Research Article  Open Access
Yang Ming, Hongliang Cheng, "Efficient Certificateless Conditional Privacy-Preserving Authentication Scheme in VANETs", Mobile Information Systems, vol. 2019, Article ID 7593138, 19 pages, 2019. https://doi.org/10.1155/2019/7593138
Efficient Certificateless Conditional Privacy-Preserving Authentication Scheme in VANETs
Abstract
Vehicular ad hoc networks (VANETs) are an increasingly important paradigm for greatly enhancing roadway system efficiency and traffic safety. To deploy VANETs widely in real life, it is critical to deal with their security and privacy issues. In this paper, we propose a certificateless conditional privacy-preserving authentication (CCPPA) scheme based on certificateless cryptography and elliptic curve cryptography for secure vehicle-to-infrastructure communication in VANETs. In the proposed scheme, a roadside unit (RSU) can verify a large number of received messages simultaneously, so that the total verification time is sharply decreased. Furthermore, the security analysis indicates that the proposed scheme is provably secure in the random oracle model and fulfills all the security and privacy requirements. To further improve efficiency, neither map-to-point hash operations nor bilinear pairing operations are employed. Compared with previous CCPPA schemes, the proposed scheme cuts the computation delay of message signing and verification by 66.9%–85.5% and 91.8%–93.4%, respectively, and reduces the communication cost by 44.4%. Extensive simulations show that the proposed scheme is practicable, achieves a very low average message delay and average message loss ratio, and is thus appropriate for realistic applications.
1. Introduction
The speedy evolution of wireless technology has elevated Intelligent Transportation Systems (ITS) to higher levels and has also made vehicular ad hoc networks (VANETs) more attractive to academia and industry [1]. VANETs, as a special application of Mobile Ad Hoc Networks (MANETs), are an important component of ITS; they are rapidly changing and self-configuring and employ multiple-hop topologies over wireless links [2].
A typical architecture of VANETs is shown in Figure 1. Usually, a VANETs system comprises four main components, i.e., the Trusted Authorities (TAs), the Application Servers (ASs), the Roadside Units (RSUs), and the vehicles, which are equipped with Onboard Units (OBUs). The responsibility of the TAs is to maintain the whole system. The work of the ASs is to provide further data analysis. The RSUs are deployed along the roadside and serve as transfer stations or carry out the authentication work to lighten the burden of the TAs. The OBUs are embedded in the vehicles to collect and process traffic-related information and to communicate with other entities. The communication modes in VANETs can be classified into two basic types, i.e., Vehicle-to-Infrastructure (V2I) communication and Vehicle-to-Vehicle (V2V) communication. In V2I communication, the vehicles communicate directly with the RSUs fixed along the roadside. In V2V communication, the vehicles communicate directly with each other to exchange information. The vehicles (OBUs) communicate with the RSUs and other vehicles via a public wireless channel. The RSUs also connect with the TAs and ASs through a wired channel. In VANETs, using the Dedicated Short Range Communications (DSRC) standard [3], each vehicle periodically broadcasts vehicle-related condition messages (e.g., speed, turning intention, direction, and position) and traffic-related safety messages (e.g., congestion state, traffic events, and weather) every 100–300 milliseconds (ms). On one side, all the messages are forwarded to the traffic control center (AS) by the RSUs through the wired connection. Based on the received messages, the traffic control center can generate management strategies and optimized control to improve efficiency and traffic safety by analyzing the current traffic load at each intersection. On the other side, the vehicles can respond early in specific situations such as emergency braking, traffic jams, accidents, etc.
VANETs emerged to enhance safe driving conditions and road safety. As the traffic-related messages are transmitted over a wireless channel, malicious attackers can easily eavesdrop on, modify, replay, and delete the messages. Hence, for practical applications of VANETs, the security and privacy challenges need to be tackled.
Facing all kinds of security attacks mentioned above, message authentication is a crucial security problem for VANETs. In practice, the messages from a vehicle (OBU) need to be integrity-checked and authenticated before being relied on. The reason is that an attacker can replace or modify the original safety messages or even impersonate a vehicle to broadcast bogus messages. Message authentication, which consists of an identity authentication check and a message integrity check, is implemented to allow a vehicle to differentiate trustworthy messages from broadcast messages and to resist impersonation attacks and modification attacks. Digital signature technology can be used to solve this problem in VANETs, as it not only allows the receiver to identify the sender but also prevents the message contents from being altered in transmission.
In addition, privacy is also a significant issue in VANETs. In real life, vehicle-related private information such as a vehicle’s real identity should be hidden; otherwise, the moving patterns and location of the vehicle can be traced by an attacker. For instance, leakage of a vehicle’s traveling route information will disclose the privacy of the vehicle and may lead to serious consequences, since the information may be used for crimes or traffic collisions. Therefore, the vehicles’ privacy must be ensured in VANETs. Nonetheless, there is sometimes a conflict between security and privacy. The former needs to know a message’s origin and integrity, while the latter requires that no entity can trace a message to its generator. Hence, conditional privacy is usually considered in VANETs. That is to say, a vehicle’s privacy is normally guaranteed, but if a malicious vehicle broadcasts fake messages and causes accidents or crimes, a legal authority is capable of tracing or retrieving the messages of the vehicle by revealing the vehicle’s real identity.
The conditional privacy-preserving authentication (CPPA) mechanism, which is able to achieve message authentication and conditional privacy simultaneously, is fully appropriate for solving the security and privacy issues in VANETs.
Several research works on privacy-preserving authentication for VANETs have been proposed in recent years, including public key infrastructure based (PKI-based) CPPA schemes [2, 4–6], identity-based (ID-based) CPPA schemes from bilinear pairing [7–19], binary authentication trees [20, 21] and elliptic curves [22–29], and certificateless CPPA schemes [30, 31]. Although certificateless conditional privacy-preserving authentication (CCPPA) schemes for VANETs [30, 31] solve the public key certificate management problem of PKI-based CPPA schemes and the key escrow problem of ID-based CPPA schemes, the performance of [30, 31] is not efficient owing to the need for map-to-point hash and bilinear pairing operations. These two operations are more complex, which means they need more time to execute than other operations. Therefore, it is important for secure and practical VANETs to design a CCPPA scheme without map-to-point hash and bilinear pairing operations.
Based on certificateless cryptography [32] and elliptic curve cryptography (ECC) [33, 34], an efficient CCPPA scheme for VANETs is proposed in this paper. The major contributions are as follows:
(i) An efficient CCPPA scheme for VANETs is proposed without employing map-to-point hash and bilinear pairing operations. The proposed scheme achieves fast batch message verification.
(ii) The security analysis shows that the proposed scheme is provably secure under the elliptic curve discrete logarithm assumption in the random oracle model and satisfies all security and privacy requirements.
(iii) The performance in terms of computation delay and communication overhead is evaluated. The experimental simulations indicate that the proposed CCPPA scheme is more efficient than the schemes in [30, 31] for VANETs.
(iv) An extensive simulation is conducted, and the results demonstrate that the proposed CCPPA scheme has an extremely low average message delay and average message loss ratio.
The remainder of this paper is organized as follows. In Section 2, we provide a review of the previous related works. The system model, security requirements, and elliptic curve group are presented in Section 3. We propose a concrete CCPPA scheme for secure V2I communication in Section 4 and the security analysis for the proposed scheme in Section 5. Section 6 conducts the performance evaluation and experimental simulations of the proposed scheme with other schemes. Finally, we conclude the paper in Section 7.
2. Related Works
In VANETs, the security and privacy problems have attracted strong interest and research from industry and academia. Recently, lots of CPPA schemes for VANETs have been put forward and roughly classified into three categories: PKIbased schemes, IDbased schemes, and certificateless schemes.
In 2004, Hubaux et al. [4] first pointed out the security and privacy issues in VANETs and declared that public key infrastructure (PKI) technology could be used to protect the messages transmitted by vehicles. In 2007, based on anonymous certificates, an anonymous authentication scheme for VANETs was proposed by Raya and Hubaux [2]. They showed that the proposed scheme can provide message authentication and conditional privacy preservation. In this scheme, each vehicle is required to preload a huge number of anonymous public/private key pairs and corresponding public key certificates and then to sign a message using one of the private keys for anonymity in each communication. Therefore, a huge storage space is needed to store keys and corresponding certificates in all vehicles, while the certificate authority also needs to store all vehicles’ certificates. In 2008, Lu et al. [5] put forward an efficient conditional privacy preservation (ECPP) scheme for VANETs to solve the problem of the large storage space for vehicles in [2] by employing temporary anonymous certificates. Based on the hash message authentication code (HMAC) and the k-anonymity approach, an efficient RSU-aided message authentication scheme was proposed by Zhang et al. [6] to realize the privacy preservation of vehicles. In summary, all the PKI-based authentication schemes for VANETs have a bottleneck problem in the storage and management of certificates.
To tackle the problem mentioned above, identity-based (ID-based) authentication schemes for VANETs have been proposed. Based on ID-based cryptography [35], Zhang et al. [7, 8] proposed ID-based CPPA schemes. In their schemes, both the vehicle (OBU) and the RSU use identity information (such as the license plate number or device number) as public keys, and the corresponding private keys are generated by a trusted third party called the Private Key Generator (PKG). Therefore, these schemes eliminate the need for certificate storage in vehicles and RSUs. Also, batch message verification can be provided to verify a large number of messages simultaneously. In 2011, Chim et al. [9] claimed that Zhang et al.’s schemes [7, 8] are vulnerable to the impersonation attack and the anti-traceability attack. Using two shared secrets, Chim et al. [9] also proposed a communication scheme for VANETs. The new scheme not only satisfies the security and privacy requirements but also has lower communication overhead. In 2012, based on a pseudo-identity-based signature, an ID-based CPPA scheme for VANETs was established in [10] which provided batch message verification. In 2013, Lee and Lai [11] showed that the scheme in [7] was insecure against repudiation and replay attacks, and an improved ID-based privacy-preserving authentication scheme for VANETs was put forward to overcome the weaknesses in [7] while maintaining efficiency. Horng et al. [12] pointed out that the scheme in [9] is vulnerable to the impersonation attack and gave a new scheme to remedy the security flaw in [9]. In 2014, Liu et al. [13] indicated that the underlying identity-based signature scheme of Shim in [10] was insecure and thus the corresponding authentication mechanism suffers from modification attacks. An improved ID-based CPPA scheme was proposed in [14] to make up for the weaknesses in [11] while maintaining the efficiency of the scheme in [11]. In 2015, Bayat et al. [15], aiming at the security flaw in [11], proposed a new scheme. In 2016, exploiting the ID-based signature with message recovery, Liu et al. [16] presented an efficient authentication scheme for VANETs that realized the anonymity of vehicles and batch message authentication. Based on bilinear pairing, a CPPA scheme for VANETs was proposed by Wang et al. [17]. This scheme is proven secure under the computational Diffie–Hellman (CDH) assumption in the random oracle model. Based on HMAC and identity-based signatures, an anonymous batch authentication protocol for VANETs was proposed by Jiang et al. [18]. In 2017, Tzeng et al. [19] found that the scheme in [11] was exposed to some security risks in VANETs and proposed a scheme secure in the random oracle model. In 2009, Jiang et al. [20] first presented an ID-based authentication algorithm for V2I communication using a binary authentication tree. This scheme achieves high efficiency when verifying many signatures and filtering bogus messages. However, Shim [21] claimed that Jiang et al.’s scheme in [20] was unable to resist replay, forgery, and sybil attacks, and proposed an improved scheme using an aggregate signature, an ID-based signature, and a binary authentication tree. In 2015, by utilizing ECC, He et al. [22] first proposed an ID-based CPPA scheme for VANETs without using map-to-point hash or bilinear pairing operations. This scheme has better performance in terms of computation and communication costs. Based on the BLS short signature [36] and ECC, Xie et al. [23, 24] put forward ID-based conditional privacy-preserving authentication schemes for VANETs, respectively. These schemes satisfy the security and privacy requirements in VANETs and achieve lower computation costs. For secure communication and vehicle privacy in VANETs, Lo and Tsai [25] presented an efficient CPPA scheme, which does not need map-to-point hash and bilinear pairing operations and thus achieves better performance. Zhong et al. [26] proposed a CPPA scheme provably secure in the random oracle model which provides a practical service application for VANETs. In 2017, based on ECC, Wu et al. [27] established an efficient location-based CPPA protocol for VANETs without using bilinear pairing or a tamper-proof device, which satisfies the security and privacy requirements. Exploiting binary search and cuckoo filter techniques, Cui et al. [28] proposed a secure privacy-preserving authentication scheme with a high success rate in batch verification. In 2018, Li et al. [29] put forward an efficient and anonymous CPPA scheme, which achieves optimal performance in terms of computation and communication costs. In the aforementioned ID-based CPPA schemes, all the entities’ private keys are generated by the PKG, which eliminates the management and storage of certificates of PKI-based schemes. However, these schemes suffer from the inherent key escrow problem, i.e., the PKG knows the private keys of all vehicles and RSUs and can thus decrypt any ciphertext and forge signatures on any message as any entity. Therefore, ID-based schemes may not be suitable for VANETs.
To solve the key escrow problem of ID-based schemes as well as the certificate management problem of PKI-based schemes, Horng et al. [30] proposed a provably secure CCPPA scheme for VANETs based on certificateless cryptography [32]. In a CCPPA scheme, only the partial private key of a user (vehicle or RSU) is generated by the trusted Key Generator Center (KGC). The user chooses a secret value itself and combines it with the partial private key to form the private key, and hence the KGC cannot obtain the private keys of the users. Note that certificates are no longer required to guarantee the authenticity of public keys in a CCPPA scheme. In 2016, Li et al. [31] pointed out that the scheme in [30] was insecure under the malicious-but-passive KGC attack, i.e., the KGC can forge a signature or decrypt a ciphertext using trapdoors maliciously embedded in the public parameters. Furthermore, an improved scheme was put forward. In 2018, based on the new paradigm of certificateless signature with message recovery (CLSMR), Ming and Shen [37] proposed a CCPPA scheme for VANETs. Its advantage is that the scheme achieves better communication efficiency. The only imperfection is that the maximum message length was limited to , where  is a positive integer such that less than a prime number . In this paper, certificateless signature technology is used to design an efficient CCPPA scheme in which the message length is arbitrary. Hence, this scheme is more suitable for a practical VANETs system.
3. Preliminaries
3.1. System Model
The system model of the proposed scheme is shown in Figure 2. This model consists of two layers. The lower layer comprises OBUs installed in the vehicles and RSUs along the roadsides. The communication between RSU and OBU is based on the DSRC protocol [3]. The upper layer includes two trusted authorities (TAs), i.e., the Key Generator Center (KGC) and the Trace Authority (TRA), and the Application Servers (ASs) (data analysis center or traffic control center), where message exchange is implemented over the secure channel provided by the transport layer security (TLS) protocol.
KGC. The KGC is assumed to be a trusted third party and has sufficient storage space and computing power. KGC is in charge of producing public system parameters and preloading them on RSUs and OBUs in the offline mode. Furthermore, it also generates and distributes the partial private keys for RSUs and OBUs.
TRA. The TRA is assumed to be a trusted third party and has sufficient storage space and computing power. TRA is responsible for the registration of RSUs and OBUs. It can trace messages to their sources and reveal the real identities of the vehicles.
AS. The AS is a safety-related application server, such as a traffic-data analysis center or a traffic management center. The AS first gathers traffic-related messages, including current location, time, and traffic accidents, from the RSUs and then performs further analysis and/or provides feedback to them. The AS communicates with the KGC, TRA, and RSUs via the wired channel.
RSU. The RSU is located along the roadside and has higher computation capabilities. It can communicate with the OBUs of vehicles in its coverage region over a wireless channel and with the KGC, TRA, and AS via a secure wired channel. In VANETs, the RSU is assumed to be a fully trusted party; when it receives traffic-related messages, it verifies them and either processes them locally or sends them to the TA or AS.
OBU. The OBU is embedded in the vehicle to communicate with other OBUs and RSUs using Dedicated Short Range Communication (DSRC) [3] technology, standardized as IEEE 802.11p (5.9 GHz). It warns the driver about jams and helps avoid road accidents by periodically broadcasting traffic-related status messages such as speed, direction, and position to other vehicles.
3.2. Security Requirements
In the V2I communication scenario, the following security requirements need to be satisfied by the proposed CCPPA scheme.
Message Authentication. The receiver should be able to verify the traffic-related messages and the appended signatures in VANETs in order to preserve the integrity of the messages sent by the vehicle.
Identity Privacy Preserving. The real identity of each vehicle should be kept secret from other entities in VANETs. No entity should be able to break the vehicle’s privacy and disclose its real identity by analyzing the transmitted messages.
Traceability. The TRA, as a trusted party, must have the capability to expose the real identity of any malicious vehicle that has broadcast forged messages to other vehicles in order to disrupt the traffic.
Unlinkability. Apart from the TRA, it is difficult for anyone to determine whether two messages were sent by the same vehicle.
Role Separation. Two trusted authorities, the TRA and the KGC, are involved in VANETs. The TRA is in charge of constructing the pseudo identities of the vehicle and, if necessary, tracing the vehicle’s real identity. The KGC is responsible for creating the vehicle’s partial private key on the pseudo identity.
Key Escrow Resilience. In VANETs, the KGC is normally a semi-trusted commercial organization rather than a fully trusted entity. Therefore, it is required that the KGC cannot impersonate a legitimate vehicle to generate a valid signature with the vehicle’s private key.
Resistance to Attack. Apart from the conventional security and privacy requirements, the CCPPA scheme must be capable of resisting various common attacks in the lower-layer communication, for example, the impersonation attack, modification attack, replay attack, and man-in-the-middle attack.
3.3. Elliptic Curve Group
The elliptic curve cryptography (ECC) was initially introduced by Miller [33] and Koblitz [34].
An elliptic curve E over a finite field , where is a large prime, is defined by the following equation:where .
The point at infinity O and all points  form an additive cyclic group . Scalar multiplication over  is defined as follows, where .
Elliptic curve discrete logarithm (ECDL) problem [22, 37]: given two random points P and Q on the elliptic curve E, find an integer x, such that .
Elliptic curve discrete logarithm (ECDL) assumption [22, 37]: the ECDL assumption states that there is no known polynomial-time algorithm that solves the ECDL problem with non-negligible probability.
Elliptic curve computational Diffie–Hellman (ECCDH) problem [22, 37]: given two random points  and  on the elliptic curve E, where  are two unknown integers, compute the point .
Elliptic curve computational Diffie–Hellman (ECCDH) assumption [22, 37]: the ECCDH assumption states that there is no known polynomial-time algorithm that solves the ECCDH problem with non-negligible probability.
4. The Proposed Scheme
This section describes a CCPPA scheme for V2I communication. The proposed CCPPA scheme consists of the following four phases: system initialization, pseudo identity generation and partial private key extraction, private key generation and message signing, and message verification. The notations used in this paper are defined in Table 1.

4.1. System Initialization
This phase is executed by the two TAs (KGC and TRA) to generate the system parameters for all RSUs and OBUs. The following steps are performed in this phase:
(1) The TAs randomly choose two large prime numbers p and q. Then the TAs select a nonsingular elliptic curve E defined by the equation , where .
(2) The TAs pick a group  of elliptic curve points with prime order q and a generator P of .
(3) The KGC randomly chooses  as the master key for partial private key extraction and computes .
(4) The TRA randomly selects  as the master key for identity traceability and computes .
(5) The TAs choose four one-way hash functions: , , and .
The TAs publish  as the public system parameters and send them to all RSUs and vehicles (OBUs). The master keys s and t are kept secret by the KGC and the TRA, respectively. The system parameters are preloaded into the tamper-proof devices (TPD) of all vehicles in VANETs.
4.2. Pseudo Identity Generation and Partial Private Key Extraction
This phase is executed between the vehicles and the TAs (TRA, KGC). The TRA calculates the pseudo identities for the vehicle , and then the KGC generates the partial private keys corresponding to the pseudo identities, once the TRA receives the real identity  from , where  uniquely identifies the vehicle . The TRA and KGC preload the pseudo identities and partial private keys into the TPD of the vehicle  after it has successfully completed its offline registration. The following steps are executed in this phase:
(1) The vehicle  transmits the real identity  to the TRA in a secure manner.
(2) After confirming the real identity , the TRA randomly chooses  and computes
where  defines the valid period of this pseudo identity. Then, the pseudo identity  is delivered to the KGC over a secure channel.
(3) For the given pseudo identity , the KGC randomly chooses  and computes the partial private key (), where
The KGC sends the pseudo identity and partial private key to the vehicle .
4.3. Private Key Generation and Message Signing
In the private key generation and message signing phase, the vehicle  generates its private key and signs messages. Then, the vehicle broadcasts a message, consisting of the pseudo identity, the traffic-related message and its signature, the public key, and a timestamp, to nearby RSUs. This phase proceeds as follows:
(1) The vehicle  randomly picks  and sets  as the secret value and computes . Then, the vehicle ’s private key is  and its public key is .
(2) The vehicle  randomly chooses a pseudo identity  from its storage and a current timestamp , which supports the freshness of the message so as to resist the replay attack. Given a traffic-related message , the vehicle  randomly selects  and computes
The signature of a trafficrelated message is . Then, the vehicle issues the message to nearby RSUs.
4.4. Message Verification
In this phase, the verifier (RSU) performs a validity check on the received traffic-related messages: it verifies the correctness of the signature to ensure that the corresponding vehicle is not attempting to impersonate another legitimate vehicle or to disseminate false messages. Single message verification and batch message verification are described in turn below.
4.4.1. Single Message Verification
The verifier receives the message  and verifies its validity by performing the following steps:
(1) The verifier checks whether  is valid and  is fresh. If  is not valid or  is not fresh, the message is dropped.
(2) The verifier checks whether the equation
holds or not. If it holds, the message is accepted.
4.4.2. Batch Message Verification
Batch message verification can be used to verify multiple messages simultaneously in order to enhance the efficiency of verification. When receiving n distinct messages  generated by different vehicles , respectively, the verifier checks the validity of the messages as follows:
(1) The verifier checks whether  is valid and  is fresh, where . If any  is not valid or  is not fresh, the messages are dropped.
(2) The verifier checks whether the equation
holds or not. If it holds, the messages are accepted.
To detect any invalid signature in the batch verification of n messages, we use the small exponent test technique [14, 16] to realize batch message verification. The verifier checks whether the following equation
holds or not. If it holds, the messages are accepted, where  and l is a small integer.
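The following Python example is added here and is not code from the paper or its authors. It implements the elliptic curve group arithmetic of Section 3.3 over the public secp256k1 parameters (a standard curve chosen here as an assumption; the paper fixes no specific curve), a generic Schnorr-style signature that stands in for the paper's signing and verification equations (which are not reproduced on this page), the pseudo identity validity and timestamp freshness checks of step (1), and the batch check of Section 4.4.2 in both its plain-summation form and the small exponent test of [14, 16]. The SHA-256 hash-to-scalar function, the key pairs, messages and pseudo identities are all constructed for the example.

```python
# Added illustration, not the paper's code. Curve arithmetic over secp256k1
# (standard public parameters, chosen here as an assumption) plus a generic
# Schnorr-style signature that stands in for the paper's signing equation.
import hashlib
import secrets

P_MOD = 2**256 - 2**32 - 977          # field prime p
A = 0                                 # curve y^2 = x^3 + 7 (a = 0, b = 7)
GX = 0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798
GY = 0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8
Q = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141  # order q
G = (GX, GY)                          # generator (the paper's P)
O = None                              # point at infinity

def add(p1, p2):
    """Point addition in the additive cyclic group of Section 3.3."""
    if p1 is O:
        return p2
    if p2 is O:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return O                      # p2 == -p1
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P_MOD) % P_MOD
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P_MOD) % P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)

def mul(k, pt):
    """Scalar multiplication k*pt by double-and-add; k is reduced mod q."""
    result, k = O, k % Q
    while k:
        if k & 1:
            result = add(result, pt)
        pt = add(pt, pt)
        k >>= 1
    return result

def hash_to_scalar(*parts):
    """Hash function onto Z_q (SHA-256 over the encoded inputs; an assumption)."""
    data = b"|".join(repr(x).encode() for x in parts)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q

def keygen():
    x = secrets.randbelow(Q - 1) + 1
    return x, mul(x, G)

def sign(x, pk, pid, msg, ts):
    """Schnorr-style signature (R, s) binding pid, msg, ts and pk."""
    k = secrets.randbelow(Q - 1) + 1
    r = mul(k, G)
    h = hash_to_scalar(pid, msg, ts, pk, r)
    return (pid, msg, ts, pk, r, (k + h * x) % Q)

def is_fresh(tup, now, max_skew=300):
    """Step (1): pseudo identity (name, expiry) still valid, timestamp fresh."""
    pid, _, ts, _, _, _ = tup
    return pid[1] >= now and abs(now - ts) <= max_skew

def verify_single(tup, now):
    if not is_fresh(tup, now):
        return False
    pid, msg, ts, pk, r, s = tup
    h = hash_to_scalar(pid, msg, ts, pk, r)
    return mul(s, G) == add(r, mul(h, pk))

def verify_batch(msgs, now, l=0):
    """Check (sum v_i*s_i)*G == sum v_i*(R_i + h_i*pk_i) over the batch.
    l == 0 is plain summation (all v_i = 1); l > 0 draws random v_i in
    [1, 2^l], i.e. the small exponent test of [14, 16]."""
    if not all(is_fresh(t, now) for t in msgs):
        return False
    lhs, rhs = 0, O
    for pid, msg, ts, pk, r, s in msgs:
        v = secrets.randbelow(2**l) + 1 if l else 1
        h = hash_to_scalar(pid, msg, ts, pk, r)
        lhs = (lhs + v * s) % Q
        rhs = add(rhs, mul(v, add(r, mul(h, pk))))
    return mul(lhs, G) == rhs

def demo(now=1_700_000_000):
    """Constructed batch of three honest messages, then one altered in transit."""
    batch = []
    for i in range(3):
        x, pk = keygen()
        pid = (f"PID-{i}", now + 3600)          # constructed pseudo identity
        batch.append(sign(x, pk, pid, f"speed=60;lane={i}", now - i))
    honest = all(verify_single(t, now) for t in batch)
    pid, msg, ts, pk, r, s = batch[1]
    forged = batch[:1] + [(pid, "speed=0;lane=1", ts, pk, r, s)] + batch[2:]
    bad = [i for i, t in enumerate(forged) if not verify_single(t, now)]
    return (honest, verify_batch(batch, now), verify_batch(batch, now, l=80),
            verify_batch(forged, now, l=80), bad)

if __name__ == "__main__":
    print(demo())   # expected: (True, True, True, False, [1])
```

Running demo() shows that a batch of honest messages passes both the plain-summation check and the small exponent test, that a message whose content was altered in transit makes the batch check fail, and that falling back to single verification localizes the bad index. The random l-bit multipliers are what make the batch check sound: with plain summation, several invalid signatures whose verification errors cancel in the sum would be accepted together, whereas with random v_i such a batch passes with probability at most 2^-l, which is why l can be a small constant such as 80.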
5. Security Proof and Analysis
In this section, the security analysis of the proposed CCPPA scheme for VANETs is provided. We describe the security model and prove the security of the proposed scheme in the random oracle model. Then, the security requirements met by the proposed scheme are evaluated and compared with those of the schemes in [22, 25, 27, 30, 31].
5.1. Security Model
According to certificateless cryptography [32, 38–41], there are two types of adversaries with different capabilities: a Type I adversary  and a Type II adversary . The adversary  models an outside adversary and acts as a malicious third party, while the adversary  models an inside adversary and serves as a malicious-but-passive KGC.
(i) Type I adversary . The adversary  cannot access the master key but has the ability to replace the vehicle’s public key with a value chosen by itself.
(ii) Type II adversary . The adversary  can access the master key but cannot replace the vehicle’s public key.
The following queries can be made by the adversaries  and .
(i) Hash queries. Given a query, output a random value.
(ii) Create vehicle queries. Given a query on the pseudo identity  of the vehicle, output the vehicle’s public key .
(iii) Partial private key queries. Given a query on the pseudo identity  of the vehicle, output the vehicle’s partial private key .
(iv) Secret value queries. Given a query on the pseudo identity  of the vehicle, output the vehicle’s secret value  if the public key has not been replaced; otherwise, output the symbol .
(v) Vehicle public key replacement queries. Given a query on the pseudo identity  of the vehicle and a new public key , replace the corresponding vehicle’s public key  with the new public key .
(vi) Sign queries. Given a query on the traffic-related message  under , output a signature .
The security of the proposed CCPPA scheme is defined by the following two interaction games: Game 1 and Game 2 between the adversary or and a challenger .
Game 1. Security against the Adversary . This game is played between the adversary  and the challenger  for the proposed CCPPA scheme as follows:
(i) Initialization. The challenger  runs the System Initialization algorithm to generate the master key  and the system parameters . Then  returns  to .
(ii) Queries. The adversary  can adaptively issue  and create vehicle, partial private key, secret value, vehicle public key replacement, and sign queries to .
(iii) Forgery. Eventually,  outputs the signature  on  under  such that
(a)  is a valid signature on  under .
(b)  has not been requested in any of the sign queries.
(c)  has not been requested in any of the secret value queries or the partial private key queries.
The probability that the adversary  wins Game 1 is defined as .
Definition 1. A CCPPA scheme for VANETs is secure against Type I adversary if is negligible.
Game 2. Security against the Adversary . This game is played between the adversary  and the challenger  for the proposed CCPPA scheme as follows:
(i) Initialization. The challenger  runs the System Initialization algorithm to generate the master key  and the system parameters . Then  returns the master key  and  to .
(ii) Queries.  can adaptively issue , create vehicle, secret value, and sign queries to . Note that  does not need to issue any partial private key queries, because it knows the master key and is able to compute the partial private keys of any vehicle.  also cannot replace any public keys of the vehicles.
(iii) Forgery. Eventually,  outputs the signature  on  under  such that
(a)  is a valid signature on  under .
(b)  has not been requested in any of the sign queries.
The probability that the adversary  wins Game 2 is defined as .
Definition 2. A CCPPA scheme for VANETs is secure against Type II adversary if is negligible.
5.2. Provable Security
Theorem 1. The proposed CCPPA scheme for VANETs is existentially unforgeable under the ECDL assumption in the random oracle model.
Proof. This theorem is proved based on Lemma 1 and Lemma 2.
Lemma 1. The proposed CCPPA scheme for VANETs is existentially unforgeable against a Type I adversary under the ECDL assumption in the random oracle model.
Proof. Assume that a polynomially bounded Type I adversary  can break our proposed scheme with probability ε in time t. Then there exists an algorithm  that can compute x with non-negligible probability when given a random ECDL problem instance . The algorithm  runs  as a subroutine, acts as the challenger in Game 1, and interacts with  as described below.
Initialization. The algorithm  sets  and sends the system parameters  to . Here, the hash functions  are treated as random oracles in the proof.
To keep the consistency and rapidly response, maintains the initially empty lists as follows:(i) list . This list consists of tuples .(ii) list . This list consists of tuples .(iii) list . This list consists of tuples .(iv) list . This list consists of tuples .(v). This list consists of tuples . Queries. Suppose submits a query on , checks the list and executes as follows:(i)If the list includes , responds with previous value to .(ii)If the list does not include , chooses a random number , adds in and returns to . Queries. Suppose submits a query on , checks the list and executes as follows:(i)If the list includes , responds with previous value to .(ii)If the list does not include , chooses a random number , adds in , and returns to . Queries. Suppose submits a query on , checks the list , and executes as follows:(i)If the list includes , responds with previous value to .(ii)If the list does not include , chooses a random number , adds in , and returns to . Queries. Suppose submits a query on , checks the list , and executes as follows:(i)If the list includes , responds with previous value to .(ii)If the list does not include , chooses a random number , adds in , and returns to .Create Vehicle Queries. Suppose submits a public key query on a pseudo identity of the vehicle, checks the list and executes as follows:(i)If the list includes , responds with previous value to .(ii)If the list does not include , randomly chooses , and computes . Finally, returns to , and inserts to .Partial Private Key Queries. Suppose submits a partial private key query on a pseudo identity of the vehicle, checks the list , and executes as follows:(i)If the list includes , responds with previous value to .(ii)If the list does not include , picks random numbers , and sets and . Finally, returns to , and inserts and to and , respectively.Secret Value Queries. 
Suppose submits a secret value query on a pseudo identity of the vehicle, checks the list , and executes as follows: (i)If the list includes , responds with previous value to .(ii)If the list does not include , makes a create vehicle query itself to generate . Finally, returns to and inserts to .Vehicle Public Key Replacement Queries. Suppose submits a public key replacement query on , checks the list , and executes as follows:(i)If the list includes , sets and and updates to .(ii)If the list does not include , sets and and inserts to .Sign Queries. Suppose submits a sign query on , firstly conducts a partial private key query itself to generate . chooses a random value and computes . If the tuple including already appear on the list , picks another , and tries again. Finally, returns to .
Forgery. outputs a valid signature on under . Based on the Forking Lemma [42], can obtain another valid signature on under by replaying procedure with the same random tape but a different choice of . Then we haveFollowing equations (9) and (10), we can obtainFinally, outputs , which is the solution to the ECDL problem.
After completing the above simulation, we will analyze the probability and time of to solve the ECDL problem instance.
Assuming that can make at most times queries, times create vehicle queries, times partial private key queries, times secret value queries, times vehicle public key replacement queries, and times sign queries.
The probability of failure in handling a partial private key query resulted from a conflict on is at most . The probability of failure in handling a sign query caused by a conflict on is at most . In addition, the probability of outputs a valid forgery without asking the corresponding is at most . guesses it correctly as the point of rewind, with probability at least . Therefore, the probability of success of to solve the ECDL problem is at least .
The running time of is equal to the running time of plus the time it takes to respond to create vehicle queries, partial private key queries, secret value queries, and sign queries. Each create vehicle query requires 1 scale multiplication operation in . Each partial private key query requires 2 scale multiplication operations in . Each secret value query requires 1 scale multiplication operation in . Each sign query requires 2 scale multiplication operations in . Assuming that each scale multiplication in needs time , the total running time of is at most .
Lemma 2. The proposed CCPPA scheme for VANETs is existentially unforgeable against a Type II adversary under the ECDL assumption in the random oracle model.
Proof. Suppose a polynomially bounded Type II adversary breaks the proposed scheme with probability ε in time t. Then there exists an algorithm that, given a random ECDL problem instance , computes x with non-negligible probability. runs as a subroutine, acts as the challenger in Game 2, and interacts with as described below.
Initialization. The algorithm randomly chooses and sets , then sends the master key θ and the system parameters to . Note that holds the master key and therefore does not need to issue partial private key queries. As in Lemma 1, maintains the lists , , , and , and additionally keeps an initially empty list .
Hash , , , Queries. These are answered exactly as in Lemma 1.
Create Vehicle Queries. Suppose submits a public key query on a pseudo identity of the vehicle. checks the list and proceeds as follows:
(i) If the list includes , responds to with the previously stored value.
(ii) Otherwise, following Coron’s technique [43], tosses a coin that yields 1 with probability and 0 with probability δ, and randomly chooses a value . If , sets ; if , sets . Finally, returns to and inserts into .
Secret Value Queries. Suppose submits a secret value query on a pseudo identity of the vehicle. checks the list and proceeds as follows:
(i) If the list includes : if , halts; if , responds to with the previously stored value.
(ii) Otherwise, submits a create vehicle query itself and inserts into . If , halts; if , returns to .
Sign Queries. These are answered exactly as in Lemma 1.
Forgery. outputs a valid signature on under . By the Forking Lemma [42], can obtain another valid signature on under by replaying the process with the same random tape but a different choice of . Then we have equations (12) and (13). checks the ; if , aborts; if , then x can be solved from equations (12) and (13). Finally, outputs , which is the solution to the ECDL problem instance.
As in Lemma 1, the probability and running time of are analyzed as follows.
Assume that makes at most queries, create vehicle queries, secret value queries, and sign queries.
The probability that fails to handle a sign query because of a conflict on is at most . In the secret value queries and the forgery phase, the probability of success is by Coron’s technique [43]; at the optimal choice , this is greater than . The probability that outputs a valid forgery without having asked the corresponding , , or query is at most . guesses the point of rewind correctly with probability at least . Therefore, the probability that solves the ECDL problem is at least .
The running time of equals the running time of plus the time needed to answer the create vehicle, secret value, and sign queries. Each create vehicle query requires one scalar multiplication in . Each secret value query requires one scalar multiplication in . Each sign query requires two scalar multiplications in . Assuming that each scalar multiplication in takes time , the total running time of is at most .
5.3. Analysis and Comparison of Security Requirements
An evaluation on the security of the proposed scheme as well as its comparison with other schemes is conducted in this subsection.
Message Authentication. By Theorem 1, no polynomial-time adversary can forge a valid signature, under the assumption that the ECDL problem is hard. By checking whether equation (6) holds, a verifier (RSU) can confirm the validity and integrity of a message . Therefore, message authentication is ensured in the proposed CCPPA scheme.
Identity Privacy Preserving. In the proposed scheme, the vehicle broadcasts the message , by and , where the real identity of the vehicle is hidden in the random pseudo identity . To extract the real identity of vehicle , an adversary would have to compute . Without knowing and t this is infeasible, since obtaining amounts to solving an instance of the ECCDH problem . Hence, no adversary can obtain the real identity of the vehicle, even if it knows the pseudo identity . Therefore, identity privacy preserving is ensured in the proposed CCPPA scheme.
Traceability. The real identity of the vehicle is embedded in the pseudo identity , where , , , and . By computing and , the TRA can extract the real identity using its own master key t. Therefore, the proposed CCPPA scheme satisfies traceability.
Unlinkability. In the proposed scheme, the TRA, the KGC, and the vehicle randomly select , and , respectively, and generate a message , where , , , , , , and . Owing to the randomness of , , and , no adversary can link two messages sent by the same vehicle, or two anonymous pseudo identities, to each other. Therefore, the proposed CCPPA scheme achieves unlinkability.
Role Separation. There are two trusted authorities in the proposed scheme, the KGC and the TRA. The real identity of a vehicle can be revealed only by the TRA; not even the KGC is able to do so. The tracing key t must therefore be strongly protected to preserve vehicle anonymity, for which threshold cryptography [44] is a suitable candidate. The master key s of the KGC need not be protected as strongly, because knowing s alone, without the vehicle’s secret value, does not allow an adversary to generate a valid message under .
Key Escrow Resilience. In the proposed scheme, the private key of the vehicle consists of the secret value and the partial private key . The vehicle computes the secret value itself, and the KGC has no access to it. Hence, a malicious KGC cannot impersonate a vehicle and generate a valid signature without knowing the secret value . Key escrow resilience is therefore satisfied in the proposed CCPPA scheme.
Resistance to Attacks. The proposed CCPPA scheme resists the main security attacks on VANETs as follows:
(i) Replay attack. A replay attack fraudulently repeats valid messages. In the proposed scheme, the timestamp is included in the message . By checking the freshness of , the verifier (RSU) can detect and reject replayed messages.
(ii) Modification attack. In the proposed CCPPA scheme, the digital signature on the traffic-related message under is the tuple . By Theorem 1, a message modified by an adversary cannot satisfy equation (6).
(iii) Impersonation attack. To launch an impersonation attack, an adversary must generate a fake message that satisfies equation (6). By Theorem 1, the probability that a forged message satisfies equation (6) is negligible.
(iv) Man-in-the-middle attack. Following the analysis of message authentication and the modification attack, any modification of a message in transit is detected by verifying equation (6).
Table 2 shows the security comparisons of the proposed scheme with related schemes in [22, 25, 27, 30, 31], in which ✔ indicates “satisfy” and ✘ means “not satisfy”.

According to Table 2, He et al.’s scheme [22], Lo and Tsai’s scheme [25], and Wu et al.’s scheme [27] do not provide key escrow resilience: a vehicle’s private key is generated entirely by the KGC, so a KGC that is not fully trusted can impersonate any legitimate vehicle at will. Assuming a fully trusted KGC in order to avoid the key escrow problem is a strong assumption in VANETs. In addition, Horng et al.’s scheme [30] does not achieve message authentication and cannot resist the modification, impersonation, and man-in-the-middle attacks. In contrast, the proposed scheme satisfies all of the security requirements. Therefore, the proposed scheme offers better security than the schemes in [22, 25, 27, 30].
6. Performance Evaluation and Simulation
In this section, the computation delay and communication overhead of the proposed CCPPA scheme are compared with those of the identity-based CPPA schemes [22, 25, 27] and the certificateless CCPPA schemes [30, 31]. In addition, an extensive simulation is performed using the ns-3.26 simulator [45] and the Simulation of Urban MObility (SUMO) [46]. ns-3.26 is used for the wireless network simulation, and SUMO, a traffic simulation tool, provides a realistic traffic mobility model. The simulations evaluate the average message delay and the average message loss ratio in a realistic scenario.
6.1. Computation Delay
The computation delay of message signing and message verification is evaluated. To estimate the computation complexity, the time costs of the cryptographic operations are defined as follows. Let be the time of a bilinear pairing operation and the time of a map-to-point hash operation. The times of a scalar multiplication in the bilinear pairing group and in the ECC group are denoted and , respectively. Because the multipliers used in batch verification are very small, their cost is negligible; they must nevertheless be chosen fresh and at random by the verifier, since with fixed multipliers an adversary could submit individually invalid signatures whose errors cancel in the batch sum. Other lightweight operations (one-way hash function and point addition) are not taken into account.
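Two steps on this page become concrete with a worked example: the rewinding argument in the proofs of Lemmas 1 and 2 (Section 5.2), where the challenger replays the adversary with the same random tape but a different hash answer and then solves for the discrete logarithm, and the batch verification with small multipliers whose cost is counted in this subsection. The Python below is an added illustration, not the paper’s scheme or code. It uses a plain Schnorr-type signature over secp256k1 (the curve, the hash, the message format and the sample payloads are all assumptions made for the example), so its operation counts differ from Table 4, but the extraction step and the batch check are the same mechanisms. It also shows the failure case behind the caveat on the multipliers: two individually invalid signatures whose errors cancel pass a batch check that uses fixed multipliers and fail one that uses random ones.

```python
import hashlib
import secrets

# secp256k1 domain parameters (a real curve, used here only to make the arithmetic realistic)
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
INF = None  # point at infinity

def ec_add(A, B):
    """Affine point addition on y^2 = x^3 + 7 over F_P."""
    if A is INF:
        return B
    if B is INF:
        return A
    (x1, y1), (x2, y2) = A, B
    if x1 == x2 and (y1 + y2) % P == 0:
        return INF
    if A == B:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def ec_mul(k, A):
    """Double-and-add scalar multiplication (demo only: not constant time)."""
    R = INF
    k %= N
    while k:
        if k & 1:
            R = ec_add(R, A)
        A = ec_add(A, A)
        k >>= 1
    return R

def H(*parts):
    """SHA-256 reduced mod N; stands in for the random oracle of the proof."""
    return int.from_bytes(hashlib.sha256("|".join(map(str, parts)).encode()).digest(), "big") % N

def keygen():
    x = secrets.randbelow(N - 1) + 1
    return x, ec_mul(x, G)

def sign(x, X, msg, r=None, h=None):
    """Schnorr-type signature (R, s), s = r + h*x. Fixing r and h emulates rewinding."""
    r = r if r is not None else secrets.randbelow(N - 1) + 1
    R = ec_mul(r, G)
    h = h if h is not None else H(R, X, msg)
    return R, (r + h * x) % N

def verify(X, msg, sig):
    R, s = sig
    return ec_mul(s, G) == ec_add(R, ec_mul(H(R, X, msg), X))

def extract_ecdl(X, sig1, h1, sig2, h2):
    """Forking step: same R, different oracle answers, so s1 - s2 = (h1 - h2) * x."""
    (R1, s1), (R2, s2) = sig1, sig2
    assert R1 == R2 and h1 != h2
    x = (s1 - s2) * pow(h1 - h2, -1, N) % N
    assert ec_mul(x, G) == X
    return x

def batch_verify(items, small_bits=80, multipliers=None):
    """Batch check of (X_i, msg_i, sig_i): (sum v_i s_i) G == sum v_i (R_i + h_i X_i)."""
    v = multipliers or [secrets.randbits(small_bits) | 1 for _ in items]
    lhs, rhs = 0, INF
    for v_i, (X, msg, (R, s)) in zip(v, items):
        lhs = (lhs + v_i * s) % N
        rhs = ec_add(rhs, ec_mul(v_i, ec_add(R, ec_mul(H(R, X, msg), X))))
    return ec_mul(lhs, G) == rhs

def cancelling_pair(items, delta=12345):
    """Constructed failure case: two invalid signatures whose errors +delta/-delta cancel."""
    (X1, m1, (R1, s1)), (X2, m2, (R2, s2)) = items[:2]
    return [(X1, m1, (R1, (s1 + delta) % N)), (X2, m2, (R2, (s2 - delta) % N))]

def demo():
    # 1. Rewinding: fixed r (same random tape), two different oracle answers h1 != h2.
    x, X = keygen()
    msg = "brake-warning;lane=2;ts=1700000000"            # constructed payload
    r = secrets.randbelow(N - 1) + 1
    R = ec_mul(r, G)
    h1, h2 = H(R, X, msg), H(R, X, msg, "forked-run")
    assert extract_ecdl(X, sign(x, X, msg, r, h1), h1, sign(x, X, msg, r, h2), h2) == x
    # 2. Batch check over messages signed under distinct (pseudonymous) keys.
    items = []
    for i in range(4):
        xi, Xi = keygen()
        mi = f"beacon;vehicle={i};ts={1700000000 + i}"   # constructed payload
        items.append((Xi, mi, sign(xi, Xi, mi)))
    assert all(verify(Xi, mi, si) for Xi, mi, si in items) and batch_verify(items)
    bad = cancelling_pair(items)
    assert not any(verify(Xi, mi, si) for Xi, mi, si in bad)
    assert batch_verify(bad, multipliers=[1, 1])   # fixed multipliers: forgeries slip through
    assert not batch_verify(bad)                   # random small multipliers: rejected
    return True
```

Calling `demo()` runs both parts: `extract_ecdl` returns the signing key from the two forked signatures, the honest batch verifies, and the cancelling pair is accepted only when every multiplier is 1. The batch check costs two full-length scalar multiplications per message plus one for the generator, which is the linear-in-n pattern of Table 4; the 80-bit multipliers add a negligible amount of work on top of that, which is the point made in the paragraph above, and their randomness is what makes the cancelling pair fail.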
For the proposed CCPPA scheme, He et al.’s scheme [22], Lo and Tsai’s scheme [25], and Wu et al.’s scheme [27], the ECC at the 80-bit security level is set up as follows: is an additive group of order q generated by a point P on a non-singular elliptic curve , where , b is a random 160-bit prime number, and p and q are two 160-bit prime numbers. For the CCPPA schemes in [30, 31], the symmetric bilinear pairing at the 80-bit security level is constructed as follows: , where is an additive group of order q generated by P on a supersingular elliptic curve with embedding degree 2, p is a 512-bit prime number, and q is a 160-bit Solinas prime number satisfying .
To measure the running times of the cryptographic operations, the MIRACL Crypto SDK [47] is used. The experiment is performed on an Intel Core i5-4590 3.3 GHz CPU with 8 GB of memory running Windows 7. The average execution times of , , , and are listed in Table 3.

Based on the experiment results, the computation delay of the proposed CCPPA scheme, He et al.’s scheme [22], Lo and Tsai’s scheme [25], Wu et al.’s scheme [27], Horng et al.’s scheme [30], and Li et al.’s scheme [31] are summarized and shown in Table 4.

In terms of the computation delay of signing one message, He et al.’s scheme [22], Lo and Tsai’s scheme [25], and Wu et al.’s scheme [27] require two scalar multiplication operations in ECC, so the signing time is 2 = 1.6620 ms. Horng et al.’s scheme [30] requires two scalar multiplication operations in the bilinear pairing group, so the signing time is 2 = 7.5540 ms. Li et al.’s scheme [31] requires two scalar multiplication operations in the bilinear pairing group and one map-to-point hash operation, so the signing time is 2 + = 17.2592 ms. The proposed scheme requires three scalar multiplication operations in ECC, so the signing time is 3 = 2.4930 ms.
In terms of the computation delay of verifying one message, He et al.’s scheme [22] and Lo and Tsai’s scheme [25] require three scalar multiplication operations in ECC, so the verification time is 3 = 2.4930 ms. Wu et al.’s scheme [27] requires four scalar multiplication operations in ECC, so the verification time is 4 = 3.3240 ms. Horng et al.’s scheme [30] requires three bilinear pairing operations, one scalar multiplication operation in the bilinear pairing group, and one map-to-point hash operation, so the verification time is 3 + + = 40.7195 ms. Li et al.’s scheme [31] requires three bilinear pairing operations, one scalar multiplication operation in the bilinear pairing group, and two map-to-point hash operations, so the verification time is 3 + + 2 = 50.4247 ms. The proposed scheme requires four scalar multiplication operations in ECC, so the verification time is 4 = 3.3240 ms.
The computation delay of one message and its dependence on the number of messages (n) are shown in Figure 3. As Table 4 and Figure 3(a) show, the signing delay of one message in the proposed scheme is 2.4930 ms, a decrease of 66.9% and 85.5% compared with Horng et al.’s scheme [30] and Li et al.’s scheme [31], respectively. The verification delay of one message in the proposed scheme is 3.3240 ms, a decrease of 91.8% and 93.4% compared with Horng et al.’s scheme [30] and Li et al.’s scheme [31], respectively.
Figure 3. Computation delay: (a) one message; (b) signing of n messages; (c) verification of n messages.
The computation delay of signing n messages is n times the delay of signing one message. Therefore, the signing delays of n messages in the proposed scheme, He et al.’s scheme [22], Lo and Tsai’s scheme [25], Wu et al.’s scheme [27], Horng et al.’s scheme [30], and Li et al.’s scheme [31] are 2.4930n ms, 1.6620n ms, 1.6620n ms, 1.6620n ms, 7.5540n ms, and 17.2592n ms, respectively. For the verification of n messages, He et al.’s scheme [22] and Lo and Tsai’s scheme [25] require () scalar multiplication operations in ECC, so the verification time is () = 0.8310n + 1.6620 ms. Wu et al.’s scheme [27] requires () scalar multiplication operations in ECC, so the verification time is () = 1.6620n + 1.6620 ms. Horng et al.’s scheme [30] requires three bilinear pairing operations, n scalar multiplication operations in the bilinear pairing group, and n map-to-point hash operations, so the verification time is 3 + + = 13.4822n + 27.2373 ms. Li et al.’s scheme [31] requires three bilinear pairing operations, n scalar multiplication operations in the bilinear pairing group, and () map-to-point hash operations, so the verification time is 3 + + = 13.4822n + 36.9425 ms. The proposed scheme requires () scalar multiplication operations in ECC, so the verification time is () = 1.6620n + 1.6620 ms.
As shown in Figures 3(b) and 3(c), the signing and verification delays of all schemes grow linearly with the number of messages, and the proposed scheme has the lowest slope among the CCPPA schemes [30, 31]. Figure 3(c) shows that the verification delays of the schemes in [22, 25, 27, 30, 31] and of the proposed scheme are 9.9720 ms, 9.9720 ms, 18.2820 ms, 162.0593 ms, 171.7645 ms, and 18.2820 ms, respectively, when n = 10, and 51.5220 ms, 51.5220 ms, 101.3830 ms, 836.1693 ms, 845.8745 ms, and 101.3830 ms when n = 60. The proposed scheme thus achieves the lowest verification delay among the CCPPA schemes as the number of messages grows.
Therefore, the proposed scheme is far more efficient than the other CCPPA schemes [30, 31] in both signing and verification, regardless of the number of messages, and is better suited to VANETs. The proposed CCPPA scheme is slightly less efficient than He et al.’s scheme [22], Lo and Tsai’s scheme [25], and Wu et al.’s scheme [27]. This overhead is acceptable, since the proposed scheme is certificateless and provides key escrow resilience, which the schemes in [22, 25, 27] do not.
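As an added check that is not part of the paper, the following Python recomputes the Table 4 totals from the per-operation costs that can be read off this subsection (T_ECC = 0.8310 ms, T_BPMUL = 3.7770 ms, T_MTP = 9.7052 ms; Table 3 itself is not reproduced on this page, so the pairing cost is derived from 3T_BP = 27.2373 ms) and from the operation counts stated in the text. It then derives a figure the text does not state: the largest batch an RSU can verify inside one 300 ms beacon interval, the interval used in the simulations of Section 6.3, under the assumption that the RSU verifies one batch per interval and spends the whole interval on verification. The scheme labels and the `rsu_capacity` model are this example’s own.

```python
# Per-operation costs (ms) as quoted in Section 6.1; T_BP is derived from 3*T_BP = 27.2373.
T_ECC = 0.8310       # scalar multiplication in the ECC group
T_BPMUL = 3.7770     # scalar multiplication in the bilinear pairing group
T_MTP = 9.7052       # map-to-point hash
T_BP = 27.2373 / 3   # bilinear pairing (derived, since Table 3 is not on the page)

# scheme -> (signing delay of one message, batch-verification delay of n messages)
# Operation counts are the ones stated in the text; labels are this example's own.
SCHEMES = {
    "He [22]":      (2 * T_ECC,           lambda n: (n + 2) * T_ECC),
    "Lo-Tsai [25]": (2 * T_ECC,           lambda n: (n + 2) * T_ECC),
    "Wu [27]":      (2 * T_ECC,           lambda n: (2 * n + 2) * T_ECC),
    "Horng [30]":   (2 * T_BPMUL,         lambda n: 3 * T_BP + n * (T_BPMUL + T_MTP)),
    "Li [31]":      (2 * T_BPMUL + T_MTP, lambda n: 3 * T_BP + n * T_BPMUL + (n + 1) * T_MTP),
    "proposed":     (3 * T_ECC,           lambda n: (2 * n + 2) * T_ECC),
}

def sign_delay(scheme, n=1):
    """Signing n messages costs n times the single-message delay (ms)."""
    return n * SCHEMES[scheme][0]

def verify_delay(scheme, n=1):
    """Batch-verification delay for n messages (ms); n = 1 is single verification."""
    return SCHEMES[scheme][1](n)

def reduction_pct(scheme, baseline, op="verify", n=1):
    """Percentage by which `scheme` is cheaper than `baseline` for the given operation."""
    f = verify_delay if op == "verify" else sign_delay
    return 100.0 * (1 - f(scheme, n) / f(baseline, n))

def rsu_capacity(scheme, interval_ms=300.0):
    """Largest batch an RSU can verify within one beacon interval (assumption: one
    batch per interval, with the whole interval available for verification)."""
    n = 0
    while verify_delay(scheme, n + 1) <= interval_ms:
        n += 1
    return n

def report(n=60):
    """Signing delay, verification delay (ms) at batch size n, and per-interval capacity."""
    return {s: (round(sign_delay(s, n), 4), round(verify_delay(s, n), 4), rsu_capacity(s))
            for s in SCHEMES}
```

`report()` reproduces the n = 60 column of the text and adds the capacity figure: with the 300 ms beacon interval of Table 6, the ECC-based batch formulas allow an RSU to clear well over a hundred messages per interval, whereas the pairing-based formulas of [30, 31] allow only about twenty, which is the regime in which message loss would be expected to appear in the simulations.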
6.2. Communication Cost
In this subsection, the proposed scheme is compared with He et al.’s scheme [22], Lo and Tsai’s scheme [25], Wu et al.’s scheme [27], Horng et al.’s scheme [30], and Li et al.’s scheme [31] in terms of communication cost. In V2I communication, the communication cost is the size of the message transmitted from a vehicle (OBU) to an RSU. As in the preceding analysis, the length of p is 512 bits (64 bytes) and that of q is 160 bits (20 bytes), so the lengths of elements of and are 64 bytes and 20 bytes, respectively. The output length of a general one-way hash function is assumed to be 160 bits (20 bytes), and the length of a timestamp 32 bits (4 bytes). According to the IEEE Trial-Use standard [48] for VANET security, the length of a message is defined as 67 bytes. Table 5 compares the communication costs.
In He et al.’s scheme [22], the message is sent from the vehicle to an RSU, where , , , and is the timestamp. Thus, the communication cost of He et al.’s scheme is 155 bytes as
In Lo and Tsai’s scheme [25], the message is sent from the vehicle to an RSU, where , , and is the timestamp. Thus, the communication cost of Lo and Tsai’s scheme is 175 bytes as
In Wu et al.’s scheme [27], the message is sent from the vehicle to an RSU, where , , , and is the timestamp. Thus, the communication cost of Wu et al.’s scheme is 175 bytes as
In Horng et al.’s scheme [30] and Li et al.’s scheme [31], the message is sent from the vehicle to an RSU, where , , , and is the timestamp. Thus, the communication cost of these two schemes is 351 bytes as
In the proposed scheme, the message is sent from the vehicle to an RSU, where is the same as in [22]. Thus, the communication cost of the proposed scheme is 195 bytes as
The communication costs of one message and of multiple messages are compared in Figure 4. The communication costs of all six schemes grow linearly with the number of messages. The ID-based schemes [25, 27] have identical communication costs, as do the certificateless schemes [30, 31], for one message and for multiple messages alike. Among the CCPPA schemes, the proposed scheme has the lowest communication cost, a reduction of 44.44%. When the number of messages rises to 30 000, the proposed scheme saves 4.46 MB of bandwidth compared with the schemes in [30, 31]. The communication cost of the proposed scheme is slightly larger than that of He et al.’s scheme [22], Lo and Tsai’s scheme [25], and Wu et al.’s scheme [27], because the proposed scheme is certificateless and the vehicle’s public key must additionally be transmitted.
Figure 4. Communication cost: (a) one message; (b) multiple messages.
6.3. Simulations
The popular network simulator ns-3.26 [45] on an Ubuntu platform is adopted to evaluate the performance of the proposed CCPPA scheme in comparison with He et al.’s scheme [22], Lo and Tsai’s scheme [25], Wu et al.’s scheme [27], Horng et al.’s scheme [30], and Li et al.’s scheme [31]. In addition, the road traffic simulator SUMO [46] is used to generate a realistic traffic mobility trace for the road scenario shown in Figure 5.
In our road scenario, the RSUs are assigned every 500 m along each road, and each vehicle broadcasts trafficrelated messages every 300 ms. The vehicles are distributed at random on the road and move toward randomly selected intersections. The important simulation parameters are summarized in Table 6.

Generally, the average message delay