Mathematical and Computational Topics in Design StudiesView this Special Issue
Research Article | Open Access
Mei-Wen Huang, Hsin-Te Wu, Gwo-Jiun Horng, Wen-Shyong Hsieh, "Using BDH for the Message Authentication in VANET", Mathematical Problems in Engineering, vol. 2014, Article ID 231976, 13 pages, 2014. https://doi.org/10.1155/2014/231976
Using BDH for the Message Authentication in VANET
The transport message security provided by vehicles in VANETs is quite important; vehicle message should be real-time and it will be not complicated to validate message calculation. The method proposed in the essay is mainly to validate the identity by means of Bilinear Diffie-Hellman method, and make vehicles validate the authenticity of RSU and TA’s identity and the effectiveness of key. RSU and TA only need to validate vehicle identity, without helping vehicles produce any key. When vehicle identity validation is completed, vehicles will produce public value and transmit it to other RSU and vehicles, while other vehicles could validate the identity through the message from the sender and public value from RSU. The advantages of the method proposed in this essay are listed as follows. (1) Vehicles, RSU, and TA can validate mutual identities and the effectiveness of keys. (2) Vehicles can produce public value functions automatically, thus reducing key control risks. (3) Vehicles do not need to show certificates to validate their identities, preventing the certificates from attacking because of long-term exposure. (4) Vehicles adopt a pseudonym ID challenge to validate their own identities during the process of handoff. (5) Vehicle messages can be validated using the Bilinear Diffie-Hellman (BDH) method without waiting for the RSU to validate messages, thus improving the instantaneity of messaging. The method proposed in the essay can satisfy source authentication, message integrity, nonrepudiation, privacy, and conditional untraceability requirements.
Especially VANET receives special attention in terms of traffic security and traffic management [1, 2]. In order to reach the demand of vehicle security, vehicles often broadcast traffic related message among themselves (vehicle position, speed, traffic accidents, and so on) and other services , which could reduce traffic jams and dangerous road sections and improve the driving security. VANET usually has two message transmission modes: message broadcast mode, through which vehicles could make other vehicles nearby know the traffic condition in the neighborhood; one hop message transmission, through which vehicles could transmit message to the designated vehicle and which is mainly used for private communication among vehicles.
The essay mainly investigates message security and integral security system layout in VANET, which aims at vehicles’ safety on road. Each vehicle could use broadcast mode and inform other vehicles of the traffic condition nearby, so as to avoid traffic jam and improve driving efficiency. They could also use private communication and RSU or TA (trusted authority) for updating. Assume this message was maliciously attacked or forged, it would cause vehicle collision or traffic jam; so message integrity and source authentication is the important key.
The method proposed in the essay is based on RSU. Suppose that each main road was provided with RSU and secondary roads were not. In the whole system framework, TA utilizes Bilinear Diffie-Hellman to generate public/private key and other parameters of its own and RSU, where the effective time of key is added, so TA and RSU is forced to change key regularly and improve system security and all vehicles could validate the legality of RSU through public key and other parameters of RSU and by means of Bilinear Diffie-Hellman.
We adopt two-level pseudonym method; that is to say, vehicles have the first-level pseudonym ID in TA and the second-level pseudonym ID in RSU. There is no relationship between the two levels of pseudonym ID in terms of original generation modes, which avoids RSU maliciously conspiring and tracing vehicles. TA and RSU are only responsible for validating vehicle identity, not for the vehicle broadcast message. After the identity authentication of vehicles and RSU, vehicles would transmit public value to RSU, which will then send the public value to each RSU and vehicle, so when a vehicle is broadcasting message, all vehicles could validate the message integrity through the method of Bilinear Diffie-Hellman, without using RSU. Meanwhile, the calculation of Bilinear Diffie-Hellman signatures is not very complicated and the key of Bilinear Diffie-Hellman signatures for vehicles is different each time, so it is unable to get forged and attacked.
During the process of handoff, vehicles adopt pseudonym ID challenge method to validate their own identities, which only need communicate pseudonym generation mode with the next RSU. As only vehicles and RSU know the pseudonym generation mode, if the challenge is successful, the identities could be validated mutually, so as to reduce the identity validation time when vehicles are handoff. Meanwhile, vehicles have different public values and pseudonym ID in each RSU.
2. Related Works
Public key infrastructure (PKI) method is used in . Suppose that TA issues certificates; each vehicle has private key and certificates have public key relative to private key; when vehicle a is about to communicate with another vehicle b, a will use the public key in b’s certificates to encrypt the message, then a transmits the encrypted message to b, and b decrypts the message through private key. As the certificates are issued by TA, so they are reliable. Provided that b could decrypt the message, the message integrity could be confirmed. Vehicles utilizing PKI for message encrypting and decrypting would improve the calculation complexity and bring great calculation burden during the communication process. In order to protect privacy and not to be traced, certificates must be changed frequently, which will cause burden on TA.
A dynamic privacy-preserving key management scheme for location-based services in VANETs was proposed in . This scheme ensures the anonymous authentication of a vehicle and enables double-registration detection. In addition, each vehicle can use a one-way hash function to update the vehicles new session key. However, the computations for message signature and verification presented in  are complicated, and the author did not investigate a private communication scheme.
In , when vehicles are able to get some network access services from RSU, they must broadcast a message and establish common key with vehicles receiving the message, and then this common key could be utilized to guarantee the security while communicating the message. However, the establishment of common key is got through pairing computation of identity-based cryptography (IBC) , whose calculation is much more complicated than normal computation, and the calculation burden is quite great. The essay does not discuss the problems when vehicles rekey or change pseudonym ID, which is quite important to VANETs, so it is necessary to propose the solutions.
In , an elliptic curve digital signature algorithm (ECDSA) was used for message authentication. The current position information is used together with the ECDSA for signing messages from anonymous IDs. Other vehicles do not require a third-party public key certificate for message authentication. However, the authors did not discuss the problems of rekeying and private communication.
The literature  proposed that a driver can check the status of a road through VANET, the transmission process that utilizes bilinear technology to ensure information security and vehicle privacy. Either a vehicle or an RSU must have identity verification with TA and related key generation. Identity verification utilizes bilinear technology to ensure information security and nonrepudiation. Traditional asymmetric encryption, symmetric encryption, and signature are used for messaging of any unit (vehicle, RSU, or TA). In the literature  TA must constantly change the master secret key of a vehicle or RSU, which results in a heavy computational load of TA, and the messaging using asymmetric encryption will cause the same problem during decryption.
The literature  proposed message batch verification and group message signing and verification for vehicle privacy and information security. Vehicles form a group and each group has a related key for message encryption and decryption. Because the message is sent by a group, it cannot be traced back to a specific vehicle. If a vehicle in the group sends a malicious message, however, it may also be difficult to track down and batch verification will delay real-time messaging.
The literature  primarily involves group message signing improvement. This paper has improved the group message signing performance, but has not discussed private communications between vehicles or the replacement of relevant vehicle parameters. A vehicle is vulnerable to tracking if the relevant parameters are not replaced regularly.
3.1. Bilinear Pairings and Hard Problems
Let and denote an additive and a multiplicative group, and both of them are with prime order . Let be generator of , and let be a bilinear mapping with the following properties.(1)Bilinear: (2)Nondegeneracy: such that . That is, the mapping does not send all pairs in to the identity in .(3)Computable: there exists an efficient algorithm to compute for all .
The bilinear map can be implemented using the Weil  and Tate  pairings on elliptic curves. We consider the implementation of a Tate pairing on a Miyaji-Nakabayashi-Takano (MNT) curve  with embedding degree 6, where is represented by 161 bits and the order is represented by 160 bits.
The following part will define and specify various relevant mathematical problems  which will be applied in the essay subsequently.
Bilinear Diffie-Hellman (BDH) Problem. Given , where , compute .
Elliptic Curve Discrete Logarithm Problem (ECDLP). Given two elements , find an integer , such that .
3.2. Boneh and Franklin’s ID-Based Encryption
We use Boneh and Franklin’s ID-Based Encryption  to encrypt and decrypt message. Let be the system security parameter. Then PKG selects two groups and of prime order q, a bilinear mapping , and a generator of group . PKG also picks a random number as its master key and then selects two distinct hash functions: , . At last, PKG publishes the system parameters and keeps secretly.
Assume there are two users and . User utilizes the public key of User to encrypt message ; the identity of User is , with the public key, private key, and data key being , , and , respectively, and User selects random number randomly. The message encryption process is as follows: where is the encrypted message, User sends the encrypted message to User , and then User utilizes private key for decryption and works out message after receiving the message, with the calculation as follows:
3.3. J. H. Cheon, Y. Kim, and H. J. Yoon’s ID-Based Signature
We use J. H. Cheon, Y. Kim, and H. J. Yoon’s ID-Based Signature  to attain message signatures and the section uses the system parameters PKG publishes in Section 3.2 and keeps secretly. Assume User signatures message and broadcasts it to other users, who then use the public key and data key of User to validate the source and message integrity of signature after receiving signatures. User selects random number at random, with the calculation as follows:
When other users receive , , and , they can utilize the public key and public parameter of User to validate signatures, and the signature validation calculation is as follows:
3.4. Bilinear Diffie-Hellman (BDH) Messages Authentication
The essay applies the features of bilinear pairings hard problems . Though the calculation time increases, it is acceptable if the calculation is reasonable. The method we propose assumes that users select two random numbers and at random, where ; then we calculate public value as follows: Next, we apply them to bilinear pairings, with the calculation as follows:
If users release message , they will first work out , , and through formula (6) and then issue to other users. Other users could validate source and message integrity through formula (8). We utilize hard problems to validate the method’s security. According to ECDLP, we publish and other users cannot get from and know and from and , so users cannot forge message maliciously; according to BDH and , DBDHP feature is utilized to validate message integrity, as shown in formula (8).
4. Proposed Scheme
This chapter would introduce the methods proposed in the essay. Section 4.2 introduces the system installation for the methods in Section 4.2. Section 4.3 introduces registration of vehicles and RSU, creation of vehicles and RSU related tables, and how vehicles carry out handoff at different RSU regions. Section 4.4 describes the message transmission between vehicles and message validation, vehicle message communication between different RSU, and private communication among TA, RSU, and vehicle. Section 4.5 introduces key updating and cancellation of identity between TA and RSU.
4.1. System Model
In system environment, as shown in Figure 1, we assume that the overall environment only has one TA and TA is the legally binding unit mechanism and in charge of controlling the whole network’s security, which will provide the real identities of malicious nodes for legal prosecution when malicious nodes attack. On the one hand, the role of TA takes charge of validating vehicles or RSU’s identities and on the other hand RSU and relevant coefficients are set by TA and RSU is set up on some common traffic facilities, such as traffic lights. TA and RSU are provided with wire/wireless communication. The communication between TA and RSU adopts wire communication, such as backbone. TA, RSU, and vehicles use short distance wireless communication equipment and the communication between RSU and vehicles adopts wireless communication. The parameters used in the method are described in the Notation section.
4.2. System Initialization
The section introduces the system installation of TA, RSU, and vehicles, which need not any certificates and could validate their own identities only by BDH messages authentication. Meanwhile, key sets the effective time, whose effectiveness could be validated any time.
4.2.1. TA System Setup
Suppose the chapter would select five distinct hash functions: , , , , and .
From the beginning, TA would calculate public value to solve public key, private key, and public parameter of TA as follows.(1)Suppose and , where is the valid period of key and is the real ID of TA.(2)The calculation public value () is as follows: (3)Set public key .(4)Set private key .(5)Set data key .
TA would store and provide it for TA or RSU changing public key and other parameters in the future, which would also make the following parameters , , , , , , , , , , , , , , and public. When vehicles or RSU want to communicate with TA, it will be first to validate TA’s identity and key’s validness. , , and cannot be known from the above public parameters. Therefore, malicious attackers couldn’t forge TA and TA does not need any certificates to validate its own identity.
4.2.2. RSU System Setup
TA utilizes to set public key, private key, and other parameters of each RSU and selects as the master key of private communication. Suppose the number of RSU is and to ; then the calculation of TA is as follows.(1)TA selects as the master key of private communication.(2)Calculate private communication key of to be and .(3)Calculate public key, private key, and other parameters of as follows: where and is the real ID of RSU. (4)Set public key .(5)Set private key .(6)Set data key .
TA would create a table to record RSU’s ID, key’s valid time, being legal or not, and RSU’s common key, with the calculation method for common key proposed in Section 4.4.3.
TA will not give any certificates and it can validate the identity only by BDH messages authentication. Meanwhile, each RSU’s key has valid time and it could be known whether key is within the valid time only from the identity validation. Any unit could validate RSU or TA’s legitimacy through the following formula, with the calculation as follows: where represents TA or any one RSU.
4.2.3. Vehicle System Setup
TA is only in charge of validating vehicles’ identities and public value and it does not produce vehicles’ key, so as to avoid the risk of controlling key. Suppose the number of vehicles is and to ; then the calculation is as follows.(1)Vehicle would calculate the first-level pseudonym of it and TA’s ID (), where and is the real ID of the vehicle.(2)Vehicle would calculate public value of it and TA’s identity validation, with the calculation as follows: (3)Vehicle utilizes TA’s public key to encrypt message and transmit it to TA, with the calculation as follows: where , , and transmits the encrypted message to TA, with the calculation as follows:
TA would validate ’s first-level pseudonym ID () and then public value, as shown in the following formula:
4.3. Message Broadcast and Message Authentication in RSU
When a vehicle enters RSU region, the vehicle would first check if RID table has already had the message validated mutually with RSU. If there is none, what will be done is to start from Section 4.3.1 to carry out identity validation with RSU, create SPID table and RID table with RSU in Section 4.3.2, and then discuss the method of vehicles being handoff at different RSU in Section 4.3.3.
Suppose that when the vehicle enters region and has not created public value related functions and identity validation with , then would utilize TA to validate its own identity, so RSU could believe in the second-level pseudonym ID and public value of . Two ways could be adopted for TA to validate vehicle’s identities: challenge of vehicles’ pseudonym ID; validation of public value. The challenge of vehicles’ pseudonym ID could be adopted for RSU validating vehicles’ identities, with the calculation as follows.(1)The calculation of vehicles validating TA identity:the vehicle selects ;the vehicle recalculates the first-level pseudonym ID as follows: combines the arithmetic result after experiencing times of hash with and then goes through one hash arithmetic to produce the first-level pseudonym ID ().The vehicle calculates , and by formula (14). would utilize TA’s public key to encrypt message as C, where .(2)The calculation of RSU validating vehicles’ identities:the vehicle selects ;the vehicle calculates initializing pseudonym ID to be , where is the pseudonym ID of within range;the vehicle calculates public value () used within range; would utilize ’s public key to encrypt message as , where .
would transmit and 1 to , which would use the common key () with TA to reencrypt message by symmetric key encryption and transmit it to TA, and then TA and will validate if the identities are correct, with the calculation as follows.(1)TA validates ’s identity as follows:TA utilizes private key to decrypt the encrypted message ;TA utilizes to search public value ;TA utilizes to calculate ’s new pseudonym ID, as shown in formula (18);TA calculates the public value of the validated vehicles, as shown in formula (17);if the above is validated correctly, it shows that the identity of the vehicle is correct and TA utilizes the common key () with to tell that the vehicle is legal;TA restores ’s and in table.(2)RSU validates ’s identity as follows: receives the message from TA that is legal and utilizes private key to decrypt the encrypted message ; calculates ’s private communication key as follows: where is the random number selected by ; provides signatures to , with the calculation as follows: , , , , message , and the message after signing is ; utilizes as the key of symmetric encryption and transmits ’s private communication key and ’s signature to .
would sign public value, pseudonym ID, and key’s validness of the vehicles within the range at the fixed time and transmit the signature to each vehicle within the range. The signature is , so each vehicle only needs to validate the signature after receiving the signature message and then the public value of each vehicle could be known, with the calculation of signature validation as follows:
Each vehicle would store the message in the vehicle message table (see Table 1).
During the process, only and TA know and RSU cannot know , so pseudonym and privacy could be attained. After knowing , TA could validate ’s identity. If is a legal vehicle, RSU would also accept ’s second-level initializing pseudonym ID and public value and assist to create RID-key table.
4.3.2. Table Establishment
Each vehicle would have RID-key table (see Table 2) and vehicle message table (see Table 1); RID-key table is for storing public value and relevant parameters which vehicles establish for RSU and vehicle message table is for storing public value and relevant parameters of other vehicles. Each RSU has SPID-key for storing vehicles’ public value and relevant parameters and RSU message table (see Table 3) is used for storing the key of private communication between RSU and relevant parameters.
After the vehicle and create public value and relevant parameters, begins to produce public value and pseudonym ID close to RSU, with the calculation as follows.(1) selects at random.(2)Calculate each RSU’s pseudonym ID as follows: (3)Calculate each RSU’s public value ().(4) would calculate the common key with as the key of symmetrical encryption, encrypt message , and transmit it to . The message content comprises each RSU’s public value, random numbers and , , and common key, with the calculation as formula (31).(5)Then, the vehicle stores relevant parameters in RID table.
After receiving the encrypted message of , would calculate the common key with and only and know the common key, so the message source and integrity could be confirmed. Then, after decrypting message , would encrypt individual public value, pseudonym ID and random numbers of , and each RSU and transmit them to each RSU. Each RSU receives the message and stores ’s public value, pseudonym ID, and random numbers in SPID table, as shown in Table 4. Meanwhile, each RSU would calculate ’s pseudonym ID, as shown in formula (18) and would also report illegal RSU and valid time close to RSU to the vehicle , so as to avoid malicious attack.
4.3.3. Handoff Problem
VANET Standard 802.11P  is focused on the dedicated short-range communication (DSRC) protocol, which applies to short-range communications. As a result, vehicles use different RSUs to perform handoff when moving at high speed. A problem would be caused; that is, vehicles must revalidate identities mutually with TA and RSU and reestablish a new key. Suppose vehicles establish trusting relationship with each RSU from the beginning; they could know if other RSUs are legal or not and the validity of RSU related key through the trusted RSU and transmit vehicles’ public value and other parameters to other RSUs via the trusted RSU.
Suppose the vehicle has already created RID-key table; when is about to enter , it would first check if Table is legal and valid. If it is confirmed legal and valid, would transmit pseudonym ID () and public value () to , which would utilize to check if is within the valid time and if it is the legal user in SPID table after receiving the message. If it is legal, would calculate ’s private communication key and sign to and ’s private communication key is calculated as follows:
Use as the symmetrical encryption and transmit private communication key and signature to .
Only and know . If the message could be unlocked and represent itself, the identities of both sides could be validated by means of pseudonym ID challenge. If it is validated correctly, would periodically broadcast ’s pseudonym ID, public value, and validity by means of signature.
4.4. Message Transmission and Validation
This section mainly discusses vehicles’ message broadcasting and validation within RSU range in Section 4.4.1, that is, between different RSUs in Section 4.4.2 and the private communication from TA to RSU, from RSU to vehicles, and from vehicle to vehicle in Section 4.4.3.
4.4.1. Message Transmission and Validation within RSU Range
When is about to broadcast one message within communication range, would perform the calculation as follows:
would broadcast , , , , and to the vehicles within the communication range. After receiving the message, other vehicles would check if there is ’s public value in their own vehicle message table and if they know ’s public value, they could validate the message source and integrity through formula (24).
Assuming that after vehicle receives a message from , can judge whether message is correct. As the public value of is public, then can determine whether , , , , and are the message sent by . First calculate and then calculate whether is correct. If it is correct, it indicates that the message is issued by ; otherwise it will be discarded. Since only knows and is a problem, it cannot be forged by other vehicles.
4.4.2. Communication between Different RSUs
Two vehicles cannot communicate with each other between different RSUs; the reason lies in that the vehicle’s public value and pseudonym ID are different in different RSUs and vehicles’ public value in each RSU cannot be known between RSUs. Therefore, it is unable to assist vehicles to validate the correctness of the message transmitted from other RSUs. As shown in Figure 2, and are and , respectively, in two different RSUs. When broadcasts a message to , though receives the message, it does not know if public value is owned by itself and it cannot confirm if it is the legal user. In order to resolve the above problem, as shown in Figure 3, first transmits the message to , the message content is request message: , and informs us within different RSUs; after the successful entry of identity validation, transmits one signature to and the signature is , where . would broadcast signatures to , then could know ’s public key and public parameters and validate signatures and ’s validity. After the success of validation, could know ’s public value and validate the message source and integrity.
4.4.3. Private Communication
In the following part we will discuss five cases of private communication: Case 1: private communication between TA and RSU, Case 2: private communication between RSU and RSU, Case 3: private communication between vehicle and vehicle, Case 4: private communication between vehicle and RSU, and Case 5: private communication between TA and vehicle.
Case 1. Suppose wants to perform private communication with TA; TA has already transmitted private communication key to in Section 4.2.2. First, and TA will validate each other’s identities and key’s validity and would calculate the private communication with TA as follows: Next, TA calculates the private communication with as follows: where , ; as ID is public, it could be calculated by itself. Therefore, the common key in formulae (25) and (26) is the same and TA and could perform private communication.
Case 2. Suppose wants to perform private communication with . First, and will validate each other’s identities and key’s validity and would calculate the private communication with as follows: Next, calculates the private communication with as follows: where , ; it could be known that the private communication key is the same from the final results.
Case 3. Suppose wants to perform private communication with . First, and will validate each other’s identities and key’s validity and would calculate the private communication with as follows: Next, calculates the private communication with as follows: where and and it could be known that the private communication key is the same from the final results.
Case 4. Suppose wants to perform private communication with . First, and will validate each other’s identities and key’s validity and would calculate the private communication with as follows: Next, calculates the private communication with as follows: where and ; it could be known from the final results that the private communication key is the same.
Case 5. Suppose wants to perform private communication with TA. First, and TA will validate each other’s identities and key’s validity and would calculate the private communication with TA as follows: Next, TA calculates the private communication with as follows: where and and it could be known from the final results that the private communication key is the same.
From Case 1 to Case 5, it could be known that private communication could be performed among vehicles, RSU or TA, and the private communication key of any vehicle and RSU has the top secrets and their own secrets, so it is impossible to forge any vehicle or RSU, as you must know the top secrets.
Though the private communication method costs much more calculation time for the first time, which is spent in validating the other’s identity and calculating the private communication key between them, the calculation time during the communication within the other’s valid time is much less, as the common secret key has already been established, which will not be recalculated until the other’s valid time expires. For the symmetrical encryption, the calculation time is less. For the equipment which often uses private communication, such as RSU to RSU or RSU to TA, the time which private communication spends could be reduced.
4.5. Key Updating and Identity Cancellation
When TA’s key validity expires, TA would utilize formula (9) to replace , , , and , which will not influence the communication of RSU and vehicles during the process. TA would use as the data key (), is public key (), is private key (), is another public parameter, is TA’s public key, private key, and valid time, and TA makes new parameters public.
At RSU’s key updating part, as TA and RSU mainly perform identity validation instead of the message validation among vehicles. If finds key will expire soon, would calculate the common key () with TA, as shown in formula (26), and then encrypt message and transmit to TA, . After receiving the encrypted message, TA would calculate the common key () with , decrypt the message, and validate ’s identity, as shown in formula (13). Next, TA would search table to check if is legal. If it is legal, TA would recalculate ’s public key, private key, private communication key, and other parameters and then utilize to encrypt the parameters and transmit them back to . After receiving the message, would reutilize for decryption and revalidating if the parameters are public value (), as shown in formula (13). Thus RSU key updating is completed. During the process, only the vehicle communication within the range would be influenced, and RSU requires retransmitting a new signature to each vehicle.
Suppose vehicle is a malicious node; would first utilize Table 5 to search ’s initializing pseudonym ID () and then use the common key with each RSU to encrypt and transmit to each RSU. Before the receiving, each RSU would first check SPID table and see if there is initializing pseudonym ID. If there is, registration would be forbidden during handoff. After receiving message, TA would first validate if is a malicious node. If it is, TA would search table according to and first set ’s legality false. When TA revalidates ’s identity via RSU (as shown in Section 4.3.1), TA would forbid registration.
Suppose is a malicious node; adjacent would directly utilize the common key with TA to encrypt the message and inform TA that is a malicious node. TA would first validate if is a malicious node. If it is, TA would set ’s legality in table false and use the common key with RSU to inform all RSUs that is a malicious node, so that malicious RSU or vehicles updating KEY or communication subsequently would be stopped.
5. Security and Performance Analysis
This section mainly illustrates that the method proposed in the essay could reach message source, message integrity, nonrepudiation, pseudonym, and untraceability, in terms of security analysis. As far as the performance analysis is concerned, we carry out performance analysis in [4–6] (Table 7).
5.1. Security Analysis
We discuss the security analysis from 5 aspects as follows.
(1) Confidentiality. No matter what unit (TA, RSU, and vehicles) performs private communication, the private communication with the other side could be guaranteed, as the vehicle’s private communication key contains the vehicle, RSU, and TA’s secrets. During the communication, though the vehicle and RSU’s secrets could be eliminated, malicious nodes could not get TA’s secret from the private communication key or the results after elimination, so malicious nodes cannot forge other’s private key or listen in.
(2) Source Authentication and Nonrepudiation. Before the communication, RSU must validate vehicles’ identities. After the success of validation, RSU would utilize signature method to broadcast vehicles’ pseudonym ID and public value to each vehicle, which could then know each legal vehicle’s public value from the signature, so the message broadcasted by vehicles could be validated via BHD function. As the public value cannot be forged, it could represent the vehicle itself and the vehicle sending messages could reach nonrepudiation and know the source of the message.
(3) Message Integrity. As the public value () is public and the BHD function is , though and are public, , , or could not be got from or . Suppose the malicious node forges and the validation result is , so malicious nodes cannot forge messages and change messages and other vehicles could validate message integrity.
(4) Pseudonym. The vehicle uses different pseudonym IDs at different RSU. Suppose RSU cannot know vehicle’s real ID by collusion attack and malicious nodes cannot collect vehicle messages to calculate vehicles’ read ID, as vehicle’s pseudonym ID produces irregularity.
(5) Privacy. The essay adopts two-level pseudonym ID. The first level is the pseudonym ID between vehicle and TA, which is known to only TA and vehicle and not broadcasted to RSU or vehicles. The second-level pseudonym ID is produced by RSU and vehicle. Suppose RSU traces vehicles’ travel path by means of collusion attack and the trace time and range are limited, as after the time slice, vehicles will be revalidated by TA and replace the first-level and second-level pseudonym ID, then the pseudonym ID produces irregularity, so the vehicles’ privacy could be improved.
5.2. Performance Analysis
In Table 6, we propose encryption/decryption calculation time. According to [17, 18], the implementation of the bilinear mapping is provided based on the Tate pairing over a Miyaji-Nakabayashi-Takano (MNT) curve  with embedding degree 6 and 160-bit .