A Certificateless Anonymous Cross-Domain Authentication Scheme Assisted by Blockchain for Internet of Vehicles

. With the development of the Internet of Things and the increase of intelligent vehicles, the Internet of Vehicles (IoVs) have been widely used in the information communication such as road and tra ﬃ c conditions. However, heavy overhead of certi ﬁ cate management, high computing load of identity and message authentication, and the privacy disclosure of vehicle nodes have hindered the development of intelligent transportation. In this study, we propose a certi ﬁ cateless cross-domain anonymous authentication scheme based on blockchain for IoVs. Speci ﬁ cally, the vehicle identity information is authenticated by the ﬁ rst roadside unit (RSU), and transactions are recorded permanently and immutably in the blockchain to reduce the repeated authentication load of other RSUs. To achieve conditional privacy, the trusted authority (TA) generates pseudonyms for each registered user. The relation between the pseudonym and the real identity is kept con ﬁ dential by the TA and only can only be revealed in case of disputes. Meanwhile, the private key of the vehicle is generated anonymously on the basis of certi ﬁ cateless technology and the pairing-free signature veri ﬁ cation. Correctness and security proof demonstrate that our proposed scheme is provably secure and can withstand di ﬀ erent types of attacks. A simulation environment has been built to test the packet loss rate and delay of messages in the network. Results show that the proposed scheme is more e ﬃ cient than the related schemes.


Introduction
With the rapid development and maturity of the Internet of Things, the Internet of Vehicles (IoVs), as the basic technology of intelligent transportation system, have received extensive attention and research from academia and the industry. IoVs provide a safer driving environment by allowing vehicles to communicate with one another or with roadside infrastructure to improve road safety, driving conditions, and comfort for road users.
IoVs are formed by the combination of vehicles and intelligent network equipment, which is composed of a high-speed mobile wireless ad hoc networks. Figure 1 shows the typical IoV environment, including trusted authority (TA), roadside units (RSUs), vehicles, and the Internet. The communication is carried out by vehicle-to-vehicle (V2V) and vehicle-to-infrastructure (V2I), in which valuable driving information and exchange traffic-related information are shared to improve driving and passenger safety [1].
IoVs bring safety and provide various entertainment information services for drivers and passengers. However, at the same time, it will inevitably generate massive data and face many information security challenges. Firstly, given the openness and fragility of wireless networks, the messages transmitted in IoV system are vulnerable to various attacks, such as modification or impersonation. Moreover, the privacy of vehicles has also been greatly threatened, such as exposing user behaviour tracks. Secondly, the vehicles in IoVs move at high speed, and the communication bandwidth is minimal, which requires that vehicle identity and message authentication in IoVs to have lower computation and communication overhead. In addition, tens of thousands of vehicles and their onboard devices will realise the sharing and interaction of vehicle or driving data through the IoVs. This exchange results in massive data, which will inevitably cause high communication overhead and reduce the performance of each entity in the IoV system. Of course, it also leads to the increase of packet loss rate.
To solve the traffic-related message security problems in IoVs, researchers propose authentication schemes based on public key infrastructure (PKI), identity-based cryptography (IBC), and certificateless cryptography (CLC). In the schemes based on PKI, to manage users' public keys, a certification authority must store many certificates. Therefore, the RSUs require sufficient computation and storage capacity to validate these certificates. To alleviate the certificate management problem caused by PKI, IBC is introduced into the IoVs. In identity-based authentication schemes, the public key derives from the user's identity information, and the private key generator (PKG) has no certificate storage load. However, PKG can use the user's private key to forge the user's signature and thus cause a key escrow problem. To solve this problem, Al-Riyami and Paterson proposed CLC in 2003 [2]. Then, the researchers also proposed the corresponding CLC-based authentication schemes.
Some certificateless signature schemes use bilinear pairing operation with a large amount of computation; hence, they are unsuitable for IoV environment with low delay. Therefore, a signature scheme with low delay and minimal computation is urgently needed to improve the performance of all aspects in IoVs.

Motivation and Contributions.
Zheng et al. [3] proposed a traceable distributed IoV system framework based on blockchain technology by adopting the authentication scheme between vehicles and RSUs. However, there are two problems in the authentication stage of this scheme: Problem 1. When a vehicle reaches the range of each RSU on the road, it sends an authentication request to the RSU containing the pseudonym and the corresponding public key to achieve identity authentication by each RSU. This frequent and repeated operation cannot meet the low communication requirements and low computation requirements in the IoV system, which increases the system burden.
Problem 2. After determining the authenticity of the vehicle identity, the RSU initiates the random integer negotiation process and sends the vehicle a random integer encrypted by the vehicle's public key and stored in the on-board unit (OBU). However, this phase only considers the communication between the vehicle and the first RSU in a particular area. When the vehicle enters the next RSU area, this process will be repeated and the storage load of OBU will be increased.
Therefore, on the basis of the work of Zheng et al. [3], we propose a certificateless anonymous cross-domain authentication scheme assisted by blockchain, and its main contributions are as follows: (1) To preserve the privacy of vehicles, the TA distributes pseudonyms to each vehicle for the whole communication process. The key generation centre (KGC) generates partial private keys of the vehicle, and the vehicle combines partial private keys with its secret values to generate the actual private keys to solve the key escrow problem and void heavy certificate verification load (2) To overcome Problems 1 and 2, the vehicle sends the verification information calculated by itself and the pseudonym assigned by the TA to the first RSU, and only the first RSU negotiates a random integer with the vehicle. Then, the RSU packages the negotiated random integer and other contents on the blockchain built by the RSUs to realise cross-domain authentication and reduce the computational overhead caused by repeated signature authentication (3) The homomorphic signature without bilinear pairing is adopted to improve the efficiency of RSUs verifying messages (4) When a malicious event occurs, according to the openness and transparency of the blockchain, other vehicles can report the malicious event to RSUs. The RSUs will present the pseudoidentity of the malicious vehicle to TA. Finally, the TA traces the true identity from the user list, revokes the user, and updates the user list accordingly Organization. This research is organized as follows. Section 2 presents the existing related work. Section 3 shows the background knowledge and describes the system model. Section 4 shows the basic construction. Security proof and performance evaluation will be given in Section 5 and Section 6. The last section makes a conclusion.

Related Works
Anonymous identity authentication is a typical method to preserve vehicle privacy in IoVs. Many researchers have studied and proposed privacy preservation authentication schemes in IoVs based on the basic idea of using digital pseudonyms as a unique identifier to authenticate without  Wireless Communications and Mobile Computing any personal identity information. Firstly, in PKI-based scheme, certificate authorities need to generate multiple anonymous public-private key pairs and certificates for each OBU and prestore them in tamper-proof devices (TPD) [4,5]. Therefore, it is difficult to manage and store a large number of public-private key pairs and related certificates, which also increases the complexity of maintenance and management.
To solve the above problems, scholars have designed a variety of IBC-based schemes. IBC was first launched by Shamir in 1984 [6]. It sets the entity's digital identity as a public key, eliminating the need for the key infrastructure, and KGC uses the primary key to generate the entity's private key. Although such schemes avoid PKI's certificate management problems, they often need to carry out timeconsuming pairing operations [7] and introduce key escrow problems. Song et al. proposed a batch authentication scheme using elliptic curve bilinear pairs and pointed out the existing security risks. By improving the program of Song et al. [8], an identity-based batch verification security scheme [9] with bilinear pairing-free is proposed. However, in these identity-based schemes, the main problem is that KGC uses its master key to generate a key for a vehicle entity. It cannot ensure nonrepudiation because KGC abuses the vehicle's access ability to sign and decrypt any message, resulting in key escrow problems.
To address these problems of key escrow and certificate management, Al-Riyami and Paterson introduced a certificateless-based mechanism in 2003 [2]. Yao et al. [10] proposed a certificateless anonymous authentication mechanism named CLMA. The mechanism applies the key exchange technology supporting password authentication based on ring fault-tolerant learning problems, which can provide mutual authentication when vehicles access vehicle cloud services through RSUs. Xu et al. [11] proposed a certificateless authentication protocol named SE-CLASA, which does not rely on a fully trusted third party; the signature scheme supports aggregation, which can resist information injection attacks. Malhi and Batra [12] proposed a new certificateless aggregate signature scheme for VANETs with constant pairing computations. However, vehicles need to be registered repeatedly in different regional transportation authority management areas, and the amount of registration calculation is relatively high. In 2018, Wang and Teng [13] proposed a verifiable and secure certificateless aggregate signature algorithm in VANETs. However, Yang et al. [14] pointed out that the study by Wang and Teng [13] was not secure and proposed an improved certificateless aggregate signature scheme. Zhao and Zhang [15] proposed an authenticable privacy preservation scheme based on certificateless ring signcryption, but this scheme used a time-consuming bilinear pairing operation. Hathal et al. [16] presented a certificateless and lightweight authentication scheme. In their work, they introduced authentication tokens to reduce the burden of certificate management. However, the authentication of each vehicle node requires the participation of TA, so a bottleneck problem arises.
Yang et al. [17] proposed a method of using blockchain to protect the data privacy of IoVs. Although this method is also based on certificateless cryptography system to realise the signature and authentication of blockchain transactions, combined with edge computing devices, it proposed a finegrained data access control method with an efficient partially hidden access strategy. Ali et al. [18] also proposed a certificateless signature scheme based on blockchain, but many bilinear pairings are used in both schemes to verify the signature and are unsuitable for IoV systems with low delay and computational complexity. Bagga et al. [19] proposed blockchain-based batch authentication protocol for Internet of Vehicles, in which vehicles and RSUs can be added dynamically. Unfortunately, at the registration stage of vehicles and RSUs, TA generates certificates for them and a certificate management problem arises. In addition, the real identity, pseudoidentity, certificate, and part of private key of the vehicle and RSU are all generated by TA, so the calculation pressure of TA is large. Subsequently, Ren et al. [20] proposed an efficient and privacy-preserving certificateless public key signature scheme based on the blockchain. Although their scheme added two blockchains to the structure to protect the identity privacy of vehicles, it did not describe the construction of the blockchain network.
At present, many scholars have put forward a lot of other types of signature verification schemes, such as 6G-enabled VANETs [21] and anonymous signature-based authentication [22]. However, most of them have some problems, such as key management, high computational, and communicational costs. Consequently, we utilize the certificateless cryptosystem to solve the key escrow problem, and a pairing-free authentication method is used for efficiency consideration. Furthermore, we introduce blockchain technology to achieve transparency and nontamperability of transaction information and reduce duplicate certification load.

Preliminaries
In this section, we will present cryptographic materials, system models, adversary models, design objectives, and symbols.

Cryptography Materials
3.1.1. Elliptic Curve. Suppose that the symbol E/F p denotes an elliptic curve E over a prime finite field F p , where p is a large prime number. The curve E is defined as follows: Such that a, b ∈ F p and Δ = 4a 3 + 27b 2 ðmod pÞ ≠ 0. The points on E/F p and a point at infinity O construct a cyclic additive group: A scalar multiplication overE/F p can be computed as follows [23]: in which t ∈ F p and P ∈ G. G is a finite cyclic group of prime order p defined on elliptic curve E, pP is the generator of group G. Suppose that there is a random point Q in group G, and solve s so that it satisfies Q = sP.

Certificateless
Cryptosystem. The concept of certificateless encryption and signature was first proposed by Al-Riyami and Paterson, which solves the issue of key escrow in IBC. The basic idea of certificateless encryption and signature is that KGC generates a partial private key for the user. The user's private key is jointly generated by the user and KGC. The user selects a secret value and combines it with the partial private key to generate the user's full private key. KGC does not know the user's complete private key, thus avoiding the problem of key escrow. The versatile definition of certificateless encryption and signature scheme consists of five algorithms, and the user public/secret key pair can be generated independently by the user even before obtaining the user partial key from the KGC [24]. Next, the definition of certificateless signature scheme will be presented: (i) Setup (master key generation): on input security parameter 1 λ , it generates a master public/secret key pair ðmpk, mskÞ. The system parameter params is broadcasted to the other entities (ii) PartialKeyGen (user partial key generation): on input msk and user identity ID, it generates a user partial key d ID (iii) UserKeyGen (user key generation): on input mpk and user identity ID, it generates a user/private key pair ðpk ID , x ID Þ (iv) CL_Sign (signature generation): on input user private key x ID , user partial key d ID , and message m, it generates a signature σ (v) CL_Ver (signature verification): on input mpk, user identity ID, user public key pk ID , message m, and signature σ, it returns 1 or 0 for accept or reject, respectively Certificateless public key cryptography does not need certificate management and requires less load. Therefore, it is more suitable for mobile security applications with low broadband requirements and low energy consumption.

Blockchain.
Blockchain originates from a paper published by Nakamoto in 2008 [25]. It is a distributed ledger on a peer-to-peer network, with each node storing and backing up complete ledger information. As shown in Figure 2, it is a data structure that connects the generated data blocks sequentially in chronological order, a decentralized shared ledger that cannot be tampered and forged. Blockchain is an effective technology to deal with vehicle management and data transmission. A reasonable construction of vehicle blockchain network framework can effectively solve many problems in IoVs, such as broadcast conflict, resource scheduling, and privacy preservation. Therefore, promoting the deep integration of blockchain technology and IoVs is the inevitable trend of IoV development.
Each node user in the blockchain system can create a smart contract by publishing a transaction and use programming to set the smart contract as its own ownership transfer rules, transaction methods, and state transition functions. The blockchain verifies the correctness and integrity of the signature message data obtained by the RSUs through the deployed smart contract. When the data is correct, the smart contract is triggered to return the correct verification result. Otherwise, an error verification is returned.
The distributed ledger is encrypted using a Merkle tree. In this paper, we have only covered chronological Merkle tree (CMT). As shown in Figure 3, all transactions are hashed and stored chronologically in the CMT. Only the root hash is contained in the blockchain. In our proposed scenario, the transactions broadcast by RSUs are permanently recorded in the CMT, making the activities of each entity in the IoVs transparent and verifiable to the authorities.   we propose a certificateless anonymous cross-domain authentication system assisted by blockchain. Therefore, the entity is divided into five types: TA, KGC, cloud server (CS), RSUs, and vehicles (V). In the VANET system, the RSUs communicate with the TA through wired, while they communicate with the vehicles in its areas through wireless. This system has overcome two problems discussed in Section 1, and at the same time, with the participation of blockchain technology, the framework has the characteristics of reliability and security, reducing the dependence of traditional solutions on TA or KGC. The IoV network model is shown in Figure 4.
(1) TA: it is a fully trusted authority with unlimited computing resources and storage space. It is responsible for generating public/private keys and system parameters, registering vehicles, assigning pseudonyms to vehicles, and providing identity anonymity in vehicle communication (2) KGC: it is not fully trusted entity. It is responsible for building and allocating partial private keys for anonymous vehicles in IoVs (3) CS: it is responsible for managing the pseudonyms of vehicles issued by TA to facilitate identity verification and decentralized storage of transaction details including traffic information released by vehicles (4) RSUs: it is deployed on the roadside as a bridge between TA, KGC, and vehicles. All RSUs establish a blockchain network as peer nodes. The blockchain network is in charge of the collective maintenance of blockchain data and broadcasting messages to vehicles along the road. The first RSU of each area verifies the identity of vehicles through V2I communication and submits the verification result, which is recorded on the chain after verification. After receiving the signature message, each RSU is responsible for verifying the signature of message. It will be recorded in the blockchain after verification (5) Vehicle: the vehicle is equipped with an OBU to collect, calculate, and communicate traffic-related information. The device has its own clock to generate the correct timestamp. It is responsible for storing privacy information in the TPD of the vehicle and broadcasting information to the vehicle and nearby RSUs. In addition, vehicles can report malicious vehicles to RSUs 3.5. Adversary Model. Assume that TA and RSUs are trusted entities. The vehicle is equipped with TPD, so the adversary cannot read, write, or delete the contents of the TPD. This scheme is using the ideas of certificateless cryptography. Therefore, the user's public key has not been certificated. In the adversary model, adversaries have the right to replace the user's public key with the illegal public key chosen by themselves. Moreover, since KGC knows the system master key, which can calculate all part of the user private key, but he cannot replace the user's public key. Therefore, we divide the adversary types into two categories. The adversary of type I simulates a malicious user who can request and replace the public key in the system. The adversary of type II is an internal attacker who has access to the KGC's master key and acts as a malicious but passive KGC.
3.6. Notations. The notations used in this paper are given in Table 1.

Design Goals.
According to IoVs and practical application requirements, the new scheme shall meet the following properties: (1)Message authentication: it ensures that the received message has not been modified or forged in the process of communication (2)Anonymity: in this scheme, only TA can obtain the real identity of the vehicle. Other vehicles in IoVs and  (3)Unlinkability: an attacker cannot find that multiple messages are from the same sender, and all pseudonyms should not reveal any connection between them (4)Traceability and revocation: TA can track out the real identity of the vehicle sending malicious messages and revoke the malicious vehicle (5)Unforgeability: any attacker cannot forge a legitimate signature (6)Resilience to other attacks: blockchain-assisted certificateless anonymous authentication schemes should be able to withstand various common attacks in IoVs (such as impersonation, modification, replay, and man-in-the-middle attacks)

Concrete Scheme
In this section, we describe a concrete construction of our scheme, which consists of seven phases: system initialization phase, registration phase, partial key generation phase, key generation phase, identity authentication phase, message publishing and validation phase, and tracking.

System Initialization
Phase. This phase is executed by TA and KGC which inputs a security parameter λ and generates parameters fq, P, Gg.
(1)TA selects a master secret key s ∈ Z * q which is a random number and sets T pub = sP as its master public key (2)KGC selects u ∈ Z * q randomly as its master secret key and sets K pub = uP as its master public key (3)TA chooses five distinct cryptographic hash functions  Figure 5 shows the registration process.

Partial Key Generation
Phase. Vehicle V i requests the partial key from KGC with its pseudonym PID i . Once received PID i from vehicle V i , KGC works as follows: (1)The KGC first looks up the user list UL obtained from blockchain to ensure that PID i is present in UL, which means that PID i has not been revoked by TA Next, it selects x i ∈ Z * q randomly and computes and publishes public key V pub i = x i P, and the private key is SK i = ðx i , psk i Þ.

Identity Authentication Phase.
During identity authentication, the vehicle V i communicates with the RSUs by using its own pseudonym, and neither the RSUs nor the CS learns to acquire the vehicle's real identity. Figure 6 shows the identity authentication process.
(1) When the vehicle V i comes in the range of first RSU j in a region, it sends an authentication request with its own PID i and V i computes psk −1 i P and then sends it and PID i to RSU j . In order to determine whether the V i is legal, RSU j computes H i 2 ′ = hð PID i kpsk −1 i PÞ and sends the result to CS, and CS queries whether it is equal to its stored H i 2 . If the vehicle is legal, CS sends the result back to RSU j , and finally, RSU j broadcasts the authentication result into blockchain network and which will be recorded on the blockchain after verification (2) After determining the authenticity of the vehicle identity, the RSU j initiates the random integer negotiation process, which sends a random integer N R j encrypted by the vehicles' public key V pub i to the vehicle V i  Figure 5: Distribution of registration data. 6 Wireless Communications and Mobile Computing of the transaction information, it will perform h 3 operation according to N R j and received M V i . If the result is consistent with the H i 3 computed by the vehicle V i , an integer N R j is negotiated between the vehicle V i and the RSU j . Finally, the vehicle stores the N R j in OBU for later message publishing (4) In order to let the vehicle communicates conveniently with other RSUs, the RSU j computes L ij = M −1 V i N R j and packages PID i , V pub i , and L ij into a transaction Tx 1 = ðPID i kV pub i kL ij Þ and then records on the blockchain indicating that N R j can be used by other RSUs in a certain region and the identity of vehicle V i has been verified; that is, other RSUs do not need to repeatedly verify the identity of vehicle V i 4.6. Message Publishing and Validation Phase. After identity authentication phase, the vehicle V i can publish message and the RSU j should verify them. Figure 7 is the scenario of message publishing and validation.
(1) The vehicle V i computes N P = N R j P and H i (2) RSUs deploy a smart contract to verify the correctness and integrity of signature message data (3) Blockchain nodes execute the algorithm. At first, the RSU j determines the freshness of time stamp T i . If T i is not fresh, the message is discarded, and the operation is stopped. Otherwise, RSU j computes  (4) is valid. If so, RSU j accepts fM i , σ i , PID i , T i g: The following is the proof of correctness: (4) The smart contract validates the data through a function interface and returns the correct result True only when H i Otherwise, the error result False is returned. The smart contract verification algorithm in signature message verification phase can be written in Solidity language, and the content of the intelligent contract verification algorithm is roughly as shown in Algorithm 1 (5) If the verification is successful, RSU j packages the transaction Tx 2 = ðH i 4 kM i kPID i kT i Þ, divides the transaction into several parts and stores them in different CS, and then performs h 5 operation on Tx 2 and stores it in the blockchain as CMT. Finally, the transaction is broadcasted to each node 4.7. Tracking. When traffic conditions are safe, but it is inconsistent with the transaction information, other vehicles can report the vehicles who published the false message. The RSUs then report the pseudoidentity PID i = tH i 1 mod q of the malicious vehicle to TA. TA traces the real identity RID i from his database by computing H i 1 = h 1 ðRID i kT reg Þ and revokes the user information ðH i 1 , PID i , PID i s, T reg Þ to update the user list UL accordingly. Finally, the RSU broadcasts the malicious vehicle and new UL to the blockchain.

Security Proof and Analysis
In this part, the security of our scheme under random oracle is proved, and we demonstrate that our basic scheme meets the security objectives in Section 3. In other words, our architecture can provide integrity, anonymity, unlinkability, and so on.

Security Proof
Definition 3. If adversaries A1 and A2 cannot win the following games with negligible probability in polynomial time, then the proposed scheme satisfies the Existential Unforgeability Against Adaptive Chosen Message Attack (EUF-CMA) in the random oracle model.

Theorem 4.
If the running time of an adversary A1 with probability polynomial time in game 1 is t, execute Q i ði = 1 4Þ hash queries, Q PPK partial private key extraction queries, and Q PK public key queries, and the advantage of forging a legal signature after Q σ signature queries is ε; then, the ECDLP problem can be solved with a probability of no less than ε/Q PPK ð1 − 1/Q PPK Þ Q PPK in t ′ ≤ t + OðQ 2 + Q 3 + ðQ 1 + Q 4 + Q PPK + Q PK + Q σ Þt s Þ time, and t s represents the time of one multiplication in group G.
Proof of Theorem. Challenger algorithm C first interacts with adversary A1 to generate an instance of the ECDLP problem, given P, Q = aP, where a ∈ Z * q , P ∈ G. The goal of challenger C is to solve for a. C interacts with A1, responds to all the queries of A1, and records these in the corresponding lists which are initially empty.
(i) Setup: challenger C initializes system parameter fG, P, T pub , K pub = Q, h 1 , h 2 , h 3 , h 4 , h 5 g and sends the system parameter to A1 and C randomly selects ID * as the challenge identity of the game. A1 makes the following inquiries: (1) h 1 oracle: when A1 with an ID i performs this query to h 1 oracle, C records the questions and answers between A1 and C through list L 1 = ð ID i , h 1 ðID i , tÞÞ. If C looks up the corresponding L 1 = ðID i , h 1 ðID i , tÞÞ in L 1 , C returns h 1 ðID i , tÞ to A1; otherwise, C randomly picks h 1 ðID i , t′Þ ∈ Z * q and sends it to A1 and then adds ðID i , h 1 ðID i , t ′ ÞÞ to the L 1 (2) h 2 oracle: when A1 with a PID i performs this query to h 2 oracle, C records the questions and answers between A1 and C through list L 2 = ð PID i , psk −1 i P, u i Þ. If C looks up the corresponding ðPID i , psk −1 i P, u i Þ in L 2 , C returns u i to A1; otherwise, C randomly picks u i ∈ Z * q and sends (3) h 3 oracle: when A1 with ðN R j kM V i Þ performs this query to h 3 oracle, C records the questions and answers between A1 and C through list C randomly picks v i ∈ Z * q and sends it to A1 and then adds ðPID i , psk −1 i P, u i Þ to the L 3 (4) h 4 oracle: when A1 with ðN P kM i kPID i kT i Þ performs this query to h 4 oracle, C records the questions and answers between A1 and C through list returns w i to A1; otherwise, C randomly picks w i ∈ Z * q and sends it to A1 and then adds ðN P k M i kPID i kT i , w i Þ to the L 4 (5) Partial-private key oracle: when A1 with PID i performs this query to partial-private key oracle, C records the questions and answers between A1 and C through list L par = ðPID i , psk i Þ. If C looks up the correspondingðPID i , psk i Þ in L par , C returns psk i to A1; otherwise, if PID i ≠ PID * i , C randomly picks psk i ∈ Z * q and sends psk i to A1 and then saves ðPID i , psk i Þ in list L par . If PID i = PID * i , C stops the game (6) Public key oracle: when A1 with PID i performs this query to partial-private key oracle, C records the questions and answers between A1 and C through list q , let V pub i = x i P and sends V pub i to A1, and then saves ðPID i , x i , V pub i Þ in list L pub (7) Secret value oracle: when A1 with PID i performs this query to secret value oracle, if PID i ≠ PID * i , C gives up and terminates the operation; otherwise, C looks for list L pub , and if record ðPID i , x i , V pub i Þ exists, C returns x i to A1. If not, C performs a public key query to generate tuple ðx i , V pub i Þ, returns x i to A1, and adds ðx i , V pub i Þ to the L pub i , then C outputs the signature σ i corresponding to message M i and transmitsσ i to A1; otherwise, C randomly picks b i ∈ Z * q and computes represents a correct signature of the signer to the messageM i . And then finally, C returns σ i to A1 (ii) Forgery: finally, A1 prints a forged signature. If PID i ≠ PID * i , C stops the simulation; otherwise, C finds the corresponding signature information fM i , σ i , PID i , T i g from the prophecy query list, and if adversary A1 wins the game, then Then, the bifurcation lemma [26] is used to obtain another two sets of valid signatures σ i ðℓÞ , ðℓ = 2, 3Þ in polynomial time, and these three signatures must satisfy And because of V pub i = x i P, B i = b i P, and K pub = aP, there are three linearly independent equations: Challenger C solves the solution of these three equations and takes the a output as the solution of the ECDLP problem.
In the partial private key extraction query, the probability of C not giving up is at least ð1 − 1/Q PPK Þ Q PPK , and the probability of C not giving up in the forgery stage is at least 1/Q PPK . Therefore, the probability of C successfully solving the problem is at least ε/Q PPK ð1 − 1/Q PPK Þ Q PPK . The running time of C is t ′ ≤ t + OðQ 2 + Q 3 + ðQ 1 + Q 4 + Q PPK + Q PK + Q σ Þt s Þ.
Theorem 5. If the running time of an adversary A2 with probability polynomial time in game 2 is t, execute Q i ði = 1 4Þ hash queries, Q X secret value queries, and Q PK public key queries, and the advantage of forging a legal signature after Q σ signature queries is ε; then, the ECDLP problem can be solved with a probability of no less than ε/Q PK ð1 − 1/Q PK Þ Q PK +Q X in t ′ ≤ t + OðQ 2 + ðQ 1 + Q 3 + Q PK + Q σ Þ t s Þ time, and t s represents the time of one multiplication in group G.
The idea and method of proof are similar as that of Theorem 4. A2 only has the ability of hash value inquiry, public key extraction inquiry, secret value inquiry, private key extraction inquiry, and signature inquiry but does not have the 9 Wireless Communications and Mobile Computing ability of public key substitution, so the proof process will not be repeated here.

Message Authentication.
The RSU or any vehicle within the RSU domain can verify the message M i by verifying the pseudoidentity PID i of the vehicle and using its signature σ i . In addition, under the condition that ECDLP is difficult, there is no polynomial-time adversary to forge valid signatures; that is, there is no probabilistic polynomial-time adversary to forge valid messages without using the private key of signature. Therefore, the receiver can verify the authenticity and integrity of message fM i , σ i , PID i , T i g by verifying whether H i 4 ′ and H i 4 are equal to each other and whether (1) holds.

Anonymity.
The vehicle V i in the IoV environment with pseudoidentity PID i sends a message fM i , σ i , PID i , T i g, where PID i = tH i 1 mod q, H i 1 = h 1 ðRID i kT reg Þ, and T reg are the registration time of the vehicle, and t is randomly selected from Z * q . To extract the real identity RID i , the adversary should calculate H i 1 , and t is random. Obviously, it is impossible for the enemy to calculate the RID i of vehicle V i for discrete logarithm problem and one-way hash function. Therefore, the scheme guarantees the privacy of the vehicle.

Unlinkability.
The message M and message M ′ are signed by different private keys SK i , and the pseudoidentity PID i is calculated by TA, PID i = tH i 1 mod q, where H i 1 is the hash value of the real identity RID i and the registration time T reg , and t is a random number, so it is impossible for any adversary to link any pseudoidentity PID i .

Forward Security and Backward Security.
In this scheme, if the adversary obtains the signed message and M P = M V i P, because b i is random, and N R j is a random integer secretly negotiated between the RSU j and vehicle V i . So each signature is different and the adversary cannot infer a previous or subsequent signature message from the current signature message.

Traceability.
The proposed scheme provides conditional identity privacy preservation in IoVs. TA tracked and revealed the real identity of the malicious vehicle from its database. When a malicious vehicle with forged messages is found, the real identity of the malicious vehicle can be traced by TA. TA, as a trust authority, cannot tamper the real identity and the pseudoidentity PID i of a malicious vehicle because tupleðH i 1 , PID i , PID i s, T reg Þ of the vehicle is recorded in a blockchain. Second, only the first RSU negotiates a random integer N R j with a vehicle V i , and a transaction Tx 1 = ðPID i kV pub i kL ij Þ with L ij = M −1 V i N R j , PID i , and V pub i is recorded on the blockchain. Therefore, when the vehicle V i enters the next RSU range, if a new message is to be published, there is no need to renegotiate the random number.

Resilience to Other Attacks
(1) Impersonation Attack. In order to impersonate a registered vehicle, the enemy needs a valid signature for message M i . Therefore, need to be calculated, where N R j is an integer to ensure the integrity of the transaction content negotiated between vehicle V i and RSU j , and the adversary needs to know the private key used for signature. Therefore, in calculation, it is not feasible for the adversary to create another valid request message without knowing the above content. Therefore, the scheme is safe from vehicle simulation attacks.
(2) Modification Attack. In the authentication phase, the freshness of the message is determined by the timestamp at the time of signing, and the message fM i , σ i , PID i , T i g sent by vehicle V i has the timestamp T i of the sender. Any nearby vehicle or RSU can check T i to verify the freshness of the message. It prevents the message fM i , σ i , PID i , T i g from being repeatedly broadcast in the RSU domain, so the scheme protects against replay attacks.
(3) Man-In-The-Middle Attack. Suppose an adversary intercepts a message fM i , σ i , PID i , T i g, and the adversary tries to create a valid signature in place of the vehicle to send to the RSU as an authentication request. However, it can be seen from the signature that the adversary needs to know N R j , b i , and M V i , and these parameters are embedded in the ECDLP difficulty problem, so the scheme is not subject to man-in-the-middle attack.
the message contains the current timestamp; when receiving a message, the RSU checks the validity of the message by comparing the received timestamp to the current timestamp. For valid message and its freshness, the difference between the timestamp should be a small value; therefore, by containing a timestamp in each message, one can ensure that the message is protected from replay attacks because no adversaries can successfully replay the intercepted message.

Performance Analysis
This section will give a function comparison, then analyze and calculate the communication costs of our scheme and 10 Wireless Communications and Mobile Computing related schemes, and make experimental simulation and analysis.
In Table 2, we first give a simplified comparison of functions between our scheme and other related schemes [3,12,19,20] in terms of privacy, decentralization, multistorage, anonymity, unforgeability, and key escrow. We use the symbol "-" to represent that the corresponding property is not considered. In scheme [3], it realises the privacy protection, decentralization, multistorage, and anonymity of vehicles in the authentication process but does not provide unforgeability, nor could it avoid the key escrow. And in scheme [12], it does not consider decentralization and multistorage. The privacy protection, decentralization, and anonymity of vehicles are implemented in the scheme [19]. However, multistorage and key escrow are not considered. As to scheme [20], it achieved the privacy protection, decentralization, unforgeability, and avoided key escrow but did not have multistorage and anonymity. As shown in Table 2, our scheme satisfies all the above functions.
6.1. Computational Cost Analysis. In terms of computational overhead, we analyze our scheme and compare it with the recent correlative signature schemes [3,12,19,20] for signature generation and verification in V2I communication.
We use a MIRACL simulation library in VS 2019. The simulation environment is Win1064 bit, and the hardware environment is Intel Core i5 3.10 GHz. T bp denotes the execution time of a bilinear pairing operation, T sm denotes the execution time of a scalar multiplication operation in G 1 , T pa denotes the execution time of a point addition operation in G 1 , T pm denotes the execution time of a point multiplication operation in G 1 , and hash operation is not considered for its low load. The addition and multiplication of points on an elliptic curve are performed under a nonsingular elliptic curve y 2 = x 3 + ux + vðmod qÞ, where 4u 3 + 27v 2 ≠ 0ðmod qÞ. Table 3 shows the computation costs of the proposed scheme and schemes [12,19,20] in the signature and verification stage. As for scheme [3], it is defaulted that only legal vehicles can publish messages. Therefore, vehicles only submit messages without signing and RSU does not need to perform identity verification. Because only hash operation is included, the computation is very low, but this is exactly a security vulnerability. In [12], users need to perform four scalar multiplication operations and two point addition operations at the signing stage; that is, users need 4T sm + 2 T pa in total and RSUs need 3T bp + 3T sm + T pa . The computation cost is 3T pm + 3T pa , 3T bp + 5T pm + T pa , 2T sm , and 2 T bp + T pa in [19,20], respectively. Our proposed scheme needs three point multiplication operations on elliptic curves and one scalar multiplication (i.e., 3T pm + 2T sm ) in the signature process. In the verification process, the computational cost is 5T pm + 2T pa . Our scheme is built on elliptic curves with less computation overhead. There is no bilinear pairing operation with higher computation overhead in the signature and verification phase. Only point and multiplication operations with lower computation overhead are used. Therefore, the computation overhead of this scheme is better than the other three schemes in the signature and verification phase.

Communication Cost Analysis.
To analyze the communication overhead of the proposed scheme and the related signature schemes [12,19,20], we analyze the communication overhead by considering the size of parameters. At the security level of 80 bytes, the p − length equation E : y 2 ≡ ðx 3 + xÞ mod p is 64 bytes, and the elements on the circle group G occupy 128 bytes. We consider the size of the timestamp to be 4 bytes and the size of the normal hash function to be 20 bytes. Table 4 shows the communication costs of the proposed scheme and schemes [3,12,19,20]. As can be seen from Table 4, the communication overhead of Zheng et al. is the lowest in these five schemes because only message is transmitted without signature. Then, our scheme is significantly lower than that of Bagga et al. and Ren et al. Although the communication cost of the proposed scheme is the same as that of Malhi and Batra, the computation is significantly lower than that of Malhi and Batra. Therefore, our scheme has more communication advantages.

Experimental Simulation and Analysis.
This section uses the MIRACL library to test the computation costs in Table 3 in Visual Studio 2019. Figures 8 and 9 show the relationship between the number of message and the time consumed by the proposed scheme and the other three schemes in the   Figures 8 and 9 that our scheme has no significant advantages in the signature phase but has obvious advantages in the verification phase, because in our scheme, only the message needs to be authenticated, rather than the vehicle identity needs to be authenticated. Specifically, the vehicle identity information is authenticated by the first RSU, and transactions are recorded permanently and immutably in the blockchain to reduce the repeated authentication load of other RSUs.
Through theoretical analysis and simulation experiments, it is intuitive to see that with the increase of messages, the proposed scheme has certain efficiency advantages over the schemes [12,19,20].
The packet loss rate and delay are tested according to the time and traffic of the scheme in the signature and verification stage. A scenario is simulated by using VanetMobiSim and NS-2, as shown in Figure 10. The scenario is divided into four parts, and each part is managed by an RSU. The vehicle speed is controlled between 7 m/s and 45 m/s, the communication range is 400 m, the message interval is 80 ms, and the data packet sizes are 536 bytes, 664 bytes, 660 bytes, and 536 bytes, respectively.
When testing the packet loss rate and time delay, set the number of vehicles to gradually increase from 5 to 95. The simulation results of packet loss rate are shown in Figure 11. The packet loss rate in the four schemes is also gradually increasing as the increase of the number of     vehicles. When the quantity of vehicles reaches a certain number, the packet loss rate tends to be stable. Compared with the other three schemes, our scheme has the lowest packet loss rate, which shows that our scheme has high efficiency. The delay results are shown in Figure 12. Although the delay of the four schemes increases gradually, the delay of our scheme is the smallest. Therefore, the communication timeliness of our schemer is higher than that of the other three schemes.
To sum up, through theoretical analysis and simulation experiments, our scheme has certain advantages in traffic, computation, packet loss rate, and delay, so it is suitable for the IoVs with high security and high efficiency requirements.

Conclusion and Future Research
On the basis of the scheme [3], we put forward an effective cross-domain certificateless anonymous authentication scheme based on blockchain by using pairing-free signature verification scheme. Our scheme reduces the computing cost of signature verification on RSUs, solves the key escrow problem in traditional authentication scheme, and improves the efficiency of V2I communication. In addition, the blockchain built by RSUs is introduced to the scheme, the vehicle identity and messages realise cross-domain authentication through a random integer negotiation process, and the blockchain stores the identity information of the vehicle and the authentication results of the signature. As a result, the load and delay caused by repeated identity and message authentication are prevented. Our scheme is provably secure and provides integrity, anonymity, privacy, traceability, revocation, and nonrepudiation. Experiments show that our scheme is efficient in terms of computation costs, latency, and packet loss rate for signature generation and verification.
Compared with cloud computing, edge computing is very faster, reduces network latency, and is more reliable. Therefore, the future works are suggested to study anonymous authentication based on edge computing in IoVs.

Data Availability
All relevant data are within the paper.

Conflicts of Interest
The authors declare that they have no conflicts of interest.