Dynamic Privacy-Preserving Anonymous Authentication Scheme for Condition-Matching in Fog-Cloud-Based VANETs

Abstract

Secure group communication in Vehicle Ad hoc Networks (VANETs) over open channels remains a challenging task. To enable secure group communications with conditional privacy, it is necessary to establish a secure session using Authenticated Key Agreement (AKA). However, existing AKAs suffer from problems such as cross-domain dynamic group session key negotiation and heavy computational burdens on the Trusted Authority (TA) and vehicles. To address these challenges, we propose a dynamic privacy-preserving anonymous authentication scheme for condition matching in fog-cloud-based VANETs. The scheme employs general Elliptic Curve Cryptosystem (ECC) technology and fog-cloud computing methods to decrease computational overhead for On-Board Units (OBUs) and supports multiple TAs for improved service quality and robustness. Furthermore, certificateless technology alleviates TAs of key management burdens. The security analysis indicates that our solution satisfies the communication security and privacy requirements. Experimental simulations verify that our method achieves optimal overall performance with lower computational costs and smaller communication overhead compared to state-of-the-art solutions.

1. Introduction

Vehicle Ad hoc Networks (VANETs) play a crucial role in supporting intelligent transportation systems, including data sharing and collaborative processing, within modern urban traffic [1]. The popularity of electric vehicles brings more powerful sensing modules and stronger computation capabilities. VANETs, through the cooperation of On-Board Units (OBUs) and Roadside Units (RSUs), can provide high-speed data communication services between vehicles, guaranteeing the safety of vehicle travel and achieving fully intelligent traffic management. For example, in the event of a traffic accident, relevant vehicles can report the incident to nearby sections through RSUs, guiding nearby vehicles to avoid congested routes [2]. The role of VANETs in intelligent transportation has attracted attention from both industry and academia [3].

Unlike many fixed-terminal networks, VANETs must deal with rapid changes in access and are more prone to attacks like eavesdropping, user tracking, and tampering [4]. In an open VANET, ensuring communication and data security is a key concern. Traditional VANET security protection schemes generally involve a Trusted Authority (TA) that issues certificates to vehicles and RSUs, handles authentication at the access endpoints, and performs critical security algorithms [5]. However, as more vehicles join VANETs, the TA needs to manage a large number of certificates and handle a significant amount of requests, resulting in high computational and storage costs for the TA. Furthermore, due to the TA’s distance from vehicles and RSUs, higher latency is more likely, making it unable to provide real-time services.

To address the drawbacks of a single TA, multi-TA schemes have been introduced into VANETs [6]. In a multi-TA scheme, fog computing TA sub-nodes are deployed on the RSU side, and fog node TAs are managed by a central TA, forming a two-tier TA structure. Vehicles are authenticated and managed by the fog TA nodes on the RSU side, greatly improving the real-time data processing and mitigating the impact caused by DoS attacks. The VANETs architecture with multi-TA composed of fog computing can significantly enhance the service quality of the network [7].

In some previous VANET schemes, vehicles or RSUs directly report the road conditions to the TA [8]. The TA collects real-time data and responds accordingly. However, as the amount of data generated by vehicles rapidly increases, this places a significant computational burden on the TA, and the cost of storing and computing by the TA becomes extremely high. To address this issue, some scholars have combined VANETs with cloud computing [9,10], using cloud computing to store and process data in VANETs, providing VANETs with more elastic computing capabilities. For example, authenticated vehicles have the ability to upload traffic data to the remote cloud, while the TA is only responsible for secure computations such as authentication.

In VANETs, authenticated key agreement is crucial for communication security. A session security key protocol that satisfies session security can be used to construct a communication channel with dynamic members [11]. Furthermore, to provide security and privacy protection for VANETs communication, various scholars have introduced Conditional Privacy-Preserving (CPP) authentication schemes in recent years [12], where the information of vehicles is kept private from all participants except the TA. However, if a vehicle engages in malicious behavior, the TA is able to trace its real identity.

In recent years, many classic solutions have been studied for CPP authentication under VANETs. Lin et al. [13] combined blockchain technology with key derivation algorithms to manage certificates, in order to avoid vehicles storing a large number of keys, but the single TA mode is vulnerable to DoS attacks. Yu et al. [14] used ECC and certificateless aggregate signatures to reduce the computational load of OBUs, but they cannot support dynamic groups. Wang et al. [15] proposed a scheme that achieves conditional privacy protection without using pseudonyms, but it involves operations with bilinear pairs, resulting in high computational costs and unfriendly support for vehicles with low computing power.

Our Contributions

To summarize, existing schemes still have issues to address. Traditional session AKA solutions lack consideration for cross-domain scenarios and complete group session key negotiation within a single domain. Multi-TA may enhance VANET response speed and capacity but faces challenges due to increasing data volume. Our scheme addresses these issues by introducing a dynamic privacy-preserving anonymous authentication scheme tailored for fog-cloud-based VANETs. It utilizes RSUs as fog computing nodes, incorporates multi-level TAs, and integrates cloud services for storage and computing. Lightweight security algorithms are employed for group session key negotiation to ensure secure VANET communication. The contributions of our proposed scheme include:

• The introduction of an anonymous and dynamic conditional privacy-preserving scheme using basic elliptic curve algorithms and hash functions for low-computing-power OBUs.
• The implementation of certificateless and multi-TA modes to reduce the burden on TAs, improve response speed, and enhance overall VANET robustness. The use of cloud services as an outsourcing platform to expand data processing capabilities and boost VANET performance.
• Security analysis demonstrates satisfaction of VANET security requirements, achieving forward security and resisting attacks. In comprehensive performance, our proposed solution is better than existing similar conditional privacy-preserving schemes in comprehensive performance.

2. Related Work

In order to meet the security and privacy protection requirements of vehicle communication in open channels, many researchers have conducted research on conditional privacy protection for VANETs in recent years. These studies are roughly summarized as PKI-based, certificateless, fog-cloud-based, and blockchain-based.

In 2007, Raya et al. [16] introduced the first PKI-based conditional privacy protection authentication system, aiming to enhance the security of vehicle communication through the utilization of anonymous certificates. However, this scheme necessitates the involvement of a Certification Authority (CA) to handle a substantial volume of certificates. Xiong et al. [17] introduced a authentication framework ensuring conditional privacy with support for dynamic members using the Chinese Remainder Theorem. This protocol supports both forward and backward security, but it also faces the problem of certificate management by a single TA. In response to the security update challenges related to Tamper-Proof Device (TPD) keys, Wei et al. [18] introduced a secure updateable conditional privacy protection authentication scheme. This scheme is built upon Shamir’s secret sharing and secure pseudo-random functions to ensure the robustness of the security updates for TPD keys. By using ECC signatures, this scheme improves the transmission speed of messages in emergency situations. To tackle the security challenges associated with heterogeneous vehicle communication in VANETs, Ali et al. [19] introduced an privacy hybrid signcryption scheme with high efficiency. This scheme relies on bilinear pairings to enhance the security of communication among diverse vehicles. They also reduced decryption time by using batch decryption. To address the risk of private key leakage in VANETs, Xiong et al. [20] constructed a dual insurance conditional privacy authentication scheme using ECC. Even if the master key or one of the vehicle keys is leaked, this scheme ensures that valid authentication messages cannot be forged. To provide traceability and credibility of malicious senders, Luo et al. [21] designed a conditional privacy protection authentication protocol using ring signatures and ring signcryption. This protocol provides publicly verifiable algorithms for exposing the real identity of malicious users, but it requires the support of a third-party TA. To address the privacy concerns introduced by the open channels in VANETs, Cai et al. [22] proposed a conditional privacy protection scheme for VANETs using identity-based encryption and ring signatures. They proved the security properties of anonymity, traceability, confidentiality, and unforgeability of the scheme. However, Du et al. [23] pointed out issues in [22] such as the lack of anonymous protection for honest senders. They improved the scheme to achieve sender anonymity and malicious user traceability, as well as resistance to response attacks. Additionally, Zhou et al. [24] proposed a multi-key outsourcing computation scheme for VANETs, which designed an efficient privacy protection information filtering system location-based service. This system eliminates useless encrypted information before authentication, optimizing the computation and communication workload. Based on PKI, the CPP solution can achieve complex functions, but it also faces challenges such as high computational costs for certain cryptographic primitives.

To avoid the burden of managing certificates and keys, many researchers have started to consider certificateless schemes in VANETs. In order to enhance computational speed, Chen et al. [25] proposed a certificateless fully aggregated signature scheme in 2021, which does not increase the length of signatures with the number of vehicles, reducing communication and processing costs. This scheme uses general ECC and hash computations, reducing the computational burden. Ali et al. [26] considered the limited computation power of OBUs and designed a certificate-free conditional privacy authentication scheme without bilinear pairings and mapping to points. They used ECC and ordinary hash functions instead and improved overall efficiency through batch signature verification. Building on the scheme proposed by [26], Zhou et al. [27] proposed a certificateless privacy-preserving authentication scheme which was both secure and lightweight. This solution can resist signature forgery attacks and has fast computational efficiency compared to [26]. Certificateless solutions effectively reduce the pressure of certificate and key management and lower the risk of key leakage. However, TA requires responsibility for participating in the generation of all keys and certificates, which can be a significant burden.

To address the issue of a high workload on a single CA, several fog-cloud-based VANET solutions have been proposed. Goudarzi et al. [28] proposed a fog-based VANET privacy protection authentication protocol, which utilizes Quotient Filter to solve node authentication, and uses fog nodes to reduce system latency and improve system throughput. Zhong et al. [29] proposed a fog computing-based CPP scheme, which supports mobility, low latency, and location awareness through fog computing, and reduces expenses by generating pseudonyms using two hash chains. Navdeti et al. [30] proposed a fog-based VANET privacy protection and secure data sharing scheme. By outsourcing the data to cloud servers and implementing fine-grained access control, data forwarding is reduced, and bandwidth requirements are lowered through fog computing. Wang et al. [31] designed a road condition monitoring scheme based on cloud that incorporates a hierarchical structure with a root authority (RA) and sub-authorities. This method improves response speed by using multiple sub-authorities and reduces the pressure on the root authority. The cloud server can quickly verify the validity of ciphertexts and categorize traffic condition reports based on equivalence classes to achieve batch processing of tasks. In order to resist DoS attacks and improve communication efficiency, Wei et al. [32] introduced a multi-TA scheme designed for privacy protection under specific conditions, employing fog computing to enhance communication efficiency and facilitate the revocation of identities of illegal vehicles. Yang et al. [33] proposed an anonymous certificateless aggregated signature encryption system for conditional privacy protection. This scheme aggregates the signed messages from neighboring vehicles into aggregate ciphertexts using fog nodes, and batch verifies them. This scheme avoids key escrow and pseudonym management. Fog-cloud-based VANETs can enhance system computing capacity and communication efficiency, and reduce pressure on TA. However, few schemes combine clouds and fog, forming a more scalable cloud-fog architecture.

In terms of combining with blockchain, Liu et al. [34] implemented conditional privacy protection using identity-based group signatures and managed vehicle reputation values using blockchain to identify the reliability of messages. In order to improve the efficiency of blockchain-based conditional privacy protection authentication schemes, Zhou et al. [35] proposed the use of knowledge signatures for identity verification to improve efficiency and eliminate the need for secure channels for key distribution. Yang et al. [36] proposed an access control scheme for partial data privacy in VANETs using function encryption. This scheme divides data access into offline and online stages to reduce online computation costs and improve efficiency. The blockchain is used to guarantee identity records and prevent data tampering. To meet the requirements of high mobility and real-time performance in VANETs, Lin et al. [37] used a one-time public key generation mechanism to generate anonymous public keys and used knowledge signatures for authentication. The anonymous public keys for data sharing can be generated and published on the blockchain in advance, improving the overall performance of the protocol. However, none of the above schemes consider the requirements of vehicle social networking, which motivated us to propose a dynamic privacy-preserving anonymous authentication scheme for condition-matching in fog-cloud-based VANETs.

3. Preliminary

3.1. Elliptic Curve Cryptosystem

The definition of an elliptic curve over the finite field $Z_p^{*}$ with prime order p is $E:$$y^2=x^3+ax+b(modp)$, where the condition $4a^3+27b^2\ne 0modp$ is satisfied. The group representation on the elliptic curve is defined as $G=\left\{(x,y)\mid y^2=x^3+ax+b,a,b\in Z_p^{*}\right\}\cup \left\{\mathcal{O}\right\}$, where $\mathcal{O}$ is called the point at infinity [38].

3.2. Related Complexity Assumptions

The security of the proposed scheme relies on the following complexity assumptions.

• Computational Discrete Logarithm (DL) Assumption: For a given generator P of group G and a point $Q=aP\in G$, there exists no polynomial-time algorithm capable of determining the integer $a\in Z_p^{*}$.
• Decisional Computational Diffie-Hellman (CDH) Assumption: When provided with the tuple $(P,aP,bP,cP)$ in group G, where $a,b,c\in Z_p^{*}$ are unknown, no polynomial-time algorithm can distinguish whether $cP=abP$ or represents a random element in G.

4. Scheme Formulation

4.1. System Model

The system model is illustrated in Figure 1, and the key entities are introduced below.

• Trusted Authority (TA): Responsible for global initialization and creating the main key pair of the system. Also, help to generate public and private key pairs for fog nodes to avoid key escrow issues. TA acts as the root TA and is not directly responsible for vehicle registration.
• Fog Node (FN): Acts as a subordinate TA and registers with TA. Responsible for managing vehicle registration on the road segment. Adopts a certificateless approach to avoid vehicle key escrow issues.
• Vehicle (VH): Participant in traffic. Vehicles register with fog nodes to obtain public-private key pairs. Vehicles can autonomously establish cross-domain groups based on traffic conditions and securely communicate within the group using negotiated secure keys.
• Cloud Server (CS): Serves as the system’s data storage hub and message distribution center. Stores encrypted messages from vehicles and broadcasts them to other group members. Facilitates efficient communication and message retrieval.

Figure 1. System architecture.

Figure 1. System architecture.

Next, we will explain the system workflow in detail.

• $TA$ performs global initialization of the privacy-preserving vehicular communication system, creating the main key pair and other public parameters. $TA$ securely stores the master key locally and publicly exposes the public parameters to other entities in the system.
• The fog node ($FN$) registers with $TA$. $FN$ chooses a random secret value and generates partial keys to send to $TA$ along with its identity information. If $FN$ is verified as legitimate, $TA$ computes another partial key for $FN$ and generates pseudonyms. $FN$ combines its self-created partial key with the partial key generated by $TA$ to form its final key pair.
• The vehicle ($VH$) registers with $FN$. $VH$ chooses a random secret value and generates partial keys to send to $FH$ along with its identity information. If the information sent by $VH$ is verified as legitimate, $FN$ incorporates traffic conditions and a valid time period to generate partial keys and pseudonyms for $VH$. By combining its self-generated partial key with the partial key generated by $FN$, $VH$ obtains a complete key pair.
• When a group of vehicles (crossing fog nodes) wishes to establish a condition-based session group, they first use an anonymous authenticated key agreement to generate a group session key. Subsequently, the key obtained through negotiation is used to encrypt the sessions within the group.
• During the communication phase, the message-sending vehicle transmits the message to the CS, which stores it and broadcasts it to other vehicles. Vehicles within the group can retrieve the complete encrypted message from the CS at any time.
• When a vehicle applies to leave the existing group or a new vehicle joins the new group, the system recomputes and updates the group’s session key.

Remark 1. 

Crossing fog nodes refers to a vehicle registered at one RSU wishing to communicate with other vehicles registered at another RSU, which may be in a different city and crossing different fog nodes, in order to form a group.

4.2. Security Requirements

The system needs to have the following functions and can provide a series of security protections.

• Mutual authentication: We select $V{H}_{{\rho }_0,{\theta }_0}$ as the vehicle with higher computational power, while $V{H}_{{\rho }_i,{\theta }_i}$ ($1\le i\le n$) represents vehicles with relatively weaker computational power. For the security of the group sessions based on traffic condition matching, mutual authentication between group members $V{H}_{{\rho }_0,{\theta }_0}$ and $V{H}_{{\rho }_i,{\theta }_i}$ becomes very important.
• Fog node anonymity: In order to eliminate some malicious users from obtaining the location information of vehicles through fog nodes, the scheme must generate pseudonyms for each fog node, and entities other than TA cannot obtain the real identity of fog nodes.
• Vehicle anonymity: In a socially attribute-enabled VANET, protecting the identity privacy of vehicles is crucial. A secure group session authentication key protocol should ensure the anonymity of vehicles, and entities other than TA cannot recover the real identity of vehicles from pseudonyms.
• Fog node traceability: When a malicious event involving a fog node ($FN$) is received, $TA$ can obtain the real identity of $FN$ from pseudonyms to achieve fog node traceability.
• Vehicle traceability: When malicious behavior of a vehicle ($VH$) is discovered, $FN$ can use pseudonyms to obtain the real identity of $VH$ to achieve vehicle traceability.
• Session key establishment: The communication key negotiation within the group is achieved through mutual authentication of all members in the group, creating a session key used to encrypt communication messages among vehicles in the group.
• Cross-domain authenticated key agreement: This scheme must allow the creation of groups between vehicles based on road conditions in different RSUs domains. Cross-domain vehicle groups are crucial for vehicle-based social topics.
• Traffic condition matching: Sharing VANETs-related traffic information is achieved by establishing groups based on traffic condition matching. Only vehicles encountering the same traffic conditions can negotiate a group session key. This traffic condition is invisible to potential attackers.
• Time-limited keys: The establishment of VANETs groups has temporary and spontaneous characteristics, so a time-limited key mechanism can ensure that vehicle keys automatically expire, improving security.
• Perfect forward secrecy: The scheme must have forward secrecy to ensure the confidentiality of intra-group communication in VANETs. Even if a malicious user gains knowledge of the group vehicles, they cannot derive the original group session key.
• Resistance against replay attacks: This scheme should be able to avoid the harm caused by replay attacks, where attackers repetitively send valid messages to vehicles, fog nodes, or TA.
• Resistance against impersonation attacks: The scheme should be able to resist impersonation attacks, where attackers pretend to be one of the entities involved in the scheme and send misleading information to the other communicating party.
• Resistance against tampering attacks: Prevent tampering attacks, where attackers secretly modify transmitted information in VANET communication without the knowledge of the communicating party.

4.3. Security Model

In this scheme, we will establish two categories of adversaries [39,40].

Adversary I: This category of adversary is represented as ${\mathcal{A}}_{\mathcal{I}}$. ${\mathcal{A}}_{\mathcal{I}}$ is unable to obtain the master key $MSK$ of TA, but ${\mathcal{A}}_{\mathcal{I}}$ can query the public keys of fog nodes and vehicles, and ${\mathcal{A}}_{\mathcal{I}}$ has the ability to replace the public keys with forged ones. ${\mathcal{A}}_{\mathcal{I}}$ can freely query partial private keys and the secret values generated by $FN$ and $VH$, or attempt to disrupt partial private keys and the secret values of $FN$ and $VH$. The constraints for ${\mathcal{A}}_{\mathcal{I}}$ are: (1) ${\mathcal{A}}_{\mathcal{I}}$ cannot disrupt the challenger vehicles, (2) if the public keys of $FN$ and $VH$ are replaced, ${\mathcal{A}}_{\mathcal{I}}$ is not allowed to query the partial private keys of $FN$ and $VH$ or disrupt $FN$ and $VH$. ${\mathcal{A}}_{\mathcal{I}}$ effectively simulates a malicious vehicle in the system.

Adversary II: This category of adversary is represented as ${\mathcal{A}}_{\mathcal{II}}$, which has access to the master key $MSK$ of TA. However, ${\mathcal{A}}_{\mathcal{II}}$ does not replace the permissions of the VANETs vehicle public key. With the knowledge of TA’s master key $MSK$, ${\mathcal{A}}_{\mathcal{II}}$ can compute the partial private keys of all vehicles. The constraint for ${\mathcal{A}}_{\mathcal{II}}$ is not to disrupt the challenger vehicles. ${\mathcal{A}}_{\mathcal{II}}$ can be conceptualized as a simulation of eavesdropping on $TA$.

Defined by an interactive game consisting of an adversary $\mathcal{A}$ and a challenger $\mathcal{C}$, the security model of this scheme is established.

Initialization: In this phase, the challenger $\mathcal{C}$ first creates the system’s public parameters and master public key, then exposes it to the adversary $\mathcal{A}$. If the adversary belongs to type ${\mathcal{A}}_{\mathcal{I}}$, $\mathcal{C}$ keeps the master key secret. If $\mathcal{A}$ is of type ${\mathcal{A}}_{\mathcal{II}}$, $\mathcal{C}$ reveals the master key to $\mathcal{A}$ but restricts ${\mathcal{A}}_{\mathcal{II}}$ adversaries from making substitution key requests in subsequent games.

Query Phase: During this phase, the adversary $\mathcal{A}$ can initiate various queries beyond constraints.

• Hash Query: A hash function $H_i$ and a message $m_i$ are specified by the adversary $\mathcal{A}$ to query the challenger $\mathcal{C}$. The corresponding hash value is generated by the challenger $\mathcal{C}$ and returned to $\mathcal{A}$.
• Symmetric Encryption Query: The adversary $\mathcal{A}$ initiates a symmetric encryption query using a symmetric key $k_i$ and a message $m_i$. The challenger $\mathcal{C}$ responds by providing the ciphertext $c_i$.
• Extract Secret Value of $F{N}_{{\rho }_i}$: The adversary $\mathcal{A}$ initiates a query for the secret value of fog node $F{N}_{{\rho }_i}$. In response, the challenger $\mathcal{C}$ discloses the secret value of $F{N}_{{\rho }_i}$ to $\mathcal{A}$.
• Extract Partial Key of $F{N}_{{\rho }_i}$: The adversary $\mathcal{A}$ initiates queries to extract the partial secret key associated with fog node $F{N}_{{\rho }_i}$. In response, the challenger $\mathcal{C}$ discloses the partial secret key of $F{N}_{{\rho }_i}$ to $\mathcal{A}$.
• Request public key of $F{N}_{{\rho }_i}$: Public keys are made accessible to adversaries. The adversary $\mathcal{A}$ initiates queries to extract the public key associated with fog node $F{N}_{{\rho }_i}$. In response, the challenger $\mathcal{C}$ provides the public key $P{K}_{F{N}_{{\rho }_i}}$ to $\mathcal{A}$.
• Replace public key of $F{N}_{{\rho }_i}$: The adversary $\mathcal{A}$ has the capability to substitute $P{K}_{F{N}_{{\rho }_i}}$ with a carefully chosen valid public key replacement, denoted as $P{K}_{F{N}_{{\rho }_i}}^{\prime }$. It is important to note that the public key of the challenged fog node cannot undergo replacement, imposing a specific restriction.
• Extract secret value from $V{H}_{{\rho }_i,{\theta }_i}$: The adversary $\mathcal{A}$ initiates queries to obtain the secret value associated with vehicle $V{H}_{{\rho }_i,{\theta }_i}$. In response, the challenger $\mathcal{C}$ discloses the secret value of $V{H}_{{\rho }_i,{\theta }_i}$ to $\mathcal{A}$.
• Extract partial secret key from $V{H}_{{\rho }_i,{\theta }_i}$: The adversary $\mathcal{A}$ initiates queries to obtain the partial secret key associated with vehicle $V{H}_{{\rho }_i,{\theta }_i}$. In response, the challenger $\mathcal{C}$ discloses the partial secret key of $V{H}_{{\rho }_i,{\theta }_i}$ to $\mathcal{A}$.
• Request public key of $V{H}_{{\rho }_i,{\theta }_i}$: Public keys are made accessible to adversaries. The adversary $\mathcal{A}$ initiates queries to obtain the public key associated with vehicle $V{H}_{{\rho }_i,{\theta }_i}$. In response, the challenger $\mathcal{C}$ provides the public key $P{K}_{V{H}_{{\rho }_i,{\theta }_i}}$ to $\mathcal{A}$.
• Replace public key of $V{H}_{{\rho }_i,{\theta }_i}$: The adversary $\mathcal{A}$ possesses the capability to substitute $P{K}_{V{H}_{{\rho }_i,{\theta }_i}}$ with a carefully chosen valid public key replacement, denoted as $P{K}_{V{H}_{{\rho }_i,{\theta }_i}}^{\prime }$. It is crucial to highlight that the public key of the challenged vehicle cannot undergo replacement, subject to specific restrictions.
• Execute: Upon receiving an execution request from $\mathcal{A}$, the challenger $\mathcal{C}$ generates and returns the response information to $\mathcal{A}$.
• Reveal group authenticated key: Upon receiving a query for the group authenticated key, the challenger $\mathcal{C}$ discloses the group authenticated key $GSK$ to $\mathcal{A}$.
• Corrupt $F{N}_{{\rho }_i}$: In response to the corruption query targeting fog node $F{N}_{{\rho }_i}$, the challenger $\mathcal{C}$ divulges the secret key $S{K}_{F{N}_{{\rho }_i}}$.
• Corrupt $V{H}_{{\rho }_i,{\theta }_i}$: In response to the corruption query targeting vehicle $V{H}_{{\rho }_i,{\theta }_i}$, the challenger $\mathcal{C}$ discloses the secret key $S{K}_{V{H}_{{\rho }_i,{\theta }_i}}$.
• Test: In the $Test$ phase, a coin b is randomly tossed by the challenger $\mathcal{C}$ from the set $\{0,1\}$. If b equals 1, $\mathcal{C}$ furnishes $\mathcal{A}$ with the genuine authentication information among the challenged vehicles. If b equals 0, randomly selected authentication information will be provided.

Response: Finally, the adversary $\mathcal{A}$ submits a guessed result $b^{\prime }$ to the challenger $\mathcal{C}$. Should $b^{\prime }$ be equal to b, the adversary wins the game, and the advantage is computed as $Adv\left(\mathcal{A}\right)=|Pr[b^{\prime }=b]-1/2|$.

Definition 1. 

This scheme’s security is contingent on the polynomial-time adversary $\mathcal{A}$ (of either type ${\mathcal{A}}_{\mathcal{I}}$ or ${\mathcal{A}}_{\mathcal{II}}$) being unable to win the interactive game with a non-negligible advantage. In simpler terms, any polynomial-time adversary $\mathcal{A}$ that attains a non-negligible advantage $Adv\left(\mathcal{A}\right)$ in the game is deemed negligible.

5. The Proposed System

In

Table 1. Notations.

Notation	Description
p	a prime number
$\kappa$	security parameter
$a{\in }_{R}S$	a is randomly chosen from S
$\mathcal{K}$	symmetric key space of $SEnc/SDec$
$SEnc/SDec$	secure symmetric encryption/decryption
$H_0$	secure hash function $H_0:{\{0,1\}}^{*}\to \mathcal{K}$
$H_i$	secure hash function $H_i:{\{0,1\}}^{*}\to Z_p^{*}$ ($1\le i\le 6$)
$\mathcal{TC}=(T{C}_1,T{C}_2,\cdots )$	a set of traffic conditions
$TA$	trusted authority
$MPK/MSK$	master public/secret key of the system
$F{N}_{{\rho }_i}$	the ${\rho }_i$-th fog node
$PI{D}_{F{N}_{{\rho }_i}}$	the pseudo-identity of $F{N}_{{\rho }_i}$
$V{H}_{{\rho }_i,{\theta }_i}$	the ${\theta }_i$-th vehicle in the ${\rho }_i$-th fog node domain
$PI{D}_{V{H}_{{\rho }_i,{\theta }_i}}$	the pseudo-identity of $V{H}_{{\rho }_i,{\theta }_i}$
$P{K}_{F{N}_{{\rho }_i}}/S{K}_{F{N}_{{\rho }_i}}$	public/secret key of $F{N}_{{\rho }_i}$
$P{K}_{V{H}_{{\rho }_i,{\theta }_i}}/S{K}_{V{H}_{{\rho }_i,{\theta }_i}}$	public/secret key of $V{H}_{{\rho }_i,{\theta }_i}$
$V{T}_{V{H}_{{\rho }_i,{\theta }_i}}$	valid time of $V{H}_{{\rho }_i,{\theta }_i}$’s public/secret keys
$V{H}_{{\rho }_0,{\theta }_0}$	powerful vehicle
$\{V{H}_{{\rho }_1,{\theta }_1},·,V{H}_{{\rho }_n,{\theta }_n}\}$	low-power computation vehicles
$GSK$	group session key

, we establish the primary symbols and terms utilized throughout this document. Following this, we detail the initial configuration of the system, the registration processes for both fog nodes and vehicles, the protocols for group key agreement, and the procedures for dynamic vehicle management. The verification of the system’s operational accuracy is presented in Supplemental Material A.

5.1. Initial Configuration Stage

The $TA$ initiates the $setup$ algorithm by taking the security parameter $\kappa \in Z^{+}$ as an input. This process results in the derivation of system parameters along with a key pair, consisting of the system’s master public and secret keys.

(1) Opting for an elliptic curve E over a finite field p, the $TA$ makes a selection, where G represents the elliptic curve group and P is its generator.

(2) $TA$ randomly chooses $x{\in }_R{Z}_p^{*}$ and calculates $P_{pub}=xP$. The system master secret key is $MSK=x$ and master public key is $MPK=(P,P_{pub})$.

(3) For secure encryption/decryption, $TA$ chooses a symmetric pair ($SEnc/SDec$) with a key space $\mathcal{K}$. Additionally, $TA$ chooses cryptographic hash functions $H_0:{\{0,1\}}^{*}\to \mathcal{K}$ and $H_i:{\{0,1\}}^{*}\to Z_p^{*}$ ($1\le i\le 6$) that are resistant to collusion.

(4) Publication by $TA$ includes the master public key $MPK$ and the system’s public parameters $(G,SEnc,SDec,H_0,H_1,$$\cdots ,H_6)$. The master secret key $MSK$ is retained in confidence by $TA$.

5.2. Fog Node Registration

In the pursuit of joining the system as the i-th fog node, $F{N}_{{\rho }_i}$ initiates its registration with $TA$. Upon receiving the registration request, $TA$ undertakes a validation process to ascertain the functionality of $F{N}_{{\rho }_i}$ as an RSU. If the evaluation proves negative, the request is dismissed; however, in the affirmative case, $TA$ and $F{N}_{{\rho }_i}$ engage in mutual collaboration to establish the key pair for $F{N}_{{\rho }_i}$. It is noteworthy that this key generation process operates in a key escrow-free and certificateless manner.

(1) Set Secret Value: The fog node $F{N}_{{\rho }_i}$ with identity $I{D}_{F{N}_{{\rho }_i}}$ selects $x_{F{N}_{{\rho }_i}}{\in }_R{Z}_p^{*}$ and computers $P_{F{N}_{{\rho }_i}}=x_{F{N}_{{\rho }_i}}P$. Upon determining the secret value, $F{N}_{{\rho }_i}$ designates $x_{F{N}_{{\rho }_i}}$ and conveys the pair $(I{D}_{F{N}_{{\rho }_i}},P_{F{N}_{{\rho }_i}})$ to $TA$ through a secure channel.

(2) Partial Secret Key Extraction: This algorithm takes $TA$’s master secret key $MSK$, $F{N}_{{\rho }_i}$’s identity $I{D}_{F{N}_{{\rho }_i}}$ and the public value $P_{F{N}_{{\rho }_i}}$ as input, it outputs $F{N}_{{\rho }_i}$’s partial secret key and pseudo identity.

• $TA$ selects ${\mu }_{F{N}_{{\rho }_i}}{\in }_R{Z}_p^{*}$ and computes $F{N}_{{\rho }_i}$’s pseudo identity: $PI{D}_{F{N}_{{\rho }_i}}=SEn{c}_{H_0\left(x\right)}(I{D}_{F{N}_{{\rho }_i}},{\mu }_{F{N}_{{\rho }_i}}).$
• $TA$ chooses $r_{F{N}_{{\rho }_i}}{\in }_R{Z}_p^{*}$ and computes $R_{F{N}_{{\rho }_i}}=r_{F{N}_{{\rho }_i}}P,{\alpha }_{F{N}_{{\rho }_i}}=H_1(PI{D}_{F{N}_{{\rho }_i}},P_{F{N}_{{\rho }_i}},R_{F{N}_{{\rho }_i}}).$
• $TA$ calculates $y_{F{N}_{{\rho }_i}}={\alpha }_{F{N}_{{\rho }_i}}x+r_{F{N}_{{\rho }_i}}$ and sends the partial secret key $y_{F{N}_{{\rho }_i}}$ to $F{N}_{{\rho }_i}$ via secure channel.
• Upon receiving $y_{F{N}_{{\rho }_i}}$, $F{N}_{{\rho }_i}$ verifies the equation

  $$y_{F{N}_{{\rho }_i}}P={\alpha }_{F{N}_{{\rho }_i}}{P}_{pub}+R_{F{N}_{{\rho }_i}}.$$

  (1)
  The validity of the partial secret key $y_{F{N}_{{\rho }_i}}$ is contingent on the equation holding, and vice versa.

(3) Set Secret Value: The fog node $F{N}_{{\rho }_i}$, identified by the pseudo identity $PI{D}_{F{N}_{{\rho }_i}}$, assigns $S{K}_{F{N}_{{\rho }_i}}=(x_{F{N}_{{\rho }_i}},y_{F{N}_{{\rho }_i}})$ as its confidential secret key.

(4) Set Public Key: The fog node $F{N}_{{\rho }_i}$, associated with the pseudo identity $PI{D}_{F{N}_{{\rho }_i}}$, designates $P{K}_{F{N}_{{\rho }_i}}=(P_{F{N}_{{\rho }_i}},R_{F{N}_{{\rho }_i}})$ as its public key, accessible within the system.

5.3. Vehicle Reporting and Registration

A vehicle $V{H}_{{\rho }_i,{\theta }_i}$ informs a fog node $F{N}_{{\rho }_i}$ about a traffic condition $T{C}_{V{H}_{{\rho }_i,{\theta }_i}}\in \mathcal{TC}$. Subsequently, $F{N}_{{\rho }_i}$ and $V{H}_{{\rho }_i,{\theta }_i}$ engage in an interaction to generate the public/secret key for $V{H}_{{\rho }_i,{\theta }_i}$. Notably, this key generation procedure is designed to circumvent the key escrow problem. $TA$ establishes a predefined expiration time $V{T}_{V{H}_{{\rho }_i,{\theta }_i}}$ for the key pair of each vehicle. For example, if the key’s expiration time is set to 1 December 2023, at 14:30, it is represented as “202312011430”. Other vehicles can verify whether the key of that vehicle is within its validity period based on $V{T}_{V{H}_{{\rho }_i,{\theta }_i}}$.

(1) Set Secret Value: The vehicle $V{H}_{{\rho }_i,{\theta }_i}$ with identity $I{D}_{V{H}_{{\rho }_i,{\theta }_i}}$ selects $x_{V{H}_{{\rho }_i,{\theta }_i}}{\in }_R{Z}_p^{*}$ and computes $P_{V{H}_{{\rho }_i,{\theta }_i}}=x_{V{H}_{{\rho }_i,{\theta }_i}}P$. Then, $V{H}_{{\rho }_i,{\theta }_i}$ sets $x_{V{H}_{{\rho }_i,{\theta }_i}}$ as the secret value and securely transmits $(I{D}_{V{H}_{{\rho }_i,{\theta }_i}},P_{V{H}_{{\rho }_i,{\theta }_i}})$ to $F{N}_{{\rho }_i}$ through the secure channel.

(2) Partial Secret Key Extraction: As input, $F{N}_{{\rho }_i}$’s secret key $S{K}_{F{N}_{{\rho }_i}}$, $V{H}_{{\rho }_i,{\theta }_i}$’s identity $I{D}_{V{H}_{{\rho }_i,{\theta }_i}}$, and the public value $P_{V{H}_{{\rho }_i,{\theta }_i}}$ are taken by this algorithm. In turn, $V{H}_{{\rho }_i,{\theta }_i}$’s pseudo-identity and partial secret key are outputted.

• $F{N}_{{\rho }_i}$ selects ${\mu }_{V{H}_{{\rho }_i,{\theta }_i}}{\in }_R{Z}_p^{*}$ and computes $P_{V{H}_{{\rho }_i,{\theta }_i}}$’s pseudo-identity: $PI{D}_{V{H}_{{\rho }_i,{\theta }_i}}=SEn{c}_{H_0(x_{F{N}_{{\rho }_i}},y_{F{N}_{{\rho }_i}})}(I{D}_{V{H}_{{\rho }_i,{\theta }_i}},{\mu }_{V{H}_{{\rho }_i,{\theta }_i}}).$
• $F{N}_{{\rho }_i}$ chooses $r_{V{H}_{{\rho }_i,{\theta }_i}}{\in }_R{Z}_p^{*}$ and computes $R_{V{H}_{{\rho }_i,{\theta }_i}}=r_{V{H}_{{\rho }_i,{\theta }_i}}P,{\beta }_{V{H}_{{\rho }_i,{\theta }_i}}=H_2(PI{D}_{F{N}_{{\rho }_i}},PI{D}_{V{H}_{{\rho }_i,{\theta }_i}},P_{V{H}_{{\rho }_i,{\theta }_i}},R_{V{H}_{{\rho }_i,{\theta }_i}},V{T}_{V{H}_{{\rho }_i,{\theta }_i}},T{C}_{V{H}_{{\rho }_i,{\theta }_i}}).$
• $F{N}_{{\rho }_i}$ calculates $y_{V{H}_{{\rho }_i,{\theta }_i}}={\beta }_{V{H}_{{\rho }_i,{\theta }_i}}(x_{F{N}_{{\rho }_i}}+y_{F{N}_{{\rho }_i}})+r_{V{H}_{{\rho }_i,{\theta }_i}}$ and sends the partial secret key $y_{V{H}_{{\rho }_i,{\theta }_i}}$ to $V{H}_{{\rho }_i,{\theta }_i}$ via secure channel.
• Receiving $y_{V{H}_{{\rho }_i,{\theta }_i}}$, the vehicle $V{H}_{{\rho }_i,{\theta }_i}$ verifies whether the following equation is equal:

  $$y_{V{H}_{{\rho }_i,{\theta }_i}}P={\beta }_{V{H}_{{\rho }_i,{\theta }_i}}(P_{F{N}_{{\rho }_i}}+{\alpha }_{F{N}_{{\rho }_i}}{P}_{pub}+R_{F{N}_{{\rho }_i}})+R_{V{H}_{{\rho }_i,{\theta }_i}}.$$

  (2)
  The validity of the partial secret key $y_{V{H}_{{\rho }_i,{\theta }_i}}$ is contingent on the equation holding, and vice versa.

(3) Set Secret Key: The secret key $S{K}_{V{H}_{{\rho }_i,{\theta }_i}}=(x_{V{H}_{{\rho }_i,{\theta }_i}},y_{V{H}_{{\rho }_i,{\theta }_i}})$ is adopted by the vehicle $V{H}_{{\rho }_i,{\theta }_i}$ and is confidentially stored.

(4) Set Public Key: Adopting $P{K}_{V{H}_{{\rho }_i,{\theta }_i}}=(P_{V{H}_{{\rho }_i,{\theta }_i}},R_{V{H}_{{\rho }_i,{\theta }_i}},V{T}_{V{H}_{{\rho }_i,{\theta }_i}})$ as its public key, the vehicle $V{H}_{{\rho }_i,{\theta }_i}$ makes this information public within the system.

5.4. Condition-Matching-Based Authenticated Key Agreement

Assuming the vehicles $V_0=\{V{H}_{{\rho }_1,{\theta }_1},\cdots \}$ and $V{H}_{{\rho }_0,{\theta }_0}$ aim to establish a secure group communication based on condition-matching, ensuring the security of their traffic discussions. The first step involves establishing a group session key. In this scenario, vehicle $V{H}_{{\rho }_0,{\theta }_0}$ possesses relatively robust computational capabilities, while the vehicles within $V_0$ have lower computational power. The group-authenticated key agreement unfolds through the following interactive steps.

• Mutual Authentication Requests Within the Group:

The powerful vehicle $V{H}_{{\rho }_0,{\theta }_0}$ sends $(PI{D}_{F{N}_{{\rho }_0}},PI{D}_{V{H}_{{\rho }_0,{\theta }_0}})$ to $V_0$, and $V{H}_{{\rho }_i,{\theta }_i}\in V_0$ sends $(PI{D}_{F{N}_{{\rho }_i}},PI{D}_{V{H}_{{\rho }_i,{\theta }_i}})$ to $V{H}_{{\rho }_0,{\theta }_0}$.

Receiving the messages $(PI{D}_{F{N}_{{\rho }_0}},PI{D}_{V{H}_{{\rho }_0,{\theta }_0}})$, the vehicle $V{H}_{{\rho }_i,{\theta }_i}\in V_0$ chooses $a_{V{H}_{{\rho }_i,{\theta }_i}}{\in }_R{Z}_p^{*}$ and computes $$\begin{gathered} A_{V{H}_{{\rho }_i,{\theta }_i}}=a_{V{H}_{{\rho }_i,{\theta }_i}}·P,b_{V{H}_{{\rho }_i,{\theta }_i}}=(a_{V{H}_{{\rho }_i,{\theta }_i}}+{\gamma }_{V{H}_{{\rho }_i,{\theta }_i}}+x_{V{H}_{{\rho }_i,{\theta }_i}}+y_{V{H}_{{\rho }_i,{\theta }_i}})·P,{\mathrm{\Gamma }}_{V{H}_{{\rho }_i,{\theta }_i}}= \\ {a}_{V{H}_{{\rho }_i,{\theta }_i}}{y}_{V{H}_{{\rho }_i,{\theta }_i}}·P+[P_{V{H}_{{\rho }_0,{\theta }_0}}+{\beta }_{V{H}_{{\rho }_0,{\theta }_0}}(P_{F{N}_{{\rho }_0}}+{\alpha }_{F{N}_{{\rho }_0}}{P}_{pub}+R_{F{N}_{{\rho }_0}})+R_{V{H}_{{\rho }_0,{\theta }_0}}], \end{gathered}$$ where $$\begin{gathered} {\alpha }_{F{N}_{{\rho }_0}}=H_1(PI{D}_{F{N}_{{\rho }_0}},P_{F{N}_{{\rho }_0}},R_{F{N}_{{\rho }_0}}),{\beta }_{V{H}_{{\rho }_0,{\theta }_0}}=H_2(PI{D}_{F{N}_{{\rho }_0}},PI{D}_{V{H}_{{\rho }_0,{\theta }_0}},P_{V{H}_{{\rho }_0,{\theta }_0}},R_{V{H}_{{\rho }_0,{\theta }_0}}, \\ V{T}_{V{H}_{{\rho }_0,{\theta }_0}},T{C}_{V{H}_{{\rho }_i,{\theta }_i}}),{\gamma }_{V{H}_{{\rho }_i,{\theta }_i}}=H_3(A_{V{H}_{{\rho }_i,{\theta }_i}},P_{V{H}_{{\rho }_i,{\theta }_i}},R_{V{H}_{{\rho }_i,{\theta }_i}},V{T}_{V{H}_{{\rho }_i,{\theta }_i}},T{C}_{V{H}_{{\rho }_i,{\theta }_i}}). \end{gathered}$$

Then, $V{H}_{{\rho }_i,{\theta }_i}$ sends $(A_{V{H}_{{\rho }_i,{\theta }_i}},b_{V{H}_{{\rho }_i,{\theta }_i}},{\mathrm{\Gamma }}_{V{H}_{{\rho }_i,{\theta }_i}})$ to $V{H}_{{\rho }_0,{\theta }_0}$, for $1\le i\le n$.

• Authentication Process for High-Computational-Power Vehicles:

When the vehicle $V{H}_{{\rho }_0,{\theta }_0}$ receives messages $(A_{V{H}_{{\rho }_i,{\theta }_i}},b_{V{H}_{{\rho }_i,{\theta }_i}},{\mathrm{\Gamma }}_{V{H}_{{\rho }_i,{\theta }_i}})$ from each vehicle $V{H}_{{\rho }_i,{\theta }_i}\in V_0$, $V{H}_{{\rho }_0,{\theta }_0}$ verifies whether $b_{V{H}_{{\rho }_i,{\theta }_i}}-(A_{V{H}_{{\rho }_i,{\theta }_i}}+{\gamma }_{V{H}_{{\rho }_i,{\theta }_i}}P)=P_{V{H}_{{\rho }_i,{\theta }_i}}+{\beta }_{V{H}_{{\rho }_i,{\theta }_i}}(P_{F{N}_{{\rho }_i}}+{\alpha }_{F{N}_{{\rho }_i}}{P}_{pub}+R_{F{N}_{{\rho }_i}})+R_{V{H}_{{\rho }_i,{\theta }_i}}$, where $$\begin{gathered} {\alpha }_{F{N}_{{\rho }_i}}=H_1(PI{D}_{F{N}_{{\rho }_i}},P_{F{N}_{{\rho }_i}},R_{F{N}_{{\rho }_i}}),{\beta }_{V{H}_{{\rho }_i,{\theta }_i}}=H_2(PI{D}_{F{N}_{{\rho }_i}},PI{D}_{V{H}_{{\rho }_i,{\theta }_i}},P_{V{H}_{{\rho }_i,{\theta }_i}},R_{V{H}_{{\rho }_i,{\theta }_i}}, \\ V{T}_{V{H}_{{\rho }_i,{\theta }_i}},T{C}_{V{H}_{{\rho }_0,{\theta }_0}}),{\gamma }_{V{H}_{{\rho }_i,{\theta }_i}}=H_3 \end{gathered}$$$(A_{V{H}_{{\rho }_i,{\theta }_i}},P_{V{H}_{{\rho }_i,{\theta }_i}},R_{V{H}_{{\rho }_i,{\theta }_i}},V{T}_{V{H}_{{\rho }_i,{\theta }_i}},T{C}_{V{H}_{{\rho }_0,{\theta }_0}}).$

If the above equation holds true, it indicates that the identity of $V{H}_{{\rho }_i,{\theta }_i}$ has been verified and $V{H}_{{\rho }_i,{\theta }_i}$ encounters the same traffic condition as $V{H}_{{\rho }_0,{\theta }_0}$. Suppose the verified vehicle set be $U=\{V{H}_{{\rho }_1,{\theta }_1},\cdots ,V{H}_{{\rho }_n,{\theta }_n}\}$. $V{H}_{{\rho }_0,{\theta }_0}$ sets $PI{D}_U=PI{D}_{V{H}_{{\rho }_1,{\theta }_1}}\left|\right|\cdots \left|\right|PI{D}_{V{H}_{{\rho }_n,{\theta }_n}}$.

Then, $V{H}_{{\rho }_0,{\theta }_0}$ chooses $a_{V{H}_{{\rho }_0,{\theta }_0}}{\in }_R{Z}_p^{*}$ and computes $$\begin{gathered} {\mathrm{\Gamma }}_{V{H}_{{\rho }_i,{\theta }_i}}^{\prime }=a_{V{H}_{{\rho }_0,{\theta }_0}}{y}_{V{H}_{{\rho }_0,{\theta }_0}}·P+(x_{V{H}_{{\rho }_0,{\theta }_0}}+y_{V{H}_{{\rho }_0,{\theta }_0}})·P-{\mathrm{\Gamma }}_{V{H}_{{\rho }_i,{\theta }_i}},{\mathrm{\Gamma }}_U={\sum }_{V{H}_{{\rho }_i,{\theta }_i}\in U}{\mathrm{\Gamma }}_{V{H}_{{\rho }_i,{\theta }_i}}^{\prime } \\ {K}_{V{H}_{{\rho }_0,{\theta }_0}}=H_4\left({\mathrm{\Gamma }}_U\right)·P,GSK=H_5(PI{D}_U,PI{D}_0,T{C}_{V{H}_{{\rho }_0,{\theta }_0}},K_{V{H}_{{\rho }_0,{\theta }_0}}),Z_{V{H}_{{\rho }_i,{\theta }_i}}=H_4\left({\mathrm{\Gamma }}_U\right)·P \\ +r_{V{H}_{{\rho }_0,{\theta }_0}}{A}_{V{H}_{{\rho }_i,{\theta }_i}},{\mathrm{\Lambda }}_{V{H}_{{\rho }_i,{\theta }_i}}=a_{V{H}_{{\rho }_0,{\theta }_0}}{y}_{V{H}_{{\rho }_0,{\theta }_0}}·P+[P_{V{H}_{{\rho }_i,{\theta }_i}}+{\beta }_{V{H}_{{\rho }_i,{\theta }_i}}(P_{F{N}_{{\rho }_i}}+{\alpha }_{F{N}_{{\rho }_i}}{P}_{pub}+ \\ {R}_{F{N}_{{\rho }_i}})+R_{V{H}_{{\rho }_i,{\theta }_i}}],Aut{h}_{0,i}=H_6(PI{D}_U,{\mathrm{\Lambda }}_{V{H}_{{\rho }_i,{\theta }_i}},{\mathrm{\Gamma }}_{V{H}_{{\rho }_i,{\theta }_i}},{\mathrm{\Gamma }}_{V{H}_{{\rho }_i,{\theta }_i}}^{\prime },K_{V{H}_{{\rho }_0,{\theta }_0}}), \end{gathered}$$ where $$\begin{gathered} {\alpha }_{F{N}_{{\rho }_i}}=H_1(PI{D}_{F{N}_{{\rho }_i}},P_{F{N}_{{\rho }_i}},R_{F{N}_{{\rho }_i}}),{\beta }_{V{H}_{{\rho }_i,{\theta }_i}}=H_2(PI{D}_{F{N}_{{\rho }_i}},PI{D}_{V{H}_{{\rho }_i,{\theta }_i}},P_{V{H}_{{\rho }_i,{\theta }_i}},R_{V{H}_{{\rho }_i,{\theta }_i}},V{T}_{V{H}_{i,i}}, \\ T{C}_{V{H}_{{\rho }_0,{\theta }_0}}). \end{gathered}$$

Then, $V{H}_{{\rho }_0,{\theta }_0}$ sends $(Aut{h}_{0,i},PI{D}_U,Z_{V{H}_{{\rho }_i,{\theta }_i}},{\mathrm{\Lambda }}_{V{H}_{{\rho }_i,{\theta }_i}})$ to $V{H}_{{\rho }_i,{\theta }_i}\in U$.

• Authentication Process for Low-Computational-Power Vehicles:

Receiving $(Aut{h}_{0,i},PI{D}_U,Z_{V{H}_{{\rho }_i,{\theta }_i}},{\mathrm{\Lambda }}_{V{H}_{{\rho }_i,{\theta }_i}})$ from $V{H}_{{\rho }_0,{\theta }_0}$, each vehicle $V{H}_{{\rho }_i,{\theta }_i}\in U$ computes $Aut{h}_{i,0}=H_6(PI{D}_U,{\mathrm{\Lambda }}_{V{H}_{{\rho }_i,{\theta }_i}},{\mathrm{\Gamma }}_{V{H}_{{\rho }_i,{\theta }_i}},{\mathrm{\Lambda }}_{V{H}_{{\rho }_i,{\theta }_i}}^{\prime },K_{V{H}_{{\rho }_i,{\theta }_i}}),$ where $$\begin{gathered} {\mathrm{\Lambda }}_{V{H}_{{\rho }_i,{\theta }_i}}^{\prime }={\mathrm{\Lambda }}_{V{H}_{{\rho }_i,{\theta }_i}}-[a_{V{H}_{{\rho }_i,{\theta }_i}}{y}_{V{H}_{{\rho }_i,{\theta }_i}}·P+(x_{V{H}_{{\rho }_i,{\theta }_i}}+y_{V{H}_{{\rho }_i,{\theta }_i}})·P],K_{V{H}_{{\rho }_i,{\theta }_i}}=Z_{V{H}_{{\rho }_i,{\theta }_i}}- \\ \left(a_{V{H}_{{\rho }_i,{\theta }_i}}\right)·R_{V{H}_{{\rho }_0,{\theta }_0}}. \end{gathered}$$

If $Aut{h}_{i,0}=Aut{h}_{0,i}$, it ensures that the identity of $V{H}_{{\rho }_0,{\theta }_0}$ is authenticated and $V{H}_{{\rho }_0,{\theta }_0}$ encounters the same traffic condition as $V{H}_{{\rho }_i,{\theta }_i}$. Then, $V{H}_{{\rho }_i,{\theta }_i}$ computes the group session key $GSK=H_5(PI{D}_U,PI{D}_0,T{C}_{V{H}_{{\rho }_i,{\theta }_i}},K_{V{H}_{{\rho }_i,{\theta }_i}}).$

5.5. Vehicle Join

If a set of vehicles $U_0^{\prime }=\{V{H}_{n+1},\cdots ,V{H}_h\}$ with lower computational power encounters the same traffic condition and desires to join the existing session group, the current group members collaboratively establish a new group authentication key as follows.

• Mutual Authentication Requests Within the Group:

The vehicle $V{H}_{{\rho }_0,{\theta }_0}$ with relatively robust computational capabilities sends $(PI{D}_{F{N}_{{\rho }_0}},$$PI{D}_{V{H}_{{\rho }_0,{\theta }_0}})$ to $U_0^{\prime }$, and $V{H}_{{\rho }_i,{\theta }_i}\in U^{\prime }$ sends $(PI{D}_{F{N}_{{\rho }_i}},PI{D}_{V{H}_{{\rho }_i,{\theta }_i}})$ to $V{H}_{{\rho }_0,{\theta }_0}$.

Receiving the messages $(PI{D}_{F{N}_{{\rho }_0}},PI{D}_{V{H}_{{\rho }_0,{\theta }_0}})$, the vehicle $V{H}_{{\rho }_i,{\theta }_i}\in U_0^{\prime }$ chooses $a_{V{H}_{{\rho }_i,{\theta }_i}}{\in }_R{Z}_p^{*}$ and computes $(A_{V{H}_{{\rho }_i,{\theta }_i}},b_{V{H}_{{\rho }_i,{\theta }_i}},{\mathrm{\Gamma }}_{V{H}_{{\rho }_i,{\theta }_i}})$ as in the Section 5.4, which is then sent to $V{H}_{{\rho }_0,{\theta }_0}$, for $n+1\le i\le h$.

• Authentication Process for High-Computational-Power Vehicles:

Upon receiving messages $(A_{V{H}_{{\rho }_i,{\theta }_i}},b_{V{H}_{{\rho }_i,{\theta }_i}},{\mathrm{\Gamma }}_{V{H}_{{\rho }_i,{\theta }_i}})$ from each vehicle $V{H}_{{\rho }_i,{\theta }_i}\in U_0^{\prime }$, the vehicle $V{H}_{{\rho }_0,{\theta }_0}$ verifies $b_{V{H}_{{\rho }_i,{\theta }_i}}$ as outlined in Section 5.4. It is assumed that these vehicles are all authenticated to be genuine and share the same traffic condition. $V{H}_{{\rho }_0,{\theta }_0}$ sets $U^{\prime }=U\cup U_0^{\prime }=\{V{H}_{{\rho }_1,{\theta }_1},\cdots ,V{H}_{{\rho }_h,{\theta }_h}\}$ and $PI{D}_{U^{\prime }}=PI{D}_U\cup PI{D}_{U_0^{\prime }}=PI{D}_{V{H}_{{\rho }_1,{\theta }_1}}\left|\right|\cdots \left|\right|PI{D}_{V{H}_{{\rho }_h,{\theta }_h}}$.

Then, $V{H}_{{\rho }_0,{\theta }_0}$ chooses $a_{V{H}_{{\rho }_0,{\theta }_0}}^{\prime }{\in }_R{Z}_p^{*}$ and computes $$\begin{gathered} {\mathrm{\Gamma }}_{V{H}_{{\rho }_i,{\theta }_i}}^{″}=a_{V{H}_{{\rho }_0,{\theta }_0}}^{\prime }{y}_{V{H}_{{\rho }_0,{\theta }_0}}·P+(x_{V{H}_{{\rho }_0,{\theta }_0}}+y_{V{H}_{{\rho }_0,{\theta }_0}})·P-{\mathrm{\Gamma }}_{V{H}_{{\rho }_i,{\theta }_i}},{\mathrm{\Gamma }}_{U^{\prime }}={\sum }_{V{H}_{{\rho }_i,{\theta }_i}\in U^{\prime }}{\mathrm{\Gamma }}_{V{H}_{{\rho }_i,{\theta }_i}}^{″} \\ {K}_{V{H}_{{\rho }_0,{\theta }_0}}^{\prime }=H_4\left({\mathrm{\Gamma }}_{U^{\prime }}\right)·P,GS{K}^{\prime }=H_5(PI{D}_{U^{\prime }},PI{D}_0,T{C}_{V{H}_{{\rho }_0,{\theta }_0}},K_{V{H}_{{\rho }_0,{\theta }_0}}^{\prime }),Z_{V{H}_{{\rho }_i,{\theta }_i}}^{\prime }=H_4\left({\mathrm{\Gamma }}_{U^{\prime }}\right)·P+ \\ {r}_{V{H}_{{\rho }_0,{\theta }_0}}{A}_{V{H}_{{\rho }_i,{\theta }_i}},{\mathrm{\Lambda }}_{V{H}_{{\rho }_i,{\theta }_i}}^{\prime }=a_{V{H}_{{\rho }_0,{\theta }_0}}^{\prime }{y}_{V{H}_{{\rho }_0,{\theta }_0}}·P+[P_{V{H}_{{\rho }_i,{\theta }_i}}+{\beta }_{V{H}_{{\rho }_i,{\theta }_i}}(P_{F{N}_{{\rho }_i}}+{\alpha }_{F{N}_{{\rho }_i}}{P}_{pub} \\ +R_{F{N}_{{\rho }_i}})+R_{V{H}_{{\rho }_i,{\theta }_i}}],Aut{h}_{0,i}^{\prime }=H_6(PI{D}_{U^{\prime }},{\mathrm{\Lambda }}_{V{H}_{{\rho }_i,{\theta }_i}},{\mathrm{\Gamma }}_{V{H}_{{\rho }_i,{\theta }_i}},{\mathrm{\Gamma }}_{V{H}_{{\rho }_i,{\theta }_i}}^{″},K_{V{H}_{{\rho }_0,{\theta }_0}}^{\prime }), \end{gathered}$$ where $$\begin{gathered} {\alpha }_{F{N}_{{\rho }_i}}=H_1(PI{D}_{F{N}_{{\rho }_i}},P_{F{N}_{{\rho }_i}},R_{F{N}_{{\rho }_i}}),{\beta }_{V{H}_{{\rho }_i,{\theta }_i}}=H_2(PI{D}_{F{N}_{{\rho }_i}},PI{D}_{V{H}_{{\rho }_i,{\theta }_i}},P_{V{H}_{{\rho }_i,{\theta }_i}},R_{V{H}_{{\rho }_i,{\theta }_i}},V{T}_{V{H}_{i,i}}, \\ T{C}_{V{H}_{{\rho }_0,{\theta }_0}}). \end{gathered}$$

Then, $V{H}_{{\rho }_0,{\theta }_0}$ sends $(Aut{h}_{0,i}^{\prime },PI{D}_{U^{\prime }},Z_{V{H}_{{\rho }_i,{\theta }_i}}^{\prime },{\mathrm{\Lambda }}_{V{H}_{{\rho }_i,{\theta }_i}}^{\prime })$ to $V{H}_{{\rho }_i,{\theta }_i}\in U^{\prime }$.

• Authentication Process for Low-Computational-Power Vehicles:

Receiving $(Aut{h}_{0,i}^{\prime },PI{D}_{U^{\prime }},Z_{V{H}_{{\rho }_i,{\theta }_i}}^{\prime },{\mathrm{\Lambda }}_{V{H}_{{\rho }_i,{\theta }_i}}^{\prime })$ from $V{H}_{{\rho }_0,{\theta }_0}$, each vehicle $V{H}_{{\rho }_i,{\theta }_i}\in U^{\prime }$ computes $Aut{h}_{i,0}^{\prime }=H_6(PI{D}_{U^{\prime }},{\mathrm{\Lambda }}_{V{H}_{{\rho }_i,{\theta }_i}},{\mathrm{\Gamma }}_{V{H}_{{\rho }_i,{\theta }_i}},{\mathrm{\Lambda }}_{V{H}_{{\rho }_i,{\theta }_i}}^{″},K_{V{H}_{{\rho }_i,{\theta }_i}}^{\prime }),$ where $$\begin{gathered} {\mathrm{\Lambda }}_{V{H}_{{\rho }_i,{\theta }_i}}^{″}={\mathrm{\Lambda }}_{V{H}_{{\rho }_i,{\theta }_i}}^{\prime }-[a_{V{H}_{{\rho }_i,{\theta }_i}}{y}_{V{H}_{{\rho }_i,{\theta }_i}}·P+(x_{V{H}_{{\rho }_i,{\theta }_i}}+y_{V{H}_{{\rho }_i,{\theta }_i}})·P],K_{V{H}_{{\rho }_i,{\theta }_i}}^{\prime }=Z_{V{H}_{{\rho }_i,{\theta }_i}}^{\prime }- \\ \left(a_{V{H}_{{\rho }_i,{\theta }_i}}\right)·R_{V{H}_{{\rho }_0,{\theta }_0}}. \end{gathered}$$

If $Aut{h}_{0,i}^{\prime }=Aut{h}_{i,0}^{\prime }$, it indicates that the identity of $V{H}_{{\rho }_0,{\theta }_0}$ is authenticated and $V{H}_{{\rho }_0,{\theta }_0}$ has encountered the same traffic condition as $V{H}_{{\rho }_i,{\theta }_i}\in U^{\prime }$. Then, $V{H}_{{\rho }_i,{\theta }_i}$ computes the group session key $GS{K}^{\prime }=H_5(PI{D}_{U^{\prime }},PI{D}_0,T{C}_{V{H}_{{\rho }_i,{\theta }_i}},K_{V{H}_{{\rho }_i,{\theta }_i}}^{\prime }).$

5.6. Vehicle Leave

If a set of vehicles $U_0^{″}=\{V{H}_{j+1},\cdots ,V{H}_n\}$ wishes to exit the session group, the remaining group members collaborate to create a new group authenticated key as follows.

$V{H}_{{\rho }_0,{\theta }_0}$ sets $U^{″}=U\setminus U_0^{″}=\{V{H}_{{\rho }_1,{\theta }_1},\cdots ,V{H}_{{\rho }_j,{\theta }_j}\}$ and $PI{D}_{U^{″}}=PI{D}_U\setminus PI{D}_{U_0^{″}}=PI{D}_{V{H}_{{\rho }_1,{\theta }_1}}\left|\right|\cdots \left|\right|PI{D}_{V{H}_{{\rho }_j,{\theta }_j}}$. Then, $V{H}_{{\rho }_0,{\theta }_0}$ chooses $a_{V{H}_{{\rho }_0,{\theta }_0}}^{″}{\in }_R{Z}_p^{*}$ and computes $$\begin{gathered} {\mathrm{\Gamma }}_{V{H}_{{\rho }_i,{\theta }_i}}^{‴}=a_{V{H}_{{\rho }_0,{\theta }_0}}^{″}{y}_{V{H}_{{\rho }_0,{\theta }_0}}·P+(x_{V{H}_{{\rho }_0,{\theta }_0}}+y_{V{H}_{{\rho }_0,{\theta }_0}})·P-{\mathrm{\Gamma }}_{V{H}_{{\rho }_i,{\theta }_i}},{\mathrm{\Gamma }}_{U^{″}}={\sum }_{V{H}_{{\rho }_i,{\theta }_i}\in U}{\mathrm{\Gamma }}_{V{H}_{{\rho }_i,{\theta }_i}}^{‴} \\ {K}_{V{H}_{{\rho }_0,{\theta }_0}}^{″}=H_4\left({\mathrm{\Gamma }}_{U^{″}}\right)·P,GS{K}^{″}=H_5(PI{D}_{U^{″}},PI{D}_0,T{C}_{V{H}_{{\rho }_0,{\theta }_0}},K_{V{H}_{{\rho }_0,{\theta }_0}}^{″}),Z_{V{H}_{{\rho }_i,{\theta }_i}}^{″}=H_4\left({\mathrm{\Gamma }}_{U^{″}}\right)·P \\ +r_{V{H}_{{\rho }_0,{\theta }_0}}·A_{V{H}_{{\rho }_i,{\theta }_i}}^{‴},{\mathrm{\Lambda }}_{V{H}_{{\rho }_i,{\theta }_i}}^{″}=a_{V{H}_{{\rho }_0,{\theta }_0}}^{″}{y}_{V{H}_{{\rho }_0,{\theta }_0}}·P+[P_{V{H}_{{\rho }_i,{\theta }_i}}+{\beta }_{V{H}_{{\rho }_i,{\theta }_i}}(P_{F{N}_{{\rho }_i}}+{\alpha }_{F{N}_{{\rho }_i}}{P}_{pub} \\ +R_{F{N}_{{\rho }_i}})+R_{V{H}_{{\rho }_i,{\theta }_i}}],Aut{h}_{0,i}^{″}=H_6(PI{D}_{U^{″}},{\mathrm{\Lambda }}_{V{H}_{{\rho }_i,{\theta }_i}},{\mathrm{\Gamma }}_{V{H}_{{\rho }_i,{\theta }_i}},{\mathrm{\Gamma }}_{V{H}_{{\rho }_i,{\theta }_i}}^{‴},K_{V{H}_{{\rho }_0,{\theta }_0}}^{″}). \end{gathered}$$

Then, $V{H}_{{\rho }_0,{\theta }_0}$ sends $(Aut{h}_{0,i}^{″},PI{D}_{U^{″}},Z_{V{H}_{{\rho }_i,{\theta }_i}}^{″},{\mathrm{\Lambda }}_{V{H}_{{\rho }_i,{\theta }_i}}^{″})$ to $V{H}_{{\rho }_i,{\theta }_i}\in U^{″}$.

Receiving $(Aut{h}_{0,i}^{″},PI{D}_{U^{″}},Z_{V{H}_{{\rho }_i,{\theta }_i}}^{″},{\mathrm{\Lambda }}_{V{H}_{{\rho }_i,{\theta }_i}}^{″})$ from $V{H}_{{\rho }_0,{\theta }_0}$, each vehicle $V{H}_{{\rho }_i,{\theta }_i}\in U^{″}$ computes $Aut{h}_{i,0}^{\prime }=H_6(PI{D}_{U^{″}},{\mathrm{\Lambda }}_{V{H}_{{\rho }_i,{\theta }_i}},{\mathrm{\Gamma }}_{V{H}_{{\rho }_i,{\theta }_i}},{\mathrm{\Lambda }}_{V{H}_{{\rho }_i,{\theta }_i}}^{‴},K_{V{H}_{{\rho }_i,{\theta }_i}}^{″}),$ where $$\begin{gathered} {\mathrm{\Lambda }}_{V{H}_{{\rho }_i,{\theta }_i}}^{‴}={\mathrm{\Lambda }}_{V{H}_{{\rho }_i,{\theta }_i}}^{″}-[a_{V{H}_{{\rho }_i,{\theta }_i}}{y}_{V{H}_{{\rho }_i,{\theta }_i}}·P+(x_{V{H}_{{\rho }_i,{\theta }_i}}+y_{V{H}_{{\rho }_i,{\theta }_i}})·P],K_{V{H}_{{\rho }_i,{\theta }_i}}^{″}=Z_{V{H}_{{\rho }_i,{\theta }_i}}^{″}- \\ \left(a_{V{H}_{{\rho }_i,{\theta }_i}}\right)·R_{V{H}_{{\rho }_0,{\theta }_0}}. \end{gathered}$$

If $Aut{h}_{i,0}^{″}=Aut{h}_{0,i}^{″}$, the vehicle $V{H}_{{\rho }_i,{\theta }_i}\in U^{″}$ obtains the negotiated group session key as $GS{K}^{″}=H_5(PI{D}_{U^{″}},PI{D}_0,T{C}_{V{H}_{{\rho }_i,{\theta }_i}},K_{V{H}_{{\rho }_i,{\theta }_i}}^{″}).$

6. Security Proof

Theorem 1. 

Assuming the decisional CDH assumption holds in the random oracle model, then the scheme we propose is secure against ${\mathcal{A}}_{\mathcal{I}}$ adversary (as defined in Section 4.3).

The formal security proof of Theorem 1 is deferred to Supplemental Material B.

Theorem 2. 

In the scenario where the decisional CDH assumption is satisfied, the proposed group authenticated key agreement ensures security against ${\mathcal{A}}_{\mathcal{II}}$ adversaries in the random oracle model.

Proof. 

The proof of Theorem 1 is followed with the following modification: the master key $MSK=x$ can be obtained by a ${\mathcal{A}}_{\mathcal{II}}$ attacker, but the attacker is not permitted to issue substitute public key queries. The remaining part of the proof remains unchanged. □

Theorem 3. 

The proposed system satisfies mutual authentication, fog node anonymity, vehicle anonymity, vehicle traceability, cross-domain authenticated key management, group key establishment, condition-matching, time-limited keys, perfect forward secrecy, impersonation/modification/ replay attack resistance.

The proposed system meets the functional and security requirements defined in Section 4.2, which are proven in Supplemental Material C.

7. Performance Comparison and Analysis

To assess the performance of other existing conditional privacy-preserving schemes, a comparison will be made with the proposed system. Subsequently, an assessment of the computational and communication overheads of these schemes will be conducted in a real experimental environment.

7.1. Theoretical Analysis

Before conducting the comparison, we have defined certain symbols in

Table 2. The notations of performance.

Notation	Description
$T_{HG}$	The average computation time for hash to G
$T_{HZ}$	The average computation time for hash to $Z_p$
$T_M$	The average computation time for scalar multiplication
$T_{PP}$	The computation time for exponentiation operations on the bilinear pairing $G_T$
$T_P$	The average computation time for bilinear pairing
$T_{cc}$	The computation time required to construct the Chinese Remainder Theorem
$T_{cr}$	The computation time for discovering the root of the Chinese Remainder Theorem
$|Z_p|$	The size of element in $Z_p$
$\left|G\right|$	The size of element in group G
$|G_T|$	The size of element in group $G_T$
$\left|M\right|$	The size of a typical message for vehicle communication.

. Our proposed system will be compared to the schemes introduced in [6,17,21]. We assume the vehicle group has a size of n.

7.1.1. Analysis of Computation Overhead

We conducted a theoretical analysis of the computational expenses associated with these schemes in Table 3. When analyzing the computational costs, we do not include the overhead of global initialization and server registration (such as cloud and fog servers) as they are constant and do not vary with the number of vehicles. Additionally, the computational cost of ECC scalar addition is very low, so it is also not taken into account. In the computational analysis, for ease of understanding, we consider the total computational cost of a vehicle from registration to completing verification.

• Ma et al. [6] adopts ECC algorithm design, where the initiating vehicle performs four scalar multiplications on G and five computations hashed to $Z_p$. Hence, the computational overhead for the initiating vehicle is $3T_M+4T_{HZ}$. The verification task is accomplished through collaboration among the cloud server and fog nodes. Fog nodes execute four scalar multiplications on G, two computations hashed to $Z_p$, while the cloud server executes eight scalar multiplications on G and nine computations hashed to $Z_p$. Consequently, the total verification task requires $12T_M+13T_{HZ}$.
• In Xiong et al. [17], before a group session, the TA initially constructs an instance of the Chinese Remainder Theorem and finds a root. Each joining vehicle needs to perform $2l+3$ scalar multiplications on G and $l+4$ computations hashed to $Z_p$. Thus, the total computational overhead for the authentication initiation phase is $1T_{cr}+(2l+3)T_M+(l+4)T_{HZ}$. The verification task requires five scalar multiplications on G, totaling $5T_M$.
• In Luo et al. [21], the initiating vehicle performs five scalar multiplications on $G1$, four computations hashed to $Z_p$, and $2n$ exponentiations on $GT$. Hence, the computational overhead for the initiating vehicle is $5T_M+4T_{HZ}+2n{T}_{PE}$. The verification task requires executing $n+1$ scalar multiplications on $G1$, two computations hashed to $Z_p$, n exponentiations on $GT$, and two bilinear pairing computations, resulting in a total verification task cost of $(n+1)T_M+2T_{HZ}+n{T}_{PE}+2T_P$.
• Our scheme eliminates time-consuming bilinear pairing computations. The computational overhead for the initiating vehicle is $12T_M+6T_{HZ}$, which does not exhibit linear growth with an increase in-group members. For verification, vehicles perform seven scalar multiplications on G and nine computations hashed to $Z_p$, totaling $7T_M+9T_{HZ}$ to establish a group authenticated session key.

Table 3. Comparison of computation overhead [6,17,21].

Scheme	Registration Phase	Authentication Phase
Ma et al.	$1T_M+1T_{HZ}$	$15T_M+17T_{HZ}$
Xiong et al.	$(2l+2)T_M+(l+1)T_{HZ}$	$1T_{cc}+1T_{cr}+7T_M+3T_{HZ}$
Luo et al.	$1T_P+1T_M+1T_{HG}$	$2T_P+3n{T}_{PP}+(n+6)T_M+6T_{HZ}$
Ours	$4T_M+2T_{HZ}$	$15T_M+13T_{HZ}$

l: the quantity of pseudo-identities generated for a vehicle in Xiong et al. [17]. n: the number of vehicles within the group.

Table 3. Comparison of computation overhead [6,17,21].

Scheme	Registration Phase	Authentication Phase
Ma et al.	$1T_M+1T_{HZ}$	$15T_M+17T_{HZ}$
Xiong et al.	$(2l+2)T_M+(l+1)T_{HZ}$	$1T_{cc}+1T_{cr}+7T_M+3T_{HZ}$
Luo et al.	$1T_P+1T_M+1T_{HG}$	$2T_P+3n{T}_{PP}+(n+6)T_M+6T_{HZ}$
Ours	$4T_M+2T_{HZ}$	$15T_M+13T_{HZ}$

l: the quantity of pseudo-identities generated for a vehicle in Xiong et al. [17]. n: the number of vehicles within the group.

7.1.2. Analysis of Communication Overhead

In schemes [6,17], and our scheme, the session key is generated through negotiation, making subsequent communication processes dependent only on the length of the message itself. However, in Luo et al. [21], due to the employment of ring signatures, each communication involves additional data transmission. The communication process involves both sending and receiving parties; therefore, we uniformly consider the data quantity sent by the sender for computation. The theoretical analysis of communication overhead can be found in Table 4.

• In Ma et al. [6], utilizing offline key distribution, the communication cost for the initiating authenticated vehicle comprises three G elements and two $Z_p$ elements. The verification process necessitates the transfer of 13 G elements and seven $Z_p$ elements, resulting in a total communication cost of $16\left|G\right|+9|Z_p|$ for the authentication process.
• In Xiong et al. [17], the communication cost for the initiating authenticated vehicle during the registration phase is $2|Z_p|+l(2\left|G\right|+3|Z_p\left|\right)$, and during the authentication phase is $1\left|G\right|+4|Z_p|+|M|$. The overall communication cost sums up to $1\left|G\right|+6|Z_p|+l(2\left|G\right|+3|Z_p\left|\right)+\left|M\right|$.
• In Luo et al. [21], the communication cost for the initiating authenticated vehicle during the registration phase is $2|Z_p|$, and during the authentication phase is $(n+1)\left|G\right|+(n+2)|Z_p|+|M|$. The total communication cost is $(n+1)\left|G\right|+(n+4)|Z_p|+|M|$.
• In our scheme, the communication cost during the registration phase for the initiating authenticated vehicle is $1\left|G\right|+2|Z_p|$, during the initiation of authentication is $2\left|G\right|+4|Z_p|$, during verification is $3\left|G\right|$, resulting in a total communication cost of $6\left|G\right|+6|Z_p|$.

In Luo et al. [21], with each communication involving the group size n, the communication cost becomes maximal. In [6,17], and our proposal, the registration and authentication times for each vehicle are not affected by other members.

Table 4. Comparison of communication overhead [6,17,21].

Scheme	Registration Phase	Authentication Phase
Ma et al.	$1|Z_p|$	$16\left|G\right|+9|Z_p|$
Xiong et al.	$2|Z_p|+l(2\left|G\right|+3|Z_p\left|\right)$	$1\left|G\right|+4|Z_p|+|M|$
Luo et al.	$2|Z_p|$	$(n+1)\left|G\right|+(n+2)|Z_p|+|M|$
Ours	$1\left|G\right|+2|Z_p|$	$5\left|G\right|+4|Z_p|$

l: the quantity of pseudo-identities generated for a vehicle in Xiong et al. [17]. n: the number of vehicles within the group.

Table 4. Comparison of communication overhead [6,17,21].

Scheme	Registration Phase	Authentication Phase
Ma et al.	$1|Z_p|$	$16\left|G\right|+9|Z_p|$
Xiong et al.	$2|Z_p|+l(2\left|G\right|+3|Z_p\left|\right)$	$1\left|G\right|+4|Z_p|+|M|$
Luo et al.	$2|Z_p|$	$(n+1)\left|G\right|+(n+2)|Z_p|+|M|$
Ours	$1\left|G\right|+2|Z_p|$	$5\left|G\right|+4|Z_p|$

l: the quantity of pseudo-identities generated for a vehicle in Xiong et al. [17]. n: the number of vehicles within the group.

7.1.3. Comparison of Functions and Security

We compared our solution with those in [6,17,21] in

Table 5. Comparison of functions and security [6,17,21].

Scheme	Ma et al.	Xiong et al.	Luo et al.	Ours
Authentication	√	√	√	√
Anonymity	√	√	√	√
Traceability	×	√	√	√
Cross-domain	×	×	×	√
Key Escrow-free	×	√	×	√
Condition-matching	×	×	×	√
Perfect forward secrecy	√	√	⊥	√
Resilience to replay attack	√	√	√	√
Resilience to impersonation attack	√	√	√	√
Resilience to modification attack	⊥	√	√	√

, including functionality and security aspects. In the table, ‘⊥’ denotes aspects that are not discussed or proven in the respective schemes.

• Vehicle authentication is a crucial factor in conditional privacy-preserving schemes. The schemes in Table 5 authenticate vehicles either online or offline before distributing group keys.
• Our scheme achieves cross-domain and condition-matching for vehicles. These useful functionalities favor flexible vehicle management. Regrettably, other schemes do not consider these functionalities.
• To our knowledge, our scheme is the first in the literature pertaining to VANETs which supports conditional matching and cross-domain communication under conditional privacy preservation.
• Both our approach and the one presented in Xiong et al. [17] address dynamic scenarios involving the joining and leaving of vehicles in a group. In the event of changes in-group members, the group session key will be promptly updated to maintain the confidentiality of the group session following the changes. It is worth noting that certain alternative schemes lack provisions for managing dynamic member changes.
• In schemes [6,21], vehicle keys are generated offline by the TA and sent to vehicles using smart cards, incurring high usage costs. In Luo et al. [21], all keys are entrusted to the TA, posing insecurity if the TA is compromised. In Xiong et al. [17] and our scheme, certificateless cryptography is adopted, creating a key escrow-free scheme. Each vehicle generates a secret value and transmits the corresponding public information to the TA. The TA is responsible for generating a subset of keys, which, when combined with the secret value, forms the user’s key. Hence, the TA cannot access all elements of the vehicle keys. However, in Xiong et al. [17], pre-computed secret values are sent offline to vehicles, also incurring high usage costs.
• Both our proposed scheme and the one presented in Xiong et al. [17] have been demonstrated to attain forward secrecy and resist the attacks outlined in Table 5. It is noteworthy that not all other schemes exhibit these comprehensive security attributes.

7.2. Simulation

For the simulation of group sessions under conditional privacy protection, we used the Integer and Rational Arithmetic Cryptographic Library (Miracl) [41] to test the performance of our schemes and others, as presented in [6,17,21]. The experiments were performed on a desktop computer with a 64-bit Windows 10 operating system, featuring an Intel(R) Core(TM) i7-9700 CPU @ 3.00 GHz and 16.00 GB RAM.

We selected points belonging to the elliptic curve $E:y^2=x^3+x$ as elements of group G. The order of group G is denoted by q. The bit length of q is 256 bits, and the bit length of elements in G is 512 bits. We chose the eta_T pairing $e:G\times G\to G_T$ to evaluate the scheme [21]. The lengths of elements in G, $G_T$, and $Z_p$ are 512 bits, 512 bits, and 256 bits, respectively.

7.2.1. Transmission Efficiency

The transmission costs for vehicles are shown in Table 6 and Figure 2. In our comparison, we consider the total transmission expenses for vehicles during both the registration and authentication processes. We set the group size n of vehicles to vary from 2, 5, 10 to 30. Below is the analysis of the transmission costs for vehicles:

• In Ma et al. [6], the authentication transmission cost when $n=2$ is 20.5 kb. As n increases from 5, 10 to 15, the transmission costs for vehicles are 51.25 kb, 102.5 kb, and 153.75 kb, respectively. When the number of vehicles reaches 30, the total transmission expense amounts to 307.5 kb.
• In Xiong et al. [17], the authentication transmission cost when $n=2$ is 22 kb. The communication volumes generated when n ranges from 5 to 30 are 55 kb, 110 kb, 165 kb, 220 kb, 275 kb, and 330 kb, respectively. The communication costs of this scheme are slightly higher compared to [6].
• In Luo et al. [21], due to the employment of a ring signature scheme, the transmission costs for each vehicle increase with the group size n. When $n=2$, the transmission cost for authenticating a single message is 6.5 kb. The communication costs generated when n ranges from 5 to 30 are 27.5 kb, 92.5 kb, 195 kb, 335 kb, 512.5 kb, and 727.5 kb, respectively. It is noticeable that this scheme incurs significantly higher communication costs as the number of vehicles increases compared to other schemes.
• In our scheme, when $n=2$, the authentication transmission cost is 9 kb. The communication costs generated when n ranges from 5 to 30 are 22.5 kb, 45 kb, 67.5 kb, 90 kb, 112.5 kb, and 135 kb, respectively. Our proposed scheme exhibits the most optimal communication costs.

Figure 2. Transmission cost of vehicles [6,17,21].

Figure 2. Transmission cost of vehicles [6,17,21].

Table 6. Transmission cost of vehicles (kb) [6,17,21].

n	2	5	10	15	20	25	30
Ma et al.	20.5	51.25	102.5	153.75	205	256.25	307.5
Xiong et al.	22	55	110	165	220	275	330
Luo et al.	6.5	27.5	92.5	195	335	512.5	727.5
Ours	9	22.5	45	67.5	90	112.5	135

Table 6. Transmission cost of vehicles (kb) [6,17,21].

n	2	5	10	15	20	25	30
Ma et al.	20.5	51.25	102.5	153.75	205	256.25	307.5
Xiong et al.	22	55	110	165	220	275	330
Luo et al.	6.5	27.5	92.5	195	335	512.5	727.5
Ours	9	22.5	45	67.5	90	112.5	135

In summary, compared to schemes in [6,17,21], our proposed scheme demonstrates lower communication transmission costs.

7.2.2. Computation Efficiency

Next, we analyze computational efficiency. Bilinear pairing computations and hashing to points are particularly time-consuming, while scalar multiplications and hashing to $Z_p$ are more efficient operations. Especially, the addition computation in G is highly efficient, which we directly ignore in our analysis. It is essential to highlight that in Xiong et al. [17], the Chinese Remainder Theorem is used, and its construction and solving are also time-consuming computations that we must consider. Schemes [6,17], and our scheme use symmetric encryption for communication, which introduces encryption time considerations during communication.

Table 7. Computational cost of vehicles (ms) [6,17,21].

n	2	5	10	15	20	25	30
Ma et al.	14.42	36.05	72.1	108.15	144.2	180.25	216.3
Xiong et al.	27.834	69.585	139.17	208.755	278.34	347.925	417.51
Luo et al.	59.386	174.175	431.95	773.325	1198.3	1706.875	2299.05
Ours	17.11	42.775	85.55	128.33	171.1	213.88	256.65

and Figure 3 compare the computational costs for vehicles.

• In Ma et al. [6], the computation time for the authentication phase is $16T_M+18T_{H_Z}$. In our simulation test, the computation time for $n=2$ is 14.42 ms. As the communication quantity n increases from 5 to 30, the time increases from 36.05 ms to 216.3 ms. Hence, the computational time for the [6] scheme appears stable in Table 7.
• In Table 3, we analyzed the computational costs of each scheme with theory. In Xiong et al. [17], the computation costs for registration and authentication are $1T_c+1T_r+(2l+7)T_M+(l+4)T_{H_Z}$. The computation time for $n=2$ is 27.834 ms. As the number of vehicles n increases from 5 to 30, the time increases from 69.585 ms to 417.51 ms.
• In Luo et al. [21], the computation costs for vehicle registration and authentication processes are $3T_P+3n{T}_{PP}+(n+7)T_{pm}+1T_{H_G}+2T_{H_Z}$. The computation time for $n=2$ is 59.386 ms. This scheme employs a ring encryption method, hence the encryption algorithm’s computational load is substantial. As the number of vehicles n increases from 5 to 30, the time increases from 174.175 ms to 2299.05 ms.
• In our scheme, the computation cost for the authentication phase is $19T_M+15T_{H_Z}$. The computation time for $n=2$ is 17.11 ms. As the number of vehicles n increases from 5 to 30, the time increases from 42.775 ms to 256.65 ms.

Overall, in our proposed system, the computational costs for authentication and total communication remain at a lower level compared to all the compared schemes.

8. Conclusions

In this paper, we propose a dynamic privacy-preserving anonymous authentication scheme for condition-matching in fog-cloud-based VANETs. The approach addresses the challenge of computational limitations in OBUs by using general ECC to optimize computational efficiency. By leveraging fog computing, the scheme implements a multi-TA mode to enhance system robustness and meet the real-time requirements of VANETs. Our scheme employs a certificateless approach, eliminating the need for TA-managed certificates and enabling cross-domain group session key agreement. This improves the social aspects of VANETs and expands their potential applications in the era of intelligent vehicles. Integrating VANETs with cloud services enhances scalability and provides essential storage and computational support for diverse VANET-based applications. Our scheme satisfies the security requirements for conditional privacy protection in VANETs through security proofs. Additionally, performance analysis shows that it outperforms similar relevant schemes comprehensively. For future research, we consider designing authenticated key agreement based on lattices to achieve resistance against quantum attacks, and adopting outsourcing computing to reduce the computational requirements for vehicles.