Mitigating DoS Attacks against Signature-Based Authentication in VANETs
Li He and Wen Tao Zhu
State Key Laboratory of Information Security
Graduate University of Chinese Academy of Sciences
19A Yuquan Road, Beijing 100049, P. R. China
Email: lhe@is.ac.cn & wtzhu@ieee.org
Abstract—Vehicular ad hoc networks (VANETs) are supposed
to improve traffic safety and drivers’ experiences. In a typical
VANET, a vehicle broadcasts safety messages to its neighbors.
Since behaviors based on safety messages could be life-critical,
authentication of these messages must be guaranteed. Many
signature-based schemes have been proposed for authentica-
tion in VANETs, but few of them have addressed the problem
of denial of service (DoS) attacks against signature-based au-
thentication. In such a DoS attack, attackers can broadcast
forged messages with invalid signatures to force the receiving
vehicles to perform lots of unnecessary signature verifications,
and thus the benign vehicles cannot verify the messages from
other legitimate vehicles. Our scheme features a pre-
authentication process before signature verifying process to
deal with this kind of DoS attack. The pre-authentication
process takes advantage of the one-way hash chain and a
group rekeying scheme. Evaluations show that the proposed
scheme mitigates such DoS attacks effectively.
Keywords-vehicular ad hoc network; security and privacy;
authentication; denial of service
I. INTRODUCTION
Over the past few years, vehicular ad hoc networks
(VANETs) have attracted extensive attention from car manu-
facturers as well as wireless communication researchers. The
VANET is a self-organized network, which can be consi-
dered as a special implementation of the mobile ad hoc net-
work (MANET). VANET is formed with wireless communi-
cation devices known as on-board units (OBUs) equipped in
vehicles and fixed roadside units (RSUs). Vehicles can be
aware of the environment around them by communicating
with each other and with RSUs. VANETs are supposed to
improve traffic safety and drivers’ driving experiences. For
example, VANETs can provide some safety related services
such as warning of cars’ collision, reporting dangerous con-
ditions of the road and providing cooperative driving. Also,
it can provide some other services, e.g., the location-based
services.
According to the Dedicated Short-Range Communica-
tions (DSRC) standard, each vehicle broadcasts traffic re-
lated safety messages every 100-300 ms. The message con-
tains information of the vehicle’s position, direction, speed,
acceleration, etc. The security and privacy issues in VANET
must be carefully and properly addressed before it can be
widely deployed [1]. Since behaviors based on the safety
messages could be life-critical, the security of these messag-
es should be promised. Besides, people are more and more
This work was supported by the National Natural Science Foundation of
China under Grant 60970138.
___________________________________
978-1-4673-0089-6/12/$26.00 ©2012 IEEE

concerned about their privacy, and thus it is necessary to
protect drivers’ privacy information. Moreover, safety mes-
sages in VANETs must be processed with strict time con-
straints due to vehicles’ high mobility.
Lots of schemes have been proposed to achieve authenti-
cation in VANETs. They can be classified into two catego-
ries. One is based on symmetric cryptography, such as the
Timed Efficient Stream Loss-tolerant Authentication
(TESLA) protocol [2]. The other is based on asymmetric
cryptography, such as the Elliptic Curve Digital Signature
Algorithm (ECDSA) [3], the identity-based signature algo-
rithm [4] and the group signature algorithm [5]. In this paper,
we only focus on the authentication schemes based on
asymmetric cryptography. In other words, we are concerned
about the signature-based schemes. However, our scheme is
not limited to any specific signature algorithm.
An outside attacker can launch a DoS attack by repeated-
ly broadcasting forged messages with invalid signatures to
consume the benign vehicles’ computation resource and pre-
vent them from verifying the messages received from other
legitimate vehicles. Under such attacks, VANET loses a part
or all of its ability to provide services. We call this kind of
attack the DoS attack against signature-based broadcast au-
thentication. Since this kind of attack cannot be totally
avoided, our objective is to try to mitigate it as much as poss-
ible.
The paper is organized as follows. Section II reviews the
related work. Section III explains the models and involved
mathematics. Section IV discusses the details of the pro-
posed scheme. Section V presents the security and perfor-
mance evaluations. Section VI concludes the paper and gives
the future work.
II. RELATED WORK
In order to authenticate safety messages in VANETs, lots
of schemes have been proposed.
Zhang et al. [6] introduced a novel RSU-aided message
authentication scheme called RAISE. According to RAISE,
RSUs are responsible for checking the authenticity of the
messages by a message authentication code and notifying the
results back to vehicles. Lin et al. [2] developed a timed effi-
cient and secure vehicular communication (TSVC) scheme
to reduce the communication and computation overhead. The
scheme made a small change to the TESLA protocol and
applied it to VANETs.
 The two schemes above are based on symmetric crypto-
graphy, while more schemes are based on asymmetric cryp-
tography. Calandriello et al. [3] proposed that each vehicle
can generate an own set of pseudonyms and calculate a
group signature on each pseudonym to achieve the authenti-
cation in VANETs. Zhang et al. [4] introduced an efficient
batch signature verification scheme, in which an RSU can
verify a batch of identity-based signatures at the same time,
and thus the total time of verifying all the messages can be
reduced. Wasef et al. [5] employed an efficient group signa-
ture scheme supporting batch verification for VANETs,
which can also verify a large number of messages in a timely
manner. However, all these schemes have not considered the
DoS attack based on signatures.
Few of the studies have addressed the problem of DoS at-
tacks. Studer et al. [7] provided a hybrid authentication me-
chanism that combined the advantages of ECDSA and a
modified version of TESLA to deal with DoS attacks. A trial
period was suggested to reduce the DoS attacks based on
signatures. Wasef et al. [8] suggested that all the vehicles in
the network use the same group key to compute a hash-based
message authentication code (HMAC) on the message and
send it with the message. The receiver would check the sig-
nature only after the HMAC is verified.
Some research efforts have considered the problem of
signature-based DoS attacks in the wireless sensor network
(WSN). Ning et al. [9] presented an efficient mechanism
called message specific puzzle to mitigate such DoS attacks.
The mechanism added a weak authenticator in each broad-
cast packet, which can be verified quickly by a regular sen-
sor node but takes an attacker a large amount of time to forge.
Du et al. [10] used a sender-specific one-way key chain to
defend DoS attacks against signature-based broadcast au-
thentication in sensor networks.
III. PRELIMINARIES
A. System Model
As illustrated in Figure 1, a VANET consists of a trusted
authority (TA), mobile OBUs and fixed RSUs. The TA is in
charge of a city’s OBUs and RSUs. The TA is responsible
for cryptographic operations like issuing credentials to
RSUs/OBUs and when needed, revealing the real identity of
a misbehaving vehicle. An OBU (equivalently, a vehicle)
can communicate with other OBUs through vehicle-to-
vehicle (V2V) communication and communicate with RSUs
through vehicle-to-infrastructure (V2I) communication. We
focus on V2V communication in this paper. In V2V commu-
nication, we assume that an OBU broadcasts safety messages
to its neighboring OBUs every 300 ms and the receiving
OBUs need to authenticate the messages. All the vehicles
can be time synchronized via an external time reference.
We assume that a packet sent by a node is received by a
neighboring node before a third node can replay the packet to
it [11]. It means that when a vehicle broadcasts a message,
its neighbors will receive the message before they receive a
copy forwarded (maybe modified) by any other vehicle. This
is true because of the triangular inequality.

Figure 1. A vehicular ad hoc network formed by OBUs and RSUs
B. Threat Model
The TA and RSUs are trusted. Similar to the research ef-
fort in [8], we only consider the outside attacker, who does
not have the secret group key shared between the TA and
non-revoked vehicles. A vehicle with the current group key
is considered to be legitimate. We assume that the legitimate
vehicles can be trusted and always execute the protocol cor-
rectly. Once a vehicle is found misbehaving, it will be re-
voked by the TA at once and have no way to get the new
group key. RSUs can get the new group key through the
communication with the TA and the details are omitted in
this paper.
Since most of the proposed authentication schemes are
based on signatures, an outside adversary can forge lots of
bogus messages with invalid signatures and broadcast them.
As a result, receivers will consume the computation resource
to verify the invalid signatures. If the forged messages domi-
nate the messages to be verified, legitimate messages from
benign vehicles would be dropped since they cannot be veri-
fied in time. This kind of attack is referred to as the DoS
attack against signature-based authentication. We do not
consider the DoS attack caused by channel jamming.
When the TA broadcasts revocation messages signed
with the TA’s private key, it first broadcasts them to the
RSUs (through the wired secure channel) and then RSUs
broadcast them to OBUs. These messages are transmitted via
V2I communication and they are sent much less frequently
than the messages are sent in V2V communication. V2I
communication can be distinguished from V2V communica-
tion (maybe at the physical layer). As our focus in this paper
is V2V communication, we do not consider DoS attacks
based on signatures of these revocation messages.
C. One-way Hash Chain
The properties of the one-way hash function are as fol-
lows (H denotes the hash function):
x H(x) takes a message of arbitrary length as input and
produces a message of fixed length as output.
x When given x, it is easy to compute y = H(x). But it
is hard to compute x = H-1(y) when given y.
 x When given x, it is computationally infeasible to find
x ' z x satisfying H(x') = H(x).
x It is computationally infeasible to find a pair of x and
x' satisfying x ' z x and H(x') = H(x).
The one-way hash chain is generated as follows:
 Kn1 H( Kn ),..., Ki1 H (Ki ),..., K0 H (K1),1  i  n 
Where Kn is called the seed of the chain and K0 is called
the commitment of the chain. When the chain is used, the
elements of the chain are revealed in a reverse order. In other
words, with the knowledge of the commitment value K0, a
verifier can authenticate K1, K2, …, Kn in the key chain by
performing a few hash functions. If some of the intermediate
values are missed, the verifier can still check the authenticity
of the received value Kj based on the last authenticated value
Ki, since Hj-i(Kj) = Ki, where i < j.
IV. THE PROPOSED SCHEME
In this section, we present the pre-authentication process
and the group rekeying scheme. The pre-authentication is
similar to the pre-authenticator in [10] and the traffic authen-
tication in [11]. Since safety messages must be processed in
strict delay constraints, we do not take the scheme of mes-
sage specific puzzles [9] as a solution because the generation
of a puzzle would introduce a long delay at the sender side.
We append a chain value of the one-way hash chain to the
message instead of appending an HMAC to the message [8]
because it is computationally more efficient to compute a
chain value (a hash over a key of a small fixed size) than to
compute an HMAC over the entire message.
A. System Setup
The TA issues each legitimate vehicle the corresponding
credentials used for signing the messages. For example, the
certificates for the ECDSA scheme and the identities asso-
ciated with the secret keys for the identity-based signature
scheme. Notice that all the credentials are based on pseudo-
nyms, which will be used in communication for the purpose
of privacy protection.
The TA has a symmetric key pool P. Each vehicle Vi (i
denotes the i-th vehicle) is preloaded with a set of distinct
keys Ri from the key pool, an initial group key kg, and a
pseudo-random function f. Keys in Ri are used as encryption
keys , kg is used to calculate the HMAC on the commitment
message, and f is used to update the keys in vehicles. Each
key in the key pool has a unique id. The vehicles can reveal
some key ids in certain situations but none of them is al-
lowed to reveal the real values of the keys loaded in them.
The TA maintains a database recording each vehicle’s real
identity along with its credentials and the preloaded key set.
It also maintains a revocation database about the revoked
vehicles along with their corresponding information.
In this paper, we denote id as a symmetric key’s identity
and ID as a vehicle’s identity. We define k as the symmetric
key preloaded in vehicles and K as the value in a hash chain.

B. The Pre-authentication Process
When a vehicle Vi wants to broadcast safety messages, it
first generates a hash chain from a random seed Si, where Ki,n
= Si and Ki,l = Hj-l(Ki,j) ( 0 d l  j d n ), in which Ki,j is the j-
th value of the i-th vehicle’s hash chain. Each value in the
chain (except the commitment Ki,0) will be attached to a safe-
ty message. The commitment is contained in the commit-
ment message broadcast with an HMAC. The format of the
commitment message is as follows:
 PIDi | 0 | Ki ,0 | Ti,0 | HMAC kg ( PIDi , 0, K i ,0 , Ti ,0 ) 
Where PIDi is one of the sender’s pseudo identities, the
next value denotes the index of the element released in the
hash chain and 0 means that the value revealed in the mes-
sage is the commitment of the chain, Ki,0 is the correspond-
ing commitment, and Ti,0 is the timestamp. The HMAC is
calculated using the group key kg shared between the TA and
non-revoked vehicles. The commitment message should be
broadcast periodically, where the broadcasting period in-
volves a tradeoff between security and communication cost.
On the receiver side, it first verifies the HMAC with its
own secret group key. After verifying successfully, the re-
ceiver maintains a record for the sender, which includes the
sender’s PIDi, the corresponding commitment Ki,0, and the
timestamp of the commitment message (i.e., Ti,0).
The format of the safety messages is as follows:
 PIDi | j | M i , j | V i , j | K i , j 
Where j is the index of the revealed value in the hash
chain, Mi,j denotes the information of the j-th safety message
of the i-th vehicle,  i , j is the signature of the j-th message,
and Ki,j is the j-th value in the hash chain. The timestamp Ti,j
is included in the message Mi,j.
Upon receiving a message, the receiver first checks
whether the time difference between Ti,j and the instant time
Mi,j was received is less than a threshold to prevent the replay
attack. Then the receiver checks whether it is the right time
to release the value in the hash chain by checking Ti,j = Ti,l +
300(j-l) ms (vehicles broadcast safety messages every 300
ms), where Ti,l is the timestamp of the l-th message of the i-th
vehicle buffered in the record of the receiving vehicle. If the
equation holds, it means Ti,j is the right time to release the j-
th chain value. If both of the conditions hold, it will further
check whether Ki,j is the j-th element in the hash chain of
PIDi by performing a few hash functions since Ki,l = Hj-l(Ki,j)
(l<j). Only if all of the checking conditions are satisfied, the
receiver will consider the pre-authentication process is suc-
cessful and decide to verify the signature of the safety mes-
sage; otherwise it stops verifying and discards the message.
The receiver updates the records with each PID’s hash
chain value and the corresponding timestamp based on its
verified messages. Even if some of the intermediate messag-
es are lost, the receiver can still pre-authenticate Mi,j by
checking whether Ti,j is the time to release Ki,j and authenti-
cating Ki,j based on the property of the one-way hash chain.
If a receiver does not have the sender’s commitment
when it receives some safety messages from a sender, it may
choose to wait for the commitment message, or it can decide
to verify one of the signatures if it has pre-authenticated the
consistency of the chain values in the messages (i.e., the
chain values attached to the messages satisfy the property of
the one-way hash chain). In the second situation, once the
signature is authenticated, the receiver records the corres-
ponding PID, chain value and timestamp of the sender; oth-
erwise it will refuse to verify the signatures from the same
sender until it receives a correct commitment message from
the sender. In both situations, the receiver can pre-
authenticate the sender in the future. However, the decision
is based on the receiver’s policy, which is a tradeoff between
security and efficiency.
Once a sender changes its pseudo identity, it can create a
new hash chain and then process as before.
C. Group Rekeying Scheme
When a vehicle Vu is revoked, its ID with all its creden-
tials should be added to the revocation database. Besides, all
the keys in Ru and the current group key kg are considered to
be revoked, too. Therefore, the non-revoked vehicles need to
update their symmetric key sets and the current group key.
Our group rekeying scheme is inspired by [12], which is
based on the research effort of [13]. The processes are as
follows:
x The TA determines z, the id of the non-revoked
symmetric key that is possessed by the maximum
number of the non-revoked vehicles. Then the TA
calculates an intermediate key kim f k z (k g ) and a
new group key k g ' f kim (0) . After that, it broad-
casts a revocation message containing z, the ids of
the symmetric keys in the revoked vehicle, and
f k g ' (0) . f k g ' (0) will be used for a vehicle to verify
the authenticity of the new group key k g ' that it cal-
culates based on the revocation message. The mes-
sage is signed with the TA’s private key.
x After verifying the revocation message, the vehicles
with kz can compute the intermediate key kim inde-
pendently.
x If any vehicle Vw does not have the key kz after veri-
fying the revocation message, it randomly selects r
keys out of its symmetric key set Rw and broadcasts
the ids of the selected keys to its neighboring ve-
hicles to request the intermediate key. It also starts a
timer T.
x All the neighboring vehicles of Vw search their key
sets to find a shared key with Vw. If any neighboring
vehicle finds a shared key, it uses the shared key to
encrypt kim and sends the encrypted kim to Vw along
with the encryption key’s id.
x If the timer T is timed out and Vw does not receive
any required data, it will select another set of r keys
and try again.

x When a vehicle has the data necessary to update the
keys, it computes the new group key k g ' f kim (0)
and verifies it by checking if f k g ' (0) is equal to the
corresponding value received in the revocation mes-
sage.
x After calculating the new group key, each vehicle al-
so updates its symmetric key set. For example, Vw
updates every key kp in Rw as k p ' f k p (0) . However,
if kp was held by the revoked Vu, the vehicles that
hold k p ' further update k p ' as k p ' f kim (k p ') .
x Finally, non-revoked vehicles erase kim and the orig-
inal kp’s.
The revoked vehicle cannot compute k g ' since it does
not have kz. Furthermore, it cannot get kim from neighboring
vehicles because the revocation message contains the ids of
its symmetric keys, which prevents it from having shared
keys with other benign vehicles.
If a vehicle misses a group rekeying event, it is still able
to update any keys that are not revoked (i.e., k p ' f k p (0) )
and then obtains the current group key through the shared
keys with other non-revoked vehicles. As long as a vehicle
possesses some keys that have not been revoked, it can al-
ways get the current group key even if it has missed some
rekeying events. However, if a vehicle has missed a number
of rekeying events and all of its symmetric keys are revoked,
it has to turn to the RSU for the current group key and maybe
a set of new symmetric keys.
When a vehicle enters a new city (different from its reg-
istration city), it can get the current group key of the new city
from the nearest RSU after it proves its legitimacy to the
RSU (though V2I communication). As aforementioned in
section III-B, a vehicle with the correct group key is thought
to be legitimate. Then the vehicle can use it to bootstrap its
trust with other vehicles. Here, we assume that it would not
stay in the new city for a long time. Therefore, it just needs
to communicate with RSUs to get the updated group key but
without getting a large set of symmetric keys.
V. EVALUATIONS
A. Security Evaluation
In our scheme, the HMAC in the commitment message is
calculated with the group key shared between the TA and
non-revoked vehicles. This assures that only the legitimate
vehicles can create a valid commitment message while an
outside attacker cannot forge a correct commitment message
since it does not have the group key.
An attacker may try to guess the chain value that will be
released in the next message of a legitimate vehicle and
broadcast a message with it trying to pass the pre-
authentication. However, the property of one-way hash chain
promises that it is computationally infeasible for an attacker
to find the next chain value. Therefore, only the sender
knows the key element of the chain and can release it. As a
result, we can authenticate the legitimacy of the message by
authenticating the chain elements.
 Moreover, if an attacker receives a legitimate message, it
may replace the actual message with some bogus message
but keep the same chain value and re-broadcast the modified
message trying to deceive other vehicles into verifying the
signature. But according to the triangular inequality, a re-
ceiver will receive a message broadcast by a sender before it
receives a copy forwarded (maybe modified) from an attack-
er. Therefore, the receivers who have received the modified
message will consider it as forged because they have already
verified the same chain value before.
The receiver will verify the signature of a message only
after the message has passed the one-way hash chain-based
pre-authentication; otherwise it refuses to verify the signa-
ture. As a result, our scheme can mitigate such DoS attacks
against signature-based authentication.
B. Performance Evaluation
700
with pre-authentication (10% invalid)
without pre-authentication (10% invalid)
600 with pre-authentication (30% invalid)
without pre-authentication (30% invalid)
no attack
Authentication delay (ms)
500
400
300
240.05
200
240
100
100
60 80 100 120 140 160
Number of valid signatures (n)
Figure 2. Authentication delay under different scenarios
When we evaluate the performance of our scheme, we
select ECDSA as our signature scheme. According to [8], the
operation of the secure hash algorithm-1 (SHA-1) is 0.42 μs
and verifying a signature using ECDSA takes 2.4 ms.
We evaluate the authentication delay under different sce-
narios in Figure 2. The black star line indicates the scenario
where there is no DoS attack. In the scenarios where there
are DoS attacks, we add the number of invalid signatures to
be 10% and 30% of the number of valid signatures and show
the differences between the scenarios with a pre-
authentication process and without a pre-authentication
process. From the embedded small figure of Figure 2, we can
see that the pre-authentication has little effect on the authen-
tication delay compared with the scenario where there is no
DoS attack. On the other hand, without pre-authentication,
the authentication delay would be significantly influenced if
there is a DoS attack. As a result, the proposed pre-
authentication process can effectively detect the invalid sig-
natures. In other words, the proposed scheme can effectively
mitigate such DoS attacks against signature-based authenti-
cation in VANETs.
VI. CONCLUSION
Since most of the authentication schemes for VANETs
are based on signatures, outside attackers can forge messages
with invalid signatures in order to exhaust a receiver’s re-
source to verify the invalid signatures. This would cause a
DoS attack, which can prevent the benign vehicles from veri-
fying other legitimate signatures and eventually cripples
VANETs. We suggest adding a pre-authentication process,
which makes use of the one-way hash chain and a group
rekeying scheme. A receiver would verify a signature only
after the message has passed the pre-authentication process.
Evaluations demonstrate that our scheme can mitigate such
DoS attacks effectively.
As part of our future work, we will investigate how to
deal with the DoS attacks from inside attackers.
REFERENCES
[1] M. Raya and J.-P. Hubaux, “Securing vehicular ad hoc networks,”
Journal of Computer Security, vol. 15, pp. 39-68, Jan. 2007.
[2] X. Lin, X. Sun, X. Wang, C. Zhang, P.-H. Ho, and X. Shen, “TSVC:
Timed efficient and secure vehicular communications with privacy
preserving,” IEEE Transactions on Wireless Communications, vol. 7,
pp. 4987-4998, Dec. 2008.
[3] G. Calandriello, P. Papadimitratos, J.-P. Hubaux, and A. Lioy,
“Efficient and robust pseudonymous authentication in VANET,” in
proc. 4th ACM International Workshop on Vehicular Ad Hoc
Networks (VANET’07), pp. 19-28, Sept. 2007.
[4] C. Zhang, R. Lu, X. Lin, P.-H. Ho, and X. Shen, “An efficient
identity-based batch verification scheme for vehicular sensor
networks,” in proc. 27th IEEE Conference on Computer
Communications (INFOCOM’08), pp. 816-824, Apr. 2008.
100.01 [5] A. Wasef and X. Shen, “Efficient group signature scheme supporting
batch verification for securing vehicular networks,” in proc. IEEE
180 200 International Conference on Communications (ICC) 2010, pp. 1-5,
May 2010.
[6] C. Zhang, X. Lin, R. Lu, and P.-H. Ho, “RAISE: An efficient RSU-
aided message authentication scheme in vehicular communication
networks,” in proc. IEEE International Conference on
Communications (ICC) 2008, pp. 1451-1457, May 2008.
[7] A. Studer, F. Bai, B. Bellur, and A. Perrig, “Flexible, extensible, and
efficient VANET authentication,” Journal of Communications and
Networks, vol. 11, pp. 574-588, Dec. 2009.
[8] A. Wasef, R. Lu, X. Lin, and X. Shen, “Complementing public key
infrastructure to secure vehicular ad hoc networks,” IEEE Wireless
Communications, vol. 17, pp. 22-28, Oct. 2010.
[9] P. Ning, A. Liu, and W. Du, “Mitigating DoS attacks against
broadcast authentication in wireless sensor networks,” ACM
Transactions on Sensor Networks, vol. 4, no.1, Jan. 2008.
[10] X. Du, M. Guizani, Y. Xiao, and H.-H. Chen, “Defending DoS
attacks on broadcast authentication in wireless sensor networks,” in
proc. IEEE International Conference on Communications (ICC) 2008,
pp. 1653-1657, May 2008.
[11] S. Zhu, S. Xu, S. Setia, and S. Jajodia, “LHAP: A lightweight hop-by-
hop authentication protocol for ad-hoc networks,” in proc. 23rd
International Conference on Distributed Computing Systems
Workshops, pp. 749-755, May 2003.
[12] A. Wasef and X. Shen, “REP: Location privacy for VANETs using
random encryption periods,” Mobile Networks and Applications, vol.
15, pp. 172-185, Feb. 2010.
[13] S. Zhu, S. Setia, S. Xu, and S. Jajodia, “GKMPAN: An efficient
group rekeying scheme for secure multicast in ad-hoc networks,”
Journal of Computer Security, vol. 14, pp. 301-325, July 2006.