An Efficient SM9 Aggregate Signature Scheme for IoV Based on FPGA

Abstract

With the rapid development of the Internet of Vehicles (IoV), the demand for secure and efficient signature verification is becoming increasingly urgent. To meet this need, we propose an efficient SM9 aggregate signature scheme implemented on Field-Programmable Gate Array (FPGA). The scheme includes both fault-tolerant and non-fault-tolerant aggregate signature modes, which are designed to address challenges in various network environments. We provide security proofs for these two signature verification modes based on a K-ary Computational Additive Diffie–Hellman (K-CAA) difficult problem. To handle the numerous parallelizable elliptic curve point multiplication operations required during verification, we utilize FPGA’s parallel processing capabilities to design an efficient parallel point multiplication architecture. By the Montgomery point multiplication algorithm and the Barrett modular reduction algorithm, we optimize the single-point multiplication computation unit, achieving a point multiplication speed of 70776 times per second. Finally, the overall scheme was simulated and analyzed on an FPGA platform. The experimental results and analysis indicate that under error-free conditions, the proposed non-fault-tolerant aggregate mode reduces the verification time by up to 97.1% compared to other schemes. In fault-tolerant conditions, the proposed fault-tolerant aggregate mode reduces the verification time by up to 77.2% compared to other schemes. When compared to other fault-tolerant aggregate schemes, its verification time is only 28.9% of their consumption, and even in the non-fault-tolerant aggregate mode, the verification time is reduced by at least 39.1%. Therefore, the proposed scheme demonstrates significant advantages in both error-free and fault-tolerant scenarios.

1. Introduction

Currently, with the rapid development of the Internet of Things (IoT), an increasing number of vehicles are becoming intelligent, giving rise to the Internet of Vehicles (IoV). Within the same regional network, different IoV components exchange information through their self-organizing networks. However, IoV faces numerous challenges, such as communication delays, resource limitations, and complex communication environments. Efficiently verifying a large number of signatures using edge computing resources, while ensuring the accuracy and security of the information, is therefore a critical challenge [1,2]. To address this problem, current methods for accelerating signature verification primarily fall into two categories: (1) Compression Techniques: These methods aim to reduce the length of information to accelerate computation, such as through aggregate signature technology. (2) Algorithm Optimization: These methods focus on hardware and software optimization of the algorithms involved in signature verification, such as optimizing elliptic curve algorithms and leveraging Field-Programmable Gate Array (FPGA) hardware acceleration. However, aggregate signatures still face several issues, such as relatively long verification times and the potential for batch signature invalidation. Techniques such as parallel point multiplication acceleration and fault-tolerant aggregate signatures can effectively address these issues.

In order to address the challenge of efficiently verifying a large number of signatures, various scholars have proposed their own schemes based on different computational hardness problems and from distinct perspectives for improvement. Xie [3] improved the CLAS aggregate signature scheme based on the Elliptic Curve Discrete Logarithm Problem (ECDLP). While this reduced the time complexity of various stages of the aggregate signature process, it did not adequately address the issues of numerous point multiplication operations and fault tolerance. An [4] modified the SM9 algorithm to support aggregate signatures, improving its performance; however, the number of point multiplication operations remains high, and fault tolerance issues were not resolved. Mei [5] designed an aggregate signature scheme aimed at addressing location privacy concerns in vehicular networks, effectively ensuring the integrity and authenticity of information, but further improvements in fault tolerance and elliptic curve acceleration remain possible. Ran [6] further enhanced the elliptic curve-based aggregate signature scheme, making it more suitable for IoT applications, yet fault tolerance was not considered. Yang [7] applied aggregate signature modifications to the Schnorr signature to adapt it to wireless communication networks in the medical IoT environment, but these modifications introduced a significant number of elliptic curve operations, leaving room for optimization in terms of efficiency. Fu [8], to solve the problem of numerous point multiplication operations in aggregate signatures, accelerated these operations using FPGA, but the fault tolerance issue was still unresolved. To tackle the fault tolerance problem in aggregate signatures, Hartung [9] proposed the concept of fault-tolerant aggregate signatures and provided theoretical derivations, but this concept has not been applied to practical schemes. Therefore, for the efficient optimization of aggregate signatures, accelerating point multiplication operations and introducing fault tolerance are crucial.

In current aggregate signature schemes, the point multiplication operation is a critical path that is relatively time consuming. There are various methods for point multiplication, such as the binary expansion method, sliding window method [10], and window non-adjacent form (w-NAF) method [11]. However, there is still room for optimization in both software and hardware implementations. To improve the efficiency of point multiplication algorithms, many scholars have conducted research from different perspectives. In software, Hai et al. [12] proposed replacing odd numbers with prime numbers during the pre-computation phase and constructing micro multi-base chains to compensate for the differences between primes and odd numbers, reducing the computational complexity of scalar multiplication by up to 77.38%. Zhao et al. [13] further optimized the computational complexity by replacing the odd numbers in the base chains of the w-NAF chain with the form of $2^n$. In hardware: Bellemou et al. [14] used the Montgomery power ladder binary method and an improved Radix-$2^{32}$ Montgomery modular multiplication to optimize elliptic curve point multiplication, achieving a computation time of 14.32 ms and balancing security and efficiency. Yue Hao et al. [15], based on the Zynq platform, utilized the Montgomery ladder algorithm and adaptively modified point addition and point double, optimizing the computation time to 1.80 ms. Islam et al. [16], also using the Montgomery ladder algorithm on the Virtex-7 platform, proposed a Radix-2 modular multiplication architecture on the Edwards curve, optimizing the computation time to 1.63 ms.

The SM9 [17] identity-based encryption algorithm was proposed in 2016 and officially became an international standard in 2021. Numerous scholars have researched and applied this algorithm. For instance, as mentioned earlier, the SM9 aggregate signature proposed by An Tao [4] added aggregation functionality to the SM9 signature. Additionally, Liu et al. [18] combined threshold signatures, ring signatures, and SM9 to achieve higher security but did not optimize for time consumption. Liu et al. [19] proposed a two-party cooperative signature based on SM9 and applied it to smart homes, although there remains significant room for optimization in verification efficiency. Jing et al. [20] introduced a four-stage pipeline improved modular multiplication algorithm and enhanced point addition and point double algorithms. Tested on the Zynq FPGA platform based on SM9, the point multiplication algorithm achieved a performance of 1179 operations per second, though further improvements could be made in utilizing FPGA board resources. Wang et al. [21] designed highly parallel computational unit structures and optimized $F_p$ and $F_{p^2}$ domain point addition, point double, and line functions. Based on the SM9 algorithm, they designed optimal ATE computation units on the Virtex-7 FPGA platform, reducing computation time to 3.43 ms, which is 20% of the time consumed by similar designs. Cheng [22] reduced the hardware cost of the SM9 algorithm by simplifying the Frobenius map and implemented its parallel structure. However, FPGA optimization for bilinear pairings is quite resource intensive, and optimizing point multiplication operations is crucial for improving verification efficiency in aggregate signature verification. Therefore, how to fully utilize edge resources to accelerate point multiplication and apply it to specific schemes is a critical issue.

In our work, (1) we design a comprehensive scheme for SM9 aggregate signatures based on FPGA. (2) We employ a parallel hardware structure to accelerate the computation speed of aggregate signature verification. (3) We utilize an improved Montgomery ladder algorithm to compute $F_p$ domain point multiplications in SM9 verification and optimize the Barrett modular reduction algorithm to better suit the characteristics of SM9. (4) We implement a fault-tolerant mechanism within the aggregate signature scheme and analyze and prove the scheme’s security based on the K-ary Computational Additive Diffie–Hellman (K-CAA) difficult problem.

The rest of the paper is organized as follows: In Section 2, we introduce the preliminary knowledge and related work pertinent to our work, mainly including the SM9 signature algorithm, aggregate signatures, K-CAA problem, and fault tolerance mechanisms. In Section 3, we describe the overall architecture of our proposed scheme In Section 4, we present the hardware design, optimization strategies employed, and the fault-tolerant mechanism design. In Section 5, we analyze the experimental results. In Section 6, we provide a conclusion and outlook for future work.

2. Related Work

Our work primarily involves the SM9 signature and verification algorithm, aggregate signatures, the K-CAA problem in hardness issues, and fault tolerance mechanisms. The background and related work are introduced in four parts below.

2.1. SM9 Signature Algorithm

As shown in Figure 1, the SM9 algorithm can be divided into four levels in terms of functionality and complexity. The first level is the SM9 protocol layer, which includes the signature algorithm, key exchange protocol, and others. The second level consists of bilinear pairing and point multiplication, which are more complex functional components based on elliptic curve operations. The bilinear pairing $e\left(a,b\right)$ operation rules are quite special and can be referenced in [23]. The first level achieves its functionality by invoking these components. The third level includes point addition and point double, which are the basic elliptic curve operations. The fourth level comprises modular addition, modular inversion, modular multiplication, and modular subtraction over finite fields [24].

2.2. Aggregate Signature

The current focus of research on encryption mechanisms is on computational efficiency and memory optimization [25]. To address these issues, many aggregate signature schemes have been developed [2,3,4,5,6,7]. Most aggregate signature algorithms involve the following steps: sign, single signature verification, aggregate signature generation, and aggregate signature verification. Below are the descriptions and explanations of these algorithms:

(a)

Sign: The user, holding the signature private key $d{s}_i$ issued by the Key Generation Center (KGC), generates a signature ${\sigma }_i$ for the message $m_i$ they intend to send.

(b)

Single Signature Verification: The verifier, holding the signature public key $Q_i$, receives the message $m_i$ and uses the public key $Q_i$, the message $m_i$, and the signature ${\sigma }_i$ to perform the verification.

(c)

Aggregate Signature: The aggregator, holding the signature public keys $Q_i$ for multiple messages, the signatures ${\sigma }_i$ of these multiple messages, and other accompanying information $o{m}_i$ sent, aggregates the signatures to obtain an aggregate signature $\sigma$ along with the packaged messages $M$ and accompanying information $OM$.

(d)

Aggregate Signature Verification: The verifier, upon receiving the aggregate signature $\sigma$, the packaged messages $M$, and the accompanying information $OM$ sent by the aggregator, uses the corresponding public keys $Q_i$ to perform the verification.

These steps are the most time-consuming parts of the aggregate signature mechanism. This is particularly true when an error occurs in the aggregate signature, as it requires individual verification of each signature [26], leading to a significant amount of time spent on single signature verifications.

2.3. K-CAA Problem

At present, the main computational hardness assumption problems for elliptic curves include the Computational Diffie–Hellman (CDH) problem [25] and ECDLP [3]. In elliptic curve aggregate signatures, the commonly used hardness assumption is the K-CAA problem. Below is the definition of the K-CAA problem.

Let $\left(G_1,+\right)$ be a cyclic group of order $q$, where $q$ is a large prime number. For an integer $k$ and unknown $x\in Z_q^{*}$, given $\left\{e_1,e_2,\cdots ,e_k\right\}\in Z_q^{*}$, $g,xg\in G_1$ and $\left\{{\displaystyle \frac{1}{x+e_1}}g,{\displaystyle \frac{1}{x+e_2}}g,\cdots ,{\displaystyle \frac{1}{x+e_k}}g\right\}$, compute $\left(e,{\displaystyle \frac{1}{x+e}}g\right)$, where $e\in Z_q^{*},e\notin \left\{e_1,e_2,\cdots ,e_k\right\}$.

2.4. Fault Tolerance Mechanism

To address the significant time consumption caused by verifying individual signatures due to aggregated erroneous signatures, Hartung et al. [9] proposed the concept of fault-tolerant aggregate signatures and conducted theoretical derivations. References [27,28] further extended these schemes based on non-overlapping sets using compression and nesting methods, respectively. However, these schemes are very challenging to implementing in practice. Wang et al. [26] proposed a new fault-tolerant scheme based on $uniform(k,n)-set$ combinatorial theory and validated it theoretically. We adopt $uniform(k,n)-set$ approach. Below is an introduction to the theoretical framework. Given a set $A=\left\{a_1,a_2,\dots ,a_{m-1},a_m\right\}$ and its subsets $A_1,A_2,\dots A_{n-1},A_n\subset A$, these subsets satisfy $uniform(k,n)-set$, where $m\ge C_n^{k-1}$. Additionally, these subsets meet the following conditions: (1) The sizes of these subsets are all equal. (2) For any $k$ subsets $A_{i1},A_{i2},\dots A_{ik}\in \left\{A_1,\dots A_{n-1},A_n\right\}$, the union of $A_{i1},A_{i2},\dots A_{ik}$ is $A$. (3) For any $k-1$ distinct subsets, the union of any $A_{ij},j\in \left[1,k-1\right]$ subsets contains at least one element $a_i$ that is not included in the union.

Cao et al. [29] proposed a method suitable for constructing a structure of $uniform(k,n)-set$. First, the set $A_1,A_2,\dots A_{n-1}$ is evenly divided into $m=C_n^{k-1}$ groups, each including $k-1$ subsets $A_i$. The format of the subsets is shown in Equation (1).

$$\left\{\begin{array}{c}{W}_1=A_{11}\cup A_{12}\dots \cup A_{1k-1}\\ \dots \\ W_m=A_{m1}\cup A_{m2}\dots \cup A_{mk-1}\end{array}\right.$$

(1)

where $A_{i1}\in A,i=1,2,\dots ,m,j=1,2,\dots ,k-1,i\ne j,W_i\ne W_j,a\ne b,a_b\notin W_b,a_b\notin W_c,1\le b,c\le m$.

Below is an example. Suppose we have a set $A=\left\{a_1,\dots ,a_{10}\right\}$; then, $m=10$. It is straightforward to set $n=5, k=4$, which satisfies the condition $C_n^{k-1}=10$. Then, dividing these 5 subsets $A_1,\dots ,A_5$ into 10 groups can be achieved by arranging them into 10 different sets of numbers, that is, $\left\{A_1,A_2,A_3\right\}, \left\{A_1,A_2,A_4\right\}, \left\{A_1,A_2,A_5\right\},\cdots ,\left\{A_3,A_4,A_5\right\}$.

Based on the requirements for $uniform(k,n)-set$ mentioned above, we can derive the specific subsets $A_1,\dots ,A_5$, as shown in Equation (2):

$$\begin{array}{l}{A}_1=\left\{a_1,a_2,a_4,a_7\right\}\\ A_2=\left\{a_2,a_3,a_6,a_9\right\}\\ A_3=\left\{a_1,a_3,a_5,a_8\right\}\\ A_4=\left\{a_4,a_5,a_6,a_{10}\right\}\\ A_5=\left\{a_7,a_8,a_9,a_{10}\right\}\end{array}$$

(2)

The specific construction method is referred to in references [26,29].

3. Entire Structure of the Scheme

In our work, there are two available modes: the classic aggregate signature mode and the fault-tolerant aggregate signature mode. The classic aggregate signature mode is suitable for scenarios with minimal network errors, while the fault-tolerant aggregate signature mode can handle situations with a certain error rate. The choice between these two methods only requires the Road-Side Unit (RSU) to decide based on its own situation with little impact on the perception of the authentication center and vehicles in the network.

As shown in Figure 2, the entire scheme is illustrated. While vehicles are driving on the road, they collect information, which is then aggregated by a randomly selected vehicle responsible for gathering the aggregated information, and subsequently sent to the RSU. The RSU initially processes the information using its CPU before passing it to the attached FPGA device for further processing. After the FPGA processes the information, it is sent back to the CPU for final processing. Once the RSU has processed the information, it is fed back to the vehicle cluster and the server. This scheme is an improvement based on the systems described in references [4,30]. The processes of system establishment, master key generation, vehicle registration, and key distribution are the same as those in the aforementioned references. The following sections will describe the main parts and the improved processes, including the sign, single signature verification, aggregate signature generation, and aggregate signature verification.

First, the main parameters required for the efficient SM9 aggregate signature scheme need to be explained, as shown in

Table 1. Notations.

Notation	Descriptions
$P_1,P_2$	Two different generators in the system
$ks$	System master private key
$kpb$	System master public key, $kpb=k·P_2\left(k\in Z_{n-1}^{*}\right)$
$N$	The order of the elliptic curve group in SM9
$H_1\left(Z,n\right),H_2\left(Z,n\right)$	One-way hash function, which takes a bit string $Z$ and an integer $n$ as input, outputs $h\in [1,n-1]$
$I{D}_i$	The real identity of vehicle $i$
$hid$	Private key generation identifier
$VI{D}_i$	Pseudonym assigned to vehicle $i$, denoted as $VI{D}_i=H_1\left(I{D}_i\left|\right|hid,N\right)$
$s_i$	Private key of vehicle $i$, $s_i=k·{\left(VI{D}_i+k\right)}^{-1}·P_1$
$Q_i$	Public key of vehicle $i$, $Q_i=VI{D}_i·P_2+kpb$

. The public key, private key, and pseudonym of the vehicle are assigned by the authentication center.

The following is the overall process of the efficient SM9 aggregate signature scheme. This section is divided into four parts: sign, single signature verification, fault-tolerant aggregate signature, and fault-tolerant aggregate verification.

(1)

Sign: $sign(m_i,VI{D}_i)$, where $m_i$ is the message to be sent.

(a)

Compute $g=e\left(P_1,kpb\right)$;

(b)

Randomly select $r_i,r_i\in Z_{n-1}^{*}$, and compute $w_i=g^{r_i}$;

(c)

Compute $h_{2i}=H_2\left(m_i\left|\right|w_i,N\right),L_i$. If $L_i=0$, reselect the random number; otherwise, $L_i=\left(r_i-VI{D}_i\right)\mathrm{mod}N$;

(d)

Compute $S_i=L_i·s_i,U_i=L_i·s_i·VI{D}_i$;

(e)

Package and send $\left(m_i,S_i,U_i,w_i\right)$.

(2)

Single signature verification: To verify the received message packet $\left(m_i,S_i,U_i,w_i\right)$, the verification process is as follows:

(a)

Compute $g=e\left(P_1,kpb\right),h_{2i}=H_2\left(m_i\left|\right|w_i,N\right),t_i=g^{h_{2i}}$;

(b)

Compute $v_i=e\left(S_i,Q_i\right)·t_i$, verify whether $v_i$ is equal to $w_i$. If they are not equal, the verification fails.

(3)

Fault-tolerant aggregate signature: The RSU can negotiate with the selected vehicle OBU based on its own situation to adopt the following non-fault-tolerant or fault-tolerant aggregate signature modes.

(a)

Non-fault-tolerant aggregate signature mode;

The OBU of the randomly selected vehicle acts as the signature aggregator. The set of pseudonyms of the received vehicles is $\left\{VI{D}_1,\dots ,VI{D}_n\right\}$, the corresponding set of messages is $\left\{m_1,\dots m_n\right\}$, and the received digital signatures are $\left\{\left(S_1,U_1,w_1\right),\dots ,\left(S_n,U_n,w_n\right)\right\}$. The signature aggregator computes $NU={\displaystyle \sum _{i=1}^8{U}_i},NS={\displaystyle \sum _{i=1}^8{S}_i},NW={\displaystyle \sum _{i=1}^8{w}_i}$. The aggregate signature is $\delta =\left(NS,NU,NW,w_1,\dots ,w_8\right)$.

•  

  (b)

  Fault-tolerant aggregate signature mode.

The OBU of the randomly selected vehicle acts as the signature aggregator, performing fault-tolerant aggregation processing on the received signature set. The set of pseudonyms of the received vehicles is $\left\{VI{D}_1,\dots ,VI{D}_n\right\}$, the corresponding set of messages is $\left\{m_1,\dots m_n\right\}$, and the received digital signatures are $\left\{\left(S_1,U_1,w_1\right),\dots ,\left(S_n,U_n,w_n\right)\right\}$. Due to the limited resources of the RSU, the received digital signatures and messages are divided into $uniform(8,9)$. According to the lemma mentioned in [26], there are a total of nine subsets, each containing eight elements. These are defined as $\left\{T_1,\dots ,T_9\right\}$. The fault-tolerant aggregate signature set composition is represented as $T_i=\left(T{S}_i,T{U}_i,T{w}_i,w_1,\dots ,w_8\right)$, where $w_1,\dots ,w_8$ is not specifically the first eight received digital signatures but rather a generic representation. Suppose the digital signature set $\left\{\left(S_1,U_1,w_1\right),\dots ,\left(S_8,U_8,w_8\right)\right\}$ forms the combination elements of $uniform(8,9)$; then, the aggregation method of $T_i$ is shown in Equations (3)–(5).

$$T{S}_i={\displaystyle \sum _{i=1}^8{S}_i}$$

(3)

$$T{U}_i={\displaystyle \sum _{i=1}^8{U}_i}$$

(4)

$$T{w}_i={\displaystyle \prod _{i=1}^8{w}_i}$$

(5)

(4)

Fault-tolerant aggregate verification: The RSU selects the verification mode based on the previously negotiated mode.

(a)

Non-fault-tolerant verification mode;

The RSU receives the message set $\left\{m_1,\dots m_n\right\}$ and the aggregate signature $\delta =\left(NS,NU,NW,w_1,\dots ,w_8\right)$ sent by the vehicle OBU, computation $h_{2i}=H_2\left(m_i\left|\right|w_i,N\right)$ and verification Equation (6).

$$e\left(NS,kpb\right)e(NU,P_2)e({\displaystyle \sum _{i=1}^8{h}_{2i}}{P}_1,kpb)=NW$$

(6)

•  

  (b)

  Fault-tolerant verification mode.

After receiving the message set $\left\{m_1,\dots m_n\right\}$ and the fault-tolerant aggregate signature $\left\{T_1,\dots ,T_n\right\}$ sent by the signature aggregator, the RSU computes $h_{2i}=H_2\left(m_i\left|\right|w_i,N\right)$ and verifies each fault-tolerant aggregate signature using Equation (7), where $c$ is the number of signatures that constitute a single fault-tolerant aggregate signature set.

$$e\left(T{S}_i,kpb\right)e(T{U}_i,P_2)e({\displaystyle \sum _{i=1}^c{h}_{2i}}{P}_1,kpb)=T{w}_i$$

(7)

It can be noted that there are a large number of point multiplication operations in Equations (6) and (7). Regardless of whether it is in the non-fault-tolerant aggregation or fault-tolerant aggregation process, the number of point multiplication operations will increase with the number of signatures, and point multiplication is a quite time-consuming operation [31]. Therefore, the time consumption will surge. Consequently, the point multiplication operations in the SM9 efficient aggregate signature scheme can be offloaded to the FPGA board for computation.

4. Hardware Improved Acceleration Structure

The overall structure of the hardware acceleration for the efficient SM9 aggregate signature scheme is shown in Figure 3. The architecture consists of a CPU connected to multiple FPGA boards with information exchanged via the PCIe bus. The CPU is responsible for bilinear pairing operations involved in the SM9 algorithm, the configuration of parallel point multiplication parameters in SM9, and the final verification of the results. The FPGA boards are responsible for parallel acceleration of the point multiplication operations.

As illustrated in Figure 3, a master state machine is set up to control the data flow within each point multiplication unit and handle the subsequent processing of the computation results. The state transition diagram of the master state machine is shown in Figure 4.

In the Idle state, parameters are read, and the state machine is initialized. When the start signal is valid, the state machine updates multiple point multiplication parameter registers and transitions to the PONIT_MUL_DSB state; otherwise, it remains in Idle. Upon transitioning to the PONIT_MUL_DSB state, the state machine reads the multiple point multiplication tasks and assigns each individual point multiplication task to the corresponding point multiplication unit. Once the task distribution is completed, the state transitions to the PONIT_MUL_WAIT state. In the PONIT_MUL_WAIT state, after all point multiplication tasks are completed, the state machine reads all the computed results and transitions to the COORDINATE_CONVERT state. In the COORDINATE_CONVERT state, the state machine transfers all point multiplication results to the coordinate conversion unit for merging and coordinate transformation. Then, it transitions to the CONVERT_WAIT state. While in the CONVERT_WAIT state, the state machine waits for the coordinate conversion unit to complete its computation. After the coordinate conversion is completed, the state machine reads the results and transitions to the Output state to output the computed results. Finally, the state transitions back to the Idle state.

For each point multiplication unit, the state machine is responsible for controlling the data flow between the point addition and point doubling units, achieving unit reuse. Additionally, by configuring multiple point multiplication modules, the on-board resources can be fully utilized to accelerate large-scale point multiplication operations.

4.1. Montgomery Point Multiplication

Montgomery point multiplication is currently the most efficient point multiplication algorithm, with a time complexity superior to existing methods such as binary expansion, non-adjacent form (NAF), and NAF-related improved algorithms. Montgomery point multiplication requires a base point $G$, and subsequently calculates $P_1$ and $P_2$, where $P_1=G,P_2=2G$. Then, based on $P_1$, $P_2$ and the multiplication scalar $k$, the point multiplication result is computed. The computation process is shown in Algorithm 1. Additionally, it can resist simple power analysis attacks.

Algorithm 1: Montgomery Point Multiplication

Input: $G=(x_G,y_G),k=\left(k_{n-1},\dots ,k_0\right)$

Output: $Q=kG$

1. $P_1=G;P_2=2G;i=n-2$

2. $\mathrm{while}(i\ge 0)$ do

3. $\mathrm{if}(k_i==0)$ then $P_2=P_1+P_2;P_1=2P_1$;

4. $\mathrm{else} \mathrm{if} (k_i==1)$ then $P_1=P_1+P_2;P_2=2P_2$;

5. $i=i-1$;

6.   end if

7. end while

8. $Q=P_1$

4.2. Optimization of Finite Field Operational Units

Finite field arithmetic units are the fundamental components of elliptic curve operations, and they include modular addition, modular subtraction, modular multiplication, and modular inversion modules. The performance of these finite field arithmetic units is crucial for the computation speed of point multiplication algorithms on the FPGA.

4.2.1. Design of Modular Addition and Subtraction Units

To optimize the use of on-board resources and reduce the area, modular addition and subtraction are implemented in a combined manner using pure combinational logic. This module performs calculations based on the initial input modulus $P$ and mode selection $mode$. Since modular addition can result in overflow and modular subtraction can result in negative outcomes, these situations need to be handled accordingly. The optimized computation method is shown in Algorithm 2.

Algorithm 2: Modular Addition and Subtraction Algorithm

Input: $A,B,P,mode$

Output: $C$

1.  $\mathrm{if}(mode==0)$begin

2.   $B_1=B,Bam=P$

3.  end else begin

4.   $B_1=P,Bam=B$

5.  end

6.  $\left\{C{A}_1,C{A}_2\right\}=A+B_1$

7.  $\left\{CA{S}_1,CA{S}_2\right\}=\left\{C{A}_1,C{A}_2\right\}-\left\{1\prime b0,Bam\right\}$

8.  $\left\{C{S}_1,C{S}_2\right\}=A-B$

9.  $\mathrm{if}(mode==0)$begin

10.  $\mathrm{if}(CA{S}_1==1)$begin

11.   $C=C{A}_2$

12.  end else begin

13.   $C=CA{S}_2$

14. end

15. end else begin

16.  $\mathrm{if}(C_2==1)$begin

17.   $C=CA{S}_2$

18.  end else begin

19.    $C=C{S}_2$

20.  end

21. end

As shown in Figure 5, the hardware structure of the modular addition and subtraction is composed of pure combinational logic, forming a parallel circuit structure. The computation is completed within a single clock cycle.

4.2.2. Design of the Modular Inversion Unit

Currently, the algorithms for computing modular inverses include Fermat’s Little Theorem, the Montgomery algorithm, the Extended Euclidean algorithm, and the binary modular inversion algorithm. Fermat’s Little Theorem requires modular exponentiation, while the Montgomery algorithm needs two domain transformations to obtain the final modular inverse result. Additionally, the original Extended Euclidean algorithm involves division in each step of the multiplication operations, which is highly costly [32]. Therefore, a more hardware-suitable binary modular inversion algorithm is adopted. The computation process of the binary modular inversion algorithm is shown in Algorithm 3.

Algorithm 3: Modular Inverse Algorithm

Input: $a,b,p$

Output: $c=b{a}^{-1}\mathrm{mod}p$

1.   $u=a,v=p,x1=b,x2=0$

2.  $\mathrm{while}(u!=1\&\&v!=1)$ do

3.  $\mathrm{if}(u[0]==0\&\&x1[0]==0)$ then

4.   $u=u>>>1$; $x_1=x_1>>>1$;

5.   end if

6.  $\mathrm{if}(u[0]==0\&\&x1[0]==1)$ then

7.   $u=u>>>1$; $;x_1=\left(x_1+p\right)>>>1$;

8.  end if

9.  $\mathrm{if}(u[0]==1\&\&v[0]==0\&\&x2[0]==0)$ then

10.   $v=v>>>1$; $x_2=x_2>>>1$;

11. end if

12.  $\mathrm{if}(u[0]==1\&\&v[0]==0\&\&x2[0]==1$) then

13.   $v=v>>>1$; $x_2=\left(x_2+p\right)>>>1$;

14.  end if

15.  $\mathrm{if}(u[0]==1\&\&v[0]==1$) then

16.      $\mathrm{if} (u\ge v)$ then $u=u-v$; $x_1=x_1-x_2$;else

17.         $v=v-u$; $x_2=x_2-x_1$;

18.      end if

19  end if

20.  end while

21.  $\mathrm{if} (u!=1)$ then $x_1==x_2$ end if

22.  $\mathrm{while}(x_1\ge p$) do

23.     $x_1=x_1-p$

24.  end while

25.  $c=x_1$;

4.2.3. Design of the Fast Modular Multiplication Unit

In the computation of elliptic curve finite fields, modular multiplication is the most critical part affecting performance. Modular multiplication includes the Montgomery multiplication algorithm, interleaved modular multiplication algorithm, and Barrett modular multiplication algorithm. Although Montgomery multiplication offers good generality and flexibility, it requires a domain transformation of data. The interleaved modular multiplication involves many iterations, leading to longer computation time. The Barrett modular multiplication algorithm, on the other hand, can achieve low-cost computation for any modulus $p$ with precomputed parameters. Therefore, this section uses and Barrett modular reduction algorithm to implement the Barrett fast modular reduction algorithm.

(1)

KOA Fast Multiplication

The main idea of KOA multiplication is to use a recursive approach to reduce multiple lower-complexity multiplications into a higher-complexity multiplication. This results in a faster and more efficient multiplication algorithm. In the computation of KOA, some parameters need to be defined first. For an $n$ bit number $A$, it can be represented in binary as $A=\left(a_{n-1},\cdots ,a_1,a_0\right)$, $a_i\in \left\{0,1\right\},0\le i\le n-1$, where $A_H=\left(a_{n-1},\cdots ,a_{n/2}\right)$ is the higher-order part and $A_L=\left(a_{n/2-1},\cdots ,a_0\right)$ is the lower-order part. Using the above definitions, the two numbers $A$ and $B$ to be multiplied using KOA multiplication can be represented as

$$A=A_H\times 2^{n/2}+A_L$$

(8)

$$B=B_H\times 2^{n/2}+B_L$$

(9)

For $C=A\times B$, the result of the computation is

$$C=A_H\times B_H\times 2^n+\left(A_H\times B_L+A_L\times B_H\right)\times 2^{n/2}+A_L\times B_L$$

(10)

while $A_H\times B_L+A_L\times B_H$ can be represented as

$$A_H\times B_L+A_L\times B_H=\left(A_H+A_L\right)\times \left(B_H+B_L\right)-A_H\times B_H-A_L\times B_L$$

(11)

From the above, it is clear that KOA multiplication only requires the computation of $A_H\times B_H$, $A_L\times B_L$ and $\left(A_H+A_L\right)\times \left(B_H+B_L\right)$, further reducing the computational complexity.

In SM9, all operations are based on 256-bit numbers. To better utilize the FPGA’s on-board resources, a double recursion method can be used to divide a 256-bit multiplication into multiple 64-bit multiplications. Additionally, the multiplications $A_H\times B_H\times 2^n+\left(A_H\times B_L+A_L\times B_H\right)\times 2^{n/2}$ of $2^n$ and $2^{n/2}$ can be accomplished through bit shifting. The KOA multiplication process is shown in Algorithm 4.

Algorithm 4: KOA Multiplication

Input: $A,B,n$,

Output: $C$

1.  $\mathrm{if}(n==64)$ then return $C=A\times B$

2.  end if

3.  $A=A_H\times 2^{n/2}+A_L$;

4.  $B=B_H\times 2^{n/2}+B_L$;

5.  $X=KOA\left(A_H,B_H,{\displaystyle \frac{n}{2}}\right)$;

6.  $Y=KOA\left(A_H+A_L,B_H+B_L,{\displaystyle \frac{n}{2}}\right)$;

7.  $Z=KOA\left(A_L,B_L,{\displaystyle \frac{n}{2}}\right)$;

8.  $D=Y-X-Z$;

9.  $C=X<<n+D<<{\displaystyle \frac{n}{2}}+Z$;

To further leverage the performance of the KOA algorithm on the FPGA, the computation cycle of the DSP 64-bit multipliers used in the component design is set to 0. Wire-type variables are used to connect the components within the module, achieving the goal of immediate output upon input. A register is then set at the end to divide the clock cycle. As shown in Figure 6, the schematic diagram of the 256-bit KOA algorithm expansion is illustrated, where H and L represent the higher-order and lower-order bits of the further split data. Finally, a 512-bit multiplication result is output through an adder.

(2)

Barret Fast Multiplication

For any two positive integers $A$ and $B$, there exist two numbers $q$ and $r$ such that the following equation holds:

$$A=q\times B+r,r\in \left[0,b-1\right]$$

(12)

Thus, $A=r\mathrm{mod}B$, where $B$ is the modulus for the modular operation. However, finding such numbers $q$ and $r$ requires high-cost division operations. But when the modulus is a fixed value, the Barrett algorithm can be used to perform modular reduction using multiplication and shift operations [33]. Let $a,b\in \left[0,P-1\right]$ to obtain the result of $a\times b\mathrm{mod}P$. We can set $d=a\times b$, then $d=e\times P+c$, and we have $c$, which is the result of $a\times b\mathrm{mod}P$.

First, we calculate the approximate value $e_1$ of $e$. Let $\mu =⌊{\displaystyle \frac{2^{2n}}{P}}⌋,e_1=⌊{\displaystyle \frac{d}{P}}⌋$, where $n$ is the bit length of the modulus $P$ in its binary representation. Then, $e_1=⌊{\displaystyle \frac{d}{P}}⌋\approx ⌊⌊{\displaystyle \frac{d}{2^n}}⌋{\displaystyle \frac{\mu }{2^n}}⌋=⌊⌊d>>n⌋\mu >>n⌋$. The computation of $e_1$ thus transforms into a combination of shifts and multiplications. For the calculation of $\mu$, this value is precomputed in software and then input $\mu$ into the FPGA. In practical applications, once the modulus $P$ is selected, it is typically treated as a system constant. Therefore, $\mu$ can also be treated as a system constant. The Barrett modular reduction process is shown in Algorithm 5.

Algorithm 5: Barrett Reduction

Input: $a,b,n,P,\mu$,

Output: $c=a\times b\mathrm{mod}P$

1.  $d=a\times b$;

2.  $e_{11}=\mu \left[n-1:0\right]\times d/2^n$;

3.  $\mathrm{if}(\mu \left[n\right]==1\prime b1$)then

4.  $e_{12}=\left\{\left(d>>n\right),256b\prime 0\right\}$;

5.  $\mathrm{else}{e}_{12}=512\prime b0$;

6.  end if

7.  $e_1=\left(e_{11}+e_{12}\right)>>n$; 8.  $d_1=P\times e_1$; 9.  $c=d-d_1$; 10. $\mathrm{if}(c>P)$ then $c=c-P$; 11. end if 12. return c;

For the multiplications involved, KOA multiplication is used. Since $\mu$ can be up to 257 bits, steps 3 to 6 handle this case. The final computed $c$, as it ranges from 0 to $2P-1$, needs to be checked and adjusted if necessary. Steps 9 to 11 handle this process.

4.3. Optimization of Point Addition and Point Double Modules

In elliptic curve point multiplication, the use of different coordinate systems results in varying computational complexities. For instance, operations in the affine coordinate system involve modular inversion, which is computationally expensive. In our work, we employ the standard projective coordinate system for the computations. In the standard projective coordinate system, modular inversion is required only when converting back to the affine coordinate system. Additionally, in the Montgomery point multiplication process within the standard projective coordinate system, computations are simplified as they only need to be performed on the coordinates $X$ and $Z$, thus reducing the computational burden.

Consider points $P_1=\left(X_1,Y_1,Z_1\right), P_2=\left(X_2,Y_2,Z_2\right)$ and $P_3=\left(X_3,Y_3,Z_3\right)$ in the standard projective coordinate system. The point addition formulas are given by Equations (13) and (14).

$$X_3={\left(X_1{X}_2-a{Z}_1{Z}_2\right)}^2-4b{Z}_1{Z}_2\left(X_1{Z}_2+X_2{Z}_1\right)$$

(13)

$$Z_3=x_G{\left(X_1{Z}_2-X_2{Z}_1\right)}^2$$

(14)

The point double operation formulas are given by Equations (15) and (16).

$$X_3={\left(X_1^2-a{Z}_1^2\right)}^2-8b{X}_1{Z}_1^3$$

(15)

$$Z_3=4Z_1\left(X_1^3+a{X}_1{Z}_1^2+b{Z}_1^3\right)$$

(16)

After completing the computations, the results are converted back to the affine coordinate system. The conversion methods are given by Equations (17) and (18).

$$x_i={\displaystyle \frac{X_i}{Z_i}},i\in \left[1,3\right]$$

(17)

$$y_3={\displaystyle \frac{2b+\left(a+x_3{x}_G\right)\left(x_3+x_G\right)-x_1{\left(x_3-x_G\right)}^2}{2y_G}}$$

(18)

The resulting $\left(x_3,y_3\right)$ are the converted results in the affine coordinate system.

Data Flow Optimization

To maximize the efficient use of on-board resources and complete point addition and point double in the shortest possible time, we optimize the data flow for state machine operations and Montgomery point multiplication. The computation processes and data flows for point addition and point double are shown in

Table 2. Point addition data flow.

Number	Operation	Computation
1	$T_1=X_1{X}_2$	$X_1{X}_2$
2	$z_1{z}_2=Z_1{Z}_2$	$Z_1{Z}_2$
3	$T_2=a\left(z_1{z}_2\right)$	$a{Z}_1{Z}_2$
4	$T_1=T_1-T_2$	$X_1{X}_2-a{Z}_1{Z}_2$
5	$T_1={\left(T_1\right)}^2$	${\left(X_1{X}_2-a{Z}_1{Z}_2\right)}^2$
6	$x_1{z}_2=X_1{Z}_2$	$X_1{Z}_2$
7	$x_2{z}_1=X_2{Z}_1$	$X_2{Z}_1$
8	$T_2=x_1{z}_2+x_2{z}_1$	$X_1{Z}_2+X_2{Z}_1$
9	$T_2=b{T}_2$	$b\left(X_1{Z}_2+X_2{Z}_1\right)$
10	$T_2=T_2\left(z_1{z}_2\right)$	$b\left(X_1{Z}_2+X_2{Z}_1\right)Z_1{Z}_2$
11	$T_2=T_2+T_2$	$2b\left(X_1{Z}_2+X_2{Z}_1\right)Z_1{Z}_2$
12	$T_2=T_2+T_2$	$4b\left(X_1{Z}_2+X_2{Z}_1\right)Z_1{Z}_2$
13	$X_3=T_1-T_2$	$\begin{array}{c}{\left(X_1{X}_2-a{Z}_1{Z}_2\right)}^2-\\ 4b\left(X_1{Z}_2+X_2{Z}_1\right)Z_1{Z}_2\end{array}$
14	$T_1=\left(x_1{z}_2\right)-\left(x_2{z}_1\right)$	$X_1{Z}_2-X_2{Z}_1$
15	$T_1={\left(T_1\right)}^2$	${\left(X_1{Z}_2-X_2{Z}_1\right)}^2$
16	$Z_3=x_G{T}_1$	$x_G{\left(X_1{Z}_2-X_2{Z}_1\right)}^2$

and

Table 3. Point double data flow.

Number	Operation	Computation
1	$x_1\_s={\left(X_1\right)}^2$	${\left(X_1\right)}^2$
2	$z_1\_s={\left(Z_1\right)}^2$	${\left(Z_1\right)}^2$
3	$a{z}_1\_s=a\left(z_1\_s\right)$	$a{\left(Z_1\right)}^2$
4	$T_1=x_1\_s-a{z}_1\_s$	${\left(X_1\right)}^2-a{\left(Z_1\right)}^2$
5	$T_1={\left(T_1\right)}^2$	${\left({\left(X_1\right)}^2-a{\left(Z_1\right)}^2\right)}^2$
6	$x_1{z}_2=X_1{Z}_2$	$X_1{Z}_2$
7	$\left({\left(X_1\right)}^2-a{\left(Z_1\right)}^2\right)X_1{Z}_2$	$b{\left(Z_1\right)}^2$
8	$T_2=\left(x_1{z}_1\right)\left(b{z}_1\_s\right)$	$b{X}_1{\left(Z_1\right)}^3$
9	$T_2=T_2+T_2$	$2b{X}_1{\left(Z_1\right)}^3$
10	$T_2=T_2+T_2$	$4b{X}_1{\left(Z_1\right)}^3$
11	$T_2=T_2+T_2$	$8b{X}_1{\left(Z_1\right)}^3$
12	$X_3=T_1-T_2$	${\left({\left(X_1\right)}^2-a{\left(Z_1\right)}^2\right)}^2-8b{X}_1{\left(Z_1\right)}^3$
13	$T_1=\left(x_1\_s\right)+\left(a{z}_1\_s\right)$	${\left(X_1\right)}^2+a{\left(Z_1\right)}^2$
14	$T_1=T_1\left(x_1{z}_1\right)$	$\left({\left(X_1\right)}^2+a{\left(Z_1\right)}^2\right)X_1{Z}_1$
15	$T_2=\left(b{z}_1\_s\right)\left(z_1\_s\right)$	$b{\left(Z_1\right)}^4$
16	$T_1=T_1+T_2$	$\left({\left(X_1\right)}^2+a{\left(Z_1\right)}^2\right)X_1{Z}_1+b{\left(Z_1\right)}^4$
17	$T_2=T_1+T_1$	$2Z_1\left(X_1^3+a{X}_1{Z}_1^2+b{Z}_1^3\right)$
18	$Z_2=T_2+T_2$	$4Z_1\left(X_1^3+a{X}_1{Z}_1^2+b{Z}_1^3\right)$

, respectively.

In the design presented in our work, the point addition and point double modules operate in parallel during the point multiplication process. Therefore, the total computation cycle count is determined by the module with the longest cycle duration. Modules with shorter cycles will idle, ensuring synchronization and smooth operation of the point multiplication state machine. Additionally, the multiplication operations utilize a fast modular multiplication unit with a computation cycle of seven cycles, while the modular addition and subtraction units each have a computation cycle of one cycle. Due to the presence of the state machine and synchronization stages, both the point addition and point double modules have an operation cycle of 102 cycles.

4.4. Optimization of Coordinate Transformation

After the point multiplication operation, the results need to be aggregated and coordinate conversion must be performed. In the design of this module, a modular inversion module and a point addition module are used with a state machine controlling the data flow and the reuse of these modules. The coordinate conversion method is described in Algorithm 6, where $X_i,Z_i,i\in \left[0,7\right]$ are the results output by the eight parallel point multiplication modules. The function Point_add is a wrapper for the point addition module, and $inv\left(a,b,p\right)$ is a wrapper for the modular inversion module. The output result is $a/b\mathrm{mod}P$.

Algorithm 6: Coordinate Transformation

Input: $\left(X_i,Z_i\right),i\in \left[0,7\right],a,b,n,P,x_G$,

Output: $x,y$

1.  i = 1;

2.  $X,Z=X_1,Z_1$

3.  $\mathrm{while}(i\le 6$) do

4.  $X,Z=\mathrm{Point}\_\mathrm{add}(X,Z,X_{i+1},Z_{i+1},a,b,P,x_G$)

5.  i = i+1;

6.  end while

7. $x_6=inv\left(X_6,Z_6,P\right)$

8. $x=inv\left(X,Z,P\right)$

9. $T_1=x_{G}x$

10. $T_2=x_G+x$

11. $T_3=x_G-x$;

12. $T_3={\left(T_3\right)}^2$;

13. $T_3=x_6{T}_3$

14. $T_1=T_1+a$

15. $T_1=T_1{T}_2$

16. $T_1=T_1+b$

17. $T_1=T_1+b$

18. $T_1=T_1-T_3$

19. $T_1=T_1{T}_2$

20. $y=y_G+y_G$

21. $y=inv\left(y,T_1,P\right)$

22. $\mathrm{return}\left(x,y\right)$

5. Experimental Results and Scheme Analysis

The host machine in this study is a computer with a Pentium Dual CPU E2200 2.20 GHz running Ubuntu 16.04, which can support simultaneous connections to nine FPGA boards. The hardware platform consists of a system of nine FPGA boards, where hardware modules are designed using the Verilog language based on FPGA boards with the chip model xcku-060-ffva1156-2-i. The software used is Vivado 2019.2.

5.1. Safety Analysis

5.1.1. Security Proof

For a signature scheme, its security must satisfy existential unforgeability under adaptive chosen message attacks (EUF-CMA). To prove that the proposed scheme possesses this property, the following definitions and proof process are provided. To address the security of the scheme, consider an attacker who does not have the capability to learn the master private key but can replace the vehicle’s public key. Under this attacker’s threat model, to prove that the scheme satisfies existential unforgeability under adaptive chosen message attacks (EUF-CMAs), Game 1 is defined as follows.

Definition 1: 

Facing a Type 1 attacker, if no Type 1 attacker can win Game 1 with a non-negligible advantage, then the proposed scheme is EUF-CMA secure.

Game 1: 

Let $\mathrm{C}$ be the challenger, ${\mathrm{A}}_1$ be the Type 1 attacker, and $I{D}_i$ be the target being challenged. The game is constructed as follows:

(1)

System Initialization: The system initialization is executed by $\mathrm{C}$, generating the system parameter set $Parms$ and the master private key $ks$. The system parameter set $Parms$ is then sent to the attacker ${\mathrm{A}}_1$, while the master private key $ks$ is kept secret.

(2)

First Phase Queries: In this phase, ${\mathrm{A}}_1$ can make the following queries to $\mathrm{C}$: hash queries, private key queries, and signature queries.

(a)

Private Key Query: When ${\mathrm{A}}_1$ requests the private key for $I{D}_i$, $\mathrm{C}$ sends the private key to ${\mathrm{A}}_1$.

(b)

Signature Query: When ${\mathrm{A}}_1$ requests this query, assuming the requested parameters are $\left(I{D}_i,m_i\right)$, $\mathrm{C}$ sends the signature to ${\mathrm{A}}_1$. However, ${\mathrm{A}}_1$ cannot request a signature query where $I{D}_i$ is the identity of the forger; otherwise, the game terminates.

(3)

Forgery: The attacker ${\mathrm{A}}_1$ forges a digital signature $\left(S_i,U_i,w_i\right)$ for the identity $I{D}_i$. ${\mathrm{A}}_1$ is considered to have won Game 1 if the following conditions are met:

(a)

The signature $\left(S_i,U_i,w_i\right)$ is valid.

(b)

The master private key has not been queried.

(c)

In the signature query, the requested parameters do not include the identity $I{D}_i$.

Theorem 1: 

In the random oracle model, if the K-CAA problem is hard to solve, then the proposed scheme is EUF-CMA secure.

Lemma 1: 

In the random oracle model, if there exists a Type 1 attacker ${\mathrm{A}}_1$ who can win Game 1 with non-negligible advantage $\epsilon$ (after making at most $q_{H_i}\left(i=1,2\right)$ $H_i$ hash queries, $q_E$ private key queries, and $q_s$ signature queries), then there exists a challenger $\mathrm{C}$ who can solve the K-CAA problem with non-negligible advantage $suc{c}_{A_1}^{K-CAA}\ge \left(\epsilon -{\displaystyle \frac{1}{2^k}}\right){\left({\displaystyle \frac{q_E}{q_{H_1}}}\right)}^{q_E+q_S}\left({\displaystyle \frac{q_{H_1}-q_E}{q_{H_1}}}\right)$.

Proof: 

Game 1 is constructed between the challenger $\mathrm{C}$ and the attacker ${\mathrm{A}}_1$. If ${\mathrm{A}}_1$ can forge a valid signature, then $\mathrm{C}$ can leverage Game 1 to solve the K-CAA problem. Therefore, given random inputs $R=k{P}_2\in G_1,h_1=H_1\left(I{D}_i\left|\right|hid,N\right),h_{1_i},\dots ,h_{1_{q_E}}\in Z_q^{*}$ and ${\displaystyle \frac{h_{1_1}{P}_1}{k+h_{1_1}}},$ ${\displaystyle \frac{h_{1_2}{P}_1}{k+h_{1_2}}},\dots ,{\displaystyle \frac{h_{1_{q_E}}{P}_1}{k+h_{1_{q_E}}}}$, the goal is to output a solution to the K-CAA problem where the solution is $\left(h_{1_I},{\displaystyle \frac{h_{1_I}{P}_1}{k+h_{1_I}}}\right),h_{1_I}\notin \left\{h_{1_1},h_{1_2},\dots ,h_{1_{qE}}\right\}$.

(1)

System Initialization: The system initialization is executed by $\mathrm{C}$. Let $kpb=R=k{P}_2$, where $ks=k$ serves as the master private key, which is unknown to $\mathrm{C}$. The challenger $\mathrm{C}$ selects an identity $I{D}_i$ as the challenge identity and sends the parameters $\left\{P_1,P_2,kpb,H_1,H_2\right\}$ to the attacker ${\mathrm{A}}_1$.

(2)

First Phase Queries: ${\mathrm{A}}_1$ can initiate queries to $\mathrm{C}$, and $\mathrm{C}$ must respond according to the game rules. The possible queries include $H_1$ hash queries, $H_2$ hash queries, random oracle queries, public key queries, private key queries, public key replacement queries, and signature queries. Additionally, lists $H_1^{List},H_2^{List},s{k}^{list}$ and $p{k}^{list}$ are used to store the records of $H_1$ hash queries, $H_2$ hash queries, random oracle queries, public key queries, and private key queries, respectively. The following details each type of query in the first phase:

(a)

$H_1$ Hash Query: When ${\mathrm{A}}_1$ requests an $H_1$ hash query for input $\left(I{D}_i,hid,N\right)$, $\mathrm{C}$ first searches the list $H_1^{List}$ to see if there is a corresponding tuple. The structure of the tuple $H_1^{List}$ is $\left(I{D}_i,hid,N,h_{1_i}\right)$. If $H_1^{List}$ already contains the tuple $\left(I{D}_i,hid,N,h_{1_i}\right)$, $\mathrm{C}$ directly returns $h_{1_i}$ to ${\mathrm{A}}_1$. Otherwise, $\mathrm{C}$ randomly selects a value $h_{1_i}\in Z_q^{*}$, sets $h_{1_i}=H_1\left(I{D}_i\left|\right|hid,N\right)$, forms a new tuple $\left(I{D}_i,hid,N,h_{1_i}\right)$, inserts this tuple into the list $H_1^{List}$, and then returns $h_{1_i}$ to ${\mathrm{A}}_1$.

(b)

$H_2$ Hash Query: When ${\mathrm{A}}_1$ requests a $H_2$ hash query for input $\left(I{D}_i,m_i,r_i,N\right)$, $\mathrm{C}$ first searches the list $H_2^{List}$ to see if there is a corresponding tuple. The structure of the tuple $H_2^{List}$ is $\left(I{D}_i,m_i,r_i,w_i,N,h_{2_i}\right)$. If $H_2^{List}$ already contains the tuple $\left(I{D}_i,m_i,r_i,N,h_{2_i}\right)$, $\mathrm{C}$ directly returns $h_{2_i}$ to ${\mathrm{A}}_1$. Otherwise, $\mathrm{C}$ randomly selects two values $r_i,h_{2_i}\in Z_q^{*}$, sets $w_i=e{\left(P_1,kpb\right)}^{r_i},h_{2_i}=H_2\left(m_i\parallel w_i,N\right)$, forms a new tuple $\left(I{D}_i,m_i,r_i,w_i,N,h_{2_i}\right)$, inserts this tuple into the list $H_2^{List}$, and then returns $h_{2_i}$ to ${\mathrm{A}}_1$. This $H_2$ hash query event is denoted by $E_1$.

(c)

Private Key Query: When ${\mathrm{A}}_1$ requests the private key for identity $I{D}_i\left(1\le i\le q_E\right)$, $\mathrm{C}$ retrieves $\left(I{D}_i,h_{1_i}\right)$ from the list $H_2^{List}$. $\mathrm{C}$ then checks if $h_{1_i}$ belongs to the challenge identity set $\left\{h_{1_1},h_{1_2},\cdots ,h_{1_{q_E}}\right\}$. If it is not, the game terminates (this event is denoted by $E_2$); otherwise, $\mathrm{C}$ sets $s_i=P_1-{\displaystyle \frac{h_{1_i}{P}_1}{k+h_{1_i}}},Q_i={\displaystyle \frac{kpb{P}_1}{s_i}}$ and saves the tuple $\left(I{D}_i,hid,N,Q_i,s_i\right)$ in $s{k}^{list}$. $\mathrm{C}$ then returns $s_i$ and $Q_i$ to ${\mathrm{A}}_1$.

(3)

Forgery Phase: ${\mathrm{A}}_1$ outputs a digital signature $\left(S_I,U_I,w_I\right)$ for the identity $I{D}_I$, and the signature passes the verification $e\left(S_I,Q_I\right)·e{\left(P_1,kpb\right)}^{h_{2_I}}=e{\left(P_1,kpb\right)}^{r_I}$.

$\mathrm{C}$ retrieves $\left(I{D}_I,h_{1_I}\right)$ from $H_1^{list}$. Then, it retrieves the tuple $\left(I{D}_i,m_i,r_i,w_i,N,h_{2_i}\right)$ from the list $H_2^{list}$. Let $Q_I=h_{1_I}{P}_2+kpb$. If $h_{1_I}\in \left\{h_{1_1},h_{1_2},\cdots ,h_{1_{q_E}}\right\}$; then, the simulation terminates and outputs “Failure” (denoted as $E_3$), Otherwise, the equation $e\left(S_I,Q_I\right)·e{\left(P_1,kpb\right)}^{h_{2_I}}=e{\left(P_1,kpb\right)}^{r_I}$ holds, and let $x={\displaystyle \frac{h_{1_I}{P}_1}{k+h_{1_I}}},Q_I={\displaystyle \frac{kpb{P}_1}{P_1-x}}=kpb{P}_1{\left(P_1-{\displaystyle \frac{h_{1_I}{P}_1}{k+h_{1_I}}}\right)}^{-1}=kpb{P}_1,{\left({\displaystyle \frac{k{P}_1}{k+h_{1_I}}}\right)}^{-1}=h_{1_I}{P}_2+kpb$, so $e\left(S_I,Q_I\right)$$=e\left(S_I,{\displaystyle \frac{kpb{P}_1}{P_1-x}}\right)=e{\left(P_1,kpb\right)}^{r_I-h_{2_I}},e\left({\displaystyle \frac{S_I{P}_1}{P_1-x}},kpb\right)=e\left(\left(r_I-h_{2_I}\right)P_1,kpb\right),{\displaystyle \frac{S_I{P}_1}{P_1-x}}=\left(r_I-h_{2_I}\right)P_1$. From this, we obtain $x=P_1-{\displaystyle \frac{S_I}{r_I-h_{2_I}}}={\displaystyle \frac{h_{1_I}{P}_1}{k+h_{1_I}}}$, where $\left(h_{1_I},{\displaystyle \frac{h_{1_I}{P}_1}{k+h_{1_I}}}\right)$ is the solution to the K-CAA problem. Thus, $\mathrm{C}$ outputs the solution $\left(h_{1_I},{\displaystyle \frac{h_{1_I}{P}_1}{k+h_{1_I}}}\right)$ to the K-CAA problem. If the events $E_1,E_2$ and $E_3$ do not occur, then $\mathrm{C}$ can solve an instance of the K-CAA problem. The probability that ${\mathrm{A}}_1$ forges a valid signature without querying $H_2$ does not exceed ${\displaystyle \frac{1}{2^k}}$, so $\mathrm{C}$’s probability of successfully solving the K-CAA problem is $suc{c}_{A_1}^{K-CAA}\ge \left(\epsilon -{\displaystyle \frac{1}{2^k}}\right){\left({\displaystyle \frac{q_E}{q_{H_1}}}\right)}^{q_E+q_S}\left({\displaystyle \frac{q_{H_1}-q_E}{q_{H_1}}}\right)$.

Because ${\mathrm{A}}_1$’s advantage in winning the game is negligible, the probability of $\mathrm{C}$ successfully solving the K-CAA problem is negligible. Thus, the prerequisite for successfully solving the K-CAA problem does not exist. Furthermore, the fault-tolerant aggregate signature scheme constructed in our work operates mainly during the aggregation process and does not affect the aggregation method of the aggregate signature. Therefore, according to Definition 1, both the non-fault-tolerant and fault-tolerant aggregate signature schemes in our work are secure.

5.1.2. Unforgeability

Based on the security of the signature scheme under the K-CAA assumption, the scheme proposed in this section can resist existential forgery under adaptive chosen message attacks and identity attacks. Therefore, the scheme presented in our work possesses unforgeability.

5.1.3. Privacy

When a vehicle joins the IoV, it first sends its identity $I{D}_i$ to the authentication center to generate its pseudonym for use within the network. Consequently, during information exchange, no third party other than the authentication center can know the vehicle’s true identity. In subsequent communications, vehicles use pseudonyms to participate in the fault-tolerant aggregate signature process. Therefore, this scheme ensures the privacy of the vehicles participating in the communication.

5.1.4. Traceability

When the RSU detects an error or verification failure in the aggregated signature, it can send the pseudonym of the vehicle that caused the verification error to the authentication center. The authentication center can then use the pseudonym to trace the relevant information of the vehicle. Therefore, this scheme has traceability.

5.2. Performance of Each Module

In the SM9 signature algorithm, the main time-consuming modules are bilinear pairing, modular exponentiation, and point multiplication. Among these, the most time-consuming step in the aggregate signature process is point multiplication. Bilinear pairing is implemented in software. The software computation times are as follows: bilinear pairing takes 4.129 ms, point multiplication takes 1.814 ms, and point addition takes 0.009 ms. These times are the average values obtained from running each operation 1000 times in software.

An eight-way parallel point multiplication algorithm is implemented on the FPGA. The specific details regarding the resource utilization, control method, operation mode, and operating cycles of each module are shown in

Table 4. Resource utilization and performance of FPGA modules.

Module	Control Mode	Operation Mode	LUT	FF	DSP	Frequency/MHZ	Clock Cycles
modular inversion	State Machine	Serial	3951	1568	0	27	544
modular addition and subtraction units	Pure Combinational Logic	Parallel	2918	0	0	27	1
modular multiplication	State Machine	Serial	4581	2054	144	27	6
point addition	State Machine	Parallel	8137	5168	144	27	102
point double	State Machine	Parallel	8003	5664	144	27	102
point multiplication	State Machine	Parallel	20,321	15,505	288	27	26,014
coordinate conversion	State Machine	Serial	18,091	7618	288	27	1453
slave state machine	State Machine	Parallel	4181	4673	0	27	-
master control state machine	State Machine	Parallel	10,012	23,471	0	50	-

. The test data are sourced from the SM9 Chinese National Standard [34].

Based on Table 4, from the perspective of structural functionality, the modular multiplication and modular inversion units in the parallel point multiplication algorithm are both computed serially. The modular addition and subtraction functions are combined using combinational logic, which completes the operations within a single clock cycle, exhibiting parallel characteristics. The point addition and point doubling units achieve their functionality by invoking the modular addition/subtraction and modular multiplication units. As seen from the table, point addition and point doubling are executed in parallel with their parallel nature supported by the Montgomery point multiplication algorithm and controlled by the slave state machine. Additionally, the table shows that the slave state machine and point multiplication modules also operate in parallel with their parallelism supported by the master control state machine, which simultaneously distributes tasks and manages parallel control. However, during coordinate conversion, all data from the point multiplication modules need to be sent to the master state machine, which then forwards it to the coordinate conversion module. The coordinate conversion module operates serially, and its serial nature is determined by the coordinate conversion algorithm.

According to Table 4, in terms of resource and performance analysis, a single-point multiplication module efficiently utilizes the FPGA’s board resources. When the eight-way parallel point multiplication algorithm is implemented, the overall resource utilization of each FPGA is LUT: 57.48%, FF: 23.38%, DSP: 93.91%. The operating frequency of the above modules is shown in Table 4 as well. The eight-way parallel point multiplication algorithm on the FPGA experimental platform achieves a calculation throughput of approximately $\left(2.7\times {10}^7\right)/\left(\mathrm{26,014}+1453\right)\times 8\times 9\approx \mathrm{70,776}$ operations per second. Meanwhile, the software implementation achieves only 551 operations per second, indicating a significant improvement in computational efficiency.

5.3. Efficiency Analysis of Aggregated Signature

Below, we compare and analyze the aggregate verification efficiency of the proposed aggregate signature scheme in our work with currently well-performing software and hardware implementation schemes from different perspectives. $P_B$ represents the bilinear pairing operation time on software, $m$ represents the running time of a modular exponentiation on software, $M$ represents the running time of a point multiplication on software, $A$ represents the running time of a point addition on software, $M_P$ represents the running time of a point multiplication on the single-path FPGA in our work, $Co{T}_P$ represents the running time of a coordinate conversion operation on the single-path FPGA in our work, and $n$ represents the number of signatures participating in the aggregation.

5.3.1. Analysis of Non-Fault-Tolerant Aggregate Signature Verification Efficiency

First, let us assume that all signatures are valid and that the total number of signatures to be verified exceeds the 36 signatures required to construct a fault-tolerant set. Under this assumption, we can proceed with an analysis of the computational load associated with different aggregate signature schemes.

One such scheme, presented in [35], is a derivative of the fault-tolerant aggregate signature approach. To facilitate a meaningful comparison, the design of the fault-tolerant set in [35] has been aligned with the scheme proposed in our work. This unification allows for a direct comparison of the computational efficiency between the two methods, providing insights into their relative performance under similar conditions.

As shown in

Table 5. Comparison of individual and batch verification costs in different aggregate signature schemes.

Module	Individual Verification	Batch Verification
Shu, H. [36]	$2P_B+M+3A$	$2P_B+2nM+2\left(n+1\right)A$
Chen, Y. [37]	$2P_B+3M+2A$	$2n{P}_B+\left(2n+1\right)M+2nA$
Du, H. [38]	$3M+3A$	$\left(3n+1\right)M+\left(4n-1\right)A$
An, T. [4]	$2P_B+M$	$3P_B+nM+2\left(n-1\right)A$
Zhao, Y. [35]	$4M+3A$	$8nM+\left(4n-4\right)A$
Xie, Y. [3]	$4M+3A$	$\left(3n+1\right)M+\left(3n-1\right)A$
Deng, L. [39]	$2P_B+2M+3A$	$2P_B+3nM+3nA$
Gayathri, N.B. [40]	$5M+3A$	$\left(4n+1\right)M+\left(4n-1\right)A$
Xu, R. [6]	$P_B+2M$	$\left(2n-1\right)P_B+\left(3n+1\right)M$
Non-fault-tolerant mode	$2P_B+M$	$3P_B+⌈{\displaystyle \frac{n}{72}}⌉M_P+3\left(n-1\right)A+⌈{\displaystyle \frac{n}{72}}⌉Co{T}_P$
Fault-tolerant mode	$2P_B+M$	$3⌈{\displaystyle \frac{n}{4}}⌉P_B+⌈{\displaystyle \frac{n}{36}}⌉M_P+3\left(n-1\right)A+⌈{\displaystyle \frac{n}{36}}⌉Co{T}_P$

, the time consumption formulas for individual signature verification and batch verification are provided. The efficiency of aggregate signatures is primarily determined by the efficiency of batch verification. Figure 7 displays a categorized bar chart of batch verification time consumption, where “no tol” represents the verification time in the non-fault-tolerant mode, and “tol” represents the consumption time in the fault-tolerant mode. From the figure, it can be seen that a significant difference in verification time emerges even with a small number of signatures. Therefore, we analyze the case with 36 signatures and no faults. The aggregate signature verification times from the literature are as follows: 139.532 ms in [36], 432.172 ms in [37], 199.013 ms in [38], 78.321 ms in [4], 523.692 ms in [35], 198.689 ms in [3], 205.142 ms in [39], 264.317 ms in [40], and 490.885 ms in [6]. The verification time in the fault-tolerant mode of our work is 113.459 ms, and it is 14.899 ms in the non-fault-tolerant mode. Compared to the original SM9 aggregate signature scheme, the verification time in the non-fault-tolerant mode of our work is reduced by 80.9%, and compared to other schemes, it is reduced by up to 97.1%. Although the time consumption in the fault-tolerant aggregate signature mode has increased compared to the original SM9 scheme, it has decreased by 78.3% compared to the fault-tolerant aggregate signature scheme in [35] and at least by 18.6% compared to other schemes. Additionally, it provides fault-tolerant aggregation functionality that other schemes do not possess.

5.3.2. Analysis of Fault-Tolerant Aggregate Signature Verification Efficiency

Below, we analyze the fault-tolerant efficiency of the fault-tolerant aggregate signature, using an example where there are 36 signatures to be verified, including two erroneous signatures. First, we introduce the following theorem. Assume that set $\left(A_1,A_2,\dots ,A_n\right)$ is a $uniform\left(k,n\right)$ construction of set $A$; then, for any $r$ subset $A_{i1},A_{i2},\dots ,A_{ir}\in \left\{A_1,\dots ,A_n\right\}\left(1\le r\le k-1\right)$, we have Equations (19) and (20), where $m=\left(\begin{array}{c}n\\ k-1\end{array}\right)$.

$$\left|\underset{j=1}{\overset{r}{\cup }}{A}_{ij}\right|=m-\left(\begin{array}{c}n-r\\ k-r-1\end{array}\right)$$

(19)

$$\left|\underset{j=1}{\overset{r}{\cap }}{A}_{ij}\right|=m-\left(\begin{array}{c}n\\ k-1\end{array}\right)+\left(\begin{array}{c}n-r\\ k-1\end{array}\right)$$

(20)

Similarly, the size of each subset $A_i$ is $\left(\begin{array}{c}n-1\\ k-1\end{array}\right),1\le i\le n$. Specifically, when $r$ takes the value of $n-k+1$, the value of Equation (20) is 1.

In our work, we construct a $uniform(8,9)$ fault-tolerant aggregate signature set $\left\{T_1,\dots ,T_9\right\}$. Each $T_i\left(1\le i\le 9\right)$ has a size of $\left|T_i\right|=\left(\begin{array}{c}9-1\\ 8-1\end{array}\right)=8$. Once we have constructed the fault-tolerant set, for convenience of representation, we denote it using ${\epsilon }_1,{\epsilon }_2,\dots {\epsilon }_9$ to represent the corresponding $\left\{T_1,\dots ,T_9\right\}$. Additionally, we can observe that each individual signature appears twice in different $T_i,T_j$. Given that $16\left|T_i\right|/36=2$, we can infer $\left|{\cap }_{j=1}^2{A}_{ij}\right|=\left(\begin{array}{c}9-2\\ 8-1\end{array}\right)=1$ from Equation (20) that the number of single signatures in the intersection of any two subsets is 1. Therefore, we can conclude that the two erroneous signatures will appear in three or four different $T_i$ subsets. In our analysis, we consider the worst-case scenario where the two erroneous signatures appear in four different $T_i$ subsets. Thus, only five subsets ${\epsilon }_{i1},{\epsilon }_{i2},\dots {\epsilon }_{i5}$ pass verification. Consequently, the number of correct signatures passing verification can be calculated using Equation (19), yielding $36-\left(\begin{array}{c}9-5\\ 8-5-1\end{array}\right)=30$. Therefore, a total of 30 signatures pass the verification. In error handling of aggregate signature, the method of independent verification after error is generally adopted. Below, we provide a brief explanation of the number of individual verifications required for non-fault-tolerant aggregate signatures. When two erroneous signatures are mixed into 36 signatures, assuming the probability of encountering the first erroneous signature at position $\left(0,35\right]$ is uniform, we denote its position as $x$. The probability of the second erroneous signature being at position $\left[x+1,36\right]$ is $1/\left(36-i\right)$. Therefore, the expected number of verifications is approximately 21. In contrast, the maximum number of verifications required for fault-tolerant aggregate signatures is six. Hence, the fault-tolerant aggregate signature scheme demonstrates better performance in the presence of erroneous signatures. Figure 8 presents the efficiency analysis of fault-tolerant aggregate signatures, where “no tol” represents the verification time in the non-fault-tolerant mode, and “tol” represents the consumption time in the fault-tolerant mode. Below, we provide more specific data: in this scenario, the time to verify and identify all erroneous signatures is 351.611 ms for [36], 720.25 ms for [37], 313.862 ms for [38], 289.833 ms for [4], 567.39 ms for [35], 351.632 ms for [3], 455.315 ms for [39], 455.354 ms for [40], and 653.782 ms for [6]. The non-fault-tolerant aggregate mode takes 191.206 ms, while the fault-tolerant aggregate mode takes 163.97 ms. In the current scenario, analyzing the time taken by each scheme, our proposed scheme, whether in fault-tolerant or non-fault-tolerant aggregate mode, significantly outperforms other non-fault-tolerant schemes. Even compared to the fault-tolerant scheme in [35], our scheme’s time consumption is only 28.9% of theirs. In summary, our designed scheme shows a substantial advantage in both fault-tolerant and fault-free scenarios.

6. Conclusions

Considering the complex network environment and high-performance requirements of vehicular networks, we design an efficient aggregate signature algorithm with two modes based on the SM9 aggregate signature algorithm, FPGA acceleration technology, and the uniform(k,n) theory. The security of the proposed algorithm is also analyzed. For the numerous elliptic curve point multiplication operations involved, a parallel point multiplication architecture based on FPGA is designed. Single-point multiplication uses the Montgomery point algorithm, and the data flow of the point addition and point double modules is optimized. Key modules for modular addition/subtraction, multiplication, and inversion are designed using combined modular addition/subtraction, KOA and Barret algorithms, and the binary modular inversion algorithm, respectively. The parallel point multiplication architecture is applied to the SM9 efficient aggregate signature scheme, and its effectiveness is verified through simulation and on-board experiments. A comprehensive analysis of the proposed scheme’s performance is also conducted. The highly parallel elliptic curve point multiplication acceleration module designed on the FPGA platform is applied to both non-fault-tolerant and fault-tolerant modes, demonstrating good performance in the low-latency and complex network environment scenarios of vehicular networks. Compared to similar schemes, the proposed scheme not only achieves higher operational efficiency but also incorporates fault-tolerant features.

The next step could explore the hardware security design of the SM9 parallel point multiplication architecture to prevent side-channel attacks. This involves ensuring high performance while preventing the leakage of computational information. Additionally, developing new fault-tolerance theories to further optimize the construction speed of fault-tolerant sets can be investigated.