coleleavitt/opaque-lattice
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
92b42a60aa122b784d194d00ad51d543d5e28391
opaque-lattice/papers_txt/A-hash-based-post-quantum-ring-signature-scheme-fo_2025_Journal-of-Systems-A.txt
Cole Leavitt dfa968ec7d initial
2026-01-06 12:49:26 -07:00

965 lines
109 KiB
Plaintext
Raw Blame History

This file contains invisible Unicode characters
This file contains invisible Unicode characters that are indistinguishable to humans but may be processed differently by a computer. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
Journal of Systems Architecture 160 (2025) 103345
Contents lists available at ScienceDirect
Journal of Systems Architecture
journal homepage: www.elsevier.com/locate/sysarc
A hash-based post-quantum ring signature scheme for the Internet of Vehicles
Shuanggen Liu a ,, Xiayi Zhou a , Xu An Wang b , Zixuan Yan a , He Yan a , Yurui Cao a
a
School of Cyberspace Security, Xian University of Posts and Telecommunications, Xian, Shaanxi, China
b
Key Laboratory of Network and Information Security, Engineering University of Peoples Armed Police, Shaanxi, China
ARTICLE INFO ABSTRACT
Keywords: With the rapid development of the Internet of Vehicles, securing data transmission has become crucial,
Ring signature especially given the threat posed by quantum computing to traditional digital signatures. This paper presents
Internet of Vehicles a hash-based post-quantum ring signature scheme built upon the XMSS hash-based signature framework,
Merkle tree
leveraging Merkle trees for efficient data organization and verification. In addition, the scheme is applied to
Post-quantum digital signature
the Internet of Vehicles, ensuring both anonymity and traceability while providing robust quantum-resistant
Hash-based signature scheme
security. Evaluation results indicate that, compared to other schemes, the proposed method achieves superior
verification speed while ensuring data security and privacy.
1. Introduction area of study, with the aim of establishing a resilient foundation
for the industry. The National Institute of Standards and Technology
As a fundamental necessity in modern life, the number of vehicles (NIST) has been conducting a multi-stage standardization process for
produced worldwide continues to grow. According to relevant statistics, post-quantum cryptography. The third round of candidate evaluations
global vehicle production reached 94 million units in 2023 [1]. Ad- has been completed, and algorithms such as SPHINCS+, CRYSTALS-
ditionally, data from the International Organization of Motor Vehicle DILITHIUM, and CRYSTALS-KYBER have been standardized. These
Manufacturers indicates that there are now 1.3 billion vehicles in algorithms achieve varying levels of bit-level security depending on
use [2]. However, this growth brings various challenges, including key size and parameter settings, which align with NIST security levels
network attacks, unauthorized access, and concerns around road safety from 1 to 5, representing 128/160/192/224/256-bit security strengths,
and privacy. To address these issues, new research fields, such as respectively [5]. A post-quantum digital signature scheme is a dig-
intelligent transportation systems (ITS) and the Internet of Vehicles ital signature scheme capable of resisting quantum attacks. Among
(IoV), have emerged. These fields aim to provide safer, more efficient, post-quantum digital signature schemes, hash-based schemes are partic-
and more harmonious vehicular environments. Vehicle-to-Everything ularly effective and provably secure. Hash-based post-quantum digital
(V2X) technology enables the effective use of dynamic information signature schemes offer significant advantages over other types of
from all networked vehicles via on-board devices, facilitating secure,
post-quantum schemes due to their high computational efficiency, scal-
efficient, intelligent, and comfortable services, thereby contributing
ability, maturity, and reliance solely on the preimage resistance of the
to the intelligence of social traffic systems [3]. The typical VANET
underlying hash function [6].
structure is shown in Fig. 1.
In IoV networks, where both privacy and traffic safety are essential,
With the increasing number of vehicles and the development of
ring signatures are especially suitable. Ring signature schemes offer
the IoV, it is a very important job to ensure the security of the
anonymity by concealing the identity of signer among a group of par-
IoV systems. Currently, the security of vehicular networks, whether
ticipants. Using hash-based post-quantum ring signatures, vehicles can
internal or external, primarily relies on digital signatures or public-
sign messages anonymously within a group, ensuring their identities
key encryption. However, as quantum computing advances, traditional
digital signature algorithms are increasingly vulnerable to quantum cannot be traced. These signatures also provide unforgeability, collision
attacks, making it essential to incorporate post-quantum digital sig- resistance, resilience against quantum attacks, and low communication
nature algorithms into IoV research. Unlike traditional computers, overhead. In densely populated cities, managing keys for secure vehic-
quantum computers can accelerate the cracking of probabilistic al- ular communications can be challenging, especially given the limited
gorithms through parallel computation capabilities [4]. In light of IoV coverage [7]. The Merkle tree structure effectively compresses
these challenges, post-quantum cryptography has become a critical keys, reducing key management costs [8]. In this study, we propose a
Corresponding author.
E-mail address: liushuanggen201@xupt.edu.cn (S. Liu).
https://doi.org/10.1016/j.sysarc.2025.103345
Received 11 November 2024; Received in revised form 23 December 2024; Accepted 16 January 2025
Available online 23 January 2025
1383-7621/© 2025 Elsevier B.V. All rights are reserved, including those for text and data mining, AI training, and similar technologies.
S. Liu et al. Journal of Systems Architecture 160 (2025) 103345
of classical signature and ring signature in the quantum environment,
and proposed two short signature schemes, which were implemented
in the quantum random prediction model and the ordinary model
respectively [20]. Recent literature has introduced novel architectures,
such as linkable ring signatures, threshold ring signatures, and identity-
based post-quantum ring signatures, discussing their post-quantum se-
curity features [2123], Similarly, literature [24]systematically reviews
the theory and application of linkable ring signatures, providing an in-
depth comparison of anonymization and linkability schemes, but these
studies lack analysis of specific application scenarios (such as the IoV),
and do not fully consider resource-constrained environments and the
potential of anti-quantum computing.
In response to the research of NIST on post-quantum algorithms
and verification ring signatures, a blockchain-based, post-quantum
anonymous, traceable, and verifiable authentication scheme was pro-
posed to mitigate quantum attacks while addressing security and pri-
vacy concerns, with an evaluation of its feasibility in IoV environ-
ments [25]. The IoV faces significant security and privacy challenges,
Fig. 1. VANET structure.
and blockchain technology offers an effective platform to ensure both
user privacy and security [2628]. Literature [29] proposes an identity
authentication and signature scheme for UAV-assisted Vehicular Ad
Hoc Networks (VANET), focusing on enhancing network anonymity
hash-based post-quantum ring signature scheme for IoV applications.
and user privacy through an efficient authentication mechanism. Lit-
The ring signature algorithm of Our scheme is based on the XMSS
erature [30] introduces a distributed message authentication scheme
algorithm, aiming to enhance data sharing security and efficiency.
combined with a reputation mechanism to improve the security and
Merkle trees are used to organize and verify data efficiently, while ring
trust of the IoV. The scheme uses node credit values to authenticate
signatures ensure the authenticity and integrity of data within the IoV
message validity, effectively preventing malicious attacks and forgery.
network without compromising user anonymity.
Literature [31] presents an authentication key negotiation protocol for
intelligent transportation systems in vehicle networks, strengthening
1.1. Related works identity authentication and key exchange mechanisms to prevent secu-
rity threats such as eavesdropping, tampering, and man-in-the-middle
In recent years, hash-based post-quantum digital signature schemes attacks. While these studies address key security challenges in vehicular
have garnered significant attention within the cryptography commu- networks, they often focus on specific aspects, lacking comprehensive
nity. Following the fourth round of the NIST post-quantum digital and scalable frameworks for real-world scenarios. Furthermore, the
signature standardization process, the SPHINCS+ algorithm was in- integration of post-quantum cryptography and scalability in dynamic,
troduced as a supplementary standard, featuring a flexible, tunable large-scale networks remains underexplored, highlighting opportunities
hash function structure [9]. As the standardization process progresses, for future research into robust and future-proof solutions. Given the
researchers have proposed various adaptations, including SPHINCS-a inherent advantages of ring signatures, they are particularly well-
and SPHINCS+-c, which further compress signature sizes and enhance suited for applications such as the Internet of Vehicles, making further
execution speeds [10,11]. Additionally, Sun, Liu, and colleagues de- investigation essential.
veloped a domestic signature algorithm based on the post-quantum In order to ensure the post-quantum security of data transmission
hash function SM3 [12]. Hülsing and Kudinov provided a rigorous in the IoV environment, researchers have proposed various solutions.
security proof for the SPHINCS+ algorithm, confirming its robustness The literature [32] recommends the use of lattice-based post-quantum
in a post-quantum environment [13]. The XMSS algorithm forms the digital signature, but the signature algorithm has not been combined
foundation of SPHINCS+, with its architectural design and security with specific scenarios. Another study [33] proposed a ring-signature
proof presented by Hülsing, Butin, and others [14]. Research on hard- scheme based on lattice-based difficult problems and combined it with
ware implementations of the XMSS algorithm has also advanced, with the vehicle-connected environment, but the quantum anti-attack char-
significant contributions from Thoma and Güneysu [15]. Meanwhile, acteristics of the scheme were not explained in detail. In addition,
Sun and Liu investigated the feasibility of replacing the hash function reducing energy consumption in blockchain has also become a research
in XMSS with the domestic SM3 hash function [16]. An essential com- focus [34]. An energy saving method is adopted to calculate the root of
ponent of XMSS is WOTS+, a one-time signature algorithm; Hülsing Merkle tree, and a Merkle tree design scheme conforming to the specifi-
provided its security proof [17], while Zhang, Cui, and colleagues cation is proposed. The effectiveness of this method is verified through
evaluated the efficiency of WOTS+ in tree-based one-time signature experiments. At the same time, the Merkle tree accumulator algorithm
algorithms [18]. Currently, research on post-quantum digital signatures proposed by Derler and Ramacher in [35] builds an accumulator that
primarily concentrates on enhancing signature efficiency and replacing can resist quantum attacks by using only hash function and symmetric
the underlying hash functions. However, there is a scarcity of studies meta language, and gives specific operations and definitions. However,
that integrate post-quantum digital signatures with specific application the specific algorithm implementation and its combination in practical
scenarios or explore their variants. application scenarios need to be further studied.
The exploration of post-quantum ring signatures is also accelerating
in post-quantum digital signature research. Xie, Wang, and colleagues 1.2. Contributions
highlighted that traditional signature algorithms are highly susceptible
to quantum computing attacks, and noted that ring signatures offer Firstly, building on the Merkle tree accumulator algorithm described
considerable advantages in blockchain applications, including medical in Ref. [35], we propose a hash-based ring signature algorithm specif-
data sharing and vehicular networking, due to their unique proper- ically designed for IOV, we improve the Merkle tree accumulator
ties [19]. Chatterjee and Chung et al. conducted an in-depth analysis on algorithm to XMSS accumulator algorithm. This algorithm integrates
the security of post-quantum ring signature, re-examined the security the principles of ring signatures with Merkle tree structures. Unlike
2
S. Liu et al. Journal of Systems Architecture 160 (2025) 103345
Table 1
Notation for ring signature scheme. Let the security parameter 𝜆, ring signature 𝑅𝑆 = (𝐺𝑒𝑛, 𝑠𝑖𝑔 , 𝑉 𝑒𝑟),
𝜆 Security parameter algorithm A is polynomial-time algorithm (any PPT adversary A), for
any integer 𝑠, define the following experiment:
𝑁 The size of the ring
(𝑝𝑘, 𝑠𝑘) Key pair Step 1, the challenger generates 𝑠 key pairs (𝑝𝑘, 𝑠𝑘) in which
𝑅 A ring consisting of (𝑝𝑘1 , 𝑝𝑘2 , … … , 𝑝𝑘𝑙 ) 𝑖 ∈ [1, 𝑠], and sends all the public keys 𝑃 𝐾𝑖 in a set 𝑃 𝐾 = (𝑃 𝐾1 ,
𝑚 The message digest 𝑃 𝐾2 , … , 𝑃 𝐾𝑠 ) to 𝐴.
𝜎 The signature of message Step 2, the challenger chooses one 𝑃 𝐾𝑖 and checks whether 𝑃 𝐾𝑖
belongs to 𝑅, if 𝑆 𝑖𝑔(𝑠𝑘𝑖 , 𝑅, 𝑚) → 𝜎 is calculated by the challenger, then
the challenger will send 𝜎 to A.
Step 3, the attacker outputs the tuple 𝑅 , 𝑚∗ , 𝜎 , and the challenger
traditional ring signature algorithms, this proposed scheme can resist
checks it.
quantum attacks, thus offering post-quantum security.
If: 𝑅𝑃 𝐾 Attacker A never performs signature query access to
Secondly, we construct a new hash-based post-quantum ring sig-
(𝑠𝑖𝑔 𝑛, 𝑅 , 𝑚∗ ),
nature scheme for application of vehicular network. This scheme en- 𝑉 𝑒𝑟(𝑅 , 𝑚∗ , 𝜎 )
hances the security of data transmission within the vehicular network, And returns a 1 for the experiment, or a 0 otherwise.
providing robust post-quantum security to effectively protect shared
data. 𝐴𝑑 𝑣𝜆,𝑠
𝑈𝑁𝐹
(𝐴) = 𝑃 𝑟[𝐸 𝑥𝑝𝜆,𝑠
𝑈𝑁𝐹
(𝐴) = 1] ≤ 𝑛𝑒𝑙𝑔(𝜆)
1.3. Structure Definition 3 (Anonymity). Anonymity in a ring signature scheme en-
sures that the identity of signer remains concealed among a group of
The remainder of this paper is organized as follows: Chapter 2 potential signers, making it impossible to determine who specifically
provides the necessary foundational knowledge, along with a review generated the signature. This anonymity is achieved through a ring
of the background and related work relevant to this study. In Chapter signature generation process that relies on the public keys of all group
3, we present a post-quantum ring signature algorithm based on Merkle members, without revealing the identity of the actual signer.
trees and discuss its application within the IoV environment. Chapter In the anonymization experiment, the adversary is given a ring
4 offers a security analysis and proof of the robustness of proposed. In signature generated from any two pairs of public and private key pairs,
Chapter 5, we evaluate the performance of the scheme and compare it as well as from either of these two private keys, which contains both
public keys owned by the adversary, and the goal of adversary is to
with existing alternatives. Finally, Chapter 6 concludes the paper and
distinguish which private key was used to generate the ring signature
outlines directions for future research.
with negligible probability.
Let the security parameter 𝜆, the ring signature 𝑅𝑆 = (𝐺𝑒𝑛, 𝑠𝑖𝑔 , 𝑉 𝑒𝑟),
2. Preliminaries algorithm A be a polynomial time algorithm, for any integer 𝑠 and any
bit 𝑏, define the experiment as follows:
2.1. Ring signature Step 1, the challenger generates 𝑠 key pairs (𝑃 𝐾𝑖 , 𝑆 𝐾𝑖 ), of which
𝑖 ∈ [1, 𝑠], and sends all the public keys 𝑃 𝐾𝑖 to A.
Ring signature is a digital signature scheme introduced by Rivest, Step 2, A sends (𝑅, 𝑚, 𝑖0 , 𝑖1 ) to the challenger, the challenger checks
Shamir, and Tauman in 2001. A ring is composed of a group of if 𝑝𝑘𝑖0 ∈ 𝑅2 , 𝑝𝑘𝑖1 ∈ 𝑅2 , then the challenger calculates 𝑅2 𝜎
members, allowing any member within the group to sign on behalf 𝑆 𝑖𝑔(𝑠𝑘𝑖𝑏 , 𝑅, 𝑚) and send 𝜎 to A.
of the entire group without revealing the identity of the signing mem- Step 3, A returns a guess bit 𝑏 where the experiment 𝑏 = 𝑏 outputs
1 if and 0 otherwise, and RS is considered anonymous if for all 𝑠 and
ber [36],The main parameters of ring signature are given in Table 1.
all polynomial-time algorithms A, the probability of A returning 1 in
the (𝑠, 0)-anonymous experiment (in the 𝜆) is ignorably close to the
Definition 1 (Ring Signature). A ring signature scheme consists of three
probability of A returning 1 in the (𝑠, 1)anonymous experiment.
core algorithms: key generation, signature generation, and signature
1
verification. These algorithms are defined as follows: 𝐴𝑑 𝑣𝜆,𝑠
𝐴𝑁 𝑂𝑁
(𝐴) = |𝑃 𝑟[𝐸 𝑥𝑝𝜆,𝑠
𝐴𝑁 𝑂𝑁
(𝐴)] | ≤ 𝑛𝑒𝑙𝑔(𝜆)
2
Step1: Key generation
(𝑝𝑘, 𝑠𝑘) ← 𝐺𝑒𝑛(𝜆, 𝑁):The size of the ring is 𝑁, set the security param- 2.2. WOTS+
eters 𝜆 the maximum number of members in the ring 𝑁, 𝜆 and 𝑁 as
input, the output is the public and private key pair. Ralph Merkle pioneered hash-based signature algorithms, as noted
Step2: Signature generation in Ref. [37]. Currently, hash-based signature schemes are categorized
𝜎𝑆 𝑖𝑔 𝑛(𝑠𝑘, 𝑅, 𝑚): Input private key 𝑠𝑘, set of all public keys 𝑅 = into three main types: one-time signature schemes (OTS), few-time
(𝑃 𝐾1 , 𝑃 𝐾2 , … , 𝑃 𝐾𝐿 ), message 𝑚 ∈ 𝑀𝜆 , output signature 𝜎. signature schemes (FTS), and many-time signature schemes (MTS).
The Table 2 below summarizes some of the most widely used hash-
Step3: Signature verification
based signature schemes. Research on OTS schemes began with the
𝑇 𝑟𝑢𝑒𝑓 𝑎𝑙𝑠𝑒𝑉 𝑒𝑟(𝑅, 𝑚, 𝜎): Input a collection composed of all public
Lamport-Diffie algorithm. This paper adopts the WOTS+ (Winternitz
keys 𝑅, message 𝑚 ∈ 𝑀𝜆 , signature 𝜎, and output 𝑇 𝑟𝑢𝑒𝑓 𝑎𝑙𝑠𝑒.
One-Time Signature Plus) scheme, which comprises three main compo-
A ring signature must satisfy two critical security properties: nents: key generation (GEN), signature generation (SIG), and signature
anonymity and Unforgeability. Anonymity ensures that while the sig- verification (VER).
nature indicates it was generated by a member of the ring, it does The first step is parameter selection, where parameter 𝜔, an integer
not reveal the specific identity of the signer. Unforgeability guarantees 𝜔 ∈ 𝑁 with 𝜔 ≥ 2, is determined to set the number of hash iterations
that only members of the ring can generate valid signatures; outsiders required to construct the 𝑛𝑁 public key. Additionally, the hash
cannot create valid signatures for the ring. output length m and security parameter n, where, need to be defined.
Next, parameters 𝑙1 and 𝑙2 are computed, which are then summed to
Definition 2 (Unforgeability). Unforgeability ensures that only members obtain l. The calculation method is as follows:
of the ring can generate a valid signature. In the unforgeability model, ⌈ ⌉ ⌊ ⌋
𝑚 log2 (𝑙1 (𝜔 1)) + log2 𝜔
we assume that the attacker has access to a public key and aims to 𝑙1 = , 𝑙2 = , 𝑙 = 𝑙1 + 𝑙2
log2 𝜔 log2 𝜔
produce a valid ring signature without authorization.
3
S. Liu et al. Journal of Systems Architecture 160 (2025) 103345
Table 2
Classification table for hash-based signature schemes.
Scheme Type Scheme Name
OTS Lamport-Diffe, WOTS, 𝑊 𝑂𝑇 𝑆 +
FTS HORS, HORST-T, PORS, PORS-T
MTS XMSS, SPHINCS, SPHINCS+
Table 3
Parameter descriptions for the WOTS+ algorithm.
𝑛∈𝑁 Security parameter
𝑤∈𝑁 Winternitz parameter (𝑤 ≥ 2)
𝑚∈𝑁 Bit length of the message digest
{ }
𝐹𝑛 A set of functions, 𝐹𝑛 = 𝑓𝑘 𝑘 ∈ {0, 1}𝑛 ,
𝑓𝑘 {0, 1}𝑛 → {0, 1}𝑛
ℎ∈𝑁 Height of the tree
H Hash function, 𝐻 {0, 1} → {0, 1}𝑚
𝑥 ∈ {0, 1}𝑛 Randomly chosen string 𝑥,
used to construct a one-time verification key
Fig. 2. Key generation process for WOTS+.
The Table 3 gives the meaning of the parameters in the formula.
Next define the operation, WOTS+ uses the function 𝐹𝑛 family:
𝐹𝑛 {0, 1}𝑛 → {0, 1}𝑛
Fig. 3. Message digest generation graph.
Define the function operation:
{ 𝑖
𝑐 (𝑥, 𝑟) = 𝐹 (𝑐𝑘𝑖1 (𝑥, 𝑟) ⊕ 𝑟𝑖 ) 𝑖 > 0
𝑐 𝑖 (𝑥, 𝑟) = 𝑥, 𝑖 𝑖=0
𝑥 ∈ {0, 1}𝑛
𝑛 𝑛
⎨𝐹 = 𝐹 𝑛 {0, 1} → {0, 1}
𝑟 = (𝑟 , 𝑟 , … … , 𝑟 𝑤 ) 𝑟 ∈ {0, 1}𝑛×(2
𝜔1 )
⎩ 1 2 2 1
Step1: Key Generation(GEN)
The process of key generation mainly includes two steps: private
key generation and public key generation. The key generation process
is shown in Fig. 2.
(1) Private key generation: Using PRG to generate 𝑙 + 2𝜔 1 n
bits of random number, the first random number is the private key
𝑠𝑘 = (𝑠𝑘0 , 𝑠𝑘1 , … … , 𝑠𝑘𝑙1 ), and the last 2𝜔 1 are the mask, 𝑟 =
(𝑟1 , 𝑟2 , … … , 𝑟2𝜔 1 ).
(2) Public key generation: The public key consists of 𝑙 + 1 blocks,
the first block is the mask r, the last L blocks are converted by sk, and
The public key is composed as follows:
𝜔
𝑝𝑘𝑖 = 𝑐 2 1 (𝑠𝑘𝑖1 , 𝑟), 𝑖 ∈ [1, 𝑙] Fig. 4. WOTS+ signature generation diagram.
𝑝𝑘 = (𝑝𝑘0 , 𝑝𝑘1 , … , 𝑝𝑘𝑙 )
( 𝜔1 𝜔1
)
= 𝑟, 𝑐 2 (𝑠𝑘0 , 𝑟), … , 𝑐 2 (𝑠𝑘𝑙1 , 𝑟)
The message M is converted to 𝑏 = (𝑏0 , 𝑏1 , … … , 𝑏𝑙1 ). Then, the
Step2: Message Signature(SIG) transmitted signature 𝜎 = (𝜎0 , 𝜎1 , … … , 𝜎𝑙1 ) is processed as follows to
(1) Generate message digest: Generate message digest M that needs obtain 𝑝𝑘 . If the signature is the same as pk, the signature verification
to be signed message m through the hash function, and then divide the succeeds.
message digest into 𝑙1 parts, each 𝜔 bit, where each 𝜔 bit represents the 𝑝𝑘 =(𝑟, 𝑝𝑘1 , 𝑝𝑘2 , … , 𝑝𝑘𝑙 )
𝑚𝑖 , 𝑖 ∈ [0, 𝑙1 1] equivalent of an integer. The message digest generation ( 𝜔 𝜔 𝜔
)
process is shown in Fig. 3, and the overall signature generation process = 𝑟, 𝐹 2 1𝑏0 (𝜎0 ), 𝐹 2 1𝑏1 (𝜎1 ), … , 𝐹 2 1𝑏𝑙1 (𝜎𝑙1 )
is shown in Fig. 4.
(2) Calculate the checksum:
𝑙1
∑ 2.3. XMSS
𝐶= (2𝜔 1 𝑚𝑖 ) ≤ 𝑙1 (2𝜔 1)
𝑖=1 2.3.1. Merkle tree
Divide C into 𝜔 bits, and 𝑐 = (𝑐0 , 𝑐1 , … … , 𝑐𝑙2 1 ). The Merkle Signature Scheme (MSS), proposed by Ralph Merkle in
Let 𝑏 = (𝑏0 , 𝑏1 , … … , 𝑏𝑙1 ), that is b be the concatenation of 𝑚 and 𝑐. 1979, integrates the Merkle Tree with an OTS algorithm. A Merkle tree
Signature generation is represented by the following formula: is a hierarchical structure where leaf nodes contain hash values of data,
and non-leaf nodes store the combined hash values of their child nodes.
𝜎 = (𝜎0 , 𝜎1 , … , 𝜎𝑙1 ) This structure enables efficient data integrity verification, especially for
( )
= 𝐹 𝑏0 (𝑠𝑘0 , 𝑟), 𝐹 𝑏1 (𝑠𝑘1 , 𝑟), … , 𝐹 𝑏𝑙1 (𝑠𝑘𝑙1 , 𝑟) large-scale datasets. The structure of the Merkle tree is shown in Fig. 5.
According to the Fig. 5, the tree has 3 layers and 23 = 8 leaf nodes,
Step3: Message verification(VER) each storing the hash of a one-time signature public key. The leaf nodes,
4
S. Liu et al. Journal of Systems Architecture 160 (2025) 103345
Fig. 5. Merkle tree structure diagram.
labeled node0 to node7, are hashed pairwise to generate the middle 2.3.4. Signature verification
nodes. The final root node stores the public key. The signature verification process ensures the correctness of the
The Merkle tree serves two primary functions: OTS signature and validates that the corresponding OTS public key
(1) Data Integrity Verification, where users can check if data has is consistent with the root of the Merkle tree. The main steps are as
been tampered with by recalculating the root hash. follows:
(2) Public Key Size Compression, reducing the storage requirements Step1: Extract Information
for numerous public keys by consolidating them into a single root key. Extract OTS serial number 𝑖, OTS signature 𝑆 𝑖𝑔𝑂𝑇 𝑆 , and path proof
AuthPath for the Merkle tree from XMSS signature 𝑆 𝑖𝑔𝑋 𝑀 𝑆 𝑆 .
2.3.2. Key generation
Step2: Verify OTS signature
The XMSS algorithm deploys 2 WOTS+ instances as the 2 leaf
Using the extracted OTS public key, verify the validity of 𝑆 𝑖𝑔𝑂𝑇 𝑆
nodes of a Merkle tree with height , with the root node authenticating
for the message M. If verification fails, the signature is deemed invalid.
these instances [38]. The XMSS key consists of multiple OTS keys and
Step3: Compute Merkle Tree Path
the root of the Merkle tree as the public key.
Step1: Select the parameters Calculate the Merkle tree node of the OTS public key Using OTS
Step2: Generate a one-time signature key pair (𝑝𝑘, 𝑠𝑘) public key 𝑝𝑘𝑖 and path proof AuthPath, calculate the hash value of
Step3: Build the Merkle tree the parent node step by step from the leaf node 𝑝𝑘𝑖 until the root node
Use each OTS public key 𝑝𝑘𝑖 as a leaf node of the Merkle tree. 𝑁 𝑜𝑑 𝑒(𝑖) = 𝐻(𝑐 𝑖𝑙𝑑(𝑖) ∥ 𝑐 𝑖𝑙𝑑(𝑖)) is calculated.
Each leaf node generates non-leaf nodes through a hash function, which Step4: Compare Root Nodes
eventually generates the Root node. The parent node in the Merkle tree Compare the reconstructed root node with the root node Root
is generated from the hash of the two child nodes, that is, 𝑁 𝑜𝑑 𝑒(𝑖) = from the XMSS public key. If the values match, the signature is valid;
𝐻(𝑐 𝑖𝑙𝑑(1) ∥ 𝑐 𝑖𝑙𝑑(𝑖)), the root node 𝑅𝑜𝑜𝑡 serves as the XMSS public otherwise, it is invalid.
key.
Step4: Output the key pair 3. Hash-based post-quantum ring signature scheme
Public key: 𝑝𝑘 = (𝑟𝑜𝑜𝑡, 𝑠𝑒𝑒𝑑), the private key consists of the OTS key
pairs. In addition to its high computational efficiency and excellent scal-
ability, the hash function-based signature scheme exhibits greater al-
2.3.3. Message signature gorithmic maturity compared to other post-quantum digital signature
To sign a message, an unused WOTS+ private key is selected, and schemes, such as XMSS and SPHINCS+. Furthermore, post-quantum
the Merkle tree path proof is generated to output the signature SIG.
ring signatures ensure both the anonymity and unforgeability of signa-
Step1: Select WOTS+ key
tures. Consequently, in light of the security threats posed by the rapid
Choose an unused WOTS+ private key 𝑠𝑘𝑖 , ensuring it is used only
advancement of quantum computing, it is highly significant to integrate
once.
the post-quantum ring signature scheme with vehicle networking.
Step2: Generate WOTS+ one-time signature
Use the WOTS+ private key to sign message M, producing the OTS
signature 𝑆 𝑖𝑔𝑂𝑇 𝑆 . 3.1. Design principles
Step3: Merkle tree path proof
Hash path from leaf node 𝑝𝑘𝑖 to Root node, this path proves that The Merkle tree is an efficient data structure, a binary hash tree
OTS public key is valid. where each node represents the hash value of a data block. The root
Step4: Generate XMSS signature node represents the hash of the entire data set. The characteristics
The signature includes: serial number 𝑖 (using the 𝑖 th OTS key), of the Merkle tree make it a highly efficient method for storing and
OTS signature 𝑆 𝑖𝑔𝑂𝑇 𝑆 , and AuthPath for authentication of the Merkle verifying large amounts of data. In blockchain, Merkle trees are widely
tree 𝑆 𝑖𝑔𝑋 𝑀 𝑆 𝑆 = (𝑖, 𝑆 𝑖𝑔𝑂𝑇 𝑆 , 𝐴𝑢𝑡𝑃 𝑎𝑡). used to store transaction data and block hashes. Ring signatures enable
5
S. Liu et al. Journal of Systems Architecture 160 (2025) 103345
Table 4
Meaning of parameters in the proposed scheme.
𝐸 𝑣𝑎𝑙𝑟 ((𝑠𝑘𝛺 , 𝑝𝑘𝛺 ), 𝑋 ) → 𝛺∗ ⎤
Parameter Description ⎢ 𝑖
𝑃 𝑟 ⎢ (Gen(1𝑘 , 𝑡) → (𝑠𝑘𝛺 , 𝑝𝑘𝛺 ))(𝐴(𝑝𝑘𝛺 ) → (𝑤𝑖𝑡𝑥𝑖 , 𝑥𝑖 , 𝑋 )) ⎥ ≤ 𝜀(𝑘)
𝑘 Security parameter
𝑉 𝑒𝑟𝑖𝑓 𝑦(𝑝𝑘𝛺 , 𝛺∗ , 𝑤𝑖𝑡 , 𝑥 ) = 1 ∧ 𝑥𝑖𝑋
𝑡 Maximum number of elements to accumulate ⎣ 𝑥𝑖 𝑖
𝑖 𝑖 ∈ [0, 2 1]
ℎ∈𝑁 Height of the tree The implementation of the Merkle tree ring signature is described
𝐻 Hash function, 𝐻 {0, 1} → {0, 1}𝑚
next, and the whole process is covered in Algorithm 1.
(𝑠𝑘𝛺 , 𝑝𝑘𝛺 ) A key pair
{ } Step1: Key Generation: 𝐺𝑒𝑛(1𝑘 , 𝑡)
𝑋 The set of 𝑥𝑖 𝑖 ∈ [0, 2 1] { }
𝛺 The accumulator First, determine the hash functions 𝐻𝑘 𝑘∈𝐾 𝐾 , where for any 𝑘
𝑎𝑢𝑥 The auxiliary information 𝐾 𝐾 , the hash function 𝐻𝑘 {0, 1} → {0, 1}𝐾 . The hash function can be
𝑤𝑖𝑡𝑥𝑖 The certificate for 𝑥𝑖 chosen as SHA functions, SM2, SM3, etc. Determine the parameter N,
which represents the number of ring members, and 𝑡, the upper bound
for accumulating elements. Then, generate the key pairs and return
(𝑠𝑘𝛺 , 𝑝𝑘𝛺 ).
a message sender to demonstrate possession of at least one public
Step2: Public Key Evaluation Eval: 𝐸 𝑣𝑎𝑙((𝑠𝑘𝛺 , 𝑝𝑘𝛺 ), 𝑋)
key within a set while concealing the specific public key used, thus
Parse the number of ring members N. The parsing rule is that if N
providing anonymity and unlinkability. This feature makes ring sig-
natures particularly valuable in applications centered on privacy and is not a power of 2, the function returns false, as it must be a perfect
secure communication. Within ring signatures, Merkle trees can be binary tree. If N is a power of 2, begin computation from layer 0 (the
employed to organize the hashes of messages or data blocks into a leaf nodes at the lowest level) and continue until the root (the single
tree structure, facilitating efficient verification of data integrity and node at the top) is obtained. Let 𝐿𝑢,𝑣 represent the node at layer v and
authenticity. Furthermore, ring signatures can leverage Merkle trees the u-th leaf index. The auxiliary variable aux stores the hash values
to obscure the identity of sender by integrating the public key of corresponding to each layer.
signer with those of other members in a ring. Consequently, the signer Step3: Certificate Creation: 𝑊 𝑖𝑡((𝑠𝑘𝛺 , 𝑝𝑘𝛺 ), 𝛺𝑋 , 𝑎𝑢𝑥𝑥𝑖 , 𝑥𝑖 )
can validate ownership of at least one public key in the set without First, parse aux into nodes at each level of the Merkle tree. Then, re-
disclosing the specific key used. Even if an attacker intercepts the construct the Merkle tree from bottom to top. The 𝑊 𝑖𝑡𝐶 𝑟𝑒𝑎𝑡 algorithm
signed message, they would be unable to ascertain the true identity involves using intermediate nodes to build up to the root hash value.
of the signer. Step4: Certificate Verification: 𝑉 𝑒𝑟𝑖𝑓 𝑦(𝑝𝑘𝛺 , 𝛺𝑋 , 𝑤𝑖𝑡𝑥𝑖 , 𝑥𝑖 )
The final step is verification. Start by setting the leaves to the hash
3.2. Scheme description values of each party and proceed to compute hashes from the bottom
up. Check if the final result matches the root node value. If it matches,
This scheme is based on the definition of Merkle tree accumulators it verifies that the member is part of the ring. For example, node 𝑙0,2 is
as described in [35], with slight modifications to accommodate the visualized in Fig. 6, showing how node 𝑙0,2 reconstructs the root node
proposed post-quantum ring signature scheme utilizing hash functions, in a Merkle tree with height = 3 and 𝑁 = 8 leaf nodes.
specifically designed for vehicular networks. This formalism facilitates
the restatement of the Merkle tree accumulator algorithm within the
current framework. The main parameters of this scheme are given in Algorithm 1 Extend Merkle tree accumulator
Table 4. input: 𝑘, 𝑡, {𝐻𝑘 }𝑘∈𝐾 𝜅 , 𝐻𝑘 {0, 1} → {0, 1}𝜅
output: (𝑠𝑘𝛺 , 𝑝𝑘𝛺 ), 𝐿𝑢,𝑣 , 𝑤𝑖𝑡𝑥𝑖 , 0 or 1
Definition 4 (Extend Merkle Tree Accumulator). The Merkle tree accu-
mulator algorithm (Algorithm 1) comprises the following subroutines 1. 𝑘 ∈ 𝐾𝜅 # Key generation 𝐺𝑒𝑛(1𝑘 , 𝑡)
(Gen, Eval, WitCreate, Verify), defined as follows: 2. (𝑠𝑘𝛺 , 𝑝𝑘𝛺 ) ← {𝐻𝑘 }𝑘∈𝐾 𝜅
𝐺𝑒𝑛(1𝑘 , 𝑡): The key generation algorithm takes a security parameter 3. 𝐻𝑘 ← 𝑝𝑘𝛺 # Public Key Resolution
𝑘 and a parameter 𝑡, where 𝑡 is the upper bound on the number of 4. (𝑥0 , 𝑥1 , … , 𝑥𝑛1 ) ← 𝑋
elements to be accumulated, and returns a key pair (𝑠𝑘𝛺 , 𝑝𝑘𝛺 ). 5. If 𝑛 = 2𝑘 𝑘 ∈ N, 𝑣𝑘:
𝐸 𝑣𝑎𝑙((𝑠𝑘𝛺 , 𝑝𝑘𝛺 ), 𝑋): This algorithm takes the key pair (𝑠𝑘𝛺 , 𝑝𝑘𝛺 ) and
6. 𝐻𝑘 (𝐿2𝑢,𝑣+1 ∥𝐿2𝑢+1,𝑣+1 ) if 𝑣 < 𝑘 else 𝐻𝑘 (𝑥𝑖 )
the set of elements X to be accumulated, returning the accumulator 𝛺𝑋
and some auxiliary information aux. 7. Else False
( )
𝑊 𝑖𝑡𝐶 𝑟𝑒𝑎𝑡((𝑠𝑘𝛺 , 𝑝𝑘𝛺 ), 𝛺𝑋 , 𝑎𝑢𝑥, 𝑥𝑖 ): This algorithm takes the key 8. 𝑙𝑢,𝑣 (𝑢∈[𝑛2𝑘𝑣 ]) ← 𝑎𝑢𝑥 # Creates a certificate
𝑣∈[𝑘]
pair(𝑠𝑘𝛺 , 𝑝𝑘𝛺 ), accumulator 𝛺𝑋 , auxiliary information aux, and an
𝑊 𝑖𝑡𝐶 𝑟𝑒𝑎𝑡𝑒((𝑝𝑘𝛺 , 𝑠𝑘𝛺 ), 𝛺𝑋 , 𝑎𝑢𝑥𝑋 , 𝑥𝑖 )
element 𝑥𝑖 . If 𝑥𝑖 is not in the set X, it returns false; otherwise, it returns
a certificate𝑤𝑖𝑡𝑥𝑖 for 𝑥𝑖 . 9. 𝑤𝑖𝑡𝑥𝑖 ← (𝑙𝑖2𝑣 ⌋ + 𝜂 , 𝑘 𝑣), 0 ≤ 𝑣𝑘
𝑉 𝑒𝑟𝑖𝑓 𝑦(𝑝𝑘𝛺 , 𝛺𝑋 , 𝑤𝑖𝑡𝑥𝑖 , 𝑥𝑖 ): This algorithm takes the public key 𝑝𝑘𝛺 , 10. 1 if ⌊𝑖2𝑣 ⌋ (mod 2) = 0 else 1
accumulator 𝛺𝑋 certificate 𝑤𝑖𝑡𝑥𝑖 , and element 𝑥𝑖 . If 𝑤𝑖𝑡𝑥𝑖 is a valid 11. 𝐻𝑘 ← 𝑝𝑘𝛺 , 𝐿0,0 ← 𝛺𝑋 # Certificate authentication
certificate for 𝑥𝑖 it returns 1; otherwise, it returns 0.
𝑉 𝑒𝑟𝑖𝑓 𝑦(𝑝𝑘𝛺 , 𝛺𝑋 , 𝑤𝑖𝑡𝑥𝑖 , 𝑥𝑖 )
The Merkle tree accumulator ensures both correctness and collision
resistance. Collision resistance indicates the difficulty of finding an 12. 𝐿𝑖,𝑘𝐻𝑘 (𝐿𝑖2𝑣 ⌋,𝑘𝑣𝐿𝑖2𝑣 ⌋+1,𝑘𝑣 ) If ⌊𝑖2𝑣 ⌋ (mod 2) = 0
element 𝑥𝑖,𝑗 that does not belong to X yet possesses a valid certificate else 𝐿𝑖,𝑘𝐻𝑘 (𝐿𝑖2𝑣 ⌋,𝑘𝑣𝐿𝑖2𝑣 ⌋,𝑘𝑣 )
𝑥𝑖,𝑗 . 13. 1 if 𝑤𝑖𝑡𝑥𝑖 is a valid witness for 𝑥𝑖𝑋 else 0
Definition 5 (Collision Resistance). Collision resistance implies that for
an adversary 𝐴 possessing a valid key pair (𝑠𝑘𝛺 , 𝑝𝑘𝛺 ) generated by 3.3. Signature algorithm description
the Gen algorithm, and under the assumption that intermediate values
are correct, the probability of finding an element 𝑥𝑖 that is not in the The hash-based post-quantum ring signature scheme explored in
accumulator 𝑋 but still produces a verification result of 1 is negligible. this work is based on the XMSS algorithm, which incorporates two
Assuming the existence of a negligible function 𝜀(𝑘), collision resistance primary frameworks: the WOTS+ algorithm and the Merkle tree algo-
is formally defined as follows: rithm. Below is an overview of these frameworks.
6
S. Liu et al. Journal of Systems Architecture 160 (2025) 103345
The formal signing process begins by selecting the corresponding one-
time signature (OTS) key pair (𝑥𝑖 , 𝑦𝑖 ), specifically the 𝑖th OTS key pair.
The signer then uses the private OTS key 𝑥𝑖 to sign the message,
creating a one-time signature 𝜎𝑂𝑇 𝑆 and calculating the authentication
path. The final signature comprises: the index 𝑖, the one-time signature
𝜎𝑂𝑇 𝑆 , the public key 𝑦𝑖 , and the authentication path for 𝑦𝑖 , denoted
𝑎𝑢𝑡𝑖 . The signature is formally represented as 𝜎 = (𝑖, 𝜎𝑂𝑇 𝑆 , 𝑌𝑖 , 𝑎𝑢𝑡𝑖 ).
The Fig. 7 illustrates the signing process using leaf node𝑥2 as the signing
node, where the shaded areas represent the authentication path of the
Fig. 6. A Merkle tree with a height of h = 3 and a number of leaf nodes N = 8 signature.
visualizes the reconstruction of the root node by 𝑙0.2 nodes.
Step 4: Signature Verification
As shown in Algorithm 4, signature verification begins by first
verifying the one-time signature 𝜎𝑂𝑇 𝑆 . If this check is successful, the
Definition 6 (Merkle Tree Ring Signature Algorithm). The Merkle tree- next step involves reconstructing the Merkle tree root based on the
based ring signature algorithm comprises four main steps: parameter chosen index 𝑖 and the public key 𝑦𝑖 . The reconstructed root is then
definition, public key generation, signature generation, and signature compared with the stored public key. If the two match, verification is
verification. These steps are outlined as follows: deemed successful.
Step 1: Parameter Definition
Algorithm 4 Signature verification
The height h of the tree represents its number of layers, meaning a
Merkle tree with height has 2 leaf nodes, indicating 2 ring members input: 𝜎
and corresponding key pairs (𝑥𝑖 , 𝑦𝑖 ), 𝑖 ∈ [0, 2 1]. output: true or false
1 If
In practical application scenarios, if the number of vehicles does
2 𝑉𝐸𝑅(𝑀 , 𝑠𝑖𝑔(𝑂𝑇 𝑆), 𝑌𝑖 ) = 𝑡𝑟𝑢𝑒
not satisfy this condition, it is recommended to either introduce virtual
3 Reconstruct the 𝑟𝑜𝑜𝑡 node of the merkle tree
members into the ring or divide the vehicles into multiple rings.
according to i and Yi
Step 2: Public Key Generation/Merkle Tree Construction
4 If
As shown in algorithm 2, in the Merkle tree, all leaf nodes together 5 𝑅𝑜𝑜𝑡 = 𝑃 𝐾
constitute the ring. Each member in the ring is represented by a public 6 true
private key pair corresponding to a leaf node. Each leaf node holds the 7 Else
hash of the public key derived from a one-time signature (OTS) scheme, 8 False
while each parent node stores the hash of the concatenation of its two 9 Else
child nodes. This process repeats according to the same generation rule 10 False
until the final root node is formed. The value of the root node is the
final public key, while the private key consists of the 2 OTS private
To illustrate the reconstruction process, consider node𝑥2 as an
keys 𝑥𝑖 . The number of ring members equals the number of leaf nodes in
example, assuming 𝑖 = 2 and 𝑌2 known, along with the signature 𝜎 =
the Merkle tree. It is essential to ensure that the number of participating
(2, 𝜎𝑂𝑇 𝑆 , 𝑌2 , 𝑎𝑢𝑡2 ). Here, 𝑎𝑢𝑡2 contains values stored in nodes 3, 8, and
members in the ring is a power of 2. The public key of each ring
13. The root node can be reconstructed as follows: node14=hash(node
member corresponds to the public key from the one-time signature.
12∥node13), node12=hash(node8∥node9), node9= hash(node2∥node3)
wh-ere node2 stores the value of 𝑌2 . The computed value of node14 is
Algorithm 2 Public Key Generation the value of the reconstructed root 𝑟𝑜𝑜𝑡 . This is shown in Fig. 8. By
input: h, SK hashing upwards from the leaf nodes, if a match with the stored root
output: PK node is found, the membership of signer in the ring is verified.
( )
1. 𝑛𝑜𝑑 𝑒𝑖 = 𝐻 𝑎𝑠 𝑛𝑜𝑑 𝑒2𝑖+1 ||𝑛𝑜𝑑 𝑒2𝑖 , 𝑖 ∈ [0, 2 1]
2. Root=Hash(node1|| node2) 3.4. Application of the scheme in vehicular networks
3. PK=Root
The proposed hash-based signature scheme offers post-quantum
security, protecting against quantum threats, and is highly efficient
Step 3: Signature Generation Before executing the ring signature opera- with compact signatures, ideal for resource-constrained on-board de-
tion, the signer hashes the binary message to generate a message digest vices in IoV. It supports fast information exchange and verification in
𝑚 = 𝐻(𝑀), where H is the chosen hash function, and M represents the dynamic traffic environments, enhancing security and privacy, such as
original binary message. This digest 𝑚 will be used in the subsequent in accident reporting systems, while maintaining reporter anonymity.
steps of the signature generation process. This process is shown in Overall, it addresses key security, efficiency, and scalability challenges
algorithm 3. in connected vehicle networks.
The application of ring signatures in IoV involves three main stages:
the registration stage, the inter-vehicle communication stage, and the
Algorithm 3 Signature generation signature tracing and broadcast stage.
input: M, H, one-time signature key pair (𝑥𝑖 , 𝑦𝑖 ) Step 1: Registration Stage
output: 𝜎 This stage consists of three main steps, First, the On-Board Unit
1 (𝑥𝑖 , 𝑦𝑖 ), 𝑖 ∈ [0, 2 1] (OBU) sends a registration request to the Trusted Authority (TA).
2 For 𝑥𝑖 Upon receiving the request, the TA generates a publicprivate key
3 Select node to perform a one-time digital pair (𝑃 𝐾𝑂𝐵𝑈 , 𝑆 𝐾𝑂𝐵𝑈 ) for the OBU. In the final step, the TA returns
signature on message M to generate the private key to the OBU, along with the public key and identity
signature 𝜎𝑂𝑇 𝑆 information bound to the blockchain network. The identity information
4 Calculate 𝑦𝑖 authentication path 𝑎𝑢𝑡𝑖 typically includes vehicle certificates, vehicle identification numbers
5 𝜎 = (𝑖, 𝜎𝑂𝑇 𝑆 , 𝑌𝑖 , 𝑎𝑢𝑡𝑖 ) (VIN), and other vehicle-related data. This process ensures that vehicles
7
S. Liu et al. Journal of Systems Architecture 160 (2025) 103345
Fig. 7. Diagram of the signature generation process.
Fig. 8. Signature verification diagram.
are properly registered and recognized within the blockchain network, the signatures and returns the verification results to the requesting
as illustrated in Fig. 9. OBU, enabling secure and authenticated access to the information. This
Step 2: Inter-Vehicle Communication Stage process is further illustrated in Fig. 10.
At this stage, the OBU utilizes the public key of the Roadside Step 3: Signature Tracing and Broadcast Stage
Unit (RSU) 𝑃 𝐾𝑅𝑆 𝑈 to encrypt its own public key and sends it to the In the event of an accident, the OBU sends accident-related informa-
RSU, requesting the creation of a ring. Upon receiving the encrypted tion to the RSU, which then processes and broadcasts the information
message, the RSU decrypts it using its private key to obtain 𝑃 𝐾𝑂𝐵 𝑈 , to other OBUs. At the same time, the RSU forwards the signature of the
which is then added to the ring. When the number of ring members OBU involved in the accident, denoted as 𝑆 𝐼 𝐺(𝑂𝐵 𝑈 𝑎𝑐 𝑐 ) to the TA. The
reaches the threshold of 2 , the RSU broadcasts the ring structure, TA uses its private key to identify the relevant vehicle information. If
allowing all ring members to participate in signing processes. the OBU is determined to be malicious, the TA revokes its identity and
If the threshold is not met, virtual members may be added, or the public key on the blockchain network. The TA then sends the revoked
ring may be split into smaller sub-rings to ensure each ring contains public key and the adverse record of the malicious OBU to the RSU. The
2 members. Once the ring is established, the OBU can sign messages RSU subsequently broadcasts this information to other OBUs, ensuring
using a ring signature and forward them to the RSU. The RSU sub- they are aware of the revoked identity and can exclude the malicious
sequently broadcasts the signed messages to other OBUs, which can OBU from further network participation. This process is illustrated in
request verification from the Verification Node (VN). The VN validates Fig. 11.
8
S. Liu et al. Journal of Systems Architecture 160 (2025) 103345
Fig. 12. IOV model based on post-quantum ring signature.
accident, sends the public key and adverse record of the vehicle
Fig. 9. Registration phase.
involved to the RSU.
[4] Verification Node (VN): Responsible for verifying signature re-
quests sent by other vehicles.
[5] Anonymous Blockchain Network (ABN): In this model, vehicle
public keys are stored in the blockchain network, providing a
secure and anonymous framework for identity management.
In addition to the interactions between the OBU and the TA, as well
as between the OBU and RSU in the aforementioned process, within
a specific segment of roadway, the OBU is also capable of engaging
with pedestrians, road infrastructure, and stations located within that
segment.
In general, the integrity and privacy protection of data transmis-
sion are more emphasized in interactions between vehicles and other
vehicles, as well as roadside units. However, interactions between
Fig. 10. Information interaction phase.
vehicles and pedestrians often involve location verification and identity
confirmation. In a vehicular networking system, vehicles may need to
verify both the identity and location of pedestrians, while using post-
quantum ring signatures to ensure the integrity and non-repudiation of
pedestrian information.
4. Security analysis
4.1. Safety assessment
The proposed scheme possesses the following characteristics:
(1) Anonymity: Ring signatures inherently support anonymity, pro-
tecting the identity of signer. Assuming an attacker has obtained a valid
ring signature generated only by members within the ring, if the ring
contains 𝑛 members, the probability that the attacker identifies the true
signer is 1𝑛. For any member other than the signer, the probability of
Fig. 11. Signature tracing phase. knowing the identity of signer is 1𝑛 1.
(2) Privacy: The generation of a ring signature relies solely on the
signer within the ring, with no involvement from other ring members,
When applying this ring signature scheme to a vehicular network thus preserving the privacy of the signer.
system, the overall model framework is shown in Fig. 12. The primary (3) Post-Quantum Security: This scheme employs a post-quantum
ring signature approach based on Merkle trees, leveraging hash-based
components of the model include:
and post-quantum secure mathematical problems. This design provides
robust security against quantum computing threats. The use of hash-
[1] On - Board Unit (OBU): Responsible for sending requests to the
based post-quantum ring signatures combines the strong properties of
TA, transferring its public key to the RSU, signing messages with
hash functions with quantum-resilient security, maintaining integrity
the ring signature, and sharing traffic accident information. even under potential quantum computing attacks.
[2] Road - Side Unit (RSU): Organizes received public keys into a (4) Efficiency: The computational efficiency of hash functions makes
ring, broadcasts signatures, accident information, and adverse this scheme suitable for a variety of application scenarios.
records to other vehicles, and forwards accident-related signa- (5) Unforgeability: The scheme ensures unforgeability through the
tures to the TA. one-way and irreversible properties of hash functions in constructing
[3] Trusted Authority (TA): Generates key pairs for the OBU, up- hash chains. Thus, it is highly challenging for anyone other than the
loads these to the blockchain network, and, in the event of an legitimate signer to forge a signature within this scheme.
9
S. Liu et al. Journal of Systems Architecture 160 (2025) 103345
C computes the corresponding 𝜎𝑠 , which S returns as a complete ring
signature to A.
Step 4: In the challenge phase, A sends M and an unobserved forged
ring signature to S, which calculates the corresponding 𝑌𝑠 of the forged
signer and submits (𝑌𝑠 , 𝜎𝑠 ) to C. If C verifies 𝑌𝑠 and 𝜎𝑠 as valid, then
S has successfully forged a signature, with output 1; otherwise, S fails,
outputting 0.
Since A can break the scheme with non-negligible probability P,
we deduce that 𝑝𝑟(𝑜𝑢𝑡𝑝𝑢𝑡(𝐺𝑎𝑚𝑒) = 1) = 𝑝, allowing S to break the
post-quantum ring signature algorithm with non-negligible probability.
However, this contradicts the assumed security of scheme, proving that
A cannot successfully forge signatures in polynomial time.
Fig. 13. Authentication path diagram of a node with index i = 2.
Theorem 3. If the underlying hash function family {𝐻𝑘 }, 𝑘𝐾𝐾 is a
collision-resistant family, then the proposed hash-based post-quantum ring
4.2. Security proof
signature scheme is collision-resistant.
The following section provides security proofs and discussions for Proof. During initialization, this reduction interacts with a collision-
the proposed scheme: resistant hash function challenge to acquire 𝐻𝑘 and completes initial-
ization per the original protocol. If an attacker generates a collision
Lemma 1. If a one-time signature scheme passes verification and the within the accumulator, this implies that the reduction knows two
reconstructed Merkle root Root matches the original Merkle root Root, then distinct inputs that collide under 𝐻𝑘 , with the collision probability
the signature is valid. bounded by the collision resistance of hash function.
Proof. Suppose the index 𝑖 = 2 is chosen for the one-time signature key Theorem 4. If the employed hash functions are one-way, then the proposed
used in the message signature. The nodes from index 𝑖 = 2 to the root Merkle-tree-based post-quantum ring signature scheme is unforgeable under
node traverse nodes [2, 9, 12], with sibling nodes [3, 8, 13], forming chosen-message attacks.
a verification path [3, 8, 13], In Fig. 13, we illustrate the verification Let 𝑛, 𝑤, 𝑚 ∈ 𝑁 , 𝑤𝑖𝑡𝑤, 𝑚 = 𝑝𝑜𝑙𝑦(𝑛), and let the function family 𝐹𝑛 =
pathway of the leaf node indexed at 2, which is depicted as the gray 𝑓𝑘 {0, 1}𝑛 → {0, 1}𝑛 where 𝑘 ∈ {0, 1}𝑛 satisfy second-preimage resistance
node. Reconstructing the root Root* follows these steps: and one-way properties. The variable t represents the computational time.
𝑁 𝑜𝑑 𝑒(9) = Hash(𝑛𝑜𝑑 𝑒(2) ∥ 𝑛𝑜𝑑 𝑒(3)) The term 𝜔 ⋅ 𝐼 𝑛𝑆 𝑒𝑐 𝑈 𝐷 (𝐹𝑛 ; 𝑡 ) reflects the undetectability (UD) security of
the function family 𝐹𝑛 , while 𝐼 𝑛𝑆 𝑒𝑐 𝑂𝑊 (𝐹𝑛 ; 𝑡 ) represents its one-way(OW)
𝑁 𝑜𝑑 𝑒(12) = Hash(𝑛𝑜𝑑 𝑒(9) ∥ 𝑛𝑜𝑑 𝑒(8)) security. Additionally, the term 𝜔 ⋅ 𝐼 𝑛𝑆 𝑒𝑐 𝑆 𝑃 𝑅 (𝐹𝑛 ; 𝑡 ) denotes the second-
preimage resistance(SPR) security, scaled by the parameter 𝜔. The formal
definitions of EU-CMA and SPR are provided in [14], and will not be
𝑁 𝑜𝑑 𝑒(14) = Hash(𝑛𝑜𝑑 𝑒(12) ∥ 𝑛𝑜𝑑 𝑒(13))
elaborated on here.
The value of node 9 is computed from nodes 2 and 3, the value of We define the unforgeability insecurity under chosen-message at-
node 12 is computed from nodes 9 and 8, and the value of the root node tack of WOTS+ as follows:
Root (node 14) is computed from nodes 12 and 13. This computed
lnSecEU-CMA (WOTS+ (1𝑛 , 𝑤, 𝑚); 𝑡, 1)
Root value is then compared with the public key. Clearly, the hash of
Root matches the original public key. The proof process for any other ≤ 𝑤 ⋅ ln SecUD (𝐹𝑛 ; 𝑡 ) + 𝑤𝑙
node is identical, thus confirming the correctness of the signature. ⋅ max{ln SecOW (𝐹𝑛 ; 𝑡 ), 𝑤 ⋅ ln SecSPR (𝐹𝑛 ; 𝑡 )} with 𝑡
= 𝑡 + 3𝑙𝑤 and 𝑡
Theorem 1. The proposed post-quantum ring signature scheme preserves
= 𝑡 + 3𝑙𝑤 + 𝑤 1
anonymity.
Assuming a valid signature 𝜎 = (𝑖, 𝜎𝑂𝑇 𝑆 , 𝑌𝑖 , 𝑎𝑢𝑡𝑖 ), where each value For WOTS+ combined with Merkle trees, the non-forgeability under
of 𝑖 is within the appropriate range 𝑖 ∈ [0, 2 1], the probability that chosen-message attacks on the Merkle tree can be defined as follows:
any other person can identify the true signer is 12 (for a ring with ( ( ) )
InSecEU-CMA Merkle-tree 1𝑛 , 𝑇 = 2 ; 𝑡, 1
2 members). For other ring members, the probability of knowing the { +log 𝓁1
≤ 2 ⋅ max 2 2 ⋅
identity of signer is 1(2 1). }
SPR
InSec (WOTS+ (1𝑛 , 𝜔, 𝑚) ; 𝑡, 1)
Theorem 2. The proposed ring signature scheme is unforgeable. Using the derived insecurity function for the Merkle tree combined
Proof. Suppose an attacker A could successfully forge a ring signature with W-OTS, which employs pseudorandom key generation and 𝐺𝑒𝑛2
with non-negligible probability P within polynomial time. We construct we arrive at the following results:
( )
a simulator S to challenge a ring signature algorithm claimed to be InSecEU-CMA XMSS(1𝑛 , 𝑇 = 2 ); 𝑡, 1
( )
secure by challenger C as follows: ≤ InSecEU-CMA WOTS+(1𝑛 , 𝜔, 𝑚); 𝑡, 1
Step 1: The challenger initializes 𝑛 signing instances with the MSS ( )
+ InSecEU-CMA Merkle-tree(1𝑛 , 𝑇 = 2 ); 𝑡, 1
signing algorithm, generating 𝑛 key pairs (𝑠𝑘, 𝑝𝑘) and sends all public
keys pk to simulator S. = InSecPRF (𝐹𝑛 , 𝑡 + 2 , 2 )
Step 2: Upon receiving the public keys, S initializes the ring sig- ⎧(2+log2 𝑙1 ) ⋅ InSecSPR (𝐻𝑛 , 𝑡 ), ⎫
nature algorithm by randomly selecting additional parameters and ⎪ PRF
⎪2 ⋅ InSec (𝐹𝑛 ; 𝑡 + 𝑙, 𝑙)+ ⎪
forwarding the public keys to attacker A. + 2 max ⎨ ( { OW
}) ⎬.
Step 3: In the query phase, A selects a message M and sends it to ⎪ UD
InSec (𝐹𝑛 ; 𝑡 ), ⎪
⎪ 𝜔 ⋅ InSec 𝐹𝑛 ; 𝑡 + max ⎪
S. Following the ring signature algorithm, S randomly selects a user ⎩ InSecSPR (𝐹𝑛 ; 𝑡 ) ⎭
𝑠 to generate the ring signature, computes 𝑌𝑠 , and forwards it to C.
10
S. Liu et al. Journal of Systems Architecture 160 (2025) 103345
Table 5
Test 16 XMSS-SHA2_10_256 signatures.
Number Signature time Verification time
0 1.990014 0.001119
1 1.980151 0.000947
2 1.969849 0.001210
3 1.965888 0.001184
4 1.969898 0.001056
5 1.980296 0.001144
6 2.017889 0.001093
7 2.054971 0.001101
8 2.016147 0.001241
9 2.020737 0.001267
10 1.954583 0.001016
11 2.021315 0.001060
12 2.029765 0.001043
Fig. 14. Signature generation time of 16 test results.
13 2.057487 0.001016
14 1.958401 0.001081
15 1.990919 0.001053
To prove XMSS is unforgeable under chosen-message attacks, we
consider the following factors:
Random Oracle Model: Assuming the hash function behaves as a
random oracle, an attacker has no foreknowledge of inputoutput pairs.
Irreversibility: WOTS+ security relies on the irreversibility of hash
chains; given a hash value 𝐻𝑖 (𝑥), finding the predecessor 𝐻𝑖1 (𝑥) is
infeasible.
Collision Resistance: The hash function must resist collisions, mak-
ing it nearly impossible for an attacker to produce distinct messages
that yield identical hash chains.
Fig. 15. Signature verification time of 16 test results.
5. Performance analysis
Table 6
Signature efficiency comparison table.
This study evaluates the performance of proposed scheme in densely
Scheme Number of Key Signature Verification
trafficked urban areas, focusing particularly on resistance to quantum
Members generation time/s time/s
attacks. The experiments are based on the Merkle tree-ring signature time/s
scheme, with a primary emphasis on security strength, as attacks in
OURS HBS 210 2.06 1.97 9.47e04
the IoV environments are expected to become increasingly complex, [33] LBS 10 0.07 0.06 0.04
especially with the advent of quantum attacks. Consequently, a high- [32] LBS 34.1e06 9.59e05 3.49e05
security, quantum-resistant signature scheme is essential for the IoV [25] HBS 210 0.16 0.11
systems.
The primary operations in the signature scheme include generating Table 7
public and private keys, measuring the time required for message Function comparison table of the scheme.
signing and verification, and instantiating the SHA-256 function as Scheme Post- Anonymity Traceability Application
the underlying hash function. Key parameters include the security quantum to IOV
parameter 𝑛, the Winternitz parameter 𝜔, and the number of ring security
members, with specific values assigned to each. These operations allow OURS HBS YES YES YES YES
[33] LBS NO YES YES YES
us to measure metrics such as key generation time, signature generation
[32] LBS YES NO NO YES
time, and signature verification time. [25] HBS YES YES YES NO
In this scheme, the digital signature algorithm is set to XMSS-
SHA2-10-256, utilizing the SHA-256 hash function with a Merkle tree
height of 10, enabling a maximum of 210 = 1024 possible ring signa-
tures. The number of signature tests is set to 16 to balance efficiency of Merkle tree as 10, and the number of ring members as 210 . Among
and data stability, ensuring valid results without excessive resource them, HBS stands for the scheme based on hash and LBS stands for a
consumption. scheme based on lattices.
To present the data more intuitively, the experimental results of the Comparing the scheme proposed in this paper with the scheme
16 tests shown in Table 5 are depicted in graphical form, resulting in in [33], it can be seen that the post-quantum ring signature scheme
Fig. 14 and Fig. 15. Fig. 14 illustrates the signature generation times based on Merkle tree has great advantages. First, in this evaluation, the
across the 16 tests, while Fig. 15 displays the signature verification number of ring members our scheme can accommodate is 210 , which
times. These figures show that both the signature generation time and is much larger than the number of ring members evaluated in [33].
verification time fluctuate within a certain range, indicating variability When the road section is wider and crowded, the scheme proposed in
rather than fixed values. Select one of the 16 test results to compare this paper is more suitable. Secondly, this scheme has post-quantum
with relevant literature studies. The attributes of comparison include security, which is more secure; Moreover, although the key generation
key generation time, signature generation time, signature verification time of our scheme is slightly longer than that of the scheme with
time, resistance to quantum attacks, anonymity, traceability, and ap- fewer ring members in [33], it is much faster in terms of signature time
plication to the IoV. The comparison results are drawn in Tables 6 and and verification time, especially the verification time is nearly 44 times
7, In our scheme, we set the parameters as n = 32, 𝜔 = 16, the height faster than that of [25].
11
S. Liu et al. Journal of Systems Architecture 160 (2025) 103345
Compared with the scheme in [32], the outstanding feature of Data availability
the scheme in this paper is ring signature, which has anonymity and
traceability, making it more suitable for the Internet of vehicles en- No data was used for the research described in the article.
vironment. In addition, the scheme in this paper uses Merkle tree
structure, which reduces the storage cost of public key and signature.
References
In general, lattice signature may require special optimization in high
performance computing. The algorithm maturity is not high, but the
[1] I. Wanger, Car production: Number of cars produced worldwide, Statista (2020).
underlying hash function of the post-quantum ring signature scheme in [2] Patrick Miner, Barbara M. Smith, Anant Jani, Geraldine McNeill, Alfred
this paper is SHA-256, and the SHA-256 function has passed the test of Gathorne-Hardy, Car harm: A global review of automobilitys harm to people
time in many practical applications, and has high algorithm maturity. and the environment, J. Transp. Geogr. 115 (2024) 103817.
Comparing the scheme in this paper with the scheme in [25], it can [3] Juan Contreras-Castillo, Sherali Zeadally, Juan Antonio Guerrero-Ibañez, Internet
of vehicles: Architecture, protocols, and security, IEEE Internet Things J. 5 (5)
be seen that both papers are based on hash function. The advantages (2018) 37013709, http://dx.doi.org/10.1109/JIOT.2017.2690902.
of the scheme in this paper are as follows: First, although the time [4] David Deutsch, Quantum theory, the ChurchTuring principle and the universal
of signature generation in [25] is nearly 12 times faster than that in quantum computer, Proc. R. Soc. A 400 (1818) (1985) 97117.
this paper, the time of signature verification in this paper is nearly 100 [5] Rasha Shajahan, Kurunandan Jain, Prabhakar Krishnan, A survey on NIST 3
rd round post quantum digital signature algorithms, in: 2024 5th International
times faster than that in [25]. In addition, the scheme in this paper is
Conference on Mobile Computing and Sustainable Informatics, ICMCSI, IEEE,
also applied to the vehicle networking model. 2024, pp. 132140.
As shown in Table 7, this study compares the attributes of Post- [6] David A. Cooper, Daniel C. Apon, Quynh H. Dang, Michael S. Davidson, Morris J.
quantum, Anonymity, Traceability, and Application to IoV. Dworkin, Carl A. Miller, et al., Recommendation for stateful hash-based signature
The comparison reveals that our scheme offers post-quantum security, schemes, NIST Spec. Publ. 800 (208) (2020) 208800.
[7] Samira El Madani, Saad Motahhir, Abdelaziz El Ghzizal, Internet of vehicles:
anonymity, traceability, and the ability to apply to IoV, with the
concept, process, security aspects and solutions, Multimedia Tools Appl. 81 (12)
advantages of our proposed scheme becoming more evident through (2022) 1656316587.
this comprehensive comparison. [8] Cesar Castellon, Swapnoneel Roy, Patrick Kreidl, Ayan Dutta, Ladislau Bölöni,
Energy efficient merkle trees for blockchains, in: 2021 IEEE 20th International
6. Conclusion Conference on Trust, Security and Privacy in Computing and Communications,
TrustCom, IEEE, 2021, pp. 10931099.
[9] Daniel J. Bernstein, Andreas Hülsing, Stefan Kölbl, Ruben Niederhagen, Joost
The hash-based post-quantum ring signature scheme offers advan- Rijneveld, Peter Schwabe, The SPHINCS+ signature framework, in: Proceedings
tages such as high signature efficiency, good scalability, and inde- of the 2019 ACM SIGSAC Conference on Computer and Communications Security,
pendence from complex mathematical assumptions. In the context of 2019, pp. 21292146.
[10] Kaiyi Zhang, Hongrui Cui, Yu Yu, SPHINCS-𝛼: A compact stateless hash-based
increasing security threats posed by advancements in quantum com-
signature scheme, 2022, Cryptology ePrint Archive.
puting, applying post-quantum ring signatures in IoV can enhance [11] Mikhail Kudinov, Andreas Hülsing, Eyal Ronen, Eylon Yogev, SPHINCS+ C:
anonymity and privacy protection while ensuring quantum-resistant Compressing SPHINCS+ with (almost) no cost, 2022, Cryptology ePrint Archive.
security. This paper presents a hash-based post-quantum ring signature [12] Sun Siwei, Liu Tianyu, Guan Zhi, SM3-based post-quantum digital signature
scheme built on the XMSS algorithm and demonstrates its application schemes, J. Cryptologic Res. 10 (1) (2023) 46.
[13] Andreas Hülsing, Mikhail Kudinov, Recovering the tight security proof of
in the IoV system. The proposed scheme is analyzed and proven secure.
SPHINCS+, in: International Conference on the Theory and Application of
Performance analysis is conducted following 16 experimental tests, Cryptology and Information Security, Springer, 2022, pp. 333.
with comparisons made to other similar schemes. The results show [14] Andreas Hülsing, Denis Butin, Stefan Gazdag, Joost Rijneveld, Aziz Mohaisen,
that the proposed scheme exhibits significant advantages in signature XMSS: Extended Merkle Signature Scheme, Technical Report, 2018.
verification time compared to other approaches. This is due to the [15] Jan Philipp Thoma, Tim Güneysu, A configurable hardware implementation of
XMSS, 2021, Cryptology ePrint Archive.
efficient hash computations and Merkle tree verification paths, which [16] Siwei Sun, Tianyu Liu, Zhi Guan, Yifei He, Jiwu Jing, Lei Hu, Zhenfeng
maintain low time complexity and high efficiency even with large Zhang, Hailun Yan, XMSS-SM3 and MT-XMSS-SM3: Instantiating extended Merkle
data sets. Moreover, the scheme satisfies the properties of quantum signature schemes with SM3, 2022, Cryptology ePrint Archive.
resistance, anonymity, traceability, and applicability to IoV. [17] Andreas Hülsing, W-OTS+shorter signatures for hash-based signature schemes,
in: Progress in CryptologyAFRICACRYPT 2013: 6th International Conference on
Future research will aim to further improve the practicality and
Cryptology in Africa, Cairo, Egypt, June 22-24, 2013. Proceedings 6, Springer,
security of the scheme in response to the evolving threats posed by 2013, pp. 173188.
quantum computing, and second, interdisciplinary collaboration can [18] Kaiyi Zhang, Hongrui Cui, Yu Yu, Revisiting the constant-sum winternitz
be strengthened in future research to provide valuable insights for one-time signature with applications to SPHINCS+ and XMSS, in: Annual
optimizing solutions in real-world scenarios. International Cryptology Conference, Springer, 2023, pp. 455483.
[19] Xie Jia, Liu Shizhao, Wang Lu, Research progress and prospects of ring signature
technology., J. Front. Comput. Sci. Technol. 17 (5) (2023).
CRediT authorship contribution statement [20] Rohit Chatterjee, Kai-Min Chung, Xiao Liang, Giulio Malavolta, A note on the
post-quantum security of (ring) signatures, in: IACR International Conference on
Shuanggen Liu: Conceptualization. Xiayi Zhou: Writing original Public-Key Cryptography, Springer, 2022, pp. 407436.
[21] Yuxi Xue, Xingye Lu, Man Ho Au, Chengru Zhang, Efficient linkable ring signa-
draft. Xu An Wang: Supervision. Zixuan Yan: Investigation. He Yan:
tures: new framework and post-quantum instantiations, in: European Symposium
Formal analysis. Yurui Cao: Resources. on Research in Computer Security, Springer, 2024, pp. 435456.
[22] Abida Haque, Alessandra Scafuro, Threshold ring signatures: new definitions
Declaration of competing interest and post-quantum security, in: Public-Key CryptographyPKC 2020: 23rd IACR
International Conference on Practice and Theory of Public-Key Cryptography,
Edinburgh, UK, May 47, 2020, Proceedings, Part II 23, Springer, 2020, pp.
The authors declare that they have no known competing finan-
423452.
cial interests or personal relationships that could have appeared to [23] Maxime Buser, Joseph K. Liu, Ron Steinfeld, Amin Sakzad, Post-quantum id-based
influence the work reported in this paper. ring signatures from symmetric-key primitives, in: International Conference on
Applied Cryptography and Network Security, Springer, 2022, pp. 892912.
Acknowledgments [24] J. Odoom, X. Huang, Z. Zhou, et al., Linked or unlinked: A systematic review
of linkable ring signature schemes, J. Syst. Archit. 134 (2023) 102786.
[25] Shiwei Xu, Tao Wang, Ao Sun, Yan Tong, Zhengwei Ren, Rongbo Zhu,
This work was supported by the National Natural Science Founda- Houbing Herbert Song, Post-quantum anonymous, traceable and linkable au-
tion of China (NSFC) under Grant No. 62172436.The first author and thentication scheme based on blockchain for intelligent vehicular transportation
the third author are the corresponding authors of this paper. systems, IEEE Trans. Intell. Transp. Syst. (2024).
12
S. Liu et al. Journal of Systems Architecture 160 (2025) 103345
[26] Nyothiri Aung, Tahar Kechadi, Tao Zhu, Saber Zerdoumi, Tahar Guerbouz, [33] Cui Yongquan, Cao Ling, Zhang Xiaoyu, Privacy protection of internet of vehicles
Sahraoui Dhelim, Blockchain application on the internet of vehicles (iov), based on lattice-based ring signature, Chinese J. Comput. 42 (5) (2019) 980992.
in: 2022 IEEE 7th International Conference on Intelligent Transportation [34] Cesar Castellon, Swapnoneel Roy, Patrick Kreidl, Ayan Dutta, Ladislau Bölöni,
Engineering, ICITE, IEEE, 2022, pp. 586591. Energy efficient merkle trees for blockchains, in: 2021 IEEE 20th International
[27] Haibin Zhang, Jiajia Liu, Huanlei Zhao, Peng Wang, Nei Kato, Blockchain-based Conference on Trust, Security and Privacy in Computing and Communications,
trust management for internet of vehicles, IEEE Trans. Emerg. Top. Comput. 9 TrustCom, IEEE, 2021, pp. 10931099.
(3) (2020) 13971409. [35] David Derler, Sebastian Ramacher, Daniel Slamanig, Post-quantum zero-
[28] Mirador Labrador, Weiyan Hou, Implementing blockchain technology in the knowledge proofs for accumulators with applications to ring signatures from
internet of vehicle (IoV), in: 2019 International Conference on Intelligent
symmetric-key primitives, in: Post-Quantum Cryptography: 9th International Con-
Computing and Its Emerging Applications, ICEA, IEEE, 2019, pp. 510.
ference, PQCrypto 2018, Fort Lauderdale, FL, USA, April 9-11, 2018, Proceedings
[29] Y. Liu, Q. Xia, X. Li, et al., An authentication and signature scheme for UAV-
9, Springer, 2018, pp. 419440.
assisted vehicular ad hoc network providing anonymity, J. Syst. Archit. 142
[36] Xinyu Zhang, Ron Steinfeld, Joseph K. Liu, Muhammed F. Esgin, Dongxi
(2023) 102935.
[30] X. Feng, X. Wang, K. Cui, et al., A distributed message authentication scheme Liu, Sushmita Ruj, DualRing-PRF: Post-quantum (linkable) ring signatures from
with reputation mechanism for internet of vehicles, J. Syst. Archit. 145 (2023) Legendre and power residue PRFs, in: Australasian Conference on Information
103029. Security and Privacy, Springer, 2024, pp. 124143.
[31] S. Thapliyal, M. Wazid, D.P. Singh, et al., Robust authenticated key agreement [37] David A. Cooper, Daniel C. Apon, Quynh H. Dang, Michael S. Davidson, Morris J.
protocol for internet of vehicles-envisioned intelligent transportation system, J. Dworkin, Carl A. Miller, et al., Recommendation for stateful hash-based signature
Syst. Archit. 142 (2023) 102937. schemes, NIST Spec. Publ. 800 (208) (2020) 208800.
[32] Nikhil Verma, Swati Kumari, Pranavi Jain, Post quantum digital signature change [38] Ralph C. Merkle, A certified digital signature, in: Conference on the Theory and
in iota to reduce latency in internet of vehicles (iov) environments, in: 2022 Application of Cryptology, Springer, 1989, pp. 218238.
International Conference on IoT and Blockchain Technology, ICIBT, IEEE, 2022,
pp. 16.
13
Reference in New Issue View Git Blame Copy Permalink