Deep Structure Representation and Learning for Complex Information NetworksView this Special Issue
Anonymous Authentication and Key Agreement Scheme Combining the Group Key for Vehicular Ad Hoc Networks
Vehicular ad hoc network (VANET) is a multihop mobile wireless communication network that can realize many vehicle-related applications through multitop communication. In the open wireless communication environment, security and privacy protection are important contents of VANET research. The most basic method of VANET privacy protection is anonymous authentication. Even through, there are many existing schemes to provide anonymous authentication for VANETs. Many existing schemes suffer from high computational cost by using bilinear pairing operation or need the assistance of the trust authorities (TAs) during the authentication process or rely on an ideal tamper-proof device (TPD), which requires very strong security assumption. In this study, an anonymous authentication and key negotiation scheme by using private key and group key is proposed, which is based on pseudonym using the nonsingular elliptic curve. In this scheme, there is no third party trust center to participate in the authentication, there is no need to query the database, and there is no need of the local database to save the identity information of many vehicles, which reduce the storage space and the authentication time compared with other schemes. The proposed scheme only needs realistic TPDs. In the proposed scheme, TPDs do not need to preinstall the system key as many other schemes do; hence, the failure of a single TPD does not affect the security of the entire system. The security of the scheme is proved under the random oracle model. Compared with the related schemes using bilinear pairings, the computational cost and communication cost of the proposed scheme are reduced by 82% and 50%, respectively.
With the development of network technology, there are many forms of network and new technologies [1, 2]. Vehicular ad hoc network (VANET) is a highly mobile self-organizing wireless communication network. By using VANET, vehicles in front can in a timely manner report the road condition information to the rear vehicles; this can improve the travel efficiency and reduce road congestion and traffic accidents. VANET plays a significant role in traffic optimization and safety . Since VANET mainly adopts a wireless communication mode, messages are vulnerable to various attacks, such as counterfeiting, interception, tampering, tracking, and other attacks [4, 5]. These attacks seriously threaten the safety of vehicles and the privacy of users. Therefore, security authentication and privacy protection are important research directions of VANET. VANET generally has the following main components: road side unit (RSU), trust agency (TA), and on-board unit (OBU) . OBU is installed in the vehicle and can realize the communication between the vehicle and RSU or other vehicles. The communication between OBU and RSU adopts dedicated short range communication (DSRC) . The communication with vehicles requires authenticating one another and negotiating the communication key to prevent attacks such as tracking, privacy exposure, and message counterfeiting. Authentication and key agreement in VANETs are anonymous. Hence, even if an attacker intercepts the message, the specific source of the message cannot be determined. Additionally, the authority of VANET can identify every message sent by vehicles, and this can prevent vehicles from sending false messages maliciously.
1.1. Related Works
In recent years, some authentication protocols based on public key infrastructure (PKI) [8–10] have been proposed. In these works, some anonymous authentication and key agreement schemes are proposed, in which a large number of certificates are assigned to vehicles. However, these schemes require vehicles to be equipped with many anonymous certificates in advance; this leads to many problems such as certificate storage and certificate management. Lu et al.  proposed a key agreement and authentication scheme for generating a short-term key and certificate between the vehicle and RSU. However, the communication efficiency of the scheme is low due to the frequent interaction between the vehicle and RSU for changing the authenticated group. Rajput et al.  proposed an anonymous authentication scheme with hierarchical privacy protection to solve the defects based on PKI. This protocol does not need to manage the certificate revocation list (CRL), and each vehicle uses two pseudonyms to complete anonymous authentication, but once the pseudonym expires, the vehicle needs to acquire the pseudonym from TA or RSU again; this increased the number of communications. Wang  proposed a local identity-based anonymous authentication protocol for VANET (LIAP). In this method, each vehicle and RSU are assigned a unique long-term certificate from the certification authority (CA) in the registration phase. The vehicle and RSU complete mutual authentication through certificates. After successful authentication, RSU distributes a local-master key to the vehicle. The vehicle randomly generates a pseudonym to communicate with the RSU through the local-master key. The use of the local-master key improves the communication efficiency and system security. But this scheme needs to manage CRL.
The storage and management of certificates restrict the development of authentication schemes based on PKI. To overcome the problems caused by authentication certificates, some identity-based public key cryptosystems are introduced into authentication of VANET [4, 14–19]. In 1984, Miller first proposed an identity cryptosystem . In this cryptosystem, the user’s public key is calculated by the user’s identity, and the user’s private key is generated by the authentication center through the system key according to the user’s identity. In 2008, Zhang et al.  proposed an authentication protocol for VANET using the identity of the vehicle user, solving the certificate storage and management problem and supporting batch authentication. In 2011, Huang  proposed an anonymous batch authenticated and key agreement scheme based on identity authentication for VANET. Shim et al.  noted that the scheme  was vulnerable to replay attack and did not achieve the nonrepudiation of signature and proposed a vehicle-to-infrastructure (V2I) authentication scheme. However, the scheme is vulnerable to tampering attacks  and cannot satisfy its claimed chosen message attack resistance . Wang et al.  mentioned that Huang et al.  could not resist a collusion attack, and therefore, they proposed an improved scheme. And, in , it is indicated that the scheme  cannot resist replay attacks and cannot track the real identity of the message sender. In 2016, Azees and Vijayakumar  proposed a novel key distribution scheme for secure group communication using Lagrange polynomials. The limitation of the scheme is that it only provides one-way authentication from vehicle to TA. Then, Vijayakumar et al.  proposed a privacy-preserving anonymous mutual and batch authentication scheme for vehicle-to-vehicle. This scheme implements the authentication of message source and message integrity and has the mechanism of tracking and revoking vehicles. In 2017, Azees et al.  proposed an anonymous authentication scheme to avoid malicious vehicles into the VANET based on bilinear pairing. Each user computes multiple temporary short time certificates to realize anonymous authentication in the scheme. The scheme has high computing performance and security. However, the dummy identity () in each certificate is the same, and the scheme does not consider the unlinkability of different sessions. In 2018, Pournaghi et al. . proposed an anonymous authentication and key agreement scheme combining TPD and RSU. The scheme saves the system master key in the TPD of RSU instead of the TPD of each vehicle, which improves the security and authentication efficiency of the system. In 2019, Ikram et al.  proposed a conditional privacy-preserving authentication scheme for V2I. This scheme uses general one-way hash functions instead of map-to-point hash functions to achieve high efficiency.
The identity-based authentication schemes for VANET address the problems presented by the schemes based on PKI. The existing schemes [21–25] are novel in design and have good security. However, the bilinear pairing operations of elliptic curve are used, and the computational efficiency of bilinear pairing operation is low. The works [26–28] based on pseudonym on elliptic curve, which do not use bilinear pairing operation and have achieved high computational efficiency. However, TA is required to participate in authentication, this increases communication times and communication burden. He et al.  proposed a privacy protection authentication scheme based on identity. This scheme also uses elliptic curve instead of bilinear pairing operations and achieves satisfactory performance in both computation and communication. However, the scheme is based on ideal TPD, and the master key is stored on the TPD of each vehicle. Islam et al.  proposed a conditional privacy-preserving authentication scheme based on hash function. And the scheme offers group-key generation, user leaving, user join, and password change facilities. The scheme does not need bilinear pairing mapping or elliptic curve operation and is lightweight in terms computation and communication. However, TA is required to participate in each authentication between the vehicle and RSU. Wu et al.  proposed an effective location-based conditional secret authentication scheme. The scheme does not require bilinear pairing operations or TPDs. However, when RSU is certified by vehicle, TA needs to query the database and return the results. Cui et al.  proposed a scheme without relying on any special hardware such as TPD. The scheme is based on elliptic discrete logarithm and has high computational performance. The cuckoo filter and binary tree search method are used to achieve a higher success rate in batch authentication. However, TA is required to generate communication key for the vehicle and RSU. Zhong et al.  proposed an authentication and key agreement scheme based on hash function and registration list. And the scheme does not require the strong security assumptions of TPD. Xiong Li et al.  proposed a lightweight authentication scheme for VANETs with only hash functions and exclusive-OR operations. Compared with previous schemes, the computational cost of the schemes [32, 33] has been greatly improved. However, the schemes also need TA to participate in the authentication. In recent years, there are some authentication schemes using group key, which can reduce the authentication burden of TA. The works [34, 35] introduce group key management schemes based on Chinese remainder theorem, which reduces computation complexity of the key server. In 2019, Jing Zhang et al.  proposed a message authentication scheme based on the group key using Chinese remainder theorem. The TPD of the vehicle only save the real identity and the group key. So the proposed scheme only requires realistic TPDs and ensures higher security for the entire system. In 2020, Wei et al.  proposed tow privacy-preserving multimodal implicit authentication protocols for Internet of connected vehicles. The proposed protocols use the password and vehicle owner’s behavior features as the authentication factors skillfully and do not reveal any information about vehicle owner’s behavior. The protocols have advantages in computational cost and accuracy. However, the protocols do not consider the unlinkability of sessions. Vinoth et al.  proposed a multifactor authenticated key agreement scheme for industrial Internet of things (IoT). The scheme implements authentication and key agreement between the user and multiple sensing devices at the same time. The scheme only used hash function, bit-wise XOR operation, and symmetric cryptography. It has less communication cost and computational cost compared with other correlative schemes. However, the scheme does not consider internal attack.
1.2. Our Contributions
In this study, an anonymous authentication and key agreement scheme based on elliptic curve for VANET is proposed. Each vehicle is equipped with a TPD. The TPD saves the private key of the vehicle and the group key for multivehicle communication. The vehicle can authenticate with RSU anonymously by combining a private key with a group key. After successful authentication, the session key can be negotiated for both parties. The scheme can also implement message signature and anonymous verification. In this scheme, the TPD only saves the private key of the vehicle and the group key instead of the system key. The attack on the TPD will not affect other nodes in VANET. So, we only need realistic TPD instead of ideal TPD. There is no need for the third party to participate in the authentication and key agreement between vehicle and RSU compared with the works [6, 30–33], and there is no need to query the database in the scheme. In addition, the use of group key in this scheme can help RSU resist certain denial of service (DoS) attacks.
The main contributions of this study are summarized as follows.(1)In order to optimize the computational cost and key management, we present an efficient anonymous authentication and key agreement scheme for RSUs and vehicles using the private key of the vehicle and the group key(2)In order to reduce the communication time and storage space, we implement independent authentication and key agreement between vehicle and RSU, and RSU does not need to save vehicle information or query database.(3)In this scheme, we also implement anonymous signature and verification of messages(4)In this scheme, we use realistic TPDs instead of ideal TPDs, which is more suitable for VANET
1.3. Organization of This Article
The rest of the study is structured as follows: Section 2 describes the preliminaries of the proposed scheme, Section 3 gives the working of the proposed scheme, Sections 4 and 5 present a security analysis and a performance analysis, respectively. Our study is concluded in Section 6.
In this section, we introduce the related background information of VANET and the proposed scheme.
2.1. Network Model
As shown in Figure 1, the network model of VANET mainly includes TA, RSU, OBU, TPD, and application server (AS). TA is a trusted service center. It is responsible for generating the private and public keys for RSU and vehicle and the group key for multivehicle communication. TA is an entity with the highest level of security protection and is completely trusted. RSU is the communication equipment installed on both sides of the road, with high security, thus providing access service for vehicles. The RSU communicates with the vehicle using DSRC protocol. Each vehicle is equipped with an OBU. The OBU of the vehicle realizes short distance communication with RSU and OBUs of other vehicles. TA allocates a TPD to each vehicle. TPD has high security, and other attackers cannot obtain sensitive information from the device . AS is an application server and provides data service for TA. AS has high security and is credible.
2.2. Elliptic Curve
Suppose that FP denotes a finite field of order p, where p is a large prime number. E denotes an elliptic curve over FP. The curve E is defined as , where . The group G is a cyclic additive group of order q on E, and P is the generator and O is the infinite point.
The group G has the following properties:(1)Additive (±). For , if P ≠Q, R = P + Q, then R is the intersection point of the straight line passing through P and Q with E; if P = Q, R = P + Q, then R is the tangent intersection point of P and Q with E; if P = -Q, then P + Q = P - P = O.(2)Scalar multiplication (.). Let , scalar point multiplication in G is defined as m. P = P + P + … + P (m times).
Two difficult problems are defined as follows:
Definition 1. Elliptic curve discrete logarithm problem (ECDLP). Let Q be a random point on G and calculate a solution x which satisfies Q = xP, where .
Definition 2. Elliptic curve computational Diffie–Hellman problem (ECCDH). Assume a generator P of G, , where are unknown. The ECCDH problem is to compute .
If ECDLP or ECCDH on a group G cannot be solved with nonnegligible probability in time t, then ECDLP or ECCDH is said to be a difficult problem on elliptic curve.
2.3. Security Requirements
The open multihop wireless network is vulnerable to various attacks. Therefore, the authentication and key agreement for VANET need to meet the following security requirements [29, 39]:(1)Authentication and integrity. After receiving the message, VANET needs to determine whether the source of the message is reliable and whether the message has been tampered by others(2)Privacy protection. When users are communicating, VANET should protect the confidential information such as user’s identity, session record, location, and driving path. VANET provides privacy protection by imparting anonymity.(3)Session key agreement. When the vehicle transmits data with RSU, the session key should be used to encrypt the data to protect the session privacy(4)Traceability. To prevent malicious users from sending false messages by anonymity, the authentication scheme should trace the real identity of the sender when the message is in dispute(5)Resistance to attacks. VANET is vulnerable to various attacks, such as replay attacks and forgery attacks. Authentication and key agreement of VANET needs to be able to resist all kinds of attacks to ensure the security and reliability of the scheme.(6)Unlinkability. In order to protect privacy, attackers or other vehicles cannot link different sessions of the same vehicle via the public channel.
3. Proposed Authentication Scheme for VANET
Our scheme includes the following phases: initialization, RSU and vehicle registration, authentication and communication key agreement, message signing, signature verification, identity extraction, and updating the group key. The mutual authentication and the key agreement process between RSU and the vehicle is shown in Figure 2. The main notations used in the scheme are given in Table 1.
3.1. Initialization Phase
TA selects random numbers , s is the private key of the system, x is the group key for multivehicle communication, and it can be used to compute the public key . Furthermore, . TA selects five secure hash functions: , , , , , and . TA also broadcasts the system parameters: .
3.2. RSU and Vehicle Registration Phase
Roadside unit RSUj applies to TA for registration. After TA verifies the information of RSUj successfully, it allocates the identity IDj to RSUj. Then, TA selects a random number , computes and . TA also generates the private key and then returns , to RSUj. RSUj computes and verifies whether the following equation holds.
If (1) holds, RSUj broadcasts Rj, IDj, and Pj. Otherwise, the message is rejected. After RSU broadcasts the public key Pj, the vehicle can use Pj to compute the pseudonym of the vehicle. The detailed process is shown in Section 3.3.
During the registration process, the vehicle users go to TA directly. The vehicle users submit the required information such as identification, phone number, and license, etc., to TA. TA checks whether the vehicle user is qualified. If the vehicle user is qualified, TA allocates a TPD to the vehicle Vi and assigns a unique identity RIDi to the vehicle Vi. TA allows users to set a username and password for TPD. Then, TA chooses a random number and computes , , , and . TA saves , , , , and in the TPD of the vehicle Vi. At the same time, the vehicle information such as RIDi, Ri, and Pi is saved in AS.
3.3. Authentication and Communication Key Agreement Phase
RSUj broadcasts , and ; the OBU of the vehicle receives them and verifies whether (1) holds. If it holds, the OBU forwards them to the TPD of the vehicle. The TPD selects the random numbers , and the timestamp Ti. The TPD computes the pseudonym and generates the signatures and , where , , , , and . It sends to RSUj through the OBU.
RSUj receives ), and then, it computes and verifies whether the following equation holds.
If (2) holds, RSUj computes , , , and and verifies whether the following equation holds.if both (2) and (3) hold, the vehicle is legal. RSUj chooses a random number and computes , , , and . RSUj sends to the vehicle Vi.
The vehicle Vi receives, and then, it computes and and verifies whether the following equation holds.
If (4) holds, the vehicle Vi computes , which is the session key between Vi and RSUj.
The process of authentication and key agreement between vehicle and RSU is shown in Figure 2.
3.4. Message Signing Phase
When a vehicle needs to send a message in the area covered by the roadside unit RSUj, the TPD of the vehicle chooses a random number and the timestamp and computes , , the pseudonym , and , where , , and . The TPD then broadcasts the signature .
3.5. Signature Verification
RSUj receives , and then, it checks whether the timestamp Tm is within the valid time. If it is, RSUj extracts the real identity of the vehicle and computes , , , , , and verifies whether (5) holds.
If it holds, RSUj accepts the message. If it does not, it means that the TPD of the vehicle is damaged. For example, suppose the attackers stole the private and group keys of the TPD, faked the identity , generated the pseudonym , forged the signature (), and enabled it to satisfy (6). However, according to the TPD security assumption, this situation is extremely rare. If RSUj detects that the TPD has been attacked, it immediately broadcasts that the signature is not valid.
Other vehicles receive , and then, they check whether the timestamp Tm is within the valid time. If it is, the vehicles compute and and verify whether the following equation holds.
If it does and the vehicles do not receive an invalid signature broadcasted by RSUj within the specified time, the vehicles accept the message Mi.
3.6. Identity Extraction
When a valid message signature is in dispute, it is necessary to track the real identity of a vehicle. RSUj can extract the real identity of the vehicle through computing .
3.7. Updating the Group Key Phase
TA chooses a random number and the timestamp and computes , , , where is as a new group public key. TA broadcasts the signature .
After the vehicles receive, they compute and verify whether the following equation holds. If it does, the vehicles update the group key as .
4. Security Analysis
Under the random oracle model, the security model of  is used to prove the security of our scheme.
4.1. Proof of Safety
Lemma 1. The authentication request message of the vehicle cannot be forged. When ECDLP is a difficult problem, our scheme can resist the forgery attack of adaptive chosen message.
Proof:. We assume that there is an attacker Ad who can successfully forge the request message of a vehicle in polynomial time . Given an ECDLP instance , the challenger Ch can solve the ECDLP in polynomial time .
The challenger Ch sets system parameters paras = . Ch randomly chooses RIDi of a vehicle as the identity of the challenger Ch. Ch builds and maintains six hash lists: , where . Finally, Ch sends params to Ad.
h1- Oracle. When Ad makes a query with , Ch checks whether the tuple is already in Lh1 or not. If it is, Ch sends to Ad. Otherwise, Ch randomly selects and adds to Lh1. Finally, Ch sends to Ad.
h2- Oracle. When Ad makes a query with , Ch checks whether the tuple is already in Lh2 or not. If it is, Ch sends to Ad. Otherwise, Ch randomly selects and adds to Lh2. Finally, Ch sends to Ad.
h3- Oracle. When Ad makes a query with , Ch checks whether the tuple is already in Lh3 or not. If it is, Ch sends to Ad. Otherwise, Ch randomly selects and adds to Lh3. Finally, Ch sends to Ad.
Extract (RIDi). Ch builds and maintains the list . When Ad makes a query with and , Ch checks whether the tuple is in . If it is, Ch sends to Ad. Otherwise, Ch randomly selects , lets , and adds them to . Finally, Ch sends to Ad.
Sign-Oracle. When Ad makes a query with , Ch randomly selects and sets , , , and . Finally, Ch sends to Ad.
Output. Finally, Ad outputs an authentication request message with nonnegligible probability. According to the forgery lemma ,.Ad chooses different and and generates another valid authentication request message in polynomial time. At this time, the two authentication request messages satisfy the following:From (8)–(11), we can obtainNow, according to (12) and (13), Ad outputs, and .However, solving x or s is an ECDLP problem. Furthermore, it is impossible for an adversary to solve the ECDLP problem in polynomial time.
Lemma 2. The authentication response message cannot be forged. Since ECDLP is difficult to solve, our scheme can resist the forgery attack of adaptive chosen message.
Proof. We assume that there is an attacker Ad who can successfully forge an authentication response message in polynomial time. Given an ECDLP instance , then the challenger Ch can solve the ECDLP with nonnegligible probability. The challenger Ch sets system parameters paras = . Ch builds and maintains six lists: , where . Finally, Ch sends params to Ad.
h1-Oracle. When Ad makes a query with , Ch checks whether the tuple is already in Lh1 or not. If it is, Ch sends to Ad. Otherwise, Ch randomly selects and adds to Lh1. Finally, Ch sends to Ad.
h2-Oracle. When Ad makes a query with , Ch checks whether the tuple is already in Lh2 or not. If it is, Ch sends to Ad. Otherwise, Ch randomly selects and adds to hh22. Finally, Ch sends to Ad.
Extract (IDj). Ch builds and maintains the list . When Ad makes a query with , Ch checks whether the tuple is in LR. If it is, Ch sends to Ad. Otherwise, Ch randomly selects, lets , and adds to LR. Finally, Ch sends to Ad.
Sign - Oracle. When Ad makes a query with (), Ch randomly chooses and sets . Finally, Ch sends to Ad.
Output. Finally, Ad outputs an authentication request message with nonnegligible probability. According to the forgery lemma .Ad chooses different and generates another valid authentication request message in polynomial time. Now, the two authentication request messages satisfy the following:From (14) and (15), we can deduce the following expression:Next, Ch can output . However, solving s is an ECDLP, which is impossible for an adversary to solve in polynomial time.
Theorem 1. From Lemma 1 and Lemma 2, we know that when the ECDLP problem is difficult to solve, and the adversary cannot forge the authentication request message and response message, that is, our authentication scheme can resist adaptive chosen message forgery attack.
Theorem 2. The message signature cannot be forged. Since ECDLP is hard to solve, our scheme can resist the forgery attack of adaptive chosen message attack.
Proof. We assume that there is an attacker Ad who can successfully forge an authentication response message in polynomial time. Given an ECDLP instance , the challenger Ch can solve the ECDLP in polynomial time .
The challenger Ch sets system parameters paras = . Ch randomly chooses IDj as the identity of the challenger Ch. Ch builds and maintains six lists: , where . Then, Ad adaptively queries the oracle machine to Ch, and Ch replies to Ad in the following way.
When Ad makes a query with , Ch randomly chooses , and ; furthermore, it sets . Finally, Ch sends to Ad.
Subsequently, Ad outputs a valid signature with a nonnegligible probability. According to the forgery lemma , Ad chooses different and generates another valid signature in polynomial time. At this time, the two signatures satisfy the following relationships:From (17) and (18), we can obtain the following equation:Now, according to (19), Ch can output . However, solving for x is an ECDLP problem, which is impossible for an adversary to solve in polynomial time. Thus, our proposed signature scheme under the random oracle model is resistant against a chosen adaptive message attack.
Theorem 3. The key agreement of our scheme is secure under the ECCDH problem.
Proof. Given an ECCDH instance, and , where . In our key agreement, we let , ,. In this method, if the attacker Ad gets according to , the key negotiated between the vehicle and RSU can be obtained. However, it is impossible for the adversary to solve the ECCDH problem in polynomial time, implying that the key agreement proposed in this study is secure.
Theorem 4. In the random oracle model, we can achieve conditional anonymity and traceability.
Proof. In the proposed scheme, the authentication request message uses the pseudonym , where , . According to ECDLP, it is not feasible for the adversary to solve without knowing . The request authentication signatures are and , where , , and are the random numbers. Every time a vehicle is certified, it can produce unrelated pseudonyms and different authentication requests. Similarly, the pseudonym is also used in message signature , . The message signature is , , , and . The pseudonym used in the signature is different every time. Therefore, the scheme can provide anonymity for vehicle users in authentication and message signature. In addition, this scheme can also realize the traceability of the real identity; RSU can calculate the real identity of the vehicle through the private key. Similarly, through pseudonym of signature message , RSU can also calculate using the private key. Therefore, this scheme can realize the traceability of identity.
Theorem 5. In the proposed scheme, we can achieve unlinkability.
Proof. In our scheme, the authentication request message of the vehicle is different for each session. Meanwhile, the signature message is also different for each message. Therefore, all elements from the message of the vehicle are different, and any attacker cannot tell apart if two different messages from the same vehicle. Thus, our proposed scheme supports unlinkability.
4.2. Other Security Analysis and Feature Comparison
From Theorem 1 and Theorem 2, it is ascertained that under the random oracle model, the authentication, key agreement, and message signature can resist adaptive chosen message forgery attacks. Additionally, there is no need for the certification table or TA to participate in the certification between vehicle and RSU. Both authentication and message signature use timestamp, which can resist replay attack. In the authentication process, RSU first checks whether the group key signature is legal, and then, it verifies the vehicle private key signature. If the group key signature is illegal, the signature is discarded directly, which can resist DoS attack to a certain extent. In this scheme, the vehicle is equipped with a TPD, which stores the private key of the vehicle and the group key. Even if a single TPD is attacked, the attacker can only intercept the group key and the private key of the vehicle. The authentication, key agreement, and message signature all need the private key of the vehicle. Thus, the attacker can only forge the signature of a single vehicle, without affecting the communication security of other VANET nodes. The schemes [13, 24] keep the system key in the TPD of each vehicle; this requires a strong TPD security assumption. If a single TPD is successfully attacked, the whole system will not be secure. Table 2 provides the features comparison with other schemes. It can be seen from Table 2 that the proposed scheme has strong advantages in security and communication efficiency.
5. Performance Analysis
In this section, we analyze the computation cost and communication cost of message authentication.
5.1. Computation Performance Analysis
In this study, nonsingular elliptic curve cryptography is used, whereas bilinear pairing construction scheme is utilized in works [13, 24]. To compare at the same security level, we construct two 80 bit security level cryptographic operation schemes. Bilinear pairing cryptographic schemes are set as follows: . is a hyper singular curve with degree 2, where is a 512 bit prime. is an additive group based on with order and is the generator of with order . The elliptic curve cryptography of the same security level is set as follows: is a nonsuper singular elliptic curve, where p and q are 160 bit primes, . G is an additive group on E. P is the generator of G with order q. Let denote the execution time of bilinear pairing operation, scalar multiplication operation, and scalar addition operation, respectively. and denote the execution time of scalar multiplication and scalar addition on elliptic curve cryptography, and denotes the hash operation time of map-to-point. We use MIRACL cryptographic library, an i5-7200U processor with 2.5 GHz clock frequency and 8 GB memory in our experiment. The operating system is Windows 10. Table 3 provides the average execution time of cryptographic operations.
Next, we analyze the computation cost of the message signature and verification with the protocols given in Table 4. Message signature of LIAP  requires five bilinear scalar multiplication operations, one bilinear scalar addition operation, and one map-to-point operation; signature verification requires three bilinear pair operations, one bilinear scalar multiplication operation, and one map-to-point operation. Similarly, we can calculate the computation cost of message signature and signature verification for NECPPA , Wu et al.’ scheme , and our scheme. As given in Table 4, the message signature cost of the vehicle is 2.475 ms in our scheme. Compared with LIAP and NECPPA, the message signature computation cost of our scheme is reduced by 74% and 87%, respectively. However, compared with Wu et al., it costs 1.65 ms more. Compared with LIAP and NECPPA, the cost of signature verification is reduced by 69% and 87%, and it is equal to Wu et al.‘s scheme.
Figure 3 presents the comparisons of these computational costs graphically.
5.2. Communication Overhead
It can be seen from the analysis in the previous section that is 64 bytes, is 128 bytes, and is 20 bytes, is 40 bytes. Suppose the timestamp is 4 bytes, the hash function value is 20 bytes, and the other nongroup elements have a value of 20 bytes. The signature message of the proposed method is , and the communication length is 20 + 20 + 20 + 40 + 40 + 40 + 4 = 184 bytes. The signature message of LIAP is , and the communication length is 128 + 20 + 20 + 128 + 128 = 424 bytes. The signature message of NECPPA is , and the communication length is 128 + 20 + 128 + 20 + 20 = 316 bytes. The signature message of Wu et al.’ scheme is , and the communication length is 20 + 40 + 4 + 4 + 20 + 40 + 20 = 148 bytes. Compared with LIAP and NECPPA, the proposed scheme can save 57% and 42% of the communication cost, respectively. Compared with Wu et al.’ scheme, the communication length is slightly increased by 40 bytes. However, in the scheme proposed by Wu et al., RSU needs to store t pairs of the pseudonyms and local private keys  for each vehicle. When there are too many vehicles, it will cause a heavy burden on the memory of RSU. Similarly, each TPD also needs additional 60t bytes of storage space. The communication cost of message signature is provided in Table 5.
Figure 4 presents the comparisons graphically.
5.3. Comparison with Other Authentication Protocols
Wei et al.’ protocols  use cosine similarity to realize the authentication for the intelligent and the authentication server. They have less computation cost and better accuracy compared with other implicit authentication schemes. The optimized computation complexity of two protocols is 3O(n2.3) and 3O(n2.3) + 2Encp + Decp, respectively, where n is the dimension of the multimodal behavior feature vector, and Encp and Decp are Pailler operations; our scheme is based on elliptic curve. Elliptic curve can achieve high security in 160-bit finite field. The complex operation used in our scheme is scalar multiplication operation. The complexity of scalar multiplication operation can be optimized to O (k), where k is the length of the coefficient, which is 160-bit in our scheme. In the process of mutual authentication between the vehicle and RSU, there are 15 scalar multiplication operations, and the computation complexity is 15O (160). It can be seen from the above analysis that when n is small, the work  has an advantage in computation cost, and when n is large, our scheme is better. In addition, in Wei et al.’ protocols, the identity of the vehicle Ui is the same in different sessions, so they do not consider the unlinkability of sessions. In our scheme, we use different pseudonyms to realize unlinkability of the sessions.
Vinoth et at.’ scheme  is a lightweight authentication and key agreement scheme, which is better than our scheme in terms of computation cost, communication cost, and storage cost. However, the scheme does not consider the internal attack. If one sensing device is attacked, the symmetric key KEYGWN-Ui and the session key SK can be obtained by the attacker. The attacker can monitor the communication between the user and the gateway node as well as between the user and other sensing devices. In our scheme, the vehicle is equipped with TPD, which stores the private key of the vehicle and the group key. Even if a single TPD is attacked, the attacker can only intercept the group key and the private key of the vehicle. The authentication, key agreement, and message signature all need the private key of the vehicle. Thus, the attacker can only forge the signature of a single vehicle, without affecting the communication security of other VANET nodes.
The instantaneous characteristic of VANET communication requires high efficiency in authentication and key agreement. Therefore, this study proposes an efficient anonymous authentication and key agreement scheme. The scheme includes mutual authentication and key agreement between vehicle and RSU, as well as signature and verification of the vehicle message. In the proposed scheme, an elliptic curve is used to improve the efficiency of computation and communication. Our authentication and key agreement scheme does not need to communicate with the third party authority or establish a local database, and furthermore, it avoids database query operation. It can effectively save the communication time and storage space of related nodes and is more suitable for VANET. Compared with other schemes, this scheme also has strong computing and communication advantages in message authentication. However, we do not address key negotiation and authentication between vehicles and vehicles. Lightweight and effective encryption methods to achieve anonymous authentication and communication between vehicles and vehicles is a worthy research direction. The implementation of anonymous authentication and key agreement based on channel condition is also one of the directions worthy of discussion [41, 42].
In this study, the authentication technology combined with cryptography is mainly presented. At present, deep learning and cloud computing are increasingly used in network applications. In the next step, more technologies such as deep learning [43, 44] and cloud computing can be combined into authentication and privacy protection of VANET.
The data used to support the findings of this study are available from the corresponding author upon request.
Conflicts of Interest
The authors declare that they have no conflicts of interest.
This work was supported in part by the Natural Science Foundation of Anhui University (KJ2018A0396, KJ2017B015, KJ2019A0605, and KJ2020A0032), in part by the National Natural Science Foundation of China (61902140), and in part by the Anhui Provincial Natural Science Foundation (1908085QF288).
J. Wu and Z. Cai, “Attribute weighting via differential evolution algorithm for attribute weighted naive bayes (WNB),” Journal of Computational Information Systems, vol. 7, no. 5, pp. 1672–1679, 2011.View at: Google Scholar
C. Cseh, “Architecture of the dedicated short-range communications(DSRC) protocol,” in Proceedings of the 1998 IEEE Conference on Vehicular Technology (VTC), May 1998.View at: Google Scholar
C. Zhang, X. Lin, R. Lu, and P. H. Ho, “An efficient RSU-aided message authentication scheme in vehicular communication networks,” in Proceedings of IEEE International Conference on Communications, pp. 1451–1457, Phoenix, AZ, USA, 2008.View at: Google Scholar
R. Lu, X. Lin, H. Zhu, P. H. Ho, and X. Shen, “ECPP: efficient conditional privacy preservation protocol for secure vehicular communications,” in Proceedings of the 27th Conference on Computer Communications, pp. 1229–1237, Phoenix, AZ, USA, April 2008.View at: Google Scholar
V. S. Miller, “Use of elliptic curves in cryptography,” in Proceedings of CRYPTO: Conference on the Theory and Application of Cryptographic Techniques, vol. 218, pp. 417–426, Springer, Berlin, Germany, 1986.View at: Google Scholar
C. Zhang, R. Lu, X. Lin, P. H. Ho, and X. Shen, “An efficient identity-based batch verification scheme for vehicular sensor networks,” in Proceedings the 2008 IEEE Conference on Computer Communications, pp. 246–250, Phoenix, AZ, USA, April 2008.View at: Google Scholar
P. Vijayakumar, V. Chang, L. Jegatha Deborah, B. Balusamy, and P. G. Shynu, “Computationally efficient privacy preserving anonymous mutual and batch authentication schemes for vehicular ad hoc networks,” Future Generation Computer Systems, vol. 78, pp. 943–955, 2018.View at: Publisher Site | Google Scholar
M. A.P. Vijayakumar and L. J. Deboarh, “EAAP: efficient anonymous authentication with conditional privacy-preserving scheme for vehicular ad hoc networks,” IEEE Transactions on Intelligent Transportation Systems, vol. 18, no. 9, pp. 2467–2476, 2017.View at: Google Scholar
I. Ali and F. Li, “An efficient conditional privacy-preserving authentication scheme for Vehicle-To-Infrastructure communication in VANETs,” Vehicular Communications, vol. 22, 2019.View at: Google Scholar
J. Zhang, M. Xu, and L. Liu, “On the security of a secure batch verification with group testing for VANET,” International Journal of Network Security, vol. 16, no. 5, pp. 355–362, 2014.View at: Google Scholar
S. H. Islam, M. S. Obaidat, P. Vijayakumar, E. Abdulhay, F. Li, and M. K. C. Reddy, “A robust and efficient password-based conditional privacy preserving authentication and group-key agreement protocol for VANETs,” Future Generation Computer Systems, vol. 84, pp. 216–227, 2018.View at: Publisher Site | Google Scholar
H. Zhong, B. Huang, J. Cui, Y. Xu, and L. Liu, “Conditional privacy-preserving authentication using registration list in vehicular ad hoc networks,” IEEE Access, vol. 6, pp. 2241–2250, 2017.View at: Google Scholar
J. Zhang, J. Cui, H. Zhong, Z. Chen, and L. Liu, “PA-CRT: Chinese remainder theorem based conditional privacy-preserving authentication scheme in vehicular ad-hoc networks,” IEEE Transactions on Dependable and Secure Computing, vol. 18, no. 2, pp. 722–735, 2019.View at: Google Scholar
F. Wei, S. Zeadally, P. Vijayakumar, N. Kumar, and D. He, “An intelligent terminal based privacy-preserving multi-modal implicit authentication protocol for Internet of connected vehicles,” IEEE Transactions on Intelligent Transportation Systems, pp. 1–13, 2020.View at: Publisher Site | Google Scholar
K. Li, W. Ni, Y. Emami et al., “Design and implementation of secret key agreement for platoon-based vehicular cyber-physical systems,” ACM Transactions on Cyber-Physical Systems, vol. 4, no. 2, 2019.View at: Google Scholar
J. Wu, S. Pan, X. Zhu, and Z. Cai, “Boosting for multi-graph classification,” IEEE Transactions on Cybernetics, vol. 45, no. 3, pp. 416–429, 2015.View at: Google Scholar
F. Liu, S. Xue, J. Wu et al., “Deep learning for community detection: progress, challenges and opportunities,” in Proceedings of the 29th International Joint Conference on Artificial Intelligence (IJCAI 20), pp. 4981–4987, Yokohama, Japan, 2020.View at: Google Scholar