Vehicular Communications
www.elsevier.com/locate/vehcom
Article info

Article history: Received 5 April 2018; Received in revised form 15 May 2018; Accepted 8 July 2018; Available online 18 July 2018

Keywords: Authentication; Privacy-preserving; Provably-secure; Vehicular ad hoc networks

Abstract

Unlike wired networks, vehicular ad hoc networks (VANETs) are subject to a broader range of attacks due to their wireless broadcast nature. One of the potential cryptographic solutions to ensure authentication and privacy preservation is conditional privacy-preserving authentication (CPPA) schemes. Although a number of CPPA schemes have been proposed in the literature, existing approaches generally suffer from limitations such as the security problem of system private keys and high computation requirements during the certificate generation and message verification phases. To resolve these issues, this paper presents a provably-secure CPPA scheme for VANETs and demonstrates that the proposed solution provides both the security and the privacy required in a VANET application. It also demonstrates its utility in terms of computation and communication overheads and offers optimal performance compared with related schemes.

© 2018 Elsevier Inc. All rights reserved.
https://doi.org/10.1016/j.vehcom.2018.07.001
2214-2096/© 2018 Elsevier Inc. All rights reserved.
J.L. Li et al. / Vehicular Communications 13 (2018) 104–113 105
Fig. 1. An example of VANETs.

fic administration department or other relevant department (e.g. law enforcement or fire department), so that the necessary actions can be undertaken [15]. Hence, it is not surprising that VANETs and the many variants (e.g. Internet of Vehicles, intelligent transport systems, and smart cities) have received recent attention [6]. Similar to other wireless networks, there are a number of other features important to VANETs, such as the following:

Security: Once attackers have control over the communication channels, they could easily eavesdrop on, tamper with, replay or even drop messages sent within VANETs. In other words, designers of VANETs need to ensure the system is secure against a wide range of attacks such as masquerading, replaying, tunneling, message modification, and key and certificate replication attacks [6,11,15]. For example, a malicious adversary may hijack and modify the initial messages or masquerade as a legitimate vehicle to broadcast 'fake' messages, resulting in chaos or traffic incidents [15]. Hence, the capability to ensure the authenticity of messages from vehicles in VANETs is crucial.

Anonymity: In addition, if the vehicle user sends his/her identity to RSUs or other vehicles without masking, a malicious attacker may track the user's routes by capturing the messages. The leakage of routes may have real-world consequences such as physical stalking, kidnapping, and assassination (e.g. a malicious adversary intercepts messages and replaces them with fabricated messages in order to reroute the victim's vehicles). Therefore, anonymity is another key feature in VANETs [16].

Traceability (and conditional privacy): If a misbehaving vehicle transmits malicious or suspicious information to RSUs or nearby vehicles, then the system needs to have the capability to identify the vehicle (and the owner) so that the vehicle (and the owner) can be taken to task (e.g. monetary penalties to other criminal sanctions). Thus, both traceability and conditional privacy are important features [15]. Conditional privacy means that the TA is the only party who can extract the vehicle's real identity.

Conditional privacy-preserving authentication (CPPA) schemes such as those presented in [3,6,9,15–22] can be used to achieve both security and privacy related properties in VANETs. There are, however, limitations in these existing schemes, as discussed in Section 2.

This paper introduces an efficient, provably-secure and anonymous conditional privacy-preserving solution for VANETs in order to overcome limitations in existing CPPA schemes. To be specific, the four main contributions of our work are described as follows.

• First, the vulnerabilities of existing schemes are reviewed and analyzed, and several security weaknesses of these schemes are pointed out. Then, the vehicular system architecture, consisting of the network model and design goals, is given.

The rest of this paper is organized as follows. Section 2 provides an overview of some related works in this field. Some background knowledge is prepared in Section 3. Section 4 presents an efficient and anonymous conditional privacy-preserving scheme. Section 5 and Section 6 evaluate the security and performance of our proposed method respectively. At last, we conclude this paper in Section 7.

2. Related literature

This section briefly reviews existing literature on CPPA schemes designed for VANETs.

In 2006, Gamage et al. [18] introduced an identity-based ring signature solution to ensure privacy for VANET applications. However, the presented approach does not provide traceability, and this implies a lack of conditional privacy. A year later, in 2007, Raya et al. [6] introduced a CPPA solution based on anonymous certificates. Specifically, to mask the vehicle's real identity, a large number of public/private key pairs and corresponding certificates based on Public Key Infrastructure (PKI) are preloaded into the memory space of vehicles' OBUs, and the OBU randomly selects a public/private key pair that can be used for authentication. This imposes storage requirements on each vehicle (e.g. to store its public/private key pairs and corresponding certificates) and on the TA (e.g. to store all vehicles' certificates). For a large system with vehicles constantly joining and leaving, it is not a trivial task to search for and identify a misbehaving vehicle in practice. In 2008, a new CPPA solution using bilinear pairing was designed by Lu et al. [20]. In this solution, the RSU sends a temporary anonymous certificate to each vehicle that passes through the region of the RSU. The RSUs also provide the vehicles with a new anonymous certificate periodically to enforce conditional privacy. However, this solution has a low efficiency. In the same year, Lin et al. [23] provided a privacy-preserving protocol utilizing the group signature technique, which provides traceability. However, in Lin et al.'s solution, each vehicle has to store the revocation list to avoid communicating with the 'blacklisted' vehicles. Therefore, as the number of revoked vehicles increases, the vehicles will need to spend a considerable amount of time on the verification phase alone. This is clearly not practical.

In 2008, Zhang et al. [22] constructed an identity (ID)-based batch authentication protocol based on pairing-based cryptography. In their approach, neither vehicles nor RSUs need to store any certificate. Moreover, their solution provides batch verification for multiple messages. In other words, this CPPA solution overcomes the limitation in the approaches of Raya et al. [6] and Lu et al. [20]. However, in the approach of Zhang et al. [22], a long-term system master secret $s$ is embedded in the vehicle's tamper-proof devices, which could be extracted by an adversary (e.g. via side-channel attacks [24]), particularly when the adversary has physical access to the tamper-proof devices.
point operation is supposed to be avoided in a CPPA scheme for VANET.

No certificates management: The complexity and overhead of certificates management increase with the number of the vehicles. In addition, it is necessary to verify the authenticity of the certificate prior to use. To guarantee better feasibility and performance in the vehicular system, the design of a CPPA scheme should not require certificate management.

No verifier table: To avoid governance issues and attacks relating to a verifier table, a CPPA protocol for VANET must be capable of operating without a verifier table.

Provable security: The security of the cryptographic scheme is demonstrated using a widely accepted security model [35]. In other words, without the rigor of a security proof, the customers would not be sure of the security of the cryptographic system. Therefore, a CPPA scheme is supposed to be proved secure under a security model.

4. Our proposed CPPA scheme

The proposed CPPA protocol consists of two parts, namely: an anonymous CPPA solution for the vehicle and a similar anonymous CPPA solution for the RSU. For each part, there are five phases – i.e. system parameters setup phase, pseudo-identity generation and private key extraction phase, message signing phase, single message verification, and batch message verification.

4.1. Anonymous CPPA scheme for vehicle

System parameters setup: Prior to the arrangement of the VANETs, TA generates the system parameters $Params$ as follows:

a. Given a security parameter $k \in Z^+$, TA generates a prime $q$ and a group $G$ of the order $q$, where $g$ is a generator of $G$. TA also chooses four cryptographic hash functions $H_0 : G \times G \to Z_q^*$, $H_1 : \{0,1\}^* \to Z_q^*$, $H_2 : \{0,1\}^* \times \{0,1\}^* \times G \times G \times \{0,1\}^* \to Z_q^*$ and $H_3 : G \to Z_q^*$.
b. TA selects a random number $a \in Z_q^*$ and sets $A_{pub} = g^a$, where $a$ is a master secret key for private key extraction and is only known to TA. TA chooses a random number $b \in Z_q^*$ and sets $B_{pub} = g^b$, where $b$ is a master secret key for traceability and is only known to TA.
c. Finally, TA publishes system parameters $Params = \{q, G, g, A_{pub}, B_{pub}, H_0, H_1, H_2, H_3\}$.

Pseudo-identity generation and private key extraction: Utilizing the pseudo-identities ($PID$s) that are uniquely associated with the corresponding real identities $ID$s allows us to achieve anonymous conditional privacy-preserving authentication in our solution.

a. A legitimate vehicle $V_i$ transmits information including its unique identity $ID_i$ (e.g. license plate number) to TA. Upon confirming the validity of $ID_i$, TA selects a group of private random numbers $\{k_{i,1}, k_{i,2}, \cdots, k_{i,z}\} \in Z_q^*$ and computes the corresponding public values $PK_i^* = \{PK_{i,1}, PK_{i,2}, \cdots, PK_{i,z}\}$, where $PK_{i,l} = g^{k_{i,l}}$ and $l \in \{1, 2, \cdots, z\}$. Then, TA generates a group of $PID$s for $V_i$ as $PID_i^* = \{PID_{i,1}, PID_{i,2}, \cdots, PID_{i,z}\}$, where $PID_{i,l} = ID_i \oplus H_0(PK_{i,l}^{b}, B_{pub})$ and $l \in \{1, 2, \cdots, z\}$. Hence, the real identity $ID_i$ of vehicle $V_i$ is concealed in the pseudo-IDs $PID_i^*$.
b. After computing the $PID_i^*$, TA computes private keys $SK_i^* = \{SK_{i,1}, SK_{i,2}, \cdots, SK_{i,z}\}$, where $SK_{i,l} = a \cdot H_1(PID_{i,l})$ and $l \in \{1, 2, \cdots, z\}$.
c. Finally, TA sends system parameters $Params$ and $\{PID_i^*, SK_i^*, PK_i^*\}$ to vehicle $V_i$ via a secure channel delivering a tamper-proof device for $V_i$.

Vehicle message signing: In order to guarantee message authentication and integrity, each message issued by a vehicle should be signed and verified before it is accepted by the RSUs or other vehicles. The signature on one traffic-related message $M_i$ by $V_i$ is explained as follows.

a. $V_i$ randomly selects a private key $SK_{i,l}$, a corresponding $PK_{i,l}$ and pseudo-identity $PID_{i,l}$ from the sets $SK_i^*$, $PK_i^*$ and $PID_i^*$ separately. Then, $V_i$ chooses a random $r_i \in Z_q^*$ and computes $R_i = g^{r_i}$, $H_i = H_2(M_i, PID_{i,l}, PK_{i,l}, R_i, T_i) \in Z_q^*$, $Sig_i = (H_3(R_i) - SK_{i,l} \cdot H_i) \cdot r_i^{-1}$, where $T_i$ is the current timestamp that supports the freshness of a valid signed message.
b. Then, $V_i$ issues the signature message $Msgs = \{M_i, PID_{i,l}, PK_{i,l}, R_i, T_i, Sig_i\}$ to a nearby RSU.

Single message verification: Once an RSU has received a single message signed by $V_i$, RSU will authenticate the message in order to ensure that the sender is a legitimate user rather than an adversary impersonating some legitimate user.

a. After receiving $Msgs = \{M_i, PID_{i,l}, PK_{i,l}, R_i, T_i, Sig_i\}$ signed by $V_i$, the receiver checks the freshness of timestamp $T_i$. The verifier drops the message if it is not fresh.
b. If $T_i$ is valid, the receiver then computes $H_1(PID_{i,l})$, $H_i = H_2(M_i, PID_{i,l}, PK_{i,l}, R_i, T_i) \in Z_q^*$ and verifies whether $R_i^{Sig_i} \cdot A_{pub}^{H_1(PID_{i,l}) \cdot H_i} = g^{H_3(R_i)}$. If the equation is satisfied, then the receiver accepts the validity of the message $M_i$; otherwise, the receiver rejects it.

Batch messages verification: When there are a large number of vehicles in the communication range of an RSU, single message authentication for vehicle users may result in computation overhead on each RSU due to verification delay. Therefore, this paper also presents a batch verification method so that RSU can efficiently verify multiple messages from vehicles at the same time. This will significantly reduce verification delay. Upon receiving $n$ messages $\{M_1, PID_{1,l}, PK_{1,l}, R_1, T_1, Sig_1\}$, $\{M_2, PID_{2,l}, PK_{2,l}, R_2, T_2, Sig_2\}$, $\cdots$, $\{M_n, PID_{n,l}, PK_{n,l}, R_n, T_n, Sig_n\}$ simultaneously, RSU uses $Params = \{q, G, g, A_{pub}, B_{pub}, H_0, H_1, H_2, H_3\}$ to authenticate batch messages, as follows.

a. RSU checks the freshness of $\{T_1, T_2, \cdots, T_n\}$, and rejects the messages if some of them are not fresh.
b. RSU randomly selects $n$ numbers $\{{}_1, {}_2, \cdots, {}_n\}$, where ${}_i \in_R [1, 2^m]$ for $i = 1, 2, \cdots, n$ and $m = 80$ is typically adequate [25].
c. RSU computes $H_1(PID_{i,l})$, $H_i = H_2(M_i, PID_{i,l}, PK_{i,l}, R_i, T_i) \in Z_q^*$ for $i \in \{1, 2, \cdots, n\}$ and checks whether the below verification equation holds.

$$
g^{\sum_{i=1}^{n} ({}_i \cdot H_3(R_i))} = \prod_{i=1}^{n} R_i^{{}_i \cdot Sig_i} \cdot A_{pub}^{\sum_{i=1}^{n} ({}_i \cdot H_1(PID_{i,l}) \cdot H_i)}.
$$

If it is equal, then RSU accepts the messages; otherwise, RSU rejects the messages.

The correctness of the batch messages verification is demonstrated as follows:

$$
\begin{aligned}
&\prod_{i=1}^{n} R_i^{{}_i \cdot Sig_i} \cdot A_{pub}^{\sum_{i=1}^{n} ({}_i \cdot H_1(PID_{i,l}) \cdot H_i)} \\
&= \prod_{i=1}^{n} \left( R_i^{{}_i \cdot Sig_i} \cdot A_{pub}^{{}_i \cdot H_1(PID_{i,l}) \cdot H_i} \right) \\
&= \prod_{i=1}^{n} \left( (g^{r_i})^{{}_i \cdot (H_3(R_i) - SK_{i,l} \cdot H_i) \cdot r_i^{-1}} \cdot (g^{a})^{{}_i \cdot H_1(PID_{i,l}) \cdot H_i} \right) \\
&= \prod_{i=1}^{n} \left( g^{r_i \cdot {}_i \cdot (H_3(R_i) - (a \cdot H_1(PID_{i,l})) \cdot H_i) \cdot r_i^{-1}} \cdot g^{a \cdot {}_i \cdot H_1(PID_{i,l}) \cdot H_i} \right) \\
&= \prod_{i=1}^{n} \left( g^{r_i \cdot r_i^{-1} \cdot {}_i \cdot (H_3(R_i) - (a \cdot H_1(PID_{i,l})) \cdot H_i)} \cdot g^{{}_i \cdot a \cdot H_1(PID_{i,l}) \cdot H_i} \right) \\
&= \prod_{i=1}^{n} \left( g^{{}_i \cdot H_3(R_i) - {}_i \cdot a \cdot H_1(PID_{i,l}) \cdot H_i} \cdot g^{{}_i \cdot a \cdot H_1(PID_{i,l}) \cdot H_i} \right) \\
&= \prod_{i=1}^{n} \left( g^{{}_i \cdot H_3(R_i) - {}_i \cdot a \cdot H_1(PID_{i,l}) \cdot H_i + {}_i \cdot a \cdot H_1(PID_{i,l}) \cdot H_i} \right) \\
&= \prod_{i=1}^{n} g^{{}_i \cdot H_3(R_i)} \\
&= g^{\sum_{i=1}^{n} ({}_i \cdot H_3(R_i))}
\end{aligned}
$$

4.2. Anonymous CPPA scheme for RSU

The system parameters setup phase in the anonymous CPPA solution for RSU is the same as that described in Section 4.1; thus, this section omits this phase in the discussion that follows.

RSU-identity generation and private key extraction: TA generates a unique identity $RID_j$ for each RSU, which includes its corresponding location information. Then, TA computes the private key for RSU as follows.

a. For a given RSU's identity $RID_j$, TA selects a group of private random numbers $\{x_{j,1}, x_{j,2}, \cdots, x_{j,z}\} \in Z_q^*$ and computes the corresponding public values $Y_j^* = \{Y_{j,1}, Y_{j,2}, \cdots, Y_{j,z}\}$, where $Y_{j,l} = g^{x_{j,l}}$ and $l \in \{1, 2, \cdots, z\}$.
b. TA computes private keys $RSK_j^* = \{RSK_{j,1}, RSK_{j,2}, \cdots, RSK_{j,z}\}$, where $RSK_{j,l} = a \cdot H_1(RID_j)$ and $l \in \{1, 2, \cdots, z\}$.
c. Finally, the TA sends $Params$ and $\{RID_j, RSK_j^*, Y_j^*\}$ to RSU via a secure channel. Then, RSU stores its private key $\{RSK_j^*, Y_j^*\}$ with its corresponding identity $RID_j$ into its storage memory.

RSU message signing: In the event when an RSU broadcasts location-based traffic information to nearby vehicles, the signature on a traffic-related message $M_j$ generated by the RSU is as follows:

a. RSU chooses a private key $RSK_{j,l}$ from the set $RSK_j^*$, a corresponding $Y_{j,l}$ from the set $Y_j^*$, a random $w_j \in Z_q^*$ and computes $W_j = g^{w_j}$, $RH_j = H_2(M_j, RID_j, Y_{j,l}, W_j, T_j) \in Z_q^*$, and $Rsig_j = (H_3(W_j) - RSK_{j,l} \cdot RH_j) \cdot w_j^{-1}$, whereby $T_j$ is the current timestamp which supports the freshness of a valid signed message.
b. Then, RSU broadcasts the signature message $Msgs = \{M_j,$

accepts the validity of the message $M_j$; otherwise, $V_i$ rejects it.

Batch messages verification: To handle the situation when a vehicle receives multiple signed messages from the same RSU in a time interval, a batch verification method is also presented. This allows the vehicle to efficiently verify multiple messages from vehicles at the same time. Specifically, after receiving $t$ messages $\{M_1, RID_1, Y_{1,l}, W_1, T_1, Rsig_1\}$, $\{M_2, RID_2, Y_{2,l}, W_2, T_2, Rsig_2\}$, $\cdots$, $\{M_t, RID_t, Y_{t,l}, W_t, T_t, Rsig_t\}$ simultaneously, the vehicle verifies them using the following steps.

a. The vehicle checks the freshness of $\{T_1, T_2, \cdots, T_t\}$, and rejects the messages if some of them are not fresh.
b. The vehicle randomly selects $t$ numbers $\{\varsigma_1, \varsigma_2, \cdots, \varsigma_t\}$, where $\varsigma_j \in_R [1, 2^m]$ for $j = 1, 2, \cdots, t$ and $m = 80$ is typically adequate [25].
c. The vehicle computes $RH_j = H_2(M_j, RID_j, Y_{j,l}, W_j, T_j) \in Z_q^*$, $H_1(RID_j)$ for $j \in \{1, 2, \cdots, t\}$ and checks whether the below verification equation holds.

$$
\prod_{j=1}^{t} W_j^{\varsigma_j \cdot Rsig_j} \cdot A_{pub}^{\sum_{j=1}^{t} (\varsigma_j \cdot H_1(RID_j) \cdot RH_j)} = g^{\sum_{j=1}^{t} (\varsigma_j \cdot H_3(W_j))}.
$$

If it is equal, then the vehicle accepts the messages; otherwise, the vehicle rejects the messages.

The correctness of the batch messages verification is demonstrated as follows.

$$
\begin{aligned}
&\prod_{j=1}^{t} W_j^{\varsigma_j \cdot Rsig_j} \cdot A_{pub}^{\sum_{j=1}^{t} (\varsigma_j \cdot H_1(RID_j) \cdot RH_j)} \\
&= \prod_{j=1}^{t} \left( W_j^{\varsigma_j \cdot Rsig_j} \cdot A_{pub}^{\varsigma_j \cdot H_1(RID_j) \cdot RH_j} \right) \\
&= \prod_{j=1}^{t} \left( (g^{w_j})^{\varsigma_j \cdot (H_3(W_j) - RSK_{j,l} \cdot RH_j) \cdot w_j^{-1}} \cdot (g^{a})^{\varsigma_j \cdot H_1(RID_j) \cdot RH_j} \right) \\
&= \prod_{j=1}^{t} \left( g^{w_j \cdot \varsigma_j \cdot (H_3(W_j) - (a \cdot H_1(RID_j)) \cdot RH_j) \cdot w_j^{-1}} \cdot g^{a \cdot \varsigma_j \cdot H_1(RID_j) \cdot RH_j} \right) \\
&= \prod_{j=1}^{t} \left( g^{w_j \cdot w_j^{-1} \cdot \varsigma_j \cdot (H_3(W_j) - (a \cdot H_1(RID_j)) \cdot RH_j)} \cdot g^{\varsigma_j \cdot a \cdot H_1(RID_j) \cdot RH_j} \right) \\
&= \prod_{j=1}^{t} \left( g^{\varsigma_j \cdot H_3(W_j) - \varsigma_j \cdot a \cdot H_1(RID_j) \cdot RH_j} \cdot g^{\varsigma_j \cdot a \cdot H_1(RID_j) \cdot RH_j} \right)
\end{aligned}
$$
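The vehicle-side phases of Section 4.1 (setup, pseudo-identity and key extraction, signing, single and batch verification), as an added Python example that is not the authors' code; the RSU scheme of Section 4.2 has the same shape with renamed symbols. Assumptions: $G$ is modelled as the order-$q$ subgroup of $Z_p^*$ for a small constructed safe prime, $H_0$ to $H_3$ are domain-separated SHA-256, and the freshness window, the subgroup check on $R_i$, the coefficient name `c` and all function names are illustrative.

```python
import hashlib
import secrets

BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)

def is_prime(n):
    """Miller-Rabin; these fixed bases are deterministic for n < 3.3e24."""
    if n < 38:
        return n in BASES
    if any(n % b == 0 for b in BASES):
        return False
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    def witness(b):  # True when base b proves n composite
        x = pow(b, d, n)
        return x not in (1, n - 1) and all(pow(x, 2 ** i, n) != n - 1 for i in range(1, s))
    return not any(witness(b) for b in BASES)

def demo_group(bits=72):
    """Constructed toy group, far too small for real use: p = 2q + 1, g = 4 has order q."""
    q = (1 << (bits - 1)) + 1
    while not (is_prime(q) and is_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1, q, 4

P, Q, G = demo_group()
FRESH = 5  # assumed freshness window for T, in seconds

def H(tag, *parts):
    """H0..H3 modelled as domain-separated SHA-256 mapped into Z_q^* (assumption)."""
    digest = hashlib.sha256(repr((tag,) + parts).encode()).digest()
    return int.from_bytes(digest, "big") % (Q - 1) + 1

def ta_setup():
    a, b = (secrets.randbelow(Q - 1) + 1 for _ in range(2))
    return (a, b), (pow(G, a, P), pow(G, b, P))  # master (a, b), public (A_pub, B_pub)

def ta_extract(master, pubs, real_id, z=3):
    """z credentials: PK = g^k, PID = ID xor H0(PK^b, B_pub), SK = a * H1(PID)."""
    (a, b), creds = master, []
    for _ in range(z):
        pk = pow(G, secrets.randbelow(Q - 1) + 1, P)
        pid = real_id ^ H("H0", pow(pk, b, P), pubs[1])
        creds.append({"PID": pid, "PK": pk, "SK": a * H("H1", pid) % Q})
    return creds

def ta_trace(master, pubs, pid, pk):
    """Undo the XOR mask with b; only the TA holds b."""
    return pid ^ H("H0", pow(pk, master[1], P), pubs[1])

def sign(cred, msg, t):
    r = secrets.randbelow(Q - 1) + 1
    R = pow(G, r, P)
    h = H("H2", msg, cred["PID"], cred["PK"], R, t)
    sig = (H("H3", R) - cred["SK"] * h) * pow(r, -1, Q) % Q
    return {"M": msg, "PID": cred["PID"], "PK": cred["PK"], "R": R, "T": t, "Sig": sig}

def well_formed(m, now):  # fresh T, plus an added check that R is in the order-q subgroup
    return abs(now - m["T"]) <= FRESH and 1 < m["R"] < P and pow(m["R"], Q, P) == 1

def terms(m):  # per-message exponents (H1(PID) * H_i mod q, H3(R))
    h = H("H2", m["M"], m["PID"], m["PK"], m["R"], m["T"])
    return H("H1", m["PID"]) * h % Q, H("H3", m["R"])

def verify(a_pub, m, now):
    """Single check: R^Sig * A_pub^(H1(PID) * H_i) == g^H3(R)."""
    if not well_formed(m, now):
        return False
    e, h3 = terms(m)
    return pow(m["R"], m["Sig"], P) * pow(a_pub, e, P) % P == pow(G, h3, P)

def batch_verify(a_pub, msgs, now, m_bits=80):
    """Batch check with a fresh random coefficient in [1, 2^m] per message."""
    if not all(well_formed(m, now) for m in msgs):
        return False
    lhs, a_exp, g_exp = 1, 0, 0
    for m in msgs:
        c = secrets.randbelow(1 << m_bits) + 1
        e, h3 = terms(m)
        lhs = lhs * pow(m["R"], c * m["Sig"] % Q, P) % P
        a_exp, g_exp = (a_exp + c * e) % Q, (g_exp + c * h3) % Q
    return lhs * pow(a_pub, a_exp, P) % P == pow(G, g_exp, P)

def demo(now=1_700_000_000):  # constructed inputs: one vehicle, three pseudonyms
    master, pubs = ta_setup()
    creds = ta_extract(master, pubs, real_id=0x5AFE1234)
    msgs = [sign(c, f"constructed report {i}", now) for i, c in enumerate(creds)]
    forged = dict(msgs[1], M="constructed report, altered in transit")
    return {"single": [verify(pubs[0], m, now) for m in msgs],
            "batch": batch_verify(pubs[0], msgs, now),
            "batch_with_forged": batch_verify(pubs[0], [msgs[0], forged, msgs[2]], now),
            "stale": verify(pubs[0], msgs[0], now + FRESH + 1),
            "traced": [ta_trace(master, pubs, m["PID"], m["PK"]) for m in msgs]}
```

A batch that contains one altered message fails as a whole, so a verifier that must still accept the valid messages has to fall back to `verify` on each one.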
5.1. Security model

The definition of security for our proposed solution is given by a game executed between a polynomial-time adversary $A$ and a challenger $I$. In the game, $A$ mounts a number of oracle queries to $I$ as follows, which can be requested adaptively.

Setup: This query simulates the initialization of the VANET system. When receiving this query, $I$ creates the master keys and $Params$, and returns $Params$ to $A$.

$H_i$: After $A$ sends the query with the information $I$, $I$ selects a random number $\pi_i \in Z_q^*$, stores $(I, \pi_i)$ in the list $L_{H_i}$ and returns $\pi_i$ to $A$, where $i = 0, 1, 2, 3$.

GenerateVehicle: Upon receiving the vehicle $V_i$'s identity $ID_i$, $I$ produces $V_i$'s pseudo-identities $PID_i^*$, private keys $SK_i^*$ and stores $\{ID_i, PID_i^*, SK_i^*\}$ in the list $L_{vehicle}$.

CorruptVehicle: Upon receiving the vehicle $V_i$'s identity $ID_i$, $I$ transmits $V_i$'s pseudo-identities $PID_i^*$ and private keys $SK_i^*$ to $A$.

Signature: Upon receiving $A$'s message $M$ and pseudo-identity $PID_i$, $I$ generates and returns the corresponding signature message $Msgs$ to $A$.

Upon executing the aforementioned queries, $A$ fabricates a signature $Sig_i^*$ of a traffic message $M_i^*$ associated with $V_i^*$'s identity $ID_i^*$.

$A$ wins the above experiment if all the below conditions are fulfilled.

1) $Sig_i^*$ is legitimate, namely: $Verification(M^*, V_i^*, ID_i^*, Sig_i^*) = 1$.
2) $A$ has not made a CorruptVehicle query associated with $V_i^*$'s identity $ID_i^*$.
3) $A$ has not made a Signature query associated with $V_i^*$'s pseudo-identity $PID_i^*$ and message $M_i^*$.

H1 oracle: $I$ maintains a list $L_{H_1}$ in the form of $\{\Upsilon, \pi_1\}$, which is empty initially. When $A$ issues a query $\Upsilon$ to $I$, $I$ checks whether the tuple $\{\Upsilon, \pi_1\}$ is in the list $L_{H_1}$. If so, $I$ issues $\pi_1 = H_1(\Upsilon)$ to $A$, otherwise, $I$ selects a random nonce $\pi_1 \in Z_p$, issues $\pi_1 = H_1(\Upsilon)$ to $A$ and appends $\{\Upsilon, \pi_1\}$ to the list $L_{H_1}$.

H2 oracle: $I$ maintains a list $L_{H_2}$ in the form of $\{M_i, PID_i, PK_i, R_i, T_i, \pi_2\}$, which is empty initially. When $A$ issues a query $\{M_i, PID_i, PK_i, R_i, T_i\}$ to $I$, $I$ checks whether the tuple $\{M_i, PID_i, PK_i, R_i, T_i, \pi_2\}$ is in the list $L_{H_2}$. If so, $I$ issues $\pi_2 = H_2(M_i, PID_i, PK_i, R_i, T_i)$ to $A$, otherwise, $I$ selects a random nonce $\pi_2 \in Z_p$, issues $\pi_2 = H_2(M_i, PID_i, PK_i, R_i, T_i)$ to $A$ and appends $\{M_i, PID_i, PK_i, R_i, T_i, \pi_2\}$ to the list $L_{H_2}$.

H3 oracle: $I$ maintains a list $L_{H_3}$ in the form of $\{R_i, \pi_3\}$, which is empty initially. When $A$ issues a query $\{R_i\}$ to $I$, $I$ checks whether the tuple $\{R_i, \pi_3\}$ is in the list $L_{H_2}$. If so, $I$ issues $\pi_3 = H_3(R_i)$ to $A$, otherwise, $I$ selects a random nonce $\pi_3 \in Z_p$, issues $\pi_3 = H_3(R_i)$ to $A$ and appends $\{R_i, \pi_3\}$ to the list $L_{H_3}$.

GenerateVehicle oracle: $I$ maintains a list $L_{vehicle}$ in the form of $\{ID_i, k_i, PK_i, PID_i, SK_i\}$ which is empty initially. Once $A$ sends this query to $I$, $A$ checks whether the tuple $\{ID_i, k_i, PK_i, PID_i, SK_i\}$ is in the list $L_{vehicle}$. If so, $I$ returns $PK_i$ to $A$; otherwise $I$ executes the steps as below.

1) If $ID_i = ID_i^*$, $I$ selects three random numbers $k_i$, $\pi_0$ and $\pi_1$, computes $PK_i = g^{k_i}$ and holds $\{PID_i, SK_i\}$. $I$ stores $\{ID_i, k_i, PK_i, PID_i, SK_i\}$, $\{\,, B_{pub}, \pi_0\}$ and $\{\Upsilon, \pi_1\}$ in the lists $L_{vehicle}$, $L_{H_0}$ and $L_{H_1}$ respectively. At last, $I$ returns $PK_i$ to $A$.
2) If $ID_i = ID_i^*$, $I$ selects three random numbers $k_i$, $\pi_0$ and $\pi_1$, computes $PK_i = g^{k_i}$, $PID_i = ID_i \oplus \pi_0$, $SK_i = a \cdot \pi_1$. $I$ stores $\{ID_i, k_i, PK_i, PID_i, SK_i\}$, $\{\,, B_{pub}, \pi_0\}$ and $\{\Upsilon, \pi_1\}$ in the lists $L_{vehicle}$, $L_{H_0}$ and $L_{H_1}$ respectively and finally returns $PK_i$ to $A$.
Table 1. Run time of multiple cryptographic operations.

Table 2. Computation overheads: a comparative summary.

20 bytes and 4 bytes, respectively. Since the message about traffic status is similar, only the size of messages relating to the signature and the certificate is considered in this section. A comparative summary is given in Table 3 and the comparative results are illustrated visually in Fig. 5.

In He et al.'s solution [15], the vehicle transmits its signature messages $\{AID_i, T_i, R_i, M_i\}$ to the verifier, where $AID_i = \{AID_{i,1}, AID_{i,2}\}$, $AID_{i,1} \in G$, $AID_{i,2} \in G$, $R_i \in G$, $\sigma_i \in Z_q$ and $T_i$ is a timestamp. Thus, the communication overhead is $3 \times 40 + 20 + 4 = 144$ bytes. In Shao et al.'s solution [16], the vehicle transmits its signature messages $\{\sigma_1, \sigma_2, \sigma_3, \sigma_4, \sigma_5, \sigma_6, \sigma_7, \sigma_8, \sigma_9, \sigma_{10}, \sigma_{11}\}$ to the verifier, where $\{\sigma_1, \sigma_2, \sigma_3, \sigma_4, \sigma_5, \sigma_6, \sigma_7, \sigma_8, \sigma_9\} \in G_1$, $\sigma_{11} \in Z_q^*$, $\sigma_{10}$ is a hash operation result. Hence, the communication overhead is $9 \times 128 + 2 \times 20 = 1192$ bytes. In Azees et al.'s solution [17], the vehicle transmits its signature messages $\{sig \; Y_k \; Cert_k\}$ to the verifier, where $Cert_k = \{Y_k \; E_i \; DID_{u_i} \; \gamma_u \; \gamma_v \; c \; \lambda \; \sigma_1 \; \sigma_2\}$, $\{sig, E_i, DID_{u_i}, \gamma_u, \gamma_v, Y_k\} \in G_1$, $\{\lambda, \sigma_1, \sigma_2\} \in Z_q^*$, $c$ is a hash operation result. Hence, the communication overhead is $6 \times 128 + 4 \times 20 = 848$ bytes. In the proposed solution, the vehicle transmits the pseudo-identity and signature $\{PID_{i,l}, PK_{i,l}, R_i, T_i, Sig_i\}$ to the verifier, where $\{R_i, Sig_i, PK_{i,l}\} \in G$, $PID_{i,l}$ is a hash operation result, $T_i$ is the timestamp. Therefore, the communication overhead is $3 \times 40 + 20 + 4 = 144$ bytes.

7. Conclusion

Acknowledgements

This work was partially supported by the National Natural Science Foundation of China under grant 61672414; by the National Cryptography Development Fund of China under grant MMJJ20170113; by National Funding from the FCT – Fundação para a Ciência e a Tecnologia through the UID/EEA/500008/2013 Project; by the Government of the Russian Federation, Grant 08-08; by Brazilian National Council for Research and Development (CNPq) via Grant No. 309335/2017-5; by FINEP, with resources from Funttel, Grant No. 01.14.0231.00, under the Radiocommunication Reference Center (Centro de Referência em Radiocomunicações – CRR) project of the National Institute of Telecommunications (Instituto Nacional de Telecomunicações – Inatel), Brazil; and by the Deanship of Scientific Research at King Saud University through research group No. (RG-1439-58). Jiliang Li would also like to acknowledge the scholarship support from China Scholarship Council (CSC) under grant 201606960049.

References

[1] H. La Vinh, A.R. Cavalli, Security attacks and solutions in vehicular ad hoc networks: a survey, Int. J. AdHoc Netw. Syst. 4 (2) (2014) 1–20.
[2] F. Qu, Z. Wu, F.Y. Wang, W. Cho, A security and privacy review of VANETs, IEEE Trans. Intell. Transp. Syst. 16 (6) (2015) 2985–2996.
[3] K.A. Shim, CPAS: an efficient conditional privacy-preserving authentication scheme for vehicular sensor networks, IEEE Trans. Veh. Technol. 61 (4) (2012) 1874–1883.
[4] S.F. Tzeng, S.J. Horng, T. Li, X. Wang, P.H. Huang, M.K. Khan, Enhancing security and privacy for identity-based batch verification scheme in VANETs, IEEE Trans. Veh. Technol. 66 (4) (2017) 3235–3248.
[5] T.W. Chim, S.M. Yiu, L.C.K. Hui, V.O.K. Li, SPECS: secure and privacy enhancing communications solutions for VANETs, Ad Hoc Netw. 9 (2) (2011) 189–203.
[6] M. Raya, J.P. Hubaux, Securing vehicular ad hoc networks, J. Comput. Secur. 15 (1) (2007) 39–68.
[7] M.R. Jabbarpour, H. Zarrabi, R.H. Khokhar, S. Shamshirband, K.-K.R. Choo, Applications of computational intelligence in vehicle traffic congestion problem: a survey, Soft Comput. 22 (7) (2018) 2299–2320.
[8] Z. Zhou, C. Gao, C. Xu, Y. Zhang, S. Mumtaz, J. Rodriguez, Social big data based content dissemination in Internet of Vehicles, IEEE Trans. Ind. Inform. 14 (2) (2018) 768–777.
[9] K.A. Shim, Reconstruction of a secure authentication solution for vehicular ad hoc networks using a binary authentication tree, IEEE Trans. Wirel. Commun. 12 (11) (2013) 5386–5393.
[10] J. Song, F. Yang, K.-K.R. Choo, Z. Zhuang, L. Wang, SIPF: a secure installment payment framework for drive-thru internet, ACM Trans. Embed. Comput. Syst. 16 (2) (2017) 52.
[11] S. Zeadally, R. Hunt, Y.S. Chen, A. Irwin, A. Hassan, Vehicular ad hoc networks (VANETS): status, results, and challenges, Telecommun. Syst. 50 (4) (2012) 217–241.
[12] D. Jacobs, K.-K.R. Choo, N.H. Le-Khac, M.T. Kechadi, Volkswagen car entertainment system forensics, in: 16th IEEE International Conference on Trust, Security and Privacy in Computing and Communications, TrustCom 2017, 2017, pp. 1076–1081.
[13] R.G. Engoulou, M. Bellaïche, S. Pierre, A. Quintero, VANET security surveys, Comput. Commun. 44 (2014) 1–3.
[14] J. Wan, D. Zhang, S. Zhao, L. Yang, J. Lloret, Context-aware vehicular cyber-physical systems with cloud support: architecture, challenges, and solutions, IEEE Commun. Mag. 52 (8) (2014) 106–113.
[15] D. He, S. Zeadally, B. Xu, X. Huang, An efficient identity-based conditional privacy-preserving authentication solution for vehicular ad hoc networks, IEEE Trans. Inf. Forensics Secur. 10 (12) (2015) 2681–2691.
[16] J. Shao, X. Lin, R. Lu, C. Zuo, A threshold anonymous authentication protocol for VANETs, IEEE Trans. Veh. Technol. 65 (3) (2016) 1711–1720.
[17] M. Azees, P. Vijayakumar, L.J. Deboarh, EAAP: efficient anonymous authentication with conditional privacy-preserving scheme for vehicular ad hoc networks, IEEE Trans. Intell. Transp. Syst. 18 (9) (2017) 2467–2476.
[18] C. Gamage, B. Gras, B. Crispo, A.S. Tanenbaum, An identity-based ring signature solution with enhanced privacy, in: Securecomm Workshops, 2006, pp. 1–5.
[19] Y. Jiang, M. Shi, X.S. Shen, BAT: a robust signature solution for vehicular networks using binary authentication tree, IEEE Trans. Wirel. Commun. 8 (4) (2009) 1974–1983.
[20] R. Lu, X. Lin, H. Zhu, P. Ho, X. Shen, ECPP: efficient conditional privacy preservation protocol for secure vehicular communications, in: IEEE INFOCOM, 2008, pp. 1229–1237.
[21] R. Lu, X. Lin, T.-H. Luan, Pseudonym changing at social spots: an effective strategy for location privacy in VANETs, IEEE Trans. Veh. Technol. 61 (1) (2012) 86–96.
[22] C. Zhang, R. Lu, X. Lin, P.-H. Ho, X. Shen, An efficient identity based batch verification solution for vehicular sensor networks, in: IEEE INFOCOM, 2008, pp. 816–824.
[23] X. Lin, X. Sun, P.-H. Ho, X. Shen, GSIS: a secure and privacy preserving protocol for vehicular communication, IEEE Trans. Veh. Technol. 56 (6) (2007) 3442–3456.
[24] Y. Nozaki, Y. Ikezaki, M. Yoshikawa, Tamper resistance of IoT devices against electromagnetic analysis, in: 2016 IEEE International Meeting for Future of Electron Devices (IMFEDK), Kansai, 2016, pp. 1–2.
[25] J.K. Liu, T.H. Yuen, M.H. Au, W. Susilo, Improvements on an authentication solution for vehicular sensor networks, Expert Syst. Appl. 41 (5) (2014) 2559–2564.
[26] J.S. Li, K.H. Liu, A lightweight identity authentication protocol for vehicular networks, Telecommun. Syst. 53 (4) (2013) 425–438.
[27] C.C. Lee, Y.M. Lai, Toward a secure batch verification with group testing for VANET, Wirel. Netw. 19 (6) (2013) 1441–1449.
[28] T. Oulhaci, M. Omar, F. Harzine, I. Harfi, Secure and distributed certification system architecture for safety message authentication in VANET, Telecommun. Syst. 64 (4) (2017) 679–694.
[29] C.C. Lee, Y.M. Lai, P.J. Cheng, An efficient multiple session key establishment scheme for VANET group integration, IEEE Intell. Syst. 31 (6) (2016) 35–43.
[30] C.P. Schnorr, Efficient signature generation by smart cards, J. Cryptol. 4 (3) (1991) 161–174.
[31] L. Zhang, et al., Distributed aggregate privacy-preserving authentication in VANETs, IEEE Trans. Intell. Transp. Syst. 18 (3) (2017) 516–526.
[32] L. Zhang, OTIBAAGKA: a new security tool for cryptographic mix-zone establishment in vehicular ad hoc networks, IEEE Trans. Inf. Forensics Secur. 12 (12) (2017) 2998–3010.
[33] M.R. Asaar, M. Salmasizadeh, W. Susilo, A. Majidi, A secure and efficient authentication technique for vehicular ad-hoc networks, IEEE Trans. Veh. Technol. 67 (6) (2018) 5409.
[34] B. Ko, H. Lee, S.H. Son, GPS-less localization system in vehicular networks using dedicated short range communication, in: 2016 IEEE 22nd International Conference on Embedded and Real-Time Computing Systems and Applications (RTCSA), 2016, p. 106.
[35] D. Galindo, J. Herranz, E. Kiltz, On the generic construction of identity-based signatures with additional properties, in: Proc. Int. Conf. Theory Appl. Cryptol. Inf. Secur, 2006, pp. 178–193.
[36] D. He, N. Kumar, K.-K.R. Choo, W. Wu, Efficient hierarchical identity-based signature with batch verification for automatic dependent surveillance-broadcast system, IEEE Trans. Inf. Forensics Secur. 12 (2) (2017) 454–464.
[37] D. Pointcheval, J. Stern, Security arguments for digital signatures and blind signatures, J. Cryptol. 13 (3) (2000) 361–396.