#### Abstract

Vehicular ad hoc networks (VANETs) have been widely researched in recent years. VANETs are used mostly for road safety and traffic efficiency; therefore, it is imperative that the communication between vehicles is rapid and secure in a VANET environment. In the present study, bilinear pairings were used to construct a complete message authentication scheme. This scheme provided the following features: (1) vehicle or roadside unit (RSU) parameters were determined via a hierarchical protocol, which prevented potentially a large computational overhead for a single node; (2) message broadcasts and private communications between vehicles in the transmission range of the same RSU were enabled; (3) message broadcasts and private communications between vehicles in the transmission ranges of different RSUs were enabled; (4) a fast handoff mechanism was established for vehicles in the transmission ranges of different RSUs; and (5) mechanisms for message broadcasts and private communication were established for vehicles in areas where RSUs were sparsely located. Based on the experimental results, our scheme was confirmed to be superior to previous schemes. In terms of security, our scheme offered the following features: confidentiality, message integrity, nonrepudiation, conditional anonymity, and conditional untraceability.

#### 1. Introduction

Vehicular ad hoc networks (VANETs) have been widely researched in recent years. VANETs are mobile networks in which vehicles equipped with on-board units (OBUs) communicate with each other or roadside units (RSUs) [1, 2]. Vehicles can broadcast traffic information to one another over VANETs [3]. In addition, passengers can communicate with passengers in other vehicles or send electronic mail using hand-held devices over VANETs [4]. VANETs have drawn special attention for traffic safety and management [5, 6]. The information exchanged between vehicles over VANETs enhances road safety and improves traffic efficiency. Generally, there are two different modes in VANETs for sending messages: the message broadcast mode, in which neighboring vehicles may provide one another with up-to-date proximal vehicle state information via message broadcasts, and the one-hop broadcast mode, in which a vehicle can send messages to one other specific vehicle. One-hop broadcasts are mainly used for private communication between vehicles.

There are two vehicular communication modes in VANETs [7], vehicle-to-vehicle communication (IVC) and RSU-to-vehicle communication (RVC). IVC allows each vehicle to broadcast information to other vehicles or send information to one specific vehicle via others. RVC allows vehicles to exchange information with one another within the broadcast range or communicate with and obtain information from other vehicles via wireless-device equipped RSUs. VANETs enable vehicles to exchange up-to-date traffic information, which improves the flow of traffic and driving safety. However, if the information is modified or falsified by a malicious vehicle user, serious consequences such as traffic congestion and even a traffic accident can occur. A scheme for ensuring information security is proposed in the present study.

A message authentication scheme for VANETs should take the following problems into consideration: the exchange of information between vehicles in VANETs is accomplished through wireless communication. Therefore, to be timely, the volume of information cannot be excessively high nor can the method for message authentication be excessively complicated. Vehicles should be able to not only broadcast information but additionally communicate privately with other devices. Vehicles use a short-range wireless communication technique to communicate with RSUs and are usually moving at high speeds, requiring frequent handoffs with RSUs. Handoff schemes with long computation times adversely affect the communication quality. (4) RSUs may be available only on main roads and not on minor ones.

In the present study, a complete message authentication scheme is constructed using the bilinear pairings technique. The encryption scheme from bilinear pairings is appropriate for VANETs. The parameters for each node in this study are generated in a hierarchical way. The long-term parameters for each vehicle are generated by the trusted authority (TA). Vehicles use their long-term parameters to perform identity (ID) authentication with RSUs and then gain trust from them. RSUs then produce short-term parameters for the vehicles that allow them to broadcast information and conduct private communications. When the vehicles are not within the transmission range of any RSUs, they can use their long-term parameters to broadcast information and communicate privately with one another. The trust gained from one RSU enables the vehicle to perform handoffs with other RSUs. Based on the experimental results, the scheme proposed in this study shows excellent performance and is superior to other schemes in the literature.

#### 2. Related Works

The conventional public key infrastructure (PKI) scheme was used in [8]. Assuming that a certificate authority (CA) provides each vehicle with a digital certificate of identity, that is, a private key together with its associated public key, the vehicle can then use the asymmetric key for signing and verifying a message. However, the computational complexity increases when a vehicle uses the PKI for message signature and verification, resulting in communication overhead. In addition, for the purposes of privacy and untraceability, a vehicle must constantly change its certificate, which adversely affects the CA overhead.

A solution is defined in [9] in which vehicles can generate public/private key pairs on their own. The benefits lie in the fact that a vehicle uses a different key each time it sends a message and that the vehicle is not required to update the related parameters with the CA. Assuming that there is a cryptographic device, or black box, installed in each vehicle and in each black box there are an asymmetric key and a certificate issued by the CA, the black box generates the public/private key pair for the vehicle. However, the public/private key pair is the continuous product of two values, resulting in each key pair having a long message length. This long message length may result in communication overhead when the vehicle is sending messages.

The scheme for vehicular communications used in [10] was constructed with a hierarchy in which the keys were generated in a top-to-bottom manner. The hierarchical method allows vehicles to generate parameters such as their IDs through RSUs, which mitigates the key escrow problem in the CA. The generated keys are reliable and nonforgeable. However, this scheme requires the use of vehicle certificates. Thus, the information exchanged between vehicles is verified via the contents of the certificates. The requirement for a certificate with each message may nevertheless result in data packet overhead. In addition, message encryption based on bilinear pairings may result in computation overhead.

In [11], to provide network access services, a vehicle must establish a common key with the recipient vehicle via a broadcast message. The common key ensures the security of the subsequent information exchange, authentication, message integrity, and nonrepudiation. However, the common key is established using the identity-based cryptography (IBC) scheme, which is based on bilinear pairings. The establishment of a shared common key with each vehicle may result in vehicle computation overhead. The authors in [11] did not discuss the problems of rekeying and pseudonym changes. These problems are significant in vehicle networks, warranting resolution. A dynamic, privacy-preserving key management scheme for location-based services in VANETs was proposed in [12]. This scheme ensures the anonymous authentication of a vehicle and enables double-registration detection. In addition, each vehicle can use a one-way hash function to update the vehicles new session key. However, the computations for message signature and verification presented in [12] are complicated, and the author did not investigate a private communication scheme.

In [13], an elliptic curve digital signature algorithm (ECDSA) was used for message authentication. The current position information is used together with the ECDSA for signing messages from anonymous IDs. Other vehicles do not require a third-party public key certificate for message authentication. However, the authors did not discuss the problems of rekeying and private communication.

The delay in long-term verification of centralized AAA architecture in literature [14] has been alleviated. In this paper, a set of network security approaches based on bilinear Diffie-Hellman (BDH) problem are proposed to protect the privacy of vehicles and network security of portable electronic currency in VANETs environment. However, the proposed method requires a key to be generated at regular intervals on each vehicle in advance for privacy, which is a big burden for the vehicle.

In literature [15], a set of network security mechanisms based on chameleon hashing was proposed to ensure vehicle privacy and network communications security in VANETs. However, owing to computational complexity and packet length of chameleon hashing, it constitutes a big burden for VANETs.

In literature [16], a set of network security mechanisms based on bilinear pairing was proposed. Although it can ensure network communications security of vehicles in VANETs, it does not provide private communications between vehicles. Besides, the changes of relevant parameters for vehicles involved have to be updated via TA. Therefore, it has a centralized authentication issue.

#### 3. Background

This section will introduce the technologies used in the method developed in this study. Section 3.1 introduces bilinear pairing and hard problems, Section 3.2 discusses Boneh and Franklins ID-based encryption, Section 3.3 discusses Shamirs ID-based cryptosystem, and Section 3.4 covers bilinear Diffie-Hellman message authentication.

##### 3.1. Bilinear Pairings and Hard Problems

Let and denote an additive and a multiplicative group and both of them with prime order . Let be generator of and let be a bilinear mapping with the following properties.(1)Bilinear:(2)Nondegeneracy: such that . That is, the mapping does not send all pairs in to the identity in .(3)Computable: there exists an efficient algorithm to compute for all .

The bilinear map can be implemented using the Weil [9] and Tate [10] pairings on elliptic curves. We consider the implementation of a Tate pairing on a Miyaji–Nakabayashi–Takano (MNT) curve [11] with embedding degree 6, where is represented by 161 bits and the order is represented by 160 bits.

The following part will define and specify various relevant mathematical problems [12] which will be applied in the essay subsequently.

Bilinear Diffie-Hellman problem: Given , where , compute .

Elliptic curve discrete logarithm problem (ECDLP): Given two elements , find an integer , such that .

##### 3.2. ID-Based Encryption

We used ID-based encryption [17] to encrypt and decrypt messages. A private key generator (PKG) chooses a random number as its master key and selects two distinct hash functions, and . Given a user with an identity , any party can obtain the user’s public key . The PKG sets the user’s private key . User chooses as her/his own secret value and sets . In the final step, the PKG publishes the system parameters and withholds .

*Encrypt*. To encrypt a message for the user with identity is as follows.(1)Choose a random number .(2)Set the cipher text to be

*Decryption*. Let . To decrypt using the secret value , compute , where

##### 3.3. ID-Based Cryptosystem

The advantage of ID-based cryptosystems [17] is that public key certificates are no longer needless, and this possibly causes a saving of space requirements. Besides, it also reduces the key management cost, which is a heavy burden in conventional public key infrastructure (PKI). However, it has a serious drawback, called key escrow problem. PKG is responsible for generating a user’s private key, so it can decrypt any ciphertext or forge any user’s signature on any message.

##### 3.4. Message Authentication Based on the Bilinear Hard Problems (BHD) Method

In this study, message signatures and verification are established based on the BDH method. In this scheme, user selects a random number as the secret value, calculates the public value (), and then broadcasts to all other users. Notations of the BDH list the notation used in this study. User broadcasts message by executing the following steps.(1)User calculates .(2)User calculates , where represents the quotient and represents the remainder.(3)User broadcasts .

Other users can then verify the message upon receipt by executing the following steps.(1)Calculate .(2)Check whether .

If the equality in step is satisfied, then this condition verifies that the user sent the message. During the verification process, other users receive only , , and . Based on elliptic curves and the discrete logarithm problem (ECDLP), cannot be calculated without and . Therefore, message security is ensured. Furthermore, because belongs to the user alone, nonrepudiation of the message is also ensured.

#### 4. Message Authentication Scheme

The scheme proposed in this study consists of five parts: (1) system initialization and RSU registration; intra-RSU message authentication; (3) inter-RSU message authentication; (4) handoff; and (5) message authentication when RSUs are not available.

##### 4.1. System Model

Figure 1 shows the system environment used in this study. We assume that the TA is a legal organization and is responsible for the security of the entire network. When there is an attack on the network infrastructure from a malicious node, the TA will broadcast the true identity of the node and take necessary action. We further assume that RSUs are installed on streetlights or traffic signs on main roads and there are no RSUs installed on minor roads. Each vehicle is equipped with an OBU. Communication between the TA and RSUs is via a wired network, whereas communication between OBUs and the TA is via an IEEE 802.11p wireless network. Notation used in this paper lists the notation used in this study.

##### 4.2. System Initialization

Given the bilinear parameters as defined in Section 3.1, the TA sets up the system by executing the following steps.(1)The TA chooses as its secret value.(2)The TA selects three hash functions: , , and .(3)The TA calculates as its public value.(4)The TA sets .(5)The TA sets .(6)The TA sets .

The TA broadcasts the parameters , while remain undisclosed. In addition, the TA sets the related parameters for each RSU by executing the following steps.(1)The node chooses as its secret value.(2)It calculates as its public value.(3)It sets .(4)It sets .

The TA sets up the system by executing the following steps.(1)Set .(2)Calculate .(3)Calculate , .

The RSU broadcasts the parameters and does not disclose the parameters . All nodes can verify the legitimacy of the ID of the RSU by executing the following steps.(1)Calculate .(2)Calculate .(3)Check if

The TA generates the related parameters for the vehicle by executing the following steps.(1)The node chooses as its secret value.(2)It calculates as its public value.(3)It sets .(4)It selects an anonymous identity , and all users can obtain its public key by computing .

The TA sets up the system by executing the following steps.(1)Set .(2)Calculate .(3)Calculate , .

Each vehicle broadcasts the parameters and does not disclose the parameters . The TA records the parameters for each vehicle.

Each vehicle or RSU can verify the legitimacy of the vehicle ID by executing the following steps.(1)Calculate .(2)Calculate .(3)Check if . If the equality is satisfied, then the user is legal.

##### 4.3. Registration

When a vehicle is within the transmission range of RSU , the vehicle and will send an ID verification request to each other. After successful verification, RSU will then generate the short-term parameters for . Vehicle can retain its anonymity and security using the short-term parameters by executing the following steps.(1)Use the identity-based cryptography (IBC) technique to generatethe common session key for RSU and vehicle . Vehicle uses its own private key and the public key of RSU to generate the common session key. The public key of RSU is calculated from the true ID of RSU . Therefore, vehicle does not require the public key of RSU . The calculation is as follows: Because the TA generates the private keys for both RSU and vehicle , the common session keys generated from RSU and vehicle are the same. Therefore, RSU and vehicle can communicate with each other privately.(2) generates the short-term parameters , , and and uses symmetric encryption to encrypt the common session key () as a security key. The encryption is supplemented by the plain-text parameters . The calculation is as follows: Vehicle sends the message to .(3)When RSU receives the message, first verifies whether the parameters of vehicle are within the valid limits through the following steps.(3.1)Calculate .(3.2)Calculate .(3.3)Check if . If the equality is satisfied, then the user is legal.(4)To decrypt the encrypted message, RSU first calculates the common session key shared with vehicle . Then, RSU uses the common session key to decrypt the message. The calculation is as follows:

(5)RSU calculates the private key, the common secret key, and the signature of . The calculations are as follows.(5.1) calculates as its private key.(5.2) chooses as its common secret key.(5.3) calculates , , .(6)RSU encrypts the parameters using the common session key. The calculation is as follows: RSU sends the message to vehicle .(7)When vehicle receives the message, the vehicle uses the common session key to decrypt the message.(8) records and publishes to all vehicles in its domain.

To improve the efficiency of the handoff process, RSU generates a common secret key for vehicle and each RSU. RSU uses a one-way hash chain [13] to generate keys . The method for generating the keys is as follows:RSU uses a one-way hash chain [13] to generate anonymous IDs . The method for generating the IDs is as follows:

Each RSU has two tables, an RID-key table and an SID-key table. The RID-key table is used to store the related parameters generated by RSU (Table 1). RSU uses the common session key that it shares with each RSU to encrypt the common secret key that vehicle has with each RSU and the anonymous ID. RSU then sends the encrypted message to other RSUs. When another RSU receives the encrypted message, that RSU first uses the common session key that it shares with RSU to decrypt the message and then stores the parameters for vehicle in the table (Table 2). Because vehicle has the related parameters , it can generate a common secret key shared with each RSU and an anonymous ID on its own. The parameters are stored in the table (Table 3). The parameters for vehicle do not permit any one RSU to obtain the parameters that vehicle shares with other RSUs. Because other RSUs cannot obtain the private key and the common secret key of vehicle , the security of vehicle is ensured.

##### 4.4. Intra-RSU Message Authentication

Vehicle broadcasts messages to other vehicles within the transmission range of an RSU. The calculations are as follows.(1)Vehicle uses the BDH method to authorize a message signature. The calculations are as follows.(1.1)Vehicle calculates .(1.2)Vehicle calculates , °.(1.3)Vehicle broadcasts the message to other vehicles within range.(2)When other vehicles receive the message, they can verify the authenticity of the message. The calculations are as follows.(2.1)Calculate °.(2.2)Calculate .(2.3)Check if . If the equality is satisfied, then vehicle sent the message.

Assuming that two vehicles within the transmission range of a given RSU want to send private messages to each other (Figure 1), vehicle and vehicle will calculate their common key. The calculation is as follows:

Then, vehicle uses the common session key () to first encrypt the message and then send it to vehicle . When receives the encrypted message, the vehicle uses the common session key () to decrypt the message and then obtain the contents of the message. The benefits of using IBC lie in the fact that the other vehicle’s public key can be easily calculated based on its ID and that the common session key can be calculated based on the other vehicle’s public key and its own private key. Conversely, the other vehicle can also calculate the common session key because the secret value of the common session key is the same.

##### 4.5. Inter-RSU Message Authentication

Assuming that vehicle wants to broadcast a message within the transmission ranges of several RSUs and uses the BDH signature to ensure the security of the message, vehicle will first send the parameters , to nearby RSUs, and then the RSUs will relay the message to other vehicles. Then, other vehicles will first verify the legitimacy of vehicle by calculating and then calculating . If it is the case, then it proves that vehicle is the legitimate user of RSU .

Other vehicles will verify the authenticity of the message from vehicle by first calculating and then calculating . If it is the case, then the message was sent from vehicle .

In private communications, the secret private key value of each vehicle is different because there are multiple RSUs. Therefore, an ID-based encryption method should be used. Let vehicle and vehicle calculate their common session keys. Assuming that vehicle wants to privately communicate with vehicle , which is within the transmission range of a different RSU, vehicle will first encrypt the message. Vehicle will then calculate the public key using the anonymous ID of vehicle . Upon obtaining the data key for vehicle , vehicle will encrypt the message using the public key and the data key of vehicle . The calculation is as follows:

Subsequently, vehicle uses the private key to decrypt the message. Equation (2) shows the decryption method. Vehicle then uses ID-based encryption to generate an encrypted message for vehicle . The calculation is as follows:

Vehicle uses the private key to decrypt the message. Equation (2) shows the decryption method. When vehicle receives thecommon session key that it shares with vehicle , can communicate with vehicle privately. The common session key is

##### 4.6. Handoff Problem

When vehicle comes within the transmission range of the next RSU (), vehicle will first inquire for the common secret key that it shares with RSU in Table 3 and then initiate the handoff. The calculation is as follows.(1)Vehicle first generates short-term parameters , and uses the common secret key () to encrypt the parameters. Then, vehicle sends the parameters and its anonymous ID to RSU .(2)RSU inquires for the common secret key and the time of validity that it shares with vehicle in Table 2 based on the anonymous ID of vehicle . If the time of validity has expired, then vehicle will reregister with RSU (Section 4.2). If the time of validity has not expired, will generate the short-term parameters for vehicle . The calculations are as follows.(2.1) calculates as its private key.(2.2) calculates .(2.3) calculates , .(3)RSU uses the common secret key to encrypt the parameters . The calculation is as follows: RSU sends the message to vehicle .(4)When vehicle receives the message, the vehicle uses the common secret key to decrypt the message.(5) records , and publishes to all vehicles in its domain.

##### 4.7. Message Authentication When RSUs Are Not Available

When RSUs are not available, vehicles can broadcast messages and conduct private communications using the parameters generated by the TA by executing the following steps.(1)Vehicle uses the BDH signature method to authorize a message signature. The calculations are as follows.(1.1)Vehicle calculates .(1.2)Vehicle calculates , .(1.3)Vehicle broadcasts the message , , to other vehicles.(2)Other vehicles first verify the ID of vehicle . The calculations are as follows.(2.1)Calculate .(2.2)Calculate .(2.3)Check if . If the equality is satisfied, then the user is legal.(3)Other vehicles then verify the authenticity of the message. The calculations are as follows.(3.1)Calculate .(3.2)Calculate .(3.3)Check if . Satisfaction of the equality is proof that vehicle sent the message.

Assuming that two vehicles within the transmission range of the same RSU want to communicate privately with each other (Figure 1), vehicle and vehicle will calculate their common key. The calculation is as follows:

Subsequently, vehicle uses the common session key () to encrypt the message and send the message to vehicle . When vehicle receives the encrypted message, it uses the common session key () to decrypt the message and obtain the contents of the message.

#### 5. Security and Performance Analysis

This section gives a security analysis to demonstrate that the method developed in this study can provide confidentiality, authentication, nonrepudiation, conditional anonymity, and conditional untraceability. A performance analysis is conducted by comparing the results of the present study with those in [12–15].

##### 5.1. Security Analysis

The following subsections discuss the specific aspects of the security analysis of the proposed method.

*(1) Confidentiality*. Assuming that the ID of every node is not repeated as confidential communications are occurring among vehicles within the range of a single RSU, the property of IBC is used to establish the common session keys. The common session key of a vehicle is calculated based on the bilinear pairings map. According to the elliptic curve discrete logarithm problem (ECDLP), the common session key of a malicious node and node is . It is difficult for node to determine a secret value from , node* b*’s private key () and node* a*’s public key (). Other vehicles are unable to calculate the common session key from their own private keys and the public keys of nodes and , and thus the security of confidential communications is ensured.

*(2) Authentication and Nonrepudiation*. As a vehicle registers and gains the trust of an RSU, the RSU will broadcast the vehicle’s value to all vehicles within range, and that specific represents the vehicle itself. The parameters are broadcast as the vehicle is broadcasting messages. Other vehicles will calculate upon receipt of the messages and then calculate . Other vehicles are unable to calculate from based on the ECDLP, but , , and can be calculated from the parameters , based on the BDH method, provided that the equality , which is calculated from the messages of the vehicle, is satisfied. Therefore, the vehicle sending the messages achieves undeniability, and the source of the messages is known.

*(3) Conditional Anonymity*. The true ID of a vehicle is known only to the TA. An anonymous ID () is used when a vehicle registers with the TA, and this anonymous ID () is renewed every time the vehicle registers with the TA. A vehicle will renegotiate a new anonymous ID () within the range of every RSU. Therefore, it is difficult for another vehicle to obtain the true ID of the vehicle by tracking from because the true IDs of the vehicles are known only to the TA and the individual vehicles bearing those IDs. Every RSU knows the anonymous ID () of each vehicle, but each vehicle has a different ID () for every RSU, which prevents malicious RSUs from tracking the current location of the vehicle.

*(4) Conditional Untraceability*. When a vehicle is involved in a criminal act, an RSU is able to trace the anonymous ID () from the vehicle’s anonymous ID (). The RSU transmits to the TA, which in turn identifies the true ID of the vehicle with the identity . Every vehicular parameter will eventually expire, therefore ensuring the validity of the anonymous ID of a vehicle.

##### 5.2. Performance Analysis

The method developed in this study was compared with those in [12–15] regarding performance, execution time, and data volume. Table 4 compares the results of the present study and those of [12–15], showing that the method developed in the present study is superior to the other methods.

To analyze efficiency, the times required for a message to be broadcast and verified in the present study and in [12–15] were calculated, and the results are listed in Tables 5–7. Table 8 shows the results of the efficiency analysis. The experimental results show that the method proposed in this paper is superior to those in other literatures regardless of computational complexity and packet length. The network security mechanisms proposed in literature [14] and this paper are both based on the use of bilinear pairing, so all the packet lengths are within a reasonable range. However, in computational complexity, the proposed method is superior to that of literature [14]. In literature [15], there are network security mechanisms based on chameleon hashing, which employ exponential calculation. The multiplication result of three values will be huge. Although the computational complexity is not high, the transfer of large amounts of packets will affect network bandwidth and also cause packet losses in VANETs environment.

#### 6. Conclusion

VANETs improve transportation safety and efficiency. If the information shared between vehicles is tampered with, there will be dire consequences such as vehicle collisions. The scheme proposed in this study ensures the security of the information shared between vehicles and is superior to other schemes in terms of message verification and handoff. Additionally, in terms of security, the scheme in this study ensures conditional untraceability, conditional anonymity, authentication, and nonrepudiation. Future work will include supplementing the scheme proposed in this study with revocation and trust mechanisms to corroborate the security scheme.

#### Notations

*Notations of the BDH*

The user chooses a random number as its secret value | |

The public value of user such that | |

The is the quotient | |

The is the remainder | |

. |

*Notation Used in This Paper*

Bilinear mapping | |

Additive group | |

Multiplicative group | |

Generator of | |

A secure symmetric encryption algorithm | |

ID-based encryption | |

ID-based decrypt | |

Public key of node | |

Private key of node | |

Data key of node | |

Real identity of node | |

Original pseudonym of node | |

Requested pseudonym of node | |

Secret value of node | |

Handoff secret value | |

The public value of user such that | |

The common session key between node and node | |

The common secret key between node and node | |

is the finite field of mod | |

Hash function such that | |

Hash function such that | |

Hash function such that | |

Time interval | |

Lifetime of the corresponding parameters | |

The message concatenation operation, which appends several messages together in a special format. |

#### Conflict of Interests

The authors declare that there is no conflict of interests regarding the publication of this paper.

#### Acknowledgments

This paper is the partial result of project MOST103-2632-E-366-001 and 103-2221-E-268-003. The authors would like to thank the supporting of Ministry of Science and Technology, Taiwan.