Self-Controllable Secure Location Sharing for Trajectory-Based Message Delivery on Cloud-Assisted VANETs

Abstract

In vehicular ad hoc networks, trajectory-based message delivery is a message forwarding strategy that utilizes the vehicle’s preferred driving routes information to deliver messages to the moving vehicles with the help of roadside units. For the purpose of supporting trajectory-based message delivery to a moving vehicle, the driving locations of the vehicle need to be shared with message senders. However, from a security perspective, vehicle users do not want their driving locations to be exposed to others except their desired senders for location privacy preservation. Therefore, in this paper, we propose a secure location-sharing system to allow a vehicle user (or driver) to share his/her driving trajectory information with roadside units authorized by the user. To design the proposed system, we put a central service manager which maintains vehicle trajectory data and acts as a broker between vehicles and roadside units to share the trajectory data on the cloud. Nevertheless, we make the trajectory data be hidden from not only unauthorized entities but also the service manager by taking advantage of a proxy re-encryption scheme. Hence, a vehicle can control that only the roadside units designated by the vehicle can access the trajectory data of the vehicle.

1. Introduction

For the last decade, vehicular ad hoc networks (VANETs) have attracted a great deal of attentions due to the development of vehicle-to-vehicle (V2V) and vehicle-to-infrastructure (V2I) communication technologies. It is a trend of modern vehicles to equip on-board unit (OBU) devices which allow vehicles to communicate with each other as well as roadside units (RSUs) [1]. As a result, up to date, various VANET applications using V2V and V2I communications have been presented to realize not only comfortable driving conditions but also valuable infotainment services on the road. Furthermore, recently, the concept of vehicular networking is extended to vehicular cloud computing by integrating vehicular communications with cloud computing to provide vehicles with pervasive services on the road [2,3,4].

One of the promising applications is a location-aware service [5] which provides vehicles with useful information for a certain geographic area of interest by taking advantage of vehicular cloud computing. Based on vehicular cloud computing technologies, RSUs deployed on the certain areas can collect and provide local-interesting information to vehicles such as traffic conditions and available facilities. However, it is challenging on the VANET how we can effectively deliver such service messages to vehicles which are continuously moving on the road. Due to the dynamic mobility and opportunistic connectivity in VANETs, the probability of successful hop-by-hop (among neighboring vehicles) message forwarding to a destination vehicle at a long distance is low and it would result in high message loss. As a solution to this challenge, trajectory-based message delivery with the help of RSUs in VANETs have been researched [6,7].

For example, let us consider a scenario as shown in Figure 1 in which the area around ${\mathrm{sRSU}}_1$ is an interested spot (named socialspot) of a vehicle ${\mathrm{V}}_{\mathrm{d}}$ and ${\mathrm{sRSU}}_1$ provides location-aware service around its local area to ${\mathrm{V}}_{\mathrm{d}}$. By using trajectory-based message delivery, it would be possible that ${\mathrm{sRSU}}_1$ can efficiently disseminate the service messages to ${\mathrm{V}}_{\mathrm{d}}$ through ${\mathrm{RSU}}_1$ and ${\mathrm{RSU}}_2$ acting as relay nodes along ${\mathrm{V}}_{\mathrm{d}}$’s trajectory assuming that ${\mathrm{sRSU}}_1$ knows the driving path of ${\mathrm{V}}_{\mathrm{d}}$.

On the other hand, driving route or location information of a vehicle is regarded as personal data of the driver, so location privacy is one of the critical security requirements for VANETs as well as identity privacy preservation. In the above trajectory-based message delivery environment, if a vehicle needs to share its driving route with message senders (sRSUs) deployed on some socialspots in which the vehicle is interested for location-aware service, how to share vehicle’s trajectory securely with the sRSUs in the system for privacy preservation is required. In other words, the system must be carefully designed not to expose the driving locations of a vehicle to other entities except the sRSUs designated by the vehicle.

1.1. Related Work

While various VANET applications have been emerging, studies on secure vehicular communications have also been widely performed [4,8,9,10,11,12,13,14,15,16]. One of the challenging issues is privacy-preserving vehicular communications for protecting location privacy of vehicles in VANETs. To prevent a global eavesdropping attacker from tracking a target vehicle, most privacy-preserving secure vehicular communications recommend using anonymous authentication schemes based on a group signature or pseudonymous credentials of vehicles when exchanging messages [17]. In addition to sender’s anonymity, to achieve message receiver’s location privacy preservation in VANETs, Lu et al. [18] and Lin et al. [19] proposed secure RSU-assisted message delivery protocols from a source vehicle to a destination vehicle, respectively. However, their work assumes that a receiver vehicle is stationary at a fixed location [18] and the location of a receiver is already known to senders beforehand [19].

For efficient message delivery from an RSU to moving vehicles in VANETS, Jeong et al. proposed an architecture for trajectory-based data delivery [7]. Their work was not focused on security mechanisms for protecting location privacy of vehicles. Instead, they just assume that a control center maintains vehicle trajectories and will not expose the trajectory data to others. In their system, we cannot help but rely on the control center that the center will carry out its role faithfully. However, from user’s viewpoint, the control center may be also a source of concern and users want to control who can access their trajectory data by themselves with a proper security mechanism.

With regard to secure location-sharing in mobile environments, the works in [20,21,22,23,24] proposed some methods to protect user’s privacy for location-sharing in mobile online social network services. They are mainly focused on a proximity application to find a nearby friend whose current location is within some distance. Some previous work did not consider preventing a service provider from accessing user’s locations data except the work of [20,24]. Even though a service provider is usually involved in location sharing services to distribute the location data of one user to other authorized users, the provider does not need to know the data content. Freudiger et al. [20] and Li et al. [24] proposed a system for protecting user location data from the provider by using data encryption, respectively. However, if a user wants to share his/her location data with multiple friends, the user has to generate multiple encrypted data for the same location data under a different key of each friend or needs interactions to establish a shared secret key with his friends. It burdens the user with computation and communication overheads proportional to the number of friends.

Dong et al. introduced a concept of secure location-sharing based on a proxy re-encryption scheme for mobile applications [25]. Proxy re-encryption is a cryptographic technique to allow a semi-trusted proxy to convert a ciphertext under one party’s public key (e.g., ${\mathrm{V}}_{\mathrm{d}}$ in our scenario) into a new ciphertext under another party’s public key (e.g., $\mathrm{sRSU}$ designated by ${\mathrm{V}}_{\mathrm{d}}$). While the proxy uses re-encryption keys to perform the conversion, the proxy cannot learn any information about the underlying plaintext. Dong et al. presented an idea that a user can efficiently share its location data with other users as shifting computational overheads for distributing encrypted location data to a proxy, and their idea motivated our work. However, if we adopt an ordinary public key based proxy re-encryption scheme, $\mathrm{sRSU}$ has to be involved in generating a re-encryption key to be used for converting a ciphertext by giving its public key certificate to ${\mathrm{V}}_{\mathrm{d}}$. Moreover, to revoke a re-encryption key of an unwanted $\mathrm{sRSU}$ and update re-encryption keys of other valid parties, ${\mathrm{V}}_{\mathrm{d}}$ must change its public key and obtain a new public key certificate. Such interactions are not always available in VANET environments due to the occasional connectivity. Therefore, we need to devise a more flexible and practical method to manage the keys for proxy re-encryption scheme in our VANET service scenario.

In our previous work [26], we presented a secure location sharing based on an id-based proxy re-encryption scheme as considering the non-interactive property of id-based public key cryptography. However, to revoke or update re-encryption keys in the previous work, this system needs to renew user’s identity functioning as a public key but it may be impractical to change the identity used in the system. As an alternative, in this paper, we employ a certificateless proxy re-encryption scheme which can provide more flexible key management to our self-controllable secure location-sharing system.

1.2. Our Contribution

Based on the above considerations, in this paper, we propose a secure driving location (trajectory) data sharing system for trajectory-based message delivery in VANETs which can prevent the shared location data on the cloud from being illegitimately exposed to others. We consider a location-aware service scenario in which a vehicle allows some socialspot RSUs designated by the vehicle to access its preferred driving trajectory data stored on the cloud. For secure vehicular communications, group signatures or pseudonymous credentials have been used for anonymous authentication so that the identity and location of a vehicle cannot be linked and tracked on VANETs. However, the main goal of our work is to securely share the trajectory data of a vehicle with only authorized entities from confidentiality view point and to control who can access the location data by vehicle itself. To achieve our goal, we present a system architecture for sharing the trajectory data of vehicles with the help of a service manager acting as a broker between vehicles and socialspot RSUs, then design a secure location-sharing and authenticated message delivery protocols by making use of a certificateless proxy re-encryption scheme and an id-based signature scheme with pseudonymous identities.

In our proposed system, a vehicle can upload driving trajectory data encrypted under its own public key to a semi-trusted service manager on the cloud. The uploaded trajectory data are coupled with re-encryption keys associated with the designated socialspot RSUs so that the manager re-encrypts vehicle’s trajectory data and distributes to the intended socialspot RSUs. Then, the socialspot RSUs can send service messages to the vehicle by way of some RSUs along the driving route of the vehicle. We make the vehicle revoke the access rights of unwanted socialspot RSUs by changing vehicle’s public key and re-encryption keys but the vehicle does not need to obtain a certificate for the new public key. Therefore, the proposed system can be self-controllable and more flexible.

The rest of this paper is organized as follows: We first present a system architecture and security considerations in Section 2 and cryptographic building blocks to design the proposed system in Section 3. Then, we describe our proposed secure location-sharing and authenticated message delivery protocols in Section 4. We discuss the security and performance of our protocol in Section 5, and finally conclude this paper in Section 6.

2. System Architecture

2.1. Architecture

To design a secure location-sharing system for trajectory-based message delivery on VANETs, we consider the system architecture shown in Figure 2 which consists of trusted authority (TA), service manager (SM), roadside units, and vehicles.

• TA is a fully trusted entity responsible for managing security parameters for the system and issues id-based key pairs to the registered RSUs and vehicles denoted as $\mathcal{R}=\{RS{U}_1,\dots ,RS{U}_m\}$ and $\mathcal{V}=\{V_1,\dots .,V_n\}$, respectively. TA also manages pseudonymous identities for the vehicles to guarantee anonymity of vehicles on VANET communications.
• SM is a manager which provides storage service on the cloud. To support secure trajectory data sharing, SM maintains encrypted trajectory data of vehicles and acts as a broker which handles to distribute re-encrypted trajectory data to RSUs authorized by the vehicle of the trajectory owner.
• RSUs are subordinated to the TA and sparsely deployed on the roads such as main intersections, and their geographical location information are available through the system. The roles of RSUs in $\mathcal{R}$ are divided into socialspot RSUs and relaying RSUs. Socialspot RSUs (sRSUs), denoted as $\mathcal{SR}=\{sRS{U}_1,\dots ,sRS{U}_l\}\subseteq \mathcal{R}$, are deployed on the specific locations of interest. A set of RSUs establish a local cloud with dedicated servers so that they collect and provide location-aware information to vehicles by means of trajectory-based message delivery. On the other hand, a relaying node RSU equips storage for temporarily holding messages to support message forwarding to the destination vehicles passing by its coverage.
• Vehicles are equipped with OBU and GPS-based navigation system with digital maps. A registering vehicle $V_d\in \mathcal{V}$ selects sRSUs among $\mathcal{SR}$ in which $V_d$ is interested and generates a re-encryption key for the selected sRSUs to share its driving trajectory data through the cloud storage under the control of SM. Whenever $V_d$ changes its preferred driving route, $V_d$ uploads its encrypted driving route data to SM.

Moreover, to clarify the proposed system, we also make the following assumptions.

• Public security parameters of TA are already known to all entities in the system.
• SM and socialspot RSUs are interconnected to each other through a secure and reliable channel.
• Locations and identities of RSUs are publicly available to the system so that vehicles can know which RSUs are deployed at which locations.

2.2. Threat Model and Security Considerations

In our system architecture, we consider two types of attack. One is an attack by a compromised SM. In other words, we assume that SM is a honest-but-curious entity that will follow the protocol but may try to extract vehicle’s driving trajectory data stored on the cloud for the purpose of collecting and profiling driver’s preferences. The other is an attack by an outside attacker which has no access privilege to the cloud but try to learn vehicle’s driving locations over VANET communications. However, when we assume that SM and RSUs are interconnected through a secure channel, it is hard for an outsider attacker to control the communications between SM and an RSU. In addition, we assume that all RSUs are trusted under the control of the TA so that SM is not allowed to collude with any RSU. Thus, it is assumed that TA can inspect all RSUs subordinated to it and the collusion or compromise of an RSU is detectable by the TA.

Under the threat model and assumptions, we consider the following security requirements to design a secure vehicle trajectory data sharing system and message delivery protocol to guarantee the location privacy of vehicles in VANETs.

• Authorized access to trajectory data: Access to driving trajectory data of a vehicle on the cloud must be restricted to only the RSUs authorized by the owner vehicle of the trajectory data. Even though vehicle’s trajectory data are managed under the control of SM, driving trajectory data must be hidden from SM as well as unauthorized entities.
• Self-control: When a vehicle uploads its trajectory data to SM, it should be possible for the vehicle to control that which RSUs can or cannot access its trajectory data by the vehicle itself.
• Authenticated communications: For secure message delivery on VANETs, vehicles and RSUs involved in message delivery must be authenticated to each others. In message forwarding, a relaying RSU must authenticate a vehicle to check if the vehicle is a valid destination specified in the message. Besides, a vehicle must be convinced that the received message originated from a valid source claimed in the message.
• Avoiding location tracking: While a vehicle connects to RSUs on its driving routes to receive messages, driving trajectory of the vehicle must not be tracked by an outside attacker on VANETs. That is, it must be hard for an outside attacker to learn that a vehicle has moved from and to which of RSUs by overhearing vehicle-to-RSU communications.

3. Preliminaries

Before presenting our proposed system, in this section, we briefly outline the properties of a bilinear map and introduce some cryptographic schemes using a bilinear map which serve as the basis of the proposed system. More specifically, we design the proposed system using certificateless proxy re-encryption and id-based signature schemes with pseudonymous identities of vehicles.

3.1. Bilinear Map

Let ${\mathbb{G}}_1$ and ${\mathbb{G}}_2$ be two cyclic groups of the same prime order q. There is a bilinear map $e:{\mathbb{G}}_1\times {\mathbb{G}}_1\to {\mathbb{G}}_2$ satisfying the following properties.

• Bilinear: $\widehat{e}(g^a,g^b)=\widehat{e}{(g,g)}^{ab}$, for all $a,b\in Z_q^{\ast }$ and $g\in {\mathbb{G}}_1$.
• Non-degenerate: If g is a generator of ${\mathbb{G}}_1$, then $\widehat{e}(g,g)$ is a generator of ${\mathbb{G}}_2$.
• Computable: $\widehat{e}(g,h)$ is efficiently computable for any $g,h\in {\mathbb{G}}_1$.

3.2. Cryptographic Building Blocks

As our building blocks, we adopt a certificateless proxy re-encryption (CL-PRE) scheme [27] and an id-based signature (ID-SIG) scheme [28] described in the followings.

• Setup(): A private key generator chooses bilinear map groups $({\mathbb{G}}_1,{\mathbb{G}}_2)$ of the same prime order q, random generators $g,h\in {\mathbb{G}}_1$, and hash functions $H_1:{\{0,1\}}^{\ast }\to {\mathbb{G}}_1$, $H_2:{\{0,1\}}^{\ast }\to Z_q^{\ast }$, $H_3:G_2\times G_2\to {\{0,1\}}^{n+{\kappa }_0}$. It also chooses a random $s\in Z_q^{\ast }$ as a master secret then computes $g_1=g^s$, $g_2=\widehat{e}(g,g)$, $g_3=\widehat{e}(g,h)$. Public system parameters are set as $params:=〈{\mathbb{G}}_1,{\mathbb{G}}_2,q,\widehat{e},g,h,g_1,g_2,g_3,H_1,H_2,H_3〉$.
• idKeyGen(s, $id$): Given an identity $id$, this algorithm outputs an id-based private key $d_{id}=g^{1/(s+H_2\left(id\right))}$ under the master secret key s of a private key generator.
• SetPrvKey($d_{id}$): Given a $d_{id}$ generated by idKeyGen for an $id$, this algorithm chooses random values $a,b\in Z_q^{\ast }$ and sets $s{k}_{id}=(d_{id},a,b)$ as a private key for CL-PRE for a user of the $id$.
• SetPubKey($s{k}_{id}$): This algorithm returns a public key $p{k}_{id}=(g_3^a,g^b)$ corresponding to $s{k}_{id}$ for CL-PRE.
• clEnc(m, $id$, $p{k}_{id}$): Certificateless encryption algorithm generates a ciphertext for a given message m under the $id$ and $p{k}_{id}$ as follows:
  • Choose a random $\alpha \in {\{0,1\}}^{{\kappa }_0}$ for a security parameter ${\kappa }_0$.
  • Compute $\beta =H_2\left(m\right|\alpha \left|id\right|p{k}_{id})$.
  • Compute $c_1={(g^{H_2\left(id\right)}·g_1)}^{\beta }$, $c_2=h^{\beta }$, $c_3=\left(m\right|\alpha )\oplus H_3\left(g_2^{\beta }\right|{\left(g_3^a\right)}^{\beta })$, and $c_4=u^{\beta }$ where $u=H_1\left(id\right|p{k}_{id}|c_1|c_2\left|c_3\right)$.
  • Output the ciphertext $C=(c_1,c_2,c_3,c_4)$.
• clReKeyGen($s{k}_{i{d}_i}$, $i{d}_i$, $i{d}_j$, $p{k}_{i{d}_i}$, $p{k}_{i{d}_j}$): Re-encryption key generation algorithm returns a proxy re-encryption key $r{k}_{i{d}_i\to i{d}_j}$ as follows:
  • Choose a random $\gamma \in Z_q^{\ast }$ and compute $\mu =H_2(g_2^{\gamma }|i{d}_i|p{k}_{i{d}_i}|i{d}_j\left|p{k}_{i{d}_j}\right)$.
  • Compute $r{k}^{\left(1\right)}=g^{\mu /(s+H_2\left(i{d}_i\right))}$, $r{k}^{\left(2\right)}={(g^{H_2\left(i{d}_j\right)}·g_1)}^{\gamma }$, and $r{k}^{\left(3\right)}={\left(g^{b_j}\right)}^{a_i}$ where $a_i\in s{k}_{i{d}_i}$ and $g^{b_j}\in p{k}_{i{d}_j}$, respectively.
  • Output the re-encryption key $r{k}_{i{d}_i\to i{d}_j}=(r{k}^{\left(1\right)},r{k}^{\left(2\right)},r{k}^{\left(3\right)})$.
• clReEnc($i{d}_i$, $p{k}_{i{d}_i}$, C, $r{k}_{i\to j}$): Given a ciphertext C under the identity $i{d}_i$ and public key $p{k}_{i{d}_i}$, this algorithm outputs a re-encrypted ciphertext $C_j$ delegated to $i{d}_j$ under the $r{k}_{i{d}_i\to i{d}_j}$ as follows:
  • Parse C as $C=(c_1,c_2,c_3,c_4)$
  • Compute $u=H_1(i{d}_i|p{k}_{i{d}_i}|c_1|c_2\left|c_3\right)$ and $y_i=H_2\left(i{d}_i\right)$.
  • If $\widehat{e}(c_1,u)\stackrel{?}{=}\widehat{e}((g^{y_i}·g_1),c_4)$ and $\widehat{e}(c_2,u)\stackrel{?}{=}\widehat{e}(h,c_4)$ holds,
  • Set the re-encrypted ciphertext $C_j=(c_1^{\prime },c_2^{\prime },c_3^{\prime },c_4^{\prime },i{d}_i,p{k}_{i{d}_i})$, where $c_1^{\prime }=\widehat{e}(c_1,r{k}^{\left(1\right)})$, $c_2^{\prime }=r{k}^{\left(2\right)}$, $c_3^{\prime }=\widehat{e}(c_2,r{k}^{\left(3\right)})$, and $c_4^{\prime }=c_3$.
• clReDec($s{k}_{i{d}_j}$, $C_j$): Given a re-encrypted ciphertext $C_j$ delegated to $i{d}_j$ from $i{d}_i$, decryption algorithm outputs the message m as follows:
  • Parse $C_j$ as $C_j=(c_1^{\prime },c_2^{\prime },c_3^{\prime },c_4^{\prime },i{d}_i,p{k}_{i{d}_i})$.
  • Compute $\rho =\widehat{e}(c_2^{\prime },d_{i{d}_j})$ where $d_{i{d}_j}\in s{k}_{i{d}_j}$, and $\mu =H_2\left(\rho \right|i{d}_i|p{k}_{i{d}_i}|i{d}_j\left|p{k}_{i{d}_j}\right)$.
  • Compute $\left(m\right|\alpha )=c_4^{\prime }\oplus H_3\left({c_1^{\prime }}^{1/\mu }\right|{c_3^{\prime }}^{1/b_j})$.
  • Compute $\beta =H_2\left(m\right|\alpha |i{d}_i\left|p{k}_{i{d}_i}\right)$.
  • If $c_1^{\prime }\stackrel{?}{=}{g}_2^{\mu \beta }$ and $c_3^{\prime }\stackrel{?}{=}{\left(g_3^{a_i}\right)}^{\beta b_j}$ holds, return m. Otherwise output ⊥.
• idSig($d_{id}$, m): On input an id-based secret key $d_{id}$ and a message m, this algorithm computes a signature S for the m as follows:
  • Pick a random $x\in Z_q^{\ast }$ and compute $\theta =g_2^x$.
  • Set the signature $S=({\sigma }_1,{\sigma }_2)$, where ${\sigma }_1=H_2(m,\theta )$ and ${\sigma }_2=d_{id}^{x+{\sigma }_1}$.
• idVrf($id$, m, S): ID-based signature verification algorithm accepts the message m if ${\sigma }_1\stackrel{?}{=}{H}_2(m,A)$ holds, where $A=\widehat{e}({\sigma }_2,g^{H_2\left(id\right)}{g}_1)·g_2^{-{\sigma }_1}$.

4. Proposed System

In this section, we describe the proposed secure trajectory data sharing system for supporting trajectory-based message delivery protocol on VANETs by making use of cryptographic techniques presented in Section 3. The proposed system consists of setup, enrolment, trajectory sharing, and message delivery phases.

Table 1. Notations and descriptions.

Notation	Description
${\mathbb{G}}_1$, ${\mathbb{G}}_2$	bilinear map groups of a prime order q
$e:{\mathbb{G}}_1\times {\mathbb{G}}_1\to {\mathbb{G}}_2$	bilinear map
$g,h\in {\mathbb{G}}_1$	generators of ${\mathbb{G}}_1$
$s\in Z_q^{\ast }$	master secret key of TA
$g^s$	public key of TA corresponding to s
$RS{U}_i$	identity of a roadside unit
$sRS{U}_j$	identity of a socialspot RSU
$rs{k}_j$	id-based secret key for an $RS{U}_j$
$pi{d}_{di}$	i-th pseudonym of a vehicle $V_d$
$vs{k}_{di}$	id-based private key of a vehicle $V_d$ for $pi{d}_{di}$
$s{k}_X$, $p{k}_X$	private and public key of X for CL-PRE
$r{k}_{V_d\to sRS{U}_j}$	re-encryption key of $V_d$ to $sRS{U}_j$
$ts$	current timestamp
$En{c}_k\left(\right)$	symmetric encryption under the key k
$De{c}_k\left(\right)$	symmetric decryption under the key k
$MA{C}_k\left(\right)$	message authentication code under the key k

shows the notations used to describe the proposed protocol.

4.1. Setup

TA first picks a random $s\in Z_q^{\ast }$ as its master secret and runs Setup() algorithm to generate public system parameters $params:=〈{\mathbb{G}}_1,{\mathbb{G}}_2,q,\widehat{e},g,h,g_1,g_2,g_3,H_1,H_2,H_3〉$. TA also issues id-based secret keys to RSUs and vehicles registered to the system. Note, at this phase, we assume that id-based secret keys can be issued to RSUs and vehicles through an out-of-band secure channel before they participate in VANETs. Let $\mathcal{R}=\{RS{U}_1,\dots ,RS{U}_m\}$ be the RSUs subordinated by the TA and $\mathcal{V}=\{V_1,\dots ,V_n\}$ be the registering vehicles. For each $RS{U}_j\in \mathcal{R}$, TA generates $RS{U}_j$’s id-based secret key $rs{k}_j\leftarrow$ idKeyGen(s, $RS{U}_j$) and preloads $rs{k}_j$ to each $RS{U}_j$ securely. Then, $RS{U}_j$ sets its private key as $s{k}_{RS{U}_j}=(rs{k}_j,a_j,b_j)\leftarrow$ SetPrvKey($rs{k}_j$) and public key $p{k}_{RS{U}_j}=(g_3^{a_j},g^{b_j})\leftarrow$ SetPubKey($s{k}_{RS{U}_j}$) for CL-PRE.

On the other hand, for a vehicle $V_d\in \mathcal{V}$, TA chooses $w+1$ pseudonymous identities $PI{D}_d=\left\{pi{d}_{di}\right|0\le i\le w\}$ for $V_d$ after checking the eligibility of $V_d$. TA issues $V_d$’s id-based secret keys $vs{k}_{di}\leftarrow$ idKeyGen(s, $pi{d}_{di}$) for each $pi{d}_{di}\in PI{D}_d$. In our system, $pi{d}_{d0}$ is used for re-encryption procedure while $\{pi{d}_{d1},\dots ,pi{d}_{dw}\}$ are used for VANET communications. When obtaining id-based keys for the pseudonyms, $V_d$ sets its private key and public key for proxy re-encryption procedure as $s{k}_{V_d}=(vs{k}_{d0},a_d,b_d)\leftarrow$ SetPrvKey($vs{k}_{d0}$) and public key $p{k}_{V_d}=(g_3^{a_d},g^{b_d})\leftarrow$ SetPubKey($s{k}_{V_d}$) for CL-PRE. Then, each $V_d$ and each $RS{U}_j$, respectively, store $(pi{d}_{d0},p{k}_{V_d})$ and $(RS{U}_j,p{k}_{RS{U}_j})$ to the cloud storage so as for them to retrieve the public key of each others.

4.2. Enrolment

For a vehicle to receive location-aware service messages by means of trajectory-based message delivery, $V_d$ configures desired socialspots in which $V_d$ is interested for receiving the service messages and selects sRSUs installed at the socialspots denoted as $S{R}_d=\left\{sRS{U}_j\right|1\le j\le k\}\subseteq \mathcal{SR}$. Then, to allow each $sRS{U}_j\in S{R}_d$ to access $V_d$’s trajectory data under the control of SM using a proxy re-encryption scheme, $V_d$ generates the re-encryption key $r{k}_{V_d\to sRS{U}_j}$ for each $sRS{U}_j$ as follows:

• Retrieve $sRS{U}_j$’s public key $p{k}_{sRS{U}_j}$ from the cloud storage.
• Set a re-encryption key as $r{k}_{V_d\to sRS{U}_j}\leftarrow$ clReKeyGen($s{k}_{V_d}$, $pi{d}_{d0}$, $sRS{U}_j$, $p{k}_{V_d}$, $p{k}_{sRS{U}_j}$).
• Compose a message $RS{M}_d=\{pi{d}_{d0},p{k}_{V_d},S{R}_d$, $R{K}_d\}$, where $R{K}_d=\left\{r{k}_{V_d\to sRS{U}_j}\right|sRS{U}_j\in S{R}_d\}$.

$V_d$ entrusts $RS{M}_d$, consisting of sRSUs list and re-encryption keys, to SM so as for SM to re-encrypt $V_d$’s trajectory data and delegate decryption right to each $sRS{U}_j$ when $V_d$ uploads its encrypted trajectory data to SM.

4.3. Trajectory Sharing on the Cloud

Let $T_d=\{lo{c}_1\to \dots \to lo{c}_t\}$ be the driving trajectory of a vehicle $V_d$ consisting of some specific locations such as main roads or intersections on $V_d$’s preference driving routes. When $V_d$ participates in VANETs, $V_d$ will expects to receive service messages provided by the socialspot RSUs ($S{R}_d$) of $V_d$’s interest through some contact point RSUs deployed on $V_d$’s driving trajectory $T_d$. To securely share $V_d$’s trajectory data and pseudonyms used for message delivery in VANETs with the socialspot RSUs in $S{R}_d$ through the cloud storage, $V_d$ uploads encrypted trajectory data and pseudonyms to SM as follows:

• Choose a pseudonym $pi{d}_{di}\in PI{D}_d$ to be used for connecting to a contact point $RS{U}_i$.
• Compose a pseudonym-location pair message $tr{j}_d=\left\{(pi{d}_{di},lo{c}_i)\right|1\le i\le t\}$.
• Generate a ciphertext C for $tr{j}_d$ as $C\leftarrow$ clEnc($tr{j}_d$, $pi{d}_{d0}$, $p{k}_{V_d}$) under $V_d$’s own public key.
• Upload $T{M}_d=\{pi{d}_{d0},C,ts,S_d\}$ to SM, where $S_d\leftarrow$ idSig($vs{k}_{d0}$, $pi{d}_{d0}\left|C\right|ts$) is $V_d$’s signature under the id-based secret key $vs{k}_{d0}$ of $pi{d}_{d0}$.

Once $V_d$ uploads its trajectory sharing message $T{M}_d$ to the cloud storage, SM controls to transform and provide $V_d$’s encrypted trajectory to the sRSUs in $S{R}_d$ specified by $V_d$ as follows:

• Parse $T{M}_d$ as $\{pi{d}_{d0},C,ts,S_d\}$ and verify the signature $S_d$ as idVrf($pi{d}_{d0}$, $pi{d}_{d0}\left|C\right|ts$, $S_d$) under the given $pi{d}_{d0}$.
• Retrieve $RS{M}_d=\{pi{d}_{d0},p{k}_{V_d},S{R}_d,R{K}_d\}$ for the given $pi{d}_{d0}$ from SM’s storage.
• For each $sRS{U}_j\in S{R}_d$, extract $r{k}_{V_d\to sRS{U}_j}\in R{K}_d$ and transform the ciphertext C to $C_j^{\prime }$ as $C_j^{\prime }\leftarrow$ clReEnc ($pi{d}_{d0}$, $p{k}_{V_d}$, C, $r{k}_{V_d\to sRS{U}_j}$).
• Store $\{C_j^{\prime },ts\}$ to $sRS{U}_j$’s directory on the cloud.

While SM maintains vehicles encrypted trajectory information, each socialspot RSU, $sRS{U}_j$, periodically access its directory to get the updated trajectory of $V_d$ as follows:

• Downloads $\{C_j^{\prime },ts\}$ from its directory on the cloud.
• Decrypt $C_j^{\prime }$ to get $tr{j}_d$ as $tr{j}_d=\left\{(pi{d}_{di},lo{c}_i)\right|1\le i\le t\}\leftarrow$ clReDec($s{k}_{sRS{U}_j}$, $C_j^{\prime }$).
• Add $(pi{d}_{di},lo{c}_i)$ pairs to the vehicle list $VList$.

4.4. Trajectory-based Message Delivery

Suppose that $sRS{U}_j$ collects and provides location-aware service information, such as traffic condition, gas station, and so on. Once $tr{j}_d=\left\{(pi{d}_{di},lo{c}_i)\right\}$ of $V_d$ is loaded, $sRS{U}_j$ can disseminate location-aware service messages for $V_d$ through an $RS{U}_i$ deployed on around $lo{c}_i$. Message delivery from $sRS{U}_j$ to $V_d$ can be subdivided into three phases: (1) message distribution of $sRS{U}_j$ to $RS{U}_i$; (2) immediate message forwarding by $RS{U}_i$ to $V_d$ if $V_d$ is within $RS{U}_i$’s transmission coverage; and (3) message carry-and-forwarding by other vehicles to $V_d$ if $V_d$ is out of $RS{U}_i$’s transmission coverage, as shown in the Figure 3.

4.4.1. Message Distribution to RSUs

Let $msg$ be a content of location-aware service provided by $sRS{U}_j$. In this phase, $sRS{U}_j$ compose a message package $M_{jd}$ for $V_d$ and distributes $M_{jd}$ to $V_d$’s contact point $RS{U}_i$ as follows:

• Extract $pi{d}_{di}$ corresponding to $lo{c}_i$ from $VList$.
• Set a message $M_{jd}=\{pi{d}_{di},sRS{U}_j,msg,t{s}^{\prime },S_j,ttl\}$ where $S_j\leftarrow idSig(rs{k}_j,pi{d}_{di}|sRS{U}_j\left|msg\right|t{s}^{\prime })$ is $sRS{U}_j$’s signature and $ttl$ is the message lifetime.
• Distribute $M_{jd}$ to $RS{U}_i$ nearby $lo{c}_i$.

When we assume that RSUs are inter-connected, a message $M_{jd}$ can be easily distributed to other RSUs. During the message delivery, a message bundle has a certain lifetime specified as $ttl$ so that an expired message bundle is discarded. This is for RSUs or carrying vehicles to avoid consuming their storage excessively for a long time even if a target vehicle $V_d$ is not met on the roads.

4.4.2. Immediate Message Forwarding

If a message is distributed to contact point RSUs, each RSU stores the received messages and forwards them when a target vehicles for the message passes by RSU’s coverage before $ttl$ is expired. Suppose that a vehicle $V_d$ enters $RS{U}_i$’s coverage and $M_{jd}$ sent from $sRS{U}_j$ for $V_d$ is kept by $RS{U}_i$. The followings describe message forwarding protocol from $RS{U}_i$ to $V_d$.

• $RS{U}_i$ periodically broadcasts beacon message containing $pi{d}_{di}$ specified as a destination of $M_{jd}$.
• If $pi{d}_{di}$ is found in the beacon message, $V_d$ sends a message request $\{req,pi{d}_{di},S_d^{\prime }\}$ to $RS{U}_i$, where $req$ is a metadata for message requesting and $S_d^{\prime }\leftarrow$ idSig($vs{k}_{di}$, $req|pi{d}_{di}$).
• Upon receiving the request message, $RS{U}_i$ authenticates $V_d$ by verifying $S_d^{\prime }$ as idVrf($pi{d}_{di}$, $req|pi{d}_{di}$, $S_d^{\prime }$). If it holds, $RS{U}_i$ sends $M_{jd}$ to $V_d$.

When $M_{jd}$ is downloaded, $V_d$ checks the authenticity of the received message $msg$ to be convinced whether the message actually originated from $V_d$’s desired $sRS{U}_j$ as follows:

• Parse $M_{jd}=\{pi{d}_{di},sRS{U}_j,msg,t{s}^{\prime },S_j,ttl\}$.
• Verify the signature $S_j$ as $idVrf(sRS{U}_j,pi{d}_{di}|sRS{U}_j\left|msg\right|t{s}^{\prime },S_j)$; and, if it holds,
• Accept $msg$ as a valid message from $sRS{U}_j$.

4.4.3. Message Carry-and-Forwarding

If we consider that a target vehicle drives beyond contact point RSU’s transmission coverage, another strategy to deliver a message is to rely on VANET routing by means of carry-and-forwarding among neighboring vehicles on the road. For instance, to deliver a message $M_{jd}$ on VANET, $RS{U}_i$ requests and finds a volunteer vehicle which willingly joins carrying and forwarding the message. Suppose that a vehicle $V_c$ within $RS{U}_i$’s range is a volunteer vehicle. For $RS{U}_i$’s request, $V_c$ responds acceptance message $\{acc,pi{d}_{ci},S_c\}$ to $RS{U}_i$ to obtain $M_{jd}$, where $acc$ is a metadata and $S_c\leftarrow$ idSig($pi{d}_{ci}$, $acc|pi{d}_{ci}$). $RS{U}_i$ authenticates $V_c$ by verifying the signature $S_c$ under $pi{d}_{ci}$, if it holds, provides $V_c$ with $M_{jd}$.

Once $M_{jd}$ is stored in $V_c$’s storage, $V_c$ carries $M_{jd}$ by itself until $V_c$ runs into the target vehicle $V_d$ of $pi{d}_{di}$ on the road before $ttl$ is expired, or $V_c$ forwards $M_{jd}$ to a next-hop vehicle in accordance with VANET routing protocol. For the former case, if $V_c$ detects $V_d$ on driving, $V_c$ sends notification message to $V_d$ to inform that $V_c$ has a message $M_{dj}$ for $V_d$. Then, $V_d$ requests the message to $V_c$ in authenticated manner as follows:

• $V_d$ requests the message to $V_c$ by sending $\{req,pi{d}_{di},S_d^{\prime }\}$.
• $V_c$ verifies the signature $S_d^{\prime }$ and forwards $M_{jd}$ attached with its signature as $\{res,pi{d}_{ci},M_{jd},S_c\leftarrow$ idSig($vs{k}_{ci}$, $res|pi{d}_{ci}|M_{jd}$)}, where $res$ is a metadata for the response.
• $V_d$ first verifies $V_c$’s signature $S_c$ and extracts $M_{jd}$. Then, $V_d$ checks if $M_{jd}$ actually originated from $sRS{U}_j$ by checking $sRS{U}_j$’s signature $S_j$ in $M_{jd}$ as described in step 2) of immediate forwarding.

On the other hand, if a message is delivered by hop-by-hop forwarding, each intermediary vehicle involved in VANET routing protocol must append its signature to the forwarded message. For instance, suppose that $hop=\{V_1\to V_2\to \dots \to V_l\}$ is a set of vehicles involved in message forwarding to the destination vehicle $V_d$ (Note, how to establish a route and forward a message to the destination node is beyond our scope. We can assume the existing VANET routing protocols such as [6,29]). The message arriving to $V_d$ consists of $\{fwd,M_{jd},{\left\{pi{d}_{hi}\right|S_h\}}_{V_h\in hop}\}$ where $fwd$ is a metadata for message forwarding and $S_h$ is a signature of each $V_h$. The last hop vehicle can forward $M_{jd}$ to $V_d$ as described in the above. By verifying each signature $S_h$ under $pi{d}_{hi}$, $V_d$ can be convinced that the received message $M_{jd}$ was forwarded via authenticated vehicles.

4.5. Trajectory Update and Sharing Revocation

After vehicles initially upload their trajectory data to SM, they can update their trajectory data whenever they want to change preference driving routes. Remind, in trajectory sharing phase in Section 4.3, $V_d$’s trajectory $T_d$ is uploaded to the cloud in the encrypted form of C in $tr{j}_d$, and then C is transformed to a re-encrypted ciphertext $C_j$ by the SM to be shared with an $sRS{U}_j\in S{R}_d$. Suppose that $V_d$’s trajectory $T_d$ is changed to different driving locations $T_d^{\prime }=\{lo{c}_1^{\prime }\to \dots \to lo{c}_t^{\prime }\}$ but $V_d$ still wants to share the changed trajectory with the current sRSUs in $S{R}_d$. In this case, the operation required to $V_d$ is just to generate a ciphertext $C^{\prime }$ for the changed trajectory $T_d^{\prime }$ in accordance with the procedures of Section 4.3, and update $T{M}_d$ to include $C^{\prime }$ on the cloud storage. Then, SM can transform $C^{\prime }$ to $C_j^{\prime }$ for each $sRS{U}_j$ using the existing re-encryption keys $R{K}_d$ in $RS{M}_d$.

Sometimes, however, a vehicle will not wish to share the updated trajectory data with some sRSUs any more if the vehicle changes its interested socialspots. That is, a vehicle needs to revoke unwilling trajectory sharing. Suppose that $V_d$ does not want to share updated trajectory data with an $sRS{U}_j$. In the proposed system, $V_d$ can revoke trajectory sharing with $sRS{U}_j$ by updating $V_d$’s private and public key pair and re-encryption keys for sRSUs except the $sRS{U}_j$ as follows:

• Renew its private key as $s{k}_{V_d}=(vs{k}_{d0},a_d^{\prime },b_d^{\prime })\leftarrow$ SetPrvKey($vs{k}_{d0}$) and public key as $p{k}_{V_d}=(g_3^{a_d^{\prime }},g^{b_d^{\prime }})\leftarrow$ SetPubKey($s{k}_{V_d}$) by choosing new random values $a_d^{\prime },b_d^{\prime }\in Z_q^{\ast }$.
• Change the socialspot RSUs list as $S{R}_d$ to $S{R}_d^{\prime }$ by adding new sRSUs and deleting revoked sRSUs.
• Set $R{K}_d^{\prime }=\left\{r{k}_{V_d\to sRS{U}_i}\right|sRS{U}_i\in S{R}_d^{\prime }\}$ by running $r{k}_{V_d\to sRS{U}_i}\leftarrow$ clReKeyGen($s{k}_{V_d}$, $pi{d}_{d0}$, $sRS{U}_i$, $p{k}_{V_d}$, $p{k}_{sRS{U}_i}$) for each $sRS{U}_i$.
• Replace the existing $RS{M}_d$ uploaded in enrolment phase of Section 4.2 with the updated $RS{M}_d^{\prime }$ including $R{K}_d^{\prime }$ and $S{R}_d^{\prime }$.

5. Analysis

5.1. Security

5.1.1. Authorized Access to Trajectory Data

Since the locations of a vehicle can be regarded as personal information of a driver, driving trajectory data maintained on the cloud must not be exposed to not only outsiders but also SM illegally in the system. In our proposed system, a trajectory data $tr{j}_d$ consisting of pseudonym-location pairs of a vehicle $V_d$ is maintained by SM in the encrypted form under $V_d$’s public key $p{k}_{V_d}$ as $C\leftarrow$ clEnc($tr{j}_d$, $pi{d}_{d0}$, $p{k}_{V_d}$). Essentially, nobody can gain $V_d$’s trajectory data as trying to decrypt C without knowing $V_d$’s private key $s{k}_{V_d}$ corresponding to $p{k}_{V_d}$. On the other hand, some sRSUs of $V_d$’s interested socialspots specified in $S{R}_d$ need to know $V_d$’s driving trajectories for disseminating service messages through contact point RSUs along $V_d$’s driving routes. $V_d$ can allow an $sRS{U}_j\in S{R}_d$ to get its trajectory data by giving a re-encryption key $r{k}_{V_d\to sRS{U}_j}\leftarrow$ clReKeyGen($s{k}_{V_d}$, $pi{d}_{d0}$, $sRS{U}_j$, $p{k}_{V_d}$, $p{k}_{sRS{U}_j}$) to SM instead of entrusting plaintext trajectory data. The encrypted trajectory data C are then re-encrypted to $C_j^{\prime }\leftarrow$ clReEnc ($pi{d}_{d0}$, $p{k}_{V_d}$, C, $r{k}_{V_d\to sRS{U}_j}$) for $sRS{U}_j$ under the key $r{k}_{V_d\to sRS{U}_j}$ by SM. Hence, only a valid $sRS{U}_j$ that possesses a private key $s{k}_{sRS{U}_j}$ corresponding to $p{k}_{sRS{U}_j}$ involved in $r{k}_{V_d\to sRS{U}_j}$ can get $tr{j}_d$ by decrypting $C_j$.

In addition to an outside attacker and unauthorized RSUs, another concern is the security threat of SM to the trajectory data managed on the cloud since a semi-honest SM may be curious to know vehicle’s driving locations for the purpose of collecting and profiling driver’s preferences. At this phase, even though the encrypted trajectory data and re-encryption keys are given to SM, it is hard for SM to deduce the private key of $V_d$ or $sRS{U}_j$ for the purpose of recovering the trajectory data $tr{j}_d$ from C or $C_j$ if we assume the security properties of the underlying proxy re-encryption scheme [27]. Therefore, neither SM nor unauthorized RSUs can access vehicle’s trajectory data on the cloud unless the vehicle authorizes decryption rights for the encrypted trajectory data under re-encryption keys.

5.1.2. Self-Controllable Trajectory Sharing

In our proposed system, even though vehicle’s shared trajectory data are maintained and transferred by SM, it is the owner vehicle of the trajectory data that can decide what RSUs can access its trajectory data on the cloud. As mentioned before, distribution of the trajectory data of $V_d$ is performed by SM according to socialspot list $S{R}_d$ and re-encryption keys $R{K}_d=\left\{r{k}_{V_d\to sRS{U}_j}\right|sRS{U}_j\in S{R}_d\}$ generated by $V_d$ in the enrolment phase. If $V_d$ does not want an $sRS{U}_j$ existing in $S{R}_d$ to access its trajectory data any more, $V_d$ can revoke $sRS{U}_j$’s decryption right by generating new re-encryption keys for sRSUs in $S{R}_d$ except $sRS{U}_j$. Once $V_d$ uploads updated $S{R}_d^{\prime }\setminus \left\{sRS{U}_j\right\}$ and $R{K}_d^{\prime }$ for each sRSU in $S{R}_d^{\prime }$, SM will exclude $sRS{U}_j$ and not provide $sRS{U}_j$ with the re-encrypted trajectory data of $V_d$. In our revocation procedure of Section 4.5, $V_d$ can generate re-encryption keys without involvement of SM and sRSUs, and it does not require renewing public keys of sRSUs due to the functionality of certificateless proxy re-encryption scheme. Therefore, our proposed system can provide a flexible and self-controllable trajectory data sharing mechanism.

5.1.3. Authenticated Vehicular Communications

To receive a service message in the form of $M=\{pi{d}_{di},sRS{U}_j,msg,t{s}^{\prime },S_j,ttl\}$ served by sRSUs on VANETs, $V_d$ must be authenticated to a contact point $RS{U}_i$ or carrier vehicle $V_c$ as $V_d$ is the valid destination vehicle of $pi{d}_{di}$ specified in the message M. In message forwarding phase of Section 4.4, when $V_d$ requests a message M kept by a contact point $RS{U}_i$ or a carrying vehicle $V_c$, $V_d$ must present its id-based signature $S_d^{\prime }\leftarrow$ idSig($vs{k}_{di}$, $req|pi{d}_{di}$) which is in turn verified under the given $pi{d}_{di}$ of the message M. If we assume the security of an id-based signature scheme, any vehicle which does not know the private key corresponding to $pi{d}_{di}$ except $V_d$ cannot forge the signature nor impersonate $V_d$. Therefore, only the valid vehicle $V_d$ authenticated under the $pi{d}_{di}$ can receive the message M.

In addition, when $V_d$ receives a message M, $V_d$ also authenticates the message sender sRSU by verifying the attached id-based signature $S_j$ under the sRUS’s identity $sRS{U}_j$ specified in M. That is, $V_d$ can be convinced that the message M was sent from the $sRS{U}_j$, in which $V_d$ is interested, if the signature $S_j$ is verified as valid under the id of $sRS{U}_j$.

5.1.4. Avoiding Location Tracking

Due to the access control to the trajectory data, we can prevent an outside attacker as well as any unauthorized entity from learning vehicle’s driving trajectory stored on the cloud. On the other hand, to prevent an outside attacker from tracking driving path of a vehicle by eavesdropping on the vehicle-to-RSU communications, it must be difficult for an outside attacker to guess that the observed vehicle at different RSU’s coverage is the same vehicle while a vehicle connects to contact point RSUs for receiving a message over VANET on its driving. In our proposed system, a vehicle $V_d$ has a set of pseudonyms $\{pi{d}_{d1},..,pi{d}_{dw}\}$, which can be independently generated random values, and it is recommended to use a different pseudonym for identification and authentication whenever $V_d$ connects to a different contact point $RS{U}_i$ deployed at the location of $lo{c}_i$ along $V_d$’s driving path. Therefore, we can make it hard for an outside attacker to track moving locations of a vehicle if any two pseudonyms $pi{d}_{di}\ne pi{d}_{dj}$, respectively, observed by the attacker at $RS{U}_i$ and $RS{U}_j$ are unlinkable to the same vehicle from attacker’s viewpoint.

Moreover, $〈pi{d}_{di},lo{c}_i〉$ pairs are only known to the sRSUs authorized by $V_d$ by means of a re-encryption technique. Another possible attack for an outside attacker is to compromise an sRSU to extract $V_d$’s pseudonyms and driving trajectory data $〈pi{d}_{di},lo{c}_i〉$ kept by the sRSU on the VANET. As a countermeasure to this threat, in this paper, we just assume that all RSUs are inspected by the TA and compromise of an RSU can be preventable and detectable by means of a security module such as tamper proof device. RSUs would not disclose any information without the authorization of the TA. Nevertheless, if an sRSU is detected as abused, TA can take an action to recover the sRSU and the vehicle can generate new re-encryption keys for sRSUs to protect the changed trajectory data after that.

5.2. Performance

We simulated the message delivery on VANETs to evaluate the impact of the proposed security protocol to the performance of message forwarding from RSUs to destination vehicles. We implemented the simulation by using NS-2 and SUMO [30] simulators as considering an urban road environment. Figure 4 and

Table 2. NS-2 simulation parameters.

Simulation Setting
road dimension	4600 m × 3800 m
# of vehicles	{30, 45, 60, 75, 90, 105, 120, 135, 150}
# of contact point RSUs	5
# of destination vehicles	15
moving speed	{40, 50, 60, 70} km/h
mobility model	Manhattan model
wireless/bandwidth	802.11 p/6 Mbps
radio coverage	250 m
message size	100 KB
message lifetime	500 s
simulation time	2000 s

show the 4600 m × 3800 m road configuration and simulation settings, respectively.

For our simulation, we applied Manhattan mobility model in which each vehicle moves in horizontal or vertical direction on an urban road and the probability of going straight is 0.5 and taking a left or right is, respectively, 0.25 [31]. We varied the number of vehicles from 30 to 150 moving with 11.1 m/s (40 km/h) to 19.4 m/s (70 km/h) speed on average, and put five contact point RSUs relaying messages to 15 destination vehicles. For message carry-and-forwarding, we adopted the DTN routing protocol of [32] and adjusted message forwarding time to compensate for the delay caused by the authentication process. To measure the authentication overhead of message delivery, we used the benchmark results of pairing-based cryptography library [33] implemented on Intel Quad Core2 2.4 GHz machine by using the supersingular curve $y^2=x^3+x$ for the group ${\mathbb{G}}_1$ with 512-bit base field size and 160-bit group order providing 1024-bit security. Then, we evaluated the performance in terms of message delivery delay and successful delivery ratio on average of 15 destination vehicles for each experiment by varying the number of vehicles and their moving speed.

Let D be the total message delay from a contact point RSU to a destination vehicle. The message delay can be estimated as $D=D_{tr}+D_{auth}$ where $D_{tr}$ is the delay for message transmission and $D_{auth}$ is for authentication process resulting from signature generation and verification. Depending on message forwarding method, $D_{auth}$ can be classified as

$$D_{auth}=\left\{\begin{array}{cc}{T}_{sig}+T_{vrf},\hfill & \mathrm{immediate};\hfill \\ 2(T_{sig}+T_{vrf})+{\sum }_{i=1}^{l-1}{T}_{si{g}_i},\hfill & \mathrm{carry}-\mathrm{forward}.\hfill \end{array}\right.$$

where l is the number of hops and $T_{sig}$ and $T_{vrf}$ are the times for signature generation and verification evaluated as $T_{sig}$ = 4.65 ms and $T_{vrf}$ = 10.93 ms, respectively. For immediate forwarding, it requires signature generation of the destination vehicle and verification of a contact point RSU before message forwarding. On the other hand, for carry-and-forwarding, authentication of the first carrier vehicle to a contact point RSU and authentication between the last hop vehicle and the destination vehicle are required while each intermediary vehicle only appends its signature to the forwarded message.

With regard to our experiments depending on the number of vehicles and the moving speed, the initial positions of vehicles are randomly generated and the distributions of vehicles on the road in each experiment are not consistent. Thus, those experiments are independent of each other and cause uneven variations in the results of Figure 5, Figure 6, Figure 7 and Figure 8. However, we would like to estimate the performance by observing the trend of changes through the experiment results.

Figure 5 shows the average number of hops, and Figure 6 shows the average authentication delay evaluated by our simulations, respectively. We can observe that the number of intermediary vehicles participating in message forwarding is increased as the more vehicles are distributed on the road. It is obvious that the authentication delay gets longer as the number of hops are increased. However, it should be noted that the more vehicles participate in message forwarding the shorter message delay occurs, as shown in Figure 7, because the carry delay depending on the moving speed of vehicles is much longer than the communication delay. Therefore, the authentication delay is insignificant and has little effect on the total message delay.

We also evaluated the successful message delivery ratio for 500 s of message lifetime and Figure 8 shows the results. As aforementioned, if more vehicles are distributed on the VANET and move with high speed, vehicles can have more chance to meet other vehicles which results in higher possibility of message carrying-and-forwarding as well as shorter message delay. From our simulation results, we can see that almost all of the messages can be successfully delivered to the destination vehicles within 350 s when we put more than 135 vehicles moving with higher than 50 km/h speed.

6. Conclusions

Trajectory-based message delivery with the help of roadside units have been considered as an efficient message dissemination method on VANETs under the assumption that message senders know the driving routes of message receiver vehicles. However, from a security viewpoint of location privacy, users of VANETs want to limit sharing of their driving locations to the desired message senders by themselves to prevent the location information from being illegitimately exposed to others. Therefore, in this paper, we propose a secure location sharing system in which vehicles control what roadside units can access vehicles driving locations on their own decision for trajectory-based message delivery services. To effectively share vehicle’s trajectory data with the socialspot roadside units designated by the vehicle on the cloud, we devised a secure trajectory data sharing mechanism by taking advantage of a certificateless proxy re-encryption scheme in which the role of maintaining and distributing encrypted trajectory data can be delegated to a semi-trusted service manager but the access rights to the trajectory data are controlled by vehicles themselves. Therefore, even though vehicles trajectory data are managed by a service manager on the cloud, the trajectory data are hidden from not only unauthorized entities but also the service manager. In addition, whenever vehicles change their preferred driving routes, vehicles can efficiently revoke the access rights of unwanted roadside units to the updated trajectory data just by updating re-encryption keys without involvement of the service manager and roadside units. Consequently, we can design a more flexible and self-controllable secure trajectory data sharing system on VANETs.