4.2. Implementation of Cryptographic Techniques
The approach presented in [
7] utilizes multiple cryptographic techniques to ensure security for vehicle communications on VANETs. In our simulation, we do not emphasize on pseudonym exchange and key updating/revocation, but mainly on the procedure of vehicle registration in an RSUs region, the procedure of choosing and informing a Group Leader in the network and finally, the procedure of a vehicle informing the RSU/GL about an important observed event in the region. Therefore, symmetric encryption is implemented using AES, while asymmetric encryption is implemented using ECC or HECC genus 2 or 3 using the ElGamal method
2. However, ElGamal method requires the messages to be a cryptographic Group element, a reduced divisor. So, a method of mapping text to a reduced divisor is also needed to be implemented. Furthermore, ECDSA signatures and HEC ElGamal signatures are used, key generation and distribution is implemented using (H)ECQV, (Hyper)Elliptic Qu-Vanstone certificates. Since no open-source library for Hyperelliptic Curve Cryptography of genus 3 is provided in C++, one is implemented and analyzed in this paper.
As mentioned above, the stages of the approach in [
7] that rely on symmetric encryption are implemented using AES, specifically, using the methods provided by the C++ library, Crypto++. AES is used with CBC mode of operation and with 16 bytes – 128 bits key and block sizes. Also, an Initialization Vector is used and is transmitted along with the symmetric key. To properly transmit the keys and IVs to the network as strings, the HexEncoder and HexDecoder methods of the library are used. Encrypted text outputs are always a multiple of 16 bytes since, by default, PKCS padding is used to handle input blocks.
Crypto++ additionally provides an API for executing ECC cryptographic operations (scalar multiplication, point addition etc.) and implemented methods for signing and verifying messages using ECDSA signatures. Curve secp256r
3 and its parameters (base/generator element) is provided by Crypto++ and it is chosen for our simulation because it produces 256-bit keys and therefore 128-bit security level. ElGamal encryption/decryption is implemented using the ScalarMultiply, Add and Subtract methods of Crypto++ to produce the cypher text as the tuple
, where
is a random integer of Group order (256 bits),
is the generator element,
is the public key and
is the message encoded as an EC point. The plain text is received by calculating
, where
is the private key. For encoding text as an EC Point, the Koblitz method is implemented [
10]. Modular arithmetic is executed using the NTL library
4 and given the plain text as an integer x that is less than the Group Order, the calculated EC Point
is
, where
and
. The
is calculated by the above equation until it is a quadratic residue
5, i.e.,
has a solution. ECDSA signatures are generated using Signer class of Crypto++ and verification is executed using the Verifier class of Crypto++. Points are compressed so that only the
coordinate is transmitted along with one extra byte to reconstruct y coordinate properly.
Key-pair generation, distribution and validation is handled by the ECQV certificate scheme [
11] for all three different asymmetric encryption algorithms. The scheme is adapted to match the requirements for Hyperelliptic Curve Cryptography. ECQV consists of 5 steps: ECQV_Setup, Cert_Request, Cert_Generate, Cert_PK_Extraction, Cert_Reception. At the ECQV_Setup step, the simulated node that acts as the Certificate Authority generates a key-pair
. The public key
is considered to be known to every participating vehicle and RSU. At the Cert_Request step, a node that requests a valid certificate from the CA generates a key-pair
and sends the public key
to the CA along with its ID. At the Cert_Generate step, the CA receives the
from the node, it generates another key-pair
and then it computes
and generates the certificate which include
. It also calculates
, where
and
is the Group Order. Finally, it sends the certificate and the parameter r to the node. At the Cert_PK_Extraction step, any node that wants to extract the public key from the certificate executes
. For the node that requested the certificate, at the Cert_Reception step, it computes its public as mentioned above and it also computes its private key
, where
and validates if
. For ECC, these operations are executed using the Crypto++ API for ECC operations including scalar multiplication and addition, while for Hashing, the SHA3-256 class of Crypto++ is used. Furthermore, for modular arithmetic the ModularArithmetic class is used that is initialized on
, the Group Order.
To implement the cryptographic operations for HECC of genus 2, libg2hec
6, has been used. This is a C++ library that provides methods for generating and and performing operations on reduced divisors of Hyperelliptic Curves of genus 2, which are suitable for cryptographic operations. The methods are based on the algorithms of the Handbook of Elliptic and Hyperelliptic Curve Cryptography by Henri Cohen and Gerhard Frey [
12]. It is based on NTL, a C++ library for number theory mathematics. For encryption/decryption using ElGamal and for HECQV certificates, the same operations are used as in ECC, but now the Group elements are the reduced divisors in Mumford representation. For signing and verifying messages, ElGamal signatures are used. The operations are similar to ECDSA, however methods were implemented from scratch. The produced signature is the tuple
, where
and
, where
is the message as a reduced divisor,
is the private key
is a random integer in
,
is the Group Order,
is the generator element as a reduced divisor and
is a bijection of a reduced divisor in Mumford representation to an integer in
. The bijection used is
, where
,
the coefficients of the u polynomial of the reduced divisor in Mumford representation.
The challenge in HECC is to choose secure Hyperelliptic Curve parameters for the cryptographic operations, since there is no given database of curves and parameters, like in ECC. Furthermore, general encoding and decoding techniques, that are needed for ElGamal encryption and signatures, to the Jacobian of the curves have not been established, so only algorithms for specific Hyperelliptic Curve families have been produced. For ElGamal signatures the Group Order needs to be known and to be prime or “almost” prime and the cofactor needs to be known as well. So, for the signatures of HECC genus 2 a curve was chosen from the “Construction of Secure Random Curves of Genus 2 over Prime Fields” by Gaudry and Schost [
13]. Specifically:
with
is chosen which produces a Group of Order:
where
is a prime number of 128 bits. That means that the security level of the curve is at the 128-bit level and can be compared with secp256-r1 that is chosen for ECC operations.
To overcome the challenge of encoding text to the Jacobian of the curve, a technique proposed by Michel Sack and Nafissatou Diarra on 2018 [
14] to encode integers as points to a specific family of Hyperelliptic Curves of arbitrary genus was used. In their paper, they provide code in Sage for executing their encoding techniques, which was translated to C++ using the NTL library. First of all, a different curve needs to be used and is produced by their algorithm for a given Finite Field of characteristic
. However,
and
. So, the characteristic of the Field is chosen as:
which is 128-bit and produces a Group of Order close to 256-bits. The curve is then produced based on the algorithm [
14] and is used for all cryptographic operations, except ElGamal signatures. Unfortunately, the exact Order of the curve is unknown. With [
14], text is mapped to a point in the Hyperelliptic Curve and then 2 points are combined and a reduced divisor produced. Specifically, the
polynomial of the divisor is calculated as
and the
polynomial is calculated as
and
.
Since in Mumford representation, the v polynomial can be constructed from the u polynomial it useful for a realistic simulation scenario to use divisor compression techniques. It is known that
, so based on the algorithm proposed by Henri Cohen and Gerhard Frey on their book [
12], a compression technique is used and the divisors are transmitted only using 256 bits for the
coefficients and one more byte used for the reconstruction information of the
polynomial.
Finally, for HECC of genus 3, a new library was created to match the needs of the simulation. Based completely on libg2hec implementation
7and Cohen’s and Frey’s book [
12], the curve and divisor classes were modified to match the required conditions for genus 3 curves and divisors. Most importantly, for Group operations, SAM, NAF and ML methods for scalar multiplication were used exactly as implemented in libg2hec since they are of arbitrary genus. For divisor “addition” and “doubling” Cantor’s algorithm can be used without modification since it is of arbitrary genus, however it is slow. Therefore, algorithms 14.52 and 14.53 for genus 3 divisor addition and doubling from the Handbook of Elliptic and Hyperelliptic Curve [
12] were implemented. As for cryptographic techniques, the same methods as in HECC of genus 2 were used. What differs are the chosen curves and the encoding/decoding and bijection techniques, which are adapted for genus 3 divisors. For general cryptographic operations, excluding signatures, a Finite Field of:
was used. Again,
and
, while
is an 86-bit integer which produces a Group Order of almost 256-bits. This Field is used by the algorithm of Michel Sack and Nafissatou Diarra [
14] to produce a curve that will be used for the cryptographic operations. For signatures, since the Group Order needs to be known, based on the publication of Annegret Weng [
15], curve:
was selected, where the Group Order is
, where
is a prime number of 168 bits. Also, the bijection
used for ElGamal signatures is now modified to
and for the encodings on the Jacobian, Michel Sack’s and Nafissatou Diarra’s algorithm [
14] is used to map text to points in the HEC and then 3 points are combined to produce a valid reduced divisor of genus 3.
4.4. Implementation of VANET Communication
The communication between vehicles and the Roadside Unit (RSU) to implement a secure scheme using desired cryptographic techniques was entirely carried out using NS-3 in C++, with the assistance of libraries like Crypto++, libg2hec, NTL, and g3hec, developed during the project and discussed in chapter 4.2. Specifically, communication was achieved through WAVE layer packets, extracting metrics without additional delay from processing higher network and application layers. Callback functions were installed to process incoming packets at nodes and take further actions based on the communication stage (Join, Accept, Extract_Symmetric, Receive GL Proof, Receive Vehicle Information based on [
7]), such as sending a response packet if necessary. Responses were routed randomly within a 0-3 second window to better utilize bandwidth and avoid collisions. The RSU stores the status of all vehicles in the area, key pairs, CA information, and the public key of entering vehicles along with their certificates. It maintains the total number of vehicles that joined, the GL identifier, the exchanged symmetric keys with vehicles, and parameters of curves used for encryption. Vehicles store their own keys, CA, RSU and GL public keys if available, certificates, the status of the communication that is ongoing, symmetric keys, IV arrays, and curve parameters.
Communication starts with the RSU broadcasting its certificate every 2 seconds. All vehicles are initially in RECEIVE_CERT state. Upon RSU certificate receipt, vehicles verify it, get the RSU public key, store it, and send back a Join packet to the RSU, transitioning to RECEIVE_ACCEPT_KEY state. RSU processes the response, changing vehicle state first to RECEIVE_ACCEPT_KEY, then ON_SYMMETRIC_ENC after sending the ACCEPT response. Vehicle density increases after 120 seconds, leading to congestion. RSU randomly selects a Group Leader (GL), sends GL Proof of Leadership, the GL transitions to GROUP_LEADER_INFORM and then IS_GROUP_LEADER. Note: ECC and HECC do not allow encryption of the Proof of Leadership message, so the RSU provides to the GL its own certificate, signed with RSU’s public key. GL relays decrypted message to the network every 2 seconds. Existing and new vehicles follow Join and Accept process with the GL (using RECEIVE_ACCEPT_GL and ON_SYMM_GL states). Finally, vehicles transmit an INFORM message at random times once they receive a symmetric key. GL gathers Inform messages and sends them to the RSU.