A Certificateless Aggregated Signcryption Scheme Based on Edge Computing in VANETs

Abstract

The development of Vehicle AD Hoc Networks (VANETs) has significantly enhanced the efficiency of intelligent transportation systems. Through real-time communication between vehicles and roadside units (RSUs), the immediate sharing of traffic information has been achieved. However, challenges such as network congestion, data privacy, and low computing efficiency still exist. Data privacy is at risk of leakage due to the sensitivity of vehicle information, especially in a resource-constrained vehicle environment, where computing efficiency becomes a bottleneck restricting the development of VANETs. To address these challenges, this paper proposes a certificateless aggregated signcryption scheme based on edge computing. This scheme integrates online/offline encryption (OOE) technology and a pseudonym mechanism. It not only solves the problem of key escrow, generating part of the private key through collaboration between the user and the Key Generation Center (KGC), but also uses pseudonyms to protect the real identities of the vehicle and RSU, effectively preventing privacy leakage. This scheme eliminates bilinear pairing operations, significantly improves efficiency, and supports conditional traceability and revocation of malicious vehicles while maintaining anonymity. The completeness analysis shows that under the assumptions of calculating the Diffie–Hellman (CDH) and elliptic curve discrete logarithm problem (ECDLP), this scheme can meet the requirements of IND-CCA2 confidentiality and EUF-CMA non-forgeability. The performance evaluation further confirmed that, compared with the existing schemes, this scheme performed well in both computing and communication costs and was highly suitable for the resource-constrained VANET environment.

1. Introduction

In modern society, with the increasing number of vehicles and the increasingly serious traffic problems, intelligent transportation has become a hot topic. VANETs are an important technology to realize intelligent transportation, which not only ensures the safety of the people in the vehicle but also greatly improves people’s travel experience and provides more intelligent services for the vehicle [1]. Through real-time information exchange, VANETs provide more accurate data support for traffic management. Therefore, the development of VANETs plays a crucial role in advancing intelligent transportation systems [2]. As an extension of the Internet of Things in the transportation field, VANETs can significantly improve vehicle management efficiency and optimize route planning [3]. VANETs mainly connect vehicles to the Internet and realize vehicle-to-vehicle (V2V) and vehicle-to-infrastructure (V2I) communication through the linkage of on-board devices and sensors. In the framework of VANETs, on-board units (OBUs), as wireless communication devices, enable vehicles to acquire and share real-time data [4]. In addition, RSUs act as roadside network nodes to efficiently exchange data with vehicles through protocols such as 5G-V2X to improve traffic efficiency and prevent accidents [5]. The reliability and security of the entire system is the responsibility of a trusted authority (TA), which generates and manages the identity information and key of the vehicle and RSU and tracks the malicious vehicle, providing security for the entire system.

Although VANETs provide great convenience for people’s travel, with the continuous development of VANETs, the challenges facing them are gradually emerging; for example, a large number of data transmissions may cause network congestion and data privacy and security issues are also concerned. In order to deal with the problem of network congestion, edge computing technology comes into being. Edge computing pushes computing and storage functions to the edge of the network so that data can be stored, calculated, and analyzed at the edge nodes, and the calculated data can be further sent to the central server(CS) for computing and storage, effectively reducing the delay and bandwidth requirements of data transmission [6,7]. Therefore, it is necessary to apply edge computing in the field of the Internet of Vehicles.

Combining the advantages of certificateless signcryption and aggregation, many schemes for certificateless aggregate signcryption (CLAS) have been proposed [8,9,10,11,12,13,14]. However, these schemes are not secure enough, and there are still some security loopholes that cause privacy to be inadequately protected, and the communication overhead and efficiency need to be improved. Recently, some schemes [14,15,16] have proposed the combination of CLAS and OOE, which can ensure message confidentiality while reducing communication costs. After doing a lot of work on the security and privacy requirements of VANETS, we found that these schemes could not meet the privacy protection needs of users, so it is necessary to design an efficient and secure VANET certificateless online/offline aggregate signature encryption scheme.

1.1. Our Contributions

• This paper proposed a certificateless aggregate signature encryption protocol with conditional traceability in edge computing environments. This protocol does not need expensive bilinear pairing operations and can be used for V2I communication in vehicle networking with higher computational efficiency. When a vehicle communicates with an edge node (i.e., RSU), the authentication, confidentiality, integrity, and non-repudiation of the message are realized.
• In our protocol, a pseudonym mechanism is implemented to protect the privacy of vehicles and RSUs, effectively hiding the true identity of vehicles and RSUs. And we can track malicious vehicles under the condition of ensuring the anonymity of vehicles and achieve conditional traceability. If a malicious vehicle sends a false message, TRA can revoke the vehicle from the system based on the false name in the signature.
• Our protocol meets the security required for the design of VANETs, providing confidentiality, unforgeability, authentication, integrity, anonymity, non-repudiation, conditional traceability, revocability, and unlinkability. And our protocol can effectively protect against potential attacks, such as replay attacks, impersonation attacks, modification attacks, man-in-the-middle attacks, Ephemeral Secret Leakage (ESL) attacks, and full chosen-key attacks.

1.2. Organization

The rest of this article is arranged as follows. We introduce the related work in the Section 2. Section 3 provides the system model, scheme definition, security and attack model, design objectives, and ECC. Section 4 describes the specific content of our proposal. Section 5 and Section 6 give the security analysis and performance analysis of the scheme. Finally, Section 7 summarizes this paper.

2. Related Works

2.1. Certificateless Aggregate Signature Encryption

In traditional public key systems, the public key authentication of devices is achieved through Public Key Infrastructure (PKI). In VANETs, the rapid increase in the number of devices leads to a high overhead for storing PKI certificates and is not suitable for on-board units (OBUs) with limited computing and storage capacity [17]. To address the certificate management issues in PKI, Shamir [18] proposed the concept of Identity-Based Cryptography (IBC) in 1984. The principle of IBC is to use the user’s identity information (such as ID number, email, age, etc.) as the public key and apply to a trusted third party for the corresponding private key, namely the Key Generation Center (PKG). Since the private key in IBC is generated by the PKG, there is a key escrow problem. To solve the key escrow problem, Al-Riyami and Paterson [19] proposed the first certificateless signature (CLAS) scheme. In CLAS, the Key Generation Center (KGC) first sends a partial private key to the user. By combining the partial private key with a private key value determined by the user themselves, the user can generate a complete private key. Therefore, the KGC cannot access the user’s private key. In 2007, Castro and Dahab [20] introduced aggregate signatures and proposed the first certificateless aggregate signature scheme, which combined the advantages of certificateless encryption and aggregate signatures. In 2015, Horng et al. [21] proposed a certificateless aggregate signature scheme suitable for communication between vehicles and infrastructure in the Internet of Vehicles. This scheme uses pseudonyms to achieve conditional privacy protection. Li et al. [22] proved in the following year that Horng et al.’s scheme [21] did not achieve complete aggregation and was insecure against Type II attackers. In 2020, Mei et al. [12] proposed a certificateless aggregate signature scheme with conditional privacy protection in the Internet of Vehicles using bilinear pairings. However, due to the high cost of cryptographic operations using bilinear pairings, these schemes are not suitable for resource-limited environments. To reduce computational costs and time, Cui et al. [9] proposed a certificateless aggregate signature scheme without pairings, using elliptic curve encryption operations to improve computational efficiency. However, Xie et al. [14] found that the scheme in [9] was not proven to be existentially unforgeable against adversary $\overline{A_2}$. The scheme in [14] redesigned a certificateless aggregate signature scheme without pairings, introducing an edge computing architecture to perform signature verification and aggregation closer to the edge layer of the end user and proved that it was existentially unforgeable against adversary $\overline{A_2}$. In summary, although these certificateless aggregate signature schemes have improved computational efficiency and reduced computational costs, they still have vulnerabilities, lack tracking and revocation mechanisms, and are susceptible to replay attacks, malicious vehicle attacks, transient key leakage attacks, and complete key selection attacks. Therefore, a certificateless aggregate signature protocol with conditional traceability based on edge computing is proposed.

2.2. Online/Offline Encryption Technology

To enhance efficiency on resource-constrained devices, Even et al. [23] proposed a scheme to reduce computational overhead in digital signature processes by dividing the signing procedure into online/offline phases. The first phase (offline) is executed prior to message acquisition, while the second phase (online) occurs when message transmission is required. In 2008, Guo et al. [24] introduced an identity-based online/offline encryption (IBOOE) scheme where the offline phase operates without recipient identities or encrypted messages. This enables efficient completion of the online phase once recipient identities and messages become available. However, the ciphertext size in the scheme in [24] was excessively large, rendering it impractical for resource-limited devices. To address this issue, Lai et al. [25] achieved the shortest ciphertext size in both offline and online phases, demonstrating optimal performance during offline computations. Subsequently, Chen et al. [26] presented a certificateless signature scheme integrated with online/offline encryption technologies, requiring only one-point multiplication for resource-constrained edge devices in cloud–edge collaborative architectures, while verification demands only one bilinear pairing. In 2023, Ali et al. [5] proposed a heterogeneous online/offline signcryption scheme that eliminates the need for bilinear pairings, thereby reducing computational costs. Collectively, such OOE technologies have seen widespread adoption across diverse domains, including industrial networks, cloud computing, and VANETs, significantly improving encryption efficiency. However, security challenges persist in these schemes. By integrating TPD into physical devices, our proposed solution ensures security during both offline/online encryption phases while effectively mitigating ESL attacks.

2.3. Edge Computing Architecture

In recent years, the proliferation of internet-connected smart devices has brought significant data generation challenges in VANETs. Edge computing has gained increasing popularity and deployment across various latency-sensitive application domains, including VANETs [27]. As a technology enabling computation at the network edge, edge computing performs processing in proximity to data sources [28]. This architecture reduces data transmission latency and bandwidth demands by pushing computing and storage resources to the network periphery, thereby enhancing system responsiveness and efficiency.

In VANETs, edge computing applications are particularly critical. The massive volumes of data generated by vehicles require real-time processing and analysis to ensure traffic safety and efficiency. Traditional data centers are insufficient to handle the storage demands at this scale. Instead, CS can serve as a computing and storage platform for massive data in the Internet of Vehicles, enabling efficient data sharing between users and vehicles through centralized remote processing and storage. Edge computing nodes, such as RSUs, can process these data locally without transmitting all information to remote cloud servers. This not only mitigates network congestion but also lowers data transmission latency, enabling vehicles to respond more rapidly to traffic conditions [29]. Beyond improving data processing speed and efficiency, edge computing in VANETs enhances system security and privacy protection. By processing data at edge nodes, sensitive data transmission is minimized, reducing data leakage risks [30]. Furthermore, given the prevalence of resource-constrained devices in VANETs, cloud-collaborative frameworks provide specialized services that further optimize resource utilization and computational efficiency [31]. In 2023, Xie et al. [14] utilized edge computing to process data at the network edge, reducing the transmission of sensitive data and lowering the risk of leakage. Moreover, they employed a pseudonym mechanism to hide the true identities of vehicles, further protecting user privacy. In 2024, Han et al. [32] utilized edge computing to avoid the single-point-of-failure problem of CS, enhancing the robustness and reliability of the system.

3. Preliminaries

We introduce the system model, scheme definition, security and attack model, design objectives, and ECC in this section.

3.1. System Model

The network model of the VANET in this scheme is composed of vehicle, RSU, KGC, and TRA equipped with edge computing equipment. The structure is shown in Figure 1.

• Vehicle: Each vehicle is equipped with OBUs, and each OBU is equipped with TPD. The OBU collects real-time traffic data and encrypts the information to communicate wirelessly with a nearby RSU. And the energy required for each signature encryption operation of the OBU is consistent. TPD protects the OBU’s encryption process, as well as securely storing sensitive data and the vehicle’s public and private keys.
• RSU: It is a roadside infrastructure that communicates with vehicles in range and verifies the traffic-related information received. RSU is equipped with edge computing equipment, which extends more powerful computing power to the edge of the network and can process large amounts of data intelligently and efficiently.
• KGC: It is part of a reliable TA and has powerful computing and storage capabilities. It is responsible for generating and publishing system parameters, registration of RSU and vehicle, and generation of partial private keys. Together with TRA, it is responsible for managing the entire system of VANETs. In this model, it is assumed that KGC is a semi-trusted institution.
• TRA: It is part of TA and is responsible for establishing and saving anonymity for vehicles and RSUs. If anonymous identity lapses or malicious vehicles appear, it will track and revocate them from the system, thus ensuring the security of the system. In this model, it is assumed that TRA is a completely reliable institution.
• CS: In this model, CS serves only as a data center to receive messages sent by edge nodes and store them for future reference.

3.2. Scheme Definition

In this section, we describe the algorithmic flow of the scheme structure.

• Setup: Given a security parameter $1^{\lambda }$, KGC generates the master private key a and the system public parameter $params$.
• Anonymization: Given $params$, TRA interacts with a user (such as a vehicle) with a real identity ${RID}_{Vi}$ to generate a anonymous identity ${AID}_{Vi}$.
• Partial Private Key: Given $params,a,{AID}_{Vi}$, KGC generates a partial private key $s_{Vi,1}$ for that user.
• Public/Private Key: The user sets its full private key ${SK}_{Vi}$ and public key ${PK}_{Vi}$.
• Offline Signcryption: Given a vehicle’s private key ${SK}_{Vi}$ and a RSU’s public key ${PK}_{Ri}$, an offline ciphertext ${\sigma }_i^{▵}$ is obtained.
• Online Signcryption: Given ${\sigma }_i^{▵},m_i$, the vehicle’s anonymous identity ${AID}_{Vi}$ and the RSU’s anonymous identity ${AID}_{Ri}$ output the ultimate ciphertext ${\sigma }_i$.
• Unsigncryption: Given the ciphertext ${\sigma }_i$, RSU performs this operation to obtain plaintext $m_i$ and verifies it.

3.3. Security Model

To protect V2I communication, we define the security model of this scheme. According to the attacker’s behavior, we consider the following types of attackers.

(1) Type 1 attack (Public-Key Replacement Attack): The attacker possesses the target user’s private key $s_{Vi,2}$ and can replace the user’s public key $P{K}_{Vi}$ at will but cannot access the KGC’s master private key a.

(2) Type 2 attack (Malicious KGC Attack): The attacker possesses the KGC’s master private key a and can generate the user’s partial private key $s_{Vi,1}$ but cannot know the user’s private key $s_{Vi,2}$.

Game-1: This game is played between the challenger C and the adversary $A_1$.

Setup: First, C inputs the security parameter 1, generates the master private key a and the system public parameters $params$, and sends $params$ to $A_1$. Additionally, C performs the public/private key operation to obtain $(S{K}_{Ri},P{K}_{Ri})$ and sends $P{K}_{Ri}$ to $A_1$.

Phase 1: In this phase, $A_1$ can make the following queries to C:

Partial Private Key Query: $A_1$ sends $AI{D}_{Vi}$ to C, C performs the partial private key operation to obtain the partial private key $s_{Vi,1}$ and sends it to $A_1$.

Private Key Query: $A_1$ sends $AI{D}_{Vi}$ to C, C invokes the private key operation to obtain the private key $sVi,2$ and sends it to $A_1$.

Public Key Query: $A_1$ sends $AI{D}_{Vi}$ to C, C invokes the public key operation to obtain the public key $P{K}_{Vi}$ and sends it to $A_1$.

Public Key Replacement Query: $A_1$ submits the public key $P{K}_{Vi}^{\prime }$ to C, C replaces $P{K}_{Vi}$ with $P{K}_{Vi}^{\prime }$ in the list $Lk$.

Signcryption Query: C performs the offline signcryption and online signcryption operations to generate ${\sigma }_i$ and sends it to $A_1$.

Unsigncryption Query: C performs the unsigncryption operation to generate M or ⊥ and sends it to $A_1$.

Challenge: $A_1$ generates two messages $m_0$ and $m_1$ of the same length and marks them with the identity information $AI{D}_{Vi}^{\ast }$, then sends them to the challenger C. C performs the partial private key and private key operations to obtain the sender’s complete private key $S{K}_{Vi}^{\ast }$ and sends it to $A_1$. C selects $\rho \in \{0,1\}$ and obtains ${\sigma }_i^{\ast }$ through the offline signcryption and online signcryption operations. Finally, C sends ${\sigma }_i^{\ast }$ to $A_1$.

Phase 2: In this phase, $A_1$ repeats the same queries as in phase 1. However, it cannot request the unsigncryption query operation on (${\sigma }_i^{\ast }$, $S{K}_{Ri}^{\ast }$, $P{K}_{Vi}^{\ast }$) to obtain the corresponding message.

Guess: $A_1$ outputs ${\rho }^{\prime }$; if ${\rho }^{\prime }=\rho$, it indicates that the game is won.

Definition 1.

If no adversary can win Game 1 with a non-negligible advantage, the proposed scheme can achieve $IND-CCA2$ security.

Game-2: This game is played between the challenger C and the adversary $A_2$.

Setup: First, C inputs the security parameter 1, generates the master private key a and the system public parameters $params$, and sends params to $A_2$. Additionally, C performs the public/private key operation to obtain $(S{K}_{Ri},P{K}_{Ri})$ and sends $P{K}_{Ri}$ to $A_2$.

Phase 1: At this stage, $A_2$ can make the following queries:

Partial Private Key Query: $A_2$ sends $AI{D}_{Vi}$ to C, and C performs the partial private key operation to obtain the partial private key $sVi,1$ and sends it to $A_2$.

Private Key Query: $A_2$ sends $AI{D}_{Vi}$ to C, and C invokes the private key operation to obtain the private key $s_{Vi,2}$ and sends it to $A_2$.

Public Key Query: $A_2$ sends $AI{D}_{Vi}$ to C, and C invokes the public key operation to obtain the public key $P{K}_{Vi}$ and sends it to $A_2$.

Signcryption Query: C performs the offline signcryption and online signcryption operations to generate ${\sigma }_i$ and sends it to $A_2$.

Unsigncryption Query: C performs the unsigncryption operation to generate M or ⊥ and sends it to $A_2$.

Forgery: $A_2$ forges a signature ${\sigma }_i^{\ast }$, corresponding to the message $m^{\ast }$ and the sender identity $AI{D}_{Vi}$, satisfying the following conditions:

(1) $AI{D}_{Vi}$ has not been queried in the partial private key query of Phase 1 (i.e., $A_2$ has not obtained $s_{Vi,1}$);

(2) ${\sigma }_i^{\ast }$ has not been generated in the signcryption query of Phase 1.

Guess: C verifies the validity of ${\sigma }_i^{\ast }$. If ${\sigma }_i^{\ast }$ passes the verification and $m^{\ast }$ is valid, $A_2$ succeeds in the forgery.

Definition 2.

If no polynomial-time adversary $A_2$ can win Game 2 with a non-negligible advantage (i.e., successfully forge a valid ciphertext), then the scheme satisfies $EUF-CMA$ security.

3.4. Elliptic Curve Cryptography

Let $F_p$ be a finite field defined by a large prime number p, where $p>3$. Over the finite field $F_p$, an elliptic curve E consists of all points $(x,y)$ satisfying the equation $y^2=x^3+ax+b$, where $a,b\in F_p$, and the discriminant condition $4a^3+27b^2\ne 0\left(modp\right)$ holds. Additionally, a point at infinity O is included. All points on the elliptic curve E, together with the point at infinity O, form a group $\mathbb{G}$, known as the elliptic curve group. An addition operation is defined in the group $\mathbb{G}$ such that for any two points $P,Q\in \mathbb{G}$, there exists a unique point $R\in \mathbb{G}$ with $P+Q=R$. The addition operation satisfies associativity, commutativity, and the existence of an identity element O (i.e., for any $P\in \mathbb{G}$, we obtain $P+O=P$).

Elliptic Curve Discrete Logarithm Problem (ECDLP): Given two points P and Q in the elliptic curve group $\mathbb{G}$, where $Q=xP$ (x is some unknown integer), the ECDLP is to find this integer x. In ECC, it is assumed that this problem is computationally infeasible, meaning no efficient algorithm can solve it in probabilistic polynomial time (PPT).

4. Proposed Scheme

In Section 4, we describe the construction of our scheme in detail. Our scheme consists of six algorithms, and the flow of our scheme is shown in Figure 2. For ease of reading, the symbols used in this protocol are defined in

Table 1. Notations with definition.

Notations	Description
${RID}_{Vi},{RID}_{Ri}$	The real identity of vehicles and RSUs
${AID}_{Vi},{AID}_{Ri}$	The anonymous identity of vehicles and RSUs
$\mathbb{G}$	Cyclic addition group of elliptic curves
$q,P$	The order and generator of $\mathbb{G}$
${\alpha }_0,P_{pub}$	Master private and public key of KGC
${\alpha }_1,T_{pub}$	Master private and public key of TRA
$H_{i,i=1,2,3,4,5}$	A one-way hash functions
${SK}_{Vi},{SK}_{Ri}$	Full private key of vehicles and RSUs
${PK}_{Vi},{PK}_{Ri}$	Full public key of vehicles and RSUs
$T_i$	A valid time period of ${\sigma }_i$
$t_i$	A valid time period of anonymous identity
$m_i$	A message needs to be sent
${\sigma }_i^{▵}$	An offline ciphertext
${\sigma }_i$	An ultimate ciphertext
$L=\{l_2,\dots ,l_n\}$	Small random integer set

.

4.1. Setup

This algorithm takes a security parameter $1^{\lambda }$ as input. It generates a group $\mathbb{G}$ of an elliptic curve with prime order q, where P is the generator of $\mathbb{G}$. Next, the KGC and TRA execute the following steps:

(1) KGC randomly selects a parameter ${\alpha }_0\in Z_q^{\ast }$ as master private key ${msk}_0$ and calculates master public key $P_{pub}={\alpha }_{0}P$.

(2) TRA randomly selects a parameter ${\alpha }_1\in Z_q^{\ast }$ as master private key ${msk}_1$ and calculates master public key $T_{pub}={\alpha }_{1}P$.

(3) Select four hash functions $H_1:Z_q^{\ast }\times \mathbb{G}\times {\{0,1\}}^{\ast }\to Z_q^{\ast }$, $H_2:\mathbb{G}\times Z_q^{\ast }\times {\{0,1\}}^{\ast }\to Z_q^{\ast }$, $H_3:\mathbb{G}\times Z_q^{\ast }\times \mathbb{G}\to Z_q^{\ast }$, $H_4:\mathbb{G}\to {\{0,1\}}^{\ast }$ and $H_5:{\{0,1\}}^{\ast }\times Z_q^{\ast }\times \mathbb{G}\times \mathbb{G}\times {\{0,1\}}^{\ast }\to Z_q^{\ast }$.

(4) KGC and The TRA store ${msk}_0$ and ${msk}_1$, respectively, and publish the system parameter $params=\{\mathbb{G},q,P,P_{pub},T_{pub},H_1,H_2,H_3,H_4,H_5\}$.

4.2. Anonymization

TRA invokes this algorithm to generate the anonymous identity of vehicle and RSU. The algorithm is executed as follows:

(1) A vehicle with real identity ${RID}_{Vi}\in Z_q^{\ast }$ randomly selects $r_{Vi}\in Z_q^{\ast }$, computes ${AID}_{Vi,1}=r_{Vi}P$, and sends $({RID}_{Vi},{AID}_{Vi,1})$ to the TRA.

(2) TRA checks the validity of ${RID}_{Vi}$ and computes ${AID}_{Vi,2}={RID}_{Vi}⨁h_{i,1}$, where $h_{i,1}=H_1(a_1{RID}_{Vi},T_{pub},t_i)$ and $t_i\in {\{0,1\}}^{\ast }$ is the anonymous identity’s validity period. The vehicle’s anonymous identity is ${AID}_{Vi}=H_2({AID}_{Vi,1},{AID}_{Vi,2},t_i)$.

(3) TRA stores $({AID}_{Vi},{RID}_{Vi})$ in the local database, then sends $({AID}_{Vi},t_i)$ to the KGC and the vehicle. Similarly, TRA generates $({AID}_{Ri},{RID}_{Ri})$ and sends $({AID}_{Ri},t_i)$ to the KGC and RSU.

4.3. Partial Private Key

In this phase, the KGC generates the partial private key of vehicle and RSU, and the KGC executes the following operations:

(1) KGC receives ${AID}_{Vi}$ sent by the vehicle and retrieves ${AID}_{Vi}$ in the local list; if ${AID}_{Vi}$ exists and $t_i$ is valid, KGC proceeds to the next step.

(2) KGC selects $u_{Vi}\in Z_q^{\ast }$ and computes $U_{Vi}=u_{Vi}P$. Then, KGC calculates $s_{Vi,1}=u_{Vi}+{\alpha }_0{h}_{i,3}$ as partial secret key, where $h_{i,3}=H_3(P_{pub},{AID}_{Vi},U_{Vi})$.

(3) KGC sends the $(s_{Vi,1},U_{Vi})$ to the vehicle secretly. Similarly, KGC generates $(s_{Ri,1},U_{Ri})$ and sends it to the RSU.

4.4. Public/Private Key

The vehicle is calculated to obtain the full key at this stage, and it executes the following operations:

(1) The vehicle receives $(s_{Vi,1},U_{Vi})$ and checks the equation $s_{Vi,1}P=U_{Vi}+P_{pub}{h}_{i,3}$, where $h_{i,3}=H_3(P_{pub},{AID}_{Vi},U_{Vi})$. If not, the vehicle rejects it; otherwise, the vehicle accepts the $s_{Vi,1}$ and proceeds to the next step.

(2) The vehicle randomly selects $s_{Vi,2}\in Z_q^{\ast }$ as its secret value, and then the full private key is set as ${SK}_{Vi}=(s_{Vi,1},s_{Vi,2})$.

(3) The vehicle calculates ${PK}_{Vi}={(s_{Vi,1}+s_{Vi,2})}^{-1}P$ as the public key.

(4) Similarly, the RSU generates ${SK}_{Ri}=(s_{Ri,1},s_{Ri,2})$ as the full private key and sets its public key as ${PK}_{Ri}={(s_{Ri,1}+s_{Ri,2})}^{-1}P$.

4.5. Offline Signcryption

The vehicle whose anonymous identity is ${AID}_{Vi}$ obtains the public key ${PK}_{Ri}$ of the RSU and performs the following operations:

(1) Pick $x_{i,1},x_{i,2}\in Z_q^{\ast }$ at random.

(2) Compute $x_i=(x_{i,1}{s}_{Vi,1}+x_{i,2}{s}_{Vi,2}){(s_{Vi,1}+s_{Vi,2})}^{-1}$, and $X_i=x_{i}P$.

(3) Compute $W_i=x_i{PK}_{Ri}$.

(4) Obtain an offline ciphertext ${\sigma }_i^{▵}=(x_i,X_i,W_i)$.

4.6. Online Signcryption

In this phase, the vehicle gives $m_i$, the offline signcryption ${\sigma }_i^{▵}$, and its anonymous identity ${AID}_{Vi}$, public key ${PK}_{Vi}$, and private key ${SK}_{Vi}$. The vehicle computes the following algorithm:

(1) Compute ${\delta }_i=m_i⨁h_{i,4}$, where $h_{i,4}=H_4\left(X_i\right)$.

(2) Compute ${\omega }_i=\{h_{i,5}{(s_{Vi,1}+s_{Vi,2})}^{-1}+x_i\}modq$, where $h_{i,5}=$$H_5(m_i,{AID}_{Vi},{PK}_{Vi},X_i,T_i)$.

(3) Obtain an ultimate ciphertext ${\sigma }_i=({\delta }_i,{\omega }_i,W_i,T_i)$. The vehicle sends ${\sigma }_i$ to a nearby RSU where $T_i$ is the timestamp on the validity of ${\sigma }_i$.

4.7. Unsigncryption

When the RSU receives the ciphertext ${\sigma }_i$ from the vehicle, it first checks the freshness of ${\sigma }_i$. If $T_i$ or $t_i$ is invalid, ${\sigma }_i$ is rejected. Otherwise, the RSU gives ciphertext ${\sigma }_i$, the vehicle’s anonymous identity ${AID}_{Vi}$, public key ${PK}_{Vi}$, and the RSU’s private key ${SK}_{Ri}$, and the verification process is executed below:

(1) Compute $X_i=W_i(s_{Ri,1}+s_{Ri,2})$.

(2) Recover $m_i$ by calculating $m_i={\delta }_i⨁H_4\left(X_i\right)$.

(3) Compute $h_{i,5}=H_5(m_i,{AID}_{Vi},{PK}_{Vi},X_i,T_i)$ and verify the formula ${\omega }_{i}P=\{h_{i,5}{PK}_{Vi}+X_i\}$, Then, receive $m_i$ if the verification passes; otherwise, reject $m_i$.

4.8. Aggregate Unsigncryption

This algorithm has the functions of ciphertext aggregation and batch verification, which can significantly improve the efficiency. If $T_i$ is valid, the RSU receives multiple ciphertexts ${\sigma }_i=({\delta }_i,{\omega }_i,W_i,T_i)$ sent by multiple vehicles $V_i(i=1,2,\dots ,n)$ and provides ${AID}_{Vi}(i=1,2,\dots ,n),{PK}_{Vi}(i=1,2,\dots ,n),{SK}_{Ri}$. This algorithm works as follows:

(1) The RSU selects a small random integer set $L=\{l_2,\dots ,l_n\}$ and calculates ${\displaystyle \omega ={\omega }_1+\sum _{i=2}^n{l}_i{\omega }_i}$, where $l_i\in [1,2^{\zeta }]$ and $\zeta$ is a small integer (e.g., $\zeta =3$). and outputs aggregate ciphertext $\sigma =({\delta }_1,{\delta }_2,{\delta }_3,\dots ,{\delta }_n,\omega ,L,W_1,W_2,W_3,\dots ,W_n)$.

(2) Similarly, compute $X_i=W_i(s_{Ri,1}+s_{Ri,2})$ and recover $m_i$ by calculating $m_i={\delta }_i⨁H_4\left(X_i\right)$. Then, compute $h_{i,5}=H_5(m_i,{AID}_{Vi},{PK}_{Vi},X_i,T_i)$.

(3) Compute ${\displaystyle \omega P=h_{1,5}{PK}_{V1}+X_1+\sum _{i=2}^n{l}_i{h}_{i,5}{PK}_{Vi}+\sum _{i=2}^n{l}_i{X}_i}$. If the above equations hold, accept the messages $m_i$. If not, reject it.

5. Security Analysis

In Section 5, we give formal security analysis and informal security analysis of our scheme and prove the security of the security model in the VANETs.

5.1. Formal Security Analysis

(1) Correctness: The next steps are to verify the validity of the aggregated signcryption.

Firstly, we calculate

$$\begin{array}{cc}\hfill W_i(s_{Ri,1}+s_{Ri,2})& =x_i{PK}_{Ri}(s_{Ri,1}+s_{Ri,2})\hfill \\ \hfill & =x_i{(s_{Ri,1}+s_{Ri,2})}^{-1}P(s_{Ri,1}+s_{Ri,2})\hfill \\ \hfill & =x_{i}P\hfill \\ \hfill & =X_i\hfill \end{array}$$

(1)

Secondly,

$$\begin{array}{cc}\hfill m_i& ={\delta }_i⨁H_4\left(X_i\right)\hfill \\ \hfill h_{i,5}& =H_5(m_i,{AID}_{Vi},{PK}_{Vi},X_i,T_i)\hfill \end{array}$$

(2)

Then,

$$\begin{array}{cc}\hfill {\displaystyle h_{1,5}{PK}_{V1}+X_1+\sum _{i=2}^n{l}_i{h}_{i,5}{PK}_{Vi}+\sum _{i=2}^n{l}_i{X}_i}& {\displaystyle =h_{1,5}{(s_{V1,1}+s_{V1,2})}^{-1}P+x_{1}P+\sum _{i=2}^n{l}_i{h}_{i,5}{(s_{Vi,1}+s_{Vi,2})}^{-1}P+\sum _{i=2}^n{l}_i{x}_{i}P}\hfill \\ \hfill & {\displaystyle =\{h_{1,5}{(s_{V1,1}+s_{V1,2})}^{-1}+x_1\}P+\sum _{i=2}^n{l}_i\{h_{i,5}{(s_{Vi,1}+s_{Vi,2})}^{-1}+x_i\}P}\hfill \\ \hfill & {\displaystyle ={\omega }_{1}P+\sum _{i=2}^n{l}_i{\omega }_{i}P}\hfill \\ \hfill & =\omega P\hfill \end{array}$$

(3)

(2) Confidentiality: Our scheme achieves $IND-CCA2$ security under the Computational Diffie–Hellman (CDH) assumption.

Theorem 1.

If there is an opponent $A_1$ that can break our $IND-CCA2$ in PPT with a non-negligible advantage ε, then there is a challenger $C_1$ that can solve the CDH problem in polynomial time with a non-negligible advantage $Adv\left(C_1\right)⩾{(1-{\displaystyle \frac{q_{SK}}{2^k}})}^2{\displaystyle \frac{\epsilon }{e(q_s+1)}}$. Here, $q_{SK}$ is the number of private key extraction queries, $q_s$ is the number of signcryption queries, and e is the base of the natural logarithm.

Proof. 

Suppose $C_1$ has a CDH problem instance $(P,aP,bP)$ and $C_1$ intends to compute $abP$. $C_1$ constructs a simulation scheme and interacts with $A_1$. Assuming that the hash function is a random oracle under the control of $C_1$, its value is uniformly random and unpredictable unless the corresponding hash query is made.

• $Setup$: $C_1$ performs the setup operation to obtain $P_{pub}=bP$ ($b\in Z_q^{\ast }$ is $ms{k}_0$ and $C_1$ is not accessible) and $params=q,{\mathbb{G}}_1,{\mathbb{G}}_2,P,P_{pub},T_{pub},H_1,H_2,H_3,H_4,H_5$, and then publishes $params$.
• $Phase1$:
  -Public key queries: When $C_1$ receives an identity $RI{D}_{Vi}$ from $A_1$, $C_1$ first checks whether an item $(RI{D}_{Vi},P{K}_{Vi,1},P{K}_{Vi,1})\in L_K$. If so, $C_1$ returns $(P{K}_{Vi,1},P{K}_{Vi,1})$. Otherwise, $C_1$ generates a new $P{K}_{Vi}=(P{K}_{Vi,1},P{K}_{Vi,1})$ according to $AI{D}_{Vi}$ and stores it in $L_K$ and returns it to $A_1$.
  -$H_1$ queries: When $C_1$ receives $H_1$ queries from $A_1$, $C_1$ first checks whether list $L_{H1}$ exists items $(RI{D}_{Vi},AI{D}_{Vi,2})$, if so, $C_1$ returns $AI{D}_{Vi,2}$ to $A_1$; otherwise $C_1$ generates a new $AI{D}_{Vi,2}$ for $RI{D}_{Vi}$ in $A_1$ and returns it to $A_1$.
  -$H_2$ queries: When $C_1$ receives an $H_2$ query from $A_1$, $C_1$ first checks the list $L_{H2}$ for the presence of items $(AI{D}_{Vi,1},AI{D}_{Vi,2},AI{D}_{Vi})$, and if so, $C_1$ returns $AI{D}_{Vi}$ to $A_1$. Otherwise, $C_1$ will generate a new $AI{D}_{Vi}$ in $A_1$ for $(AI{D}_{Vi,1},AI{D}_{Vi,2})$ and return it to $A_1$.
  -$H_3$ queries: When $C_1$ receives $H_3$ queries from $A_1$, $C_1$ first checks the list $L_{H3}$ for the existence of items $(AI{D}_{Vi},U_{Vi},h_{i,3})$, and if so, $C_1$ returns $h_{i,3}$ to $A_1$; otherwise, $C_1$ generates a new $h_{i,3}$ in $A_1$ for $(AI{D}_{Vi},U_{Vi})$ and returns it to $A_1$.
  -$H_4$ queries: When $C_1$ receives $H_4$ queries from $A_1$, $C_1$ first checks the list $L_{H4}$ for the existence of items $(X_i,h_{i,4})$, and if so, $C_1$ returns $h_{i,4}$ to $A_1$; otherwise, $C_1$ generates a new $h_{i,4}$ for $X_i$ in $A_1$ and returns it to $A_1$.
  -$H_5$ queries: When $C_1$ receives an $H_5$ query from $A_1$, $C_1$ first checks the list $L_{H5}$ for the presence of items $(m_i,AI{D}_{Vi},P{K}_{Vi},X_i,T_i,h_{i,5})$, and if so, $C_1$ returns $h_{i,5}$ to $A_1$; otherwise, $C_1$ generates a new $h_{i,5}$ for $(m_i,AI{D}_{Vi},P{K}_{Vi},X_i,T_i)$ in $A_1$ and returns it to $A_1$.
  -Partial private key queries: When $C_1$ receives an anonymous identity $AI{D}_{vi}$ from $A_1$, $C_1$ performs the partial private key operation to calculate the partial private key $s_{Vi,1}$ and returns it to $A_1$.
  -Private key queries: When $C_1$ receives one $(s_{Vi,1},U_{Vi})$ from $A_1$, $C_1$ performs the private key operation to obtain $s_{Vi,2}$ and returns it to $A_1$. Otherwise, run the public key query to generate the private key.
  -Public key replacement queries: $A_1$ submits public key $P{K}_{Vi}^{\prime }$ to $C_1$, which replaces $P{K}_{Vi}$ with $P{K}_{Vi}^{\prime }$ in list $L_K$.
  -Signcryption queries: When $A_1$ requests signcryption message m, $C_1$ simulates offline signcryption and online signcryption operations to generate the ciphertext ${\sigma }_i$ and returns it to $A_1$.
  -Unsigncryption queries: $C_1$ generates m or ⊥ by simulating the unsigncryption operation and sends it to $A_1$.
• $Challenge$: $A_1$ selects two equal-length messages, $m_0,m_1$, and specifies the target identity $RI{D}_V^{\ast }$. $C_1$ randomly selects $\rho \in \{0,1\}$ to generate the challenge ciphertext ${\sigma }^{\ast }$ and return it to $A_1$.
• $Phase2$: $A_1$ can repeat the query of $phase1$, but it is forbidden to initiate a decryption query for the challenge ciphertext ${\sigma }^{\ast }$. If this rule is violated, $C_1$ terminates the interaction immediately.
• $Guess$: $A_1$ outputs guess value ${\rho }^{\prime }$. If ${\rho }^{\prime }=\rho$, then $A_1$ wins.

□

$C_1$ fails if $A_1$ has already performed a private key query in response to $RI{D}_{Vi}$ and $RI{D}_{Ri}$. The event in which $A_1$ does not make such a query is represented by x, and its probability is $Pr\left[x\right]={(1-{\displaystyle \frac{q_{SK}}{2^k}})}^2$. The event that $C_1$ does not stop executing at $Phase1$ is denoted by $x_1$ with probability $Pr\left[x_1\right]={(1-\phi )}^{q_s}$. The event that $C_1$ does not stop execution at Challenge is denoted by $x_2$ with probability $Pr\left[x_2\right]=\phi$. Therefore, the probability that $C_1$ does not stop executing throughout the simulation is $Pr[x\bigwedge x_1\bigwedge x_2]={(1-{\displaystyle \frac{q_{SK}}{2^k}})}^2{(1-\phi )}^{q_s}\phi$. Knowing $\phi ={\displaystyle \frac{1}{q_s+1}}$, it can be found that when $q_s$ is large enough, ${(1-\phi )}^{q_s}$ will be infinitely close to $e^{-1}$ (e represents the base of the natural logarithm). Therefore, the probability that $C_1$ does not stop executing during the entire simulation is $Pr={(1-{\displaystyle \frac{q_{SK}}{2^k}})}^2{\displaystyle \frac{1}{e(q_s+1)}}$.

If $A_1$ attacks the confidentiality of our scheme with a non-negligible advantage $\epsilon$, $C_1$ can construct a solution to the CDH problem from $A_1$’s interactive record. Through the above analysis, we can obtain that the advantage of $C_1$ is $Adv\left(C_1\right)⩾{(1-{\displaystyle \frac{q_{SK}}{2^k}})}^2{\displaystyle \frac{\epsilon }{e(q_s+1)}}$.

(3) Unforgeability: Our scheme implements $EUF-CMA$ security under the ECDLP.

Theorem 2.

If there is an opponent $A_2$ who can break our $EUF-CMA$ in PPT with a non-negligible advantage ε, then there is a challenger $C_2$ who can solve the ECDLP in polynomial time with a non-negligible advantage $Adv\left(C_2\right)⩾{(1-{\displaystyle \frac{q_{SK}}{2^k}})}^2{\displaystyle \frac{\epsilon }{e(q_s+1)}}$. Here, $q_{SK}$ is the number of private key extraction queries, $q_s$ is the number of signcryption queries, and e is the base of the natural logarithm.

Proof. 

Suppose $C_2$ has an ECDLP instance $(P,bP)$, and $C_2$ intends to compute $b\in Z_q^{\ast }$. $C_2$ constructs a simulation scheme and interacts with $A_2$. Assuming that the hash function is a random oracle under $C_2$ control, its value is uniformly random and unpredictable unless the corresponding hash query is made.

• $Setup$: $C_2$ performs the setup operation to obtain $P_{pub}=bP$ ($b\in Z_q^{\ast }$ is $ms{k}_0$ and $C_1$ is not accessible) and $params=q,{\mathbb{G}}_1,{\mathbb{G}}_2,P,P_{pub},T_{pub},H_1,H_2,H_3,H_4,H_5$, and then publishes $params$.
• $Phase1$:
  -Queries: Perform the same $H_i(i=1,2,3,4,5)$ queries, public key queries, partial private key queries, private key queries, and public key replacement queries as in $\mathrm{Theorem}1$.
  -Signcryption queries: $A_2$ submits message m and anonymous $AI{D}_{Vi}$ to request signcryption of m. $C_2$ queries whether $AI{D}_{Vi}$ exists. If $AI{D}_{Vi}$ does not exist, perform related operations to generate and save $S{K}_{Vi}$ and $P{K}_{Vi}$ corresponding to $AI{D}_{Vi}$. The offline signcryption and online signcryption operations are simulated to generate the ciphertext ${\sigma }_i$ and return it to $A_2$.
  -Unsigncryption queries: $A_2$ submits signature $\sigma$ and anonymous identity $AI{D}_{Vi}$ to request the signcryption of $\sigma$. $C_2$ searches the public key $P{K}_{Vi}$ corresponding to $AI{D}_{Vi}$ and simulates the unsigncryption operation to obtain m or ⊥ and sends it to $A_2$.
• $Forgephase$: $A_2$ randomly selects $r\in Z_q^{\ast }$, $R^{\ast }=rP$, calculates $W^{\ast }=rP{K}_R$, then calculates $\delta =m⨁H_4\left(W^{\ast }\right)$, $h_5^{\ast }=H_5(m,AI{D}_V,P{K}_V,R^{\ast },T^{\ast })$, chooses ${\omega }^{\ast }\in Z_q^{\ast }$ to prove that ${\omega }^{\ast }P=h_5^{\ast }P{K}_V+R^{\ast }$. Return ${\sigma }^{\ast }=({\delta }^{\ast },{\omega }^{\ast },W^{\ast },T^{\ast })$ to $C_2$. If $C_2$ solves the ECDLP, the private key b can be calculated; otherwise, the ECDLP is not solved.

□

$C_2$ fails if $A_2$ has already performed a private key query in response to $RI{D}_{Vi}$. The event in which $A_2$ does not make such a query is represented by x, and its probability is $Pr\left[x\right]={(1-{\displaystyle \frac{q_{SK}}{2^k}})}^2$. The event that $C_2$ does not stop executing at $Phase1$ is denoted by $x_1$ with probability $Pr\left[x_1\right]={(1-\phi )}^{q_s}$. The event that $C_2$ does not stop execution at challenge is denoted by $x_2$ with probability $Pr\left[x_2\right]=\phi$. Therefore, the probability that $C_2$ does not stop executing throughout the simulation is $Pr[x\bigwedge x_1\bigwedge x_2]={(1-{\displaystyle \frac{q_{SK}}{2^k}})}^2{(1-\phi )}^{q_s}\phi$. Knowing $\phi ={\displaystyle \frac{1}{q_s+1}}$, it can be found that when $q_s$ is large enough, ${(1-\phi )}^{q_s}$ will be infinitely close to $e^{-1}$ (e represents the base of the natural logarithm). Therefore, the probability that $C_2$ does not stop executing during the entire simulation is $Pr={(1-{\displaystyle \frac{q_{SK}}{2^k}})}^2{\displaystyle \frac{1}{e(q_s+1)}}$.

From the above analysis, it can be seen that the probability of $C_2$ not stopping execution in the whole process is ${(1-{\displaystyle \frac{q_{SK}}{2^k}})}^2{\displaystyle \frac{1}{e(q_s+1)}}$, and $A_2$ can attack the unforgeability of the improved scheme with a non-negligible probability $\epsilon$. Then, $C_2$ can obtain a solution to the ECDLP in PPT with probability $Adv\left(C_2\right)⩾{(1-{\displaystyle \frac{q_{SK}}{2^k}})}^2{\displaystyle \frac{\epsilon }{e(q_s+1)}}$.

5.2. Informal Security Analysis

The security requirements met by our scheme are as follows:

(1) Confidentiality and unforgeability: Formal security analysis confirms that our scheme achieves confidentiality and unforgeability.

(2) Authentication and integrity: According to $\mathrm{Theorem}2$’s proof of the existence of unforgeability, our scheme is secure against Type I and Type II attackers who cannot forge a valid signature.

(3) Anonymity: Anonymous identity ${AID}_{Vi}=H_2({AID}_{Vi,1},{AID}_{Vi,2},t_i)$ is used to hide the real identity, where ${AID}_{Vi,1}=r_{Vi}P$, ${AID}_{Vi,2}={RID}_{Vi}⨁H_1(a_1{RID}_{Vi}$. $t_i$ represents the timestamp of ${AID}_{Vi}$, ensuring the validity of ${AID}_{Vi}$. The attacker would have to obtain $a_1$ if they wanted to obtain the real identity $RI{D}_{Vi}$. However, $a_1$ is the key chosen by the TRA. According to the ECDLP, no attacker can extract $a_1$ from Tpub in PPT. Therefore, our scheme ensures anonymity.

(4) Non-repudiation: If the vehicle attempts to deny the transmission, the TRA can verify that the message was indeed sent by the vehicle by verifying the legitimacy of the signature. Because of the uniqueness and confidentiality of the private key, the signer cannot deny its signcryption behavior, thus ensuring non-repudiation.

(5) Conditional traceability and revocability: If the anonymous identity $AI{D}_{Vi}$ is used to send malicious messages, the TRA can search the corresponding anonymous identity in the database, find the real identity $RI{D}_{Vi}$ bound to it, and revoke the registration of the malicious vehicle to achieve conditional traceability and revocability.

(6) Unlinkability: In the anonymization phase, TRA randomly selects $t_i$ to generate anonymous identity. In addition, the vehicle randomly selects $x_{i,1},x_{i,2}$ and computes the resulting $x_i$ to generate the signature. Due to the randomness of $t_i,x_{i,1}$, and $x_{i,2}$, neither different anonymous identities nor different signatures of the same vehicle can be linked by the attacker in the PPT.

(7) Resist attacks: In addition to the above security features, our scheme resists the following common attacks.

Replay attacks: There are two timestamps in our scheme; $t_i$ is included in the anonymous identity AIDVi and $T_i$ is included in the signature $\sigma$. When a message/signature pair is received, the verifier can detect the playback of the message by verifying the freshness of the timestamp.

Impersonation attacks: In order to launch a impersonation attack, the attacker should generate a valid signature. However, according to $\mathrm{Theorem} 2$, an attacker cannot generate valid message/signature pairs in PPT because neither of them can solve the ECDLP. Therefore, our scheme can successfully resist impersonation attacks.

Modification attacks: According to the security analysis of our scheme described above, any modification of the message/signature pair can be detected by checking whether the formula ${\omega }_{i}P=\{h_{i,5}{PK}_{Vi}+X_i\}$ holds, so our scheme can successfully resist modification attacks.

Man-in-the-middle attacks: Our scheme implements authentication based on ECDLP security, making it impossible for any third party to forge a valid signature between the message signer and the verifier, so our scheme is resistant to this attack.

ESL attacks: If the temporary keys $x_{i,1}$ and $x_{i,2}$ of the offline phase are compromised, the attacker cannot calculate $x_i=(x_{i,1}{s}_{Vi,1}+x_{i,2}{s}_{Vi,2}){(s_{Vi,1}+s_{Vi,2})}^{-1}$ unless the attacker breaks the CDH problem. According to the confidentiality proof of $\mathrm{Theorem}1$, our scheme successfully defends against ESL attacks.

Full chosen-key attack: Our scheme uses a simplified small index testing technique in the aggregation process [33]. Using the above techniques, we add small random integer sets $L=\{l_2,\dots ,l_n\}$ in the aggregate unsigncryption phase. Due to the randomness of $l_i$, any modification to a single signature ${\sigma }_i$ can be detected by the verifier (a strict proof can be found in [33]). Therefore, our scheme successfully resists the full chosen-key attack.

6. Performance Analysis

In Section 6, we analyze the performance of the protocol in terms of computational cost and communication overhead. We chose four signcryption schemes [26,34,35,36] to compare with our scheme to prove the effectiveness of our scheme. Therefore, in the comparison experiment phase, we choose the elliptic curve $y^2=x^3+x$, where q is 160 primes, p is 512 primes, $\mathbb{G}$ is the addition group of order q, and P is the generator of $\mathbb{G}$. The simulation uses two core Intel Core i5 processors clocked at 2.5 GHz, 4 GB of RAM, and a Linux operating system.

6.1. Computational Overhead Comparison

To calculate the computational cost of each scheme, we conducted experiments on the time cost of the main cryptographic operations. Each cryptographic operation was run 1000 times, and the average value was taken as the final time cost. The cryptographic operations involved in our scheme and those in the schemes [26,34,35,36] are as follows: (1) $T_s$ represents scalar multiplication in $\mathbb{G}$; (2) $T_{h-s}$ represents a hash function mapping to the string ${\{0,1\}}^{\ast }$; (3) $T_{h-z}$ represents a hash function mapping to the string $Z_q^{\ast }$; (4) $T_p$ represents symmetric bilinear pairing; (5) $T_e$ represents exponentiation in the multiplicative group. We list the running times of these cryptographic operations in

Table 2. Execution time of primary operations.

Notations	Description	Execution Time (ms)
$T_s$	Scalar multiplication in $\mathbb{G}$	0.444
$T_{h-s}$	A hash function mapping to the string ${\{0,1\}}^{\ast }$	0.011
$T_{h-z}$	A hash function mapping to the string $Z_q^{\ast }$	0.0023
$T_p$	Symmetric bilinear pairing	0.646
$T_e$	Exponentiation in the multiplicative group	0.028

. Based on the above values, the computational costs of the five schemes are given in

Table 3. Computational overhead for each scheme.

Scheme	Signcrypt	Single-Ciphertext’s Unsigncrypt	Multiple Ciphertext’s Unsigncrypt
[26]	${(2T_s+T_{h-z}+T_p)}_{off}+{(T_{h-s}+T_{h-z})}_{on}$	$T_s+T_{h-s}+3T_{h-z}+4T_p$	$n{T}_s+n{T}_{h-s}+(n+2)T_{h-z}+4n{T}_p$
[34]	${\left(T_s\right)}_{off}+{(T_s+3T_{h-s}+T_{h-z})}_{on}$	$5T_s+T_{h-s}+2T_{h-z}$	$(4n+1)T_s+n{T}_{h-s}+(n+1)T_{h-z}$
[35]	${(4T_s+T_{h-s}+4T_{h-z}+T_p)}_{on}$	$2T_s+T_{h-s}+3T_{h-z}+2T_p$	$2n{T}_s+n{T}_{h-s}+(2n+1)T_{h-z}+2n{T}_p$
[36]	${(4T_s+T_{h-s}+3T_{h-z}+T_p)}_{on}$	$T_s+T_{h-s}+3T_{h-z}+2T_p$	$n{T}_s+n{T}_{h-s}+(2n+1)T_{h-z}+(n+1)T_p$
OURS	${\left(2T_s\right)}_{off}+{(T_{h-s}+T_{h-z})}_{on}$	$3T_s+T_{h-s}+T_{h-z}$	$(2n+1)T_s+n{T}_{h-s}+n{T}_{h-z}$

, assuming that each vehicle only sends one message to the RSU and n is the number of vehicles, so the number of ciphertexts is also n. In the performance analysis, if the scheme adopts the OOE technology, we only focus on the online signcryption operation cost rather than the complete offline–online signcryption operation cost. The reason is as follows: in the real application environment, since the precomputation in the offline stage does not involve real-time messages, the computation process in this stage can be carried out during idle periods. In other words, this study focuses on the real-time message processing stage.

In our scheme, the complex scalar multiplication operation is run in the offline stage, and only simple hash function operations are run in the online stage. This division of labor reduces the burden on vehicles in real-time computation, thereby improving communication efficiency. In contrast, scheme [34] only uses one scalar multiplication in the offline stage, resulting in additional scalar multiplications in the online stage. Therefore, the online stage cost of our scheme is much smaller than that of the scheme in [34]. Thus, the precomputation in the offline stage is of practical significance. Taking the transmission of a sensitive message as an example, the computational costs of signcryption and decryption in these comparison schemes are shown in Figure 3 and Figure 4.

For the scheme in [26], one symmetric bilinear pairing, two scalar multiplications, two hash functions mapping to the string $Z_q^{\ast }$, and one hash function mapping to the string ${\{0,1\}}^{\ast }$ are implemented in the signcryption phase. Four symmetric bilinear pairings, one scalar multiplication, three hash functions mapping to the string $Z_q^{\ast }$, and one hash function mapping to the string ${\{0,1\}}^{\ast }$ are implemented in the unsigncryption phase. For the scheme in [34], two scalar multiplications, three hash functions mapping to the string $Z_q^{\ast }$, and one hash function mapping to the string ${\{0,1\}}^{\ast }$ are implemented in the signcryption phase. Five scalar multiplications, two hash functions mapping to the string $Z_q^{\ast }$, and one hash function mapping to the string ${\{0,1\}}^{\ast }$ are implemented in the unsigncryption phase. For the scheme in [35], one symmetric bilinear pairing, four scalar multiplications, four hash functions mapping to the string $Z_q^{\ast }$, and one hash function mapping to the string ${\{0,1\}}^{\ast }$ are implemented in the signcryption phase. Two scalar multiplications, two symmetric bilinear pairing, three hash functions mapping to the string $Z_q^{\ast }$, and one hash function mapping to the string ${\{0,1\}}^{\ast }$ are implemented in the unsigncryption phase. For the scheme in [36], one symmetric bilinear pairing, four scalar multiplications, three hash functions mapping to the string $Z_q^{\ast }$, and one hash function mapping to the string ${\{0,1\}}^{\ast }$ are implemented in the signcryption phase. Two symmetric bilinear pairings, one scalar multiplication, three hash functions mapping to the string $Z_q^{\ast }$, and one hash function mapping to the string ${\{0,1\}}^{\ast }$ are implemented in the unsigncryption phase. For our scheme, in the signcryption phase, two scalar multiplications, one hash function mapping to the string $Z_q^{\ast }$, and one hash function mapping to the string ${\{0,1\}}^{\ast }$ are implemented. In the unsigncryption phase, three scalar multiplications, one hash function mapping to the string $Z_q^{\ast }$, and one hash function mapping to the string ${\{0,1\}}^{\ast }$ are implemented. Based on the analysis above, it can be observed from Figure 3 and Figure 4 that our scheme demonstrates significantly lower computational overhead during the signcryption phase compared to other schemes. Furthermore, in the decryption phase, our scheme achieves the smallest computational cost, and this is accomplished without employing symmetric bilinear pairings.

According to the DSRC specification, each vehicle must broadcast a basic safety message every 300 ms [37]. Assuming that there are usually 100 vehicles within the communication range of the RSU, approximately 350 messages are generated per second. To enhance the rationality of the analysis, our evaluation should include the computational cost of 350 signcryption operations. As shown in Figure 5, and with the increase in the number of messages, the signcryption efficiency of our scheme is superior to that of the schemes in [26,34,35,36].

We used omnet++ to conduct a real simulation of the time delay of this scheme, including the signcryption time, communication delay, and unsigncryption time. By making corresponding adjustments to the number of vehicles, when the number of vehicles was 20, the corresponding average communication delay was 13.9 ms. When the number of vehicles was 40, the corresponding average communication delay was 15.1 ms. When the number of vehicles was 60, the corresponding average communication delay was 16.6 ms. When the number of vehicles was 80, the corresponding average communication delay was 14.2 ms. When the number of vehicles was 100, the corresponding average communication delay was 14.6 ms. Figure 6 shows part of the simulation model based on 20 vehicles in the experiment. In Figure 6, our scheme defines the effective communication range of the RSU as 1 km and the speed of the vehicle as 30 m/s.

6.2. Communication/Storage Cost

Suppose that the element in G has size $\mid \breve{G}\mid$ and the message size is $\mid Z_q^{\ast }\mid$. Given that the primary communication overhead depends on ciphertext size,

Table 4. Computational overhead for each scheme.

Schemes	Send a Single Message	Send n Messages
[26]	$3\mid \breve{G}\mid +\mid Z_q^{\ast }\mid$	$(2n+1)\mid \breve{G}\mid +n\mid Z_q^{\ast }\mid$
[34]	$2\mid \breve{G}\mid +\mid Z_q^{\ast }\mid$	$(n+1)\mid \breve{G}\mid +n\mid Z_q^{\ast }\mid$
[35]	$2\mid \breve{G}\mid +\mid Z_q^{\ast }\mid$	$(n+1)\mid \breve{G}\mid +n\mid Z_q^{\ast }\mid$
[36]	$2\mid \breve{G}\mid +\mid Z_q^{\ast }\mid$	$(n+1)\mid \breve{G}\mid +n\mid Z_q^{\ast }\mid$
OURS	$2\mid \breve{G}\mid +\mid Z_q^{\ast }\mid$	$(n+1)\mid \breve{G}\mid +n\mid Z_q^{\ast }\mid$

presents a comparative analysis of the communication costs for the five schemes. The storage cost depends primarily on the size of the public/private key pair for both the sender and receiver, as well as the size of the signcryption itself. As shown in Table 4, we have reduced computing costs without increasing communication costs.

7. Conclusions

In order to meet the complex security requirements of VANETs, we propose a certificateless aggregated signcryption scheme based on edge computing. The scheme eliminates the dependence on expensive bilinear pairing operations and improves computational efficiency through online/offline encryption technology, making it suitable for resource-constrained environments. By adopting pseudonym mechanisms and conditional traceability, the protocol ensures strong privacy protections while enabling the identification and revocation of malicious vehicles. The security analysis shows that the scheme satisfies the confidentiality of $IND-CCA2$ and unforgerability of $EUF-CMA$ under CDH and ECDLP assumptions and can effectively resist common attacks, such as replay attacks, impersonation attacks, modification attacks, man-in-the-middle attacks, ESL attacks, and full chosen-key attacks. The performance analysis further verifies the advantages of the proposed scheme in terms of computation and communication overhead compared with the existing schemes and realizes faster signature encryption and de-signature encryption processes. This scheme still requires the KGC and TRA to generate and distribute some private keys and anonymous identities. This process increases the management cost of the system and potential security risks. The future research direction focuses on studying more lightweight key management and distribution mechanisms to reduce the burden of the KGC and TRA while improving the security and reliability of the system. In addition, in the work of reducing communication costs, we will shorten the length of the ciphertext without affecting the effect.