Practical SM2-Based Multisignature Scheme with Applications to Vehicular Networks

In vehicular networks, the increasing value of transportation data and the growing scale of connectivity also bring many security and privacy concerns. Peer authentication and message integrity are two vital security requirements for a safe transportation system. Because of the constrained resources of the units performing the cryptographic operations, proposed security-enhancing schemes should be lightweight and scalable. In this paper, we present a multisignature scheme derived from the SM2 signature which enables a group of parties to collaboratively sign a message and generate a compact joint signature at the end. Our scheme requires no preprocessing or interactions among the parties before signing, and its performance matches or surpasses known schemes in terms of signing time, verification time, and signature size. Therefore, our scheme is also suitable for vehicular networks, with the goal of enhancing security at small computation and storage cost.


Introduction
With the development of advanced information and communication technologies, the intelligent transportation system (ITS) can provide a seamless transportation infrastructure and more functionalities for vehicles than a decade ago. Specifically, the Vehicle-to-Everything (V2X) communication technology in vehicular networks is nowadays able to support information sharing between vehicles and any other element involved in ITS [1,2], including nearby vehicles (V2V), the infrastructure (V2I), mobile devices carried by pedestrians (V2P), and remote application servers or cloud platforms (V2N). The increasing scale of the ITS ecosystem and the growing trend to integrate vehicular network deployments with other networks also bring concerns about cybersecurity for ITS, since any message interception or modification by malicious units could result in fatal consequences [3,4].
Digital signatures are commonly used in vehicular networks to ensure the integrity of messages exchanged among devices. However, the effectiveness of information propagation and routing, which is associated with delays and hence also has an impact on road safety, naturally depends on the computational overhead imposed by the applied security mechanisms [5]. Beyond traditional signature schemes, multisignature (MS) and aggregate signature (AS) are extended primitives for the multiuser setting that support cosigning and reduce verification cost. The two primitives both allow a group of signers to combine their individual signatures into a single short one. Specifically, an MS scheme [6,7] enables a group of signers, each having a public key and a corresponding private key, to collaboratively produce a joint signature on a common message which can be publicly verified given the set of public keys of all signers. As a more general primitive, an AS scheme [8,9] allows each of the signers to sign a different message, and all these individual signatures can still be aggregated into a single short one. As in a traditional signature scheme, the short combined signature should convince the verifier that all signers signed their designated messages.
Both MS and AS schemes have many potential uses in vehicular networks, such as in a distributed certificate authority (CA) or in V2I/V2V communications. Unfortunately, the commonly used technologies, including dedicated short-range communications (DSRC) and cellular-V2X (C-V2X), mainly exploit elliptic curve-based signature schemes, e.g., ECDSA and SM2, which, to the best of our knowledge, have very few MS or AS extensions due to their nonlinear construction.
In this paper, we propose a candidate multisignature scheme MS-SM2 based on the SM2 signature algorithm and specify applications of MS-SM2 to vehicular networks. SM2 is an elliptic-curve signature algorithm standard published by the Chinese government that has been extensively used in cryptographic devices in finance and industry. Our proposed MS-SM2 scheme allows dynamic joining of signers (with certified public keys) and places no burdensome assumptions on the public-key infrastructure (PKI), which makes it a plausible choice for vehicular networks.

Our Contributions.
The original contribution of this work is mainly twofold: (i) We first present a multisignature scheme MS-SM2 based on the SM2 signature by designing a cosigning protocol, and we prove its security in the plain public-key and semihonest model. No preprocessing or proof-of-knowledge step on the signer side is required in our scheme. The experimental results also show that our protocol is relatively practical for many applications. (ii) We then illustrate some possible applications of MS-SM2 in vehicular networks, especially its use in the multiple-CA architecture to reduce certificate storage for vehicles and RSUs, and in V2I communication to reduce the computational overhead for RSUs.

Related Work.
A trivial way to build a multisignature from standard signatures is to concatenate all stand-alone signatures signed individually. However, the resulting multisignature is large, with size proportional to the number of signers, which does not scale well in practice [6,7,10]. Therefore, a multisignature should be short, meaning its length should be (ideally) independent of the number of signers and about the same as that of an ordinary stand-alone signature. Informally, the possibility of extending standard signature schemes to multisignatures comes from the homomorphism of the arithmetic operations involved in the underlying assumptions. However, the homomorphism also brings a serious vulnerability and allows adversaries to mount rogue key attacks, in which attackers without valid key pairs set their public keys as a function of those of other honest signers and finally forge multisignatures. Micali et al. [6] described the formal model for the attack and showed a way to prevent such attacks known as the knowledge of secret key (KOSK) assumption, in which users are required to prove knowledge of their secret keys during public key registration. Bellare and Neven [7] proposed a new practical multisignature scheme based on the Schnorr signature without the KOSK assumption and proved that it avoids rogue key attacks in the so-called plain public key model.
There are several follow-up works on constructing 2-round Schnorr-based multisignatures, i.e., all signers need only 2 rounds of communication to produce a multisignature [11][12][13][14][15]. Recently, public key aggregation has been introduced to multisignature schemes, by which the verifier can check the validity of a multisignature using only a short aggregate key rather than a list of public keys [16,17].

Preliminaries
For a prime number p, Z_p denotes the additive group of integers modulo p. We consider an elliptic curve E over Z_p with coefficients a, b ∈ Z_p and 4a^3 + 27b^2 ≠ 0 (mod p). The set of points on E along with the point at infinity O constitutes an additive elliptic-curve group E(Z_p) under point addition, denoted by ⊕, with O being the identity.
Range [x, y] denotes the set of integers i with x ≤ i ≤ y. Given a nonempty set S, s ←$ S denotes the operation of sampling an element of S uniformly at random and assigning it to s. For a randomized algorithm A, y ← A((x_1, ..., x_n); ρ) denotes the operation of running A on inputs (x_1, ..., x_n) and random coins ρ and then assigning its output to y.

Multisignature Scheme
2.1.1. Syntax. We follow the description of Bellare and Neven [7] and define a multisignature scheme as a tuple MS = (Setup, KeyGen, MSign, Vrfy). Note that the scheme is defined in the plain public key model, where key generation is the same as in any public-key cryptosystem and no additional preprocessing protocol or key verification is required.
Setup(1^κ) → pp: the setup algorithm takes as input the security parameter κ and generates the system parameters pp.
KeyGen(pp) → (sk, pk): the key generation algorithm is a randomized algorithm executed by every signer on input pp to generate a key pair (sk, pk).
MSign(pp, L, sk_i, m) → σ: the MSign algorithm represents the signing protocol run by a group of signers who intend to collaboratively sign the same message m. Each signer i executes the protocol on input pp, the set of public keys of the signers L = {pk_1, ..., pk_N}, its private key sk_i, and the message m. The protocol outputs a multisignature σ.
Vrfy(pp, L, m, σ) → 0/1: the verification algorithm checks the validity of a multisignature σ on message m on behalf of the group of signers whose public keys are in the set L and outputs 1 or 0, indicating whether the multisignature is valid or not.

Completeness.
A multisignature scheme should satisfy the following completeness property: for any number N of signers and any message m, if (pk_i, sk_i) ← KeyGen(pp) for i ∈ {1, ..., N} and all signers run MSign(pp, L, m, sk_i), then every signer outputs the same signature σ such that Vrfy(pp, L, m, σ) = 1.

Security.
The security of a multisignature requires that it is infeasible to forge a signature involving at least one honest signer. We assume an adversary (forger) F that corrupts all signers except the honest one and can choose their public keys in arbitrary ways, e.g., mounting the rogue key attack. The unforgeability of a multisignature in the plain public key model is defined by the following three-phase game Exp^UF-CMA_MS(F) between the forger F and a challenger.
Setup. The challenger generates the system parameters pp ← Setup(1^κ) and a challenge key pair (pk*, sk*) ← KeyGen(pp) for the target honest signer. It returns (pp, pk*) to F.
Query. The forger F is allowed to make signature queries on any message m for any set L of signers with pk* ∈ L. This signing oracle O(pp, ·, sk*, ·) simulates the honest signer with key sk* interacting in a signing protocol with the other signers in the list L. F can make any number of such queries concurrently.
Forge. F outputs a set L* of public keys, a message m*, and a multisignature σ*. The forger is said to win the game if Vrfy(pp, L*, m*, σ*) = 1 with pk* ∈ L* and the message m* never appeared in the Query phase. The advantage of the forger F in breaking the multisignature scheme is defined as the probability that F wins the above game (over the random coins of the challenger), denoted Adv^UF-CMA_MS(F).
A multisignature scheme MS is (t, q_s, N, ε)-unforgeable if every forger F that runs in time at most t, makes at most q_s signing queries, and produces forgeries on behalf of N parties wins the Exp^UF-CMA_MS(F) game with only negligible probability ε. In the random oracle model, we define it as (t, q_s, q_h, N, ε)-unforgeable, where q_h denotes the maximum number of hash queries.

SM2 Signature Algorithm.
The SM2 signature algorithm is initialized by taking as input a security parameter κ and outputs pp = (E(Z_p), O, G, n, H(·)) as public parameters, in which H: {0, 1}* → Z_n is a cryptographic hash function. The SM2 signature scheme is briefly reviewed in Table 1.
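As an added worked example (not code from the paper or its authors), the following Python implements plain SM2 signing and verification, the base algorithm that the multisignature in Section 3 starts from. The curve constants are the SM2 recommended 256-bit prime-field curve from the GB/T 32918 standard. Two simplifications are assumptions of this example rather than part of the standard: SHA-256 stands in for SM3 because Python's hashlib does not guarantee SM3, and the user-identity digest Z_A that SM2 prepends to the message is omitted, so e = H(m) instead of H(Z_A || m).

```python
"""Plain SM2 signing and verification (added reference example, not the paper's code).
Curve: the SM2 recommended 256-bit prime-field curve from GB/T 32918.
Assumptions of this example: SHA-256 replaces SM3, and Z_A is omitted (e = H(m))."""
import hashlib
import secrets

# Curve y^2 = x^3 + a*x + b over Z_p, base point G of prime order n
P = 0xFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF00000000FFFFFFFFFFFFFFFF
A = 0xFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF00000000FFFFFFFFFFFFFFFC
B = 0x28E9FA9E9D9F5E344D5A9E4BCF6509A7F39789F515AB8F92DDBCBD414D940E93
N = 0xFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFF7203DF6B21C6052B53BBF40939D54123
G = (0x32C4AE2C1F1981195F9904466A39C9948FE30BBFF2660BE1715A4589334C74C7,
     0xBC3736A2F4F6779C59BDCEE36B692153D0A9877CC62A474002DF32E52139F0A0)
O = None  # the point at infinity (group identity)


def on_curve(pt):
    """True if pt is O or satisfies the curve equation."""
    if pt is O:
        return True
    x, y = pt
    return (y * y - (x * x * x + A * x + B)) % P == 0


def ec_add(p1, p2):
    """Affine point addition; also handles doubling and inverse points."""
    if p1 is O:
        return p2
    if p2 is O:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2:
        if (y1 + y2) % P == 0:
            return O                                       # p1 == -p2
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P   # tangent slope
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P           # chord slope
    x3 = (lam * lam - x1 - x2) % P
    y3 = (lam * (x1 - x3) - y1) % P
    return (x3, y3)


def ec_mul(k, pt):
    """Double-and-add scalar multiplication [k]pt."""
    result, addend = O, pt
    while k:
        if k & 1:
            result = ec_add(result, addend)
        addend = ec_add(addend, addend)
        k >>= 1
    return result


def msg_hash(msg):
    """e = H(m) as an integer; SHA-256 stands in for SM3 here (assumption)."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big")


def keygen():
    """Secret key d in [1, n-2], public key P = [d]G."""
    d = secrets.randbelow(N - 2) + 1
    return d, ec_mul(d, G)


def sign(d, msg):
    """SM2 signature (r, s): r = (e + x1) mod n, s = (1+d)^-1 (k - r*d) mod n."""
    e = msg_hash(msg)
    while True:
        k = secrets.randbelow(N - 1) + 1          # ephemeral scalar in [1, n-1]
        x1, _ = ec_mul(k, G)
        r = (e + x1) % N
        if r == 0 or r + k == N:                  # retry conditions from the standard
            continue
        s = pow(1 + d, -1, N) * (k - r * d) % N   # the nonlinear (1+d)^-1 factor
        if s == 0:
            continue
        return r, s


def verify(pub, msg, sig):
    """Accept iff r, s are in range, t = r + s != 0 mod n, and
    (e + x1') mod n == r where (x1', y1') = [s]G + [t]P."""
    r, s = sig
    if not (1 <= r < N and 1 <= s < N):
        return False
    t = (r + s) % N
    if t == 0:
        return False
    pt = ec_add(ec_mul(s, G), ec_mul(t, pub))
    if pt is O:
        return False
    x1, _ = pt
    return (msg_hash(msg) + x1) % N == r


if __name__ == "__main__":
    d, pub = keygen()
    sig = sign(d, b"constructed test message")
    print("valid:", verify(pub, b"constructed test message", sig))
```

The verification equation works because [s]G + [t]P = [s + (r + s)d]G = [s(1 + d) + rd]G = [k]G, so the verifier recovers x1 and recomputes r. The factor (1 + d)^-1 in s is the nonlinear combination of secret key and randomness that Section 3 refers to: a sum of per-signer s_i values does not directly correspond to a sum of keys, which is why the paper modifies what each party contributes.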

General Forking Lemma.
We will use the general forking lemma [7] to prove the security of our scheme; it is a useful tool that extends the forking lemma of Pointcheval and Stern [18] without mentioning concrete signatures or random oracles.

Lemma 1 (general forking lemma). Let H be a set of size … where i ∈ {0, ..., q} and σ is a side output. For some randomized input generator IG, the accepting probability of algorithm A, denoted by acc, is defined as … Consider the randomized algorithm Fork_A associated with A, which takes as input x and proceeds as described in Algorithm 1. Let frk be the probability that …

2.4. Secure Multiparty Computation.
Secure multiparty computation (MPC) enables a group to jointly perform a computation without disclosing any participant's private inputs. The participants agree on a function to compute and then use an MPC protocol to jointly compute the output of that function on their secret inputs without revealing them [19]. There are several well-studied MPC protocols, such as the GMW protocol [20] and the BGW protocol [21]. Both are based on the secret-sharing technique and support both Boolean and arithmetic circuits.
Here, we only present the general idea of a simple addition function to show how the protocols work. The basic idea is that each party holds secret shares of the inputs; therefore, each party can locally sum up its shares and obtain a valid sharing of the final result. We describe it in a bit more detail in Figure 1.
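The addition protocol sketched above, written out as an added example for this page (it is not the paper's Figure 1 or the authors' code): each party additively shares its input over Z_M, every party locally sums the shares it received, and opening the local sums reveals only the total. The inputs below are constructed, and the modulus M is a parameter of the example; in the signature setting of Section 3, where s = Σ s_i (mod n), the modulus would be the group order n and each party's input its own s_i.

```python
"""Additive secret sharing for a jointly computed sum (added example, not the
paper's Figure 1 or code). Inputs are constructed; the modulus is a parameter."""
import secrets


def share(secret, num_parties, modulus):
    """Split `secret` into additive shares over Z_modulus: all but the last
    share are uniformly random, the last one makes the shares sum to `secret`."""
    shares = [secrets.randbelow(modulus) for _ in range(num_parties - 1)]
    shares.append((secret - sum(shares)) % modulus)
    return shares


def reconstruct(shares, modulus):
    """Recover a shared value by adding all of its shares."""
    return sum(shares) % modulus


def mpc_sum(inputs, modulus):
    """Simulate the addition protocol among len(inputs) parties.
    Returns (result, dealt, partial): dealt[i][j] is the share of input i
    held by party j, and partial[j] is party j's locally computed share
    of the total."""
    n = len(inputs)
    # Round 1 (share): party i splits x_i and sends share j to party j
    # (party i keeps share i for itself).
    dealt = [share(x, n, modulus) for x in inputs]
    # Local computation: party j adds the n shares it holds, obtaining a
    # share of the total without learning any individual input.
    partial = [sum(dealt[i][j] for i in range(n)) % modulus for j in range(n)]
    # Round 2 (open): every party broadcasts its partial sum; adding the
    # partial sums reconstructs the result, and only the result.
    return reconstruct(partial, modulus), dealt, partial


def party_view(dealt, j):
    """Everything party j receives in round 1: one share of each input.
    Each share is uniformly distributed in Z_modulus regardless of the
    input it came from, so this view alone says nothing about the inputs."""
    return [row[j] for row in dealt]


if __name__ == "__main__":
    # Constructed example: three parties each hold a private value.
    M = 1009
    total, dealt, partial = mpc_sum([123, 456, 789], M)
    print("sum mod M:", total, "==", (123 + 456 + 789) % M)
    print("party 0 sees:", party_view(dealt, 0))
```

The semihonest security of this toy protocol rests on the fact that any n - 1 shares of a value are independent of that value; a party that deviates (for example, by summing the wrong shares) breaks correctness but still learns nothing, which is the same flavour of guarantee the semihonest model in Section 3 assumes.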

SM2-Based Multisignature Scheme: MS-SM2
In this section, we present a multisignature scheme based on the SM2 signature in the plain public key model. Intuitively, the original signing algorithm of SM2 involves a nonlinear combination of the secret key and the randomness; therefore, it is nontrivial to extend it directly to a multisignature. To cope with the problem, our protocol first exploits the linear part of SM2 to produce a semiaggregated signature and then employs a simple MPC protocol for addition to finally achieve the goal. Note that we slightly modify the output of the original SM2 signing algorithm in the protocol: each party contributes the inverse of s as its part of the signature instead. Therefore, the multisignature in our scheme has almost the same structure as the original SM2 signature and remains practical. The unforgeability of the multisignature under chosen message attack can be proved in the random oracle model using the general forking lemma [7,16].

Construction.
The initialization Setup algorithm and KeyGen algorithm of the multisignature are almost the same as those in the SM2 scheme, except that two hash functions are used in the multisignature scheme, denoted H_0: E(Z_p) → Z_n and H_1: {0, 1}* → Z_n. We now proceed to describe the signing protocol and verification algorithm of the MS-SM2 scheme. Note that we take L to be of size N for simplicity, where N is the maximum number of cosigners and N ≪ n.
MSign(pp, L, m, sk_i): each signer i with secret key sk_i = d_i and public key pk_i = P_i in the set L runs an interactive protocol to collaboratively sign a message m.
The communication proceeds in a number of rounds, where in each round every signer sends messages to and receives messages from the other signers and also performs some local computation.
(1) …, y_{i,1}), and broadcast t_i.
(2) Upon receiving t_j from all other signers, broadcast …
At the end of the interactive protocol, the algorithm outputs a multisignature σ = (K, s), where K is the set of all points K_i = (x_{i,1}, y_{i,1}).
Vrfy(pp, L, m, σ): given a multiset of public keys L, a message m, and a multisignature σ, the verifier computes …
Correctness: if σ = (K, s) is a valid output of the protocol, the Vrfy algorithm always accepts and outputs 1. The equation only holds when all signers follow the protocol and use valid key pairs. Note that the integer computations are all modulo n, and we omit the notation for simplicity.

Security Proof.
In general, we can treat the multisignature scheme as a multiparty computation protocol and prove its security in the simulation-based framework for a clearer security guarantee. Unfortunately, the security of multisignatures is traditionally defined in the game-based framework, and, on the other hand, simulation-based proofs are complex in the random oracle model. Here, we follow the game-based definition of Bellare and Neven [7] and only show a proof sketch for the scheme. The basic idea of the game-based proof is to obtain from F two different forgeries σ and σ′ with the same randomness by employing the general forking lemma. As a result, we can extract the secret key corresponding to the target public key pk*, which is usually a solution of the discrete-logarithm problem in the elliptic-curve group E(Z_p). For simplification, we consider an equivalent verification equation: if σ = (K, s) and σ′ = (K, s′) satisfy … then the secret key d* corresponding to pk* can be computed from the equation …
However, in the process of MSign, each signer can check the value s before continuing to execute the protocol, which allows signers to quit cosigning immediately if there is any rogue key attack. Specifically, they can compute [x′_1, y′_1] … Therefore, we can let the simulator halt if the forger successfully forges s.
Lemma 2. If there exists a (t, q_s, q_h, N, ε)-forger F′ that can output a forgery s, then there exists a PPT algorithm A which (t′, ε′)-solves the DL problem in E(Z_p).
Proof. Note that s = Σ_{i=1}^{N} s_i (mod n) and each s_i has a structure similar to a Schnorr signature. Therefore, the proof of Lemma 2 is similar to that of the MS-BN scheme. Generally, given a (t, q_s, q_h, N, ε)-forger F′, we first wrap it into an algorithm B that can be used in the general forking lemma. We then describe an algorithm A that, on input pk* = P*, runs Fork_B(pk*) to output the corresponding discrete logarithm.

Let q = q_h + q_s, let T_0[·] and T_1[·] be the programmed hash tables for the oracles H_0 and H_1, respectively, and let h_1 = (h_{1,1}, ..., h_{1,q}) be the answers to the queries to H_1. Two counters ctr_1 and ctr_2 are initialized to zero. An additional array T_2[·] records a unique index 1 ≤ i ≤ q_h + N q_s for each public key P_i occurring either as a cosigner's public key in signature queries or in H_1 queries, where T_2[P*] = 0. On input pp, h_1, and P* ∈ E(Z_p), B plays the Exp^UF-CMA_MS(F) game with F′ with the target public key pk* = P*. B answers queries from F′ by programming the oracles as follows: … increments ctr_2 and sets T_2 … has not yet been defined, then B assigns random values to all … (K, h_{1,J}, s, L)). The accepting probability of B is as follows: …
We then construct the algorithm A that, on input pk* = P*, runs Fork_B(pk*). According to the general forking lemma, it returns (1, (K, h_{1,J}, s, L), (K, h_{1,J′}, s′, L)) with probability frk_A. Note that the discrete logarithm of P* can be computed from (K, h_{1,J}, s, L) and (K, h_{1,J′}, s′, L). Therefore, the probability ε′ is as follows: …
□

3.3. Experimental Results.
We now present concrete experimental results based on our implementation. We implemented the MS-SM2 scheme in Java and ran it on an EC2 instance with a 2.50 GHz CPU and 1 GB RAM. We use the standard SM2 curve and the SM3 hash algorithm. We ran experiments from 2 to 20 parties and compare our results in the two-party setting with a related protocol from Zhang et al. [22] in Table 2. Note that [22] is an SM2-based two-party distributed signing protocol, which differs slightly from a multisignature in that the parties must also cooperate in key generation. Moreover, they omit the zero-knowledge proof component in their implementation, and our demo (https://github.com/lhoou/ms-sm2), as a simulation, only includes local computation and omits the real-world communication cost.
For the multiuser setting, the performance of our scheme is presented in Table 3.

Applications to Vehicular Networks
In this section, we describe two potential applications of MS-SM2 to vehicular networks. We first show that it can be employed in an architecture with multiple certificate authorities to reduce the number of certificates required for devices in the system, including on-board units (OBU) and road-side units (RSU). In addition, we also specify its possible usage in the process of V2I communications. The goal is to reduce computation and storage overhead for the units while maintaining the security properties.

4.1. Multi-CA Architecture.
In vehicular networks, taking C-V2X as an example, certificate authorities usually include organizations for registration, communication authorization, and pseudonym authorization. Specifically, any device involved in the network must first request a registration certificate from the registration CA and then request the other certificates, from different CAs, that are needed to send and receive messages in the network.
For instance, a vehicle is required to get a certificate from the registration CA using its unique identity before joining the network. It can then request a pseudonym certificate for anonymous V2V communication and a secure V2I communication certificate from the secure communication CA using its registration certificate. The vehicle can also apply for multiple registration certificates from different registration CAs. To simplify the authentication process, the distributed CAs can employ MS-SM2 to jointly generate a single certificate, or a single registration certificate, for the vehicle at the same time, instead of generating certificates one by one.

Cooperative V2I Communication.
Cooperative communication in vehicular networks has been leveraged to offer various improvements in spectral efficiency, transmission reliability, and transmission delay. Vehicles can cooperate with each other either directly or through an RSU, and the vehicular node which helps the source node to transmit its data is called a helper node or relay node [23].
(i) Cooperative traffic reports: vehicles in the same traffic area, such as at an accident or in a neighborhood, can cooperatively issue a traffic report including cooperative awareness messages (CAMs), safety importance, and vehicle heading, and transmit a packet to the RSU with an attached MS-SM2 signature. The MS-SM2 signature helps the RSU check the validity of the packet and also reduces the computation cost of the RSU.
(ii) RSU-assisted communication: when a source RSU fails to successfully transmit a packet to the targeted destination, it forwards the packet to the next RSU along the path using the backhaul wired connection. The new RSU relays the received packet to the targeted destination. In this scenario, both the source RSU and the relaying RSU can jointly sign the packet using MS-SM2 to convince the target vehicle of the transmitted message, which also prevents a single malicious RSU from sending out fraudulent packets without collusion.

Conclusions
In this paper, we present a candidate multisignature scheme from the SM2 signature algorithm in the plain public-key model. Compared to a list of individual signatures, the storage volume of an MS-SM2 signature is reduced by nearly 50%, and the computation cost is relatively low. In addition, we specify in detail some potential applications of the MS-SM2 scheme to vehicular networks, especially in the scenario of cooperative secure communication, with the goal of maximizing performance and compatibility. Because of high-speed mobility, designing more efficient protocols with fewer communication rounds for vehicular networks is still a challenging research problem.

Data Availability
The data, including algorithms and proofs, used to support the findings of this study are included within the article.

Conflicts of Interest
The authors declare that there are no conflicts of interest regarding the publication of this paper.

Table 2: Comparison of performances (in milliseconds) between [22] and our scheme in the two-party setting.