Identity-based Conditional Privacy-Preserving Authentication Scheme
Resistant to Malicious Subliminal Setting of Ephemeral Secret
Patryk Kozieł, Łukasz Krzywiecki and Damian Stygar
Department of Computer Science, Faculty of Fundamental Problems of Technology,
Wrocław University of Science and Technology, Poland
Keywords:
Authentication, Bilinear Pairing, Elliptic Curve, Vehicular Ad-hoc Networks, Ephemeral Secret Setting,
Ephemeral Secret Leakage.
Abstract:
In this paper we propose a modification of the Identity Based Conditional Privacy-Preserving Authentication Scheme (CPPA), which is based on the Schnorr Signature Scheme (SS). The applicability and the security of the scheme are mainly considered in Intelligent Transportation Systems. We discuss scenarios with subliminal malicious setting of an ephemeral secret. We present a new, stronger security model for the scheme in which we allow the adversary to choose the random values used during the signing process. We define the SS to be secure if the advantage of the adversary in this model is negligible. Finally, we prove the security of the modified Identity Based CPPA in our stronger model.
1 INTRODUCTION
In recent years Vehicular Sensor Networks (VSNs) have become of interest to many researchers. They provide a lot of opportunities for modern transportation. Collecting information in real time can support traffic management and driving safety, especially in heavy traffic scenarios, road defects or bad weather conditions. There exist many propositions for cryptographic schemes applicable to VSNs (e.g. (Li et al., 2018)). A Vehicular Ad-Hoc Network (VANET) is a subset of a Mobile Ad-Hoc Network (MANET), a network that is continuously self-configuring and does not have a fixed infrastructure. VANET supports communication between vehicles (V2V) and between vehicles and road side units (V2I). Two of the crucial features we require from such networks in the context of cryptography are security and privacy preservation of the identities of the participants. VANET is mainly used for providing safety related information and traffic conditions. Traffic management directly impacts driving comfort and safety. We can easily imagine scenarios in which maliciously altered traffic-related data causes dangerous circumstances on the road. Hence the legitimacy of the messages is one of our primary concerns.
1.1 Problem Statement and Motivation
It is very prevalent in cryptographic schemes to use ephemeral values, i.e. values drawn randomly from some sets and used in subsequent processing. We are mainly interested in scenarios in which an adversary (whom we will call the forger from this moment on) has the ability to learn how ephemeral secrets are produced or to inject them herself. In particular, some implementations of pseudo-random number generators (PRNGs) can be prone to attacks (e.g. (Dorrendorf et al., 2007)) or even deliberately constructed maliciously. It is also known that certification of hardware for cryptographic purposes can be a long and costly process, so many small producers choose cheap but not very trustworthy devices available on the market.
Many PRNGs are constructed in such a way that if the attacker learns the current state of the generator, then she can also predict its future outputs. A very basic example is the Linear Congruential Generator (LCG). Breaking this generator is often presented to students as an exercise.
Ephemeral leakage can often result in the ability to forge signatures, impersonation or discovery of a secret key. This is why there is a lot of research on the security of PRNGs. However, we propose a different approach in which the security of the generator is not crucial anymore.
Kozieł, P., Krzywiecki, Ł. and Stygar, D.
Identity-based Conditional Privacy-Preserving Authentication Scheme Resistant to Malicious Subliminal Setting of Ephemeral Secret.
DOI: 10.5220/0007954204920497
In Proceedings of the 16th International Joint Conference on e-Business and Telecommunications (ICETE 2019), pages 492-497
ISBN: 978-989-758-378-0
Copyright © 2019 by SCITEPRESS – Science and Technology Publications, Lda. All rights reserved
In the context of VSNs we are mainly concerned with situations where protocols are executed using untrustworthy devices, e.g. not certified or maybe not updated by the manufacturer but claiming to meet the security standards.
In this paper we focus on the Identity Based Conditional Privacy-Preserving Authentication Scheme (He et al., 2015) in scenarios with injection or leakage of the ephemerals. We provide a new security model with ephemeral leakage, propose a modification of that scheme, and prove that it is a secure solution in our proposed model. We chose to study this particular scheme because we noticed that an improvement (in the sense of protection against ephemeral leakage) is possible and can be formally proved. We devote this paper entirely to this scheme because any modification of a secure scheme requires a very careful analysis to ensure that current security features are not compromised.
1.2 Contribution
The contribution of the paper is the following:
- We propose a new security model for Identity-Based Conditional Privacy Preserving Authentication Schemes, stronger than the usual one. In this model the forger is able to choose and inject ephemerals in the signing process.
- We propose a modification of the Identity-Based Conditional Privacy-Preserving Authentication Scheme from (He et al., 2015), originally not secure in scenarios with ephemeral leakage/injection. We prove the security of the modification in the strong model.
1.3 Previous Work
In VANETs, privacy and message integrity are widely researched concepts. The legitimacy of the traffic related messages is crucial for safe traffic management. On the other hand, we require that a vehicle which sends traffic information cannot be tracked (privacy), except in situations when it provides malicious information. Then some trusted third party should be able to discover the identity of such a vehicle. That is the motivation for supporting conditional privacy and anonymous message authentication. Currently, there exist Conditional Privacy-Preserving Authentication schemes, e.g. ECPP (Lu et al., 2008), CPAS (Shim, 2012), RAISE (Zhang et al., 2008), PCPA (Ming and Shen, 2018). Usually the security of ephemeral values or the consequences of leakage are not discussed by the authors. The leakage of the ephemeral key and countermeasures have been discussed for the Schnorr Identification Scheme (Krzywiecki, 2016) and for the Okamoto Identification Scheme (Krzywiecki and Kutylowski, 2017).
The paper is organized in the following way. In Section 2 we recall the Identity-Based Conditional Privacy-Preserving Authentication Scheme. In Section 3.3.2 we introduce our stronger security model which includes the ephemeral setting by the forger. In Section 3 we propose the modified version of the Identity-Based CPPA, and prove its security in our model.
2 IDENTITY-BASED CONDITIONAL PRIVACY-PRESERVING AUTHENTICATION SCHEME
2.1 Preliminaries and Notation
Let $G(1^\lambda)$ be a (randomized) group generation algorithm that takes as an input $1^\lambda$, and outputs a tuple $G = (G_1, G_2, G_T, g, \hat{g}, q)$, where $q$ is a prime number, $G_1 = \langle g \rangle$, $G_2 = \langle \hat{g} \rangle$, $|G_1| = |G_2| = q$, and $G_T$ is another group of prime order $q$. Let $x$ be a private key of the system and $X = g^x$ be a public key. Let $V$ denote the real identity of a vehicle. AID denotes an anonymous identity of a vehicle which consists of two elements {W, W }. Let $H_1 : G_1 \to \mathbb{Z}_q$, $H_2 : \{0,1\}^* \to \mathbb{Z}_q$, $H_3 : \{0,1\}^* \times \{0,1\}^* \times G_1 \times \{0,1\}^* \to \mathbb{Z}_q$, $H_4 : G_1 \times \mathbb{Z}_q \to G_2$ represent four secure hash functions. We will use the following operations: $\oplus$ - XOR and $\|$ - string concatenation inside a hash. Let $m$ denote an element from the set of all possible messages $M$.
Bilinear Map: Let $G_1, G_2, G_T$ be groups of a prime order $q$. We define $\hat{e} : G_1 \times G_2 \to G_T$ as a bilinear pairing such that the following conditions hold:
1) Bilinearity: $\forall a, b \in \mathbb{Z}_q,\ g_1 \in G_1,\ g_2 \in G_2 :\ \hat{e}(g_1^a, g_2^b) = \hat{e}(g_1, g_2)^{ab}$.
2) Non-degeneracy: $\hat{e} \neq 1$.
3) Computability: $\hat{e}$ is efficiently computable.
The Discrete Logarithm (DL) Assumption: For any probabilistic polynomial time (PPT) algorithm $A_{DL}$ it holds that:
$$\Pr[A_{DL}(G, g^x) = x \mid G \leftarrow G(1^\lambda),\ x \xleftarrow{\$} \mathbb{Z}_q] \leq \varepsilon_{DL}(\lambda),$$
where $\varepsilon_{DL}(\lambda)$ is negligible.
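The Computational Diffie-Hellman (CDH) Assumption: For any probabilistic polynomial time (PPT) algorithm $A_{CDH}$ it holds that:
$$\Pr[A_{CDH}(G, g^x, g^y) = g^{xy} \mid G \leftarrow G(1^\lambda),\ x \xleftarrow{\$} \mathbb{Z}_q,\ y \xleftarrow{\$} \mathbb{Z}_q] \leq \varepsilon_{CDH}(\lambda),$$
where $\varepsilon_{CDH}(\lambda)$ is negligible.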
The Decisional Diffie-Hellman Oracle ($O_{DDH}$) denotes the (PPT) algorithm, which for $G \leftarrow G(1^\lambda)$, $x \in \mathbb{Z}_q$, $y \in \mathbb{Z}_q$, $z \in \mathbb{Z}_q$: $O_{DDH}(G, g^x, g^y, g^z) = 1$ iff $z = xy \bmod q$.
The Computational co-Diffie-Hellman (CcDH) Assumption: (Saito and Uchiyama, 2004) For any probabilistic polynomial time (PPT) algorithm $A_{CcDH}$ it holds that:
$$\Pr[A_{CcDH}(G, a, a^x, b) = b^x \mid G \leftarrow G(1^\lambda),\ x \xleftarrow{\$} \mathbb{Z}_q,\ a \in G_1,\ b \in G_2] \leq \varepsilon_{CcDH}(\lambda),$$
where $\varepsilon_{CcDH}(\lambda)$ is negligible.
2.2 VANET Model
We model VANET using two layers:
- Upper Layer, which consists of:
  - a third party Trusted Authority (TA) responsible for generating parameters and loading them to tamper-proof devices in vehicles, and for discovering the real identities of the vehicles if needed;
  - an Application Server supporting safety-related applications at the traffic management center.
- Bottom Layer:
  - The Road Side Units (RSUs): wireless communication devices located at the roadside, able to communicate with vehicles. An RSU can verify the validity of received messages and send them to the traffic management center or process them locally.
  - Vehicles equipped with an On-Board Unit (OBU) for communication. The OBU is a tamper-proof device. The vehicle communicates wirelessly with RSUs using the OBU.
2.3 Signature Schemes
2.3.1 Identity-based Conditional Privacy-Preserving Authentication Scheme Definition
Definition 1. Identity-Based Conditional Privacy-Preserving Authentication Scheme (CPPA) is a system which consists of five algorithms (ParGen, KeyGen, AIDGen, AIDSign, Verify):
$par \leftarrow \mathrm{ParGen}(1^\lambda)$: takes the security parameter $\lambda$ as input, and outputs public parameters available to all users of the system.
$(sk, pk) \leftarrow \mathrm{KeyGen}$: creates a pair of the public key and the secret key of the system and identities of the users.
$(t, sk_t, \mathrm{TempAID}) \leftarrow \mathrm{AIDGen}(V, password, sk)$: verifies identity $V$ with the provided password and creates a timestamp $t$ and an associated secret key $sk_t$, based also on the secret key of the system, and anonymous identity TempAID.
$\sigma \leftarrow \mathrm{AIDSign}(t, sk_t, \mathrm{TempAID}, m)$: an algorithm creating a signature over the provided message using the private temporary key and the identity. The signature both authenticates the message and identifies the signer.
$\mathrm{Verify}(t, \mathrm{TempAID}, pk, m, \sigma)$: an algorithm verifying whether the signature over the given message is valid, taking into account the public key, the timestamp and the AID identity.
The scheme is actually an extended identification scheme in which a prover, together with identifying herself, sends authenticated messages at the same time. The algorithms generating the key for the users are assumed to be secure and deployed in tamper-proof devices. In this particular case the security of the scheme depends solely on the security of the signature scheme, so unforgeability of the underlying signature scheme determines if the whole scheme is secure. Our modification actually poses new security requirements for the signature scheme. Therefore in this paper we focus mostly on malicious ephemeral setting in the context of the signature scheme used in the main scheme.
3 MODIFIED IDENTITY-BASED CONDITIONAL PRIVACY-PRESERVING AUTHENTICATION SCHEME
Our proposed modified Identity-Based Conditional Privacy-Preserving Authentication Scheme is depicted in Figure 1 alongside the regular scheme. Points with the suffix "mod" come from the modified version. The signing procedure requires one more exponentiation and one more call to a hash function. In the verification procedure one additional call to a hash function and two executions of the bilinear pairing are required. In Theorem 3 we show that if an adversary attacking the regular version of the scheme knows the ephemeral value from AIDSign, then she can easily compute the private key. Our solution is to mask this ephemeral value in such a way that knowledge of it does not allow recovery of the secret key. We propose the usage of a bilinear pairing.
3.1 Batch Verification
The original scheme also supports batch verification. Here we omit discussion of this feature. Our modification is also scalable for verification of multiple messages at once. The full modification and the security proof are planned for future research.
SECRYPT 2019 - 16th International Conference on Security and Cryptography
Parameters initialization:
$par \leftarrow \mathrm{ParGen}(1^\lambda)$: Let $G \leftarrow G(1^\lambda)$, s.t. DL and CDH assumptions hold.
Key Generation:
1. KeyGen(): $sk = x \in \mathbb{Z}_q$, $pk = X = g^x$. Output $(sk, pk)$.
2. Trusted Authority (TA) assigns a real identity $V$ and a password for each vehicle and pre-loads {V, password, x} into its tamper-proof device.
3. The system parameters are sent to all RSUs and vehicles by the TA.
AID generation: (in a tamper-proof device) If $V$ and password are equal to the stored ones then:
1. $w \xleftarrow{\$} \mathbb{Z}_q$
2. $W = g^w$
3. W = $V \oplus H_1(X^w)$
4. $h_2 = H_2(AID \| t)$
5. $v = w + h_2 \cdot x$
6. AID = {W, W }
7. sends a tuple $\{AID, v, t\}$ to the vehicle.
AID Signing: The vehicle generates:
1. $r \xleftarrow{\$} \mathbb{Z}_q$
2. $R = g^r$
3. $h_3 = H_3(AID, t, R, m)$
4. $s = v + h_3 \cdot r$
5. sends $\{m, AID, t, R, s\}$ to the verifier
5mod $\hat{g} = H_4(R, h_3)$
6mod $S = \hat{g}^s$
7mod sends $\{m, AID, t, R, S\}$ to the verifier
Verification: The verifier checks:
1. freshness of $t$
2. {W, W } = AID
3. $h_2 = H_2(AID \| t)$
4. $h_3 = H_3(AID, t, R, m)$
5. acceptance if $g^s = W \cdot X^{h_2} \cdot R^{h_3}$
5mod $\hat{g} = H_4(R, h_3)$
6mod acceptance if $\hat{e}(S, g) = \hat{e}(\hat{g}, W X^{h_2} R^{h_3})$
Figure 1: Identity-Based Conditional Privacy-Preserving Authentication Scheme - Regular and Modified versions.
3.2 Correctness of the Proposed Scheme
Theorem 1 (Correctness). The Modified Identity-Based Conditional Privacy-Preserving Authentication Scheme, depicted in Figure 1, is correct, that is:
$$\Pr[\mathrm{Verify}(t, \mathrm{TempAID}, pk, m, \sigma) = 1 \mid \sigma \leftarrow \mathrm{AIDSign}(t, sk_t, \mathrm{TempAID}, m),\ par \leftarrow \mathrm{ParGen}(1^\lambda),\ (sk, pk) \leftarrow \mathrm{KeyGen}(),\ (t, sk_t, \mathrm{TempAID}) \leftarrow \mathrm{AIDGen}(V, password, sk)] = 1$$
Proof. For properly generated keys the produced signature is always accepted by the verifier.
$$\hat{e}(S, g) = \hat{e}(\hat{g}^s, g) = \hat{e}(\hat{g}, g^s) = \hat{e}(\hat{g}, g^{v + h_3 r}) = \hat{e}(\hat{g}, g^{w + h_2 x + h_3 r}) = \hat{e}(\hat{g}, g^w g^{h_2 x} g^{h_3 r}) = \hat{e}(\hat{g}, g^w X^{h_2} R^{h_3})$$
3.3 Security Analysis
3.3.1 New Stronger Security Model for Signatures
Definition 2 (Signature Scheme). Signature Scheme (SiS) is a system which consists of four algorithms (ParGen, KeyGen, Sign, Verify):
$par \leftarrow \mathrm{ParGen}(1^\lambda)$: takes the security parameter $\lambda$ as input, and outputs public parameters available to all users of the system.
$(sk, pk) \leftarrow \mathrm{KeyGen}()$: outputs the secret key $sk$ and the corresponding public key $pk$.
$\mathrm{Sign}(sk, m)$: an algorithm creating a signature over the provided message using the private key.
$\mathrm{Verify}(pk, m, \sigma)$: an algorithm to verify that a signature over the given message is valid.
We say that a signature scheme is correct if for any pair $(sk, pk)$:
$$\Pr[\mathrm{Verify}(pk, m, \sigma) = 1 \mid \sigma \leftarrow \mathrm{Sign}(sk, m)] = 1.$$
To address the scenario with ephemeral leakage/injection we propose a new, stronger security model for SiS, based on models introduced in (Krzywiecki, 2016; Krzywiecki and Kutylowski, 2017). In this particular model, in the learning phase the malicious forger $F$ has the ability to inject ephemeral secrets into the signing procedure.
Let $\bar{r}$ be an ephemeral secret chosen by $F$. The signing procedure executed by an honest signer with injected $\bar{r}$ will be denoted by $\mathrm{Sign}^{\bar{r}}$. The signer uses the value $\bar{r}$ as its random short term secret key. Let $\ell$ be the number of executions of the Sign method (polynomial in $\lambda$).
Definition 3 (Chosen Ephemeral Forger (CEF)). Let SiS = (ParGen, KeyGen, Sign, Verify) be a signature scheme. We define security experiment $\mathrm{Exp}^{CEF,\lambda,\ell}_{SiS}$:
Init: $par \leftarrow \mathrm{ParGen}(1^\lambda)$, $(sk, pk) \leftarrow \mathrm{KeyGen}()$.
Sign Oracle: The sign oracle $O^{\bar{r}}_S$ accepts messages $m_i$, ephemerals $\bar{r}_i$ and outputs corresponding positively verifiable signatures $\sigma_i$ generated with the $\bar{r}_i$, i.e. $O^{\bar{r}_i}_S(m_i) \to \sigma_i$, s.t. $\mathrm{Verify}(m_i, \sigma_i, pk) = 1$. The oracle models the device in which the signatures are generated via the algorithm Sign, with injected ephemerals, controlled externally by the adversary: $\sigma \leftarrow \mathrm{Sign}^{\bar{r}}(m)$.
Forger: Let the forger $F^{O^{\bar{r}}_S}(pk, par)$ be the malicious algorithm initialized with the public key $pk$ and parameters, having access to the signing oracle $O^{\bar{r}}_S$. The forger $F^{O_S}$ issues a number $\ell$ of queries to $O^{\bar{r}}_S$ with the messages of its choice, obtaining the corresponding signatures, where $\bar{r}_i, m_i, \sigma_i$ denote respectively: the ephemeral values, the message, and the signature in the $i$th oracle query. Let $R = \{\bar{r}_1, \ldots, \bar{r}_\ell\}$, $M = \{m_1, \ldots, m_\ell\}$, and $L = \{\sigma_1, \ldots, \sigma_\ell\}$ denote the set of the ephemerals, the set of the inputs, and the corresponding outputs the oracle processes.
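Forgery: The forger generates a pair:
$$(m, \sigma) \leftarrow F^{O^{\bar{r}}_S}(pk, par).$$
We define the advantage of $F$ in the experiment $\mathrm{Exp}^{CEF,\lambda,\ell}_{SiS}$ as probability of positive verification:
$$\mathrm{Adv}(F, \mathrm{Exp}^{CEF,\lambda,\ell}_{SiS}) = \Pr[m \notin M,\ \mathrm{Verify}(m, \sigma, pk) \to 1].$$
We say that the signature scheme is secure if $\mathrm{Adv}(F, \mathrm{Exp}^{CEF,\lambda,\ell}_{SiS}) \leq \varepsilon(\lambda)$, where $\varepsilon(\lambda)$ is negligible.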
Theorem 2. The modified ModSchnorrSig Signature scheme, obtained by applying the Fiat-Shamir transformation to the Identification Scheme from (Krzywiecki, 2016), is secure in the CEF model, assuming the CcDH hardness and programmable ROM.
Sketch. Essentially the same as the proof of the security of the (Krzywiecki, 2016) scheme, utilizing the Forking Lemma (Pointcheval and Stern, 1996). Omitted due to space constraints (to be included in future research).
3.3.2 New Stronger Security Model for CPPA Scheme
Definition 4. Let CPPA = (ParGen, KeyGen, AIDGen, AIDSign, Verify) be a given scheme. We define security experiment $\mathrm{Exp}^{CEF,\lambda,\ell}_{CPPA}$:
Init: $par \leftarrow \mathrm{ParGen}(1^\lambda)$, $(sk, pk) \leftarrow \mathrm{KeyGen}()$.
AIDGen Oracle: The oracle $O_{AIDGen}$ accepts identifiers $V$ and outputs $AID, v, t$. It models a tamper resistant device with the secret key $x$, which produces the secret key $v$ for pseudonym $AID$.
AIDSign Oracle: The oracle $O^{\bar{r}}_{AIDSign}$ accepts messages $m_i$, ephemerals $\bar{r}_i$ and outputs corresponding positively verifiable signatures $\sigma_i = AID, t, R_i, S_i$ generated with the $\bar{r}_i$, i.e. $O^{\bar{r}_i}_{AIDSign}(m_i) \to \sigma_i$, s.t. $\mathrm{Verify}(m_i, \sigma_i, pk) = 1$. The oracle models the device in which the signatures are generated via the algorithm AIDSign, with injected ephemerals, controlled externally by the adversary: $\sigma \leftarrow \mathrm{AIDSign}^{\bar{r}}(m)$.
Adversary: Let the adversary $A^{O_{AIDGen}, O^{\bar{r}}_{AIDSign}}(pk, par)$ be the malicious algorithm initialized with the public key $pk$ and parameters, having access to the AID oracle $O_{AIDGen}$ and the signing oracle $O^{\bar{r}}_{AIDSign}$. The adversary $A^{O_{AIDGen}, O^{\bar{r}}_{AIDSign}}$ issues a number $\ell$ of queries to the oracles. Let $A = \{AID_i, v_i, t_i\}_1^\ell$, $R = \{\bar{r}_i\}_1^\ell$, $M = \{m_i\}_1^\ell$, and $L = \{\sigma_i\}_1^\ell$ denote respectively the set of pseudonyms with keys, the set of the ephemerals, the set of the inputs, and the corresponding outputs the oracles process.
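Impersonation: The adversary generates a pair:
$$(m, \sigma) \leftarrow A^{O_{AIDGen}, O^{\bar{r}}_{AIDSign}}(pk, par).$$
We define the advantage of $A$ in the experiment $\mathrm{Exp}^{CEF,\lambda,\ell}_{CPPA}$ as probability of positive verification:
$$\mathrm{Adv}(A, \mathrm{Exp}^{CEF,\lambda,\ell}_{CPPA}) = \Pr[m \notin M,\ AID \notin A,\ \mathrm{Verify}(m, \sigma, pk) \to 1].$$
We say that the signature scheme is secure if $\mathrm{Adv}(A, \mathrm{Exp}^{CEF,\lambda,\ell}_{CPPA}) \leq \varepsilon(\lambda)$, where $\varepsilon(\lambda)$ is negligible.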
Theorem 3. The original Identity-Based Conditional Privacy-Preserving Authentication Scheme is not secure in the sense of Definition 4.
Proof. The adversary $A$ with the knowledge of the ephemeral $\bar{r}$ is able to compute the secret key of the vehicle $v = s - h_3 \bar{r}$. Therefore the adversary can generate a positively verifiable signature over any message later on.
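Theorem 3's key recovery, carried through on the regular scheme of Figure 1 as an added example that is not code from the paper. The group (p = 2039, q = 1019, g = 4), the SHA-256 stand-ins for H1 to H3, the integer encoding of V and all sample values are constructed assumptions chosen so the block runs offline.

```python
import hashlib

# Toy Schnorr group (constructed parameters, far too small for real use):
# p = 2q + 1 is a safe prime and g = 4 generates the order-q subgroup.
P, Q, G = 2039, 1019, 4

def h(tag, *parts):
    """Hash arbitrary values into Z_q; `tag` separates H1, H2 and H3."""
    data = "|".join([tag] + [str(x) for x in parts]).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q

def key_gen(x):
    """System key pair (sk, pk) = (x, X = g^x)."""
    return x, pow(G, x, P)

def aid_gen(V, x, X, w, t):
    """Tamper-proof device: pseudonym AID and its temporary key v."""
    W = pow(G, w, P)
    W2 = V ^ h("H1", pow(X, w, P))      # second AID element: V xor H1(X^w)
    aid = (W, W2)
    v = (w + h("H2", aid, t) * x) % Q   # v = w + h2 * x
    return aid, v

def aid_sign(aid, v, t, m, r):
    """Regular AIDSign; r is a parameter so the caller can inject it."""
    R = pow(G, r, P)
    s = (v + h("H3", aid, t, R, m) * r) % Q
    return R, s

def verify(X, aid, t, m, R, s):
    """Regular check from Figure 1: g^s == W * X^h2 * R^h3."""
    W = aid[0]
    h2, h3 = h("H2", aid, t), h("H3", aid, t, R, m)
    return pow(G, s, P) == W * pow(X, h2, P) * pow(R, h3, P) % P

def recover_v(aid, t, m, R, s, r_known):
    """Theorem 3: with the ephemeral known, v = s - h3 * r (mod q)."""
    return (s - h("H3", aid, t, R, m) * r_known) % Q

def demo():
    t = 1_700_000_000                   # constructed timestamp
    x, X = key_gen(x=777)
    aid, v = aid_gen(V=0x1234, x=x, X=X, w=345, t=t)
    r_bar = 99                          # ephemeral set by the forger (CEF model)
    R, s = aid_sign(aid, v, t, "ice on bridge", r_bar)
    assert verify(X, aid, t, "ice on bridge", R, s)
    v_rec = recover_v(aid, t, "ice on bridge", R, s, r_bar)
    # A signature on a different message made with the recovered key verifies,
    # which is why the regular scheme fails Definition 4.
    R2, s2 = aid_sign(aid, v_rec, t, "road clear", r=5)
    return v, v_rec, verify(X, aid, t, "road clear", R2, s2)

if __name__ == "__main__":
    print(demo())
```

In the modified scheme the device outputs only $S = \hat{g}^s$, so the subtraction in `recover_v` has no scalar $s$ to operate on.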
Theorem 4. Let CPPA denote the modified Identity-Based Conditional Privacy-Preserving Authentication Scheme. CPPA is secure (in the sense of Definition 4).
Sketch of the proof. We provide the adversary with access to the $O_{AIDGen}$ and $O_{AIDSign}$ oracles. The oracles can be programmed via standard simulation of Schnorr signatures, and registering the inputs and outputs of hash queries in corresponding ROM tables. The $O_{Sign}$ oracle uses ephemerals injected by the forger. The proof is by contradiction. Suppose there is an adversary $A_{AIDSign}$ which would authenticate with non-negligible probability without the appropriate secret key obtained from the AIDGen procedure. We assume that the advantage of the adversary is non-negligible. In the attack stage, by the Forking Lemma, we get two tuples $(m, AID, t, R, S_1)$, $(m, AID, t, R, S_2)$. Subsequently those tuples can be used to obtain $\hat{g}^v$, also with non-negligible probability, for any value $\hat{g}$ provided to the $A_{AIDSign}$ adversary as the answer from the programmable $O_{H_4}$ oracle. Therefore the adversary can be used as a subprocedure by the efficient algorithm $F_{ModSchnorrSig}$ that forges the modified Schnorr signature scheme, obtained by the Fiat-Shamir transformation on the (Krzywiecki, 2016) scheme.
3.4 Performance
Additional assessments of complexity were performed. They are not included in this paper due to the space constraint and the fact that they are not essential in the context of this paper; however, they were acceptable in real-world applications.
4 CONCLUSION
We modified the Identity-Based CPPA from (He et al., 2015) to a version resistant to ephemeral key setting. This kind of setting can be used by the adversary in scenarios with possible leakage/injection of ephemeral values. In such scenarios a secret key masked by the ephemeral value is not secure even if it is stored in the secure memory module in the device. We proposed the stronger security model to cover that particular scenario and proved the security of the proposed scheme in our model.
ACKNOWLEDGEMENTS
This paper was supported by Wroclaw University of
Science and Technology, grant S50129/K1102.
REFERENCES
Dorrendorf, L., Gutterman, Z., and Pinkas, B. (2007). Cryptanalysis of the random number generator of the windows operating system. Cryptology ePrint Archive, Report 2007/419. https://eprint.iacr.org/2007/419.
He, D., Zeadally, S., Xu, B., and Huang, X. (2015). An efficient identity-based conditional privacy-preserving authentication scheme for vehicular ad hoc networks. In IEEE Transactions on Information Forensics and Security (Volume: 10, Issue: 12, Dec. 2015), August 31, 2015, pages 2681–2691.
Krzywiecki, L. (2016). Schnorr-like identification scheme resistant to malicious subliminal setting of ephemeral secret. In Innovative Security Solutions for Information Technology and Communications - 9th International Conference, October 05, 2016, pages 137–148.
Krzywiecki, L. and Kutylowski, M. (2017). Security of okamoto identification scheme: a defense against ephemeral key leakage and setup. In Proceedings of the Fifth ACM International Workshop on Security in Cloud Computing, April, 2017, pages 43–50.
Li, C., Zhang, X., Wang, H., and Li, D. (2018). An enhanced secure identity-based certificateless public key authentication scheme for vehicular sensor networks. Sensors, 18(1):194.
Lu, R., Lin, X., Zhu, H., Ho, P.-H., and Shen, X. (2008). ECPP: Efficient conditional privacy preservation protocol for secure vehicular communications. In IEEE INFOCOM 2008 - The 27th Conference on Computer Communications, April 13-18, 2008, pages 1229–1237.
Ming, Y. and Shen, X. (2018). PCPA: A practical certificateless conditional privacy preserving authentication scheme for vehicular ad hoc networks. In Sensors 2018.
Pointcheval, D. and Stern, J. (1996). Security proofs for signature schemes. In Maurer, U., editor, Advances in Cryptology EUROCRYPT ’96, pages 387–398, Berlin, Heidelberg. Springer Berlin Heidelberg.
Saito, T. and Uchiyama, S. (2004). The co-diffie-hellman problem over elliptic curves. Reports of the Faculty of Science and Engineering, 33(1):1–8.
Shim, K.-A. (2012). CPAS: An efficient conditional privacy-preserving authentication scheme for vehicular sensor networks. In IEEE Trans. Veh. Technol., vol. 61, no. 4, May, 2012, pages 1874–1883.
Zhang, C., Lin, X., Lu, R., and Ho, P.-H. (2008). RAISE: An efficient rsu-aided message authentication scheme in vehicular communication networks. In 2008 IEEE International Conference on Communications, May 19-23, 2008, pages 1451–1457.