Implementing an Efficient Secure Attribute-Based Encryption System for IoV Using Association Rules

Abstract

As the Internet of vehicles (IoV) is the perceptual information subject, the intelligent connected vehicle (ICV) is establishing an interconnected information transmission system through opening more external interfaces. However, security communication problems thereby are generated, attracting massive attention for researchers. Hence, the in-vehicle network system is responsible for controlling the state of the ICV and has a major impact on driving safety. In this paper, we designed an efficient secure ciphertext-policy attribute-based encryption (CP-ABE) system for protecting communication. The research focuses on mining the frequency features between vehicle nodes through the max-miner association rules algorithm, aiming to build frequent item sets. Furthermore, an improved asymmetric ABE scheme can implement secure communication in-vehicle nodes that belong to the same classification set. Through the hardware platform and in-vehicle network simulator (INVS) to evaluate our scheme, the results demonstrate that the work possesses enough security without reducing communication efficiency, meanwhile improve bus load performance.

1. Introduction

Recently, the Internet of vehicles (IoV) has attracted much interest due to initiatives on improving traffic efficiency and reduce traffic breakdowns, especially through the smart mobility projects being implemented in many countries [1]. With the new generation of mobile communication technology, IoV realizes the communication between “vehicle to infrastructure (V2I)”, “vehicle to people (V2P)” and “vehicle to vehicle (V2V)”, thereby enhancing the intelligence of vehicles and building an intelligent, convenient, and efficient driving environment [2], as shown in Figure 1.

As the core of IoV, intelligent connected vehicles (ICVs) are also attracting a lot of attention and developing rapidly. In order to facilitate the connection of vehicle to the Internet, ICV opens up a number of interfaces, for example, cellular connection, Wi-Fi, Bluetooth, USB and onboard diagnostics (OBD-II) [3]. However, this also increases the likelihood that the vehicle will be successfully attacked [4]. Through these interfaces, the attacker can intrusion the in-vehicle network and inject malicious messages, finally achieve illegal control of the vehicle. In recent years, various attacks incidents frequent occurrences, especially remote attacks [5,6]. For example, the attacker takes control of the vehicle by sending a forged message from the entertainment system to the CAN bus via a cellular network connected to the vehicle [7].

Initially, the in-vehicle communication protocol only considers some characteristics, such as reliability, comfort, and convenience but yet ignores a crucial point that the message is transmitted under a secure environment [8]. Hence, as the applicate in-vehicle communication bus, the controller area network (CAN) does not provide any security mechanisms. In addition, the broadcast transmission mechanism between electronic control units (ECUs) also increases a security risk for ICV. Additionally, the ECUs are the core electronic components of a smart networked vehicle and are considered to be the in-vehicle computer. ECUs communicate with sensors on the CAN network to control the driving state of the vehicle. It is also an untrustworthy exchange of information method. In a nutshell, the safe transmission of information is a prerequisite for safe driving, necessary to be considered.

In order to solve the security problem of in-vehicle networks, many researchers have provided solutions based on cryptography methods. These methods can be divided into two categories. One is to verify the integrity of the message and the origin of the data by means of a message authentication mechanism, for example by generating a MAC authentication message based on cryptography and transmitting an authentication message of equal length corresponding to this message on the CAN bus [9]. Another approach is to ensure the confidentiality of the message by means of an encryption mechanism, for example, by encrypting the data in groups using AES [10]. However, these approaches are based on information systems and ignore the fact that ICV is a physical information system, so they are inefficient or not applicable to in-vehicle networks. Therefore, it is considered necessary to combine the physical characteristics of smart vehicles with cryptographic methods to design secure and effective in-vehicle communication systems.

In this paper, we first analyze the communication list between ECUs of a vehicle brand, finding that ECU could receive all the data in the CAN, but it did not use all the data received. Hence, it is important for the message transmitting mechanism to make a pre-isolated communication scheme. Not only does it improve the efficiency of message transmission, but it also prevents other ECUs from being attacked by a break-in to affect themselves in terms of security. Furthermore, efficient encryption solutions are also necessary for data transmission to achieve integrity and confidentiality. In this paper, we perform a correlation analysis of communication frequencies based on real in-vehicle communication data and combines the analysis results with asymmetric ciphertext-policy attribute-based encryption (CP-ABE) algorithms [11,12] to design an in-vehicle access control strategy to achieve isolation of ECUs without communication needs.

The main contributions of this paper are as follows:

(1)

First, we collect the ECUs communication list of a company. Through the max-miner association rules algorithm, the frequency features are mined between vehicle nodes. The ECU whose communication frequency reaches the threshold value is grouped into one category and regarded as having the same frequency attribute. We find that this part filter unnecessary communications, laying the foundation for the implementation of the ABE pre-isolation system.

(2)

Second, we propose an improved attribute-based encryption algorithm to build an attribute isolation architecture of the in-vehicle network after getting the frequency sets. This architecture only allows ECU with the same frequency attribute to communicate, thus reducing the load on the bus while isolating ECU nodes that do not need to communicate. Most importantly, it improves the security of automotive node communication.

(3)

Third, we analyze the communication architecture security. Through the performance evaluation based on hardware is performed, as well as the simulation based on vehicle network simulator (IVNS), the results of security analysis and evaluation show that the architecture meets the security and real-time requirements of the in-vehicle network.

The rest of this paper is organized as follows: In Section 2, we review more related works. In Section 3, ECU frequency attributes are classified. In Section 4, we present the details of isolated communication system. The analysis of the security for the communication system in Section 5. Simulations are presented in Section 6. Finally, the conclusions of this research and future work are presented in Section 7.

2. Related Work

In the past decade, in order to solve the problem of information security of ICV, many researchers have been working on designing a secure in-vehicle network architecture. As the most widely used in-vehicle bus communication protocol, CAN is currently the focus of research. The characteristics of non-encryption and non-authentication are the main reasons why CAN networks are vulnerable to malicious attacks. Therefore, enhancing the security of the in-vehicle network with encryption and authentication functions is one of the effective measures to ensure the confidentiality and reliability of CAN frames. In this section, research related to the proposed security communication for in-vehicle CAN is presented.

The first method of ensuring the security of in-vehicle networks through authentication mechanisms was proposed by Nilsson et al. [13], who provided integrity and authentication through a 64-bit message authentication codes (MACs) tag. Their method requires four messages to send a 64-bit tag by inserting a 16-bit tag in the CRC field. Therefore, their method increases the bus load and takes up CAC field resulting in errors that cannot be verified during transmission.

With the development of ICV, CAN is gradually unable to meet its demands in transmission rate and bandwidth. In order to solve this problem, Robert Bosch GmbH developed a new communication protocol—CAN with flexible data rate (CAN-FD) [14]. Soon afterward, Patsakis et al. [15] proposed a distributed secure communication architecture for modern vehicles under CAN-FD in which ECU performs secure multi-party calculations for authentication and asymmetric encrypted communication. However, ECU nodes need additional data interaction in the communication process, which increases the bus load and limits the applicability of this architecture in the vehicle real-time communication system. In [16], Woo et al. proposed a practical vehicle CAN-FD security architecture. In their architecture, each ECU performs the initial session key generation process with the GECU in a fixed order, and the ECUs perform authentication and encryption based on HMAC and AES. Han et al. [17] creatively put forward a kind of attribute isolation communication architecture. Their scheme is to divide the ECU’s functional attributes according to the characteristics of ICV, and build the attribute isolation communication architecture based on the ABE algorithm. Agrawal et al. [18] implement encrypted communication for ECU groupings based on characteristics and enable communication between ECUs of different groups through GECU. However, the forwarding of data frames from different groups through the GECU can cause communication delays. Groza et al. [19] proposed a broadcast authentication for CAN-FD. They used split keys and mixed authentication tags to improve the security of the in-vehicle network.

While the above methods provide authentication or encryption of data for in-vehicle networks, they also suffer from response delays or increased bus loads. In this paper, we propose a frequency attribute isolation system based on CP-ABE for CAN-FD. ECUs encrypt data according to access structure without concern for the number of ECUs in the network, which is suitable in in-vehicle networks where the number of ECUs is increasing dramatically. By associating the key with the frequency attribute of the ECUs, there is no need to store a large number of keys and key management is simplified. In addition, the proposed system reduces the response time and bus load rate compared to [18,19].

3. ECU Frequency Attribute Classification

In this section, we will analyze the communication frequency correlation based on real in-vehicle communication data and cluster the ECUs.

3.1. Data Pre-Processing

The CAN bus is a multi-master bus system where all ECUs connected to the network can send data when it is idle. When an ECU on the CAN sends data, it is broadcast to all other ECUs in the network in the form of a data frame. However, according to the CAN bus communication list we obtained from one company, the data frames on the bus are not required for every ECU, part of the communication list is shown in

Table 1. Part of the communication list.

ID	EMS	TCU	GSM	ICU	ESP	……
FB	T	R			R
1A1	R	T
1A3		R	T	R
431	R			T
211	R	R			T
……

Annotation: T = sender, R = user.

. For example, when the engine management system (EMS) sends a data frame with the ID FB, the gear shift module (GSM) and instrument cluster unit (ICU) do not use it. The communication list contains the destination and source addresses of the data frames, this information is confidential and is provided by the automotive companies we work with. Therefore, isolation of ECUs that have no communication needs does not interfere with the normal operation of the vehicle. In addition, when a node in the CAN is hijacked, it can prevent all nodes in the network from being controlled.

To ensure that the results of the correlation analysis are more accurate, we use a real dataset of in-vehicle communications for the analysis. We collected 870,000 CAN bus data for two hours of vehicle driving with a USBCAN. The communication dataset contains the DLC, Data, etc. of the data frames without destination and source addresses, but from the communication dataset we can obtain the frequency of each data frame.

Furthermore, we have produced a heat map (Figure 2) based on the pre-processed data set, from which we can get a more intuitive impression of the connection between the ECUs. Dark colors indicate a high frequency of communication between ECUs and light colors indicate a low frequency of communication, we can see that some ECUs communicate at a high frequency and some at almost zero.

3.2. Communications Frequency Correlation Analysis

Association rule analysis is the process of mining hidden information from a data set, and the maximum frequent itemset mining algorithm is an important algorithm in association rule analysis [20,21]. A frequent item set is a set of items that occur in a data set with a frequency no less than that used to specify a threshold. For example, a set of items, such as EMS and transmission control unit (TCU), that occur frequently together in dataset, is a frequent item-set. The sets of ECUs that appear frequently in the dataset are in demand for communication. However, since the number of frequent item sets is numerous and the maximum frequent itemset is relatively less and can contain all frequent item sets, maximum frequent itemset mining is more suitable for us to uncover the communication relationships between ECUs [22].

Complete set-enumeration tree is the primary data structure for the maximum frequent itemset mining algorithm. The process of data mining is transformed into the search process of a set enumeration tree by describing the set of items as in Figure 3, enumerating all possible combinations of items. Figure 3 shows the complete set-enumeration tree for $\left\{TCU,EMS,ESP,GSM,ICU\right\}$. Each node $g$ of the tree is represented by two item sets. The first item set is called the prefix, denoted as $h\left(g\right)$, which is represented by the enumeration item of the current node of the tree; the second item set is called the suffix, denoted as $t\left(g\right)$, and it is composed of all the items of the child nodes of the current node after removing the items contained in the current node. For example, for node EMS, $h\left(EMS\right)=\left\{EMS\right\}$, $t\left(EMS\right)=\left\{ESP,GSM,ICU\right\}$. We denote the parent node of node $g$ as $g_p$ and the child node as $g_c$. The generation method of $g_c$ is $h\left(g_c \right)=h\left(g\right)\cup i,i\in t\left(g\right);t\left(g_c \right)=\left\{j|j\in t\left(g\right),j>i\right\}$.

Maximum frequent itemset mining for complete set-enumeration tree according to the max-miner algorithm [23]. Maximal frequent itemset mining is the continuous pruning of the enumeration tree. There are two principles of pruning: firstly, all item sets containing infrequent subsets are infrequent; secondly, if the superset of an item set is a frequent item set, this item set must not be the maximum frequent item set. We prune the enumeration tree according to these two principles. First, the 1-itemset are sorted by frequency of occurrence in the dataset and the candidate itemset C and the frequent itemset F. Second, the frequency of $h\left(g\right)\cup t\left(g\right)$ of element $g$ in C is calculated and added to F if it is greater than the threshold value. Otherwise, add its child nodes $h\left(g_c \right)$ to C. Third, update the candidate itemset C and the frequent itemset F. Repeat second and third until $C=\{ \}$. The max-miner algorithm is presented as Algorithm 1.

Algorithm 1 Max-Miner.

1: Input: Data T

2: Output: Maximal frequent item sets

3: Set of Candidate Group C ← {Frequent 1- item sets}

4: Set of Itemset F ← {Frequent 1- item sets}

5:  While C is non-empty do

6:   Scan T to count the frequency of all candidate groups in C

7:   For each $g\in C$ such that $h\left(g\right)\cup t\left(g\right)$ is frequent do

8:     F ←$F\cup \left\{h\left(g\right)\cup t\left(g\right)\right\}$

9:   For each $g\in C$ such that $h\left(g\right)\cup t\left(g\right)$ is infrequent do

10:     C ←$C\cup \left\{h\left(g_c\right)\right\}$

11:   Remove from F any itemset with a proper superset in F

12:   Remove from C any group g such that $h\left(g\right)\cup t\left(g\right)$ has a superset in F

13: Return F

3.3. Results of Clustering

Through constant parameter tuning, we found that the clustering effect is the best when the threshold is 0.1. A total of six maximum frequent item sets are mined, and these six groups are visualized by R language [24], as shown in Figure 4. The circle diagram in Figure 4 is a Venn diagram used to show the relationship between sets of frequency attributes, with the overlapping parts being the intersection between different sets and the non-overlapping parts being elements specific to the set. However, the Venn diagram is not very readable, and the upset diagram (i.e., bar chart) in Figure 4 can show the relationship between sets more clearly. According to the clustering results, match the corresponding frequency attribute set for ECUs. For example, the $g{l}_1$,$g{l}_2$ and $g{l}_3$ collections all have EMS, and the frequency attribute set of EMS is $S=\left\{g{l}_1,g{l}_2,g{l}_3\right\}$. The set of frequency attributes of automatic parking assist system (APA) is $S_{APA}=\left\{g{l}_4,g{l}_5\right\}$ and the set of frequency attributes of intelligent remote car anti-theft alarm (GSM) is $S_{GSM}=\left\{g{l}_3,g{l}_5\right\}$. According to the in-vehicle communication system designed in this paper, EMS and GSM have the same frequency attribute $g{l}_3$, so they can communicate, while EMS and APA do not have the same frequency attribute, so they cannot communicate.

4. Communication Architecture

In this section, the in-vehicle communication system based on the above ECU frequency attribute clustering is elaborated. The communication system consists of a GECU and ECUs which are equipped in vehicle. There are four phases to consider for the proposed in-vehicle communication system, namely system initialization, registration, setting the matching strategy and isolated communication.

GECU: The GECU is considered trustworthy and has better computation power and storage capacity than the ECU. The GECU is used to verify the identity of the ECUs.

ECU: ECUs are also known as car computers and their purpose is to control the state of the car and implement its various functions. According to the frequency attribute clustering above, each ECU has a different set of frequency attributes.

4.1. System Initialization

The GECU follows the steps below to generate the public parameters and master key, before broadcasting the public parameters across the network.

• The GECU inputs the security parameter $1^{\lambda }$, generate an additive group G and a multiplicative $G_1$ with prime order $p,g$ is a generator in G. Define a bilinear mapping $e:G\times G\to G_1$.
• It can be seen from the above that there are a total of six group labels for ECUs, GECU randomly selects six number for group labels and marks them as $g{l}_1,g{l}_2,g{l}_3,g{l}_4,g{l}_5,g{l}_6$ in $Z_P^{*}$.
• The GECU randomly picks $y\in Z_p$,$\theta ,\alpha ,\beta \in G$ and publishes the public parameters are:$PK=\left(\left(p,g,G,G_1,e\right),\theta ,\alpha ,\beta ,e{\left(g,g\right)}^y\right)$. Meanwhile, the master key is $MK=y$.

4.2. Registration

During the registration phase, the GECU verifies the legitimacy of the ECU identity and sends the master key for the ECU with a legitimate identity. To improve the speed of registration, symmetric encryption is used at this stage. Specific registration process is shown in Algorithm 2.

4.2.1. ECU Sends Registration Request Information to GECU

• $EC{U}_I$ randomly chooses $a\in Z_q^{*}$ to generate the request information $\left(ag\left|\right|I{D}_{EC{U}_I}\right)$.
• $EC{U}_I$ signs the request information $\left(ag\left|\right|I{D}_{EC{U}_I}\right)$ to obtain the signature information $Si{g}_I$.
• $EC{U}_I$ sends $Ms{g}_1\left(ag\left|\left|I{D}_{EC{U}_I}\left|\left|t\right|\right|Si{g}_I\right|\right|Certificat{e}_I\right)$ to GECU.

4.2.2. GECU Verifies ECU Identity

• The GECU verifies the validity of the timestamp by Formula (1). The maximum time difference allowed by the in-vehicle network is T, the current time is $t\prime$.

  $$\left(\Delta t=t\prime -t\right)<T$$

  (1)
• If the timestamp is valid, the GECU confirms the integrity and validity of $EC{U}_I$ by verifying the signature and certificate of the $Ms{g}_1$.
• After verify the legal identity of $EC{U}_I$, the GECU randomly choose $b\in Z_q^{*}$ to generate response information $\left(bg\left|\right|I{D}_{EC{U}_I}\right)$, and a signature on response information.
• The GECU generates a temporal session key $SK=abg$, and uses SK to encrypt master key $y$.
• The GECU sends $Ms{g}_2\left(bg\left|\left|I{D}_{GECU}\left|\left|t\prime \right|\right|Si{g}_{GECU}\right|\right|Certificat{e}_{GECU}\left|\right|E_{SK}\left(y\right)\right)$ to $EC{U}_I$.

4.2.3. GECU Sends MK to ECU

• $EC{U}_I$ verifies the validity of the timestamp by Formula (2). The maximum time difference allowed by the in-vehicle network is T, the current time is $t″$.

  $$\left(\Delta t=t″-t\prime \right)<T$$

  (2)
• If the timestamp is valid, $EC{U}_I$ confirms the integrity and validity of GECU by verifying the signature and certificate of the $Ms{g}_2$.
• After verify the legal identity of GECU, $EC{U}_I$ decrypts $E_{SK}\left(y\right)$ in $Ms{g}_2$ by $SK$ and obtains $y$.

  Algorithm 2 ECU Registration Protocol.

  1: $EC{U}_I$: Generate the registration request information

  2: $EC{U}_I\to GECU: Ms{g}_1\left(ag\left|\left|I{D}_{EC{U}_I}\left|\left|t\right|\right|Si{g}_I\right|\right|Certificat{e}_I\right)$

  3: GECU:

  4: if $\left(\Delta t=t^{\prime }-t\right)<T$

  5:    if $EC{U}_I$ is legal

  6:      $GECU\to EC{U}_I$: $Ms{g}_2\left(bg\left|\left|I{D}_{GECU}\left|\left|t\prime \right|\right|Si{g}_{GECU}\right|\right|Certificat{e}_{GECU}\left|\right|E_{SK}\left(y\right)\right)$

  7: else

  8:    Refuse the request information

  9: endif

  10:$EC{U}_I:$

  11: if $\left(\Delta t=t″-t\prime \right)<T$

  12:    if GECU is legal

  13:      decrypt $E_{SK}\left(y\right)$ in $Ms{g}_2$ by $SK$ and obtains $y$

  14: else

  15:    Execute the registration protocol again

  16: endif

4.3. Setting the Matching Strategy

Based on the above clustering of frequency attributes define the set of frequency attributes as $U=\left\{g{l}_1,g{l}_2,g{l}_3,g{l}_4,g{l}_5,g{l}_6\right\}$. A tree structure T is used to represent access policies. When x is an internal node, it represents the relationship “or”, when x is a leaf node, it represents the frequency attribute. For example, the set of frequency attributes of EMS is $S=\left\{g{l}_1,g{l}_2,g{l}_3\right\}$. The EMS access structure tree T is shown in Figure 5.

In order to represent simply, we define the following two functions. Firstly, $parent\left(x\right)$ is used to denote the parent of node $x$. Secondly, the function $att\left(x\right)$ returns the frequency attribute associated with $x$ when $x$ is a leaf node.

Let the root node of the access tree T be r. The access tree T is denoted $T_r$ and the subtree with root node $x$ is denoted $T_x$. A set of frequency attributes $S$ satisfying the access tree structure $T_x$ is denoted $T_x\left(S\right)=1$, otherwise, $T_x\left(S\right)=0$. The value of $T_x$ is computed recursively, and if $x$ is non-leaf node, the value of $T_x$ is computed for each child node $x\prime$ of $T_{x^{\prime }}\left(S\right)$. When at least one child node returns 1, $T_x\left(S\right)=1$. When is a leaf node, when $att\left(x\right)\in S$, $T_x\left(S\right)=1$. If $T_r\left(S\right)=1$ then it means that the set S of frequency attributes satisfies the access $T_r$.

Based on the clustering results in the previous section, the set of frequency attributes of automatic parking assist system (APA) is $S_{APA}=\left\{g{l}_4,g{l}_5\right\}$ and the set of frequency attributes of intelligent remote car anti-theft alarm (GSM) is $S_{GSM}=\left\{g{l}_3,g{l}_5\right\}$. The access structure of the EMS is denoted T, then $T\left(S_{APA}\right)=0$ and $T\left(S_{GSM}\right)=1$. This means that the GSM satisfies the EMS access structure and that messages sent encrypted by the EMS can be successfully decrypted by the GSM, but not by the APA.

4.4. Isolated Communication

We propose an isolated communication system for in-vehicle networks based on asymmetric CP-ABE algorithms. In this system, the key is associated with a frequency attribute. Only ECUs with the same frequency attribute as the sender ECU can decrypt the ciphertext, which guarantees the confidentiality of the architecture. We take $EC{U}_I$, $EC{U}_J$ and $EC{U}_K$ as an example to illustrate the way in which the ECUs communicate with each other (see Figure 6). The specific steps include the following three algorithms: encrypt, keygen and decrypt.

• $Encrypt \left(S,M,PK\right)$:$EC{U}_I$ generates the ciphertext CT according to the encrypt algorithm. The encrypt algorithm takes frequency attribute set $S_1$ of $EC{U}_I$, a message M and the public parameters PK as input. $EC{U}_I$ picks up a random value $s\in Z_p$, where s is secret value. We denote the number of elements in set S as n. $EC{U}_I$ randomly picks up n elements $k_i\in Z_p$ for $g{l}_i\in S_1$ and set $C=Me{\left(g,g\right)}^{ys}$,$C_1=g^s$. For $g{l}_i\in S_1$, the algorithm computes $C_{gl}={\beta }^s+{\alpha }^{k_i}$,$C_{gl}^{\prime }={\theta }^{-H\left(gl\right)k_i}$, $C_{gl}^{″}=g^{k_i}$ and hashes the value of the $g{l}_i$ in $S_1$ and construct an access structure tree T as shown in Figure 7. The ciphertext $CT=\left(T,C,C_1,\forall gl\in N:C_{gl},C_{gl}^{,},C_{gl}^{″}\right)$.
• $Keygen \left(S,MK,PK\right)$: $EC{U}_J$ generates key SK according to the keygen algorithm. The keygen algorithm takes frequency attribute set $S_3$ of $EC{U}_J$, the master key MK and the public parameters PK as input. $EC{U}_J$ denotes the number of elements in $S_3$ is m, and randomly picks up m elements $t_i\in Z_p$ for $g{l}_i\in S_3$. $EC{U}_J$ randomly chooses $t\in Z_p$ and computes $D_1=g^y+{\beta }^t$,$D_2=g^t$. For $g{l}_i\in S_3$, the algorithm computes $D_{gl}^{\prime }=g^{t_i}$ and $D_{gl}^{″}={\theta }^{H\left(gl\right)t_i}+{\alpha }^{-t}$. The secret key $SK=\left(D_1,D_2,\forall gl\in GL:D_{gl}^{\prime },D_{gl}^{″}\right)$. The steps for $EC{U}_K$ are the same as for $EC{U}_J$.
• $Decrypt \left(CT,SK,S\right)$: $EC{U}_J$ decrypts the ciphertext CT according to the decrypt algorithm. The decrypt algorithm takes the frequency attribute set $S_3$ of $EC{U}_J$, the ciphertext CT and secret key SK as input. $EC{U}_J$ computes the hash value of the elements in the set $S_3$ and denotes it as the set $S_3^{\prime }$. The algorithm chooses $D_{gl}^{\prime },D_{gl}^{″}$ for $gl$, which the hash value matches the T. $EC{U}_J$ computes as follows:

  $$B=\mathrm{e}\left({\mathrm{C}}_1,D_1\right)∕e\left(C_{gl},D_2\right)e\left(C_{gl}^{\prime },D_{gl}^{\prime }\right)e\left(C_{gl}^{″},D_{gl}^{″}\right)$$

  (3)

  $$B=e\left(g^s,g^y+{\beta }^t\right)∕e\left({\beta }^s+{\alpha }^{k_i},g^t\right)e\left({\theta }^{H\left(gl\right)k_i},g^{t_i}\right)e\left(g^{k_i},{\theta }^{-H\left(gl\right)t_i}+{\alpha }^{-t}\right)$$

  (4)

  $$B=e\left(g^s,g^y+{\beta }^t\right)∕e\left({\beta }^s+{\alpha }^{k_i},g^t\right)e\left(g^{k_i},{\alpha }^{-t}\right)$$

  (5)

  $$B=e\left(g^s,g^y+{\beta }^t\right)∕e\left({\beta }^s,g^t\right)$$

  (6)

  $$B=e{\left(g,g\right)}^{sy}$$

  (7)

$EC{U}_J$ obtains the $M=C⁄B$. The frequency attribute set $S_2$ of the $EC{U}_K$ does not satisfy the access structure tree T, so the $EC{U}_K$ decryption fails.

5. Security Analysis of the Proposed Scheme111

In this section, we present a theoretical proof of the security of the proposed communication architecture for IoV.

Theorem 1.

Assuming that the computational Diffie–Hellman (CDH) assumption is established, the MK in the proposed system cannot be obtained.

Proof of Theorem 1.

If the adversary $A$ can compute temporal session key $SK=abg$, it is possible for $A$ to obtain MK. The advantage of a successful attack by $A$ is $Ad{v}_A$. We use $A$ to construct algorithm $A_{CDH}$ to solve the CDH problem.

$A_{DL}$ randomly picks $y,\theta ,\alpha ,\beta \in Z_p$ and publishes the public parameters are:$PK=\left(\left(p,g,G,G_1,e\right),\theta ,\alpha ,\beta ,e{\left(g,g\right)}^y\right)$ and saves the master key $MK=y$. $\mathsf{A}$ can make queries about $A_{CDH}$ to $q_{CDH}$ times.

Query: $\mathsf{A}$ makes queries about SK, the algorithm $A_{DL}$ returns $ag$ and $bg$ to A.

Challenge: After $\mathsf{A}$ receives $ag$ and $bg$, $A$ uses $\left(ag,bg\right)$ to call algorithm $A_{DL}$. That is given $ag,bg$, compute $abg$. The advantage of $A$ challenge success in this process is $Ad{v}_A=q_{CDH}\times Ad{v}_{CDH}$. The advantage $Ad{v}_A$ of the algorithm in successfully solving the CDH problem in the polynomial time is negligible. Therefore, the adversary $A$ does not have access to the temporal session keys SK and MK. □

Theorem 2.

Assuming that the decisional Diffie–Hellman (DDH) assumption is established, plaintext cannot be extracted from ciphertext.

Proof of Theorem 2.

If there is a polynomial-time adversary $A$ that can attack our scheme with advantage of ε, we can construct a simulator Β to play the DDH game with advantage of $\epsilon$. Given a DDH paradigm $\left(g,g^a,g^b,Z\right)$, Β creates the following simulation.

Init: The adversary $A$ commits to simulator Β the challenge access tree $T$. The simulator Β sets the public parameters according to the following steps. It randomly picks $y,m,n\in Z_p$ and calculates $\theta =g^m,\beta =g^n$ and sets the public parameter $PK=\left(\left(p,g,G,G_1,e\right),\theta ,\alpha =g^a,\beta ,e{\left(g,g\right)}^y\right)$ and the master key $MK=y$. The simulator sends the PK to the adversary $A$.

Phase 1: The adversary $A$ can query the SK of the frequency attribute set S. If S cannot satisfy the challenge access tree, Β will calculate SK and send it to $A$ as follows. ${\rm B}$ randomly pick $t\in Z_p,{\left\{t_i\in Z_p\right\}}_{1\le i\le m}$ and $D_1=g^y+{\beta }^t$,$D_2=g^t$. For $gl\in S$, the algorithm computes $D_{gl}^{\prime }=g^{t_i}$ and $D_{gl}^{″}={\theta }^{-H\left(gl\right)t_i}+{\alpha }^{-t}$. The secret key $SK=\left(D_1,D_2,\forall gl\in GL:D_{gl}^{\prime },D_{gl}^{″}\right)$.

Challenge: The adversary $A$ submits two messages $M_0$ and $M_1$ of equal length to Β. The simulator randomly selects a message $M{ }_b$ to encrypt and sends the encrypted ciphertext CT to A. The ciphertext is output as:

$$CT=\left(P^{\prime },C,C_1,\forall gl\in N:C_{gl},C_{gl}^{,},C_{gl}^{″}\right)$$

$C=Me{\left(g,g\right)}^{ys}=me{\left(g,g\right)}^{yab}=me{\left(g^a,g^b\right)}^y$ which implies $s=ab$,$C_1=Z$. For $gl\in N$, the algorithm computes $C_{gl}=g^{ns}+g^{a{k}_i}$,$C_{gl}^{\prime }={\theta }^{H\left(gl\right)k_i}$, $C_{gl}^{″}=g^{k_i}$. For $gl\notin N$, the algorithm computes $C_{gl}=g^{ns}+g^{a{k}_i}$, $C_{gl}^{″}=g^{k_i}$ and randomly selects $C_{gl}^{\prime }\in G$.

Phase 2: Repeat Phase 1 and any $S$ cannot satisfy the challenge access tree.

Guess: The adversary $A$ computes M. When $C_1=Z=g^{ab}$, the ciphertext is well-formed and the plaintext M is computed correctly. A can guess $b\prime$ correctly. When Z is randomly chosen, m is random and A can only guess $b\prime$ randomly, So if $b\prime =b$, Β return $\eta =1$. Otherwise, Β returns $\eta =0$. However, DDH difficulty problem is unsolvable in probabilistic polynomial time. Therefore, we can conclude that the proposed scheme satisfies IND-CPA secure. □

6. Simulation and Evaluation

To evaluate the performance of the proposed scheme, we carried out hardware-based performance evaluation and software simulation based on in-vehicle network simulator (IVNS) [25]. The performance evaluation environment is illustrated in Figure 8, and the specifications of equipment used for evaluation are listed in

Table 2. Tools used for the simulation.

Tools	Remarks
Hardware	STM32H743, STM32H743IIT6
Compiler	MDK5
Software	IVNS
CPU	Intel core i5-8259U 1.6 GHz
RAM	8GB

.

6.1. Hardware-Based Performance Evaluation

To measure the time parameters of registration, keygen, encrypt, decrypt success and failure, we carried out hardware-based performance evaluation. In our scheme, all ECU must send a registration request to GECU before the vehicle starts, and the ECU passing the registration request can obtain important parameters for communication. After obtaining the important parameters, ECU generates the key for decryption according to its own set of frequency attributes. When $EC{U}_I$ sends a data frame, it encrypts the message according to the set of frequency attributes, hashes the frequency attributes of the set and construct an access structure tree T to achieve the effect of protecting the privacy of the $EC{U}_I$, and embeds T in the ciphertext for broadcasting in the network. When the $EC{U}_J$ receives the ciphertext, it hashes its own set of frequency attributes first, if it meets the access structure tree T, it is considered successful decryption, otherwise, the decryption failed. We apply this scheme to the microcontrollers of STM32H743 and STM32H743IIT6 and evaluate their performance. To minimize errors, these four algorithms were run 100,000 times respectively, and the average, maximum and minimum execution time were measured.

As shown in Figure 9, the average time of successful registration is 8.24 ms. The ignition time of a car is about 1 s generally, and the number of ECU nodes in the car will not exceed 100, so the scheme can meet the real-time requirements of current intranet. The average time of key generation, encryption, decryption success and failure are 2.78 ms, 4.12 ms, 6.9 ms and 1.98 ms, respectively.

6.2. Network Simulator-Based Evaluation

We use the software IVNS, STM32H743 and STM32H743IIT6 microcontrollers to build an evaluation environment similar to the real in-vehicle network environment. IVNS is an in-vehicle network simulator developed by Mundhenk et al., based on the discrete event simulation framework (SimPy) in Python language in 2016. It can evaluate the real-time performance of in-vehicle network well. We imported the average execution time of registration, key generation, encryption, successful decryption and failure decryption based on the hardware performance evaluation into the IVNS database, and performed the performance evaluation based on the network simulator. STM32H743 serves as the GECU and STM32H743IIT6 serves as the ECU.

6.2.1. Analysis of Calculation Time Consumption

For the measurement of time calculation consumption, we defined the following scenarios and performed a performance evaluation.

(1)

Sender-ECU encrypts data frames based on the set of frequency attributes.

(2)

Sender-ECU broadcasts the ciphertext and access structure tree T on the network.

(3)

Receiver-ECU receives ciphertext and access structure tree T.

(4)

If the frequency attributes set of receiver-ECU meets the requirements of the access structure tree T, decryption will be carried out and plaintext will be obtained. Otherwise, decryption fails.

We measured the execution time from the time the sender ECU encrypts the data frame to the time all the receiver ECUs decrypt the message. By fixing the bit rate of the arbitration segment at 0.5 Mbit/s, the bit rate of the data segment at 4 Mbit/s, and the data transmission cycle of the ECU at 50ms, the communication response time of the ECU at same CPU clock rate is measured. We measured the response time of Sec suggestion in [18] and LiBrA suggestion in [19] under the same circumstances and compared them to the proposed scheme. The communication response time under different ECU numbers is shown in Figure 10. Since the encrypted data frames are forwarded by the GECU, the Sec’s response time is higher than ours. At the same time, since there are $2^n$ communication groups for n nodes, LiBrA’s response time is higher than ours when the number of ECUs increases. For example, with 80 ECUs in the vehicle, the response time of our solution is 34% faster than Sec and 57% faster than LiBrA.

6.2.2. Analysis of Bus Load Rate

Bus load rate refers to the actual legend of the total number of bits per unit time of the bus and the total number of bits per unit time of the legend of the bus, and is an important index to measure the performance of the in-vehicle network communication, we can read the communication of the bus load rate through the IVNS added monitor. By fixing the bit rate of the arbitration segment at 0.5 Mbit/s, the bit rate of the data segment at 4 Mbit/s, and the data transmission cycle of the ECU at 20 ms, the bus load rate of the architecture in this paper is evaluated. We measured the bus load rate of Sec suggestion in [18] and LiBrA suggestion in [19] under the same circumstances and compared them to the proposed scheme. The bus load rate under different ECU numbers is shown in Figure 11. Due to the fact that there are $2^n$ communication groups for n nodes and that the ECUs store multiple keys, the bus load rate of the LiBrA increases significantly when the number of ECUs increases. Since the encrypted data frames are forwarded by the GECU, the Sec’s bus load rate is higher than ours. As the encryption and decryption of our solution is less affected by the number of ECUs, the bus load rate of our solution is 7.8% lower than Sec and 20.6% lower than LiBrA at a number of 80 ECUs in the vehicle.

Under normal circumstances, the bus load rate must be maintained below 30% in order to meet the real-time requirements of intelligent networked vehicles for in-vehicle communication. As shown in Figure 11, the bus load rate of our scheme is kept below 30%, which meets the real-time communication requirements of vehicles. The proposed scheme simplifies key management and reduces bus load by constructing access policies for each ECU and isolating unauthorized ECUs, meeting the real-time needs of the in-vehicle network.

7. Conclusions

In this paper, a secure and efficient in-vehicle communication system is designed based on an asymmetric ABE algorithm. First, the ECU communication frequency relationship is analyzed according to the max-miner algorithm of the maximum frequent term set, and the frequency attributes of ECUs are classified based on the mining results. Secondly, access structures are designed according to the set of frequency attributes of the ECUs to build the in-vehicle network communication system. In our scheme, only ECUs that meet the ciphertext requirements can decrypt the data, ensuring data confidentiality while reducing the risk of attacks on the in-vehicle network. In addition, we demonstrate through theoretical proof that the scheme in this paper achieves IND-CPA security. Finally, our solution is evaluated by means of a hardware platform and IVNS software. The evaluation results show that the scheme meets the requirements of in-vehicle networks in terms of communication latency and busload.

In the future, as driverless technology becomes more popular, there will be higher requirements for data transmission efficiency in in-vehicle networks. Designing faster and more secure in-vehicle communication solutions is the focus of our research.