A secure authentication and key agreement scheme with dynamic management for vehicular networks

Abstract

The development of 5G communication, big data technology and intelligent transportation system has driven the rapid development of vehicle network (VANET). However, with the rapid development of vehicle networks, it will be invaded by various security problems, such as privacy disclosure, session key security, forward security, etc. To eliminate the security threats faced by the vehicle network and ensure privacy and secure communication between vehicles and roadside units(RSU), it is necessary to introduce a secure, reliable, and efficient authentication key agreement scheme. Therefore, based on the principle of challenge authentication handshake protocol, we propose a novel security authentication and key agreement scheme for the vehicle networks. The scheme meets mutual authentication, and is the session key of communication protocol between vehicle and roadside unit to resist common attacks. In addition, compared with other schemes, our scheme has the advantage that we can flexibly set time keys to constrain vehicle behaviour and achieve dynamic vehicle management. We also give a formal security proof of the scheme under the random oracle model (ROM). Finally, the efficiency of the protocol is evaluated, and the computing and communication overhead of our scheme is about 35% lower than that of the existing scheme. So, our scheme is more practical.

Keywords:

• VANET
• authentication
• key agreement
• security

1. Introduction

VANET refers to the carrying of advanced in-vehicle sensors, controllers, and other devices to enable intelligent information interaction through integrating with the Internet (Zeadally et al., 2012), that is, V2X (where X refers to entities such as vehicles, roads, people, and clouds). VANET is not an independent network, it is closely related to several industry chains, such as transportation, logistics, and communication. The concept of VANET is relatively broad, with the basic content including mobile internet, in-vehicle self-assembled network and in-vehicle network, and communication scenarios including vehicle-vehicle, vehicle-roadside unit, vehicle-trusted authority, vehicle-roadside unit-cloud, etc (Guerrero-Ibáñez et al., 2013). So, the communication scenarios of Telematics are complex and changeable, and its security aspect requires various security mechanisms. For instance, VANET security has security requirements such as verifying message integrity, traceability, anonymity, etc. The security mechanisms induced for these security requirements are password authentication, identity authentication, access control, etc.

With the development of VANET, some issues are gradually exposed. Firstly, there is usually the massive vehicle information stored in the VANET. If an attacker uses the information to carry out a witch attack or identity forgery, it may cause the privacy of drivers and passengers to be leaked, and the resulting consequences are unimaginable (Isaac et al., 2010). The security threat to identity privacy in connected vehicle security is real. Thus, it is imperative that user identity privacy is a high priority for VANET. Secondly, generally, roadside units are typically placed at the roadside and an attacker may be able to access the information within VANET by some means of controlling the RSU. One of the communication methods in VANET is V2I (Azees et al., 2016). Because of the public nature of this communication method, an attacker can eavesdrop and analyse the communication content transmitted from the public channel, which can access the real private information of the critical infrastructure or tamper with the original communication messages, posing a huge threat and thus have some unavoidable consequences on road traffic safety (Qu et al., 2015). Finally, these mobile vehicle nodes need to periodically communicate as necessary, thus generating a large amount of communication information. The communication cost is also an issue that must be taken into account (Al-Sultan et al., 2014).

One of the most important methods commonly used to secure networks is message signing techniques and authenticated key agreements. To eliminate security threats to VANET and to ensure the privacy protection of users and secure communication in VANET (Zeadally et al., 2012). Similarly, identity authentication can prevent adversaries from tampering with the message and tracking the source of the message. In particular, secure authentication and key agreement guarantee that an adversary cannot gain access to the generated key by carrying out a malicious attack (e.g. replay attack) (Shen et al., 2017). The security and efficiency of the VANETs environment will be an important constraint to the spread of driverless technology. Under these requirements, authentication and key negotiation protocols, as an important cryptographic primitive, can provide a strong guarantee for secure communication in VANETs environments. Therefore, the introduction of a trusted authentication mechanism is necessary and imperative to protect the security and privacy of VANET (Cui et al., 2018). Now, some researchers have made certain research results in the field of authentication and key agreement for VANET, but the existing research results have not formed a complete system architecture, and there are still problems that need to be solved, such as the leakage of user identity privacy, the lack of effective management, and the lack of balance between security and efficiency.

1.1. Our inspiration and contributions

The inspiration for this paper comes from the conference paper (Zhou et al., 2022). This paper can be regarded as an extended version of the conference paper. The difference is that a time constraint mechanism is introduced in the scheme to address the problems revealed in the development of VANET, such as the inability to dynamically manage vehicles. The time key is set flexibly according to the user's honesty to avoid potential abnormal behaviours of users or vehicles as much as possible, thus realising dynamic management and control of vehicle security.

On this basis, a message authentication scheme is further designed based on schnorr signatures. Under the random oracle model, this paper gives strict formal security proof of the scheme. In addition, the perspective for performance analysis is extended and a comparative analysis with similar schemes is given. The specific contributions of this paper are as follows.

• In this paper, we design a secure authentication and key agreement scheme for VANET. In addition, the scheme has a variety of security features, such as anonymous identity and traceable malicious users, dynamically constraining vehicle behaviour, and resisting common network attacks.

• In our scheme, based on the time-bound mechanism, the dynamic revocation of vehicles is designed to avoid attacks by malicious users. Without the dynamic revocation function, the authority TA will not be able to punish malicious users in time. This may lead to irreversible consequences as such malicious attackers remain active in the network and disrupt the communication between legitimate vehicles and the roadside units RSU.

• In random oracle model, based on the one-way irreversibility of the hash function and DDH problem, we formally prove the security of the proposed scheme. The security and performance analysis shows that the proposed scheme can improve efficiency without sacrificing security.

2. Related work

The entities of the system model of VANET include vehicles, trusted authority (TA), and roadside unit (RSU). The main communication process in VANET takes place between the RSU and the vehicle and between the vehicle and the vehicle. By designing a reasonable security authentication key negotiation protocol, VANET can achieve a secure and convenient authentication between RSU and vehicle, ensuring that the mutual identity is secure and trustworthy while guaranteeing the privacy of the user in order to exchange information with each other securely. In recent years, a popular approach that can guarantee vehicle communication security and user privacy is to design authenticated key agreement protocols. As Canetti and Krawczyk (2002) point out the key agreement, symmetric encryption and authentication algorithm for achieving session key security can be co-designed to establish a secure and reliable communication channel, which in turn enables secure data communication. Lee and Lai (2013) proposed an authentication scheme based on bilinear pair from the perspective of efficiency and practicability of scheme design, which is more suitable for practical application. However, Jianhong et al. (2014) analysed the scheme proposed by Lee and Lai (2013) and pointed out that its scheme has potential security risks, such as not resisting replay attacks and not tracking malicious users. On this basis, an authentication scheme that enables anonymity and identity tracking is proposed, which makes up for the shortcomings of the scheme proposed by Lee and Lai (2013). that it cannot resist replay attacks and does not have traceability, and has better security performance. From the perspective of protecting users' privacy, 2015 proposed a new vehicle anonymous authentication protocol based on group signature, but the scheme introduced new security risks, such as random tracking. Ying and Nayak (2017) designed a lightweight authentication scheme using the fast computation of hash functions to achieve mutual authentication between On Broad Units (OBU), RSUs and Trusted Authorities (TA). However, the scheme also has security risks, such as unable to resist replay and modification attacks. Mohit et al. (2017) proposed a three-factor authentication mechanism based on password, smart card and biometrics in VANET that they claimed could resist known attacks. However, Yu et al. (2018) conducted in-depth analysis on the scheme of Mohit et al. (2017) and pointed out that its scheme has great security risks and can not resist a variety of attacks, such as counterfeiting and tracking attacks. In addition, its scheme can not provide session security and user anonymity. Chen et al. (2019) proposed authentication protocol to resist offline identity guessing attack, location spoofing attack, and replay attack. Jia et al. (2019) propose a three-party authenticated key agreement protocol from bilinear pairings. However, the computation cost of the proposed scheme is relatively high. Ma et al. (2019) design a new authenticated key agreement protocol without bilinear pairing. Subsequently, Wang et al. (2020) proposed a scalable computing V2I authentication scheme suitable for the vehicle network with the help of blockchain technology, which improved the security and efficiency of authentication. To improve the efficiency of the whole certification process, Zheng et al. (2022) introduced multi-TA model concept design certification protocol. Based on blockchain incentive mechanism and certificateless message authentication technology, Zhang and Xu (2022) introduced an adaptive t threshold multi-signature mechanism to improve the efficiency of message authentication. Compared with the existing schemes mentioned above, our proposed scheme provides more functional features and is more flexible without sacrificing security. Specifically, in our scheme, based on the time constraint mechanism, the dynamic revocation of vehicles is designed to avoid the attack of malicious users. If there is no dynamic revocation function, the trusted authority TA will not be able to punish malicious users in time. This may lead to irreversible consequences, because such malicious attackers are still active in the network and interrupt the communication between legitimate vehicles and roadside units RSUs.

3. Preliminaries

3.1. Fuzzy extractor

Fuzzy extractor is one of the commonly used techniques in biometric recognition, $FE=Gen(),Rep()$. Specific details are shown in Figure 1.

• $G\mathrm{en}(\omega )\to (\theta ,\vartheta )$: Generate algorithm $Gen()$ input ω (a sampling of random sources of noise), output a string θ and a public auxiliary string ϑ.

• $Rep({\omega }^{\mathrm{\prime }},\vartheta )\to \theta$: Regeneration algorithm $Rep()$ input ${\omega }^{\mathrm{\prime }}$ (another sampling of random sources of noise) and public auxiliary string ϑ, output a string ${\theta }^{\mathrm{\prime }}$.

• If the biometric error of the two inputs meets the specified threshold ε. If $dis\text{(}\omega ,{\omega }^{\mathrm{\prime }})\le \epsilon$, output θ.

Figure 1. Fuzzy extractor.

3.2. Schnorr signatures

In 1989, Schnorr proposed a digital signature scheme based on discrete logarithms. Schnorr signatures consists of three algorithms: setup, signature and signature verification.

• Setup : Let p and q be prime numbers, $q|p-1$, selects a private key $s\in {\mathbb{Z}}_q^{\ast }$, a generator $\mathrm{g}$ of $\mathbb{F}$, a secure hash function f, and then calculate the public key $g_{pb}=g^s$.

• Signature : The signer selects nonce integer $r\in {\mathbb{Z}}_q^{\ast }$, message M and then calculate $R=g^r,E=f(M,R)$, $S=(r+sE)modq$. Output message signature pairs $(M,E,S)$.

• Signatureverification : After verifier receiving the message signature pairs $(M,E,S)$, it first calculates $R=g^S\cdot g_{pub}^{-E}$, after calculating $E\underset{\_}{\underset{\_}{?}}f(M,R)$.

  Figure 2. System architecture.

  

4. System model

4.1. System architecture

• Trusted Authority (TA) : It is determined to be highly and completely trustworthy. In reality, it refers to the government traffic control authorities. It is assumed that the TA has adequate computational and storage capacities and is responsible for generating and publishing relevant system parameters, vehicle registration and the flexible generation and updating of the corresponding time keys for each vehicle. It is worth noting that the trusted authority TA is special, and only it can realise dynamic management and user tracking.

• User : The user, meaning the driver of the vehicle, establishes a direct connection with the vehicle so that he or she can control it.

• Vehicle : Vehicles are identified as untrustworthy entities. Each vehicle integrates an OBU and a TPM, where the OBU has good wireless communication capabilities, while the TPM is a secure tamper-proof hardware device and is mainly used to process and store relevant parameters.

• RSU : RSU is considered to be honest and curious, i.e. a semi-trustworthy entity.It is responsible for communicating with every vehicle in its jurisdiction, thus identifying and pinpointing the vehicle. The system architecture is shown in Figure 2.

4.2. Security objectives

• Mutual authentication : To ensure the authenticity of the entities in the agreement, the vehicle and RSU should verify each other's identity.

• Session key agreement : To encrypt and decrypt messages for message authenticity protection, fresh, secure session keys should be negotiated between the vehicle and the RSU.

• Anonymity and traceability : To prevent the compromise of the user's or vehicle's private information, the true identity of the user and vehicle cannot be calculated in the message by any entity other than the Trusted Authority TA, including the attacker, during the entire communication process. In addition, when a user or vehicle behaves abnormally, the Trusted Authority TA can track the real identity of the user or vehicle, punishment and, even revocation.

• Resistant against various kinds of attacks : Our proposed solution should resist common network attacks, such as replay attack and man-in-the-middle attack.

5. Our proposed scheme

Our scheme is divided into seven stages. In the initialisation phase, relevant system parameters are generated. At the registration stage, the trusted authority registers the identity information for the user's vehicle. At the time key constraint stage, the trusted authority updates the time key regularly for the legal vehicle. In the authentication phase, the identity authentication between people and vehicles, the authentication and key negotiation between vehicles and RSUs are realised. In the message authentication stage, the process of encrypting communication with key is shown. The dynamic management stage realises the dynamic management of vehicles and users. The details are as follows.

5.1. Initialization phase

Given a security parameterκ, the TA shall carry out the following operations:

Step 1: Selects a multiplicative cyclic group $\mathbb{G}$. Here, q is its prime order and g is its generator.

Step 2: Selects a system private key: a nonce $x\in {\mathbb{Z}}_q^{\ast }$, compute $g_{pub}=g^x$.

Step 3: Chooses four secure hash functions: $h:{\{0,1\}}^{\ast }\to {\{0,1\}}^l$, $H_1:{\{0,1\}}^{\ast }\to {\mathbb{Z}}_q^{\ast }$, $H_2:{\{0,1\}}^{\ast }\times \mathbb{G}\to {\mathbb{Z}}_q^{\ast }$, $H_3:{\mathbb{Z}}_q^{\ast }\to {\mathbb{Z}}_q^{\ast }$. The public parameters $Params=\{\mathbb{G},q,g,g_{pub},H_1,H_2,H_3\}$. Here, h is not publicly available, it is only saved in TPM.

5.2. Registration phase

Step 1: User $U_i$ inputs their identity $I{D}_i$, password $P{W}_i$, and fingerprints $BI{O}_i$ into the vehicle's TPM.

Step 2: Upon receiving $\{I{D}_i,P{W}_i,BI{O}_i\}$ from $U_i$, the vehicle's TPM picks $a_i\in {\mathbb{Z}}_q^{\ast }$ and computes $Gen(BI{O}_i)=({\theta }_i,{\vartheta }_i)$, $PI{D}_i=h(I{D}_i||a_i)$, $P_i=h(P{W}_i||a_i)$, $B_i=h({\theta }_i||a_i),C_i=a_i\oplus H_1({\theta }_i)$, and $A_i=h(PI{D}_i||P_i||B_i)$. Finally, $V_i$ submits the registration request $\{I{D}_i,PI{D}_i,P_i,B_i\}$ to TA through the secure channel.

Step 3: Upon getting $\{I{D}_i,PI{D}_i,P_i,B_i\}$ from the vehicle $V_i$, TA chooses a unique element $T_i\in {\mathbb{Z}}_p^{\ast }$ as the identification of the vehicle and calculates $E_i=g^{(P_i+B_i+T_i)}$. The TA then sends $\{T_i,params\}$ to the TPM of the corresponding vehicle. The $V_i$ stores $\{P_i,B_i,T_i,C_i,A_i,params\}$ into its TA. Meanwhile, the TA generates a database table $T_{U_i-V_i}$ for locally stores the data corresponding to each user and vehicle. For more details see Figure 3.

Figure 3. Registration phase.

Remark 5.1

$A{F}_i$, indicates the number of failed authentication and message authentication attempts. The initial value of X is NULL. Similarly, status indicates the current state of the vehicle, and the initial value is NULL. Subsequently, it will change to Y es or No depending on whether the vehicle behaves normally or not. Moreover, if $|A{F}_i|\ge N_i$ (Such as the threshold $N_i$ = 5), where $N_i$ is a threshold. TA will set the status of the vehicle to No. More detailed analysis can be found in Section 6.4.

5.3. Time key constraint phase

TA dynamically manages users by periodically updating time keys to registered legal vehicles. The details are shown in Figure 4.

Figure 4. Time key constraint phase.

Step 1 : Before updating the key for corresponding registered legal vehicle, TA first checks the status of the corresponding vehicle in $T_{U_i-V_i}$ to determine if the vehicle is in an abnormal condition.

Step 2 : If the Status is No, The stops updating the time key of the corresponding vehicle. Otherwise, TA chooses a reasonable time T and a nonce $r_i\in {\mathbb{Z}}_p^{\ast }$, and gets $R_i=g^{r_i}$, $Q_i=(r_i+H_2(\mathrm{PI}{\mathrm{D}}_i||{\mathrm{B}}_i||T||R_i)x)modq$for the corresponding legal vehicle. The TA then delivers the tuple $\{R_i,Q_i,T\}$ to the registered legal vehicle through public channels.

Step 3 : After receiving $\{R_i,Q_i,T\}$ from the trusted authority TA, the user first inputs $\mathrm{I}{\mathrm{D}}_i{,\mathrm{BIO}}_i^{\ast }$into the vehicle's TPM. Then, TPM calculates $Rep(BI{O}_i^{\ast },{\vartheta }_i)={\theta }_i^{\ast }$, $a_i^{\ast }=C_i\oplus H_1({\theta }_i^{\ast }),PI{D}_i^{\ast }=h(I{D}_i||a_i^{\ast }),B_i^{\ast }=h({\theta }_i^{\ast }||a_i^{\ast })$, ${g^{Q_i}}^{\ast }\underset{\_}{\underset{\_}{?}}{R}_i\cdot {(g_{pub})}^{H_2(PI{D}_i^{\ast }||B_i^{\ast }||T||R_i)}$. TPM verifies that the time key is valid by checking ${g^{Q_i}}^{\ast }\underset{\_}{\underset{\_}{?}}{g}^{Q_i}$. If the equation does not hold, then the update of the time key has failed. Otherwise, the update key succeeds and is stored in the TPM of the corresponding vehicle.

5.4. User-to-Vehicle authentication phase

In Figure 5, a user needs to drive the vehicle, he needs to provide some personal information to the vehicle to verify the legitimacy of his identity.

Figure 5. User-to-vehicle-to-RSU authentication and key agreement phase.

Step 1 : $U_i$ provides $I{D}_i$, $P{W}_i$ and $BI{O}_i^{\ast }$ as $UserLoginRequest$ to $V_i$.

Step 2 : Upon receiving $UserLoginRequest$ from the user $U_i$, the vehicle's TPM calculates some parameters as follows: $Rep(BI{O}_i^{\ast },{\vartheta }_i)={\theta }_i^{\ast },a_i^{\ast }=C_i\oplus H_1({\theta }_i^{\ast })$ $PI{D}_i^{\ast }=h(I{D}_i||a_i^{\ast }),P_i^{\ast }=h(P{W}_i||a_i^{\ast }),B_i^{\ast }=h({\theta }_i^{\ast }||a_i^{\ast })$, $A_i^{\ast }=h(PI{D}_i^{\ast }||P_i^{\ast }||B_i^{\ast })$.

Step 3 : TPM check $A_i^{\ast }\underset{\_}{\underset{\_}{?}}{A}_i$, if the equation doesn't hold, the verification will be interrupted and the vehicle will actively report to TA. TA will add this failed authentication record to the $A{F}_i$.

5.5. Vehicle-to-RSU authentication and key agreement phase

After the user $U_i$ is logged into the vehicle $V_i$ successfully, $V_i$ transmits authentication request to RSU - see below:

Step 1 : First, the vehicle sends the parameters $\{R_i,Q_i,T,PI{D}_i^{\ast }\}$ generated in the time key phase to the RSUas an $VehicleRequest$.

Step 2 : After obtaining $VehicleRequest$ from $V_i$, Then, RSU searches for the $PI{D}_i^{\ast }$ corresponding to table $T_{V_i}$ based on the $PI{D}_i^{\ast }$ sent by the vehicle and calculates ${g^{Q_i}}^{\ast }$, thus verifying the correctness of the time key by checking ${g^{Q_i}}^{\ast }\underset{\_}{\underset{\_}{?}}{g}^{Q_i}$. If holds, RSU continues. Otherwise, rejects the $VehicleRequest$.

Step 3 : RSU chooses a random number ${\eta }_1\in {\{0,1\}}^{\kappa }$, ${\alpha }_1,{\alpha }_2,{\alpha }_3,{\alpha }_4\in {\mathbb{Z}}_q^{\ast }$ and randomly generated $SI{D}_i$ (mark this unique session), $A_3=g^{{\alpha }_3}$, $A_4=E_i^{{\alpha }_2}{g}^{{\alpha }_4}$, $Inf{o}_R=A_1||A_2||A_3||A_4||{\eta }_1||SI{D}_i$. Then, RSU sends $Inf{o}_R$ as $RSUChallenge$ to the corresponding $V_i$.

Step 4 : Upon receiving $RSUChallenge$ from RSU, $V_i$ chooses ${\eta }_2\in {\{0,1\}}^{\kappa }$, ${\alpha }_3^{\mathrm{\prime }},{\alpha }_4^{\mathrm{\prime }}\in {\mathbb{Z}}_p^{\ast }$ and computes $A_3^{\mathrm{\prime }}=g^{{{\alpha }_3}^{\mathrm{\prime }}}$, $A_4^{\mathrm{\prime }}=A_1^{(P_i+B_i+T_i)}{g}^{{\alpha }_4^{\mathrm{\prime }}}$, $Inf{o}_v=A_3^{\mathrm{\prime }}||A_4^{\mathrm{\prime }}||{\eta }_2||SI{D}_i$. Now, it can calculate session key $SK=A_3^{{\alpha }_4}\oplus {(\frac{A_4}{A_1^{(P_i+B_i+T_i)}})}^{{{\alpha }_3}^{\mathrm{\prime }}}$. The vehicle then runs $HMAC(SK,Inf{o}_R)$ to get a tag $T_R$. Note that $Inf{o}_R$ here notes the variable length message sent by the RSU, SK notes the session key calculated by the vehicle $V_i$, and $T_R$ means the fixed length authentication character, sometimes referred to as a tag. Finally, it sends $Inf{o}_V$ as $VehicleResponse$ and $T_R$ as $VehicleAcknowledgement$ to RSU.

Step 5 : Upon receiving $VehicleResponse$ and $VehicleAcknowledgement$ from vehicle $V_i$, RSU calculates $S{K}^{\mathrm{\prime }}=A{{}_3^{\mathrm{\prime }}}^{{\alpha }_4}\oplus {(\frac{A_4^{\mathrm{\prime }}}{E^{{\alpha }_1}})}^{{\alpha }_3}$, $T_V=HMAC(S{K}^{\mathrm{\prime }},Inf{o}_V)$. The RSU then sends $T_V$ as $RSUAcknowledgement$ to vehicle $V_i$.

Step 6 : The vehicle $V_i$ and RSU now have a set of parameters at both sides: $[(Inf{o}_V,T_V)(Inf{o}_R,T_R)]$. The vehicle $V_i$ confirms the correctness of SK by checking $HMAC(SK,Inf{o}_V)\underset{\_}{\underset{\_}{?}}{T}_V$. The RSU side confirms the correctness of $S{K}^{\mathrm{\prime }}$ by checking $HMAC(S{K}^{\mathrm{\prime }},Inf{o}_R)\underset{\_}{\underset{\_}{?}}{T}_R$.

Remark 5.2

As shown in Figure 5, the design inspiration of the above stage comes from SSL/TLS protocol.

5.6. Message authentication phase

It is assumed that the user and vehicle have successfully registered and successfully logged in for authentication, as shown in Figure 6.

Figure 6. Message authentication phase.

Step 1 : Firstly, the vehicle chooses a nonce $k_i\in {\mathbb{Z}}_q^{\ast }$ and calculates $K_i$, $F_i=H_3(S{K}_i||M_i||T{S}_i)$ and $N_i=(K_i+x{F}_i)$ mod q.

Step 2 : Then send its own pseudo identity $PI{D}_i$, message $M_i$, timestamp $T{S}_i$ of the current system, $K_i$ and signature $N_i$ to RSU;

Step 3 : Finally, RSU will check whether the difference between the time stamp $T_i$ sent by the vehicle and the time stamp $T_{cur}$ of the current system is within the validity period. If it expires, the subsequent operation will be terminated. On the contrary, the RSU will continue to use the $PI{D}_i$ sent by the vehicle to query the corresponding information $S{K}_i$ in the table $T_{Vi}$, calculate the $F_i$. Finally, RSU verify that Equation $g^{N_i}\underset{\_}{\underset{\_}{?}}{K}_i\cdot (g_{pub}{)}^{F_i}$ holds. If hold, it indicates that the message has not been tampered with, is complete and the source is real.

5.7. Dynamic management phase

In this part, our scheme mainly focuses on two different revocation scenarios. One is that the user actively applies for account cancellation, and the other is to revoke the malicious vehicles in the system.

• Legal user revocation : A user with a revocation request can send a revocation request message with their identification $I{D}_{ui}$ to the trusted authority via a reliable channel. After receiving the revocation request from the user, TA retrieves the corresponding $I{D}_{ui}$ in the system database table, and then stops updating the time key of the corresponding user to finally achieve the function of revoking the user.

• Revoke malicious vehicles : To realise the dynamic management of vehicle users, our scheme intends to set a trusted authority TA to regularly update the time key to the legitimate users in the system by setting a reasonable time threshold. If the RSU finds that the user has illegal behaviour during the session, it will report to the trusted authority TA. TA will verify the authenticity. If it is true, the time key of the vehicle will not be updated regularly by TA. Otherwise, TA will downgrade the RSU to a certain extent and initially realise the vehicles dynamic management function.

6. Security analysis

The simulator S generates corresponding system parameters and some public keys or private keys under the reference of the protocol, and exposes the public parameters to $\mathcal{A}$.

6.1. Correctness

Correctness of the session key SK:

$SK=A_3^{{\alpha }_4}\oplus {(\frac{A_4}{A_1^{(P_i+B_i+T_i)}})}^{{{\alpha }_3}^{\mathrm{\prime }}}=E^{{\alpha }_3^{\mathrm{\prime }}{\alpha }_3}\oplus E^{{\alpha }_4^{\mathrm{\prime }}{\alpha }_4}=A{{}_3^{\mathrm{\prime }}}^{{\alpha }_4}\oplus {(\frac{A_4^{\mathrm{\prime }}}{E^{{\alpha }_1}})}^{{\alpha }_3}=S{K}^{\mathrm{\prime }}$.

6.2. Threat model

Queries : Through oracles queries, the legitimate protocol participant and adversary can interact accordingly. Specifically, adversary $\mathcal{A}$ can carry out the following queries:

$Execute(\prod _{U_i}^u,\prod _{V_j}^v,\prod _R^r)$: This query simulates a passive attack, which can eavesdrop on the communication messages of instance $\prod _{U_i}^u,\prod _{V_j}^v,\prod _R^r$ on the public channel, and return the eavesdropped messages to $\mathcal{A}$ for analysis.

$Hash(value)$: $\mathcal{A}$ can obtain the hash output for the input.

$Send(\sigma ,M)$: $\mathcal{A}$ sends a message M to other instances by pretending to be an instance. The message can be a eavesdropping communication message or a forged message by $\mathcal{A}$. The Oracle returns a message of the inquired entity to $\mathcal{A}$.

$Test(\sigma )$: It is used to evaluate the security of the session key SK between instance $\prod _{V_j}^v$ and instance $\prod _R^r$. This query is only allowed once. If SK between instance $\prod _{V_j}^v$ a and instance $\prod _R^r$ is not established or is not fresh, it returns ⊥. Otherwise, the Oracle randomly flips a coin b to get the value of b.

If b = 0, it returns a real SK to $\mathcal{A}$.

If b = 1, it selects a random string from the same value space and returns it to $\mathcal{A}$.

Definition 6.1

DDH Assumption

Assuming that have a tuple $(q,g,\mathbb{G})$, $\mathbb{G}$ is a cyclic group, q is its prime order, and g as its generator. Given parameters$(\alpha ,\beta ,\gamma )\in {\mathbb{Z}}_q^{\ast }$, there is no a polynomial algorithm A can distinguish $(g^{\alpha },g^{\beta },g^{\alpha \beta })$ from $(g^{\alpha },g^{\beta },g^{\gamma })$ That is $|Pr[F(g^{\alpha },g^{\beta },g^{\gamma })=1]-Pr[F(g^{\alpha },g^{\beta },g^{\alpha \beta })=1]|\le Neg(\kappa )$, where $Neg(\kappa )$ is a negligible function about security parameters κ.

6.3. Formal security proof using ROM model

Proofs of security in cryptography can be demonstrated using a series of sequential games. In specific cases, this proof method can reduce the complexity of security proofs. The security of a scheme is usually expressed as an attack game between adversaries and challengers, where both adversaries and challengers are interconnected probabilistic processes. In constructing such a security proof, it is desirable that the variation between successive games is very small so that analysing the variation is as simple as possible. Usually, this proof method is called Sequences of Games.

The transition between successive games is generally of one of the following three types:

• Bridging steps.

• Transitions based on failure events.

• Transitions based on indistinguishability.

Theorem 6.1

Assume that $Adv(\mathcal{A})$ is the probability that $\mathcal{A}$ successfully compromises security of the proposed scheme in polynomial time t. Suppose adversary $\mathcal{A}$ asks $q_e$ $Execute()$ queries and $q_s$ $Send()$ queries, $q_h$ $Hash()$ queries. If the DDH assumption holds, then our scheme is secure. Then,

(1) $Adv(\mathcal{A})\le \frac{q_h^2}{2^l}+\frac{(q_s+q_e{)}^2}{p}+\frac{q_s}{2^{l-1}}+2Ad{v}_{\mathcal{A}}^{DDH}.$(1)

Proof.

We define game sequence $Game0$ to $Game5$. The proof is comprised of a sequence of games: Gamei, $i\in (1,5)$. $Pr[Suc{c}_{Gi}]$ represents the probability of success of Gamei.

Game0 : The simulation of $Game0$ is completely similar to the real attack in the random oracle model. So, in $Game0$, the probability of success is equal to the probability that $\mathcal{A}$ successfully attacks the real protocol. we get, (2) $Adv(\mathcal{A})=\mid Pr[Suc{c}_{G0}]-\frac{1}{2}=\mid 2Pr[Suc{c}_{G0}]-1\mid .$(2) Game1 : $\mathcal{A}$ obtains the communication information between instances through passive attack. $Game1$ is basically the same as $Game0$. All the above oracle and hash oracle are involved in the game. The above oracle has been included in the actual attack scenario, so the simulation of this game and the actual implementation of the protocol are essentially indistinguishable. In other words, it is only a bridging step. We obtain, (3) $\mid Pr[Suc{c}_{G1}]-Pr[Suc{c}_{G0}]=0\mid .$(3) Game2 : The only difference between $Game2$ and $Game1$ is that if a collision occurs in the following two events, the $Game2$ will terminate:

Event1 : In this game, because the communication message in the authentication protocol includes hash function output, $\mathcal{A}$ can find the collision of messages through $Hash()$. Among, based on the birthday paradox principle (Suzuki et al., 2006), the collision probability of hash function output is at most $\frac{{\mathrm{q}}_h^2}{2^{l+1}}$.

Event2 : Similarly, $\mathcal{A}$ can find the collision of transcripts through interaction information generated during protocol execution.The collision probability of partial transcripts: $\{(R_i,Q_i,T),(Inf{o}_R,Inf{o}_v),(T_R,T_V)\}$ is at most $\frac{{(q_s+q_e)}^2}{2p}$ , because the number are randomly and uniformly distributed. So, we get, (4) $\mid Pr[Suc{c}_{G2}]-Pr[Suc{c}_{G1}]\mid \le \frac{q_h^2}{2^l}+\frac{(q_s+q_e{)}^2}{p}.$(4) Game3 : The only difference between $Game3$ and $Game2$ is that this game will be terminated if adversary successfully guesses the authentication factors ( $T_R$,$T_V$) without querying the $Hash()$ oracle. so, we conclude, (5) $|Pr\left[S\mathrm{u}c{c}_{G3}\right]-Pr\left[S\mathrm{u}c{c}_{G2}\right]|\le \frac{q_s}{2^l}.$(5) Game4 : Finally, we need to consider whether the session key SK is secure. $\mathcal{A}$ tries to compute SK by analysing the intercepted messages $Inf{o}_R$, $Inf{o}_V$ and also solving the difficult problem DDH.

Scenario1 : $\mathcal{A}$ plays the role of V ehilce. In this scenario, $Inf{o}_V=\{A_3^{\mathrm{\prime }},A_4^{\mathrm{\prime }}\}$, $\mathcal{A}$ can get $Inf{o}_R=\{A_1,A_2,A_3,A_4\}$ by honest party RSU. To obtain SK, $\mathcal{A}$ needs to be obtained by calculating $g^{{\alpha }_4^{\mathrm{\prime }}}$ to obtain the credential $A_4^{\mathrm{\prime }}$ correctly.

Scenario2 : $\mathcal{A}$ plays the role of RSU. In this scenario, $Inf{o}_R=\{A_1,A_2,A_3,A_4\}$, $\mathcal{A}$ can get $A_3^{\mathrm{\prime }},A_4^{\mathrm{\prime }}$ by $send()$ query. To get $S{K}^{\prime }$, adversary $\mathcal{A}$ plays the role of RSU to interact with another honest party vehicle. To make the honest party vehicle believe that it is a real RSU. So, $\mathcal{A}$ should calculate $g^{{\alpha }_4}$and $E_i^{{\alpha }_2}$ to obtain $A_4$ correctly. $\mathcal{A}$ may have gotten some of the factors, but not all of them. Thus, $\mathcal{A}$ may only have partial information that has $E_i$. Only if $\mathcal{A}$ has correctly guessed factors can both parties infer the same SK.

Both cases show that only $\mathcal{A}$ can obtain $SK=S{K}^{\prime }$, and $\mathcal{A}$ can destroy the security of the scheme. Let us focus on $S{K}^{\mathrm{\prime }}=A{{}_3^{\mathrm{\prime }}}^{{\alpha }_4}\oplus {(\frac{A_4^{\mathrm{\prime }}}{E^{{\alpha }_1}})}^{{\alpha }_3}=E^{{\alpha }_3^{\mathrm{\prime }}{\alpha }_3}\oplus E^{{\mathrm{x}}^{\mathrm{\prime }}}$. From the correctness of the scheme, if $E^{{\mathrm{x}}^{\mathrm{\prime }}}=E^{{\alpha }_4^{\mathrm{\prime }}{\alpha }_4}$ then can be determined (true DDH tuple). If $E^{{\mathrm{x}}^{\mathrm{\prime }}}\ne E^{{\alpha }_4^{\mathrm{\prime }}{\alpha }_4}$, SK is a random string (non-DDH tuple). According to DDH assumption, we have, (6) $|Pr\left[S\mathrm{u}c{c}_{G4}\right]-Pr\left[S\mathrm{u}c{c}_{G3}\right]|\le Ad{v}_{\mathcal{A}}^{DDH}.$(6) Game5 : In $Game4$, all above oracles have been executed. After executing $Test()$ oracle, $\mathcal{A}$ has only guess b to win the game. So, (7) $Pr\left[S\mathrm{u}c{c}_{G5}\right]=\frac{1}{2}.$(7) From equation (2(2) $Adv(\mathcal{A})=\mid Pr[Suc{c}_{G0}]-\frac{1}{2}=\mid 2Pr[Suc{c}_{G0}]-1\mid .$(2) ), (3(3) $\mid Pr[Suc{c}_{G1}]-Pr[Suc{c}_{G0}]=0\mid .$(3) ) and (7(7) $Pr\left[S\mathrm{u}c{c}_{G5}\right]=\frac{1}{2}.$(7) ), we get, $$\begin{gathered} \frac{1}{2}Adv(\mathcal{A})=\mid Pr[Suc{c}_{G_0}]-\frac{1}{2}\mid =\mid Pr[Suc{c}_{G_1}]-Pr[Suc{c}_{G_5}]\mid \\ . \end{gathered}$$ In summary, we get, (8) $\begin{array}{r}\frac{1}{2}Adv(\mathcal{A})\le \mid Pr[Suc{c}_{G1}]-Pr[Suc{c}_{G2}]\mid \\ +\mid Pr[Suc{c}_{G2}]-Pr[Suc{c}_{G3}]\mid \\ \le \mid Pr[Suc{c}_{G1}]-Pr[Suc{c}_{G2}]\mid \\ +\mid Pr[Suc{c}_{G2}]-Pr[Suc{c}_{G3}]\mid \\ +\mid Pr[Suc{c}_{G3}]-Pr[Suc{c}_{G4}]\mid \\ +\mid Pr[Suc{c}_{G4}]-Pr[Suc{c}_{G5}]\mid \end{array}$(8) Finally, Equation  (8(8) $\begin{array}{r}\frac{1}{2}Adv(\mathcal{A})\le \mid Pr[Suc{c}_{G1}]-Pr[Suc{c}_{G2}]\mid \\ +\mid Pr[Suc{c}_{G2}]-Pr[Suc{c}_{G3}]\mid \\ \le \mid Pr[Suc{c}_{G1}]-Pr[Suc{c}_{G2}]\mid \\ +\mid Pr[Suc{c}_{G2}]-Pr[Suc{c}_{G3}]\mid \\ +\mid Pr[Suc{c}_{G3}]-Pr[Suc{c}_{G4}]\mid \\ +\mid Pr[Suc{c}_{G4}]-Pr[Suc{c}_{G5}]\mid \end{array}$(8) ) is simplified and the result is obtained: $$\begin{gathered} Adv(\mathcal{A})\le \frac{q_h^2}{2^l}+\frac{(q_s+q_e{)}^2}{p}+\frac{q_s}{2^{l-1}}+2Ad{v}_{\mathcal{A}}^{DDH} \\ . \end{gathered}$$

6.4. Analysis of security requirement

• Mutual authentication : By verifying the ID, password PW and biometric bio entered by the user, the vehicle can authenticate the user. The vehicle $V_i$ confirms the correctness of the session key SK by checking $HMAC(SK,Inf{o}_V)\underset{\_}{\underset{\_}{?}}{T}_V$. The RSU side confirms the correctness of the session key $S{K}^{\mathrm{\prime }}$ by checking $HMAC(S{K}^{\mathrm{\prime }},Inf{o}_R)\underset{\_}{\underset{\_}{?}}{T}_R$. So, our protocol supports mutual authentication between vehicle and RSU.

• Anonymity and traceability : The pseudo identity of the user is calculated by selecting a nonce and a hash function. If $\mathcal{A}$ intends to derive the real ID from the anonymous ID, it can achieve real ID from $PI{D}_i=h(I{D}_i||a_i)$. However, the nonce and hash functions are involved in the user's pseudo-identity, which ultimately allows for the anonymous user's true identity due to randomness and the one-way and irreversible nature of the hash function. TA can compute the corresponding between the user's real identity and pseudo-identity, so TA can track the user.

• Dynamic management : Different from the previous schemes, in our protocol, TA can set a reasonable time T according to the scenarios of users and vehicles, which gives TA more flexibility in managing users. For example, in some specific occasions with high security sensitive requirements, the time can be set shorter; In addition, certain time constraints can be given according to the user's honesty, which will be given when the time key is issued next time. For example, TA can know whether the state of the vehicle is bad by the state value $‘‘Ye{s}^{″}$ or ${}^{″}N{o}^{″}$ of the user and the vehicle in the table $T_{U_i}$, so that certain punishments or rewards can be given. Thus, the proposed scheme can realise the dynamic management function by setting the time key elastically.

• Forward security : In our scheme, ${\alpha }_1$, ${\alpha }_2$, ${\alpha }_3$, ${\alpha }_4$, ${{\alpha }_3}^{\mathrm{\prime }}$, and ${{\alpha }_4}^{\mathrm{\prime }}$ are selected randomly in ${\mathbb{Z}}_p^{\ast }$. So, in the case of long-term key $E_i$ disclosure, there is no need to worry about the security of the previously negotiated $S{K}_x$ of the current instance, so as to achieve forward security of the scheme.

• Session key security : SK and $S{K}_{\mathrm{\prime }}$ in our protocol are computed by equation $SK=A_3^{{\alpha }_4}\oplus {(\frac{A_4}{A_1^{(P_i+B_i+T_i)}})}^{{{\alpha }_3}^{\mathrm{\prime }}}$ and $S{K}^{\mathrm{\prime }}=A{{}_3^{\mathrm{\prime }}}^{{\alpha }_4}\oplus {(\frac{A_4^{\mathrm{\prime }}}{E^{{\alpha }_1}})}^{{\alpha }_3}$, where ${\alpha }_1$, ${\alpha }_3$, ${\alpha }_4$, ${{\alpha }_3}^{\mathrm{\prime }}$ are nonce numbers. Thus, $\mathcal{A}$ can't steal SK according to other leaked long-term parameters.

• Resistant against various kinds of attacks

  Replay Attack: The proposed scheme embeds random numbers ${\eta }_1$, ${\eta }_2$ and temporary session identifier $SI{D}_i$ into the calculation of authentication parameters in the authentication stage during a new round of session. Because these parameters are fresh for each instance, it can protect the instance from replay attack.

  Man-in-the-Middle-Attack: $\mathcal{A}$ may intend to eavesdropping an interactive message generated during the execution of the protocol, so as to simulate a legal vehicle or RSU. However, in our scheme, not only does the updated time key have to be verified, but also the corresponding identity of the vehicle or RSU. Thus, our scheme can be immune to this attack.

7. Performance analysis

7.1. Security attributes

In Table 1, we analyse and compare the security attributes of SAPIV (Chen et al., 2019), AKAHS (Jia et al., 2019), and EPAKA (Ma et al., 2019) with our scheme. MA denotes mutual authentication, DM denotes dynamic management, AT denotes anonymity and traceability, RA denotes resist replay attack, FS denotes forward security, √ represents corresponding safety features, × indicates that there are no corresponding safety requirements, and “-” means not considering corresponding security requirements. It can be found that our scheme has more security features.

Table 1. Security features comparison.

	MA	DM	AT	RA	FS
SAPIV	√	×	A3	√	−
AKAHS	√	×	√	√	√
EPAKA	√	×	√	√	√
Our	√	√	√	√	√

7.2. Computation cost

We analyse the computational costs of the authentication phases of our scheme and compare SAPIV (Chen et al., 2019), AKAHS (Jia et al., 2019), and EPAKA (Ma et al., 2019). Note that experimental comparison ignores the XOR and connection operation because their cost is negligible compared to hash and exponential operations. We define below the time required to perform some cryptographic operations by notation.

• $T_h$: Time to execute a hash function.

• $T_{exp}$: Time to execute an exponential operation on cyclic group G.

• $T_{pm}$: Time to execute a point multiplication operation in cyclic group G.

• $T_{HMAC}$: Time to execute an HMAC function.

• $T_{mexp}$: Time to execute a modular exponentiation operation.

• $T_{bp}$: Time to execute a bilinear pairing operation $e(P,Q)$.

The execution time of operations is completed with a PBC library (Lynn, 2006) and MIRACL library (Scott, 2005). Our hardware equipment composes of an Intel(R) i5-9500 CPU with 3.00 GHz clock frequency, 8G running memory and, centos7 operating system. The experiment selected 160-bit standard elliptic curve, ${\eta }_1$ and ${\eta }_2$ are nonces with a length of 80-bit. The execution time of the encryption operation, as shown in Table 2.

Table 2. Operation time.

Operation	Time (ms)
$T_h$	0.0007
$T_{exp}$	1.882
$T_{pm}$	8.006
$T_{HMAC}$	0.0167
$T_{mexp}$	4.576
$T_{bp}$	16.064

The is the result analysis of calculation cost. Table 3 shows the comparison details of computing overhead on different entities. For scheme SAPIV, smart cards are introduced in the scheme to store the user's identity information in the registration stage. In the login authentication stage, users only need to insert the smart card into the vehicle, and the vehicle loads the smart card to perform subsequent operations. So, in the entire identity authentication phase, the user can consider that there is no cryptographic operation. Therefore, the computation cost of the user $U_i$ is 0. The main operations are as shown in Table 3. The total execution time of $V_i$ and RSU is 22.8849 ms and 18.3082 ms respectively.

Table 3. Computational cost comparison.

	User (ms)	Vehicle/Fog Node (ms)	RSU/CS/TA (ms)
SAPIV	$/$	$7T_h+5T_{mexp}\approx 22.8849$	$6T_h+4T_{mexp}\approx 18.3082$
AKAHS	$5T_h+2T_{pm}+T_{bp}\approx 26.0735$	$4T_h+2T_{pm}+T_{bp}\approx 26.0728$	$11T_h+3T_{pm}+T_{bp}\approx 40.0897$
EPAKA	$4T_h+3T_{pm}\approx 24.0208$	$4T_h+4T_{pm}\approx 32.0268$	$11T_h+10T_{pm}\approx 80.0677$
Our scheme	$/$	$5T_h+T_{pm}+6T_{\exp }+2T_{HMAC}\approx 19.3349$	$2T_h+2T_{pm}+10T_{\exp }+2T_{HMAC}\approx 34.856$

For scheme AKAHS, the total execution time of $U_i$ and $F{N}_j$ and CS is 26.0735 ms, 26.0728 ms and 40.0897 ms respectively.

For scheme EPAKA, the total execution time of $U_i$, $F{N}_j$ and CS is 24.0208 ms, 32.0268 ms and 80.0677 ms respectively.

For our scheme, it is set that the user can directly input his or her own identity authentication information to the terminal equipment integrated in the vehicle, and the subsequent identity authentication can be delivered to the on-board unit embedded in the vehicle. Therefore, in the entire identity authentication phase, the user can be considered that there is no cryptographic operation. So, the computation cost of the user $U_i$ is 0. Thus, the total execution time of $V_i$ and RSU is 19.3349 ms and 34.856 ms respectively.

In Figure 7, our scheme has obvious advantages over AKAHS and EPAKA in terms of computing cost on vehicle side and RSU side.

Figure 7. Comparison of computing overhead on different entities.

In Figure 8, it shows the relationship between the number of vehicles or nodes and the server computing cost. The computing cost of the server increases linearly with the number of vehicles or nodes. Obviously, our scheme's computational overhead is better than AKAHS and EPAKA. Specifically, the computational cost of the proposed scheme in the authentication phase is about 40% lower than that of AKAHS. It is worth mentioning that although the computing cost is inferior to SAPIV, the proposed scheme provides more security features, such as the elastic setting of time keys to constrain the behaviour of vehicles and achieve dynamic management, which is worth it.

Figure 8. Comparison of computational overhead.

7.3. Communication cost

Here, to facilitate experimental comparison, the length of fixed ID, password, biometric, timestamp and random number is 32 bits by default, and use the symbol $|X|$ to denote the lengths of these parameters. The output value length of the fixed hash function is $|H|$, the length of the value in G is $|G|$, both of which are 160 bits.

The communication cost of our scheme, SAPIV (Chen et al., 2019), AKAHS (Jia et al., 2019), and EPAKA (Ma et al., 2019) are shown in Table 4. For SAPIV, smart cards are introduced to store the identity information of users in the registration stage. In the login authentication phase, the user only needs to insert the smart card into the vehicle, and then the vehicle loads the smart card to perform subsequent operations. Therefore, in the entire authentication phase, the user can consider that there is no data to be transmitted. So, the communication cost of the user is 0. So, the communication cost of vehicle $V_i$ and roadside unit RSU is 672 bits and 480 bits, respectively. This is why SAPIV is superior to the proposed scheme in terms of communication cost. For AKAHS, the communication cost of user, fog node and server is 544 bits, 1536 bits, and 512 bits, respectively. For EPAKA, the communication cost of user, fog node and server is 512 bits, 1856 bits and 832 bits, respectively. For our scheme, the communication cost of user, vehicle and RSU is 96 bits, 896 bits and 864 bits, respectively.

Table 4. Communication cost comparison.

	User (bits)	Vehicle/Fog Node (bits)	RSU/CS/TA (bits)
SAPIV	$/$	$|X|+|G|+3|H|=672$	$|X|+|G|+2|H|=480$
AKAHS	$|X|+|G|+2|H|=544$	$3|X|+4|G|+5|H|=1536$	$|X|+|G|+2|H|=512$
EPAKA	$|X|+|G|+2|H|=512$	$3|X|+6|G|+5|H|=1856$	$|X|+|3G|+2|H|=832$
Our scheme	$3|X|=96$	$3|X|+3|G|+2|H|=896$	$2|X|+4|G|+|H|=864$

In Figure 9, the communication cost experiment shows that the communication cost of several schemes of the same type shows a thread growth trend with the increase in the number of vehicles or nodes. The communication overhead of our scheme is obviously better than that of AKAHS and EPAKA. For example, the communication overhead of our scheme in the authentication phase is about 28% lower than that of AKAHS. So, the computing and communication overhead of our scheme is 35% lower than that of AKAHS. The computing cost is inferior to SAPIV, but the proposed scheme provides more security features, such as the elastic setting of time keys to constrain the behaviour of vehicles and achieve dynamic management.

Figure 9. Comparison of communication overhead.

8. Conclusion

We design a novel authentication and key agreement scheme for internet of vehicles based on fuzzy extractor and schnorr signature. The propose scheme can not only achieve secure and reliable authentication key agreement protocol, but also achieve forward security and resist common network attacks. In addition, the time key is elastically set to dynamically constrain the behaviour of the vehicle and realise the dynamic management function. The strict formal security analysis proves that the scheme is safe and reliable, and the analysis of computing cost and communication cost proves that the efficiency of the scheme is better than that of existing similar schemes, and it is more practical.

Disclosure statement

No potential conflict of interest was reported by the author(s).

Additional information

Funding

This work is supported by the National Natural Science Foundation of China [grant numbers 61922045, U21A20465, 62172292], and Science Foundation of Zhejiang Sci-Tech University (ZSTU) [grant number 22222266-Y].