Journal of Systems Architecture 160 (2025) 103345 Contents lists available at ScienceDirect Journal of Systems Architecture journal homepage: www.elsevier.com/locate/sysarc A hash-based post-quantum ring signature scheme for the Internet of Vehicles Shuanggen Liu a ,∗, Xiayi Zhou a , Xu An Wang b , Zixuan Yan a , He Yan a , Yurui Cao a a School of Cyberspace Security, Xi’an University of Posts and Telecommunications, Xi’an, Shaanxi, China b Key Laboratory of Network and Information Security, Engineering University of People’s Armed Police, Shaanxi, China ARTICLE INFO ABSTRACT Keywords: With the rapid development of the Internet of Vehicles, securing data transmission has become crucial, Ring signature especially given the threat posed by quantum computing to traditional digital signatures. This paper presents Internet of Vehicles a hash-based post-quantum ring signature scheme built upon the XMSS hash-based signature framework, Merkle tree leveraging Merkle trees for efficient data organization and verification. In addition, the scheme is applied to Post-quantum digital signature the Internet of Vehicles, ensuring both anonymity and traceability while providing robust quantum-resistant Hash-based signature scheme security. Evaluation results indicate that, compared to other schemes, the proposed method achieves superior verification speed while ensuring data security and privacy. 1. Introduction area of study, with the aim of establishing a resilient foundation for the industry. The National Institute of Standards and Technology As a fundamental necessity in modern life, the number of vehicles (NIST) has been conducting a multi-stage standardization process for produced worldwide continues to grow. According to relevant statistics, post-quantum cryptography. The third round of candidate evaluations global vehicle production reached 94 million units in 2023 [1]. Ad- has been completed, and algorithms such as SPHINCS+, CRYSTALS- ditionally, data from the International Organization of Motor Vehicle DILITHIUM, and CRYSTALS-KYBER have been standardized. These Manufacturers indicates that there are now 1.3 billion vehicles in algorithms achieve varying levels of bit-level security depending on use [2]. However, this growth brings various challenges, including key size and parameter settings, which align with NIST security levels network attacks, unauthorized access, and concerns around road safety from 1 to 5, representing 128/160/192/224/256-bit security strengths, and privacy. To address these issues, new research fields, such as respectively [5]. A post-quantum digital signature scheme is a dig- intelligent transportation systems (ITS) and the Internet of Vehicles ital signature scheme capable of resisting quantum attacks. Among (IoV), have emerged. These fields aim to provide safer, more efficient, post-quantum digital signature schemes, hash-based schemes are partic- and more harmonious vehicular environments. Vehicle-to-Everything ularly effective and provably secure. Hash-based post-quantum digital (V2X) technology enables the effective use of dynamic information signature schemes offer significant advantages over other types of from all networked vehicles via on-board devices, facilitating secure, post-quantum schemes due to their high computational efficiency, scal- efficient, intelligent, and comfortable services, thereby contributing ability, maturity, and reliance solely on the preimage resistance of the to the intelligence of social traffic systems [3]. The typical VANET underlying hash function [6]. structure is shown in Fig. 1. In IoV networks, where both privacy and traffic safety are essential, With the increasing number of vehicles and the development of ring signatures are especially suitable. Ring signature schemes offer the IoV, it is a very important job to ensure the security of the anonymity by concealing the identity of signer among a group of par- IoV systems. Currently, the security of vehicular networks, whether ticipants. Using hash-based post-quantum ring signatures, vehicles can internal or external, primarily relies on digital signatures or public- sign messages anonymously within a group, ensuring their identities key encryption. However, as quantum computing advances, traditional digital signature algorithms are increasingly vulnerable to quantum cannot be traced. These signatures also provide unforgeability, collision attacks, making it essential to incorporate post-quantum digital sig- resistance, resilience against quantum attacks, and low communication nature algorithms into IoV research. Unlike traditional computers, overhead. In densely populated cities, managing keys for secure vehic- quantum computers can accelerate the cracking of probabilistic al- ular communications can be challenging, especially given the limited gorithms through parallel computation capabilities [4]. In light of IoV coverage [7]. The Merkle tree structure effectively compresses these challenges, post-quantum cryptography has become a critical keys, reducing key management costs [8]. In this study, we propose a ∗ Corresponding author. E-mail address: liushuanggen201@xupt.edu.cn (S. Liu). https://doi.org/10.1016/j.sysarc.2025.103345 Received 11 November 2024; Received in revised form 23 December 2024; Accepted 16 January 2025 Available online 23 January 2025 1383-7621/© 2025 Elsevier B.V. All rights are reserved, including those for text and data mining, AI training, and similar technologies. S. Liu et al. Journal of Systems Architecture 160 (2025) 103345 of classical signature and ring signature in the quantum environment, and proposed two short signature schemes, which were implemented in the quantum random prediction model and the ordinary model respectively [20]. Recent literature has introduced novel architectures, such as linkable ring signatures, threshold ring signatures, and identity- based post-quantum ring signatures, discussing their post-quantum se- curity features [21–23], Similarly, literature [24]systematically reviews the theory and application of linkable ring signatures, providing an in- depth comparison of anonymization and linkability schemes, but these studies lack analysis of specific application scenarios (such as the IoV), and do not fully consider resource-constrained environments and the potential of anti-quantum computing. In response to the research of NIST on post-quantum algorithms and verification ring signatures, a blockchain-based, post-quantum anonymous, traceable, and verifiable authentication scheme was pro- posed to mitigate quantum attacks while addressing security and pri- vacy concerns, with an evaluation of its feasibility in IoV environ- ments [25]. The IoV faces significant security and privacy challenges, Fig. 1. VANET structure. and blockchain technology offers an effective platform to ensure both user privacy and security [26–28]. Literature [29] proposes an identity authentication and signature scheme for UAV-assisted Vehicular Ad Hoc Networks (VANET), focusing on enhancing network anonymity hash-based post-quantum ring signature scheme for IoV applications. and user privacy through an efficient authentication mechanism. Lit- The ring signature algorithm of Our scheme is based on the XMSS erature [30] introduces a distributed message authentication scheme algorithm, aiming to enhance data sharing security and efficiency. combined with a reputation mechanism to improve the security and Merkle trees are used to organize and verify data efficiently, while ring trust of the IoV. The scheme uses node credit values to authenticate signatures ensure the authenticity and integrity of data within the IoV message validity, effectively preventing malicious attacks and forgery. network without compromising user anonymity. Literature [31] presents an authentication key negotiation protocol for intelligent transportation systems in vehicle networks, strengthening 1.1. Related works identity authentication and key exchange mechanisms to prevent secu- rity threats such as eavesdropping, tampering, and man-in-the-middle In recent years, hash-based post-quantum digital signature schemes attacks. While these studies address key security challenges in vehicular have garnered significant attention within the cryptography commu- networks, they often focus on specific aspects, lacking comprehensive nity. Following the fourth round of the NIST post-quantum digital and scalable frameworks for real-world scenarios. Furthermore, the signature standardization process, the SPHINCS+ algorithm was in- integration of post-quantum cryptography and scalability in dynamic, troduced as a supplementary standard, featuring a flexible, tunable large-scale networks remains underexplored, highlighting opportunities hash function structure [9]. As the standardization process progresses, for future research into robust and future-proof solutions. Given the researchers have proposed various adaptations, including SPHINCS-a inherent advantages of ring signatures, they are particularly well- and SPHINCS+-c, which further compress signature sizes and enhance suited for applications such as the Internet of Vehicles, making further execution speeds [10,11]. Additionally, Sun, Liu, and colleagues de- investigation essential. veloped a domestic signature algorithm based on the post-quantum In order to ensure the post-quantum security of data transmission hash function SM3 [12]. Hülsing and Kudinov provided a rigorous in the IoV environment, researchers have proposed various solutions. security proof for the SPHINCS+ algorithm, confirming its robustness The literature [32] recommends the use of lattice-based post-quantum in a post-quantum environment [13]. The XMSS algorithm forms the digital signature, but the signature algorithm has not been combined foundation of SPHINCS+, with its architectural design and security with specific scenarios. Another study [33] proposed a ring-signature proof presented by Hülsing, Butin, and others [14]. Research on hard- scheme based on lattice-based difficult problems and combined it with ware implementations of the XMSS algorithm has also advanced, with the vehicle-connected environment, but the quantum anti-attack char- significant contributions from Thoma and Güneysu [15]. Meanwhile, acteristics of the scheme were not explained in detail. In addition, Sun and Liu investigated the feasibility of replacing the hash function reducing energy consumption in blockchain has also become a research in XMSS with the domestic SM3 hash function [16]. An essential com- focus [34]. An energy saving method is adopted to calculate the root of ponent of XMSS is WOTS+, a one-time signature algorithm; Hülsing Merkle tree, and a Merkle tree design scheme conforming to the specifi- provided its security proof [17], while Zhang, Cui, and colleagues cation is proposed. The effectiveness of this method is verified through evaluated the efficiency of WOTS+ in tree-based one-time signature experiments. At the same time, the Merkle tree accumulator algorithm algorithms [18]. Currently, research on post-quantum digital signatures proposed by Derler and Ramacher in [35] builds an accumulator that primarily concentrates on enhancing signature efficiency and replacing can resist quantum attacks by using only hash function and symmetric the underlying hash functions. However, there is a scarcity of studies meta language, and gives specific operations and definitions. However, that integrate post-quantum digital signatures with specific application the specific algorithm implementation and its combination in practical scenarios or explore their variants. application scenarios need to be further studied. The exploration of post-quantum ring signatures is also accelerating in post-quantum digital signature research. Xie, Wang, and colleagues 1.2. Contributions highlighted that traditional signature algorithms are highly susceptible to quantum computing attacks, and noted that ring signatures offer Firstly, building on the Merkle tree accumulator algorithm described considerable advantages in blockchain applications, including medical in Ref. [35], we propose a hash-based ring signature algorithm specif- data sharing and vehicular networking, due to their unique proper- ically designed for IOV, we improve the Merkle tree accumulator ties [19]. Chatterjee and Chung et al. conducted an in-depth analysis on algorithm to XMSS accumulator algorithm. This algorithm integrates the security of post-quantum ring signature, re-examined the security the principles of ring signatures with Merkle tree structures. Unlike 2 S. Liu et al. Journal of Systems Architecture 160 (2025) 103345 Table 1 Notation for ring signature scheme. Let the security parameter 𝜆, ring signature 𝑅𝑆 = (𝐺𝑒𝑛, 𝑠𝑖𝑔 , 𝑉 𝑒𝑟), 𝜆 Security parameter algorithm A is polynomial-time algorithm (any PPT adversary A), for any integer 𝑠, define the following experiment: 𝑁 The size of the ring (𝑝𝑘, 𝑠𝑘) Key pair Step 1, the challenger generates 𝑠 key pairs (𝑝𝑘, 𝑠𝑘) in which 𝑅 A ring consisting of (𝑝𝑘1 , 𝑝𝑘2 , … … , 𝑝𝑘𝑙 ) 𝑖 ∈ [1, 𝑠], and sends all the public keys 𝑃 𝐾𝑖 in a set 𝑃 𝐾 = (𝑃 𝐾1 , 𝑚 The message digest 𝑃 𝐾2 , … , 𝑃 𝐾𝑠 ) to 𝐴. 𝜎 The signature of message Step 2, the challenger chooses one 𝑃 𝐾𝑖 and checks whether 𝑃 𝐾𝑖 belongs to 𝑅, if 𝑆 𝑖𝑔(𝑠𝑘𝑖 , 𝑅, 𝑚) → 𝜎 is calculated by the challenger, then the challenger will send 𝜎 to A. Step 3, the attacker outputs the tuple 𝑅∗ , 𝑚∗ , 𝜎 ∗ , and the challenger traditional ring signature algorithms, this proposed scheme can resist checks it. quantum attacks, thus offering post-quantum security. If: 𝑅∗ ∈ 𝑃 𝐾 Attacker A never performs signature query access to Secondly, we construct a new hash-based post-quantum ring sig- (𝑠𝑖𝑔 𝑛, 𝑅∗ , 𝑚∗ ), nature scheme for application of vehicular network. This scheme en- 𝑉 𝑒𝑟(𝑅∗ , 𝑚∗ , 𝜎 ∗ ) hances the security of data transmission within the vehicular network, And returns a 1 for the experiment, or a 0 otherwise. providing robust post-quantum security to effectively protect shared data. 𝐴𝑑 𝑣𝜆,𝑠 𝑈𝑁𝐹 (𝐴) = 𝑃 𝑟[𝐸 𝑥𝑝𝜆,𝑠 𝑈𝑁𝐹 (𝐴) = 1] ≤ 𝑛𝑒𝑙𝑔(𝜆) 1.3. Structure Definition 3 (Anonymity). Anonymity in a ring signature scheme en- sures that the identity of signer remains concealed among a group of The remainder of this paper is organized as follows: Chapter 2 potential signers, making it impossible to determine who specifically provides the necessary foundational knowledge, along with a review generated the signature. This anonymity is achieved through a ring of the background and related work relevant to this study. In Chapter signature generation process that relies on the public keys of all group 3, we present a post-quantum ring signature algorithm based on Merkle members, without revealing the identity of the actual signer. trees and discuss its application within the IoV environment. Chapter In the anonymization experiment, the adversary is given a ring 4 offers a security analysis and proof of the robustness of proposed. In signature generated from any two pairs of public and private key pairs, Chapter 5, we evaluate the performance of the scheme and compare it as well as from either of these two private keys, which contains both public keys owned by the adversary, and the goal of adversary is to with existing alternatives. Finally, Chapter 6 concludes the paper and distinguish which private key was used to generate the ring signature outlines directions for future research. with negligible probability. Let the security parameter 𝜆, the ring signature 𝑅𝑆 = (𝐺𝑒𝑛, 𝑠𝑖𝑔 , 𝑉 𝑒𝑟), 2. Preliminaries algorithm A be a polynomial time algorithm, for any integer 𝑠 and any bit 𝑏, define the experiment as follows: 2.1. Ring signature Step 1, the challenger generates 𝑠 key pairs (𝑃 𝐾𝑖 , 𝑆 𝐾𝑖 ), of which 𝑖 ∈ [1, 𝑠], and sends all the public keys 𝑃 𝐾𝑖 to A. Ring signature is a digital signature scheme introduced by Rivest, Step 2, A sends (𝑅, 𝑚, 𝑖0 , 𝑖1 ) to the challenger, the challenger checks Shamir, and Tauman in 2001. A ring is composed of a group of if 𝑝𝑘𝑖0 ∈ 𝑅2 , 𝑝𝑘𝑖1 ∈ 𝑅2 , then the challenger calculates 𝑅2 𝜎 ← members, allowing any member within the group to sign on behalf 𝑆 𝑖𝑔(𝑠𝑘𝑖𝑏 , 𝑅, 𝑚) and send 𝜎 to A. of the entire group without revealing the identity of the signing mem- Step 3, A returns a guess bit 𝑏∗ where the experiment 𝑏∗ = 𝑏 outputs 1 if and 0 otherwise, and RS is considered anonymous if for all 𝑠 and ber [36],The main parameters of ring signature are given in Table 1. all polynomial-time algorithms A, the probability of A returning 1 in the (𝑠, 0)-anonymous experiment (in the 𝜆) is ignorably close to the Definition 1 (Ring Signature). A ring signature scheme consists of three probability of A returning 1 in the (𝑠, 1)anonymous experiment. core algorithms: key generation, signature generation, and signature 1 verification. These algorithms are defined as follows: 𝐴𝑑 𝑣𝜆,𝑠 𝐴𝑁 𝑂𝑁 (𝐴) = |𝑃 𝑟[𝐸 𝑥𝑝𝜆,𝑠 𝐴𝑁 𝑂𝑁 (𝐴)] − | ≤ 𝑛𝑒𝑙𝑔(𝜆) 2 Step1: Key generation (𝑝𝑘, 𝑠𝑘) ← 𝐺𝑒𝑛(𝜆, 𝑁):The size of the ring is 𝑁, set the security param- 2.2. WOTS+ eters 𝜆 the maximum number of members in the ring 𝑁, 𝜆 and 𝑁 as input, the output is the public and private key pair. Ralph Merkle pioneered hash-based signature algorithms, as noted Step2: Signature generation in Ref. [37]. Currently, hash-based signature schemes are categorized 𝜎 ← 𝑆 𝑖𝑔 𝑛(𝑠𝑘, 𝑅, 𝑚): Input private key 𝑠𝑘, set of all public keys 𝑅 = into three main types: one-time signature schemes (OTS), few-time (𝑃 𝐾1 , 𝑃 𝐾2 , … , 𝑃 𝐾𝐿 ), message 𝑚 ∈ 𝑀𝜆 , output signature 𝜎. signature schemes (FTS), and many-time signature schemes (MTS). The Table 2 below summarizes some of the most widely used hash- Step3: Signature verification based signature schemes. Research on OTS schemes began with the 𝑇 𝑟𝑢𝑒∕𝑓 𝑎𝑙𝑠𝑒 ← 𝑉 𝑒𝑟(𝑅, 𝑚, 𝜎): Input a collection composed of all public Lamport-Diffie algorithm. This paper adopts the WOTS+ (Winternitz keys 𝑅, message 𝑚 ∈ 𝑀𝜆 , signature 𝜎, and output 𝑇 𝑟𝑢𝑒∕𝑓 𝑎𝑙𝑠𝑒. One-Time Signature Plus) scheme, which comprises three main compo- A ring signature must satisfy two critical security properties: nents: key generation (GEN), signature generation (SIG), and signature anonymity and Unforgeability. Anonymity ensures that while the sig- verification (VER). nature indicates it was generated by a member of the ring, it does The first step is parameter selection, where parameter 𝜔, an integer not reveal the specific identity of the signer. Unforgeability guarantees 𝜔 ∈ 𝑁 with 𝜔 ≥ 2, is determined to set the number of hash iterations that only members of the ring can generate valid signatures; outsiders required to construct the 𝑛 ∈ 𝑁 public key. Additionally, the hash cannot create valid signatures for the ring. output length m and security parameter n, where, need to be defined. Next, parameters 𝑙1 and 𝑙2 are computed, which are then summed to Definition 2 (Unforgeability). Unforgeability ensures that only members obtain l. The calculation method is as follows: of the ring can generate a valid signature. In the unforgeability model, ⌈ ⌉ ⌊ ⌋ 𝑚 log2 (𝑙1 (𝜔 − 1)) + log2 𝜔 we assume that the attacker has access to a public key and aims to 𝑙1 = , 𝑙2 = , 𝑙 = 𝑙1 + 𝑙2 log2 𝜔 log2 𝜔 produce a valid ring signature without authorization. 3 S. Liu et al. Journal of Systems Architecture 160 (2025) 103345 Table 2 Classification table for hash-based signature schemes. Scheme Type Scheme Name OTS Lamport-Diffe, WOTS, 𝑊 𝑂𝑇 𝑆 + FTS HORS, HORST-T, PORS, PORS-T MTS XMSS, SPHINCS, SPHINCS+ Table 3 Parameter descriptions for the WOTS+ algorithm. 𝑛∈𝑁 Security parameter 𝑤∈𝑁 Winternitz parameter (𝑤 ≥ 2) 𝑚∈𝑁 Bit length of the message digest { } 𝐹𝑛 A set of functions, 𝐹𝑛 = 𝑓𝑘 ∣ 𝑘 ∈ {0, 1}𝑛 , 𝑓𝑘 ∶ {0, 1}𝑛 → {0, 1}𝑛 ℎ∈𝑁 Height of the tree H Hash function, 𝐻 ∶ {0, 1}∗ → {0, 1}𝑚 𝑥 ∈ {0, 1}𝑛 Randomly chosen string 𝑥, used to construct a one-time verification key Fig. 2. Key generation process for WOTS+. The Table 3 gives the meaning of the parameters in the formula. Next define the operation, WOTS+ uses the function 𝐹𝑛 family: 𝐹𝑛 ∶ {0, 1}𝑛 → {0, 1}𝑛 Fig. 3. Message digest generation graph. Define the function operation: { 𝑖 𝑐 (𝑥, 𝑟) = 𝐹 (𝑐𝑘𝑖−1 (𝑥, 𝑟) ⊕ 𝑟𝑖 ) 𝑖 > 0 𝑐 𝑖 (𝑥, 𝑟) = 𝑥, 𝑖 𝑖=0 ⎧ 𝑥 ∈ {0, 1}𝑛 ⎪ 𝑛 𝑛 ⎨𝐹 = 𝐹 𝑛 ∶ {0, 1} → {0, 1} ⎪ 𝑟 = (𝑟 , 𝑟 , … … , 𝑟 𝑤 ) 𝑟 ∈ {0, 1}𝑛×(2 𝜔−1 ) ⎩ 1 2 2 −1 Step1: Key Generation(GEN) The process of key generation mainly includes two steps: private key generation and public key generation. The key generation process is shown in Fig. 2. (1) Private key generation: Using PRG to generate 𝑙 + 2𝜔 − 1 n bits of random number, the first random number is the private key 𝑠𝑘 = (𝑠𝑘0 , 𝑠𝑘1 , … … , 𝑠𝑘𝑙−1 ), and the last 2𝜔 − 1 are the mask, 𝑟 = (𝑟1 , 𝑟2 , … … , 𝑟2𝜔 −1 ). (2) Public key generation: The public key consists of 𝑙 + 1 blocks, the first block is the mask r, the last L blocks are converted by sk, and The public key is composed as follows: 𝜔 𝑝𝑘𝑖 = 𝑐 2 −1 (𝑠𝑘𝑖−1 , 𝑟), 𝑖 ∈ [1, 𝑙] Fig. 4. WOTS+ signature generation diagram. 𝑝𝑘 = (𝑝𝑘0 , 𝑝𝑘1 , … , 𝑝𝑘𝑙 ) ( 𝜔−1 𝜔−1 ) = 𝑟, 𝑐 2 (𝑠𝑘0 , 𝑟), … , 𝑐 2 (𝑠𝑘𝑙−1 , 𝑟) The message M is converted to 𝑏 = (𝑏0 , 𝑏1 , … … , 𝑏𝑙−1 ). Then, the Step2: Message Signature(SIG) transmitted signature 𝜎 = (𝜎0 , 𝜎1 , … … , 𝜎𝑙−1 ) is processed as follows to (1) Generate message digest: Generate message digest M that needs obtain 𝑝𝑘′ . If the signature is the same as pk, the signature verification to be signed message m through the hash function, and then divide the succeeds. message digest into 𝑙1 parts, each 𝜔 bit, where each 𝜔 bit represents the 𝑝𝑘′ =(𝑟, 𝑝𝑘′1 , 𝑝𝑘′2 , … , 𝑝𝑘′𝑙 ) 𝑚𝑖 , 𝑖 ∈ [0, 𝑙1 − 1] equivalent of an integer. The message digest generation ( 𝜔 𝜔 𝜔 ) process is shown in Fig. 3, and the overall signature generation process = 𝑟, 𝐹 2 −1−𝑏0 (𝜎0 ), 𝐹 2 −1−𝑏1 (𝜎1 ), … , 𝐹 2 −1−𝑏𝑙−1 (𝜎𝑙−1 ) is shown in Fig. 4. (2) Calculate the checksum: 𝑙1 ∑ 2.3. XMSS 𝐶= (2𝜔 − 1 − 𝑚𝑖 ) ≤ 𝑙1 (2𝜔 − 1) 𝑖=1 2.3.1. Merkle tree Divide C into 𝜔 bits, and 𝑐 = (𝑐0 , 𝑐1 , … … , 𝑐𝑙2 −1 ). The Merkle Signature Scheme (MSS), proposed by Ralph Merkle in Let 𝑏 = (𝑏0 , 𝑏1 , … … , 𝑏𝑙−1 ), that is b be the concatenation of 𝑚 and 𝑐. 1979, integrates the Merkle Tree with an OTS algorithm. A Merkle tree Signature generation is represented by the following formula: is a hierarchical structure where leaf nodes contain hash values of data, and non-leaf nodes store the combined hash values of their child nodes. 𝜎 = (𝜎0 , 𝜎1 , … , 𝜎𝑙−1 ) This structure enables efficient data integrity verification, especially for ( ) = 𝐹 𝑏0 (𝑠𝑘0 , 𝑟), 𝐹 𝑏1 (𝑠𝑘1 , 𝑟), … , 𝐹 𝑏𝑙−1 (𝑠𝑘𝑙−1 , 𝑟) large-scale datasets. The structure of the Merkle tree is shown in Fig. 5. According to the Fig. 5, the tree has 3 layers and 23 = 8 leaf nodes, Step3: Message verification(VER) each storing the hash of a one-time signature public key. The leaf nodes, 4 S. Liu et al. Journal of Systems Architecture 160 (2025) 103345 Fig. 5. Merkle tree structure diagram. labeled node0 to node7, are hashed pairwise to generate the middle 2.3.4. Signature verification nodes. The final root node stores the public key. The signature verification process ensures the correctness of the The Merkle tree serves two primary functions: OTS signature and validates that the corresponding OTS public key (1) Data Integrity Verification, where users can check if data has is consistent with the root of the Merkle tree. The main steps are as been tampered with by recalculating the root hash. follows: (2) Public Key Size Compression, reducing the storage requirements Step1: Extract Information for numerous public keys by consolidating them into a single root key. Extract OTS serial number 𝑖, OTS signature 𝑆 𝑖𝑔𝑂𝑇 𝑆 , and path proof AuthPath for the Merkle tree from XMSS signature 𝑆 𝑖𝑔𝑋 𝑀 𝑆 𝑆 . 2.3.2. Key generation Step2: Verify OTS signature The XMSS algorithm deploys 2ℎ WOTS+ instances as the 2ℎ leaf Using the extracted OTS public key, verify the validity of 𝑆 𝑖𝑔𝑂𝑇 𝑆 nodes of a Merkle tree with height ℎ, with the root node authenticating for the message M. If verification fails, the signature is deemed invalid. these instances [38]. The XMSS key consists of multiple OTS keys and Step3: Compute Merkle Tree Path the root of the Merkle tree as the public key. Step1: Select the parameters Calculate the Merkle tree node of the OTS public key Using OTS Step2: Generate a one-time signature key pair (𝑝𝑘, 𝑠𝑘) public key 𝑝𝑘𝑖 and path proof AuthPath, calculate the hash value of Step3: Build the Merkle tree the parent node step by step from the leaf node 𝑝𝑘𝑖 until the root node Use each OTS public key 𝑝𝑘𝑖 as a leaf node of the Merkle tree. 𝑁 𝑜𝑑 𝑒(𝑖) = 𝐻(𝑐 ℎ𝑖𝑙𝑑(𝑖) ∥ 𝑐 ℎ𝑖𝑙𝑑(𝑖)) is calculated. Each leaf node generates non-leaf nodes through a hash function, which Step4: Compare Root Nodes eventually generates the Root node. The parent node in the Merkle tree Compare the reconstructed root node with the root node Root is generated from the hash of the two child nodes, that is, 𝑁 𝑜𝑑 𝑒(𝑖) = from the XMSS public key. If the values match, the signature is valid; 𝐻(𝑐 ℎ𝑖𝑙𝑑(1) ∥ 𝑐 ℎ𝑖𝑙𝑑(𝑖)), the root node 𝑅𝑜𝑜𝑡 serves as the XMSS public otherwise, it is invalid. key. Step4: Output the key pair 3. Hash-based post-quantum ring signature scheme Public key: 𝑝𝑘 = (𝑟𝑜𝑜𝑡, 𝑠𝑒𝑒𝑑), the private key consists of the OTS key pairs. In addition to its high computational efficiency and excellent scal- ability, the hash function-based signature scheme exhibits greater al- 2.3.3. Message signature gorithmic maturity compared to other post-quantum digital signature To sign a message, an unused WOTS+ private key is selected, and schemes, such as XMSS and SPHINCS+. Furthermore, post-quantum the Merkle tree path proof is generated to output the signature SIG. ring signatures ensure both the anonymity and unforgeability of signa- Step1: Select WOTS+ key tures. Consequently, in light of the security threats posed by the rapid Choose an unused WOTS+ private key 𝑠𝑘𝑖 , ensuring it is used only advancement of quantum computing, it is highly significant to integrate once. the post-quantum ring signature scheme with vehicle networking. Step2: Generate WOTS+ one-time signature Use the WOTS+ private key to sign message M, producing the OTS signature 𝑆 𝑖𝑔𝑂𝑇 𝑆 . 3.1. Design principles Step3: Merkle tree path proof Hash path from leaf node 𝑝𝑘𝑖 to Root node, this path proves that The Merkle tree is an efficient data structure, a binary hash tree OTS public key is valid. where each node represents the hash value of a data block. The root Step4: Generate XMSS signature node represents the hash of the entire data set. The characteristics The signature includes: serial number 𝑖 (using the 𝑖 th OTS key), of the Merkle tree make it a highly efficient method for storing and OTS signature 𝑆 𝑖𝑔𝑂𝑇 𝑆 , and AuthPath for authentication of the Merkle verifying large amounts of data. In blockchain, Merkle trees are widely tree 𝑆 𝑖𝑔𝑋 𝑀 𝑆 𝑆 = (𝑖, 𝑆 𝑖𝑔𝑂𝑇 𝑆 , 𝐴𝑢𝑡ℎ𝑃 𝑎𝑡ℎ). used to store transaction data and block hashes. Ring signatures enable 5 S. Liu et al. Journal of Systems Architecture 160 (2025) 103345 Table 4 Meaning of parameters in the proposed scheme. ⎡ 𝐸 𝑣𝑎𝑙𝑟 ((𝑠𝑘𝛺 , 𝑝𝑘𝛺 ), 𝑋 ∗ ) → 𝛺∗ ⎤ Parameter Description ⎢ 𝑖 ⎥ 𝑃 𝑟 ⎢ (Gen(1𝑘 , 𝑡) → (𝑠𝑘𝛺 , 𝑝𝑘𝛺 ))(𝐴(𝑝𝑘𝛺 ) → (𝑤𝑖𝑡∗𝑥𝑖 , 𝑥∗𝑖 , 𝑋 ∗ )) ⎥ ≤ 𝜀(𝑘) 𝑘 Security parameter ⎢ 𝑉 𝑒𝑟𝑖𝑓 𝑦(𝑝𝑘𝛺 , 𝛺∗ , 𝑤𝑖𝑡∗ , 𝑥∗ ) = 1 ∧ 𝑥𝑖 ∈ 𝑋 ∗ ⎥ 𝑡 Maximum number of elements to accumulate ⎣ 𝑥𝑖 𝑖 ⎦ 𝑖 𝑖 ∈ [0, 2ℎ − 1] ℎ∈𝑁 Height of the tree The implementation of the Merkle tree ring signature is described 𝐻 Hash function, 𝐻 ∶ {0, 1}∗ → {0, 1}𝑚 next, and the whole process is covered in Algorithm 1. (𝑠𝑘𝛺 , 𝑝𝑘𝛺 ) A key pair { } Step1: Key Generation: 𝐺𝑒𝑛(1𝑘 , 𝑡) 𝑋 The set of 𝑥𝑖 ∣ 𝑖 ∈ [0, 2ℎ − 1] { } 𝛺 The accumulator First, determine the hash functions 𝐻𝑘 𝑘∈𝐾 𝐾 , where for any 𝑘 ∈ 𝑎𝑢𝑥 The auxiliary information 𝐾 𝐾 , the hash function 𝐻𝑘 ∶ {0, 1}∗ → {0, 1}𝐾 . The hash function can be 𝑤𝑖𝑡𝑥𝑖 The certificate for 𝑥𝑖 chosen as SHA functions, SM2, SM3, etc. Determine the parameter N, which represents the number of ring members, and 𝑡, the upper bound for accumulating elements. Then, generate the key pairs and return (𝑠𝑘𝛺 , 𝑝𝑘𝛺 ). a message sender to demonstrate possession of at least one public Step2: Public Key Evaluation Eval: 𝐸 𝑣𝑎𝑙((𝑠𝑘𝛺 , 𝑝𝑘𝛺 ), 𝑋) key within a set while concealing the specific public key used, thus Parse the number of ring members N. The parsing rule is that if N providing anonymity and unlinkability. This feature makes ring sig- natures particularly valuable in applications centered on privacy and is not a power of 2, the function returns false, as it must be a perfect secure communication. Within ring signatures, Merkle trees can be binary tree. If N is a power of 2, begin computation from layer 0 (the employed to organize the hashes of messages or data blocks into a leaf nodes at the lowest level) and continue until the root (the single tree structure, facilitating efficient verification of data integrity and node at the top) is obtained. Let 𝐿𝑢,𝑣 represent the node at layer v and authenticity. Furthermore, ring signatures can leverage Merkle trees the u-th leaf index. The auxiliary variable aux stores the hash values to obscure the identity of sender by integrating the public key of corresponding to each layer. signer with those of other members in a ring. Consequently, the signer Step3: Certificate Creation: 𝑊 𝑖𝑡((𝑠𝑘𝛺 , 𝑝𝑘𝛺 ), 𝛺𝑋 , 𝑎𝑢𝑥𝑥𝑖 , 𝑥𝑖 ) can validate ownership of at least one public key in the set without First, parse aux into nodes at each level of the Merkle tree. Then, re- disclosing the specific key used. Even if an attacker intercepts the construct the Merkle tree from bottom to top. The 𝑊 𝑖𝑡𝐶 𝑟𝑒𝑎𝑡 algorithm signed message, they would be unable to ascertain the true identity involves using intermediate nodes to build up to the root hash value. of the signer. Step4: Certificate Verification: 𝑉 𝑒𝑟𝑖𝑓 𝑦(𝑝𝑘𝛺 , 𝛺𝑋 , 𝑤𝑖𝑡𝑥𝑖 , 𝑥𝑖 ) The final step is verification. Start by setting the leaves to the hash 3.2. Scheme description values of each party and proceed to compute hashes from the bottom up. Check if the final result matches the root node value. If it matches, This scheme is based on the definition of Merkle tree accumulators it verifies that the member is part of the ring. For example, node 𝑙0,2 is as described in [35], with slight modifications to accommodate the visualized in Fig. 6, showing how node 𝑙0,2 reconstructs the root node proposed post-quantum ring signature scheme utilizing hash functions, in a Merkle tree with height ℎ = 3 and 𝑁 = 8 leaf nodes. specifically designed for vehicular networks. This formalism facilitates the restatement of the Merkle tree accumulator algorithm within the current framework. The main parameters of this scheme are given in Algorithm 1 Extend Merkle tree accumulator Table 4. input: 𝑘, 𝑡, {𝐻𝑘 }𝑘∈𝐾 𝜅 , 𝐻𝑘 ∶ {0, 1}∗ → {0, 1}𝜅 output: (𝑠𝑘𝛺 , 𝑝𝑘𝛺 ), 𝐿𝑢,𝑣 , 𝑤𝑖𝑡𝑥𝑖 , 0 or 1 Definition 4 (Extend Merkle Tree Accumulator). The Merkle tree accu- mulator algorithm (Algorithm 1) comprises the following subroutines 1. 𝑘 ∈ 𝐾𝜅 # Key generation 𝐺𝑒𝑛(1𝑘 , 𝑡) (Gen, Eval, WitCreate, Verify), defined as follows: 2. (𝑠𝑘𝛺 , 𝑝𝑘𝛺 ) ← {𝐻𝑘 }𝑘∈𝐾 𝜅 𝐺𝑒𝑛(1𝑘 , 𝑡): The key generation algorithm takes a security parameter 3. 𝐻𝑘 ← 𝑝𝑘𝛺 # Public Key Resolution 𝑘 and a parameter 𝑡, where 𝑡 is the upper bound on the number of 4. (𝑥0 , 𝑥1 , … , 𝑥𝑛−1 ) ← 𝑋 elements to be accumulated, and returns a key pair (𝑠𝑘𝛺 , 𝑝𝑘𝛺 ). 5. If 𝑛 = 2𝑘 ∣ 𝑘 ∈ N, 𝑣 ≤ 𝑘: 𝐸 𝑣𝑎𝑙((𝑠𝑘𝛺 , 𝑝𝑘𝛺 ), 𝑋): This algorithm takes the key pair (𝑠𝑘𝛺 , 𝑝𝑘𝛺 ) and 6. 𝐻𝑘 (𝐿2𝑢,𝑣+1 ∥𝐿2𝑢+1,𝑣+1 ) if 𝑣 < 𝑘 else 𝐻𝑘 (𝑥𝑖 ) the set of elements X to be accumulated, returning the accumulator 𝛺𝑋 and some auxiliary information aux. 7. Else False ( ) 𝑊 𝑖𝑡𝐶 𝑟𝑒𝑎𝑡((𝑠𝑘𝛺 , 𝑝𝑘𝛺 ), 𝛺𝑋 , 𝑎𝑢𝑥, 𝑥𝑖 ): This algorithm takes the key 8. 𝑙𝑢,𝑣 (𝑢∈[𝑛∕2𝑘−𝑣 ]) ← 𝑎𝑢𝑥 # Creates a certificate 𝑣∈[𝑘] pair(𝑠𝑘𝛺 , 𝑝𝑘𝛺 ), accumulator 𝛺𝑋 , auxiliary information aux, and an 𝑊 𝑖𝑡𝐶 𝑟𝑒𝑎𝑡𝑒((𝑝𝑘𝛺 , 𝑠𝑘𝛺 ), 𝛺𝑋 , 𝑎𝑢𝑥𝑋 , 𝑥𝑖 ) element 𝑥𝑖 . If 𝑥𝑖 is not in the set X, it returns false; otherwise, it returns a certificate𝑤𝑖𝑡𝑥𝑖 for 𝑥𝑖 . 9. 𝑤𝑖𝑡𝑥𝑖 ← (𝑙⌊𝑖∕2𝑣 ⌋ + 𝜂 , 𝑘 − 𝑣), 0 ≤ 𝑣 ≤ 𝑘 𝑉 𝑒𝑟𝑖𝑓 𝑦(𝑝𝑘𝛺 , 𝛺𝑋 , 𝑤𝑖𝑡𝑥𝑖 , 𝑥𝑖 ): This algorithm takes the public key 𝑝𝑘𝛺 , 10. 1 if ⌊𝑖∕2𝑣 ⌋ (mod 2) = 0 else −1 accumulator 𝛺𝑋 certificate 𝑤𝑖𝑡𝑥𝑖 , and element 𝑥𝑖 . If 𝑤𝑖𝑡𝑥𝑖 is a valid 11. 𝐻𝑘 ← 𝑝𝑘𝛺 , 𝐿0,0 ← 𝛺𝑋 # Certificate authentication certificate for 𝑥𝑖 it returns 1; otherwise, it returns 0. 𝑉 𝑒𝑟𝑖𝑓 𝑦(𝑝𝑘𝛺 , 𝛺𝑋 , 𝑤𝑖𝑡𝑥𝑖 , 𝑥𝑖 ) The Merkle tree accumulator ensures both correctness and collision resistance. Collision resistance indicates the difficulty of finding an 12. 𝐿𝑖,𝑘 ← 𝐻𝑘 (𝐿⌊𝑖∕2𝑣 ⌋,𝑘−𝑣 ∥𝐿⌊𝑖∕2𝑣 ⌋+1,𝑘−𝑣 ) If ⌊𝑖∕2𝑣 ⌋ (mod 2) = 0 element 𝑥𝑖,𝑗 that does not belong to X yet possesses a valid certificate else 𝐿𝑖,𝑘 ← 𝐻𝑘 (𝐿⌊𝑖∕2𝑣 ⌋,𝑘−𝑣 ∥𝐿⌊𝑖∕2𝑣 ⌋,𝑘−𝑣 ) 𝑥𝑖,𝑗 . 13. 1 if 𝑤𝑖𝑡𝑥𝑖 is a valid witness for 𝑥𝑖 ∈ 𝑋 else 0 Definition 5 (Collision Resistance). Collision resistance implies that for an adversary 𝐴 possessing a valid key pair (𝑠𝑘𝛺 , 𝑝𝑘𝛺 ) generated by 3.3. Signature algorithm description the Gen algorithm, and under the assumption that intermediate values are correct, the probability of finding an element 𝑥∗𝑖 that is not in the The hash-based post-quantum ring signature scheme explored in accumulator 𝑋 ∗ but still produces a verification result of 1 is negligible. this work is based on the XMSS algorithm, which incorporates two Assuming the existence of a negligible function 𝜀(𝑘), collision resistance primary frameworks: the WOTS+ algorithm and the Merkle tree algo- is formally defined as follows: rithm. Below is an overview of these frameworks. 6 S. Liu et al. Journal of Systems Architecture 160 (2025) 103345 The formal signing process begins by selecting the corresponding one- time signature (OTS) key pair (𝑥𝑖 , 𝑦𝑖 ), specifically the 𝑖th OTS key pair. The signer then uses the private OTS key 𝑥𝑖 to sign the message, creating a one-time signature 𝜎𝑂𝑇 𝑆 and calculating the authentication path. The final signature comprises: the index 𝑖, the one-time signature 𝜎𝑂𝑇 𝑆 , the public key 𝑦𝑖 , and the authentication path for 𝑦𝑖 , denoted 𝑎𝑢𝑡ℎ𝑖 . The signature is formally represented as 𝜎 = (𝑖, 𝜎𝑂𝑇 𝑆 , 𝑌𝑖 , 𝑎𝑢𝑡ℎ𝑖 ). The Fig. 7 illustrates the signing process using leaf node𝑥2 as the signing node, where the shaded areas represent the authentication path of the Fig. 6. A Merkle tree with a height of h = 3 and a number of leaf nodes N = 8 signature. visualizes the reconstruction of the root node by 𝑙0.2 nodes. Step 4: Signature Verification As shown in Algorithm 4, signature verification begins by first verifying the one-time signature 𝜎𝑂𝑇 𝑆 . If this check is successful, the Definition 6 (Merkle Tree Ring Signature Algorithm). The Merkle tree- next step involves reconstructing the Merkle tree root based on the based ring signature algorithm comprises four main steps: parameter chosen index 𝑖 and the public key 𝑦𝑖 . The reconstructed root is then definition, public key generation, signature generation, and signature compared with the stored public key. If the two match, verification is verification. These steps are outlined as follows: deemed successful. Step 1: Parameter Definition Algorithm 4 Signature verification The height h of the tree represents its number of layers, meaning a Merkle tree with height ℎ has 2ℎ leaf nodes, indicating 2ℎ ring members input: 𝜎 and corresponding key pairs (𝑥𝑖 , 𝑦𝑖 ), 𝑖 ∈ [0, 2ℎ − 1]. output: true or false 1 If In practical application scenarios, if the number of vehicles does 2 𝑉𝐸𝑅(𝑀 , 𝑠𝑖𝑔(𝑂𝑇 𝑆), 𝑌𝑖 ) = 𝑡𝑟𝑢𝑒 not satisfy this condition, it is recommended to either introduce virtual 3 Reconstruct the 𝑟𝑜𝑜𝑡∗ node of the merkle tree members into the ring or divide the vehicles into multiple rings. according to i and Yi Step 2: Public Key Generation/Merkle Tree Construction 4 If As shown in algorithm 2, in the Merkle tree, all leaf nodes together 5 𝑅𝑜𝑜𝑡′ = 𝑃 𝐾 constitute the ring. Each member in the ring is represented by a public– 6 true private key pair corresponding to a leaf node. Each leaf node holds the 7 Else hash of the public key derived from a one-time signature (OTS) scheme, 8 False while each parent node stores the hash of the concatenation of its two 9 Else child nodes. This process repeats according to the same generation rule 10 False until the final root node is formed. The value of the root node is the final public key, while the private key consists of the 2ℎ OTS private To illustrate the reconstruction process, consider node𝑥2 as an keys 𝑥𝑖 . The number of ring members equals the number of leaf nodes in example, assuming 𝑖 = 2 and 𝑌2 known, along with the signature 𝜎 = the Merkle tree. It is essential to ensure that the number of participating (2, 𝜎𝑂𝑇 𝑆 , 𝑌2 , 𝑎𝑢𝑡ℎ2 ). Here, 𝑎𝑢𝑡ℎ2 contains values stored in nodes 3, 8, and members in the ring is a power of 2. The public key of each ring 13. The root node can be reconstructed as follows: node14=hash(node member corresponds to the public key from the one-time signature. 12∥node13), node12=hash(node8∥node9), node9= hash(node2∥node3) wh-ere node2 stores the value of 𝑌2 . The computed value of node14 is Algorithm 2 Public Key Generation the value of the reconstructed root 𝑟𝑜𝑜𝑡∗ . This is shown in Fig. 8. By input: h, SK hashing upwards from the leaf nodes, if a match with the stored root output: PK node is found, the membership of signer in the ring is verified. ( ) 1. 𝑛𝑜𝑑 𝑒𝑖 = 𝐻 𝑎𝑠ℎ 𝑛𝑜𝑑 𝑒2𝑖+1 ||𝑛𝑜𝑑 𝑒2𝑖 , 𝑖 ∈ [0, 2ℎ − 1] 2. Root=Hash(node1|| node2) 3.4. Application of the scheme in vehicular networks 3. PK=Root The proposed hash-based signature scheme offers post-quantum security, protecting against quantum threats, and is highly efficient Step 3: Signature Generation Before executing the ring signature opera- with compact signatures, ideal for resource-constrained on-board de- tion, the signer hashes the binary message to generate a message digest vices in IoV. It supports fast information exchange and verification in 𝑚 = 𝐻(𝑀), where H is the chosen hash function, and M represents the dynamic traffic environments, enhancing security and privacy, such as original binary message. This digest 𝑚 will be used in the subsequent in accident reporting systems, while maintaining reporter anonymity. steps of the signature generation process. This process is shown in Overall, it addresses key security, efficiency, and scalability challenges algorithm 3. in connected vehicle networks. The application of ring signatures in IoV involves three main stages: the registration stage, the inter-vehicle communication stage, and the Algorithm 3 Signature generation signature tracing and broadcast stage. input: M, H, one-time signature key pair (𝑥𝑖 , 𝑦𝑖 ) Step 1: Registration Stage output: 𝜎 This stage consists of three main steps, First, the On-Board Unit 1 (𝑥𝑖 , 𝑦𝑖 ), 𝑖 ∈ [0, 2ℎ − 1] (OBU) sends a registration request to the Trusted Authority (TA). 2 For 𝑥𝑖 Upon receiving the request, the TA generates a public–private key 3 Select node to perform a one-time digital pair (𝑃 𝐾𝑂𝐵𝑈 , 𝑆 𝐾𝑂𝐵𝑈 ) for the OBU. In the final step, the TA returns signature on message M to generate the private key to the OBU, along with the public key and identity signature 𝜎𝑂𝑇 𝑆 information bound to the blockchain network. The identity information 4 Calculate 𝑦𝑖 authentication path 𝑎𝑢𝑡ℎ𝑖 typically includes vehicle certificates, vehicle identification numbers 5 𝜎 = (𝑖, 𝜎𝑂𝑇 𝑆 , 𝑌𝑖 , 𝑎𝑢𝑡ℎ𝑖 ) (VIN), and other vehicle-related data. This process ensures that vehicles 7 S. Liu et al. Journal of Systems Architecture 160 (2025) 103345 Fig. 7. Diagram of the signature generation process. Fig. 8. Signature verification diagram. are properly registered and recognized within the blockchain network, the signatures and returns the verification results to the requesting as illustrated in Fig. 9. OBU, enabling secure and authenticated access to the information. This Step 2: Inter-Vehicle Communication Stage process is further illustrated in Fig. 10. At this stage, the OBU utilizes the public key of the Roadside Step 3: Signature Tracing and Broadcast Stage Unit (RSU) 𝑃 𝐾𝑅𝑆 𝑈 to encrypt its own public key and sends it to the In the event of an accident, the OBU sends accident-related informa- RSU, requesting the creation of a ring. Upon receiving the encrypted tion to the RSU, which then processes and broadcasts the information message, the RSU decrypts it using its private key to obtain 𝑃 𝐾𝑂𝐵 𝑈 , to other OBUs. At the same time, the RSU forwards the signature of the which is then added to the ring. When the number of ring members OBU involved in the accident, denoted as 𝑆 𝐼 𝐺(𝑂𝐵 𝑈 𝑎𝑐 𝑐 ) to the TA. The reaches the threshold of 2ℎ , the RSU broadcasts the ring structure, TA uses its private key to identify the relevant vehicle information. If allowing all ring members to participate in signing processes. the OBU is determined to be malicious, the TA revokes its identity and If the threshold is not met, virtual members may be added, or the public key on the blockchain network. The TA then sends the revoked ring may be split into smaller sub-rings to ensure each ring contains public key and the adverse record of the malicious OBU to the RSU. The 2ℎ members. Once the ring is established, the OBU can sign messages RSU subsequently broadcasts this information to other OBUs, ensuring using a ring signature and forward them to the RSU. The RSU sub- they are aware of the revoked identity and can exclude the malicious sequently broadcasts the signed messages to other OBUs, which can OBU from further network participation. This process is illustrated in request verification from the Verification Node (VN). The VN validates Fig. 11. 8 S. Liu et al. Journal of Systems Architecture 160 (2025) 103345 Fig. 12. IOV model based on post-quantum ring signature. accident, sends the public key and adverse record of the vehicle Fig. 9. Registration phase. involved to the RSU. [4] Verification Node (VN): Responsible for verifying signature re- quests sent by other vehicles. [5] Anonymous Blockchain Network (ABN): In this model, vehicle public keys are stored in the blockchain network, providing a secure and anonymous framework for identity management. In addition to the interactions between the OBU and the TA, as well as between the OBU and RSU in the aforementioned process, within a specific segment of roadway, the OBU is also capable of engaging with pedestrians, road infrastructure, and stations located within that segment. In general, the integrity and privacy protection of data transmis- sion are more emphasized in interactions between vehicles and other vehicles, as well as roadside units. However, interactions between Fig. 10. Information interaction phase. vehicles and pedestrians often involve location verification and identity confirmation. In a vehicular networking system, vehicles may need to verify both the identity and location of pedestrians, while using post- quantum ring signatures to ensure the integrity and non-repudiation of pedestrian information. 4. Security analysis 4.1. Safety assessment The proposed scheme possesses the following characteristics: (1) Anonymity: Ring signatures inherently support anonymity, pro- tecting the identity of signer. Assuming an attacker has obtained a valid ring signature generated only by members within the ring, if the ring contains 𝑛 members, the probability that the attacker identifies the true signer is 1∕𝑛. For any member other than the signer, the probability of Fig. 11. Signature tracing phase. knowing the identity of signer is 1∕𝑛 − 1. (2) Privacy: The generation of a ring signature relies solely on the signer within the ring, with no involvement from other ring members, When applying this ring signature scheme to a vehicular network thus preserving the privacy of the signer. system, the overall model framework is shown in Fig. 12. The primary (3) Post-Quantum Security: This scheme employs a post-quantum ring signature approach based on Merkle trees, leveraging hash-based components of the model include: and post-quantum secure mathematical problems. This design provides robust security against quantum computing threats. The use of hash- [1] On - Board Unit (OBU): Responsible for sending requests to the based post-quantum ring signatures combines the strong properties of TA, transferring its public key to the RSU, signing messages with hash functions with quantum-resilient security, maintaining integrity the ring signature, and sharing traffic accident information. even under potential quantum computing attacks. [2] Road - Side Unit (RSU): Organizes received public keys into a (4) Efficiency: The computational efficiency of hash functions makes ring, broadcasts signatures, accident information, and adverse this scheme suitable for a variety of application scenarios. records to other vehicles, and forwards accident-related signa- (5) Unforgeability: The scheme ensures unforgeability through the tures to the TA. one-way and irreversible properties of hash functions in constructing [3] Trusted Authority (TA): Generates key pairs for the OBU, up- hash chains. Thus, it is highly challenging for anyone other than the loads these to the blockchain network, and, in the event of an legitimate signer to forge a signature within this scheme. 9 S. Liu et al. Journal of Systems Architecture 160 (2025) 103345 C computes the corresponding 𝜎𝑠 , which S returns as a complete ring signature to A. Step 4: In the challenge phase, A sends M and an unobserved forged ring signature to S, which calculates the corresponding 𝑌𝑠 of the forged signer and submits (𝑌𝑠 , 𝜎𝑠 ) to C. If C verifies 𝑌𝑠 and 𝜎𝑠 as valid, then S has successfully forged a signature, with output 1; otherwise, S fails, outputting 0. Since A can break the scheme with non-negligible probability P, we deduce that 𝑝𝑟(𝑜𝑢𝑡𝑝𝑢𝑡(𝐺𝑎𝑚𝑒) = 1) = 𝑝, allowing S to break the post-quantum ring signature algorithm with non-negligible probability. However, this contradicts the assumed security of scheme, proving that A cannot successfully forge signatures in polynomial time. Fig. 13. Authentication path diagram of a node with index i = 2. Theorem 3. If the underlying hash function family {𝐻𝑘 }, 𝑘 ∈ 𝐾𝐾 is a collision-resistant family, then the proposed hash-based post-quantum ring 4.2. Security proof signature scheme is collision-resistant. The following section provides security proofs and discussions for Proof. During initialization, this reduction interacts with a collision- the proposed scheme: resistant hash function challenge to acquire 𝐻𝑘 and completes initial- ization per the original protocol. If an attacker generates a collision Lemma 1. If a one-time signature scheme passes verification and the within the accumulator, this implies that the reduction knows two reconstructed Merkle root Root∗ matches the original Merkle root Root, then distinct inputs that collide under 𝐻𝑘 , with the collision probability the signature is valid. bounded by the collision resistance of hash function. Proof. Suppose the index 𝑖 = 2 is chosen for the one-time signature key Theorem 4. If the employed hash functions are one-way, then the proposed used in the message signature. The nodes from index 𝑖 = 2 to the root Merkle-tree-based post-quantum ring signature scheme is unforgeable under node traverse nodes [2, 9, 12], with sibling nodes [3, 8, 13], forming chosen-message attacks. a verification path [3, 8, 13], In Fig. 13, we illustrate the verification Let 𝑛, 𝑤, 𝑚 ∈ 𝑁 , 𝑤𝑖𝑡ℎ𝑤, 𝑚 = 𝑝𝑜𝑙𝑦(𝑛), and let the function family 𝐹𝑛 = pathway of the leaf node indexed at 2, which is depicted as the gray 𝑓𝑘 ∶ {0, 1}𝑛 → {0, 1}𝑛 where 𝑘 ∈ {0, 1}𝑛 satisfy second-preimage resistance node. Reconstructing the root Root* follows these steps: and one-way properties. The variable t represents the computational time. 𝑁 𝑜𝑑 𝑒(9) = Hash(𝑛𝑜𝑑 𝑒(2) ∥ 𝑛𝑜𝑑 𝑒(3)) The term 𝜔 ⋅ 𝐼 𝑛𝑆 𝑒𝑐 𝑈 𝐷 (𝐹𝑛 ; 𝑡∗ ) reflects the undetectability (UD) security of the function family 𝐹𝑛 , while 𝐼 𝑛𝑆 𝑒𝑐 𝑂𝑊 (𝐹𝑛 ; 𝑡′ ) represents its one-way(OW) 𝑁 𝑜𝑑 𝑒(12) = Hash(𝑛𝑜𝑑 𝑒(9) ∥ 𝑛𝑜𝑑 𝑒(8)) security. Additionally, the term 𝜔 ⋅ 𝐼 𝑛𝑆 𝑒𝑐 𝑆 𝑃 𝑅 (𝐹𝑛 ; 𝑡′ ) denotes the second- preimage resistance(SPR) security, scaled by the parameter 𝜔. The formal definitions of EU-CMA and SPR are provided in [14], and will not be 𝑁 𝑜𝑑 𝑒(14) = Hash(𝑛𝑜𝑑 𝑒(12) ∥ 𝑛𝑜𝑑 𝑒(13)) elaborated on here. The value of node 9 is computed from nodes 2 and 3, the value of We define the unforgeability insecurity under chosen-message at- node 12 is computed from nodes 9 and 8, and the value of the root node tack of WOTS+ as follows: Root∗ (node 14) is computed from nodes 12 and 13. This computed lnSecEU-CMA (WOTS+ (1𝑛 , 𝑤, 𝑚); 𝑡, 1) Root∗ value is then compared with the public key. Clearly, the hash of Root∗ matches the original public key. The proof process for any other ≤ 𝑤 ⋅ ln SecUD (𝐹𝑛 ; 𝑡∗ ) + 𝑤𝑙 node is identical, thus confirming the correctness of the signature. ⋅ max{ln SecOW (𝐹𝑛 ; 𝑡′ ), 𝑤 ⋅ ln SecSPR (𝐹𝑛 ; 𝑡′ )} with 𝑡′ = 𝑡 + 3𝑙𝑤 and 𝑡∗ Theorem 1. The proposed post-quantum ring signature scheme preserves = 𝑡 + 3𝑙𝑤 + 𝑤 − 1 anonymity. Assuming a valid signature 𝜎 = (𝑖, 𝜎𝑂𝑇 𝑆 , 𝑌𝑖 , 𝑎𝑢𝑡ℎ𝑖 ), where each value For WOTS+ combined with Merkle trees, the non-forgeability under of 𝑖 is within the appropriate range 𝑖 ∈ [0, 2ℎ − 1], the probability that chosen-message attacks on the Merkle tree can be defined as follows: any other person can identify the true signer is 1∕2ℎ (for a ring with ( ( ) ) InSecEU-CMA Merkle-tree 1𝑛 , 𝑇 = 2ℎ ; 𝑡, 1 2ℎ members). For other ring members, the probability of knowing the { ℎ+log 𝓁−1 ≤ 2 ⋅ max 2 2 ⋅ identity of signer is 1∕(2ℎ − 1). } SPR InSec (WOTS+ (1𝑛 , 𝜔, 𝑚) ; 𝑡, 1) Theorem 2. The proposed ring signature scheme is unforgeable. Using the derived insecurity function for the Merkle tree combined Proof. Suppose an attacker A could successfully forge a ring signature with W-OTS, which employs pseudorandom key generation and 𝐺𝑒𝑛2ℎ with non-negligible probability P within polynomial time. We construct we arrive at the following results: ( ) a simulator S to challenge a ring signature algorithm claimed to be InSecEU-CMA XMSS(1𝑛 , 𝑇 = 2ℎ ); 𝑡, 1 ( ) secure by challenger C as follows: ≤ InSecEU-CMA WOTS+(1𝑛 , 𝜔, 𝑚); 𝑡, 1 Step 1: The challenger initializes 𝑛 signing instances with the MSS ( ) + InSecEU-CMA Merkle-tree(1𝑛 , 𝑇 = 2ℎ ); 𝑡, 1 signing algorithm, generating 𝑛 key pairs (𝑠𝑘, 𝑝𝑘) and sends all public keys pk to simulator S. = InSecPRF (𝐹𝑛 , 𝑡′ + 2ℎ , 2ℎ ) Step 2: Upon receiving the public keys, S initializes the ring sig- ⎧(2ℎ+log2 𝑙−1 ) ⋅ InSecSPR (𝐻𝑛 , 𝑡′ ), ⎫ nature algorithm by randomly selecting additional parameters and ⎪ ℎ PRF ′ ⎪ ⎪2 ⋅ InSec (𝐹𝑛 ; 𝑡 + 𝑙, 𝑙)+ ⎪ forwarding the public keys to attacker A. + 2 max ⎨ ( { OW ′ }) ⎬. Step 3: In the query phase, A selects a message M and sends it to ⎪ UD ∗ InSec (𝐹𝑛 ; 𝑡 ), ⎪ ⎪ 𝜔 ⋅ InSec 𝐹𝑛 ; 𝑡 + max ⎪ S. Following the ring signature algorithm, S randomly selects a user ⎩ InSecSPR (𝐹𝑛 ; 𝑡′ ) ⎭ 𝑠 to generate the ring signature, computes 𝑌𝑠 , and forwards it to C. 10 S. Liu et al. Journal of Systems Architecture 160 (2025) 103345 Table 5 Test 16 XMSS-SHA2_10_256 signatures. Number Signature time Verification time 0 1.990014 0.001119 1 1.980151 0.000947 2 1.969849 0.001210 3 1.965888 0.001184 4 1.969898 0.001056 5 1.980296 0.001144 6 2.017889 0.001093 7 2.054971 0.001101 8 2.016147 0.001241 9 2.020737 0.001267 10 1.954583 0.001016 11 2.021315 0.001060 12 2.029765 0.001043 Fig. 14. Signature generation time of 16 test results. 13 2.057487 0.001016 14 1.958401 0.001081 15 1.990919 0.001053 To prove XMSS is unforgeable under chosen-message attacks, we consider the following factors: Random Oracle Model: Assuming the hash function behaves as a random oracle, an attacker has no foreknowledge of input–output pairs. Irreversibility: WOTS+ security relies on the irreversibility of hash chains; given a hash value 𝐻𝑖 (𝑥), finding the predecessor 𝐻𝑖−1 (𝑥) is infeasible. Collision Resistance: The hash function must resist collisions, mak- ing it nearly impossible for an attacker to produce distinct messages that yield identical hash chains. Fig. 15. Signature verification time of 16 test results. 5. Performance analysis Table 6 Signature efficiency comparison table. This study evaluates the performance of proposed scheme in densely Scheme Number of Key Signature Verification trafficked urban areas, focusing particularly on resistance to quantum Members generation time/s time/s attacks. The experiments are based on the Merkle tree-ring signature time/s scheme, with a primary emphasis on security strength, as attacks in OURS HBS 210 2.06 1.97 9.47e−04 the IoV environments are expected to become increasingly complex, [33] LBS 10 0.07 0.06 0.04 especially with the advent of quantum attacks. Consequently, a high- [32] LBS – 34.1e−06 9.59e−05 3.49e−05 security, quantum-resistant signature scheme is essential for the IoV [25] HBS 210 – 0.16 0.11 systems. The primary operations in the signature scheme include generating Table 7 public and private keys, measuring the time required for message Function comparison table of the scheme. signing and verification, and instantiating the SHA-256 function as Scheme Post- Anonymity Traceability Application the underlying hash function. Key parameters include the security quantum to IOV parameter 𝑛, the Winternitz parameter 𝜔, and the number of ring security members, with specific values assigned to each. These operations allow OURS HBS YES YES YES YES [33] LBS NO YES YES YES us to measure metrics such as key generation time, signature generation [32] LBS YES NO NO YES time, and signature verification time. [25] HBS YES YES YES NO In this scheme, the digital signature algorithm is set to XMSS- SHA2-10-256, utilizing the SHA-256 hash function with a Merkle tree height of 10, enabling a maximum of 210 = 1024 possible ring signa- tures. The number of signature tests is set to 16 to balance efficiency of Merkle tree as 10, and the number of ring members as 210 . Among and data stability, ensuring valid results without excessive resource them, HBS stands for the scheme based on hash and LBS stands for a consumption. scheme based on lattices. To present the data more intuitively, the experimental results of the Comparing the scheme proposed in this paper with the scheme 16 tests shown in Table 5 are depicted in graphical form, resulting in in [33], it can be seen that the post-quantum ring signature scheme Fig. 14 and Fig. 15. Fig. 14 illustrates the signature generation times based on Merkle tree has great advantages. First, in this evaluation, the across the 16 tests, while Fig. 15 displays the signature verification number of ring members our scheme can accommodate is 210 , which times. These figures show that both the signature generation time and is much larger than the number of ring members evaluated in [33]. verification time fluctuate within a certain range, indicating variability When the road section is wider and crowded, the scheme proposed in rather than fixed values. Select one of the 16 test results to compare this paper is more suitable. Secondly, this scheme has post-quantum with relevant literature studies. The attributes of comparison include security, which is more secure; Moreover, although the key generation key generation time, signature generation time, signature verification time of our scheme is slightly longer than that of the scheme with time, resistance to quantum attacks, anonymity, traceability, and ap- fewer ring members in [33], it is much faster in terms of signature time plication to the IoV. The comparison results are drawn in Tables 6 and and verification time, especially the verification time is nearly 44 times 7, In our scheme, we set the parameters as n = 32, 𝜔 = 16, the height faster than that of [25]. 11 S. Liu et al. Journal of Systems Architecture 160 (2025) 103345 Compared with the scheme in [32], the outstanding feature of Data availability the scheme in this paper is ring signature, which has anonymity and traceability, making it more suitable for the Internet of vehicles en- No data was used for the research described in the article. vironment. In addition, the scheme in this paper uses Merkle tree structure, which reduces the storage cost of public key and signature. References In general, lattice signature may require special optimization in high performance computing. The algorithm maturity is not high, but the [1] I. Wanger, Car production: Number of cars produced worldwide, Statista (2020). underlying hash function of the post-quantum ring signature scheme in [2] Patrick Miner, Barbara M. Smith, Anant Jani, Geraldine McNeill, Alfred this paper is SHA-256, and the SHA-256 function has passed the test of Gathorne-Hardy, Car harm: A global review of automobility’s harm to people time in many practical applications, and has high algorithm maturity. and the environment, J. Transp. Geogr. 115 (2024) 103817. Comparing the scheme in this paper with the scheme in [25], it can [3] Juan Contreras-Castillo, Sherali Zeadally, Juan Antonio Guerrero-Ibañez, Internet of vehicles: Architecture, protocols, and security, IEEE Internet Things J. 5 (5) be seen that both papers are based on hash function. The advantages (2018) 3701–3709, http://dx.doi.org/10.1109/JIOT.2017.2690902. of the scheme in this paper are as follows: First, although the time [4] David Deutsch, Quantum theory, the Church–Turing principle and the universal of signature generation in [25] is nearly 12 times faster than that in quantum computer, Proc. R. Soc. A 400 (1818) (1985) 97–117. this paper, the time of signature verification in this paper is nearly 100 [5] Rasha Shajahan, Kurunandan Jain, Prabhakar Krishnan, A survey on NIST 3 rd round post quantum digital signature algorithms, in: 2024 5th International times faster than that in [25]. In addition, the scheme in this paper is Conference on Mobile Computing and Sustainable Informatics, ICMCSI, IEEE, also applied to the vehicle networking model. 2024, pp. 132–140. As shown in Table 7, this study compares the attributes of ‘‘Post- [6] David A. Cooper, Daniel C. Apon, Quynh H. Dang, Michael S. Davidson, Morris J. quantum’’, ‘‘Anonymity’’, ‘‘Traceability’’, and ‘‘Application to IoV’’. Dworkin, Carl A. Miller, et al., Recommendation for stateful hash-based signature The comparison reveals that our scheme offers post-quantum security, schemes, NIST Spec. Publ. 800 (208) (2020) 208–800. [7] Samira El Madani, Saad Motahhir, Abdelaziz El Ghzizal, Internet of vehicles: anonymity, traceability, and the ability to apply to IoV, with the concept, process, security aspects and solutions, Multimedia Tools Appl. 81 (12) advantages of our proposed scheme becoming more evident through (2022) 16563–16587. this comprehensive comparison. [8] Cesar Castellon, Swapnoneel Roy, Patrick Kreidl, Ayan Dutta, Ladislau Bölöni, Energy efficient merkle trees for blockchains, in: 2021 IEEE 20th International 6. Conclusion Conference on Trust, Security and Privacy in Computing and Communications, TrustCom, IEEE, 2021, pp. 1093–1099. [9] Daniel J. Bernstein, Andreas Hülsing, Stefan Kölbl, Ruben Niederhagen, Joost The hash-based post-quantum ring signature scheme offers advan- Rijneveld, Peter Schwabe, The SPHINCS+ signature framework, in: Proceedings tages such as high signature efficiency, good scalability, and inde- of the 2019 ACM SIGSAC Conference on Computer and Communications Security, pendence from complex mathematical assumptions. In the context of 2019, pp. 2129–2146. [10] Kaiyi Zhang, Hongrui Cui, Yu Yu, SPHINCS-𝛼: A compact stateless hash-based increasing security threats posed by advancements in quantum com- signature scheme, 2022, Cryptology ePrint Archive. puting, applying post-quantum ring signatures in IoV can enhance [11] Mikhail Kudinov, Andreas Hülsing, Eyal Ronen, Eylon Yogev, SPHINCS+ C: anonymity and privacy protection while ensuring quantum-resistant Compressing SPHINCS+ with (almost) no cost, 2022, Cryptology ePrint Archive. security. This paper presents a hash-based post-quantum ring signature [12] Sun Siwei, Liu Tianyu, Guan Zhi, SM3-based post-quantum digital signature scheme built on the XMSS algorithm and demonstrates its application schemes, J. Cryptologic Res. 10 (1) (2023) 46. [13] Andreas Hülsing, Mikhail Kudinov, Recovering the tight security proof of in the IoV system. The proposed scheme is analyzed and proven secure. SPHINCS+, in: International Conference on the Theory and Application of Performance analysis is conducted following 16 experimental tests, Cryptology and Information Security, Springer, 2022, pp. 3–33. with comparisons made to other similar schemes. The results show [14] Andreas Hülsing, Denis Butin, Stefan Gazdag, Joost Rijneveld, Aziz Mohaisen, that the proposed scheme exhibits significant advantages in signature XMSS: Extended Merkle Signature Scheme, Technical Report, 2018. verification time compared to other approaches. This is due to the [15] Jan Philipp Thoma, Tim Güneysu, A configurable hardware implementation of XMSS, 2021, Cryptology ePrint Archive. efficient hash computations and Merkle tree verification paths, which [16] Siwei Sun, Tianyu Liu, Zhi Guan, Yifei He, Jiwu Jing, Lei Hu, Zhenfeng maintain low time complexity and high efficiency even with large Zhang, Hailun Yan, XMSS-SM3 and MT-XMSS-SM3: Instantiating extended Merkle data sets. Moreover, the scheme satisfies the properties of quantum signature schemes with SM3, 2022, Cryptology ePrint Archive. resistance, anonymity, traceability, and applicability to IoV. [17] Andreas Hülsing, W-OTS+–shorter signatures for hash-based signature schemes, in: Progress in Cryptology–AFRICACRYPT 2013: 6th International Conference on Future research will aim to further improve the practicality and Cryptology in Africa, Cairo, Egypt, June 22-24, 2013. Proceedings 6, Springer, security of the scheme in response to the evolving threats posed by 2013, pp. 173–188. quantum computing, and second, interdisciplinary collaboration can [18] Kaiyi Zhang, Hongrui Cui, Yu Yu, Revisiting the constant-sum winternitz be strengthened in future research to provide valuable insights for one-time signature with applications to SPHINCS+ and XMSS, in: Annual optimizing solutions in real-world scenarios. International Cryptology Conference, Springer, 2023, pp. 455–483. [19] Xie Jia, Liu Shizhao, Wang Lu, Research progress and prospects of ring signature technology., J. Front. Comput. Sci. Technol. 17 (5) (2023). CRediT authorship contribution statement [20] Rohit Chatterjee, Kai-Min Chung, Xiao Liang, Giulio Malavolta, A note on the post-quantum security of (ring) signatures, in: IACR International Conference on Shuanggen Liu: Conceptualization. Xiayi Zhou: Writing – original Public-Key Cryptography, Springer, 2022, pp. 407–436. [21] Yuxi Xue, Xingye Lu, Man Ho Au, Chengru Zhang, Efficient linkable ring signa- draft. Xu An Wang: Supervision. Zixuan Yan: Investigation. He Yan: tures: new framework and post-quantum instantiations, in: European Symposium Formal analysis. Yurui Cao: Resources. on Research in Computer Security, Springer, 2024, pp. 435–456. [22] Abida Haque, Alessandra Scafuro, Threshold ring signatures: new definitions Declaration of competing interest and post-quantum security, in: Public-Key Cryptography–PKC 2020: 23rd IACR International Conference on Practice and Theory of Public-Key Cryptography, Edinburgh, UK, May 4–7, 2020, Proceedings, Part II 23, Springer, 2020, pp. The authors declare that they have no known competing finan- 423–452. cial interests or personal relationships that could have appeared to [23] Maxime Buser, Joseph K. Liu, Ron Steinfeld, Amin Sakzad, Post-quantum id-based influence the work reported in this paper. ring signatures from symmetric-key primitives, in: International Conference on Applied Cryptography and Network Security, Springer, 2022, pp. 892–912. Acknowledgments [24] J. Odoom, X. Huang, Z. Zhou, et al., Linked or unlinked: A systematic review of linkable ring signature schemes, J. Syst. Archit. 134 (2023) 102786. [25] Shiwei Xu, Tao Wang, Ao Sun, Yan Tong, Zhengwei Ren, Rongbo Zhu, This work was supported by the National Natural Science Founda- Houbing Herbert Song, Post-quantum anonymous, traceable and linkable au- tion of China (NSFC) under Grant No. 62172436.The first author and thentication scheme based on blockchain for intelligent vehicular transportation the third author are the corresponding authors of this paper. systems, IEEE Trans. Intell. Transp. Syst. (2024). 12 S. Liu et al. Journal of Systems Architecture 160 (2025) 103345 [26] Nyothiri Aung, Tahar Kechadi, Tao Zhu, Saber Zerdoumi, Tahar Guerbouz, [33] Cui Yongquan, Cao Ling, Zhang Xiaoyu, Privacy protection of internet of vehicles Sahraoui Dhelim, Blockchain application on the internet of vehicles (iov), based on lattice-based ring signature, Chinese J. Comput. 42 (5) (2019) 980–992. in: 2022 IEEE 7th International Conference on Intelligent Transportation [34] Cesar Castellon, Swapnoneel Roy, Patrick Kreidl, Ayan Dutta, Ladislau Bölöni, Engineering, ICITE, IEEE, 2022, pp. 586–591. Energy efficient merkle trees for blockchains, in: 2021 IEEE 20th International [27] Haibin Zhang, Jiajia Liu, Huanlei Zhao, Peng Wang, Nei Kato, Blockchain-based Conference on Trust, Security and Privacy in Computing and Communications, trust management for internet of vehicles, IEEE Trans. Emerg. Top. Comput. 9 TrustCom, IEEE, 2021, pp. 1093–1099. (3) (2020) 1397–1409. [35] David Derler, Sebastian Ramacher, Daniel Slamanig, Post-quantum zero- [28] Mirador Labrador, Weiyan Hou, Implementing blockchain technology in the knowledge proofs for accumulators with applications to ring signatures from internet of vehicle (IoV), in: 2019 International Conference on Intelligent symmetric-key primitives, in: Post-Quantum Cryptography: 9th International Con- Computing and Its Emerging Applications, ICEA, IEEE, 2019, pp. 5–10. ference, PQCrypto 2018, Fort Lauderdale, FL, USA, April 9-11, 2018, Proceedings [29] Y. Liu, Q. Xia, X. Li, et al., An authentication and signature scheme for UAV- 9, Springer, 2018, pp. 419–440. assisted vehicular ad hoc network providing anonymity, J. Syst. Archit. 142 [36] Xinyu Zhang, Ron Steinfeld, Joseph K. Liu, Muhammed F. Esgin, Dongxi (2023) 102935. [30] X. Feng, X. Wang, K. Cui, et al., A distributed message authentication scheme Liu, Sushmita Ruj, DualRing-PRF: Post-quantum (linkable) ring signatures from with reputation mechanism for internet of vehicles, J. Syst. Archit. 145 (2023) Legendre and power residue PRFs, in: Australasian Conference on Information 103029. Security and Privacy, Springer, 2024, pp. 124–143. [31] S. Thapliyal, M. Wazid, D.P. Singh, et al., Robust authenticated key agreement [37] David A. Cooper, Daniel C. Apon, Quynh H. Dang, Michael S. Davidson, Morris J. protocol for internet of vehicles-envisioned intelligent transportation system, J. Dworkin, Carl A. Miller, et al., Recommendation for stateful hash-based signature Syst. Archit. 142 (2023) 102937. schemes, NIST Spec. Publ. 800 (208) (2020) 208–800. [32] Nikhil Verma, Swati Kumari, Pranavi Jain, Post quantum digital signature change [38] Ralph C. Merkle, A certified digital signature, in: Conference on the Theory and in iota to reduce latency in internet of vehicles (iov) environments, in: 2022 Application of Cryptology, Springer, 1989, pp. 218–238. International Conference on IoT and Blockchain Technology, ICIBT, IEEE, 2022, pp. 1–6. 13