Privacy-Preserving Data Aggregation Protocol for Fog Computing-Assisted Vehicle-to-Infrastructure Scenario

1MOE Key Laboratory for Transportation Complex Systems Theory and Technology, School of Traffic and Transportation, Beijing Jiaotong University, Beijing 100044, China 2Basic Course Teaching Department, Jiangxi University of Science and Technology, Ganzhou, China 3School of Information and Software Engineering, University of Electronic Science and Technology of China, Chengdu 610054, China 4State Key Laboratory of Cryptology, P.O. Box 5159, Beijing 100878, China


Introduction
Most road anomalies, such as potholes, bumps and slipperiness, are potentially hazardous to commuters and vehicles [1]. Naturally, the condition of the road surface is considered an important criterion for assessing the quality of transportation infrastructure [2]. The continuous development of sensing techniques provides a promising approach to building an autonomous system for monitoring road surface condition [3]. Specifically, mobile sensors embedded in vehicles are used to sense real-time data about the road surface condition [4]. With V2I communication [5], the data collected by the vehicles can be uploaded to the backend server via the RSUs installed at road intersections. By collecting and analyzing these real-time road surface data, traffic congestion and car crashes can be reduced significantly. Because of the resource constraints of mobile vehicles, vehicular cloud networking [6, 7] has been introduced to ease the cost borne by the vehicles, where the sensed data are stored in remote cloud centers. However, delivering these data to the cloud servers located in the core network is commonly considered cumbersome due to unreliable latency and network congestion [8]. To address these issues, fog computing [9-11] has been introduced as an alternative to cloud computing. Different from cloud computing, in fog computing the elastic and virtual cloud resources are extended to one or more collaborative edge devices. In this sense, the collected data can be preprocessed and aggregated by the edge devices, which are instantiated by the resource-abundant RSUs, before being uploaded to the data analytic center [12]. Therefore, real-time road surface data can be efficiently processed with the support of fog computing-assisted V2I communication.
However, the fog computing-based V2I communication scenario cannot be accepted and deployed widely if the security of the transmitted data is not considered appropriately. It is desirable to achieve data confidentiality, such that the transmitted data can only be accessed by the intended RSU [13]. Otherwise, the collected data may be abused by a malicious adversary at no cost. Besides, it is also necessary to achieve message unforgeability, such that it is computationally infeasible for the adversary to impersonate any vehicle [14]. Otherwise, the result of the analysis of the collected data may be polluted by forged data. To fulfill the security goals mentioned above, it is natural to introduce public key encryption and signatures to generate the ciphertext of the transmitted data. According to [15], signcryption is a promising primitive that achieves the security goals of encryption and signature simultaneously. It is realized by combining public key encryption and digital signatures in one logical step. Moreover, this technique entails minimized computation and communication overhead compared with the sign-then-encrypt paradigm [16]. Since its introduction, the signcryption primitive has been studied in several cryptosystems, namely the traditional public key infrastructure-(PKI-)based cryptosystem [15], the identity-based cryptosystem [17], and the certificateless cryptosystem [16]. In the traditional PKI-based cryptosystem, certificate management is a burdensome task. To alleviate the overhead of this task, the identity-based public key cryptosystem [18] has been introduced, where a trusted third party termed the private key generator is adopted to issue private keys for the users. This paradigm results in the key escrow problem, since the private key generator knows the private keys of all users in the system [18]. The certificateless cryptosystem [19] inherits from the identity-based cryptosystem, whereas it eliminates the demand for a private key generator with key escrow capability. In this cryptosystem, a trusted third party named the key generation center (KGC) is adopted to generate the private keys for users. Only a partial private key is issued by the KGC for each user. The full private key of a user is composed of the partial private key received from the KGC and a secret value selected by the user. Because the full private key of a user is not held by the KGC, the certificateless public key cryptosystem solves the key escrow problem of the identity-based cryptosystem. Thus, certificateless signcryption seems to be a promising primitive to ensure the security of V2I communication.
Based on the idea of certificateless signcryption, Basudan et al. [20] recently proposed an anonymous aggregation protocol to secure V2I communication. Unfortunately, in this paper the protocol of [20] is demonstrated to be subject to a forgery attack, by which an adversary is able to forge a valid signcryption on any data. Besides, this protocol is constructed using expensive bilinear pairings, which makes it inefficient. Therefore, it is fair to regard the construction of an anonymous aggregation protocol for the fog computing-based V2I communication scenario as an open issue.
Motivated by these practical needs, a privacy-preserving protocol for the V2I communication scenario with fog computing is proposed in this paper. The major contributions of this paper are summarized as follows:
(i) Firstly, Basudan et al.'s [20] protocol is demonstrated to be subject to a forgery attack, by which an adversary is able to forge a valid signcryption on any data. In this sense, the aggregation protocol in [20] does not provide the unforgeability they claimed.
(ii) Next, a light-weight and anonymous aggregation protocol for the V2I communication scenario with fog computing is proposed by elaborately combining a CL-A-SC scheme and the fog computing architecture. Specifically, the suggested protocol is realized without resorting to costly bilinear pairings. Besides, the proposed protocol is proved secure under the standard computational Diffie-Hellman assumption and the elliptic curve discrete logarithm problem in the random oracle model. Furthermore, the proposed aggregation protocol is proved to be able to achieve
The organization of this paper is summarized as follows: the next section describes the system model, mathematical background, design objectives, the notion, and the security model of the CL-A-SC scheme. In Section 3, Basudan et al.'s protocol is briefly reviewed. After that, the forgery attack against this protocol is presented. The proposed protocol is introduced in Section 4. Furthermore, the security of the proposed protocol is discussed in Section 5, where a comparison of the practical performance of the proposed protocol and Basudan et al.'s protocol is also provided. Finally, Section 6 concludes this paper.

Preliminaries
The background information is introduced in this section.

System Model.
The considered system is comprised of three types of entities: control center, mobile sensors, and RSUs. For ease of understanding, the system model is depicted in Figure 1. The entities are defined as follows:
(i) Control center (CC): CC is considered a trustee which is able to initialize the whole system and generate the partial private keys for mobile sensors and RSUs.
(ii) Mobile sensors: these devices are embedded into the vehicles to generate reports about road events, that is, potholes, slipperiness, and bumps.
(iii) RSU: each RSU is able to receive and process the messages sent by the mobile sensors.
(1) Bilinearity: for all ,  ∈ G and ,  ∈   *  , ê(, ) = ê(, )  .

Cryptographic Assumptions.
Given the mathematical background described above, the cryptographic assumptions are defined as follows.
This assumption is denoted as CDH. Given a tuple ⟨, , ⟩ ∈ G (,  ∈   *  ), the CDH assumption in G is to calculate .

Security Model.
There are two types of adversaries considered in the certificateless cryptosystem [19]. A Type I adversary A 1 is able to replace the public key of a legitimate user with a bogus one but cannot access the master private key. A Type II adversary A 2 is able to access the master private key but cannot execute the public key replacement.
According to the protocol of [22], the security notions of data confidentiality and mutual authentication for the CL-A-SC scheme are captured by the indistinguishability and the existential unforgeability of the signcryption, respectively. By using the same security model provided in [22], the ability of the adversaries is modeled by the following four interactive games.
Game 3. This game is played by a challenger C and a Type I adversary A 1 .
(i) Initializing: C executes the CL-A-SC.Setup algorithm to obtain the public parameters  and the master private key . After that, C sends params to A 1 .
(ii) Training: A 1 is able to query the following oracles (these oracles model the capability of A 1 in reality) in an adaptive manner:
(iv) Guessing: a bit   is output by A 1 .
A 1 's advantage to win this game is defined as
(iii) Guess: this phase is the same as the third phase in Game 3, where a bit   is output by A 2 .
A 2 is considered to win this game iff (1)   = , where  and   are defined as above; (2) the oracle Secret-Value-Extraction(ID  ) has never been queried; (3) the oracle Designcryption( * , (ID   ) =1,..., , ID  ) has never been queried, where there exists  ∈ {1, . . ., } such that ID *  = ID   . A 2 's advantage to win this game is defined as
Definition 5. A CL-A-SC scheme is considered secure against adaptively chosen ciphertext attacks if no adversary of Type I or Type II has a non-negligible advantage to win Game 3 or Game 4, respectively.
Game 6. This game is played by a challenger C and a Type I adversary A 1 .
(i) Initializing: this phase is the same as the first phase in Game 3.
(1) Data confidentiality and integrity: it is desirable to prevent the transmitted data from revealing sensitive information about the source mobile sensor. Besides, it is required to ensure the data have not been tampered with [23].
(2) Mutual authentication: it is desirable that the RSU and the mobile sensor are allowed to authenticate each other [24].
(3) Anonymity: it is desirable to hide the real identity of the mobile sensor during the transmission [25,26].
(4) Key escrow resilience: it is desirable that the adversary is unable to obtain the full private key of any mobile sensor even if CC has been compromised [27].

Cryptanalysis of Basudan et al.'s CL-A-SC Scheme
In this section, Basudan et al.'s CL-A-SC scheme is briefly reviewed. After that, their scheme is demonstrated to be insecure against the public-key-replacement attack.

Notations.
To ensure consistency, the notations are defined in the list of Symbols. Concretely, each sensor   is able to generate a real-time message   = { , ,   , Sig  } when sensing the road condition RC  . After that,   generates a signcryption on   to construct the road condition report RCR , , and then sends RCR , to the nearest RSU.

Review of Basudan et al.'s CL-A-SC Scheme.
The CL-A-SC scheme in the protocol of [20] consists of the following algorithms:
(i) Setup: let G be an additive cyclic group of prime order , G  be a multiplicative cyclic group of the same order, ê : G × G → G  be an admissible bilinear map, and  ∈ G denote a generator of G. Let  1 ,  2 ,  3 , and  4 be four cryptographic hash functions such that
(iii) Signcryption: the RSU with identity ID  is assumed to be the message receiver. For  ranging from 1 to ,   randomly chooses   ∈   *  and calculates
), and    =  ,2 ⊕ ℎ  ,1 for  ranging from 1 to .

Forgery Attack against Basudan et al.'s CL-A-SC Scheme.
Basudan et al. [20] claimed that their CL-A-SC scheme is proved to achieve indistinguishability and unforgeability against the Type I and Type II adversaries. However, the Type I adversary A 1 is able to forge a signcryption on any message  * by launching a public-key-replacement attack, which is described as follows:
Thus, the verification holds. The message  * is recovered by the RSU according to the specification of the Designcryption algorithm.

Our Proposed Protocol
In this section, a concrete CL-A-SC scheme is proposed, which is the building block of our data aggregation protocol.

The Proposed CL-A-SC Scheme. This scheme consists of the following algorithms:
(i) CL-A-SC.Setup: let  and  be two large primes such that  divides  − 1, E be an elliptic curve over a finite field F  , and G be an additive cyclic group formed by E with the point addition law. Let  be a generator of G and be three cryptographic hash functions. Randomly choose  ∈   *  as the master private key and calculate  = . The system parameter is  = (, , , ,  1 ,  2 ,  3 ).

The Data Aggregation Protocol.
In this part, our data aggregation protocol is proposed, which involves the CC, RSU, and mobile sensors.The suggested protocol is comprised of four phases: system initialization, data generation and transmission, aggregate verification, and data retrieval.

System Initialization.
In this phase, CC performs the CL-A-SC.Setup algorithm to initialize the system. The system parameter is  = (, , , ,  1 ,  2 ,  3 ). After that, the mobile sensors and the RSUs are allowed to register with CC by performing the following steps:
(1) For  ranging from
It is worth noting that the format of the road condition report is defined by CC in this phase. Concretely, each mobile sensor   is able to generate   = { , ,   , Sig  } when sensing the road condition RC  , where  , is the time when   sensed RC  ,   is the location where RC  occurred, and Sig  is the action signal about RC  . After that,   generates a signcryption on   to construct the road condition report RCR , .
To protect the private information of mobile sensors, the real identity of each   cannot be retrieved from RCR , . In this way, the anonymity of mobile sensors is preserved.

Aggregate Verification.
Upon receiving the reports (RCR , ) =1,..., from the sensors (  ) =1,..., on a road condition RC  , the RSU is allowed to aggregate the ciphertexts and then verify the authenticity of the aggregate data. The identity of this RSU is assumed to be ID  . The aggregation and verification procedures are carried out by performing the following steps:
(1) The RSU calculates  ,3 = ∑  =1  ,3 .
(2) For  ranging from 1 to , the RSU calculates ℎ   =  1 (ID  ,  ,1 ,  ,2 , ). After that, this RSU checks if
If the equation holds, this RSU accepts the received reports and executes the next phase. Otherwise, this RSU rejects these reports.

Data Retrieval.
If the verification in the previous phase holds, the RSU retrieves (  ) =1,..., as follows:
(1) For  ranging from 1 to , the RSU calculates
) ⊕   for  ranging from 1 to .

Analysis and Comparison
The correctness and security properties of the proposed protocol are analyzed in this section. After that, a comparison of the proposed protocol and the related works in terms of efficiency and security properties is presented.

Correctness Analysis.
The correctness of the decryption procedure is presented as follows:
The correctness of the verification procedure is presented as follows: (3)

Security Proof.
In this part, the security proof of the proposed protocol is given under the random oracle model [28].
Proof. The proof of this lemma is omitted since it follows the proof of Lemma 13.
Theorem 15. The proposed protocol achieves EUF-CMA security under the ECDLP assumption.
Proof. Theorem 15 is derived directly from Lemmas 13 and 14.

Security Strength
(1) Data confidentiality and integrity: each   is calculated as   =  3 (V ,1 , V ,2 ) ⊕   , where V ,1 , V ,2 can only be recovered by the RSU. The confidentiality of the data is proved in Theorem 12. Moreover, the RSU is able to decrypt and verify the received data. Thus, the integrity of the data is ensured.
(2) Mutual authentication: each mobile sensor   authenticates itself by sending RCR , to the RSU. Only the RSU which keeps the private key ( ,1 ,  ,2 ) can recover   . Besides, the RSU authenticates each sensor by verifying the received data. The unforgeability of the data is proved in Theorem 15.
(3) Anonymity: according to the specification of the proposed protocol, the real identity of each mobile sensor   cannot be retrieved from the ciphertext. Thus, the proposed protocol achieves anonymity.
(4) Key escrow resilience: the proposed protocol is designed under the certificateless cryptosystem. Specifically, CC is only allowed to issue the partial private key  ,2 for each mobile sensor   . The adversary  1, which includes data confidentiality and integrity (DCI), mutual authentication (MA), anonymity (AN), key escrow resilience (KER), and timing attack resilience (TAR). The timing attack is considered a kind of side-channel attack [29]. In the execution of cryptographic protocols, variations in execution time can leak information if sensitive data is involved. By measuring the time the sensors take to perform the cryptographic operations, the adversary may be able to obtain some secret parameters of the sensors. It is therefore required to reduce the computation overhead of the sensors. According to this comparison, it can be concluded that the proposed protocol achieves all of the security goals, while Basudan et al.'s [20] protocol fails to achieve mutual authentication. The comparison of the communication overhead is presented in Figure 2. To give an intuitive comparison of efficiency, the practical performance of the protocols is presented in Figures 3-5, respectively. To ensure consistency, the 80-bit security level (RSA-1024 bit, ECC-160 bit equivalent) is adopted for both protocols. The implementation is based on a common hardware platform with an Intel Core i5-4460 CPU at 3.2 GHz using the PBC library [30]. According to this comparison, it can be concluded that the proposed protocol outperforms the related works in terms of communication and computation overhead.

Conclusion
Security and privacy concerns are essential and challenging issues in road surface condition monitoring systems. In this paper, the security flaw of the certificateless data aggregation protocol in [20] for such monitoring systems is pointed out. After that, a light-weight and anonymous data aggregation protocol is introduced, constructed by combining a CL-A-SC scheme and the fog computing architecture. The proposed protocol is proved secure under the random oracle model and achieves desirable security properties including data confidentiality, mutual authentication, anonymity, and key escrow resilience. Besides, an experimental simulation of the proposed protocol and the protocol in [20] is presented. According to the comparison results, the proposed protocol is efficient and more practical for the road surface condition monitoring system.
A 1 adaptively queries the same oracles as in the Training phase. Note that A 1 is not allowed to query the Designcryption oracle on  * with the receiver whose identity is ID  .

(a) Secret-Value-Extraction(ID  ): on receiving the query on ID  , this oracle returns the corresponding secret value  ,1 to A 1 .
(b) Partial-Private-Key-Extraction(ID  ): on receiving the query on ID  , this oracle returns the corresponding partial private key  ,2 to A 1 .
(c) Public-Key-Extraction(ID  ): on receiving the query on ID  , this oracle returns the corresponding public key ( ,1 ,  ,2 ) to A 1 .
(d) Public-Key-Replacement(ID  ,

Game 4. This game is played by a challenger C and a Type II adversary A 2 .
(i) Initializing: this phase is the same as the first phase in Game 3, while C sends (, ) to A 2 .
(ii) Training: in this phase, A 2 queries the same oracles (except the Public-Key-Replacement oracle) and receives the same responses as in the second phase in Game 3.

Figure 5: Computation overhead of Xiong and Qin's protocol.
2.2.1. Elliptic Curve Group. Let an elliptic curve E over a prime finite field F  denote a set of points (, ), which are defined by the equation E(, ) :  2 =  3 ++ with the discriminant 4 3 +27 2 ≠ 0 mod  (,  ∈ F  ). This set of points and the point at infinity (denoted by O) form a group G = {(, ) | (, ) ∈ F  ∩ E(, ) = 0} ∪ {O}. Particularly, G is an additive cyclic group formed by E and the point addition law, which is denoted by + and defined as follows. Let , , and  be three elements in G, where  is the intersection of the line  and E. Specifically,  connects  and  (the tangent line to E if  = ). Let   be another line, which connects  and O. The sum  +  is denoted by the intersection of   and E. Moreover, the scalar multiplication on E is calculated as
( ,1 ,  ,2 ) and ( ,1 ,  ,2 ) are set to be the full public key and full private key of   , respectively.
(iii) CL-A-SC.Signcryption: this algorithm is carried out by each   . On inputting , a message   , the full private key ( ,1 ,  ,2 ) of   , and the public key ( ,1 ,  ,2 ) of the user with identity ID  , this algorithm outputs the signcryption   on   .
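The chord-and-tangent group law and scalar multiplication described above, as an added Python example that is not part of the paper: the toy curve y^2 = x^3 + 7 over F_17 and the base point (1, 5) are constructed for illustration, since the paper's own p, q and generator are not given on the page. Scalar multiplication uses a Montgomery ladder, whose sequence of group operations does not depend on the scalar bits, which is the property behind the timing attack resilience (TAR) goal discussed in the comparison section.

```python
# Added example (not the paper's code): chord-and-tangent group law and
# scalar multiplication on a constructed toy curve E: y^2 = x^3 + A*x + B
# over F_P. Points are affine (x, y) tuples; O (point at infinity) is None.
P = 17          # constructed toy prime, not the paper's parameter
A, B = 0, 7
O = None

def is_nonsingular(a: int, b: int, p: int) -> bool:
    """Discriminant condition from the paper: 4a^3 + 27b^2 != 0 mod p."""
    return (4 * a ** 3 + 27 * b ** 2) % p != 0

def on_curve(pt) -> bool:
    """True if pt is O or satisfies E(x, y) = 0 over F_P."""
    if pt is O:
        return True
    x, y = pt
    return (y * y - (x ** 3 + A * x + B)) % P == 0

def neg(pt):
    """-R: the other point on the vertical line through R and O."""
    return O if pt is O else (pt[0], (-pt[1]) % P)

def add(r, s):
    """R + S as defined in the paper: draw line L through R and S (the
    tangent if R = S), take its third intersection T with E, and reflect
    T through the line L' joining T and O."""
    if r is O:
        return s
    if s is O:
        return r
    x1, y1 = r
    x2, y2 = s
    if x1 == x2 and (y1 + y2) % P == 0:
        return O  # L is vertical: R + (-R) = O
    if r == s:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P  # tangent slope
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P         # chord slope
    x3 = (lam * lam - x1 - x2) % P
    y3 = (lam * (x1 - x3) - y1) % P
    return (x3, y3)

def scalar_mul(k: int, pt):
    """k*pt by a Montgomery ladder: each scalar bit costs exactly one add
    and one double, so the group-operation sequence (and its timing on the
    sensor) does not depend on the bits of k. A production implementation
    would also swap r0/r1 without a data-dependent branch."""
    r0, r1 = O, pt
    for bit in bin(k)[2:]:
        if bit == "1":
            r0, r1 = add(r0, r1), add(r1, r1)
        else:
            r0, r1 = add(r0, r0), add(r0, r1)
    return r0

def point_order(pt) -> int:
    """Smallest n >= 1 with n*pt = O (brute force, fine for a toy curve)."""
    n, acc = 1, pt
    while acc is not O:
        acc, n = add(acc, pt), n + 1
    return n

if __name__ == "__main__":
    G = (1, 5)  # constructed base point on the toy curve
    assert is_nonsingular(A, B, P) and on_curve(G)
    print("2G =", scalar_mul(2, G), "3G =", scalar_mul(3, G),
          "ord(G) =", point_order(G))
```

On this toy curve the base point has order 9, so a real deployment would pick a base point of large prime order q as the paper's Setup requires.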
The proposed protocol is indistinguishable against the chosen ciphertext attacks (Ind-CCA-II) of the Type II adversary A 2 in the random oracle model under the CDH assumption.
Proof. The proof of this lemma is omitted since it follows the proof of Lemma 10.
The proposed protocol is existentially unforgeable against adaptive chosen-message attacks (EUF-CMA-II) of the Type I adversary A 1 in the random oracle model under the ECDLP assumption.
Lemma 10. The proposed protocol is indistinguishable against the chosen ciphertext attacks (Ind-CCA-II) of the Type I adversary A 1 in the random oracle model under the CDH assumption.
Proof. See Appendix A.
Lemma 11. Proof. See Appendix B.
Lemma 14. The proposed protocol is existentially unforgeable against adaptive chosen-message attacks (EUF-CMA-II) of the Type II adversary A 2 in the random oracle model under the ECDLP assumption.

Table 1: Comparison of security properties.