Efficient Privacy-Preserving Data Sharing for Fog-Assisted Vehicular Sensor Networks

Abstract

Vehicular sensor networks (VSNs) have emerged as a paradigm for improving traffic safety in urban cities. However, there are still several issues with VSNs. Vehicles equipped with sensing devices usually upload large amounts of data reports to a remote cloud center for processing and analyzing, causing heavy computation and communication costs. Additionally, to choose an optimal route, it is required for vehicles to query the remote cloud center to obtain road conditions of the potential moving route, leading to an increased communication delay and leakage of location privacy. To solve these problems, this paper proposes an efficient privacy-preserving data sharing (EP${}^2$DS) scheme for fog-assisted vehicular sensor networks. Specifically, the proposed scheme utilizes fog computing to provide local data sharing with low latency; furthermore, it exploits a super-increasing sequence to format the sensing data of different road segments into one report, thus saving on the resources of communication and computation. In addition, using the modified oblivious transfer technology, the proposed scheme can query the road conditions of the potential moving route without disclosing the query location. Finally, an analysis of security suggests that the proposed scheme can satisfy all the requirements for security and privacy, with the evaluation results indicating that the proposed scheme leads to low costs in computation and communication.

1. Introduction

Vehicular sensor networks (VSNs) [1,2,3], that is, a combination of wireless communication given by vehicular ad hoc networks [4] and the sensing devices installed in the vehicle, can improve traffic conditions in urban cities, and have recently received considerable attention. In VSNs, the vehicles equipped with sensing devices can record a myriad of data reports on the road conditions and environment situations, and these data reports need be uploaded to the remote cloud center [5,6] for processing and analyzing. In addition, vehicles often need to query the road conditions of potential moving routes at remote cloud centers. However, uploading a large amount of data reports to the cloud data center consumes heavy bandwidth, and leads to an increased communication delay.

Recently, fog computing [7] has been proposed to extend the capabilities of cloud computing [8] near vehicles [9], which can locally handle the data reports uploaded by vehicles. These new properties will bring about benefits such as location awareness and low latency. Fog computing has already been used to provide low latency services in vehicular sensor networks, such as navigation services [10] and surface condition monitoring [11].

A typical architecture of fog-assisted vehicular sensor networks (F-VSNs) [12,13,14] contains the trusted authority, cloud center, fog nodes, and vehicles. The trusted authority is responsible for generating system parameters, and the registration of all entities (cloud center, fog nodes and vehicles). The cloud center provides centralized control with strong computing power and large storage capacity from a remote location. Fog nodes have available computing, storage, and communication resources [15], which is deployed at the edge of networks with physical proximity to vehicles, playing as the bridge across the vehicles and the cloud center. Vehicles are installed with a variety of smart sensors that can sense road conditions and environmental parameters. F-VSNs allows some computations and processing to be performed at the fog nodes, greatly reducing the consumption of communication time and energy.

Although F-VSNs brings a great deal of benefits and conveniences, there still exist several issues in terms of data collection and data query. Specifically, vehicles generate a large amount of sensory data reflecting the road conditions and environment situations, and need to upload the sensory data to cloud center for further processing and analyzing, which brings heavy computation and communication costs. To solve this problem, data aggregation technology, which is designed to aggregate multiple data into one report, has recently received more and more attention.

However, using the existing data aggregation schemes [16,17,18,19,20,21,22] cannot determine the number of data reports produced in each road segment, and cannot compute the average sensory data in each road segment. To solve the problem, the scheme [23] exploits the Chinese remainder theorem and Paillier cryptosystem to calculate the average sensory data in each segments; however, it brings heavy computation and communication costs. In addition, to choose an optimal route, vehicles often query about the road conditions of the potential moving routes, but the query reports uploaded by vehicles are tightly associated with the query location, and thus the query location could be disclosed.

The oblivious transfer [24,25], homomorphic encryption technology [26,27], and proxy re-encryption technique [23] have been exploited to hide the query location. However, it is worth noting that the computation and communication costs by the schemes [24,25] is directly proportional to the data dimension, the schemes [26,27] do not support the scenario with high vehicle density, and the scheme [23] needs heavy computation and communication costs.

1.1. Our Contributions

To solve the aforementioned problems, this paper proposes an efficient privacy-preserving data sharing (EP${}^2$DS) scheme for fog-assisted vehicular sensor networks. The main contributions of this paper are as follows:

• First, the proposed EP${}^2$DS scheme exploits the super-increasing sequence [20] for achieving multi-dimensional data aggregation, while calculating the average sensory data in each road segment, greatly saving on the resources of communication and computation.

• Secondly, by utilizing the modified oblivious transfer [28], the proposed EP${}^2$DS scheme is able to query about the road conditions of the potential moving routes without disclosing the query location.

• Thirdly, an analysis of security indicates that the proposed EP${}^2$DS scheme is proven to be secure under elliptic curve discrete logarithm (ECDL) assumption in the random oracle model and satisfies all the requirements for security and privacy.

• Finally, the performances of computation and communication in costs are evaluated through quantitative calculations, with the results that the proposed EP${}^2$DS scheme is of more efficiency than others.

1.2. Organization

This paper is organized as follows. The related work is surveyed in Section 2. We introduce the background in Section 3. The concrete scheme is proposed in Section 4. Section 5 provides an analysis of the security. In Section 6, the performance evaluation is performed. Section 7 concludes the paper.

2. Related Works

Some works closely related to this paper are briefly reviewed below.

In F-VSNs, massive sensory data is produced in each data dimension, and needs to be uploaded for further processing and analysis; data aggregation schemes [16,17,18,19,20,21,22,23] have received considerable attention recently, and are roughly classified into two categories: single-dimensional data aggregation [16,17,18,19] and multi-dimensional data aggregation [20,21,22,23]. Zhuo et al. [16] introduced a data aggregation scheme, which protects each involved entity’s identity privacy, and allows the requester to examine the correctness of the obtained results. Rabieh et al. [17] employed the data aggregation technique to find out the routes for the vehicle to be in each road segment; however, it only can calculate the data aggregation result, and cannot recover the content in each data dimension.

Xu et al. [18] constructed a privacy-preserving data aggregation scheme that can classify messages based on where and when the sensor data is collected, and aggregate the data collected in the same area and period. Sun et al. [19] designed a data aggregation mechanism considering data integrity and access control. However, the schemes [16,17,18,19] are unable to determine the number of the data reports produced in each data dimension, and further fail to calculate the average sensory data in each data dimension. Lin et al. [20] integrated the perturbation technique and super-increasing sequence to combine multiple aggregated data into one data report to improve the energy efficiency.

Lu et al. [21] employed the homomorphic Paillier encryption, one-way hash chain technique and Chinese remainder theorem to achieve lightweight multi-dimensional data aggregation. On the basis of the super-increasing sequence and modified homomorphic Paillier encryption, Wang et al. [22] introduced a multi-subtasks aggregation scheme, in which each aggregated datum is mapped to a specific area and period. Kong et al. [23] designed a privacy-preserving multi-dimensional data sharing scheme using the Chinese remainder theorem and modified Paillier encryption, with counting the number of the sensory data collected at each segments and calculating the average sensory data in each segment.

Although schemes [20,21,22,23] are able to calculate the average sensory data in each data dimension, they bring heavy computation costs and communication overhead. In addition, the query vehicle usually wants to know the road conditions of the potential moving route, which could lead to that the query location being disclosed in the data query process, the schemes in [23,24,25,26,27] have been proposed to solve this problem.

Ghinita et al. [24] and Paulet et al. [25] employed the oblivious transfer to hide query location in the data query process, but the communication cost of schemes [24,25] is directly proportional to the data dimension. Zhu et al. [25,26] utilized an improved homomorphic encryption technology to protect the query location in location-based services, but it do not support scenarios with a high vehicle density. Kong et al. [23] utilized the proxy re-encryption technique to hide the query location, but it does not support queries of whole network sensory data during the data query phase.

To sum up, from the review above, the available data aggregation schemes [16,17,18,19,20,21,22,23] either fail to determine the number of data reports produced in each data dimension or bring heavy computation and communication costs. In addition, the communication costs of the existing schemes [23,24,25,26,27] are either directly proportional to the data dimension or bring heavy communication costs in the data query process.

To address the issues above, we propose an EP${}^2$DS scheme for fog-assisted vehicular sensor networks, which can not only reduce the computation and communication costs, but also calculate the average sensory data in each road segment. Additionally, the proposed EP${}^2$DS scheme can query the road conditions of potential moving routes without disclosing the query location.

3. Background

3.1. System Model

The system model is presented in Figure 1, which is composed of five entities: trusted authority ($TA$), cloud center ($CC$), the data collection vehicle $V_i$$(i=1,2,···,\delta )$, fog node $F{N}_j$$(j=1,2,···,n)$, and the data query vehicle $V_q$. The road area is divided into m segments, and each segment k$(k=1,2,···,m)$ is represented by a unique two-dimensional identifier $(u_k,v_k)$, approximating of the location coordinates [23]. As to readability, the definitions of notations employed in this study are illustrated in Table 1.

Figure 1.

System model.

Table 1.

Notations

Symbol	Definition
$TA$	Trusted authority
$CC$	Cloud center
$\left(s,P_{pub}\right)$	$TA$’s public key and private key
$\left(x,P_{cc}\right)$	$CC$’s public key and private key
$V_i$	The i-th data collection vehicle
$(I{D}_i,PI{D}_i)$	$V_i$’s real identity and pseudo identity
$\left(x_i,R_i\right)$	$V_i$’s private key
$F{N}_j$	The j-th fog node
$I{D}_j$	$F{N}_j$’s identity
$\left(x_{F{N}_j},R_{F{N}_j}\right)$	$F{N}_j$’s private key
$V_q$	The data query vehicle
$(I{D}_q,PI{D}_q)$	$V_q$’s real identity and pseudo identity
$\left(x_q,R_q\right)$	$V_q$’s private key
$(u_k,v_k)$	Identifier of the segment k
d	Maximum value of sensory data
m	The total number of segments
n	The total number of fog nodes
$\delta$	The total number of vehicles
$\left|d\right|$	Maximum length of sensory data
$\phi$	The vehicles’ sharing key
$d_{i,k}^j$	The sensory data captured by $V_i$ at segment k under $F{N}_j$
$e_{i,k}^j$	If $d_{i,k}^j>0$, then $e_{i,k}^j=1$; If $d_{i,k}^j=0$, then $e_{i,k}^j=0$.
$H_i$	Eight one-way hash functions, $H_i:{\{0,1\}}^{*}\to Z_q^{*},i=1,2,···,7,H_8:{\{0,1\}}^{*}\to {\{0,1\}}^{\left|d\right|-1}$.
⊕	The exclusive OR operation
$p,q$	Two large prime numbers
$F_p$	The finite field over p
$\mathbb{G}$	An additive group with the order q on the elliptic curve E over $F_p$
P	A generator of $\mathbb{G}$

The wireless connections between the vehicles and the fog nodes are brought about by the Institute of Electrical and Electronics Engineers (IEEE) 802.11p standard [29]. The connections between the fog nodes and $CC$ are achieved via either the wired links or other links with low transmission delay and high bandwidth.

$TA$: A fully trusted entity, which is responsible for the management of the security parameters for the system and the registration of the cloud center, fog nodes, and vehicles, and periodically updates the system information.

$CC$: An honest-but-curious entity, which is responsible for providing centralized control with powerful storage and computing capabilities from a remote location. In addition, it can perform computational analytics from data reports uploaded by the fog nodes, and distribute data to all fog nodes for further sharing with vehicles [30].

$V_i$: It is equipped with smart sensors, periodically formatting a data report from the collected sensory data and uploading the data report towards the fog node.

$F{N}_j$: This consists of a road side unit and an edge server [13], and aggregates the data reports uploaded by the data collection vehicles under its communication range and transmits the aggregated data report towards $CC$. Meanwhile, each fog node manages one or more segments, and can assist in sharing the sensory data to the query vehicle [31].

$V_q$: To choose an optimal route, $V_q$ usually sends a query report to the fog node, then the fog node returns a response report to $V_q$.

In our system model, we assume the fog node is honest-but-curious, i.e., it is able to correctly execute the operations defined in the protocol; however, it also can try to violate the privacy of the vehicle through analyzing the vehicle’s data report and query report; meanwhile, we assume neither the fog nodes nor the query vehicles can collude with each other in the proposed EP${}^2$DS scheme. Additionally, we assume there exists an attacker, which can eavesdrop on the data transmission and launch attacks.

3.2. Security Requirement

The following security requirements should be achieved.

Authentication and data integrity: The proposed EP${}^2$DS scheme should guarantee that any reports are not modified during the transmission process, and can detect any modification of the reports; moreover, any entity in F-VSNs should be able to be authenticated to ensure the reliability of the data source.

Confidentiality: To ensure the privacy of sensory data, the proposed EP${}^2$DS scheme should provide confidentiality, i.e., no attacker can obtain the sensory data from data report.

Location privacy preservation: To protect vehicle’s query location, it is important not to disclose the query location to fog nodes that provide location-based services in the data query process.

Identity privacy preservation: Apart from the $TA$, any entities should not trace or recognize the identity of the data collection vehicle by analyzing the received data reports.

Traceability: $TA$ should be able to reveal the identity of the malicious vehicle uploading the bogus data report.

Unlinkability: Apart from the $TA$, neither fog nodes nor the malicious vehicles can determine whether the two data reports are from the same vehicle.

Resistance to attacks: The proposed EP${}^2$DS scheme should be able to withstand various popular attacks such as the modification attack, replay attack, impersonation attack, and man-in-the-middle attack.

3.3. Elliptic Curve

Let $F_p$ be a finite field with a prime number p. The elliptic curve E over $F_p$ defined as the set of all points $(x,y)$ meeting $y^2=x^3+ax+bmodp$, where $4a^3+27b^2\ne 0$ and $a,b\in F_p$ [32,33].

An infinity point O, and other points on E, form an additive cyclic group $\mathbb{G}$ with the order q and generator P. Let $P\in \mathbb{G}$ and $k\in {\mathbb{Z}}_q^{*}$, the scalar multiplication over $\mathbb{G}$ is described as $kP=P+P+···+P$ (k times).

3.4. Security Assumption

ECDL problem [34,35]: Given two elements $P,Q\in \mathbb{G}$, the ECDL problem is to find an integer $x\in {\mathbb{Z}}_q^{*}$ such that $Q=xP$.

ECDL assumption [34,35]: It is hard for any probabilistic polynomial-time algorithm to solve ECDL problem with non-negligible probability.

4. The Proposed Scheme

The proposed EP${}^2$DS scheme includes system initialization, registration, data collection, and data query phases. Note that the data flows in the data collection and data query phases are shown in Figure 2.

Figure 2.

Data flows in the data collection and data query phases.

4.1. System Initialization

$TA$ produces all system parameters through executing the following steps.

• (1)$TA$ randomly chooses a large prime number p, and selects a non-singular elliptic curve E defined by $y^2=x^3+ax+bmodp$, where $a,b\in F_p$.
• (2)$TA$ picks a group $\mathbb{G}$ of E with the prime order q and a generator P.
• (3)$TA$ randomly chooses $s\in {\mathbb{Z}}_q^{*}$ as its master key and computes its public key $P_{pub}=sP$.
• (4)$TA$ chooses eight one-way hash functions $H_i:{\{0,1\}}^{*}\to {\mathbb{Z}}_q^{*}$, $i=1,2,···,7$, $H_8:{\{0,1\}}^{*}\to \in {\{0,1\}}^{\left|d\right|-1}$.
• (5)$TA$ chooses a super-increasing sequence $\overrightarrow{a}=(a_1,a_2,···,a_m)$, such that ${\sum }_{k=1}^m{a}_{k}3n\delta d<q$, ${\sum }_{k=1}^{i-1}{a}_{k}3n\delta d<a_i$ ($i=1,2,···,m$), where $a_1,a_2,···,a_m$ are large prime numbers and d is the maximum value of the data. Then, $TA$ assigns prime number $a_k$ towards segment k.
• (6)$TA$ publishes the system parameters $\{p,q,\mathbb{G},P,P_{pub},$ $H_1,H_2,H_3,H_4,H_5,H_6,H_7,H_8,\overrightarrow{a}\}$.

4.2. Registration

All vehicles, fog nodes, and cloud centers register with $TA$.

4.2.1. $V_i$ Registers with $TA$

• (1)$V_i$ sends the identity $I{D}_i$ to the $TA$ in secure channel.
• (2)
  After confirming the identity $I{D}_i$, $TA$ randomly chooses $w_i\in {\mathbb{Z}}_q^{*}$ and computes

  $$PI{D}_{i,1}=w_{i}P,PI{D}_{i,2}=I{D}_i\oplus H_1(w_i{P}_{pub},t_i),$$

  and sets $PI{D}_i=\{PI{D}_{i,1},PI{D}_{i,2},t_i\}$, where $t_i$ represents the valid period of $PI{D}_i$.
• (3)
  $TA$ randomly chooses $r_i\in {\mathbb{Z}}_q^{*}$ and computes

  $$R_i=r_{i}P,x_i=r_i+s{H}_2(PI{D}_i,R_i,P_{pub}).$$
• (4)$TA$ randomly chooses a sharing key $\phi \in {\{0,1\}}^{\left|d\right|-1}$, and transmits the pseudo identity $PI{D}_i$, the private key $(x_i,R_i)$ and the sharing key $\phi$ to $V_i$ in a secure channel.

4.2.2. $F{N}_j$ Registers with $TA$

• (1)$F{N}_j$ sends the identity $I{D}_{F{N}_j}$ to the $TA$ in a secure channel.
• (2)
  $TA$ randomly chooses $r_{F{N}_j}\in {\mathbb{Z}}_q^{*}$ and computes

  $$R_{F{N}_j}=r_{F{N}_j}P,x_{F{N}_j}=r_{F{N}_j}+s{H}_3(I{D}_{F{N}_j},R_{F{N}_j},P_{pub}).$$
• (3)$TA$ sends the private key $(x_{F{N}_j},R_{F{N}_j})$ to $F{N}_j$ in a secure channel.

4.2.3. $CC$ Registers with $TA$

• (1)$TA$ randomly chooses $x\in {\mathbb{Z}}_q^{*}$ and computes $P_{cc}=xP$.
• (2)$TA$ sends the private key x and public key $P_{cc}$ to $CC$ in a secure channel.

4.3. Data Collection

The data collection phase includes three processes: data gathering, data aggregation, and data reading.

4.3.1. Data Gathering

$V_i$ gathers sensory data in a short period of time, e.g., every five minutes: (i) if there is a sensory data obtained at road segment k under $F{N}_j$, i.e., $d_{i,k}^j>0$, then $e_{i,k}^j=1$; (ii) if there is no sensory data obtained at road segment k under $F{N}_j$, i.e., $d_{i,k}^j=0$, then $e_{i,k}^j=0$.

$V_i$ produces a data report through executing the following steps:

• (1)$V_i$ formats $(d_{i,1}^j,d_{i,2}^j,···,d_{i,m}^j)$ and $(e_{i,1}^j,e_{i,2}^j,···,e_{i,m}^j)$ into $d_i^j={\sum }_{k=1}^m{a}_k(d_{i,k}^j+\phi )$ and $e_i^j={\sum }_{k=1}^m{a}_k(e_{i,k}^j+\phi )$.
• (2)
  $V_i$ randomly selects $r_i^j$, $s_i^j\in {\mathbb{Z}}_q^{*}$ and computes

  $$A_i^j=r_i^{j}P,B_i^j=d_i^{j}P+r_i^j{P}_{cc},C_i^j=s_i^{j}P,D_i^j=e_i^{j}P+s_i^j{P}_{cc}.$$
• (3)
  $V_i$ randomly picks $l_i^j\in {\mathbb{Z}}_q^{*}$ and calculates

  $$L_i^j=l_i^{j}P,{\sigma }_i^j=x_i+l_i^j{H}_4(PI{D}_i,R_i,A_i^j,B_i^j,C_i^j,D_i^j,L_i^j,T_i^j),$$

  where $T_i^j$ is current timestamp.
• (4)$V_i$ transmits the data report $D{R}_i^j=\{PI{D}_i,R_i,A_i^j,B_i^j,$ $C_i^j,D_i^j,L_i^j,{\sigma }_i^j,T_i^j\}$ towards $F{N}_j$, as shown in Figure 2 (①).

4.3.2. Data Aggregation

Supposing w vehicles $\{V_1,V_2,···,V_w\}$ upload the data reports $\{D{R}_1^j,D{R}_2^j,···,D{R}_w^j\}$ to $F{N}_j$, where $w\le \delta$. $F{N}_j$ can aggregate data reports through executing the following steps:

• (1)
  $F{N}_j$ checks whether $t_i$ is valid and $T_i^j$ is fresh for each $i=1,2,···,w$. If $t_i$ is not valid or $T_i^j$ is not fresh, $D{R}_i^j$ will be rejected. Otherwise, $F{N}_j$ performs the batch verification using small exponent test [36]. $F{N}_j$ randomly selects a set of small numbers ${\theta }_1^j,{\theta }_2^j,···,{\theta }_w^j\in [1,2^w]$ and checks whether the following equation holds

  $$\begin{array}{c}{\sum }_{i=1}^w{\theta }_i^j{\sigma }_i^{j}P={\sum }_{i=1}^w{\theta }_i^j{R}_i+{\sum }_{i=1}^w{\theta }_i^j{H}_2(PI{D}_i,R_i,P_{pub})P_{pub}\hfill \\ +{\sum }_{i=1}^w{\theta }_i^j{H}_4(PI{D}_i,R_i,A_i^j,B_i^j,C_i^j,D_i^j,L_i^j,T_i^j)L_i^j.\hfill \end{array}$$
  If it does hold, $F{N}_j$ computes

  $$A^j={\sum }_{i=1}^w{A}_i^j,B^j={\sum }_{i=1}^w{B}_i^j,C^j={\sum }_{i=1}^w{C}_i^j,D^j={\sum }_{i=1}^w{D}_i^j.$$
• (2)
  $F{N}_j$ randomly picks $l^j\in {\mathbb{Z}}_q^{*}$ and calculates

  $$L^j=l^{j}P,{\sigma }^j=x_{F{N}_j}+l^j{H}_5(I{D}_{F{N}_j},R_{F{N}_j},A^j,B^j,C^j,D^j,L^j,T^j),$$

  where $T^j$ is current timestamp.
• (3)$F{N}_j$ transmits the aggregated data report $AD{R}^j=\{I{D}_{F{N}_j},R_{F{N}_j},A^j,B^j,C^j,D^j,L^j,{\sigma }^j,T^j\}$ towards $CC$, as shown in Figure 2 (②).

4.3.3. Data Reading

After receiving $\{AD{R}^1,AD{R}^2,···,AD{R}^n\}$ from $\{F{N}_1,$ $F{N}_2,···,F{N}_n\}$ respectively, $CC$ executes the following steps:

• (1)
  $CC$ checks whether $T^j$ is fresh for each $j=1,2,···,n$. If $T^j$ is not fresh, $AD{R}^j$ will be rejected. Otherwise, $CC$ randomly chooses a set of small numbers ${\theta }^1,{\theta }^2,···,{\theta }^n\in [1,2^n]$ and performs the batch verification using small exponent test [36]. $CC$ verifies whether the following equation holds

  $$\begin{array}{c}{\sum }_{j=1}^n{\theta }^j{\sigma }^{j}P={\sum }_{j=1}^n{\theta }^j{R}_{F{N}_j}+{\sum }_{j=1}^n{\theta }^j{H}_3(I{D}_{F{N}_j},R_{F{N}_j},P_{pub})P_{pub}\hfill \\ +{\sum }_{j=1}^n{\theta }^j{H}_5(I{D}_{F{N}_j},R_{F{N}_j},A^j,B^j,C^j,D^j,L^j,T^j)L^j.\hfill \end{array}$$
  If it does hold, $CC$ calculates

  $$\mathsf{\Phi }={\sum }_{j=1}^n{B}^j-x·{\sum }_{j=1}^n{A}^j,\Delta ={\sum }_{j=1}^n{D}^j-x·{\sum }_{j=1}^n{C}^j.$$
  By solving the discrete log of $\mathsf{\Phi }$ and $\Delta$ with the base P, utilizing the Pollard’s lambda algorithm [37], $CC$ can obtain

  $$\mu ={\sum }_{j=1}^n{\sum }_{i=1}^w(\phi +d_i^j),\nu ={\sum }_{j=1}^n{\sum }_{i=1}^w(\phi +e_i^j).$$
• (2)$CC$ distributes $\mu$ and $\nu$ to all fog nodes $\{F{N}_1,F{N}_2,···,F{N}_n\}$ for further sharing with vehicles.

4.4. Data Query

The data query vehicle $V_q$ intends to query the data captured at segment c with the identifier $(u_c,v_c)$ at the $F{N}_j$. The phase includes three processes: query generation, data response, and response reading.

4.4.1. Query Generation

• (1)
  $V_q$ selects two random numbers $r_q^j,s_q^j\in {\mathbb{Z}}_q^{*}$ and calculates

  $$E_q^j=r_q^{j}P,F_q^j=u_{c}P+x_q{E}_q^j,G_q^j=s_q^{j}P,H_q^j=v_{c}P+x_q{G}_q^j.$$
• (2)
  $V_q$ randomly picks $l_q^j\in {\mathbb{Z}}_q^{*}$ and calculates

  $$L_q^j=l_q^{j}P,{\sigma }_q^j=x_q+l_q^j{H}_6(PI{D}_q,R_q,E_q^j,F_q^j,G_q^j,H_q^j,L_q^j,T_q^j),$$

  where $T_q^j$ is the current timestamp.
• (3)$V_q$ transmits the query report $Q{R}_q^j=\{PI{D}_q,R_q,E_q^j,F_q^j,$ $G_q^j,H_q^j,L_q^j,{\sigma }_q^j,T_q^j\}$ towards $F{N}_j$, as shown in Figure 2 (③).

4.4.2. Data Response

• (1)
  After receiving $Q{R}_q^j$, $F{N}_j$ checks whether $t_q$ is valid and $T_q^j$ is fresh. If $t_q$ is not valid or $T_q^j$ is not fresh, $Q{R}_q^j$ will be rejected. Otherwise, $F{N}_j$ verifies whether the following equation holds

  $$\begin{array}{c}{\sigma }_q^{j}P=R_q+H_2(PI{D}_q,R_q,P_{pub})P_{pub}+H_6(PI{D}_q,R_q,E_q^j,F_q^j,G_q^j,H_q^j,L_q^j,T_q^j)L_q^j.\end{array}$$
  If it does hold, $F{N}_j$ selects two random numbers $t_q^j,{\phi }_q^j\in {\mathbb{Z}}_q^{*}$ and calculates

  $$J_q^j=t_q^j{E}_q^j+{\phi }_q^j{G}_q^j,K_q^j=t_q^j{F}_q^j+{\phi }_q^j{H}_q^j,$$

  $$M_q^j=\mu +{\sum }_{k=1}^m{a}_k{H}_8(t_q^j{u}_k+{\phi }_q^j{v}_k),N_q^j=\nu +{\sum }_{k=1}^m{a}_k{H}_8(t_q^j{u}_k+{\phi }_q^j{v}_k).$$
• (2)
  $F{N}_j$ randomly picks ${\widehat{l}}_q^j\in {\mathbb{Z}}_q^{*}$ and calculates

  $${\widehat{L}}_q^j={\widehat{l}}_q^{j}P,{\widehat{\sigma }}_q^j=x_{F{N}_j}+{\widehat{l}}_q^j{H}_7(I{D}_{F{N}_j},R_{F{N}_j},J_q^j,K_q^j,M_q^j,N_q^j,{\widehat{L}}_q^j,{\widehat{T}}_q^j),$$

  where ${\widehat{T}}_q^j$ is the current timestamp.
• (3)$F{N}_j$ transmits the response report $R{R}_q^j=\{I{D}_{F{N}_j},$ $R_{F{N}_j},J_q^j,K_q^j,M_q^j,N_q^j,{\widehat{L}}_q^j,{\widehat{\sigma }}_q^j,{\widehat{T}}_q^j\}$ towards $V_q$, as shown in Figure 2 (④).

4.4.3. Response Reading

• (1)
  After receiving $R{R}_q^j$, $V_q$ checks whether ${\widehat{T}}_q^j$ is fresh. If ${\widehat{T}}_q^j$ is not fresh, $R{R}_q^j$ will be rejected. Otherwise, $V_q$ verifies whether the following equation holds

  $$\begin{array}{c}{\widehat{\sigma }}_q^{j}P=R_{F{N}_j}+H_3(I{D}_{F{N}_j},R_{F{N}_j},P_{pub})P_{pub}+H_7(I{D}_{F{N}_j},R_{F{N}_j},J_q^j,K_q^j,M_q^j,N_q^j,{\widehat{L}}_q^j,{\widehat{T}}_q^j){\widehat{L}}_q^j.\hfill \end{array}$$
  If it does hold, $V_q$ calculates

  $$\mathsf{\Lambda }=K_q^j-x_q·J_q^j.$$

  By solving the discrete log of $\mathsf{\Lambda }$ with the base P, utilizing the Pollard’s lambda algorithm [37], $V_q$ can obtain ${\beta }_c=H_8(t_q^j{u}_c+{\phi }_q^j{v}_c)$.

• (2)By calling the Algorithm 1, $V_q$ can achieve the average sensing data ${\overline{d}}_c$ captured at segment c.

Algoruthm 1 Recovery ${\overline{d}}_c$ captured at segment c

Input: $(a_1,a_2,···,a_m)$, ${\beta }_c$, $\phi$, $\delta$, $M_q^j$ and $N_q^j$

Output:  ${\overline{d}}_c$

begin:

set $X_1=M_q^j$, $X_2=N_q^j$;

for $k=m$ to c do

$d_k=\frac{X_1-X_{1}mod{a}_k}{a_k}$, $e_k=\frac{X_2-X_{2}mod{a}_k}{a_k}$;

$X_1=X_{1}mod{a}_k$, $X_2=X_{2}mod{a}_k$;

return ${\overline{d}}_c=\frac{d_c-{\beta }_c-\delta \phi }{e_c-{\beta }_c-\delta \phi }$.

end

5. Security

This section depicts the security proof of the proposed EP${}^2$DS scheme in the random oracle model. Additionally, a security evaluation and comparison on the proposed EP${}^2$DS scheme and schemes of [17,19,23,25,26] is conducted.

5.1. Security Model

The security model of the proposed EP${}^2$DS scheme can be found in the Appendix A.

5.2. Security Proof

The security proof of the proposed EP${}^2$DS scheme can be found in the Appendix B.

5.3. Analysis and Comparison of Security Requirement

Authentication and data integrity: Based on Theorem 2, no polynomial-time attacker is able to fake a valid data report owing to the ECDL assumption. Therefore, authentication and data integrity can be ensured in the proposed EP${}^2$DS scheme.

Confidentiality: Based on Theorem 1, without the cloud center’s private key x, any attacker is unable to compute the sensing data $\mu ={\sum }_{j=1}^n{\sum }_{i=1}^w(\phi +d_i^j)$ and $\nu ={\sum }_{j=1}^n{\sum }_{i=1}^w(\phi +e_i^j)$, and thus confidentiality can be ensured in the proposed EP${}^2$DS scheme.

Location privacy preservation: Based on Theorem 1, without the the data query vehicle’s private key $x_q$, no attacker can obtain the query location $(u_c,v_c)$ from $\{E_q^j=r_q^{j}P$, $F_q^j=u_{c}P+x_q{E}_q^j$, $G_q^j=s_q^{j}P$, $H_q^j=v_{c}P+x_q{G}_q^j\}$, and hence the location privacy can be guaranteed in the proposed EP${}^2$DS scheme.

Identity privacy preservation: On the basis of the proposed EP${}^2$DS scheme, the identity $I{D}_i$ of $V_i$ is only contained in the pseudo identity $PI{D}_i=\{PI{D}_{i,1},PI{D}_{i,2},t_i\}$, where $PI{D}_{i,1}=w_{i}P$, $PI{D}_{i,2}=I{D}_i\oplus H(w_i{P}_{pub},t_i)$ and $P_{pub}=sP$. To extract the identity $I{D}_i$ of $V_i$, the attacker has to compute $I{D}_i=PI{D}_{i,2}\oplus H(s·PI{D}_{i,2},t_i)$. However, it is impossible to solve $w_i·s·P$ for any attacker to obtain $I{D}_i$ without knowing $w_i$ and s. Therefore, the identity privacy is guaranteed in the proposed EP${}^2$DS scheme.

Traceability: In accordance with the proposed EP${}^2$DS scheme, $TA$ can adopt its own master key s to calculate $I{D}_i=PI{D}_{i,2}\oplus H(s·PI{D}_{i,2},t_i)$, and find out the identity $I{D}_i$ of $V_i$ from the pseudo identity $PI{D}_i$ involved in the data report, with the proposed EP${}^2$DS scheme satisfying the traceability.

Unlinkability: On the basis of the proposed EP${}^2$DS scheme, the data reports generated by any vehicle are random, and any attacker cannot link the two data reports sent by the same vehicle, with the proposed EP${}^2$DS scheme realizing the traceability.

Resistance to attacks: The proposed EP${}^2$DS scheme is able to withstand the networks attacks in the following:

• Modification attack: Based on Theorem 2, any polynomial attacker is unable to forge a valid data report with modification on data reports found.

• Replay attack: On the basis of the proposed EP${}^2$DS scheme, the timestamp is contained in the data report. By examining freshness of the timestamp, the verifier is able to bear any replay attacks.

• Impersonation attack: From Theorem 2, no attacker can fabricate a legal data report without vehicle’s private key.

• Man-in-the-middle attack: The analysis of the modification attack shows that any modification of the data reports on transmission is able to be found.

Security comparisons of schemes [17,19,23,25,26] and the proposed EP${}^2$DS scheme are displayed in Table 2. S1, S2, S3, S4, S5, S6, S7, S8, S9, and S10 are used to represent authentication and data integrity, confidentiality, location privacy preservation, identity privacy preservation, traceability, unlinkability, the modification attack, the replay attack, the impersonation attack, and the man-in-the-middle attack, respectively.

Table 2.

Security comparisons. Efficient privacy-preserving data sharing (EP${}^2$DS), √ represents “satisfy” and × denotes “does not satisfy”.

Security	S1	S2	S3	S4	S5	S6	S7	S8	S9	S10
Rabieh et al.’s scheme [17]	√	√	×	×	×	√	√	√	√	√
Sun et al.’s scheme [19]	√	√	×	√	√	√	√	√	√	√
Kong et al.’s scheme [23]	√	√	√	×	×	√	√	×	√	×
Paulet et al.’s scheme [25]	×	√	√	×	×	√	×	×	×	×
Zhu et al.’s scheme [26]	√	√	√	×	×	√	√	×	√	×
EP${}^2$DS	√	√	√	√	√	√	√	√	√	√

In accordance with Table 2, Rabieh et al.’s scheme [17] is able to provide location privacy preservation, identity privacy preservation, and traceability. Sun et al.’s scheme [19] cannot achieve location privacy preservation. Kong et al.’s scheme [23] cannot achieve identity privacy preservation, traceability, the replay attack, and the man-in-the-middle attack. Paulet et al.’s scheme [25] cannot achieve authentication and data integrity, identity privacy preservation, traceability, the modification attack, the replay attack, the impersonation attack, and the man-in-the-middle attack. Zhu et al.’s scheme [26] cannot achieve identity privacy preservation and traceability, the replay attack, and the man-in-the-middle attack. In contrast, all security requirements are able to be satisfied in the proposed EP${}^2$DS scheme.

6. Performance Evaluation

We analyze the computation and communication costs of these schemes [17,19,23,25,26] and the proposed EP${}^2$DS scheme, and evaluate their performance.

To realize a fair comparison, we compare these schemes [17,19,23,25,26] with the proposed EP${}^2$DS scheme under the 80-bit security level [38]. Regarding the pairing-based schemes [17,19,23,25,26], we choose a bilinear pairing $e:{\mathbb{G}}_1\times {\mathbb{G}}_1\to {\mathbb{G}}_2$, where ${\mathbb{G}}_1$ is an additive group defined by the generator P with order q on the super singular elliptic curve $E:y^2=x^3+xmodp$ with the embedding degree 2, q is 160-bit Solinas prime number and p is 512-bit primer number meeting $q·12·r=p+1$. With regard to the proposed EP${}^2$DS scheme, we pick a group $\mathbb{G}$, where $\mathbb{G}$ is produced by the generator P with the order q on an elliptic curve $E:y^2=x^3+ax+bmodp$ with a prime order q, where q, p are 160 bits prime number and $a=-3$, b is 160-bits random prime number.

The running time of the operations is able to be derived by making use of the MIRACL Crypto SDK [39]. We run the experiment on a 64-bit Windows 10 operating system with 2.53 GHz, an i7 CPU and 4 GB memory. Table 3 lists the average running time for these operations.

Table 3.

Runtime of cryptographic operation (millisecond).

Notations	Descriptions	Runtime
$T_{sm}$	Scalar multiplication operation in $\mathbb{G}$	0.3851
$T_{log}$	Solving the DL operation mod p	0.6438
$T_e$	The exponentiation operation in ${\mathbb{G}}_1$	2.0289
$T_m$	The multiplication operation in ${\mathbb{G}}_1$	1.4293
$T_h$	Map to point hash function operation	3.5819
$T_p$	Bilinear pairing operation in ${\mathbb{G}}_1$	10.3092

6.1. Computation Costs

The computation costs of the proposed EP${}^2$DS scheme and these schemes [17,19,23,25,26] are displayed in Table 4.

Table 4.

Comparison of computation costs.

Scheme	Data Collection Phase			Data Query Phase
	${\mathit{V}}_{\mathit{i}}$	$\mathit{F}\mathit{N}$	$\mathit{C}\mathit{C}$	${\mathit{V}}_{\mathit{a}}$	$\mathit{F}\mathit{N}$
[17]	$2T_m$+$2T_e$	$T_m$+$T_e$+$(w$+$1)T_p$	$T_e$+$(n$+$1)T_p$	−	−
	= 6.9164 ms	= 10.3092w+13.7674 ms	=10.3092n+2.0289 ms
[19]	$2T_m$+$T_e$+$T_h$	$(w$+$3)T_m$+$4T_p$	$T_m$+$n{T}_e$+$2T_p$	−	−
	= 15.1967 ms	= 1.4293w+45.5247 ms	=2.0289n+11.7385 ms
[23]	$4T_m$+$4T_e$	$2w{T}_m$	$6n{T}_m$+$4n{T}_e$	$10T_m$+$7T_e$	$9T_m$+$7T_e$
	= 13.8328 ms	= 2.8586w ms	=16.6914n ms	=28.4953 ms	=27.0660 ms
[25]	−	−	−	$5T_m$+$9T_e$	6m$T_m$+$(8$m+ )Te
				=25.4066 ms	=24.8070m+6.0867 ms
[26]	−	−	−	$2T_p$+$5T_e$	$4T_p$+$4T_m$
				=30.7629 ms	=46.9540 ms
EP${}^2$DS	$5T_{sm}$	$(w$+$3)T_{sm}$	$(n$+$3)T_{sm}$+$2T_{log}$	$11T_{sm}$+$2T_{log}$	$8T_{sm}$
	=1.9255 ms	=0.3851w+1.1553 ms	=0.3851n+2.4429 ms	=5.5237 ms	=3.0808 ms

In the data collection phase, for Rabieh et al.’s scheme [17], $V_i$ requires running two multiplication operations in ${\mathbb{G}}_1$ and two exponentiation operations in ${\mathbb{G}}_1$, thus the total time is $2T_m+2T_e$ = 6.9164 ms. $FN$ requires executing one multiplication operation in ${\mathbb{G}}_1$, one exponentiation operation in ${\mathbb{G}}_1$, and $w+1$ bilinear pairing operations in ${\mathbb{G}}_1$, and thus the total time is $T_m+T_e+(w+1)T_p$ = 10.3092w+13.7674 ms. $CC$ requires executing one exponentiation operation in ${\mathbb{G}}_1$ and $n+1$ bilinear pairing operations in ${\mathbb{G}}_1$, and hence the total time is $T_e+(n+1)T_p=10.3092n+2.0289$ ms.

For Sun et al.’s scheme [19], $V_i$ requires running two multiplication operations in ${\mathbb{G}}_1$ and one exponentiation operation in ${\mathbb{G}}_1$ and one map to point hash function operation, thus the total time is $2T_m+T_e+T_h$ = 15.1967 ms. $FN$ requires executing $w+3$ multiplication operations in ${\mathbb{G}}_1$ and four bilinear pairing operations in ${\mathbb{G}}_1$, so the total time is $(w+3)T_m+4T_p$ = 1.4293w +45.5247 ms. $CC$ requires executing one multiplication operation in ${\mathbb{G}}_1$, n exponentiation operations in ${\mathbb{G}}_1$ and two multiplication operations in ${\mathbb{G}}_1$, and hence the total time is $T_m+n{T}_e+2T_p=2.0289n+11.7385$ ms.

For Kong et al.’s scheme [23], $V_i$ requires running four multiplication operations in ${\mathbb{Z}}_{n^2}$ and four exponentiation operations in ${\mathbb{Z}}_{n^2}$, thus the total time is $4T_m+4T_e$ = 13.8328 ms. $FN$ requires executing $2w$ multiplication operations in ${\mathbb{G}}_1$, so the total time is $2w{T}_m$ = 2.8586w ms. $CC$ requires executing $6n$ multiplication operations in ${\mathbb{G}}_1$ and $4n$ exponentiation operations in ${\mathbb{G}}_1$, and hence the total time is $6n{T}_m+4n{T}_e=16.6914n$ ms.

For the proposed EP${}^2$DS scheme, $V_i$ needs to run five scalar multiplication operations in $\mathbb{G}$, and therefore the total time is $5T_{sm}$ = 1.9255 ms. $FN$ requires executing $w+3$ scalar multiplication operations in $\mathbb{G}$; accordingly, the total time is $(w+3)T_{sm}$ = 0.3851w+1.1553 ms. $CC$ requires executing $n+3$ scalar multiplication operations in $\mathbb{G}$ and two solving the DL operations; therefore, the total time is $(n+3)T_{sm}+2T_{log}$ = 0.3851n+2.4429 ms.

In the data query phase, for Kong et al.’s scheme [23], $V_q$ requires running ten multiplication operations in ${\mathbb{G}}_1$ and seven exponentiation operations in ${\mathbb{G}}_1$, so the total time is $10T_m+7T_e$ = 28.4953 ms. $FN$ needs to run nine multiplication operations in ${\mathbb{G}}_1$ and seven exponentiation operations in ${\mathbb{G}}_1$, the total time is thus $9T_m+7T_e$ = 27.0660 ms. For Paulet et al.’s scheme [25], $V_q$ requires running five multiplication operations in ${\mathbb{G}}_1$ and nine exponentiation operations in ${\mathbb{G}}_1$, the total time is thus $5T_m+9T_e$ = 25.4066 ms. $FN$ needs to run $6m$ multiplication operations in ${\mathbb{G}}_1$ and $8m+3$ exponentiation operations in ${\mathbb{G}}_1$, the total time is thus $6m{T}_m+(8m+3)T_e$ = 24.8070m +6.0867 ms.

For Zhu et al.’s scheme [26], $V_q$ requires running five exponentiation operations in ${\mathbb{G}}_1$ and two bilinear pairing operation in ${\mathbb{G}}_1$, the total time is thus $5T_e+2T_p$ = 30.7629 ms. $FN$ needs to run four multiplication operations in ${\mathbb{G}}_1$ and four bilinear pairing operation in ${\mathbb{G}}_1$, the total time is thus $4T_m+4T_p$ = 46.9540 ms.

For the proposed EP${}^2$DS scheme, $V_q$ needs to run eleven scalar multiplication operations in $\mathbb{G}$ and two solving the DL operations, and hence the total time is $11T_{sm}+2T_{log}$ = 5.5237 ms. $FN$ needs to run eight scalar multiplication operations in $\mathbb{G}$, thus the total time is $8T_{sm}$ = 3.0808 ms.

Figure 3 clearly demonstrates the comparison result of computation costs in the data collection phase. Figure 3a shows that the computation costs of $V_i$ is 1.9255 ms, which decreases by 72.2%, 87.3%, and 86.1% compared with that by Rabieh et al.’s scheme [17], Sun et al.’s scheme [19], and Kong et al.’s scheme [23], respectively. As shown in Figure 3b, the computation costs of $FN$ increase linearly with the number of vehicles, with the proposed EP${}^2$DS scheme having a lower slope compared with Rabieh et al.’s scheme [17], Sun et al.’s scheme [19], and Kong et al.’s scheme [23]. From Figure 3c, we can see that the computation costs of $CC$ grows linearly with the number of fog nodes, and the proposed EP${}^2$DS scheme has a lower slope compared with Rabieh et al.’s scheme [17], Sun et al.’s scheme [19], and Kong et al.’s scheme [23].

Figure 3.

Computation costs in the data collection phase. (a) Computation costs of $V_i;$ (b) Computation costs of $FN$ vs. number of vehicles; (c) Computation costs of $CC$ vs. number of $FN$.

Figure 4 clearly indicates the comparison result of the computation costs in the data query phase. From Figure 4a, we can know that the computation costs of $V_q$ in the proposed EP${}^2$DS scheme are 5.5237 ms, which decreases by 80.6%, 78.3%, and 82.0% compared with that by Kong et al.’s scheme [23], Paulet et al.’s scheme [25], and Zhu et al.’s scheme [26], respectively. Figure 4b shows the correlation between the computation cost of $FN$ and the number of segments m, we can see that the computation cost of $FN$ in the EP${}^2$DS scheme is the smallest compared with Kong et al.’s scheme [23], Paulet et al.’s scheme [25], and Zhu et al.’s scheme [26]. The computation costs of $FN$ in the proposed EP${}^2$DS scheme are 3.0808 ms, which decreases by 88.6% and 93.4% compared with Kong et al.’s scheme [23] and Zhu et al.’s scheme [26]. Furthermore, unlike Paulet et al.’s scheme [25], the computation cost of $FN$ in the EP${}^2$DS scheme does not increase with the number of segments m.

Figure 4.

Computation costs in the data query phase. (a) Computation costs of $V_q;$ (b) Computation costs of $FN$ vs. number of segments.

6.2. Communication Costs

The communication costs of the proposed EP${}^2$DS scheme and these schemes [17,19,23,25,26], are evaluated in this subsection. We mainly consider the data report size, query report size, and response report size. As mentioned above, the lengths of the elements in $\mathbb{G}$, ${\mathbb{Z}}_q^{*},{\mathbb{Z}}_n$, and ${\mathbb{Z}}_{n^2}$ are 160 bits (20 bytes), 160 bits (20 bytes), 1024 bits (128 bytes), and 2048 bits (256 bytes), respectively, assuming that the length of timestamp and identity are 32 bits (4 bytes). The comparison results of communication costs are illustrated in Table 5.

Table 5.

Comparison of the communication costs.

Scheme	Data Collection Phase	Data Query Phase
	Data Report Size	Query Report Size	Response Report Size
Rabieh et al.’s scheme [17]	260 bytes	−	−
Sun et al.’s scheme [19]	516 bytes	−	−
Kong et al.’s scheme [23]	1152 bytes	1152 bytes	1664 bytes
Paulet et al.’s scheme [25]	−	256 bytes	256m+128 bytes
Zhu et al.’s scheme [26]	−	324 bytes	320 bytes
EP${}^2$DS	172 bytes	172 bytes	148 bytes

In the data collection phase, for Rabieh et al.’s scheme [17], the data report size is 260 bytes, as

$$\begin{array}{c}|C_v|+|TS|+|{\alpha }_v|=128+4+128=260\mathrm{bytes}.\hfill \end{array}$$

For Sun et al.’s scheme [19], the data report size is 516 bytes, as

$$\begin{array}{c}|S_c|+|Sign{C}_i|+|t_i|=256+256+4=516\mathrm{bytes}.\hfill \end{array}$$

For Kong et al.’s scheme [23], the data report size is 1152 bytes, as

$$\begin{array}{c}|C_{i,1}|+|C_{i,2}|+|C_{i,3}|+|C_{i,4}|+|MA{C}_i|=256+256+256+256+128=1152\mathrm{bytes}.\hfill \end{array}$$

For the proposed EP${}^2$DS scheme, the data report size is 172 bytes, as

$$\begin{array}{c}|PI{D}_i|+|R_i|+|A_i^j|+|B_i^j|+|C_i^j|+|D_i^j|+|L_i^j|+|{\sigma }_i^j|+|T_i^j|\hfill \\ =28+20+20+20+20+20+20+20+4+4=172\mathrm{bytes}.\hfill \end{array}$$

In the data query phase, for Kong et al.’s scheme [23], the query report size is 1152 bytes, as

$$\begin{array}{c}|C_{a,1}|+|C_{a,2}|+|C_{a,3}|+|C_{a,4}|+|MA{C}_a|=256+256+256+256+128=1152\mathrm{bytes}.\hfill \end{array}$$

The response report size is 1664 bytes, as

$$\begin{array}{c}|C_{r,1}|+|C_{r,2}|+|C_{r,3}|+|C_{r,4}|+|C_{r,5}|+|C_{r,6}|+|MA{C}_r|\hfill \\ =256+256+256+256+256+256+128=1664\mathrm{bytes}.\hfill \end{array}$$

For Paulet et al.’s scheme [25], the query report size is 256 bytes, as

$$\begin{array}{c}|C_1|+|C_2|=128+128=256\mathrm{bytes}.\hfill \end{array}$$

The response report size is 256m+128 bytes, as

$$\begin{array}{c}|C_{1,1}^{{}^{\prime }}|+|C_{1,2}^{{}^{\prime }}|+···+|C_{1,m}^{{}^{\prime }}|+|C_{2,1}^{{}^{\prime }}|+|C_{2,2}^{{}^{\prime }}|···+|C_{2,m}^{{}^{\prime }}|+|\gamma |\hfill \\ =128m+128m+128=256m+128\mathrm{bytes}.\hfill \end{array}$$

For Zhu et al.’s scheme [26], the query report size is 324 bytes, as

$$\begin{array}{c}|I{D}_{LBS}|+|E_{LQR}|+|U_i|+|TS|+|Si{g}_i|=4+256+256+4+256=324\mathrm{bytes}.\hfill \end{array}$$

The response report size is 320 bytes, as

$$\begin{array}{c}|E_{r{q}_1}\left(TRL\right)|+|I{D}_{cs}|+|TS|+|Si{g}_{cs}|=256+4+4+256=320\mathrm{bytes}.\hfill \end{array}$$

For the proposed EP${}^2$DS scheme, the query report size is 172 bytes, as

$$\begin{array}{c}|PI{D}_q|+|R_q|+|A_q^j|+|B_q^j|+|C_q^j|+|D_q^j|+|L_q^j|+|{\sigma }_q^j|+|T_q^j|\hfill \\ =28+20+20+20+20+20+20+20+4=172\mathrm{bytes}.\hfill \end{array}$$

The response report size is 148 bytes, as

$$\begin{array}{c}|I{D}_{F{N}_j}|+|R_{F{N}_j}|+|J_q^j|+|K_q^j|+|M_q^j|+|N_q^j|+|{\widehat{L}}_q^j|+|{\widehat{\sigma }}_q^j|+|{\widehat{T}}_q^j|\hfill \\ =4+20+20+20+20+20+20+20+4=148\mathrm{bytes}.\hfill \end{array}$$

The results from the comparison of communication costs in the data collection phase are illustrated in Figure 5. In terms of the data report size, the proposed EP${}^2$DS scheme requires 172 bytes, which is decreased by 33.8%, 66.7%, and 85.1% compared with that for Rabieh et al.’s scheme [17], Sun et al.’s scheme [19], and Kong et al.’s scheme [23], respectively.

Figure 5.

Comparison of the data report size.

The result from the comparison of communication costs in the data query phase is shown in Figure 6. Regarding the query report size, from Figure 6a, we can see that the proposed EP${}^2$DS scheme requires 172 bytes, a decrease of 85.1%, 32.8%, and 46.9% compared with that by Kong et al.’s scheme [23], Paulet et al.’s scheme [25], and Zhu et al.’s scheme [26], respectively. Figure 6b shows the correlation between the response report size and the number of segments m, and we can see that the response report size in the EP${}^2$DS scheme is the smallest compared with Kong et al.’s scheme [23], Paulet et al.’s scheme [25], and Zhu et al.’s scheme [26]. The proposed EP${}^2$DS scheme requires 148 bytes, which is decreased by 91.1% and 53.8% compared with that of Kong et al.’s scheme [23] and Zhu et al.’s scheme [26], respectively. Furthermore, unlike Paulet et al.’s scheme [25], the response report size in the EP${}^2$DS scheme does not increase with the number of segments m.

Figure 6.

(a) Comparison of the query report size; (b) Comparison of the response report size.

7. Conclusions

This paper proposes an efficient privacy-preserving data sharing scheme for fog-assisted vehicular sensor networks. Based on the super-increasing sequence, the proposed EP${}^2$DS scheme is able to format the data reports captured at different road segments into one report, while calculating the average sensory data in each road segment, greatly saving on the resources of communication and computation. Furthermore, by exploiting the modified oblivious transfer technology, the proposed EP${}^2$DS scheme also can query the road conditions of the potential moving route in the data query phase without disclosing the query location. Finally, an analysis of security displays that the proposed EP${}^2$DS scheme can satisfy all the requirements for security and privacy, with the performance evaluation suggesting that the proposed EP${}^2$DS scheme is more efficient in computation and communication costs compared to the existing schemes of [17,19,23,25,26]. Accordingly, the proposed EP${}^2$DS scheme is more appropriate for achieving data sharing in fog-assisted vehicular sensor networks. In future work, we will consider using blockchain technology to achieve decentralization and privacy protection.

Appendix A

Security Model

The proposed EP${}^2$DS scheme should satisfy the confidentiality and unforgeability. The security is defined by the following two interaction games executed by a challenger $\mathcal{C}$ and an attacker $\mathcal{A}$. $\mathcal{A}$ could make the following queries.

• Hash queries: Upon receiving the query, $\mathcal{C}$ returns a random value to $\mathcal{A}$.

• Extract queries: Upon receiving the query on the pseudo identity $PI{D}_i$, $\mathcal{C}$ returns a private key to $\mathcal{A}$.

• Signcryption queries: Upon receiving the query on the message $m_i$ under $PI{D}_i$, $\mathcal{C}$ returns a ciphertext to $\mathcal{A}$.

Definition A1

(Confidentiality). The proposed scheme is secure against indistinguishability under the chosen plaintext attack (IND-CPA), if any probabilistic polynomial-time attacker does not have the ability to win the below game with a non-negligible advantage.

The IND-CPA is defined by the following game.

Setup: $\mathcal{C}$ generates the system parameters and returns to $\mathcal{A}$.

Phase 1: $\mathcal{A}$ adaptively makes the hash, extract, and signcryption queries with polynomial bounded times.

Challenge: $\mathcal{A}$ chooses a challenging identity $PI{D}_i^{*}$, picks two messages $m_0^{*}$ and $m_1^{*}$ and sends to $\mathcal{C}$. $\mathcal{C}$ randomly picks $b\in \{0,1\}$ and produces the ciphertext of message $m_b^{*}$ under $PI{D}_i^{*}$. Finally, $\mathcal{C}$ returns the ciphertext to $\mathcal{A}$.

Phase 2: $\mathcal{A}$ is able to adaptively perform the query in Phase 1 apart from that, it cannot make extract queries on $PI{D}_i^{*}$.

Guess: $\mathcal{A}$ produces a guess $b^{\prime }\in \{0,1\}$. The advantage that $\mathcal{A}$ wins the game is

$$Ad{v}_{\mathcal{A}}^{IND-CPA}=|Pr[b^{\prime }=b]-\frac{1}{2}|.$$

Definition A2

(Unforgeability). The proposed scheme can achieve existential unforgeability against adaptive chosen message attacks (EUF-CMA), if any probabilistic polynomial-time attacker does not have the ability to win the below game with a non-negligible advantage.

The EUF-CMA is defined by the following game.

Initialization: $\mathcal{A}$ selects a challenging pseudo identity $PI{D}_i^{*}$ and transmits to $\mathcal{C}$.

Setup: $\mathcal{C}$ generates the system parameters and returns to $\mathcal{A}$.

Queries: $\mathcal{A}$ adaptively makes hash, extract and signcryption queries.

Forgery: $\mathcal{A}$ outputs a ciphertext on $m_i^{*}$ under $PI{D}_i^{*}$, such that

• The ciphertext on $m_i^{*}$ under $PI{D}_i^{*}$ is valid.

• $PI{D}_i^{*}$ has not been requested in the extract queries.

Appendix B

Security Proof

Theorem A1.

The proposed EP${}^2$DS scheme can provide confidentiality if ElGamal encryption is secure against the IND-CPA.

Supposing there is an attacker $\mathcal{A}$ is able to win the game defined in Definition 1 with a non-negligible probability $\epsilon$, we can construct an algorithm $\mathcal{B}$ that could break the IND-CPA of ElGamal encryption with probability ${\epsilon }^{\prime }$.

Initialization: The simulator $\mathcal{S}$ for ElGamal encryption generates the $\{p,q,P,\mathbb{G},P_{pub})$ and transmits to $\mathcal{B}$.

Setup: $\mathcal{B}$ chooses hash functions $H_i$: $i=1,2,···,8$ and a super-increasing sequence $\overrightarrow{a}$. Finally, $\mathcal{B}$ returns $\{p,q,P,\mathbb{G},$ $P_{pub},P_{sp},H_1,H_2,H_3,H_4,H_5,H_6,H_7,H_8,\overrightarrow{a}\}$ to $\mathcal{A}$.

To keep the rapidly response and consistency, $\mathcal{B}$ maintains the following list:

• $L_{H_2}$: It consists of tuples $(PI{D}_i,R_i,P_{pub},h_i)$.

• $L_{H_4}$: It consists of tuples $(PI{D}_i,R_i,C_{i,1},C_{i,2},L_i,$$T_i,{\tau }_i)$.

• $L_{V_i}$: It consists of tuples $(PI{D}_i,x_i,R_i)$.

Phase 1: $\mathcal{A}$ adaptively is able to adaptively perform the following polynomial bounded times queries.

$H_2$ queries: $\mathcal{A}$ performs a query on $(PI{D}_i,R_i,P_{pub})$, $\mathcal{B}$ executes as follows:

• If $L_{H_2}$ contains $(PI{D}_i,R_i,P_{pub},h_i)$, $\mathcal{B}$ responds with the previous value $h_i=H_2(PI{D}_i,R_i,P_{pub})$ to $\mathcal{A}$.

• If $L_{H_2}$ does not contain $(PI{D}_i,R_i,P_{pub},h_i)$, $\mathcal{B}$ randomly chooses a number $h_i\in {\mathbb{Z}}_q^{*}$, adds $(PI{D}_i,R_i,$ $P_{pub},h_i)$ into $L_{H_2}$ and returns $h_i$ to $\mathcal{A}$.

$H_4$ queries: $\mathcal{A}$ performs a query on $(PI{D}_i,R_i,C_{i,1},C_{i,2},$ $L_i,T_i)$, $\mathcal{B}$ executes as follows:

• If $L_{H_4}$ contains $(PI{D}_i,R_i,C_{i,1},C_{i,2},L_i,T_i,{\tau }_i)$, $\mathcal{B}$ responds with the previous value ${\tau }_i=H_4(PI{D}_i,R_i,C_{i,1},$ $C_{i,2},L_i,T_i)$ to $\mathcal{A}$.

• If $L_{H_4}$ does not contain $(PI{D}_i,R_i,C_{i,1},C_{i,2},L_i,$ $T_i,{\tau }_i)$, $\mathcal{B}$ randomly chooses a number ${\tau }_i\in {\mathbb{Z}}_q^{*}$, adds $(PI{D}_i,R_i,C_{i,1},C_{i,2},L_i,T_i,{\tau }_i)$ into $L_{H_4}$ and returns ${\tau }_i$ to $\mathcal{A}$.

Extract queries: $\mathcal{A}$ performs a query on $PI{D}_i$, $\mathcal{B}$ executes as follows:

• If $PI{D}_i=PI{D}_i^{*}$, $\mathcal{B}$ aborts the game.

• If $PI{D}_i\ne PI{D}_i^{*}$, $\mathcal{B}$ executes:

  • -
    If $L_{V_i}$ contains $(PI{D}_i,x_i,R_i)$, $\mathcal{B}$ returns $(x_i,R_i)$ to $\mathcal{A}$.
  • -
    If $L_{V_i}$ does not contain $(PI{D}_i,x_i,R_i)$, $\mathcal{B}$ randomly chooses $x_i,h_i\in {\mathbb{Z}}_q^{*}$ and makes $R_i=x_{i}P-h_i{P}_{pub}$. If $h_i$ already appear in $L_{H_2}$, $\mathcal{B}$ chooses another $x_i\in {\mathbb{Z}}_q^{*}$ and tries again. $\mathcal{B}$ inserts $(PI{D}_i,x_i,R_i)$ and $(PI{D}_i,R_i,P_{pub},h_i)$ into $L_{V_i}$ and $L_{H_2}$, respectively. Finally, $\mathcal{B}$ returns the $(x_i,R_i)$ to $\mathcal{A}$.

Signcryption queries: $\mathcal{A}$ makes a query on the message $m_i$ under $PI{D}_i$, $\mathcal{B}$ returns $m_i$ to $\mathcal{S}$. $\mathcal{S}$ randomly chooses $t_i\in {\mathbb{Z}}_q^{*}$ and computes $C_{i,1}=t_{i}P$, $C_{i,2}=t_i{P}_{cc}+m_{i}P$,and returns them to $\mathcal{B}$. $\mathcal{B}$ produces a ciphertext $\{PI{D}_i,$ $R_i,C_{i,1},C_{i,2},L_i,{\sigma }_i,T_i\}$ in accordance with the proposed scheme. Finally, $\mathcal{B}$ returns the ciphertext to $\mathcal{A}$.

Challenge: $\mathcal{A}$ selects a challenging identity $PI{D}_i^{*}$, picks two same length message $m_0^{*}$ and $m_1^{*}$ and sends them to $\mathcal{B}$. Then $\mathcal{B}$ transmits them to $\mathcal{S}$. $\mathcal{S}$ randomly chooses $b\in \{0,1\}$, $t_i^{*}\in {\mathbb{Z}}_q^{*}$ and computes $C_{i,1}^{*}=t_i^{*}P$, $C_{i,2}^{*}=t_i^{*}{P}_{cc}+m_b^{*}P$, and returns them to $\mathcal{B}$. $\mathcal{B}$ produce a ciphertext $\{PI{D}_i^{*},R_i^{*},C_{i,1}^{*},C_{i,2}^{*},L_i^{*},{\sigma }_i^{*},T_i^{*}\}$ in accordance with the proposed scheme. Finally, $\mathcal{B}$ returns the ciphertext to $\mathcal{A}$.

Phase 2: $\mathcal{A}$ is able to adaptively perform the query in Phase 1 apart from it cannot make a extract queries on $PI{D}_i^{*}$.

Guess: $\mathcal{B}$ can output $b^{\prime }$ as its guess against the IND-CPA of ElGamal encryption.

Probability analysis: Supposing that $\mathcal{A}$ is able to make at most $q_{H_2}$ times $H_2$ queries, $q_{H_4}$ times $H_4$ queries, $q_e$ times extract queries and $q_s$ times signcryption queries. We define two events as follows:

• $E_1$: $\mathcal{B}$ does not abort above game in extract queries.

• $E_2$: $\mathcal{B}$ is able to correctly output the value of b.

According to the above simulation, we could obtain that $Pr\left[E_1\right]\ge {(1-\frac{1}{q_{H_2}})}^{q_e}$ and $Pr\left[E_2\right|E_1]\ge \epsilon$, and hence the advantage that $\mathcal{B}$ is able to break the IND-CPA of ElGamal encryption is

$${\epsilon }^{\prime }=Pr\left[E_2\right|E_1]Pr\left[E_1\right]\ge {(1-\frac{1}{q_{H_2}})}^{q_e}\epsilon .$$

In accordance with the above analysis, we can conclude that $\mathcal{B}$ can break the IND-CPA of ElGamal encryption with a non-negligible probability, this is contradicts with the security of ElGamal encryption, so the proposed EP${}^2$DS scheme could provide confidentiality.

Theorem A2.

The proposed EP${}^2$DS scheme can provide the unforgeability if the ECDL problem is hard.

Assuming that there is an attacker $\mathcal{A}$ can break the unforgeability of the proposed EP${}^2$DS scheme with a non-negligible advantage $\epsilon$, we can construct an algorithm $\mathcal{B}$ for solving the ECDL problem with probability ${\epsilon }^{\prime }$.

Initialization: $\mathcal{A}$ picks a challenging identity $PI{D}_i^{*}$ and returns to $\mathcal{B}$.

Setup: Given an instance $(P,aP=Q)$ of the ECDL problem, then $\mathcal{B}$ sets $P_{pub}=Q$ and returns $\{p,q,P,\mathbb{G},P_{pub},P_{sp},H_1,$ $H_2,H_3,H_4,H_5,H_6,H_7,H_8,\overrightarrow{a}\}$ to $\mathcal{A}$.

$H_2$ queries: It is the same as Theorem 1.

$H_4$ queries: It is the same as Theorem 1.

Extract queries: It is the same as Theorem 1.

Signcryption queries: $\mathcal{A}$ makes a query on the message $m_i$ under $PI{D}_i$, $\mathcal{B}$ executes as follows:

• If $PI{D}_i=PI{D}_i^{*}$, $\mathcal{B}$ randomly selects $t_i,l_i,{\sigma }_i,h_i,{\tau }_i\in {\mathbb{Z}}_q^{*}$ and calculates $C_{i,1}=t_{i}P$, $C_{i,2}=t_i{P}_{cc}+m_{i}P$, $L_i=l_{i}P,R_i={\sigma }_{i}P-(h_i{P}_{pub}+{\tau }_i{L}_i)$. If the $h_i$ already appears in $L_{H_2}$ or ${\tau }_i$ already appears in $L_{H_4}$, $\mathcal{B}$ chooses another ${\sigma }_i\in {\mathbb{Z}}_q^{*}$ and tries again. Then, $\mathcal{B}$ returns the ciphertext $\{PI{D}_i,R_i,C_{i,1},C_{i,2},L_i,{\sigma }_i,$ $T_i\}$ to $\mathcal{A}$, and inserts $(PI{D}_i,R_i,P_{pub},h_i)$ and $(PI{D}_i,R_i,C_{i,1},C_{i,2},$ $L_i,T_i,{\tau }_i)$ into $L_{H_2}$ and $L_{H_4}$, respectively.

• If $PI{D}_i\ne PI{D}_i^{*}$, $\mathcal{B}$ generates a ciphertext $\{PI{D}_i,R_i,$ $C_{i,1},C_{i,2},L_i,{\sigma }_i,T_i\}$ in accordance with the proposed scheme. Then, $\mathcal{B}$ returns the ciphertext to $\mathcal{A}$.

Forgery: $\mathcal{A}$ outputs a forged ciphertexts $\{PI{D}_i^{*},R_i^{*},$ $C_{i,1}^{*},C_{i,2}^{*},L_i^{*},{\sigma }_i^{*},T_i^{*}\}$ on $m_i^{*}$ under $PI{D}_i^{*}$. On the basis of the forking lemma [40,41], $\mathcal{B}$ is able to output another valid ciphertext $\{PI{D}_i^{*},R_i^{*},C_{i,1}^{*},C_{i,2}^{*},L_i^{*},{\sigma }_i^{{*}^{\prime }},T_i^{*}\}$ on $m_i^{*}$ under $PI{D}_i^{*}$ by choosing a different $H_2$. Since both ciphertexts are valid, we are able to gain the following two equations

$${\sigma }_i^{*}P=R_i^{*}+h_i^{*}{P}_{pub}+{\tau }_i^{*}{L}_i,{\sigma }_i^{{*}^{\prime }}P=R_i^{*}+h_i^{{*}^{\prime }}{P}_{pub}+{\tau }_i^{*}{L}_i.$$

We can gain the equations:

$$\begin{array}{c}({\sigma }_i^{*}-\sigma {}_i^{{*}^{\prime }})P={\sigma }_i^{*}P-\sigma {}_i^{{*}^{\prime }}P=(h_i^{*}-h{}_i^{{*}^{\prime }})P_{pub}=(h_i^{*}-h{}_i^{{*}^{\prime }})aP.\hfill \end{array}$$

$\mathcal{B}$ outputs $a={(h_i^{*}-h_i^{{*}^{\prime }})}^{-1}({\sigma }_i^{*}-{\sigma }_i^{{*}^{\prime }})$ as a solution of ECDL problem.

Probability analysis: Supposing that $\mathcal{A}$ is able to make at most $q_{H_2}$ times $H_2$ queries, $q_{H_4}$ times $H_4$ queries, $q_e$ times extract queries, and $q_s$ times signcryption queries. We define three events as follows:

• $E_1$: $\mathcal{B}$ never abort above game in extract and signcryption queries.

• $E_2$: $\mathcal{B}$ is able to output a valid ciphertext.

• $E_3$: $PI{D}_i=PI{D}_i^{*}$.

According to the above simulation, we could obtain that $Pr\left[E_1\right]\ge {(1-\frac{1}{q_{H_2}})}^{q_e}{(1-\frac{1}{q_{H_4}})}^{q_s}$, $Pr\left[E_2\right|E_1]\ge \epsilon$, and $Pr\left[E_3\right|E_1\wedge E_2]\ge \frac{1}{q_{H_2}}$. Thus, the probability that $\mathcal{B}$ is able to solve the ECDL problem is shown as:

$$\begin{array}{c}{\epsilon }^{\prime }=Pr[E_1\wedge E_2\wedge E_3]\ge Pr\left[E_3\right|E_1\wedge E_2]Pr\left[E_2\right|E_1]Pr\left[E_1\right]\ge \frac{1}{q_{H_2}}{(1-\frac{1}{q_{H_2}})}^{q_e}{(1-\frac{1}{q_{H_4}})}^{q_s}\epsilon .\hfill \end{array}$$

Due to the non-negligibility of $\epsilon$, we are able to know that ${\epsilon }^{\prime }$ is non-negligible. In accordance with the above analysis, we are able to conclude that $\mathcal{B}$ can solve the ECDL problem with a non-negligible probability. This contradicts with the hardness of the ECDL problem [42], and hence the proposed EP${}^2$DS scheme can provide unforgeability.

Author Contributions

Y.M. and X.Y. conceived of the work, designed the concrete scheme, and wrote the paper. All authors have read and agreed to the published version of the manuscript.

Funding

This work was supported in part by the Natural Science Foundation of Shaanxi Province under Grant 2018JM6081, and in part by the Fundamental Research Funds for the Central Universities, CHD, under Grant 300102249204.

Conflicts of Interest

The authors declare no conflict of interest.