An Efficient Identity-Based Conditional Privacy-Preserving Authentication Scheme For Vehicular Ad Hoc Networks
All content following this page was uploaded by Debiao He on 28 July 2016.
Abstract— By broadcasting messages about traffic status to vehicles wirelessly, a vehicular ad hoc network (VANET) can improve traffic safety and efficiency. To guarantee secure communication in VANETs, security and privacy issues must be addressed before their deployment. The conditional privacy-preserving authentication (CPPA) scheme is suitable for solving security and privacy-preserving problems in VANETs, because it supports both mutual authentication and privacy protection simultaneously. Many identity-based CPPA schemes for VANETs using bilinear pairings have been proposed over the last few years to enhance security or to improve performance. However, it is well known that the bilinear pairing operation is one of the most complex operations in modern cryptography. To achieve better performance and reduce computational complexity of information processing in VANET, the design of a CPPA scheme for the VANET environment that does not use bilinear pairing becomes a challenge. To address this challenge, we propose a CPPA scheme for VANETs that does not use bilinear pairing and we demonstrate that it could support both the mutual authentication and the privacy protection simultaneously. Our proposed CPPA scheme retains most of the benefits obtained with the previously proposed CPPA schemes. Moreover, the proposed CPPA scheme yields a better performance in terms of computation cost and communication cost, making it suitable for use by the VANET safety-related applications.

Index Terms— Authentication, bilinear pairing, elliptic curve, vehicular ad-hoc networks.

I. INTRODUCTION

The Vehicular Ad-hoc Network (VANET), a variant of the Mobile Ad-hoc Network (MANET), is a continuously self-configuring, infrastructure-less network which has emerged as a result of advances in wireless communications and networking technologies over the last few years [1]–[4]. Mobile nodes in VANETs are vehicles equipped with On-Board Units (OBUs), which are wireless communication devices. OBUs enable vehicles in VANETs to exchange traffic messages with nearby mobile nodes.

A typical structure of the VANET is shown in Fig. 1. Communications in VANETs can be divided into two types: Vehicle-to-Vehicle (V2V) communication and Vehicle-to-Infrastructure (V2I) communication. Both types of communications are controlled by a short-range wireless communication protocol, called the Dedicated Short Range Communication (DSRC) protocol. By using the OBU and the DSRC protocol, each vehicle can communicate with nearby vehicles and Road Side Units (RSUs) located at roadside and can communicate with the traffic control center through the Internet. According to the specification of the DSRC protocol, each vehicle periodically broadcasts messages about road traffic and vehicles' conditions every 100–300 milliseconds, where road traffic conditions include weather conditions, road defects, congestion situation, etc. and vehicles' conditions include location, speed, traffic status, etc. [5], [6]. Upon receipt of these messages, other vehicles could change their traveling routes in order to avoid possible traffic events such as traffic congestion, traffic accidents, etc. Besides, RSUs can also send messages about traffic conditions to the traffic control center. Based on received messages, the traffic control center can take some timely actions (such as adjusting traffic lights) to improve traffic safety and efficiency. All the aforementioned benefits make VANET a promising technology for the modern intelligent transportation system.

Due to the wireless communication mode, adversaries against VANETs could control communication channels fairly easily, i.e. adversaries could intercept, modify, replay and

Manuscript received May 14, 2015; revised July 24, 2015; accepted July 24, 2015. Date of publication August 31, 2015; date of current version September 30, 2015. The work of D. He was supported in part by the National Natural Science Foundation of China under Grant 61373169, Grant 61572379, and Grant 61501333, in part by the National High-Tech Research and Development Program of China (863 Program) under Grant 2015AA016004, in part by the Fujian Provincial Key Laboratory of Network Security and Cryptology Research Fund through Fujian Normal University under Grant 15011, and in part by the Natural Science Foundation of Hubei Province of China under Grant 2015CFB257. The work of B. Xu was supported in part by the National Natural Science Foundation of China under Grant 91418202 and Grant 61472178 and in part by the National Key Basic Research and Development Program of China under Grant 2014CB340702. The work of X. Huang was supported in part by the National Natural Science Foundation of China under Grant 61472083 and Grant U1405255, in part by the Fok Ying Tung Education Foundation under Grant 141065, in part by the Program for New Century Excellent Talents in Fujian University under Grant JA14067, in part by the Distinguished Young Scholars Fund, Fujian Province, China, and in part by the State Key Laboratory of Cryptology Research Fund. The associate editor coordinating the review of this manuscript and approving it for publication was Prof. Willy Susilo. (Corresponding author: Xinyi Huang.)

D. He is with the State Key Laboratory of Software Engineering, Computer School, Wuhan University, Wuhan 430072, China, and also with the Fujian Provincial Key Laboratory of Network Security and Cryptology, Fujian Normal University, Fuzhou 350007, China (e-mail: hedebiao@163.com).

S. Zeadally is with the College of Communication and Information, University of Kentucky, Lexington, KY 40506 USA (e-mail: szeadally@uky.edu).

B. Xu is with the Department of Computer Science and Technology, Nanjing University, Nanjing 210093, China (e-mail: bwxu@nju.edu.cn).

X. Huang is with the Fujian Provincial Key Laboratory of Network Security and Cryptology, School of Mathematics and Computer Science, Fujian Normal University, Fujian 350007, China, and also with the State Key Laboratory of Cryptology, Beijing 100878, China (e-mail: xyhuang81@gmail.com).

Color versions of one or more of the figures in this paper are available online at http://ieeexplore.ieee.org.

Digital Object Identifier 10.1109/TIFS.2015.2473820
1556-6013 © 2015 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission.
See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.
2682 IEEE TRANSACTIONS ON INFORMATION FORENSICS AND SECURITY, VOL. 10, NO. 12, DECEMBER 2015
many public/private key pairs and corresponding certificates are pre-loaded into vehicles' OBUs. In each communication, the vehicle's OBU chooses a public/private key pair randomly and uses it to implement functions of authentication and integrity. Raya and Hubaux's scheme [9] suffers from the following weaknesses: 1) Each vehicle should have very large storage space to store its public/private key pairs and the corresponding certificates; 2) The authority should also have a very large storage space to store all vehicles' certificates; 3) It is difficult to find the adversary's real identity when he/she sends the wrong message because the authority has to perform an exhaustive search of all stored certificates.

To address the weaknesses in Raya and Hubaux's scheme, Lu et al. [12] proposed a new CPPA scheme using anonymous certificates. The vehicle in Lu et al.'s CPPA scheme obtains a temporary anonymous certificate when it passes by an RSU. To achieve conditional privacy, each vehicle has to request a new anonymous certificate from an RSU frequently because the adversary could trace a vehicle if a certificate is used for a long time. However, frequent interactions with RSUs are not efficient. Therefore, Lu et al.'s CPPA scheme cannot satisfy the requirement of efficiency in VANETs [13]. To overcome the weakness in Lu et al.'s CPPA scheme, Freudiger et al. [13] combined technologies of anonymous certificates and mix-zones to design a new CPPA scheme. However, in this modified CPPA scheme, the vehicles and the RSUs have to store a large number of anonymous certificates. Zhang et al. [14] used the Hash Message Authentication Code (HMAC) to construct an efficient CPPA scheme for VANETs where the key for the HMAC is generated through a key agreement protocol executed between the vehicle and the RSU. To achieve privacy, the vehicle must use a different private/public key pair along with the corresponding certificate in each communication with the RSU. Therefore, vehicles have to store a large number of private/public key pairs and the corresponding certificates.

To address the certificate management problem in the above PKI-based CPPA schemes [11]–[14], Zhang et al. [15], [16] incorporated the IDentity-based Public Key Cryptography (ID-based PKC) into the design of CPPA schemes. The concept of the ID-based PKC was proposed by Shamir [17] in 1984. The identity (such as name, email and phone number) of the user in the ID-based PKC is his/her public key and his/her private key is generated by a trusted third party called the Private Key Generator (PKG). In this case, no certificate is needed to bind the user's identity to his/her public key. Therefore, the ID-based PKC could solve the certificate management problem in the PKI. Zhang et al. [15], [16] proposed an Identity-Based Signature (IBS) scheme and used it in an Identity-based Conditional Privacy-Preserving Authentication (ID-based CPPA) scheme for VANETs. Neither the vehicle nor the RSU in Zhang et al.'s ID-based CPPA scheme needs to store a certificate. Besides, their scheme incurs a lower verification cost because it supports the function of batch verification, i.e., it could verify the validity of many messages simultaneously. Therefore, Zhang et al.'s ID-based CPPA scheme could overcome weaknesses in previous PKI-based CPPA schemes [11]–[14].

However, as Lee and Lai [18] pointed out, Zhang et al.'s ID-based CPPA scheme [15], [16] is vulnerable to the replay attack and cannot satisfy the property of non-repudiation. Later, Chim [1] pointed out that Zhang et al.'s ID-based CPPA scheme is vulnerable to the impersonation attack and the anti-traceability attack. Chim [1] also proposed another ID-based CPPA scheme for VANETs. With only two shared secrets, Chim's ID-based CPPA scheme [1] could satisfy the privacy requirements in VANETs. Besides, Chim's ID-based CPPA scheme [1] has lower communication costs than previously proposed ID-based CPPA schemes. However, Horng et al. [19] found that Chim's ID-based CPPA scheme was vulnerable to the impersonation attack, i.e., a malicious vehicle could impersonate any other vehicle to broadcast counterfeit messages. To improve performance, Shim [20] proposed an efficient IBS scheme and used it to design an efficient ID-based CPPA scheme. Unfortunately, Liu et al. [21] pointed out that a security flaw exists in the proof of Shim's IBS scheme and Shim's ID-based CPPA scheme suffers from a modification attack, i.e., the adversary can generate a new legal message by modifying a previous message.

Recently, Zhang et al. [22] and Bayat et al. [23] found that Lee and Lai's ID-based CPPA scheme [18] cannot withstand the impersonation attack, i.e., a malicious vehicle could impersonate any other vehicle to broadcast a forged message. Zhang et al. [22] also pointed out that Lee and Lai's ID-based CPPA scheme [18] cannot provide non-repudiation of messages. To enhance the security of previous schemes, Zhang et al. [22] and Bayat et al. [23] also proposed two improved ID-based CPPA schemes for VANETs. By modifying the process of generating the anonymous identity and the digital signature, Zhang et al.'s ID-based CPPA scheme [22] and Bayat et al.'s ID-based CPPA scheme [23] could solve security problems in Lee and Lai's ID-based CPPA scheme [18] and have better computation performance results. Despite these improvements, Zhang et al.'s ID-based CPPA scheme [22] and Bayat et al.'s ID-based CPPA scheme [23] still suffer from the modification attack proposed by Liu et al. [21].

III. BACKGROUND

A. Network Model

According to novel research [26]–[28], the two-layer network model is very suitable for VANETs. The various components of the network model are shown in Fig. 2. The upper layer of the network model consists of a Trusted Authority (TA) and an Application Server (AS), where they could communicate with each other through a secure channel that can be established through the Secure Socket Layer (SSL) protocol. The bottom layer of the network model consists of an RSU and a vehicle, where they could communicate with each other through the DSRC protocol. The details of those four participants are described as follows.

• TA: The TA is a trusted third party with high computation and communication capabilities. It is responsible for generating system parameters and preloading them in the OBU of the vehicle offline. It is the only participant
6) The TA sends the system parameters $params = \{p, q, a, b, P, P_{pub}, h_1, h_2, h_3\}$ to all RSUs and vehicles.

B. Anonymous Identity Generation and Message Signing Phase

In this phase, the vehicle's tamper-proof device generates an anonymous identity and a digital signature of a message. After that, the vehicle broadcasts the anonymous identities, the message and the digital signature to nearby RSUs and vehicles. The following steps are executed during this phase.

1) The vehicle inputs its real identity $RID$ and password $PWD$ into its tamper-proof device. The tamper-proof device checks if $RID$ and $PWD$ are equal to the stored ones. The tamper-proof device rejects the request if one of them and the corresponding stored one are not equal.

2) The tamper-proof device generates a random number $w_i \in Z_q^*$ and computes $AID_{i,1} = w_i \cdot P$, $AID_{i,2} = RID \oplus h_1(w_i \cdot P_{pub})$, $\alpha_i = h_2(AID_i \| T_i)$, and $sk_i = w_i + \alpha_i \cdot x \bmod q$, where $AID_i = \{AID_{i,1}, AID_{i,2}\}$ and $T_i$ is the current timestamp. Then, the tamper-proof device gives $\{AID_i, sk_i, T_i\}$ to the vehicle.

3) The vehicle generates a random number $r_i \in Z_q^*$, and computes $R_i = r_i \cdot P$, $\beta_i = h_3(AID_i \| T_i \| R_i \| M_i)$ and $\sigma_i = sk_i + \beta_i \cdot r_i \bmod q$, where $M_i$ is a message about traffic

Therefore, the correctness of the single verification of one message is proved.

• Batch verification of multiple messages: To guarantee the non-repudiation of signatures using batch verification, we use the small exponent test technology [19], [22] in the batch verification of multiple messages. A vector, consisting of small random integers, is used to quickly detect any modification of a batch of signatures in the small exponent test technology. Upon receiving multiple messages $\{M_1, AID_1, T_1, R_1, \sigma_1\}$, $\{M_2, AID_2, T_2, R_2, \sigma_2\}$, …, $\{M_n, AID_n, T_n, R_n, \sigma_n\}$ sent by some vehicles, the verifier uses the system parameters $params = \{p, q, a, b, P, P_{pub}, h_1, h_2, h_3\}$ to verify the validity of those messages through the following steps.

1) The verifier checks the freshness of $T_i$, where $i = 1, 2, \ldots, n$. If it is not fresh, the verifier rejects the message.

2) The verifier chooses a vector $v = \{v_1, v_2, \ldots, v_n\}$ randomly, where $v_i$ is a small random integer in $[1, 2^t]$ and $t$ is a small integer and has very little computation overhead. Afterwards, the verifier checks if the following equation holds.

$$\left(\sum_{i=1}^{n} v_i \cdot \sigma_i\right) \cdot P = \sum_{i=1}^{n} \left(v_i \cdot AID_{i,1}\right) + \left(\sum_{i=1}^{n} v_i \cdot \alpha_i\right) \cdot P_{pub} \;\cdots$$
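The signing steps and the small exponent batch check above, as a runnable sketch added here (not the authors' code). Assumptions: secp256k1 and SHA-256 stand in for the paper's curve and for $h_1$, $h_2$, $h_3$; the freshness window, function names and sample messages are constructed; the $\beta_i \cdot R_i$ term of the batch sum, cut off in this copy, is taken from the single-message equation $\sigma_i \cdot P = AID_{i,1} + \alpha_i \cdot P_{pub} + \beta_i \cdot R_i$.

```python
import hashlib
import secrets

# Assumption: secp256k1 stands in for the paper's curve (p, q, a, b, P).
p = 2**256 - 2**32 - 977
a, b = 0, 7
q = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
P = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
O = None     # point at infinity
MAX_AGE = 5  # assumed freshness window for T_i, in seconds

def add(A, B):  # affine point addition
    if A is O or B is O:
        return B if A is O else A
    (x1, y1), (x2, y2) = A, B
    if x1 == x2 and (y1 + y2) % p == 0:
        return O
    if A == B:
        lam = (3 * x1 * x1 + a) * pow(2 * y1, -1, p) % p
    else:
        lam = (y2 - y1) * pow((x2 - x1) % p, -1, p) % p
    x3 = (lam * lam - x1 - x2) % p
    return (x3, (lam * (x1 - x3) - y1) % p)

def mul(k, A):  # double-and-add scalar multiplication k*A (not constant time)
    R, k = O, k % q
    while k:
        if k & 1:
            R = add(R, A)
        A, k = add(A, A), k >> 1
    return R

def _h(tag, *parts):
    """SHA-256 (assumed stand-in for h1, h2, h3) over length-prefixed fields."""
    h = hashlib.sha256(tag)
    for x in parts:
        if isinstance(x, tuple):
            x = b"".join(c.to_bytes(32, "big") for c in x)
        elif isinstance(x, int):
            x = x.to_bytes(32, "big")
        h.update(len(x).to_bytes(4, "big") + x)
    return h.digest()

def h2(AID, T): return int.from_bytes(_h(b"h2", *AID, T), "big") % q
def h3(AID, T, R, M): return int.from_bytes(_h(b"h3", *AID, T, R, M), "big") % q

def tpd_issue(x, Ppub, RID, T):
    """Tamper-proof device: AID = (w*P, RID xor h1(w*Ppub)), sk = w + alpha*x."""
    w = secrets.randbelow(q - 1) + 1
    mask = _h(b"h1", mul(w, Ppub))
    AID = (mul(w, P), bytes(m ^ c for m, c in zip(mask, RID.ljust(32, b"\0"))))
    return AID, (w + h2(AID, T) * x) % q

def sign(AID, sk, T, M):
    """Vehicle: R = r*P, beta = h3(AID||T||R||M), sigma = sk + beta*r mod q."""
    r = secrets.randbelow(q - 1) + 1
    R = mul(r, P)
    sigma = (sk + h3(AID, T, R, M) * r) % q
    return {"M": M, "AID": AID, "T": T, "R": R, "sigma": sigma}

def batch_verify(Ppub, msgs, now, t=16, v=None):
    """Small exponent test; the beta*R term follows the single-message equation."""
    if any(abs(now - m["T"]) > MAX_AGE for m in msgs):
        return False  # step 1: reject stale timestamps
    v = v or [secrets.randbelow(2**t) + 1 for _ in msgs]
    s, al, rhs = 0, 0, O
    for vi, m in zip(v, msgs):
        alpha, beta = h2(m["AID"], m["T"]), h3(m["AID"], m["T"], m["R"], m["M"])
        s, al = (s + vi * m["sigma"]) % q, (al + vi * alpha) % q
        rhs = add(rhs, add(mul(vi, m["AID"][0]), mul(vi * beta, m["R"])))
    return mul(s, P) == add(rhs, mul(al, Ppub))

def verify(Ppub, m, now):
    """Single check sigma*P == AID_1 + alpha*Ppub + beta*R (batch of one, v = 1)."""
    return batch_verify(Ppub, [m], now, v=[1])

def demo():
    x = secrets.randbelow(q - 1) + 1    # TA master key x, Ppub = x*P
    Ppub, T = mul(x, P), 1_700_000_000  # T is a constructed timestamp
    vehicles = [(b"VEH-0001", b"ice on bridge"), (b"VEH-0002", b"congestion ahead")]
    msgs = [sign(*tpd_issue(x, Ppub, rid, T), T, text) for rid, text in vehicles]
    # Two altered signatures whose changes (+d, -d) cancel in an unweighted sum.
    bad = [dict(m, sigma=(m["sigma"] + d) % q) for m, d in zip(msgs, (12345, -12345))]
    return {"single": all(verify(Ppub, m, T) for m in msgs),
            "batch": batch_verify(Ppub, msgs, T),
            "stale": verify(Ppub, msgs[0], T + 60),
            "bad_single": verify(Ppub, bad[0], T),
            "bad_unweighted": batch_verify(Ppub, bad, T, v=[1, 1]),
            "bad_weighted": batch_verify(Ppub, bad, T, v=[3, 5])}

if __name__ == "__main__":
    print(demo())
```

The `bad_unweighted` case shows why the weights matter: with every $v_i = 1$ the two altered signatures cancel and the batch is accepted, while distinct weights reject it.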
V. SECURITY ANALYSIS AND COMPARISONS

In this section, we analyze the security of the proposed ID-based CPPA scheme for VANETs. We demonstrate that it is able to meet all security and privacy requirements described in Section 2. First of all, we show that the proposed scheme is able to enforce non-forgery. We also compare the security of the proposed ID-based CPPA scheme for VANETs with three most recently proposed CPPA schemes.

A. Security Analysis

Based on the network model and the adversaries' ability, the security model for the CPPA scheme is defined through a game played between a challenger $\mathcal{C}$ and an adversary $\mathcal{A}$. The adversary $\mathcal{A}$ could make the following queries in the game.

• Setup-Oracle: In this query, $\mathcal{C}$ generates the private key of the system and the system parameters. $\mathcal{C}$ sends the system parameters to $\mathcal{A}$.
• $h_1$-Oracle: In this query, $\mathcal{C}$ chooses a random number $r \in Z_q$, inserts the tuple $(m, r)$ into the list $L_{h_1}$ and returns $r$ to $\mathcal{A}$.
• $h_2$-Oracle: In this query, $\mathcal{C}$ chooses a random point $r \in Z_q$, inserts the tuple $(m, r)$ into the list $L_{h_2}$ and returns $r$ to $\mathcal{A}$.
• $h_3$-Oracle: In this query, $\mathcal{C}$ chooses a random point $r \in Z_q$, inserts the tuple $(m, r)$ into the list $L_{h_3}$ and returns $r$ to $\mathcal{A}$.
• Sign-Oracle: In this query, $\mathcal{C}$ generates a request message $\{M_i, AID_i, T_i, R_i, \sigma_i\}$ upon receiving the message $M_i$ about traffic status. $\mathcal{C}$ sends $\{M_i, AID_i, T_i, R_i, \sigma_i\}$ to $\mathcal{A}$.

The adversary $\mathcal{A}$ could violate the authentication of the CPPA scheme if it could generate a login request message. Let $Adv^{Auth}(\mathcal{A})$ denote the probability that $\mathcal{A}$ could violate the authentication of the CPPA scheme.

Definition 1: A CPPA scheme for VANETs is secure if $Adv^{Auth}(\mathcal{A})$ is negligible for any polynomial adversary $\mathcal{A}$.

We have evaluated the security of the proposed ID-based CPPA scheme for VANETs and demonstrated that the proposed scheme is secure in the random oracle.

Theorem 1: The proposed ID-based CPPA scheme for VANETs is secure in the random oracle model.

Proof: Suppose there is an adversary $\mathcal{A}$ that can forge a message $\{M_i, AID_i, T_i, R_i, \sigma_i\}$. We can construct a challenger $\mathcal{C}$, which could solve the DL problem with a non-negligible probability by running $\mathcal{A}$ as a subroutine. Given an instance $(P, Q = x \cdot P)$ of the DL problem, $\mathcal{C}$ simulates oracles queried by $\mathcal{A}$ as follows.

Setup-Oracle: $\mathcal{C}$ sets $P_{pub} \leftarrow Q$, and sends the system parameters $params = \{p, q, a, b, P, P_{pub}, h_1, h_2, h_3\}$ to $\mathcal{A}$.

$h_1$-Oracle: $\mathcal{C}$ keeps a list $L_{h_1}$ with the form of , $\tau$ , which is initialized to empty. Upon receiving $\mathcal{A}$'s query with the message , $\mathcal{C}$ checks whether a tuple , $\tau$ exists in $L_{h_1}$ first. If so, $\mathcal{C}$ sends $\tau = h_1()$ to $\mathcal{A}$; otherwise, $\mathcal{C}$ generates a random number $\tau \in Z_q$, adds , $\tau$ in $L_{h_1}$ and sends $\tau = h_1()$ to $\mathcal{A}$.

$h_2$-Oracle: $\mathcal{C}$ keeps a list $L_{h_2}$ with the form of $(AID_i, T_i, \tau)$, which is initialized to empty. Upon receiving $\mathcal{A}$'s query with the message $(AID_i, T_i)$, $\mathcal{C}$ checks whether a tuple $(AID_i, T_i, \tau)$ exists in $L_{h_2}$ first. If so, $\mathcal{C}$ sends $\tau = h_2(AID_i \| T_i)$ to $\mathcal{A}$; otherwise, $\mathcal{C}$ generates a random number $\tau \in Z_q$, adds $(AID_i, T_i, \tau)$ in $L_{h_2}$ and sends $\tau = h_2(AID_i \| T_i)$ to $\mathcal{A}$.

$h_3$-Oracle: $\mathcal{C}$ keeps a list $L_{h_3}$ with the form of $(AID_i, T_i, R_i, M_i, \tau)$, which is initialized to empty. Upon receiving $\mathcal{A}$'s query with the message $(AID_i, T_i, R_i, M_i)$, $\mathcal{C}$ checks if a tuple $(AID_i, T_i, R_i, M_i, \tau)$ exists in $L_{h_3}$ first. If so, $\mathcal{C}$ sends $\tau = h_3(AID_i \| T_i \| R_i \| M_i)$ to $\mathcal{A}$; otherwise, $\mathcal{C}$ generates a random number $\tau \in Z_q$, adds $(AID_i, T_i, R_i, M_i, \tau)$ in $L_{h_3}$ and sends $\tau = h_3(AID_i \| T_i \| R_i \| M_i)$ to $\mathcal{A}$.

Sign-Oracle: Upon receiving $\mathcal{A}$'s query with the message $M_i$, $\mathcal{C}$ generates three random numbers $\sigma_i, \alpha_i, \beta_i \in Z_q^*$, chooses a random point $AID_{i,2}$ and computes $AID_{i,1} = \sigma_i \cdot P - \alpha_i \cdot P_{pub} - \beta_i \cdot R_i$. $\mathcal{C}$ adds $(AID_i, T_i, \alpha_i)$ and $(AID_i, T_i, R_i, M_i, \beta_i)$ into $L_{h_2}$ and $L_{h_3}$ respectively, where $AID_i = \{AID_{i,1}, AID_{i,2}\}$. Finally, $\mathcal{C}$ sends the message $\{M_i, AID_i, T_i, R_i, \sigma_i\}$ to $\mathcal{A}$. It is easy to verify the equation $\sigma_i \cdot P = AID_{i,1} + \alpha_i \cdot P_{pub} + \beta_i \cdot R_i$ holds. Therefore, all signatures generated by $\mathcal{C}$ are indistinguishable from those generated by legal vehicles.

At last, $\mathcal{A}$ outputs a message $\{M_i, AID_i, T_i, R_i, \sigma_i\}$. $\mathcal{C}$ checks whether the following equation holds.

$$\sigma_i \cdot P = AID_{i,1} + \alpha_i \cdot P_{pub} + \beta_i \cdot R_i \tag{4}$$

If it does not hold, $\mathcal{C}$ aborts the process. According to the forgery lemma [30], $\mathcal{A}$ could output another valid message $\{M_i, AID_i, T_i, R_i, \sigma_i'\}$ if we repeat the process with a different choice of $h_2$. In this case, we could get the following equation.

$$\sigma_i' \cdot P = AID_{i,1} + \alpha_i' \cdot P_{pub} + \beta_i \cdot R_i \tag{5}$$

According to equations (4) and (5), we could get

$$\begin{aligned}
(\sigma_i - \sigma_i') \cdot P &= \sigma_i \cdot P - \sigma_i' \cdot P \\
&= AID_{i,1} + \alpha_i \cdot P_{pub} + \beta_i \cdot R_i - (AID_{i,1} + \alpha_i' \cdot P_{pub} + \beta_i \cdot R_i) \\
&= (\alpha_i - \alpha_i') \cdot P_{pub} = (\alpha_i - \alpha_i') \cdot x \cdot P
\end{aligned} \tag{6}$$

and

$$\sigma_i - \sigma_i' = (\alpha_i - \alpha_i') \cdot x \bmod q \tag{7}$$

$\mathcal{C}$ outputs $(\alpha_i - \alpha_i')^{-1}(\sigma_i - \sigma_i')$ as the answer of the DL problem. The ability of solving the DL problem contradicts the hardness of the DL problem. Therefore, the proposed ID-based CPPA scheme for VANETs is secure against forgery under adaptive chosen message attack in the random oracle model.

1) Message authentication: According to Theorem 1, we know that no polynomial adversary can forge a valid message if the DL problem is hard. Therefore, the verifier could check the validity and integrity of the message $\{M_i, AID_i, T_i, R_i, \sigma_i\}$ by verifying whether the equation $\sigma_i \cdot P = AID_{i,1} + \alpha_i \cdot P_{pub} + \beta_i \cdot R_i$ holds. Thus, the proposed ID-based CPPA scheme for VANETs provides message authentication.

2) Preserving identity privacy: The vehicle's real identity $RID$ is involved in $AID_i$ generated by the vehicle, where
HE et al.: EFFICIENT IDENTITY-BASED CPPA SCHEME FOR VANETs 2687
TABLE III
COMPARISON OF COMPUTATION COST
Thus, the proposed CPPA scheme for VANETs incurs a much lower communication cost than the three latest ID-based CPPA schemes for VANETs [20], [22], [23].

VII. CONCLUSION

In this work, we have proposed a new ID-based CPPA scheme, which could be used for both V2V communication and V2I communication in VANETs. To improve performance, the function of batch verification of multiple messages is included in the proposed ID-based CPPA scheme. The security analysis shows that the proposed scheme can overcome the weaknesses of previously proposed schemes and satisfy the security requirements of ID-based CPPA schemes for VANETs. Our performance analysis results show that the proposed scheme incurs lower computation cost and communication cost because no bilinear pairings are used in our proposed ID-based CPPA scheme. This makes the proposed scheme more suitable for deployment in the VANET environment.

ACKNOWLEDGMENT

The authors thank the Associate Editor and the anonymous reviewers for their useful comments and suggestions which helped us improve the quality and presentation of this paper.

REFERENCES

[1] T. W. Chim, S. M. Yiu, L. C. K. Hui, and V. O. K. Li, "SPECS: Secure and privacy enhancing communications schemes for VANETs," Ad Hoc Netw., vol. 9, no. 2, pp. 189–203, 2011.
[2] S. Zeadally, R. Hunt, Y.-S. Chen, A. Irwin, and A. Hassan, "Vehicular ad hoc networks (VANETs): Status, results, and challenges," Telecommun. Syst., vol. 50, no. 4, pp. 217–241, 2012.
[3] M. Ghosh, A. Varghese, A. Gupta, A. A. Kherani, and S. N. Muthaiah, "Detecting misbehaviors in VANET with integrated root-cause analysis," Ad Hoc Netw., vol. 8, no. 7, pp. 778–790, 2010.
[4] Y. Toor, P. Muhlethaler, and A. Laouiti, "Vehicle ad hoc networks: Applications and related technical issues," IEEE Commun. Surveys Tuts., vol. 10, no. 3, pp. 74–87, Sep. 2008.
[5] A. Boukerche, H. A. B. F. Oliveira, E. F. Nakamura, and A. A. F. Loureiro, "Vehicular ad hoc networks: A new challenge for localization-based systems," Comput. Commun., vol. 31, no. 12, pp. 2838–2849, 2008.
[6] IEEE Trial-Use Standard for Wireless Access in Vehicular Environment—Security Services for Applications and Management Messages, IEEE Standard 1609.2-2006, Jul. 2006.
[7] M. Raya, P. Papadimitratos, and J.-P. Hubaux, "Securing vehicular communications," IEEE Wireless Commun., vol. 13, no. 5, pp. 8–15, Oct. 2006.
[8] J. T. Isaac, S. Zeadally, and J. S. Camara, "Security attacks and solutions for vehicular ad hoc networks," IET Commun. J., vol. 4, no. 7, pp. 894–903, 2010.
[9] J. P. Hubaux, S. Capkun, and J. Luo, "The security and privacy of smart vehicles," IEEE Security Privacy, vol. 2, no. 3, pp. 49–55, May/Jun. 2004.
[10] C. Gamage, B. Gras, B. Crispo, and A. S. Tanenbaum, "An identity-based ring signature scheme with enhanced privacy," in Proc. Securecomm Workshops, 2006, pp. 1–5.
[11] M. Raya and J.-P. Hubaux, "Securing vehicular ad hoc networks," J. Comput. Secur., vol. 15, no. 1, pp. 39–68, 2007.
[12] R. Lu, X. Lin, H. Zhu, P.-H. Ho, and X. Shen, "ECPP: Efficient conditional privacy preservation protocol for secure vehicular communications," in Proc. 27th Conf. IEEE INFOCOM, Apr. 2008, pp. 1903–1911.
[13] J. Freudiger, M. Raya, M. Felegyhazi, and P. Papadimitratos, "Mix-zones for location privacy in vehicular networks," in Proc. 1st Int. Workshop Wireless Netw. Intell. Transport. Syst. (Win-ITS), 2007, pp. 1–7.
[14] C. Zhang, X. Lin, R. Lu, and P.-H. Ho, "RAISE: An efficient RSU-aided message authentication scheme in vehicular communication networks," in Proc. ICC, May 2008, pp. 1451–1457.
[15] C. Zhang, R. Lu, X. Lin, P.-H. Ho, and X. Shen, "An efficient identity-based batch verification scheme for vehicular sensor networks," in Proc. IEEE INFOCOM, Apr. 2008, pp. 816–824.
[16] C. Zhang, P.-H. Ho, and J. Tapolcai, "On batch verification with group testing for vehicular communications," Wireless Netw., vol. 17, no. 8, pp. 1851–1865, 2011.
[17] A. Shamir, "Identity-based cryptosystems and signature schemes," in Proc. CRYPTO, 1984, pp. 47–53.
[18] C.-C. Lee and Y.-M. Lai, "Toward a secure batch verification with group testing for VANET," Wireless Netw., vol. 19, no. 6, pp. 1441–1449, 2013.
[19] S.-J. Horng et al., "b-SPECS+: Batch verification for secure pseudonymous authentication in VANET," IEEE Trans. Inf. Forensics Security, vol. 8, no. 11, pp. 1860–1875, Nov. 2013.
[20] K.-A. Shim, "CPAS: An efficient conditional privacy-preserving authentication scheme for vehicular sensor networks," IEEE Trans. Veh. Technol., vol. 61, no. 4, pp. 1874–1883, May 2012.
[21] J. K. Liu, T. H. Yuen, M. H. Au, and W. Susilo, "Improvements on an authentication scheme for vehicular sensor networks," Expert Syst. Appl., vol. 41, no. 5, pp. 2559–2564, 2014.
[22] J. Zhang, M. Xu, and L. Liu, "On the security of a secure batch verification with group testing for VANET," Int. J. Netw. Secur., vol. 16, no. 5, pp. 355–362, 2014.
[23] M. Bayat, M. Barmshoory, M. Rahimi, and M. R. Aref, "A secure authentication scheme for VANETs with batch verification," Wireless Netw., vol. 21, no. 5, pp. 1733–1743, 2015.
[24] D. Freeman, M. Scott, and E. Teske, "A taxonomy of pairing-friendly elliptic curves," J. Cryptol., vol. 23, no. 2, pp. 224–280, 2010.
[25] X. Cao, W. Kou, and X. Du, "A pairing-free identity-based authenticated key agreement protocol with minimal message exchanges," Inf. Sci., vol. 180, no. 15, pp. 2895–2903, 2010.
[26] L. Zhang, Q. Wu, A. Solanas, and J. Domingo-Ferrer, "A scalable robust authentication protocol for secure vehicular communications," IEEE Trans. Veh. Technol., vol. 59, no. 4, pp. 1606–1617, May 2010.
[27] L. Zhang, Q. Wu, B. Qin, and J. Domingo-Ferrer, "APPA: Aggregate privacy-preserving authentication in vehicular ad hoc networks," in Proc. 14th Conf. Inf. Secur. (ISC), 2011, pp. 293–308.
[28] X. Lin, X. Sun, P.-H. Ho, and X. Shen, "GSIS: A secure and privacy-preserving protocol for vehicular communications," IEEE Trans. Veh. Technol., vol. 56, no. 6, pp. 3442–3456, Nov. 2007.
[29] C. P. Schnorr, "Efficient signature generation by smart cards," J. Cryptol., vol. 4, no. 3, pp. 161–174, 1991.
[30] D. Pointcheval and J. Stern, "Security arguments for digital signatures and blind signatures," J. Cryptol., vol. 13, no. 3, pp. 361–396, 2000.
[31] Shamus Software Ltd. MIRACL Library. [Online]. Available: http://www.shamus.ie/index.php?page=home, accessed May 1, 2015.

Debiao He received the Ph.D. degree in applied mathematics from the School of Mathematics and Statistics, Wuhan University, Wuhan, China, in 2009. He is currently an Associate Professor with the State Key Laboratory of Software Engineering, School of Computer Science, Wuhan University. His main research interests include cryptography and information security, in particular, cryptographic protocols.

Sherali Zeadally received the bachelor's degree in computer science from the University of Cambridge, U.K., and the Ph.D. degree in computer science from the University of Buckingham, U.K. He is currently an Associate Professor with the College of Communication and Information, University of Kentucky, Lexington, KY, USA. He is also a fellow of the British Computer Society and the Institution of Engineering Technology, U.K.
Baowen Xu (M'03) received the B.S. degree from Wuhan University, the M.S. degree from the Huazhong University of Science and Technology, and the Ph.D. degree from Beihang University, all in computer science. He is currently a Professor with the Department of Computer Science and Technology, Nanjing University. His main research interests include programming languages, software testing, software maintenance, and software metrics. He is a member of the IEEE Computer Society.

Xinyi Huang received the Ph.D. degree from the School of Computer Science and Software Engineering, University of Wollongong, Australia. He is currently a Professor with the School of Mathematics and Computer Science, Fujian Normal University, China, and the Co-Director of the Fujian Provincial Key Laboratory of Network Security and Cryptology. He has authored over 100 research papers in refereed international conferences and journals. His work has been cited more than 1900 times at Google Scholar (H-Index: 25). His research interests include applied cryptography and network security. He is also an Associate Editor of the IEEE TRANSACTIONS ON DEPENDABLE AND SECURE COMPUTING, and on the Editorial Board of the International Journal of Information Security (IJIS, Springer). He has served as the Program/General Chair or Program Committee Member in over 60 international conferences.