Open AccessArticle

CHAM-CLAS: A Certificateless Aggregate Signature Scheme with Chameleon Hashing-Based Identity Authentication for VANETs

Center of Informatics Science, Faculty of Information Technology and Computer Science, Nile University, Giza 12588, Egypt

Informatics Department, Electronics Research Institute, Cairo 12622, Egypt

National Telecommunication Institute, Giza 12578, Egypt

⁴

National Telecommunications Regulatory Authority, Giza 12577, Egypt

Author to whom correspondence should be addressed.

Cryptography 2024, 8(3), 43; https://doi.org/10.3390/cryptography8030043

Submission received: 9 August 2024 / Revised: 10 September 2024 / Accepted: 10 September 2024 / Published: 17 September 2024

Download

Browse Figures

Versions Notes

Abstract

Vehicular ad hoc networks (VANETs), which are the backbone of intelligent transportation systems (ITSs), facilitate critical data exchanges between vehicles. This necessitates secure transmission, which requires guarantees of message availability, integrity, source authenticity, and user privacy. Moreover, the traceability of network participants is essential as it deters malicious actors and allows lawful authorities to identify message senders for accountability. This introduces a challenge: balancing privacy with traceability. Conditional privacy-preserving authentication (CPPA) schemes are designed to mitigate this conflict. CPPA schemes utilize cryptographic protocols, including certificate-based schemes, group signatures, identity-based schemes, and certificateless schemes. Due to the critical time constraints in VANETs, efficient batch verification techniques are crucial. Combining certificateless schemes with batch verification leads to certificateless aggregate signature (CLAS) schemes. In this paper, cryptanalysis of Xiong’s CLAS scheme revealed its vulnerabilities to partial key replacement and identity replacement attacks, alongside mathematical errors in the batch verification process. Our proposed CLAS scheme remedies these issues by incorporating an identity authentication module that leverages chameleon hashing within elliptic curve cryptography (CHAM-CLAS). The signature and verification modules are also redesigned to address the identified vulnerabilities in Xiong’s scheme. Additionally, we implemented the small exponents test within the batch verification module to achieve Type III security. While this enhances security, it introduces a slight performance trade-off. Our scheme has been subjected to formal security and performance analyses to ensure robustness.

Keywords:

privacy-preserving authentication; identity-based; certificateless aggregate signature; vehicular ad hoc networks

1. Introduction

In the contemporary global pursuit of intelligent cities, the Internet of Things (IoT) is the primary facilitator of device connectivity and communication, through which an immeasurable amount of data exchange and utilization occurs. A particular use case of the IoT is the Internet of Vehicles (IoV), which encapsulates cooperative intelligent transportation systems (C-ITSs) that employ vehicular ad hoc networks (VANETs). VANETs are self-organized networks that enable communication between the constituents of any C-ITS, namely vehicles, pedestrians, roadside units (RSUs), and possibly governing entities, which we will refer to as trusted authorities (TAs) [1,2]. The primary objective of a C-ITS is to facilitate a safer and more comfortable driving experience for all of its constituents by allowing vehicles to sense their surrounding environments and pool their collective resources to make reliable decisions [3].

The primary standards employed in vehicular communications are the Dedicated Short-Range Communications (DSRC) standard developed in the US and the Intelligent Transportation System (ITS-G5) protocol created by the European Telecommunications Standards Institute (ETSI) [3]. However, recent years have witnessed the emergence of a competitive alternative, Cellular Vehicle-to-Everything (C-V2X), which promises lower latency and high vehicle speed support [4]. Furthermore, developments to DSRC and C-V2X are already underway in pursuit of better efficiency and scalability, and new technologies like 802.11bd and New Radio V2X [5] promise to meet the stringent requirements of a maximum packet error rate of 10% with a minimum transmission radius of 300 m.

Owing to the significance of the data shared between different C-ITS constituents, guaranteeing security is as important as optimizing performance, since any breach with malicious intent can have disastrous consequences. Therefore, authentication, confidentiality, integrity, privacy, and revocability are non-negotiable security requirements to ensure the proper functioning of VANETs.

To that effect, a multitude of works have strived to create conditional privacy-preserving authentication (CPPA) schemes, which can be broadly classified into certificate-based schemes/public key infrastructure (PKI) schemes, identity-based schemes (IB), group signature (GS)-based schemes and certificateless (CL) schemes. Furthermore, to support scenarios of large vehicular densities, techniques to verify a batch of digital signatures simultaneously have been developed. This has led to the transformation of IB and CL schemes into identity-based batch verification (IBV) schemes and certificateless aggregated signature (CLAS) schemes, respectively.

Many recent CLAS schemes fail to guarantee adequate identity authentication, resulting in collusion, repudiation, and impersonation attacks. Furthermore, the same schemes fail to properly include a revocation check that prevents TA-revoked members from re-accessing the VANET. We show that these deficiencies exist in the recently published CLAS scheme [6] by Xiong and propose an alternative scheme that averts the associated risks and better meets VANET security requirements.

Accordingly, our contributions can be summarized as follows:

1-: We cryptanalyze Xiong’s scheme and point out that it cannot meet VANET security requirements.
2-: We propose an alternative CLAS scheme with an added identity authentication module based on chameleon hashing [7]. This module prevents repudiation attacks and fake identity attacks and ensures that revoked vehicles are denied access to the VANET.
3-: We conduct a formal security and performance analysis of our scheme.

The rest of this paper is set out as follows. Section 2 introduces a brief review of related works. Section 3 summarizes the background information, including VANET security requirements, cryptographic primitives utilized in the proposed scheme, and the network model. Section 4 presents a brief overview of Xiong’s scheme [6] as well as our cryptanalysis, suggested attacks, and modified scheme. Section 5 presents the formal security analysis of our proposed scheme. Section 6 presents the performance analysis of our scheme. Section 7 presents conclusions and future directions. A list of notations can be found in Table 1.

2. Related Works

As mentioned previously, CPPA schemes can be realized using various cryptographic approaches, including PKI, GS, IBV, or CLAS schemes.

PKI-based schemes typically involve significant overhead due to certificate storage and communication costs, not to mention the time-consuming process of certificate revocation checks. GS-based schemes also face challenges with revocation and high computational costs during signature verification.

In contrast, IB schemes are more efficient as they eliminate the need for certificate management. However, they suffer from the key escrow problem, where the key generation center (KGC) can access each member’s full private key.

CLAS schemes are a variant of IB schemes, where each member possesses a private key that combines a KGC-generated value and a secret value known only to the member. This resolves the key escrow issue, but it is at the expense of increased complexity in public key management, as the public key is no longer solely a function of publicly known information as in traditional IB systems. CLAS schemes are the most prominent tool for achieving CPPA, and significant recent literature has focused on deconstructing previous schemes and developing new ones with improved security.

CPPA schemes are an integral part of VANET security, and numerous surveys have been published in recent years [1,8,9,10] to extensively detail each scheme’s characteristics and conduct comparative analyses in terms of security and performance.

A survey specifically focused on CLAS schemes can be found in [11], which compares the performance of CLAS schemes based on bilinear pairings and CLAS schemes based on ECC. Since bilinear pairings are more computationally intensive and less efficient, we have implemented our CLAS scheme using ECC.

Our proposed scheme most closely resembles those of Zhao (2020) [12], Zhou (2023) [2], Zhu (2023) [13], Li (2020) [14], Thumbur (2020) [15], and finally Xiong (2022) [6], which we aim to analyze and improve in this paper. Accordingly, we will compare the performance of our scheme to those of existing schemes in Section 6.

3. Background

This section establishes the necessary background and prerequisites to our proposed scheme. We briefly overview the security requirements in Vehicular Ad hoc Networks (VANETs); then, we introduce the cryptographic primitives used in our scheme; and finally, we outline the network model upon which our scheme is based.

3.1. VANET Security Requirements

The aforementioned massive data exchange, which is the driving force behind the development of the Internet of Things (IoT) and the Internet of Vehicles (IoV), necessarily requires accompanying security measures to ensure the validity of the data before further use. The security requirements within VANETs are not uniform; instead, they are layered, with distinct demands and considerations at different levels. Table 2 comprehensively compares these layered security needs, categorized across various critical aspects. From the communication layer to the network and application layers, each aspect highlights the specific security demands, ensuring that VANETs operate securely and reliably. Key management, trust management, physical layer security, regulatory compliance, and lifecycle management aspects further underscore the multifaceted nature of securing VANETs. Understanding and addressing these diverse security requirements is essential to establish a resilient and trustworthy VANET ecosystem. Failure to do so could undermine the intended benefits and functionality of the IoT and IoV technologies.

To utilize the data exchanged between vehicles, the receiver must ensure three things:

The sender is legitimate and trustworthy.
The data have not been modified or tampered with.
The message is temporally relevant and up-to-date.

On the other hand, the sender will only participate in the message exchange if they are assured that their identity privacy is preserved. They want to be sure that only a legitimate governing authority can derive their real identity from the pseudo-identity used in the message transmission.

A combination of cryptographic approaches and intrusion detection methods addresses these requirements. Cryptographic protection is the first line of defense, providing proactive protection against potential attacks and holding the attacker accountable. However, intrusion detection techniques may be employed for mitigation if an attack does occur. This paper focuses exclusively on the cryptographic methods used to preserve secure communications in VANETs. Intrusion detection in VANETs has also been extensively studied in contemporary literature, and reviews of the contributions can be found in [16,17,18].

3.2. Cryptographic Preliminaries

This section provides a brief overview of the cryptographic primitives employed in our scheme.

(1): Elliptic curves

We assume

F_{p}

denotes a finite field with prime order p for elliptic curve E with the equation

y^{2} = x^{3} + a x + b

mod p, where

4 a^{3} + 27 b^{2} \neq 0

and

a, b \in F_{p}

. We presume that O denotes the point at infinity. The points of the ECC make an additive group G with order q and generator P.

Point addition: Let P and S be two random points on the ECC such that

(P, S) \in G

, where the point P generates the group G with sizeable prime order q. When

P \neq S

R = P + S

can be computed, where R denotes the intersection point of curve E and line PS. When

P = S

R = P + S

denotes the intersection of curve E with the tangent to E at P.

Scalar point multiplication: The scalar multiplication of E is defined as

m P = P + P + \dots + P (m t i m e s),

where

m \in Z_{q}^{*}, m > 0

Elliptic curve discrete logarithm problem (ECDLP): Given two random points P, Q ∈G on curve E, where

Q = x P, x \in Z_{q}^{*}

; it has proved difficult to calculate x given P, Q.

(2): Chameleon Hashing

Chameleon hash functions were first proposed in 1998 [7] and are the foundational building block for chameleon signatures. Chameleon signatures facilitate the signer’s undeniable commitment to the contents of a signed document without allowing the recipient to disclose the contents to a third party without the signer’s consent.

Conceptually similar to undeniable signatures, chameleon signatures have the relative advantage of being non-interactive and not requiring zero-knowledge proofs. The key idea is that a sender’s signature allows the recipient to forge further signatures of the signer at the latter’s will. To achieve this, chameleon signatures employ a hash-then-sign method using chameleon hash functions, which are collision-resistant to all parties except those possessing the trapdoor.

In the original paper, two implementations of chameleon hash functions were proposed—one based on the intractability of factoring and the other on the discrete logarithm problem.

The latter methodology features a function

C H_{y} (m, r) = g^{m} y^{r}

for the private key (trapdoor) x and the public key

y = g^{x} m o d p

. Accordingly, the function is equivalent to

C H_{y} (m, r) = g^{m} * {(g^{x})}^{r} = g^{m + x r} .

To find a collision

r^{'}

for any given message

m^{'}

, the owner of the private key

x

solves

m + x r = m^{'} + x r^{'}

. Our scheme uses a conceptually similar model based on elliptic curve cryptography, discussed in greater detail in Section 3.

3.3. Network Model

The most common network architecture used to model VANET security is the two-layer model, which comprises a TA in the top layer and vehicles and RSUs in the bottom layer.

(1) Trusted authority (TA): Also known as the trusted third party (TTP) or the central authority (CA), the TA generally consists of a key generation center (KGC) and a tracing authority/tracing manager (TRA/TRM). The KGC generates public and private keys (or partial keys) for all members to enable digital signature verification. The TRM generates verifiable pseudo-identities for each member to enable traceability in the case of disputes. Some schemes propose redundant TAs with access to the same data repository to prevent single points of failure.

(2) Roadside units (RSUs): RSUs are connected to the TA via secure wired links and to vehicles via insecure wireless connections. Different schemes assume varying levels of RSU trustworthiness, with the predominant assumption being that RSUs are “honest but curious.” The role of RSUs varies across schemes, ranging from being mere gateways to relay messages between the TA and vehicles to acting as group managers that issue signing and verification keys to members within their domain and manage localized groups.

(3) Vehicles: Vehicles are assumed to be untrustworthy. They are equipped with on-board units (OBUs) that contain a tamper-proof device (TPD). Schemes diverge on the assumption of an ideal TPD (secure enough to store the system’s master secret key for self-authentication) or a realistic TPD (where only the user’s secret key is stored and authentication is performed elsewhere).

4. Xiong’s Scheme: Description, Cryptanalysis, and Our Proposed Improved Scheme

In this section, we provide a brief overview of Xiong’s scheme [6], followed by our cryptanalysis of the scheme, and finally, we propose our modified version of the scheme.

4.1. Overview of Xiong’s Scheme

Xiong’s scheme, like other CLAS (certificateless aggregate signature) schemes, comprises the following phases:

Setup;
Pseudo-identity generation;
Partial private key generation;
User secret key generation;
Signing;
Verification;
Aggregate signature/batch verification.

Figure 1 provides a summary of Xiong’s scheme.

4.2. Cryptanalysis

The core purpose of any authentication scheme is to enable the receiver of a message to trust its contents. This is achieved through a transitive trust relationship, where the receiver verifies that a trusted authority (TA) deemed the sender trustworthy at a particular time and has not revoked its trust in them since (authentication). Furthermore, to deter any network member from initiating malicious actions, a mechanism is required to ensure their accountability and prevent them from later denying their actions (traceability and non-repudiation). Unfortunately, Xiong’s scheme does not meet these criteria, as detailed in the following analysis.

To guarantee the trustworthiness of a sender, digital signatures are used to incorporate a TA’s contribution along with some identifying information about the signer. CLAS (certificateless aggregate signature) schemes are built on the premise that signatures are trustworthy based on the partial private key generated by the key generation center (KGC), which is incorporated into the digital signature. To resist forgeability, the KGC uses its master secret key (denoted as

s

) and a randomly chosen value (denoted as

α_{i}

) to create a partial private key pair that the user cannot replicate. In Xiong’s scheme, the equation

p p k_{i} = (α_{i} + s . Q_{i}) m o d q

achieves this property, seeing that during verification (by the user or subsequently by any receiver of the user’s messages), the equation

p p k_{i} . P ≟ A_{i} + Q_{i} . P_{p u b}

is used. The idea is that the user cannot generate any pair

(p p k_{i}^{*}, A_{i}^{*})

to satisfy this equation since Qi.Ppub binds these two values together, and the user cannot generate this since it is a function of the KGC’s master secret

s

. While this is successfully implemented in Xiong’s partial private key generation module, it is not used correctly in their signature generation module since

A_{i}

is no longer subsequently used at all. In fact, once the user

V_{i}

receives

p p k_{i}, A_{i}

from the KGC and performs the verification (to ensure that this is indeed a KGC-verified pair), the user can promptly discard

A_{i}

since it does not come up again in any future modules. This renders the authentication property unsatisfactory since a malicious user can receive ppki,Ai from the KGC and then replace

p p k_{i}

with

p p k_{i}^{*}

in all subsequent calculations without being detected. The simple fix to that is to incorporate

A_{i}

in the verification equation.

Moreover, the pseudo-identities are generated in the vehicle, assuming that the TPD is ideal and cannot be tampered with, which is an impractical assumption. This is apparent in the scheme since at no point is the identity of the user

V_{i}

verified by any entity, which makes it possible for a malicious user, Oscar, to replace his

R I D_{O}

with a fictitious value

R I D_{O}^{*}

and accordingly compute

P I D_{O}^{*}

and still pass verification.

The fact that a malicious user, Oscar, can replace their real identity and partial private key with fictitious values renders the scheme incapable of satisfying the requirements of authentication and non-repudiation. This intuitively opens the scheme to bogus and repudiation attacks since any user can broadcast fake information under fake identities without considering the legal consequences of their actions. The attacks are shown in Figure 2.

Finally, we point out a minor mistake in the batch verification module of the original scheme:

p k = v . P

must become

p k^{*} = v . P_{p u b}

for the batch verification equation

β = β^{*}

to work out. In their scheme,

β = H_{4} (T_{1} p k | | \dots | | T_{n} p k)

and

β^{*} = H_{4}

, so to pass verification, we must ensure that

T_{i} . p k = v . φ_{i}

. Since

φ_{i} = h_{i} F_{i} + U_{i} = T_{i} . P_{p u b,}

. Therefore,

v . φ_{i} = v . T_{i} . P_{p u b} = T_{i} . p k^{*}

4.3. Our Improved Scheme

In our proposed scheme, we suggest the following improvements and modifications to avert the threats above:

(1): Identity Authentication using Chameleon Hashing

We added an identity authentication module based on chameleon hashing to prevent an attacker from using a fake identity. The idea is to allow the KGC to ascertain that the TRM authenticates the pseudo-identity for generating a partial private key. The chameleon hashing procedure is carried out as follows.

During the setup phase, the trapdoor

x

is first randomly chosen by the TRM, in addition to two random points

A, B

on the elliptic curve. Then, a point

C

is calculated as

C = A + x . B

. The trapdoor

x

and the point

C

are shared securely between the

T R M

and the

K G C

. The

T R M

assigns an elliptic curve point

D_{i}

to each member with identity

I D_{1, i}

by solving the equation

D_{i} = C - x . I D_{1, i}

. To prove to the KGC that they have obtained a legitimate identity from the TRM, the member submits

D_{i}

and

I D_{1, i}

to the KGC, which checks the equation

D_{i} + x : I D i ≟ C

before generating a partial private key for the user.

This guarantees that the partial private key is adopted with a legitimate pseudo-identity. It also gives the TRM a chance to review each member’s status before authenticating their identity, so revoked members are immediately excluded without being given the secret parameter Di, which they need to generate partial private keys.

(2): Adjusting the individual verification equation to prevent partial private key switching

As stated earlier, the significance of the partial private key generation module is that it creates a key pair

(p p k, A_{i})

where

p p k_{i} = (α_{i} + s . h_{2_{i}}) m o d q

and

A_{i} = α_{i} P

. The idea is that any user cannot generate a partial private key that satisfies the equation since the KGC’s master secret

s

links the two parameters. In Xiong’s scheme,

A_{i}

is not included in the individual verification equation, which allows any member to replace

p p k_{i}

with any other value without being detected during verification. In our proposed scheme,

A_{i}

is included in the verification equation, which ensures that the ppk used in signing is an authentic KGC-granted key. This also implicitly ensures that the pseudo-identity used to sign the message is genuine, thanks to the chameleon hashing authentication module introduced above.

(3): Small exponent test in batch verification

We adopted the batch verification equation and introduced the small exponent test to ensure resilience against CLAS Type III attacks, which involve inserting forged signatures into a batch of valid signatures without detection. Section 4 elaborates on this and is where we conduct a formal security analysis of our proposed scheme. We provide a summary of our improved scheme in Figure 3.

5. Security Analysis

This section conducts a security analysis for our improved scheme. We introduce formal definitions and algorithm instantiations of CLAS systems, followed by CLAS’s security models and games. Then, we proceeded to obtain our formal security proof.

5.1. Definition of CLAS

Definition 1.

A CLAS comprises the following eight polynomial time algorithms, found in Table 3.

5.2. Security Models of CLAS

To define security models of CLAS, we consider three types of adversary attacks according to their different abilities.

Type I attacks: The adversary has the target user’s secret value

x_{i}

and can replace the user’s public key

u p k_{i}

with its choice. However, it does not know the KGC’s secret key

s

and the user’s partial secret key

{p p k}_{i}

Type II attacks: The adversary owns the KGC’s secret key

s

and can generate the user’s partial secret key

p p . H o w e v e r

, it does not know the user’s secret value

x_{i}

Type III attacks: The adversary knows all signers’ secret keys

x_{i}, p p k_{i}

. The adversary cannot provide any invalid signatures

σ_{i}

that can be used for computing a valid aggregate signature

σ

The security of a CLAS scheme is captured by the following three games between a challenger

C

and adversaries

A_{1}, A_{2}, A_{3} .

The associated queries are outlined in Table 4.

The security games are outlined in Table 5.

Definition 2.

A CLAS scheme is existentially unforgeable under adaptive chosen message attacks (EUF-CMA) if the probability of any probabilistic polynomial time (PPT) adversary winning any of the above three games is negligible.

5.3. Security Proof

Theorem 1.

Our CLAS scheme is EUF-CMA secure against any Type I adversary if ECDLP is hard in the random oracle model (ROM).

Proof.

Let

A_{1}

be a Type I adversary who can break our underlying CLS scheme. We now construct another adversary

B

that can solve the ECDLP as the following:

Setup Phase:

B :

Inputs security parameter

1^{λ}

and generates

(G, q, P, P_{p u b}, T_{p u b}, H_{1 \to 3} (.))

. It sets

I D^{*}

as the challenged identity and maintains lists

L_{2 \to 5}

to store values queried by

A_{1}

as outlined in Table 6 □

Forgery Phase:

A_{1}

finally outputs a forgery

σ_{i}^{*} = (δ_{i}^{*}, U_{i}^{*})

m_{i}^{*}

under

I D^{*}

. If

P I D_{i} = P I D_{i}^{*}

B

aborts and admits failure; otherwise,

σ_{i}^{*}

is valid and we have

δ_{i}^{*} P = A_{i} + h_{3, i}^{*} {u p k}_{i}^{*} + h_{2, i}^{*} P_{P u b} + U_{i}^{*}

By adopting the forking lemma [19], if

B

selects a different

h a s h

and repeats the above process,

A_{1}

can output another forgery

σ_{i^{*}}^{'} = (δ_{i^{*}}^{'}, U_{i}^{*})

m_{i}^{*}

Then, we have

δ_{i}^{*'} P = A_{i} + h_{3, i}^{*} {u p k}_{i}^{*} + h_{2, i}^{*'} P_{P u b} + U_{i}^{*}

. Therefore,

B

can obtain a solution of ECDLP by computing

s = (δ_{i}^{*} - δ_{i}^{*'}) {(h_{2, i}^{*} - h_{2, i}^{*'})}^{- 1}

Proof.

\begin{matrix} δ_{i}^{*} P - δ_{i}^{*^{'}} P = h_{2, i}^{*} P_{P u b} - h_{2, i}^{*^{'}} P_{P u b} → P (δ_{i}^{*} - δ_{i}^{*^{'}}) = P_{P u b} (h_{2, i}^{*} - h_{2, i}^{*^{'}}) \\ → (δ_{i}^{*} - δ_{i}^{*^{'}}) {(h_{2, i}^{*} - h_{2, i}^{*^{'}})}^{- 1} = P_{P u b} P^{- 1} = s \end{matrix}

□

Theorem 2.

The CLAS scheme is EUF-CMA secure against any Type II adversary if ECDLP is hard in ROM.

The exact proof, as Theorem 1, is omitted for space considerations.

Theorem 3.

The CLAS scheme is secure against any Type III adversary.

Proof.

Type III security of a CLAS scheme states that the scheme must resist information injection attacks in the aggregate verification phase. For instance, assume two malicious vehicles generate two valid signatures

δ_{1}

and

δ_{2}

and inject

c

and

- c

in them, respectively. The batch verifier cannot detect this since

c

is countered by

- c

in the aggregation phase. In our scheme, we utilize the simplified small exponent test in the aggregation process. By doing so, the randomness of

x_{i}

necessitates that the verifier can detect any modification to the single signature δi. The rigorous proof can be found in [20]. Hence, Type III security is achieved. □

Theorem 4.

The CLAS scheme achieves CPP.

Proof.

The anonymity of the vehicle is ensured by the pseudo-identity

I D_{i}

. Note that

P I D_{i} = (I D_{i,, 1}, I D_{i, 2}, V T_{i})

, where

I D_{i, 1} = k_{i} P

I D_{i, 2} = R I D_{i} ⨁ H_{1} (k_{i} . T_{P u b} | | V T_{i})

and

V T_{i}

is the validity period. To extract the real identity

R I D_{i}

from

I D_{i, 2,}

the adversary needs to compute

H_{1} (k_{i} . T_{P u b} | | V T_{i})

. Since

k_{i}

is only known to

V_{i}

(the owner of

R I D_{i})

and securely transmitted to the TRA during the PID generation phase, it is impossible for an adversary to extract

R I D_{i}

from

I D_{i, 1}, I D_{i, 2}

. Since

k_{i}

is a random value that changes for every pseudonym, our scheme guarantees unlinkability since no two pseudo-identities can be traced back to the same real identity. Hence, this scheme achieves conditional privacy preservation since only the TRA can extract the real identity from a pseudo-identity, and no adversary can link two different pseudonyms to the same signer. □

This concludes our security analysis. In the following section, we conduct a performance analysis of our scheme and compare it to other ECC-based CLAS schemes.

6. Performance Analysis of Comparable CLAS Schemes

To ensure consistency, we evaluated all the schemes using the operation execution times reported in [2]. The authors employed the MIRACL cryptography library to measure the execution times on an Intel i5-6600 processor running at 3.3 GHz, with 8 GB of memory and a Windows operating system. The execution times they obtained are presented in Table 7.

Next, we evaluated the seven schemes in Table 8 to obtain the number of operations required to execute each scheme. The starred values indicate that we derived these through our analysis of the schemes, as they differed from the values stated in the authors’ performance analysis or were not provided by the authors at all. Our study focused on individual signatures and batch verifications, as particular (sequential) verification times are unlikely to occur in practical scenarios, except in scenarios with very low vehicle density, where the verification speed is insignificant due to the relatively few verifications that must be executed.

Batch verification times are compared in Figure 4.

Our scheme is comparable to Xiong’s in terms of performance but offers much more robust security guarantees. We note that our scheme’s performance is inferior to the schemes proposed by Zhao, Li, and Thumbur due to our use of the small exponent test. While this test incurs a higher computational cost, it is a necessary measure to prevent Type III attacks.

7. Conclusions and Future Work

This paper presents a cryptanalysis of Xiong’s recently published CLAS scheme [6]. We identify the causes of vulnerabilities in the original scheme and propose countermeasures. Based on this, we construct a new certificateless aggregate signature scheme, CHAM-CLAS, which addresses the identified issues. Finally, we conduct security and performance analyses of our proposed scheme.

While our scheme offers stronger security guarantees, it suffers from relative inefficiency due to the added cost of the small exponent test. This test must preserve batch verification capability against Type III attacks. One future research direction involves investigating approaches to achieve the same security level as our scheme but at a lower computational cost and simulating network performance. Additionally, we would like to explore the contextualization of our CLAS scheme within a blockchain-based VANET security system in future work.

Author Contributions

Conceptualization, A.K., M.A.A. and H.A.; methodology, A.K.; validation, H.A., M.A.A. and M.R.; formal analysis, A.K.; writing—original draft preparation, A.K.; writing—review and editing, H.A., M.A.A. and M.R.; supervision, H.A. and M.A.A.; funding acquisition, M.R. All authors have read and agreed to the published version of the manuscript.

Funding

This work is supported by National Telecom Regulatory Authority.

Data Availability Statement

No new data were created or analyzed in this study.

Conflicts of Interest

The authors declare that there are no conflicts of interest to report regarding the present study.

References

Nath, H.J.; Choudhury, H. Privacy-Preserving Authentication Protocols in Vanet. SN Comput. Sci. 2023, 4, 589. [Google Scholar] [CrossRef]
Zhou, Y.; Wang, Z.; Qiao, Z.; Yang, B.; Zhang, M. An efficient and provably secure identity authentication scheme for VANET. IEEE Internet Things J. 2023, 10, 17170–17183. [Google Scholar] [CrossRef]
Hammi, B.; Monteuuis, J.-P.; Petit, J. PKIs in C-ITS: Security functions, architectures, and projects: A survey. Veh. Commun. 2022, 38, 100531. [Google Scholar] [CrossRef]
Mannoni, V.; Berg, V.; Sesia, S.; Perraud, E. A comparison of the V2X communication systems: ITS-G5 and C-V2X. In Proceedings of the 2019 IEEE 89th Vehicular Technology Conference (VTC2019-Spring), Kuala Lumpur, Malaysia, 28 April–1 May 2019; pp. 1–5. [Google Scholar]
Cominetti, E.L.; Silva, M.V.M.; Simplicio, M.A., Jr.; Patil, H.K.; Ricardini, J.E. Faster verification of V2X basic safety messages via Message Chaining. Veh. Commun. 2023, 44, 100662. [Google Scholar] [CrossRef]
Xiong, W.; Wang, R.; Wang, Y.; Wei, Y.; Zhou, F.; Luo, X. Improved certificateless aggregate signature scheme against collusion attacks for vents. IEEE Syst. J. 2022, 17, 1098–1109. [Google Scholar] [CrossRef]
Krawczyk, H.; Rabin, T. Chameleon hashing and signatures. Cryptol. Eprint Arch. 1998. Available online: https://eprint.iacr.org/1998/010 (accessed on 9 September 2024).
Sheikh, M.S.; Liang, J. A comprehensive survey on VANET security services in traffic management system. Wirel. Commun. Mob. Comput. 2019, 2019, 1–23. [Google Scholar] [CrossRef]
Mundhe, P.; Verma, S.; Venkatesan, S. A comprehensive survey on authentication and privacy-preserving schemes in VANETs. Comput. Sci. Rev. 2021, 41, 100411. [Google Scholar] [CrossRef]
Azam, F.; Yadav, S.K.; Priyadarshi, N.; Padmanaban, S.; Bansal, R.C. A comprehensive review of authentication schemes in a vehicular ad-hoc network. IEEE Access 2021, 9, 31309–31321. [Google Scholar] [CrossRef]
Cahyadi, E.F.; Hwang, M.-S. A comprehensive survey on certificateless aggregate signature in vehicular ad hoc networks. IETE Tech. Rev. 2022, 39, 1265–1276. [Google Scholar] [CrossRef]
Zhao, Y.; Hou, Y.; Wang, L.; Kumari, S.; Khan, M.K.; Xiong, H. An efficient certificateless aggregate signature scheme for the Internet of Vehicles. Trans. Emerg. Telecommun. Technol. 2020, 31, e3708. [Google Scholar] [CrossRef]
Zhu, F.; Yi, X.; Abuadbba, A.; Khalil, I.; Huang, X.; Xu, F. A Security-Enhanced Certificateless Conditional Privacy-Preserving Authentication Scheme for Vehicular Ad Hoc Networks. IEEE Trans. Intell. Transp. Syst. 2023, 24, 10456–10466. [Google Scholar] [CrossRef]
Li, C.; Wu, G.; Xing, L.; Zhu, F.; Zhao, L. An efficient certificateless aggregate signature scheme designed for VANET. J. Comput. Mater. Contin. 2020, 63, 725–742. [Google Scholar]
Thumbur, G.; Rao, G.S.; Reddy, P.V.; Gayathri, N.; Reddy, D.K.; Padmavathamma, M. Efficient and secure certificateless aggregate signature-based authentication scheme for vehicular ad hoc networks. IEEE Internet Things J. 2020, 8, 1908–1920. [Google Scholar] [CrossRef]
Sharma, S.; Kaul, A. A survey on Intrusion Detection Systems and Honeypot based proactive security mechanisms in VANETs and VANET Cloud. Veh. Commun. 2018, 12, 138–164. [Google Scholar] [CrossRef]
Gonçalves, F.; Ribeiro, B.; Gama, O.; Santos, A.; Costa, A.; Dias, B.; Macedo, J.; Nicolau, M.J. A systematic review on intelligent intrusion detection systems for VANETs. In Proceedings of the 2019 11th International Congress on Ultra Modern Telecommunications and Control Systems and Workshops (ICUMT), Dublin, Ireland, 28–30 October 2019; pp. 1–10. [Google Scholar]
Bangui, H.; Buhnova, B. Recent advances in machine-learning driven intrusion detection in transportation: Survey. Procedia Comput. Sci. 2021, 184, 877–886. [Google Scholar] [CrossRef]
Pointcheval, D.; Stern, J. Security proofs for signature schemes. In Proceedings of the International Conference on the Theory and Applications of Cryptographic Techniques, Saragossa, Spain, 12–16 May 1996; pp. 387–398. [Google Scholar]
Hwang, J.Y.; Song, B.; Choi, D.; Jin, S.-H.; Cho, H.S.; Lee, M.-K.J.T.C.S. Simplified small exponent test for batch verification. Theor. Comput. Sci. 2017, 662, 48–58. [Google Scholar] [CrossRef]
Li, X.; Yin, X.; Ning, J. RelCLAS: A Reliable Malicious KGC-Resistant Certificateless Aggregate Signature Protocol for Vehicular Ad Hoc Networks. IEEE Internet Things J. 2023, 10, 21100–21114. [Google Scholar] [CrossRef]

Figure 1. Visual diagram of Xiong’s scheme.

Figure 2. Attacks on Xiong’s scheme.

Figure 3. (A) Visual diagram of our CHAM-HASH-based CLAS scheme; (B) Batch verification component of our CLAS scheme and proof of correctness.

Figure 4. Batch verification time (in milliseconds) for different values of n (number of signatures).

Table 1. Notations and definitions.

Notation	Definition
CA	Central Authority
CH	Chameleon Hash
C-ITS	Cooperative Intelligent Transportation System
CL	Certificateless (Scheme)
CLAS	Certificateless Aggregate Signature (Scheme)
CPPA	Conditional Privacy-Preserving Authentication
DSRC	Dedicated Short-Range Communications
EC(C)	Elliptic Curve (Cryptography)
ECDLP	Elliptic Curve Discrete Logarithm Problem
GS	Group Signature
IBC	Identity-Based Cryptography
IBV	Identity-Based Batch Verification (Scheme)
IDS	Intrusion Detection Systems
KGC	Key Generation Center
OBU	On-Board Unit
PKI	Public Key Infrastructure
PID	Pseudo-Identity
PWD	Password
RID	Real Identity
RSU	Roadside Unit
TA/TTP	Trusted Authority/Trusted Third Party
TPD	Tamper Proof Device
TRA/TRM	Tracing Authority/Tracing Manager
VANET	Vehicular Ad Hoc Network
V2I	Vehicle-to-Infrastructure
V2V	Vehicle-to-Vehicle
V2X	Vehicle-to-Everything

Table 2. Security requirements across domains in VANETs.

Security Domain	Security Requirement	Solutions	Description
Communication Layer	Authentication	Digital signatures, PKI	Verify the identity of vehicles and infrastructure units.
	Data integrity	HMAC, digital signatures	Ensure data have not been tampered with during transmission.
	Confidentiality	Encryption (e.g., AES)	Protect sensitive information from eavesdropping.
	Non-repudiation	Digital signatures	Prevent entities from denying their actions.
	Access control	Role-based access control	Restrict access to network resources based on permissions.
Network Layer	Routing security	Secure routing protocols	Prevent malicious routing and forwarding of data.
	DoS and DDoS mitigation	Rate limiting, intrusion detection	Defend against denial-of-service attacks.
	Secure neighbor discovery	Cryptographic neighbor discovery	Ensure vehicles can trust the identity of neighbors.
Application Layer	Vehicle-to-vehicle (V2V)	Secure communication protocols	Secure communication between vehicles.
	Vehicle-to-infrastructure (V2I)	Secure communication with RSUs	Ensure trust in roadside units.
	Location privacy	Pseudonym management, mixed zones	Protect the privacy of vehicle location information.
	Over-the-air updates	Code signing, secure channels	Ensure security when updating software/firmware.
Key Management	Key generation and storage	Hardware security modules, key vaults	Securely create and store cryptographic keys.
	Key distribution	PKI, certificate revocation lists	Safely share keys with authorized entities.
	Key revocation	Certificate revocation lists	Deactivate compromised or unauthorized keys.
Trust Management	Reputation systems	Trustworthiness metrics	Assess the trustworthiness of other network entities.
	Anomaly detection	Intrusion detection systems	Detect and respond to unusual network behavior.
Physical Layer	Jamming resistance	Frequency hopping, signal strength analysis	Protect against signal jamming attacks.
	Secure hardware	Hardware security modules	Ensure the security of on-board vehicle equipment.
Regulatory Compliance	Compliance with standards	Adherence to industry standards	Meet legal and industry standards for VANET security.
	Privacy regulations	Data anonymization, consent management	Adhere to data protection laws and regulations.
Lifecycle Management	Secure deployment	Secure boot process, firmware signing	Ensure secure VANET deployment and initial setup.
	Monitoring and auditing	Security information and event management (SIEM)	Continuously monitor and audit network activities.
	Incident response	Incident response plans	Develop procedures to respond to security incidents.

Table 3. CLAS scheme algorithms.

Algorithm	Inputs	Outputs	By	Notations
Setup	$1^{λ}$	$s, α, p p a$	$T A$	$1^{λ} :$ $Security Parameter$ $s : KGC \sec ret key$ $α : TRM \sec ret key$ $p p a : System Parameters$ $C, x : Chameleon Hash values$ $R I D_{i} : The real identity of vehicle V_{i}$ $p p k_{i} : Partial Sec ret Key$ $A_{i} : Partial Public Key$ $x_{i} : User Sec ret Key$ $u p k_{i} : User Public Key$ $t_{i} : Timestamp$ $M_{i} : Message$ $d : Decision$ $δ_{i}, U_{i} :$ Signature
PIDGen	$p p a, R I D_{i}$	$P I D_{i}$	$V_{i}$
PIDAuth	$p p a, P I D_{i}, C, x$	$D_{i}$	$T R M$
PKGen	$p p a, s, P I D_{i}$	$A_{i}, p p k_{i}$	$K G C$
UKGen	$p p a$	$x_{i}, u p k_{i}$	$V_{i}$
Sign	$p p a, I D_{i}, p p k_{i}, x_{i}, M_{i}$	$δ_{i}, U_{i}$	$V_{i}$
Verify	$p p a, I D_{i}, u p k_{i}, m_{i}, A_{i}, δ_{i}, U_{i}$	$d \in [0,1]$	$V_{j}$
Batch Verify	${p p a, (I D_{i}, u p k_{i}, m_{i}, A_{i}, δ_{i}, U_{i})}_{i = 1 \to n}$	$d \in [0,1$ ]	$V_{j}$

Table 4. CLAS scheme queries.

Query	Definition
Partial Key	$Given a user ’ s identity I D_{i}$ $, C$ $executes PKGen to obtain the partial key p p k_{i}, A_{i}$ $and sends it to A .$
User Key	$Given P I D_{i}$ $, C$ $invokes UKGen to obtain user key x_{i}, u p k_{i}$ $and sends it to A$ . $Note that C$ $will return ⊥$ $to A$ $if I D_{i}$ has already appeared in the Public Key Replace query.
Public Key Replace	$Upon receiving A$ $’ s query on P I D_{i}$ $, C$ $replaces (u p k_{i}, A_{i})$ $with (u p k_{i}^{'}, A_{i}^{'})$ $and returns (u p {k^{'}}_{i}, A_{i}^{'})$ $to A$ .
Sign	$Upon receiving A$ $’ s query on (P I D_{i}, m_{i})$ $, C$ $executes Sign to generate a signature δ_{i}, U_{i}$ $and returns it to A$ .
Key Corrupt	$Upon receiving this Query on P I D_{i}$ $, C$ $executes PKGen and UKGen to generate the \sec ret key (p p k_{i}, x_{i})$ $and returns it to A_{3 .}$
Aggregate Verify	$Upon receiving this query of δ$ $on {(P I D_{i}, A_{i}, u p k_{i}, m_{i}, U_{i})}_{i : 1 \to n}$ $, C$ $executes AggVerify to obtain a verification decision d \in [0,1]$ $and returns it to A_{3}$

Table 5. CLAS security games.

Phase	Game 1	Game 2	Game 3
$Adversary (A)$	$A_{1}$	$A_{2}$	$A_{3}$
Setup Phase	$A_{1}$ $receives p p a$	$A_{2}$ $receives s, p p a$	$A_{3}$ $receives p p a$
Query Phase	Partial Key, User Key, Public Key Replace, Sign	Partial Key, User Key, Sign	Key Corrupt, Aggregate Verify
Forgery	$A_{1}$ $outputs its forgery δ_{i}^{}, U_{i}^{}$ $for m_{i}^{}$ $under (P I D_{i}^{}, A_{i}^{}, u p k_{i}^{})$ .	$A_{2}$ $outputs its forgery δ_{i}^{}, U_{i}^{} f o r m_{i}^{} u n d e r$ $(P I D_{i}^{}, A_{i}^{}, u p k_{i}^{}) .$	$A_{3}$ $outputs a forgery δ^{}$ $on {(P I D_{i}^{}, U_{i}^{}, A_{i}, u p k_{i}^{}, m_{i}^{*})}_{i = 1 \to n}$ .
$A$ wins the game if	$(1) The signature δ_{i}^{}, U_{i}^{}$ $is valid on m_{i}^{}$ $under P I D_{i}^{}, A_{i}^{}$ $(2) P I D_{i}^{}$ $and (P I D_{i}^{}, m_{i}^{})$ have not been submitted to the Partial Key and Sign query, respectively.	$(1) The signature δ_{i}^{}, U_{i}^{}$ $is valid on m_{i}^{}$ $under P I D_{i}^{}, A_{i}^{}$ . $(2) P I D_{i}^{}$ $and (P I D_{i}^{}, m_{i}^{})$ have not been submitted to the User Key and Sign query, respectively.	$(1) All \sin gle signatures are compressed into the valid δ^{*}$ . (2) At least one single signature cannot pass through the verification equation.

Table 6. Query–response protocols between

A_{1}

and

B :

Table 6. Query–response protocols between

A_{1}

and

B :

Notation	$Query by A_{1}$	$B$ Checks	Exists	Does Not Exist
$Z_{2} = (P I D_{i}, A_{i})$	$H_{2} :$ Input: $Z_{2}$	$(Z_{2}, h_{2, i}) \in L_{2}$	Returns $h_{2, i}$ to $A_{1}$	Selects $h_{2, i} \in Z_{q}^{*}$ Adds $(Z_{2}, h_{2, i})$ to $L_{2}$ Returns $h_{2, i}$ to $A_{1}$
$Z_{3} = (M_{i}, P I D_{i}, t_{i}, u p k_{i})$	$H_{3} :$ Input $Z_{3}$	$(Z_{3}, h_{3, i}) \in L_{3}$	Returns $h_{3, i}$ to $A_{1}$	Selects $h_{3, i} \in Z_{q}^{*}$ Adds $(Z_{3}, h_{3, i})$ to $L_{3}$ Returns $h_{3, i}$ to $A_{1}$
$Z_{4} = (P I D_{i}, A_{i}, {p p k}_{i})$	$P a r t i a l K e y$ $Q u e r y :$ Input: $P I D_{i}$	$(P I D_{i} \neq P I D^{*})$ $Z_{4} \in L_{4}$	Returns $Z_{4}$ to $A_{1}$	Selects ${p p k}_{i}, h_{2, i} \in Z_{q}^{*}$ Sets $A_{i} = {p p k}_{i} P - h_{2, i} P_{P u b}$ Sets $h_{2, i} = H_{2} (A_{i}, I D_{i, 2})$ Adds $(I D_{i}, A_{i}, h_{2, i})$ to $L_{2}$ Adds $Z_{4}$ to $L_{4}$ Outputs $Z_{4}$
$Z_{5}^{'} = (I D_{i}, x_{i}, {u p k}_{i}, -, -)$	$U s e r K e y$ $Q u e r y :$ Input: $P I D_{i}$	$(P I D_{i} \neq P I D^{*})$ ${Z^{'}}_{5} \in L_{5}$	Returns $Z_{5}^{'}$ to $A_{1}$	Selects $x_{i} \in Z_{q}^{*}$ Computes $u p k_{i} = x_{i} P$ Adds $Z_{5}^{'}$ to $L_{5}$ Outputs $Z_{5}^{'}$
	$P u b K e y$ $Q u e r y :$ Input: $P I D_{i}$	Operates Partial key Query and User key Query. Returns $(u p k_{i}, A_{i})$ to $A_{1}$
$Z_{5} = (I D_{i}, x_{i}, {u p k}_{i}, ⊥, {u p k}_{i}^{'})$	$P u b K e y$ $R e p l a c e Q u e r y :$ Input: $P I D_{i}$	Finds $Z_{5}^{'}$ in $L_{5}$ Replaces with $Z_{5}$
	$S i g n Q u e r y :$ Input: $P I D_{i}, m_{i}$	$C h e c k s : (P I D_{i} \neq P I D^{})$ Traverses $L_{2 \to 5}$ to get $h_{2, i}, h_{3, i}, A_{i}, {u p k}_{i}$ respectively. Selects $δ_{i} \in Z_{q}^{}$ Computes $U_{i} = h_{4, i}^{- 1} (δ_{i} P - A_{i} - h_{3, i} u p k_{i} - h_{2, i} P_{P u b})$ Sends $σ_{i} = (δ_{i}, U_{i})$ to $A_{1}$

Table 7. Execution time of basic operations.

Symbol	Notation	Time (ms)
$T_{m_{e c c}}$	Scalar multiplication in ECC	0.3158
$T_{a_{e c c}}$	Addition in ECC	0.0026
$T_{h}$	Hash operation	0.0008

Table 8. Performance comparison of ECC-based CLAS schemes.

Scheme		$T_{m_{e c c}}$	$T_{a_{e c c}}$	$T_{h}$	Total
Zhao 2020 [12]	$S :$	$1$		$2^{*}$	$0.3174$
Zhao 2020 [12]	$B V :$	$2 n + 1^{*}$	$3 n^{*}$	$2 n^{*}$	$0.641 n + 0.3518$
Zhou 2023 [2]	$S :$	$1$		$2$	$0.3174$
Zhou 2023 [2]	$B V :$	$3 n + 1^{*}$	$3 n - 3^{*}$	$3 n$	$0.9576 n + 0.308$
Zhu 2023 [13]	$S :$	$1$		$2$	$0.3174$
Zhu 2023 [13]	$B V :$	$3 n + 2^{*}$	$3 n^{*}$	$3 n$	$0.9576 n + 0.6316$
Li 2020 [14]	$S :$	$1$		$3$	$0.3182$
Li 2020 [14]	$B V :$	$2 n + 3^{*}$	$2 n^{*}$	$3 n$	$0.6392 n + 0.9474$
Li 2023 [21]	$S :$	$4^{*}$	$1^{*}$	$1^{*}$	$1.4106$
Li 2023 [21]	$B V :$	$2 n + 2$	$3 n$	$3 n$	$0.6418 n + 0.6316$
Thumbur 2020 [15]	$S :$	$1$		$2$	$0.3174$
Thumbur 2020 [15]	$B V :$	$2 n + 1$	$3 n - 1$	$2 n^{*}$	$0.641 n + 0.3132$
Xiong 2022 [6]	$S :$	$1^{*}$		$1^{*}$	$0.3166$
Xiong 2022 [6]	$B V :$	$3 n + 1^{*}$	$2 n - 1^{*}$	$2$	$0.9542 n + 0.3148$
Our scheme	$S :$	$1$		$1$	$0.3166$
Our scheme	$B V :$	$3 n + 2$	$3 n$	$n$	$0.956 n + 0.6316$

n: number of operations. Time is measured in milliseconds.

Disclaimer/Publisher’s Note: The statements, opinions and data contained in all publications are solely those of the individual author(s) and contributor(s) and not of MDPI and/or the editor(s). MDPI and/or the editor(s) disclaim responsibility for any injury to people or property resulting from any ideas, methods, instructions or products referred to in the content.

© 2024 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (https://creativecommons.org/licenses/by/4.0/).

Share and Cite

MDPI and ACS Style

Kabil, A.; Aslan, H.; Azer, M.A.; Rasslan, M. CHAM-CLAS: A Certificateless Aggregate Signature Scheme with Chameleon Hashing-Based Identity Authentication for VANETs. Cryptography 2024, 8, 43. https://doi.org/10.3390/cryptography8030043

AMA Style

Kabil A, Aslan H, Azer MA, Rasslan M. CHAM-CLAS: A Certificateless Aggregate Signature Scheme with Chameleon Hashing-Based Identity Authentication for VANETs. Cryptography. 2024; 8(3):43. https://doi.org/10.3390/cryptography8030043

Chicago/Turabian Style

Kabil, Ahmad, Heba Aslan, Marianne A. Azer, and Mohamed Rasslan. 2024. "CHAM-CLAS: A Certificateless Aggregate Signature Scheme with Chameleon Hashing-Based Identity Authentication for VANETs" Cryptography 8, no. 3: 43. https://doi.org/10.3390/cryptography8030043

Article Menu

CHAM-CLAS: A Certificateless Aggregate Signature Scheme with Chameleon Hashing-Based Identity Authentication for VANETs

Abstract

1. Introduction

2. Related Works

3. Background

3.1. VANET Security Requirements

3.2. Cryptographic Preliminaries

3.3. Network Model

4. Xiong’s Scheme: Description, Cryptanalysis, and Our Proposed Improved Scheme

4.1. Overview of Xiong’s Scheme

4.2. Cryptanalysis

4.3. Our Improved Scheme

5. Security Analysis

5.1. Definition of CLAS

5.2. Security Models of CLAS

5.3. Security Proof

6. Performance Analysis of Comparable CLAS Schemes

7. Conclusions and Future Work

Author Contributions

Funding

Data Availability Statement

Conflicts of Interest

References

Share and Cite

Article Metrics

Article Access Statistics

Further Information

Guidelines

MDPI Initiatives

Follow MDPI