A Unified Fault-Tolerant Batch Authentication Scheme for Vehicular Networks

Abstract

This paper proposes a unified fault-tolerant batch authentication scheme for vehicular networks, designed to address key limitations in existing approaches, namely the segregation between in-vehicle and V2I authentication scenarios and the lack of fault tolerance in traditional batch authentication methods. Based on a hardware–software co-design philosophy, the scheme deeply integrates the security features of hardware such as Tamper-Proof Devices (TPDs) and Physical Unclonable Functions (PUFs) with the efficiency of cryptographic primitives like Aggregate Message Authentication Codes (MACs) and the Chinese Remainder Theorem (CRT). It establishes an end-to-end, integrated authentication framework spanning from in-vehicle electronic control units (ECUs) to external roadside units (RSUs), effectively meeting the diverse requirements for secure and efficient authentication among the three core entities involved in Internet of Vehicles (IoV) data collection: in-vehicle ECUs, vehicle gateways, and RSUs. Security analysis demonstrates that the proposed scheme fulfills the necessary security requirements. And extensive experimental results confirm its high efficiency and practical utility.

1. Introduction

Serving as the foundation for advanced Internet of Vehicles (IoV) applications such as smart traffic scheduling [1] and cooperative driving [2], vehicle perception data primarily collected and generated by onboard sensors encompasses information about the vehicle’s own status and the surrounding environment [3,4,5]. As illustrated in Figure 1, perception data is initially captured by various in-vehicle sensors, pre-processed by electronic control units (ECUs), and then transmitted to the vehicle gateway for encapsulation. Subsequently, it is conveyed via IoV communication technologies to roadside units (RSUs) and Cloud Platforms (CS), ultimately driving upper-layer IoV intelligent applications. Therefore, ensuring the secure transmission of vehicle perception data from in-vehicle to external system is of critical importance. However, in IoV, which is open network environment, adversaries may illegally forge or maliciously tamper with the perception data, thereby undermining the availability of IoV services [6,7]. As the first line of defense for guaranteeing the secure acquisition and transmission of vehicle perception data, authentication has been extensively studied [8,9,10].

Existing IoV authentication schemes can be categorized into two classes based on their application scenarios: in-vehicle authentication [11] and out-of-vehicle authentication [12]. In-vehicle authentication primarily focuses on verifying the identity legitimacy of various ECUs connected to the controller area network (CAN) bus. It commonly employs lightweight cryptographic primitives or intrusion detection with a hardware–software co-design security philosophy to ensure the security of perception data during in-vehicle transmission [13,14,15]. Out-of-vehicle authentication, on the other hand, mainly focuses on authentication between vehicles and between vehicles and RSU utilizing public-key cryptography and anonymous message authentication techniques, aiming to ensure the security of perception data during external transmission while simultaneously preserving vehicle identity privacy [8,16].

However, it is the division of the whole IoV scenario into in-vehicle and out-of-vehicle among current IoV authentication mechanisms that leads to a critical limitation: traditional out-of-vehicle authentication mechanisms can only verify the legitimacy of the vehicle’s identity but are incapable of authenticating the legitimacy of in-vehicle ECUs or verifying whether the perception data has been tampered with [17,18]. Considering a straightforward combination of existing in-vehicle and out-of-vehicle authentication schemes would introduce redundant computation and storage overhead, including but not limited to key management inevitably, designing an integrated in-vehicle and out-of-vehicle authentication framework presents a significant challenge. Furthermore, while existing batch authentication schemes can improve the efficiency of RSU in verifying vehicle messages, they are suffering from a major drawback: the presence of even a single illegal message will cause the failure of the batch authentication [19,20], which limits their application in the time-sensitive IoV.

To address the aforementioned challenges, this paper proposes a unified fault-tolerant batch authentication scheme for vehicular networks (UFTBA). Guided by a hardware-software co-design philosophy, the scheme leverages the hardware security features of tamper-proof devices (TPDs) and physical unclonable functions (PUFs), combined with the algorithmic efficiency of the aggregate message authentication code and the Chinese Remainder Theorem (CRT). Specifically, we sequentially design a PUF-based in-vehicle group authentication method and a TPD-assisted out-of-vehicle batch anonymous message authentication method. The integration of these two methods realizes an integrated, efficient batch authentication framework for both in-vehicle and out-of-vehicle scenarios. This framework fulfills the critical requirement for secure and efficient authentication among the three key entities involved in the IoV perception data acquisition process: in-vehicle ECUs, the vehicle gateway, and the RSU. The specific contributions of this paper are as follows:

• Established integrated in-vehicle and out-of-vehicle authentication, guaranteeing end-to-end security for the perception data flow from ECUs to the RSU. This is accomplished by, firstly, employing PUF challenge–response pairs to generate unique hardware-based identities for ECUs and implementing a group key agreement protocol via a non-overlapping clustering technique for the in-vehicle phase. Then, for out-of-vehicle communication, the TPD is utilized to generate vehicle pseudonyms, and the same non-overlapping clustering technique is leveraged to achieve efficient and fault-tolerant batch authentication of messages from multiple vehicles.
• Achieved efficient batch authentication with inherent fault tolerance, thereby solving the “all-or-nothing” verification problem in traditional approaches where a single invalid message causes the entire batch to fail. By utilizing the non-overlapping clustering technique, the authentication codes from ECUs are grouped and aggregated. This allows for the rapid identification of illegitimate nodes through batch verification. Similarly, during the out-of-vehicle communication phase, the RSU employs the same technique to group message signatures from multiple vehicles. Invalid signatures are handled through fault-tolerant verification of smaller sub-batches, meaning only the failed group needs re-verification instead of the entire batch.
• Security and Practicality. Security analysis demonstrates that the proposed scheme can resist various attacks defined in the threat model. Extensive simulations and performance evaluations confirm its high efficiency and practical utility.

The paper is organized as follows: Section 2 reveals the related work, while Section 3 presents the preliminary knowledge necessary for the proposed scheme. In Section 4, the system model and threat model are put forward. Section 5 is devoted to the implementation of the proposed scheme. Section 6 is concerned with the analysis of security and simulation experiments. Finally, Section 7 concludes the paper.

2. Related Work

Based on the application scenarios of IoV authentication schemes, we categorize existing approaches into two classes. The first is in-vehicle authentication, which primarily focuses on the authentication of various ECUs mounted on the CAN bus. Its purpose is to ensure the security of perception data during in-vehicle transmission. The second is out-of-vehicle authentication, which mainly concentrates on the authentication of vehicles. It is designed to guarantee the security of perception data during out-of-vehicle transmission, while also addressing the privacy protection of vehicle identities.

Due to limited resources of in-vehicle devices, in order to reduce the load on the CAN bus, Wu et al. proposed a security protocol for the CAN bus data where the encrypted data can be transmitted within the data field instead of the extended-ID and cyclic redundancy check (CRC) field of the CAN frame by using a data compression algorithm [21]. Nilsson et al. introduced an authentication protocol splitting and subsequently recombining the generated MAC based on a combined message authentication code (MAC) and CRC [22]. However, the above schemes introduced additional authentication latency. To make in-vehicle authentication more timely, Woo et al. truncated the MAC to 32 bits to achieve message authentication without increasing additional bus load, at the cost of weaker security [23]. Similarly, in order to reduce the bus overhead, Murvay et al. and Choi et al. successively proposed methods that leveraged the physical signal characteristics on the CAN bus for ECU authentication [24,25]. However, such schemes were susceptible to interference in practical environments, leading to a high error rate.

Anonymous message authentication is a commonly used method for achieving privacy protection in out-of-vehicle authentication. Asghar et al. proposed an efficient and scalable public-key certificate-based message authentication scheme, providing anonymity for vehicle identities by pre-loading a large number of pseudonymous public-key certificates into vehicles and using a different public key to sign each message [26]. However, the extensive and cumbersome certificate management involved lead to low authentication efficiency. To overcome this issue, Zhang et al. proposed an identity-based privacy-preserving authentication scheme for the IoV [27]. This scheme used pseudonymous identities as public keys for message signing, thereby avoiding the complex management issues associated with traditional public-key certificates. To further improve authentication efficiency, Cui et al. and Wei et al. developed several batch anonymous message authentication schemes leveraging the TPD installed in vehicles [28,29]. Furthermore, considering the issue of vehicle revocation, Zhang et al. proposed a conditional privacy-preserving authentication scheme based on the CRT [30]. Inspired by [30], we utilize CRT in our proposed scheme to achieve efficient distribution of in-vehicle session keys.

Table 1. Function comparison of schemes.

	Technique	Unified Authentication	Fault Tolerance	Vehicle Privacy Information Protection
[31]	SRAM PUF and MAC	× 1	-	-
[15]	Digital Watermark and Huffman Coding	×	-	-
[32]	ECC	×	×	√ 2
[33]	Blockchain and ECC	×	×	√
[34]	Blockchain and Accumulator	×	×	√
Ours	PUF and MAC and CRT	√	√	√

¹ Scheme does not implement the function. ² Scheme implements the function.

compares our scheme with other in-vehicle authentication schemes based on PUF and out-of-vehicle batch authentication scheme in terms of function. Lai et al. combined PUF with MAC to achieve lightweight in-vehicle authentication and key distribution [31], while Wu et al. further enhanced the security of in-vehicle data communication based on digital watermarking [15]. However, these above schemes are all based on the assumption that the vehicle gateway is secure, and do not consider the serious security risks caused by the malicious manipulation of the vehicle gateway. Schemes [32,33,34] achieved batch authentication of vehicle messages. Maurya et al. and Dwivedi et al. used elliptic curve encryption to achieve vehicle authentication that protects vehicle privacy in the IoV scenario [32,33], and Zhong et al. introduced accumulator technology to achieve cross-domain batch authentication of vehicles [34]. However, these schemes cannot achieve fault tolerance. This means once there is an error message, the batch authentication will fail, which ultimately reduces the authentication efficiency of the vehicles. Our scheme can achieve fault-tolerant batch authentication out of the vehicle while taking into account the security guarantee of the in-vehicle gateway, and it builds an efficient end-to-end security authentication framework from ECU to RSU.

3. Preliminaries

3.1. Notation

Table 2. Notations used frequently.

Notations	Description
$UID$	Unique identity of vehicle
$PID$	Pseudonym of vehicle
$(c_j,r_j)$	The CRPs for $ECUs$
$Aut{h}_i^{*}$	The authentication code of $EC{U}_i$
${\mathsf{\Psi }}_c^{*}$	The aggregated authentication code for $ECUs$ in the $c^{th}$ group
${\Phi }_i$	The signature of vehicle $U_i$

summarizes the notations that are used frequently.

3.2. Cryptographic Primitive

3.2.1. Group

Let G be a set equipped with a binary operation ·. The structure $(G,·)$ is called a group (often denoted simply by G) if and only if the following four axioms are satisfied [35]:

• Closure: For all $a,b\in G$, the result of the operation $a·b$ also belongs to G.
• Associativity: For all $a,b,c\in G$, the equation $(a·b)·c=a·(b·c)$ holds.
• Identity Element: There exists an element $einG$ such that for every element $a\in G$, the equations $e·a=a$ and $a·e=a$ hold.
• Inverse Element: For each $a\in G$, there exists an element $a^{-1}\in G$ such that $a·a^{-1}=a^{-1}·a=e$, where e is the identity element.

3.2.2. Elliptic Curve Cryptography

In 1984, Miller first applied elliptic curves to cryptography. After Koblitz utilized the elliptic curve discrete logarithm problem (ECDLP) to construct elliptic curve cryptography (ECC), ECC began to be widely adopted in security-related fields such as encryption and protocols [36].

Let ${\mathbb{F}}_p$ denote a finite field of order p, where p is a large prime. An elliptic curve E defined over ${\mathbb{F}}_p$ is given by the equation:

$$\begin{array}{c}\hfill y^2=x^3+ax+b(modp),\mathrm{where}a,b\in {\mathbb{F}}_p.\end{array}$$

(1)

Let ${\mathbb{G}}_p$ be the set of points on E, forming a group of prime order q with generator P, which includes the point at infinity $\mathcal{O}$. The group ${\mathbb{G}}_p$ has the following properties:

• Addition/Subtraction (+/−). Let P and Q be two points in ${\mathbb{G}}_p$.
  • If $P\ne Q$, then $R=P+Q$, where R is the reflection over the x-axis of the third point of intersection between the curve E and the line connecting P and Q.
  • If $P=Q$, then $R=P+Q=2P$, where R is the reflection over the x-axis of the second point of intersection between the curve E and the tangent line at point P (or Q).
  • If $Q=-P$, then $P+Q=P-P=\mathcal{O}$.
• Scalar Multiplication. Let $P\in {\mathbb{G}}_p$ and $m\in {\mathbb{Z}}_q^{*}$. Scalar multiplication over the group ${\mathbb{G}}_p$ is defined as

  $$\begin{array}{c}\hfill m·P=\underset{m\mathrm{times}}{\underbrace{P+P+\cdots +P}}\end{array}$$

  (2)

3.2.3. Chinese Remainder Theorem

The Chinese Remainder Theorem (CRT) is a renowned ancient Chinese mathematician, used for solving systems of linear congruences [37]. Also known as Sun Zi’s Theorem, it plays a significant role in diverse fields such as classical information communication, modern mathematics, and contemporary cryptography. The definition of the CRT is as follows:

Let $n\ge 2$, $(m_1,\dots ,m_n)\ge 2$, and $(z_1,\dots ,z_n)\in \mathbb{Z}$. If $gcd(m_i,m_n)=1$ for all $1\le i\le n$, $1\le j\le n$ with $i\le j$, then the following system of congruences

$$\begin{array}{c}\hfill \left\{\begin{array}{c}S\equiv z_1(mod{m}_1)\hfill \\ ⋮\hfill \\ S\equiv z_n(mod{m}_n)\hfill \end{array}\right.\end{array}$$

(3)

has a unique solution modulo $M=m_1\times m_2\times \cdots \times m_n$. This solution is given by

$$\begin{array}{c}\hfill S\equiv \sum _{i=1}^n{z}_i·T_i·M_i(modM)\end{array}$$

(4)

where $M_i=M/m_i$, and $T_i$ is the modular multiplicative inverse of $M_i$ modulo $m_i$, i.e., $T_i·M_i\equiv 1(mod{m}_i)$. Moreover, S can be chosen such that $0\le S<M$.

According to the CRT, the system of equations

$$\begin{array}{c}\hfill \left\{\begin{array}{c}{z}_1\equiv S(mod{m}_1)\hfill \\ ⋮\hfill \\ z_n\equiv S(mod{m}_n)\hfill \end{array}\right.\end{array}$$

(5)

can be derived.

A dealer can utilize the CRT to split an initial secret into n shares $(z_1,\dots ,z_n)$ and distribute them to n participants. The original secret can only be recovered when all legitimate participants collaborate. Owing to its computational efficiency, which enhances processing speed, this algorithm is widely adopted in various schemes, such as digital fingerprinting, group signatures, and anti-tracking mechanisms. Practicality and versatility are two of the most significant characteristics of the CRT.

3.2.4. Hardness Assumption

Theorem 1. 

Elliptic curve discrete logarithm problem (ECDLP): Let G be be a finite cyclic group of order q, where q is a large prime, and let P be a generator of G. Let Q be an arbitrary point in G. The ECDLP is to find a solution $x\in {\mathbb{Z}}_q^{*}$ such that $Q=x·P$.

If there exists no algorithm that can solve the ECDLP in group G with a non-negligible probability ϵ within a polynomial computation time t, then the ECDLP is said to be hard in the group G.

Theorem 2. 

Computational Diffie–Hellman (CDH) Assumption: Let $a,b,z\in {\mathbb{Z}}_p$ be integers chosen uniformly at random. There does not exist a probabilistic polynomial-time algorithm $\mathcal{A}$ that can compute group element $g^{ab}$ with the given triple $(g,g^a,g^b)$ in non-negligible advantage.

3.3. Physically Unclonable Functions

3.3.1. Physically Unclonale Functions

Due to the different natural variations in the integrated circuit (IC) manufacturing process, each IC chip has a physical structure that makes it unique. Taking advantage of this property, Physically Unclonable Functions (PUFs) are introduced to simulate human fingerprints for hardware devices [38]. A PUF is a hardware circuit that produces a random string upon an input of bits, $R=PUF\left(C\right)$; this is called the challenge–response pair (CRP), where C is the challenge and R is its response.

Let $C\in {\{0,1\}}^{\lambda }$ be a string of bits of length $\lambda$, and let $PUF$ be a deterministic function such that $R=PUF\left(C\right)$. We say that $PUF$ is a secure PUF if the following holds:

• A response to a challenge $R_i=PUF\left(C_i\right)$ gives negligible information to another response, $R_j=PUF\left(C_j\right)$, where $i\ne j$.
• Without physically having the PUF-device, it is infeasible to generate $R_i^{\prime }=R_i$, where $R_i=PUF\left(C_i\right)$.
• If an adversary, $\mathcal{A}$, tampers with the PUF-device, the PUF function is destroyed.

3.3.2. Noisy PUFs and Fuzzy Extractors

The application of PUFs faces many challenges. Ideally, inputting the same challenge at any time should yield the same output. However, in reality, the output of a PUF may be affected by noise due to voltage fluctuations, temperature, and other environmental or operational factors. For example, when given a challenge C, the PUF output may not be the original response $Raw$, but may be $Ra{w}^{\prime }=Raw\oplus e$, where e is the error. Therefore, directly using the output of PUF for security protocols may compromise the security of the protocols. To address this issue, fuzzy extractors (FE) were proposed to handle bit errors and obtain a more stable PUF response [39,40].

Using FE can make the response of the noisy PUF more reliable. The FE model consists of the following two algorithms:

• $FE.Gen\left(C\right)$: Inputting a challenge C, a key R, and auxiliary data $hd$ are generated. $hd$ is a vector generated by the original output $Raw$ and a linear-error-correction-code.
• $FE.Rec(C,hd)$: Inputting the challenge C and helper-data string $hd$, key R is refactored using error-decoding algorithm.

Furthermore, during long-term use, PUF may develop additional errors due to factors such as hardware aging. Based on the above issues, to ensure the reliability of the authentication, in our scheme, we assume that the PUF response value of the in-vehicle ECU has been stabilized by FE to generate a stable and reliable value R for subsequent calculations.

3.4. Message Authentication Code

Message authentication code (MAC) is a symmetric-key primitive protecting data integrity. A MAC scheme includes three algorithms:

• GenKey($1^{\lambda }$): given a ecurity parameter $\lambda$, output a secret key k.
• Auth($k,m$): given a message m and a secret key k, output a MAC $\sigma$.
• Verify($k,m,\sigma$): given a message m, a MAC $\sigma$ and a secret key k, output 1 if m is correct, and 0 otherwise.

Aggregate MAC is an efficient way to verify multiple messages by reducing the number of MACs needed in verification. For example, given two message–MAC pairs $(m_1,{\sigma }_1)$ and $(m_2,{\sigma }_2)$, where ${\sigma }_i=MAC.Auth\left(m_i\right)$, for $1\le i\le 2$, we can compute an aggregate MAC as

$$\begin{array}{c}\hfill {\sigma }^{*}={\sigma }_1\oplus {\sigma }_2\end{array}$$

(6)

where ⊕ denotes an XOR operation. Then, the integrity of the two messages $m_1,m_2$ can be verified with the aggregated MAC ${\sigma }^{*}$ instead of using two MACs separately. Stated differently, a single aggregate MAC is sufficient to verify the integrity of a large number of messages in a batch. The simple XOR operations make aggregate MACs extremely efficient.

3.5. Cover-Free Family

A k-Cover-Free Family (k-CFF) is defined by a triple $(X,B,k)$, where X is a base set of size n, B is a family of subsets of X such that $B=\{B_1,B_2,\cdots ,B_m\}$, where $B_i$ is called a block, and k is a positive integer. A k-CFF guarantees that for any block $B_i,i\in m$, there exists at least one element that does not belong to any other k blocks.

A $b\times n$ matrix M is called a k-CFF incidence matrix if the following holds:

• b represents the number of blocks (in our scheme, it refers to the number of blocks into which the messages participating in authentication are divided), and n represents the total number of base points (in our scheme, it refers to the total number of messages participating in authentication).
• If the j-th base point is assigned to the i-th block, then $M_{i,j}=1$; otherwise $M_{i,j}=0$.
• For any $k+1$ different indices $j_0,j_1,\cdots ,j_k$, there exists at least one row i such that $M_{i,j_0}=1$ and $M_{i,j_1}=M_{i,j_2}=\cdots =M_{i,j_k}=0$.

When using k-CFF to achieve efficient fault location, malicious base points (in our proposed scheme, illegal messages) can be quickly identified by calculating the intersection of all the blocks that failed authentication.

4. System Overview

4.1. System Model

Figure 2 illustrates the system model of UFTBA, which comprises three entities: ECUs, vehicle gateway, and RSU.

• ECUs. Each ECU is embedded with a PUF and stores a large number of CRPs. Upon receiving a challenge value from the gateway, the ECU uses the corresponding PUF response to compute its respective authentication code, which is then returned to the gateway.
• Vehicle gateway. Acting as a secure hub between the in-vehicle network and the out-of-vehicle network, the vehicle gateway embedded with TPD is responsible for efficient batch authentication of in-vehicle ECUs and group key distribution. It broadcasts PUF challenge values to the ECUs, verifies the aggregated authentication codes received from the ECUs, and after successful authentication, distributes group key to the ECUs using the CRT. Simultaneously, it generates pseudonyms on behalf of the vehicle and transmits encapsulated perception data to the RSU.
• RSU. After receiving a large number of vehicle messages, the RSU performs fault-tolerant batch authentication. Even if a small number of illegitimate vehicle messages are received, the RSU can swiftly complete the authentication of vehicle messages and identify the source of illegitimate data. However, RSU cannot trace the real identity of vehicles based on the received messages.

4.2. Threat Model

In the proposed scheme, both the RSU and the vehicle gateway integrated with TPD are semi-trusted, that correctly execute the protocol procedures. RSU may exhibit curiosity towards vehicle messages and attempt to probe into vehicle users’ privacy. And once a vehicle gateway is compromised, not only will the in-vehicle session key be leaked, but the collected perception data can also be maliciously tampered with. This poses a serious challenge to the confidentiality, integrity, and availability of vehicle perception data. The ECUs are fully untrusted and may attempt to forge or tamper with sensing data, or impersonate other legitimate ECUs.

4.3. Security Model

In our proposed system, we consider three types of adversaries: malicious ECUs attempting to forge MACs or impersonate other legal ECUs without access to the corresponding stable PUF responses, semi-honest RSUs executing the protocol correctly but attempting to infer some information, and external attackers capable of intercepting, modifying, replaying, and injecting arbitrary messages.

Our security model meets the following requirements:

• Integrity and authenticity. No probabilistic polynomial-time (PPT) adversary can forge a valid in-vehicle MAC or an external signature with non-negligible probability.
• Fault-tolerant batch authentication. For most k-corrupted messages, the misbehaving set is uniquely identified with a failure probability no higher than $ϵ$, where $ϵ$ is negligible.
• Conditional anonymity. Vehicle pseudonyms must be unlinkable without the master key.
• EU-CMA security. External signatures must resist existential forgery under chosen-message attacks.

5. Scheme Construction

5.1. Overview

The overview of UFTBA is shown in Figure 3. The vehicle and its internal ECUs requiring authentication first undergo system authentication. This is followed by integrated in-vehicle and out-of-vehicle authentication. In-vehicle authentication begins with the gateway sending a PUF challenge to the participating ECUs and authenticating the received aggregated MAC value. Finally, a session key is distributed to authenticated ECUs based on the CRT. Next, the vehicle sends encrypted perception data generated by legitimate ECUs and signed by the vehicle to the RSU. The RSU performs batch fault-tolerant authentication on the received messages.

5.2. Workflow of UFTBA

The workflow of the algorithm is illustrated in Figure 4 and Figure 5. Figure 4 depicts the in-vehicle authentication and group key agreement phase, where the vehicle gateway is responsible for authenticating all legitimate ECUs and distributing a group key to encrypt in-vehicle communications.

Figure 5 depicts the anonymous batch authentication for external vehicular message phase, where the vehicle gateway securely and anonymously transmits the sensory data collected by its ECUs to the RSU, which then performs an efficient batch verification.

5.3. Concrete Construction

5.3.1. System Initialization

$Setup$: Trust authority (TA) runs a group generator $\mathcal{G}$ to generate group $(\mathbb{G},P,q)$, and it randomly selects master secret key $s\in {\mathbb{Z}}_q^{*}$ and hash functions

$$H_1:{\{0,1\}}^{*}\to {\mathbb{Z}}_q^{*},H_2:{\{0,1\}}^{*}\to {\{0,1\}}^l$$

TA then computes system public key $P_{pub}=s·P$. The system public parameter $pp=\{\mathbb{G},q,P,P_{pub},H_1,H_2\}$. TA stores s in the TPD of the vehicle gateway. In subsequent steps, unless otherwise specified, $pp$ will be taken as an implicit input.

5.3.2. In-Vehicle Authentication and Group Key Agreement

$Aut{h}_{in}$: The vehicle gateway broadcasts a random number $Num$ and a challenge value $c_j$ stored in its TPD to all ECUs requiring authentication $EC{U}_1,EC{U}_2,\cdots ,EC{U}_n$. Upon receiving the messages, $EC{U}_i(i=1,2,\cdots ,n)$ computes its PUF response $r_{i,j}^{*}=PUF\left(c_j\right)$ and its own authentication code

$$\begin{array}{c}\hfill Aut{h}_i^{*}=H_1(r_{i,j}^{*}\parallel Num)\end{array}$$

(7)

then returns $Aut{h}_i^{*}$ to the vehicle gateway. The vehicle gateway locally computes the expected authentication code $Aut{h}_i^{exp}=H_1(r_{i,j}\parallel Num),i=1,2,\cdots ,n$. It then partitions the n ECUs into m groups according to the incidence matrix of k-Cover-Free Family (k-CFF), (n,m). n is the number of ECUs that participated in authentication, and k is the maximum number of colluding faulty ECUs. Based on the k-CFF incidence matrix, we partition the n ECUs into m groups. For the authentication codes of the ECUs in the $c^{th}$ group, the vehicle gateway calculates the aggregated authentication code ${\mathsf{\Psi }}_c^{*}={⨁}_{k=1}^{x}Aut{h}_k^{*}$ and the expected aggregated authentication code ${\mathsf{\Psi }}_c^{exp}={⨁}_{k=1}^{x}Aut{h}_k^{exp}$, where x represents the number of ECUs in that group. It then evaluates whether the Equation (8) holds.

$$\begin{array}{c}\hfill {\mathsf{\Psi }}_c^{*}={\mathsf{\Psi }}_c^{exp}\end{array}$$

(8)

If it holds, the authentication of all ECUs within that group is successful; otherwise, it indicates that at least one ECU in the group has failed authentication. Due to the properties of k-CFF, any single ECU is present in multiple groups. By analyzing all failed groups and identifying their intersection, the gateway can precisely pinpoint the malicious ECU(s).

$DisKey$: The vehicle gateway randomly generates a group key $gk\in {\mathbb{Z}}_q^{*}$ and selects a pair of coprime integers $(m_i,d_i)$ for each legitimate ECU, where $gk\equiv d_i\left(mod{m}_i\right)$. Using the CRT, the vehicle gateway then computes an integer $GK$ that satisfies all the corresponding congruence equations and broadcasts it. Upon receiving $GK$, each legitimate ECU can recover the group key $gk$ through computation

$$\begin{array}{c}\hfill gk=GK\mathrm{mod}{m}_i\end{array}$$

(9)

5.3.3. Anonymous Batch Authentication for External Vehicular Messages

$Sig$: The vehicle gateway equipped with a TPD selects a random number $v\in {\mathbb{Z}}_q^{*}$ and computes $PI{D}_1=v·P,PI{D}_2=UID\oplus H_2(s·PI{D}_1)$. The pseudonym is

$$\begin{array}{c}\hfill PID=(PI{D}_1,PI{D}_2)\end{array}$$

(10)

It then selects a timestamp T for the aggregated sensory data M reported to it, and it computes $\varphi =H_1(PID\parallel T),\beta =H_1(PID\parallel H_1\left(M\right))$. The signature for the message is

$$\begin{array}{c}\hfill \mathsf{\Phi }=s·\varphi +v·\beta \end{array}$$

(11)

Finally, it transmits $Mes=\{PID,\mathsf{\Phi },T,M\}$ to the RSU.

$Aut{h}_{out}$: Upon receiving a set of messages $\{Me{s}_1,Me{s}_2,\cdots ,Me{s}_z\}$ from z vehicles, the RSU first verifies the freshness of the timestamps $T_i$ and then computes ${\varphi }_i=H_1(PI{D}_i\parallel T_i)$ and ${\beta }_i=H_1(PI{D}_i\parallel H_1\left(M_i\right))$, where $i=1,2,\cdots ,z$. Subsequently, it partitions the z signatures into $\omega$ groups according to the incidence matrix of $k-CFF(z,\omega )$. For the $c^{th}$ group, the RSU selects a set of small random numbers $\{k_1,k_2,\cdots ,k_y\}$ and checks whether the equation

$$\begin{array}{c}\hfill (\sum _{i=1}^y{k}_i·{\mathsf{\Phi }}_i)·P=(\sum _{i=1}^y{k}_i·{\varphi }_i)·P_{pub}+\sum _{i=1}^y(k_i·{\beta }_i·PI{D}_{i_1})\end{array}$$

(12)

holds, where y represents the number of signatures in that group. If Equation $\left(12\right)$ holds, according to the small exponent test, all signatures in the group are valid with an overwhelming probability. Otherwise, the illegitimate messages can be pinpointed by finding the intersection of all failed groups.

$Trace$: Upon detection of a malicious message $Me{s}_i$, the TA utilizes its master key s to compute $UI{D}_i=PI{D}_{i_2}\oplus H_2(s·PI{D}_{i_1})$, thereby recovering the real identity $UID$ of the vehicle that sent the fraudulent message. Appendix A.1 gives the pseudocode for this process. In this stage, if the number of messages in each batch is N, and the number of invalid messages is t, then the computational complexity will be $O(logN\times t)$.

6. Scheme Analysis

6.1. Correctness Analysis

6.1.1. Correctness of the External Authentication Signature Verification Equation

Theorem 3. 

For any legitimately generated signature $\mathsf{\Phi }=s·\varphi +v·\beta$, the aforementioned batch verification equation holds identically according to $\left(13\right)$.

$$\begin{array}{cc}\hfill (\sum _{i=1}^y{k}_i·{\mathsf{\Phi }}_i)·P& =(\sum _{i=1}^y{k}_i·(s·{\varphi }_i+v_i·{\beta }_i))·P\hfill \\ \hfill & =(s·\sum _{i=1}^y{k}_i{\varphi }_i+\sum _{i=1}^y{k}_i{v}_i{\beta }_i)·P\hfill \\ \hfill & =s·(\sum _{i=1}^y{k}_i{\varphi }_i)·P+(\sum _{i=1}^y{k}_i{v}_i{\beta }_i)·P\hfill \\ \hfill & =(\sum _{i=1}^y{k}_i{\varphi }_i)·(s·P)+\sum _{i=1}^y(k_i{\beta }_i·(v_i·P))\hfill \\ \hfill & =(\sum _{i=1}^y{k}_i{\varphi }_i)·P_{pub}+\sum _{i=1}^y(k_i{\beta }_i·PI{D}_{i_1})\hfill \end{array}$$

(13)

The introduction of the small exponent test significantly reduces the computational cost of batch verification. Moreover, based on probability theory, the equation will fail with an overwhelming probability even in the presence of a single signature, thereby ensuring fault tolerance.

6.1.2. Correctness of the Vehicle Tracing Formula

Theorem 4. 

For any legitimately generated pseudonym $PI{D}_i$, TA can correctly recover the corresponding unique identifier $UI{D}_i$ according to $\left(14\right)$.

$$\begin{array}{cc}\hfill PI{D}_{i_2}\oplus H_2(s·PI{D}_{i_1})& =(UI{D}_i\oplus H_2(s·(v_i·P)))\oplus H_2(s·(v_i·P))\hfill \\ \hfill & =UI{D}_i\oplus (H_2(s·v_i·P)\oplus H_2(s·v_i·P))\hfill \\ \hfill & =UI{D}_i\oplus 0\hfill \\ \hfill & =UI{D}_i\hfill \end{array}$$

(14)

6.1.3. Correctness of the In-Vehicle CRT-Based Key Distribution

Guaranteed by the Chinese Remainder Theorem, if all moduli $m_{ji}$ are pairwise coprime, then the system of congruences $G{K}_j\equiv d_{ji}(mod{m}_{ji})$ has a unique solution $G{K}_j$ modulo $M=\prod m_{ji}$. The operation performed by each ECU

$$\begin{array}{c}\hfill g{k}_j^{\prime }=G{K}_j(mod{m}_{ji})\end{array}$$

(15)

will inevitably yield a result, $g{k}_j^{\prime }$ equal to $g_{ji}$, which is the group key $g{k}_j$.

6.2. Security Analysis

6.2.1. Unforgeability of External Message Authentication

Theorem 5. 

Existential Unforgeability under Chosen-Message Attack (EU-CMA): A scheme is said to be EU-CMA-secure if, for any PPT adversary $\mathcal{A}$, the advantage

$$Ad{v}_{\mathcal{A}}^{EU-CMA}\left(1^{\lambda }\right)=Pr[Ex{p}_{\mathcal{A}}^{EU-CMA}\left(1^{\lambda }\right)=1]$$

is negligible in the security parameter λ. The experiment $Ex{p}_{\mathcal{A}}^{EU-CMA}$ is defined as follows:

The challenger runs the system initialization algorithm $\mathcal{G}\left(1^{\lambda }\right)$ to generate the system parameters $params$ and the key pair $(pk,sk)$. The public key $pk$ is given to the adversary $\mathcal{A}$, while the private key $sk$ is kept secret by the challenger. Then, the adversary $\mathcal{A}$ is allowed to adaptively issue a series of signing queries to the challenger. For any message $M_i$ chosen by $\mathcal{A}$, the challenger computes the corresponding signature ${\sigma }_i$ using the private key $sk$ and return it to $\mathcal{A}$. Eventually, the adversary $\mathcal{A}$ outputs a forged message–signature pair $(M^{*},{\sigma }^{*})$. The experiment outputs 1 (indicating the adversary’s success) if and only if the following two conditions are satisfied simultaneously:

• The signature ${\sigma }^{*}$ is a valid signature for the message $M^{*}$ under the public key $pk$.
• The message $M^{*}$ was never submitted by $\mathcal{A}$ during the signing queries, i.e., $M^{*}\notin \{M_1,M_2,\cdots ,M_q\}$, where q is the total number of queries.

The proposed external message authentication scheme is EU-CMA secure under the CDH Assumption.

6.2.2. Detection and Localization Guarantees of Aggregate MAC + k-CFF

Here, we give formal statements about the correctness, detection capability, and error probabilities using aggregate MAC and k-CFF.

Theorem 6. 

For any forged message, the probability that the aggregated MAC ${\mathsf{\Psi }}_c^{*}={\mathsf{\Psi }}_c^{exp}$ holds is at most $1/2^t$ when the MAC is t bits.

Theorem 7. 

For any set S of malicious messages with $\left|S\right|\le k$, the intersection of all failed blocks uniquely identifies S.

6.2.3. Conditional Privacy Preservation

The proposed scheme balances vehicle privacy and accountability. For vehicle anonymity, the vehicle’s true identity $UID$ is concealed within pseudonym $PID=(PI{D}_1,PI{D}_2)$ = $(v·P,UID\oplus H_2(s·v·P))$. Based on the hardness of ECDLP, an external adversary cannot derive the random number v from $v·P$. Consequently, the pseudonyms $PI{D}_1$ generated at different times appear to the adversary as unlinkable random points, making vehicle tracking based on pseudonyms infeasible. Furthermore, $PI{D}_2$ essentially constitutes a one-time pad encryption. Without knowledge of both s and v, it is impossible to decrypt and recover $UID$. Therefore, the scheme provides strong anonymity for the vehicle’s private information against malicious adversaries.

For traceability, within the system, only the TA possesses the master key s. When it is necessary to trace a malicious vehicle, the TA can compute the vehicle’s identity $UID=PI{D}_2\oplus H_2(s·PI{D}_1)$. In summary, the scheme achieves conditional privacy.

6.2.4. Forward Secret

In the proposed scheme, the provision of forward secrecy guarantees that the compromise of a long-term key does not jeopardize the security of past communications. Upon the completion of a round of in-vehicle authentication and group key distribution, the vehicle gateway selects a new challenge $c_{ji}^{\prime }$ stored in its TPD, encrypts it using the newly established group key $gk$, and transmits it to each ECU. Each ECU individually computes a new PUF response $r_{ji}^{\prime }=PUF\left(c_j^{\prime }i\right)$, encrypts it, and sends it back to the gateway. The gateway then uses these new responses to replace the old response values stored in its TPD, which will be applied in the next authentication round.

In the external communication phase, when a vehicle needs to be revoked from the system, the TA updates the system master key $s^{\prime }$ for the remaining legitimate vehicles. The revoked vehicle, which only possesses the old key s, cannot learn the new key $s^{\prime }$. Consequently, it is unable to generate valid signatures for any subsequent communications.

6.2.5. Replay Attack

Each vehicle message contains a fresh timestamp $T_j$. Before verifying the validity of the signature, the RSU first checks whether the timestamp falls within a reasonable time window. Even if an adversary intercepts an old message and attempts to replay it, the RSU will reject the message due to its expired timestamp.

6.3. Performance Analysis

6.3.1. Computational Complexity

Table 3. Comparison of computational complexity.

Scheme	$\mathbf{Setup}$	${\mathbf{Auth}}_{\mathbf{in}}$	$\mathbf{DisKey}$	$\mathbf{Sig}$	${\mathbf{Auth}}_{\mathbf{out}}$
[31]	$T_{mul}$	$n(T_{PUF}+2T_H)$	$n(3T_{AES}+2T_H)$	-	-
[32]	$T_{mul}$	-	-	$4T_{mul}+2T_H+T_{add}+2T_{inv}$	$3T_{bp}+(3m+2)T_{mul}+2m{T}_H+m{T}_{inv}$
[33]	$T_{mul}$	-	-	$3T_{mul}+4T_H+T_{inv}$	$2T_{mul}+(3m+1)T_{add}$
[41]	$T_{mul}$	$2n{T}_H$	$2n{T}_{AES}$	-	-
Ours	$T_{mul}$	$n{T}_{PUF}+(n+1)T_H$	$n(T_{inv}+2T_{mod})$	$2T_{mul}+3T_H$	$2\omega T_{mul}+m{T}_{add}+2m{T}_H$

$T_{mul}$: one point multiplication operation. $T_H$: one cryptographic hash operation. $T_{PUF}$: one PUF operation. $T_{inv}$: one modular inverse operation. $T_{bp}$: one bilinear paring operation.

compares the computational complexity of various functionalities among the UFTBA and the schemes [31,32,33,41], where $Aut{h}_{in}$ means the function that vehicle gateway authenticates ECUs. $DisKey$ means the function that vehicle gateway distributes group key to ECUs. $Sig$ means the function that vehicle gateway computes the $PID$ and signature. $Aut{h}_{out}$ means the function that RSU authenticates all the received messages from vehicles. n is the number of ECUs and m is the number of vehicles, while $\omega$ is the number of groups composed of vehicles. The notation used is explained in Table 1.

UFTBA incurs low computational overhead during the in-vehicle ECU authentication, vehicle signing, and batch authentication phases, as it primarily relies on PUF, hash, and point addition operations. Notably, during the vehicle authentication phase, UFTBA utilizes point addition instead of the more computationally intensive point multiplication. Given that the computational cost of a point addition is approximately $1/10$ that of a point multiplication (under typical ECC parameters), this design makes UFTBA particularly suitable for large-scale vehicular networks.

6.3.2. Experimental Results and Analysis

The proposed scheme was implemented in C++ to prototype its various operations. In our simulations, we implemented the proposed scheme alongside the [31,32,33,41]. A 32 GB host computer with an 8-core AMD R7-8845H processor and running Windows 11 was used as the vehicle node (to perform vehicle gateway operations), and multiple Ubuntu 20.04 virtual machines were used as in-vehicle ECU nodes. Meanwhile, a 16 GB host computer with an Intel Core i5-14400F processor and running Windows 11 was used as the RSU node. A comparative analysis was conducted regarding public parameter size, in-vehicle ECU authentication efficiency, vehicle signing efficiency, and batch verification efficiency for vehicle signatures. The final results are presented as the average value obtained over 100 algorithm runs.

Figure 6 compares the public parameter size of the proposed UFTBA scheme with those of existing schemes [31,32,33,41]. The compactness of UFTBA stems from its core building blocks—PUF, ECC, and the CRT—all of which are inherently lightweight. Specifically, the PUF leverages intrinsic hardware features to generate key material, eliminating the need to store large volumes of pre-computed data in the public parameters. The ECC offers a high security level with relatively short key lengths compared to other schemes (e.g., RSA), which directly reduces the size of public keys and related parameters. Furthermore, the CRT, utilized for efficient group key distribution, primarily relies on a set of coprime moduli, which incur minimal storage overhead. This optimization in parameter size directly alleviates the storage pressure on resource-constrained OBUs and RSUs, making the UFTBA scheme more practical for deployment and promotion in real-world IoV environments.

Figure 7 clearly demonstrates the significant advantage of the proposed UFTBA scheme in terms of in-vehicle ECU authentication efficiency. The key observation is that the authentication time of UFTBA is substantially lower than that of the comparative scheme [31]. The fundamental reason for this performance gain lies in UFTBA’s departure from traditional high-overhead approaches, which rely either on complex public-key cryptography (such as the bilinear pairing operations used) or on extensive certificate management. Instead, UFTBA adopts a lightweight authentication flow centered around PUF and aggregate MACs. During authentication, each ECU simply uses its embedded PUF to generate a response to a challenge from the gateway and then computes a simple hash-based message authentication code. The vehicle gateway, leveraging a k-CFF, aggregates the MACs from multiple ECUs. Subsequently, it authenticates the entire group of ECUs through a single batch verification operation. This design enables the authentication time to scale approximately linearly with the number of ECUs, rather than increasing exponentially.

Figure 8 clearly illustrates the significant advantage of the proposed UFTBA scheme in terms of vehicle signature generation efficiency. The key observation is that the signature generation time of UFTBA is substantially lower than that of the comparative schemes [32,33], achieving approximately 75% and 60% time savings compared to Scheme [32] and Scheme [33], respectively. In UFTBA, the signature generation process requires the vehicle gateway’s TPD to utilize a pre-stored master key and a random number, performing only two point multiplications and three hash operations to quickly generate a valid anonymous signature. This streamlined process eliminates the need for the extra modular inversion and point addition operations required by Scheme [32], as well as the additional modular inversions and higher number of point multiplications demanded by Scheme [33].

Figure 9 clearly demonstrates the significant advantage of the proposed UFTBA scheme in terms of batch verification efficiency for vehicle signatures, with its authentication time being substantially lower than that of the comparative scheme [33]. UFTBA employs a lightweight batch verification process centered around point addition and hash operations. During verification, the RSU utilizes a k-CFF to group the received vehicle signatures and selects a small set of random exponents for each group. It then authenticates the entire group through a single aggregated verification operation. This design ensures that even if a small number of invalid signatures are present, only the specific failed groups need to be re-verified, rather than the entire batch, thereby significantly reducing the overall computational overhead. In contrast, Scheme [33] requires the execution of a large number of point multiplication and modular inversion operations, both of which incur substantially higher computational costs than the efficient point additions and hashing used in UFTBA.

7. Conclusions

This paper proposes a unified fault-tolerant batch authentication scheme to address the secure transmission of vehicle-sensed perception data in the IoV. Assisted by TPD and PUF, the scheme leverages aggregate MAC and the CRT to design a software–hardware co-designed authentication mechanism. It fulfills the stringent requirements for secure and efficient authentication among the three key entities prevalent in the data collection process: in-vehicle ECUs, vehicle gateways, and RSUs. Extensive experimental analysis and comparisons demonstrate the high efficiency and practicality of the proposed scheme.

However, our proposed work still has limitations. One is that in large-scale deployment scenarios, the number of CRT parameters that the vehicle gateway needs to store and compute will increase significantly, placing considerable pressure on resource-constrained in-vehicle gateway. Our future work will focus on parameter preprocessing or physical layering of ECUs to explore whether lightweight, secure, and efficient group key distribution based on CRT can be achieved in large-scale deployment scenarios.

Furthermore, applying UFTBA to large-scale fleet or mixed-vendor systems in practice will face challenges due to hardware and platform differences. The advantage is that the safety features relied upon by our solution, such as PUF and TPD, are not limited to hardware implemented by specific brands, which lays a feasible foundation for multi-vendor interaction in real-world scenarios.