International Journal of Distributed Sensor Networks
Volume 2013 (2013), Article ID 615906, 9 pages
A Distributed Pseudonym Management Scheme in VANETs
1School of Computer and Information, Hefei University of Technology, Hefei 230009, China
2The Anhui Provincial Key Laboratory of Mine IoT and Mine Safety Supervisory Control, Hefei 230088, China
Received 22 December 2012; Accepted 3 April 2013
Academic Editor: Xu Yongjun
Copyright © 2013 Xiaoling Zhu et al. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.
Security and privacy have been important issues in VANETs. Anonymity is an effective way to achieve privacy protection, but it sometimes needs to be lifted to determine traffic liability. In most pseudonym schemes, an authority is aware of a vehicle's secret, and its compromise will result in the leakage of a large amount of privacy information. So, we propose a distributed traceable pseudonym management scheme in VANETs. In the scheme, a blind signature method is adopted to achieve strict separation of issuance and tracking. A distributed tracking protocol, based on an improved scheme for shared generation of RSA keys, is proposed to enhance the robustness of tracking. An efficient pseudonymous authentication mechanism is proposed to reduce the communication overhead. Compared with other related proposals, our scheme is unforgeable, especially against authority forge attacks, and has better robustness. Moreover, the performance analysis shows that it is efficient in VANETs.
Vehicle-to-vehicle and vehicle-to-infrastructure communications improve a vehicle’s perception of the surrounding environment. Vehicular ad hoc networks (VANETs) will be used widely in collision avoidance, road-hazard notification, and coordinated driving systems. Nonetheless, there are many security threats in VANETs [2–4]. For example, an attacker might tamper with messages to evade accident liability or forge information to meet specific needs. The attacker also might eavesdrop on broadcast messages, analyze data, and track a vehicle. So, security and privacy have been important issues in VANETs.
A number of studies have been made on the issues of security and privacy preservation. Raya and Hubaux [5, 6] pointed out that anonymity is conditional for liability purposes and that authority can disclose the pseudonym. In [5, 6], a security protocol was introduced. Although this protocol can effectively meet the conditional privacy requirement, it is far from efficient and can hardly become a scalable and reliable approach, because the authority has to keep all the anonymous certificates for each vehicle. Lin et al.  proposed a security and privacy preserving protocol. With group signature, security, privacy, and traceability can be achieved without inducing the overhead of managing a huge number of stored certificates at the authorities’ sides. Calandriello et al. [8, 9] proposed on-the-fly pseudonym generation and self-certification, which alleviates the overhead of managing certificates. Group signature method is adopted to ensure that legitimate nodes can generate their pseudonyms anonymously. Lu et al.  presented a conditional privacy preservation protocol, which improves efficiency in terms of the minimized anonymous keys storage at each vehicle. Performance evaluation shows that the protocol can achieve much better efficiency than Raya and Hubaux’s [5, 6] and Lin et al.’s  when vehicles are revoked. Zhang et al.  proposed a scalable robust authentication protocol. In , some roadside units (RSUs) serve as the issuer of vehicles’ private key, and a signcryption method is employed to distribute the keys securely. Hao et al.  proposed a distributed key management framework, which has advantages in the revocation of malicious vehicles and system maintenance. An efficient cooperative message authentication protocol is developed to reduce the computation and communication overhead in the group signature.
The above reported schemes [7–12] are based on group signature. In Boneh et al.’s group signature scheme , each user’s private key is generated by the private-key issuer, which is a hidden security threat. In [7–9], each vehicle’s group private key is computed by a member manager. In , a trusted authority is required; the authority generates valid private keys for on-board unit and RSU. In , RSU generates and sends the group private key to the vehicle. In , some measures are adopted to prevent RSU from misbehaving, but when the authorities find a mismatch they cannot decide which party is malicious: the RSU, the vehicle, or both. Therefore, these schemes [7–12] suffer from private key revealing attacks, in which the private-key issuer knows each user’s private key.
Schaub et al.  adopted blind signature technology to achieve the separation of issuing and tracking. A disadvantage of the scheme is that the V-token () is produced by a vehicle alone; thus, the vehicle might forge another vehicle’s V-token. Moreover, if CA is not credible, it can generate a V-token by itself and sign it. CA can obtain the pseudonym certificate from a pseudonym provider and impersonate any vehicle.
To solve the above problems, this paper presents a distributed pseudonym management scheme in secure VANETs. The main contributions of the scheme are as follows. (1) Pseudonym is coproduced by the issuer and the vehicle. Either party attempting to deceive can be detected. It can resist authority forge attacks. (2) An efficient pseudonym authentication mechanism is proposed by finding the optimal number of messages with the pseudonym certificate, which not only reduces the communication overhead but also ensures the message authentication probability . (3) Distributed pseudonym tracking based on secret sharing method is presented. The initialization of the tracking protocol does not require a trusted center, thus avoiding any single point of failure. It offers better robustness.
The remainder of this paper is organized as follows. The pseudonym management model is given in Section 2. The pseudonym issuance protocol, the pseudonymous authentication protocol, and the distributed tracking protocol are presented in Sections 3, 4, and 5, respectively. Section 6 analyzes and compares the security and the performance of our scheme with other related schemes. Finally, the conclusion of this paper is given in Section 7.
2. Pseudonym Management Model
There are three types of entities: (1) a vehicle (). Its identity is , corresponding to a long-term public key and a long-term private key . Its pseudonym is IDPV, corresponding to a short-term public key and a short-term private key . The vehicle contains a sensing input module, a wireless communication module, a central processing module, and a hardware security module (HSM) . The HSM generates public and private keys, stores private keys, and provides digital signature service. (2) An authority: it is divided into certificate authority (CA), pseudonym certificate authority (PCA), and tracking authority (TA). PCA issues pseudonym certificates, but it does not know the pseudonym. Only TA knows the relation between the pseudonym and the identity. CA issues , and contains and . PCA issues CertPV, and CertPV contains IDPV and . PCA’s public and private keys are denoted as and , respectively. TA’s public and private keys are denoted as and , respectively. There are some PCAs in the model, and may apply for a pseudonym to the neighboring PCA. Only a few suspicious vehicles need to be disclosed, so TAs are rare. But if only one authority acts as TA, abuse can occur. Based on the secret sharing method, we extend one authority to authorities forming . () may be a law enforcement agency, a judge, or a privacy protection agency. ’s identity is . Assume that the vehicle is preloaded with the public keys of CA, PCA, and TAs during the vehicle’s initialization. (3) Roadside unit (RSU): it communicates with vehicles and other devices on the internet.
The security and privacy requirements in the model are as follows.
Anonymity. For other entities (such as PCA, attackers) except TAs, it is computationally infeasible to disclose the identity from a pseudonym.
Traceability. If the members in TAs implement the protocol honestly, at least members can disclose collaboratively the identity from a pseudonym.
Unforgeability. For any entity, it is computationally infeasible to forge a false signature or impersonate another entity.
Robustness. If any authority is compromised, the implementation of pseudonym issuance, pseudonymous authentication, and tracking is not affected.
The process of pseudonym management is shown in Figure 1. (1) The vehicle gets an identity certification from CA. (2) applies for pseudonym certificates. (3) PCA issues some pseudonym certificates to . (4) communicates with other vehicles and RSU with the pseudonym certificates. (5) Once other vehicles find suspicious vehicles, they submit a tracking request to TAs. (6) TAs disclose the identity from the pseudonym.
The model consists of three protocols: a pseudonym issuance protocol, a pseudonymous authentication protocol, and a distributed tracking protocol. TAs’ public key is generated during the initialization stage and used in the pseudonym issuance protocol. Pseudonym certificates are generated in the issuance protocol and used in the pseudonymous authentication protocol. Once suspicious messages appear in pseudonymous authentication, the distributed tracking protocol is activated.
3. Pseudonym Issuance Protocol
Chaum  first proposed the concept of a blind signature, which allows users to get a message signature without leaking any contents. The pseudonym certificate issuance protocol adopts the blind signature method.
(1) sends to PCA, where is the number of pseudonyms.
(2) PCA verifies , if passed, and sends to , where is the expiration date.
(3) extracts , decrypts it, and gets . Then verifies PCA’s signature, if passed, picks two random integers and (), and generates the pseudonyms as follows: extends them to sends PCA the blind alternative commitments (), where SHA is a message digest function.
(4) PCA randomly generates verification set , , and , and sends to .
(5) shows to PCA.
(6) PCA computes , and and checks . If passed, PCA sends the blind signatures of the remaining commitments to .
(7) removes the blind factors and gets the pseudonym certificates as follows:
The prerequisite for running the protocol is that, during the initialization stage, has obtained TAs’ public key and PCA’s public key . Before applying for a pseudonym, the short-term public and private keys of the vehicle have already been generated. (1) sends a request signed with to PCA to prove its identity . (2) PCA sends the signature secretly, not only to prove PCA’s identity but also to coproduce ’s pseudonym. Sending the signature secretly prevents it from leaking. (3) produces pseudonyms and blinds them. In (4), (5), and (6) PCA opens commitments among commitments to verify. If passed, PCA blindly signs the remaining commitments. (7) removes the blind factors and gets the pseudonym certificates.
In Schaub et al.’s issuance protocol , CA signs V-tokens for a vehicle. Pseudonym provider (PP) checks the validity of V-tokens; if valid, PP issues a pseudonym certificate. Four rounds of interaction are required. If CA wants to cheat, it will not interact with a vehicle; it will obtain a fake pseudonym certificate and impersonate a vehicle, and so will PP.
In our issuance protocol, PCA issues directly a pseudonym certificate to a vehicle, and three rounds of interaction are required. A pseudonym is coproduced by and PCA. PCA cannot provide to forge a pseudonym of . cannot provide to forge the pseudonym of another vehicle . Even if eavesdrops on the communication between and PCA, cannot decrypt . So, it fails to forge the pseudonym. Furthermore, the cut-choose method is also adopted in our protocol, like in Schaub et al.’s protocol, and prevents content spoofing to a certain extent.
As a result, our issuance protocol maintains good property of vehicular privacy in the presence of an authority and provides security against authority forge attack. Moreover, the communication overhead is reduced from four rounds to three rounds.
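The blind-issuance and cut-and-choose steps described above, as an added Python example that is not the paper's own code. It uses textbook RSA blinding (Chaum) with a toy-sized key; the pseudonym layout (a PCA-issued token joined to vehicle randomness) and all function names are assumptions, because the paper's formulas are not preserved on this page.

```python
import hashlib
import secrets
from math import gcd

# Toy PCA key (assumption): two Mersenne primes, far too small for real use.
P, Q = 2**61 - 1, 2**89 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))      # PCA private exponent


def digest(msg: bytes) -> int:
    """SHA-256 of msg reduced into Z_N (proper signature padding is out of scope)."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % N


def make_candidate(token: bytes) -> dict:
    """Vehicle: build one pseudonym from the PCA token plus its own randomness,
    then blind its digest with r^E so the PCA cannot read it."""
    pseudonym = token + b"|" + secrets.token_hex(16).encode()
    while True:
        r = secrets.randbelow(N - 2) + 2
        if gcd(r, N) == 1:
            break
    return {"pseudonym": pseudonym, "r": r,
            "blinded": digest(pseudonym) * pow(r, E, N) % N}


def pca_check_opened(token: bytes, blinded: int, pseudonym: bytes, r: int) -> bool:
    """PCA: an opened commitment must embed the PCA's token and re-blind to
    exactly the value the vehicle committed to."""
    well_formed = pseudonym.startswith(token + b"|")
    return well_formed and digest(pseudonym) * pow(r, E, N) % N == blinded


def issue(token: bytes, candidates: list, opened: set):
    """Cut-and-choose: the PCA inspects only the `opened` indices (the vehicle
    reveals pseudonym and r for those alone) and, if all pass, signs the
    remaining blinded values without ever seeing their pseudonyms."""
    for i in opened:
        c = candidates[i]
        if not pca_check_opened(token, c["blinded"], c["pseudonym"], c["r"]):
            return None                              # cheating detected, abort
    return {i: pow(c["blinded"], D, N)               # blind signatures
            for i, c in enumerate(candidates) if i not in opened}


def unblind(blind_sig: int, r: int) -> int:
    """Vehicle: strip the blinding factor, leaving a plain RSA signature."""
    return blind_sig * pow(r, -1, N) % N


def verify(pseudonym: bytes, sig: int) -> bool:
    """Anyone: check the certificate signature with the PCA public key."""
    return pow(sig, E, N) == digest(pseudonym)


def demo() -> bool:
    token = b"PCA-TOKEN-constructed"                 # constructed sample value
    cands = [make_candidate(token) for _ in range(6)]
    opened = set(secrets.SystemRandom().sample(range(6), 3))
    signed = issue(token, cands, opened)
    return all(verify(cands[i]["pseudonym"], unblind(s, cands[i]["r"]))
               for i, s in signed.items())


if __name__ == "__main__":
    print("honest run yields valid certificates:", demo())
```

Cut-and-choose is probabilistic: a malformed candidate is caught only if its index is among those the PCA opens, which matches the text's statement that the method prevents content spoofing "to a certain extent".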
4. Pseudonymous Authentication Protocol
A complete authentication message consists of six fields: messageID, payload, timestamp, signature, certificate, and TTL. “MessageID” is the message number during the same pseudonym period. “Payload” contains collision data, location, direction, speed, and so on. “Timestamp” prevents replay attacks. “Signature” is the signature of the first three fields. The next field is , where . “TTL” limits how long the message is allowed to remain, to prevent message flooding. If the key has 1024 bits, the signature has 1024 bits. As has 26 bytes , the pseudonym certificate length is 796 B. Finally, the total message length is 1031 B, and the pseudonym certificate accounts for 77% of the total message length.
If each message carries a certificate of 796 bytes during the same pseudonym period, the communication overhead is high. If only the first message carries the certificate, the message length is reduced from 1031 bytes to 235 bytes. However, if the first message with the certificate does not arrive at the receiver, other received messages which do not contain the certificate cannot be verified.
Some researchers proposed a mechanism to reduce the communication overhead of secure messages by omitting the inclusion of certificates in messages. Concrete methods such as the periodic omission of certificates, neighbor-based certificate omission, and congestion-based certificate omission were proposed in , , and , respectively. In these schemes, the optimal parameter was obtained by means of simulation. In contrast to the earlier proposals, we found the optimal parameter by means of probability analysis.
Define that is the number of messages and is the number of messages with pseudonym certificate during one pseudonym period. If at least one message with certificate is accepted by the receiver, other arrived messages with the same pseudonym can be authenticated. Define the message authentication probability as , where is the packet reception rate. We used a packet reception rate model of broadcast channel in a good channel condition , where is the distance between the sender and the receiver.
Figure 2 shows the relationship among the message authentication probability , the intervehicle distance , and the number of messages with certificate . Assuming that is a constant, decreases with the increase of ; assuming that is a constant, increases with the increase of . From the figure, it can be further observed that if and , then . That means we take , which can meet the need of most vehicles for broadcast message authentication. Thus, is the optimal number of messages with the pseudonym certificate.
We define as the average message length, and Figure 3 shows the relationship between and under the condition of . The parameter decreases with the increase of . It means that the more messages are sent during a pseudonym period, the lower the communication overhead is.
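A small model of the certificate-omission trade-off discussed above, added here as an example and not taken from the paper. It assumes independent packet loss with reception rate p, so that at least one of k certificate-carrying messages arrives with probability 1 - (1 - p)^k; the 1031-byte and 235-byte lengths come from the text, while the function names and sample values are constructed.

```python
FULL_LEN, SHORT_LEN = 1031, 235     # bytes with / without certificate (from the text)


def auth_probability(p: float, k: int) -> float:
    """P(at least one of k certificate-carrying messages is received),
    assuming independent losses with packet reception rate p."""
    return 1.0 - (1.0 - p) ** k


def min_cert_messages(p: float, target: float, limit: int = 1000):
    """Smallest k whose authentication probability reaches `target`."""
    for k in range(1, limit + 1):
        if auth_probability(p, k) >= target:
            return k
    return None                      # not reachable within `limit` (e.g. p == 0)


def average_length(n: int, k: int) -> float:
    """Mean bytes per message when k of the n messages carry the certificate."""
    if not 0 < k <= n:
        raise ValueError("need 0 < k <= n")
    return (k * FULL_LEN + (n - k) * SHORT_LEN) / n


def verifiable(arrived: list, k: int) -> int:
    """Receiver view: the first k messages carry the certificate. Arrived
    messages are buffered and become verifiable once any certificate has
    arrived; if none did, nothing sent under this pseudonym can be checked."""
    got_cert = any(arrived[:k])
    return sum(arrived) if got_cert else 0


if __name__ == "__main__":
    p = 0.5                          # constructed reception rate at long range
    k = min_cert_messages(p, 0.99)
    print(k, auth_probability(p, k), average_length(100, k))
```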
5. Distributed Tracking Protocol
Based on the secret sharing scheme , TAs’ private key is assigned to the authorities, and any subset of at least of them can disclose the secret. Generally, there is a trusted center during the initialization stage of the secret sharing scheme. Once the center is compromised, the privacy will be leaked. Boneh and Franklin  discussed the generation of RSA keys without a dealer, but the protocol required the help of a third party. Cocks  presented another protocol to generate shared RSA keys without the help of a third party. It needs a large number of modular exponentiation operations to generate the modulus, and thus the efficiency of the protocol is poor. Malkin et al.  extended two parties  to parties.
Instead of time-consuming modular exponentiation, we use modular multiplication to generate , where is the modulus of RSA. Furthermore, we extend the threshold scheme to a more general form , where is the number of members and is the threshold value. Based on the above ideas, the distributed tracking protocol is developed. It consists of distributed generation of modulus , distributed generation of private key and secret share, and collaborative tracking. The first two parts are completed collaboratively by all members during initialization, and the third part is implemented collaboratively by at least members during the tracking stage.
5.1. Distributed Generation of Modulus
Each member () picks random primes , and computes modulus without revealing , . Assuming that is odd, the steps are as follows:
(1) picks two random primes , and a random (prime ). computes and sends and to (, ).
(2) computes and and sends to .
(3) computes (), and broadcasts in TAs.
(4) All members compute and get .
(5) Any member in TAs picks an integer randomly and broadcasts in TAs.
(6) TA1 computes and broadcasts ; all other members () compute and broadcast ; all members verify .
(7) If the verification fails, all members execute steps (1)–(6) again. Otherwise, success is returned.
5.2. Distributed Generation of Private Key and Secret Share
is Euler function of , denoted as . If is the product of two primes,
(1) TA1 computes , and another member () computes . Then, each member () broadcasts in TAs.
(2) collects , and computes and . obtains its own private key
(3) picks a random degree polynomial , satisfying . It computes and sends to () secretly.
(4) collects , then computes the secret share
After implementing the protocol, each member obtains the private key and secret share . The operation of computing reveals low bits of . In order to protect from revealing more bits, we take a small .
5.3. Collaborative Tracking
(1) The vehicle reports the signed message with a certificate to a tracking authority such as TA1. TA1 checks whether the signed message and the certificate are valid.
(2) If passed, TA1 extracts IDPV from CertPV and sends IDPV to other members. If members accept a tracking request, they constitute a tracking group. Assume that their identities are .
(3) Participants () send to TA1, where .
(4) TA1 tries all possible and (, ) and computes It extracts and further gets with . TA1 gets according to the actual meaning of the strings.
Then TA1 submits to PCA, and PCA puts it into the blacklist. PCA will reject the request of the vehicle in the blacklist for pseudonym certificates. So, the pseudonym tracking protocol combined with the pseudonym issuance protocol can realize the revocation of malicious vehicles.
In Lin et al.’s protocol , a centralized method for tracking is adopted. A trace manager (TM) computes a vehicle’s private key from a signed message in order to disclose the vehicle’s identity. Once TM is compromised, a large amount of privacy information is leaked.
In Schaub et al.’s protocol , the secret sharing method for tracking is adopted to prevent misuse and abuse of a system. The method is distributed, but it generally requires a trusted center to distribute secret shares in the initialization phase. Therefore, the trusted center will be a security bottleneck.
In our tracking protocol, all the processes in the secret sharing method adopt a fully distributed structure, such as generation of private key and secret share, generation of modulus and collaborative tracking. As a result, our tracking protocol avoids a single point of failure.
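The share-dealing steps (3)–(4) of Section 5.2 and the collaborative tracking of Section 5.3, as an added Python example that is not the paper's code. Assumptions: the additive key pieces are constructed from a known toy key for the demonstration, the pseudonym is modelled as a textbook RSA encryption of the identity under the TAs' public key, and the partial results are combined with the standard n! scaling of Lagrange coefficients (Shoup's technique) because the paper's own combining formula is not preserved on this page.

```python
import secrets
from math import factorial

# Toy TAs key (assumption): Mersenne primes, far too small for real use.
P, Q = 2**61 - 1, 2**89 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # used ONLY to construct the pieces below


def additive_pieces(n: int) -> list:
    """Constructed stand-in for the output of 5.2 steps (1)-(2): n positive
    integers summing to D. In the paper no single party ever computes D."""
    parts = [secrets.randbelow(D // n) + 1 for _ in range(n - 1)]
    return parts + [D - sum(parts)]


def deal(piece: int, t: int, ids: list) -> dict:
    """Step (3): a member hides its piece as f(0) of a random degree t-1
    integer polynomial and hands f(j) to member j."""
    coeffs = [piece] + [secrets.randbelow(N) for _ in range(t - 1)]
    return {j: sum(a * j**k for k, a in enumerate(coeffs)) for j in ids}


def secret_share(dealt: list, j: int) -> int:
    """Step (4): member j adds up the evaluations it received."""
    return sum(d[j] for d in dealt)


def partial_result(c: int, share: int) -> int:
    """Tracking: a participant raises the pseudonym ciphertext to its share."""
    return pow(c, share, N)


def scaled_lagrange(group: list, j: int, delta: int) -> int:
    """delta * lambda_j(0) for the interpolation set `group`; delta = n!
    clears every denominator, so the result is an exact integer."""
    num = den = 1
    for m in group:
        if m != j:
            num, den = num * -m, den * (j - m)
    assert (delta * num) % den == 0
    return delta * num // den


def combine(c: int, partials: dict, n: int) -> int:
    """Combiner (TA1's role): recover m = c^D mod N from t partial results
    without learning D or any individual share."""
    delta, group, y = factorial(n), list(partials), 1
    for j, x in partials.items():
        # Negative exponents are modular inverses (Python 3.8+).
        y = y * pow(x, scaled_lagrange(group, j, delta), N) % N
    # Now y = c^(delta*D) = m^delta and c = m^E, with gcd(delta, E) = 1.
    a = pow(delta, -1, E)            # a*delta == 1 (mod E)
    b = (1 - a * delta) // E         # so a*delta + b*E == 1 (b is negative)
    return pow(y, a, N) * pow(c, b, N) % N


def track(identity: bytes, n: int, t: int, group: list) -> bytes:
    """End to end: encrypt an identity, deal shares, let `group` cooperate."""
    ids = list(range(1, n + 1))
    c = pow(int.from_bytes(identity, "big"), E, N)   # modelled pseudonym
    dealt = [deal(p, t, ids) for p in additive_pieces(n)]
    partials = {j: partial_result(c, secret_share(dealt, j)) for j in group}
    m = combine(c, partials, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


if __name__ == "__main__":
    # Constructed identity; 3 of 5 authorities cooperate.
    print(track(b"VEH-ID-0042", 5, 3, [1, 3, 5]))
```

A group smaller than the threshold interpolates a different polynomial and recovers garbage, which is the property that keeps a minority of compromised authorities from disclosing an identity.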
6.1. Security Analysis
Proposition 1. Neither issuing authorities nor other vehicles can determine the relationship between a pseudonym and an identity in the protocol family, so the scheme achieves anonymity.
Proof. (1) During the issuance stage, PCA gets . picks randomly, so PCA cannot get and . Though PCA knows , it cannot establish the relationship between and .
(2) Other vehicles get the signed messages and extract . They do not know TAs’ private key and thus cannot obtain ’s identity .
Proposition 2. The authorities in TAs can disclose the identity from a pseudonym , so the scheme achieves traceability.
Proof. Let , , and then , indicating .
Since , this gives . Let ; then
Construct a degree polynomial , obviously satisfying and . According to the Lagrange interpolation formula , let , so Since , , , therefore .
Taking the formula (10) into the formula (9), we can obtain the following formula:
Consider the issuance protocol and obtain
Compute with and obtain ’s identity .
Proposition 3. Regardless of the PCA, the vehicles and the outside attacker, forging the pseudonym certificate is as difficult as solving a large integer factorization problem.
Proof. A pseudonym is coproduced by and PCA, because is provided by and is provided by PCA. (1) PCA cannot provide to forge a pseudonym. (2) cannot provide to forge the pseudonym of . (3) An external attacker without ’s and PCA’s private keys cannot pass the authentication, because the issuance protocol uses two-way authentication. Therefore, the attacker can neither obtain the blind signature nor impersonate PCA to sign the pseudonym certificate.
In short, forging an RSA signature or cracking an RSA cipher is as difficult as factorizing a large integer, so the scheme achieves unforgeability.
Proposition 4. The scheme is robust.
Proof. (1) The separation of pseudonym issuance authorities and tracking authorities, to some extent, reduces the risk.
(2) Some PCAs are deployed in the model. Once a PCA fails, other PCAs can still provide pseudonym issuance service.
(3) In the pseudonymous authentication protocol, the optimal number of messages with the pseudonym certificates is suggested. It ensures the message authentication probability . That means when a message arrives, a vehicle can verify the signature with high probability. Therefore, the protocol not only reduces the communication overhead but also ensures robustness.
(4) During the TAs initialization stage, the generation of modulus and the generation of the private key and the secret share are distributed fully. So, the scheme does not require a trusted center, and it avoids any single point of failure.
(5) During the TAs operation stage, as long as the number of compromised members is not more than , privacy cannot be leaked.
We further compared our scheme with similar works that are intended to ensure conditional privacy preserving communication [7, 14]. The results of comparisons of security features among our scheme, Lin et al.'s scheme , and Schaub et al.'s scheme are shown in Table 1. All the three schemes provide anonymity, traceability, and authentication.
Lin et al.’s scheme is based on a group signature method, in which a member manager (MM) generates member private keys and sends them privately; MM knows all private keys, and it can forge a valid group signature on an arbitrary message. Schaub et al.’s scheme adopts a blind signature method to issue certificates, and thus CA or PP does not know the relationship between an identity and a pseudonym; unfortunately, CA or PP can forge a pseudonym certificate for itself. Therefore, Lin et al.’s and Schaub et al.’s schemes are not secure against authority forge attacks. In our scheme, a pseudonym is coproduced by a manager and a vehicle; neither PCA nor is capable of providing complete data to forge a pseudonym; our scheme is unforgeable, especially against authority forge attacks.
As mentioned in Section 5, the tracking methods for Lin et al., Schaub et al. and ours are centralized, distributed, and fully distributed, respectively. Our scheme has better robustness.
6.2. Performance Analysis
6.2.1. Computation Overhead
To simplify the evaluation of the protocol's computation cost, we ignore the cost of operations such as a hash function and a multiplication operation, since they are quite light in terms of load. We focus on the time-consuming operations defined in the following notations.
: The time of executing a bilinear map operation.
: The time of executing a modular exponentiation operation in the cyclic group.
: The time of executing RSA encryption or RSA verification.
: The time of executing RSA decryption or RSA signature.
To provide precise comparisons of computation cost, we use the experimental data in [24–26]. The experiments were run on a standard PC with a Pentium IV processor at a maximum clock speed of 3 GHz. The pairing system is the Tate pairing. The order of a nonsupersingular curve over a finite field is 160 bits, which is as difficult to break as 1024-bit RSA. In this environment, a bilinear map operation takes 4.5 ms and a modular exponentiation operation takes 0.6 ms [25, 26]. RSA encryption/verification takes 0.2 ms and RSA decryption/signature takes 4 ms.
The results of comparisons of computation cost are shown in Table 2, where is the number of pseudonym certificates obtained at one time and is the number of tracking authorities. Some common parameters and secret keys are generated in the system initialization, and for convenience we did not evaluate the computation cost of the initialization in all the three schemes. In Schaub et al.’s scheme and ours, the average computation costs for issuance and tracking are considered.
Compared with Lin et al.’s scheme, ours and Schaub et al.’s scheme require less computation for signature and verification and more computation for issuance and tracking. Compared with Schaub et al.’s, our scheme requires less computation for issuance if and more computation for tracking.
6.2.2. Communication Overhead
In Table 3, is the number of signed messages and is the number of signed messages with pseudonym certificate during one pseudonym period in the authentication protocol; is the threshold value in the distributed tracking protocol. The communication cost of Lin et al.’s scheme is the lowest, but their scheme suffered from the private key revealing attacks, in which MM knows the private key of each member. Schaub et al.’s scheme and ours rely on the blind signature method and achieve vehicular privacy protection in the presence of the authority. Compared with Schaub et al.’s scheme, our scheme is efficient in terms of the communication overhead.
6.2.3. Storage Overhead
In Schaub et al.’s scheme and ours, the storage cost of the vehicle is high because some pseudonym certificates need to be stored; the storage cost of the manager for tracking is very little because an identity can be obtained directly from the pseudonym certificate. On the contrary, the storage cost of the manager in Lin et al.’s scheme is high because the record set needs to be stored.
In this paper, a secure and efficient pseudonym management scheme for vehicular ad hoc networks is proposed. The scheme not only maintains the property of conditional privacy preservation but also provides the advantages in security against authority forge attacks and better robustness. In the scheme, a pseudonym is coproduced by and PCA to avoid the deception of either party. A blind signature method is used to achieve the separation of issuance and tracking. Based on the improved share generation scheme of the RSA keys, the distributed tracking protocol is proposed to avoid a single point of failure. By searching for the optimal number of messages with a pseudonym certificate, the efficient pseudonym authentication mechanism is given to reduce communication overhead. By uniting the pseudonym issuance protocol and the tracking protocol, malicious vehicles are revoked easily. Moreover, compared with Schaub et al.’s scheme, the communication cost and computation cost in our scheme are lower. As a result, our proposed scheme is suitable for anonymous communication with tracking requirements in VANETs, since it provides security, robustness, and efficiency.
For future research, we will discuss interdependencies of various factors, establish systematic evaluation mechanism of the overall performance, and further enhance the performance.
The authors acknowledge the financial support of the National Natural Science Foundation of China (no. 60873195), the National High Technology Research and Development Program (“863” Program) of China (no. 2011AA060406), and the Natural Science Foundation of Anhui Province (no. 090412051). The authors are grateful to the anonymous referee for the careful checking and helpful comments that improved this paper.
[1] J. Blum, A. Eskandarian, and L. Hoffman, “Challenges of intervehicle adhoc networks,” IEEE Transactions on Intelligent Transportation Systems, vol. 5, no. 4, pp. 347–351, 2004.
[2] J. P. Hubaux, S. Capkun, and J. Luo, “The security and privacy of smart vehicles,” IEEE Security and Privacy, vol. 2, no. 3, pp. 49–55, 2004.
[3] B. Parno and A. Perrig, “Challenges in securing vehicular networks,” in Proceedings of the 4th Workshop on Hot Topics in Networks (HotNets-IV), pp. 1–6, College Park, Md, USA, November 2005.
[4] S. Zeadally, R. Hunt, Y. S. Chen, A. Irwin, and A. Hassan, “Vehicular ad hoc networks (VANETS): status, results, and challenges,” Telecommunication Systems, vol. 50, no. 4, pp. 217–241, 2012.
[5] M. Raya and J. P. Hubaux, “The security of vehicular ad hoc networks,” in Proceedings of the 3rd ACM workshop on Security of ad hoc and sensor networks (SASN '05), pp. 11–21, Alexandria, Va, USA, November 2005.
[6] M. Raya and J. P. Hubaux, “Securing vehicular ad hoc networks,” Journal of Computer Security, vol. 15, no. 1, pp. 39–68, 2007.
[7] X. Lin, X. Sun, P. H. Ho, and X. Shen, “GSIS: a secure and privacy-preserving protocol for vehicular communications,” IEEE Transactions on Vehicular Technology, vol. 56, no. 6, pp. 3442–3456, 2007.
[8] G. Calandriello, P. Papadimitratos, J. P. Hubaux, and A. Lioy, “Efficient and robust pseudonymous authentication in VANET,” in Proceedings of the 4th ACM International Workshop on Vehicular Ad Hoc Networks (VANET '07), pp. 19–28, Montreal, Canada, September 2007.
[9] G. Calandriello, P. Papadimitratos, J. P. Hubaux, and A. Lioy, “On the performance of secure vehicular communication systems,” IEEE Transactions on Dependable and Secure Computing, vol. 8, no. 6, pp. 898–912, 2011.
[10] R. Lu, X. Lin, H. Zhu et al., “ECPP: efficient conditional privacy preservation protocol for secure vehicular communications,” in Proceedings of the IEEE 27th Conference on Computer Communications (INFOCOM '08), pp. 1229–1237, Phoenix, Ariz, USA, 2008.
[11] L. Zhang, Q. Wu, A. Solanas, and J. Domingo-Ferrer, “A scalable robust authentication protocol for secure vehicular communications,” IEEE Transactions on Vehicular Technology, vol. 59, no. 4, pp. 1606–1617, 2010.
[12] Y. Hao, Y. Cheng, C. Zhou, and W. Song, “A distributed key management framework with cooperative message authentication in VANETs,” IEEE Journal on Selected Areas in Communications, vol. 29, no. 3, pp. 616–629, 2011.
[13] D. Boneh, X. Boyen, and H. Shacham, “Short group signatures,” in Advances in Crypto '04, vol. 3152 of Lecture Notes in Computer Science (LNCS), pp. 41–55, 2004.
[14] F. Schaub, F. Kargl, Z. Ma, and M. Weber, “V-tokens for conditional pseudonymity in VANETs,” in Proceedings of the IEEE Wireless Communications and Networking Conference (WCNC '10), pp. 1–6, Sydney, Australia, April 2010.
[15] P. Papadimitratos, L. Buttyan, T. Holczer et al., “Secure vehicular communication systems: design and architecture,” IEEE Communications Magazine, vol. 46, no. 11, pp. 100–109, 2008.
[16] D. Chaum, “Blind signatures for untraceable payments,” in Advances in Crypto '82, pp. 199–203, Plenum, 1982.
[17] R. Housley, W. Ford, W. Polk, and D. Solo, “Internet X. 509 Public Key Infrastructure Certificate and CRL Profile,” 2011, http://www.ietf.org/rfc/rfc2459.txt.
[18] E. Schoch and F. Kargl, “On the efficiency of secure beaconing in VANETs,” in Proceedings of the 3rd ACM Conference on Wireless Network Security (WiSec '10), pp. 111–116, New York, NY, USA, March 2010.
[19] M. Feiri, J. Petit, and F. Kargl, “Congestion-based certificate omission in VANETs,” in Proceedings of the 9th ACM international workshop on Vehicular Inter-Networking, Systems, and Applications, pp. 135–138, 2012.
[20] A. Shamir, “How to share a secret,” Communications of the ACM, vol. 22, no. 11, pp. 612–613, 1979.
[21] D. Boneh and M. Franklin, “Efficient generation of shared rsa keys,” in Proceedings of Crypto '97, pp. 425–439, 1997.
[22] C. Cocks, “Split knowledge generation of rsa parameters,” in Proceedings of the 6th IMA International Conference on Cryptography and Coding, pp. 89–95, 1997.
[23] M. Malkin, T. Wu, and D. Boneh, “Experimenting with shared generation of RSA keys,” in Proceedings of the Internet Society's 1999 Symposium on Network and Distributed System Security, pp. 43–56, San Diego, Calif, USA, 1999.
[24] OpenSSL, “The Open Source Toolkit for SSL/TLS,” 2012, http://openssl.org/.
[25] M. Scott, “Efficient implementation of cryptographic pairings,” 2007, ftp://ftp.disi.unige.it/pub/.person/MoraF/CRYPTO/PARING/mscott-samos07.pdf.
[26] L. Chen, S. L. Ng, and G. Wang, “Threshold anonymous announcement in VANETs,” IEEE Journal on Selected Areas in Communications, vol. 29, no. 3, pp. 605–615, 2011.