Next Article in Journal
Development of a Wireless Corrosion Detection System for Steel-Framed Structures Using Pulsed Eddy Currents
Next Article in Special Issue
Multimedia Cryptosystem for IoT Applications Based on a Novel Chaotic System around a Predefined Manifold
Previous Article in Journal
ARTFLOW: A Fast, Biologically Inspired Neural Network that Learns Optic Flow Templates for Self-Motion Estimation
 
 
Font Type:
Arial Georgia Verdana
Font Size:
Aa Aa Aa
Line Spacing:
Column Width:
Background:
Article

SE-CPPA: A Secure and Efficient Conditional Privacy-Preserving Authentication Scheme in Vehicular Ad-Hoc Networks

by
Mahmood A. Al-Shareeda
,
Mohammed Anbar
*,
Selvakumar Manickam
and
Iznan H. Hasbullah
National Advanced IPv6 Centre (NAv6), Universiti Sains Malaysia (USM), Penang 11800, Malaysia
*
Author to whom correspondence should be addressed.
Sensors 2021, 21(24), 8206; https://doi.org/10.3390/s21248206
Submission received: 27 October 2021 / Revised: 1 December 2021 / Accepted: 3 December 2021 / Published: 8 December 2021
(This article belongs to the Special Issue Recent Trends in Wireless Sensor and Actuator Networks)

Abstract

:
Communications between nodes in Vehicular Ad-Hoc Networks (VANETs) are inherently vulnerable to security attacks, which may mean disruption to the system. Therefore, the security and privacy issues in VANETs are entitled to be the most important. To address these issues, the existing Conditional Privacy-Preserving Authentication (CPPA) schemes based on either public key infrastructure, group signature, or identity have been proposed. However, an attacker could impersonate an authenticated node in these schemes for broadcasting fake messages. Besides, none of these schemes have satisfactorily addressed the performance efficiency related to signing and verifying safety traffic-related messages. For resisting impersonation attacks and achieving better performance efficiency, a Secure and Efficient Conditional Privacy-Preserving Authentication (SE-CPPA) scheme is proposed in this paper. The proposed SE-CPPA scheme is based on the cryptographic hash function and bilinear pair cryptography for the signing and verifying of messages. Through security analysis and comparison, the proposed SE-CPPA scheme can accomplish security goals in terms of formal and informal analysis. More precisely, to resist impersonation attacks, the true identity of the vehicle stored in the tamper-proof device (TPD) is frequently updated, having a short period of validity. Since the MapToPoint hash function and a large number of cryptography operations are not employed, simulation results show that the proposed SE-CPPA scheme outperforms the existing schemes in terms of computation and communication costs. Finally, the proposed SE-CPPA scheme reduces the computation costs of signing the message and verifying the message by 99.95% and 35.93%, respectively. Meanwhile, the proposed SE-CPPA scheme reduces the communication costs of the message size by 27.3%.

1. Introduction

Annually, approximately 1.3 million persons die, and between 20 and 50 million more persons are non-fatally injured as a result of a road traffic accidents [1,2]. Therefore, the technology of Vehicular Ad-Hoc Networks (VANETs) is expected to play a major role in reducing the number of accidents and increasing road safety [3,4]. VANETs have attracted increasing attention from academia, the motor industry, and even the government in recent years [5].
VANETs are an extreme case of Mobile Ad-Hoc Networks (MANETs), in which the vehicle nodes are highly mobile. The main structure includes three components of the VANET, namely a trusted authority (TA), some fixed road-side units (RSUs), and many mobility on-board units (OBUs), as shown in Figure 1. Each vehicle has OBU to share safety traffic-related messages with others or neighbor RSU via vehicle-to-vehicle (V2V) communication and vehicle-to-infrastructure (V2I) communication, respectively. More precisely, the main goals of intelligent transport system (ITS) are to offer safety improving, and driving efficiency in the road environment. With these goals in mind, VANETs have become a promising technology.
Nevertheless, this advantage comes with issues of security, privacy, and performance efficiency. Hence, these issues should be carefully considered in VANETs [6,7,8]. The security issue is crucial in V2V and V2I communications. Due to the inherently insecure nature of the communication between nodes, a VANET is vulnerable to security attacks which may mean disruption to the system [9,10]. It is possible for attackers to replay, modify, and intercept legitimate transmitted safety traffic-related messages. Furthermore, by using a side-channel attack [11,12,13,14], the attacker could obtain the true identity of a vehicle stored in the tamper-proof device (TPD). Consequently, this attacker is being considered as impersonates registered vehicles in VANETs. Once the impersonation attacks broadcast fake messages, it results in creating road chaos and traffic incidents, or even inducing wrong decisions by other vehicles [15,16,17,18,19,20,21].
In addition, the privacy issue is also critical. In a VANET, attackers might obtain the vehicle’s true identity and trace its journey by investigating the captured messages. Such an attack exposes the driver’s personal and other vehicular details, and it can be leveraged to carry out other forms of attacks. Thus, the drivers would be reluctant to use the VANET technology.
Apart from the requirements of security and privacy, performance efficiency is also important in V2V and V2I communications. Within 100–300 ms, the vehicle must send exchanged information according to the DSRC technology. For instance, based on the communication range of vehicle or RSU, when there are 100 vehicles, the receiver is required to authenticate 333–1000 messages per second. Each message can certainly be signed and tested in a secure communication.
Therefore, the received messages should verify the authenticity and validate the integrity by receivers (RSUs or OBUs) before accepting them. Anonymous communication is needed to preserve privacy and to fulfill the unlinkability requirement for the drivers. The existing Conditional Privacy-Preserving Authentication (CPPA), based on either public key infrastructure, group signature, or identity, can be used to satisfy both security and privacy in VANETs. Nevertheless, these schemes have several drawbacks, as discussed in Section 2.
This paper proposes a Secure and Efficient Conditional Privacy-Preserving Authentication (SE-CPPA) scheme for VANETs in order to address drawbacks in the existing CPPA schemes. More precisely, the main contributions of the proposed SE-CPPA scheme are as follows:
  • First, this efficient bilinear pair cryptography based on the conditional privacy-preserving authentication (SE-CPPA) scheme satisfies the security and privacy requirements.
  • Second, since the vehicle’s true identity is regularly updated at short intervals of time, the proposed SE-CPPA scheme is resistant to impersonation attacks, as attackers are unable to launch side-channel attacks for obtaining the vehicle’s true identity.
  • Third, since the signing and verifying of the messages do not employ a MapToPoint hash operation function, the proposed SE-CPPA scheme has a lower overhead compared to the existing schemes based on bilinear pair cryptography.
The remainder of this paper is structured as follows. The existing CPPA schemes for VANETs are reviewed in Section 2. Section 3 introduces the background for the proposed SE-CPPA scheme. The phases of the proposed SE-CPPA schemes are presented in detail in Section 4. Section 5 introduces a security analysis and comparison in this paper. In Section 6, the performance efficiencies of the SE-CPPA and the existing CPPA schemes are evaluated and compared. Lastly, our conclusion is introduced in Section 7.

2. Related Work

In this section, the existing CPPA schemes for VANETs are briefly reviewed. The following categories for the existing CPPA schemes are, namely: Public key infrastructure, group signature, and Identity. These categories will be separately reviewed in the next subsections.

2.1. Public Key Infrastructure-Based CPPA

The main idea of the public key infrastructure-based CPPA schemes [22,23,24,25,26,27,28,29,30] is to preload a massive pool of private/public keys and their matching certificates to the OBUs of vehicles, generated by the TA during the registration process. This approach supports privacy-preserving, since a massive pool of private/public keys and their matching certificates are preloaded in advance.
Joshi et al. [29] designed an event-triggered authentication scheme that sends messages to investigate problems regarding security in the VANET. Asghar et al. [30] designed a feasible PKI-CPPA scheme to tackle the process of authenticating requests, in which the size of the Certificate Revocation List (CRL) is linear. Thus, this scheme enhances the scalability of vehicles’ obtaining services.
Nevertheless, the main limitations of a public key infrastructure based-CPPA schemes are: (i) preloading a massive pool of private/public keys and their matching certificates to the OBUs of the vehicles makes the management of the certificates a serious burden; (ii) the storage of a vehicle in a VANET is limited, since massive keys and their matching certificates are preloaded; (iii) there are additional computational and communication costs, since the certificate is included in the message signature, and the verifier must verify these certificates as well.

2.2. Group Signature Based-CPPA

To address the limitations regarding a public key infrastructure based-CPPA scheme, several researchers design a group signature based-CPPA scheme [31,32,33,34]. These schemes enable the members of the group to sign on behalf of the whole group anonymously. In the event of a dispute, the group manager could retrieve the identification of the sender. Thus, the existing group signature-based CPPA schemes preserve the anonymity of secured authenticated messages. Besides, these schemes ensure secure communication with conditional privacy. Therefore, signing the messages with these schemes can hide the signer’s identity.
Nevertheless, the main limitations of a group signature based-CPPA schemes are: (i) the whole group must be reconstructed; (ii) it is not easy for nodes’ VANETs to update their private keys; (iii) the adversary identifies the group members when the size of the group is small; and (iv) once the number of vehicles revoked is high, the signature’s verification technique becomes time-consumed for VANETs.

2.3. Identity-Based CPPA

To address the limitations regarding a public key infrastructure-based CPPA and group signature-based CPPA schemes, several researchers propose an identity-based CPPA scheme [35,36,37,38,39,40,41]. The primary insight of identity based-CPPA scheme is to extract the public key from the identity information, while the TA creates a private key with the same information. The sender signs the message using its private key, and the verifier can verify this signature by using the sender’s public key.
Bayat et al. [36] designed an identity-based CPPA scheme to save the TA’s private key on the TPD of the OBU on the vehicle. However, the revocation requirement is not satisfied in the scheme designed by [36], which is vulnerable to impersonation attacks. Lei Zhang et al. [37] designed a distributed aggregate CPPA scheme by using a realistic TPD rather than an ideal TPD, since this is more practical. Bayat et al. [38] designed an identity-based CPPA to propose an RSU-based authentication scheme that uses bilinear pair operations to secure the communications. Pournaghi et al. [39] designed an identity-based CPPA to provide secure communications between nodes for VANETs. Nevertheless, it is vulnerable to replay attacks. Zhong et al. [40] found that the CPPA process of the scheme proposed by Lei Zhang et al. [37] introduced a massive computational cost, and it did not indicate who is the aggregator in the aggregation process. Bayat et al. [41] introduced an identity based-CPPA scheme without using an online RSU, for the sake of the security of the communication in the VANET.
Nevertheless, the two evident limitations of an identity based-CPPA scheme are: (i) the vehicle’s true identity preloaded by the TA is vulnerable to impersonation attacks by launching side-channel attacks, since it is not updated rapidly enough; and (ii) the MapToPoint hash function and a large number of cryptography operations are used, which cause a huge performance overhead by the verifier. To address these issues, a Secure and Efficient Conditional Privacy-Preserving Authentication (SE-CPPA) scheme is proposed for resisting impersonation attacks and achieving better performance efficiency during the broadcasting process. The proposed SE-CPPA scheme regularly updates the vehicle’s true identity for the short period of validity assigned by the TA. As well, it does not use the MapToPoint hash function and a large number of cryptography operations.

3. Preliminaries

This section first presents the network model of the proposed scheme; this is followed by a presentation of the security and privacy requirements for VANETs, and finally, the bilinear pair cryptography (BPC) used in the proposed SE-CPPA scheme is defined.

3.1. Network Model

As shown in Figure 1, the main structure of the network model for the proposed SE-CPPA scheme includes three components: TA, RSU, and OBU.
  • TA: TA is a fully trusted unit with a great number of resources in terms of computation and communication costs. The TA issues the public parameters of the system for each node in VANETs, and transmits them to each respective node.
  • RSU: An RSU is a wireless base station deployed on the road as a bridge interface between the TA and the OBUs. Since RSU has a TPD to save a sensitive information, RSU is considered as a trusted entity in this paper. An RSU connects with the TA by wired technology and connects with vehicles by wireless technology.
  • OBU: Each vehicle has an OBU to allow the vehicle to process, receive, and broadcast messages. Each OBU has a TPD that is usually used to keep secrets.

3.2. Security and Privacy Requirements

To maintain the security and privacy of V2V and V2I communications in VANETs, the proposed SE-CPPA scheme should fulfill the following requirements.
  • Authentication and integrity: The vehicle or RSU must be able to identify any alteration of the received message, by checking the authentication process and validating integrity, in order to ensure the security of the communications in the VANET.
  • Identity privacy-preserving: An attacker must not be able to retrieve the true identity of the vehicle by the capturing messages transmitted. Therefore, the vehicle’s true identity must be kept anonymous from the other legal and illegal nodes for the sake of ensuring the privacy of the drivers.
  • Traceability and revocation: The TA must be able to retrieve the true identity of the vehicle from its message in the event of a dispute, so as to avoid misbehaving vehicles from denying their responsibility for a disruption of the system by broadcasting false messages to other registered vehicles.
  • Unlinkability: An attacker must not be able to cross-match several messages transmitted by the same source for ensuring privacy-preserving.
  • Resistance to security attack: A secure proposed SE-CPPA scheme should resist the following security attacks.
    Replay attacks.
    The malicious nodes aim to replay a previously generated legitimate signature to the recipient.
    Modification attacks.
    The malicious nodes aim to alter the authentic message and broadcast that to other users.
    Impersonation attacks.
    After launching a side-channel attack to retrieve the true identity of the vehicle, the malicious nodes aim to impersonate an authenticated node to broadcast a legitimate message to other nodes. Therefore, the vehicle’s true identity must be frequently updated within a short period of validity.
    Man-In-The-Middle attacks.
    The malicious nodes aim to intercept two sides of the communication and perform data tampering and sniffing.

3.3. Bilinear Pair Cryptography (BPC)

Let G 1 and G 2 be a cyclic additive and a cyclic multiplicative group, respectively. Both G 1 and G 2 have the same generator P and prime order p.
BPC is a map e: G 1 G 1 G 2 which has the following properties.
  • Bilinearity: Every X, Y G 1 and a, b Z p * , e ( a X , b Y ) = ( X , Y ) a b .
  • Non-degeneracy:e: ( P , P ) ≠ 1.
  • Computability: Every X , Y G 1 , there is an efficient approach to calculate e ( X , Y ) .

4. Proposed Scheme

In this section, the proposed SE-CPPA scheme is discussed. More precisely, the proposed SE-CPPA scheme consists of seven phases, namely initialization, vehicle registration, mutual authentication, message signing, individual-signature verification, batch-signature verification, and updating the vehicle’s true identity. Table 1 presents the notation used, and their description in the following phases.
We noted that an external attacker has the ability to impersonate legitimate vehicles by launching side channel attack to disclose the sensitive information stored on TPD of legitimate vehicle when information is not updated; in the result, the external attacker should be possible to forge a secret.

4.1. Initialization

As explained in Section 3.3, the TA executes the initial public parameters of the BPC for the system in the following steps:
  • Consider G 1 and G 2 be groups of a cyclic additive a cyclic multiplicative, respectively, with the same prime order q and generator P. Consider e: G 1 · G 1 G 2 as a bilinear pairing.
  • The TA chooses three functions of secure cryptographic hash h 1 : G Z q * , h 2 : { 0 , 1 } * × { 0 , 1 } * × G Z q * , and h 3 : { 0 , 1 } * Z q * .
  • The TA chooses a random integer s T A Z q * to be the TA’s master private key, and then calculates P T A = s T A P to be its matching master public key.
  • The TA preloads the system’s public parameters { G 1 , G 2 , P, q, P T A , h 1 , h 2 , h 3 } and the TA master private key s T A in each TPD on RSU.

4.2. Vehicle Registration

Prior to the vehicle leaving the factory, the vehicle registration phase via a secure channel (offline) should be executed. Due to the core problem study in this paper, the vehicle’s true identity should be regularly updated to avoid side channel attack. Hence, the proposed scheme is resisting impersonation attacks. As shown in Figure 2, the TA registers each vehicle as follows:
  • The driver of the vehicle submits the personal information including the identity I D v i and password P w d to the TA via a secure communication network.
  • After the personal information is received, the TA first starts the authenticity of I D v i .
  • After the TA chooses a short period of validity S V P , the TA computes the vehicle’s true identity T I D S V P i = h 1 ( I D v i | | S V P ) .
  • The TA saves the tuple { I D v i , P w d , T I D S V P i , S V P } to its vehicle registration list, and then preloads the system’s public parameters { G 1 , G 2 , P, q, P T A , h 1 , h 2 , h 3 } and T I D S V P i into TPD of O B U i on the vehicle.

4.3. Mutual Authentication

Before the vehicle signs and verifies exchanged messages, it should be authorized with a nearby RSU. Therefore, when a vehicle enters the communication area of an RSU, it starts to broadcast an entering request message. After the messages are validated, the RSU sends a signature key S K s v t to the vehicle with a chosen timestamp s v t that will be valid for a short period of time. To execute the mutual authentication process, the following process should be done.
  • The vehicle randomly selects a value ζ i Z q * and then calculates the following pseudonym ID:
    p i d i = { p i d i 1 , p i d i 2 } = { ζ i P , T I D S V P i h 1 ( ζ i P T A ) }
  • The vehicle broadcasts the join request { p i d i 1 , p i d i 2 , δ R J } to a nearby RSU, where δ R J = h 2 ( T I D S V P i | | p i d i 1 | | p i d i 2 ) .
  • The RSU obtains the vehicle’s true identity using the following equation,
    T I D S V P i = p i d i 2 h 1 ( s T A · p i d i 1 )
  • The RSU then computes the validity of the request to join { p i d i 1 , p i d i 2 , δ R J } by calculating
    δ R J = ? h 2 ( T I D S V P i | | p i d i 1 | | p i d i 2 ) .
  • The RSU then checks the vehicle’s true identity on its certificate revocation list (CRL). If it is on the list, the request is rejected by the RSU for joining the session. Otherwise, the RSU continues the process.
  • The RSU computes the signature key S K s v t of the vehicle’s true identity from the request to join, as follows:
    S K s v t = s T A · h 3 ( p i d i 1 | | p i d i 2 | | s v t ) .
    Here, s v t is the expiry of a certain brief period of validity of the timestamp of the created signature key.
  • The RSU sends the message of the acceptance of the joining { S K s v t E N C , p i d i 1 , p i d i 2 δ A J } to the vehicle, where S K s v t E N C = S K s v t h 2 ( s T A · p i d i 1 ) and δ A J = h 2 ( S K s v t | | p i d i 1 | | p i d i 2 ) .
  • The vehicle retrieves the signature key from the message of acceptance { S K s v t E N C , s v t , p i d i 1 , p i d i 2 δ A J } by calculating S K s v t = S K s v t E N C h 2 ( ζ i P T A ) , and then verifies the validity of the acceptance by utilizing the following equation.
    δ A J = ? h 2 ( S K s v t | | p i d i 1 | | p i d i 2 | | s v t ) .
The process in the proposed SE-CPPA scheme of preloading, as introduced in [42,43], fulfills the requirements of security and privacy of ζ l , the pseudonym IDs, and the signature keys. The TA preloads a new list of ζ l , pseudonym IDs, and signature keys, used for an s v t for each vehicle moving in a VANET; close to the expiration time, they are renewed with a new pseudonym ID and pool of signature keys.

4.4. Message Signing

After the signature key, S K s v t of the vehicle’s true identity has been received, the vehicle is taken into consideration as an authorized component in the VANET. The vehicle signs and sends safety traffic-related messages m i to other vehicles and RSUs in the VANET. This is executed in the phases listed below.
  • The vehicle computes the message signature δ m i = S K s v t · h 3 ( m i | | t s ) , where t s is a current timestamp.
  • The vehicle then broadcasts the signature tuple { p i d i 1 , p i d i 2 , m i , s v t , t s , δ m i } to the neighboring recipient.

4.5. Individual Signature Verification

At a given point of time, the main aim of this method is to verify only one message with the signature δ m i on the message m i by the recipient (OBU or RSU). Once having received the signed message m i , and before accepting it, the recipient checks the authenticity of the node and the validity of the message. This guarantees that no illegitimate recipient is impersonating a legitimate recipient or sending fake messages. The recipient receives an authentic signature δ m i = S K s v t · h 3 ( m i | | t s ) on the message m i from the vehicle with a pseudonym ID p i d i and timestamp t s , where i = 1 , and checks its authenticity and validity following the steps below.
  • Once the signature tuple { p i d i 1 , p i d i 2 , m i , t s , δ m i } has been received, the vehicle first verifies the timestamp T S and s v t validity. If ( t s > t s r t s ), where t s r is the time of receiving and t s is a predefined delay, then t s is considered as fresh. Otherwise, the message is rejected.
  • The vehicle uses the public parameters and functions of the system and signature δ m i = S K s v t · h 3 ( m i | | t s ) on the message m i . When the following Equation (6) holds, the vehicle accepts it.
e : ( δ m i P ) = e : ( h 2 ( p i d i 1 | | p i d i 2 | | s v t ) h 3 ( m i | | t s ) , P T A )

4.6. Batch-Signature Verification

The main aim of this method is to authenticate a batch of signature messages δ m i = { δ m 1 , δ m 2 , δ m 3 , , δ m n } on n traffic-related messages m i = { m 1 , m 2 , m 3 , , m n } from n vehicles with n pseudonym IDs p i d i = { p i d 1 , p i d 2 , p i d 3 , , p i d n } . The verifying recipient checks its authenticity and validity, as shown in the following steps.
  • The vehicle verifies the validity of t s and s v t . If ( t s > t s r t s ), t s is considered as fresh. Otherwise, the message is rejected.
  • The vehicle uses the small exponent technique [44,45] to avoid denying the validity of the message sent in the SE-CPPA proposed. The vehicle generates a random vector γ i = { γ 1 , γ 2 , γ 3 , , γ n }, where γ i [ 1 : 2 t ] and t is a small value.
  • To accept them, the vehicle checks whether
e i = 1 n ( γ i · δ m i ) · P = e i = 1 n γ i · h 2 ( p i d i 1 | | p i d i 2 | | s v t ) h 3 ( m i | | t s ) , P T A

4.7. Updating the Vehicle’s True Identity

In order to resist impersonation attacks, the vehicle’s true identity stored in the TPD should be frequently updated through an online process and annual examination. However, if one were to wait for the next annual examination to update the vehicle’s stored true identity, the adversary would have a long enough period to retrieve a vehicle’s true identity, something that can disrupt the entire VANET by impersonating as an authorized vehicle. During the vehicle, true identity S V P is close to expired; the registered vehicle could not have requested update the lists before the process of T I D s v p is totally completed to avoid contradictions. As presented in Figure 3, the following steps are used to update the vehicle’s true identity saved in the vehicle by using an online process:
  • The vehicle selects a random value k Z q * and calculates P s I D i , 1 = k P and P s I D i , 2 = T I D s v p h 1 ( k · P T A ) . Then, the vehicle broadcasts an update message { P s I D v , n e w , t s 1 , δ O B U n e w i } to the TA, where P s I D v n e w = { P s I D i , 1 = k P , P s I D i , 2 = T I D s v p h 1 ( k · P T A ) } and δ O B U n e w i = h 3 ( T I D s v p P s I D i , 1 P s I D i , 2 t s 1 ) .
  • Once the TA receives the update message { P s I D v , n e w , t s 1 , δ O B U n e w i }, the timestamp t s 1 validity is tested. If t s 1 is freshness, then the TA computes the vehicle’s old true identity of the authenticated vehicle T I D s v p = P s I D i , 2 h 1 ( k · P T A ) . The TA tests whether δ O B U n e w i = ? h 3 ( T I D s v p P s I D i , 1 P s I D i , 2 t s 1 ) holds. The TA then checks whether the tuple ( T I D s v p , s v p , I D v i ) existing in its registration list; else TA checks the s v p validity.
  • When the s v p has expired, a new short period of validity s v p N e w is chosen by the TA. Then, the TA generates a new true identity T I D s v p N e w = h 3 ( I D v i s v p N e w ) for the vehicle. It will be discarded if s v p is still valid.
  • The TA sends an accepted update message ( T I D s v p New-enc , s v p N e w ) to the vehicle, where T I D s v p New-enc = I D s v p N e w h 1 ( s T A · P s I D i , 1 ) .
  • Finally, the vehicle retrieves its new true identity T I D s v p N e w = T I D s v p New-enc h 1 ( s T A · P s I D i , 1 ) to get the new true identity of the vehicle.

5. Security Analysis and Comparison

This section presents the formal and informal analysis of the proposed SE-CPPA scheme. In addition, the security-based privacy requirements are listed.

5.1. Formal Analysis

The formal analysis presents the security proof regarding the verification equations; this is followed by a description of the steps of the random oracle model.

5.1.1. Security Proof

Theorem 1.
The equations utilized in the proposed SE-CPPA scheme are true.
Proof of Equation (6).
In individual-signature verification, the verifier checks the message using the following Equation (6).
L · H · S e δ m i · P = e S K s v t h 3 ( m i | | t s ) , P = e s T A h 2 ( p i d i 1 | | p i d i 2 | | s v t ) h 3 ( m i | | t s ) , P = e h 2 ( p i d i 1 | | p i d i 2 | | s v t ) h 3 ( m i | | t s ) , s T A P = e h 2 ( p i d i 1 | | p i d i 2 | | s v t ) h 3 ( m i | | t s ) , P T A = R · H · S
Hence, the individual signature verification correctness is true. □
Proof of Equation (7).
In batch-signature verification, the verifier checks a large number of messages by using the following Equation (7). Proof of the correctness:
L · H · S e i = 1 n γ i · δ m i · P = e i = 1 n γ i · S K s v t h 3 ( m i | | t s ) , P = e i = 1 n γ i · s T A h 2 ( p i d i 1 | | p i d i 2 | | s v t ) h 3 ( m i | | t s ) , P = e i = 1 n γ i · h 2 ( p i d i 1 | | p i d i 2 | | s v t ) h 3 ( m i | | t s ) , s T A P = e i = 1 n γ i · h 2 ( p i d i 1 | | p i d i 2 | | s v t ) h 3 ( m i | | t s ) , P T A = R · H · S
Hence, the batch-signature verification correctness is true. □

5.1.2. Random Oracle Model

In order to analyze the security proof in the SE-CPPA scheme, the random oracle model analysis defines a game between an attacker E R and the challenger C h . Once E R wins the game, it is easily retrieved from a valid faked signature. Furthermore, the proposed SE-CPPA scheme is secure for VANETs when E R is negligible for any attack.
Theorem 2.
The proposed SE-CPPA scheme for VANETs is unforgeable against an adaptively chosen message attack under the random oracle model.
Proof. 
Assuming E R could forge a valid message of the signature tuple { p i d i 1 , p i d i 2 , m i , s v t , t s , δ m i } for the message m i , it would follow that a challenger C h can be generated to resolve the ECDL problem with non-negligible probability by launching E R as a subroutine. □
Setup initialization phase: Challenger C h first randomly chooses a value s T A Z q * as the system’s private key and computes P T A = s T A P as the system’s public key. Then, C h broadcasts the public parameters and functions of the system to E R .
O r a c l e h 1 . C h starts the h l i s t 1 with ( α , τ h 1 ) form. After, E R receives a message with ( α ) form, C h sees whether ( α ) is in h l i s t 1 ; if so, C h transmits ( τ h 1 = h ( α ) ) to E R . Otherwise, C h chooses τ h 1 Z q * randomly and adds ( α , τ h 1 ) into h l i s t 1 . Then, E R broadcasts τ h 1 = h ( α ) to C h .
O r a c l e h 2 . C h starts the h l i s t 2 with ( p i d i 1 , p i d i 2 , τ h 2 ) form. After, E R receives a message with ( p i d i 1 , p i d i 2 ) form, C h tests whether ( p i d i 1 , p i d i 2 ) is in h l i s t 2 ; if so, C h broadcasts τ h 2 = h ( p i d i 1 | | p i d i 2 | | τ h 2 ) to E R . Otherwise, C h randomly chooses τ h 2 Z q * and puts ( p i d i 1 , p i d i 2 , τ h 2 ) into h l i s t 2 . Then, E R broadcasts τ h 2 = h ( p i d i 1 | | p i d i 2 | | τ h 2 ) to C h .
O r a c l e h 3 . C h starts the h l i s t 3 with ( m i , t s , s v t , τ h 3 ) form. After E R receives a message with ( m i , t s , s v t ) form, C h tests whether ( m i , t s , s v t ) is in h l i s t 3 ; if so, C h broadcasts τ h 3 = h ( m i | | t s | | s v t | | τ h 3 ) to E R . Otherwise, C h chooses τ h 3 Z q * randomly and puts ( m i , t s , s v t , τ h 3 ) into h l i s t 3 . Then, E R broadcasts τ h 3 = h ( m i | | t s | | s v t | | τ h 3 ) to C h .
Sign Oracle: Once E R sends a sign request, C h calculates three random numbers, h i , 2 ; h i , 3 ; σ m , i Z q * , and a random point p i d i 2 G. Then, C h computes P T A = ( σ m , i P / h i , 2 · h i , 3 ). C h puts ( p i d i 1 , p i d i 2 , τ h 2 ) into h l i s t 2 and ( m i , t s , s v t ) into h l i s t 3 . Finally, C h generates the message of the signature tuple { p i d i 1 , p i d i 2 , m i , s v t , t s , δ m i } and transmits it to E R . The reply is a valid sign-oracle, since the message of the signature tuple { p i d i 1 , p i d i 2 , m i , s v t , t s , δ m i } fulfills the following Equation:
σ m i · P = h i , 2 · h i , 3 P T A σ m i · P = h i , 2 h i , 3 · ( σ m , i P / h i , 2 · h i , 3 ) σ m i · P = ( h i , 2 h i , 3 / h i , 2 · h i , 3 ) σ m , i P = σ m , i P
Output: Finally, E R outputs the message of the signature tuple { p i d i 1 , p i d i 2 , m i , s v t , t s , δ m i }. C h tests the message using the following Equation (8):
σ m i P = h i , 2 · h i , 3 P T A
Once (8) does not hold, the game is finished by C h .
According to the Cross Lemma, E R can output another message of signature tuple { p i d i 1 , p i d i 2 , m i , s v t , t s , δ m i } that achieves the following Equation (9):
σ m i * P = h i , 2 * · h i , 3 * P T A
From Equations (8) and (9), it can be obtained
( σ m i σ m i * ) P = σ m i P σ m i * P = ( h i , 2 · h i , 3 P T A ) ( h i , 2 * · h i , 3 * P T A ) = ( h i , 2 · h i , 3 ) ( h i , 2 * · h i , 3 * ) P T A = ( h i , 2 · h i , 3 ) ( h i , 2 * · h i , 3 * ) s T A · P
Then, we can get ( σ m i σ m i * ) = ( h i , 2 · h i , 3 h i , 2 * · h i , 3 * ) s T A mod P. C h resolves the ECDL problem by calculating ( σ m i σ m i * ) . ( h i , 2 · h i , 3 h i , 2 * · h i , 3 * ) 1 . However, since the difficulty of the ECDL problem with non-negligible probability, the proposed SE-CPPA scheme for VANETs is unforgeable against an adaptively chosen message attack under the random oracle model.

5.2. Informal Analysis

In this subsection, the proposed SE-CPPA scheme is shown below to fulfill the following security and privacy requirements for VANETs.
  • Message integrity and authentication:
    Consistent with Theorem 2, when the problem of ECDLP is hard to solve, then no attacker can generate a legal message of the signature tuple { p i d i 1 , p i d i 2 , m i , s v t , t s , δ m i } in a specified polynomial time. Thus, the message of the signature tuple fulfills the equation e: ( δ m i P ) = e: ( h 2 ( p i d i 1 | | p i d i 2 | | s v t ) h 3 ( m i | | t s ) , P T A ) , and so the proposed EPBC-CPPA can ensure message integrity and authentication.
  • Identity privacy-preserving:
    Assume that an authorized vehicle sends a message of signature tuple { p i d i 1 , p i d i 2 , m i , s v t , t s , δ m i } to neighbouring RSUs or vehicles in a VANET, where p i d i = { p i d i 1 , p i d i 2 } = { ζ i P , T I D S V P i h 1 ( ζ i P T A ) } and ζ i Z q * . In order to obtain the vehicle’s true identity, the attacker should calculate T I D S V P i = p i d i 2 h 1 ( s T A · p i d i 1 ) . Nevertheless, ζ i is saved in the TPD, s T A is a random value, and therefore the attacker does not have the ability to obtain T I D S V P i , since the hardness of the problem is related to the hardness of the Diffie–Hellman problem. So, the proposed EPBC-CPPA can ensure identity privacy-preserving.
  • Unlinkability:
    A random number ζ i Z q * is used in the proposed scheme to compute p i d i = { p i d i 1 , p i d i 2 } = { ζ i P , T I D S V P i h 1 ( ζ i P T A ) } . The vehicle periodically requests an update of its pseudonym IDs with timestamps s v t that are only valid for brief periods. This scheme provides a list of them, to support unlinkability. Thus, no attacker could relate two or more signatures sent by the same vehicle for a long trip. Therefore, the proposed EPBC-CPPA scheme can fulfill the unlinkability requirement.
  • Traceability and revocation:
    In the proposed SE-CPPA scheme, the TA has the ability to obtain the vehicle’s true identity from the received pseudonym ID that includes two parts— p i d i 1 = ζ i P and p i d i 2 = T I D S V P i h 1 ( ζ i P T A ) . The TA uses its master private key s T A , and calculates
    T I D S V P i = p i d i 2 h 1 ( ζ i P T A ) = p i d i 2 h 1 ( ζ i s T A · P ) = p i d i 2 h 1 ( s T A p i d i 1 )
    After the vehicle’s true identity has been traced, the TA should revoke it on the database registration list, saving it in the CRL. Therefore, the proposed EPBC-CPPA scheme can fulfill traceability and revocation requirements.
  • Resistance to replay attacks:
    The message of a signature tuple { p i d i 1 , p i d i 2 , m i , s v t , t s , δ m i } in the proposed SE-CPPA scheme includes the current timestamp t s to generate the signature of the message δ m i = S K s v t · h 3 ( m i | | t s ) , where S K s v t = s T A · h 3 ( p i d i 1 | | p i d i 2 | | s v t ) and s v t is only valid for a brief period of time. Hence, the proposed SE-CPPA scheme for VANETs can resist replay attacks.
  • Resistance to modification attacks:
    Consistent with Theorem 2, we show that any alteration of the message of a signature tuple { p i d i 1 , p i d i 2 , m i , s v t , t s , δ m i } can be determined by testing whether the equation e: ( δ m i P ) = e: ( h 2 ( p i d i 1 | | p i d i 2 | | s v t ) h 3 ( m i | | t s ) , P T A ) holds or not. Hence, the proposed SE-CPPA scheme for VANETs can resist the modification attack.
  • Resistance to impersonation attacks:
    Many researchers have resorted to storing the vehicle’s true identity in the TPD of the OBU to avoid its being compromised by an adversary. Nonetheless, a misbehaving vehicle could easily obtain the vehicle’s true identity saved in the TPD by launching a side-channel attack. To address this attack, the proposed SE-CPPA scheme frequently updates the ( T I D S V P i ) in the TPD during S V P , where T I D S V P i = h 1 ( I D v i | | S V P ) and S V P is a short period of validity. It has been stated that the vehicle’s true identity is used repeatedly; thus, if the T I D S V P i is not regularly updated, this will offer a wide opportunity for an attacker for impersonating and exploiting the registered vehicle’s true identity related to the safety messages. However, T I D S V P i is already updated before the vehicle can be impersonated and exploited by a misbehaving vehicle.
  • Resistance to man-in-the-middle attacks:
    This SE-CPPA scheme executes mutual authentication between the signer and the recipient. If an attacker launches this attack, the attacker wants to send false messages for sharing with the the signer and the recipient. Nevertheless, based on Theorem 2, the attacker cannot succeed with this attack. Hence, the proposed SE-CPPA scheme for VANETs can resist man-in-the-middle attacks.

5.3. Security and Privacy Comparison

This subsection presents a comparison in terms of security and privacy requirements of the proposed SE-CPPA scheme with the existing schemes. Table 2 presents the results of this comparison. As presented in Table 2, all the existing schemes suffer from impersonation attacks by lunching side channel attacks to retrieve the vehicle’s true identity that saved on the OBU of the registered vehicle for broadcasting fake messages. In contrast, the proposed SE-CPPA scheme regularly updates the vehicle’s true identity at short intervals of time. Therefore, the impersonation attack is resisting by the proposed SE-CPPA scheme.
Furthermore, we know that the schemes proposed by Bayat et al. [36], Lei Zhang et al. [37], Bayat et al. [38], Pournaghi et al. [39] and Bayat et al. [41] for VANETs cannot satisfy all of the security analysis-based privacy requirements, as presented in Table 2. Nevertheless, the SE-CPPA scheme can satisfy all of the security analysis-based privacy requirements.

6. Performance Evaluation and Comparison

In this section, the performance evaluation of the proposed SE-CPPA scheme is analyzed in terms of computation and communication costs. Besides, the performance of the proposed SE-CPPA scheme is compared with Bayat et al. [36], Lei Zhang et al. [37], Bayat et al. [38], Pournaghi et al. [39], and Bayat et al. [41] through a simulation experiment. As shown in Figure 4, this paper uses OMNeT++ [46], Veins [47], MIRACL [48,49], OpenStreetMap [50], GatcomSUMO [51] and SUMO [52] to carry out simulation experiments for VANETs. OMNeT++ is a modular, component-based C++ simulation library for communication networks. Veins is combined with road traffic generation and network generation. MIRACL is a cryptography library used to execute cryptography operations for algorithms. OpenStreetMap is the most prominent crowd-sourced web-based mapping platform. GatcomSUMO is a graphical application used to simplify the utilization of VANET simulation, specifically the SUMO traffic and the OMNeT++ network generation. SUMO is a highly portable, multi-model traffic simulation. Table 3 presents the simulation experiment parameters.

6.1. Computation Cost and Comparison

The bilinear pairing is constructed on the 80 bits security level: e: G 1 G 1 G 2 , where G 1 is an additive group created on a super-singular EC E: y 2 = x 3 + x m o d p with embedding degree 2. For performance evaluation, the following bilinear pairing operations are considered.
  • T b p : The running time of the operation involving the bilinear pairing e (P, Q), where P , Q G 1 .
  • T b p · p m : The running time of the operation of scalar multiplication s · P involved in the bilinear pairing, where s Z q * and P G 1 .
  • T b p · p a : The running time of the operation of point addition P + Q involved in the bilinear pairing, where Q , P G 1 .
  • T M · T · P : The running time of the MapToPoint hash function.
  • T h : The running time of the secure cryptographic hash function.
Table 4 tabulates the single cryptographic operation time are taken into account. Table 5 presents a comparison of the computational costs of the proposed SE-CPPA and the other existing schemes. For simplicity, M S P denotes the message-signing phase, I S V P denotes the single-signature verification phase, B S V P denotes the batch-signature verification phase. These steps will be separately explained in the following,

6.1.1. MSP

The process of message signing in Bayat et al. [36] scheme consists of five bilinear pair operations 5 T b p , a MapToPoint hash function operation 1 T M · T · P and two cryptographic hash function operations 2 T h , hence, the whole computation cost of the message signing process is 5 T b p + 1 T M · T · P + 2 T h . The process of message signing in Lei Zhang et al. [37] scheme consists of two MapToPoint hash function operations T M · T · P and three cryptographic hash function operations 3 T h ; hence, the whole computation cost of the message signing process is 2 T M · T · P + 3 T h . The process of message signing in Lei Zhang et al. [37] scheme consists of two MapToPoint hash function operations 2 T M · T · P and three cryptographic hash function operations 3 T h ; hence, the whole computation cost of the message signing process is 2 T M · T · P + 3 T h . The process of message signing in Bayat et al. [38] scheme consists of only one MapToPoint hash function operation 1 T M · T · P ; hence, the whole computation cost of the message signing process is 1 T M · T · P . The process of message signing in the Pournaghi et al. [39] scheme consists of three scalar multiplication operations 3 T b p · p m , an addition point operation 1 T b p · p a , one MapToPoint hash function operation 1 T M · T · P and two cryptographic hash function operations 2 T h ; hence, the whole computation cost of the message signing process is 3 T b p · p m + T b p · p a + 1 T M · T · P + 2 T h . The process of message signing in Bayat et al. [41] scheme consists of two bilinear pair operations 2 T b p , four scalar multiplication operations 4 T b p · p m , an addition point operation 1 T b p · p a , one MapToPoint hash function operation 1 T M · T · P and three cryptographic hash function operations 3 T h ; hence, the whole computation cost of the message signing process is 2 T b p + 4 T b p · p m + 1 T b p · p a + 1 T M · T · P + 3 T h . The process of message signing in the proposed SE-CPPA scheme consists of only one cryptographic hash function operation 1 T h , hence, the whole computation cost of the message signing process is 1 T h . Figure 5 shows the comparison of message signing process.

6.1.2. ISVP

The process of single-signature verification in Bayat et al. [36] scheme consists of four bilinear pair operations 4 T b p , three scalar multiplication operations 3 T b p · p m , a MapToPoint hash function operation 1 T M · T · P and two cryptographic hash function operations 2 T h ; hence, the whole computation cost of the single-signature verification process is 4 T b p + 3 T b p · p m + T M · T · P + 2 T h . The process of single-signature verification in Lei Zhang et al. [37] scheme consists of three bilinear pair operations 3 T b p , two MapToPoint hash function operations 1 T M · T · P and three cryptographic hash function operations 3 T h ; hence, the whole computation cost of the single-signature verification process is 3 T b p + 2 T M · T · P + 3 T h . The process of single-signature verification in Bayat et al. [38] scheme consists of three bilinear pair operations 3 T b p , a scalar multiplication operation 1 T b p · p m , and a MapToPoint hash function operation 1 T M · T · P ; hence, the whole computation cost of the single-signature verification process is 3 T b p + 1 T b p · p m + 1 T M · T · P . The process of single-signature verification in Pournaghi et al. [39] scheme consists of three bilinear pair operations 3 T b p , three scalar multiplication operations 3 T b p · p m , a MapToPoint hash function operation 1 T M · T · P and a cryptographic hash function operation 1 T h ; hence, the whole computation cost of the single-signature verification process is 3 T b p + 3 T b p · p m + 1 T M · T · P + 1 T h . The process of single-signature verification in the Bayat et al. [41] scheme consists of a bilinear pair operation 1 T b p , four scalar multiplication operations 4 T b p · p m , an addition point operation 1 T b p · p a , a MapToPoint hash function operation 1 T M · T · P , and two cryptographic hash function operations 2 T h ; hence, the whole computation cost of the single-signature verification process is 1 T b p + 4 T b p · p m + 1 T b p · p a + 1 T M · T · P + 2 T h . The process of single-signature verification in the proposed SE-CPPA scheme consists of two bilinear pair operations 2 T b p , two scalar multiplication operations 2 T b p · p m , and two cryptographic hash function operations 2 T h ; hence, the whole computation cost of the single-signature verification process is 2 T b p + 2 T b p · p m + 2 T h . Figure 6 shows the comparison of single-signature verification process.

6.1.3. BSVP

The process of batch-signature verification in Bayat et al. [36] scheme consists of n bilinear pair operations n T b p , n scalar multiplication operations n T b p · p m , n MapToPoint hash function operations n T M · T · P and n cryptographic hash function operations n T h , hence, the whole computation cost of the batch-signature verification process is n T b p + n T b p · p m + n T M · T · P + n T h . The process of batch-signature verification in Lei Zhang et al. [37] scheme consists of 3 bilinear pair operations 3 T b p , 2n MapToPoint hash function operations 2 n T M · T · P and 3n cryptographic hash function operations 3 n T h , hence, the whole computation cost of the batch-signature verification process is 3 T b p + ( 2 n ) T M · T · P + ( 3 n ) T h . The process of batch-signature verification in Lei Zhang et al. [37] scheme consists of 3 bilinear pair operations 3 T b p , 2n MapToPoint hash function operations 2 n T M · T · P and 3n cryptographic hash function operations 3 n T h , hence, the whole computation cost of the batch-signature verification process is 3 T b p + ( 2 n ) T M · T · P + ( 3 n ) T h . The process of batch-signature verification in Bayat et al. [38] scheme consists of 3 bilinear pair operations 3 T b p , n scalar multiplication operations n T b p · p m and n MapToPoint hash function operations n T M · T · P , hence, the whole computation cost of the batch-signature verification process is 3 T b p + n T b p · p m + n T M · T · P . The process of batch-signature verification in Pournaghi et al. [39] scheme consists of 3 bilinear pair operations 3 T b p , 3n scalar multiplication operations 3 n T b p · p m , n MapToPoint hash function operations n T M · T · P and n cryptographic hash function operations n T h , hence, the whole computation cost of the batch-signature verification process is 3 T b p + ( 3 n ) T b p · p m + n T M · T · P + n T h . The process of batch-signature verification in Bayat et al. [41] scheme consists of ( 4 + n ) scalar multiplication operations ( 4 + n ) T b p · p m , n addition point operations n T b p · p a , n MapToPoint hash function operations n T M · T · P and n cryptographic hash function operations n T h , hence, the whole computation cost of the batch-signature verification process is ( 4 + n ) T b p · p m + n T M · T · P + ( n ) T b p · p a + n T h . The process of batch-signature verification in the proposed SE-CPPA scheme consists of a bilinear pair operations T b p , n scalar multiplication operations n T b p · p m and 2n cryptographic hash function operations 2 n T h , hence, the whole computation cost of the batch-signature verification process is T b p + n T b p · p m + ( 2 n ) T h . Figure 7 shows the comparison of batch-signature verification process.

6.2. Communication Overhead and Comparison

This section analyses and compares the communication cost of the proposed SE-CPPA and other schemes. The main focus is the communication cost involved in the pseudonym-IDs, signatures, and timestamps for the signature tuple. Table 6 presents the costs of several bilinear pairing operations.
The size of the signature tuple { I D i , M i , σ i , T i } in the scheme of Bayat et al. [36] is 128 × 3 + 4 × 1 = 388 bytes, which contains three elements in G 1 ( I D i 1 , I D i 2 , σ i G 1 ) and one timestamp ( T i ), where I D i = { I D i 1 , I D i 2 } . The size of the signature tuple { m i , P P I D i , t , σ i } in the scheme of Lei Zhang et al. [37] is 128 × 2 = 256 bytes, which contains two elements in G 1 ( P P I D i , t , σ i G 1 ). The size of the signature tuple { M i , p i d i , σ i } in the scheme of Bayat et al. [38] is 128 × 2 + 20 = 276 bytes, which contains two elements in G 1 ( I D i 1 , σ i G 1 ), one outputs regarding the hash function ( I D i 2 Z q * ) and one timestamp ( T i ), where p i d i = P I D 1 , P I D 2 . The size of the signature tuple { p I D i , σ i , M i , I D R S U } in the scheme of Pournaghi et al. [39] is 128 × 3 + 20 = 404 bytes, which contains three elements in G 1 ( I D i 1 , I D i 2 , σ i G 1 ) and one timestamp ( T i ), where I D i = { I D i 1 , I D i 2 } . The size of of the signature tuple { V , m , r , T i 1 , T i 2 , T i 3 , P I D i , t s } in Bayat et al. [41] is 128 × 4 + 20 × 2 + 4 × 2 = 556 bytes, which contains four elements in G 1 ( T i 1 , T i 2 , T i 3 , P I D i G 1 ), two outputs regarding the hash function ( V , r Z q * ) and one timestamp ( t s ). The size of of the signature tuple { p i d i 1 , p i d i 2 , m i , s v t , t s , δ m i } in the proposed SE-CPPA scheme is 128 × 1 + 20 × 2 + 4 × 2 = 216 bytes, which contains one element in G 1 ( p i d i 1 G 1 ), two outputs regarding the hash function ( p i d i 2 , δ m i Z q * ) and two timestamps ( s v t , t s ).
The communication cost of each scheme is presented in Table 7. Figure 8 compares the communication overheads of the SE-CPPA and the other schemes.

7. Conclusions

In this paper, a Secure and Efficient Conditional Privacy-Preserving Authentication (SE-CPPA) scheme for VANETs has been proposed. In contrast with the existing schemes, it has the ability to resist impersonation attacks, since it frequently updates the vehicle’s true identity stored on a TPD on the vehicle. In a region with dense traffic, the batch-signature verification process in the SE-CPPA scheme efficiently checks a large number of the signature tuple messages sent from different components in the VANET. The security proof showed that the proposed SE-CPPA scheme resists security attacks and fulfills requirements regarding security and privacy. Lastly, due to the fact that the proposed SE-CPPA scheme does not employ time-consuming operations involving the MapToPoint hash function while signing and verifying the messages, it has lower overhead costs in contrast to the existing schemes. Hence, SE-CPPA has a more efficient performance regarding computational and communication costs. In the future work, further performances in terms of end-to-end delay and throughput will be briefly analyzed and introduced by using OMNeT++ and SUMO simulations.

Author Contributions

Conceptualization, M.A.A.-S., M.A. and S.M.; methodology, M.A.A.-S., M.A. and S.M.; software, M.A.A.-S. and M.A.; validation, M.A.A.-S., M.A. and S.M.; formal analysis, M.A.A.-S., M.A. and S.M.; investigation, M.A.A.-S., M.A. and S.M.; resources, I.H.H.; data curation, M.A.A.-S., M.A. and S.M.; writing—original draft preparation, M.A.A.-S., M.A. and S.M.; writing—review and editing, M.A.A.-S., M.A. and S.M.; visualization, M.A.A.-S., M.A. and S.M.; supervision, M.A. and S.M.; project administration, M.A.A.-S.; funding acquisition, I.H.H. All authors have read and agreed to the published version of the manuscript.

Funding

This work is supported by Universiti Sains Malaysia (USM) external grantnumber 304/PNAV/650958/U154.

Institutional Review Board Statement

Not applicable.

Informed Consent Statement

Not applicable.

Data Availability Statement

Data sharing not applicable.

Conflicts of Interest

The authors declare no conflict of interest.

References

  1. Sheikh, M.S.; Liang, J.; Wang, W. A Survey of Security Services, Attacks, and Applications for Vehicular Ad Hoc Networks (VANETs). Sensors 2019, 19, 3589. [Google Scholar] [CrossRef] [Green Version]
  2. Al-Shareeda, M.A.; Anbar, M.; Manickam, S.; Yassin, A.A. Vppcs: Vanet-based privacy-preserving communication scheme. IEEE Access 2020, 8, 150914–150928. [Google Scholar] [CrossRef]
  3. Cui, J.; Wang, Y.; Zhang, J.; Xu, Y.; Zhong, H. Full Session Key Agreement Scheme Based on Chaotic Map in Vehicular Ad hoc Networks. IEEE Trans. Veh. Technol. 2020, 69, 8914–8924. [Google Scholar] [CrossRef]
  4. Al-shareeda, M.A.; Anbar, M.; Hasbullah, I.H.; Manickam, S. Survey of Authentication and Privacy Schemes in Vehicular ad hoc Networks. IEEE Sens. J. 2020, 21, 2422–2433. [Google Scholar] [CrossRef]
  5. Cui, J.; Chen, J.; Zhong, H.; Zhang, J.; Liu, L. Reliable and Efficient Content Sharing for 5G-Enabled Vehicular Networks. IEEE Trans. Intell. Transp. Syst. 2020, 1–13. [Google Scholar] [CrossRef]
  6. Yang, X.; Yi, X.; Khalil, I.; Zeng, Y.; Huang, X.; Nepal, S.; Yang, X.; Cui, H. A lightweight authentication scheme for vehicular ad hoc networks based on MSR. Veh. Commun. 2019, 15, 16–27. [Google Scholar] [CrossRef]
  7. Muhammad, M.; Safdar, G.A. Survey on existing authentication issues for cellular-assisted V2X communication. Veh. Commun. 2018, 12, 50–65. [Google Scholar] [CrossRef]
  8. Cui, J.; Wei, L.; Zhong, H.; Zhang, J.; Xu, Y.; Liu, L. Edge Computing in VANETs-An Efficient and Privacy-Preserving Cooperative Downloading Scheme. IEEE J. Sel. Areas Commun. 2020, 38, 1191–1204. [Google Scholar] [CrossRef]
  9. Adil, M.; Khan, R.; Almaiah, M.A.; Al-Zahrani, M.; Zakarya, M.; Amjad, M.S.; Ahmed, R. MAC-AODV based mutual authentication scheme for constraint oriented networks. IEEE Access 2020, 8, 44459–44469. [Google Scholar] [CrossRef]
  10. Zhang, J.; Zhong, H.; Cui, J.; Tian, M.; Xu, Y.; Liu, L. Edge Computing-based Privacy Preserving Authentication Framework and Protocol for 5G-enabled Vehicular Networks. IEEE Trans. Veh. Technol. 2020, 69, 7940–7954. [Google Scholar] [CrossRef]
  11. Alshudukhi, J.S.; Mohammed, B.A.; Al-Mekhlafi, Z.G. An Efficient Conditional Privacy-Preserving Authentication Scheme for the Prevention of Side-Channel Attacks in Vehicular Ad hoc Networks. IEEE Access 2020, 8, 226624–226636. [Google Scholar] [CrossRef]
  12. Almaiah, M.A.; Dawahdeh, Z.; Almomani, O.; Alsaaidah, A.; Al-khasawneh, A.; Khawatreh, S. A new hybrid text encryption approach over mobile ad hoc network. Int. J. Electr. Comput. Eng. (IJECE) 2020, 10, 6461–6471. [Google Scholar] [CrossRef]
  13. Al-shareeda, M.A.; Anbar, M.; Manickam, S.; Hasbullah, I.H. An Efficient Identity-Based Conditional Privacy-Preserving Authentication Scheme for Secure Communication in a Vehicular Ad Hoc Network. Symmetry 2020, 12, 1687. [Google Scholar] [CrossRef]
  14. Adil, M.; Khan, R.; Ali, J.; Roh, B.H.; Ta, Q.T.H.; Almaiah, M.A. An energy proficient load balancing routing scheme for wireless sensor networks to maximize their lifespan in an operational environment. IEEE Access 2020, 8, 163209–163224. [Google Scholar] [CrossRef]
  15. Al Shareeda, M.; Khalil, A.; Fahs, W. Towards the Optimization of Road Side Unit Placement Using Genetic Algorithm. In Proceedings of the International Arab Conference on Information Technology (ACIT), Werdanye, Lebanon, 28–30 November 2018; pp. 1–5. [Google Scholar]
  16. Hamdi, M.M.; Audah, L.; Rashid, S.A.; Al Shareeda, M. Techniques of Early Incident Detection and Traffic Monitoring Centre in VANETs: A Review. J. Commun. 2020, 15, 896–904. [Google Scholar] [CrossRef]
  17. Alazzawi, M.A.; Al-behadili, H.A.; Almalki, M.N.S.; Challoob, A.L.; Al-shareeda, M.A. ID-PPA: Robust Identity-Based Privacy-Preserving Authentication Scheme for a Vehicular Ad-Hoc Network. In International Conference on Advances in Cyber Security, Proceedings of the Second International Conference, ACeS 2020, Penang, Malaysia, 8–9 December 2020; Springer: Singapore, 2020; pp. 80–94. [Google Scholar]
  18. Al-Shareeda, M.A.; Anbar, M.; Manickam, S.; Khalil, A.; Hasbullah, I.H. Security and Privacy Schemes in Vehicular Ad-Hoc Network With Identity-Based Cryptography Approach: A Survey. IEEE Access 2021, 9, 121522–121531. [Google Scholar] [CrossRef]
  19. Hamdi, M.M.; Mustafa, A.S.; Mahd, H.F.; Abood, M.S.; Kumar, C.; Al-shareeda, M.A. Performance Analysis of QoS in MANET based on IEEE 802.11 b. In Proceedings of the IEEE International Conference for Innovation in Technology (INOCON), Bangluru, India, 6–8 November 2020; pp. 1–5. [Google Scholar]
  20. Adil, M.; Almaiah, M.A.; Omar Alsayed, A.; Almomani, O. An anonymous channel categorization scheme of edge nodes to detect jamming attacks in wireless sensor networks. Sensors 2020, 20, 2311. [Google Scholar] [CrossRef] [Green Version]
  21. Al-Shareeda, M.A.; Anbar, M.; Manickam, S.; Hasbullah, I.H. Towards Identity-based Conditional Privacy-Preserving Authentication Scheme for Vehicular Ad Hoc Networks. IEEE Access 2021, 9, 113226–113238. [Google Scholar] [CrossRef]
  22. Huang, D.; Misra, S.; Verma, M.; Xue, G. PACP: An efficient pseudonymous authentication-based conditional privacy protocol for VANETs. IEEE Trans. Intell. Transp. Syst. 2011, 12, 736–746. [Google Scholar] [CrossRef]
  23. Lu, R.; Lin, X.; Luan, T.H.; Liang, X.; Shen, X. Pseudonym changing at social spots: An effective strategy for location privacy in vanets. IEEE Trans. Veh. Technol. 2011, 61, 86–96. [Google Scholar] [CrossRef] [Green Version]
  24. Förster, D.; Kargl, F.; Löhr, H. PUCA: A pseudonym scheme with user-controlled anonymity for vehicular ad-hoc networks (VANET). In Proceedings of the IEEE Vehicular Networking Conference (VNC), Paderborn, Germany, 3–5 December 2014; pp. 25–32. [Google Scholar]
  25. Sun, Y.; Zhang, B.; Zhao, B.; Su, X.; Su, J. Mix-zones optimal deployment for protecting location privacy in VANET. Peer-to-Peer Netw. Appl. 2015, 8, 1108–1121. [Google Scholar] [CrossRef]
  26. Thenmozhi, T.; Somasundaram, R. Pseudonyms based blind signature approach for an improved secured communication at social spots in VANETs. Wirel. Pers. Commun. 2015, 82, 643–658. [Google Scholar] [CrossRef]
  27. Cincilla, P.; Hicham, O.; Charles, B. Vehicular PKI scalability-consistency trade-offs in large scale distributed scenarios. In Proceedings of the IEEE Vehicular Networking Conference (VNC), Columbus, OH, USA, 8–10 December 2016; pp. 1–8. [Google Scholar]
  28. Rajput, U.; Abbas, F.; Oh, H. A hierarchical privacy preserving pseudonymous authentication protocol for VANET. IEEE Access 2016, 4, 7770–7784. [Google Scholar] [CrossRef]
  29. Joshi, A.; Gaonkar, P.; Bapat, J. A reliable and secure approach for efficient Car-to-Car communication in intelligent transportation systems. In Proceedings of the International Conference on Wireless Communications, Signal Processing and Networking (WiSPNET), Chennai, India, 22–24 March 2017; pp. 1617–1620. [Google Scholar]
  30. Asghar, M.; Doss, R.R.M.; Pan, L. A scalable and efficient PKI based authentication protocol for VANETs. In Proceedings of the 28th International Telecommunication Networks and Applications Conference (ITNAC), Sydney, NSW, Australia, 21–23 November 2018; pp. 1–3. [Google Scholar]
  31. Zhang, L.; Wu, Q.; Qin, B.; Domingo-Ferrer, J.; Liu, B. Practical secure and privacy-preserving scheme for value-added applications in VANETs. Comput. Commun. 2015, 71, 50–60. [Google Scholar] [CrossRef]
  32. Alimohammadi, M.; Pouyan, A.A. Sybil attack detection using a low cost short group signature in VANET. In Proceedings of the 12th International Iranian Society of Cryptology Conference on Information Security and Cryptology (ISCISC), Rasht, Iran, 8–10 September 2015; pp. 23–28. [Google Scholar]
  33. Shao, J.; Lin, X.; Lu, R.; Zuo, C. A Threshold Anonymous Authentication Protocol for VANETs. IEEE Trans. Veh. Technol. 2015, 65, 1711–1720. [Google Scholar] [CrossRef]
  34. Lim, K.; Tuladhar, K.M.; Wang, X.; Liu, W. A scalable and secure key distribution scheme for group signature based authentication in VANET. In Proceedings of the IEEE 8th Annual Ubiquitous Computing, Electronics and Mobile Communication Conference (UEMCON), New York, NY, USA, 19–21 October 2017; pp. 478–483. [Google Scholar]
  35. He, D.; Zeadally, S.; Xu, B.; Huang, X. An Efficient Identity-based Conditional Privacy-preserving Authentication Scheme for Vehicular Ad hoc Networks. IEEE Trans. Inf. Forensics Secur. 2015, 10, 2681–2691. [Google Scholar] [CrossRef]
  36. Bayat, M.; Barmshoory, M.; Rahimi, M.; Aref, M.R. A secure authentication scheme for VANETs with batch verification. Wirel. Netw. 2015, 21, 1733–1743. [Google Scholar] [CrossRef]
  37. Zhang, L.; Wu, Q.; Domingo-Ferrer, J.; Qin, B.; Hu, C. Distributed aggregate privacy-preserving authentication in VANETs. IEEE Trans. Intell. Transp. Syst. 2016, 18, 516–526. [Google Scholar] [CrossRef]
  38. Bayat, M.; Pournaghi, M.; Rahimi, M.; Barmshoory, M. NERA: A New and Efficient RSU based Authentication Scheme for VANETs. Wirel. Netw. 2019, 26, 3083–3098. [Google Scholar] [CrossRef]
  39. Pournaghi, S.M.; Zahednejad, B.; Bayat, M.; Farjami, Y. NECPPA: A novel and efficient conditional privacy-preserving authentication scheme for VANET. Comput. Netw. 2018, 134, 78–92. [Google Scholar] [CrossRef]
  40. Zhong, H.; Han, S.; Cui, J.; Zhang, J.; Xu, Y. Privacy-preserving authentication scheme with full aggregation in VANET. Inf. Sci. 2019, 476, 211–221. [Google Scholar] [CrossRef]
  41. Bayat, M.; Barmshoory, M.; Pournaghi, S.M.; Rahimi, M.; Farjami, Y.; Aref, M.R. A new and efficient authentication scheme for vehicular ad hoc networks. J. Intell. Transp. Syst. 2020, 24, 171–183. [Google Scholar] [CrossRef]
  42. Zhong, H.; Wen, J.; Cui, J.; Zhang, S. Efficient conditional privacy-preserving and authentication scheme for secure service provision in VANET. Tsinghua Sci. Technol. 2016, 21, 620–629. [Google Scholar] [CrossRef]
  43. Ali, I.; Lawrence, T.; Li, F. An efficient identity-based signature scheme without bilinear pairing for vehicle-to-vehicle communication in VANETs. J. Syst. Archit. 2020, 103, 101692. [Google Scholar] [CrossRef]
  44. Horng, S.J.; Tzeng, S.F.; Pan, Y.; Fan, P.; Wang, X.; Li, T.; Khan, M.K. b-SPECS+: Batch Verification For Secure Pseudonymous Authentication in VANET. IEEE Trans. Inf. Forensics Secur. 2013, 8, 1860–1875. [Google Scholar] [CrossRef]
  45. Li, J.; Choo, K.K.R.; Zhang, W.; Kumari, S.; Rodrigues, J.J.; Khan, M.K.; Hogrefe, D. EPA-CPPA: An efficient, provably-secure and anonymous conditional privacy-preserving authentication scheme for vehicular ad hoc networks. Veh. Commun. 2018, 13, 104–113. [Google Scholar] [CrossRef]
  46. Varga, A. Discrete event simulation system. In Proceedings of the European Simulation Multiconference (ESM’2001), Prague, Czech Republic, 6–9 June 2001; pp. 1–7. [Google Scholar]
  47. Sommer, C.; German, R.; Dressler, F. Bidirectionally coupled network and road traffic simulation for improved IVC analysis. IEEE Trans. Mob. Comput. 2010, 10, 3–15. [Google Scholar] [CrossRef] [Green Version]
  48. Scott, M. MIRACL—A Multiprecision Integer and Rational Arithmetic C/C++ Library. 2003. Available online: http://www.shamus.ie (accessed on 4 December 2021).
  49. Multi Precision Integer and Rational Arithmetic Cryptographic Library (MIRACL). 2018. Available online: Http://www.certivox.com/miracl/ (accessed on 4 December 2021).
  50. Haklay, M.; Weber, P. Openstreetmap: User-generated street maps. IEEE Pervasive Comput. 2008, 7, 12–18. [Google Scholar] [CrossRef] [Green Version]
  51. Abenza, P.P.G.; Malumbres, M.P.; Peral, P.P. 10 GatcomSUMO: A Graphical Tool for VANET Simulations Using SUMO and OMNeT+. In Proceedings of the SUMO 2017 Towards Simulation for Autonomous Mobility, Berlin, Germany, 8–10 May 2017; p. 113. [Google Scholar]
  52. Behrisch, M.; Bieker, L.; Erdmann, J.; Krajzewicz, D. SUMO—Simulation of urban mobility: An overview. In Proceedings of the SIMUL 2011, The Third International Conference on Advances in System Simulation, Barcelona, Spain, 23–28 October 2011. [Google Scholar]
Figure 1. The main structure of the VANET.
Figure 1. The main structure of the VANET.
Sensors 21 08206 g001
Figure 2. Process of vehicle registration phase.
Figure 2. Process of vehicle registration phase.
Sensors 21 08206 g002
Figure 3. Update vehicle true identity process.
Figure 3. Update vehicle true identity process.
Sensors 21 08206 g003
Figure 4. VANET simulation.
Figure 4. VANET simulation.
Sensors 21 08206 g004
Figure 5. The comparison of message signing process.
Figure 5. The comparison of message signing process.
Sensors 21 08206 g005
Figure 6. The comparison of single-signature verification process.
Figure 6. The comparison of single-signature verification process.
Sensors 21 08206 g006
Figure 7. The comparison of batch-signature verification process.
Figure 7. The comparison of batch-signature verification process.
Sensors 21 08206 g007
Figure 8. Communication overhead comparison based on bilinear pair.
Figure 8. Communication overhead comparison based on bilinear pair.
Sensors 21 08206 g008
Table 1. Notation and their description.
Table 1. Notation and their description.
NotationDescription
T A The Trusted Authority
O B U The On-Board Unit
R S U The Road-Side Unit
T P D The Tamper Proof Device
CRLCertificate Revocation List
PThe base generator P ∈ G 1
h 1 , h 2 , h 3 Three secure hash functions
I D v i , P w d Identity and password of vehicle
T I D S V P i Vehicle’s true identity
S V P , s v p Short valid period of vehicle’s signature key
s v t Short valid period of vehicle’s true identity
δ m i , δ R J The message signature
ζ i , kRandom integer
s T A , P T A The private/public keys of TA
S K s v t The signature key of vehicle
XOR operator
γ i a random vector
m i Safety traffic-related messages
Concatenation operation
t s Current timestamp
Table 2. Security analysis-based privacy requirements.
Table 2. Security analysis-based privacy requirements.
RequirementsBayat et al. [36]Lei Zhang et al. [37]Bayat et al. [38]Pournaghi et al. [39]Bayat et al. [41]SE-CPPA
Message Integrity and Authentication
Identity Privacy-Preserving
Unlinkability
Traceability and Revocation
Resistance to Modification Attacks
Resistance to Replay Attacks
Resistance to Man-in-the-Middle Attacks
Resistance to Impersonation Attacks
Table 3. Simulation experiment parameters.
Table 3. Simulation experiment parameters.
ParametersValue
Simulation time200 s
Playground sizex = 3463 m, y = 4270 m and z = 50 m
Mac LayerIEEE 1609.4
Physical LayerIEEE 802.11 p
Maximum transmission20 mW
Bit rate6 Mbps
Table 4. The single cryptographic operation time.
Table 4. The single cryptographic operation time.
Cryptography OperationsTime (ms)
T b p 5.811
T b p · p m 1.5654
T b p · p a 0.0106
T M · T · P 4.1724
T h 0.001
Table 5. Cost of computation comparison.
Table 5. Cost of computation comparison.
Schemes MSP ISVP BSVP
Bayat et al. [36] 5 T b p + T M · T · P + 2 T h 4 T b p + 3 T b p · p m + T M · T · P + 2 T h n T b p + n T b p · p m + n T M · T · P + n T h
Lei Zhang et al. [37] 2 T M · T · P + 3 T h 3 T b p + 2 T M · T · P + 3 T h 3 T b p + ( 2 n ) T M · T · P + ( 3 n ) T h
Bayat et al. [38] 1 T M · T · P 3 T b p + 1 T b p · p m + 1 T M · T · P 3 T b p + n T b p · p m + n T M · T · P
Pournaghi et al. [39] 3 T b p · p m + T b p · p a + 1 T M · T · P + 2 T h 3 T b p + 3 T b p · p m + 1 T M · T · P + 1 T h 3 T b p + ( 3 n ) T b p · p m + n T M · T · P + n T h
Bayat et al. [41] 1 T b p + 4 T b p · p m + 1 T M · T · P + 1 T b p · p a + 3 T h 2 T b p + 4 T b p · p m + 1 T M · T · P + 1 T b p · p a + 3 T h ( 4 + n ) T b p · p m + n T M · T · P + ( n ) T b p · p a + n T h
SE-CPPA 1 T h 2 T b p + 2 T b p · p m + 2 T h T b p + n T b p · p m + ( 2 n ) T h
Table 6. The costs of several bilinear pairing operations.
Table 6. The costs of several bilinear pairing operations.
Items SizeCost (Bytes)
P 64
The elements in G 1 128
The output of a hash function20
The output of timestamp4
Table 7. Communication cost comparison.
Table 7. Communication cost comparison.
SchemesBroadcasting One MessageBroadcasting n Messages
Bayat et al. [36]388388n
Lei Zhang et al. [37]256256n
Bayat et al. [38]276276n
Pournaghi et al. [39]404404n
Bayat et al. [41]556556n
SE-CPPA216216n
Publisher’s Note: MDPI stays neutral with regard to jurisdictional claims in published maps and institutional affiliations.

Share and Cite

MDPI and ACS Style

Al-Shareeda, M.A.; Anbar, M.; Manickam, S.; Hasbullah, I.H. SE-CPPA: A Secure and Efficient Conditional Privacy-Preserving Authentication Scheme in Vehicular Ad-Hoc Networks. Sensors 2021, 21, 8206. https://doi.org/10.3390/s21248206

AMA Style

Al-Shareeda MA, Anbar M, Manickam S, Hasbullah IH. SE-CPPA: A Secure and Efficient Conditional Privacy-Preserving Authentication Scheme in Vehicular Ad-Hoc Networks. Sensors. 2021; 21(24):8206. https://doi.org/10.3390/s21248206

Chicago/Turabian Style

Al-Shareeda, Mahmood A., Mohammed Anbar, Selvakumar Manickam, and Iznan H. Hasbullah. 2021. "SE-CPPA: A Secure and Efficient Conditional Privacy-Preserving Authentication Scheme in Vehicular Ad-Hoc Networks" Sensors 21, no. 24: 8206. https://doi.org/10.3390/s21248206

APA Style

Al-Shareeda, M. A., Anbar, M., Manickam, S., & Hasbullah, I. H. (2021). SE-CPPA: A Secure and Efficient Conditional Privacy-Preserving Authentication Scheme in Vehicular Ad-Hoc Networks. Sensors, 21(24), 8206. https://doi.org/10.3390/s21248206

Note that from the first issue of 2016, this journal uses article numbers instead of page numbers. See further details here.

Article Metrics

Back to TopTop