An Efficient V 2 I Authentication Scheme for VANETs

0e advent of intelligent transportation system has a crucial impact on the traffic safety and efficiency. To cope with security issues such as spoofing attack and forgery attack, many authentication schemes for vehicular ad hoc networks (VANETs) have been developed, which are based on the hypothesis that secret keys are kept perfectly secure. However, key exposure is inevitable on account of the openness of VANETenvironment. To address this problem, key insulation is introduced in our proposed scheme. With a helper device, vehicles could periodically update their own secret keys. In this way, the forward and backward secrecy has been achieved. In addition, the elliptic curve operations have been integrated to improve the performance. 0e random oracle model is adopted to prove the security of the proposed scheme, and the experiment has been conducted to demonstrate the comparison between our scheme and the existing similar schemes.


Introduction
Due to the growing demands for a safer and more efficient intelligent transportation system, the development of vehicular ad hoc networks (VANETs) has captured a large amount of attentions from research institutions and industries in recent years.VANETs are deemed to be a variant of the mobile ad hoc network, which is a type of continuously self-configuring, wirelessly connected, and infrastructure-less network of mobile devices [1].
ere are two indispensable infrastructure elements in VANETs: on-board units (OBUs), which are mounted in each vehicle, and roadside units (RSUs), which are used to communicate and to assist authentication [2].In addition, a third trusted party (TA) should also be deployed in VANETs, which mainly provides services of registration and authentication.
A common model of VANETs is exhibited in Figure 1.Communication modes in VANETs could be sorted into two categories: vehicle-to-vehicle (V2V) communication and vehicle-to-infrastructure (V2I) communication.By employing the dedicated short range communication (DSRC) protocol [3], these dynamic nodes (vehicles) could broadcast and exchange traffic information via RSU and other nearby moving vehicles.Upon receiving those messages including location, speed, and traffic conditions, vehicles would take reasonable actions immediately such as rerouting and braking to avoid possible traffic emergency.
As we all know, the communication channels in VANETs are open, so an attacker could capture, modify, replay, and delete messages transmitted in VANETs easily, leading to a large number of security problems, which will have a strong impact on the whole system.Assume that an original message is actually a warning that there is a serious traffic jam ahead, if it is tampered to a different message which tells vehicles that the road is unblocked, a completely opposite result would be caused.erefore, authentication between vehicle and infrastructure should be employed to guarantee the authenticity of the transmitted messages in this situation.
Moreover, many devices of infrastructure such as RSU are unmanned, and the units installed on the vehicles which are used to run cryptographic algorithms are resource limited; thus, the risk of key exposure is unavoidable and should not be overlooked.In addition, in the majority of cases, it is much easier for an attacker to obtain a secret key from an insecure device than to get it by breaking cryptogrammic hypothesis which system's security relies on.Once key exposure occurs, it means that security of the whole system loses.Taken into account efficiency, difficulties of construction, and security, key insulation is a desirable method to deal with the key exposure issue.
However, the vast majority of security protocols for VANETs are established on bilinear pairing, which would inevitably cause heavy computation costs.In order to enhance the security and performance of VANET-oriented authentication schemes, a novel practical V2I authentication scheme for VANETs is proposed, which attempts to lower computation complexity and the risk of losing secret keys.
To be specific, the main contributions of this paper represent as follows: (1) Firstly, the key-insulated method is applied into V2I authentication for VANETs.In our proposed scheme, the user's private key is divided into two portions: one is managed by a secure device called helper or assistant and the other is held by the user, and both of them are updated periodically.
(2) Secondly, ECC, instead of bilinear pairing, is utilized to construct the proposed scheme.As most of devices in VANETs are resource limited, the computation consumption of the adopted schemes should be minimized as much as possible.Operations based on ECC in our construction can save far less time and computation burden than bilinear pairing operations, which is expected to gain higher efficiency.(3) Finally, the forward and backward secrecy is achieved.e secret key of OBU consists of two fractions in which private information is involved.
e secret key must be generated with the helper's participation, and it updates periodically so that malicious attackers cannot obtain the user's private key in the previous periods or in the subsequent periods.e remainder of this paper proceeds as follows.Section 2 reviews the related work about V2I authentication scheme for VANETs.Section 3 presents the related essential knowledge.Section 4 describes the construction of the proposed scheme in detail.e security analysis and performance evaluation are given in Sections 5 and 6, respectively.Finally, this paper is concluded.

Related Works
In recent years, efforts on authentication have been made to address the problems of verification and efficiency.e 2 Mobile Information Systems privacy-preserving scheme [4] introduced by Wang et al. employs membership validity to replace the certificate revocation list and batch verification to improve efficiency, which achieved nonreputation, anonymity, traceability, and forward and backward secrecy.Wang [5] developed a privacypreserving and accountable authentication protocol for IoT end-devices by adopting short group signature and secret sharing scheme.Shen et al. [6] proposed a multilayer authentication protocol with session key generation for wireless body area networks which is used for one-to-many group authentication scenario.e scheme with group testing towards a secure batch verification was introduced by Lee and Lai [7].Unfortunately, this scheme is vulnerable to the impersonation attack since a malicious user could generate a fake signature on behalf of other vehicle.Based on this defect, another secure authentication scheme was introduced by Bayat et al. [8] to improve it.Wang and Yao [9] proposed the LIAP scheme, in which the vehicle and RSU are assigned with a long-term certification from the certificate authority (CA).If the vehicle is compromised, CA could easily revoke the vehicle's long-term certificate to terminate its behavior in the network.Jiang et al. [10] proposed an efficient anonymous batch authentication scheme to replace the CRL checking process by calculating the hash message authentication code, which divides the whole area into several domains.However, every vehicle has stored enough pseudonyms; if any of them is revoked, the rest pseudonyms are wasted.Azees et al. [11] proposed another anonymous scheme to avoid malicious nodes attending the activities in VANETs, which provides conditional tracking mechanism, low-cost certificate, and signature verification.Many secure schemes have achieved authentication by various means; however, most of them adopt bilinear pairing to realize their security characteristics.Actually, the bilinear pairing is not efficient for limited VANET devices on account of its vast computation costs.In view of this, pairing-free schemes have been put forward over the past years.For instance, Cui et al. [12] proposed a privacypreserving scheme, using cuckoo filter and the binary search methods instead of map-to-point hash function and bilinear pairing operations to achieve high efficiency.Xie et al. [13] proposed an ECC-based authentication scheme to realize reliability and integrity of message.Lo and Tsai [14] proposed an efficient authentication scheme for V2I in vehicular sensor networks without bilinear pairing to improve performance, which achieves message integrity, traceability, and unlinkability.He et al. [15] proposed a new ID-based and elliptic curve-based authentication scheme, which withstands diverse types of attacks and yields better performance.
To address the problem of key exposure, Dodis et al. presented the idea of key insulation and came up with the first key-insulated public key cryptosystem [16] and the first strong key-insulated signature scheme [17].Following the pioneering works, great efforts have been devoted to the key-insulated signature (KIS) schemes [18][19][20].e scheme proposed by Gonzlez-Deleito et al. [18] uses numerous power operations, which adopts multiple private keys and master keys to achieve security.Le et al. [19] utilized multiple certification authorities to shorten verification path and mitigated damage.Hanaoka et al. [20] used two helpers to update the secret key and to enhance the system security.Later, quantities of identity-based or attribution-based key insulation schemes have been proposed [21][22][23][24][25][26][27], which are all based on bilinear pairing with random key updating.Additionally, key insulation has been applied into various other research fields.Zhou et al. [28] proposed a certificateless keyinsulated generalized signcryption scheme without bilinear pairing in the context of cloud, which is proved to be secure under the computational Diffie-Hellman (CDH) assumption and the elliptic curve discrete logarithm (EC-DL) assumption.Hong et al. [29] proposed a key-insulated attributebased signature without pairings for wireless communications, which attempts to minimize the potential threat and to relieve the computational burden.Kun et al. [30] and Shi et al. [31] put key insulation into peer-to-peer (P2P) networks and electronic commerce environment, respectively.Moreover, key insulation was introduced into mobile ad hoc networks (MANETs) by V. Kumar and R. Kumar [32].Park et al. [33] proposed the EA2P scheme and first used key insulation in VANET environment.Although EA2P provides anonymity, identity extraction, and traceability, it only isolates the public key certification, not the private key, which actually fails to achieve a practical sense of key insulation.

Preliminaries
In this part, some necessary knowledge including system model, KIS framework, the random oracle model, and discrete logarithm (DL) problem is introduced.

System Model.
As shown in Figure 2, the whole system model in this paper consists of three kinds of entities as follows: PKG: Private key generator, which is deemed to be fully trusted, is responsible for producing keys including secrete keys as well as public keys.
RSU: Roadside unit, the infrastructure of VANET.It is a kind of computing device located on the roadside, which uses DSRC protocol and provides connectivity support for passing vehicles [34].
Vehicle: Each vehicle is equipped with an on-board unit (OBU) and a tamper-proof device (TPD).OBU is used to help vehicle communicate wirelessly with RSU.TPD acts as a helper which is physically secure but computationally limited, and its stored information can never be disclosed.
ere are mainly four procedures in our proposed schemes as shown in Figure 2. Firstly, PKG preloads the related keys into TPD, produces, and publishes system parameters in initialization phase (Phase 1).Secondly, TPD helps the OBU to generate the vehicle's temporary secret key in Phase 2. en OBU generates the signature and sends it to RSU in Phase 3. Finally, RSU validates the signature in Phase 4.

Mobile Information Systems
Kgen: the key generation algorithm, which falls into the initialized stage, takes a security parameter 1 k and the total number of time periods N as input to return a public key PK, a master key SK * , and an initial key SK 0 .UpdD: the key update algorithm for the device, which takes indices i, j for time periods (throughout, 1 ≤ i, j ≤ N) and the master key SK * as input to return a partial secret SK ′ i,j ε.UpdU: the key update algorithm for the user, which takes indices i, j, a secret key SK i , and a partial secret key SK ′ i,j as input to return the secret key SK * for the time period j.Sign: the signing algorithm, which takes an index i of a time period, a message M, and a secret key SK i as input.en Sign SK i (i, M) returns a signature < i, s > constituting the time period i and a signature S. Verf: the verification algorithm, which takes the public key PK, a message M, and a pair < i, s > as input.en Verf PK (M, < i, s > ) returns a bit b, where b � 1 means that the signature is accepted.
If Verf PK (M, < i, s > ) � 1, we say that < i, s > is a valid signature of M for the time period i.

Security Model.
e random oracle model was first proposed by Bellare and Rogaway [35] to prove the security of cryptographic protocols, and it is quoted in our proof.Oracle is an external device (it is usually being treated as a theoretical black box) that could provide true outputs for any inputs.In the case of inputting x, running a random oracle could be thought to pick a hash function h(•) at random and outputs h(x).Besides, the relationship between the oracle's output and input satisfies properties of function; namely, the same input corresponds to the same output.As a matter of fact, each output is selected from its output domain, and acquired inputs/outputs are completely independent of current inputs/outputs on account of randomness.
Definition 2 (unforgeability).To prove the unforgeability, a game played between a challenger C and an adversary A is defined.Our scheme is unforgeable against the malicious OBU if the following condition is satisfied: for any probabilistic polynomial time (PPT) adversary A, the probability that A wins the following game is negligible.e adversary can adaptively issue a series of undermentioned queries in the game.
Configuration-oracle: this can be considered as an initialization stage.
e challenger C generates the system secret key and public parameters.C conveys these public parameters to the adversary A. H 1 -oracle: upon receiving the query issued by the adversary A with the message m, the challenger C picks a stochastic number e ∈ Z q , puts the tuple (m, e) into the list L h 1 , and returns e to the adversary A. H 2 -oracle: upon receiving the query issued by the adversary A with the message m, the challenger C picks a stochastic number e ∈ Z q , puts the tuple (m, e) into the list L h 2 , and returns e to the adversary A. TSK-oracle: upon receiving the query issued by the adversary A on the secret key SK i , the challenger C computes it, puts the tuple (m, SK i ) into the list L key , and returns SK i to A. H 3 -oracle: upon receiving the query issued by the adversary A with the message m, the challenger C picks a stochastic number e ∈ Z q , puts the tuple (m, e) into the list L h 3 , and returns e to the adversary A. H 4 -oracle: upon receiving the query issued by the adversary A with the message m, the challenger C picks a stochastic number e ∈ Z q , puts the tuple (m, e) into the list L h 4 , and returns e to the adversary A. Signing-oracle: the challenger C generates the message required by the adversary A and sends it to A. Verification: the adversary A inputs the signature U i , σ i , λ i , M i , T i   given by the challenger C, and the verification algorithm returns a bit b, where b � 1 means that the signature is valid.
After a polynomial number of queries, if the adversary A can violate the unforgeability of the proposed scheme by generating a tuple on the condition that the verification phase outputs 1, then we say the adversary A wins the game.

The Proposed V2I Authentication Scheme
e proposed scheme consists of four phases: system initialization, key generation, signing stage, and verification stage.In the first place, notations used are defined in Table 1.

System Initialization.
In this phase, every appliance in VANETs performs initialization.
(1) PKG generates fundamental system parameters including a group over the chosen elliptic curve E p (a, b), a random number SK msk ∈ Z * q as the system master key, and the system public key computed as follows: (2) PKG selects a random number SK TPD ∈ Z * q as the private key of the helper (TPD) and calculates its corresponding public key PK TPD � SK TPD • P. ( All these four parameters should be preloaded into TPD. (3) RSU selects a random number SK rsu ∈ Z * q as its private key and computes the corresponding public key PK rsu � SK rsu • P. ( (4) PKG publishes the public parameter set: param � a, b, p, q, P, PK pub , PK TPD , PK rsu , H 1 , H 2 , H 3 , H 4  . ( In this paper, we assume that the OBU's public key and its TPD public key have been preloaded.

Initial Key Generation.
Set the parameter α i corresponding to the time period i as α i � H 2 (H 1 (ID obu )SK TPD • PK rsu T i ).Note that it is default for TPD to keep its OBU's identity.TPD computes α 0 � H 2 (H 1 (ID obu )||SK TPD • PK rsu || T 0 ) and the initial private key of the OBU as which is preloaded into the OBU.

Partial Key Generation. TPD calculates
as the partial key corresponding to the time period i, and sends it to the OBU to assist in generating the temporary secret key.

Temporary Secret Key
Generation.OBU calculates its own temporary secret key in the time period i as soon as it receives K i part from the TPD.e temporary public key in the time period i of OBU is set as and it is published by the OBU, while the partial key K i part and the initial key SK i−1 obu are removed after key updating.

Signing
Stage.An OBU can generate the signature on message M i in the time period i as follows.
Step 1. Selects the random number u i ∈ Z * q to compute.
Step 2. Uses the identity ID obu , the temporary secret key in the time period i SK i obu , the public key of RSU PK rsu , the corresponding time stamp T i , and hash functions to compute Step 3. Selects another random number λ i ∈ Z * q and uses the identity and η i to compute Step 4. Concatenates the hash value of identity H 1 (ID obu ), λ i , U i , the message about traffic status M i and current time stamp T i to compute Step 5. Uses the two random numbers u i and λ i , β i , and the temporary secret key SK i obu to compute Step 6. Sends the message U i , σ i , ω i , θ i , M i , T i   to the regional RSU.

Verification Stage.
Upon receiving the signature, RSU proceeds the following steps to verify it.
Step 1. Examines the freshness of T i .If it is fresh, goes to step 2; otherwise, the signature is rejected.
Step 2. Uses own secret key SK rsu , the private key in the time period i of the vehicle PK i obu and ω i to count the hash value of identity of the vehicle:

Mobile Information Systems
Step 3. Uses the hash value of ID obu , its own secret key SK rsu , the private key of the vehicle, the private key of TPD, and current time stamp T i to evaluate Step 4. Uses the hash value of ID obu , θ i , and η i to evaluate Step 5. Concatenates the hash value of ID obu , λ i , U i , the message about traffic status M i , and current time stamp T i to evaluate Step 6. Checks whether the equation holds.If it holds, the signature is valid.

Security Analysis
In this part, the correctness and the security analysis under the random oracle model of our proposed scheme are illustrated.

Correctness Proof eorem 1.
A signature from the OBU could pass the verification of the RSU.Proof.Actually, given a signature U i , σ i , ω i , θ i , M i , T i   from an OBU, the RSU could compute erefore, the signature is verified to be valid.Proof.Assume that there is a PPT adversary A who could forge a signature to pass the verification successfully.e challenger C is constructed to tackle the DL problem with a nonnegligible probability by interacting with A. Given a DL instance (P, PK TPD � x • P � X), the game between A and C is played as follows.

Query Phase.
Configuration-oracle: e challenger C allocates PK pub � s • P and PK TPD � x • P, generates the public parameter param � a, b, p, q, P, PK pub , PK TPD , PK rsu  , and conveys these parameters to the adversary A.
1 is set up and retained by the challenger C, which is initialized to empty.Upon receiving the query about (ID obu , T i ) from the adversary A, C first examines whether the tuple 2 is set up and retained by the challenger C, which is initialized to empty.Upon receiving the query about (ID obu , T i , D 2 ) from the adversary A, C first extracts the tuple (ID obu , T i , R 1 ) from the list H list 1 .en, C examines whether the tuple

Temporarysecretkey − oracle:
e adversary A asks for the temporary private key SK i obu in the current time period i.
e challenger C first extracts the tuples (ID obu , T i , R 1 ) and (ID obu , T i , D 2 , R 2 ) from lists H list 1 and H list 2 , respectively.en, C computes Finally, C adds the tuple (ID obu , T i , SK i obu ) into the list Key list and returns SK i obu to A. H 3 − oracle: A list H list 3 is set up and retained by the challenger C, which is initialized to empty.Upon receiving the query about (ID obu , T i ) from the adversary A, C first examines whether the tuple q , puts the tuple (ID obu , T i , R 3 ) into H list 3 , and returns R 3 to A. H 4 − oracle: A list H list 4 is set up and retained by the challenger C, which is initialized to empty.Upon receiving the query about (ID obu , T i , U i , λ i , M i ) from the adversary A, C first extracts the tuple (ID obu , T i , R 1 ) from the list H list 1 .en, C examines whether the tuple Signing − oracle: Upon receiving the query about the signature on message M i from the adversary A, the challenger C picks random numbers u i , ) and adds the tuples (ID obu , T i , r 1 ), (ID obu , T i , d 2 , r 2 ), and (ID obu , T i , U i , λ i , M i , r 4 ) into the lists H list 1 , H list 2 , and does not hold, the verification algorithm outputs 0 and the process is aborted.Otherwise, the verification algorithm outputs 1 and the signature is accepted.

Forgery Phase. If an adversary
A could successfully output a signature which can pass the verification with nonneglectable probability according to the forking lemma [36], then A could output a second signature in an attack by using a different random oracle with nonneglectable probability.Consequently, A could output another signature by repeating the process with a different choice of R 2 , which leads to a distinguishing σ i , while the value of λ i remains unchanged.Such that, the following equation is obtained: At last, the challenger ) as the answer of the DL problem instance (P, PK TPD � x • P � X). is contradicts with the difficulty of the DL problem.Hence, our proposed V2I authentication scheme is secure against forgery under the random oracle model on the condition of adaptive chosen message attack.

Performance Evaluation
To examine the performance of our proposed scheme in reality, an experiment has been conducted on a Windows 10installed laptop with Intel(R) Core(TM) i7, and the cryptographic operations have been implemented by using the TEPLA library [37], which requires GMP library and OpenSSL [38].
TEPLA Elliptic Curve and Pairing Library is a free C library which provides functions such as finite field arithmetic with 254-bit prime number, elliptic curve arithmetic over Barreto-Neahrig curve, and pairing arithmetic using optimal ate pairing over BN curve.To set up the system Mobile Information Systems environment as the library required, MinGW64 and MSYS are needed to simulate Linux environment to compile cryptography libraries.To install TEPLA, GNU MP library and OpenSSL are required.GNU MP is a free library for big number related operations, and OpenSSL is used to realize cryptographic operations.After finishing compiling, environment variables for Visual Studio are configured and header files of these cryptography libraries are included to conduct the experiment for our scheme.

8
Mobile Information Systems Except the operations listed in Table 2, other operations have not been considered since their running time is ignorable.In terms of the verification phase, according to Table 3, in the scheme of Wang and Yao [9], RSU needs to run two hash operations, three bilinear pairing operations, and one multiplication operation.In the scheme of Weng [22] and Zhou [23], RSU needs to run three hash operations, four bilinear pairing operations, and two multiplication operations.In the scheme of Wan [24], RSU needs to run five bilinear pairing operations, and three multiplication operations.In the scheme of Zhao [25], RSU needs to run one hash operations, three bilinear pairing operations, one multiplication operation, one point addition operation, and one multiplication operation related to ECC.In the scheme of Weng [26], RSU needs to run six bilinear pairing operations and four multiplication operations.In the scheme of Chen [27], RSU needs to run one exponentiation operation, four bilinear pairing operations, and two multiplication operations.As we all know, the bilinear pairing operation is the most time-consuming, while hash function is the least time-consuming.Furthermore, time consumption for the operations listed could be ranked as follows: T bili−pairing > T poi−mul > T exp > T bilipair−mul ≈ T poi−add > T h .It could be seen from Table 4 that our scheme possesses comparatively high efficiency in verification since our scheme is constructed by using comparatively lightweighted operations.To show the advantage clearly, the improved ratio of our scheme against other seven schemes is defined as (T where T [num] refers to time costs of the scheme with the reference number "num" and T [ours] refers to time costs of our scheme.In terms of the verification stage, the improved ratios of our scheme against the schemes [9,[22][23][24][25][26][27] are (4.724− 3.683)/4.724� 22.04%, (6.305 − 3.683)/6.305� 41.59%, (6.305 − 3.683)/ 6.305 � 41.59%, (7.882 − 3.683)/7.882� 53.27%, (5.255 − 3.683)/5.255� 29.91%, (9.462 − 3.683)/9.462� 61.08%, and (6.333 − 3.683)/6.333� 41.84%, respectively.When it comes to the total costs of signing and verifying stages, the improved ratios of our scheme against other seven schemes [9, 22-27] are 30.68%,30.69%, 25.68%, 41.34%, 24.9%, 50.94%, and 27.74% individually.From Figures 3 and 4, the computation costs of singing phase of our proposed scheme are lightly higher than some schemes, because indispensable operations in this phase are needed to achieve key insulation and to provide better security.Even that our promotion comes at a little price of efficiency of signing, the gain of keyinsulated secrecy deserves it, and on the whole, the proposed scheme achieves a better trade-off between security and efficiency than the compared schemes.

Conclusion
Vehicular ad hoc networks (VANETs) are one of the most promising technologies nowadays.For the sake of providing efficient and secure authentication for VANETs, a keyinsulated V2I authentication scheme has been constructed in this paper.e core idea of the proposed scheme is dividing private key of the vehicle into two parts which are, respectively, held by a temper-proofing device (TPD) and the vehicle itself, and these two parts of the private key are used to generate a signature.e proposed scheme supports dynamically updating private key in different time periods.For the vehicle, it obtains its updated secret key by the help of TPD before signing.For the RSU, it first checks whether the time stamp is valid before verification, and then it validates the signature from the vehicle.e security analysis manifests that the proposed scheme is secure under the adaptive chosen message attack.e comparison is also conducted among our scheme and other similar schemes.
e performance evaluation shows that our bilinear pairing-free scheme harvests a better trade-off between security and efficiency, and it is feasible for VANET environment.
In our proposed scheme, the helper is assumed as a fullytrusted device, and the private key of the vehicle is generated by its helper.However, the helper is actually semitrusted in some situations, which means that the assistant device can generate signature without the user's approval.In this situation, 2-out-of-2 threshold manner should be a considerable method to prevent the misuse of the user's secret key by the helper.e core idea of 2-out-of-2 threshold manner is that the user and the helper device could share the threshold value n using standard threshold techniques, where the user keeps n 1 and the helper keeps n 2 such that n 1 + n 2 � n.In addition, because the RSU would receive and verify numerous signatures from the vehicles within its region, this would inevitably cause burden of computational consumption if the RSU proceeds verification on by one.Taken into account the requirements for efficiency and security in the context discussed above, design of an efficient threshold key-insulated authentication scheme is our future work, which aims to achieve feasible secure V2I communication for VANETs.

3. 3 .
Discrete Logarithm (DL) Problem.Provided with two stochastic points P, Q over an elliptic curve E, the DL problem is to compute a number x to meet the equation Q � x • P.

Figure 2 :
Figure 2: Model of VANET in this paper.

Figure 4 :
Figure 4: Computational costs of verification phase in different schemes.

Table 1 :
Definition of notations.An elliptic curve defined by the equation y 2 � x 3 + ax + bmodp(a, b ∈ F p ) G An additive group with the order q, where G is constitutive of all points on E and the point at infinity O P A generator of the group G H 1 , H 2 , H 3 , H 4 Four security functions, where H 1

Table 2 :
Definition of symbols.

Table 3 :
Computational costs comparison of the signature and verification phases in theory (ms).

Table 4 :
Computational costs comparison of the signature and verification phases in simulation (ms).