#### Abstract

The advent of intelligent transportation system has a crucial impact on the traffic safety and efficiency. To cope with security issues such as spoofing attack and forgery attack, many authentication schemes for vehicular ad hoc networks (VANETs) have been developed, which are based on the hypothesis that secret keys are kept perfectly secure. However, key exposure is inevitable on account of the openness of VANET environment. To address this problem, key insulation is introduced in our proposed scheme. With a helper device, vehicles could periodically update their own secret keys. In this way, the forward and backward secrecy has been achieved. In addition, the elliptic curve operations have been integrated to improve the performance. The random oracle model is adopted to prove the security of the proposed scheme, and the experiment has been conducted to demonstrate the comparison between our scheme and the existing similar schemes.

#### 1. Introduction

Due to the growing demands for a safer and more efficient intelligent transportation system, the development of vehicular ad hoc networks (VANETs) has captured a large amount of attentions from research institutions and industries in recent years. VANETs are deemed to be a variant of the mobile ad hoc network, which is a type of continuously self-configuring, wirelessly connected, and infrastructure-less network of mobile devices [1].

There are two indispensable infrastructure elements in VANETs: on-board units (OBUs), which are mounted in each vehicle, and roadside units (RSUs), which are used to communicate and to assist authentication [2]. In addition, a third trusted party (TA) should also be deployed in VANETs, which mainly provides services of registration and authentication.

A common model of VANETs is exhibited in Figure 1. Communication modes in VANETs could be sorted into two categories: vehicle-to-vehicle (V2V) communication and vehicle-to-infrastructure (V2I) communication. By employing the dedicated short range communication (DSRC) protocol [3], these dynamic nodes (vehicles) could broadcast and exchange traffic information via RSU and other nearby moving vehicles. Upon receiving those messages including location, speed, and traffic conditions, vehicles would take reasonable actions immediately such as rerouting and braking to avoid possible traffic emergency.

As we all know, the communication channels in VANETs are open, so an attacker could capture, modify, replay, and delete messages transmitted in VANETs easily, leading to a large number of security problems, which will have a strong impact on the whole system. Assume that an original message is actually a warning that there is a serious traffic jam ahead, if it is tampered to a different message which tells vehicles that the road is unblocked, a completely opposite result would be caused. Therefore, authentication between vehicle and infrastructure should be employed to guarantee the authenticity of the transmitted messages in this situation.

Moreover, many devices of infrastructure such as RSU are unmanned, and the units installed on the vehicles which are used to run cryptographic algorithms are resource limited; thus, the risk of key exposure is unavoidable and should not be overlooked. In addition, in the majority of cases, it is much easier for an attacker to obtain a secret key from an insecure device than to get it by breaking cryptogrammic hypothesis which system’s security relies on. Once key exposure occurs, it means that security of the whole system loses. Taken into account efficiency, difficulties of construction, and security, key insulation is a desirable method to deal with the key exposure issue.

However, the vast majority of security protocols for VANETs are established on bilinear pairing, which would inevitably cause heavy computation costs. In order to enhance the security and performance of VANET-oriented authentication schemes, a novel practical V2I authentication scheme for VANETs is proposed, which attempts to lower computation complexity and the risk of losing secret keys.

To be specific, the main contributions of this paper represent as follows:(1)Firstly, the key-insulated method is applied into V2I authentication for VANETs. In our proposed scheme, the user’s private key is divided into two portions: one is managed by a secure device called helper or assistant and the other is held by the user, and both of them are updated periodically.(2)Secondly, ECC, instead of bilinear pairing, is utilized to construct the proposed scheme. As most of devices in VANETs are resource limited, the computation consumption of the adopted schemes should be minimized as much as possible. Operations based on ECC in our construction can save far less time and computation burden than bilinear pairing operations, which is expected to gain higher efficiency.(3)Finally, the forward and backward secrecy is achieved. The secret key of OBU consists of two fractions in which private information is involved. The secret key must be generated with the helper’s participation, and it updates periodically so that malicious attackers cannot obtain the user’s private key in the previous periods or in the subsequent periods.

The remainder of this paper proceeds as follows. Section 2 reviews the related work about V2I authentication scheme for VANETs. Section 3 presents the related essential knowledge. Section 4 describes the construction of the proposed scheme in detail. The security analysis and performance evaluation are given in Sections 5 and 6, respectively. Finally, this paper is concluded.

#### 2. Related Works

In recent years, efforts on authentication have been made to address the problems of verification and efficiency. The privacy-preserving scheme [4] introduced by Wang et al. employs membership validity to replace the certificate revocation list and batch verification to improve efficiency, which achieved nonreputation, anonymity, traceability, and forward and backward secrecy. Wang [5] developed a privacy-preserving and accountable authentication protocol for IoT end-devices by adopting short group signature and secret sharing scheme. Shen et al. [6] proposed a multilayer authentication protocol with session key generation for wireless body area networks which is used for one-to-many group authentication scenario. The scheme with group testing towards a secure batch verification was introduced by Lee and Lai [7]. Unfortunately, this scheme is vulnerable to the impersonation attack since a malicious user could generate a fake signature on behalf of other vehicle. Based on this defect, another secure authentication scheme was introduced by Bayat et al. [8] to improve it. Wang and Yao [9] proposed the LIAP scheme, in which the vehicle and RSU are assigned with a long-term certification from the certificate authority (CA). If the vehicle is compromised, CA could easily revoke the vehicle’s long-term certificate to terminate its behavior in the network. Jiang et al. [10] proposed an efficient anonymous batch authentication scheme to replace the CRL checking process by calculating the hash message authentication code, which divides the whole area into several domains. However, every vehicle has stored enough pseudonyms; if any of them is revoked, the rest pseudonyms are wasted. Azees et al. [11] proposed another anonymous scheme to avoid malicious nodes attending the activities in VANETs, which provides conditional tracking mechanism, low-cost certificate, and signature verification. Many secure schemes have achieved authentication by various means; however, most of them adopt bilinear pairing to realize their security characteristics. Actually, the bilinear pairing is not efficient for limited VANET devices on account of its vast computation costs. In view of this, pairing-free schemes have been put forward over the past years. For instance, Cui et al. [12] proposed a privacy-preserving scheme, using cuckoo filter and the binary search methods instead of map-to-point hash function and bilinear pairing operations to achieve high efficiency. Xie et al. [13] proposed an ECC-based authentication scheme to realize reliability and integrity of message. Lo and Tsai [14] proposed an efficient authentication scheme for V2I in vehicular sensor networks without bilinear pairing to improve performance, which achieves message integrity, traceability, and unlinkability. He et al. [15] proposed a new ID-based and elliptic curve-based authentication scheme, which withstands diverse types of attacks and yields better performance.

To address the problem of key exposure, Dodis et al. presented the idea of key insulation and came up with the first key-insulated public key cryptosystem [16] and the first strong key-insulated signature scheme [17]. Following the pioneering works, great efforts have been devoted to the key-insulated signature (KIS) schemes [18–20]. The scheme proposed by Gonzlez-Deleito et al. [18] uses numerous power operations, which adopts multiple private keys and master keys to achieve security. Le et al. [19] utilized multiple certification authorities to shorten verification path and mitigated damage. Hanaoka et al. [20] used two helpers to update the secret key and to enhance the system security. Later, quantities of identity-based or attribution-based key insulation schemes have been proposed [21–27], which are all based on bilinear pairing with random key updating. Additionally, key insulation has been applied into various other research fields. Zhou et al. [28] proposed a certificateless key-insulated generalized signcryption scheme without bilinear pairing in the context of cloud, which is proved to be secure under the computational Diffie–Hellman (CDH) assumption and the elliptic curve discrete logarithm (EC-DL) assumption. Hong et al. [29] proposed a key-insulated attribute-based signature without pairings for wireless communications, which attempts to minimize the potential threat and to relieve the computational burden. Kun et al. [30] and Shi et al. [31] put key insulation into peer-to-peer (P2P) networks and electronic commerce environment, respectively. Moreover, key insulation was introduced into mobile ad hoc networks (MANETs) by V. Kumar and R. Kumar [32]. Park et al. [33] proposed the EA2P scheme and first used key insulation in VANET environment. Although EA2P provides anonymity, identity extraction, and traceability, it only isolates the public key certification, not the private key, which actually fails to achieve a practical sense of key insulation.

#### 3. Preliminaries

In this part, some necessary knowledge including system model, KIS framework, the random oracle model, and discrete logarithm (DL) problem is introduced.

##### 3.1. System Model

As shown in Figure 2, the whole system model in this paper consists of three kinds of entities as follows:

*PKG*: Private key generator, which is deemed to be fully trusted, is responsible for producing keys including secrete keys as well as public keys.

*RSU*: Roadside unit, the infrastructure of VANET. It is a kind of computing device located on the roadside, which uses DSRC protocol and provides connectivity support for passing vehicles [34].

*Vehicle*: Each vehicle is equipped with an on-board unit (OBU) and a tamper-proof device (TPD). OBU is used to help vehicle communicate wirelessly with RSU. TPD acts as a helper which is physically secure but computationally limited, and its stored information can never be disclosed.

There are mainly four procedures in our proposed schemes as shown in Figure 2. Firstly, PKG preloads the related keys into TPD, produces, and publishes system parameters in initialization phase (Phase 1). Secondly, TPD helps the OBU to generate the vehicle’s temporary secret key in Phase 2. Then OBU generates the signature and sends it to RSU in Phase 3. Finally, RSU validates the signature in Phase 4.

As illustrated in [15], the formalized definition of key-insulated signature (KIS) displays as follows:

*Definition 1* (key-insulated signature (KIS)). A 5-tuple of polynomial time algorithm makes up a key-insulated signature scheme as listed below: : the key generation algorithm, which falls into the initialized stage, takes a security parameter and the total number of time periods *N* as input to return a public key , a master key , and an initial key . : the key update algorithm for the device, which takes indices for time periods (throughout, ) and the master key as input to return a partial secret . : the key update algorithm for the user, which takes indices , a secret key , and a partial secret key as input to return the secret key for the time period *j*. : the signing algorithm, which takes an index *i* of a time period, a message *M*, and a secret key as input. Then returns a signature constituting the time period *i* and a signature *S*. : the verification algorithm, which takes the public key , a message *M*, and a pair as input. Then returns a bit *b*, where means that the signature is accepted.

If , we say that is a valid signature of *M* for the time period *i*.

##### 3.2. Security Model

The random oracle model was first proposed by Bellare and Rogaway [35] to prove the security of cryptographic protocols, and it is quoted in our proof. Oracle is an external device (it is usually being treated as a theoretical black box) that could provide true outputs for any inputs. In the case of inputting *x*, running a random oracle could be thought to pick a hash function at random and outputs . Besides, the relationship between the oracle’s output and input satisfies properties of function; namely, the same input corresponds to the same output. As a matter of fact, each output is selected from its output domain, and acquired inputs/outputs are completely independent of current inputs/outputs on account of randomness.

*Definition 2* (unforgeability). To prove the unforgeability, a game played between a challenger and an adversary is defined. Our scheme is unforgeable against the malicious OBU if the following condition is satisfied: for any probabilistic polynomial time (PPT) adversary , the probability that wins the following game is negligible. The adversary can adaptively issue a series of undermentioned queries in the game. : this can be considered as an initialization stage. The challenger generates the system secret key and public parameters. conveys these public parameters to the adversary . : upon receiving the query issued by the adversary with the message *m*, the challenger picks a stochastic number , puts the tuple into the list , and returns *e* to the adversary . : upon receiving the query issued by the adversary with the message *m*, the challenger picks a stochastic number , puts the tuple into the list , and returns *e* to the adversary . : upon receiving the query issued by the adversary on the secret key , the challenger computes it, puts the tuple into the list , and returns to . : upon receiving the query issued by the adversary with the message *m*, the challenger picks a stochastic number , puts the tuple into the list , and returns *e* to the adversary . : upon receiving the query issued by the adversary with the message *m*, the challenger picks a stochastic number , puts the tuple into the list , and returns *e* to the adversary . : the challenger generates the message required by the adversary and sends it to . : the adversary inputs the signature given by the challenger , and the verification algorithm returns a bit *b*, where means that the signature is valid.

After a polynomial number of queries, if the adversary can violate the unforgeability of the proposed scheme by generating a tuple on the condition that the verification phase outputs 1, then we say the adversary wins the game.

##### 3.3. Discrete Logarithm (DL) Problem

Provided with two stochastic points *P*, *Q* over an elliptic curve *E*, the DL problem is to compute a number *x* to meet the equation .

#### 4. The Proposed V2I Authentication Scheme

The proposed scheme consists of four phases: system initialization, key generation, signing stage, and verification stage. In the first place, notations used are defined in Table 1.

##### 4.1. System Initialization

In this phase, every appliance in VANETs performs initialization.(1)PKG generates fundamental system parameters including a group over the chosen elliptic curve , a random number as the system master key, and the system public key computed as follows:(2)PKG selects a random number as the private key of the helper (TPD) and calculates its corresponding public key

All these four parameters should be preloaded into TPD.(3)RSU selects a random number as its private key and computes the corresponding public key(4)PKG publishes the public parameter set:

In this paper, we assume that the OBU’s public key and its TPD public key have been preloaded.

##### 4.2. Key Generation

###### 4.2.1. Initial Key Generation

Set the parameter corresponding to the time period *i* as . Note that it is default for TPD to keep its OBU’s identity. TPD computes and the initial private key of the OBU aswhich is preloaded into the OBU.

###### 4.2.2. Partial Key Generation

TPD calculatesas the partial key corresponding to the time period *i*, and sends it to the OBU to assist in generating the temporary secret key.

###### 4.2.3. Temporary Secret Key Generation

OBU calculates its own temporary secret key in the time period *i*

as soon as it receives from the TPD.

The temporary public key in the time period *i* of OBU is set asand it is published by the OBU, while the partial key and the initial key are removed after key updating.

##### 4.3. Signing Stage

An OBU can generate the signature on message in the time period *i* as follows.

*Step 1*. Selects the random number to compute.

*Step 2*. Uses the identity , the temporary secret key in the time period *i *, the public key of RSU , the corresponding time stamp , and hash functions to compute

*Step 3*. Selects another random number and uses the identity and to compute

*Step 4*. Concatenates the hash value of identity , , , the message about traffic status and current time stamp to compute

*Step 5*. Uses the two random numbers and , , and the temporary secret key to compute

*Step 6*. Sends the message to the regional RSU.

##### 4.4. Verification Stage

Upon receiving the signature, RSU proceeds the following steps to verify it.

*Step 1*. Examines the freshness of . If it is fresh, goes to step 2; otherwise, the signature is rejected.

*Step 2*. Uses own secret key , the private key in the time period *i* of the vehicle and to count the hash value of identity of the vehicle:

*Step 3*. Uses the hash value of , its own secret key , the private key of the vehicle, the private key of TPD, and current time stamp to evaluate

*Step 4*. Uses the hash value of , , and to evaluate

*Step 5*. Concatenates the hash value of , , , the message about traffic status , and current time stamp to evaluate

*Step 6*. Checks whether the equationholds. If it holds, the signature is valid.

#### 5. Security Analysis

In this part, the correctness and the security analysis under the random oracle model of our proposed scheme are illustrated.

##### 5.1. Correctness Proof

Theorem 1. *A signature from the OBU could pass the verification of the RSU*.

*Proof*. Actually, given a signature from an OBU, the RSU could compute

Therefore, the signature is verified to be valid.

##### 5.2. Security Proof

Theorem 2. *Our proposed V2I authentication scheme is secure under the random oracle model*.

*Proof*. Assume that there is a PPT adversary who could forge a signature to pass the verification successfully. The challenger is constructed to tackle the DL problem with a nonnegligible probability by interacting with . Given a DL instance , the game between and is played as follows.

###### 5.2.1. Query Phase

: The challenger allocates and , generates the public parameter , and conveys these parameters to the adversary . : A list is set up and retained by the challenger , which is initialized to empty. Upon receiving the query about from the adversary , first examines whether the tuple is in . If so, returns to ; otherwise, picks a random number , puts the tuple into , and returns to . : A list is set up and retained by the challenger , which is initialized to empty. Upon receiving the query about from the adversary , first extracts the tuple from the list . Then, examines whether the tuple is in . If so, returns to ; otherwise, picks two random numbers and allocates . Finally, puts the tuple into and returns to . : The adversary asks for the temporary private key in the current time period *i*. The challenger first extracts the tuples and from lists and , respectively. Then, computes

Finally, adds the tuple into the list and returns to . : A list is set up and retained by the challenger , which is initialized to empty. Upon receiving the query about from the adversary , first examines whether the tuple is in . If so, returns to ; otherwise, picks a random number , puts the tuple into , and returns to . : A list is set up and retained by the challenger , which is initialized to empty. Upon receiving the query about from the adversary , first extracts the tuple from the list . Then, examines whether the tuple is in the list . If so, returns to ; otherwise, picks a random number , puts the tuple into , and returns to . : Upon receiving the query about the signature on message from the adversary , the challenger picks random numbers and . sets and and adds the tuples , , and into the lists , , and separately. At last, returns to . : The verifier checks if the equation holds. If it does not hold, the verification algorithm outputs 0 and the process is aborted. Otherwise, the verification algorithm outputs 1 and the signature is accepted.

###### 5.2.2. Forgery Phase

If an adversary could successfully output a signature which can pass the verification with nonneglectable probability according to the forking lemma [36], then could output a second signature in an attack by using a different random oracle with nonneglectable probability. Consequently, could output another signature by repeating the process with a different choice of , which leads to a distinguishing , while the value of remains unchanged. Such that, the following equation is obtained:

At last, the challenger outputs as the answer of the DL problem instance . This contradicts with the difficulty of the DL problem. Hence, our proposed V2I authentication scheme is secure against forgery under the random oracle model on the condition of adaptive chosen message attack.

#### 6. Performance Evaluation

To examine the performance of our proposed scheme in reality, an experiment has been conducted on a Windows 10-installed laptop with Intel(R) Core(TM) i7, and the cryptographic operations have been implemented by using the TEPLA library [37], which requires GMP library and OpenSSL [38].

TEPLA Elliptic Curve and Pairing Library is a free C library which provides functions such as finite field arithmetic with 254-bit prime number, elliptic curve arithmetic over Barreto–Neahrig curve, and pairing arithmetic using optimal ate pairing over BN curve. To set up the system environment as the library required, MinGW64 and MSYS are needed to simulate Linux environment to compile cryptography libraries. To install TEPLA, GNU MP library and OpenSSL are required. GNU MP is a free library for big number related operations, and OpenSSL is used to realize cryptographic operations. After finishing compiling, environment variables for Visual Studio are configured and header files of these cryptography libraries are included to conduct the experiment for our scheme.

The experimental results show that the proposed scheme costs and in terms of signing and verification, respectively. We compare our proposed scheme with seven existing similar authentication schemes [9, 22–27], including a pairing-free authentication scheme [9] for VANETs and six key-insulated authentication schemes [22–27]. Note that in our comparison, only consumption of signing phase and verification phase is put into consideration. For convenience, the description of the symbols used in the comparison is listed in Table 2, the results of the comparison on computational costs of various KIS schemes in theory are listed in Table 3, the real running time is displayed in Table 4, and the intuitive comparison about signing and verification is shown in Figure 3 and Figure 4, respectively.

Except the operations listed in Table 2, other operations have not been considered since their running time is ignorable. In terms of the verification phase, according to Table 3, in the scheme of Wang and Yao [9], RSU needs to run two hash operations, three bilinear pairing operations, and one multiplication operation. In the scheme of Weng [22] and Zhou [23], RSU needs to run three hash operations, four bilinear pairing operations, and two multiplication operations. In the scheme of Wan [24], RSU needs to run five bilinear pairing operations, and three multiplication operations. In the scheme of Zhao [25], RSU needs to run one hash operations, three bilinear pairing operations, one multiplication operation, one point addition operation, and one multiplication operation related to ECC. In the scheme of Weng [26], RSU needs to run six bilinear pairing operations and four multiplication operations. In the scheme of Chen [27], RSU needs to run one exponentiation operation, four bilinear pairing operations, and two multiplication operations. As we all know, the bilinear pairing operation is the most time-consuming, while hash function is the least time-consuming. Furthermore, time consumption for the operations listed could be ranked as follows: . It could be seen from Table 4 that our scheme possesses comparatively high efficiency in verification since our scheme is constructed by using comparatively light-weighted operations. To show the advantage clearly, the improved ratio of our scheme against other seven schemes is defined as , where refers to time costs of the scheme with the reference number “num” and refers to time costs of our scheme. In terms of the verification stage, the improved ratios of our scheme against the schemes [9, 22–27] are , , , , , and , respectively. When it comes to the total costs of signing and verifying stages, the improved ratios of our scheme against other seven schemes [9, 22–27] are 30.68%, 30.69%, 25.68%, 41.34%, 24.9%, 50.94%, and 27.74% individually. From Figures 3 and 4, the computation costs of singing phase of our proposed scheme are lightly higher than some schemes, because indispensable operations in this phase are needed to achieve key insulation and to provide better security. Even that our promotion comes at a little price of efficiency of signing, the gain of key-insulated secrecy deserves it, and on the whole, the proposed scheme achieves a better trade-off between security and efficiency than the compared schemes.

#### 7. Conclusion

Vehicular ad hoc networks (VANETs) are one of the most promising technologies nowadays. For the sake of providing efficient and secure authentication for VANETs, a key-insulated V2I authentication scheme has been constructed in this paper. The core idea of the proposed scheme is dividing private key of the vehicle into two parts which are, respectively, held by a temper-proofing device (TPD) and the vehicle itself, and these two parts of the private key are used to generate a signature. The proposed scheme supports dynamically updating private key in different time periods. For the vehicle, it obtains its updated secret key by the help of TPD before signing. For the RSU, it first checks whether the time stamp is valid before verification, and then it validates the signature from the vehicle. The security analysis manifests that the proposed scheme is secure under the adaptive chosen message attack. The comparison is also conducted among our scheme and other similar schemes. The performance evaluation shows that our bilinear pairing-free scheme harvests a better trade-off between security and efficiency, and it is feasible for VANET environment.

In our proposed scheme, the helper is assumed as a fully-trusted device, and the private key of the vehicle is generated by its helper. However, the helper is actually semitrusted in some situations, which means that the assistant device can generate signature without the user’s approval. In this situation, 2-out-of-2 threshold manner should be a considerable method to prevent the misuse of the user’s secret key by the helper. The core idea of 2-out-of-2 threshold manner is that the user and the helper device could share the threshold value *n* using standard threshold techniques, where the user keeps and the helper keeps such that . In addition, because the RSU would receive and verify numerous signatures from the vehicles within its region, this would inevitably cause burden of computational consumption if the RSU proceeds verification on by one. Taken into account the requirements for efficiency and security in the context discussed above, design of an efficient threshold key-insulated authentication scheme is our future work, which aims to achieve feasible secure V2I communication for VANETs.

#### Conflicts of Interest

The authors declare that there are no conflicts of interest regarding the publication of this paper.

#### Acknowledgments

This work was jointly supported by the National Social Science Foundation of China (no. 14CTQ026), the National Natural Science Foundation of China (no. 61702067, no. 61672119, and no. 61472464), the Chongqing Research Program of Application Foundation and Advanced Technology (no. cstc2017jcyjAX0201), the Natural Science Foundation of Shandong Province, China (no. ZR2015FL024), and the Science and Technology Research Project of Chongqing Municipal Education Commission (no. KJ1600445).