Secure and Efficient Communication in VANETs Using Level-Based Access Control

In recent years, the development of vehicular ad-hoc networks (VANETs) has received much attention in intelligent transportation systems (ITS). Unlike traditional ad-hoc networks, VANETs are emerging with unique characteristics that share similar technology with autonomous vehicles (AVs) and automated driving systems (ASDs). Communication between vehicles and the surrounding infrastructure unit, such as a roadside unit (RSU), must be secured, concise, and authentic. Hence, an access control system for the ad-hoc environment is required. We introduced a level-based controlled signcryption (LBS) scheme, which can be easily constructed and implemented into an access control system for the VANET environment. Our encrypted message has a short and constant size, which is better when compared with other attribute-based signcryption or encryption. Confidentiality, privacy, and authenticity are also provided in our scheme to ensure secure and authentic communication. Therefore, our scheme has addressed communication cost, scalability, security, and privacy issues in VANETs. This primitive can be applied to simplify attribute-based access control, as the only attribute required is an integer representing the security level. Our objective is to improve the quality and security of VANET communication. Moreover, an optional privacy mechanism in our scheme provides flexibility in controlling node privacy in VANETs.


Introduction
Vehicular ad-hoc networks (VANETs) are a key enabling technology in the development of autonomous vehicle technology and intelligent transportation systems (ITS). A VANET is a form of communication network that connects vehicles to vehicles and vehicles to roadside infrastructure. For example, Figure 1 shows communication between roadside units (RSUs) and vehicles. It also shows that vehicles can access information at the edge of an ITS server or the Internet. VANETs together with ITS and the Internet deliver a wide range of services, such as route guidance, traffic conditions (e.g., average vehicle density and speed), safety alerts, proximity advertisements, location-based positioning information, and entertainment. In general, vehicles in VANETs need to connect wirelessly to ITS applications and the Internet via RSUs. Vehicles exchange information with edge ITS servers to access a variety of local environmental data. For example, a subject's location positioning data are obtained through real-time point cloud data from LiDAR devices and cameras. This crucial information is particularly important for vehicles to be aware of any hidden out-of-sight vehicles/subjects that cannot be observed by the vehicle itself [1].
This is the fundamental information distribution system for autonomous vehicles (AVs). Despite the fact that VANETs and AV networks share similarities in communication and security issues, research in both areas has typically been conducted separately [2]. Secure broadcast communication plays a significant role in both systems. Whether using purely cellular, purely ad-hoc, or a hybrid architecture [3], VANETs need a confidential, efficient, concise, and precise communication protocol and access control.
To date, many security mechanisms have been proposed for VANETs. Insight on security issues related to VANETs can be found in surveys conducted by Malhi et al. [4] and Engoulou et al. [5]. The security challenges described in Malhi et al. [4] are the dependence on infrastructure, RSU range of communication, high mobility, difficulty in trust management, huge amount of data, scalability, and high cost. Our work aims to provide an efficient primitive for access control and secure communication, which will solve many of the security challenges related to the communication aspect of VANETs. For example, an efficient primitive should be able to work efficiently in architectures for high mobility, and it should provide a high degree of scalability for secure network access and have low communication overhead to reduce the amount of data in the network. An attribute-based access control where an integer representing the security level is the only attribute in the system will help simplify the hierarchical structure of a VANET. We call this level-based access control. The purpose of clustering protocols in VANETs is to improve the performance of target tracking, traffic estimation, misbehaviour detection, privacy preservation, and certificate revocation, which makes a significant contribution toward the dependence on infrastructure issue [6]. By providing an optional privacy mechanism in our primitive, it is easy to construct secure revocable local cluster communication.
Other than secure, fast, and efficient communication in VANETs, authentication, integrity, confidentiality, access control, and privacy are security requirements that are important in VANETs. Nevertheless, security requirements are application dependent. For example, message broadcasts from an RSU and message broadcasts from/to neighbouring vehicles may need to use two different primitives to satisfy VANET security requirements. To emphasise the importance of broadcast communication in VANETs, a survey on the quality-of-service (QoS) in relation to broadcast protocols is summarised [7]. It is an unavoidable fact that broadcast protocols play a significant role in VANETs for delivering emergency messages for the safety of vehicles or for reducing ad-hoc communication overhead. Due to the nature of VANETs, which comprise transient nodes and often unexpected changes in network topology, level-based access control can significantly improve broadcast performance.
Let us illustrate this based on the following example. The Bell-LaPadula model can be used for simple but efficient access control in sharing resources and communication in a VANET (or ad-hoc network) environment. However, based on the aforementioned reason, we argue that multilevel security can help to make communication in VANETs simple but secure. For example, let us consider a VANET with a number of security levels, such as top-security level, high-security level, operator security level, and general user level. An ambulance, which is a node in the VANET, wants a roadside unit to arrange the best route to a hospital. The roadside unit, which has the operator security level, only needs to know that the ambulance is a high-security level node in order for it to help manage the route and traffic. Assuming that all vehicles on the road are autonomous vehicles, the roadside unit may request that other vehicles make way for the ambulance due to its high-security level.

Related Work.
There are three areas of work that closely relate to our work. These are reviewed in this section.
First, there is attribute-based and policy-based cryptography. Sahai and Waters were the first to propose attribute-based encryption in [8]. However, the implementation is not flexible and is only limited to particular systems. Later, Goyal et al. formalised and demonstrated a more general key-policy design for attribute-based encryption in [9]. An attribute-based encryption (ABE) scheme is a cryptographic primitive that only allows users who satisfy the fine-grained access structure to decrypt the ciphertext. A ciphertext is generated by encrypting a message along with a public string p. By using a decryption key associated with a Boolean predicate function φ(.), the ciphertext can be decrypted only when φ(p) is true. Their ABE scheme can be classified as a key-policy attribute-based encryption (KP-ABE). Basic KP-ABE uses threshold gates to express the access policy.
In later work on ABE schemes, logic gates (AND/OR) and threshold gates were used to construct the policy in ABE. A ciphertext-policy attribute-based encryption (CP-ABE) scheme was first proposed by Bethencourt et al. [10].
This primitive allows the policy to be constructed with a combination of numerical comparison and logic gates. Attribute-based access control benefited from this primitive in practice. Hence, their work is used for comparison with our work in a later section. Following their work, much research on CP-ABE has been published within the last decade. Recently, a CP-ABE scheme for a complex constructed attribute with multiauthorities was proposed by Rouselakis and Waters [11]. Their scheme supports any string for the attribute in the policy, and it can combine multiple trusted authorities in a single policy.
This is an efficient and practical scheme that can cover a wide range of users, on the condition that the attributes and the policy must not be complicated. Hence, this work was also included for comparison with our scheme. Another CP-ABE scheme, which is constructed without a bilinear function, was proposed by Yao and others [12]. Their scheme achieves significantly fast computation, which is suitable in the Internet of Things (IoT) and wireless sensor network (WSN). Therefore, our work is also compared with this primitive in the comparison section of this study. Moreover, Xue et al. proposed a comparable attribute-based encryption scheme (CABE) in [13]. The CABE scheme provides a new way for attribute comparison which is an inspiration for our work. It allows the system to test whether an attribute is equal to, more than, or less than the given policy.
Similar to attribute-based cryptography, Bagga and Molva [14] introduced the notion of policy-based cryptography (policy-based encryption and policy-based signature schemes). The policy in CP-ABE proposed by Bethencourt et al. [10] is conceptually similar to policy-based encryption. However, the access structure and complexity of the policy are more comprehensive, which can easily be used in an access control system. Due to the nature of applications in our work, we only applied the concept of a policy tree implementing integer comparison. With only an integer attribute in the policy (no AND/OR logic gates), our scheme achieves a constant size ciphertext.
Bellare and Fuchsbauer later formally defined the security definition of policy-based signatures [15]. Like the attribute-based signature, a signer in the policy-based signature can sign on a message only if he/she meets the policy's requirement (or attributes). From a signer's point of view, both attribute-based and policy-based signatures ensure message integrity and authenticity properties. The authenticity and integrity of the message can be validated by only a verifier. Nevertheless, the signature cannot be generated or forged by anyone besides the signer who met the policy requirements. A variant policy-controlled signature scheme was proposed in [16], where authenticity was done in a reversed manner and limited to only the attribute-credential holder (verifier). In contrast to attribute-based and policy-based signatures, policy-controlled signatures guarantee that only verifiers, who hold credentials that satisfy the policy or attributes, can verify the authenticity and integrity of the message and the nonrepudiation of the signer.
Closely related work on an attribute-based signature (ABS) scheme was presented in 2008 by Maji et al. [17]. They also proposed an ABS scheme in the standard model in [18]. In this primitive, a signer reveals nothing about their identity in the signing process. It shows only their specific attributes. Many variant ABS schemes were put forward based on Maji et al.'s works. These are presented in [19][20][21][22][23][24][25][26]. Shahandashti and Safavi-Naini [19] and Li et al. [27] independently published their work on the same topic of ABS with threshold predicate. Escala and others [22] also presented an ABS scheme with threshold predicate. Their scheme was equipped with a revocation method. They also formalised the adaptive unforgeability property for their ABS scheme. Additionally, a constant size ABS with threshold predicate was proposed by Herranz et al. [21]. Later, an ABS scheme with arbitrary circuits, which is supposed to be more efficient than the ABS schemes proposed by Maji et al. [18,25], was presented by Sakai et al. [26]. This is true only when we increase the gate numbers. Their construction is based on the combination of a witness indistinguishable, an extractable noninteractive proof system and an existentially unforgeable signature scheme.
As mentioned above, many ABE and ABS schemes were proposed in the last decade. It seems that a simple solution for the aforementioned problems can easily be achieved by applying attribute-based or policy-based cryptography to encrypt a message and its signature. Only qualified users, who hold the proper credentials, can recover the message from an encrypted message. However, this is not entirely true since authentication of the signature can be transferred to a third party. Since the products after the decryption process are the signature and the message, they can be verified by any party. From the aforementioned scenario, signcryption's ability to authenticate and decrypt should be limited to verifiers who hold credentials that satisfy the security level.
The second related topic is the hierarchical identity-based signature and encryption scheme (HIBS and HIBE). HIBE is a concept that combines an identity-based encryption (IBE) scheme and a hierarchical system. In the hierarchical system, a user's identity at the security level k is able to generate a secret key for the identity of its descendants. It also can decrypt a ciphertext meant for its descendants but not for other identities. Hence, it can provide a similar solution to the aforementioned problems about multilevel security. Our work has a slightly similar aspect; however, it differs in key generation and distribution. For example, every level in our scheme only has a single branch, but it can generate multiple private keys for the branch. Following the introduction of HIBE, there has been much subsequent work in this area [28,29]. As a natural conversion from the HIBE scheme, the hierarchical identity-based signature (HIBS) scheme also inherits its properties. The ancestor's identity can generate a secret key for the identity of its descendants, and it can generate the signature on behalf of its descendants as well. However, it cannot generate a signature on a message on behalf of other identities.
Boneh et al. were the first to propose a HIBE scheme with a constant size ciphertext in [30]. Our work on a constant size ciphertext was inspired by their work. Zhang et al. [28] proposed a compact size HIBE with a constant size private key. Their scheme's distinct feature is having a constant size for both private key and ciphertext. Our scheme achieves this feature as well. A review of existing HIBS schemes can be found in [29]. Chen et al. provided a performance comparison between four HIBS schemes. Our work uses a similar approach for comparison with various schemes. In general, the benefit of using HIBE and HIBS in the network system that applied the identity-based public key system is to mitigate the bottleneck in the communication. Moreover, it is also to limit the key escrow. Nevertheless, similar to ABS schemes, HIBS only provides authenticity and message integrity for a signer, but not nonrepudiation and authorisation for a verifier.
The final related area of work is signcryption and attribute-based signcryption. Zheng was the first to propose the signcryption scheme in [31].
This primitive provides both authenticity and secrecy. The first attribute-based signcryption (ABSC) scheme with threshold predicate was presented by Gagné et al. [32]. The primitive is a solution to the problems mentioned earlier, but is much less efficient when compared to our scheme in terms of communication overhead and computation. Following the above work, several researchers proposed some works [33][34][35] to improve ABSC schemes in terms of applications and concrete construction in the standard model, efficient constructions, and formal security models, respectively. Pandit et al. [33] provided an ABSC scheme in a standard model. Their scheme proved to be secure in the IND-CCA in the adaptive-predicate model. The ABSC-based linear codes secret sharing scheme was introduced by Song et al. in [34]. The access control system based on ABSC scheme was proposed by Zheng et al. in [35]. They showed that the key agreement scheme, an important tool for the access control system, can be constructed efficiently with ABSC. Rao [36] proposed an attribute-based online/offline signcryption scheme, which reduced the computation signing time when needed. A certificateless threshold signcryption scheme proposed by Yu et al. in [37] allows t-out-of-n senders to work together to generate the signcryption for applications such as petitions and voting. Wang et al. [38] proposed an efficient signcryption with a designated equality test. It allows a trusted third party to check the validity of ciphertext with a given message. Later on, Le et al. put forward a signcryption scheme in the standard model in [39], which adopted the concept of the designated equality test by Wang et al. in [38]. Nevertheless, in Wang et al.'s scheme [38], a signature on a message can easily be extracted from a signcrypted ciphertext. Hence, a signcrypted ciphertext can be linked to the sender identity. Recently, Yu et al. [40] introduced a lightweight hybrid ABSC scheme for IoT systems.
Their scheme allows a low-power and low-computation device to pass the heavy computation in the signing and encrypting process to the edge node before returning the partial output. However, its communication cost (ciphertext size) is linear to the attributes; hence, it is only suitable for a simple access control system for the IoT system. The feature comparison between signcryption, HIBE, ABE, ABSC, and our LBS schemes is given in Table 1.
Finally, the access control schemes for ad-hoc networks or the Internet of Things are reviewed. There are many access control systems that have been proposed recently [41][42][43][44]. Vijayakumar et al. [41] proposed an access control scheme that can be secure against attacks such as message replay attack, Sybil attack, masquerading attack, integrity attacks, and collusion attacks. Wazid et al. [42] proposed an access control scheme that is secured in the fog computing environment. Recently, Xia et al. [43] introduced an efficient authentication and key agreement scheme for a secure and anonymous access control system. It allows users to identify themselves without revealing their identity. This anonymous property is intriguing the optional anonymity in our scheme. Our scheme is designed to easily apply with the access control system, which allows users to securely and privately transmit their broadcast messages or private data to other users. It also reduces the process of encryption and signing in the existing access control schemes mentioned above. To further the benefits from privacy-preserving in our scheme, we believe that our scheme can integrate with AI-enabled blockchain-based access control proposed by Bera [44]. Hence, the anonymity in intrusion detection systems that detect and mitigate malicious attacks for the Internet of Everything (IOE) environment can be constructed. Moreover, our scheme can be designed for the access control system in an ad-hoc environment, such as VANETs, since a node can prove itself to another node that it holds a valid credential. Moreover, the proof cannot be replicated and transferred to other parties. Hence, it provides another privacy protection layer on top of it.

Our Contributions.
To tackle the secrecy and privacy issue in communication over VANETs or AV networks, we propose a level-based controlled signcryption (LBS) scheme for level-based access control systems. This primitive provides access control with a hierarchical structure or a simple multilevel access control. Level-based access control can be viewed as a simplified version of attribute-based access control where the only attribute is an integer representing the security level. Our aim is to flexibly and efficiently allow nodes to communicate with other nodes securely and privately. Hence, we provide an optional privacy mechanism in the signcrypting (sign with encrypt) and unsigncrypting (verify with decrypt) processes. The security of this primitive is also formalised in this study. The notion of LBS schemes allows receivers, who hold a credential of a certain security level specified by the sender, to verify the authenticity of the ciphertext and to decrypt it. Moreover, with optional privacy, higher levels of confidentiality can be provided in the LBS scheme. LBS with optional privacy provides privacy between two or more parties when required. Nodes in VANETs can securely, confidentially, and flexibly send messages to an individual node, a group of nodes, or all nodes (message broadcasts are often used in VANETs to get the current routing in the network). Hence, the LBS scheme is suitable for mass encryption with authenticity and privacy.
We organized our study as follows. Some preliminaries and definitions are defined in the next section. In Section 3, the formal definition of level-based controlled signcryption is presented. The security model is described as well in the same section. The construction detail of the LBS scheme is described with its security proofs in Section 4. Finally, a comparison of our concrete scheme with ABS schemes and the conclusion of this study are presented in the last two sections.

Notation.
The rest of this study will use the following notations. We say that a function $f: \mathbb{N} \to \mathbb{R}$ is negligible if, for all $c > 0$ and for all sufficiently large $n$, $f(n) < 1/n^{c}$. $poly(\cdot)$ is a deterministic polynomial function. Let $[n]$ represent a series of numbers (or indexes), e.g., if $n$ is integer, Let poly be a polynomial function. The security parameter is denoted by $\ell$, and the polynomial time is denoted by $P$. We say that $P \in poly(1^{\ell})$ if $\forall poly(1^{\ell}); \forall \ell: P \leq poly(1^{\ell})$.
A process that randomly selects the element $l$ from a set $L$ is denoted by $l \xleftarrow{\$} L$. Let $H: \{0,1\}^{*} \to G_1$ be a collision-resistant hash function that maps a string to $G_1$. Let $h: \{0,1\}^{*} \to \mathbb{Z}_p^{*}$ be a collision-resistant hash function that maps a string to $\mathbb{Z}_p^{*}$.

Bilinear Pairing.
Let us define $G_1$, $G_2$, and $G_T$ as cyclic multiplicative groups. The generators of the $G_1$ and $G_2$ groups are $g_1$ and $g_2$, respectively. $p$ is defined as a prime number and the order of all generators. $e$ is denoted as an efficient algorithm that maps $G_1 \times G_2 \to G_T$. We call this function a bilinear mapping function. The bilinear mapping function has the following properties: (1) Bilinearity: is defined as an existing function mapping $G_1$ to $G_2$ in a one-time unit. It is also true in another way around.

Complexity Assumptions
Definition 1 (Computational Diffie-Hellman (CDH) problem). With a triple $(g, g^{\chi}, g^{\psi}) \in G_1$ as input and $g^{\chi \cdot \psi}$ as output, we say that an algorithm $A$ with an advantage probability $\epsilon'$ breaks the CDH problem if Note that the probability is taken over the random bits used by $A$ and the arbitrarily selected random integers $\chi, \psi \in \mathbb{Z}_q^{*}$.
The $(t, \epsilon')$-CDH assumption holds if no probabilistic polynomial time-bound (PPT) algorithm with time complexity $t(\cdot)$ and a probability advantage of at least $\epsilon'$ in breaking the CDH problem exists.
Definition 2 (Decisional bilinear Diffie-Hellman (DBDH) problem). With a random quadruple $(g, g^{x}, g^{y}, g^{z}) \in G_1$ and a random integer $Z \in G_T$ as input, determine if $Z = e(g, g)^{x \cdot y \cdot z}$ or not. An algorithm $A$ solves the DBDH problem in $G_1, G_T$ within $t, \epsilon'$, if $A$ runs in time $t$, and (2) Note that the above probability is taken over the random bits used by $A$, random integers $x, y, z, d \in \mathbb{Z}_p$, a random group $g \in G_1$.
The $(t, \epsilon')$-DBDH assumption in $G_1, G_T$ holds only if no PPT algorithm $(t, \epsilon')$-solving the DBDH problem exists.

Level-Based Signcryption Schemes with Optional Privacy (LBS)
There are three main players in the level-based signcryption (LBS) scheme. A sender S generates a ciphertext that can only be verified and decrypted by a receiver V who holds a credential that satisfies the level-based security policy. This scenario can be used to ensure communication among authorised users. It can be used for message broadcasts in VANETs. It can also be used in secure group chats. However, if a sender wants to limit verification of the ciphertext to a particular receiver, the sender needs to place a personal receiver's public key in the signcryption. We call this "optional privacy." The "optional privacy" scenario is useful for sending private messages between the sender and the receiver.
This solution can also be applied to a group of receivers where they share a group secret key, which is not affected by a member's secret key. The last player is a trusted authority TA. In this level-based security system, a credential is generated by TA, which associates the credential with the given security level. Notations on security level and level-based policy are defined as follows: L is a security level that is specified in the level-based security policy. LP is defined as a level-based security policy that contains a security level as a security clearance of a verifier. Let us consider the following example. LP = "L ≥ l" means l is the minimum security level, and the policy is set such that l is the minimum level that can decrypt the ciphertext. Note that other types of index or symbol, such as A, B, C, and D, also can be used to indicate the security level in LP. We assume that the security levels are in ascending order, which means that the higher the number, the higher the security clearance.
System parameter generation (Setup): with a security parameter $\ell$ as input, Setup, a probabilistic function, generates the system parameter param as follows:
TA key generator (TKeyGen): with param as input, TKeyGen, a probabilistic function, generates the private key ($sk_{TA}$) and the public parameter ($pk_{TA}$) of a trusted authority as follows:
Signer key generator (SKeyGen): with param and $pk_{TA}$ as input, SKeyGen, a probabilistic function, generates the private key ($sk_E$) and the public parameter ($pk_E$) of a signer as follows: $SKeyGen(param, pk_{TA}) \to (pk_E, sk_E)$.
Verifier credential generator (CreGen): with param, $sk_{TA}$, and an assertion L indicating the security level of a verifier as input, CreGen, a probabilistic function, generates a verifier's credential C as follows:
Signcryption (SCrypt): with param, $pk_{TA}$, $sk_E$, $pk_E$, a message M, and a level-based security policy LP as input, SCrypt, a probabilistic function, generates a sender's ciphertext C, that is,
Unsigncryption (USCrypt): with param, $pk_{TA}$, $pk_E$, LP, C, and C as input, USCrypt, a deterministic function, returns the decisional output $d \in \{M, reject\}$, that is, $USCrypt(param, C, pk_{TA}, pk_E, LP, C) \to d$.
Signcryption with optional privacy (SCOP): with param, $pk_{TA}$, $sk_E$, $pk_E$, $pk_R$, a message M, and a level-based security policy LP as input, SCOP, a probabilistic function, generates a sender's ciphertext C as follows: $SCOP(param, M, sk_E, pk_E, pk_R, pk_{TA}, LP) \to C$.
Unsigncryption with optional privacy (USCOP): with param, $pk_{TA}$, $pk_E$, $sk_R$, LP, C, and C as input, USCOP, a deterministic function, determines the validity of the input and returns the decisional output $d \in \{M, reject\}$, that is,

Unforgeability.
The unforgeability property in LBS provides an assurance that an attacker who is allowed to make credential queries cannot generate a valid level-based signcryption $C^{*}$ that appears to be signed by the sender S on a new message $M^{*}$. The attacker is allowed to access the signing oracle SSO and the verifying oracle VCO. The $pk_E$ and $pk_{TA}$ are also known to the attacker; however, a signer's secret key $sk_E$ is restricted. Even if the attacker can arbitrarily select a message M, the entire set of credentials, and a level-based security policy LP as input, a valid signcryption on a new message $M^{*}$ cannot be generated. We call this security against existential unforgeability under the adaptive chosen message and credentials exposure attack (EUF-CMCEA).
Let us define some notations before giving a formal definition. Let $A_U$ be the adaptively chosen message and credentials exposure adversary. We assume that $A_U$ is an adversary who attacks the unforgeability of the LBS scheme. F is defined as a simulator who runs the attack simulation with $A_U$. Note that C is defined as the credentials of the entire security level, for example, if the system has 15 security levels, then $C = (C_1, \ldots, C_{15})$.
The SSO and VCO oracles that describe the ability of adversaries to break the unforgeability of an LBS scheme are illustrated as follows.
SSO(., .): at most $o_S$ times, when a query for a signcryption C on its choice of message M and a signer S corresponding to $pk_E$ is issued, SSO runs the Sign algorithm to generate a signcryption C on a message M corresponding to $pk_{TA}$, $pk_E$, and LP. Finally, SSO responds to the query with C.
VCO(.): at most $o_C$ times, when a query for credential $C_i$ corresponding to the arbitrarily chosen security level L is issued, VCO responds with the corresponding credentials C.
The formalisation of unforgeability is now defined in the following statements. For a level-based signcryption, an adversary $A_U$ is associated with the experiment given in Algorithm 1. $A_U$ has two functions, namely, the st R stage and the forge stage. Using an adaptive strategy, $A_U$, in the st R stage, arbitrarily chooses a message and makes queries to the signing oracle SSO(., .) and the credential oracle VCO(.). The query processes are allowed repeatedly according to $A_U$'s strategies. At the end of this stage, $A_U$ outputs a message M and a level-based security policy LP along with some state information (st) to be used in the forge stage. In the second stage, $A_U$ takes M, LP, st as input and outputs a valid level-based signcryption C. $A_U$ wins the above experiment if
(1) $A_U$ results a forged signcryption δ on a new message $M^{*}$ corresponding to $pk_E$ and LP
(2) $M^{*} \leftarrow USCrypt(C, pk_E, LP, C)$
(3) $A_U$ never makes a request for a level-based signcryption with $M^{*}$, $pk_E$, LP to the SSO oracle
ADV EUF-CMCEA (.) denotes the probability that $A_U$ successfully passes the winning condition in the above simulation.
does not exist. Let $A_U$ run at most t times and make at most $o_S$ signing queries and $o_C$ credential queries.

Indistinguishability.
The indistinguishable property is modelled on the indistinguishability of ciphertext in the selective-credential exposed model. The attack models can be divided into two different models, which are the chosen plaintext attack and the (active) chosen ciphertext attack. The first attack model aims to prevent a group of corrupted credential holders (malicious receivers) from verifying and decrypting a level-based ciphertext C on a message M with a level-based security policy LP, where these malicious receivers do not have enough credentials to satisfy the security level indicated in LP. In the second attack model, an attacker has the added power to query for verification of any signature, except for the challenge signature, because he/she does not have credentials that satisfy the level-based security policy LP to verify it by himself/herself.
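The first attack model above can be run as a game between a challenger and an under-privileged receiver. The sketch below is an added example, not the paper's construction: it replaces the pairing-based LBS scheme with a symmetric hash-chain stand-in, so it models only confidentiality against receivers whose level is below the policy, not sender unforgeability. The names `ToyTA`, `policy_key`, `Receiver`, `Abort`, the four-level setup and the abort rule on exposed credentials are assumptions made for the illustration.

```python
# Added illustration: symmetric stand-in, NOT the paper's pairing-based LBS.
import hashlib
import hmac
import secrets

LEVELS = 4  # constructed: 1 = general user ... 4 = top-security level

def _prf(key, label):
    return hmac.new(key, label, hashlib.sha256).digest()

def _walk_down(key, steps):
    # One-way chain: the key of level i-1 is PRF(key of level i, "down").
    for _ in range(steps):
        key = _prf(key, b"down")
    return key

def _xor_stream(key, nonce, data):
    blocks = (_prf(key, b"ks" + nonce + i.to_bytes(4, "big"))
              for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, b"".join(blocks)))

class ToyTA:
    """Stand-in trusted authority holding the top-level chain key."""
    def __init__(self):
        self._top = secrets.token_bytes(32)

    def cre_gen(self, level):
        if not 1 <= level <= LEVELS:
            raise ValueError("unknown security level")
        return level, _walk_down(self._top, LEVELS - level)

def policy_key(cred, l):
    """Key for LP = "L >= l", or None when the credential level is too low."""
    level, key = cred
    return _walk_down(key, level - l) if level >= l >= 1 else None

def scrypt(ta, msg, l):
    """Stand-in SCrypt: encrypt-then-MAC under the level-l key."""
    key = policy_key(ta.cre_gen(LEVELS), l)
    if key is None:
        raise ValueError("policy level out of range")
    nonce = secrets.token_bytes(16)
    body = _xor_stream(key, nonce, msg)
    tag = _prf(_prf(key, b"mac"), nonce + body)
    return nonce + body + tag  # 48 bytes of overhead for any number of levels

def uscrypt(cred, ct, l):
    """Stand-in USCrypt: returns M, or None for "reject"."""
    key = policy_key(cred, l)
    if key is None or len(ct) < 48:
        return None
    nonce, body, tag = ct[:16], ct[16:-32], ct[-32:]
    if not hmac.compare_digest(tag, _prf(_prf(key, b"mac"), nonce + body)):
        return None
    return _xor_stream(key, nonce, body)

class Abort(Exception):
    """The adversary broke a query rule, so the run does not count."""

def ind_cpa_game(adversary):
    ta, exposed, signed = ToyTA(), [], []

    def vco(level):              # credential oracle
        exposed.append(level)
        return ta.cre_gen(level)

    def sso(msg, l):             # signcryption oracle
        signed.append((msg, l))
        return scrypt(ta, msg, l)

    m0, m1, l = adversary.choose(sso, vco)
    if len(m0) != len(m1):
        raise Abort("challenge messages differ in length")
    b = secrets.randbelow(2)
    guess = adversary.guess(scrypt(ta, (m0, m1)[b], l), sso, vco)
    if any(level >= l for level in exposed):
        raise Abort("an exposed credential satisfies LP")
    if any(pl == l and m in (m0, m1) for m, pl in signed):
        raise Abort("SSO was queried on a challenge message under LP")
    return guess == b

class Receiver:
    """Constructed adversary holding one credential of level cred_level."""
    def __init__(self, cred_level, policy_level=3):
        self.cred_level, self.l = cred_level, policy_level

    def choose(self, sso, vco):
        self.cred = vco(self.cred_level)
        self.msgs = (b"route A clear".ljust(16), b"route B blocked".ljust(16))
        return self.msgs[0], self.msgs[1], self.l

    def guess(self, challenge, sso, vco):
        self.recovered = uscrypt(self.cred, challenge, self.l)
        if self.recovered in self.msgs:
            return self.msgs.index(self.recovered)
        return secrets.randbelow(2)
```

`ind_cpa_game(Receiver(2))` returns whether a level-2 receiver guessed the challenge bit for the policy "L ≥ 3"; `Receiver(3)` recovers the plaintext, but the run raises `Abort` because its credential satisfies LP.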
Before describing the formal definition of these models, some definitions are first defined. $A_I$ is defined as the adaptive chosen plaintext (or ciphertext) and chosen level-based security policy distinguisher.

Chosen Plaintext Attack (IND-CPA).
The signcryption oracle SSO, credential generator oracle VCO, and verification oracle VSO are used to describe the abilities of $A_I$ breaking the chosen plaintext attack in the selective-credential exposed model (IND-CPA). The VCO and SSO oracles are described as follows: SSO responds with the result of the SCrypt algorithm generating a ciphertext C corresponding to a message M, $pk_{TA}$, $pk_E$, and LP.
Formalisation of indistinguishability under the adaptive chosen plaintext attack model of an LBS scheme is described as follows. The experiment that is associated with an adversary $A_I$ of a level-based signcryption scheme is illustrated in Algorithm 2. $A_I$ has two functions, which are the st C stage and the guess stage. Using an adaptive strategy, in the st C stage, $A_I$ arbitrarily chooses a message and makes queries to the signing oracle SSO(., .) and the credential oracle VCO(.). The query processes are allowed repeatedly according to $A_I$'s strategies. $A_I$ outputs two messages $(M_0, M_1)$, a level-based security policy LP and some state information (st) used in the guess stage at the end of the stage. Based on a previously set bit b, the experiment runs SCrypt with a message $M_b$ as an input and outputs a valid level-based ciphertext C. In the second stage (Phase 2), $A_I$ takes $M_0$, $M_1$, LP, st, C as input and outputs a guess bit (1 or 0). Note that $A_I$ still can make queries to the VCO oracle before outputting a guess, and if the following conditions are not satisfied, the experiment will be aborted.
(1) A_I never issues a query for a level-based ciphertext with LP and M as input to the SSO oracle

Input: A security parameter k
Output: The success of the attack.
(1) param ←$ Setup(1^k)
(2) (pk_TA, sk_TA) ←$ TKeyGen(param)
has never been executed; USCrypt(param, C, pk_TA, pk_E, LP, C) = M then
(9) return 1
(10) else
(11) return 0
(12) end

does not exist. Note that A_I runs at most t times and makes at most o_E signcryption queries and o_C credential queries.

Chosen Ciphertext Attack (IND-CCA).
Before formalising this attack, we first give some definitions and outline the oracles. Let (IND−CPA) be indistinguishability under a chosen plaintext attack in the selective-credential exposed model. The signing oracle SSO, credential generator oracle VCO, and unsigncryption oracle USO are used to describe the abilities of A_C breaking (IND−CPA) of an LBS scheme. The SSO and VCO oracles have been depicted in Section 3.2.1. The USO oracle, however, is described as follows.
USO(., .): with a ciphertext C and a level-based security policy LP as input, A_I can request up to o_D queries for the decryption and verification of a ciphertext C. USO returns a decisional result d that is either reject regarding the authenticity of ciphertext C or a message M.
Formalisation of indistinguishability under the adaptive chosen ciphertext attack model of an LBS scheme is described as follows. The experiment in Algorithm 3 depicts an adversary A_I of a level-based signcryption scheme. There are two functions, a st_C stage and a guess stage, which A_I can execute. In the first stage, A_I, with some elastic and pliable strategies, chooses a message and issues requests to the credential queries VCO(.), the signing queries SSO(., .), and the unsigncryption queries USO(., .). The query processes are allowed repeatedly according to A_I's strategies. At the end of the stage, A_I outputs two messages (M_0, M_1), a level-based security policy LP, and some state information (st) used in the guess stage. The experiment runs SCrypt with a message M_b as an input and outputs a valid level-based ciphertext C. In the guess stage (Phase 2), A_I takes M_0, M_1, LP, st, C as input and outputs a guess bit (1 or 0). Note that A_I can still make queries to the VCO and USO oracles before outputting a guess. However, if the following conditions are not satisfied, the experiment will be aborted.
(1) A_I never issues a query for a level-based ciphertext with LP and M_0 or M_1 as input to the SSO oracle
(2) A_I never issues a query with C as input to the USO oracle
does not exist. Note that A_I runs at most t times and makes at most o_E signcryption queries, o_C credential queries, and o_D unsigncryption queries.

The Level-Based Signcryption (LBS) Scheme
In this section, we present our concrete construction of the LBS scheme. The scheme is described as follows.
Setup: with ℓ as the input, Setup randomly selects a prime p ≈ poly(1^ℓ). Setup selects three groups G_1, G_2, and G_T of the prime order p. Setup constructs a bilinear mapping function e that maps G_1 and G_2 to G_T. The above mapping function is defined as e: Construct a hash function h(.), such that h: {0, 1}* ⟶ Z_p. Finally, the system parameter param is composed of (p, e, g, o, h). param is returned as a response of the queries.
TKeyGen: the total security level is denoted by n. Given param as input, TKeyGen computes a private key sk_TA and a public key pk_TA randomly for each security level as follows: choose random integers μ_0, ..., μ_n, c_0, ..., c_n, a, b ∈ Z_p. Let denote a public key. Then, TKeyGen returns sk_TA = (μ_0, ..., μ_n, c_0, ..., c_n, a, b) as the trusted authority's private key and pk_TA = (U, V, W) as the trusted authority's public key. Note that U, V, and W are the symbols that represent the set of vectors (U_1, ..., U_n), (V_0, ..., V_n), and (W_1, ..., W_n), respectively.
SKeyGen: on input of a system parameter param and a public key of the trusted authority, SKeyGen randomly generates a private key sk_E and a public key pk_E as follows: first, choose a random integer x ∈ Z_p. Let X = (X_0 = V_0^x, ..., X_n = V_n^x). Let sk_E = x be the signer's private key and pk_E = X be the signer's public key. At the end, SKeyGen outputs sk_E, pk_E.
CreGen: L_L denotes a list that contains the generated credentials. A security level of a verifier, for example, L = "D" or "5", is denoted by L. Given param, sk_TA, pk_TA, and L = l, CreGen randomly generates a credential csk_E with the following processes. CreGen arbitrarily chooses ν_0 ∈ Z*_p : ν_0 ∉ L_L. Then, CreGen generates a credential at a security level of L = l by computing ν_l = ((c_0 · μ_0 + c_l · μ_l) · a + b − ν_0 · c_0)/c_l; C_0 = o^ν_0; C_l = o^ν_l. CreGen stores C_V = (C_0, C_l) in L_L and returns C_V as a credential of L = l to the verifier.
SCrypt: given param, pk_TA, sk_E, pk_E, LP = "L ≥ l" and a message M, an encryptor E computes a ciphertext C as follows:
Input: a security parameter k and a random bit b
Output: the success of the attack.
Setup parameters: the setup process is the same as in Algorithm 2.
USCrypt: a receiver D possesses a credential L = k, where k ≥ l. Given pk_E, pk_TA, C, LP = "L ≥ l", σ decrypts C as follows:
(2) Check whether or not the following equation holds.
(3) If the equation in (1) holds, then decrypt the ciphertext as follows.
SCOP: in optional privacy, the security policy needs to be set to the lowest level to cover all possible users, since the ciphertext is intended for a single receiver R or a group with a shared secret key. Given param, pk_TA, sk_E, pk_E, pk_R, C_E, LP = "L ≥ 1", and a message M, an encryptor E who possesses a credential for a security level assertion L = k, where k ≥ 1, computes a ciphertext C as follows: The level-based ciphertext is C = (σ_1, σ_2, σ_3). S publishes σ, LP.
USCOP: a receiver D who possesses a credential for a security level assertion L = k, where k ≥ l. Given sk_R, pk_E, pk_TA, C_R, LP = "L ≥ l", σ decrypts C as follows:
(2) Check whether or not the following equation holds.
(3) If the equation in (1) holds, then decrypt the ciphertext as follows.
Note that e(W_l, o), e(X_R,0, C_R,0), e(X_R,k, C_R,k), e(X_R,i, U_i), e(X_R,0, C_E,0), e(X_R,k, C_E,k), and e(X_R,i, U_i) are precomputed and can be reused in the signcryption or unsigncryption process of other signcryptions. Hence, only one pairing computation is needed in the unsigncryption algorithm. The optional privacy process has similar computation costs, where the computation of the bilinear pairing component in R, R, and R can be precomputed once and saved or reused later.
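The CreGen step above, as an added example that is not the authors' code: by the ν_l formula, every credential for level l satisfies c_0·ν_0 + c_l·ν_l = (c_0·μ_0 + c_l·μ_l)·a + b whatever ν_0 was drawn, so credentials are randomised yet bound to one level. The toy group (order-1019 subgroup of Z*_2039, no pairing), the `TrustedAuthority` class, drawing c_i from Z*_p, restricting levels to 1..n, and the TA-side `audit` check are assumptions made for illustration.

```python
import secrets

# Constructed toy parameters, far too small for real use: q = 2p + 1 is a safe
# prime and 4 generates the subgroup of prime order p in Z_q^*. The scheme
# itself uses pairing groups; this sketch only exercises the CreGen algebra.
ORDER_P = 1019
MODULUS_Q = 2039
GEN_O = 4  # plays the role of the generator "o" in param


def rand_zp_star():
    """Uniform element of Z_p^* (never zero)."""
    return 1 + secrets.randbelow(ORDER_P - 1)


def in_subgroup(x):
    """True if x is an element of the order-p subgroup generated by GEN_O."""
    return isinstance(x, int) and 1 <= x < MODULUS_Q and pow(x, ORDER_P, MODULUS_Q) == 1


class TrustedAuthority:
    """Hypothetical holder of sk_TA = (mu_0..mu_n, c_0..c_n, a, b)."""

    def __init__(self, n):
        if n < 1:
            raise ValueError("need at least one security level")
        self.n = n
        self.mu = [secrets.randbelow(ORDER_P) for _ in range(n + 1)]
        # Assumption: c_i is drawn from Z_p^* so the division by c_l in CreGen
        # is always defined.
        self.c = [rand_zp_star() for _ in range(n + 1)]
        self.a = secrets.randbelow(ORDER_P)
        self.b = secrets.randbelow(ORDER_P)
        self.issued = {}  # L_L: C_0 -> (level, C_l)

    def level_target(self, level):
        """(c_0*mu_0 + c_l*mu_l)*a + b mod p, the value every credential hits."""
        s = self.c[0] * self.mu[0] + self.c[level] * self.mu[level]
        return (s * self.a + self.b) % ORDER_P

    def cre_gen(self, level):
        """Issue C_V = (C_0, C_l) for security level `level` (1..n)."""
        if not 1 <= level <= self.n:
            raise ValueError("unknown security level")
        if len(self.issued) >= ORDER_P - 1:
            raise RuntimeError("no fresh nu_0 left in this toy group")
        while True:  # nu_0 must not repeat a value already recorded in L_L
            nu0 = rand_zp_star()
            c0_elem = pow(GEN_O, nu0, MODULUS_Q)
            if c0_elem not in self.issued:
                break
        inv_cl = pow(self.c[level], -1, ORDER_P)
        nu_l = (self.level_target(level) - nu0 * self.c[0]) * inv_cl % ORDER_P
        cl_elem = pow(GEN_O, nu_l, MODULUS_Q)
        self.issued[c0_elem] = (level, cl_elem)
        return (c0_elem, cl_elem)

    def audit(self, level, cred):
        """TA-side check: C_0^c_0 * C_l^c_l == o^target for the claimed level."""
        if not 1 <= level <= self.n:
            return False
        c0_elem, cl_elem = cred
        if not (in_subgroup(c0_elem) and in_subgroup(cl_elem)):
            return False  # reject elements outside the prime-order subgroup
        lhs = pow(c0_elem, self.c[0], MODULUS_Q) * pow(cl_elem, self.c[level], MODULUS_Q)
        return lhs % MODULUS_Q == pow(GEN_O, self.level_target(level), MODULUS_Q)


if __name__ == "__main__":
    ta = TrustedAuthority(n=5)
    first, second = ta.cre_gen(3), ta.cre_gen(3)
    print("two level-3 credentials differ:", first != second)
    print("both satisfy the level-3 relation:", ta.audit(3, first), ta.audit(3, second))
    forged = (first[0], first[1] * GEN_O % MODULUS_Q)  # nu_l shifted by one
    print("modified credential accepted:", ta.audit(3, forged))
```

Auditing a level-3 credential against another level passes only by chance, about 1/p, which is noticeable in this toy group and negligible at real parameter sizes.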

Completeness.
The completeness of the signcryption and unsigncryption algorithms can be verified with the following equations. Generated by the sender = generated by the receiver

Theorem 1. Under the adaptive chosen message and credential exposure attack model, the level-based signcryption scheme is existentially unforgeable if and only if the CDH assumption is intact under the random oracle model.
Proof. We start with the assumption that a forger algorithm A_U that can win the existential unforgeability model described in Section 3.1 exists. Using this A_U, we can construct an adversary algorithm F to break the CDH problem. We now begin with the construction of oracles. First, on input g_1, g_1^x, and g_1^y as an instance of the CDH problem, F runs Setup, sets g = g_1, o = g_1^y, and obtains param = (p, e, g, o, h). F then runs TKeyGen to obtain TA's public-private keys and sets X = (X_0 = g_1^(x·c_0), ..., X_n = g_1^(x·c_n)) as the signer's public key pk_E. The following algorithms are the construction of queries that are later used in the simulation.
HO oracle: given a string Γ as input, if it is a request for a hash value of h(Γ), HO checks whether or not Γ is in the queried list. If it exists in the list, then return the corresponding value; otherwise, HO randomly chooses ι ←$ Z_p and then returns h(Γ) = ι. Note that HO keeps (Γ, ι) in the list, and this list can only be accessed by F.
VCO queries: given sk_TA as input, VCO executes CreGen for the credential VCR, where L = l. VCO outputs VCR.
SSO queries: given LP = "L ≥ l" and a message M as input, SSO generates a level-based signcryption with the following equations.
Optional privacy: let X_R = (X_R,0 = g ) be the receiver's public key pk_R. SSO generates a level-based signcryption with the following equations.

Wireless Communications and Mobile Computing
Note that R does not need to be computed. It only needs to be verified by the following equation when A_U submits the query of the hash value for σ_1.

e(R, g) =? e(X_R,0, X_E,0)

If it matches with X_R,0 in the list of verifier public keys and the list of queried ciphertexts, it then returns the corresponding result. Otherwise, it returns the new ι_1.
We start the simulation by allowing A_U to access the above queries. In fact, A_U always issues a request of query to HO queries before outputting the forgery. Let us denote this potential forgery by M*, C*, LP*. With any adaptive strategy, A_U interacts with the simulator and eventually outputs a forgery.
A_U successfully completes the challenge if, with a message M* and LP* as input, A_U generates a valid signcryption C*. Note that this forgery should not be a result of SSO queries. The success probability ADV^EUF−CMCEA(.) of A_U winning the simulation is denoted by ϵ. Let the base of the natural logarithm be denoted by e. In the random oracle, the input of every query made for a signcryption is a result of a query to the HO oracle. Hence, q_H ≥ q_S. Let F solve the CDH problem using the forgery generated by A_U. The forking technique in [45,46] is applied in the following technique for the probability analysis.
First, a signcryption C* on message M* where σ*_1 = h(Γ*) = ι* is obtained in the first round. Then, F resets A_U to the initial state and repeats the above simulation again. Note that in the second simulation, A_U uses a different hash value σ′_1 = h(Γ*) = ι′.
With these two signcryptions, F computes
ϵ′ is defined as the success probability ADV^CDH(.) that F solves the CDH problem. We base this on the forking lemma theorem in [45,46] and obtain the success probability that F uses A_U to solve the CDH problem as follows: Note that acc = ϵ, since the simulation behaves naturally, and it does not need to abort the experiment in any event. ϵ/2^l is omitted since it is negligible. To summarise the probability, A_U wins the above game and outputs a signcryption C* on a message M* with a probability less than √(q_H · ϵ′). Therefore, the results of the above probability analysis lead us to conclude that the success of breaking the existential unforgeability of the LBS scheme is nonnegligible due to the probability of breaking the CDH problems that are nonnegligible in the random oracle model.

Indistinguishability
Theorem 2. Against the adaptive chosen ciphertext distinguisher A_I in the selective-credential exposed attack model, the ciphertext of the level-based signcryption scheme is existentially indistinguishable if CDH and DBDH assumptions hold in the random oracle model.
Proof. Let us assume that an adversary A_I exists. It runs the existentially indistinguishable game defined in Section 3.2.
Then, it successfully outputs a correct guess. We will demonstrate that we can use an adversary F to output a solution to the DBDH problem by using A_I as a tool. Given g, g^x, g^y, g^z, and Z as an instance of the DBDH problem, F runs Setup and sets g = g, o = g^y and obtains param = (p, e, g, o, h).
F assigns b = z and runs TKeyGen to obtain TA's public-private keys. F also sets x = x and runs SKeyGen to obtain the signer's public key pk_E. Assume that there exists an algorithm managing the list of each query, and such algorithms will be omitted. F builds the queries in the following functions.
HO oracle: given a string Γ as input, HO checks whether or not Γ is in the queried list for a hash value request of h(Γ). If it exists in the list, then return the corresponding value; otherwise, HO randomly chooses ι ←$ Z_p and then returns h(Γ) = ι. Note that HO keeps (Γ, ι) in the list and only F can access the list.

VCO queries: F randomly chooses an integer d ←$ Z*_(n+1). On input L = l, if l ≥ d, then output ⊥. Otherwise, VCO randomly chooses the integer k_c ∈ Z_p, if k_c has yet to be selected. C_V is computed as follows: VCO then returns C_V = (C_0, C_l).
SSO queries: let L_sso be the list that stores generated signcryptions. On input LP = "L ≥ l" and a message M, if l ≥ d, then output ⊥. Otherwise, SSO generates a level-based signcryption ciphertext with the following algorithms.
Note that SSO has access to the list of (Γ, ι) via F. SSO uses this advantage to update (Γ, ι) to the list in HO. SSO then responds with C = (σ_1, σ_2, σ_3) and keeps (C, M) in L_sso.
Optional privacy: let , ..., X_R,n = g_1^(x_R·c_n)) be the receiver's public key pk_R and X_E = (X_E,0 = X_0, ..., X_E,n = X_n) be the sender's public key pk_E. SSO generates a level-based signcryption with the following algorithms.
Note that R does not need to be computed. It only needs to be verified by the following equation when A_U submits the query of the hash value for σ_1.
If it matches with X_R,0 in the list of verifier public keys and the list of queried ciphertexts, it then returns the corresponding result. Otherwise, it returns the new ι_1.
USO queries: on input M, C, and LP = "L ≥ l", if C ∈ L_sso, then USO responds with M from the corresponding C in the list. Otherwise, USO responds with "reject." Note that this setting is based on the assumption that the unforgeability of LBS holds. Hence, all signcryption ciphertexts that are not generated by SSO are invalid signcryption ciphertexts. If the adversary aborts, due to an unnatural simulation, we can then use this adversary to run the unforgeability simulation to solve the CDH problem.
At the beginning of a game, A_I is given access to the above oracles. Next, we run the simulation between A_I and F as modelled in Section 3.2:
(1) Phase 1: A_I with adaptive strategy makes queries to SSO, VCO, and USO oracles. The oracles' responses are as we previously described.
(1) On input M_0, M_1, and LP*, A_I makes a query for a level-based signcryption ciphertext to SSO queries
(2) A_I has a credential that is equal to or higher than the security level assigned in the level-based security policy LP*
Otherwise, F selects a random bit b* ∈ {0, 1} and computes a response as follows: Note that F has access to the list (Γ*, ι*). F uses this advantage to update (Γ*, ι*) to the list in HO. F then responds with C* = (σ*_1, σ*_2, σ*_3) to A_I.
Optional privacy: let X_R = (X_R,0 = g ) be the receiver's public key pk_R and X_E = (X_E,0 = X_0, ..., X_E,n = X_n) be the sender's public key pk_E. F computes the challenge ciphertext as follows: If it matches with X_R,0 in the list of verifier public keys and the list of queried ciphertexts, it then returns the corresponding result. Otherwise, it returns the new ι_1.
(3) Phase 2: in this phase, A_I can go back to Phase 1 as many times as it requires. However, F will abort the game if
(1) On input M_0, M_1, and LP*, A_I issues a request for a level-based signcryption ciphertext to SSO queries
(2) On input C* and LP*, A_C issues a request for an unsigncryption query to USO
(3) A_I has a credential that is equal to or higher than the security level assigned to the level-based security policy LP*
(4) Guessing: on the valid challenge M_0, M_1, LP*, C*, A_I finally outputs a guess b′
Let ADV^IND−CCA = ϵ be an advantage probability that A_I wins the challenge in the above simulation. An upper bound of queries in polynomial time that A_I requests a hash value from the HO oracle is denoted as q. Note that q ≥ q_H and q ≪ p.
Since only F and SSO access HO before it outputs a response, we can conclude that q_H ≥ q_S. Therefore, we can analyze the advantage that A_I's guess is correct and wins the above game as follows:
(i) E_1: during the request of queries to VCO, F did not abort. Let q_VC be the highest security level that A_I issues to the VCO oracle, rather than the number of queries that it makes to the VCO oracle. Since A_I can only make one query for the security level L = n − 1, A_I can use this credential to verify and decrypt ciphertexts with the entire security level except for the security level n. Note that d is a random integer chosen at the beginning of the game and n is the upper bound of the security level. The fact is that A_I can make a request for credentials, up to the security level q_VC = n − 1, to the VCO oracle, and the value of d is in the range of {1, ..., n}. However, if q_VC ≥ d, then VCO will always terminate the experiment. Otherwise, q_VC < d, and VCO will not terminate the experiment. To choose q_VC and d randomly, the probability that A_I chooses q_VC is 1/n and the probability that F chooses d is 1/n. Therefore, the probability of this event is 1/n^2.
(ii) E_2: after the request of queries to USO, A_I did not abort. Let ϵ be the success probability of solving the CDH problem. Since the probability of A_I breaking unforgeability is equal to ϵ, the probability of this event is more than 1 − √(q_H · ϵ).
(iii) E_3: after Phase 1 and Phase 2, F did not abort. Since we have assumed that A_I follows the experiment and outputs a guess with a valid challenge (LP*, C*), the probability of this event is 1.
The advantage that A_I successfully completes the challenge in the above simulation and generates a right educa-
Let an advantage probability in solving the DBDH problem be denoted by ϵ′. F is using A_I's guess to answer the DBDH problem. Due to the condition that A_I can choose a challenge level-based security policy LP*, A_I cannot have the credential above the security level in the challenge level-based security policy LP*. Hence, there is an event where A_I's guess in the game is not the right guess for the DBDH problem, where LP* ≠ "L ≥ d".
This event probability is 1/n. To conclude, the advantage probability of F using A_I to produce a correct solution for the DBDH problem is ϵ′ ≥ ϵ · (1 − √(q_H · ϵ)) · 1/n^2 · 1/n = ϵ · 1/n^3. Against the adaptive chosen message and selective-credential exposure attack model, the advantage probability of A_I breaking the existential indistinguishability of the LBS scheme is ϵ ≤ n^3 · ϵ′/(1 − √(q_H · ϵ)). Note that n ≪ q_H ≪ q. Therefore, the results of the above probability analysis lead us to conclude that the success of breaking the existential indistinguishability of the LBS scheme is nonnegligible due to the probability of breaking the CDH and DBDH problems being nonnegligible in the random oracle model.

Theoretical Analysis
We introduced the notion of a level-based signcryption (LBS) scheme to capture the need for confidential and authenticated messages sent to a specific group of verifiers that satisfy the required security level. The LBS scheme has a short ciphertext, a constant credential size, and an efficient signcrypting algorithm. The encryption security of our LBS scheme is CCA-secure and relies on the CDH and DBDH assumptions. The communication and computation costs of our scheme and related schemes are compared, as given in Table 2. l denotes a security level which is specified in the level-based security policy (MP = "L ≥ l"). The total security levels or the total number of attributes are denoted by n, and let l_n be the number of attributes specified in the policy. The computation cost for the exponential in groups G_1 or G_T is denoted by E, while the computation cost of the multiplication in groups G_1 or G_T is denoted by M. The computation cost for the bilinear pairing function is denoted as P. Computation for hash functions in Z_p is denoted as H. A computation unit given in Table 2 is equivalent to the XOR operation's computation. For lightweight cryptography, S denotes a unit of time used for computing a symmetric encryption scheme such as AES.

Table 2: Communication and computation cost of our scheme and related schemes. Columns: scheme; ciphertext size; computation costs (two columns).
(unlabelled); |G_T| + (2n + 1)|G_1|; h + M + (2n + 2)E + P; (3n + 2)E + (2n − 1)M + (2n + 1)P
RW15 [11]; (n + 1)|G_T| + 3n|G_1|; h + E + M + P; nh + nE + (4n)M + 3nP
YTC14 [12]; (n + 2)|G_1|; h + S + nM; h + S + nM
YLWXY20 [40]; (n + 7)|G_1| + |p|; (2l_n + 2n + 7)E + S, + (n + l_n + 9)M + S; (3l_n + 13)E + S + 7P, + (n + 3l_n + 2)M
Our LBS; |G_1| + |p| + |G_T|; H + 2E + P + 1; 1 + H + ((n − l) + 2)P + E + nM
Our LBS with OP; |G_1| + |p| + |G_T|; 1 + 2H + (n − l + 2)P, + 2E + nM; 1 + 2H + (2n − l + 2)P + 2E + 2nM

We implemented our scheme based on the pairing-based cryptography (PBC) library. The comparison with the existing efficient schemes in PBC is shown in Figures 2 and 3.
Note that the results of some schemes may not be accurate because the original code is not provided in the PBC library. Hence, only selected efficient ABE schemes in Table 2 are implemented. Moreover, from Table 2, our scheme's ciphertext size is constant compared to other schemes, which increase with the number of attributes. The code was written in Python using the charm-crypto framework developed by Akinyele and others [48] for rapid cryptography development.
The first experiment was conducted on an Intel 10th Gen Core i5-10400 with a 6-core, 12-thread configuration and 32 gigabytes of DDR4 memory. The operating system used in the experiment was Ubuntu 18.04. The results of this experiment are presented on the left side of each figure. The second experiment was conducted on a Raspberry Pi 4 Cortex-A72 (ARM v8) 64 bit SoC with a 1.5 GHz CPU clock speed, 4 cores, and 4 gigabytes of DDR4 memory. Raspbian was the operating system used in the second experiment. The results are presented on the right side of each figure. The experiments were executed with two different types of curves, namely, type A and type A1. The type A curve is a curve that produces the fastest bilinear pairing computation, and it achieves security comparable to 1024 bits of discrete logarithm (DLog) security. On the other hand, type A1 provides higher security, which is 2048 bits of DLog security. Comparison results using the type A and A1 curves are shown in Figures 2 and 3. Meanwhile, our scheme's performance for the rest of the results is quite good. The only result where our scheme consumes more time than others is in the setup process. However, this is still acceptable for access control in VANETs. The parameters of these two curves are given in Table 3. The experiment was conducted 500 times for each scheme to find the average time consumed in each computation process. The message used in the experiments was randomly generated in the G_T domain.
From the results in Figures 3 and 2, our scheme shows a significant boost in encryption and verification for both curve types. Even when compared with the lightweight ABE scheme in [12], our scheme did not differ much in performance. Moreover, the size of our ciphertext is constant as the number of attributes increases, whereas the ciphertext sizes of the other schemes grow linearly with the number of attributes.

Conclusion
Privacy issues regarding information shared in organisations without an efficient and proper control mechanism have motivated us to provide a scheme to solve this. The notion of a level-based signcryption scheme provides simplicity, confidentiality, and privacy, enhancing secure communication in VANETs or any ad-hoc network that often needs to broadcast messages. With LBS, the communication among the VANET's nodes, such as RSU nodes and vehicles, is now efficient, secure, and private. LBS ensures the confidentiality, authenticity, and data for the RSU to securely broadcast messages to nodes. On the other hand, the vehicle node can be confident that the messages it communicates to the RSU cannot be read by other nodes even though it sometimes needs to communicate with the RSU via other nodes. Similar to WSN and IoT networks, LBS provides secure broadcast communication among IoT devices.
The IoT node can choose to securely and privately communicate with its peer or have private communication with the primary access point units or any devices with a high-level policy setting such as the organisation's server, workstation, or mobile.
Moreover, the proposed scheme is an ideal tool for enabling access control systems or secure shared document systems for a large organisation where a hierarchical structure is applied. A file can be shared or transmitted to the same peer or higher-level security users via a broadcast channel. The LBS scheme enables the above scenario securely. Even if the message is revealed to the public, it cannot be linked to the signer. In the event of credential disputes or disclosure to others, our scheme does not provide a credential revocation mechanism. To resolve this issue, the system should resolve it without reissuing a new credential to other users. Our scheme can use the group key as a key to revoke the credential without affecting honest users. Nevertheless, this is not an ideal solution to this issue. Hence, this will be addressed in our future work.

Data Availability
The source code and some data generated from the experiment are found in the GitHub link (https://github.com/yourchkung/LBSOP).

Conflicts of Interest
The authors declare that they have no conflicts of interest.