Protocol 1 CPPA-SM2

①System Initialization For TA: 1: Use $\lambda$ to generate two large prime numbers $p$ and $q$. 2: Randomly select $s\in Z_q^{\ast }$ and calculates $P_{pub}=s\cdot G$. 3: Choose five one-way hash functions $H_i={\{0,1\}}^{\ast }\to Z_q^{*},i=1,2,3,4,5$. 4: Publish $param=\{p,q,E(F_p),G,\mathbb{G},Z_q^{*},P_{pub},H_1,H_2,H_3,H_4,H_5\}$. ②Registration For each vehicle: 1: $V_i$ randomly selects $x_i\in Z_q^{*}$, calculates $X_i=x_i\cdot G$ and send $(RI{D}_i,X_i)$ to TA. 2: Upon receiving $(RI{D}_i,X_i)$, TA calculates $h_i=H_1(X_i||P_{pub})$, $y_i=s\cdot h_i$, $Y_i=y_i\cdot G$ and randomly selects $s{k}_i\in Z_q^{*}$. Then, TA sends $y_i$, $Y_i$ and $s{k}_i$ to $V_i$. 3: $V_i$ sets $(X_i,Y_i)$, $(x_i,y_i)$ and $s{k}_i$. For each RSU: 1: $RS{U}_j$ sends $I{D}_{RSUj}$ to TA. 2: TA generates a pair of public and private keys $(s{k}_{RS{U}_j},p{k}_{RS{U}_j})$ and sends them to $RS{U}_j$. 3. $RS{U}_j$ sets $(s{k}_{RS{U}_j},p{k}_{RS{U}_j})$. For TA: 1: Calculate $\theta ={\displaystyle {\prod }_{i=1}^{n}s{k}_i}$, $a_i=\theta /s{k}_i$, $b_i={(a_i)}^{-1}\mathrm{mod}s{k}_i$ and set $c_i=a_i\cdot b_i$, $u={\displaystyle \sum _{i=1}^n{c}_i}$. 2: Randomly pick a group key $K\in Z_q^{*}$ and calculate the group public key $\beta =K\cdot u$ and $D_{pub}=K\cdot G$. 3: Sign $\beta$, $D_{pub}$ and the $K$’s valid period $T_K$ using its private key $s{k}_{TA}$ and broadcast the information $\{\beta ,D_{pub},SI{G}_{s{k}_{TA}}(\beta \left|\right|D_{pub}\left|\right|T_K)\}$ to vehicles and RSUs in $C_n$. ③Message Sign For each vehicle: 1: $V_i$ trains the global model $W_{global}^t$ using its local dataset $D_i$ to obtain the local model parameters $W_i^t$. 2: $V_i$ randomly selects $c_i\in Z_q^{*}$ to generate a pseudo identity $PI{D}_i=(PI{D}_{i,1},PI{D}_{i,2})$, where $PI{D}_{i,1}=c_i\cdot G$ and $PI{D}_{i,2}=RI{D}_i\oplus H_2(c_i\cdot P_{pub})$. 3: $V_i$ calculates $Z_i=H_3(le{n}_{PI{D}_{i,2}}|\left|PI{D}_{i,2}\right|\left|a\right|\left|b\right|\left|G\right||X_i)$, ${\phi }_i=H_4(PI{D}_{i,1}||T_i)$ and $sg{k}_i=y_i+Z_i\cdot K+x_i\cdot {\phi }_i$. 4: $V_i$ randomly selects $k_i\in Z_q^{*}$, calculates ${\mathcal{K}}_i=k_i\cdot G=(x_1,y_1)$ $e_i=H_5(Z_i|\left|W_i^t\right|T_i)$, $r_i=e_i+x_1\mathrm{mod}q$ and $s_i={(1+sg{k}_i)}^{-1}\cdot (k_i-r_i\cdot sg{k}_i)\mathrm{mod}q$. 5. $V_i$ obtains the signature ${\sigma }_{{ }_i}^t=(r_i,s_i)$ of $W_i^t$ and sends messages $\{W_{{ }_i}^t,{\sigma }_{{ }_i}^t,(X_i,Y_i),PI{D}_i,T_i\}$ to the nearby $RS{U}_j$. ④Message Verification For each RSU: 1: Upon receiving the messages $\{W_{{ }_i}^t,{\sigma }_{{ }_i}^t,(X_i,Y_i),PI{D}_i,T_i\}$ from $V_i$, $RS{U}_j$ first checks the validity of timestamp. If $\Delta T\ge T_a-T_i$, where $T_a$ represents the arrival time, continues; otherwise, discards. 2: $RS{U}_j$ calculates $Z_i=H_3(le{n}_{PI{D}_{i,2}}|\left|PI{D}_{i,2}\right|\left|a\right|\left|b\right|\left|G\right||X_i)$, $e_i=H_5(Z_i|\left|W_i^t\right||T_i)$, ${\phi }_i=H_4(PI{D}_{i,1}||T_i)$, $t_i=r_i+s_i\mathrm{mod}q$ and ${\mathcal{K}}_{{ }_i}^{’}=(x_1^{’},y_1^{’})=s_i\cdot G+t_i\cdot [Y_i+Z_i\cdot D_{pub}+{\phi }_i\cdot X_i]$. 3: $RS{U}_j$ checks the equality of $R=e_i+x_1^{’}=r_i$ for authentication and validity. 4: $RS{U}_j$ uses the FedAvg algorithm to locally aggregate the verified local model parameters $\{W_{{ }_1}^t,W_{{ }_2}^t,\dots ,W_{{ }_n}^t\}$, producing a local aggregation result $W_{RS{U}_j}^t\leftarrow FedAvg(W_i^t,n)$. 5: $RS{U}_j$ signs this result with its private key and sends messages $\{W_{RS{U}_j}^t,SI{G}_{s{k}_{RS{U}_j}}(W_{RS{U}_j}^t)\}$ to CS. For CS: 1: CS performs a global aggregation on the verified local aggregation results $\{W_{RS{U}_1}^t,W_{RS{U}_2}^t,\dots ,W_{RS{U}_m}^t\}$ to obtain the global model $W_{global}^{t+1}\leftarrow FedAvg(W_{RS{U}_j}^t,m)$. 2: CS signs the global model with its private key and sends messages $\{W_{global}^{t+1},SI{G}_{s{k}_{CS}}(W_{global}^{t+1})\}$ to the vehicles within the communication group via RSUs. ⑤Group Member Management Trace: 1: TA uses the system’s master private key $s$ to recover the vehicle’s true identity $RI{D}_i=PI{D}_{i,2}\oplus H_2(s\cdot PI{D}_{i,1})$. Revoke: 1. TA first removes $c_i$ related to $V_i$ from $u$ by computing $u^{’}=u-c_i$. 2: TA randomly selects a new group key $K^{’}\in Z_q^{*}$, calculates new group public keys ${\beta }^{’}=K^{’}\cdot u^{’}$ and $D_{pub}^{’}=K^{’}\cdot G$, and broadcasts the updated information $\{{\beta }^{’},D_{pub}^{’},SI{G}_{s{k}_{TA}}({\beta }^{’}\left|\right|D_{pub}^{’}\left|\right|T_{K^{’}})\}$ to vehicles and RSUs in $C_n$. Add: 1. TA randomly selects a new group key $K^{’}\in Z_q^{*}$ and calculates ${\theta }^{’}=\theta \cdot f_i$, $a_i^{’}={\theta }^{’}/f_i$, $b_i^{’}={(a_i^{’})}^{-1}\mathrm{mod}s{k}_i$, $c_i^{’}=a_{{ }_i}^{’}\cdot b_{{ }_i}^{’}$ and $u^{’}={\displaystyle \sum _{i=1}^n{c}_i^{’}}$. 2. TA computes new group public keys ${\beta }^{’}=K^{’}\cdot u^{’}$ and $D_{pub}^{’}=K^{’}\cdot G$, and broadcasts the updated information $\{{\beta }^{’},D_{pub}^{’},SI{G}_{s{k}_{TA}}({\beta }^{’}\left|\right|D_{pub}^{’}\left|\right|T_{K^{’}})\}$ in $C_n$.