\right|+|Z_q^{*}|=120$ bytes. In the second stage, the FN transmits $\{i{d}_j,t_j,n_j,pi{d}_i,t_i^v,R_i^v,{\alpha }_i,{\beta }_j\}$ to the TCC, where $i{d}_j$ is the real identity and $t_j$ is the timestamp, $n_j,{\beta }_j\in Z_q^{*}$, so the communication overhead in this stage is $2\left|ID\right|+2\left|t\right|+\left|G\right|+3|Z_q^{*}|=208$ bytes. In the third stage, the TCC transmits $\{n_k,f{n}_k,t_k,{\gamma }_k,{\delta }_k\}$ to the FN, where $n_k,f{n}_k,{\gamma }_k,{\delta }_k\in Z_q^{*}$, and $t_k$ is the timestamp, so the communication overhead in this stage is $\left|t\right|+4|Z_q^{*}|=132$ bytes. In the fourth stage, the FN transmits $\{n_k,f{n}_k,t_k,{\delta }_k\}$ to the vehicle, so the communication overhead in this stage is $\left|t\right|+3|Z_q^{*}|=100$ bytes. Suppose there are n vehicles conducting AKA sessions during a fixed time interval, the total communication overhead is $(120+208+132+100)n=560n$ bytes.

In Scheme [21], a user transmits $M{S}_1=\{NI{D}_i,PI{D}_i^v,W_i,T_1,T_u\left(x\right)\}$ to the fog node $F{N}_j$ in the first stage, where $NI{D}_i=E_s(I{D}_i^v\left|\right|O_i)$ is obtained by symmetrically encrypting the concatenation of the identifier $I{D}_i^v$ and a random number $O_i$, whose length is identical to $\left|ID\right|+|Z_q^{*}|$. $T_1$ is the timestamp, and $PI{D}_i^v$ and $W_i$ are derived from one-way hash functions. Since their data types are unspecified in the original paper, we adopt the 20-byte length defined therein. $T_u\left(x\right)$ is the extended Chebyshev polynomial, whose length is $\left|E\right|$. Thus, the communication overhead in the first stage is $|M{S}_1|=|ID|+|Z_q^{*}|+2*20+|t|+|E|=128$ bytes. In the second stage, the $F{N}_j$ transmits $M{S}_2=\{M{S}_1,NI{D}_j,A,T_v\left(x\right),W_j,T_2\}$ to cloud server S, where $NI{D}_j=E_s(I{D}_j\left|\right|N_j)$ is obtained by symmetrically encrypting the concatenation of the identifier $I{D}_j$ and a random number $N_j$, whose length is $\left|ID\right|+|Z_q^{*}|$. A and $T_v\left(x\right)$ are the extended Chebyshev polynomial, $T_2$ is the timestamp, and $W_j$ is derived from one-way hash functions, so the communication overhead in this stage is $|M{S}_1|+|ID|+|Z_q^{*}|+|t|+2|E|+20=268$ bytes. In the third stage, cloud server S transmits $|M{S}_3|=\{V_i,V_j,A{u}_i,A{u}_j,B,C,T_3\}$ to the fog node $F{N}_j$, where $V_i,V_j,A{u}_i,A{u}_j$ are derived from one-way hash functions, B and C are the extended Chebyshev polynomial, and $T_3$ is the timestamp, so the communication overhead in this stage is $4*20+2\left|E\right|+\left|t\right|=148$ bytes. In the fourth stage, the fog node $F{N}_j$ transmits $M{S}_4=\{V_i,A{u}_i,A,B,C,T_3\}$ to the user, where $T_3$ is the timestamp, so the communication overhead in this stage is $2*20+3\left|E\right|+\left|t\right|=140$ bytes. Suppose there are n users conducting AKA sessions during a fixed time interval, the total communication overhead is $(128+268+148+140)n=684n$ bytes.

Similarly, when executing n AKA sessions within a fixed time interval, the total communication overheads for Scheme [22] and Scheme [23] are calculated as $704n$ bytes and $656n$ bytes, respectively.

In our scheme, suppose there are n vehicles performing AKA sessions with the same fog node $F{N}^f$ within a fixed time interval; vehicle $V_i$ needs to transmit ${\left(M_V^{FN}\right)}_i=\{M_i=\{PI{D}_i^v,t_i^v,R_i^v\},MA{C}_i\}$ to the fog node $F{N}^f$, where $PI{D}_i^v$ is the pseudonym, $t_i^v$ is the timestamp, $R_i^v$ is an element in elliptic curve group G, and $MA{C}_i$ is the message authentication code, so the communication overhead of n vehicles in the first stage is $\left(\right|ID|+|t|+|G|+|M\left|\right)n=108n$ bytes. In the second stage, the fog node $F{N}^f$ transmits the message $M_{FN}^{TCC}=\{I{D}^f,t^f,x^f,M_{agg},MA{C}_{agg},{\beta }^f\}$ to the TCC, where $I{D}^f$ is the real identity, $t^f$ is the time timestamp, $x^f,{\beta }^f\in Z_q^{*}$, $M_{agg}$ is formed by sequentially concatenating n messages ${\left\{M_i\right\}}_{i=1}^n$, whose length is $n\left(\right|ID|+|t|+|G\left|\right)$, and $MA{C}_{agg}$ is the message authentication code, so the communication overhead in this stage is $\left|ID\right|+\left|t\right|+2|Z_q^{*}|+n(\left|ID\right|+\left|t\right|+\left|G\right|)+|M|=108+88n$ bytes. In the third stage, the TCC transmits the message $M_{TCC}^{FN}=\{{\{PI{D}_i^v,x_i^t,y_i^t,{\delta }_i^t\}}_{i=1}^l,t^t,{\gamma }^t\}$ to the fog node $F{N}^f$, where $t^t$ is the timestamp, $x_i^t,y_i^t,{\delta }_i^t,{\gamma }^t\in Z_q^{*}$; here we assume $l=n$, implying that all vehicles’ data are both correct and complete. Thus, the communication overhead in this stage is $n\left(\right|ID|+3|Z_q^{*}\left|\right)+\left|t\right|+|Z_q^{*}|=36+116n$ bytes. In the fourth stage, the fog node $F{N}^f$ sends the messages ${\left\{M_{FN}^V\right\}}_{i=1}^n={\{PI{D}_i^v,x_i^t,y_i^t,t^t,{\delta }_i^t\}}_{i=1}^n$ to the corresponding vehicles ${\left\{V_i\right\}}_{i=1}^n$, so the communication overhead in this stage is $n\left(\right|ID|+3|Z_q^{*}|+|t\left|\right)=120n$ bytes. Thus, for n vehicles executing the AKA sessions, the total communication overhead across all four stages amounts to $432n+144$ bytes.

Figure 4 compares the communication overheads of different schemes as the number of AKAs varies. As shown in the figure, our scheme demonstrates a clear advantage as the number of AKAs increases. This is primarily because our scheme processes multiple AKA requests in batches within a fixed time interval.

7. Conclusions and Remark

In this scheme, for a batch of vehicles initiating AKA requests to the same fog node within a fixed short time interval, we combine fog computing and Lagrange interpolation to complete these AKA processes in a round of operations. The interpolation points of the straight lines corresponding to each vehicle share a common point at the fog node. These mechanisms ensure that our scheme possesses very low computational and communication overheads while simplifying the overall system operations.

The authentication component of our scheme relies on the certificates of vehicles and fog nodes, as well as the system master secret key. It is assumed that the system master secret key and the certificate values remain perpetually secure. However, existing physical attack techniques (such as side-channel attacks) can obtain such sensitive information. Since existing technologies like physically unclonable functions and fuzzy extractor can effectively resist these physical attacks, our scheme does not focus on this aspect in depth.

The batch AKA mechanism designed in our scheme requires participating vehicles to establish session keys with the same FN, which poses a certain limitation. How to perform batch AKA operations among different vehicles and different FNs within a short time interval is a key direction for our future research.