A. Review
We will now briefly discuss Lin’s [1] forgery attack against our privacy-preserving aggregation authentication scheme (PPAAS) described in [2]. Recall that PPAAS is based on the CASS that consists of five stages, namely: system initialization, registration, message delivery, fog-cloud based message processing, and trace. We will now describe these five stages below.
System initialization: The TA generates the public system parameters and the master secret key, where the master key is used to issue partial private keys for the entities (i.e., vehicles or RSUs) in the system.
Registration: Vehicles obtain a pool of pseudonyms and the corresponding partial private keys from the TA and then use them to generate their full private-public key pairs. As for the RSUs, they only obtain one partial private key from the TA and then use it to generate their long-term full private-public key pair. Specifically, the TA computes the partial private key of an entity by running the PPK algorithm of CASS proposed in [2], while the vehicle/RSU computes the full public-private key pairs by running the UKG algorithm of CASS proposed in [2].
Message delivery: Vehicles generate signcrypted traffic-related messages and send them to nearby RSUs. For example, when a vehicle enters the communication range of an RSU and needs to send a traffic-related message to the RSU, it runs the Signcrypt algorithm of the CASS proposed in [2] which takes the traffic-related message, the current aggregate keyword, its current pseudonym, and the corresponding private-public key pair generated in the registration stage, and the public key and identity of the RSU as inputs.
Fog-cloud based message processing: The RSUs unsigncypt the received signcrypted traffic-related messages under the same aggregate keyword and aggregate them into an aggregated ciphertext. Concretely, the RSU runs the AggUnSignCrypt algorithm of CASS proposed in [2] which takes the traffic-related message, the current aggregate keyword, its current pseudonym and the corresponding private-public key pair generated in the registration stage, and the public key and identity of the RSU as inputs. Then, the RSUs run Pre to generate a collision warning message and then forward the aggregated ciphertext to the CS.
Trace: The TA recovers the real identity of any malicious vehicle. Specifically, if an RSU finds a fake message, it will forward the corresponding pseudonym to the TA, which can then be used to recover the malicious vehicle’s real identity.