
Vehicular Communications 13 (2018) 104–113


EPA-CPPA: An efficient, provably-secure and anonymous conditional privacy-preserving authentication scheme for vehicular ad hoc networks

JiLiang Li a, Kim-Kwang Raymond Choo b, WeiGuo Zhang c,*, Saru Kumari d, Joel J.P.C. Rodrigues e,f,g,h, Muhammad Khurram Khan i, Dieter Hogrefe a
a Institute of Computer Science, University of Goettingen, Goettingen 37077, Germany
b Department of Information Systems and Cyber Security, University of Texas at San Antonio, San Antonio, TX 78249, USA
c State Key Laboratory of Integrated Services Networks, Xidian University, Xi’an 710071, China
d Department of Mathematics, Ch. Charan Singh University, Meerut, Uttar Pradesh, India
e National Institute of Telecommunications, Santa Rita do Sapucaí, MG 37540-000, Brazil
f Instituto de Telecomunicações, Lisboa 1049-001, Portugal
g ITMO University, St. Petersburg, Russia
h University of Fortaleza (UNIFOR), Brazil
i Center of Excellence in Information Assurance (CoEIA), King Saud University, Saudi Arabia

Article history: Received 5 April 2018; Received in revised form 15 May 2018; Accepted 8 July 2018; Available online 18 July 2018.

Keywords: Authentication; Privacy-preserving; Provably-secure; Vehicular ad hoc networks.

Abstract

Unlike wired networks, vehicular ad hoc networks (VANETs) are exposed to a broader range of attacks because of their wireless broadcast nature. One of the candidate cryptographic solutions for ensuring authentication together with privacy preservation is the class of conditional privacy-preserving authentication (CPPA) schemes. Although a number of CPPA schemes have been proposed in the literature, existing approaches generally suffer from limitations such as the security problem posed by system private keys and the high computation requirement during the certificate generation and message verification phases. To resolve these issues, this paper presents a provably-secure CPPA scheme for VANETs and demonstrates that the proposed solution provides both the security and the privacy required by a VANET application. It also demonstrates its utility in terms of computation and communication overheads, and shows more favorable performance than closely related schemes.
© 2018 Elsevier Inc. All rights reserved.

* Corresponding author.
E-mail address: wgzhang@foxmail.com (W.G. Zhang).
https://doi.org/10.1016/j.vehcom.2018.07.001
2214-2096/© 2018 Elsevier Inc. All rights reserved.

1. Introduction

Due to constant and rapid advancements in the development of wireless communication and network technologies, vehicular ad hoc networks (VANETs) have attracted renewed interest because of their capability to let vehicles equipped with wireless devices communicate with other vehicles and roadside units (RSUs), thereby ensuring traffic safety and enhancing driving efficiency [1–5]. Other benefits associated with VANETs include collision avoidance, lane merging, traffic optimization, toll collection, location-based services, infotainment, etc. [6]. In the literature, such settings have also been considered under the headings of the Internet of Vehicles and smart cities [7,8].

One can think of VANETs as a combination of mobile ad hoc networks (MANETs) with vehicles (e.g. cars, buses, trucks and motorcycles) and RSUs [3,9,10]. Unlike nodes in a MANET, vehicles are not usually resource constrained in terms of power, storage space and computing capability. A typical VANET includes trusted authorities (TAs), RSUs (e.g. placed on road sides or other installations), and onboard units (OBUs) installed in vehicles [3,11,12]; see Fig. 1.

Fig. 1. An example of VANETs.

Communications in VANETs, such as vehicle-to-vehicle (V2V) and vehicle-to-infrastructure (V2I), use dedicated short range communication (DSRC), which is a short-to-medium range communications protocol [11]. Every vehicle can communicate with adjacent vehicles and the nearby RSUs located at the roadside through the OBU installed in the vehicle and the DSRC protocol. For example, on-vehicle OBUs periodically broadcast traffic-related information covering factors such as position, weather conditions, direction, speed, and traffic situation. Such information allows participating vehicles in the vicinity to take the required actions, for example taking an alternate route to avoid a traffic accident, traffic congestion, etc. [13,14]. RSUs and other vehicles can also transmit traffic-related information (e.g. an accident that has just taken place) to the traffic administration department or other relevant department (e.g. law enforcement or fire department), so that the necessary actions can be undertaken [15]. Hence, it is not surprising that VANETs and their many variants (e.g. Internet of Vehicles, intelligent transport systems, and smart cities) have received recent attention [6]. Similar to other wireless networks, there are a number of other features important to VANETs, such as the following:

Security: Once attackers have control over the communication channels, they could easily eavesdrop on, tamper with, replay or even drop messages sent within VANETs. In other words, designers of VANETs need to ensure the system is secure against a wide range of attacks such as masquerading, replaying, tunneling, message modification, and key and certificate replication attacks [6,11,15]. For example, a malicious adversary may hijack and modify the initial messages, or masquerade as a legitimate vehicle to broadcast ‘fake’ messages, resulting in chaos or traffic incidents [15]. Hence, the capability to ensure the authenticity of messages from vehicles in VANETs is crucial.

Anonymity: In addition, if the vehicle user sends his/her identity to RSUs or other vehicles without masking, a malicious attacker may track the user’s routes by capturing the messages. The leakage of routes may have real-world consequences such as physical stalking, kidnapping, and assassination (e.g. a malicious adversary intercepts messages and replaces them with fabricated messages in order to reroute the victim’s vehicle). Therefore, anonymity is another key feature in VANETs [16].

Traceability (and conditional privacy): If a misbehaving vehicle transmits malicious or suspicious information to RSUs or nearby vehicles, then the system needs to have the capability to identify the vehicle (and the owner) so that the vehicle (and the owner) can be taken to task (e.g. monetary penalties or other criminal sanctions). Thus, both traceability and conditional privacy are important features [15]. Conditional privacy means that the TA is the only party who can extract the vehicle’s real identity.

Conditional privacy-preserving authentication (CPPA) schemes such as those presented in [3,6,9,15–22] can be used to achieve both security- and privacy-related properties in VANETs. There are, however, limitations in these existing schemes, as discussed in Section 2.

This paper introduces an efficient, provably-secure and anonymous conditional privacy-preserving solution for VANETs in order to overcome the limitations of existing CPPA schemes. To be specific, the four main contributions of our work are as follows.

• First, the vulnerabilities of existing schemes are revisited and analyzed, and several security weaknesses of these schemes are pointed out. Then, the vehicular system architecture, consisting of the network model and the design goals, is given.
• Second, this paper presents an efficient, provably-secure and anonymous CPPA protocol for VANETs. To improve efficiency further, the proposed CPPA scheme adds batch verification.
• Third, this paper proves the security of the proposed CPPA scheme rigorously (taking advantage of the random oracle model) in order to demonstrate that the proposed efficient and anonymous CPPA scheme satisfies the security and privacy requirements of VANETs.
• Finally, we also conducted an analysis of the computation overhead and the communication overhead to show that the proposed efficient and anonymous CPPA scheme delivers more favorable performance than existing solutions for VANETs.

The rest of this paper is organized as follows. Section 2 provides an overview of related work in this field. Background knowledge is presented in Section 3. Section 4 presents an efficient and anonymous conditional privacy-preserving scheme. Section 5 and Section 6 evaluate the security and performance of our proposed method, respectively. Finally, we conclude this paper in Section 7.

2. Related literature

This section briefly reviews the existing literature on CPPA schemes designed for VANETs.

In 2006, Gamage et al. [18] introduced an identity-based ring signature solution to ensure privacy for VANET applications. However, the presented approach does not provide traceability, which implies a lack of conditional privacy. A year later, in 2007, Raya et al. [6] introduced a CPPA solution based on anonymous certificates. Specifically, to mask the vehicle’s real identity, a large number of public/private key pairs and corresponding certificates based on a Public Key Infrastructure (PKI) are preloaded into the memory of the vehicles’ OBUs, and the OBU randomly selects a public/private key pair to be used for authentication. This imposes storage requirements on each vehicle (e.g. to store its public/private key pairs and corresponding certificates) and on the TA (e.g. to store all vehicles’ certificates). For a large system with vehicles constantly joining and leaving, it is not a trivial task to search for and identify a misbehaving vehicle in practice. In 2008, a new CPPA solution using bilinear pairing was designed by Lu et al. [20]. In this solution, the RSU sends a temporary anonymous certificate to each vehicle that passes through the region of the RSU. The RSUs also provide the vehicles with a new anonymous certificate periodically to enforce conditional privacy. However, this solution has low efficiency. In the same year, Lin et al. [23] provided a privacy-preserving protocol utilizing a group signature technique, which provides traceability. However, in Lin et al.’s solution, each vehicle has to store the revocation list to avoid communicating with ‘blacklisted’ vehicles. Therefore, as the number of revoked vehicles increases, the vehicles will need to spend a considerable amount of time on the verification phase alone. This is clearly not practical.

In 2008, Zhang et al. [22] constructed an identity (ID)-based batch authentication protocol based on pairing-based cryptography. In their approach, neither vehicles nor RSUs need to store any certificate. Moreover, their solution provides batch verification for multiple messages. In other words, this CPPA solution overcomes the limitation of the approaches of Raya et al. [6] and Lu et al. [20]. However, in the approach of Zhang et al. [22], a long-term system master secret s is embedded in the vehicles’ tamper-proof devices, which could be extracted by an adversary (e.g. via side-channel attacks [24]), particularly when the adversary has physical access to the tamper-proof devices.
In 2009, Jiang et al. [19] presented an authentication scheme using the binary authentication tree (BAT), in which the RSU can quickly differentiate fabricated messages from legitimate ones. However, Shim [9] demonstrated that an adversary can successfully forge an aggregate signature on two bogus messages in the scheme of Jiang et al. [19]. Shim [3] also introduced a CPPA solution using a pseudo-identity (PID)-based signature for secure VANETs. Liu et al. [25], however, revealed that Shim’s solution in [3] has an error in the batch verification phase. In 2013, Li and Liu introduced a lightweight identity authentication scheme for VANETs to improve the efficiency of the authentication process while simultaneously concealing the sensitive information of the vehicle [26]. Then, Lee and Lai proposed a secure batch verification protocol with group testing for VANETs [27]. In 2015, He et al. [15] proposed an ID-based CPPA solution for VANETs utilizing Schnorr’s signature [30]. In the proposed solution, the system’s private key is pre-loaded on the vehicle’s tamper-proof device. In other words, the proposed solution suffers from the same limitation as the solution of Zhang et al. [22]. In 2016, Oulhaci et al. also designed a secure and distributed certification system framework for security message authentication in VANETs, which resists fake public-key certification [28]. In the same year, Lee et al. used the Chinese remainder theorem to build a safer and quicker batch key-agreement protocol for establishing communication channels [29]. More recently, in 2016 and 2017, Shao et al. [16] and Azees et al. [17] proposed a group signature-based CPPA solution for VANETs and an authentication solution based on short-time anonymous certificates and public keys, respectively. The proposed solution of Azees et al. [17] does not support batch verification. In addition, Azees et al.’s protocol cannot resist the bogus message attack, the framing attack and the sybil attack. The reason it suffers from the above attacks is that the authors use a temporarily generated number as the private key to sign traffic messages, which yields an invalid signature that is easily counterfeited by an adversary. In 2017, Zhang et al. [31] proposed a novel distributed aggregate privacy-preserving authentication solution for vehicular ad hoc networks. In their solution, one roadside unit (RSU) is responsible for a subgroup of the VANET and holds a private key used to produce secret shares for vehicles. Although they give some assumptions guaranteeing that no other party can learn the secrets in a vehicle’s tamper-proof device (TPD), if a vehicle in one RSU’s subgroup is corrupted, the private key of the RSU can be calculated by the malicious adversary. Later, Zhang et al. gave a novel method to establish cryptographic mix-zones which resist malicious attackers and reinforce privacy protection in VANETs [32]. In 2018, Asaar et al. proposed a novel identity-based message authentication scheme using proxy vehicles (ID-MAP) [33].

3. Vehicular system architecture

This section presents the network model and the design goals of the proposed CPPA solution.

3.1. Network model

As shown in Fig. 2, the two-level network model is well suited to VANETs: the trusted authority (TA) is set as the first level, and RSUs as well as vehicles are set as the second level. The functions of these three entities are described below.

Fig. 2. The network model of VANETs.

Trusted authority: The TA is fully trusted by all parties in the VANET and has sufficient computation, communication and storage capabilities. The TA is also responsible for the generation of system parameters and the registration of RSUs and vehicles. In addition, upon successful completion of their registration, the TA generates the initial security parameters for all vehicles and RSUs, and sends these parameters to the vehicles offline. It can recover the real identity of a vehicle from a transmitted message.

RSUs: RSUs are stationary infrastructure deployed on the roadside or at other installations (e.g. bus stops). RSUs serve as the ‘interface’ between the TA and vehicles, and utilize the dedicated short range communication (DSRC) [34] protocol for V2V and V2R wireless communications. An RSU can authenticate traffic messages from vehicles and process them locally or forward them to the traffic authority center (e.g. the TA). In our solution, RSUs are semi-trusted. If an RSU is found to be compromised, the TA can detect this and either reset the compromised RSU or remove/replace it.

Vehicle: Every vehicle is equipped with an OBU, which allows the vehicle to communicate wirelessly with other vehicles and RSUs using the DSRC protocol. Each OBU has a tamper-proof device (TPD) to protect stored sensitive information such as secret keys and location information (e.g. from the global positioning system, GPS).

3.2. Design goals

Based on the literature [15–17,20,21,36], a secure and efficient CPPA solution for VANETs should satisfy the following requirements or goals.

Identity privacy preservation: RSUs, vehicles and third-party participants are not capable of extracting a vehicle’s actual identity from the messages transmitted by any vehicle.

Message authentication and integrity: Each message transmitted by a vehicle is verified by RSUs, and RSUs are capable of detecting any modification or fabrication of received messages.

Traceability: The TA is the only party capable of extracting the vehicle’s actual identity when the need arises (e.g. a complaint against a misbehaving vehicle).

Unlinkability: RSUs, vehicles and third-party participants are not capable of tracing a vehicle’s behavior by analyzing its transmitted messages. That is, they cannot link two messages and determine whether they were transmitted by the same vehicle.

Bogus message attack: The adversary may transmit bogus information around the VANET system in order to achieve his/her specific goal. For example, an adversary could transmit fake traffic information to nearby vehicles for the sake of obtaining an optimal traffic route.

Impersonation attack: Such attacks are generally targeted at other legitimate vehicles. They are executed by sending fake messages to other vehicles in which the adversary attempts to masquerade as a trusted vehicle.

Full batch verification: It is not practical for the receiver to verify the validity of the received messages one at a time; thus, full batch verification in a CPPA scheme is an essential feature (i.e. a verifier can check the authenticity of multiple messages from vehicles simultaneously).

No map-to-point operation: It is expensive and complicated to execute the map-to-point operation, and consequently it degrades the performance of the VANET system. Therefore, the map-to-point operation should be avoided in a CPPA scheme for VANETs.

No certificates management: The complexity and overhead of certificate management increase with the number of vehicles. In addition, the authenticity of a certificate has to be verified before it is used. To guarantee better feasibility and performance in the vehicular system, the design of a CPPA scheme should require no certificate management.

No verifier table: To avoid the governance issues and attacks associated with a verifier table, a CPPA protocol for VANETs must operate without a verifier table.

Provable security: The security of the cryptographic scheme is demonstrated using a widely accepted security model [35]. In other words, without a rigorous security proof, users cannot be sure of the security of the cryptographic system. Therefore, a CPPA scheme should be proved secure under a security model.

4. Our proposed CPPA scheme

The proposed CPPA protocol consists of two parts, namely an anonymous CPPA solution for the vehicle and a similar anonymous CPPA solution for the RSU. Each part has five phases, i.e. the system parameters setup phase, the pseudo-identity generation and private key extraction phase, the message signing phase, single message verification, and batch message verification.

4.1. Anonymous CPPA scheme for vehicle

System parameters setup: Prior to the deployment of the VANET, the TA generates the system parameters $Params$ as follows:

a. Given a security parameter $k \in \mathbb{Z}^+$, TA generates a prime $q$ and a group $G$ of order $q$, where $g$ is a generator of $G$. TA also chooses four cryptographic hash functions $H_0 : G \times G \to \mathbb{Z}_q^*$, $H_1 : \{0,1\}^* \to \mathbb{Z}_q^*$, $H_2 : \{0,1\}^* \times \{0,1\}^* \times G \times G \times \{0,1\}^* \to \mathbb{Z}_q^*$ and $H_3 : G \to \mathbb{Z}_q^*$.
b. TA selects a random number $a \in \mathbb{Z}_q^*$ and sets $A_{pub} = g^a$, where $a$ is the master secret key for private key extraction and is known only to TA. TA also chooses a random number $b \in \mathbb{Z}_q^*$ and sets $B_{pub} = g^b$, where $b$ is the master secret key for traceability and is known only to TA.
c. Finally, TA publishes the system parameters $Params = \{q, G, g, A_{pub}, B_{pub}, H_0, H_1, H_2, H_3\}$.

Pseudo-identity generation and private key extraction: Using pseudo-identities ($PID$s) that are uniquely associated with the corresponding real identities ($ID$s) allows us to achieve anonymous conditional privacy-preserving authentication in our solution.

a. A legitimate vehicle $V_i$ transmits information including its unique identity $ID_i$ (e.g. license plate number) to TA. Upon confirming the validity of $ID_i$, TA selects a group of private random numbers $\{k_{i,1}, k_{i,2}, \cdots, k_{i,z}\} \in \mathbb{Z}_q^*$ and computes the corresponding public values $PK_i^* = \{PK_{i,1}, PK_{i,2}, \cdots, PK_{i,z}\}$, where $PK_{i,l} = g^{k_{i,l}}$ and $l \in \{1, 2, \cdots, z\}$. Then, TA generates a group of $PID$s for $V_i$ as $PID_i^* = \{PID_{i,1}, PID_{i,2}, \cdots, PID_{i,z}\}$, where $PID_{i,l} = ID_i \oplus H_0(PK_{i,l}^{\,b}, B_{pub})$ and $l \in \{1, 2, \cdots, z\}$. Hence, the real identity $ID_i$ of vehicle $V_i$ is concealed in the pseudo-IDs $PID_i^*$.
b. After computing $PID_i^*$, TA computes the private keys $SK_i^* = \{SK_{i,1}, SK_{i,2}, \cdots, SK_{i,z}\}$, where $SK_{i,l} = a \cdot H_1(PID_{i,l})$ and $l \in \{1, 2, \cdots, z\}$.
c. Finally, TA sends the system parameters $Params$ and $\{PID_i^*, SK_i^*, PK_i^*\}$ to vehicle $V_i$ via a secure channel, delivering a tamper-proof device for $V_i$.

Vehicle message signing: In order to guarantee message authentication and integrity, each message issued by a vehicle should be signed, and verified before it is accepted by the RSUs or other vehicles. The signature on one traffic-related message $M_i$ by $V_i$ is computed as follows.

a. $V_i$ randomly selects a private key $SK_{i,l}$, the corresponding $PK_{i,l}$ and pseudo-identity $PID_{i,l}$ from the sets $SK_i^*$, $PK_i^*$ and $PID_i^*$ respectively. Then, $V_i$ chooses a random $r_i \in \mathbb{Z}_q^*$ and computes $R_i = g^{r_i}$, $H_i = H_2(M_i, PID_{i,l}, PK_{i,l}, R_i, T_i) \in \mathbb{Z}_q^*$ and $Sig_i = (H_3(R_i) - SK_{i,l} \cdot H_i) \cdot r_i^{-1}$, where $T_i$ is the current timestamp, which supports the freshness of a valid signed message.
b. Then, $V_i$ issues the signature message $Msgs = \{M_i, PID_{i,l}, PK_{i,l}, R_i, T_i, Sig_i\}$ to a nearby RSU.

Single message verification: Once an RSU has received a single message signed by $V_i$, the RSU authenticates the message in order to ensure that the sender is a legitimate user rather than an adversary impersonating a legitimate user.

a. After receiving $Msgs = \{M_i, PID_{i,l}, PK_{i,l}, R_i, T_i, Sig_i\}$ signed by $V_i$, the receiver checks the freshness of the timestamp $T_i$. The verifier drops the message if it is not fresh.
b. If $T_i$ is valid, the receiver then computes $H_1(PID_{i,l})$ and $H_i = H_2(M_i, PID_{i,l}, PK_{i,l}, R_i, T_i) \in \mathbb{Z}_q^*$ and verifies whether
$$R_i^{\,Sig_i} \cdot A_{pub}^{\,H_1(PID_{i,l}) \cdot H_i} = g^{H_3(R_i)}.$$
If the equation is satisfied, the receiver accepts the validity of the message $M_i$; otherwise, the receiver rejects it.

Batch messages verification: When there are a large number of vehicles in the communication range of an RSU, single message authentication for vehicle users may result in computation overhead on each RSU due to verification delay. Therefore, this paper also presents a batch verification method so that an RSU can efficiently verify multiple messages from vehicles at the same time. This significantly reduces the verification delay. Upon receiving $n$ messages $\{M_1, PID_{1,l}, PK_{1,l}, R_1, T_1, Sig_1\}$, $\{M_2, PID_{2,l}, PK_{2,l}, R_2, T_2, Sig_2\}$, $\cdots$, $\{M_n, PID_{n,l}, PK_{n,l}, R_n, T_n, Sig_n\}$ simultaneously, the RSU uses $Params = \{q, G, g, A_{pub}, B_{pub}, H_0, H_1, H_2, H_3\}$ to authenticate the batch of messages, as follows.

a. The RSU checks the freshness of $\{T_1, T_2, \cdots, T_n\}$, and rejects the messages if some of them are not fresh.
b. The RSU randomly selects $n$ numbers $\{\varsigma_1, \varsigma_2, \cdots, \varsigma_n\}$, where $\varsigma_i \in_R [1, 2^m]$ for $i = 1, 2, \cdots, n$, and $m = 80$ is typically adequate [25].
c. The RSU computes $H_1(PID_{i,l})$ and $H_i = H_2(M_i, PID_{i,l}, PK_{i,l}, R_i, T_i) \in \mathbb{Z}_q^*$ for $i \in \{1, 2, \cdots, n\}$ and checks whether the following verification equation holds:
$$g^{\sum_{i=1}^{n} (\varsigma_i \cdot H_3(R_i))} = \prod_{i=1}^{n} R_i^{\,\varsigma_i \cdot Sig_i} \cdot A_{pub}^{\,\sum_{i=1}^{n} (\varsigma_i \cdot H_1(PID_{i,l}) \cdot H_i)}.$$
If it holds, the RSU accepts the messages; otherwise, the RSU rejects them.

The correctness of the batch messages verification is demonstrated as follows:
$$\begin{aligned}
&\prod_{i=1}^{n} R_i^{\,\varsigma_i \cdot Sig_i} \cdot A_{pub}^{\,\sum_{i=1}^{n} (\varsigma_i \cdot H_1(PID_{i,l}) \cdot H_i)} \\
&= \prod_{i=1}^{n} \left( R_i^{\,\varsigma_i \cdot Sig_i} \cdot A_{pub}^{\,\varsigma_i \cdot H_1(PID_{i,l}) \cdot H_i} \right) \\
&= \prod_{i=1}^{n} \left( (g^{r_i})^{\varsigma_i \cdot (H_3(R_i) - SK_{i,l} \cdot H_i) \cdot r_i^{-1}} \cdot (g^{a})^{\varsigma_i \cdot H_1(PID_{i,l}) \cdot H_i} \right) \\
&= \prod_{i=1}^{n} \left( g^{r_i \cdot \varsigma_i \cdot (H_3(R_i) - (a \cdot H_1(PID_{i,l})) \cdot H_i) \cdot r_i^{-1}} \cdot g^{a \cdot \varsigma_i \cdot H_1(PID_{i,l}) \cdot H_i} \right) \\
&= \prod_{i=1}^{n} \left( g^{r_i \cdot r_i^{-1} \cdot \varsigma_i \cdot (H_3(R_i) - (a \cdot H_1(PID_{i,l})) \cdot H_i)} \cdot g^{\varsigma_i \cdot a \cdot H_1(PID_{i,l}) \cdot H_i} \right) \\
&= \prod_{i=1}^{n} \left( g^{\varsigma_i \cdot H_3(R_i) - \varsigma_i \cdot a \cdot H_1(PID_{i,l}) \cdot H_i} \cdot g^{\varsigma_i \cdot a \cdot H_1(PID_{i,l}) \cdot H_i} \right) \\
&= \prod_{i=1}^{n} g^{\varsigma_i \cdot H_3(R_i) - \varsigma_i \cdot a \cdot H_1(PID_{i,l}) \cdot H_i + \varsigma_i \cdot a \cdot H_1(PID_{i,l}) \cdot H_i} \\
&= \prod_{i=1}^{n} g^{\varsigma_i \cdot H_3(R_i)} \\
&= g^{\sum_{i=1}^{n} (\varsigma_i \cdot H_3(R_i))}.
\end{aligned}$$

4.2. Anonymous CPPA scheme for RSU

The system parameters setup phase of the anonymous CPPA solution for the RSU is the same as the one described in Section 4.1; thus, this section omits this phase in the discussion that follows.

RSU-identity generation and private key extraction: TA generates a unique identity $RID_j$ for each RSU, which includes its corresponding location information. Then, TA computes the private key for the RSU as follows.

a. For a given RSU identity $RID_j$, TA selects a group of private random numbers $\{x_{j,1}, x_{j,2}, \cdots, x_{j,z}\} \in \mathbb{Z}_q^*$ and computes the corresponding public values $Y_j^* = \{Y_{j,1}, Y_{j,2}, \cdots, Y_{j,z}\}$, where $Y_{j,l} = g^{x_{j,l}}$ and $l \in \{1, 2, \cdots, z\}$.
b. TA computes the private keys $RSK_j^* = \{RSK_{j,1}, RSK_{j,2}, \cdots, RSK_{j,z}\}$, where $RSK_{j,l} = a \cdot H_1(RID_j)$ and $l \in \{1, 2, \cdots, z\}$.
c. Finally, TA sends $Params$ and $\{RID_j, RSK_j^*, Y_j^*\}$ to the RSU via a secure channel. Then, the RSU stores its private key $\{RSK_j^*, Y_j^*\}$ together with its corresponding identity $RID_j$ in its storage memory.

RSU message signing: When an RSU broadcasts location-based traffic information to nearby vehicles, the signature on a traffic-related message $M_j$ generated by the RSU is produced as follows:

a. The RSU chooses a private key $RSK_{j,l}$ from the set $RSK_j^*$, the corresponding $Y_{j,l}$ from the set $Y_j^*$ and a random $w_j \in \mathbb{Z}_q^*$, and computes $W_j = g^{w_j}$, $RH_j = H_2(M_j, RID_j, Y_{j,l}, W_j, T_j) \in \mathbb{Z}_q^*$ and $Rsig_j = (H_3(W_j) - RSK_{j,l} \cdot RH_j) \cdot w_j^{-1}$, where $T_j$ is the current timestamp, which supports the freshness of a valid signed message.
b. Then, the RSU broadcasts the signature message $Msgs = \{M_j, RID_j, Y_{j,l}, W_j, T_j, Rsig_j\}$ to nearby vehicles.

Single message verification: When a vehicle $V_i$ receives a single message signed by an RSU, $V_i$ has to authenticate the message in order to ensure the legitimacy of the RSU.

a. After receiving $Msgs = \{M_j, RID_j, Y_{j,l}, W_j, T_j, Rsig_j\}$ signed by the RSU, $V_i$ checks the freshness of the timestamp $T_j$ and drops the message if $T_j$ is not fresh.
b. If $T_j$ is valid, then $V_i$ computes $RH_j = H_2(M_j, RID_j, Y_{j,l}, W_j, T_j) \in \mathbb{Z}_q^*$ and $H_1(RID_j)$ and verifies whether
$$W_j^{\,Rsig_j} \cdot A_{pub}^{\,H_1(RID_j) \cdot RH_j} = g^{H_3(W_j)}.$$
If the equation is satisfied, then $V_i$ accepts the validity of the message $M_j$; otherwise, $V_i$ rejects it.

Batch messages verification: To handle the situation in which a vehicle receives multiple signed messages from the same RSU within a time interval, a batch verification method is also presented. This allows the vehicle to efficiently verify multiple messages at the same time. Specifically, after receiving $t$ messages $\{M_1, RID_1, Y_{1,l}, W_1, T_1, Rsig_1\}$, $\{M_2, RID_2, Y_{2,l}, W_2, T_2, Rsig_2\}$, $\cdots$, $\{M_t, RID_t, Y_{t,l}, W_t, T_t, Rsig_t\}$ simultaneously, the vehicle verifies them using the following steps.

a. The vehicle checks the freshness of $\{T_1, T_2, \cdots, T_t\}$, and rejects the messages if some of them are not fresh.
b. The vehicle randomly selects $t$ numbers $\{\varsigma_1, \varsigma_2, \cdots, \varsigma_t\}$, where $\varsigma_j \in_R [1, 2^m]$ for $j = 1, 2, \cdots, t$, and $m = 80$ is typically adequate [25].
c. The vehicle computes $RH_j = H_2(M_j, RID_j, Y_{j,l}, W_j, T_j) \in \mathbb{Z}_q^*$ and $H_1(RID_j)$ for $j \in \{1, 2, \cdots, t\}$ and checks whether the following verification equation holds:
$$\prod_{j=1}^{t} W_j^{\,\varsigma_j \cdot Rsig_j} \cdot A_{pub}^{\,\sum_{j=1}^{t} (\varsigma_j \cdot H_1(RID_j) \cdot RH_j)} = g^{\sum_{j=1}^{t} (\varsigma_j \cdot H_3(W_j))}.$$
If it holds, the vehicle accepts the messages; otherwise, the vehicle rejects them.

The correctness of the batch messages verification is demonstrated as follows:
$$\begin{aligned}
&\prod_{j=1}^{t} W_j^{\,\varsigma_j \cdot Rsig_j} \cdot A_{pub}^{\,\sum_{j=1}^{t} (\varsigma_j \cdot H_1(RID_j) \cdot RH_j)} \\
&= \prod_{j=1}^{t} \left( W_j^{\,\varsigma_j \cdot Rsig_j} \cdot A_{pub}^{\,\varsigma_j \cdot H_1(RID_j) \cdot RH_j} \right) \\
&= \prod_{j=1}^{t} \left( (g^{w_j})^{\varsigma_j \cdot (H_3(W_j) - RSK_{j,l} \cdot RH_j) \cdot w_j^{-1}} \cdot (g^{a})^{\varsigma_j \cdot H_1(RID_j) \cdot RH_j} \right) \\
&= \prod_{j=1}^{t} \left( g^{w_j \cdot \varsigma_j \cdot (H_3(W_j) - (a \cdot H_1(RID_j)) \cdot RH_j) \cdot w_j^{-1}} \cdot g^{a \cdot \varsigma_j \cdot H_1(RID_j) \cdot RH_j} \right) \\
&= \prod_{j=1}^{t} \left( g^{w_j \cdot w_j^{-1} \cdot \varsigma_j \cdot (H_3(W_j) - (a \cdot H_1(RID_j)) \cdot RH_j)} \cdot g^{\varsigma_j \cdot a \cdot H_1(RID_j) \cdot RH_j} \right) \\
&= \prod_{j=1}^{t} \left( g^{\varsigma_j \cdot H_3(W_j) - \varsigma_j \cdot a \cdot H_1(RID_j) \cdot RH_j} \cdot g^{\varsigma_j \cdot a \cdot H_1(RID_j) \cdot RH_j} \right) \\
&= \prod_{j=1}^{t} g^{\varsigma_j \cdot H_3(W_j) - \varsigma_j \cdot a \cdot H_1(RID_j) \cdot RH_j + \varsigma_j \cdot a \cdot H_1(RID_j) \cdot RH_j} \\
&= \prod_{j=1}^{t} g^{\varsigma_j \cdot H_3(W_j)} \\
&= g^{\sum_{j=1}^{t} (\varsigma_j \cdot H_3(W_j))}.
\end{aligned}$$

5. Security and soundness proofs

In this section, we demonstrate that the presented CPPA solution for VANETs achieves the security and privacy requirements outlined in Section 3.2.
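The Section 4 scheme worked end to end in Python, as an added example that is not the paper's code: system setup, pseudo-identity and private key extraction, vehicle signing, single and batch verification (including the freshness check and a tampered message), and TA-side tracing through $b$. It assumes a constructed 64-bit safe-prime subgroup of $\mathbb{Z}_p^*$ in place of $G$ (far too small for deployment), SHA-256 with domain tags in place of $H_0$ to $H_3$, and a constructed vehicle identity; the RSU scheme of Section 4.2 is the same construction with $(RID_j, Y_{j,l}, w_j, W_j, Rsig_j)$ in place of $(PID_{i,l}, PK_{i,l}, r_i, R_i, Sig_i)$, so the block serves both.

```python
"""EPA-CPPA vehicle scheme (Section 4.1), end to end.  Constructed assumptions, not the
paper's: G is the order-q subgroup of Z_p^* for a 64-bit safe prime p = 2q+1 (far too
small for real use), and H0..H3 are SHA-256 with domain-separation tags."""
import hashlib
import random

def _is_prime(n, bases=(2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)):
    # Deterministic Miller-Rabin: these bases are exact for every n < 3.3e24.
    if n < 2 or any(n % b == 0 for b in bases):
        return n in bases
    s = ((n - 1) & (1 - n)).bit_length() - 1          # n - 1 = d * 2^s with d odd
    d = (n - 1) >> s
    for a in bases:
        x = pow(a, d, n)
        if x not in (1, n - 1) and all((x := x * x % n) != n - 1 for _ in range(s - 1)):
            return False
    return True

def _safe_prime_group(start=1 << 64):
    # Smallest safe prime p = 2q+1 with q >= start; g = 4 is a quadratic residue, so it
    # generates the subgroup of prime order q.  Deterministic and quick.
    q = start | 1
    while not (_is_prime(q) and _is_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1, q, 4

P, Q, G = _safe_prime_group()

def _hash(tag, *parts):
    # Shared core of H0..H3: {0,1}^* -> Z_q^*, SHA-256 over length-prefixed fields.
    h = hashlib.sha256(tag)
    for part in parts:
        b = part if isinstance(part, bytes) else str(part).encode()
        h.update(len(b).to_bytes(4, "big") + b)
    return int.from_bytes(h.digest(), "big") % (Q - 1) + 1

def H0(x, y): return _hash(b"H0", x, y)                  # G x G -> Z_q^*
def H1(pid): return _hash(b"H1", pid)                    # {0,1}^* -> Z_q^*
def H2(m, pid, pk, r, t): return _hash(b"H2", m, pid, pk, r, t)
def H3(r): return _hash(b"H3", r)                        # G -> Z_q^*

class TrustedAuthority:
    def __init__(self, rng):
        self.rng, self.a, self.b = rng, rng.randrange(1, Q), rng.randrange(1, Q)  # a: extraction, b: tracing
        self.params = {"A_pub": pow(G, self.a, P), "B_pub": pow(G, self.b, P)}

    def register_vehicle(self, real_id, z):
        # Pseudo-identity generation and private key extraction: z credentials.
        creds = []
        for _ in range(z):
            pk = pow(G, self.rng.randrange(1, Q), P)               # PK_{i,l} = g^k
            pid = real_id ^ H0(pow(pk, self.b, P), self.params["B_pub"])
            creds.append((pid, pk, self.a * H1(pid) % Q))         # SK_{i,l} = a*H1(PID)
        return creds                           # loaded into the vehicle's TPD offline

    def trace(self, pid, pk):
        # Only the holder of b can strip the mask and recover ID_i.
        return pid ^ H0(pow(pk, self.b, P), self.params["B_pub"])

def sign(message, cred, timestamp, rng):
    # Vehicle message signing: Sig = (H3(R) - SK*H) * r^-1 mod q.
    (pid, pk, sk), r = cred, rng.randrange(1, Q)
    R = pow(G, r, P)
    H = H2(message, pid, pk, R, timestamp)
    sig = (H3(R) - sk * H) * pow(r, -1, Q) % Q
    return {"M": message, "PID": pid, "PK": pk, "R": R, "T": timestamp, "Sig": sig}

def verify(msg, params, now, max_age=5):
    # Single verification: freshness, then R^Sig * A_pub^(H1(PID)*H) == g^H3(R).
    if not now - max_age <= msg["T"] <= now:
        return False
    H = H2(msg["M"], msg["PID"], msg["PK"], msg["R"], msg["T"])
    lhs = pow(msg["R"], msg["Sig"], P) * pow(params["A_pub"], H1(msg["PID"]) * H, P)
    return lhs % P == pow(G, H3(msg["R"]), P)

def batch_verify(msgs, params, now, rng, max_age=5, m=80):
    # Batch verification with random exponents in [1, 2^m]; the paper uses m = 80.
    if not all(now - max_age <= x["T"] <= now for x in msgs):
        return False
    prod, exp_a, exp_g = 1, 0, 0
    for x in msgs:
        rho = rng.randrange(1, (1 << m) + 1)
        H = H2(x["M"], x["PID"], x["PK"], x["R"], x["T"])
        prod = prod * pow(x["R"], rho * x["Sig"], P) % P
        exp_a += rho * H1(x["PID"]) * H
        exp_g += rho * H3(x["R"])
    return prod * pow(params["A_pub"], exp_a, P) % P == pow(G, exp_g, P)

def demo(seed=7):
    # Rotate through three pseudo-IDs, then exercise the accept, reject and trace paths.
    rng, now, real_id = random.Random(seed), 1_000, 0x2A7C    # constructed vehicle ID
    ta = TrustedAuthority(rng)
    creds = ta.register_vehicle(real_id, z=3)
    msgs = [sign(f"pos={i},speed=50".encode(), creds[i % 3], now, rng) for i in range(4)]
    forged = dict(msgs[0], M=b"pos=0,speed=120")              # payload altered in transit
    return (all(verify(x, ta.params, now) for x in msgs),
            batch_verify(msgs, ta.params, now, rng),
            verify(forged, ta.params, now),
            batch_verify([msgs[1], forged], ta.params, now, rng),
            verify(msgs[1], ta.params, now + 60),             # replayed past the window
            ta.trace(msgs[2]["PID"], msgs[2]["PK"]) == real_id)
```

Only the TA can run `trace`, since it needs $b$; every other party sees only the masked $PID$ and the per-message $PK$.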
5.1. Security model

The definition of security for our proposed solution is given by a game executed between a polynomial-time adversary $\mathcal{A}$ and a challenger $\mathcal{I}$. In the game, $\mathcal{A}$ mounts a number of oracle queries to $\mathcal{I}$ as follows, which can be requested adaptively.

Setup: This query simulates the initialization of the VANET system. When receiving this query, $\mathcal{I}$ creates the master keys and $Params$, and returns $Params$ to $\mathcal{A}$.

$H_i$: After $\mathcal{A}$ sends the query with the information $I$, $\mathcal{I}$ selects a random number $\pi_i \in Z_q^*$, stores $(I, \pi_i)$ in the list $L_{H_i}$ and returns $\pi_i$ to $\mathcal{A}$, where $i = 0, 1, 2, 3$.

GenerateVehicle: Upon receiving the vehicle $V_i$'s identity $ID_i$, $\mathcal{I}$ produces $V_i$'s pseudo-identities $PID_i^*$ and private keys $SK_i^*$, and stores $\{ID_i, PID_i^*, SK_i^*\}$ in the list $L_{vehicle}$.

CorruptVehicle: Upon receiving the vehicle $V_i$'s identity $ID_i$, $\mathcal{I}$ transmits $V_i$'s pseudo-identities $PID_i^*$ and private keys $SK_i^*$ to $\mathcal{A}$.

Signature: Upon receiving $\mathcal{A}$'s message $M$ and pseudo-identity $PID_i$, $\mathcal{I}$ generates and returns the corresponding signature message $Msgs$ to $\mathcal{A}$.

Upon executing the aforementioned queries, $\mathcal{A}$ fabricates a signature $Sig_i^*$ of a traffic message $M_i^*$ associated with $V_i^*$'s identity $ID_i^*$. $\mathcal{A}$ wins the above experiment if all the conditions below are fulfilled.

1) $Sig_i^*$ is legitimate, namely: $\mathrm{Verification}(M^*, V_i^*, ID_i^*, Sig_i^*) = 1$.
2) $\mathcal{A}$ has not made a CorruptVehicle query associated with $V_i^*$'s identity $ID_i^*$.
3) $\mathcal{A}$ has not made a Signature query associated with $V_i^*$'s pseudo-identity $PID_i^*$ and message $M_i^*$.

Let the function $\mathrm{Adv}^{CPPA}_{\mathcal{A}}$ denote the advantage of $\mathcal{A}$ in breaking the conditional privacy-preserving authentication of the presented solution.

Definition 5.1. The proposed solution is chosen-identity and chosen-message secure if, for any polynomial-time adversary $\mathcal{A}$, the function $\mathrm{Adv}^{CPPA}_{\mathcal{A}}$ is negligible.

5.2. Provable security

Based on Definition 5.1, the chosen-identity and chosen-message security of the proposed solution is proved using random oracles.

Theorem 5.1. Assuming that the underlying discrete logarithm (DL) problem is intractable, the proposed CPPA solution for VANETs is secure in the random oracle model.

Proof. Assume that a polynomial-time adversary $\mathcal{A}$ could fabricate a valid signature message $Msgs = \{M_i, PID_{i,l}, PK_{i,l}, R_i, T_i, Sig_i\}$ with a non-negligible advantage $\varepsilon$; then the challenger $\mathcal{I}$ can solve the DL problem with a non-negligible advantage by executing $\mathcal{A}$ as a subroutine. Let $A_{pub} = g^a$ be an instance of the DL problem, where the aim of $\mathcal{I}$ is to compute $a$. First, $\mathcal{I}$ issues $Params = \{q, G, g, A_{pub}, B_{pub}, H_0, H_1, H_2, H_3\}$ to $\mathcal{A}$, and $\mathcal{A}$ performs random oracle queries adaptively, simulated by $\mathcal{I}$ as below.

$H_0$ oracle: $\mathcal{I}$ maintains a list $L_{H_0}$ in the form of $\{\cdot, B_{pub}, \pi_0\}$, which is empty initially. When $\mathcal{A}$ issues a query $\{\cdot, B_{pub}\}$ to $\mathcal{I}$, $\mathcal{I}$ checks whether the tuple $\{\cdot, B_{pub}, \pi_0\}$ is in the list $L_{H_0}$. If so, $\mathcal{I}$ issues $\pi_0 = H_0(\cdot, B_{pub})$ to $\mathcal{A}$; otherwise, $\mathcal{I}$ selects a random nonce $\pi_0 \in Z_p$, issues $\pi_0 = H_0(\cdot, B_{pub})$ to $\mathcal{A}$ and appends $\{\cdot, B_{pub}, \pi_0\}$ to the list $L_{H_0}$.

$H_1$ oracle: $\mathcal{I}$ maintains a list $L_{H_1}$ in the form of $\{\Upsilon, \pi_1\}$, which is empty initially. When $\mathcal{A}$ issues a query $\Upsilon$ to $\mathcal{I}$, $\mathcal{I}$ checks whether the tuple $\{\Upsilon, \pi_1\}$ is in the list $L_{H_1}$. If so, $\mathcal{I}$ issues $\pi_1 = H_1(\Upsilon)$ to $\mathcal{A}$; otherwise, $\mathcal{I}$ selects a random nonce $\pi_1 \in Z_p$, issues $\pi_1 = H_1(\Upsilon)$ to $\mathcal{A}$ and appends $\{\Upsilon, \pi_1\}$ to the list $L_{H_1}$.

$H_2$ oracle: $\mathcal{I}$ maintains a list $L_{H_2}$ in the form of $\{M_i, PID_i, PK_i, R_i, T_i, \pi_2\}$, which is empty initially. When $\mathcal{A}$ issues a query $\{M_i, PID_i, PK_i, R_i, T_i\}$ to $\mathcal{I}$, $\mathcal{I}$ checks whether the tuple $\{M_i, PID_i, PK_i, R_i, T_i, \pi_2\}$ is in the list $L_{H_2}$. If so, $\mathcal{I}$ issues $\pi_2 = H_2(M_i, PID_i, PK_i, R_i, T_i)$ to $\mathcal{A}$; otherwise, $\mathcal{I}$ selects a random nonce $\pi_2 \in Z_p$, issues $\pi_2 = H_2(M_i, PID_i, PK_i, R_i, T_i)$ to $\mathcal{A}$ and appends $\{M_i, PID_i, PK_i, R_i, T_i, \pi_2\}$ to the list $L_{H_2}$.

$H_3$ oracle: $\mathcal{I}$ maintains a list $L_{H_3}$ in the form of $\{R_i, \pi_3\}$, which is empty initially. When $\mathcal{A}$ issues a query $\{R_i\}$ to $\mathcal{I}$, $\mathcal{I}$ checks whether the tuple $\{R_i, \pi_3\}$ is in the list $L_{H_3}$. If so, $\mathcal{I}$ issues $\pi_3 = H_3(R_i)$ to $\mathcal{A}$; otherwise, $\mathcal{I}$ selects a random nonce $\pi_3 \in Z_p$, issues $\pi_3 = H_3(R_i)$ to $\mathcal{A}$ and appends $\{R_i, \pi_3\}$ to the list $L_{H_3}$.

GenerateVehicle oracle: $\mathcal{I}$ maintains a list $L_{vehicle}$ in the form of $\{ID_i, k_i, PK_i, PID_i, SK_i\}$, which is empty initially. Once $\mathcal{A}$ sends this query to $\mathcal{I}$, $\mathcal{I}$ checks whether the tuple $\{ID_i, k_i, PK_i, PID_i, SK_i\}$ is in the list $L_{vehicle}$. If so, $\mathcal{I}$ returns $PK_i$ to $\mathcal{A}$; otherwise $\mathcal{I}$ executes the steps below.

1) If $ID_i = ID_i^*$, $\mathcal{I}$ selects three random numbers $k_i$, $\pi_0$ and $\pi_1$, computes $PK_i = g^{k_i}$ and holds $\{PID_i, SK_i\}$. $\mathcal{I}$ stores $\{ID_i, k_i, PK_i, PID_i, SK_i\}$, $\{\cdot, B_{pub}, \pi_0\}$ and $\{\Upsilon, \pi_1\}$ in the lists $L_{vehicle}$, $L_{H_0}$ and $L_{H_1}$ respectively. At last, $\mathcal{I}$ returns $PK_i$ to $\mathcal{A}$.
2) If $ID_i \neq ID_i^*$, $\mathcal{I}$ selects three random numbers $k_i$, $\pi_0$ and $\pi_1$, computes $PK_i = g^{k_i}$, $PID_i = ID_i \oplus \pi_0$, $SK_i = a \cdot \pi_1$. $\mathcal{I}$ stores $\{ID_i, k_i, PK_i, PID_i, SK_i\}$, $\{\cdot, B_{pub}, \pi_0\}$ and $\{\Upsilon, \pi_1\}$ in the lists $L_{vehicle}$, $L_{H_0}$ and $L_{H_1}$ respectively and finally returns $PK_i$ to $\mathcal{A}$.

CorruptVehicle oracle: $\mathcal{I}$ retrieves $\{ID_i, k_i, PK_i, PID_i, SK_i\}$ from $L_{vehicle}$ and issues $\{PID_i, SK_i\}$ to $\mathcal{A}$.

Signature oracle: Upon receiving $\mathcal{A}$'s query with message $M_i$ and pseudo-identity $PID_i$, $\mathcal{I}$ selects random numbers $r_i$, $\pi_2$, $\pi_3$ and computes $R_i = g^{r_i}$ and $Sig_i = (\pi_3 - SK_i \cdot \pi_2) \cdot r_i^{-1}$. $\mathcal{I}$ stores $\{M_i, PID_i, PK_i, R_i, T_i, \pi_2\}$ in the list $L_{H_2}$ and $\{R_i, \pi_3\}$ in the list $L_{H_3}$, and returns the signature message $Msgs = \{M_i, PID_i, PK_i, R_i, T_i, Sig_i\}$ to $\mathcal{A}$.

Finally, $\mathcal{A}$ outputs a signature message $\{M_i, PID_{i,l}, PK_{i,l}, R_i, T_i, Sig_i\}$ to $\mathcal{I}$ with $PID_{i,l}$. If $PID_i \neq PID_i^*$, then $\mathcal{I}$ aborts the game. $\mathcal{I}$ checks whether the equation below holds.

$$R_i^{Sig_i} \cdot A_{pub}^{H_1(PID_{i,l}) \cdot H_i} = g^{H_3(R_i)} \qquad (1)$$

If it does not hold, then $\mathcal{I}$ interrupts the game. Based on the forking lemma in [37], if the challenger repeats the procedure with a different selection of $H_1$, then $\mathcal{A}$ can output another legitimate signature message $\{M_i, PID_{i,l}, PK_{i,l}, R_i, T_i, Sig_i'\}$ with the advantage $\varepsilon \ge \frac{1}{9}$. Thus, the following equation is obtained:

$$R_i^{Sig_i'} \cdot A_{pub}^{H_1(PID_{i,l}) \cdot H_i'} = g^{H_3(R_i)} \qquad (2)$$

According to the above two equations, the following equations are obtained:

$$R_i^{Sig_i - Sig_i'} = A_{pub}^{H_1(PID_{i,l}) \cdot (H_i' - H_i)} \qquad (3)$$

$$R_i^{Sig_i \cdot H_i' - Sig_i' \cdot H_i} = g^{H_3(R_i) \cdot (H_i' - H_i)} \qquad (4)$$

Hence, based on Equations (3) and (4), the following equations can be respectively obtained.
• $R_i^{Sig_i - Sig_i'} = A_{pub}^{H_1(PID_{i,l}) \cdot (H_i' - H_i)}$,

$$g^{r_i \cdot (Sig_i - Sig_i')} = g^{a \cdot H_1(PID_{i,l}) \cdot (H_i' - H_i)}$$

$$r_i \cdot (Sig_i - Sig_i') = a \cdot H_1(PID_{i,l}) \cdot (H_i' - H_i) \qquad (5)$$

• $R_i^{Sig_i \cdot H_i' - Sig_i' \cdot H_i} = g^{H_3(R_i) \cdot (H_i' - H_i)}$,

$$g^{r_i \cdot (Sig_i \cdot H_i' - Sig_i' \cdot H_i)} = g^{H_3(R_i) \cdot (H_i' - H_i)}$$

$$r_i \cdot (Sig_i \cdot H_i' - Sig_i' \cdot H_i) = H_3(R_i) \cdot (H_i' - H_i) \qquad (6)$$

According to Equations (5) and (6), $\mathcal{I}$ outputs $H_3(R_i) \cdot H_1(PID_{i,l})^{-1} \cdot (Sig_i - Sig_i') \cdot (Sig_i \cdot H_i' - Sig_i' \cdot H_i)^{-1}$ as the result of the DL problem. The advantage with which $\mathcal{I}$ solves the DL problem can be analyzed via the following events.

1) $E_{pid}$ denotes the event that $PID_i$ and $PID_i^*$ are equal.
2) $E_{forge}$ denotes the event that $\mathcal{A}$ can forge two legitimate signatures.

Let $N_{H_1}$ denote the number of $H_1$ oracle queries executed in the above experiments. Thus, $\mathrm{Prob}[E_{pid}] = \frac{1}{N_{H_1}}$, $\mathrm{Prob}[E_{forge} \mid E_{pid}] \ge \frac{1}{9} \cdot \varepsilon$, and the advantage that $\mathcal{A}$ can solve the DL problem is as below.

$$\mathrm{Prob}[E_{forge} \wedge E_{pid}] = \mathrm{Prob}[E_{forge} \mid E_{pid}] \cdot \mathrm{Prob}[E_{pid}] \ge \frac{1}{9} \cdot \varepsilon \cdot \frac{1}{N_{H_1}} = \frac{\varepsilon}{9 N_{H_1}}.$$

Therefore $\mathcal{I}$ solves the DL problem with a non-negligible advantage $\frac{\varepsilon}{9 N_{H_1}}$, due to the non-negligible $\varepsilon$ and the bounded $N_{H_1}$. However, this contradicts the hardness of the DL problem in $G$. Consequently, this completes the proof. □

5.3. Security and attributes analysis

Message authentication and integrity: Upon receiving $Msgs = \{M_i, PID_{i,l}, PK_{i,l}, R_i, T_i, Sig_i\}$ from $V_i$, the verifier (one nearby RSU or vehicle) verifies the correctness of $R_i^{Sig_i} \cdot A_{pub}^{H_1(PID_{i,l}) \cdot H_i} = g^{H_3(R_i)}$ in order to check the message's validity and integrity. Based on Theorem 5.1 in Section 5.2, there is no polynomial-time adversary $\mathcal{A}$ that could fabricate a valid message when the DL problem is hard. Thus, $\mathcal{A}$ can neither obtain the master private key of the TA nor generate legitimate information for message authentication and integrity.

Traceability: In the pseudo-identity generation and private key extraction phase, the vehicle's genuine identity is in the pseudo-IDs $PID_i^* = \{PID_{i,1}, PID_{i,2}, \cdots, PID_{i,z}\}$, where $PID_{i,l} = ID_i \oplus H_0(PK_{i,l}^b, B_{pub})$ and $l \in \{1, 2, \cdots, z\}$. By knowing the master secret key $b$ of the VANET system, the TA can extract the real identity $ID_i = PID_{i,l} \oplus H_0(PK_{i,l}^b, B_{pub})$. Consequently, the function of traceability is provided by the proposed CPPA solution.

Identity privacy preservation: In the pseudo-identity generation and private key extraction phase, the vehicle's genuine identity is concealed in $PID_i^* = \{PID_{i,1}, PID_{i,2}, \cdots, PID_{i,z}\}$ by the TA, where $PID_{i,l} = ID_i \oplus H_0(PK_{i,l}^b, B_{pub})$ and $l \in \{1, 2, \cdots, z\}$. To reveal the real identity $ID_i$ from $PID_{i,l} = ID_i \oplus H_0(PK_{i,l}^b, B_{pub})$, $\mathcal{A}$ needs to compute $PK_{i,l}^b = g^{k_{i,l} \cdot b}$ based on $PK_{i,l} = g^{k_{i,l}}$ and $B_{pub} = g^b$. This, however, contradicts the hardness of the CDH problem. Therefore, the proposed CPPA solution for VANETs preserves identity privacy.

Unlinkability: The TA selects a group of private random numbers $\{k_{i,1}, k_{i,2}, \cdots, k_{i,z}\} \in Z_q^*$ in the pseudo-identity generation and private key extraction phase, and the vehicle also chooses a random $r_i \in Z_q^*$ in the message signing phase, where $PID_i^* = \{PID_{i,1}, PID_{i,2}, \cdots, PID_{i,z}\}$, $PID_{i,l} = ID_i \oplus H_0(PK_{i,l}^b, B_{pub})$, $SK_i^* = \{SK_{i,1}, SK_{i,2}, \cdots, SK_{i,z}\}$, $R_i = g^{r_i}$, $H_i = H_2(M_i, PID_i, PK_{i,l}, R_i, T_i) \in Z_q^*$, $Sig_i = (H_3(R_i) - SK_{i,l} \cdot H_i) \cdot r_i^{-1}$. Due to the randomness of $k_{i,l}$ and $r_i$, the vehicle generates random identities and signatures from which the adversary cannot find the connection between two anonymous identities or two signatures (i.e. it is not able to determine whether they are sent by the same vehicle). Thus, our solution achieves unlinkability.

No certificate management: In the proposed anonymous CPPA solution for vehicles, neither vehicles nor RSUs store any certificates for message verification. The vehicle only needs to memorize the system parameters $Params$ and $\{PID_i^*, SK_i^*, PK_i^*\}$, where $PID_i^* = \{PID_{i,1}, PID_{i,2}, \cdots, PID_{i,z}\}$, $PID_{i,l} = ID_i \oplus H_0(PK_{i,l}^b, B_{pub})$, $SK_i^* = \{SK_{i,1}, SK_{i,2}, \cdots, SK_{i,z}\}$, $SK_{i,l} = a \cdot H_1(PID_{i,l})$, $PK_i^* = \{PK_{i,1}, PK_{i,2}, \cdots, PK_{i,z}\}$, $PK_{i,l} = g^{k_{i,l}}$ and $l \in \{1, 2, \cdots, z\}$, generated by the TA, which is all that is necessary for the message signature. Therefore, the TA does not need to manage any certificate.

Full batch verification: According to the batch verification function in Section 4.1, upon receiving $n$ messages $\{M_1, PID_{1,l}, PK_{1,l}, R_1, T_1, Sig_1\}$, $\{M_2, PID_{2,l}, PK_{2,l}, R_2, T_2, Sig_2\}$, $\cdots$, $\{M_n, PID_{n,l}, PK_{n,l}, R_n, T_n, Sig_n\}$ from different vehicles during the same time interval, RSUs can verify their legitimacy simultaneously.

Message modification attack: Each vehicle user broadcasts an anonymous signature message to nearby RSUs and other vehicles in the format $Msgs = \{M_i, PID_{i,l}, PK_{i,l}, R_i, T_i, Sig_i\}$. $\mathcal{A}$ has the capability to change the content of $M_i$ after eavesdropping on the wireless medium. In order to protect the integrity of the message, a vehicle's signature on $M_i$ is generated as $Sig_i = (H_3(R_i) - SK_{i,l} \cdot H_i) \cdot r_i^{-1}$, where $T_i$ is the current timestamp, $R_i = g^{r_i}$ and $H_i = H_2(M_i, PID_{i,l}, PK_{i,l}, R_i, T_i) \in Z_q^*$. Since the private key $SK_i$ is known only to the particular vehicle, no attacker can generate a valid signature. Besides, the private key $SK_i$ is changed periodically. Thus, the presented CPPA solution for VANETs is secure against message modification attacks.

Impersonation attack: To execute an impersonation attack, $\mathcal{A}$ has to be able to generate a valid $Msgs = \{M_i, PID_{i,l}, PK_{i,l}, R_i, T_i, Sig_i\}$, where $R_i^{Sig_i} \cdot A_{pub}^{H_1(PID_{i,l}) \cdot H_i} = g^{H_3(R_i)}$. Based on Theorem 5.1, $\mathcal{A}$ cannot forge such a signature message. RSUs and other vehicles can check the validity of the messages by verifying the correctness of the aforementioned equation.

Man-in-the-middle attack: Based on the aforementioned analysis for message authentication and integrity, it is easy to infer that authentication between sender and receiver is supported by our solution. Therefore, our proposed CPPA method is able to resist man-in-the-middle attacks.

Replay attack: The timestamp $T_i$ is included in the signature message $Msgs = \{M_i, PID_{i,l}, PK_{i,l}, R_i, T_i, Sig_i\}$ and is also included in the generation of $Sig_i$. Thus, the verifier can detect a replay attack when $T_i$ is no longer fresh, and the proposed CPPA solution for VANETs is resilient to replay attacks.

Stolen verifier table attack: The adversary is not capable of stealing any verifier table since there is no verifier table maintained by RSUs or vehicles. Therefore, the presented CPPA solution for VANETs is resilient to stolen verifier table attacks.

Full batch verification: It is necessary for the receiver to verify the validity of multiple received messages at the same time; therefore, we provide full batch verification in the presented CPPA scheme.

No map-to-point operation: It is expensive and complicated to execute the map-to-point operation; thus, the map-to-point operation is avoided in our CPPA scheme for VANETs.

No certificate management: The presented CPPA scheme does not use certificate verification, in order to decrease the complexity and overhead of certificate management as the number of vehicles increases.
Table 1
Run time of multiple cryptographic operations.

Cryptographic operation | Running time (milliseconds)
$T_{bp}$ | 4.211 ms
$T_{sm-bp}$ | 1.709 ms
$T_{pa-bp}$ | 0.0071 ms
$T_{sm-ecc}$ | 0.442 ms
$T_{pa-ecc}$ | 0.0018 ms
$T_h$ | 0.0001 ms

Provable security: Security proofs of cryptographic schemes are widely adopted by cryptographic protocols, so that customers (e.g. individuals, companies, governments, etc.) can trust the security of the cryptographic system. Therefore, the presented CPPA scheme is proved secure under a security model.

Fig. 3. Computation costs of MSG phase.
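The verification equation, the pseudo-identity mask behind traceability, the timestamp check behind replay resistance, and the extraction of $a$ from two signatures in the proof of Theorem 5.1 (Eqs. (5) and (6)) can all be exercised in a few lines. The following Python is an added example, not the authors' code or the paper's own software: it models the group as a toy Schnorr subgroup ($p = 2039$, $q = 1019$, $g = 4$, far too small to be secure), models $H_0$ to $H_3$ as SHA-256 reduced mod $q$ (an assumption; the paper only requires random oracles), and produces the forking lemma's second signature by signing a second message under the same $r_i$, which yields numerically the same pair the rewound run would. The names `ta_setup`, `generate_pseudo_identity`, `trace`, `sign`, `verify`, `extract_master_key` and `demo` are the example's own.

```python
"""Toy model of the EPA-CPPA pseudo-identities, signatures and the
DL-extraction step of the proof of Theorem 5.1.

Added example, not the authors' code.  The group is a Schnorr subgroup of
order q inside Z_p^* with toy parameters p = 2039, q = 1019, g = 4 (small
enough to read by hand, NOT secure).  H_0..H_3 are modelled as SHA-256
reduced mod q, which is an assumption: the paper only treats them as random
oracles.  Function names are this example's own.
"""
import hashlib
import random

P, Q, G = 2039, 1019, 4          # q | p - 1 and g = 2^2 has order q in Z_p^*


def h(tag, *parts):
    """Domain-separated hash into Z_q standing in for H_tag."""
    data = tag.encode() + b"|".join(str(x).encode() for x in parts)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q


def ta_setup(rng):
    """TA master secrets a, b and public keys A_pub = g^a, B_pub = g^b."""
    a, b = rng.randrange(1, Q), rng.randrange(1, Q)
    return {"a": a, "b": b, "A_pub": pow(G, a, P), "B_pub": pow(G, b, P)}


def generate_pseudo_identity(ta, identity, rng):
    """One slot l of pseudo-identity generation and private key extraction."""
    while True:
        k = rng.randrange(1, Q)                          # k_{i,l}
        pk = pow(G, k, P)                                # PK_{i,l} = g^{k_{i,l}}
        pid = identity ^ h("H0", pow(pk, ta["b"], P), ta["B_pub"])
        if h("H1", pid):                                 # avoid the degenerate SK = 0
            return {"PID": pid, "PK": pk, "SK": ta["a"] * h("H1", pid) % Q}


def trace(ta, pid, pk):
    """Traceability: only the holder of b can strip the mask and recover ID_i."""
    return pid ^ h("H0", pow(pk, ta["b"], P), ta["B_pub"])


def sign(veh, msg, ts, rng, r=None):
    """Sig = (H_3(R) - SK*H) * r^-1 mod q with R = g^r, H = H_2(M, PID, PK, R, T)."""
    r = r if r is not None else rng.randrange(1, Q)
    R = pow(G, r, P)
    H = h("H2", msg, veh["PID"], veh["PK"], R, ts)
    sig = (h("H3", R) - veh["SK"] * H) * pow(r, -1, Q) % Q
    return {"M": msg, "PID": veh["PID"], "PK": veh["PK"], "R": R, "T": ts, "Sig": sig}


def verify(a_pub, m, now, max_age=60):
    """Freshness check on T_i, then R^Sig * A_pub^(H_1(PID)*H) == g^(H_3(R))."""
    if not 0 <= now - m["T"] <= max_age:
        return False                                     # stale timestamp: replay
    H = h("H2", m["M"], m["PID"], m["PK"], m["R"], m["T"])
    lhs = pow(m["R"], m["Sig"], P) * pow(a_pub, h("H1", m["PID"]) * H, P) % P
    return lhs == pow(G, h("H3", m["R"]), P)


def extract_master_key(m1, m2):
    """Eqs. (5)-(6): two valid signatures sharing R (same r) but different
    H, H' give a = H_3(R) * H_1(PID)^-1 * (Sig - Sig') * (Sig*H' - Sig'*H)^-1."""
    assert m1["R"] == m2["R"] and m1["PID"] == m2["PID"]
    H = h("H2", m1["M"], m1["PID"], m1["PK"], m1["R"], m1["T"])
    Hp = h("H2", m2["M"], m2["PID"], m2["PK"], m2["R"], m2["T"])
    den = (m1["Sig"] * Hp - m2["Sig"] * H) % Q
    if den == 0:                                         # H == H': no fork occurred
        return None
    num = (m1["Sig"] - m2["Sig"]) % Q
    return h("H3", m1["R"]) * pow(h("H1", m1["PID"]), -1, Q) * num * pow(den, -1, Q) % Q


def demo(seed=2018):
    """Run the whole flow with a seeded RNG so the results are reproducible."""
    rng = random.Random(seed)        # a real deployment uses a CSPRNG, not a seed
    ta = ta_setup(rng)
    veh = generate_pseudo_identity(ta, identity=0x1A2B3C, rng=rng)
    now = 1_530_000_000                                  # constructed timestamp
    good = sign(veh, "hard braking, lane 2", now, rng)
    modified = dict(good, M="all clear, lane 2")         # content changed in transit
    r = rng.randrange(1, Q)
    s1 = sign(veh, "msg A", now, rng, r=r)               # the forking-lemma rerun:
    s2 = sign(veh, "msg B", now, rng, r=r)               # same R, different H_2 answer
    return {
        "valid": verify(ta["A_pub"], good, now),
        "modified_rejected": not verify(ta["A_pub"], modified, now),
        "replay_rejected": not verify(ta["A_pub"], good, now + 300),
        "traced_id": trace(ta, veh["PID"], veh["PK"]),
        "extracted_a": extract_master_key(s1, s2),
        "true_a": ta["a"],
    }


if __name__ == "__main__":
    print(demo())
```

`demo()` returns the verifier's three decisions (a fresh valid message accepted, a message with modified $M_i$ rejected, the same message replayed five minutes later rejected), the $ID_i$ the TA recovers with $b$, and the value extracted from the two same-$R_i$ signatures, which equals the TA's $a$. That last result is also the operational reading of the proof for anyone deploying a Schnorr-type scheme: two signatures under one $R_i$ expose the signing secret, so $r_i$ must be fresh for every message.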

6. Performance analysis

In this section, we analyze the performance of the proposed solution as well as those of [15–17], in terms of computation and communication overheads.

6.1. Computation overheads

Notations used are as follows:

a. $\hat{e} : G_1 \times G_1 \to G_2$ denotes a bilinear pairing.
b. $T_{bp}$ denotes the run time required for a bilinear pairing operation $\hat{e}(\hat{U}, \hat{V})$, where $\hat{U}, \hat{V} \in G_1$.
c. $T_{sm-bp}$ denotes the run time for a scalar multiplication operation related to the bilinear pairing in $G_1$.
d. $T_{pa-bp}$ denotes the run time for a point addition operation related to the bilinear pairing in $G_1$.
e. $T_{sm-ecc}$ denotes the run time for a scalar multiplication operation related to ECC in an additive group $G$.
f. $T_{pa-ecc}$ denotes the run time for a point addition operation related to ECC in an additive group $G$.
g. $T_h$ denotes the time required for executing a cryptographic hash function operation.

For a fair evaluation, the same run times as in He et al.'s evaluation [36] are used – see Table 1.

Let MSG, SMV and BMV denote the message signing generation, the single message verification, and the batch messages verification, respectively.

A comparative summary of the computation overheads is presented in Table 2. Besides, Figs. 3, 4a, 4b illustrate the results visually for the computation overheads in the MSG, SMV and BMV phases respectively, whereby Fig. 4a demonstrates the whole comparative results and Fig. 4b specifically demonstrates those for the proposed scheme and He et al.'s scheme.

In the MSG phase of Azees et al.'s [17] CPPA solution, the vehicle user needs to perform one scalar multiplication operation related to the bilinear pairing and one cryptographic hash function operation. Thus, the run time of this phase is $1T_{sm-bp} + 1T_h \approx 1.7091$ ms. In the SMV phase, the vehicle user needs to perform two bilinear pairing operations, five scalar multiplication operations related to the bilinear pairing, and two point addition operations related to the bilinear pairing. Thus, the run time of this phase is $2T_{bp} + 5T_{sm-bp} + 2T_{pa-bp} \approx 16.9812$ ms. In the BMV phase, the vehicle user needs to perform $(1 + n)$ bilinear pairing operations, $5n$ scalar multiplication operations related to the bilinear pairing and $2n$ point addition operations. Thus, the run time of this phase is $(1 + n)T_{bp} + (5n)T_{sm-bp} + (2n)T_{pa-bp} \approx 12.7702n + 4.211$ ms.

In the MSG phase of the proposed CPPA solution, the vehicle user needs to perform one scalar multiplication operation related to ECC and two cryptographic hash function operations. Hence, the run time of this phase is $1T_{sm-ecc} + 2T_h \approx 0.4422$ ms. In the SMV phase, the vehicle user needs to perform four scalar multiplication operations related to ECC, one point addition operation related to ECC and two cryptographic hash function operations. Therefore, the run time of this phase is $4T_{sm-ecc} + 1T_{pa-ecc} + 2T_h \approx 1.77$ ms. In the BMV phase, the vehicle user needs to perform $(2 + 2n)$ scalar multiplication operations related to ECC, $n$ point addition operations related to ECC and $2n$ cryptographic hash function operations. Therefore, the run time of this phase is $(2 + 2n)T_{sm-ecc} + (n)T_{pa-ecc} + (2n)T_h \approx 0.886n + 0.884$ ms. Therefore, the computation overheads in the MSG, SMV and BMV phases of our solution are lower than those in Azees et al.'s CPPA solution (see Figs. 3, 4a, 4b for details).

Similarly, the computation costs of the proposed CPPA solution (i.e. the MSG, SMV and BMV phases) are lower than those in [15,16] respectively (see Figs. 3, 4a, 4b for details).

Table 2
Computation overheads: a comparative summary.

Schemes | MSG phase | SMV phase | BMV phase
He et al.'s solution [15] | $3T_{sm-ecc} + 3T_h \approx 1.3263$ ms | $5T_{sm-ecc} + 1T_{pa-ecc} + 2T_h \approx 2.212$ ms | $(2 + 3n)T_{sm-ecc} + (2n - 1)T_{pa-ecc} + (2n)T_h \approx 1.3298n + 0.8822$ ms
Shao et al.'s solution [16] | $12T_{sm-bp} + 2T_h + 3T_{pa-bp} \approx 20.5295$ ms | $10T_{bp} + 4T_{sm-bp} + 2T_h \approx 48.9462$ ms | $(10n)T_{bp} + (4n)T_{sm-bp} + (2n)T_h \approx 48.9462n$ ms
Azees et al.'s solution [17] | $1T_{sm-bp} + 1T_h \approx 1.7091$ ms | $2T_{bp} + 5T_{sm-bp} + 2T_{pa-bp} \approx 16.9812$ ms | $(1 + n)T_{bp} + (5n)T_{sm-bp} + (2n)T_{pa-bp} \approx 12.7702n + 4.211$ ms
Proposed solution | $1T_{sm-ecc} + 2T_h \approx 0.4422$ ms | $4T_{sm-ecc} + 1T_{pa-ecc} + 2T_h \approx 1.77$ ms | $(2 + 2n)T_{sm-ecc} + (n)T_{pa-ecc} + (2n)T_h \approx 0.886n + 0.884$ ms

6.2. Communication overheads

The communication overheads are now evaluated. According to He et al.'s [15] experiment, let the sizes of the elements in $G_1$ and $G$ be 128 bytes and 40 bytes respectively. In addition, let the element in $Z_q^*$, the value of the hash function and the timestamp be 20 bytes,
Fig. 4a. Computation costs of BMV phase.

Fig. 4b. Computation costs of BMV phase.

Fig. 5. Communication costs.

20 bytes and 4 bytes, respectively. Since the message about traffic status is similar, only the size of messages relating to the signature and the certificate is considered in this section. A comparative summary is given in Table 3 and the comparative results are illustrated visually in Fig. 5.

In He et al.'s solution [15], the vehicle transmits its signature messages $\{AID_i, T_i, R_i, M_i\}$ to the verifier, where $AID_i = \{AID_{i,1}, AID_{i,2}\}$, $AID_{i,1} \in G$, $AID_{i,2} \in G$, $R_i \in G$, $\sigma_i \in Z_q$ and $T_i$ is a timestamp. Thus, the communication overhead is $3 \times 40 + 20 + 4 = 144$ bytes. In Shao et al.'s solution [16], the vehicle transmits its signature messages $\{\sigma_1, \sigma_2, \sigma_3, \sigma_4, \sigma_5, \sigma_6, \sigma_7, \sigma_8, \sigma_9, \sigma_{10}, \sigma_{11}\}$ to the verifier, where $\{\sigma_1, \sigma_2, \sigma_3, \sigma_4, \sigma_5, \sigma_6, \sigma_7, \sigma_8, \sigma_9\} \in G_1$, $\sigma_{11} \in Z_q^*$ and $\sigma_{10}$ is a hash operation result. Hence, the communication overhead is $9 \times 128 + 2 \times 20 = 1192$ bytes. In Azees et al.'s solution [17], the vehicle transmits its signature messages $\{sig \,\|\, Y_k \,\|\, Cert_k\}$ to the verifier, where $Cert_k = \{Y_k \,\|\, E_i \,\|\, DID_{u_i} \,\|\, \gamma_u \,\|\, \gamma_v \,\|\, c \,\|\, \lambda \,\|\, \sigma_1 \,\|\, \sigma_2\}$, $\{sig, E_i, DID_{u_i}, \gamma_u, \gamma_v, Y_k\} \in G_1$, $\{\lambda, \sigma_1, \sigma_2\} \in Z_q^*$ and $c$ is a hash operation result. Hence, the communication overhead is $6 \times 128 + 4 \times 20 = 848$ bytes. In the proposed solution, the vehicle transmits the pseudo-identity and signature $\{PID_{i,l}, PK_{i,l}, R_i, T_i, Sig_i\}$ to the verifier, where $\{R_i, Sig_i, PK_{i,l}\} \in G$, $PID_{i,l}$ is a hash operation result and $T_i$ is the timestamp. Therefore, the communication overhead is $3 \times 40 + 20 + 4 = 144$ bytes.

Table 3
Communication overheads: a comparative summary.

Schemes | Sending of one message | Sending of n messages
He et al.'s solution [15] | 144 bytes | 144n bytes
Shao et al.'s solution [16] | 1192 bytes | 1192n bytes
Azees et al.'s solution [17] | 848 bytes | 848n bytes
The proposed solution | 144 bytes | 144n bytes

Therefore, the proposed solution incurs a favorable communication overhead in comparison to the three other schemes [15–17].

7. Conclusion

VANETs will become increasingly popular and potentially more interconnected with the fabric of our society. For example, in the future, sensors on vehicles may be used to collect our body data that can be linked to healthcare and other relevant industries in order to deliver appropriate services. Security and privacy will remain two of several key research topics in such applications, at least in the foreseeable future.

This paper studied CPPA schemes for VANETs. Specifically, it presented an efficient and anonymous CPPA scheme, which can be utilized in safety-related VANET applications. It then proved the security of the proposed solution and evaluated its performance.

In the future, a prototype of the proposed solution for real-world evaluation is going to be implemented, for example within a closed environment (e.g. within the campus grounds of the authors' institutions in Germany and the U.S.). This will allow us to evaluate and refine the proposed scheme, in order to make it more practical and efficient.

Acknowledgements

This work was partially supported by the National Natural Science Foundation of China under grant 61672414; by the National Cryptography Development Fund of China under grant MMJJ20170113; by National Funding from the FCT – Fundação para a Ciência e a Tecnologia through the UID/EEA/500008/2013 Project; by the Government of the Russian Federation, Grant 08-08; by the Brazilian National Council for Research and Development (CNPq) via Grant No. 309335/2017-5; by FINEP, with resources from Funttel, Grant No. 01.14.0231.00, under the Radiocommunication Reference Center (Centro de Referência em Radiocomunicações – CRR) project of the National Institute of Telecommunications (Instituto Nacional de Telecomunicações – Inatel), Brazil; and by the Deanship of Scientific Research at King Saud University through research group No. (RG-1439-58). Jiliang Li would also like to thank the China Scholarship Council (CSC) for scholarship support under grant 201606960049.

References

[1] H. La Vinh, A.R. Cavalli, Security attacks and solutions in vehicular ad hoc networks: a survey, Int. J. AdHoc Netw. Syst. 4 (2) (2014) 1–20.
[2] F. Qu, Z. Wu, F.Y. Wang, W. Cho, A security and privacy review of VANETs, IEEE Trans. Intell. Transp. Syst. 16 (6) (2015) 2985–2996.
[3] K.A. Shim, CPAS: an efficient conditional privacy-preserving authentication scheme for vehicular sensor networks, IEEE Trans. Veh. Technol. 61 (4) (2012) 1874–1883.
[4] S.F. Tzeng, S.J. Horng, T. Li, X. Wang, P.H. Huang, M.K. Khan, Enhancing security and privacy for identity-based batch verification scheme in VANETs, IEEE Trans. Veh. Technol. 66 (4) (2017) 3235–3248.
[5] T.W. Chim, S.M. Yiu, L.C.K. Hui, V.O.K. Li, SPECS: secure and privacy enhancing communications solutions for VANETs, Ad Hoc Netw. 9 (2) (2011) 189–203.
[6] M. Raya, J.P. Hubaux, Securing vehicular ad hoc networks, J. Comput. Secur. 15 (1) (2007) 39–68.
[7] M.R. Jabbarpour, H. Zarrabi, R.H. Khokhar, S. Shamshirband, K.-K.R. Choo, Applications of computational intelligence in vehicle traffic congestion problem: a survey, Soft Comput. 22 (7) (2018) 2299–2320.
[8] Z. Zhou, C. Gao, C. Xu, Y. Zhang, S. Mumtaz, J. Rodriguez, Social big data based content dissemination in Internet of Vehicles, IEEE Trans. Ind. Inform. 14 (2) (2018) 768–777.
[9] K.A. Shim, Reconstruction of a secure authentication solution for vehicular ad hoc networks using a binary authentication tree, IEEE Trans. Wirel. Commun. 12 (11) (2013) 5386–5393.
[10] J. Song, F. Yang, K.-K.R. Choo, Z. Zhuang, L. Wang, SIPF: a secure installment payment framework for drive-thru internet, ACM Trans. Embed. Comput. Syst. 16 (2) (2017) 52.
[11] S. Zeadally, R. Hunt, Y.S. Chen, A. Irwin, A. Hassan, Vehicular ad hoc networks (VANETS): status, results, and challenges, Telecommun. Syst. 50 (4) (2012) 217–241.
[12] D. Jacobs, K.-K.R. Choo, N.H. Le-Khac, M.T. Kechadi, Volkswagen car entertainment system forensics, in: 16th IEEE International Conference on Trust, Security and Privacy in Computing and Communications, TrustCom 2017, 2017, pp. 1076–1081.
[13] R.G. Engoulou, M. Bellaïche, S. Pierre, A. Quintero, VANET security surveys, Comput. Commun. 44 (2014) 1–3.
[14] J. Wan, D. Zhang, S. Zhao, L. Yang, J. Lloret, Context-aware vehicular cyber-physical systems with cloud support: architecture, challenges, and solutions, IEEE Commun. Mag. 52 (8) (2014) 106–113.
[15] D. He, S. Zeadally, B. Xu, X. Huang, An efficient identity-based conditional privacy-preserving authentication solution for vehicular ad hoc networks, IEEE Trans. Inf. Forensics Secur. 10 (12) (2015) 2681–2691.
[16] J. Shao, X. Lin, R. Lu, C. Zuo, A threshold anonymous authentication protocol for VANETs, IEEE Trans. Veh. Technol. 65 (3) (2016) 1711–1720.
[17] M. Azees, P. Vijayakumar, L.J. Deboarh, EAAP: efficient anonymous authentication with conditional privacy-preserving scheme for vehicular ad hoc networks, IEEE Trans. Intell. Transp. Syst. 18 (9) (2017) 2467–2476.
[18] C. Gamage, B. Gras, B. Crispo, A.S. Tanenbaum, An identity-based ring signature solution with enhanced privacy, in: Securecomm Workshops, 2006, pp. 1–5.
[19] Y. Jiang, M. Shi, X.S. Shen, BAT: a robust signature solution for vehicular networks using binary authentication tree, IEEE Trans. Wirel. Commun. 8 (4) (2009) 1974–1983.
[20] R. Lu, X. Lin, H. Zhu, P. Ho, X. Shen, ECPP: efficient conditional privacy preservation protocol for secure vehicular communications, in: IEEE INFOCOM, 2008, pp. 1229–1237.
[21] R. Lu, X. Lin, T.-H. Luan, Pseudonym changing at social spots: an effective strategy for location privacy in VANETs, IEEE Trans. Veh. Technol. 61 (1) (2012) 86–96.
[22] C. Zhang, R. Lu, X. Lin, P.-H. Ho, X. Shen, An efficient identity based batch verification solution for vehicular sensor networks, in: IEEE INFOCOM, 2008, pp. 816–824.
[23] X. Lin, X. Sun, P.-H. Ho, X. Shen, GSIS: a secure and privacy preserving protocol for vehicular communication, IEEE Trans. Veh. Technol. 56 (6) (2007) 3442–3456.
[24] Y. Nozaki, Y. Ikezaki, M. Yoshikawa, Tamper resistance of IoT devices against electromagnetic analysis, in: 2016 IEEE International Meeting for Future of Electron Devices (IMFEDK), Kansai, 2016, pp. 1–2.
[25] J.K. Liu, T.H. Yuen, M.H. Au, W. Susilo, Improvements on an authentication solution for vehicular sensor networks, Expert Syst. Appl. 41 (5) (2014) 2559–2564.
[26] J.S. Li, K.H. Liu, A lightweight identity authentication protocol for vehicular networks, Telecommun. Syst. 53 (4) (2013) 425–438.
[27] C.C. Lee, Y.M. Lai, Toward a secure batch verification with group testing for VANET, Wirel. Netw. 19 (6) (2013) 1441–1449.
[28] T. Oulhaci, M. Omar, F. Harzine, I. Harfi, Secure and distributed certification system architecture for safety message authentication in VANET, Telecommun. Syst. 64 (4) (2017) 679–694.
[29] C.C. Lee, Y.M. Lai, P.J. Cheng, An efficient multiple session key establishment scheme for VANET group integration, IEEE Intell. Syst. 31 (6) (2016) 35–43.
[30] C.P. Schnorr, Efficient signature generation by smart cards, J. Cryptol. 4 (3) (1991) 161–174.
[31] L. Zhang, et al., Distributed aggregate privacy-preserving authentication in VANETs, IEEE Trans. Intell. Transp. Syst. 18 (3) (2017) 516–526.
[32] L. Zhang, OTIBAAGKA: a new security tool for cryptographic mix-zone establishment in vehicular ad hoc networks, IEEE Trans. Inf. Forensics Secur. 12 (12) (2017) 2998–3010.
[33] M.R. Asaar, M. Salmasizadeh, W. Susilo, A. Majidi, A secure and efficient authentication technique for vehicular ad-hoc networks, IEEE Trans. Veh. Technol. 67 (6) (2018) 5409.
[34] B. Ko, H. Lee, S.H. Son, GPS-less localization system in vehicular networks using dedicated short range communication, in: 2016 IEEE 22nd International Conference on Embedded and Real-Time Computing Systems and Applications (RTCSA), 2016, p. 106.
[35] D. Galindo, J. Herranz, E. Kiltz, On the generic construction of identity-based signatures with additional properties, in: Proc. Int. Conf. Theory Appl. Cryptol. Inf. Secur, 2006, pp. 178–193.
[36] D. He, N. Kumar, K.-K.R. Choo, W. Wu, Efficient hierarchical identity-based signature with batch verification for automatic dependent surveillance-broadcast system, IEEE Trans. Inf. Forensics Secur. 12 (2) (2017) 454–464.
[37] D. Pointcheval, J. Stern, Security arguments for digital signatures and blind signatures, J. Cryptol. 13 (3) (2000) 361–396.