This article has been accepted for publication in IEEE Transactions on Information Forensics and Security but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/TIFS.2018.2885277, IEEE Transactions on Information Forensics and Security
Abstract—The connected vehicular ad-hoc network (VANET) and cloud computing technologies allow entities in a VANET to enjoy the storage and computing services offered by a cloud service provider. These advantages do not come for free, however: combining the two brings many new security and privacy requirements for VANET applications. In this article we investigate the cloud-based road condition monitoring (RCoM) scenario, in which an authority monitors real-time road conditions with the help of a cloud server so that it can respond to emergencies in time. When a bad road condition is detected, e.g., a geologic hazard or an accident, vehicles on site report it to a cloud server engaged by the authority. We focus on three key issues in RCoM. First, a vehicle must be authorized by a roadside unit before it generates a road condition report for that unit's domain and uploads it to the cloud server. Second, to preserve privacy against the cloud server, road condition information is reported in ciphertext, so the cloud server must be able to tell whether reports from different vehicles concern the same place and condition while they stay encrypted, without compromising their confidentiality. Third, the cloud server and the authority must be able to validate the source of a report, i.e., check that the road condition was reported by a legitimate vehicle. To address these issues we present an efficient RCoM scheme, analyze its efficiency theoretically, and demonstrate its practicality through experiments.
Index Terms—Data privacy, vehicular ad hoc networks, VANET, cloud computing, authentication, auditability.
1 INTRODUCTION
1556-6013 (c) 2018 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.
center. Therefore, the vehicles are unable to report the detected traffic information directly, and the traffic monitoring center must be powerful enough to process all reported traffic information in real time as well as to maintain the report data.

Notice that connected vehicular cloud computing (CVCC) has recently been proposed [8], [9]; it combines VANET with cloud computing technology. With CVCC, all entities in a VANET can enjoy the advantages of cloud computing, that is, the computing and storage services offered by a cloud service provider. In this paper, we investigate the road condition monitoring scenario described above in the CVCC framework. When a vehicle enters the domain of some RU, it interacts with that RU to obtain a token. If a road condition is observed within the domain of the RU, the vehicle generates a report using the issued token and uploads the report to the cloud server for processing.

We observe that three critical issues remain to be addressed. First, the cloud server may not be trustworthy [10] and may be curious about the contents of the stored road condition reports. Thus, to protect confidentiality, all reports should be stored at the cloud server in ciphertext form such that only the root authority is able to decrypt them. Second, the uploaded reports are in fact big data with high volume and velocity, so they cannot simply be forwarded to the trusted root authority for processing, given its limited storage and computing capabilities. It is preferable to let the cloud server undertake most of the computation, for example, to identify which road domain has been reported more than τ times for the same condition information. This functionality requires that the cloud server be able to compare the ciphertext reports without decrypting them. Note that existing homomorphic encryption [11] is not applicable in this big data scenario because of its inefficiency. Third, some malicious vehicles may impersonate others to upload forged road conditions. Thus, the source of a road condition report should be verifiable by the cloud server and the authority.

1.1 Our contributions

To address the above issues for secure road condition monitoring in the CVCC framework, this paper proposes a privacy-preserving cloud-based road condition monitoring system with source authentication (RCoM). We design a concrete RCoM scheme in bilinear groups, which provides the following functionalities.

• Authorized reporting. A vehicle can collect real-time road condition information and encrypt it with the root authority's public key, its own secret key and the token issued by the administrative RU of the domain in which it is currently driving, before uploading it to the cloud server. Without a valid token from some RU, a vehicle cannot generate a road condition report without being caught. The report, still in ciphertext, can be partially validated by the cloud server without decryption, which lets the cloud server filter out and discard invalid reports.

• Privacy-preserving monitoring. The cloud server is engaged to perform much of the monitoring work. Specifically, the cloud server groups all reports into equivalence classes, where the reports in the same equivalence class concern the same road domain and the same road condition information. When the cloud server receives a new report from some vehicle, it compares this report with the existing equivalence classes; in fact, only one report in each equivalence class needs to be compared. If some comparison returns true, the fresh report is inserted into the corresponding equivalence class. When an equivalence class contains at least τ reports, the cloud server informs the root authority to process it immediately. The root authority only needs to decrypt one ciphertext report to obtain the road condition information, and takes action if needed.

• Source authentication. The entities in the RCoM system, such as sub-authorities, vehicles and roadside units, are recognized by their identities. Thus, our RCoM construction does not rely on complicated cryptographic certificates. When a vehicle or an RU receives a secret key from some sub-authority, it is able to validate the key using the identity of the administrative sub-authority. Moreover, the cloud server can check whether a report was generated by the claimed vehicle, and the root authority can verify whether the report was generated with a token issued by the claimed RU.

The security of our RCoM scheme is analyzed under the Computational Diffie-Hellman assumption, which implies that malicious vehicles cannot forge a valid road condition report under selective identity and chosen message attacks, and that a report enjoys one-way confidentiality under adaptive chosen ciphertext attack against the cloud server if the order of the message space is larger than any polynomial function. We also conduct extensive experiments on our RCoM scheme. Both theoretical analysis and experimental results demonstrate the practicality of our RCoM proposal in applications.

1.2 Related techniques

In this section, we briefly review related techniques in secure VANET applications and secure cloud storage. We also review related cryptographic techniques such as encryption with equality test on ciphertexts and delegated/authorized data processing.

Secure VANET applications. In [12], Wu et al. presented a contributory broadcast encryption scheme, which allows vehicles in a VANET to negotiate a common public encryption key while each vehicle holds its own decryption key. In this way, only these vehicles are able to exchange traffic information securely using their decryption keys. Guo et al. [13] designed a secure mechanism to collect traffic information through the Internet of Vehicles; in particular, a trusted certification authority issues certificates to all vehicles. Of the two types of traffic information, business data and confidential data, the former can be transferred in plaintext, whereas the latter has to be encrypted.
Sucasas et al. [14] addressed the issue of guaranteeing vehicle location privacy when authenticating received messages in intelligent transportation systems. They proposed an autonomous privacy-preserving authentication scheme in which vehicles are able to renew their pseudonyms without interacting with the trusted authority. Malhi and Batra [15] considered the same authentication problem, where pseudonyms are used to achieve anonymous communication. They also designed a new privacy-preserving signature scheme for inter-vehicle communication, where the verification procedure is further improved to support aggregate verification and enhanced with Bloom filters to prevent message drops during heavy traffic hours. Liu et al. [16] investigated user privacy protection in data aggregation without a trusted third party, and designed an efficient scheme in bilinear groups.

Secure cloud storage. Security issues such as data auditability, confidentiality and provenance for cloud storage have been well studied in recent years [10], [17], [18]. Provable Data Possession [19], Proofs of Retrievability [20], and Proofs of Storage [21], [22] were introduced to guarantee the integrity of outsourced data in clouds. All these primitives allow an auditor to audit the outsourced data without retrieving the entire copy from the cloud server. Note that, compared to Provable Data Possession and Proofs of Storage, Proofs of Retrievability [23] also employ an erasure code so that outsourced data can be recovered, to some extent, when it has been partially lost or corrupted.

Delegated/Authorized data processing. Wang, He and Tang [24] studied proxy-oriented data outsourcing in clouds, where the data owner can authorize a proxy to process her data and upload it to the cloud server. Wang et al. [25] considered a similar problem scenario, where the authorized proxy can directly process data with his private key, while

authentication and integrity protection in the automatic dependent surveillance-broadcast system (ADS-B). In their pro-

1.3 Paper organization

The remainder of this paper is organized as follows. We introduce the RCoM system architecture and security requirements in Section 2. The RCoM framework and the security model are formalized in Section 3. Section 4 introduces our RCoM scheme and Section 5 proves its security. In Section 6, we analyze our RCoM scheme both theoretically and empirically. Finally, Section 7 concludes the paper.

2 ARCHITECTURE AND SECURITY REQUIREMENTS OF RCoM SYSTEM

In this section, we formalize the architecture of RCoM and summarize its security requirements.

2.1 RCoM architecture

The RCoM system consists of five types of entities (see Figure 1): a root authority (RA), many sub-authorities (SAs), many roadside units (RUs), a cloud server, and many vehicles. As in a VANET, RA, SAs and RUs are the trusted participants. In real-world applications, RA can be the Department of Transportation. The goal of RA is to monitor real-time road conditions with the help of a cloud server, so that it can respond to emergencies in time. The cloud server is maintained by some cloud service provider (CSP), which has significant computing and storage resources and provides on-the-move access to outsourced data (i.e., road condition information) to end users. In RCoM, the cloud server is a curious entity, engaged by RA to maintain and process all road information collected by vehicles.

[Figure 1: RCoM architecture. Labels in the figure: RA, SA, RU, Cloud server; flows labelled Registration, Road condition report, Monitoring.]
any (par, msk) ← Setup(1^κ), the following conditions are satisfied:

• For any secret key ssk_i ← SAdlg(par, msk, SA_i) issued by the RA, it can be validated as true and accepted by the sub-authority SA_i;
• For any secret key vsk_j ← VHreg(par, SA_i, ssk_i, V_j) issued by SA_i, it can be validated as true and accepted by the vehicle V_j;
• For any secret key rsk_l ← RUreg(par, SA_ℓ, ssk_ℓ, RU_l) issued by SA_ℓ, it can be validated as true and accepted by the roadside unit RU_l;
• For any vehicle V_j and any road section administrated by some roadside unit RU_l, the token distribution protocol TKdis(par, (SA_i, V_j, vsk_j), (SA_ℓ, RU_l, rsk_l)) outputs a valid authentication tuple T_l;
• For any road condition information I collected at RU_l and any vehicle V_j with authentication tuple T_l, both CLpro(par, U, W) = 1 and (RU_l, I) ← RApro(par, msk, U, W) hold, where (U, W) ← RCrep(par, vsk_j, T_l, RU_l, I).

3.2 Formal security definitions

We present formal security definitions to capture the unforgeability of ciphertexts against selective identity and chosen message attack (UF-SI-CMA) launched by a malicious vehicle, and the one-way confidentiality under adaptive chosen ciphertext attack (OW-CCA2) against a curious cloud server. Note that the cloud server must be able to compare the ciphertexts (i.e., encrypted road condition reports) from vehicles in order to group them into equivalence classes, which means that the ciphertexts in RCoM are distinguishable. Thus, the RCoM system cannot offer indistinguishability for road condition reports under chosen plaintext/ciphertext attacks. In [29], Yang et al. discussed that ciphertext comparability and indistinguishability are irreconcilable, and that indistinguishability-based security notions are not applicable to encryption schemes with ciphertext comparability.

We first consider the case where malicious vehicles may collude to forge a road condition report (U*, W*). Let A be a probabilistic polynomial-time (PPT) adversary who plays the following game with a challenger C and tries to forge a valid pair (U*, W*).

Setup: The adversary A picks a target sub-authority SA* and vehicle V*, and sends them to C. With a security parameter κ, the challenger C generates (par, msk) and publishes the public parameter par.

Queries: The adversary A can adaptively submit the following queries to C.

• Delegation: The adversary A can ask for the secret key of any sub-authority SA_i. The challenger C generates ssk_i and gives it to A.
• Vehicle registration: In each query, the adversary A submits a pair (SA_i, V_j) to C. If SA_i has not been queried for a secret key, the challenger C first generates ssk_i. Then C runs the vehicle registration algorithm and returns a secret key vsk_j of V_j with regard to SA_i.
• Roadside unit registration: In each query, the adversary A submits a pair (SA_ℓ, RU_l) to C. If SA_ℓ has not been queried for a secret key, the challenger C first generates ssk_ℓ. Then C runs the roadside unit registration algorithm and returns a secret key rsk_l of RU_l with regard to SA_ℓ.
• Road condition report: In each query, the adversary A submits a tuple (V_j, T_l, RU_l, I) to C. Suppose both V_j and RU_l have been queried for secret keys before. If T_l is a valid authentication tuple jointly generated by V_j and RU_l, the challenger C returns a pair (U, W).
• RA processing: In each query, the adversary A submits a pair (U, W) to C. The challenger C returns the output of the RA processing algorithm.

End-Game: Eventually, the adversary A outputs a tuple (U*, W*) with regard to sub-authority SA*, vehicle V* and (RU*, T*, I*). We say that the adversary A succeeds if all of the following conditions hold:

• The adversary A has not made a delegation query on sub-authority SA* to get a secret key;
• The adversary A has not made a registration query on vehicle V*;
• RApro(par, msk, U*, W*) = (RU*, I*), but (U*, W*) was not generated in a road condition report query with (V*, T*, RU*, I*).

Definition 1 A RCoM scheme is UF-SI-CMA secure if any PPT adversary A who plays the above game with C has only negligible probability of winning the game, that is,

$$\Pr[\mathcal{A}_{\mathrm{win}}] \le \epsilon(\kappa),$$

where the probability is taken over all coin tosses made by C and A.

Remark 1 Note that Definition 1 also implies that malicious vehicles cannot forge the secret keys of SAs and vehicles. Otherwise, the adversary would be able to generate a valid ciphertext for some road condition information using the forged secret keys. Moreover, since the secret keys of RUs are generated by SAs in the same way as those of vehicles, the unforgeability of these keys is also implied by Definition 1.

We proceed to define the OW-CCA2 security of the RCoM scheme against a curious cloud server.

Setup: On input a security parameter κ, the challenger C generates (par, msk) and gives the public parameter par to the adversary A.

Phase 1: The adversary A can adaptively submit queries to C as in Definition 1.

• Delegation: Same as in Definition 1.
• Vehicle registration: Same as in Definition 1.
• Roadside unit registration: Same as in Definition 1.
• Road condition report: Same as in Definition 1.
• RA processing: Same as in Definition 1.

Challenge: At the end of Phase 1, the challenger randomly picks a vehicle V*, a roadside unit RU* and a road condition I*, and computes (U*, W*) ← RCrep(par, vsk*, T*, RU*, I*), where V* and RU* are administrated by SA* and SA'* respectively, and T* ← TKdis(par, (SA*, V*, vsk*), (SA'*, RU*, rsk*)). The challenger C gives (U*, W*) to A.
Phase 2: The adversary A can issue queries to C as in Phase 1, except that (U*, W*) cannot be submitted for RA processing.

Guess: At the end of Phase 2, the adversary outputs a guess (RÛ, Î) and succeeds in the game if (RÛ, Î) = (RU*, I*).

Definition 2 A RCoM scheme is OW-CCA2 secure for reported road conditions if any PPT adversary A has only negligible advantage in κ in winning the above game, that is,

$$\mathrm{Adv}^{\mathrm{ow\text{-}cca2}}_{\mathcal{A}} = \Pr[(\hat{RU}, \hat{I}) = (RU^*, I^*)] \le \epsilon(\kappa),$$

where the probability is taken over all coin tosses made by C and A.

4 OUR PROPOSAL

In this section, we propose a concrete RCoM scheme in bilinear groups. Table 1 summarizes the frequently used notation, which will be explained as it is used.

TABLE 1
Notation.

Symbol | Meaning
G, G_T | Cyclic groups with bilinear mapping ê : G × G → G_T
g, h | Two generators of G
p | A large prime, the order of G and G_T
x, z | The master secret key
y, w | The public key of RA
H_i | Cryptographic hash functions for 1 ≤ i ≤ 7
τ | A threshold to trigger an emergency case
ssk_i | The secret key of SA_i
vsk_j | The secret key of vehicle V_j
rsk_l | The secret key of RU_l
r, v, s | Random values in Z_p^*
T_j, T_l | The tuples generated by V_j and RU_l in TKdis
θ_j, θ_l | The pairs contained in T_j, T_l, respectively
t_j, t_l | Time stamps
T_d | Valid period of θ_l
I | Collected road condition information
(U, W) | Encrypted road condition information
𝒢 | Equivalence class of road condition information

Suppose G = ⟨g⟩ and G_T are cyclic groups of prime order p. The mapping ê : G × G → G_T is bilinear if the following properties are satisfied:

• Bilinearity: ∀μ, ν ∈ G and ∀a, b ∈ Z_p^*, ê(μ^a, ν^b) = ê(μ, ν)^{ab};
• Non-degeneracy: ê(g, g) ≠ 1;
• Efficiency: The mapping ê is efficiently computable.

Our RCoM scheme relies on the following complexity assumption.

Computational Diffie-Hellman assumption (CDH). Let G = ⟨g⟩ be a cyclic group of prime order p. Given a tuple (g, g^a, g^b) for random values a, b ∈_R Z_p^*, any PPT algorithm E has only negligible probability of computing g^{ab} ∈ G.

4.1 System setup

The root authority RA generates a bilinear mapping ê : G × G → G_T, where G and G_T are cyclic groups of prime order p, and g, h are two distinct generators of G. RA then selects random values x, z ∈_R Z_p^*, sets the master secret key msk = (x, z), and computes y = g^x and w = g^z. RA also picks seven cryptographic hash functions: H_i : {0,1}^* → Z_p^* for 1 ≤ i ≤ 5, H_6 : G → {0,1}^{λ_ru + λ_I + 2 log p} and H_7 : {0,1}^* → G, where λ_ru and λ_I denote the lengths of the identities of RUs and of the road condition information I, respectively.

RA also fixes an alert threshold τ (e.g., τ = 10) such that when τ or more vehicles report the same road condition at the same place, it is treated as an emergency case requiring a fast response from RA. Finally, RA sets the public system parameters par = (ê, G, G_T, g, h, p, y, w, H_1, H_2, ..., H_7, τ).

4.2 Delegation to sub-authority

Sub-authorities are delegated by RA to authorize vehicles, which improves authorization efficiency. In the delegation phase, each SA_i obtains a secret key from RA: RA picks a random value r_i ∈_R Z_p^*, calculates the secret key

$$ssk_i = (ssk_{i,1}, ssk_{i,2}) = \big(g^{r_i},\; h^{\,r_i + x H_1(SA_i \| ssk_{i,1})}\big)$$

and sends ssk_i to SA_i securely. Sub-authority SA_i can verify ssk_i as follows:

$$\hat{e}(ssk_{i,2}, g) \overset{?}{=} \hat{e}\big(h,\; ssk_{i,1}\cdot y^{H_1(SA_i \| ssk_{i,1})}\big) \qquad (1)$$

4.3 Vehicle registration

In the registration phase, every vehicle V_j obtains its authorization (a secret key) from its administrative sub-authority SA_i. SA_i picks a random value r_{i,j} ∈_R Z_p^* and calculates the secret key vsk_j = (vsk_{j,1}, vsk_{j,2}, vsk_{j,3}), where

$$vsk_{j,1} = ssk_{i,1},\qquad vsk_{j,2} = g^{r_{i,j}},\qquad vsk_{j,3} = ssk_{i,2}\cdot h^{\,r_{i,j} H_2(SA_i \| V_j \| vsk_{j,1} \| vsk_{j,2})},$$

and gives vsk_j to V_j securely. Vehicle V_j is able to verify vsk_j as follows:

$$\hat{e}(vsk_{j,3}, g) \overset{?}{=} \hat{e}\big(h,\; vsk_{j,1}\cdot y^{H_1(SA_i \| vsk_{j,1})}\cdot vsk_{j,2}^{\,H_2(SA_i \| V_j \| vsk_{j,1} \| vsk_{j,2})}\big) \qquad (2)$$

4.4 Roadside unit registration

As in the vehicle registration phase, every roadside unit RU_l obtains a secret key from its administrative sub-authority SA_ℓ. That is, SA_ℓ picks a random value r_{ℓ,l} ∈_R Z_p^* and calculates the secret key rsk_l = (rsk_{l,1}, rsk_{l,2}, rsk_{l,3}), where

$$rsk_{l,1} = ssk_{\ell,1},\qquad rsk_{l,2} = g^{r_{\ell,l}},\qquad rsk_{l,3} = ssk_{\ell,2}\cdot h^{\,r_{\ell,l} H_2(SA_\ell \| RU_l \| rsk_{l,1} \| rsk_{l,2})},$$

and gives rsk_l to RU_l securely. Roadside unit RU_l can validate rsk_l as follows:

$$\hat{e}(rsk_{l,3}, g) \overset{?}{=} \hat{e}\big(h,\; rsk_{l,1}\cdot y^{H_1(SA_\ell \| rsk_{l,1})}\cdot rsk_{l,2}^{\,H_2(SA_\ell \| RU_l \| rsk_{l,1} \| rsk_{l,2})}\big) \qquad (3)$$
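The key hierarchy of Sections 4.1 to 4.4 (RA delegates to an SA, the SA registers vehicles and roadside units, and each recipient checks Equations (1) to (3) against the RA's public key y) can be exercised end to end. The following is an added example written for this page, not code from the paper or its authors. It runs the algebra over a toy "bilinear map": group elements are integers modulo a Mersenne prime P, written multiplicatively, so that a^k is a·k mod P, a·b is a+b mod P and ê(a, b) is a·b mod P. That map is bilinear and non-degenerate, so the verification equations behave exactly as on the page, but discrete logarithms are trivial in it; it is a correctness harness only, not a secure instantiation (a pairing-friendly curve is required for that). The hash functions H_1, H_2, the byte encoding of identities and group elements, and the identities "SA-1", "VEHICLE-42" and "RU-7" are all assumptions made for the example.

```python
# Added example (not the paper's code): the RCoM key hierarchy of Sections 4.1-4.4
# (RA -> SA -> vehicle / roadside unit) with the checks of Equations (1)-(3), run over
# a TOY "bilinear map".  Group elements are integers mod P written multiplicatively:
#   "a^k" is a*k mod P, "a*b" is a+b mod P, and e(a, b) is a*b mod P.
# This map is bilinear and non-degenerate, so the paper's verification algebra is
# exercised exactly, but discrete logs are trivial here: it is a correctness harness,
# NOT a secure instantiation (a pairing-friendly curve is needed for that).
import hashlib
import secrets

P = 2**127 - 1            # toy group order (assumption: a Mersenne prime, not a curve)
g, h = 2, 3               # two distinct generators of the additive group Z_P

def gexp(a, k):           # a^k
    return (a * k) % P

def gmul(a, b):           # a . b
    return (a + b) % P

def pair(a, b):           # e(a, b) in G_T (also represented in Z_P)
    return (a * b) % P

def cat(*parts):          # "||" concatenation; group elements are fixed 16-byte fields
    return b"|".join(p if isinstance(p, bytes) else p.to_bytes(16, "big") for p in parts)

def H(i, *parts):         # H_i : {0,1}* -> Z_P^* for 1 <= i <= 5 (assumed SHA-256 based)
    d = hashlib.sha256(bytes([i]) + cat(*parts)).digest()
    return int.from_bytes(d, "big") % (P - 1) + 1

def setup():
    """4.1: msk = (x, z); public y = g^x, w = g^z."""
    x, z = secrets.randbelow(P - 1) + 1, secrets.randbelow(P - 1) + 1
    return (x, z), {"y": gexp(g, x), "w": gexp(g, z)}

def sa_delegate(msk, sa_id):
    """4.2: ssk_i = (g^{r_i}, h^{r_i + x H1(SA_i || ssk_{i,1})})."""
    x, _ = msk
    r = secrets.randbelow(P - 1) + 1
    ssk1 = gexp(g, r)
    ssk2 = gexp(h, (r + x * H(1, sa_id, ssk1)) % P)
    return ssk1, ssk2

def verify_ssk(par, sa_id, ssk):
    """Equation (1): e(ssk_{i,2}, g) == e(h, ssk_{i,1} . y^{H1(SA_i || ssk_{i,1})})."""
    ssk1, ssk2 = ssk
    return pair(ssk2, g) == pair(h, gmul(ssk1, gexp(par["y"], H(1, sa_id, ssk1))))

def sa_register(ssk, sa_id, member_id):
    """4.3 / 4.4: (k1, k2, k3) = (ssk_{i,1}, g^r, ssk_{i,2} . h^{r H2(SA_i || ID || k1 || k2)})."""
    ssk1, ssk2 = ssk
    r = secrets.randbelow(P - 1) + 1
    k1, k2 = ssk1, gexp(g, r)
    k3 = gmul(ssk2, gexp(h, (r * H(2, sa_id, member_id, k1, k2)) % P))
    return k1, k2, k3

def verify_member_key(par, sa_id, member_id, key):
    """Equations (2)/(3): e(k3, g) == e(h, k1 . y^{H1(SA_i || k1)} . k2^{H2(SA_i || ID || k1 || k2)})."""
    k1, k2, k3 = key
    rhs = gmul(gmul(k1, gexp(par["y"], H(1, sa_id, k1))),
               gexp(k2, H(2, sa_id, member_id, k1, k2)))
    return pair(k3, g) == pair(h, rhs)

def demo():
    """Honest keys validate; keys derived from an SA key that RA never issued do not."""
    msk, par = setup()
    ssk = sa_delegate(msk, b"SA-1")                      # constructed identities
    vsk = sa_register(ssk, b"SA-1", b"VEHICLE-42")
    rsk = sa_register(ssk, b"SA-1", b"RU-7")
    rogue_ssk = sa_delegate((secrets.randbelow(P - 1) + 1, 0), b"SA-1")  # wrong master x
    rogue_vsk = sa_register(rogue_ssk, b"SA-1", b"VEHICLE-42")
    return (verify_ssk(par, b"SA-1", ssk),
            verify_member_key(par, b"SA-1", b"VEHICLE-42", vsk),
            verify_member_key(par, b"SA-1", b"RU-7", rsk),
            verify_ssk(par, b"SA-1", rogue_ssk),
            verify_member_key(par, b"SA-1", b"VEHICLE-42", rogue_vsk))

if __name__ == "__main__":
    print(demo())   # (True, True, True, False, False)
```

The last two results are the check a practitioner cares about: a sub-authority key built with any x other than RA's fails Equation (1), and every vehicle or RU key derived from it fails Equations (2)/(3), because the y^{H_1(...)} factor on the right-hand side is fixed by RA's public key. Note that vsk_{j,1} = ssk_{i,1} is public in W, so the binding to the SA comes from H_1(SA_i || vsk_{j,1}), not from keeping ssk_{i,1} secret.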
4.6 Road condition report

Suppose vehicle V_j collects road condition I on some section administrated by roadside unit RU_l at time Time. Then vehicle V_j generates a report as follows. It selects a random value s ∈_R Z_p^* and computes the ciphertext U = (u_1, u_2, u_3, u_4), where

$$u_1 = g^s,\qquad u_2 = H_6(w^s) \oplus (RU_l \| I \| rsk_{l,1} \| rsk_{l,2}),\qquad u_3 = H_7(RU_l \| I)^s,\qquad u_4 = vsk_{j,3}\cdot h^{\,s H_5(V_j \| \theta_l \| u_1 \| u_2 \| u_3 \| Time)}.$$

Finally, vehicle V_j uploads the ciphertext U and the tuple W = (SA_i, SA_ℓ, V_j, vsk_{j,1}, vsk_{j,2}, t_l, t_j, T_d, θ_l, Time) to the cloud server, where SA_i and SA_ℓ are the administrative sub-authorities of V_j and RU_l, respectively.

and checks whether Equality (5) and the following condition are satisfied:

$$\hat{e}(u_1, H_7(RU_l \| I)) \overset{?}{=} \hat{e}(u_3, g) \qquad (8)$$

If both are true, RA accepts the reported road condition I at RU_l, and takes action if needed.

5 SOUNDNESS AND SECURITY

In this section, we show that our RCoM scheme is sound and enjoys UF-SI-CMA and OW-CCA2 security.

Theorem 1 In a successful delegation, the SA accepts the secret key generated by RA; in a successful registration, a vehicle or an RU accepts the secret key generated by the SA; in a successful round of the token distribution protocol, the vehicle accepts the authentication tuple generated by the corresponding RU; for any two ciphertexts encrypting the same road condition information, the cloud server classifies them into the same group; for a sound ciphertext, RA is able to recover the reported road condition information.

Proof We only need to show that Equations (1)-(8) hold.

For a secret key ssk_i of SA_i, Equation (1) holds as follows:

$$\hat{e}\big(h^{\,r_i + x H_1(SA_i \| ssk_{i,1})}, g\big) = \hat{e}\big(h,\; g^{r_i}\,(g^x)^{H_1(SA_i \| ssk_{i,1})}\big) = \hat{e}\big(h,\; ssk_{i,1}\cdot y^{H_1(SA_i \| ssk_{i,1})}\big).$$

For a secret key vsk_j of some vehicle V_j issued by SA_i, Equation (2) holds as follows:

$$\hat{e}(vsk_{j,3}, g) = \hat{e}(ssk_{i,2}, g)\cdot \hat{e}\big(h^{\,r_{i,j} H_2(SA_i \| V_j \| vsk_{j,1} \| vsk_{j,2})}, g\big) = \hat{e}\big(h,\; vsk_{j,1}\cdot y^{H_1(SA_i \| vsk_{j,1})}\cdot vsk_{j,2}^{\,H_2(SA_i \| V_j \| vsk_{j,1} \| vsk_{j,2})}\big).$$

The correctness of Equation (3) can be proved in the same way as Equation (2).

In the token distribution protocol, the correctness of the tuple T_j generated by vehicle V_j with regard to roadside unit RU_l is straightforward, since θ_{j,2} = vsk_{j,3} · h^{v_j H_3(V_j || RU_l || t_j || θ_{j,1})}. Similarly, the correctness of Equations (5) and (6) can be verified.

For two ciphertexts U = (u_1, u_2, u_3, u_4) and U' = (u'_1, u'_2, u'_3, u'_4), we have

$$\hat{e}(u_1, u'_3) = \hat{e}\big(g^s, H_7(RU'_l \| I')^{s'}\big) = \hat{e}\big(g, H_7(RU'_l \| I')\big)^{s s'}$$

and

$$\hat{e}(u'_1, u_3) = \hat{e}\big(g^{s'}, H_7(RU_l \| I)^{s}\big) = \hat{e}\big(g, H_7(RU_l \| I)\big)^{s s'}.$$

Thus, Equation (7) holds if and only if RU_l || I = RU'_l || I'. (The "only if" direction relies on H_7 being collision-resistant, as it is when modeled as a random oracle: two different inputs with H_7(RU_l || I) = H_7(RU'_l || I') would also satisfy Equation (7).)

For a valid ciphertext U, Equation (8) in the RA processing phase holds as follows:

$$\hat{e}(u_1, H_7(RU_l \| I)) = \hat{e}\big(g^s, H_7(RU_l \| I)\big) = \hat{e}\big(g, H_7(RU_l \| I)^s\big) = \hat{e}(u_3, g).$$

Theorem 2 Suppose the CDH assumption holds in the bilinear group G. The proposed RCoM scheme is UF-SI-CMA secure for road condition reports against adaptive impersonation attacks. That is, no vehicle can forge road condition reports of other vehicles.

Proof The proof follows the standard framework established in [27, Theorem 1]. He et al.'s scheme [27] is proven existentially unforgeable against selective identity and chosen message attacks assuming that the CDH assumption holds in the bilinear group G. Our proof of Theorem 2 in the random oracle model follows [27, Theorem 1] closely, except that in the setup phase the challenger C chooses z ∈_R Z_p^* and computes w = g^z, and in the query phase the challenger C needs to answer two more types of queries, i.e., road condition report and RA processing queries. In fact, the road condition report queries can be answered in a similar way to the vehicle/roadside unit registration queries since only the public parameter y is involved in generating u_1, u_2, u_3, whereas the RA processing queries can be answered directly using z. Thus, our RCoM scheme is UF-SI-CMA secure if the CDH assumption holds in G.

Theorem 3 Suppose the CDH assumption holds in the bilinear group G. The proposed RCoM scheme is UF-SI-CMA secure for the secret keys of sub-authorities, vehicles and roadside units against adaptive impersonation attacks. That is, no vehicle can forge a valid secret key of another vehicle, sub-authority or roadside unit.

As noted in Remark 1, the proof follows directly from Theorem 2.

Theorem 4 Suppose the CDH assumption holds in the bilinear group G. The proposed RCoM scheme offers OW-CCA2 confidentiality for road condition reports against the cloud server.

Proof The proof follows the standard framework established in [29, Theorem 3]. Yang et al.'s scheme [29] is proven OW-CCA2 secure assuming that the CDH assumption holds in the bilinear group G. Our proof of Theorem 4 in the random oracle model follows [29, Theorem 3] closely, except that in the setup phase the challenger C chooses x ∈_R Z_p^* and computes y = g^x, and in the query phase the challenger C needs to answer four more types of queries, i.e., delegation, vehicle registration, roadside unit registration and road condition report queries. In fact, these queries can be answered directly using x and y without leaking any information about RU* || I*. Thus, our RCoM scheme is OW-CCA2 secure if the CDH assumption holds in G.

6 COMPARISON AND ANALYSIS

6.1 Functionality comparison

We now compare our RCoM construction with existing schemes in Table 2. In [24], [25], the authors studied the delegated data outsourcing scenario, in which the data owner is able to authorize a proxy to process her data and upload it to the cloud server. In particular, the data owner needs to generate a warrant, sign it with some signature scheme E, and give the authorization pair (warrant, signature) to the proxy for verification. Note that if the signature scheme E is secure, then no one, including the designated proxy, can forge a (warrant, signature) pair. This authorization mechanism also implies that the delegation/authorization can be publicly verified in the comprehensive auditing phase on outsourced data. Compared with our RCoM scheme, the proposals in [24], [25] did not consider data privacy protection, so they cannot support equality tests on ciphertexts without decryption.

TABLE 2
Comparison with related techniques.

Functionality | Ours | [24] | [25] | [26] | [27] | [28]
Delegation | √ | √ | √ | √ | √ | √
Source authentication | √ | √ | √ | √ | √ | √
Integrity guarantee | √ | √ | √ | √ | √ | ×
Privacy protection | √ | × | × | × | × | √
Third party equality test | √ | × | × | × | × | ×

In [26], Yang et al. designed a framework to authenticate messages in the ADS-B system based on a three-level hierarchical identity-based signature scheme. They also noticed that verification costs need to be reduced, especially when the recipient receives many (message, signature) pairs. This issue was addressed in their two proposed concrete schemes with partial and full batch verification, respectively. He et al. [27] studied the same problem and proposed a more efficient construction without hash-to-point operations. Compared with our scheme, there is no data privacy protection in the ADS-B authentication framework and constructions of [26], [27].

Baek et al. [28] presented a confidentiality framework for ADS-B. They noted that key management and effi-

takes two exponentiations in G to generate such a secret key, whereas the vehicle (or the roadside unit) takes two more bilinear pairings to do the verification.

The protocol TKdis contains four steps between a vehicle V_j and a roadside unit RU_l. The tuple T_j is generated by V_j with two exponentiations in G, while it is validated by RU_l with three exponentiations and two bilinear pairings. If T_j passes the validation, then an authentication tuple T_l would
ciency are two key issues in this framework. To address be produced and verified by RUl and Vj , respectively, with
these issues, a staged identity-based encryption scheme the same computation costs for Tj . In generating a road
(SIBE) is designed from identity-based encryption (IBE) and condition report (U, W ), the vehicle Vj only needs to take
symmetric encryption. IBE does not need complicated key four exponentiations in G to compose the elements in U .
management mechanism as in traditional PKI-based crypto The generation of W does not involve any complicated
systems, however, many IBE schemes may require resource- computation. In the CLpro algorithm, every tuple (U, W ) is
intensive computations such as bilinear mapping. To reduce verified and compared with the stored equivalence classes.
the computation costs, only the symmetric key is transferred As shown in Equation (6), the verification step takes three
as IBE ciphertext in the first stage of SIBE, all the subsequent exponentiations and two bilinear pairings. Suppose there
communication are secured by the symmetric encryption are n equivalence classes at the cloud server side. For a
scheme. Compared with RCoM scheme, their confidentiality new report (U, W ), it is compared with only one element
framework and SIBE scheme do not consider data integrity in each equivalence class. Thus, the second step of equality
protection and the ciphertexts do not allow equality test. test in CLpro takes at most 2n bilinear pairings, that is, this
step enjoys the linear computation complexity. In the RApro
algorithm, RA recovers RUl kI from U , which requires four
6.2 Theoretical analysis
exponentiation and four bilinear pairings.
We analyze the computational complexity of our RCoM
scheme in terms of computation costs of every algorith- 6.3 Experimental analysis
m/protocol at each entity side, which is summarized in We conducted the experiments of our RCoM scheme
Table 3. Our analysis focuses on the most time-consuming using the Pairing Based Cryptography Library (PBC,
operations in the scheme such as exponentiations in group http://crypto.stanford.edu/pbc/). The details of hardware
G and bilinear pairing ê. In the table, Exp and Pair denote and software environments are summarized in Table 4. The
the evaluation times of an exponentiation in G and a bilinear elliptic curve is of Type A (y 2 = x3 + x) such that p is a
pairing, respectively. 160-bit prime and the element size in G is 256 bits.
TABLE 3 TABLE 4
Computational complexity of each algorithm/protocol in RCoM scheme. Experiment environments.
[Fig. 5. Performance evaluation of the CLpro algorithm. x-axis: No. of equivalence classes (10 to 100); y-axis: Time (seconds).]

[Two bar charts of running times, y-axis Time (milliseconds); captions not recovered.]

This article is supported in part by the National Key R&D Program of China through project 2017YFB0802500, the National Natural Science Foundation of China under projects 61772150, 61772538, 61672083, 91646203, 61472429, 61402029, 61862012, 61862011, and 61602125, the National Cryptography Development Fund of China under projects
[2] Q. Wu, J. Domingo-Ferrer, and U. Gonzalez-Nicolas, "Balanced trustworthiness, safety, and privacy in vehicle-to-vehicle communications," IEEE Transactions on Vehicular Technology, vol. 59, no. 2, pp. 559–573, Feb 2010.
[3] F. Qu, Z. Wu, F. Y. Wang, and W. Cho, "A security and privacy review of VANETs," IEEE Transactions on Intelligent Transportation Systems, vol. 16, no. 6, pp. 2985–2996, Dec 2015.
[4] "IEEE Standard for Wireless Access in Vehicular Environments–Security Services for Applications and Management Messages," IEEE Std 1609.2-2016 (Revision of IEEE Std 1609.2-2013), pp. 1–240, March 2016.
[5] L. Zhang, Q. Wu, J. Domingo-Ferrer, B. Qin, and C. Hu, "Distributed aggregate privacy-preserving authentication in VANETs," IEEE Transactions on Intelligent Transportation Systems, vol. 18, no. 3, pp. 516–526, March 2017.
[6] L. Chen, S. L. Ng, and G. Wang, "Threshold anonymous announcement in VANETs," IEEE Journal on Selected Areas in Communications, vol. 29, no. 3, pp. 605–615, March 2011.
[7] Y. Liu, J. Ling, Q. Wu, and B. Qin, "Scalable privacy-enhanced traffic monitoring in vehicular ad hoc networks," Soft Computing, vol. 20, no. 8, pp. 3335–3346, Aug 2016.
[8] R. Yu, Y. Zhang, S. Gjessing, W. Xia, and K. Yang, "Toward cloud-based vehicular networks with efficient resource management," IEEE Network, vol. 27, no. 5, pp. 48–55, September 2013.
[9] J. A. Guerrero-Ibanez, S. Zeadally, and J. Contreras-Castillo, "Integration challenges of intelligent transportation systems with connected vehicle, cloud computing, and internet of things technologies," IEEE Wireless Communications, vol. 22, no. 6, pp. 122–128, December 2015.
[10] M. Armbrust, A. Fox, R. Griffith, A. D. Joseph, R. Katz, A. Konwinski, G. Lee, D. Patterson, A. Rabkin, I. Stoica, and M. Zaharia, "A view of cloud computing," Commun. ACM, vol. 53, no. 4, pp. 50–58, Apr. 2010.
[11] C. Gentry, "Fully homomorphic encryption using ideal lattices," in Proceedings of the Forty-first Annual ACM Symposium on Theory of Computing, ser. STOC'09. New York, NY, USA: ACM, 2009, pp. 169–178.
[12] Q. Wu, B. Qin, L. Zhang, J. Domingo-Ferrer, O. Farràs, and J. A. Manjón, "Contributory broadcast encryption with efficient encryption and short ciphertexts," IEEE Transactions on Computers, vol. 65, no. 2, pp. 466–479, Feb 2016.
[13] L. Guo, M. Dong, K. Ota, Q. Li, T. Ye, J. Wu, and J. Li, "A secure mechanism for big data collection in large scale internet of vehicle," IEEE Internet of Things Journal, vol. 4, no. 2, pp. 601–610, April 2017.
[14] V. Sucasas, G. Mantas, F. B. Saghezchi, A. Radwan, and J. Rodriguez, "An autonomous privacy-preserving authentication scheme for intelligent transportation systems," Computers & Security, vol. 60, pp. 193–205, 2016.
[15] A. Malhi and S. Batra, "Privacy-preserving authentication framework using bloom filter for secure vehicular communications," International Journal of Information Security, vol. 15, no. 4, pp. 433–453, Aug 2016.
[16] Y. Liu, W. Guo, C.-I. Fan, L. Chang, and C. Cheng, "A practical privacy-preserving data aggregation (3PDA) scheme for smart grid," IEEE Transactions on Industrial Informatics, pp. 1–1, 2018.
[17] D. Song, E. Shi, I. Fischer, and U. Shankar, "Cloud data protection for the masses," IEEE Computer, vol. 45, no. 1, pp. 39–45, Jan 2012.
[18] B. Wang, H. Li, X. Liu, F. Li, and X. Li, "Efficient public verification on the integrity of multi-owner data in the cloud," Journal of Communications and Networks, vol. 16, no. 6, pp. 592–599, Dec 2014.
[19] G. Ateniese, R. Burns, R. Curtmola, J. Herring, L. Kissner, Z. Peterson, and D. Song, "Provable data possession at untrusted stores," in Proceedings of the 14th ACM Conference on Computer and Communications Security, ser. CCS'07. New York, NY, USA: ACM, 2007, pp. 598–609.
[20] A. Juels and B. S. Kaliski, Jr., "PORs: Proofs of retrievability for large files," in Proceedings of the 14th ACM Conference on Computer and Communications Security, ser. CCS'07. New York, NY, USA: ACM, 2007, pp. 584–597.
[21] G. Ateniese, S. Kamara, and J. Katz, "Proofs of storage from homomorphic identification protocols," in Advances in Cryptology–ASIACRYPT 2009, M. Matsui, Ed. Springer Berlin Heidelberg, 2009, pp. 319–333.
[22] Y. Wang, Q. Wu, B. Qin, X. Chen, X. Huang, and J. Lou, "Ownership-hidden group-oriented proofs of storage from pre-homomorphic signatures," Peer-to-Peer Networking and Applications, vol. 11, no. 2, pp. 235–251, Mar 2018.
[23] H. Shacham and B. Waters, "Compact proofs of retrievability," Journal of Cryptology, vol. 26, no. 3, pp. 442–483, Jul 2013.
[24] H. Wang, D. He, and S. Tang, "Identity-based proxy-oriented data uploading and remote data integrity checking in public cloud," IEEE Transactions on Information Forensics and Security, vol. 11, no. 6, pp. 1165–1176, June 2016.
[25] Y. Wang, Q. Wu, B. Qin, W. Shi, R. H. Deng, and J. Hu, "Identity-based data outsourcing with comprehensive auditing in clouds," IEEE Transactions on Information Forensics and Security, vol. 12, no. 4, pp. 940–952, April 2017.
[26] A. Yang, X. Tan, J. Baek, and D. S. Wong, "A new ADS-B authentication framework based on efficient hierarchical identity-based signature with batch verification," IEEE Transactions on Services Computing, vol. 10, no. 2, pp. 165–175, March 2017.
[27] D. He, N. Kumar, K. K. R. Choo, and W. Wu, "Efficient hierarchical identity-based signature with batch verification for automatic dependent surveillance-broadcast system," IEEE Transactions on Information Forensics and Security, vol. 12, no. 2, pp. 454–464, Feb 2017.
[28] J. Baek, E. Hableel, Y. J. Byon, D. S. Wong, K. Jang, and H. Yeo, "How to protect ADS-B: Confidentiality framework and efficient realization based on staged identity-based encryption," IEEE Transactions on Intelligent Transportation Systems, vol. 18, no. 3, pp. 690–700, March 2017.
[29] G. Yang, C. H. Tan, Q. Huang, and D. S. Wong, "Probabilistic public key encryption with equality test," in Topics in Cryptology - CT-RSA 2010: The Cryptographers' Track at the RSA Conference 2010, San Francisco, CA, USA, March 1-5, 2010. Proceedings, J. Pieprzyk, Ed. Berlin, Heidelberg: Springer Berlin Heidelberg, 2010, pp. 119–131.
[30] Q. Tang, "Public key encryption supporting plaintext equality test and user-specified authorization," Security and Communication Networks, vol. 5, no. 12, pp. 1351–1362, 2012.
[31] S. Ma, Q. Huang, M. Zhang, and B. Yang, "Efficient public key encryption with equality test supporting flexible authorization," IEEE Transactions on Information Forensics and Security, vol. 10, no. 3, pp. 458–470, March 2015.
[32] S. Ma, M. Zhang, Q. Huang, and B. Yang, "Public key encryption with delegated equality test in a multi-user setting," The Computer Journal, vol. 58, no. 4, pp. 986–1002, 2015.
[33] Y. Wang and H. Pang, "Probabilistic public key encryption for controlled equijoin in relational databases," The Computer Journal, vol. 60, no. 4, pp. 600–612, 2017.
[34] H. Pang and X. Ding, "Privacy-preserving ad-hoc equi-join on outsourced data," ACM Trans. Database Syst., vol. 39, no. 3, pp. 23:1–23:40, Oct. 2014.
[35] Y. Wang, H. Pang, N. H. Tran, and R. H. Deng, "CCA secure encryption supporting authorized equality test on ciphertexts in standard model and its applications," Information Sciences, vol. 414, pp. 289–305, 2017.
[36] Z. Yan, W. Ding, X. Yu, H. Zhu, and R. H. Deng, "Deduplication on encrypted big data in cloud," IEEE Transactions on Big Data, vol. 2, no. 2, pp. 138–150, June 2016.
[37] H. Cui, R. H. Deng, Y. Li, and G. Wu, "Attribute-based storage supporting secure deduplication of encrypted data in cloud," IEEE Transactions on Big Data, vol. PP, no. 99, pp. 1–1, 2017.
[38] Z. Yan, L. Zhang, W. Ding, and Q. Zheng, "Heterogeneous data storage management with deduplication in cloud computing," IEEE Transactions on Big Data, vol. PP, no. 99, pp. 1–1, 2017.

Yujue Wang received the Ph.D. degrees from Wuhan University, Wuhan, China, and City University of Hong Kong, Hong Kong, under the joint Ph.D. program, in 2015. He was a Research Fellow with the School of Information Systems, Singapore Management University. He is currently with the School of Computer Science and Information Security, Guilin University of Electronic Technology, China. His research interests include applied cryptography, database security and cloud computing security.
Yong Ding received his PhD in Cryptography from the School of Communication Engineering, Xidian University, China, in 2005. He is currently a Professor at the School of Computer Science and Information Security, Guilin University of Electronic Technology, China. He was a research fellow of Computer Science at City University of Hong Kong from April 2008 to September 2009. His research interests include cryptography and information security.

Huiyong Wang received his Ph.D. degree in software theory and applications from the Chinese Academy of Sciences, China, in 2017. He is currently a Lecturer at the School of Mathematics and Computing Science, Guilin University of Electronic Technology, China. His research interests include privacy-preserving computation, information security, cyber security, multi-party computation and homomorphic encryption.