Open AccessArticle

A Conditional Privacy-Preserving Identity-Authentication Scheme for Federated Learning in the Internet of Vehicles

Shengwei Xu

^1,* and

Runsheng Liu

Institute of Information Security, Beijing Electronic Science and Technology Institute, Beijing 100070, China

Department of Cryptography Science and Technology, Beijing Electronic Science and Technology Institute, Beijing 100070, China

Author to whom correspondence should be addressed.

Entropy 2024, 26(7), 590; https://doi.org/10.3390/e26070590

Submission received: 4 June 2024 / Revised: 27 June 2024 / Accepted: 4 July 2024 / Published: 10 July 2024

(This article belongs to the Section Information Theory, Probability and Statistics)

Download

Browse Figures

Versions Notes

Abstract

With the rapid development of artificial intelligence and Internet of Things (IoT) technologies, automotive companies are integrating federated learning into connected vehicles to provide users with smarter services. Federated learning enables vehicles to collaboratively train a global model without sharing sensitive local data, thereby mitigating privacy risks. However, the dynamic and open nature of the Internet of Vehicles (IoV) makes it vulnerable to potential attacks, where attackers may intercept or tamper with transmitted local model parameters, compromising their integrity and exposing user privacy. Although existing solutions like differential privacy and encryption can address these issues, they may reduce data usability or increase computational complexity. To tackle these challenges, we propose a conditional privacy-preserving identity-authentication scheme, CPPA-SM2, to provide privacy protection for federated learning. Unlike existing methods, CPPA-SM2 allows vehicles to participate in training anonymously, thereby achieving efficient privacy protection. Performance evaluations and experimental results demonstrate that, compared to state-of-the-art schemes, CPPA-SM2 significantly reduces the overhead of signing, verification and communication while achieving more security features.

Keywords:

federated learning; Internet of Vehicles; authentication; certificateless-based cryptography

1. Introduction

With the rapid development of intelligent transportation systems and Internet of Things (IoT) technology, the Internet of Vehicles (IoV) has become an essential component of smart cities [1]. IoV enables real-time sharing of traffic information and intelligent coordination of vehicles through communication between vehicles and between vehicles and infrastructure. Additionally, with the advancement of machine learning technology, many automotive companies are leveraging machine learning in the IoV to provide more intelligent and efficient services to users [2]. By collecting a large amount of vehicle data to train models, they offer applications such as autonomous driving and traffic flow prediction [3]. However, traditional centralized model training requires gathering vehicle data to the central server for training. Since this vehicle data often contains a significant amount of personal information, such as driving habits, travel routes, home and work locations, many users are concerned about privacy breaches and are reluctant to send their data to the central server [4]. Moreover, recent data security regulations prohibit automotive companies from collecting user data without authorization. To address these privacy concerns, federated learning (FL) has emerged as a solution [5]. FL is a decentralized machine learning approach where multiple clients (such as smartphones, vehicles or other devices) collaboratively train a shared model under the orchestration of a central server while keeping the data localized [6]. Instead of sending raw data to a central server, each client processes the data locally and only shares the model updates (like gradients or parameters) with the central server. The server then aggregates these updates to form a global model. Currently, FL has been widely applied in various IoV scenarios, such as trajectory prediction, advanced driver-assistance systems and traffic flow prediction and management [7].

Although FL addresses the issue of data silos, researchers have found that without proper protection of the transmitted model parameters, attackers can still infer privacy information about user data [8]. Additionally, during the aggregation of parameters by the central server, there is a risk that the server may attempt to infer original data information from the uploaded model parameters. Moreover, due to the open nature of the IoV, attackers can easily eavesdrop on and manipulate messages transmitted between vehicles, gaining access to the vehicles’ real identities and further tracking their behaviors, posing a threat to user privacy [9].

To address the issue of privacy leakage in federated learning, existing solutions are mainly categorized into differential privacy (DP) [10,11,12] and encryption techniques [13,14,15,16,17,18]. DP protects the privacy of original data by adding random noise to model parameters. Wei et al. [10] proposed a differential privacy-based federated learning framework, which achieves different levels of differential privacy protection by adding artificial noise to client parameters before aggregation. Zhao et al. [11] combined DP with federated learning, proposing four localized differential privacy mechanisms to perturb gradients generated by vehicles, thereby preventing privacy leakage. Zhou et al. [12] achieved high-level privacy protection by adding noise and theoretically proved the convergence of their algorithm. Although DP-based solutions have been extended to all machine learning algorithms in deep learning, the added random noise can degrade model accuracy and extend the model convergence time. Encryption-based solutions can be divided into homomorphic encryption and secure multiparty computation (SMC). Zhou et al. [13] combined differential privacy, blinding and Paillier homomorphic encryption to resist model attacks and achieve secure aggregation of model parameters. Ma et al. [14] proposed a dual-trapdoor homomorphic encryption scheme, ShieldFL, which can defend against model poisoning attacks and protect privacy. They also introduced a secure cosine similarity method for Byzantine-robust aggregation. Hijazi et al. [15] introduce four different fully homomorphic encryption (FHE)-based methods for FL, which securely transmit model parameters in encrypted form, thereby enhancing robust privacy and security protection. Zhang et al. [16] present a lightweight dual-server secure aggregation protocol based on secret sharing, achieving both privacy protection and Byzantine robustness. A typical example is secret sharing. This method reduces computational overhead compared to homomorphic encryption but increases the number of communication rounds and communication overhead, thereby hindering the training efficiency of federated learning. Furthermore, encryption-based solutions prevent the cloud server from directly accessing plaintext local model parameters during aggregation. This hinders integration with Byzantine-robust federated learning defense mechanisms [17,18], as existing Byzantine-robust defense mechanisms focus on computing similarities directly on plaintext model parameters. Therefore, it is necessary to research a privacy-preserving federated learning solution suitable for the IoV that can balance efficiency and practicality.

To ensure the authenticity and integrity of communication data in the IoV, many identity-authentication protocols have been proposed [19]. Currently, existing identity-authentication protocols in the IoV can be primarily categorized into three types: public key infrastructure-based (PKI-based) [20], identity-based (ID-based) [21,22,23,24] and certificateless-based [25,26,27,28]. PKI-based identity-authentication protocols bind a vehicle’s identity to its public key through digital certificates. Vehicles use their private keys to sign messages, and verifiers use the public keys from the vehicle’s digital certificates to verify the signatures. The main drawback of this method is the significant storage and maintenance overhead associated with managing a large number of digital certificates and certificate revocation lists. Identity-based authentication protocols directly use the vehicle’s identity information as the public key, thereby avoiding the overhead of certificate management and maintenance. Zhao et al. [22] proposed an identity-based federated learning collaborative authentication protocol for shared data, achieving efficient anonymous authentication and key agreement between vehicles and other entities. Zhang et al. [23] proposed an ID-based conditional privacy-preserving identity-authentication scheme that does not require bilinear pairings or hash-to-point operations, enabling efficient vehicle authentication. Kanchan et al. [24] proposed a federated learning algorithm based on group signatures, enhancing the protection of node identities. Although ID-based identity-authentication schemes can achieve efficient vehicle authentication, they have the issue of key escrow. Therefore, certificateless identity-authentication schemes have been proposed as a promising solution. However, this approach has a key escrow problem, as the Trusted Authority (TA) has full control over the vehicle’s private keys and can generate legitimate signatures for any vehicle. To address the key escrow issue, certificateless authentication protocols have been proposed. In these protocols, a vehicle’s private key consists of two parts: one part is a secret value selected by the vehicle itself, and the other part is a partial private key generated by TA. Lin et al. [25] proposed a certificateless authentication and key agreement protocol for IoV based on blockchain. This protocol utilizes the decentralized architecture of blockchain to achieve decentralized trusted third-party services, thus mitigating issues such as single-point failure and the risk of trusted third-party disclosure. It aims to achieve efficient authentication between vehicles. Jiang et al. [26] proposed a certificateless anonymous identity-authentication scheme, which aims to anonymize the relationship between terminal identities and data. However, the use of bilinear pairing operations affects authentication efficiency. Ma et al. [27] extended Jiang’s work by proposing a certificateless identity-authentication scheme that does not require bilinear pairing operations and supports batch verification. However, this scheme lacks dynamic member-management capabilities, and the pseudonyms generated by vehicles cannot be dynamically updated. Currently, most existing certificateless authentication protocols use bilinear pairing operations or do not support batch verification, leading to low authentication efficiency. Additionally, most certificateless authentication protocols are independently designed and are not integrated with existing international standard cryptographic algorithms, making them inconvenient for practical application and widespread adoption. Therefore, it is necessary to study an efficient authentication protocol to establish a secure communication environment for the IoV.

To address the aforementioned challenges, we propose a conditional privacy-preserving authentication scheme called CPPA-SM2, which provides secure authentication and privacy protection for vehicle communication and federated learning in the IoV. Specifically, it is based on the fact that if vehicles send messages and participate in training anonymously, even if attackers or the cloud server obtain the plaintext local model parameters and infer some data information, they cannot associate this information with a specific real vehicle identity, thus achieving privacy protection. Our main contributions are as follows:

We propose a Conditional Privacy-Preserving Authentication scheme, CPPA-SM2, and integrate it with federated learning. Vehicles participate in federated learning training anonymously, obfuscating the link between local model parameters and the vehicle’s real identity, thus achieving privacy protection. Unlike existing privacy-preserving federated learning schemes, it does not require time-consuming encryption operations or add random noise that affects model performance. It maintains the efficiency of federated learning and has the potential to be integrated with Byzantine-robust defense mechanisms.
CPPA-SM2 is a certificateless identity-authentication scheme based on Elliptic Curve Cryptography, SM2 and the Chinese Remainder Theorem. It can verify the authenticity and integrity of the local model parameters uploaded by vehicles and supports batch verification. Unlike existing certificateless identity-authentication schemes, it integrates with the standard SM2 digital signature algorithm, facilitating practical application. Dynamic member management is achieved through the Chinese Remainder Theorem. When a malicious vehicle is detected in the system, TA can use the system master secret key to trace its real identity and then revoke it from the federated learning system.
We conducted a security proof and an informal security analysis of the CPPA-SM2 scheme. Additionally, we evaluated its performance through experiments and compared it with other schemes. The experimental results show that CPPA-SM2 can achieve efficient and secure authentication for vehicles while providing privacy protection for federated learning.

The remainder of this paper is organized as follows. Section 2 presents the notation definitions, mathematical background, system model, threat model, security model and design objectives. Section 3 details the implementation of the CPPA-SM2 scheme. Section 4 provides the correctness and security proof of the CPPA-SM2 scheme along with an informal security analysis. Section 5 evaluates the performance of the CPPA-SM2 scheme and compares it with other schemes. Section 6 concludes the paper.

2. Preliminaries

In this section, we mainly introduce the preliminary knowledge, system model, threat model, security model and design goals. The relevant symbols used in this paper are explained in Table 1.

2.1. Chinese Remainder Theorem

The Chinese Remainder Theorem (CRT) [23,28] is a theorem of number theory that allows one to solve systems of simultaneous congruences with different moduli. It asserts that if one knows the remainders of the division of an integer by several pairwise coprime integers, then one can determine uniquely the remainder of the division of that integer by the product of these integers, under certain conditions.

Let

s k_{1}, s k_{2}, \dots, s k_{n}

be pairwise co-prime positive numbers and

l_{1}, l_{2}, \dots l_{n}

be any given

n

positive integers. Then, CRT asserts that the following simultaneous congruence equation

X \equiv l_{1} \mod s k_{1}, X \equiv l_{2} \mod s k_{2}, \dots, X \equiv l_{n} \mod s k_{n}

(1)

has a unique solution

X

module

θ

, where

θ = s k_{1} s k_{2} \dots s k_{n} = \prod_{i = 1}^{n} s k_{i}

, and the

X

can be obtained by the following equation:

X = \sum_{i = 1}^{n} l_{i} a_{i} b_{i} (\mod θ),

(2)

where

a_{i} = θ / s k_{i}

and

b_{i} = {(a_{i})}^{- 1} \mod s k_{i}

2.2. Elliptic Curve Cryptosystem

Consider a finite field

F_{p}

determined by a prime number

p

. Let

E (F_{p})

be a set of elliptic curve points over

F_{p}

defined by the equation

y^{2} = x^{3} + a x + b \mod p

, where

a, b \in F_{p}

and

(4 a^{3} + 27 b^{2}) \mod p \neq 0

. The elliptic curve

E (F_{p})

includes both scalar multiplication and point addition operations.

G

is an additive cyclic group with order

q

. The Elliptic Curve Discrete Logarithm Problem (ECDLP) is defined as follows: Given two random points

P, Q \in G

on elliptic curve

E (F_{p})

, where

Q = x P, x \in Z_{q}^{*}

, it has been proven that calculating

x

from

Q

is computationally difficult. In other words, it is infeasible to find

x

in polynomial time with a non-negligible probability [29,30].

2.3. SM2 Digital Signature Algorithm

The SM2 digital signature algorithm [31] is a public key cryptographic algorithm based on elliptic curve cryptography, developed by the Chinese State Cryptography Administration. It is part of the Chinese National Standards (GB/T 32918.1-2016) [32] and is widely used for secure communications in China. The SM2 digital signature algorithm consists of three main phases: Key Generation, Signature Generation and Signature Verification.

Key Generation $(p a r a m s) \to (d_{A}, P_{A})$ : Assume the signer of the message is user $A$ . TA chooses the elliptic curve parameters $p a r a m = (p, a, b, q, G)$ , selects a random integer $d_{A} \in [1, n - 1]$ as the private key and calculates the public key $P_{A} = d_{A} G$ for user $A$ .
Signature Generation $(p a r a m s, m, d_{A}) \to σ_{A}$ : Given a message $m$ . $A$ computes $Z_{A} = H (l e n_{I D_{A}} | | I D_{A} | | a | | b | | G | | P_{A})$ and $e_{A} = H (Z_{A} | | m)$ , where $l e n_{I D_{A}}$ represents two bytes converted from the bit length of user $A$ ’s identity $I D_{A}$ , $a$ and $b$ are elements in $F_{p}$ that define an elliptic curve over $E (F_{p})$ , $G$ denotes the base point in the elliptic curve group $G$ and $P_{A}$ denotes user $A$ ‘s public key. Then, $A$ randomly chooses $k_{A} \in [1, n - 1]$ , calculates $K_{A} = k_{A} \cdot G = (x_{1}, y_{1})$ and $r_{A} = (e_{A} + x_{1}) \mod q$ . Finally $A$ calculates $s_{A} = (k_{A} - r_{A} \cdot d_{A}) / (1 + d_{A}) \mod q$ , where $d_{A}$ denotes user $A$ ’s private key. User $A$ ’s signature on the message $m$ is $σ_{A} = (r_{A}, s_{A})$ .
Signature Verification $(p a r a m s, m, σ_{A}, P_{A}) \to t r u e o r f a l s e$ : Assume the verifier of the signature $σ_{A}$ is user $B$ . Given user $A$ ’s signature $σ_{A} = (r_{A}, s_{A})$ on message $m$ , if $r_{A} \notin [1, n - 1] o r s_{A} \notin [1, n - 1]$ , $B$ outputs false and exits. Then $B$ computes $Z_{A} = H (l e n_{I D_{A}} | | I D_{A} | | a | | b | | G | | P_{A})$ , $e_{A} = H (Z_{A} | | m)$ and calculates $t_{A} = (r_{A} + s_{A}) \mod q$ . If $t_{A} = 0$ , $B$ outputs false and exits. Finally, $B$ calculates $s_{A} G + t_{A} P_{A} = (x_{_{1}}^{’}, y_{_{1}}^{’}) = K_{A}^{’}$ and $R = (e_{A} + x_{1}^{’}) \mod q$ . If $R = r_{A}$ , $B$ outputs true; otherwise, it outputs false.

2.4. System Model

In the IoV, a federated learning system primarily includes four entities: a trusted authority (TA), cloud server (CS), roadside units (RSUs) and vehicles, as shown in Figure 1.

TA: This is a trusted third party, typically the traffic-management department. It is primarily responsible for system initialization, registration of vehicles and RSUs, generating related keys for them and managing identities. In this paper, when a malicious vehicle uploads false local model parameters or forges identity information, the TA can trace its real identity and revoke it from the system.

Vehicles: These are the data owners and participants in federated learning. They use their locally collected data to train the global model received from CS, and then upload the local model parameters. In this paper, vehicles participate in federated learning using pseudonyms, sign the locally trained model parameters and then send them to the nearby RSU.

RSUs: These verify the authenticity and integrity of the local model parameters uploaded by vehicles. They use the FedAvg algorithm [5] to perform local aggregation on these parameters to obtain local aggregation results, which are then uploaded to the cloud server for global aggregation. Additionally, they broadcast the global model issued by TA to the vehicles within their communication range.

CS: Upon receiving the local aggregation results uploaded by RSUs, CS uses FedAvg to perform global aggregation to obtain the global model for the next round of training. The new global model is then distributed to the vehicles to begin the next training round. Through multiple iterations, the performance of the global model can be improved, enabling the cloud server to utilize the results for practical predictions, judgments and applications.

2.5. Threat Model and Security Model

In the threat model, CS and RSUs are considered honest-but-curious. This means they will honestly follow the protocol to verify vehicle identities and the authenticity and integrity of model parameters, and they will aggregate local models to obtain the global model [33]. However, they are curious about the private data owned by the vehicles and may attempt to recover the vehicles’ original data and reveal their true identities by analyzing the received model parameters. Therefore, they might pose a threat to vehicle privacy. Vehicles may be malicious and can launch free-riding attacks and data-poisoning attacks by uploading false model parameters. They may also forge identities and signatures to attempt to have fake messages successfully authenticated by RSUs. Additionally, they might try to infer the privacy information of other vehicles. Attackers can fully control the wireless communication channels between vehicles, RSUs, TA and CS. They can intercept messages on the channel, tamper with messages, replay old messages and attempt to impersonate other vehicles to send messages [34].

Based on the aforementioned threats and the certificateless signature security model [27,28,30], our proposed security model is as follows. The hash functions used in this model are assumed to be random oracles.

In the security model, we consider two types of adversaries,

A_{I}

and

A_{I I}

A_{I}

can launch public key-replacement attacks but cannot access system master secret key

s

A_{I I}

can access the system master secret key but cannot perform public key-replacement attacks. Both types of adversaries will engage in two separate games with the challenger

C

Game 1: This security game is executed between

A_{I}

and

C

C

initializes the system using the security parameter

λ

generating system master secret key

s

and system public parameters

p a r a m

C

secretly keeps

s

and sends the public parameters to

A_{I}

A_{I}

can perform the following queries.

-: Hash queries: Upon receiving a query from $A_{I}$ , $C$ returns the corresponding hash values to $A_{I}$ .
-: Partial-Private-Key-Extract-queries: Upon receiving a query with a pseudonym $P I D_{i}$ , $C$ returns the partial private key $y_{i}$ of the vehicle to $A_{I}$ .
-: Public-Key-Extract-queries: Upon receiving a query with a pseudonym $P I D_{i}$ , $C$ returns the public key $(X_{i}, Y_{i})$ of the vehicle to $A_{I}$ .
-: Secret-Value-Extract-queries: Upon receiving a query with a pseudonym $P I D_{i}$ , $C$ returns the secret value $x_{i}$ of the vehicle to $A_{I}$ .
-: Public-Key-Replace-queries: Upon receiving a query with $(P I D_{i}, (X_{i}^{’}, Y_{i}^{’}))$ , $C$ replaces public key with the new public key $(X_{i}^{’}, Y_{i}^{’})$ .
-: Sign queries: After receiving a query from $A_{I}$ with ${P I D_{i, 1}, P I D_{i, 2}, M_{i}, T_{i}}$ , $C$ responds with a signature $σ_{i}$ .
-: Forgery: Once $A_{I}$ has completed the desired queries, it outputs ${M_{i}^{*}, P I D_{i, 1}^{*}, P I D_{i, 2}^{*}, T_{i}^{*}, σ_{i}^{*}}$ under the pseudo identity $P I D_{_{i}}^{*}$ . $A_{I}$ wins the game if the following conditions are met:
-: $σ_{i}^{*}$ passes verification.
-: Partial-Private-Key-Extract-queries oracle has not received the request with $P I D_{i}^{*}$ .
-: Sign queries oracle has not received the request with ${M_{i}^{*}, P I D_{i, 1}^{*}, P I D_{i, 2}^{*}, T_{i}^{*}}$ .

Definition 1.

CPPA-SM2 is existentially unforgeable under adaptive chosen-identity and chosen-message attacks if no polynomial-time adversary

A_{I}

can win the above game with non-negligible advantage.

Game 2: This security game is executed between

A_{I I}

and

C

C

initializes the system using the security parameter

λ

generating system master secret key

s

and system public parameters

p a r a m

C

sends them to

A_{I I}

-: Query: $A_{I I}$ can perform all the queries from Game 1 except for Public-Key-Replace-queries.
-: Forgery: Once $A_{I I}$ has completed the desired queries, it outputs ${M_{i}^{*}, P I D_{i, 1}^{*}, P I D_{i, 2}^{*}, T_{i}^{*}, σ_{i}^{*}}$ under the pseudo identity $P I D_{_{i}}^{*}$ . $A_{I I}$ wins the game if the following conditions are met:
-: $σ_{i}^{*}$ passes verification.
-: Secret-Value-Extract-queries oracle has not received the request with $P I D_{i}^{*}$ .
-: Sign queries oracle has not received the request with ${M_{i}^{*}, P I D_{i, 1}^{*}, P I D_{i, 2}^{*}, T_{i}^{*}}$ .

Definition 2.

CPPA-SM2 is existentially unforgeable under adaptive chosen-identity and chosen-message attacks if no polynomial-time adversary

A_{I I}

can win the above game with non-negligible advantage.

2.6. Design Goals

Under the security model, CPPA-SM2 primarily has the following design goals:

Anonymity and Privacy-Preserving: CPPA-SM2 should protect the privacy of vehicles participating in federated learning training. No entity other than TA should be able to infer the true identity of the vehicles.

Authenticity and Integrity: CPPA-SM2 should ensure that the local model parameters received by RSUs are from legitimate vehicles and that they have not been tampered with during transmission.

Un-linkability: Attackers cannot link any two messages sent by the same vehicle.

Un-forgeability: Attackers cannot forge signatures of other vehicles on messages, allowing RSUs to successfully verify the signatures.

Non-repudiation: Once a vehicle uploads local model parameters and they are authenticated, the vehicle cannot deny its contribution to the global model.

Forward Security: When a vehicle joins a group, it cannot access communications that occurred before its joining, meaning it cannot participate in previous federated learning training processes of the group.

Backward Security: When a vehicle leaves the group or is revoked by the TA, it cannot participate in the current model training process or access communications that occur after its departure from the group.

In addition to achieving the aforementioned security goals, CPPA-SM2 should also have efficient authentication efficiency and lower communication overhead to adapt to the communication environment of IoV. In particular, when a large number of vehicles participate in federated learning training, RSUs should be able to authenticate them in batches.

3. The Proposed Scheme

In this section, we present a certificateless conditional privacy-preserving identity-authentication protocol based on CRT and the SM2 digital signature algorithm, named CPPA-SM2. CPPA-SM2 aims to provide privacy protection for vehicles participating in federated learning. It consists of five phases: system initialization, registration, message sign, message verification and group member management. First, TA initializes the system and publishes the system’s public parameters. Then, vehicles and RSUs register with TA before participating in communications. Through registration, they obtain the public and private keys required for subsequent communications. In the message signing phase, vehicles train a model based on their local datasets and then sign the local model parameters before sending them to RSU. RSU, upon receiving the local model parameters from nearby vehicles, verifies the signatures and aggregates the verified local model parameters to obtain a local aggregation result. RSU then sends this local aggregation result to CS for global aggregation, resulting in the next round of the global model. If a malicious vehicle is detected uploading malicious model parameters or forging signatures, TA can trace its identity and revoke it from the system. The overall workflow of CPPA-SM2 is illustrated in Figure 2 and Protocol 1. The details of the scheme are as follows.

Protocol 1 CPPA-SM2

①: System Initialization

For TA:
1: Use

λ

to generate two large prime numbers

p

and

q

.
2: Randomly select

s \in Z_{q}^{*}

and calculates

P_{p u b} = s \cdot G

.
3: Choose five one-way hash functions

H_{i} = {0, 1}^{*} \to Z_{q}^{*}, i = 1, 2, 3, 4, 5

.
4: Publish

p a r a m = {p, q, E (F_{p}), G, G, Z_{q}^{*}, P_{p u b}, H_{1}, H_{2}, H_{3}, H_{4}, H_{5}}

②: Registration

For each vehicle:
1:

V_{i}

randomly selects

x_{i} \in Z_{q}^{*}

, calculates

X_{i} = x_{i} \cdot G

and send

(R I D_{i}, X_{i})

to TA.
2: Upon receiving

(R I D_{i}, X_{i})

, TA calculates

h_{i} = H_{1} (X_{i} | | P_{p u b})

y_{i} = s \cdot h_{i}

Y_{i} = y_{i} \cdot G

and randomly selects

s k_{i} \in Z_{q}^{*}

. Then, TA sends

y_{i}

Y_{i}

and

s k_{i}

V_{i}

.
3:

V_{i}

sets

(X_{i}, Y_{i})

(x_{i}, y_{i})

and

s k_{i}

.
For each RSU:
1:

R S U_{j}

sends

I D_{R S U j}

to TA.
2: TA generates a pair of public and private keys

(s k_{R S U_{j}}, p k_{R S U_{j}})

and sends them to

R S U_{j}

.
3.

R S U_{j}

sets

(s k_{R S U_{j}}, p k_{R S U_{j}})

.
For TA:
1: Calculate

θ = \prod_{i = 1}^{n} s k_{i}

a_{i} = θ / s k_{i}

b_{i} = {(a_{i})}^{- 1} \mod s k_{i}

and set

c_{i} = a_{i} \cdot b_{i}

u = \sum_{i = 1}^{n} c_{i}

.
2: Randomly pick a group key

K \in Z_{q}^{*}

and calculate the group public key

β = K \cdot u

and

D_{p u b} = K \cdot G

.
3: Sign

β

D_{p u b}

and the

K

’s valid period

T_{K}

using its private key

s k_{T A}

and broadcast the information

{β, D_{p u b}, S I G_{s k_{T A}} (β | | D_{p u b} | | T_{K})}

to vehicles and RSUs in

C_{n}

③: Message Sign

For each vehicle:
1:

V_{i}

trains the global model

W_{g l o b a l}^{t}

using its local dataset

D_{i}

to obtain the local model parameters

W_{i}^{t}

.
2:

V_{i}

randomly selects

c_{i} \in Z_{q}^{*}

to generate a pseudo identity

P I D_{i} = (P I D_{i, 1}, P I D_{i, 2})

, where

P I D_{i, 1} = c_{i} \cdot G

and

P I D_{i, 2} = R I D_{i} \oplus H_{2} (c_{i} \cdot P_{p u b})

.
3:

V_{i}

calculates

Z_{i} = H_{3} (l e n_{P I D_{i, 2}} | | P I D_{i, 2} | | a | | b | | G | | X_{i})

φ_{i} = H_{4} (P I D_{i, 1} | | T_{i})

and

s g k_{i} = y_{i} + Z_{i} \cdot K + x_{i} \cdot φ_{i}

.
4:

V_{i}

randomly selects

k_{i} \in Z_{q}^{*}

, calculates

K_{i} = k_{i} \cdot G = (x_{1}, y_{1})

e_{i} = H_{5} (Z_{i} | | W_{i}^{t} | T_{i})

r_{i} = e_{i} + x_{1} \mod q

and

s_{i} = {(1 + s g k_{i})}^{- 1} \cdot (k_{i} - r_{i} \cdot s g k_{i}) \mod q

.
5.

V_{i}

obtains the signature

σ_{_{i}}^{t} = (r_{i}, s_{i})

W_{i}^{t}

and sends messages

{W_{_{i}}^{t}, σ_{_{i}}^{t}, (X_{i}, Y_{i}), P I D_{i}, T_{i}}

to the nearby

R S U_{j}

④: Message Verification

For each RSU:
1: Upon receiving the messages

{W_{_{i}}^{t}, σ_{_{i}}^{t}, (X_{i}, Y_{i}), P I D_{i}, T_{i}}

from

V_{i}

R S U_{j}

first checks the validity of timestamp. If

Δ T \geq T_{a} - T_{i}

, where

T_{a}

represents the arrival time, continues; otherwise, discards.
2:

R S U_{j}

calculates

Z_{i} = H_{3} (l e n_{P I D_{i, 2}} | | P I D_{i, 2} | | a | | b | | G | | X_{i})

e_{i} = H_{5} (Z_{i} | | W_{i}^{t} | | T_{i})

φ_{i} = H_{4} (P I D_{i, 1} | | T_{i})

t_{i} = r_{i} + s_{i} \mod q

and

K_{_{i}}^{’} = (x_{1}^{’}, y_{1}^{’}) = s_{i} \cdot G + t_{i} \cdot [Y_{i} + Z_{i} \cdot D_{p u b} + φ_{i} \cdot X_{i}]

.
3:

R S U_{j}

checks the equality of

R = e_{i} + x_{1}^{’} = r_{i}

for authentication and validity.
4:

R S U_{j}

uses the FedAvg algorithm to locally aggregate the verified local model parameters

{W_{_{1}}^{t}, W_{_{2}}^{t}, \dots, W_{_{n}}^{t}}

, producing a local aggregation result

W_{R S U_{j}}^{t} \leftarrow F e d A v g (W_{i}^{t}, n)

.
5:

R S U_{j}

signs this result with its private key and sends messages

{W_{R S U_{j}}^{t}, S I G_{s k_{R S U_{j}}} (W_{R S U_{j}}^{t})}

to CS.
For CS:
1: CS performs a global aggregation on the verified local aggregation results

{W_{R S U_{1}}^{t}, W_{R S U_{2}}^{t}, \dots, W_{R S U_{m}}^{t}}

to obtain the global model

W_{g l o b a l}^{t + 1} \leftarrow F e d A v g (W_{R S U_{j}}^{t}, m)

.
2: CS signs the global model with its private key and sends messages

{W_{g l o b a l}^{t + 1}, S I G_{s k_{C S}} (W_{g l o b a l}^{t + 1})}

to the vehicles within the communication group via RSUs.

⑤: Group Member Management

Trace:
1: TA uses the system’s master private key

s

to recover the vehicle’s true identity

R I D_{i} = P I D_{i, 2} \oplus H_{2} (s \cdot P I D_{i, 1})

.
Revoke:
1. TA first removes

c_{i}

related to

V_{i}

from

u

by computing

u^{’} = u - c_{i}

.
2: TA randomly selects a new group key

K^{’} \in Z_{q}^{*}

, calculates new group public keys

β^{’} = K^{’} \cdot u^{’}

and

D_{p u b}^{’} = K^{’} \cdot G

, and broadcasts the updated information

{β^{’}, D_{p u b}^{’}, S I G_{s k_{T A}} (β^{’} | | D_{p u b}^{’} | | T_{K^{’}})}

to vehicles and RSUs in

C_{n}

.
Add:
1. TA randomly selects a new group key

K^{’} \in Z_{q}^{*}

and calculates

θ^{’} = θ \cdot f_{i}

a_{i}^{’} = θ^{’} / f_{i}

b_{i}^{’} = {(a_{i}^{’})}^{- 1} \mod s k_{i}

c_{i}^{’} = a_{_{i}}^{’} \cdot b_{_{i}}^{’}

and

u^{’} = \sum_{i = 1}^{n} c_{i}^{’}

.
2. TA computes new group public keys

β^{’} = K^{’} \cdot u^{’}

and

D_{p u b}^{’} = K^{’} \cdot G

, and broadcasts the updated information

{β^{’}, D_{p u b}^{’}, S I G_{s k_{T A}} (β^{’} | | D_{p u b}^{’} | | T_{K^{’}})}

C_{n}

3.1. System Initialization

TA uses a security parameter

λ

to generate two large prime numbers

p

and

q

, where

p > q

q \leq ⌈p / 4⌉

. Let

E (F_{p})

denote an elliptic curve over the finite field

F_{p}

and

G

denote a base point on the elliptic curve

E (F_{p})

with order

q

. Let

G

be an additive cyclic group generated by

G

. TA randomly selects

s \in Z_{q}^{*}

as the system master secret key and calculates the system public key

P_{p u b} = s \cdot G

. Then, TA chooses five one-way hash functions

H_{i} = {0, 1}^{*} \to Z_{q}^{*}, i = 1, 2, 3, 4, 5

. TA secretly holds

s

and publishes the system’s public parameters

p a r a m = {p, q, E (F_{p}), G, G, Z_{q}^{*}, P_{p u b}, H_{1}, H_{2}, H_{3}, H_{4}, H_{5}}

3.2. Registration

In the registration phase, both vehicles and RSUs need to register with TA to obtain the relevant keys for subsequent communications. We assume that TA is fully trusted and that the entire registration phase is conducted over a secure channel, eliminating the risk of privacy leaks and security attacks.

3.2.1. Vehicle Registration

For a vehicle

V_{i}

with its real identity

R I D_{i}

, it first randomly selects

x_{i} \in Z_{q}^{*}

as its secret value and calculates

X_{i} = x_{i} \cdot G

as its first part of the public key. Then,

V_{i}

sends

(R I D_{i}, X_{i})

to TA. Upon receiving

(R I D_{i}, X_{i})

, TA calculates

h_{i} = H_{1} (X_{i} | | P_{p u b})

y_{i} = s \cdot h_{i}

and

Y_{i} = y_{i} \cdot G

, where

y_{i}

and

Y_{i}

serve as

V_{i}

’s partial private key and the second part of the public key. In addition, TA randomly selects a prime number

s k_{i} \in Z_{q}^{*}

as a secret key for

V_{i}

. Completing these computations, TA returns

y_{i}

Y_{i}

and

s k_{i}

V_{i}

. Upon receiving

y_{i}

Y_{i}

and

s k_{i}

V_{i}

sets

(x_{i}, y_{i})

as its full private key,

(X_{i}, Y_{i})

as its full public key and uses

s k_{i}

for subsequent group communications.

3.2.2. RSU Registration

For a roadside unit

R S U_{j}

with its identity

I D_{R S U j}

, TA generates a pair of public and private keys

(s k_{R S U_{j}}, p k_{R S U_{j}})

. Then, TA distributes them to

R S U_{j}

. Here, we assume that all vehicles know the public keys of TA and RSUs.

3.2.3. Group Key Generate

To ensure that the uploaded local model parameters come from legitimate vehicles and to support efficient group communication, TA constructs a communication group

C_{n}

for them based on the secret keys

s k_{i}

n

vehicles and CRT. TA first calculates

θ = \prod_{i = 1}^{n} s k_{i}

a_{i} = θ / s k_{i}

and

b_{i} = {(a_{i})}^{- 1} \mod s k_{i}

. TA sets

c_{i} = a_{i} \cdot b_{i}

u = \sum_{i = 1}^{n} c_{i}

, where

i = 1, 2, \dots, n

. Then, TA randomly picks a group key

K \in Z_{q}^{*}

and calculates the group public key

β = K \cdot u

and

D_{p u b} = K \cdot G

. TA signs

β

D_{p u b}

and the

K

’s valid period

T_{K}

using its private key

s k_{T A}

and broadcasts the information

{β, D_{p u b}, S I G_{s k_{T A}} (β | | D_{p u b} | | T_{K})}

to vehicles and RSUs in

C_{n}

. Once receiving the broadcast information, any authorized vehicle in

C_{n}

can obtain

K

by performing a modulus operation

K \equiv β \mod s k_{i}

according to CRT.

3.3. Message Sign

In the

t - t h

round of training, the vehicle

V_{i}

trains the global model

W_{g l o b a l}^{t}

using its local dataset

D_{i}

to obtain the local model parameters

W_{i}^{t}

, i.e.,

W_{i}^{t} \leftarrow W_{g l o b a l}^{t} - η \nabla L (W_{g l o b a l}^{t}, D_{i})

. Before sending the local model parameter

W_{i}^{t}

to the nearby

R S U_{j}

, the vehicle

V_{i}

signs it as follows to ensure the authenticity and integrity of

W_{i}^{t}

V_{i}

randomly selects

c_{i} \in Z_{q}^{*}

to generate a pseudo identity

P I D_{i} = (P I D_{i, 1}, P I D_{i, 2})

, where

P I D_{i, 1} = c_{i} \cdot G

and

P I D_{i, 2} = R I D_{i} \oplus H_{2} (c_{i} \cdot P_{p u b})

. Then,

V_{i}

calculates

Z_{i} = H_{3} (l e n_{P I D_{i, 2}} | | P I D_{i, 2} | | a | | b | | G | | X_{i})

φ_{i} = H_{4} (P I D_{i, 1} | | T_{i})

and signature key

s g k_{i} = y_{i} + Z_{i} \cdot K + x_{i} \cdot φ_{i}

, where

l e n_{P I D_{i, 2}}

represents two bytes converted from the bit length of

P I D_{i, 2}

a

and

b

are elements in

F_{p}

that define an elliptic curve over

E (F_{p})

and

T_{i}

represents the current timestamp. Next,

V_{i}

randomly selects

k_{i} \in Z_{q}^{*}

and calculates

K_{i} = k_{i} \cdot G = (x_{1}, y_{1})

e_{i} = H_{5} (Z_{i} | | W_{i}^{t} | T_{i})

r_{i} = e_{i} + x_{1} \mod q

and

s_{i} = {(1 + s g k_{i})}^{- 1} \cdot (k_{i} - r_{i} \cdot s g k_{i}) \mod q

. For simplicity, we omit the notation

t

P I D_{i}

Z_{i}

φ_{i}

s g k_{i}

K_{i}

e_{i}

r_{i}

and

s_{i}

. Finally,

V_{i}

obtains the signature

σ_{_{i}}^{t} = (r_{i}, s_{i})

W_{i}^{t}

and sends messages

{W_{_{i}}^{t}, σ_{_{i}}^{t}, (X_{i}, Y_{i}), P I D_{i}, T_{i}}

to the nearby

R S U_{j}

3.4. Message Verification

3.4.1. Single Message Verification

Upon receiving the messages

{W_{_{i}}^{t}, σ_{_{i}}^{t}, (X_{i}, Y_{i}), P I D_{i}, T_{i}}

from

V_{i}

R S U_{j}

first checks the validity of the timestamp. If

Δ T \geq T_{a} - T_{i}

, where

T_{a}

represents the arrival time, it continues; otherwise, it discards. Then

R S U_{j}

calculates

Z_{i} = H_{3} (l e n_{P I D_{i, 2}} | | P I D_{i, 2} | | a | | b | | G | | X_{i})

e_{i} = H_{5} (Z_{i} | | W_{i}^{t} | | T_{i})

φ_{i} = H_{4} (P I D_{i, 1} | | T_{i})

t_{i} = r_{i} + s_{i} \mod q

and

K_{_{i}}^{’} = (x_{1}^{’}, y_{1}^{’}) = s_{i} \cdot G + t_{i} \cdot [Y_{i} + Z_{i} \cdot D_{p u b} + φ_{i} \cdot X_{i}]

. Finally,

R S U_{j}

checks the equality of

R = e_{i} + x_{1}^{’} = r_{i}

for authentication and validity.

3.4.2. Batch Messages Verification

When receiving a batch of messages

{W_{1}^{t}, σ_{1}^{t}, (X_{1}, Y_{1}), P I D_{1}, T_{1}}

{W_{2}^{t}, σ_{2}^{t}, (X_{2}, Y_{2}), P I D_{2}, T_{2}}

, …,

{W_{n}^{t}, σ_{n}^{t}, (X_{n}, Y_{n}), P I D_{n}, T_{n}}

from the vehicles

{V_{1}, V_{2}, \dots, V_{n}}

R S U_{j}

first checks the validity of timestamp

T_{i}

, where

i = 1, 2, \dots, n

. If

T_{i}

is valid, it continues; otherwise, it discards. To prevent confusion attacks while ensuring non-repudiation, CPPA-SM2 uses a set of small exponents

{v_{1}, v_{2}, \dots, v_{n}}

for batch verification [23,35], where

v_{i} \in [1, 2^{t}]

and

t

is a small integer. Next,

R S U_{j}

calculates

(x_{1}^{’}, y_{1}^{’}) = \sum_{i = 1}^{n} (v_{i} \cdot s_{i}) \cdot G + \sum_{i = 1}^{n} (v_{i} \cdot t_{i} \cdot Y_{i}) + \sum_{i = 1}^{n} (v_{i} \cdot t_{i} \cdot Z_{i}) \cdot D_{p u b} + \sum_{i = 1}^{n} (v_{i} \cdot t_{i} \cdot φ_{i} \cdot X_{i}),

(3)

and checks whether

R = \sum_{i = 1}^{n} (v_{i} \cdot e_{i}) + x_{1}^{’} = \sum_{i = 1}^{n} (v_{i} \cdot r_{i})

holds or not. If true, all messages are valid; otherwise, some of these messages are invalid. The detection algorithm for invalid message signatures has been proposed in [36]. The details of this algorithm are beyond the scope of this paper.

3.4.3. Local Model Aggregation

R S U_{j}

uses the FedAvg algorithm to locally aggregate the verified local model parameters

{W_{_{1}}^{t}, W_{_{2}}^{t}, \dots, W_{_{n}}^{t}}

, producing a local aggregation result

W_{R S U_{j}}^{t} \leftarrow F e d A v g (W_{i}^{t}, n)

, where

i \in [1, n]

and

n

denotes the number of vehicles participating in the training within the

R S U_{j}

’s range. It then signs this result with its private key and sends messages

{W_{R S U_{j}}^{t}, S I G_{s k_{R S U_{j}}} (W_{R S U_{j}}^{t})}

to CS. Upon receiving the local aggregation result

W_{R S U_{j}}^{t}

from RSUs, CS verifies its validity. It then performs a global aggregation on the verified local aggregation results

{W_{R S U_{1}}^{t}, W_{R S U_{2}}^{t}, \dots, W_{R S U_{m}}^{t}}

to obtain the global model

W_{g l o b a l}^{t + 1} \leftarrow F e d A v g (W_{R S U_{j}}^{t}, m)

, where

j \in [1, m]

and

m

denotes the number of RSUs. CS signs the global model with its private key and sends messages

{W_{g l o b a l}^{t + 1}, S I G_{s k_{T A}} (W_{g l o b a l}^{t + 1})}

to the vehicles within the communication group via RSUs.

3.5. Group Member Management

3.5.1. Trace

When

R S U_{j}

detects that a vehicle

V_{i}

has uploaded malicious local model parameters or has engaged in identity forgery, it sends the vehicle’s pseudonym

P I D_{i}

to TA. TA then uses the system’s master private key

s

to recover the vehicle’s true identity

R I D_{i} = P I D_{i, 2} \oplus H_{2} (s \cdot P I D_{i, 1})

3.5.2. Revoke

Upon obtaining the true identity

R I D_{i}

of the malicious vehicle

V_{i}

, TA can completely remove it from the federated learning system by revoking its legitimate information from the group. TA first removes

c_{i}

related to

V_{i}

from

u

by computing

u^{’} = u - c_{i}

. Then, TA randomly selects a new group key

K^{’} \in Z_{q}^{*}

, calculates new group public keys

β^{’} = K^{’} \cdot u^{’}

and

D_{p u b}^{’} = K^{’} \cdot G

and broadcasts the updated information

{β^{’}, D_{p u b}^{’}, S I G_{s k_{T A}} (β^{’} | | D_{p u b}^{’} | | T_{K^{’}})}

to vehicles and RSUs in

C_{n}

. Upon receiving

{β^{’}, D_{p u b}^{’}, S I G_{s k_{T A}} (β^{’} | | D_{p u b}^{’} | | T_{K^{’}})}

, the remaining vehicles in

C_{n}

can use their secret key

s k_{j}

to compute the updated group key

K^{’} = β^{’} \mod s k_{j}

. Since

u^{’}

no longer contains the legitimate information of

V_{i}

, it cannot compute the new group key

K^{’}

. When a vehicle leaves the communication group

C_{n}

, TA can also revoke it in this way.

3.5.3. Add

When a vehicle

V_{i}

applies to join the federated learning system, TA randomly selects a new group key

K^{’} \in Z_{q}^{*}

and calculates

θ^{’} = θ \cdot f_{i}

a_{i}^{’} = θ^{’} / f_{i}

b_{i}^{’} = {(a_{i}^{’})}^{- 1} \mod s k_{i}

c_{i}^{’} = a_{_{i}}^{’} \cdot b_{_{i}}^{’}

and

u^{’} = \sum_{i = 1}^{n} c_{i}^{’}

. Then, TA computes new group public keys

β^{’} = K^{’} \cdot u^{’}

and

D_{p u b}^{’} = K^{’} \cdot G

, and broadcasts the updated information

{β^{’}, D_{p u b}^{’}, S I G_{s k_{T A}} (β^{’} | | D_{p u b}^{’} | | T_{K^{’}})}

C_{n}

. Upon receiving

{β^{’}, D_{p u b}^{’}, S I G_{s k_{T A}} (β^{’} | | D_{p u b}^{’} | | T_{K^{’}})}

, vehicles in

C_{n}

, it calculates the updated group key

K^{’} = β^{’} \mod s k_{i}

4. Correctness and Security Proof and Analysis

In this section, we first provide a proof of correctness for the proposed scheme. Then, under the random oracle model, we prove the security of the scheme. Finally, we conduct an informal security analysis of the scheme.

4.1. Correctness Proof

The correctness verification of the single message signature is ensured by Equations (4) and (5).

\begin{array}{l} K_{_{i}}^{’} = (x_{1}^{’}, y_{1}^{’}) & = s_{i} \cdot G + t_{i} \cdot [Y_{i} + Z_{i} \cdot D_{p u b} + φ_{i} \cdot X_{i}] \\ = s_{i} \cdot G + (r_{i} + s_{i}) [Y_{i} + Z_{i} \cdot D_{p u b} + φ_{i} \cdot X_{i}] \\ = s_{i} \cdot G + r_{i} \cdot [Y_{i} + Z_{i} \cdot D_{p u b} + φ_{i} \cdot X_{i}] + s_{i} \cdot [Y_{i} + Z_{i} \cdot D_{p u b} + φ_{i} \cdot X_{i}] \\ = s_{i} \cdot G (1 + y_{i} + Z_{i} \cdot K + φ_{i} \cdot x_{i}) + r_{i} \cdot G (y_{i} + Z_{i} \cdot K + φ_{i} \cdot x_{i}) \\ = {(1 + s g k_{i})}^{- 1} \cdot (k_{i} - r_{i} \cdot s g k_{i}) \cdot G \cdot (1 + s g k_{i}) + r_{i} \cdot G \cdot (s g k_{i}) \\ = {(1 + s g k_{i})}^{- 1} \cdot k_{i} \cdot G \cdot (1 + s g k_{i}) - {(1 + s g k_{i})}^{- 1} \cdot r_{i} \cdot s g k_{i} \cdot G \cdot (1 + s g k_{i}) + r_{i} \cdot G \cdot (s g k_{i}) \\ = k_{i} \cdot G - r_{i} \cdot s g k_{i} \cdot G + r_{i} \cdot G \cdot (s g k_{i}) \\ = k_{i} \cdot G \\ = K_{i} = (x_{1}, y_{1}) \end{array}

(4)

R = e_{i} + x_{1}^{’} = r_{i} = e_{i} + x_{1}

(5)

The correctness verification of the batch message signatures is ensured by Equations (6) and (7).

\begin{array}{l} (\sum_{i = 1}^{n} v_{i} \cdot K_{_{i}}^{’}) = (x_{1}^{’}, y_{1}^{’}) = (\sum_{i = 1}^{n} v_{i} \cdot s_{i}) \cdot G + (\sum_{i = 1}^{n} v_{i} \cdot t_{i} \cdot [Y_{i} + Z_{i} \cdot D_{p u b} + φ_{i} \cdot X_{i}]) \\ = (\sum_{i = 1}^{n} v_{i} \cdot s_{i}) \cdot G + (\sum_{i = 1}^{n} v_{i} \cdot (r_{i} + s_{i}) \cdot [Y_{i} + Z_{i} \cdot D_{p u b} + φ_{i} \cdot X_{i}]) \\ = (\sum_{i = 1}^{n} v_{i} \cdot s_{i}) \cdot G + (\sum_{i = 1}^{n} v_{i} \cdot r_{i} \cdot [Y_{i} + Z_{i} \cdot D_{p u b} + φ_{i} \cdot X_{i}]) + (\sum_{i = 1}^{n} v_{i} \cdot s_{i} \cdot [Y_{i} + Z_{i} \cdot D_{p u b} + φ_{i} \cdot X_{i}]) \\ = (\sum_{i = 1}^{n} v_{i} \cdot s_{i} \cdot G (1 + y_{i} + Z_{i} \cdot K + φ_{i} \cdot x_{i})) + (\sum_{i = 1}^{n} v_{i} \cdot r_{i} \cdot G (y_{i} + Z_{i} \cdot K + φ_{i} \cdot x_{i})) \\ = (\sum_{i = 1}^{n} v_{i} \cdot {(1 + s g k_{i})}^{- 1} \cdot (k_{i} - r_{i} \cdot s g k_{i}) \cdot G \cdot (1 + s g k_{i})) + (\sum_{i = 1}^{n} v_{i} \cdot r_{i} \cdot G \cdot (s g k_{i})) \\ = (\sum_{i = 1}^{n} v_{i} \cdot k_{i} \cdot G) - (\sum_{i = 1}^{n} v_{i} \cdot r_{i} \cdot s g k_{i} \cdot G) + (\sum_{i = 1}^{n} v_{i} \cdot r_{i} \cdot G \cdot (s g k_{i})) \\ = (\sum_{i = 1}^{n} v_{i} \cdot k_{i} \cdot G) \\ = (\sum_{i = 1}^{n} v_{i} \cdot K_{i}) = (x_{1}, y_{1}) \end{array}

(6)

R = (\sum_{i = 1}^{n} v_{i} \cdot e_{i}) + x_{1}^{’} = (\sum_{i = 1}^{n} v_{i} \cdot r_{i}) = (\sum_{i = 1}^{n} v_{i} \cdot e_{i}) + x_{1}

(7)

Based on the signing and verification process, if the local model parameter

W_{i}^{t}

and signature

σ_{_{i}}^{t} = (r_{i}, s_{i})

transmitted by the vehicle

V_{i}

have not been tampered with and the signature

σ_{_{i}}^{t} = (r_{i}, s_{i})

is generated using the legitimate vehicle’s private key, then according to (4)–(7), RSU can correctly compute that

K_{i} = k_{i} \cdot G = (x_{1}, y_{1}) = K_{_{i}}^{’}

, thereby making

R = e_{i} + x_{1}^{’} = r_{i} = e_{i} + x_{1}

The correctness of legitimate vehicles in

C_{n}

obtaining the correct group key

K

is ensured by Equation (8).

\begin{array}{l} β (\mod s k_{i}) \\ = K \cdot u (\mod s k_{i}) \\ = K \cdot (a_{1} \cdot b_{1} + \dots + a_{n} \cdot b_{n}) (\mod s k_{i}) \\ = K \cdot a_{i} \cdot b_{i} (\mod s k_{i}) \\ = K \end{array}

(8)

When vehicle

V_{i}

is revoked from the group

C_{n}

by TA, since

u^{’} = u - c_{i} = (a_{1} \cdot b_{1} + \dots + a_{n} \cdot b_{n}) - a_{i} \cdot b_{i}

, the revoked vehicle will be unable to obtain the correct group key according to Equation (9).

\begin{array}{l} β^{’} (\mod s k_{i}) \\ = K^{’} \cdot u^{’} (\mod s k_{i}) \\ = K^{’} \cdot (a_{1} \cdot b_{1} + \dots + a_{n} \cdot b_{n} - a_{i} \cdot b_{i}) (\mod s k_{i}) \\ \neq K^{’} \end{array}

(9)

4.2. Security Proof

The security of CPPA-SM2 relies on the ECDLP. In the random oracle model, if there exist adversaries

A_{I}

and

A_{I I}

who can win games 1 and 2 with non-negligible probabilities, respectively, then there exists a probabilistic polynomial-time simulator that can solve the ECDLP with non-negligible probability.

Theorem 1.

CPPA-SM2 is existentially unforgeable under adaptive chosen-identity and chosen-message attacks against

A_{I}

with the assumption that ECDLP is hard to resolve.

Proof of Theorem 1.

Let

C

be the solver of the ECDLP. Suppose that

A_{I}

can succeed in forging a valid signature by interacting with

C

C

utilizes

A_{I}

to solve the ECDLP. Here, we give an ECDLP instance

{G, G^{’} = g \cdot G}

C

executes the simulation to compute

g

through interacting with

A_{I}

as follows.

-: Setup: On input ${G, G^{’}}$ , $C$ sets $P_{p u b} = G^{’}$ and returns ${p, q, E (F_{p}), G, Z_{q}^{*}, P_{p u b}, H_{1}, H_{2}, H_{3}, H_{4}, H_{5}}$ to $A_{I}$ . $A_{I}$ selects $P I D_{i} = (P I D_{i, 1}, P I D_{i, 2})$ as a target vehicle. In addition, $C$ maintains five lists $L = {P I D_{i, 1}, P I D_{i, 2}, x_{i}, y_{i}, X_{i}, Y_{i}}$ , $L_{H_{1}} = {h_{i}, X_{i}, P_{p u b}}$ , $L_{H_{3}} = {Z_{i}, l e n (P I D_{i, 2}), P I D_{i, 2}, a, b, G, X_{i}}$ , $L_{H_{4}} = {φ_{i}, P I D_{i, 1}, T_{i}}$ , $L_{H_{5}} = {e_{i}, Z_{i}, M_{i}, T_{i}}$ , which are empty initially.
-: Query: $A_{I}$ can adaptively make the following queries:
-: $H_{1}$ -queries: After receiving the queries from $A_{I}$ with ${X_{i}, P_{p u b}}$ , $C$ checks whether ${X_{i}, P_{p u b}}$ exists in $L_{H_{1}}$ . If it does, $C$ returns $h_{i}$ to $A_{I}$ . Otherwise, $C$ selects $h_{i} \in Z_{q}^{*}$ randomly and adds ${h_{i}, X_{i}, P_{p u b}}$ to $L_{H_{1}}$ . Then, $C$ returns $h_{i}$ to $A_{I}$ .
-: $H_{3}$ -queries: When receiving the queries with ${l e n (P I D_{i, 2}), P I D_{i, 2}, a, b, G, X_{i}}$ from $A_{I}$ , $C$ checks whether ${l e n (P I D_{i, 2}), P I D_{i, 2}, a, b, G, X_{i}}$ exists in $L_{H_{3}}$ . If it does, $C$ returns $Z_{i}$ to $A_{I}$ . Otherwise, $C$ selects $Z_{i} \in Z_{q}^{*}$ randomly and adds ${Z_{i}, l e n (P I D_{i, 2}), P I D_{i, 2}, a, b, G, X_{i}}$ to $L_{H_{3}}$ . Then, $C$ returns $Z_{i}$ to $A_{I}$ .
-: $H_{4}$ -queries: Upon receiving the queries from $A_{I}$ with ${P I D_{i, 1}, T_{i}}$ , $C$ checks whether ${P I D_{i, 1}, T_{i}}$ exists in $L_{H_{4}}$ . If it does, $C$ returns $φ_{i}$ to $A_{I}$ . Otherwise, $C$ selects $φ_{i} \in Z_{q}^{*}$ randomly and adds ${φ_{i}, P I D_{i, 1}, T_{i}}$ to $L_{H_{4}}$ . Then, $C$ returns $φ_{i}$ to $A_{I}$ .
-: $H_{5}$ -queries: Upon receiving the queries from $A_{I}$ with ${Z_{i}, M_{i}, T_{i}}$ , $C$ checks whether ${Z_{i}, M_{i}, T_{i}}$ exists in $L_{H_{5}}$ . If it does, $C$ returns $e_{i}$ to $A_{I}$ . Otherwise, $C$ selects $e_{i} \in Z_{q}^{*}$ randomly and adds ${e_{i}, Z_{i}, M_{i}, T_{i}}$ to $L_{H_{5}}$ . Then, $C$ returns $e_{i}$ to $A_{I}$ .
-: Partial-Private-Key-Extract-queries: After receiving the queries from $A_{I}$ with $P I D_{i} = (P I D_{i, 1}, P I D_{i, 2})$ , $C$ checks whether ${P I D_{i, 1}, P I D_{i, 2}, x_{i}, y_{i}, X_{i}, Y_{i}}$ exists in $L$ . If it does, $C$ returns $y_{i}$ to $A_{I}$ . Otherwise, $C$ selects $h_{i} \in Z_{q}^{*}$ randomly, computes $y_{i} = s \cdot h_{i}$ , $Y_{i} = y_{i} \cdot G$ . Then, $C$ sets $x_{i} = X_{i} = ⊥$ . After that, $C$ adds ${P I D_{i, 1}, P I D_{i, 2}, x_{i}, y_{i}, X_{i}, Y_{i}}$ into $L$ and returns $y_{i}$ to $A_{I}$ .
-: Public-Key-Extract-queries: After receiving the queries from $A_{I}$ with $P I D_{i} = (P I D_{i, 1}, P I D_{i, 2})$ , $C$ checks whether ${P I D_{i, 1}, P I D_{i, 2}, x_{i}, y_{i}, X_{i}, Y_{i}}$ exists in $L$ . If it does, $C$ returns $(X_{i}, Y_{i})$ to $A_{I}$ . Otherwise, $C$ does the Partial-Private-Key-Extract-queries to obtain $y_{i}$ . Then, $C$ selects $x \in Z_{q}^{*}$ randomly and computes $X_{i} = x \cdot G$ , $x_{i} = x$ , $Y_{i} = y_{i} \cdot G$ . After that, $C$ adds ${P I D_{i, 1}, P I D_{i, 2}, x_{i}, y_{i}, X_{i}, Y_{i}}$ into $L$ and returns $(X_{i}, Y_{i})$ to $A_{I}$ .
-: Secret-Value-Extract-queries: After receiving the queries from $A_{I}$ with $P I D_{i} = (P I D_{i, 1}, P I D_{i, 2})$ , $C$ checks whether ${P I D_{i, 1}, P I D_{i, 2}, x_{i}, y_{i}, X_{i}, Y_{i}}$ exists in $L$ . If it does, $C$ returns $x_{i}$ to $A_{I}$ . Otherwise, $C$ does the Public-Key-Extract-queries to obtain $(x_{i}, X_{i}, Y_{i})$ . After that, $C$ adds ${P I D_{i, 1}, P I D_{i, 2}, x_{i}, y_{i}, X_{i}, Y_{i}}$ into $L$ and returns $x_{i}$ to $A_{I}$ .
-: Public-Key-Replace-queries: After receiving the queries from $A_{I}$ with ${P I D_{i, 1}, P I D_{i, 2}, X_{i}^{’}, Y_{i}^{’}}$ , $C$ checks whether ${P I D_{i, 1}, P I D_{i, 2}, x_{i}, y_{i}, X_{i}, Y_{i}}$ exists in $L$ . If it does, $C$ sets $X_{i} = X_{i}^{’}$ , $Y_{i} = Y_{i}^{’}$ , $x_{i} = y_{i} = ⊥$ and updates ${x_{i}, y_{i}, X_{i}, Y_{i}}$ into $L$ . Otherwise, $C$ sets $X_{i} = X_{i}^{’}$ , $Y_{i} = Y_{i}^{’}$ , $x_{i} = y_{i} = ⊥$ and adds ${P I D_{i, 1}, P I D_{i, 2}, x_{i}, y_{i}, X_{i}, Y_{i}}$ to $L$ .
-: Sign queries: After receiving the queries from $A_{I}$ with ${P I D_{i, 1}, P I D_{i, 2}, M_{i}, T_{i}}$ , $C$ retrieves the lists $L$ , $L_{H_{1}}$ , $L_{H_{3}}$ , $L_{H_{4}}$ , randomly selects $v_{i} \in Z_{q}^{*}$ , $w_{i} \in Z_{q}^{*}$ , $o_{i} \in Z_{q}^{*}$ and sets $s_{i} = v_{i}$ , $t_{i} = w_{i}$ , $e_{i} = o_{i}$ , $K_{i} = (x_{1}, y_{1}) = s_{i} \cdot G + t_{i} [Y_{i} + Z_{i} \cdot D_{p u b} + φ_{i} \cdot X_{i}]$ , $r_{i} = e_{i} + x_{1} \mod q$ . $C$ returns $σ_{i} = (r_{i}, s_{i})$ to $A_{I}$ and adds $H_{1}$ ${e_{i}, Z_{i}, M_{i}, T_{i}}$ into $L_{H_{5}}$ . For the output $σ_{i} = (r_{i}, s_{i})$ of the signature oracle satisfies $K_{_{i}}^{’} = (x_{_{1}}^{’}, y_{_{1}}^{’}) = s_{i} \cdot G + t_{i} [Y_{i} + Z_{i} \cdot D_{p u b} + φ_{i} \cdot X_{i}]$ , $R = e_{i} + x_{1}^{’} \mod q = r_{i}$ .
-: Forgery: After all queries have been completed, $A_{I}$ outputs a forged tuple ${M_{i}^{*}, P I D_{i, 1}^{*}, P I D_{i, 2}^{*}, T_{i}^{*}, σ_{i}^{* (1)}}$ . $C$ verifies whether $K_{i}^{*} = (x_{1}^{’}, y_{1}^{’}) = s_{i}^{*} \cdot G + t_{i}^{*} (Y_{i} + Z_{i}^{*} \cdot D_{p u b} + φ_{i}^{*} \cdot X_{i})$ , $R^{*} = e_{i}^{*} + x_{1}^{’^{*}} \mod q = r_{i}^{*}$ holds. If it does not hold, $C$ terminates the simulation. Otherwise, $C$ replays the above process by choosing different $H_{1}$ , $H_{3}$ and $H_{4}$ based on forking lemma. $A_{I}$ will output three other distinct valid signatures $σ_{i}^{* (2)}$ , $σ_{i}^{* (3)}$ and $σ_{i}^{* (4)}$ .

Finally, we can obtain four equations as below.

k_{i} = s_{i}^{* (j)} + t_{_{i}}^{* (j)} (g \cdot h_{i} + Z_{_{i}}^{* (j)} \cdot K + φ_{_{i}}^{* (j)} \cdot x_{i}), where j = 1, 2, 3, 4 .

(10)

In the above four equations,

k_{i}

g

K

and

x_{i}

represent the discrete logarithms of

K_{i}

P_{p u b}

D_{p u b}

and

X_{i}

, respectively, which are not known to

C

C

can obtain the four unknown values by solving the above four linear independent equations, where

g

is the solution of ECDLP. □

Theorem 2.

CPPA-SM2 is existentially unforgeable under adaptive chosen-identity and chosen-message attacks against

A_{I I}

with the assumption that ECDLP is hard to resolve.

Proof of Theorem 2.

Let

C

be the solver of the ECDLP. Suppose that

A_{I I}

can succeed in forging a valid signature by interacting with

C

C

utilizes

A_{I I}

to solve the ECDLP. Here, we give an ECDLP instance

{G, G^{’} = g \cdot G}

C

executes the simulation to compute

g

through interacting with

A_{I I}

as follows.

-: Setup: On input ${G, G^{’}}$ , $C$ sets $P_{p u b} = s \cdot G$ and returns ${p, q, s, E (F_{p}), G, Z_{q}^{*}, P_{p u b}, H_{1}, H_{2}, H_{3}, H_{4}, H_{5}}$ to $A_{I I}$ . $A_{I I}$ selects $P I D_{_{i}}^{*} = (P I D_{_{i, 1}}^{*}, P I D_{_{i, 2}}^{*})$ as a target vehicle. In addition, $C$ maintains five lists $L = {P I D_{i, 1}, P I D_{i, 2}, x_{i}, y_{i}, X_{i}, Y_{i}}$ , $L_{H_{1}} = {h_{i}, X_{i}, P_{p u b}}$ , $L_{H_{3}} = {Z_{i}, l e n (P I D_{i, 2}), P I D_{i, 2}, a, b, G, X_{i}}$ , $L_{H_{4}} = {φ_{i}, P I D_{i, 1}, T_{i}}$ , $L_{H_{5}} = {e_{i}, Z_{i}, M_{i}, T_{i}}$ , which are empty initially.
-: Query: $C$ responds to - $H_{i}$ -queries ( $i = 1, 3, 4, 5$ ), Partial-Private-Key-Extract-queries, Secret-Value-Extract-queries and Sign queries as in Theorem 1. $C$ responds to Public-Key-Extract-queries as follows.
-: Public-Key-Extract-queries: After receiving the queries from $A_{I I}$ with $P I D_{i} = (P I D_{i, 1}, P I D_{i, 2})$ , $C$ checks whether ${P I D_{i, 1}, P I D_{i, 2}, x_{i}, y_{i}, X_{i}, Y_{i}}$ exists in $L$ . If it does, $C$ returns $(X_{i}, Y_{i})$ to $A_{I I}$ . Otherwise, $C$ does the Partial-Private-Key-Extract-queries to obtain $y_{i}$ .
-: If $P I D_{i} = P I D_{i}^{*}$ , $C$ sets $X_{i} = G^{’} = g \cdot G$ , $Y_{i} = y_{i} \cdot G$ , $x_{i} = ⊥$ . $C$ adds ${P I D_{i, 1}, P I D_{i, 2}, x_{i}, y_{i}, X_{i}, Y_{i}}$ into $L$ and sends $(X_{i}, Y_{i})$ to $A_{I I}$ .
-: If $P I D_{i} \neq P I D_{i}^{*}$ , $C$ chooses $x \in Z_{q}^{*}$ randomly, computes $X_{i} = x \cdot G$ , $x_{i} = x$ , $Y_{i} = y_{i} \cdot G$ . After that, $C$ adds ${P I D_{i, 1}, P I D_{i, 2}, x_{i}, y_{i}, X_{i}, Y_{i}}$ into $L$ and returns $(X_{i}, Y_{i})$ to $A_{I I}$ .
-: Forgery: After all queries have been completed, $A_{I I}$ outputs a forged tuple ${M_{i}^{*}, P I D_{i, 1}^{*}, P I D_{i, 2}^{*}, T_{i}^{*}, σ_{i}^{* (1)}}$ . $C$ verifies whether $K_{i}^{*} = (x_{1}^{’}, y_{1}^{’}) = s_{i}^{*} \cdot G + t_{i}^{*} (Y_{i} + Z_{i}^{*} \cdot D_{p u b} + φ_{i}^{*} \cdot X_{i})$ , $R^{*} = e_{i}^{*} + x_{1}^{’^{*}} \mod q = r_{i}^{*}$ holds. If it does not hold, $C$ terminates the simulation. Otherwise, $C$ replays the above process by choosing different $H_{3}$ and $H_{4}$ based on forking lemma. $A_{I I}$ will output two other distinct valid signatures $σ_{i}^{* (2)}$ and $σ_{i}^{* (3)}$ .

Finally, we can obtain three equations as below.

k_{i} = s_{i}^{* (j)} + t_{_{i}}^{* (j)} (s \cdot h_{i} + Z_{_{i}}^{* (j)} \cdot K + φ_{_{i}}^{* (j)} \cdot x_{i}), where j = 1, 2, 3 .

(11)

In the above three equations,

k_{i}

K

and

x_{i}

represent the discrete logarithms of

K_{i}

D_{p u b}

and

X_{i}

, respectively, which are not known to

C

C

can obtain the three unknown values by solving the above three linear independent equations, where

x_{i}

is the solution of ECDLP.

However, it is difficult to solve the ECDLP in polynomial time. So, under the random oracle model, CPPA-SM2 is existentially unforgeable under adaptive chosen-identity and chosen-message attacks. □

4.3. Informal Security Analysis

Anonymity and Privacy-Preserving: In the CPPA-SM2 scheme, vehicles use pseudonyms

P I D_{i} = (P I D_{i, 1}, P I D_{i, 2})

to communicate with other entities. To obtain the vehicle’s real identity

R I D_{i}

, the adversary must compute

R I D_{i} = P I D_{i, 2} \oplus H (c_{i} \cdot P_{p u b}) = P I D_{i, 2} \oplus H (c_{i} \cdot s \cdot G)

. However, due to the hardness of the Computational Diffie–Hellman (CDH) problem, the adversary is unable to obtain

R I D_{i}

, thereby protecting the vehicle’s identity privacy. Additionally, since vehicles participate in federated learning using pseudonyms, and these pseudonyms are updated with each message sent, even if external adversaries or RSUs gain access to the plaintext local model parameters, they cannot link them to specific vehicles. This prevents the inference of any private information, thus providing privacy protection during the federated learning process.

Traceability: When a vehicle with malicious behavior is detected, TA can trace its real identity

R I D_{i} = P I D_{i, 2} \oplus H (s \cdot P I D_{i, 1})

from its pseudonym

P I D_{i} = (P I D_{i, 1}, P I D_{i, 2})

using the system’s master private key

s

Message integrity and authentication: According to Theorem 1 and Theorem 2, as long as the ECDLP is hard to solve, the CPPA-SM2 scheme is existentially unforgeable under adaptive chosen-identity and chosen-message attacks against the attackers

A_{I}

and

A_{I I}

Non-repudiation: Since only the message signer

V_{i}

can compute the signature key

s g k_{i}

, an adversary cannot forge valid signatures for a specific vehicle identity. Additionally, the TA can execute the Trace algorithm to obtain the vehicle’s real identity. Therefore, once a vehicle’s message passes the signature verification, it cannot be denied.

Un-linkability: Since the vehicle pseudonym identity

P I D_{i}

is generated during the signing process and the random number used in the signature generation process is non-repetitive, each PID in every signature is unique. As a result, any adversary cannot link any number of signatures sent by the same vehicle.

Forward privacy: When a new vehicle joins the group

C

, the new group key

K^{’}

is randomly generated by the TA and is independent of the old group key

K

. Therefore, the newly joined vehicle cannot access the group’s communications prior to joining.

Backward privacy: When a vehicle is revoked or leaves the group, the TA will remove the legitimate information

c_{i}

associated with that vehicle from

u

and compute a new group key

K^{’}

and group public key

β^{’} = K^{’} \cdot u

and

D_{_{p u b}}^{’} = K^{’} \cdot G

. Since the revoked vehicle cannot obtain the updated group key

K^{’}

, it cannot access the communications after leaving the group.

Impersonation attack: If an adversary wants to impersonate vehicle

V_{i}

to the RSUs nearby or other vehicles

V_{j}

, they must generate a valid message

{M_{i}, σ_{i}, (X_{i}, Y_{i}), P I D_{i}, T_{i}}

that passes the verification algorithm. However, according to Theorem 1 and Theorem 2, it is evident that no polynomial adversary can forge a valid message.

Modification attack: According to Theorem 1 and Theorem 2, any modification of the message

{M_{i}, σ_{i}, (X_{i}, Y_{i}), P I D_{i}, T_{i}}

can be detected by the verification algorithm. Therefore, the proposed CPPA-SM2 scheme can withstand the modification attack.

Replay attack: In the proposed CPPA-SM2 scheme, vehicles use the current timestamp

T_{i}

when generating message signatures. Therefore, message verifiers can resist replay attacks by verifying the freshness of the timestamp

T_{i}

Collusion attack: Several vehicles would collaborate to try to compute the new group key

K^{’}

after they left the group. However, since their legitimate information

c_{i}

has been removed from

u

, these leaving vehicles cannot conspire to calculate the new group key

K^{’}

5. Performance Evaluation

In this section, we will evaluate the performance of the proposed CPPA-SM2 scheme from both security features, computation overhead and communication overhead perspectives, and compare and analyze it with the existing works. For bilinear pairings-based CPPA schemes for IoV, we construct a bilinear pairing

\bar{e} : G_{1} \times G_{1} \to G_{T}

, where

G_{1}

is an additive group generated by a point

\bar{G}

with the order

\bar{q}

on the super singular elliptic curve

\bar{E} : y^{2} = x^{3} + x \mod \bar{p}

with embedding degree 2,

\bar{p}

is a 512-bit prime number,

\bar{q}

is a 160-bit prime number. For ECC-based CPPA schemes for IoV, we construct an additive group

G

generated by a point

G

with the order

q

on a non-singular elliptic curve

E : y^{2} = x^{3} + a x + b \mod p

, where

p, q

are two 256-bit prime numbers and

a, b \in Z_{p}^{*}

. We calculate the execution time of basic cryptographic operations using the MIRACL library in VS 2019 with Windows 11 operating system over an Intel(R) Core(TM) i7-9750H CPU @ 2.60GHz, as shown in Table 2.

5.1. Computation Costs

We compared the computational costs of the CPPA-SM2 scheme with other relevant schemes in terms of signature generation, single signature verification, batch verification and member management, as shown in Table 3 and Table 4, and Figure 3 and Figure 4, where “-” indicates that the property is not considered in the scheme, MS denotes the message sign and MV denotes the message verification.

Table 3. Analysis of computation costs for different schemes.

Scheme	MS	MV	Trace	Revoke
[22]	$2 T_{\oplus} + 2 T_{e m} + 4 T_{h}$	$2 T_{\oplus} + 2 T_{e m} + 7 T_{h}$	-	Revocation list
[24]	$T_{h} + 4 T_{b p} + 4 T_{b p e 2} + 6 T_{e} + 9 T_{m}$	$T_{h} + 2 T_{m} + 4 T_{b p e 2} + 5 T_{b p} + 8 T_{e}$	$T_{b p e 1}$	Revocation list
[26]	$2 T_{h} + 5 T_{b p e 1}$	$T_{i} + T_{b p e 1} + T_{b p e 2} + T_{h} + T_{D E} + T_{b p m 2} + 3 T_{b p}$	$O (1)$	Revocation list
[37]	$T_{\oplus} + 2 T_{h} + 3 T_{m t p} + 4 T_{b p m 1} + 6 T_{b p e 1}$	$T_{\oplus} + T_{b p m 1} + 2 T_{h} + 3 T_{b p e 1} + 3 T_{b p m 2} + 5 T_{b p} + 5 T_{m t p}$	$T_{D E}$	-
[38]	$2 T_{h} + 2 T_{e a} + 3 T_{m} + 6 T_{e m}$	$T_{h} + 3 T_{e m} + 4 T_{e a}$	$T_{e m} + T_{e a}$	Revocation list
Ours	$T_{\oplus} + T_{i} + 2 T_{e m} + 4 T_{m} + 4 T_{h}$	$3 T_{h} + 3 T_{e a} + 4 T_{e m}$	$T_{h} + T_{\oplus}$	$T_{\mod}$

Table 4. Comparison of batch-verification costs.

Scheme	Batch Verification Time
[28]	$4 n T_{h} + (2 n + 3) T_{e m} + (3 n + 1) T_{e a}$
[39]	$n T_{b p} + n T_{b p e 2} + (3 n - 2) T_{b p m 1}$
Ours	$3 n T_{h} + (2 n + 2) T_{e m} + (2 n + 1) T_{e a}$

Figure 3. Comparison of computation costs.

Figure 4. Comparison of the scheme proposed by [28,39], and our scheme in batch validation time.

Zhao et al. scheme [22] offers relatively low computational overhead, but RSU needs to send a request to TA for each identity verification, and there is a key escrow issue. In Kanchan et al. scheme [24] based on bilinear pairings, group signature is used instead of an individual signature for message authentication, and the group manager achieves tracing of malicious vehicles. Generating a group signature requires performing

T_{h} + 4 T_{b p} + 4 T_{b p e 2} + 6 T_{e} + 9 T_{m}

. Verifying the group signature requires performing

T_{h} + 2 T_{m} + 4 T_{b p e 2} + 5 T_{b p} + 8 T_{e}

, resulting in a relatively high computational overhead. In Jiang et al. scheme [26], similarly, bilinear pairing operations are used, requiring

2 T_{h} + 5 T_{b p e 1}

computations to generate a signature and

T_{i} + T_{b p e 1} + T_{b p e 2} + T_{h} + T_{D E} + T_{b p m 2} + 3 T_{b p}

computations to verify the signature. In Yang et al. scheme [37], generating a signature requires performing

T_{\oplus} + 2 T_{h} + 3 T_{m t p} + 4 T_{b p m 1} + 6 T_{b p e 1}

. To verify the signature,

T_{\oplus} + T_{b p m 1} + 2 T_{h} + 3 T_{b p e 1} + 3 T_{b p m 2} + 5 T_{b p} + 5 T_{m t p}

operations are needed. Due to the involvement of bilinear pairings and hash-to-point mappings, this method incurs the highest computational overhead. In Lin et al. scheme [38], a vehicle calculates

2 T_{h} + 2 T_{e a} + 3 T_{m} + 6 T_{e m}

to generate the anonymous public keys and a signature. Upon receiving the signature, RSU verifies it by performing

T_{h} + 3 T_{e m} + 4 T_{e a}

. Additionally, Zhao et al. scheme [22], Kanchan et al. scheme [24], Jiang et al. scheme [26] and Lin et al. scheme all require maintaining a revocation list for revocation purposes, which incurs additional lookup and maintenance overhead. CPPA-SM2 does not require bilinear pairings or hash-to-point mappings, relying only on basic ECC operations, thus reducing computational costs. Specifically, when a vehicle sends a message, it first generates an unlinkable pseudonym

P I D_{i}

by performing one

T_{e m}

, one

T_{\oplus}

and one

T_{h}

. Then, it generates the signature by performing three

T_{h}

, one

T_{e m}

, four

T_{m}

and one

T_{i}

. Therefore, the computation cost for signature generation is

T_{\oplus} + T_{i} + 2 T_{e m} + 4 T_{m} + 4 T_{h}

. To authenticate the message sent by the vehicle, the RSU, upon receiving the message, needs to perform

3 T_{h} + 3 T_{e a} + 4 T_{e m}

. Therefore, the total computation cost for signature generation and signature verification in CPPA-SM2 is

T_{\oplus} + T_{i} + 3 T_{e a} + 4 T_{m} + 6 T_{e m} + 7 T_{h}

. When RSU receives messages sent from

n

vehicles, it performs batch verification of the messages by executing

(2 n + 1) T_{e a} + (2 n + 2) T_{e m} + 3 n T_{h}

. To test the effectiveness of batch verification, we conducted experimental comparisons between CPPA-SM2 and Xiong et al. scheme [28] and Shen et al. scheme [39]. In batch verification, the RSU will verify the

n

messages received simultaneously from

n

vehicles, meaning

n

represents both the number of signatures received by the RSU at the same time and the number of vehicles. In the experiment, we tested with

n

set to 20, 40, 60 and 100, respectively. In CPPA-SM2, when RSU simultaneously receives

n

messages from

n

vehicles, it needs to compute three

T_{h}

, two

T_{e m}

and two

T_{e a}

for each vehicle. Finally, it performs two

T_{e m}

and one

T_{e a}

to verify multiple messages. Therefore, the total cost of batch verification is

3 n T_{h} + (2 n + 2) T_{e m} + (2 n + 1) T_{e a}

. In Xiong et al. scheme [28], it performs four

T_{h}

, two

T_{e m}

and three

T_{e a}

for each vehicle. Then, it also executes three

T_{e m}

and one

T_{e a}

. Therefore, the total cost of batch verification is

4 n T_{h} + (2 n + 3) T_{e m} + (3 n + 1) T_{e a}

. In Shen et al. scheme [39], RSU invokes one exponent operation, one bilinear pairing and one multiplication to confirm the equation

m = e (η, p k_{i}) e {(P, P)}^{- r_{2}}

. Its batch verification is based on

\prod_{n} e (η_{n}, p k_{n}) e {(P, P)}^{- r_{2, n}} = \prod_{n} m_{n}

, which needs

n

times

T_{b p}

n

times

n T_{b p e 2}

and

(3 n - 2) T_{b p m 1}

. The results are shown in Table 4 and Figure 4. From the experimental results, it can be seen that the batch-verification performance of our scheme is better than these two schemes. In terms of tracing cost, Kanchan et al. scheme [24], Yang et al. scheme [37], Lin et al. scheme [38] and CPPA-SM2 are 1.3451 ms, 0.1759 ms, 1.6320 ms and 0.3027 ms, respectively. All these approaches can achieve fast identity tracing. But in terms of revocation, all schemes except CPPA-SM2 utilize revocation lists, leading to additional maintenance and lookup overheads, while CPPA-SM2 only requires a single modular operation to efficiently revoke vehicles. Therefore, overall, compared to other schemes, CPPA-SM2 not only reduces the computational costs of signature generation and verification, and supports batch verification, but it also achieves efficient tracing and revocation of vehicles while preserving vehicle privacy.

5.2. Communication Costs

We compared the communication costs of CPPA-SM2 with other schemes, mainly including the following: the size of single signature (SSS), the total number of transmitted messages (NTMs), their sizes (STMs) and the number of interactions (NIs). The results are shown in Table 5 and Figure 5. In Zhao et al. scheme [22], to complete the authentication, interaction is required four times, making it the highest number of interactions. Its total computational cost is 476 bytes. The communication overhead for the group signature

{D_{1}, D_{2}, D_{3}, c, s_{α}, s_{β}, s_{x}, s_{δ_{1}}, s_{δ_{2}}}

generated in Kanchan et al. scheme [24] is the highest, at 576 bytes. Jiang et al. scheme [26], Yang et al. scheme [37] and CPPA-SM2 all require only one interaction to complete message authentication. In Lin et al. scheme [38], vehicles need to transmit

{σ_{n}, k_{n}, U_{n}, D_{n}, Z_{n}^{’}}

for message authentication, with a total size of 480 bytes. In CPPA-SM2, the generated signature, denoted as

σ_{i} = (r_{i}, s_{i})

, consists of two elements from

Z_{q}^{*}

; hence, its size is merely 64 bytes. To authenticate the signature, three additional messages

{P I D_{i}, (X_{i}, Y_{i}), T_{i}}

of size 228 bytes need to be transmitted, resulting in a total transmission cost of 292 bytes. In Yang et al. scheme [37], The generation of a single signature is denoted as

C_{i} = {R_{i}, c_{i}, s_{i}}

, where

R_{i}

c_{i}

and

s_{i}

belongs to

G_{1}

; thus, the size of

C_{i}

is 384 bytes.

In Lin et al. scheme [38], the obtained signature is denoted as

{c_{i}, z_{i, 1}, z_{i, 2}, R_{i, 1}, R_{i, 2}}

, with a length of 224 bytes. Additionally, to resist replay attacks,

{t s_{i}, A P K_{a}^{1}, A P K_{a}^{2}}

are also sent, making the total message length for transmission 356 bytes. From the experimental results, it can be observed that CPPA-SM2 has the smallest signature size and total cost of transmitting messages. This makes it more suitable for operation in bandwidth-constrained vehicular networking environments.

5.3. Security Features

We compared the security features (SFs) satisfied by these schemes, including the following: 1: anonymity; 2: traceability; 3: authenticity; 4: integrity; 5: non-repudiation; 6: un-linkability; 7: forward security; 8: backward security; 9: key escrow-free; 10: batch verification; 11: revocability; 12: dynamic member management; and 13: un-forgeability. The results are shown in Table 6, where 1–13 represent these security features in order, with √ indicating that the security feature is met and × indicating that it is not met. From the results, it can be seen that all schemes achieve 1: anonymity, 3: authenticity, 4: integrity and 6: un-linkability. Zhao et al. scheme [22], Kanchan et al. scheme [24], Jiang et al. scheme [26] and CPPA-SM2 use digital signatures to verify the authenticity and integrity of the local model parameters uploaded by vehicles. However, in Zhao et al. scheme [22] and Kanchan et al. scheme [24], since TA possesses all users’ private keys, there is a key escrow issue. Jiang et al. scheme [26] satisfies most of the security features; however, it uses a revocation list for identity management, resulting in additional verification and maintenance overhead. Furthermore, it does not support 12: dynamic member management. To achieve 6: un-linkability, Yang et al. scheme [37] and Lin et al. scheme [38] use a set of pseudonyms to hide real identities, whereas CPPA-SM2 achieves 6: un-linkability by randomly generating pseudonyms each time a signature is made. Overall, compared to these schemes, CPPA-SM2 achieves more comprehensive security attributes, supports 10: batch verification and 12: dynamic member management, and has lower computational and communication costs.

Overall, compared to the state-of-the-art scheme, Jiang et al. scheme [26], CPPA-SM2 reduces the cost of single signature generation and verification by 42.25% and 74.25%, respectively. In terms of communication overhead, CPPA-SM2 reduces it by 60% and 39.17%, respectively. While the performance of CPPA-SM2 in batch verification is not as good as Jiang et al. scheme [26], it supports dynamic member management, enabling efficient member addition and revocation, which results in increased batch-verification costs.

6. Conclusions

In this paper, we propose a conditional privacy-preserving identity-authentication protocol that provides privacy protection for vehicles participating in federated learning in the IoV. Unlike most existing privacy-preserving federated learning schemes, it does not require complex cryptographic operations or the introduction of random noise. Instead, it achieves privacy protection by using dynamic pseudonyms to obscure the connection between model parameters and the real identities of vehicles, thereby maintaining federated learning efficiency.

Moreover, CPPA-SM2 is a certificateless authentication scheme based on ECC, CRT and the SM2 digital signature algorithm. It enables efficient identity authentication and dynamic member management, and supports batch verification. Security proofs and analyses demonstrate that it can ensure the authenticity and integrity of local model parameters, achieving secure vehicle authentication. Experimental results show that, compared to existing advanced schemes, CPPA-SM2 offers high computational efficiency and low communication overhead. Additionally, its integration with standard algorithms endows it with the potential for widespread application.

However, the focus of this paper is on identity-authentication schemes and privacy protection in the federated learning process. There are still some malicious clients in the federated learning process that may launch data-poisoning attacks by uploading malicious local model parameters, thereby affecting the performance of the global model. Therefore, future research could integrate Byzantine robust detection schemes to achieve privacy-preserving Byzantine robust federated learning. Additionally, with the development of post-quantum algorithms, the ECDLP may be efficiently solved by post-quantum algorithms, making ECC-based authentication schemes no longer secure. Future work can explore quantum-resistant identity-authentication schemes, such as lattice-based cryptography.

Author Contributions

Conceptualization, R.L. and S.X.; methodology, S.X.; formal analysis, R.L.; investigation, R.L.; resources, R.L. and S.X.; writing—original draft preparation, R.L.; writing—review and editing, R.L. and S.X.; supervision, S.X.; project administration, S.X.; funding acquisition, S.X. All authors have read and agreed to the published version of the manuscript.

Funding

This research was funded by the Ministry of Science and Technology of the People’s Republic of China, the Research on Digital Identity Trust System for Massive Heterogeneous Terminals in Road Traffic System (Grant No. 2022YFB3104402).

Institutional Review Board Statement

Not applicable.

Data Availability Statement

Data are contained within the article.

Conflicts of Interest

The authors declare no conflicts of interest.

References

Duan, W.; Gu, J.; Wen, M.; Zhang, G.; Ji, Y.; Mumtaz, S. Emerging Technologies for 5G-IoV Networks: Applications, Trends and Opportunities. IEEE Netw. 2020, 34, 283–289. [Google Scholar] [CrossRef]
Elbir, A.M.; Soner, B.; Coleri, S.; Gunduz, D.; Bennis, M. Federated Learning in Vehicular Networks. In Proceedings of the 2022 IEEE International Mediterranean Conference on Communications and Networking (MeditCom), Athens, Greece, 5–8 September 2022; pp. 72–77. [Google Scholar] [CrossRef]
Khan, L.U.; Mustafa, E.; Shuja, J.; Rehman, F.; Bilal, K.; Han, Z.; Hong, C.S. Federated Learning for Digital Twin-Based Vehicular Networks: Architecture and Challenges. IEEE Wirel. Commun. 2024, 31, 156–162. [Google Scholar] [CrossRef]
Zhang, X.; Chang, Z.; Hu, T.; Chen, W.; Zhang, X.; Min, G. Vehicle Selection and Resource Allocation for Federated Learning-Assisted Vehicular Network. IEEE Trans. Mob. Comput. 2023, 23, 3817–3829. [Google Scholar] [CrossRef]
Cao, X.; Başar, T.; Diggavi, S.; Eldar, Y.C.; Letaief, K.B.; Poor, H.V.; Zhang, J. Communication-Efficient Distributed Learning: An Overview. IEEE J. Sel. Areas Commun. 2023, 41, 851–873. [Google Scholar] [CrossRef]
Qu, Z.; Tang, Y.; Muhammad, G.; Tiwari, P. Privacy protection in intelligent vehicle networking: A novel federated learning algorithm based on information fusion. Inf. Fusion 2023, 98, 101824. [Google Scholar] [CrossRef]
Ni, R.; Lu, Y.; Yang, B.; Yang, C.; Liu, X. A federated pedestrian trajectory prediction model with data privacy protection. Complex Intell. Syst. 2024, 10, 1787–1799. [Google Scholar] [CrossRef]
XHu, X.; Li, R.; Wang, L.; Ning, Y.; Ota, K. A Data Sharing Scheme Based on Federated Learning in IoV. IEEE Trans. Veh. Technol. 2023, 72, 11644–11656. [Google Scholar] [CrossRef]
Sikarwar, H.; Das, D. A Novel MAC-Based Authentication Scheme (NoMAS) for Internet of Vehicles (IoV). IEEE Trans. Intell. Transp. Syst. 2023, 24, 4904–4916. [Google Scholar] [CrossRef]
Wei, K.; Li, J.; Ding, M.; Ma, C.; Yang, H.H.; Farokhi, F.; Jin, S.; Quek, T.Q.S.; Poor, H.V. Federated Learning With Differential Privacy: Algorithms and Performance Analysis. IEEE Trans. Inf. Forensics Secur. 2020, 15, 3454–3469. [Google Scholar] [CrossRef]
Zhao, Y.; Zhao, J.; Yang, M.; Wang, T.; Wang, N.; Lyu, L.; Niyato, D.; Lam, K.-Y. Local Differential Privacy-Based Federated Learning for Internet of Things. IEEE Internet Things J. 2021, 8, 8836–8853. [Google Scholar] [CrossRef]
Zhou, H.; Yang, G.; Dai, H.; Liu, G. PFLF: Privacy-Preserving Federated Learning Framework for Edge Computing. IEEE Trans. Inf. Forensics Secur. 2022, 17, 1905–1918. [Google Scholar] [CrossRef]
Zhou, C.; Fu, A.; Yu, S.; Yang, W.; Wang, H.; Zhang, Y. Privacy-Preserving Federated Learning in Fog Computing. IEEE Internet Things J. 2020, 7, 10782–10793. [Google Scholar] [CrossRef]
Ma, Z.; Ma, J.; Miao, Y.; Li, Y.; Deng, R.H. ShieldFL: Mitigating Model Poisoning Attacks in Privacy-Preserving Federated Learning. IEEE Trans. Inf. Forensics Secur. 2022, 17, 1639–1654. [Google Scholar] [CrossRef]
Hijazi, N.M.; Aloqaily, M.; Guizani, M.; Ouni, B.; Karray, F. Secure Federated Learning with Fully Homomorphic Encryption for IoT Communications. IEEE Internet Things J. 2024, 11, 4289–4300. [Google Scholar] [CrossRef]
ZZhang, Z.; Wu, L.; Ma, C.; Li, J.; Wang, J.; Wang, Q.; Yu, S. LSFL: A Lightweight and Secure Federated Learning Scheme for Edge Computing. IEEE Trans. Inf. Forensics Secur. 2023, 18, 365–379. [Google Scholar] [CrossRef]
Taheri, R.; Shojafar, M.; Alazab, M.; Tafazolli, R. Fed-IIoT: A Robust Federated Malware Detection Architecture in Industrial IoT. IEEE Trans. Ind. Inform. 2021, 17, 8442–8452. [Google Scholar] [CrossRef]
Taheri, R.; Arabikhan, F.; Gegov, A.; Akbari, N. Robust Aggregation Function in Federated Learning. In Advances in Information Systems, Artificial Intelligence and Knowledge Management; Saad, I., Rosenthal-Sabroux, C., Gargouri, F., Chakhar, S., Williams, N., Haig, E., Eds.; ICIKS 2023. Lecture Notes in Business Information Processing; Springer: Cham, Switzerland, 2024; Volume 486. [Google Scholar] [CrossRef]
Al Sibahee, M.A.; Nyangaresi, V.O.; Abduljabbar, Z.A.; Luo, C.; Zhang, J.; Ma, J. Two-Factor Privacy-Preserving Protocol for Efficient Authentication in Internet of Vehicles Networks. IEEE Internet Things J. 2024, 11, 14253–14266. [Google Scholar] [CrossRef]
Ou, Z.; Xing, X.; He, S.; Wang, G. TDS-NA: Blockchain-based trusted data sharing scheme with PKI authentication. Comput. Commun. 2024, 218, 240–252. [Google Scholar] [CrossRef]
Chen, Y.; Su, Y.; Zhang, M.; Chai, H.; Wei, Y.; Yu, S. FedTor: An Anonymous Framework of Federated Learning in Internet of Things. IEEE Internet Things J. 2022, 9, 18620–18631. [Google Scholar] [CrossRef]
Zhao, P.; Huang, Y.; Gao, J.; Xing, L.; Wu, H.; Ma, H. Federated Learning-Based Collaborative Authentication Protocol for Shared Data in Social IoV. IEEE Sens. J. 2022, 22, 7385–7398. [Google Scholar] [CrossRef]
Zhang, J.; Cui, J.; Zhong, H.; Chen, Z.; Liu, L. PA-CRT: Chinese Remainder Theorem Based Conditional Privacy-Preserving Authentication Scheme in Vehicular Ad-Hoc Networks. IEEE Trans. Dependable Secur. Comput. 2019, 18, 722–735. [Google Scholar] [CrossRef]
Kanchan, S.; Choi, B.J. An Efficient and Privacy-Preserving Federated Learning Scheme for Flying Ad Hoc Networks. In Proceedings of the ICC 2022—IEEE International Conference on Communications, Seoul, Republic of Korea, 16–20 May 2022; pp. 1–6. [Google Scholar] [CrossRef]
Lin, H.-T.; Jhuang, W.-L. Blockchain-Based Lightweight Certificateless Authenticated Key Agreement Protocol for V2V Communications in IoV. IEEE Internet Things J. 2022, 15. [Google Scholar] [CrossRef]
Jiang, Y.; Zhang, K.; Qian, Y.; Zhou, L. Anonymous and Efficient Authentication Scheme for Privacy-Preserving Distributed Learning. IEEE Trans. Inf. Forensics Secur. 2022, 17, 2227–2240. [Google Scholar] [CrossRef]
Ma, Y.; Cheng, Q.; Luo, X. 2PCLA: Provable Secure and Privacy Preserving Enhanced Certificateless Authentication Scheme for Distributed Learning. IEEE Trans. Inf. Forensics Secur. 2023, 18, 5876–5889. [Google Scholar] [CrossRef]
Xiong, H.; Chen, J.; Mei, Q.; Zhao, Y. Conditional Privacy-Preserving Authentication Protocol With Dynamic Membership Updating for VANETs. IEEE Trans. Dependable Secur. Comput. 2020, 19, 2089–2104. [Google Scholar] [CrossRef]
Zhong, H.; Wang, L.; Cui, J.; Zhang, J.; Bolodurina, I. Secure Edge Computing-Assisted Video Reporting Service in 5G-Enabled Vehicular Networks. IEEE Trans. Inf. Forensics Secur. 2023, 18, 3774–3786. [Google Scholar] [CrossRef]
Yuan, X.; Liu, J.; Wang, B.; Wang, W.; Li, T.; Ma, X.; Pedrycz, W. FedComm: A Privacy-Enhanced and Efficient Authentication Protocol for Federated Learning in Vehicular Ad-Hoc Networks. IEEE Trans. Inf. Forensics Secur. 2023, 19, 777–792. [Google Scholar] [CrossRef]
Zhang, Y.; Lei, H.; Wang, B.; Wang, Q.; Lu, N.; Shi, W.; Chen, B.; Yue, Q. Traceable ring signature schemes based on SM2 digital signature algorithm and its applications in the data sharing scheme. Front. Comput. Sci. 2024, 18, 182815. [Google Scholar] [CrossRef]
GM/T 0003.2-2012; SM2 Elliptic Curve Public Key Cryptographic Algorithm Part 2: Digital Signature Algorithm. National Standard of the People’s Republic of China: Beijing, China, 2012.
Eltaras, T.; Sabry, F.; Labda, W.; Alzoubi, K.; Ahmedeltaras, Q. Efficient Verifiable Protocol for Privacy-Preserving Aggregation in Federated Learning. IEEE Trans. Inf. Forensics Secur. 2023, 18, 2977–2990. [Google Scholar] [CrossRef]
Maurya, C.; Chaurasiya, V.K. Efficient Anonymous Batch Authentication Scheme with Conditional Privacy in the Internet of Vehicles (IoV) Applications. IEEE Trans. Intell. Transp. Syst. 2023, 24, 9670–9683. [Google Scholar] [CrossRef]
Horng, S.-J.; Tzeng, S.-F.; Pan, Y.; Fan, P.; Wang, X.; Li, T.; Khan, M.K. b-SPECS+: Batch Verification for Secure Pseudonymous Authentication in VANET. IEEE Trans. Inf. Forensics Secur. 2013, 8, 1860–1875. [Google Scholar] [CrossRef]
Cui, J.; Zhang, J.; Zhong, H.; Xu, Y. SPACF: A Secure Privacy-Preserving Authentication Scheme for VANET With Cuckoo Filter. IEEE Trans. Veh. Technol. 2017, 66, 10283–10295. [Google Scholar] [CrossRef]
Yang, Y.; Zhang, L.; Zhao, Y.; Choo, K.-K.R.; Zhang, Y. Privacy-Preserving Aggregation-Authentication Scheme for Safety Warning System in Fog-Cloud Based VANET. IEEE Trans. Inf. Forensics Secur. 2021, 17, 317–331. [Google Scholar] [CrossRef]
Lin, C.; Huang, X.; He, D. EBCPA: Efficient Blockchain-based Conditional Privacy-preserving Authentication for VANETs. IEEE Trans. Dependable Secur. Comput. 2022, 20, 1818–1832. [Google Scholar] [CrossRef]
Shen, J.; Liu, D.; Chen, X.; Li, J.; Kumar, N.; Vijayakumar, P. Secure Real-Time Traffic Data Aggregation with Batch Verification for Vehicular Cloud in VANETs. IEEE Trans. Veh. Technol. 2019, 69, 807–817. [Google Scholar] [CrossRef]

Figure 1. Authentication scheme based on CPPA-SM2 for IoV.

Figure 2. Workflow of CPPA-SM2.

Figure 5. Comparison of communication costs.

Table 1. Notations and definitions used.

Notations	Definition
$λ$	Security parameter
$s$	System master secret key
$P_{p u b}$	System public key
$(p k_{T A}, s k_{T A})$	TA’s public and private key pair
$(p k_{R S U}, s k_{R S U})$	RSU’s public and private key pair
$V_{i}$	The $i$ -th vehicle
$K$	Group key
$(β, D_{p u b})$	Group public key
$(X_{i}, Y_{i})$	$Vehicle V_{i}$ ’s full public key
$(x_{i}, y_{i})$	$Vehicle V_{i}$ ’s full private key
$s k_{i}$	$Vehicle V_{i}$ ’s secret key
$R I D_{i}$	$Vehicle V_{i}$ ’s real identity
$P I D_{i} = (P I D_{i, 1}, P I D_{i, 2})$	An pseudo-identity of vehicle $V_{i}$
$T_{i}$	Current timestamp
$T_{a}$	Arrival time
$Δ T$	The validity period of the pseudo-identity
$T_{K}$	The validity period of the group key
$H_{1}, H_{2}, H_{3}, H_{4}, H_{5}$	Five one-way hash functions
$s g k_{i}$	$The signature key for vehicle V_{i}$
$\| \|$	Concatenation operation
$S I G$	Signature algorithm
$W_{i}^{t}$	$The local model parameters of vehicle V_{i}$ in round $t$
$W_{R S U_{j}}^{t}$	$The local model parameters aggregated by R S U_{j}$ in round $t$
$W_{g l o b a l}^{t + 1}$	$The global model for round t + 1$

Table 2. Execution time of basic cryptographic operations and element size.

Symbols	Meanings	Time (ms)/Size (Byte)
$T_{i n v e r s e}$	$Time of module inverse on Z_{q}^{*}$	0.0181 ms
$T_{\mod}$	$Time of \mod operation on Z_{q}^{*}$	0.0020 ms
$T_{e}$	$Time of module exponential on Z_{q}^{*}$	0.0434 ms
$T_{m}$	$Time of module multiplication on Z_{q}^{*}$	0.0044 ms
$T_{S E}$	Encryption time of AES algorithm	10.0761 ms
$T_{D E}$	Decryption time of AES algorithm	0.1759 ms
$T_{\oplus}$	Time of XOR operation	0.0009 ms
$T_{b p}$	Time of bilinear pairing	8.7985 ms
$T_{b p m 1}$	$Time of multiplication on bilinear group G_{1}$	0.1361 ms
$T_{b p e 1}$	$Time of exponential on bilinear group G_{1}$	1.3451 ms
$T_{b p m 2}$	$Time of multiplication on bilinear group G_{2}$	0.0069 ms
$T_{b p e 2}$	$Time of exponential on bilinear group G_{2}$	0.0869 ms
$T_{e m}$	Time of scalar multiplication on ecliptic curve group $G$	1.4944 ms
$T_{e a}$	Time of point addition on ecliptic curve group $G$	0.1376 ms
$T_{h}$	Time of one-way hash function	0.3018 ms
$T_{m t p}$	Time of hash mapped to point	48.3228 ms
$\| T \|$	Size of timestamp	4 bytes
$\| I D \|$	Size of ID	8 bytes
$\| A E S \|$	The ciphertext size of AES algorithm	32 bytes
$\| G \|$	Size of elements on elliptic curve $G$	64 bytes
$\| G_{1} \|$	Size of elements on bilinear group $G_{1}$	128 bytes
$\| G_{2} \|$	Size of elements on bilinear group $G_{2}$	128 bytes
$\| Z_{q}^{*} \|$	$Size of elements on Z_{q}^{*}$	32 bytes
$\| H \|$	Output size of hash function	32 bytes

Table 5. Comparison of communication costs for different schemes.

Scheme	SSS	NTM	STM	NI
[22]	$\| I D \| + \| G \| + \| T \| + 2 \| Z_{q}^{*} \|$	4	$2 \| I D \| + 2 \| G \| + 3 \| T \| + 10 \| Z_{q}^{*} \|$	4
[24]	$\| G_{2} \| + 2 \| G_{1} \| + 6 \| Z_{q}^{*} \|$	9	$\| G_{2} \| + 2 \| G_{1} \| + 6 \| Z_{q}^{*} \|$	2
[26]	$\| G_{1} \| + \| Z_{q}^{*} \|$	5	$3 \| G_{1} \| + 3 \| Z_{q}^{*} \|$	1
[37]	$3 \| G_{1} \|$	2	$3 \| G_{1} \|$	1
[38]	$2 \| G \| + 3 \| Z_{q}^{*} \|$	4	$\| T \| + 3 \| Z_{q}^{*} \| + 4 \| G \|$	2
Ours	$2 \| Z_{q}^{*} \|$	4	$\| T \| + \| H \| + 2 \| Z_{q}^{*} \| + 3 \| G \|$	1

Table 6. Security features.

Scheme	SF
Scheme	1	2	3	4	5	6	7	8	9	10	11	12	13
[22]	√	×	√	√	×	√	√	×	×	×	√	×	×
[24]	√	√	√	√	√	√	×	×	×	×	√	×	√
[26]	√	√	√	√	√	√	√	√	√	√	√	×	√
[37]	√	√	√	√	√	√	×	×	√	√	×	×	√
[38]	√	√	√	√	√	√	×	×	√	√	√	×	√
Ours	√	√	√	√	√	√	√	√	√	√	√	√	√

Disclaimer/Publisher’s Note: The statements, opinions and data contained in all publications are solely those of the individual author(s) and contributor(s) and not of MDPI and/or the editor(s). MDPI and/or the editor(s) disclaim responsibility for any injury to people or property resulting from any ideas, methods, instructions or products referred to in the content.

© 2024 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (https://creativecommons.org/licenses/by/4.0/).

Share and Cite

MDPI and ACS Style

Xu, S.; Liu, R. A Conditional Privacy-Preserving Identity-Authentication Scheme for Federated Learning in the Internet of Vehicles. Entropy 2024, 26, 590. https://doi.org/10.3390/e26070590

AMA Style

Xu S, Liu R. A Conditional Privacy-Preserving Identity-Authentication Scheme for Federated Learning in the Internet of Vehicles. Entropy. 2024; 26(7):590. https://doi.org/10.3390/e26070590

Chicago/Turabian Style

Xu, Shengwei, and Runsheng Liu. 2024. "A Conditional Privacy-Preserving Identity-Authentication Scheme for Federated Learning in the Internet of Vehicles" Entropy 26, no. 7: 590. https://doi.org/10.3390/e26070590

Note that from the first issue of 2016, this journal uses article numbers instead of page numbers. See further details here.

Scheme	SSS	NTM	STM	NI
[22]	$\| I D \| + \| G \| + \| T \| + 2 \| Z_{q}^{*} \|$	4	$2 \| I D \| + 2 \| G \| + 3 \| T \| + 10 \| Z_{q}^{*} \|$	4
[24]	$\| G_{2} \| + 2 \| G_{1} \| + 6 \| Z_{q}^{*} \|$	9	$\| G_{2} \| + 2 \| G_{1} \| + 6 \| Z_{q}^{*} \|$	2
[26]	$\| G_{1} \| + \| Z_{q}^{*} \|$	5	$3 \| G_{1} \| + 3 \| Z_{q}^{*} \|$	1
[37]	$3 \| G_{1} \|$	2	$3 \| G_{1} \|$	1
[38]	$2 \| G \| + 3 \| Z_{q}^{*} \|$	4	$\| T \| + 3 \| Z_{q}^{*} \| + 4 \| G \|$	2
Ours	$2 \| Z_{q}^{*} \|$	4	$\| T \| + \| H \| + 2 \| Z_{q}^{*} \| + 3 \| G \|$	1

Article Menu

A Conditional Privacy-Preserving Identity-Authentication Scheme for Federated Learning in the Internet of Vehicles

Abstract

1. Introduction

2. Preliminaries

2.1. Chinese Remainder Theorem

2.2. Elliptic Curve Cryptosystem

2.3. SM2 Digital Signature Algorithm

2.4. System Model

2.5. Threat Model and Security Model

2.6. Design Goals

3. The Proposed Scheme

3.1. System Initialization

3.2. Registration

3.2.1. Vehicle Registration

3.2.2. RSU Registration

3.2.3. Group Key Generate

3.3. Message Sign

3.4. Message Verification

3.4.1. Single Message Verification

3.4.2. Batch Messages Verification

3.4.3. Local Model Aggregation

3.5. Group Member Management

3.5.1. Trace

3.5.2. Revoke

3.5.3. Add

4. Correctness and Security Proof and Analysis

4.1. Correctness Proof

4.2. Security Proof

4.3. Informal Security Analysis

5. Performance Evaluation

5.1. Computation Costs

5.2. Communication Costs

5.3. Security Features

6. Conclusions

Author Contributions

Funding

Institutional Review Board Statement

Data Availability Statement

Conflicts of Interest

References

Share and Cite

Article Metrics

Article Access Statistics

Further Information

Guidelines

MDPI Initiatives

Follow MDPI