International Journal of Computers and Applications

ISSN: 1206-212X (Print) 1925-7074 (Online) Journal homepage: http://www.tandfonline.com/loi/tjca20

An autonomous lightweight conditional privacypreserving authentication scheme with provable security for vehicular ad-hoc networks Sunday Oyinlola Ogundoyin To cite this article: Sunday Oyinlola Ogundoyin (2018): An autonomous lightweight conditional privacy-preserving authentication scheme with provable security for vehicular ad-hoc networks, International Journal of Computers and Applications, DOI: 10.1080/1206212X.2018.1477320 To link to this article: https://doi.org/10.1080/1206212X.2018.1477320

Published online: 27 May 2018.


INTERNATIONAL JOURNAL OF COMPUTERS AND APPLICATIONS https://doi.org/10.1080/1206212X.2018.1477320

An autonomous lightweight conditional privacy-preserving authentication scheme with provable security for vehicular ad-hoc networks

Sunday Oyinlola Ogundoyin
Department of Electrical and Electronic Engineering, University of Ibadan, Ibadan, Nigeria

ARTICLE HISTORY
Received 24 July 2017; Accepted 9 May 2018

KEYWORDS
Authentication; vehicular ad hoc networks; elliptic curve discrete logarithm problem; privacy; security

ABSTRACT
Vehicular ad hoc network (VANET) is an emerging technology in wireless communications which has the prospect to improve traffic safety and efficiency, as well as reduce air pollution. The traffic-related messages transmitted between vehicles and roadside units must be signed and verified without revealing the real identities of the vehicles. However, an authorized trusted party must be able to recover the real identity of the vehicle behind a controversial message. Existing conditional privacy-preserving authentication (CPPA) schemes in VANETs either rely on a tamper-proof device, rely on complex mathematical operations such as bilinear pairing and map-to-point hash functions, or cannot meet the privacy and security requirements of VANETs. In this work, we propose an efficient CPPA scheme for VANETs based on elliptic curve cryptography without relying on any hardware device. The scheme satisfies the security and privacy requirements of VANETs, solves the private key compromise problem, and provides a countermeasure against privilege escalation. We show that the scheme is existentially unforgeable against adaptive chosen-message and chosen-identity attacks in the random oracle model, based on the hardness of the elliptic curve discrete logarithm problem. The performance results show that the proposed scheme is more efficient than previous schemes in VANETs.

CONTACT Sunday Oyinlola Ogundoyin, [email protected]
© 2018 Informa UK Limited, trading as Taylor & Francis Group

1. Introduction
Intelligent transportation system (ITS) is gaining attention in recent times because it has the potential to improve traffic safety, reduce traffic congestion, provide convenience, and minimize environmental pollution. Vehicular ad hoc network (VANET) is a component of ITS: a self-organized network consisting of vehicles equipped with a communication device known as an onboard unit (OBU), road side units (RSUs) installed along the road side and at intersections, and a trusted authority (TA) which manages the system. There are two categories of communication in VANETs: vehicle-to-vehicle (V2V) and vehicle-to-infrastructure (V2I). Communication among OBUs, and between an OBU and an RSU, uses an open wireless technology called the dedicated short range communication (DSRC) protocol [1], whereas the TA, RSUs, and application server can communicate over a secure wired network such as the Internet. A typical VANET architecture is shown in Figure 1. Using the DSRC protocol, OBUs constantly broadcast and exchange traffic-related messages such as location, traffic conditions, speed, direction, current time, and vehicle movement to the network at an interval of 100–300 ms [2].

Figure 1. A typical model of VANET.

Based on this information, other vehicles can take the necessary measures to prevent a possible catastrophe, or use alternate routes to avoid traffic congestion and accidents. It also allows RSUs to instruct the traffic control center to take proactive actions such as adjusting or changing the traffic lights for improved traffic efficiency and safety [2]. In addition, when a VANET is connected to the Internet, passengers can enjoy unbounded Internet services such as file uploading and downloading, viewing electronic adverts, and retrieving local information such as hotel information and road maps [3]. As a result of the ubiquitous nature of wireless networks, attackers can launch several attacks such as sniffing, replay, collusion, modification, man-in-the-middle, and impersonation to obtain sensitive information and compromise users' privacy. Therefore, before VANET applications are deployed, the privacy and security issues should be considered [4]. Moreover, there are security issues [5,6] that need serious attention prior to the construction of the communication model in VANETs. Otherwise, the reliability, dependability, and general acceptability of VANET systems are likely to be low, because adversaries may modify or alter transmitted messages and track the location of vehicles [7].

Anonymity is necessary to achieve privacy preservation in VANETs. However, traceability then becomes a serious issue, because a trusted party (TP) must be able to reveal the real identity of the signer of a controversial or malicious message and take the necessary legal action. Thus, conditional traceability must be provided by allowing the TP to extract the real identity of a message sender. In recent times, several CPPA schemes have been proposed for VANETs to address the privacy and security challenges; however, their performance is unsatisfactory because they are constructed using complex mathematical operations like bilinear pairing and map-to-point hash functions. In addition, some schemes [2,3,8] use a hardware device known as a tamper-proof device (TPD) installed in the OBU, in which the system master secret key and other parameters are pre-installed. Unfortunately, if a TPD is attacked or corrupted, the master secret key is revealed and the whole system is compromised. Hence, the TPD carries a very strong security assumption. It is also expensive and may be unaffordable for vehicle owners [4]. Besides, most of the existing CPPA schemes in VANETs are not scalable. To address the computation overhead resulting from certificate revocation list (CRL) checking, Wasef and Shen [9] proposed an efficient message authentication protocol known as EMAP, which verifies a keyed-hash message authentication code (HMAC) instead of performing the costly CRL check. The scheme solves the CRL checking problem, but certificate verification is still required for every message, and its key management is difficult to implement. Jiang et al. [10] proposed an anonymous batch authentication scheme known as ABAH to remedy the CRL checking issue by using HMAC. This scheme has a certificate

verification issue. In addition, the certificate authority (CA) must issue several pseudonyms to every vehicle so that it can communicate over the network for a long period of time. This means that in ABAH, if a vehicle is revoked, the remaining pseudonyms are wasted. Wang and Yao [11] proposed a local identity-based message authentication protocol known as LIAP which combines a public key infrastructure (PKI)-based certificate with an identity-based signature. The certificate is used for node identity authentication while the identity-based signature is used for message verification. Although the scheme is more efficient than EMAP and ABAH, there is still a certificate management issue: the CRL grows linearly with the number of revoked users. Besides, the scheme utilizes a TPD, which is known to carry a strong security assumption. More importantly, the mathematical model of the scheme is wrong (the error is discussed in Section 2), which makes the scheme unsuitable for practical implementation in VANETs. In identity-based authentication schemes, every vehicle must store a large number of pseudonyms for privacy preservation, and a different pseudonym is used to sign each traffic-related message. However, when a vehicle is identified as a malicious node, it can still continue to communicate using its remaining pseudonyms. Besides, it is difficult to revoke malicious vehicles in identity-based authentication schemes without CA management [11]. In the existing identity-based CPPA schemes, a set of pseudonyms and the corresponding private keys are issued to a vehicle to communicate over the network. These schemes provide conditional traceability, an efficient revocation process, and computational efficiency, and allow vehicles to change their pseudonyms for privacy protection. However, a vehicle must store a huge number of pseudonyms and private keys, and must maintain frequent contact with the TA for pseudonym renewal.
Besides, the TA must keep and maintain a repository containing the real identity and private key pair of every vehicle in order to provide conditional traceability. Therefore, to provide an efficient revocation process while supporting conditional privacy, there is a trade-off in the number of pseudonyms the TA issues to a vehicle: (1) Issuing a small set of pseudonyms to the vehicle forces it to contact the TA frequently. This results in increased transmission overhead and hinders the autonomy of the scheme. (2) Granting a huge set of pseudonyms to the vehicle increases the size of the TA's database. Consequently, the revocation process becomes less efficient because more time is required to execute the time-consuming CRL checking.


To address the aforementioned challenges in VANETs, we propose a provably secure autonomous lightweight CPPA scheme that uses neither a special hardware device nor complex mathematical operations. The proposed scheme is scalable: the number of regional traffic management centers (RTMCs) is increased as the size of the network grows. To be specific, the main contributions of this paper are as follows.
(1) A certificateless CPPA scheme is proposed for VANETs without using a TPD.
(2) To achieve scalability, we introduce a semi-trusted public key generator (PKG) which is responsible for generating temporary secret keys for vehicles.
(3) We employ an encoding technique known as 0/1-encoding to embed an expiration time into the temporary secret key and signature of a vehicle. After the secret key expires, the vehicle can no longer generate a valid traffic-related message. This solves the problem of privilege escalation.
(4) To solve the key escrow problem, we introduce autonomy into the proposed CPPA scheme. This allows a vehicle to independently generate its pseudonyms, secret keys, and public keys without any permanent contact with the TA or RTMC.
(5) We implement an efficient revocation mechanism that addresses the CA management problem of traditional PKI-based and identity-based schemes.
(6) To improve efficiency, the proposed scheme supports batch verification of multiple messages. In addition, the construction of the scheme relies on elliptic curve cryptography (ECC), which makes it suitable for practical application in a resource-constrained setting like VANETs.
The remainder of this paper is organized as follows: Section 2 presents an extensive literature review of the related works, while Section 3 gives the background knowledge required for the proposed scheme. Section 4 describes the system model and the privacy and security requirements in VANETs. Section 5 proposes the autonomous CPPA scheme, which includes system initialization, temporary secret key generation, pseudonym and secret key generation, message signing and verification, and the revocation mechanism. In Section 6, we analyze the security of the proposed scheme and carry out performance analysis and comparison. We conclude the work in Section 7.

2. Related work
In general, three categories of CPPA schemes exist in VANETs: PKI-based, group signature-based, and pseudonym and identity-based schemes [12]. In 2007, Raya and Hubaux [13] proposed a PKI-based scheme for VANETs in which a vehicle is pre-loaded with a large number of secret/public key pairs for communication. A vehicle chooses a private key at random to generate the signature on a traffic-related message, while the receiver verifies the received message using the sender's public key. Although the scheme provides security and privacy for the communication, it incurs high communication overhead and storage space due to the large number of public key certificates. Besides, the traffic manager is required to store the anonymous certificates of all the vehicles, which increases the system overhead and makes vehicle management difficult. To remedy the weakness in Raya and Hubaux's scheme, Lu et al. [14] proposed a group-signature-based CPPA scheme for VANETs using temporary anonymous certificates, in which vehicles obtain anonymous certificates when entering an RSU's network coverage. Each vehicle maintains frequent communication with an RSU to achieve conditional traceability. However, an RSU is untrustworthy because it can be compromised. Moreover, frequent communication with the RSU results in high communication overhead. Zhang et al. [15] later used HMAC to propose an efficient CPPA scheme for VANETs. The scheme achieves conditional privacy by allowing each vehicle to use a different public/private key pair and the corresponding certificate to communicate with an RSU. However, the scheme is inefficient because each vehicle has to pre-store and manage a huge number of private/public key pairs. To address the certificate management issue in PKI-based schemes, Zhang et al. [16,17] employed identity-based signatures to construct CPPA schemes for VANETs. These schemes are efficient, with low verification delay, because they support batch verification.
However, it is assumed that each vehicle is equipped with a TPD to generate pseudonyms and the corresponding cryptographic keys. In addition, the schemes are vulnerable to replay attack, fail to provide non-repudiation [3,18], and are vulnerable to a non-traceability attack [19]. Some authentication schemes similar to [17,18] have been proposed for VANETs [20–24]. These schemes are conditional privacy-preserving and address the certificate management issue of PKI-based schemes. However, they incur high computation and communication overhead because their constructions rely on complex mathematical operations like bilinear pairing and map-to-point hash functions. In 2015, He et al. [2] proposed a pairing-free CPPA scheme for VANETs. The scheme is efficient in terms of computation and communication costs, but uses a TPD, which is known to carry a strong security assumption [25] and to be costly [26].


Chim et al. [19] proposed an identity-based CPPA scheme for VANETs known as SPECS. In SPECS, a vehicle uses a different pseudonym for every communication session to provide conditional privacy. Although the scheme is more efficient than the previous CPPA schemes in VANETs, it is vulnerable to impersonation attack [27]. To address the security issues in [18], Bayat et al. [28] proposed an improved identity-based CPPA scheme for VANETs. However, the scheme is vulnerable to a modification attack in which an adversary can modify a previously transmitted message to generate a new valid one. Besides, Bayat et al.'s scheme employs a TPD. The pseudonyms and cryptographic keys of each vehicle, including the master secret key, are pre-stored in the TPD; if the TPD is attacked or corrupted, the whole system is compromised. Some group signature-based CPPA schemes have been proposed for VANETs [29–37], in which a vehicle uses its group signature for message signing. The advantage of group signatures is that they guarantee strong anonymity [37]. Moreover, a group signature-based CPPA scheme can achieve some of the security and privacy requirements of VANETs. However, it has high computation and communication overheads due to the bilinear pairing and map-to-point hash function operations used in its construction [38]. Jiang et al. [10] proposed an anonymous batch authentication scheme known as ABAH using HMAC to address the costly CRL checking and achieve message integrity. The security and performance analyses of the scheme show that it is efficient and conditional privacy-preserving. However, the scheme has a certificate management issue. Besides, the CA must issue many pseudonyms to every vehicle for long-term communication; when a vehicle is revoked in ABAH, the remaining pseudonyms are wasted. Wang et al. [11] proposed a local identity-based message authentication protocol for VANETs known as LIAP using the duo of a traditional PKI-based certificate and an identity-based signature.
The certificate is used for node identity authentication while the identity-based signature is used for validating traffic-related messages. In LIAP, an RSU manages and assigns a local master key to every vehicle. The CA manages two types of CRL: the RSU CRL (RCRL) and the vehicle CRL (VCRL). However, frequent communication with the RSU results in high communication overhead due to the time-consuming CRL checking. In addition, RSUs are not fully trusted and may be compromised. The scheme is not efficient in terms of computation, even with batch verification. Moreover, the mathematical model of the scheme is wrong. In the scheme, the signature of a vehicle is computed as
$\sigma_i = PSK_{i,1} + h(M_s)\,PSK_{i,2}$,
where $PSK_{i,1} \in G_1$, $h(M_s) \in \mathbb{Z}_q^*$, and $PSK_{i,2} = m_{i,2}\,H(PID_{i,1}, PID_{i,2})$ with $m_{i,2} \in \mathbb{Z}_q^*$ and $H(PID_{i,1}, PID_{i,2}) \in \mathbb{Z}_q^*$. Since $PSK_{i,1}$ is a group element while $h(M_s)\,PSK_{i,2}$ is a scalar, the sum is ill-defined: it is wrong to add an element of $G_1$ to an element of $\mathbb{Z}_q^*$. Hence, the LIAP scheme cannot be adopted for practical implementation. Rajput et al. [39] proposed an efficient CPPA scheme for VANETs using the combined features of pseudonym-based and group signature-based schemes. The scheme employs pseudonyms for message authentication and a trapdoor for conditional privacy. The trapdoor mechanism allows tracking of malicious nodes for proper identification and revocation. Moreover, the scheme implements region-based grouping in which groups are managed by the CA. However, the size of the revocation list grows linearly with the network size, resulting in system overhead. Besides, the scheme has high computation and communication costs. Recently, Zhou et al. [40] proposed an efficient V2I authentication scheme for VANETs using the key-insulation approach. The scheme uses two categories of user private key: one is managed by a helper or assistant, and the other is maintained by the user. Both keys are updated periodically. The construction is based on ECC, which makes it more efficient. In addition, the scheme supports backward and forward secrecy. However, it uses a TPD, which is known to carry a strong security assumption. The scheme does not support batch verification of multiple messages, hence the number of scalar multiplication operations increases linearly with the number of messages. In the scheme, the PKG is assumed to be trustworthy; if the PKG turns out to be malicious, then the whole system is compromised. This is the key escrow problem.

3. Preliminaries
This section presents the preliminary knowledge required for the proposed scheme.

3.1. Hash chain
A hash chain applies a cryptographic hash function repeatedly to a message, producing a sequence of pseudorandom values. Consider a message $M$ and a hash function $h$; a hash chain of length $k$ is denoted by $h^k(M)$, which means hashing the output of $h(M)$ a further $k-1$ times. In other words,
$h^k(M) = h^{k-1}(h(M)) = h^{k-2}(h(h(M))) = h^{k-3}(h(h(h(M)))) = \cdots$
In the random oracle model, the $k$ values obtained are random numbers, but only one value (the seed $M$) needs to be stored to reconstruct all $k$ values.

3.2. Elliptic curve cryptography
An elliptic curve is defined by an equation of the form $E_p(a,b): y^2 = x^3 + ax + b \pmod p$ over a prime field $\mathbb{F}_p$, where $p > 3$, $a, b \in \mathbb{F}_p$, and $4a^3 + 27b^2 \not\equiv 0 \pmod p$ (the non-singularity condition). Given $n \in \mathbb{Z}_q$ and a point $P \in E_p(a,b)$, $nP$ denotes scalar multiplication over $E_p(a,b)$. In this work, we use a non-singular elliptic curve $E/\mathbb{F}_p$, where $\mathbb{F}_p$ is a finite field of prime order $p$, $E: y^2 = x^3 + ax + b$, and $4a^3 + 27b^2 \not\equiv 0 \pmod p$ with $a, b \in \mathbb{F}_p$. The point $P$ on the elliptic curve generates an additive cyclic group $G$ of prime order $q$, consisting of points on $E$ together with the point at infinity [42,43].

3.3. Computational assumption
The construction of our scheme relies on the hardness of the elliptic curve discrete logarithm problem (ECDLP).
ECDLP: Let $P_1$ and $P_2$ be points on an elliptic curve $E/\mathbb{F}_p$ and $a \in \mathbb{Z}_q^*$. Given $P_1$ and $P_2 = aP_1$, output $a$. We say that the $(\hat{t}, \varepsilon)$-elliptic curve discrete logarithm assumption (ECDLA) holds if no $\hat{t}$-time algorithm solves the ECDLP with probability at least $\varepsilon$.

3.4. 0/1-Encoding
An encoding technique known as 0-encoding and 1-encoding [41–46] converts a greater-than predicate into a set-intersection predicate. It allows the RTMC to include an expiration time in the temporary secret key of a vehicle. 0/1-encoding converts a binary date to a value in $\mathbb{Z}_p$ as follows [41–43]:
(1) Given an $l$-bit string $m = m_{[l]} m_{[l-1]} \cdots m_{[1]}$, the 0-encoding of $m$ is defined as the set
0-ENC: $T^0_m = \{\, m_{[l]} m_{[l-1]} \cdots m_{[j+1]}\,1 \mid m_{[j]} = 0,\ 1 \le j \le l \,\}$.
Similarly, the 1-encoding of $m$ is the set
1-ENC: $T^1_m = \{\, m_{[l]} m_{[l-1]} \cdots m_{[j]} \mid m_{[j]} = 1,\ 1 \le j \le l \,\}$.
(2) By the theorem in [45], $x > y$ if and only if $T^1_x$ and $T^0_y$ have a common element. We then redefine $T^0_m$ and $T^1_m$ as sets of decimal numbers that start with the digit 1:
$\bar{T}^0_m = \{\, 1\cdot 10^{\,l-j+1} + m_{[l]}\cdot 10^{\,l-j} + \cdots + m_{[j+1]}\cdot 10^{1} + 1 \mid m_{[j]} = 0,\ 1 \le j \le l \,\}$, and
$\bar{T}^1_m = \{\, 1\cdot 10^{\,l-j+1} + m_{[l]}\cdot 10^{\,l-j} + \cdots + m_{[j+1]}\cdot 10^{1} + m_{[j]} \mid m_{[j]} = 1,\ 1 \le j \le l \,\}$.
(3) Then we pad with dummy elements so that the two sets have the same number of elements. Thus, we have the following two functions:
0-ENC $\leftarrow \{m_{[l]}, m_{[l-1]}, \ldots, m_{[1]}\}$, where $m_{[j]} = z$ if $z \in \bar{T}^0_m$ and $\lfloor \log_{10} z \rfloor - 1 = j$, and $m_{[j]} = 2\cdot 10^{j}$ otherwise;
1-ENC $\leftarrow \{m_{[l]}, m_{[l-1]}, \ldots, m_{[1]}\}$, where $m_{[j]} = z$ if $z \in \bar{T}^1_m$ and $\lfloor \log_{10} z \rfloor - 1 = j$, and $m_{[j]} = 3\cdot 10^{j}$ otherwise.
For a better understanding of the 0/1-encoding technique, the reader can refer to [41–44,46] for detailed examples.

4. System model and privacy and security requirements

4.1. System model
As shown in Figure 2, the system model of the proposed scheme consists of four entities: TA, RTMC, RSU, and vehicle. Two types of communication are involved: upper layer and lower layer. In the upper layer, the TA and the RTMC communicate via a secure channel such as the secure sockets layer (SSL) protocol, while the lower layer involves the communication between an RSU and a vehicle using the DSRC protocol. The detailed description of each participant is as follows.
(1) TA: The TA is a trusted entity responsible for trust management, vehicle registration, and system parameter generation. It is also responsible for creating and managing the revocation process. It has the ability to revoke a malicious vehicle temporarily or permanently by extracting the pseudonym of the vehicle from any malicious or controversial message and adding it to the revocation list.
(2) RTMC: The RTMC is an honest-but-curious entity responsible for generating temporary secret keys for the registered vehicles and RSUs within its territory.
(3) RSU: This is a semi-trusted wireless communication device responsible for managing the communication of all OBUs within its network coverage using the DSRC protocol. The RSU communicates with other RSUs and with the TA or RTMC via a secure wired network.
(4) Vehicle: Each vehicle is equipped with a communication device known as an OBU. OBUs broadcast traffic-related beacon messages such as location, driving status, vehicle movement, current time, and traffic condition using the DSRC protocol.

Figure 2. System model.

4.2. Privacy and security requirements
A secure CPPA scheme in VANETs must meet the following privacy and security requirements.
(1) Message authentication and integrity: In VANETs, a receiver must be certain that the received message is from a legitimate user and that its content has not been modified or altered.
(2) Anonymity: Other vehicles, RSUs, or adversaries should not be able to reveal the real identity of the message sender from the signed message.
(3) Unlinkability: An adversary or malicious vehicle/RSU should be unable to link any two or more messages to the same sender.
(4) Non-repudiation: An authenticated vehicle should not be able to deny having sent a message once its identity has been revealed by the TA.
(5) Conditional traceability: The TA should be able to identify the real identity of the signer of a malicious or controversial message when necessary. For example, if a malicious vehicle sends a false or erroneous message, the TA should be able to trace the real identity of the vehicle and take the necessary legal action.
(6) Revocation: The TA should be able to revoke the licence of a vehicle found to be malicious.
(7) Resistance to various attacks: A secure CPPA scheme should be resistant against common attacks such as impersonation, replay, man-in-the-middle, modification, and stolen verifier table attacks that exist in VANETs [2].

5. The proposed scheme
In this section, we give an extensive description of our autonomous lightweight CPPA scheme. The proposed scheme is applicable to V2V and V2I communications. It is divided into five parts: system initialization, temporary secret key generation, pseudonym and secret key generation, message signing and verification, and the revocation mechanism. In this work, we assume that the TA is a fully trusted entity, which means it neither discloses the secret information of users nor colludes with adversaries. The RTMC and RSUs are modeled as honest-but-curious entities, while vehicles are untrustworthy. We also assume that the TA decides the time in the network and divides it into timeslots; the division is known to all RSUs and vehicles. The clocks of all devices in the network are synchronized. For better understanding, the methodological framework and the notations used in this paper are shown in Figure 3 and Table 1, respectively.

Figure 3. Framework for the proposed scheme.

Table 1. List of notations.
TA: Trusted authority
$v_i$: Vehicle $i$
RSU: Road side unit
RTMC: Regional traffic management center
$ID_x$: Real identity of entity $x$
$Pseudo_i$: Pseudonym of vehicle $i$
$h_x(\cdot)$: One-way collision-resistant hash functions
$p, q$: Two large prime numbers
$G$: Additive group of prime order $q$
$P$: Generator of $G$
$x$: Secret key of TA
$s$: Secret key of RTMC
$P_{pub}$: $P_{pub} = x \cdot P$, the public key of TA
$ts$: The timestamp
$T$: Transmission delay
$\parallel$: Concatenation operation
ENC: Encoding technique
$\tau_{i,j}^{EC}$: Encoded date
$\oplus$: Bit-wise exclusive-OR (XOR) operation
$PK_x$: Public key of entity $x$
$E/\mathbb{F}_p$: An elliptic curve $E$ over $\mathbb{F}_p$
$\mathbb{Z}_q$: Set of least residues modulo $q$
$M_i$: Traffic-related message
$\sigma_i$: Signature of the message $M_i$

5.1. System initialization
As shown in Figure 3, this algorithm is executed by the TA to output the system and user parameters as follows:
(1) The TA picks at random two secure large prime numbers $p, q$ and a non-singular elliptic curve $E$ defined by the equation $y^2 = x^3 + ax + b \pmod p$, where $a, b \in \mathbb{F}_p$.
(2) The TA selects an additive group $G$ of prime order $q$ with generator $P$, consisting of points on the elliptic curve $E$ together with the point $O$ at infinity.
(3) The TA selects at random $x \in \mathbb{Z}_q^*$ and computes $P_{pub} = x \cdot P$, where $x$ is the master secret key of the TA and $P_{pub}$ is its public key, the system public key.
(4) The TA chooses four hash functions, $h_1: \{0,1\}^* \to \mathbb{Z}_q$, $h_2: \{0,1\}^* \to \mathbb{Z}_q^*$, $h_3: \{0,1\}^* \times G \times G \to \mathbb{Z}_q^*$, and $h_4: \{0,1\}^* \times G \times G \times G \to \mathbb{Z}_q^*$.
(5) A vehicle $i$ submits its real identity $ID_i$ (chassis number, engine number, plate number, etc.) to the TA. The TA verifies $ID_i$, then selects $r_i \in \mathbb{Z}_q^*$ and computes $\delta_i = h_1(ID_{TA} \parallel ID_i \parallel r_i \parallel P_{pub})$ and $tk_i = h_1(\delta_i \parallel ID_{RTMC} \parallel param) \oplus ID_{RTMC}$, where $ID_{RTMC}$ and $ID_{TA}$ are the real identities of the RTMC and the TA, respectively.
(6) The TA selects a random chain seed in $\mathbb{Z}_q^*$ and derives from it the hash chain set of vehicle $i$, of length $n$, whose $k$-th element ($1 \le k \le n$) is $h_1^{\,k-1}$ applied to the seed: the first element is the seed itself, the second is $h_1$ of the seed, the third is $h_1$ of the second, and so on.
(7) The TA sends the tuple consisting of $tk_i$ and the hash chain set to vehicle $i$, sends $\delta_i$ to the RTMC, stores the pair (chain seed, $ID_i$) in its repository, and publishes the system parameters $param = \{p, q, a, b, P, P_{pub}, h_1, h_2, h_3, h_4\}$.

Figure 4. System initialization phase.
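As an added worked example (not code from the paper), the following Python script shows what the TA's repository entry (chain seed, $ID_i$) of step (7) buys: the vehicle derives its whole pseudonym set of Section 5.3 from the chain, and the TA, storing only the seed, regenerates the chain to trace any pseudonym back to a real identity and to list that vehicle's pseudonyms for the revocation list consulted in Section 5.4. It assumes SHA-256 reduced modulo the secp256k1 group order as $h_1$, placeholder byte strings for $P_{pub}$ and $param$, and constructed vehicle identities and seeds; none of these are fixed by the paper.

```python
import hashlib
from typing import Dict, List, Optional

# Assumptions (not fixed by the paper): Q is the secp256k1 group order, standing in for the prime
# order q of G; PPUB and PARAM are placeholder byte strings standing in for the encoded public values.
Q = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
PPUB = b"Ppub-placeholder"
PARAM = b"param-placeholder"


def h1(*parts: bytes) -> int:
    """h1 : {0,1}* -> Z_q, instantiated as SHA-256 over the '||'-joined parts, reduced mod q."""
    return int.from_bytes(hashlib.sha256(b"||".join(parts)).digest(), "big") % Q


def hash_chain(seed: int, n: int) -> List[int]:
    """Section 3.1 / 5.1 step (6): element k is h1^(k-1)(seed), so only the seed must be stored."""
    chain = [seed % Q]
    for _ in range(n - 1):
        chain.append(h1(chain[-1].to_bytes(32, "big")))
    return chain


def pseudonyms(seed: int, vehicle_id: bytes, n: int) -> List[int]:
    """Section 5.3 step (2): pseudo_{x,i} = h1(chain element x || ID_i || Ppub || param)."""
    return [h1(c.to_bytes(32, "big"), vehicle_id, PPUB, PARAM) for c in hash_chain(seed, n)]


class TrustedAuthority:
    """Holds only (seed, ID_i) per vehicle (5.1 step 7) and resolves pseudonyms to identities."""

    def __init__(self, n: int) -> None:
        self.n = n                        # chain length per vehicle
        self.repo: Dict[int, bytes] = {}  # chain seed -> real identity

    def register(self, vehicle_id: bytes, seed: int) -> None:
        self.repo[seed] = vehicle_id

    def trace(self, pseudo: int) -> Optional[bytes]:
        """Conditional traceability: regenerate each registered chain until the pseudonym matches."""
        for seed, vid in self.repo.items():
            if pseudo in pseudonyms(seed, vid, self.n):
                return vid
        return None

    def revocation_entries(self, vehicle_id: bytes) -> List[int]:
        """Pseudonyms to publish when vehicle_id is revoked (checked in 5.4 verification step 1)."""
        return [p for seed, vid in self.repo.items() if vid == vehicle_id
                for p in pseudonyms(seed, vid, self.n)]


def demo():
    """Constructed data: two registered vehicles, one pseudonym traced, one unknown pseudonym rejected."""
    ta = TrustedAuthority(n=5)
    ta.register(b"VIN-CONSTRUCTED-0001", 12345)
    ta.register(b"VIN-CONSTRUCTED-0002", 67890)
    ps = pseudonyms(67890, b"VIN-CONSTRUCTED-0002", 5)
    traced = ta.trace(ps[3])                      # -> b"VIN-CONSTRUCTED-0002"
    unknown = ta.trace(h1(b"not-a-chain-value"))  # -> None
    revoked = ta.revocation_entries(b"VIN-CONSTRUCTED-0002")
    return traced, unknown, len(set(ps)), revoked == ps


if __name__ == "__main__":
    print(demo())
```

Tracing here is a linear scan with $n$ hash evaluations per registered vehicle; a deployment would index pseudonyms per timeslot instead, which is the database growth that trade-off (2) in the introduction refers to.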

5.2. Temporary secret key generation
This algorithm is performed by the RTMC to generate a temporary secret key for a user, as shown in Figure 4. The process is as follows.
(1) First, vehicle $i$ requests a temporary secret key $TSK_i$ by sending $tk_i$ to the RTMC, which confirms the validity of $i$ by checking $ID_{RTMC} \stackrel{?}{=} tk_i \oplus h_1(\delta_i \parallel ID_{RTMC} \parallel param)$. If true, it checks the revocation list to confirm that $ID_i$ has not been revoked. If the vehicle is valid, the RTMC computes $TSK_i$ for $i$; otherwise, the request is rejected.
(2) The RTMC selects at random $s \in \mathbb{Z}_q^*$ as its secret key and computes its public key $PK_{RTMC} = s \cdot P$. It also sets the expiration time $\tau_{i,j}^{EC}$ of the temporary secret key and publishes $PK_{RTMC}$.
(3) The RTMC computes $k_i = h_2(param \parallel PK_{RTMC} \parallel ID_i)$, $\alpha_i = h_3(ID_i \parallel s \parallel ID_{RTMC} \parallel \tau_{i,j}^{EC})$, $\beta_i = h_2(param \parallel P_{pub} \parallel PK_{RTMC})$, $\theta_i = h_2(P_{pub} \parallel PK_{RTMC})$, $A_i = (\alpha_i \cdot \beta_i) \cdot P$, $x_i = \alpha_i \cdot \beta_i + k_i \cdot s \bmod q$, and $\vartheta_i = (\theta_i \cdot s) \oplus h_1(A_i \parallel x_i \parallel PK_{RTMC} \parallel param)$. The time-bound temporary secret key of $i$ is $TSK_i = (A_i, x_i)$.
(4) The RTMC sends $(TSK_i, \vartheta_i)$ to $i$ via a secure channel and stores $\{TSK_i, tk_i, \tau_{i,j}^{EC}\}$ in its database.

Figure 5. Temporary secret key generation phase.

5.3. Pseudonym and secret key generation
This algorithm is executed by vehicle $i$ to generate its pseudonym set, secret key, and the corresponding public key. On receiving $TSK_i$ from the RTMC, $i$ performs the following steps, as shown in Figure 5.
(1) It confirms the validity of the temporary secret key by checking $x_i \cdot P \stackrel{?}{=} A_i + k_i \cdot PK_{RTMC}$, where $k_i = h_2(param \parallel PK_{RTMC} \parallel ID_i)$ as in Section 5.2; the check holds for a correctly formed key because $x_i \cdot P = (\alpha_i \beta_i) \cdot P + k_i \cdot s \cdot P = A_i + k_i \cdot PK_{RTMC}$. If the verification is successful, the algorithm proceeds; otherwise it is aborted.
(2) For each timeslot, $i$ generates a set of pseudonyms $\{pseudo_{1,i}, pseudo_{2,i}, pseudo_{3,i}, \ldots, pseudo_{n,i}\}$, where $pseudo_{x,i}$ is $h_1$ applied to the concatenation of the $x$-th element of the vehicle's hash chain set (Section 5.1, step (6)), $ID_i$, $P_{pub}$, and $param$.
(3) It picks at random $\psi_i \in \mathbb{Z}_q^*$, sets $\xi_i = \psi_i + x_i$, and computes $SK_i = h_3(\xi_i \parallel A_i \parallel pseudo_{x,i} \parallel ID_i \parallel P_{pub} \parallel \tau_{i,j}^{EC})$ and $PK_i = SK_i \cdot P$, where $SK_i$ and $PK_i$ are the secret and public keys of vehicle $i$, and $\tau_{i,j}^{EC}$ is the expiration time of the signature encoded using the 1-encoding technique.
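The following Python code is an added example (not from the paper) of the 0/1-encoding of Section 3.4 as it is used in this scheme: the RTMC embeds the 1-encoding of the expiry $\tau_{i,j}^{EC}$ at key-generation time, and the verifier (step (3) of message verification in Section 5.4) 0-encodes the current time, so a signature is time-valid exactly when $\tau_{i,j}^{EC}$ is greater than the current time. The bit-position convention, the decimal form with a leading 1, and the dummy values $2\cdot 10^j$ and $3\cdot 10^j$ follow Section 3.4; the 32-bit timestamps are constructed values, and the function names are this example's own.

```python
from typing import List, Set

# Added illustration of Section 3.4 (not code from the paper). Bit positions follow the paper:
# m = m[l] m[l-1] ... m[1], with m[l] the most significant bit.


def zero_encoding(m: int, l: int) -> Set[str]:
    """T^0_m: for each position j with m[j] = 0, the prefix m[l..j+1] followed by a '1'."""
    bits = format(m, f"0{l}b")  # bits[0] is m[l], bits[l-1] is m[1]
    return {bits[:k] + "1" for k in range(l) if bits[k] == "0"}


def one_encoding(m: int, l: int) -> Set[str]:
    """T^1_m: for each position j with m[j] = 1, the prefix m[l..j] (ending in that 1)."""
    bits = format(m, f"0{l}b")
    return {bits[:k + 1] for k in range(l) if bits[k] == "1"}


def decimal_form(strings: Set[str]) -> List[int]:
    """Step (2): prepend a leading 1 and read each string as a decimal number (the T-bar sets)."""
    return sorted(int("1" + s) for s in strings)


def enc0(m: int, l: int) -> List[int]:
    """0-ENC of step (3): T-bar^0_m padded with dummies 2*10^j up to exactly l elements."""
    real = decimal_form(zero_encoding(m, l))
    return real + [2 * 10 ** j for j in range(1, l - len(real) + 1)]


def enc1(m: int, l: int) -> List[int]:
    """1-ENC of step (3): T-bar^1_m padded with dummies 3*10^j up to exactly l elements."""
    real = decimal_form(one_encoding(m, l))
    return real + [3 * 10 ** j for j in range(1, l - len(real) + 1)]


def greater_than(x: int, y: int, l: int) -> bool:
    """The theorem of [45]: x > y  iff  1-ENC(x) and 0-ENC(y) share an element.
    Real elements start with digit 1, dummies with 2 or 3, so padding never creates a match."""
    return bool(set(enc1(x, l)) & set(enc0(y, l)))


def signature_time_valid(expiry_enc1: List[int], now: int, l: int) -> bool:
    """Verification step (3) of Section 5.4: the key carries 1-ENC(tau); the verifier 0-encodes
    the current time; the signature is time-valid iff tau > now."""
    return bool(set(expiry_enc1) & set(enc0(now, l)))


def demo():
    """Constructed values: a 32-bit expiry timestamp checked before, at, and after expiry."""
    l = 32
    tau = 1_546_214_400                 # expiry (constructed UNIX time)
    key_material = enc1(tau, l)         # what the RTMC embeds at key-generation time
    return (signature_time_valid(key_material, 1_546_000_000, l),  # before expiry -> True
            signature_time_valid(key_material, tau, l),            # at expiry -> False
            signature_time_valid(key_material, 1_546_300_000, l))  # after expiry -> False


if __name__ == "__main__":
    print(demo())
```

The padding to exactly $l$ elements matters for privacy rather than correctness: without it, the size of a published encoding would leak the Hamming weight of the encoded date.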

5.4. Message signing and verification

Each vehicle signs a message using its pseudonym and secret key. A different pseudonym and secret key are used to generate the signature on each message, which guarantees location privacy. A verifier uses the public key of the message sender to determine the authenticity and integrity of the message. The procedure for message signing and verification is summarized in Figure 6 and is described as follows.

Figure 6. Secret key generation, message signing, and message verification.

Message signing:

(1) The vehicle i picks at random a_i ∈ Z*_q and computes λ_i = h4(SK_i ‖ a_i ‖ A_i ‖ x_i ‖ ID_i ‖ Ppub ‖ ts), i = λ_i · P, i = ϑ_i ⊕ h1(A_i ‖ x_i ‖ PK_RTMC ‖ param), and h_i = h4(M_i ‖ i ‖ pseudo_{x,i} ‖ param ‖ ts), where ts is the current timestamp, included to thwart replay attacks, and M_i is the traffic-related message.

(2) The vehicle computes its signature on M_i as σ_i = λ_i + h_i · i.

(3) Finally, the vehicle transmits (M_i, pseudo_{x,i}, i, σ_i, ts) to the other nodes on the network.

Message verification: On receiving the tuple (M_i, pseudo_{x,i}, i, σ_i, ts), a verifier executes the following steps.

(1) First, the verifier checks whether the pseudonym of the message sender, pseudo_{x,i}, is present in the revocation list (which consists of the pseudonyms of revoked users with unexpired keys). If present, the message is discarded. Otherwise, the algorithm proceeds.

(2) The verifier checks whether the message is fresh. That is, it checks that T2 − T1 ≤ T, where T1 is the time the message was generated, T2 is the time the message is received, and T is the allowable transmission delay. If the freshness check fails, a replay attack is detected and the message is discarded. Otherwise, the verifier proceeds with the verification process.

(3) The verifier checks the time-validity of the signature using the 0-encoding technique discussed in Section 3. The algorithm is aborted if the signature is not time-valid; otherwise it proceeds.

(4) The verifier recalculates h_i = h4(M_i ‖ i ‖ pseudo_{x,i} ‖ param ‖ ts) and θ_i = h2(Ppub ‖ PK_RTMC), and checks the validity of the equation σ_i · P ≟ i + h_i · θ_i · PK_RTMC.

Batch verification: To provide non-repudiation of signatures under batch verification, we employ the small exponent test [27], in which a vector of small random integers is used to detect any modification of a batch of signatures. To improve efficiency, an RSU batch-verifies multiple messages as follows.

(1) The RSU checks the freshness of the timestamps on all received messages. Any message with an invalid timestamp is rejected; otherwise the algorithm continues.

(2) The RSU checks the time-validity of the messages using 0-encoding. Any message that fails the time-validity check is discarded.

(3) The RSU selects at random a vector v = {v_1, v_2, v_3, …, v_m}, where each v_i is a small integer (so that the extra multiplications add negligible computation overhead) and m is the number of messages.

(4) The RSU checks the validity of the equation

(Σ_{i=1}^{m} v_i · σ_i) · P ≟ Σ_{i=1}^{m} (v_i · i) + (Σ_{i=1}^{m} v_i · h_i · θ_i) · PK_RTMC.

The RSU accepts the messages if the above verification equation holds.
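Worked example, added here and not part of the paper: the signing, single-verification and batch-verification equations of this section in pure Python over secp256k1 (the 160-bit curve the paper uses is not specified on this page; the arithmetic is the same on any prime-order curve). The names ec_add, ec_mul, H, setup, sign, verify, batch_verify and extract_secret, the use of SHA-256 in place of h2/h4, the 32-bit small exponents, and the name Lam for the point λ_i · P that travels with the signature are all assumptions of the example. Because the verification equation involves only PK_RTMC and the public value θ_i = h2(Ppub ‖ PK_RTMC), the correctness proof in Section 6.1 requires the signer's scalar d to satisfy d · P = θ_i · PK_RTMC, that is d = θ_i · s; the example uses exactly that and does not alter the scheme. The last function shows the algebra of Equation (3) in Section 6.1 from the signer's side: if λ_i is ever reused for two messages, the two signatures yield d and hence s, which is why a_i must be fresh for every message.

```python
# Added example (not from the paper): signing, single and batch verification
# of Section 5.4 over secp256k1 in pure Python, plus the Eq. (3) extraction.
import hashlib
import secrets

# secp256k1 parameters (assumed; the paper's 160-bit curve is not given here)
p = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
q = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
P = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def ec_add(A, B):
    """Affine addition on y^2 = x^3 + 7 over F_p; None is the point at infinity."""
    if A is None:
        return B
    if B is None:
        return A
    (x1, y1), (x2, y2) = A, B
    if x1 == x2:
        if (y1 + y2) % p == 0:
            return None
        lam = 3 * x1 * x1 * pow(2 * y1, -1, p) % p      # tangent slope (a = 0)
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, p) % p
    x3 = (lam * lam - x1 - x2) % p
    return (x3, (lam * (x1 - x3) - y1) % p)


def ec_mul(k, A):
    """Double-and-add scalar multiplication k*A."""
    R, k = None, k % q
    while k:
        if k & 1:
            R = ec_add(R, A)
        A = ec_add(A, A)
        k >>= 1
    return R


def H(*parts):
    """Hash ints, points and bytes to a scalar in Z_q* (SHA-256 stands in for h2/h4)."""
    enc = [v[0].to_bytes(32, "big") + v[1].to_bytes(32, "big") if isinstance(v, tuple)
           else v.to_bytes(32, "big") if isinstance(v, int) else v for v in parts]
    return int.from_bytes(hashlib.sha256(b"|".join(enc)).digest(), "big") % q or 1


def setup():
    """TA key x gives Ppub, RTMC key s gives PK_RTMC; theta = h2(Ppub || PK_RTMC)."""
    x, s = secrets.randbelow(q - 1) + 1, secrets.randbelow(q - 1) + 1
    Ppub, PK_RTMC = ec_mul(x, P), ec_mul(s, P)
    return {"Ppub": Ppub, "PK_RTMC": PK_RTMC, "theta": H(Ppub, PK_RTMC), "s": s}


def signing_scalar(params):
    """The correctness proof needs d*P = theta*PK_RTMC, so d = theta*s mod q."""
    return params["theta"] * params["s"] % q


def sign(d, msg, pseudo, ts):
    """lambda from the secret and fresh a_i, Lam = lambda*P, h = h4(M||Lam||pseudo||ts)."""
    lam = H(d, secrets.randbelow(q - 1) + 1, ts)
    Lam = ec_mul(lam, P)
    return (msg, pseudo, Lam, (lam + H(msg, Lam, pseudo, ts) * d) % q, ts)


def fresh(ts, now, max_delay):
    return 0 <= now - ts <= max_delay


def verify(params, tup, now, max_delay=300, revoked=frozenset()):
    """Revocation list, freshness, then sigma*P == Lam + h*theta*PK_RTMC."""
    msg, pseudo, Lam, sigma, ts = tup
    if pseudo in revoked or not fresh(ts, now, max_delay):
        return False
    h = H(msg, Lam, pseudo, ts)
    return ec_mul(sigma, P) == ec_add(Lam, ec_mul(h * params["theta"], params["PK_RTMC"]))


def batch_verify(params, tuples, now, max_delay=300, ell=32):
    """Small-exponent test: random v_i in [1, 2^ell]; a bad member slips through
    with probability about 2^-ell."""
    if not all(fresh(t[4], now, max_delay) for t in tuples):
        return False
    s_sigma, s_Lam, s_h = 0, None, 0
    for msg, pseudo, Lam, sigma, ts in tuples:
        v = secrets.randbelow(2 ** ell) + 1
        s_sigma = (s_sigma + v * sigma) % q
        s_Lam = ec_add(s_Lam, ec_mul(v, Lam))
        s_h = (s_h + v * H(msg, Lam, pseudo, ts) * params["theta"]) % q
    return ec_mul(s_sigma, P) == ec_add(s_Lam, ec_mul(s_h, params["PK_RTMC"]))


def extract_secret(params, t1, t2):
    """Two signatures with the same Lam: d = (sigma1 - sigma2)/(h1 - h2), s = d/theta."""
    h1, h2 = H(t1[0], t1[2], t1[1], t1[4]), H(t2[0], t2[2], t2[1], t2[4])
    d = (t1[3] - t2[3]) * pow(h1 - h2, -1, q) % q
    return d * pow(params["theta"], -1, q) % q


def demo():
    params, now = setup(), 1_700_000_000
    d = signing_scalar(params)
    msgs = [sign(d, b"speed=72;lane=2", b"pseudo-1", now - 1),     # constructed beacons
            sign(d, b"hard-brake", b"pseudo-2", now - 2)]
    singles = all(verify(params, t, now) for t in msgs)
    msg, ps, Lam, sigma, ts = msgs[0]
    forged = (b"speed=10;lane=2", ps, Lam, sigma, ts)            # body altered, signature kept
    lam, ps3 = 12345, b"pseudo-3"                                 # a reused nonce
    Lam3 = ec_mul(lam, P)
    reused = [(m, ps3, Lam3, (lam + H(m, Lam3, ps3, now) * d) % q, now) for m in (b"m1", b"m2")]
    return (singles, batch_verify(params, msgs, now), verify(params, forged, now),
            batch_verify(params, [msgs[1], forged], now), verify(params, msgs[0], now + 1000),
            extract_secret(params, *reused) == params["s"])
```

demo() signs two constructed beacons, verifies them singly and as a batch, then shows a message with an altered body, a batch containing that forgery, and a stale timestamp all being rejected, and finally recovers s from two signatures that share a nonce.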

5.5. Revocation mechanism

In the proposed scheme, there are two categories of revocation: temporary and permanent. In temporary revocation, the TA adds the set of pseudonyms of a malicious vehicle for the remaining timeslots to the revocation list and sends it to the other users in the network. To limit the size of the revocation list and reduce transmission overhead, only the revoked pseudonyms of the active timeslot are included. In permanent revocation, the TA revokes a malicious vehicle permanently when the vehicle is found to transmit erroneous messages capable of attacking or compromising the system. To achieve this, the TA includes the hash chain end 1,i of the malicious vehicle in the revocation list and broadcasts it to all users. With this 1,i, other nodes can compute the pseudonym set of the malicious vehicle for any timeslot. This revocation process incurs low overhead because it revokes all pseudonyms for all timeslots with only one hash value in the revocation list. Moreover, the computation overhead of recovering the revoked pseudonyms from the hash value 1,i is very low, since only a one-way hash function operation is needed to compute pseudo_{x,i} = h1(x,i ‖ Ppub ‖ param).
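Worked example, added here and not from the paper: hash-chain pseudonyms, the two revocation modes of this section, and the TA-side trace over the stored (chain end, ID_i) tuple, in pure Python. Assumptions of the example: SHA-256 for h1; the chain value is written gamma here (an assumed name) and runs forward from the stored end, gamma_{x+1} = h1(gamma_x), so that the end derives every later value while a later value reveals nothing about earlier ones; timeslot t uses n consecutive chain values; and pseudonyms follow the form given in this section, h1(gamma_{x,i} ‖ Ppub ‖ param) without ID_i, because the procedure needs other nodes to recompute them from the published chain end alone (Section 5.2 writes the pseudonym with ID_i included; with that form only the TA could expand a revocation entry).

```python
# Added example (not from the paper): hash-chain pseudonyms, temporary and
# permanent revocation, and TA-side tracing as described in Section 5.5.
import hashlib


def h1(*parts):
    """One-way hash h1 of the paper; SHA-256 assumed here."""
    return hashlib.sha256(b"|".join(parts)).digest()


def hash_chain(gamma_1, length):
    """gamma_1, gamma_2 = h1(gamma_1), ... (assumed direction: the stored end
    gamma_1 derives everything; a later value reveals nothing earlier)."""
    chain = [gamma_1]
    while len(chain) < length:
        chain.append(h1(chain[-1]))
    return chain


def pseudonym(gamma, Ppub, param):
    """pseudo_{x,i} = h1(gamma_{x,i} || Ppub || param), the form used in Section 5.5."""
    return h1(gamma, Ppub, param)


def slot_pseudonyms(gamma_1, slot, n, Ppub, param):
    """Assumption: timeslot t (1-based) uses chain values (t-1)*n+1 .. t*n."""
    chain = hash_chain(gamma_1, slot * n)
    return [pseudonym(g, Ppub, param) for g in chain[(slot - 1) * n: slot * n]]


class RevocationList:
    """A node's local view of the CRL: temporary entries are the pseudonyms of
    the active timeslot; a permanent entry is one chain end, expanded locally."""

    def __init__(self, Ppub, param, n, total_slots):
        self.Ppub, self.param, self.n, self.total_slots = Ppub, param, n, total_slots
        self.pseudos = set()
        self.chain_ends = set()

    def revoke_temporarily(self, gamma_1, active_slot):
        self.pseudos |= set(slot_pseudonyms(gamma_1, active_slot, self.n, self.Ppub, self.param))

    def revoke_permanently(self, gamma_1):
        """One hash value on the CRL revokes every pseudonym of every timeslot."""
        self.chain_ends.add(gamma_1)
        for g in hash_chain(gamma_1, self.total_slots * self.n):
            self.pseudos.add(pseudonym(g, self.Ppub, self.param))

    def is_revoked(self, pseudo):
        return pseudo in self.pseudos


def trace(pseudo, registry, total_slots, n, Ppub, param):
    """TA-side traceability: the TA stores (chain end, ID) and recomputes pseudonyms."""
    for gamma_1, identity in registry.items():
        for g in hash_chain(gamma_1, total_slots * n):
            if pseudonym(g, Ppub, param) == pseudo:
                return identity
    return None


def demo():
    Ppub, param = b"Ppub", b"param"              # constructed stand-ins for the public values
    n, total_slots = 4, 6
    gamma_1 = h1(b"vehicle-i-secret-seed")      # constructed chain end of vehicle i
    registry = {gamma_1: b"ID-i", h1(b"other"): b"ID-j"}
    crl = RevocationList(Ppub, param, n, total_slots)
    slot2 = slot_pseudonyms(gamma_1, 2, n, Ppub, param)
    slot5 = slot_pseudonyms(gamma_1, 5, n, Ppub, param)
    crl.revoke_temporarily(gamma_1, active_slot=2)
    temporary = (crl.is_revoked(slot2[0]), crl.is_revoked(slot5[0]), len(crl.pseudos))
    crl.revoke_permanently(gamma_1)
    permanent = (crl.is_revoked(slot5[3]), len(crl.pseudos))
    who = trace(slot5[2], registry, total_slots, n, Ppub, param)
    return temporary, permanent, who
```

demo() shows that a temporary entry covers only the n pseudonyms of the active timeslot (a later slot's pseudonym is not yet revoked), that a single chain end expands to all total_slots × n pseudonyms, and that the TA can map any pseudonym back to ID_i from its registry.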

6. Security analysis and performance analysis

6.1. Security analysis

In this section, we analyze the security of the proposed CPPA scheme.

Correctness proof: On receiving a traffic-related message (M_i, pseudo_{x,i}, i, σ_i, ts), the verifier (vehicle or RSU) checks the validity of the equation σ_i · P ≟ i + h_i · θ_i · PK_RTMC. The verification is correct because

σ_i · P = (λ_i + h_i · i) · P = λ_i · P + h_i · i · P = i + h_i · θ_i · s · P = i + h_i · θ_i · PK_RTMC.

Hence, single-message verification in the proposed scheme is correct. To improve efficiency, an RSU batch-verifies multiple messages using the equation

(Σ_{i=1}^{m} v_i · σ_i) · P ≟ Σ_{i=1}^{m} (v_i · i) + (Σ_{i=1}^{m} v_i · h_i · θ_i) · PK_RTMC.

The batch verification is correct as follows:

(Σ_{i=1}^{m} v_i · σ_i) · P
= (Σ_{i=1}^{m} v_i · (λ_i + h_i · i)) · P
= Σ_{i=1}^{m} (v_i · λ_i + v_i · h_i · i) · P
= Σ_{i=1}^{m} (v_i · λ_i · P + v_i · h_i · i · P)
= Σ_{i=1}^{m} (v_i · i + v_i · h_i · θ_i · s · P)
= Σ_{i=1}^{m} (v_i · i + v_i · h_i · θ_i · PK_RTMC)
= Σ_{i=1}^{m} v_i · i + (Σ_{i=1}^{m} v_i · h_i · θ_i) · PK_RTMC.

Hence, the batch verification equation of the proposed scheme is correct. □

Security proof: We demonstrate the formal security of the proposed CPPA scheme using a game played between an adversary A and a challenger C, based on the abilities of A and the VANET network model. The formal security proof is as follows.

Lemma 6.1: The proposed CPPA scheme is existentially secure against adaptive chosen-message and identity attacks in the random oracle model.

Proof: Let there be an adversary A which can forge a valid message (M_i, pseudo_{x,i}, i, σ_i, ts) in the game. Given an instance of the ECDL problem (ECDLP) PK_RTMC = Q = s · P, where P and Q are two random points on E/F_q and s ∈ Z*_q, our goal is to construct a challenger C which solves the ECDLP with non-negligible probability by running A as a subroutine.

Setup: C picks a random identity pseudo*_{x,i} as the challenged identity in the game, runs the system setup, sets the system public key as Ppub = s · P, and computes the system parameters param = {p, q, a, b, P, Ppub, h1, h2, h3, h4}. Subsequently, C creates and manages four lists L_h1, L_h2, L_h3, and L_h4, which are initially empty. Finally, it sends param to A and then simulates the following oracle queries.

h1-Oracle: When A makes a query on a traffic-related message α, C checks whether the tuple (α, τ_h1) exists in the list L_h1. If so, C returns τ_h1 = h1(α) to A. Otherwise, it selects at random τ_h1 ∈ Z*_q, adds (α, τ_h1) to L_h1, and returns τ_h1 = h1(α) to A.

h2-Oracle: When A queries (param, PK_RTMC, ID_i), (param, Ppub, PK_RTMC), or (Ppub, PK_RTMC), C checks whether the tuple (param, PK_RTMC, ID_i, k_i), (param, Ppub, PK_RTMC, β_i), or (Ppub, PK_RTMC, θ_i) is present in the list L_h2. If so, C returns the stored value to A. Otherwise, it selects at random k_i, β_i, θ_i ∈ Z*_q, adds (param, PK_RTMC, ID_i, k_i), (param, Ppub, PK_RTMC, β_i), and (Ppub, PK_RTMC, θ_i) to L_h2, and returns k_i = h2(param ‖ PK_RTMC ‖ ID_i), β_i = h2(param ‖ Ppub ‖ PK_RTMC), or θ_i = h2(Ppub ‖ PK_RTMC) to A.

h3-Oracle: When A makes a query on (ID_i, s, ID_RTMC, τ^EC_{i,j}) or (ξ_i, A_i, pseudo_{x,i}, ID_i, Ppub, τ^EC_{i,j}), C checks whether the tuple (ID_i, s, ID_RTMC, τ^EC_{i,j}, α_i) or (ξ_i, A_i, pseudo_{x,i}, ID_i, Ppub, τ^EC_{i,j}, SK_i) is already present in the list L_h3. If so, C returns the stored value to A. Otherwise, it picks at random α_i, SK_i ∈ Z*_q, adds the corresponding tuple to L_h3, and sends α_i = h3(ID_i ‖ s ‖ ID_RTMC ‖ τ^EC_{i,j}) or SK_i = h3(ξ_i ‖ A_i ‖ pseudo_{x,i} ‖ ID_i ‖ Ppub ‖ τ^EC_{i,j}) to A.

h4-Oracle: When A queries (SK_i, a_i, A_i, x_i, ID_i, Ppub, ts) or (M_i, i, pseudo_{x,i}, param, ts), C checks whether the tuple (SK_i, a_i, A_i, x_i, ID_i, Ppub, ts, λ_i) or (M_i, i, pseudo_{x,i}, param, ts, h_i) is present in the list L_h4. If so, C returns the stored value to A. Otherwise, it selects at random λ_i, h_i ∈ Z*_q, adds the corresponding tuple to L_h4, and returns λ_i = h4(SK_i ‖ a_i ‖ A_i ‖ x_i ‖ ID_i ‖ Ppub ‖ ts) or h_i = h4(M_i ‖ i ‖ pseudo_{x,i} ‖ param ‖ ts) to A.

Sign-Oracle: When A queries on (M_i, pseudo_{x,i}), C checks whether pseudo_{x,i} = pseudo*_{x,i}. If so, it aborts the game. Otherwise, it picks at random h_i, θ_i, σ_i ∈ Z*_q, computes i = σ_i · P − h_i · θ_i · PK_RTMC, and adds the above information to the corresponding lists. Finally, C generates the message (M_i, pseudo_{x,i}, i, σ_i, ts) and sends it to A. All responses of the sign oracle are valid, since the message (M_i, pseudo_{x,i}, i, σ_i, ts) received from C satisfies the verification equation σ_i · P = i + h_i · θ_i · PK_RTMC.

Forgery: Finally, A outputs a message (M_i, pseudo_{x,i}, i, σ_i, ts) with non-negligible probability. The following conditions must be satisfied, otherwise C aborts the game:

• σ_i · P = i + h_i · θ_i · PK_RTMC,   (1)

• (M_i, pseudo_{x,i}) has not been queried to the sign oracle.

According to the Forking Lemma [47], A can output another valid message (M_i, pseudo_{x,i}, i, σ*_i, ts) if it receives a different h4-oracle reply h*_i, satisfying

σ*_i · P = i + h*_i · θ_i · PK_RTMC.   (2)

From Equations (1) and (2), we get

(σ_i − σ*_i) · P = θ_i · (h_i − h*_i) · PK_RTMC = θ_i · (h_i − h*_i) · s · P.   (3)

Based on Equation (3), σ_i − σ*_i = θ_i · (h_i − h*_i) · s (mod q). Hence, C outputs (σ_i − σ*_i) · θ_i^{−1} · (h_i − h*_i)^{−1} as the solution of the given ECDLP instance (PK_RTMC = Q = s · P). This contradicts the hardness of the ECDLP. Hence, the proposed CPPA scheme is secure against forgery under adaptive chosen-message and identity attacks in the random oracle model, based on the ECDLP assumption. □

Security evaluation: In this section, we show that the proposed CPPA scheme satisfies all the security and privacy requirements of VANETs.

(1) The proposed scheme provides message authentication and integrity: According to Lemma 6.1, an adversary cannot forge a valid message satisfying the message verification equation σ_i · P = i + h_i · θ_i · PK_RTMC. In addition, the verifier can check the integrity of a traffic message (M_i, pseudo_{x,i}, i, σ_i, ts) using the message verification equation. So, the proposed scheme provides message authentication and integrity.

(2) The proposed scheme is privacy-preserving: The pseudonym is pseudo_{x,i} = h1(x,i ‖ ID_i ‖ Ppub ‖ param). The secret values x,i and ID_i are known only to the vehicle i and the TA, hence other vehicles, the RTMC, and adversaries cannot obtain the real identity of the vehicle. Moreover, the real identity ID_i is used to compute k_i, SK_i, and λ_i, but, due to the one-way property of the hash function, no adversary can obtain ID_i in the random oracle model. In addition, a different pseudonym is used for every communication session, hence no adversary can track the vehicle from the messages it sends. Therefore, the proposed CPPA scheme provides both identity and location privacy.

(3) The proposed scheme provides conditional traceability: Although the real identity of the vehicle i is concealed in its pseudonym pseudo_{x,i} = h1(x,i ‖ ID_i ‖ Ppub ‖ param), it is possible for the TA to extract the real identity of the vehicle on a controversial message and take the necessary legal action. Because the TA has stored the tuple (1,i, ID_i) in its database, it can obtain any value x,i for the computation of all valid pseudonyms of i in the remaining timeslots. However, an adversary or curious user cannot obtain the real identity of i unless the secret value 1,i is known, and it cannot be obtained from x,i due to the non-invertibility of the one-way hash function.

(4) The proposed scheme provides unlinkability: In the message signing algorithm, different secret keys (A_i, x_i), a_i, and SK_i are used. Besides, different and unlinkable pseudonyms are used for signing every message. Hence, no adversary can link any two or more signatures or pseudonyms on different messages to the same signer. So, the proposed CPPA scheme satisfies the unlinkability requirement in VANETs.

(5) The proposed scheme supports non-repudiation: In the proposed scheme, the TA can extract the real identity of a message sender. Thus, it is impossible for the signer to deny its signature on the message. Meanwhile, a random vector v = {v_1, v_2, v_3, …, v_m} is used in the batch verification. Therefore, no user can deny its signature on a message it sent by exchanging several signatures among different messages [27].

(6) The proposed scheme is resistant against impersonation attack: In the proposed scheme, impersonation of the TA, RSU, RTMC, or a vehicle is infeasible. To impersonate the TA or the RTMC, an adversary must have knowledge of their secret keys x and s, respectively, which is not possible. Similarly, to impersonate a vehicle or an RSU, an adversary must compute a valid message satisfying the verification equation σ_i · P ≟ i + h_i · θ_i · PK_RTMC. According to Lemma 6.1, no adversary can forge such a message. The verifier can detect this attack easily by checking whether the received message satisfies the message verification equation.

(7) The proposed scheme is resistant against man-in-the-middle attack: To launch a man-in-the-middle (MITM) attack, an adversary must generate a valid message for communication over the network. According to Lemma 6.1, it is infeasible for the adversary to forge such a message. Hence, the proposed scheme thwarts MITM attacks.

(8) The proposed scheme withstands replay attack: In the proposed CPPA scheme, a timestamp ts is introduced into every digital signature and appended to every traffic-related message (M_i, pseudo_{x,i}, i, σ_i, ts). An adversary may attempt to replay the message as (M_i, pseudo_{x,i}, i, σ_i, ts*); the modified timestamp ts* can pass the freshness check, but it cannot satisfy the verification equation σ_i · P ≟ i + h_i · θ_i · PK_RTMC. So, the proposed scheme is resistant against replay attack.

(9) The proposed scheme withstands modification attack: An adversary may attempt to modify the traffic message (M_i, pseudo_{x,i}, i, σ_i, ts) to (M*_i, pseudo*_{x,i}, i*, σ*_i, ts*). According to Lemma 6.1, the verifier can detect this modification by checking the validity of the equation σ_i · P ≟ i + h_i · θ_i · PK_RTMC.

(10) The proposed scheme resists stolen verifier table attack: In the proposed CPPA scheme, neither an RSU nor a vehicle maintains a verifier table for message authentication. That is, message authentication is done without a verifier table. Hence, the proposed scheme is not vulnerable to the stolen verifier table attack.

(11) The proposed scheme solves the private key compromise problem: Suppose the temporary secret key (A_i, x_i) of the vehicle i has been compromised. The vehicle can detect this by checking the validity of the equation x_i · P ≟ A_i + h1(param ‖ PK_RTMC ‖ ID_i). If the equation fails, the vehicle discards the key because it has been compromised. Therefore, the proposed scheme solves the problem of private-key compromise.


(12) The proposed scheme provides a countermeasure against privilege escalation: The RTMC has introduced the expiration time into the temporary secret key of the vehicle using the 1-encoding technique. This key is used to sign a traffic-related message. The verifier checks the time-validity of the signature using the 0-encoding. If the check fails, the message is discarded. Thus, no user can utilize the VANET service beyond the expiration time. Therefore, the proposed scheme provides a countermeasure against privilege escalation.

(13) The proposed scheme is autonomous: In the proposed CPPA scheme, a user is required to contact the TA only once to set up its pseudonyms, and afterwards it can compute its own pseudonyms using the hash chain set x,i = {1,i, 2,i, 3,i, …, n,i}. The TA does not store a huge number of pseudonym/private-key pairs to achieve conditional traceability. Moreover, there is no frequent communication between the TA and the users in the proposed scheme. Thus, the transmission overhead is reduced. Therefore, the proposed scheme supports autonomy.

6.2. Performance analysis and comparison

In this section, we demonstrate the efficiency of the proposed scheme and then compare it with the related CPPA schemes in VANETs.

Computation cost analysis and comparison: We adopt the experimental measurements of He et al. [2] in this work. For schemes whose construction relies on bilinear pairings, such as Wang et al. [12], Wang and Yao [11], and Bayat et al. [28], He et al. instantiate the bilinear pairing at the 80-bit security level as follows: ē : G1 × G1 → GT, where G1 is an additive group generated by a point P̄ of order q̄ on a supersingular elliptic curve Ē : y² = x³ + x mod p̄ with embedding degree 2, p̄ is a 512-bit prime, and q̄ is a 160-bit Solinas prime. For schemes based on ECC, such as He et al. [2], Wu et al. [4], Zhou et al. [40], and the proposed scheme, the construction is at the 80-bit security level as follows: G is an additive group of order q generated on a non-singular elliptic curve E : y² = x³ + ax + b mod p, where p, q are 160-bit primes and a, b ∈ Z*_q. The notation for the cryptographic operations and their execution times is given in Table 2. T_p is the execution time of a bilinear pairing operation; T_{p−m}, T_{p−sm}, and T_{p−a} are the execution times of a scalar multiplication, a small-scale multiplication, and a point addition related to the bilinear pairing, respectively.

Table 2. Cryptographic operations and execution time.

Operations related to bilinear pairing:
  ē(P, Q), where P, Q ∈ G1: T_p, 4.2110 ms
  xP, where P ∈ G1, x ∈ Z*_q: T_{p−m}, 1.7090 ms
  λ_i P, where λ_i is a small integer, P ∈ G1: T_{p−sm}, 0.0535 ms
  P + Q, where P, Q ∈ G1: T_{p−a}, 0.0071 ms

Operations related to ECC:
  xP, where P ∈ G, x ∈ Z*_q: T_{ECC−m}, 0.4420 ms
  λ_i P, where λ_i is a small integer, P ∈ G: T_{ECC−sm}, 0.0138 ms
  P + Q, where P, Q ∈ G: T_{ECC−a}, 0.0018 ms

Map-to-point hash function: T_H, 4.4060 ms
One-way hash function: T_h, 0.0001 ms

T_{ECC−m}, T_{ECC−sm}, and T_{ECC−a} denote the execution times of a scalar multiplication, a small-scale multiplication, and a point addition related to ECC, respectively. T_H is the execution time of a map-to-point hash function and T_h that of a one-way hash function. We do not consider the execution times of exclusive-OR (XOR) and concatenation operations in our analysis, because they are negligible.

We analyze the computation costs of He et al. [2], Wu et al. [4], Wang et al. [12], Wang and Yao [11], Bayat et al. [28], and Zhou et al. [40] in the message signing phase (MSP), message verification phase (MVP), and batch verification phase (BVP), and compare them with the proposed scheme. For convenience, the results are summarized in Table 3. In the MSP of He et al. [2], a node requires three scalar multiplications related to ECC and three one-way hash function operations. Hence, the cost of computation is 3T_{ECC−m} + 3T_h = 3 × 0.4420 + 3 × 0.0001 = 1.3263 ms. In the MVP of He et al.'s scheme, a node performs three scalar multiplications related to ECC, two point additions related to ECC, and two one-way hash function operations, so the cost of computation is 3T_{ECC−m} + 2T_{ECC−a} + 2T_h = 3 × 0.4420 + 2 × 0.0018 + 2 × 0.0001 = 1.3298 ms. For the BVP of He et al.'s scheme, a verifier requires (n + 2) scalar multiplications related to ECC, 2n small-scale multiplications, (3n − 1) point additions related to ECC, and 2n one-way hash function operations to batch-verify n messages. Thus, the cost of computation is (n + 2)T_{ECC−m} + 2nT_{ECC−sm} + (3n − 1)T_{ECC−a} + 2nT_h = (n + 2) × 0.4420 + 2n × 0.0138 + (3n − 1) × 0.0018 + 2n × 0.0001 = (0.8822 + 0.4252n) ms. In the MSP of the proposed scheme, a node requires one scalar multiplication related to ECC and two one-way hash function operations. Hence, the cost of computation is T_{ECC−m} + 2T_h = 0.4420 + 2 × 0.0001 = 0.4422 ms. For the MVP of the proposed scheme, a vehicle executes two scalar multiplications related to ECC, one point addition, and two one-way hash function operations. Thus, the cost of computation is 2T_{ECC−m} + T_{ECC−a} + 2T_h = 2 × 0.4420 + 0.0018 + 2 × 0.0001 = 0.886 ms. To batch-verify n messages in the proposed scheme, the verifier executes two scalar multiplications related to ECC, n small-scale multiplications, n point additions, and 2n one-way hash function operations. So, the cost of computation in the BVP of the proposed scheme is 2T_{ECC−m} + nT_{ECC−a} + nT_{ECC−sm} + 2nT_h = 2 × 0.4420 + n × 0.0018 + n × 0.0138 + 2n × 0.0001 = (0.884 + 0.0158n) ms. The computation costs of the other schemes can be analyzed in the same manner.

Table 3. Computation cost comparison.

He et al. [2]
  MSP: 3T_{ECC−m} + 3T_h = 1.3263 ms
  MVP: 3T_{ECC−m} + 2T_{ECC−a} + 2T_h = 1.3298 ms
  BVP: (n + 2)T_{ECC−m} + (2n)T_{ECC−sm} + (3n − 1)T_{ECC−a} + (2n)T_h = (0.8822 + 0.425n) ms
Wu et al. [4]
  MSP: 2T_{ECC−m} + 2T_h = 0.8842 ms
  MVP: 3T_{ECC−m} + 2T_{ECC−a} + 2T_h = 1.3298 ms
  BVP: (2n + 2)T_{ECC−m} + (2n)T_{ECC−a} + (2n)T_{ECC−sm} + (2n)T_h = (0.884 + 0.9154n) ms
Wang et al. [12]
  MSP: 3T_{p−m} + T_{p−a} + T_h = 5.1342 ms
  MVP: 2T_p + 2T_{p−m} + T_H = 16.246 ms
  BVP: 2T_p + (n + 1)T_{p−m} + nT_H = (10.131 + 6.115n) ms
Wang and Yao [11]
  MSP: 4T_{p−m} + T_{p−a} + 3T_h = 16.8514 ms
  MVP: 3T_{p−m} + T_{p−a} + 2T_h = 12.6403 ms
  BVP: 3T_{p−m} + 2nT_{p−m} + 2nT_{p−a} + 2nT_h = (12.633 + 3.4322n) ms
Bayat et al. [28]
  MSP: 5T_{p−m} + T_{p−a} + T_H + 2T_h = 12.9583 ms
  MVP: 3T_p + T_{p−sm} + T_H + T_h = 18.7481 ms
  BVP: 3T_p + nT_{p−sm} + (3n − 3)T_{p−a} + nT_H + nT_h = (12.6117 + 6.1364n) ms
Zhou et al. [40]
  MSP: 2T_{ECC−m} + 4T_h = 0.8844 ms
  MVP: 7T_{ECC−m} + 2T_{ECC−a} + 4T_h = 3.098 ms
  BVP: 7nT_{ECC−m} + 2nT_{ECC−a} + 4nT_h = 3.098n ms
Proposed
  MSP: T_{ECC−m} + 2T_h = 0.4422 ms
  MVP: 2T_{ECC−m} + T_{ECC−a} + 2T_h = 0.886 ms
  BVP: 2T_{ECC−m} + nT_{ECC−a} + nT_{ECC−sm} + (2n)T_h = (0.884 + 0.0158n) ms

Note: n, number of messages.

Moreover, we analyze the improvement of the proposed scheme over the related schemes [2,4,12,11,28,40] in the MSP, MVP, and BVP. The proposed scheme improves on the MSP of He et al.'s scheme by about (1.3263 − 0.4422)/1.3263 × 100% = 66.66%. The improvements over the remaining schemes in the MSP, MVP, and BVP are computed in the same way and are shown in Table 4.

Table 4. Improvement on computation cost.

Scheme: MSP, MVP, BVP (100 messages)
He et al. [2]: 66.66%, 33.37%, 94.32%
Wu et al. [4]: 50%, 33.37%, 97.33%
Wang et al. [12]: 91.39%, 94.55%, 99.60%
Wang and Yao [11]: 97.38%, 92.99%, 99.31%
Bayat et al. [28]: 96.56%, 95.27%, 99.61%
Zhou et al. [40]: 50%, 71.40%, 99.21%

According to the requirements of VANETs, a vehicle must broadcast its beacon message every 100–300 ms when entering the coverage of an RSU. When the traffic density in the VANET increases, the RSU receives many traffic-related messages. To improve the efficiency of the proposed scheme, we introduce a batch verification process. The cost of computation in the batch verification step of the related schemes and the proposed scheme is shown in Figure 7. It can be observed that the proposed scheme is more efficient than the other six schemes. For example, in a high-density traffic scenario, an RSU may receive messages from about 180 vehicles every 300 ms. This means that it must verify about 600–2000 messages per second [3]. Suppose 600 messages are to be verified: the cost of computation in the proposed scheme is 10.36 ms, while the schemes in [2,4,12,11,28,40] cost 255.88, 550.12, 3679.13, 2071.95, 3694.45, and 1858.80 ms, respectively. The schemes in [12,11,28,40] do not satisfy the requirement in [3]. In fact, an RSU in the proposed scheme can verify about 63,235 messages per second.

Figure 7. Computation cost for batch verification.

Subsequently, we analyze the verification delay ratio between the proposed scheme and the schemes in [2,4,12,11,28,40], as shown in Figure 8. When there are more than 160 traffic messages, the verification delay ratio between the proposed scheme and He et al.'s scheme becomes visible; the value is constant at about 0.05. The delay ratio between the proposed scheme and Wu et al.'s scheme can be observed when the number of messages is greater than 125 and tends to a constant value of about 0.025. The verification delay ratio between the proposed scheme and Wang et al.'s scheme, Wang and Yao's scheme, and Bayat et al.'s scheme is the same and can be observed when the number of messages is greater than 30; it approaches a constant value of about 0.005. The verification delay ratio of the proposed scheme with respect to Zhou et al.'s scheme becomes visible when the number of messages is more than 90 and approaches a constant value of about 0.007. Hence, the verification of the proposed scheme is about 95%, 97.5%, 99.5%, 99.5%, 99.5%, and 99.3% faster than that of He et al.'s scheme [2], Wu et al.'s scheme [4], Wang et al.'s scheme [12], Wang and Yao's scheme [11], Bayat et al.'s scheme [28], and Zhou et al.'s scheme [40], respectively. Therefore, the proposed scheme is very efficient compared to the related schemes in VANETs in terms of computation overhead.

Figure 8. Verification delay ratio versus traffic density.

Communication cost analysis and comparison: This section presents an analysis of the communication cost of the proposed scheme and the related schemes. According to the construction of He et al. [2], the sizes of P̄ and P are 64 bytes and 20 bytes, respectively. Thus, the sizes of an element in G1 and in G are 64 × 2 = 128 bytes and 20 × 2 = 40 bytes, respectively. It is assumed that the sizes of the output of a one-way hash function and of a timestamp are 20 bytes and 4 bytes, respectively. The traffic-related message is the same in all schemes, hence it is not considered in our analysis. For convenience, the communication costs of all the schemes are shown in Table 5.

Table 5. Communication cost for different schemes.

Scheme: single message, n messages
He et al. [2]: 144 bytes, 144n bytes
Wu et al. [4]: 148 bytes, 148n bytes
Wang et al. [12]: 104 bytes, 104n bytes
Wang and Yao [11]: 276 bytes, 276n bytes
Bayat et al. [28]: 280 bytes, 280n bytes
Zhou et al. [40]: 104 bytes, 104n bytes
Proposed: 84 bytes, 84n bytes

Note: n, number of messages.

In He et al.'s scheme, a vehicle transmits {AID_i, T_i, R_i, σ_i}, where AID_i = {AID_i^1, AID_i^2}, AID_i^1, AID_i^2, R_i ∈ G, σ_i ∈ Z*_q, and T_i is the current timestamp. Hence, the communication cost of a message is 40 × 3 + 20 + 4 = 144 bytes, and 144n bytes for n messages. In Wu et al. [4], a vehicle sends {PID_vi, T_i, T_vi, hk_i, R_i, δ_i} to the verifier, where PID_vi, hk_i, R_i ∈ G, δ_i ∈ Z*_q, and T_i and T_vi are timestamps. Thus, the communication cost is 40 × 3 + 20 + 4 × 2 = 148 bytes, and 148n bytes for n messages. A broadcast message in Wang et al.'s scheme is {PN_i, T_i, σ_i}, where PN_i = {PN_i^a, PN_i^b, PN_i^c}, PN_i^a, PN_i^b, PN_i^c ∈ Z*_q, σ_i ∈ G, and T_i is the timestamp. Thus, the communication cost of a message is 20 × 3 + 40 + 4 = 104 bytes, and 104n bytes for n messages. In Wang and Yao [11], a vehicle transmits {PID_i, PK_Ri, σ_i} to the verifier, where PID_i, PK_Ri ∈ G1 and σ_i ∈ Z*_q. So, the communication cost of a message is 128 × 2 + 20 = 276 bytes, and 276n bytes for n messages. For Bayat et al. [28], a single transmitted message is {ID_i, σ_i, T_i}, where ID_i = {ID_i^1, ID_i^2}, ID_i^1, ID_i^2 ∈ G1, σ_i ∈ Z*_q, and T_i is the current timestamp. The communication cost is 128 × 2 + 20 + 4 = 280 bytes, and 280n bytes for n messages. A communication message in Zhou et al.'s scheme is {U_i, σ_i, w_i, θ_i, T_i}, where U_i ∈ G, σ_i, w_i, θ_i ∈ Z*_q, and T_i is the current timestamp. Thus, the communication cost is 40 + 20 × 3 + 4 = 104 bytes, and 104n bytes for n messages. In the proposed scheme, a communication message is {pseudo_{x,i}, i, σ_i, ts}, where pseudo_{x,i}, σ_i ∈ Z*_q, i ∈ G, and ts is the current timestamp. Hence, the communication cost of a message is 20 × 2 + 40 + 4 = 84 bytes, and 84n bytes for n messages. Therefore, the proposed scheme incurs less communication overhead than the other schemes in VANETs.
To further demonstrate the efficiency of the proposed scheme in terms of transmission overhead, we consider the relationship between the communication cost and the number of messages received by an RSU in 50 seconds from 200 vehicles in all the schemes. The result is shown in Figure 9. The transmission overhead of the proposed scheme is lower than that of the other schemes, while Wang and Yao [11] and Bayat et al. [28] incur the maximum transmission overhead. Per message, the proposed scheme saves 60, 64, 20, 192, 196, and 20 bytes compared with the schemes in [2,4,12,11,28,40], respectively (Table 5); when the number of messages reaches 10,000, this amounts to about 0.6, 0.64, 0.2, 1.92, 1.96, and 0.2 megabytes. Therefore, the proposed scheme is more efficient than the related schemes in terms of communication overhead.

Figure 9. Transmission overhead when 200 messages are received in 50 s by an RSU.

7. Conclusion

In this paper, a provably secure, autonomous, lightweight CPPA scheme for VANETs is proposed. The construction of the scheme is based on ECC without any special hardware device such as a TPD. A trusted-but-curious party known as the RTMC is included, which is responsible for generating temporary secret keys for nodes. When the size of the network increases, the scheme only needs to increase the number of RTMCs, which makes it scalable. Moreover, we demonstrated that the scheme is secure in the random oracle model under the elliptic curve discrete logarithm assumption (ECDLA). The security analysis further showed that the proposed scheme is autonomous, provides a countermeasure against privilege escalation, addresses the private-key compromise problem, and satisfies all the privacy and security requirements of VANETs. The performance analysis and comparison showed that the proposed scheme has lower computation cost and communication overhead than the recent CPPA schemes in VANETs. Therefore, the proposed scheme is well suited for applications in resource-constrained Internet-of-Things environments such as VANETs.

Acknowledgements

The author is grateful to Mr. M.A. Alao of the Department of Electrical and Electronic Engineering, University of Ibadan, for his invaluable support in the language editing of this article.

Disclosure statement

No potential conflict of interest was reported by the author.

ORCID

Sunday Oyinlola Ogundoyin http://orcid.org/0000-0003-1564-2818

References

[1] Kenney JB. Dedicated short-range communications (DSRC) standards in the United States. Proc IEEE. 2011;99(7):1162–1182.
[2] He D, Zeadally S, Xu B, et al. An efficient identity-based conditional privacy-preserving authentication scheme for vehicular ad-hoc networks. IEEE Trans Inf Forensics Sec. 2015;10(12):2681–2691.
[3] Shim K. CPAS: an efficient conditional privacy-preserving authentication scheme for vehicular sensor networks. IEEE Trans Veh Technol. 2012;61(4):1874–1883.
[4] Wu L, Fan J, Xie Y, et al. Efficient location-based conditional privacy-preserving authentication scheme for vehicle ad hoc networks. Int J Distrib Sensor Netw. 2017;13(3):1–13.
[5] Isaac JT, Zeadally S, Camara J. Security attacks and solutions for vehicular ad-hoc networks. IET Commun J. 2010;4(7):894–903.
[6] Sari A, Onursal O, Akkaya M. Review of the security issues in vehicular ad hoc networks (VANET). Int J Commun Netw Syst Sci. 2015;8:552–566.
[7] De Fuentes JM, González-Tablas AI, Ribagorda A. Overview of security issues in vehicular ad-hoc networks. In: The handbook of research on mobility and computing: evolving technologies and ubiquitous impacts. IGI Global; 2010. https://doi.org/10.4018/978-1-60960-042-6.ch056.
[8] Zhong H, Wen J, Cui J, et al. Efficient conditional privacy-preserving and authentication scheme for secure service provision in VANET. Tsinghua Sci Technol. 2016;21(6):620–629.
[9] Wasef A, Shen X. Efficient group signature scheme supporting batch verification for securing vehicular networks. IEEE Int Conf Commun. 2010;29(16):1–5.
[10] Jiang S, Zhu X, Wang L. An efficient anonymous batch authentication scheme based on HMAC for VANETs. IEEE Trans Intell Transp Syst. 2016;17(8):2193–2204.
[11] Wang S, Yao N. LIAP: a local identity-based anonymous message authentication protocol in VANETs. Comput Commun. 2017;112:154–164.
[12] Wang Y, Zhong H, Xu Y, et al. Efficient extensible conditional privacy-preserving authentication scheme supporting batch verification for VANETs. Secur Commun Netw. 2017. https://doi.org/10.1002/sec.1710.
[13] Raya M, Hubaux J-P. Securing vehicular ad hoc networks. J Comput Secur. 2007;15(1):39–68.
[14] Lu R, Lin X, Zhu H, et al. ECPP: efficient conditional privacy preservation protocol for secure vehicular communications. In: INFOCOM; 2008. https://doi.org/10.1109/INFOCOM.2008.179.
[15] Zhang C, Lin X, Lu R, et al. RAISE: an efficient RSU-aided message authentication scheme in vehicular communication networks. In: Proceedings of the IEEE International Conference on Communications (ICC'08); 2008. p. 1451–1457.
[16] Zhang C, Lin X, Ho PH, et al. An efficient identity-based batch verification scheme for vehicular sensor networks. In: Proceedings of IEEE INFOCOM'08; 2008. p. 816–824.
[17] Zhang C, Ho PH, Tapolcai J. On batch verification with group testing for vehicular communications. Wirel Netw. 2011;17(8):1851–1865.
[18] Lee CC, Lai YM. Towards a secure batch verification with group testing for VANET. Wirel Netw. 2013;19(6):1441–1449.
[19] Chim C, Yiu S, Hui L, et al. SPECS: secure and privacy enhancing communication schemes for VANETs. Ad Hoc Netw. 2011;9(2):189–203.
[20] Li J, Lu H, Guizani M. ACPN: a novel authentication framework with conditional privacy-preservation and non-repudiation for VANETs. IEEE Trans Parallel Distrib Syst. 2015;24(6):938–948.
[21] Zhang J-H, Xu M, Liu L. On the security of a secure batch verification with group testing for VANETs. Int J Netw Secur. 2014;16(5):355–362.
[22] Huang J-L, Yeh L-Y, Chien H-Y. ABAKA: an anonymous batch authenticated and key agreement scheme for value-added services in vehicular ad hoc networks. IEEE Trans Veh Technol. 2011;60(1):248–262.
[23] Lo N-W, Tsai J-L. An efficient conditional privacy-preserving authentication scheme for vehicular sensor networks without pairings. IEEE Trans Intell Transp Syst. 2016;17(5):1319–1328.
[24] Xie Y, Wu L, Shen J, et al. EIAS-CP: new efficient identity-based authentication scheme with conditional privacy-preserving for VANETs. Telecommun Syst. 2016. https://doi.org/10.1007/s11235-016-0222-y.
[25] Samara G, Al-Salihy W, Sures R. Security issues and challenges of vehicular ad hoc networks (VANET). In: Proceedings of the 4th IEEE International Conference on New Trends in Information Science and Service (NISS), Gyeongju, South Korea; 2010. p. 393–398.
[26] IBM 4764 PCI-X Cryptographic coprocessor. [cited 2017 June 15]. Available from: https://www.ibm.com/support/knowledgecenter/POWER6/iphcd/fc4764.htm
[27] Horng S, Tzeng S, Pan Y, et al. b-SPECS+: batch verification for secure pseudonymous authentication in VANET. IEEE Trans Inf Forensics Sec. 2013;8(11):1860–1875.
[28] Bayat M, Barmshoory M, Rahimi M, et al.
A secure authentication scheme for VANETs with batch verification. Wirel Netw. 2015;21(5):1733–1743. Boneh D, Boyen X, Shacham H. Short group signatures. In: Proceedings of the Advances in Cryptology – CRYPTO 2004, 24th Annual International Cryptology Conference; 2004 August 15–19; Santa Barbara, CA: Springer; 2004. p. 41–55. Zhang J, Wu Q, Wang Y. A novel efficient group signature scheme with forward security. IEEE ICICS 2003, LNCS 2836; 2003. p. 292–300. Saiful M, Mamun I, Miyaji A. Secure VANET applications with a refined group signature. In: IEEE Twelfth Annual Conference on Privacy, Security and Trust (PST); 2014. p. 199–206. Malina L, Hajny J, Martinasek Z. Efficient group signatures with verifier-local revocation employing a natural expiration. In: Proceedings of the 10th International Conference on Security and Cryptography

[33]

[34] [35]

[36]

[37]

[38]

[39] [40] [41]

[42] [43]

[44]

[45]

[46]

[47]

(SECRYPT-2013); 2013. p. 555–560. https://doi.org/10. 5220/0004600105550560. Chen X, Zhang F, Konidala D-M, et al. New ID-based threshold signature scheme from bilinear pairings. In: Canteaut A, Viswanathan K, editors. INDOCRYPT 2004, LNCS 3348; 2004. p. 371–383. Chu C, Liu J-K, Miyaji A. Verifier-local revocation group signatures with time-bound keys. ACM ASIACCS 12; 2012 May 24; Seoul, Korea; 2014. Hwang J-Y, Chen L, Cho H-S, et al. Short dynamic group signature scheme supporting controllable linkability. In: IEEE Trans. Information Forensic and Security; 2015. p. 1556–6013. https://doi.org/10.1109/TIFS.2015. 2390497. Jesudoss A, Raja SVK, Park SH. GRAS: a group reliant authentication scheme for V2V communication in VANET. Systemics Cybern Inform. 2013;11(6): 47–52. Lin X, Lu R. GSIS: group signature and ID-based signature-based secure and privacy-preserving protocol. John Wiley & Sons Inc.; 2015. IEEE Vehicular ad hoc network security and privacy. Chapter 2; 21–49. https://doi. org/10.1002/9781119082163.ch2 Wang Y, Zhong H, Xu Y, et al. ECPB: efficient conditional privacy-preserving authentication scheme supporting batch verification for VANETs. Int J Netw Secur. 2016;18(2):374–382. Rajput U, Abbas F, Eun H, et al. A hybrid approach for efficient-privacy-preserving authentication in VANET. IEEE Access. 2017;5:12014–12030. Zhou Y, Liu S, Xiao M, et al. An efficient V2I authentication scheme for VANETs. Hindawi Mob Inf Syst. 2018;2018:1–11. https://doi.org/10.1155/2018/4070283. Kamil I, Olakanmi O, Ogundoyin SO. A secure and privacy-preserving lightweight authentication protocol for wireless communications. Inf Secur J A Glob Perspect. 2017;26(6):287–304. https://doi.org/10.1080/ 19393555.2017.1385116. Olakanmi O, Kamil I, Ogundoyin S. Secure and privacypreserving referral framework for e-health system. Int J Inform Secur Sci. 2017;6(2):1–15. Ogundoyin SO. An anonymous lightweight authentication scheme with scalability for trustworthy pervasive social networking. 
J Cyber Secur Technol. 2018;1(34):225–250. Ogundoyin SO, Awoyemi SO. EDAS: efficient data aggregation scheme for Internet of things. J Appl Secur Res. 2018;0(0):0–00. https://doi.org/10.1080/19361610.2018. 1463139. Lin H-Y, Tzeng W-G. An efficient solution to the millionares’ problem based on homomorphic encryption. In: Proceedings of Applied Cryptography and Network Security (ACNS ’05), Vol. 3531 of LNCS; 2005. p. 456–466. Ogundoyin SO. An efficient, secure and conditional privacy-preserving authentication scheme for vehicular ad-hoc networks. J Inf Assurance Secur. 2017;12(5): 179–192. David P, Jacque S. Security arguments for digital signatures and blind signatures. J Cryptogr. 2000;13(3): 361–396.