A Dickson polynomial based group key agreement authentication scheme for ensuring conditional privacy preservation and traceability in VANETs

Rajkumar, Y.; Santhosh Kumar, S. V. N.

doi:10.1038/s41598-025-89208-5

Download PDF

Article
Open access
Published: 20 February 2025

A Dickson polynomial based group key agreement authentication scheme for ensuring conditional privacy preservation and traceability in VANETs

Y. Rajkumar¹ &
S. V. N. Santhosh Kumar¹

Scientific Reports volume 15, Article number: 6211 (2025) Cite this article

1928 Accesses
3 Citations
2 Altmetric
Metrics details

Subjects

Abstract

VANETs exchange data in highly dynamic open wireless access environments which are prone to security and privacy attacks. In order to safeguard the transmitted data, group key agreement authentication (GKAA) technique is used. Utilization of group key allows entities to corroborate a group key for secure VANET communication in an unsecure wireless communication channels. The traditional GKAA consumes a considerable amount of resources, verification delay is very high. Since the group key is computed and administered solely by TTA, it leads to central tendency. Additionally the communication delay soars high. To alleviate the problems of computational cost, communication cost, security, conditional privacy, central tendency, a Dickson polynomial based conditional privacy preservation authentication based on group key authentication (GKA) for VANETs has been proposed. The proposed work involves the use of Dickson polynomial to improve the security strength of TTA while authentication vehicles. Since it is based on chaotic mapping algorithm, wherein the chaotic map provides a one-way hash function; Dickson polynomial is used to corroborate a publicly distributed group key; it alleviates the complex modular or scalar multiplication performed using Elliptic curves. The group key gets computed in a distributed fashion by using the Chinese Remainder Theorem (CRT) and gets updated dynamically without the aid of TTA. Conditional Privacy has been ensured by the tracing back the pseudonyms in case of any illicit behavior exhibited by the vehicles. The proposed scheme is lightweight and lowers the communication, computation cost involved during authentication and verification. Performance analysis has been carried out by using BAN logic and ROR model thereby ensuring the security and efficiency. Thus the proposed authentication technique outperforms the traditional certificate-less and group key authentication schemes in terms of improvement in computation cost of 39%, communication cost of 672 bits for a single message with a less verification delay.

A secure and efficient user selection scheme in vehicular crowdsensing

Article Open access 31 May 2025

An efficient certificateless anonymous signcryption communication scheme for vehicular adhoc network

Article Open access 07 November 2024

An optimized elliptic curve digital signature strategy for resource-constrained devices

Article Open access 02 July 2025

Introduction

Conventional transportation systems (CTSs) suffer from problems such as traffic congestion, traffic delays, traffic accidents, economical loss, infrastructure damage and deaths¹. To cater these problems of traffic, ITS emerged as a solution to mitigate the traffic problems encountered by the traditional transportation². VANETs act as a core functioning entity of ITS³. Vehicles, especially cars have now been equipped with sensors and information computing facilities along with the information and communication technologies (ICT) opened a new arena of applications revolutionizing the modern transportation systems⁴. VANETs are applied in a wide variety of applications relating to advanced cruise control, vehicle collision avoidance, cooperative and autonomous driving⁵. Vehicles are capable of forming a network on-the-go referred to as VANETs. They are highly dynamic and self-organized in nature⁶. The major advantage of the VANETs is to provide the safety, efficiency and comfort to the commuters⁷.

Data transmissions in VANETs are highly subjugated by different kinds of security and privacy concerns⁸. Since the data gets exchanged through a wide open wireless communication channel, it is highly susceptible to message modification, tampering, impersonation, signature forgery, and side channel attacks⁹. Thus it provokes a hasty concern to protect the data that has been exchanged through the vehicles on the roads to enable a secure and a sustainable ITS. Traffic information being trapped or hijacked by an intruder may manipulate, modify or de-route the commuter leading to unforeseen consequences. The leakage of the sensitive data during the transit may also be viable which questions the integrity and the legality of the data being transmitted. Hence anonymity of data has to be ensured¹⁰. In case of medical emergencies, patient information on roads falling into the hands of intruder may tend to critical situations of life loss, delay in treatment or even medical errors¹¹. Similarly, an invader having access to the personal travelling preference may have the possibility to exploit in any possible way. It is essential to preserve the privacy by means of pseudonyms. Usage of pseudonyms helps the signature verifier for tracking the original identification of the vehicles that involve in adverse illegal activities¹². There is an exclusive need to process the large amount of messages being generated which may lead high computation delay or processing delays. Processing large amounts of messages by the RSUs may be cumbersome, overloading resulting in attrition, exposed, physical side-channel attacks, replication attacks, DoS attacks and TPD attacks in the network¹³. This consequence will lead to the decline in the performance of the network. In order to achieve security and privacy several authentication schemes relating to public key-based¹⁴, identity-based¹⁵, pseudonym-based¹⁶, certificate-less cryptography^17,18 have been proposed. Most of these cryptographic schemes utilize either bilinear pairing or elliptic curves in order to ensure the security of the data being generated and transferred. Though ECC is 20 times faster than the bilinear pairing operation, it still suffers from lengthy signatures which degrade the computation efficiency and storage overhead¹⁹.

To alleviate these problems, it is desired to design a lightweight distributed authentication scheme by using Dickson polynomials has been proposed²⁰. The proposed scheme utilizes lightweight mechanisms such as XOR operations and chaotic maps²¹ to ensure security and high connectivity among the vehicles in the network. The authentication is lightweight and employs Chinese Remainder Theorem for the dynamic distribution of group keys. Our method involves the following advantages. First, it effectively distinct security objectives and resists message modification, replay, impersonation and so on. Second, it reduces the computational overhead incurred with the cryptographic methods based on ECC or bilinear pairing which means that it performs distributed authentication.

Research gaps

Existing authentication schemes in VANETs suffers from problems such as central point of failure, traceability and privacy preservation. In addition, when the pseudonyms are stored inside the TPDs of the OBUs, there is a high possibility of TPD attack. TTA faces high computational burden when it performs message signature verification and revocation in a centralized manner. Chebyshev polynomial based conditional privacy preservation authentication scheme though it alleviates the aforementioned problems it suffers Bergamo et al.²² attack. These challenges provide a motivation to design a conditional privacy preservation authentication scheme that would be distributed, traceable, revocation and thereby achieving conditional privacy preservation in VANETs.

Major contributions

The major contributions of the proposed authentication scheme are outlined as follows:

A new distributed group key agreement authentication scheme has been proposed to ensure conditional privacy preservation implemented using Dickson polynomial in lieu of ECC or Bilinear Pairing with reduced computation and communication overheads.
The proposed scheme is lightweight, distributed and performs dynamic distribution of group keys using Chinese Remainder Theorem (CRT) where the vehicles are managed efficiently while stepping in or out of a group thereby achieving V2V and V2I communications
The proposed scheme achieves location, user, conditional privacy, traceability and resists replay, message modification and impersonation attacks, TPD and Bergamo et al.²² attacks being encountered.
The proposed scheme utilizes group key authentication to reduce the computational burden incurred by the TTA while performing verification by making it distributed. This alleviates the central dependency problem associated with the conventional authentication schemes.
A formal security analysis has been carried out by using both BAN logic and ROR model to demonstrate the security of the proposed scheme. Performance analysis has also been carried out by using performance metrics such as computation, communication, storage costs and verification delay.

Organization of the article

The manuscript has been structured as follows: “Introduction” Section encompasses the introductory segment, while “Related Works” Section delves into the comprehensive examination of the research endeavors pertaining to group key authentication techniques. “Preliminaries” Section introduces the foundational elements, system design, and security objectives that serve as the foundation for the proposed distributed authentication scheme. “Proposed Methodology” Section elaborates on the methodology of the authentication scheme. “Security Analysis” Section presents both the formal and informal security analysis. “Experimental Setup and Performance Metrics” Section offers a performance evaluation of the proposed authentication scheme, including benchmarks. Finally, “Results Discussion and Analysis” Section concludes the paper. Table 1 presents a compilation of abbreviations employed in the present study.

Table 1 Abbreviations utilized in our Survey.

Full size table

Related works

Various Authors have proposed numerous mechanisms to counter the issues related to security and privacy by designing numerous authentication schemes. To achieve security, conditional privacy and to improve the efficiency schemes such as certificate-based, identity-based, pseudonym-based, certificate-less are proposed. This section provides a brief understanding of some of the related works pertaining to authentication schemes.

Conditional privacy preserving authentication schemes (CPPAs)

CPPA ensures security, anonymity and traceability in the network. Upon any malfunctioning, CPPA provides efficient tracing back of vehicles with the help of pseudonyms stored inside the TPDs of the vehicles. Several schemes based on conditional privacy preservation have been proposed by various academicians around the globe. Among them, Liang et al.²³ proposed an authentication scheme to address the problem of ESL from the storage devices by utilizing PUFs. Their system model also addressed the problem of computational overhead soars due to frequent contact with the vehicles in motion. Their proposed authentication scheme utilized PUFs to achieve conditional privacy authenticated key agreement for VANETs. The proposed PUF based mutual authentication between the vehicles and RSUs does not require the participation of TA. Utilization of pseudonym and conditional privacy provides anonymity and traceability in case of malevolent vehicles. The proposed protocol is resilient against cloning, physical, vehicle-RSU impersonation, MiTM, replay, ESL and known session key attacks. However, the computation and communication cost soars high which needs to be reduced. Yang et al.²⁴ has come up with a secure, pairing-free, energy-efficient CLAS scheme which ensures CPPA for VANETs. Their proposed scheme addresses the problem of coalition attacks from malicious RSUs and public-key replacement attacks from malicious vehicles. Their proposed scheme involves ECC based authentication scheme which provides anonymity of vehicle identity and traceability of malevolent vehicles. Their methodology is secure against public key replacement, forgery, and tampering, malicious KGC, coalition attacks and lowers the computation and communication costs efficiently. Roy et al.²⁵ has come up with a novel multiple TA model for fog-enables VANETs to address the problems of centralized trusted authority, single-point-of-failure, service unavailability due to increased traffic load. Their proposed model involves multiple TAs where the traffic processing load has been distributed across many sub-TAs. Their model also incorporates a fog node which takes care of the managing the RSUs centrally eliminating the need to perform individual authentication of RSUs. Their proposed protocol involves CPPA ensuring security and privacy it suffers from high computation and communication costs. Additionally utilized TA may behave as malevolent which weakens the security strength of the proposed scheme. Zhu et al.²⁶ proposed a CLAS based authentication scheme based on ECC. Their proposed system utilized ECC based multiplication, one-way hash functions, XoR operation and dynamic pseudonyms in order to guarantee security and privacy. However the proposed protocol suffers from high computational overhead. TA incurs additional overhead in maintaining subsequent updation of pseudonyms. Zhang et al.²⁷ proposed a novel authentication scheme based on HSMs to address the problem of certificate storage. In order to lower the computation costs, forward secrecy, a lightweight authentication scheme that ensures CPPA has been proposed. Their scheme involves SSK updation which involves identity-based batch multi-signature algorithm which ensures traceability and revocation. Though the proposed work reduces the computational complexity to a considerable extent, it still suffers from communication overhead due to frequent secret session key updates. Wang et al.²⁸ has come up with a CPPA ensure anonymity and conditional privacy. The proposed authentication scheme has been designed without pseudonyms and is resilient to linkage attacks. Their proposed scheme is efficient and achieves anonymity, unlinkability, non-repudiation, message integrity, traceability and revocation. Though their proposed scheme is computationally efficient it is suitable only for V2V communications. Roy et al.²⁹ has come up with an authentication protocol which has backed up by the elimination of TA ensuring zero-trust mechanism for VCS. Their scheme addressed the problem of communication delay, central tendency and DoS with the help of 5G connectivity. Their system has utilized ECC and Secret sharing scheme to ensure the security against vehicles and RSUs and provides support for both V2V and V2I communications. However the authentication delay is still high which needs to get reduced. Kumar et al.³⁰ proposed a (2,n) threshold secret sharing scheme in combination with ECC to provide solution to the problem of computational overhead, authentication delay and re-authentication. Their proposed scheme eliminated the use of TA and subsequently reduces the communication overhead. The major novelty is that atleast two of n registered vehicles cooperation is required to compute a shared secret key which is highly not possible for an attacker to counter. Though the proposed scheme ensures security and privacy, the computation and the communication cost is higher in case of V2I communications. Moni et al.³¹ proposed a pseudonym-based privacy preservation scheme to address the problem of traceability incurred in processing the certificate revocation lists. Though it reduces the overhead it suffers from storage cost in maintaining the cuckoo filter and is not suited for V2I communications. Samra et al.³² has come up with a CPPA scheme based on ECC and ring signatures. Though the scheme achieves traceability it suffers from computation overhead and non-repudiation. Wang et al.³³ proposed a certificate-less conditional privacy preservation scheme based on Bilinear pairing. Their work has achieved full aggregation and reduced the communication cost, it suffers from high computation cost due to pairing operation. Wang et al.³⁴ has come up with a certificate-less CPPA to ensure unlinkability, anonymity and to lower the computational and computational overhead incurred in VANETs. Their proposed scheme involves the use of Bilinear pairing technique and ensured traceability, anonymity. Though it is resilient against reply, impersonation, message modifications and MiTM attacks it has to be tested and validated for real-time implementations. Xiong et al.³⁵ proposed a mutual authentication protocol to ensure conditional privacy, anonymity and traceability in VANETs to address the problem of forward and backward secrecy. Their proposed protocol utilized bilinear maps and puncturable authentication along with parallel key insulation technique which eliminates the computational overhead incurred when authentication involves RSUs. However the authentication delay is very high.

Group key agreement authentication schemes (GKAs)

Group key Agreement authentication schemes have been proposed to reduce the computational overhead incurred by the TTA thereby eliminating the central point of failure. To ensure security and conditional privacy several GKAA schemes have been proposed. Among them, Ali et al.³⁶ has proposed group shared key authentication scheme based on ECC and a combiner for hash function to provide security in case of IIoTs. Their proposed scheme utilized group secret keys between the industrial objects. Digital signatures are utilized and the scheme is highly resilient against attacks such as brute force, stolen verifier table, device capture, MiTM, Cipher-text, key attacks. However their protocol needs to be verified for computational and communication overheads. Zhan et al.³⁷ proposed a secure group authentication scheme where the GKA are updated based on condition matching to ensure conditional privacy in VANETs. Their proposed authentication scheme involves the use of ECC and fog-computing for VANETs in order to reduce the problem of computational overhead and key management burdens. The scheme achieves cross-domain authentication, anonymity, traceability, key-escrow freeness, perfect forward secrecy and is resistant to attacks such as replay, impersonation and modification attacks. However, their schemes incur high computation and communication costs which need to get reduced. Li et al.³⁸ has come up with a MAC based group key authentication scheme to achieve anonymity and conditional privacy. The scheme lags in key update mechanism and is vulnerable to security attacks. It cannot achieve forward and backward security. Islam et al.³⁹ proposed a secure password based GKAA scheme to achieve conditional privacy. Though their work has reduced the computational cost to a greater extent it still suffers from communication overhead since it involves repeated communication with the transport authority. Cui et al.⁴⁰ addressed the problem of security and privacy by proposing a novel dynamic GKA scheme to prevent forgery and session specific key attacks. Though the protocol extremely supports C-V2X application is suffers from high communication overhead which needs to be reduced. paliwal et al.⁴¹ has come up with a novel multi-party GKA scheme to ensure conditional privacy, and to overcome the data breach during data transmission. Their proposed protocol incurs authentication and communication delay which involve high transmission cost. Xu et al.⁴² addressed the problem of forward secrecy and malicious attacks by proposing a continuous GKA for IoVs. Their main aim is to design a GKA which provide efficiency against collusion attacks. The proposed protocol utilizes treeKEM architecture for group key authentication and management along with threshold secret sharing scheme for encryption. Though their protocol reduces the computation cost it still suffers from communication overhead during the communication and key updation phase. Cui et al.⁴³ proposed a conditional privacy preserving GKA using chaotic maps for VANETs. Though their proposed protocol efficiently lowers the computation overhead it is high susceptible to Bergamo et al.²² attacks and suffers from high communication cost. Lai et al.⁴⁴ has come up with a three party key agreement authentication scheme utilizing Chebyshev chaotic maps for VANETs. Their scheme suffers from the disadvantage such as bilinear pairing which incurs high computation overhead and is suitable only for V2I communications. Similarly, Lee et al.⁴⁵ utilized Chebyshev chaotic maps based on diffie-hellman assumption. The major advantage is that it reduces the computational complexity incurred in signing and verification. Yang et al.⁴⁶ proposed a Chebyshev polynomial based GKAA scheme to achieve conditional privacy and traceability. However, the proposed scheme is suitable only for V2V communications. The major drawback of the scheme is that it cannot resist Bergamo et al.²² attack where the security assumption is based on real numbers and is sensitive to initial value^47,48. Table 2 provides the comparative analysis of various authentication schemes. From the literary related works, it is apparent that most of the CPPAs either use bilinear pairing or ECC to counter the TPD attacks and non-repudiation. However, these schemes suffer from computational complexity and increased length of signatures. Similarly, the GKAs suffer from high communication cost, forward and backward security. Hence in order to counter these issues, our scheme aims to counter by utilizing pseudonym to achieve non-repudiation, forward and backward security and CRT for key management. Additionally, it is necessary to reduce the computational complexity of the TTA; the scheme is distributed where the computational burden gets reduced. In addition, the key operations and values are also reduced subsequently. This results in the design of a new authentication scheme to achieve conditional privacy preservation and traceability using the Dickson polynomial in VANETs.

Table 2 Comparative analysis of various existing authentication schemes.

Full size table

Preliminaries

This chapter provides an overview of the context, concept and system design employed in the development of the proposed distributed authentication technique for vehicular ad hoc networks.

Dickson polynomial

Due to the irreducible property, polynomials find its applications in security and authentication⁴⁹. Polynomial cryptography exhibits two different properties namely semi-group and irreducibility⁵⁰. Utilization of Dickson polynomial offers security against TPD and ephemeral key attacks it finds application in key agreement schemes. Due to the irresistive nature of Chebyshev polynomial towards MiTM and Bergamo et al. attack Dickson polynomial has been adopted^{51,52,53,54,55}. Dickson polynomials are defined over the finite field recursively which depends upon the parameter $n$ and $a$ mapping the elements bijectively which makes it highly suitable for low resource-constrained environment like VANETs⁵⁶

Dickson Polynomial and its properties: Dickson Polynomial²⁰ for a variable ${\text{a}} \in {\text{F}}_{{\text{q}}}$ defined by an integer n; then the Dickson Polynomial ${\text{D}}_{{\text{n}}} \left( {{\text{x}},{\text{ a}}} \right)$ over any finite field ${\text{F}}_{{\text{q}}}$ can be defined as

$$D_{n} \left( {x,a} \right) = \mathop \sum \limits_{i = 0}^{\frac{n}{2}} \frac{n}{n - i}\left( {\begin{array}{*{20}c} {n - i} \\ i \\ \end{array} } \right)\left( { - a} \right)^{i} x^{n - 2i}$$

(1)

where $\frac{n}{2}$ is the largest integer $\ge \frac{n}{2}$. The Dickson Polynomials gets gratified by the continuous relation such that $D_{n} \left( {x,\alpha } \right) = x D_{n - 1} \left( {x,\alpha } \right) - \alpha D_{n - 2} \left( {x,\alpha } \right); n{ \succcurlyeq }2.$ Under the initial condition ${\text{D}}_{0} ({\text{x}},{\upalpha }$) = 2 and ${\text{D}}_{1} ({\text{x}},{\upalpha }$) = x and some of the other polynomials are computed by using the Eqs. (2–5) as follows:

$$D_{2} \left( {x,\alpha } \right) = x^{2} - 2\alpha$$

(2)

$$D_{3} \left( {x,\alpha } \right) = x^{2} - 3\alpha$$

(3)

$$D_{4} \left( {x,\alpha } \right) = x^{4} - 4\alpha x^{2} + 2 \alpha^{2}$$

(4)

$$D_{5} \left( {x,\alpha } \right) = x^{5} - 45\alpha x^{3} + 5 \alpha^{2} x$$

(5)

The most important characteristic property of the Dickson polynomial is that is satisfies commutativity under composition when $\alpha$ = 0 or 1.

Definition 1: Semi-group Property: Dickson polynomials exhibit semi-group property under composition which can be defined as follows:where p is a prime number. Hence

$$D_{n} \left( x \right) \equiv \left( {2xD_{n - 1} \left( x \right) - D_{n - 2} \left( x \right)} \right) mod p; \forall n \ge 2;x \in \left( { - \infty , + \infty } \right);$$

$$\begin{aligned} D_{mn} \left( {x,1} \right) & = D_{m} \left( {D_{n} \left( {x,1} \right),1} \right) \\ & = D_{m} \left( {x,1} \right) o D_{n} \left( {x,1} \right) \\ & = D_{n} \left( {x,1} \right)o\;D_{m} \left( {x,1} \right) \\ & = D_{n} \left( {D_{m} \left( {x,1} \right), 1} \right) \\ & = D_{nm} \left( {x,1} \right) \\ \end{aligned}$$

(6)

The semi-group property exhibited by the Dickson polynomials is an essential property and finds a wide variety of cryptographic applications which is given by the Eq. (6).

Definition 2: Chaotic-Map based Dickson Diffie-Hellman Problem (CMDDHP): For any given value of x; where $x \in \left( { - \infty ,\user2{ } + \infty } \right)$; $D_{u} \left( x \right)mod p, D_{v} \left( x \right)mod p$ for a large prime p. It is intransigent to compute $D_{uv} \left( x \right)mod p$⁴⁷.

Chaotic map based hash function

Due to the properties of variable-dependency and abstract correlation; chaotic maps are utilized to build the hash functions. One notable benefit of utilizing chaotic hash is its ability to streamline normal procedures. Chaotic Hash function^57,58 used along with Dickson-based sequences alleviates the problem of computational overhead and storage complexity. This results in increase in the performance of the OBUs. The algorithm works according to⁴⁶ which consist of both the input and the output as follows:

Input: A discrete length of a string of bits which is of length y.

Output: Chaotic Hash Value of 128 bits.

Chinese remainder theorem (CRT)

CRT asserts that, under the condition that the divisors are pairwise co-prime, it is feasible to determine the remainder of an integer divided by its product in a unique manner, provided that the remainders resulting from the Euclidean division of n by multiple integers are known²³.

CRT can be stated as follows:

Let $\left\{ {l_{1} , l_{2} ,l_{3} , \ldots , l_{n} } \right\}$ be the set of positive integers which are relatively prime to one another;

Let $\left\{ {b_{1} ,b_{2} ,b_{3} , \ldots ,b_{n} } \right\}$ be the set of positive integers. Therefore the pair of congruences given by the chinese remainder theorem can be defined as.

{$Z \equiv b_{1} mod l_{1}$; $Z \equiv b_{2} mod l_{2} , \ldots ,Z \equiv b_{n} mod l_{n}$} gives an individual solution defined by $mod \partial_{h} = \mathop \prod \limits_{i = 1}^{n} \left( {l_{i} } \right)$. The trusted transport authority finds the solution based on the Eq. (7)

$$Z = \left( {\mathop \sum \limits_{i = 1}^{n} \delta_{i} \theta_{i} \vartheta_{i} } \right) mod \partial_{h}$$

(7)

where $\theta_{i} = \frac{{\partial_{h} }}{{l_{i} }}$ and $\theta_{i} \vartheta_{i} \equiv 1 mod l_{i}$.

System design

The typical architecture of a conventional VANET comprises of essential components namely the trusted transport authority (TTA), which includes the Key Generation Center (KGC) and the Authentication Server (AS), as well as the Road-Side Units (RSUs) and the On-Board Units (OBUs). The logical description of these components is achieved through the utilization of three levels, specifically referred to as the upper layer, the middle layer, and the bottom layer. The uppermost tier of the architecture comprises of the TTA, the KGC, and the AS while the intermediate layers comprises of RSUs. The lowest layer is comprised of the vehicles. The exchange of information among these three constituents is enabled by an IEEE standard, namely IEEE 802.11p, which is commonly referred to as DSRC. RSUs serve as an intermediary entity that facilitates communication and coordination between the TTA, KGC, and OBUs. The architectural structure adheres to a hierarchical design in which data transmission is authenticated through the utilization of two private keys generated by both the key generation center and the trusted transport authority. The concatenation of these partial private keys serves as a shield against forging, replay, impersonation, and various other forms of attacks. To compromise a specific message, an intruder must possess two partial private keys and one secret key of the vehicle, hence rendering it highly resistant to key ephemeral assaults. The distributed nature of the VANET model employed in our proposed system is illustrated in Fig. 1. Figure 2 depicts the operational framework of the proposed system.

Trusted transport authority (TTA)

TTA is mainly responsible for the initialization, functioning and generation of the public parameters required for the system. TTA is highly trustworthy and it cannot be compromised. The communication between the TTA and the AS can be accommodated wirelessly by means of EAP^59,60,61. This protocol takes the responsibility of the vehicle registration, RSUs and AS. Furthermore, legal measures are implemented to address the issue of vehicle impersonation or masquerading, with the capability to trace the true identity of the vehicle in question during any legal procedures. This guarantees the retention of conditional privacy within the system.

Key generation center (KGC)

KGC is a separate entity which exhibits functionality such as generation of partial private key for secure message communications. KGC possess enough storage and processing capabilities which administers the role of managing and storing the keys. KGC is fully trusted and cannot be compromised³⁷.

Authentication server (AS)

AS performs the verification of messages received from the vehicle or the RSUs. Both KGC and AS shares the same database that contains keys. AS stores all the traffic information in the form of database records and performs analytics very often. It is fully trusted and cannot be compromised³⁹.

Road-side units (RSUs)

RSUs are mainly responsible for the communication between the OBUs and the Upper layered components. RSUs are installed for every 500 m and they are responsible for the message signature verification. RSUs are partially-trusted and are authenticated during the installation of the system by the TTA. RSUs are equipped with sensor device, servicing platform and a V2I communication platform. Utilization of RSUs makes it possible to achieve both V2V and V2I communications.

On-board units (OBUs)

OBUs are the vehicles which are registered with the TTA in an offline manner. After registration, each vehicle gets installed with the public parameters by taking the private aspects of each vehicle. Each vehicle is fitted with a TPD called as OBUs. Vehicles communicate with each other with the help of these on-board units. Each vehicle is fitted with communication systems called GPS and sensors for navigation which is responsible for the transmission and record-keeping of highly crucial information like messages and private keys.

Adversary model

The adversarial model for the proposed authentication scheme is simulated in the form of a game between an adversary $\zeta_{1}$ and the rival $\eta_{1}$. The adversarial model of existential unforgeability against chosen-message attacks (EUF-CMA) can be defined as follows:

Initialization: The system initialization algorithm is executed by the rival $\eta_{1}$ in order to generate the system public parameters $pms.$ The public parameters are then sent to the adversary $\zeta_{1}$ and the rival $\eta_{1}$ in a secret way thereby seizing the master secret key $o$.

Queries: The adversary $\zeta_{1}$ attempts to query on messages selected by the adversary in an adaptive way. In order to execute a signature query on the message $M_{i}$, then the rival performs the execution of the message signature generation algorithm in order to compute the message signature $\sigma_{i}$ and dispatches it to the adversary $\zeta_{1}$.

Forgery: The adversary $\zeta_{1}$ returns a signature which is forged $\sigma_{i}^{\prime }$ on a particular message $M_{i}^{\prime }$ and succeeds in the game iff.

$\sigma_{i}^{\prime }$ is the legitimate signature pertaining to the message $M_{i}^{\prime }$
During the querying phase, queries are not performed for the message signature $\sigma_{i}^{\prime }$

The major benefit ${\Im }$ in succeeding the game indicates the generation of a valid forged signature. When ${\Im }$ is trivial for any polynomial adversary $\zeta_{1}$ then the proposed authentication scheme is secure.

Security goals

Data transmission in VANETs has to be secured. In the proposed work, the group key agreement authentication scheme should satisfy the security properties such as message authentication, data integrity, perfect forward secrecy, perfect backward secrecy, conditional privacy preservation, traceability, unlinkability, anonymity.

Data integrity and message authentication

The received data should not be tampered, modified but preventing the data loss and leaks, errors and unauthorized access. The vehicle must be authenticated before it acquires the group key for message transmission.

Perfect forward secrecy

Upon any attack, even if the current session key gets compromised, the attacker should not gain any access to the previous session key utilized for Vehicular communications.

Perfect backward secrecy

Ensuring that the attackers cannot gain access to future session keys even if the current session key gets compromised during vehicular communications.

Conditional privacy preservation

The attacker should not be able to access or break into the original identity of the vehicle involved in communication. In case of legal proceeding TTA or AS performs revocation.

Traceability

Upon any illegal activity, it is necessary to trace and revoke back the original identity of the vehicle by the TTA or AS.

Unlinkability

Only TTA possess the capability to performs the linking of messages sent from the same vehicle.

Anonymity

The original identity of the entities such as $V_{{ID_{i} }}$ and $RSU_{{ID_{i} }}$ cannot disclose their original identity thereby ensuring the anonymity with the help of the pseudonyms.

Non-repudiation

The sender cannot deny the sending of the message.

Mutual authentication

All the entities involved inside the communication should verify the legitimacy of each other during the mutual authentication and group key agreement (GKA) phase.

Resistance to attacks

The proposed scheme must be resistant to attacks such as replay, message modification, impersonation, coalition, Man-in-the-Middle, Key Exposure, DoS and ESL attacks.

Proposed methodology

The proposed distributed authentication scheme’s primary objective is to provide conditional privacy preservation in VANET communications by facilitating efficient group key agreement authentication. It is composed mainly of eight phases namely 1. System Initialization Phase 2. Offline Registration Phase 3. Group Key Computation Phase 4. Group Key Distribution Phase 5. Mutual Authentication Phase 6. Message Signing and Verification Phase 7. Group Key Updation Phase and 8. Pseudonym Updation Phase. The first module to be created is called "System Initialization," and its primary job is to generate crucial parameters necessary for the system’s initial operation. Additionally the group key is computed during this phase. In the second phase, known as offline registration, vehicles and RSUs are added to the system and given public and private keys for use in further communications. The group key distribution section is the third component. Here, the TTA must produce the group key that will be used later in the process to authenticate and verify messages.

The fourth phase, known as Group Key distribution phase is responsible for concealing the true identities of vehicles and roadside units behind fictitious names, or pseudonyms. The mutual authentication process is the fifth and the sixth module. The vehicles now have the group key and can reliably communicate with each other while still within range of the roadside equipment. The sixth stage is the group key updation phase. In this step, the group key is updated anytime a vehicle joins or departs the group. The seventh section deals with the generation and signature of messages. In this step, vehicles collect data on the road’s state and construct a time stamped message that must be sent to other nearby vehicles or roadside equipment. The eighth modules consist of the pseudonym updation phase. Table 3 provides the description of the symbols utilized in our proposed scheme.

Table 3 List of Symbols.

Full size table

System initialization phase

TTA initiates the system initialization phase. TTA computes the field of prime numbers over the galois field by selecting an odd prime number and a random positive integer. Additionally, TTA chooses a system secret key for the whole system from the multiplicative field. To compute a Dickson polynomial, KGC selects a random number from the Galois field of a selected prime number. Following the selection of a random number, KGC selects a secret key for each car and RSU that will be given out at the time of vehicle registration and forwards it to the TTA. Algorithm 1 provides the steps involved in the system initialization phase.

Offline registration phase

Offline vehicle registration phase

Each vehicle and RSU is securely registered offline with the TTA before to the particular system’s operation. The personal credentials such as name, address, phone number, email address, car number, type, and Iris biometric data are all submitted by each owner of a vehicle. Following TTA registration, KGC generates a special secret Dickson group key for every car and sends it to that vehicle. The procedures to be taken during the offline registration phase are listed in Algorithm 2. A duplicate of the same is then kept in the AS’s tracking database. The third step illustrates how the identification and secret key of the matching vehicle are kept in the tracking database.

Offline RSU registration phase

The RSUs are registered with the TTA prior to the RSUs being installed. The first step illustrates how the location and identity of the RSUs are obtained during registration. Following verification, KGC computes the Dickson polynomial and the Dickson secret key, which serve as the corresponding RSU’s public key and are represented in step 4. Algorithm 3 provides the steps necessary for offline RSU registration phase. Next, KGC selects the RSU secret key that has been transmitted to it. A duplicate of the secret key will be kept in the KGC database, as indicated by equation in the final step.

Dickson’s group key computation phase

Users or vehicles in the same communication RSU range must first go through an authorization process before they can receive a group key for message creation and authentication. A vehicle notifies the KGC of its approach to the RSU’s coverage region by sending an authentication request. The step 1 shows how the KGC and AS choose a new group key in response to the request. It then broadcasts the private key to all of the RSUs and cars in group G, as shown in step 2 and step 3 after calculating the private key for the vehicle that approaches the RSU coverage range. The step 4 shows how the vehicle can access a new domain key that was calculated using the CRT after it has been authorized. The list of steps needed to calculate the Dickson’s group key computation is given in Algorithm 4. The figure illustrates the group key computation and distribution phase in Fig. 3.

Group key distribution phase

In this phase, a pseudonym is given to every single vehicle before any communication is initiated. To produce the pseudonym for a vehicle, the Dickson polynomial must be calculated, as indicated using the step 1.Every vehicle communicates with the TTA using an authentication request message. Following receipt of the request, it directs the KGC to create a pseudo-identity allowing vehicle in order to enable communication, as indicated by the step 2. Every vehicle receives an authorized public key that may be used to describe the message using the step 3. Vehicles near an RSU need to be validated during this phase in order to ensure the group key’s authenticity. It comprises the generation of messages for authentication as well as their verification. Figure 5 describes how the vehicles are authenticated. Algorithm.5 has provided a description of the group key distribution. Prior to being sent from the car to the RSU, all messages are encrypted using the step 4, the Dickson polynomial, and the Dickson secret key.

Mutual authentication phase

Only after the AS computes the vehicle’s original identity using the matching Dickson polynomial and verifies the vehicles timestamp to get vehicle authorized. The original identification that has been decrypted is confirmed against the tracking database that is shared with the KGC and AS. Step 3 indicates that a vehicle is authentic if the matching vehicle identity is found in the database. Algorithm.6 has outlined the procedures that must be followed during the mutual authentication phase. Figure 4 provides the steps required for vehicle authentication.

Group key updation phase

The group key updating phase initiates when a vehicle leaves the RSU’s communication range, as shown by step 1 and step 4. Tree based logical key hierarchy rekeying procedure is followed where the group keys are updated dynamically⁶². The procedures to be followed during the group key updating phase are given in Algorithm 7.

Message signature generation and verification phase

Message signature generation phase

According to Step 1 and 2, traffic information is transmitted by selecting a new pseudo-identity and a current timestamp, which is then sent to the vehicle or RSU for verification because the communication entities are authenticated using the Dickson secret key and the Dickson polynomial. The procedures to be followed during the message signing phase are given in Algorithm 8.

Message signature verification phase

When the message signature is received, the vehicle or the AS verifies it by utilizing step 1 and step 2 to compare the message signatures received. The step 2 is used to verify the correctness proof. The procedure for the single message verification is provided in Algorithm 9. Figure 5 provides the message authentication among the vehicles.

Pseudonym updation phase

Every time the vehicle enters an urban region, it frequently changes its pseudonym to protect location privacy. Each vehicle produces a Dickson group polynomial from the pseudo-identity production phase, as indicated using the Eq. (33) as follows:

$$PSID_{{V_{i,n} }} = V_{{ID_{i} }} D_{{n \vartheta_{i,n} }} \left( y \right) mod \left( {f\left( y \right)} \right)$$

(33)

Security analysis

This section provides the security analysis for the proposed authentication scheme in terms of formal security proofs and informal security proofs to validate its security strengths and its resilience to security attacks. Formal security analysis has been carried out by using BAN logic and ROR model. Since both of them serve for distinct purpose wherein BAN logic ascertain the logical correctness of the authentication proofs while ROR model verifies the security strengths of the authentication scheme.

Formal security analysis based on BAN logic

This section provides an analysis based on BAN logic⁶³ to validate the security features of the proposed distributed group key authentication scheme. The most important rules of the BAN logic are as follows:

Axiom 1: Information-Definition Rule: $\frac{{R| \equiv R \leftrightarrow S, R \triangleleft Y_{k} }}{{R\left| { \equiv S} \right| \sim Y}}$
Axiom 2: Time-Stamp Verification Rule: $\frac{{R| \equiv \# \left( Y \right), R\left| { \equiv S} \right| \sim Y}}{{R\left| { \equiv S} \right| \equiv Y}}$
Axiom 3: Authority Rule: $\frac{{R\left| { \equiv S \Rightarrow Y, R} \right| \equiv S| \equiv Y}}{R| \equiv Y}$
Axiom 4: Aliveness-Concurrence Rule: $\frac{R| \equiv \# \left( Y \right)}{{R| \equiv \# \left( {Y,Z} \right)}}$
Axiom 5: Access Key Rule: $\frac{{R\left| { \equiv \# Y,R} \right| \equiv S| \equiv Y}}{{R| \equiv R\mathop \leftrightarrow \limits^{k} S}}$

There are four objectives which are supposed to be achieved and are as follows:

Obj 1: $TTA\left| { \equiv KGC} \right| \equiv RSU_{{ID_{i} }} ,~TTS_{{RSU_{i} }} ,~M_{{V_{i} }} ,~\Delta T_{i} ^{\prime }$
Obj 2: $RSU_{i} | \equiv PSID_{{V_{i,n} }} , TTS_{{V_{i} }} ,D_{{\vartheta_{i,n} }} \left( y \right),\Delta T_{i}$
Obj 3: $V_{i} | \equiv t_{i}$
Obj 4: $V_{j} \left| { \equiv V_{i} } \right| \equiv PSID_{{v_{i,n} }} ,M_{i} ,TS_{{V_{i} }} ,{\mathcal{L}}_{i}$

In order to carry out the formal security analysis, the messages are exchanged between the TTA, KGC, AS, RSUs and OBUs are formulated as follows:

Msg1:$V_{i} \to RSU_{j} :\left\{ {PSID_{{V_{i,n} }} , TTS_{{V_{i} }} ,D_{{\vartheta_{i,n} }} \left( y \right),\Delta T_{i} } \right\}$
Msg2: $RSU_{j} \to KGC:\left\{ {RSU_{{ID_{i} }} ,~TTS_{{RSU_{i} }} ,~M_{{V_{i} }} ,~\Delta T_{i} ^{\prime } } \right\}$
Msg3: $KGC \to V_{i} :g_{i}$
Msg4: $V_{i} \to V_{j} :\left\{ {PSID_{{v_{i,n} }} ,M_{i} ,TS_{{V_{i} }} ,{\mathcal{L}}_{i} } \right\}$

The rudimentary formulations required for the formal verification proofs are as follows:

P1: $RSU_{j} | \equiv RSU_{j} \mathop \leftrightarrow \limits^{{(m_{i } , D_{{n_{i} }} \left( {m_{i} } \right))}} V_{i}$
P2: $RSU_{j} | \equiv \# \Delta T_{i}$
P3: $RSU_{j} | \equiv V_{i} \Rightarrow PSID_{{V_{i,n} }} , TTS_{{V_{i} }} ,D_{{\vartheta_{i,n} }} \left( Y \right),\Delta T_{i}$
P4: $KGC| \equiv \# \Delta T_{i}^{\prime }$
P5: $KGC| \equiv RSU_{j} \Rightarrow \left( {RSU_{{ID_{i} }} ,S_{{RSU_{i} }} } \right)$
P6: $V_{i} | \equiv V_{i} \mathop \leftrightarrow \limits^{{DSK_{i} }} TTA$
P7: $V_{i} | \equiv \# \Delta T_{i}$
P8: $V_{i} \left| { \equiv TTA} \right| \equiv DSK_{i}$
P9: $V_{j} | \equiv V_{j} \mathop \leftrightarrow \limits^{{t_{i} }} V_{i}$
P10: $V_{j} | \equiv \# TS_{{V_{i} }}$

According to the formulated hypothesis and rational premises of BAN logic, the formal proof verification of the proposed authentication scheme is as follows:

By using the message 1, the following statements are obtained:

Q1: $RSU_{j} \triangleleft \left\{ {PSID_{{V_{i,n} }} , TTS_{{V_{i} }} ,D_{{\vartheta_{i,n} }} \left( y \right),\Delta T_{i} } \right\}_{{\left( {(m_{i } , D_{{n_{i} }} \left( {m_{i} } \right))} \right)}}$

According to Q1, P1 and Axiom 1, it is obvious that:

Q2: $RSU_{j} \left| { \equiv V_{i} } \right| \sim PSID_{{V_{i,n} }} , TTS_{{V_{i} }} ,D_{{\vartheta_{i,n} }} \left( y \right),\Delta T_{i}$

According to Q2, P2, Axiom 2 and Axiom 4, it is obvious that:

Q3: $RSU_{j} \left| { \equiv V_{i} } \right| \equiv PSID_{{V_{i,n} }} , TTS_{{V_{i} }} ,D_{{\vartheta_{i,n} }} \left( y \right),\Delta T_{i}$.

According to Q3, P3 and Axiom 3, it is obvious that:

Q4: $RSU_{j} | \equiv PSID_{{V_{i,n} }} , TTS_{{V_{i} }} ,D_{{\vartheta_{i,n} }} \left( y \right),\Delta T_{i} \quad \left( {\text{Obj 2}} \right)$

By using the message 2, the following statements are obtained:

Q5: $KGC\left| { \equiv RSU_{j} } \right| \sim RSU_{{ID_{i} }} ,~TTS_{{RSU_{i} }} ,~M_{{V_{i} }} ,~\Delta T_{i} ^{\prime }$

According to Q5, P4, Axiom 2 and Axiom 4, it is obvious that:

Q6:$~KGC\left| { \equiv RSU_{j} } \right| \equiv RSU_{{ID_{i} }} ,~TTS_{{RSU_{i} }} ,~M_{{V_{i} }} ,~\Delta T_{i} ^{\prime }$

According to Q6, P5 and Axiom 3, it is obvious that:

Q7: $KGC| \equiv RSU_{{ID_{i} }} ,~TTS_{{RSU_{i} }} ,~M_{{V_{i} }} ,~\Delta T_{i} ^{\prime } \quad \left( {{\text{Obj 1}}} \right)$

By using the message 3, the following statements are obtained:

Q8:$V_{i} \triangleleft t_{i} x {\complement }$

According to Q8, P6 and Axiom 1, it is obvious that:

Q9:$V_{i} \left| { \equiv KGC} \right|\sim t_{i} x {\complement }$

According to Q9, P7, Axiom 2 and Axiom 4, it is obvious that:

Q10: $V_{i} \left| { \equiv KGC} \right| \equiv t_{i} x {\complement }$

According to Q10, P8 and Axiom 3, it is obvious that:

Q11: $V_{i} | \equiv g_{i} \quad \left( {\text{Obj 3}} \right)$

By using the message 4, the following statements are obtained:

Q12:$V_{j} \triangleleft PSID_{{v_{i,n} }} ,M_{i} ,TS_{{V_{i} }} ,{\mathcal{L}}_{i}$

According to Q12, P9 and Axiom 1, it is obvious that:

Q13: $V_{j} \left| { \equiv V_{i} } \right| \sim PSID_{{v_{i,n} }} ,M_{i} ,TS_{{V_{i} }} ,{\mathcal{L}}_{i}$

According to Q13, P10, Axiom 2 and Axiom 4, it is obvious that:

Q14: $V_{j} \left| { \equiv V_{i} } \right| \equiv PSID_{{v_{i,n} }} ,M_{i} ,TS_{{V_{i} }} ,{\mathcal{L}}_{i} \quad \left( {\text{Obj 4}} \right)$

It is obvious that the proposed authentication scheme through the security analysis made using BAN logic has achieved all the formulated objectives and thereby provides an assurance of mutual authentication between the vehicles. It is also apparent that vehicles receive correct group key after the mutual authentication which makes vehicles to have a communication with the same group key within the range of road-side units. From these results obtained, it is obvious that our proposed authentication scheme according to the definition (1 and 2) it is not possible to crack due to the CMDDHP.

Formal security analysis based on ROR model

In VANETs, the communication proceeds between the road-side units and the vehicles through a wide open wireless communication channel, it is obvious that the network is susceptible to hackers and malevolent users which are unavoidable. Analysis using ROR has been adopted from Vallant et al.⁶⁴. To prove that our proposed authentication mechanism is safe from adaptive selected message attacks, the following proofs are presented.

Definition:

It is not possible for an invader to gain access to an entity $\left( {t, \beth , p} \right)$ to perform an adaptive chosen message attack under a signature authentication scheme. P denotes the number of $H_{2}$ hash queries in the random oracle.

Theorem 1:

The ROR states that any invader A with a probabilistic polynomial time executes the game (Definition 4) and succeeds with probability which cannot be left out in the corresponding polynomial time, then the simulator with the probabilistic polynomial time can solve CMDDHP problem not less than within a span of $\beth^{\prime} = \frac{\beth }{p}$ in that polynomial time.

Proof:

Let us assume that an invader $\chi$ can be able to gain access and generate the message as $\left\{ {PSID_{{v_{i,n} }} ,M_{i} ,TS_{{V_{i} }} ,{\mathcal{L}}_{i} } \right\}$. Let $\psi$ be an imposter that has been built on $\chi$, so $\psi$ describes the capability to provide solution to the CMDDHP problem executed by $\chi$ with a ruled out probability. With an instance sample $\left\{ {Z, q,y,f\left( y \right),p = q^{o} } \right\}$ of the CMDDHP problem, $\psi$ imposter oracles which are challenged by $\chi$ as follows:

Setup: The Imposter $\psi$ fix $p = q^{o}$ and chooses an abstract integer $\lambda_{i} \epsilon Z$ which is utilized to establish an anonymous set ${\text{PSID}}_{{v_{n} }} = \left\{ {PSID_{{v_{1} }} ,PSID_{{v_{2} }} , \ldots ,PSID_{{v_{n} }} } \right\}$ where $i \epsilon \left\{ {1,2, \ldots ,n} \right\}$.

$$PSID_{{v_{{i,n}} }} = \left\{ {\begin{array}{*{20}c} {{\text{PSID}}_{{vl_{{1,n}} }} = p;} & {iff~i = i^{*} } \\ {PSID_{{v_{{1,n}} }} = q^{o} ;} & {iff~i \ne i^{*} } \\ \end{array} } \right.$$

(34)

Imposter $\psi$ selects an abstract integer $t_{i} \epsilon Z$ and computes the public group key as $g_{i} = \gamma_{i} x {\complement }$. Then the imposter $\psi$ sends these parameters as $pms = \left\{ {Z, P,t_{i} {\complement }, H_{1} ,H_{2} } \right\}$ and the anonymous set $K_{{ID_{{i,n}} }}$ to the invader $\chi$.

H₂ Hash Query: If the invader $\chi$ makes an $H_{2}$ query by having a pseudo-identity $PSID_{{v_{i,n} }}$, the imposter $\psi$ examines whether the tuple $\left\langle {{\text{PSID}}_{{ID_{i} }} ,TS_{{V_{i} }} ,\tau _{{H_{2} }} } \right\rangle$ is present in the hash list $L_{{H_{2} }}$ or not. Iff the tuple presents in the list, then the imposter $\left\langle {\tau _{{H_{2} }} = H_{2} {\text{PSID}}_{{ID_{i} }} ,TS_{{V_{i} }} } \right\rangle$ dispatch to $\chi$. Else $\psi$ selects an abstract $\tau_{{H_{2} }} \in Z$ and then appends $\left\langle {{\text{PSID}}_{{ID_{i} }} ,TS_{{V_{i} }} ,\tau _{{H_{2} }} } \right\rangle$ it to the hash list $L_{{H_{2} }}$. At the end, $\psi$ gives $\left\langle {\tau _{{H_{2} }} = H_{2} {\text{PSID}}_{{ID_{i} }} ,TS_{{V_{i} }} } \right\rangle$ to $\chi$.

H₃ Hash Query: When an invader $\chi$ makes an $H_{3}$ query with the message $\left\langle {PSID_{{v_{i,n} }} ,M_{i} ,TS_{{V_{i} }} ,\tau_{{H_{2} }} } \right\rangle$, the imposter $\psi$ examines iff the tuple $\left\langle {PSID_{{v_{i,n} }} ,M_{i} ,TS_{{V_{i} }} } \right\rangle$ is already present in the list $L_{{H_{3} }}$ or not. Iff the tuple presents in the list, then the imposter $\tau _{{H_{3} }} = H_{3} \left\langle {{\text{PSID}}_{{ID_{i} }} ,TS_{{V_{i} }} ,M_{i} } \right\rangle$ dispatch to $\chi$. Else $\psi$ selects an abstract ${\tau }_{{H}_{3}}\in Z$ and then appends $\left\langle {{\text{PSID}}_{{ID_{i} }} ,TS_{{V_{i} }} ,M_{i} ,\tau _{{H_{2} }} } \right\rangle$ it to the hash list $L_{{H_{2} }}$. At the end, $\psi$ gives $\tau _{{H_{3} }} = H_{3} \left\langle {{\text{PSID}}_{{ID_{i} }} ,M_{i} ,TS_{{V_{i} }} } \right\rangle$ to $\chi$.

Sign Query: If the invader $\chi$ generates a signing inquiry on the message $M_{i}$ and the pseudo-identity ${\text{PSID}}_{{ID_{i} }}$, then the imposter $\psi$ examines the tuple value $\left\langle {{\text{PSID}}_{{ID_{i} }} ,TS_{{V_{i} }} ,\tau _{{H_{2} }} } \right\rangle$ from the hash list $L_{{H_{2} }} .$ Then the imposter $\psi$ picks up $\tau_{{H_{2} }}$ from the tuple $\left\langle {{\text{PSID}}_{{ID_{i} }} ,TS_{{V_{i} }} ,\tau _{{H_{2} }} } \right\rangle$.

If $i = i^{*}$; then the imposter $\psi$ selects three abstract integers $\phi_{i} ,\varphi_{i} ,{\Psi }_{i} \epsilon Z$, a random point ${\text{PSID}}_{{ID_{i} }}$; and computes $V_{{ID_{i} }} =$ $PSID_{{V_{i,n} }} D_{{n{ }\vartheta_{i,n} { }}} \left( {Y^{ - 1} } \right){ }mod{ }\left( {f\left( y \right)} \right)$. Then the imposter $\psi$ appends $\tau _{{H_{2} }} = H_{2} \left\langle {{\text{PSID}}_{{ID_{i} }} ,TS_{{V_{i} }} } \right\rangle ~and~\tau _{{H_{3} }} = \left\langle {H_{3} {\text{PSID}}_{{ID_{i} }} ,M_{i} ,TS_{{V_{i} }} } \right\rangle$ to the hash list $L_{{H_{3} }}$; then dispatches $\left\langle {{\text{PSID}}_{{ID_{i} }} ,TS_{{V_{i} }} ,M_{i} ,\tau _{{H_{2} }} } \right\rangle$ to $\chi$. According to the formulations specified, all the reply sent to the sign query becomes valid because $\left\langle {{\text{PSID}}_{{ID_{i} }} ,TS_{{V_{i} }} ,M_{i} ,\tau _{{H_{2} }} } \right\rangle$ has been answered in the game thereby satisfying:

$$\begin{gathered} \sigma_{i} \cdot P = V_{{ID_{i} }} D_{{n \vartheta_{i,n} }} + M_{i} + H_{{\gamma_{i} }} \hfill \\ = V_{{ID_{i} }} D_{{n \vartheta_{i,n} }} \left( Y \right)PSID_{{V_{i,n} }} D_{{n{ }\vartheta_{i,n} { }}} \left( {Y^{ - 1} } \right) + M_{i} + H_{{\gamma_{i} }} \hfill \\ = V_{{ID_{i} }} D_{{n \vartheta_{i,n} }} \left( Y \right)V_{{ID_{i} }} D_{{n{ }\vartheta_{i,n} { }}} \left( {Y^{ - 1} } \right) + M_{i} + H_{{\gamma_{i} }} \hfill \\ = PSID_{{ \vartheta_{i,n} }} \left( Y \right)V_{{ID_{i} }} D_{{n{ }\vartheta_{i,n} { }}} \left( {Y^{ - 1} } \right) + M_{i} + H_{{\gamma_{i} }} \hfill \\ = \sigma_{i}{\prime} \cdot P PSID_{{v_{i} }} D_{{n{ }\vartheta_{i,n} { }}} \left( {Y^{ - 1} } \right) \hfill \\ \sigma_{i} .P - \sigma_{i}{\prime} \cdot P = PSID_{{v_{i} }} D_{{n{ }\vartheta_{i,n} { }}} \left( {Y^{ - 1} } \right) \hfill \\ \end{gathered}$$

(35)

Else $i \ne i^{*}$; then the imposter $\psi$ gets verified that it has obtained a valid signature and publishes it.

Output: The invader communicates $\chi$ with the imposter $\psi$ until $\chi$ comprehend that the work has been completed. Therefore, the invader provides the message $\left\langle {{\text{PSID}}_{{ID_{i} }} ,TS_{{V_{i} }} ,M_{i} ,{\mathcal{L}}_{i} } \right\rangle$ as its output. The imposter checks whether the equation holds true or not.

$$\sigma_{i} .P = V_{{ID_{i} }} D_{{n \vartheta_{i,n} }} + M_{i} + H_{{\gamma_{i} }}$$

(36)

If not the imposter $\psi$ will end the process. By using the forgery axiom⁵⁴, the invader may produce another legal valid message with $\left\langle {{\text{PSID}}_{{ID_{i} }} ,TS_{{V_{i} }} ,M_{i} ,{\mathcal{L}}_{i} ^{*} } \right\rangle$ within a polynomial time, if it selects another $H_{2}$ where $V_{{ID_{i} }} \ne V_{{ID_{i} }}^{*}$. Hence we obtain:

$$\sigma_{i}^{*} .P = V_{{ID_{i} }}^{*} D_{{n \vartheta_{i,n} }} + M_{i} + H_{{\gamma_{i} }}$$

(37)

From the Eqs. 36 and 37, it is deduced that

$$\begin{gathered} (\sigma_{i}^{*} - \sigma_{i} ) \cdot P = \sigma_{i} \cdot P - \sigma_{i}^{*} \cdot P \hfill \\ = (V_{{ID_{i} }} D_{{n \vartheta_{i,n} }} + M_{i} + H_{{\gamma_{i} }} ) - \left( {V_{{ID_{i} }}^{*} D_{{n \vartheta_{i,n} }} + M_{i} + H_{{\gamma_{i} }} } \right) \hfill \\ = P\left( {V_{{ID_{i} }} - V_{{ID_{i} }}^{*} } \right)\left( {D_{{n \vartheta_{i,n} }} + M_{i} + H_{{\gamma_{i} }} } \right) \hfill \\ \end{gathered}$$

(38)

Now the imposter $\psi$ produces the solution $\left( {V_{{ID_{i} }} - V_{{ID_{i} }}^{*} } \right)^{ - 1} (\sigma_{i}^{*} - \sigma_{i} )$ for the proposed instance of the CMDDHP problem. Else the imposition will be ceased.

The correct solutions for the proposed instance of the CMDDHP problem can be assured based on the co-occurrence of the events as follows:

Event $E_{1}$: The invader $\chi$ produces and outputs a legal signature forgery.
Event $E_{2}$: The invader $\chi$ can forfeit a pseudo-identity $PSID_{{v_{i} }} \ne PSID_{{v_{i} }}^{*}$

Due to Prob $\left[ {E_{1} } \right] = \beth$, Prob $\left[ {E_{2} } \right] = \frac{1}{p}$; we get.

Prob $\left[ {E_{1} E_{2} } \right]$ = Prob $\left[ {E_{1} } \right]$ Prob $\left[ {E_{2} } \right]$ = $\beth x \frac{1}{p} = \frac{\beth }{p}$.

It is obvious that the imposter $\psi$ can solve the instance of the CMDDHP problem with the advantage $adv_{\psi } = = \frac{\beth }{p}$. Thus, the imposter $\psi$ calculates y within a polynomial time with an waste probability with the advantage of $\frac{\beth }{p}$ namely the solution to the CMDDHP problem which implies that the theorem 1 can be satisfied. However it is difficult to solve the CMDDHP within a minimum span of time. Hence, it proved that our proposed authentication scheme is secure against forgery under the adaptive chosen message attacks.

Formal security analysis using coq tool⁶⁵

Coq is a formal security verification system that offers tools for the interactive creation of machine-checked proofs along with a programming language and logic for expressing mathematical prepositions, algorithms, and theorems. Coq has been extensively utilized in several fields, such as security verification for protocols based on polynomials cryptography, quantum communication⁶⁶. Coq offers a high degree of assurance in the security of cryptographic protocols by enabling logical reasoning about their characteristics and behavior. The ability to formally reason about the behavior and characteristics of the protocol is one advantage of utilizing Coq for security verification of cryptographic protocols. This aids in locating possible weaknesses in the protocol and offers a means of demonstrating that it satisfies security standards.

Informal security analysis

In order to evaluate the safety measures used in our suggested authentication technique, informal security analysis has been presented below.

Message integrity and authentication

Since the authentication scheme utilizes group key based authentication strategy; it is necessary for vehicle to be verified as legitimate if it wants to join a group and connect with others. The Hash value created by the sender can be affirmed by using the formula ${\mathcal{L}}_{i} = H_{{t_{i} }} \left( {PSID_{{v_{i,n} }} \left\| {M_{i} } \right\|TS_{{V_{i} }} } \right)$. In order to verify the integrity of the message received, the receiver verifies the legitimacy of the hash value generated by using the group key as ${\mathcal{L}}_{i} = = {\mathcal{L}}_{i}^{*}$. If it holds then the message will be accepted.

Perfect backward secrecy

An intruder can compromise a group’s security by intercepting the freshly produced group key $t_{i}$ and using it to unlock the private key $DSK_{i} ;$ of one of the group vehicles. A large collection of positive integers related to the multiplicative field Z is also required for the random number generator used to produce the private keys. This feature makes it so the enemy can’t break into any other cars’ safes. Since the adversary cannot access the communication that had place before their entry into the group, the proposed solution satisfies the backward secrecy condition.