1. Introduction
The automotive industry constantly tries to improve driving safety and efficiency by applying various cutting-edge technologies, one of which is V2X technology. The V2X enables vehicles to communicate with other vehicles, infrastructure, pedestrians, mobile networks, and any entity that the vehicle may affect or be affected by. The V2X communication goal is to enhance the safety and efficiency of transportation, and the killer applications are platooning, real-time congestion warning, emergency electronic brake lights, and so on.
There are some requirements for security and privacy in V2X [
1]. First and foremost, security mechanisms ensure that sending and receiving messages can be authenticated and authorized by a reliable party. The V2X architecture must ensure message authenticity, which is usually achieved through digital certification to prevent abuse by drivers and the system itself [
2]. The digital certificate can also ensure message permissions, but identity disclosure can violate driver privacy. Authentication frameworks need to provide privacy preservation mechanisms to prevent identity disclosure attacks, as unwilling identity disclosure and location tracking can violate the privacy of drivers and users.
A location tracking attack is an attempt to track the location and path of the vehicles during a specific period. For privacy preservation, V2X should not make a detailed lifelong history of driver behavior available to others, which centers around the concept of unlink-ability, so eavesdroppers cannot quickly identify or track owners of unrevoked vehicle certificates. Many groups of researchers have designed security solutions for V2X based on the public key infrastructure (PKI) [
3]. For privacy protection purposes, they apply pseudonym certificates with a reasonably limited validity period which need to be changed regularly [
2]. The pseudonym certificates are used to sign V2X messages such as the basic safety message that is periodically transmitted by vehicles or roadside units.
By providing multiple short-term pseudonym certificates to each vehicle, the certificate revocation mechanism becomes more complex in V2X PKI. Suppose the vehicle is provided with many certificates sufficient for long-term usage, e.g., for three years. In that case, revoking the certificate will overfill certificate revocation lists (CRL) very quickly [
4]. To solve this problem, the United States (US) and European Unions (EU) take the following different approaches. The development of V2X PKI for cooperative intelligent transportation systems (C-ITS) in the EU decided to provide certificates only for thee months of use [
5].
Consequently, the vehicle must periodically contact the certificate authority (CA) for new certificates. Generating a new pseudonym certificate requires a bidirectional connection. The periodic and bidirectional connection gives a significant addition to the overall cost of the system [
6]. Conversely, the development of V2X PKI in the US, called the security credential management system (SCMS), decided to implement a linkage value and allow the vehicle to bring many certificates for three years of usage [
2]. The linkage value allows all pseudonym certificates in one vehicle to be revoked using only one link seed record in the CRL. It is still a burden on the system, especially because the link seed of a revoked certificate will stay longer in the CRL even though the individual certificate is valid for only a short time.
Both standard approaches still need improvements in efficiency, especially in supplying pseudonym certificates and revoking misbehaved vehicles. A promising approach to reducing vehicle interaction with the CA while reducing costs caused by large CRL is to use the activation codes technique [
7]. The idea is to encrypt the pseudonym certificate using a secret code before giving it to the certificate’s owner. The certificate’s owner must receive the code to activate (decrypt) their pseudonym certificate before being able to use it. Then, the activation codes are released periodically to all unrevoked vehicles, so each revoked vehicle in a new period cannot use its certificate because it does not receive the activation code for the recent period. Among the solutions that use this method is the ACPC [
8]. The ACPC allows vehicles to obtain the activation code much more efficiently because it reduces the overall cost of certificate distribution and revocation by its unique caching property due to binary tree utilization of its activation code. By its caching property, ACPC can broadcast and place its activation code anywhere on a public site safely for rebroadcast or later retrieval. Using public devices without CA control, such as web servers, RSU, and cellular phones, reduces the V2X PKI infrastructure burden. It contrasts with periodic pseudonymous certificate issuance as described in European Telecommunications Standards Institute (ETSI) [
9], which requires the vehicle to establish and maintain a secure connection to the CA for certificate renewal.
With the broadcast and caching capabilities of ACPC, the possible scenario is that the certificate access manager (CAM) broadcasts the activation code to RSU. The activation code in RSU makes it easier for vehicles to reach the activation code immediately because RSU is a device closest to the vehicle on the road. The RSU will easily receive activation code broadcasts from CAM because, topologically, it is a fixed device and is always active when the activation code broadcast is happening. In contrast, vehicles are mobile devices with intermittent wireless networks. Moreover, the vehicle is inactive when it stays in the garage or parking lot. This situation means the vehicles cannot receive the activation code broadcast, so the vehicle is more likely to request its activation code from RSU while it is active on the road.
In the original ACPC, the vehicle asks for an activation code via RSU as a cache device. The vehicle must receive all the broadcasted intermediate nodes of the binary tree, even though it only needs one of the obtained nodes to derive its activation code. The reason why such a construction is adopted is that the vehicle avoids showing its vehicle identity (
) for privacy reasons. The
is a vehicle identity that represents the binary tree leaf position, which is the location of the vehicle’s activation code [
8]. Eavesdroppers who happen to know
can track the vehicle because each vehicle has a unique
.
The ACPC allows vehicles to perform activation much more efficiently than the issue first activate later (IFAL) scheme because it utilizes the binary hash trees for efficient activation code broadcast as performed by the binary hash tree based certificate access management (BCAM) scheme [
6]. The efficiency of the ACPC can be improved in the fixed-size subset (FSS), variable-size subset (VSS), and direct request (DR) by utilizing cache devices and picking several nodes for privacy preservation [
10]. The DR is the most efficient scheme but cannot preserve privacy requirements. So, the activation code for pseudonym certificate (uACPC) [
11] proposes not to use a fixed
that matches the vehicle’s long-term identifier. Unfortunately, uACPC violates the concept of privacy by design in SCMS (II.A. Threat Models and Application Concepts [
2]), which imposes a condition that at least two SCMS components need to collude to gain meaningful information for tracking a vehicle. The registration authority (RA) alone is enough to have knowledge regarding the relationship between
and long-term identity of the vehicle.
In this paper, we propose a scheme that optimizes the use of cache devices such as the RSU based on the ACPC design to achieve efficiency of activation code distribution on V2X communications while providing privacy preservation. Contributions of the paper are as follows:
Our design ensures that during the certificate registration and activation code distribution only the vehicle knows its identity () of the activation code to maintain the concept of privacy by design in SCMS.
Our scheme provides a different for each activation period to avoid vehicle tracking during the unicast distribution model.
Our scheme can benefit from the unicast distribution model for efficient activation code distribution.
The rest of this paper is organized as follows.
Section 2 describes related work that has been completed so far to reduce the size and improve distribution efficiency of the activation code.
Section 3 explains how we design our proposed scheme to meet our goal. Then we show and discuss the result of our schemes as well as the comparison in
Section 4 and conclude our work in
Section 5. For convenience of the reader, we define the symbols and notations used in
Table 1. Since we built it on top of ACPC, most notations borrow from ACPC with some additions.
3. Proposed Scheme
To provide better privacy preservation, we consider not using the leaf node position as a vehicle identity
as in the ACPC described in
Section 2.3. In our proposed scheme, one vehicle uses different identities for each activation period. In other words, the leaf node position is specific to the code identity, not the vehicle identity. Then, we use
to denote the code identity to distinguish it from
of the previous schemes. Unlike uACPC, which assigns the role of determining
to RA, our scheme gives the right to generate
to the CAM. It is essential to maintain the concept of privacy by design of the SCMS [
2] to be strong against attacks by insiders. The uACPC allows the RA to have information regarding the relationship between
s and the long-term identity of the vehicles. Meanwhile, our scheme does not allow the RA to learn the
given to the vehicle by encrypting it before giving the encrypted
to the vehicle through RA.
The to each activation code is different and randomly chosen, so it is hard for involved entities or the adversaries to conclude the relationship between and the vehicle identity because it has no direct relationship with them. It becomes hard to track vehicles through their , even though the vehicle exposes its to the responder to retrieve its activation code. Moreover, our privacy preservation scheme retains the positive property of ACPC such that codes can be placed safely on the public responder, and vehicles have more flexibility to retrieve their code from any public cached devices.
Here are our strategies to obscure the relation between binary tree nodes and the vehicle identities: First, we do not label the node position as a single vehicle identity or on the binary tree; otherwise we label the node position as a node identity or . Second, only the corresponding vehicle has the information about its . Third, the for every activation period is different and randomly chosen.
We do not label the node position as a single vehicle identity to emphasize the concept that the leaf node in the binary tree does not represent a particular vehicle entity. We change the term vehicle identity to code identity because it is the identity of the code, not the identity of the vehicle. So CAM can determine any leaf node to assign to any vehicle. That way, there is no special relationship between the identity of the code and the identity of the vehicle.
When CAM determines a leaf node to obtain a code for a vehicle, it randomly selects a node that has not been used by the previous vehicle. Even CAM has no knowledge of which vehicle is requesting the code in order to maintain the privacy of the vehicle. After determining the leaf node, the CAM converts the code into a blinded activation code and encrypts the identity code with the requesting vehicle’s encryption key so that when handed back to RA, RA also does not obtain any information about the given by CAM to the vehicle. Only the vehicle itself can unlock the it receives using its pair of encryption codes. It means that only the corresponding vehicle has the information about its .
Our system architecture can be described in two parts. The first part shows the process of pseudonym certificates issuing to the vehicles by determining the and the encryption key for each certificate package generated by the collaboration of RA, CAM, and PCA. The second part presents activation code distribution scenarios that are supported by our proposed scheme, as well as the benefits derived from it.
3.1. Pseudonym Certificate Issuing
Before starting to issue a pseudonym certificate, the CAM needs to set an activation code for all the desired activation periods. This activation code is constructed in the form of a binary tree according to the construction in ACPC as described in
Section 2.5. We choose this construction because it has a small activation code that can benefit the distribution process. After all the activation code construction in the binary tree form is complete, vehicles can start registering to obtain their respective pseudonym certificates. The pseudonym certificate issuing phase can be described as shown in
Figure 2. Then, for the details of the process for each entity involved, it can be seen in
Figure 3.
The vehicle starts by supplying a randomly selected
caterpillar private key
s and
e with the corresponding public
caterpillar key
and
. The keys
s and
e are for signing and encryption, respectively. They also pick up two random seeds to initialize the pseudo-random functions
and
for later butterfly key expansion constructs, as was performed in the SCMS design. Then the vehicle includes
as a certificate request message to RA to trigger the creation of the number of
certificates divided into several
activation periods, where
is the number of certificates per period.
Since the
S and
parts are unchanged in our construction and remain consistent with the original SCMS design, their process details are not included in the diagram shown in
Figure 3 to simplify the explanation. However, the RA must send the public
cocoon key
and
pairs together to the PCA.
Before RA generates a public cocoon encryption key
to encrypt the certificate, it first creates a public cocoon encryption key
(Equation (
5)) and sends it to the CAM for blinded activation code
request. In order not to violate privacy goals, the system needs to prevent the CAM from knowing if two
belong to the same vehicle. The RA must have a configuration parameter for shuffling, i.e., shuffling 10,000 requests from different vehicles or waiting for all requests in one day. This shuffle mechanism is also applied to RA and PCA communications for the same reasons described in [
24].
During the activation code request, CAM will randomly select an available
(not already used by other vehicles) every time period
t using the random selection function
. Based on the selected
, CAM obtains
from the binary tree leaf
. The
parameter is the bit-string length
, and the
is the
itself. Note that each
can be associated with a single tree leaf because the tree depth matches the bit-length of
. The pseudo-random function
then generates a blind activation code
. The selected
that applies to the
function is then encrypted by
and pairs the result
with the blind activation code
.
The CAM completes every single request from the RA with one cycle of generating a blinded activation code and encrypting the associated
. Paired
and
are then returned to RA, deshuffled, and collected according to the requesting vehicle. The
is used as an additional parameter for the encryption key
generation together with the expansion function
, as shown in Equation (
10). Then,
is used in pairs with the public
cocoon keys
to generate a pseudonym certificate by PCA as performed in SCMS [
2]. The pseudonym certificate package
generated by the PCA sends to RA, then RA gives it to the vehicle together with related
, where
and
.
In this way, even though the CAM determines the along with the appropriate for each request, it does not know which vehicle is requesting it. By the encrypted and blinded made by CAM, the RA also does not have information about and given to the vehicle. Furthermore, PCA does not have any information about it either. It can be said that only the requesting vehicle knows the after decrypting the as a reference to obtain the appropriate code for its certificates.
3.2. Activation Code Usage
The stages of distribution and the activation code usage by vehicles can be seen in
Figure 4. In order for the vehicle to request its activation code, the vehicle needs to know the
for the next activation period. The vehicle computes the
as a key to decrypt
, as shown in Equations (
11) and (
12). On the other side, the CAM must distribute the activation codes before the validity period of the current pseudonym certificates expires. The CAM distributes the activation code through the responder units. Then the vehicle uses the given
as a parameter when requesting a specific activation code from the responder.
The responder will look for the requested code in its chacing unit according to the received
. Once it is found, the activation code is immediately send back to the vehicle. However, if there is no activation code that matches the
, the CAM will give an invalid response to the vehicle. After the vehicle receives its activation code, the vehicle uses it to compute the
value (Equation (
13)). Then, the vehicle decrypts its pseudonym certificate using the
. The complete diagram for the certificate activation can be seen in
Figure 5. With active pseudonym certificates, vehicles can use them for message authentication on required V2X applications.
3.3. Activation Code Distribution Scenarios
All vehicles require an activation code to use their certificate in each period. In our scheme, the activation code can be sent through various channels to make it easier for the vehicle to choose the best channel around it. For mobile networks, the delivery is performed in a unicast communication manner, i.e., the vehicle will ask the RSU, cellular tower, or public cloud to obtain its activation code, see
Figure 6. Then the V2X network only uses 40 bits
for upload and 16 bytes (128 bits) for downloads per vehicle activation period.
There are four possible scenarios for sending an activation code to the vehicles.
- 1.
Input manually
The manual input method is not a practical way. However, it is easy for the users to manually enter the code in the vehicle on-board unit (OBU) devices after users receive the code through communication media such as email or short message service (SMS). It is also possible that users obtain code from a vehicle service such as a repair shop or gas station, then enter the code manually into the vehicle OBU devices. However, this method is only possible if the activation code period is not too short, say a month or more. If the activation period is only a few hours or minutes, this method is not very useful.
- 2.
Broadcast periodically
Subscribed devices can receive all codes from the CAM periodically. Vehicles that have a good Internet connection can receive codes in this mode. A direct send activation code from CAM to vehicles is not the best choice since it burdens the CAM server and takes no advantage of binary tree construction. Moreover, this setup is hampered in practice by the situation that the OBU in the vehicles is typically only active when the vehicle is. However, the responder device that will serve the activation code request from the vehicle also receives the activation code in this mode, for example, RSU, repair shop, gas station, or web server. All of these devices are pretty easy to obtain an activation code from periodically because they are always live and stationary devices with a stable network connection to the CAM.
- 3.
Point-to-point communication
It is a direct interaction between the CAM and the vehicle. If all vehicles have a strong Internet connection, point-to-point communication is accessible. Another method used is the short message service (SMS) proposed by [
7]. However, such a connection requires users to have some subscription contracts with the service provider at additional costs. Moreover, the Internet network cannot support the whole area, for example, the suburbs.
One possible way is through the road infrastructure network. The vehicle is wirelessly connected using dedicated short range communications (DSRC) technology via the RSU along the road. The RSU then forwards it to the Internet network so the vehicle can communicate with the CAM. However, it possibly overloads the CAM and RSU.
- 4.
Indirect communication
It means that the vehicle does not receive an activation code directly from the CAM but from the caching devices or responder, such as a proxy server on the Internet network or the RSU. The responder is a device that has previously received all the codes from the CAM broadcast periodically. Responders can be web servers, vehicles, or RSU. Vehicles can use one of the responders available in the surroundings by requesting an activation code based on the selected .
All of the above communication scenarios can be used simultaneously, thus providing many options for vehicles to obtain the activation code quickly. Even so, the first to third scenarios can generally also work on the original ACPC. Therefore, we are more interested in discussing the efficiency that occurs in indirect communication, especially when using RSU as the responder. If bidirectional connectivity is available for a binary-tree-based activation code, it can benefit from a unicast distribution model. Vehicles can greatly reduce bandwidth usage when requesting an activation code. The main purpose of the V2X network is to transmit information that relates to driving safety and efficiency, and this main purpose should not be interfered with by other applications. The efficient bandwidth usage by V2X PKI is very beneficial for the V2X network.
To obtain optimal benefits of binary tree construction, we utilize a cache unit that acts as a responder. Responders can respond to vehicle requests for activation codes, as shown in
Figure 7. The closest unit to the vehicle on the road is the RSU. If the RSU becomes a responder activation code, it provides the activation code easy access by the vehicles.
With a different
for each period as described in
Section 3.1, even if the certificate authority does not control the responder, the vehicle can request an activation code to the responder without worrying about its privacy. The untrusted responder cannot track the vehicle path based on the exposed
. After the vehicle decrypts its
, the vehicle can safely show its
to ask the responder for the activation code.
Bandwidth usage on the mobile network for activation code transmission is achieved in a minimum size because the activation code sent from the responder to the vehicle is only one code (16 byte). Moreover, the cache unit utilization reduces the certificate authority burden and provides more alternatives for the vehicles to obtain their activation code.
4. Analysis of the Proposed Scheme
4.1. Unicast Distribution Model
All vehicles require an activation code to use their certificate at activation period t. For efficient activation code distribution to every vehicle on the V2X network, primarily via RSU, the activation code is sent through the broadcast and unicast distribution mechanism. In the broadcast mechanism, CAM sends the set of the activation code in period t. The broadcasted activation codes are received and stored by the RSU. Due to the reliable network between them, there are relatively no problems with the broadcast distribution to the RSU. However, it is likely impossible that all vehicles will receive the broadcasted file concurrently. Whether the vehicles are out of network or in an inactive state during parking is very likely to happen. Although it is possible to keep the OBU active while the vehicle is parked, the possibility for the vehicle to be inactive still occurs.
4.2. Privacy Protection: Different Code Identity in Each Activation Period
On the unicast distribution, the vehicles can request the activation code by showing their
, so the RSU can immediately respond to the correct activation code. The ACPC has a privacy issue when using this unicast model, so it tries to solve this issue by increasing the crowd size privacy level [
10]. However, it is still not working for DR because ACPC uses
as vehicle identity to specify its activation code. Our scheme provides better privacy protection for the DR method, so it is possible to maintain minimum bandwidth usage in V2X for activation code transmission. Our scheme provides a different
for each activation period to prevent vehicle tracking as also proposed in uACPC [
11]. The different
technique is inspired by V2X PKI, which uses different certificates to prevent vehicle tracking by others using vehicle communication paths.
During the unicast activation code distribution, the responder knows the of the vehicle for a single period only, and the activation code request will use a different in the next period, so the responder or eavesdropper has no idea whether it came from the one vehicle or not. Moreover, if the responder answers the activation code request at the first request attempt, the vehicle exposes its only once. So, this scheme provides the unlink-ability requirement of V2X privacy.
4.3. Privacy Protection: Hiding the Code Identity from V2X PKI Entity
The is used by the vehicle to request its corresponding activation code. None of the SCMS entities can fully know information about the given to a vehicle. The is encrypted using a key based on the vehicle’s public key so that only the vehicle can find its by decrypting using its key pair. If the vehicle discloses its when requesting an activation code, no V2X PKI entity can associate the with another during activation so that the privacy of the vehicle can be maintained because each time it uses a different , it will be considered a different vehicle by the V2X PKI. This technique is the same as the pseudonym certificate used in the V2X PKI for privacy protection during periodic message sending.
Unlike uACPC, which assigns the role of determining
to RA, our scheme gives the right to generate
to the CAM. It is essential to maintain the concept of privacy by design of the SCMS [
2] to be strong against attacks by insiders. The uACPC allows the RA to have information regarding the relationship between
s and long-term identity of the vehicles. Meanwhile, our scheme does not allow the RA to learn the
given to the vehicle by encrypting it before giving the encrypted
to the vehicle through RA.
4.4. Bandwidth Efficiency
The caching strategy applied to the activation code is to overcome the problem of connection and bandwidth limitations on the V2X network. By sending the entire activation code through a device connected to the reliable (non-mobile) network only, the activation code broadcast does not flood the V2X network. For comparison, let us say that
is the binary tree depth and the available leaf node to cover all active vehicles is
1,099,511,627,776 (about one trillion). If out of the total number
of vehicles there are
revoked vehicles, then the average number of nodes broadcast
by CAM is
for
[
25]. The number of variable node
on VSS is dependent on vehicle request security level [
10], while to reach maximum security level
on VSS, the
is equal to
. We assume that the first source of the activation code is CAM, although, in IFAL, it is the enrollment authority. However, in the context of broadcast activation code, they perform the same task.
From
Table 2, it can be seen that ACPC and its descendants, including our scheme, can distribute the activation code more efficiently than the IFAL; the total activation code size of ACPC is
. The enormous download size from CAM to RSU happens in the IFAL scheme because it has to send all activation codes to each unrevoked vehicle. The size of the IFAL activation code is 16 byte and 5 byte of the epoch identifier, with an additional 7 byte of the code identifier [
7]. So, the IFAL activation code for all unrevoked vehicles in total is
29,686,679
.
The storage required by the RSU to keep the activation code is equal to the activation code download size from CAM to RSU. The RSU must store 29,686,679 activation code for IFAL. With such a large size for one activation period, it is difficult to expect IFAL to use a scenario with the RSU is an activation code responder. With this, we will remove IFAL from the communication scenario between the vehicle and the RSU. As for ACPC, uACPC, FSS, VSS, and our scheme, the storage space required in RSU is only . After RSU receives all the activation codes, the vehicle can request an activation code from it.
From upload and download size, the table shows that our scheme, uACPC, and IFAL use a small amount of data because they request only a specific node from which the vehicle activation code is derived. Changes in the number of revoked vehicles or active vehicles have no effect on upload and download sizes between RSU and vehicle. Meanwhile, there are no uploaded data for ACPC data, but the size of downloaded data by the vehicle is the same as the data transmitted from CAM to RSU, which is . Overall, looking at all the total data transmitted from CAM to RSU and RSU to the vehicle, uACPC and our scheme use the smallest network resources.
4.5. Storage Usage
The storage usage on the vehicle is determined by the size of the certificate and how many certificates must cover the entire validity period . assuming that the pseudonym certificate file size is similar for all schemes with roughly 128 byte. To simplify the calculation let us say that one certificate is sufficient to cover one t, the total certificate size is . Total activation period is the total period a that every a covers some certificates batch. Each certificate has a t validity period, and the entire validity period is the sum of t. Our scheme needs to store byte of that is used for each a period, so our total storage usage is . If we give setting min and , the storage requirement on the vehicle of our schemes and uACPC is slightly higher than IFAL, ACPC, FSS, and VSS. It is because the vehicle has to store all which is 40 bits per activation period.
As shown in
Figure 8, if the certificate is prepared for three years of use as recommended by SCMS, then the vehicle will need approximately
of storage space to store the pseudonym certificates and
s. Meanwhile, if the certificates are prepared for 10 years usage, the vehicle must have a minimum of
storage space. By looking at the size of the stored data in the vehicles in varied years, our scheme is not significantly different than other systems. So there is no restriction in the storage usage of the vehicle OBU.
4.6. Reducing Vulnerability Window
The number of nodes from ACPC that a vehicle must download varies depending on the number of revoked vehicles. Shortening the certificate validity and activation period together gives malicious vehicles less time to continue using the remaining certificates. Consequently, all vehicles have to download the tree node for their activation code more often. Considering the size of the activation code, which is relatively simple on the distribution, allows V2X PKI to minimize windows vulnerabilities. Our proposed scheme allows for a shorter certificate activation period with a small node size to be downloaded by a vehicle. In addition, the nodes distributed by CAM can be placed anywhere openly and securely. This property also allows decentralized distribution of activation codes to reduce the CAM load and give vehicles more options to obtain their activation codes as soon as possible.
Consider the vehicle’s bandwidth usage to download the tree node over a certain period. If there are 50,000 revoked vehicles
out of a total of vehicles
with
, then the size of nodes is
each
t period The vehicle must download the
of total nodes size. Assume that we shorten the certificate validity
t to 5 min only, and the total valid period is 1,576,800 min (3 years) total certificates as well as
is 315,576. The
i is the number of
t that is covered by one
a. With a variation of
i, we can see by the graph in
Figure 9 that our scheme compared to VSS and FSS uses the smallest total download of node size during three years usage. On average, as shown in
Figure 9a, the average VSS is required to download the most significant amount of data, and the most extensive data size is reached when the activation period is equal to one pseudonym certificate validity period with
in total.
Although much lower than VSS, the FSS also has the same trend as VSS as shown in
Figure 9b. Our proposed scheme shows that the total data downloaded for various cover validity periods for each activation period is minimal. The most interesting point here is that our proposed scheme is always below
on average in all variations of the covered certificate validity period. Even if the activation period is equal to the validity period of a certificate, our scheme only needs to download
of nodes in total to each vehicle during three years of usage. This result shows that our scheme is very good at network bandwidth usage between RSU and vehicles for a short activation period.
4.7. Overall Comparison
In general, our scheme has the advantage of small file size in the distribution of the activation code in the unicast distribution model. However, our strategy needs a mechanism to ensure privacy preservation during the activation code distribution, one of which is encrypting the identity of the activation code. Consequently, there is an additional cost to decrypt the encrypted
in the vehicle. The comparison in
Table 3 shows that only our scheme has additional computational costs to decrypt the identity of the activation code. So it is necessary to consider the computational resources in OBU. However, the decryption of
should not interfere with the daily operation of OBU because the decryption of
can be performed when OBU is not busy with its routine tasks while on the road. For example, decryption is performed on all
immediately after receipt, so there is no need to decrypt in the future. However, the computational cost can be acceptable with the efficient use of bandwidth, the ease of obtaining activation codes, and the privacy protection offered.
5. Conclusions
In this paper, we have shown a scheme that increases the efficiency of communication between RSU and vehicles by improving activation codes distribution over the ACPC scheme. Our scheme fully utilizes the ability of ACPC, which can take advantage of caching devices openly without requiring control from a certificate authority.
We introduce an architecture to maintain the privacy of the activation code owner by providing a different code identity for each activation period. We also protect against possible insider attacks on the system by not allowing any entities to have information of the belonging to the vehicles.
The number of distributed activation codes is smaller than the previous scheme because the vehicle can request one specific code due to privacy protection of the . This small size of activation code then becomes advantageous for the V2X PKI system to reduce windows vulnerability against revoked vehicles.
The placement of the activation code in any caching device does not require encryption and authorization. The caching devices do not require any certificate authority control and do not burden the CAM. The activation code can be placed anywhere so that it is easily accessed by vehicles. This flexibility can increase vehicles’ probability of reaching their activation code as soon as possible.
As future work, we will examine how to determine the optimal management and settings for our proposed scheme by via simulations.