A Batch Authentication Design to Protect Conditional Privacy in Internet of Vehicles
Internet of vehicles (IoV), a novel technology, holds paramount importance within the transportation domain due to its ability to increase traffic efficiency and safety. Information privacy is of vital importance in IoV when sharing information among vehicles. However, due to the openness of the communication network, information sharing is vulnerable to potential attacks, such as impersonation, modification, side-channel and replay attacks, and so on. In order to resolve the aforementioned problem, we present a conditional privacy-preserving batch authentication (CPPBA) scheme based on elliptic curve cryptography (ECC). The proposed scheme avoids the certificate management problem, conducing to efficiency improvement. When a message is transmitted by a vehicle, its pseudo identity rather than the real identity is also broadcasted along with the shared message, which protects the privacy of the vehicle’s identity. But this privacy is conditional because TA and only the TA can reveal the real identity of the vehicle by tracing. The proposed scheme is batch verifiable, which reduces the computation costs. In addition, our scheme does not involve bilinear pairing operations and does not use the map-to-point hash function, thus making the verification process more effective. An exhaustive efficiency comparison has been carried to show that the proposed CPPBA scheme has lower computation, communication, and storage overheads than the state-of-the-art ones. A relatively comprehensive security analysis has also been carried, which not only shows that the signature design in the CPPBA scheme is unforgeable under the random oracle model but also illustrates that the CPPBA scheme is resistant to various potential attacks. The security is also verified by a popular automated simulation tool, that is, AVISPA.
With the rapid growth of networks and information technology, the internet of vehicles (IoV) has attracted more and more attention because of its ability to provide communication between vehicles, road side units (RSUs), and other devices (including personal devices and sensors), known as vehicle-to-everything (V2X) . The vehicles ad hoc network (VANET), as a predecessor of IoV, effectively combines the driver, vehicle, and roads so as to provide the driver with information about the state of other vehicles outside the visual range , road conditions , and location-related life services , which is helpful to improve road safety and traffic efficiency. The VANET is equipped with wireless communication equipment road side units distributed along both sides of the road, which have sufficient energy supply, good wireless communication capabilities, and strong computing storage capabilities, and can also bear part of the computing overhead for the vehicle nodes. However, the VANET is a network that treats each vehicle node as a router and a custom node. The network coverage of these nodes is small, and the computing power is limited. Moreover, in the VANET, the network capacity is limited, and the wireless channel quality is unstable because it is affected by many factors, such as interference signals, complex infrastructure, and relative vehicle speed . The IoV, as an evolution of the conventional VANET, is expected to remove these restrictions and promises huge commercial interest and research value .
To realize V2X communication, various protocols including the IEEE 802.11p standard, the dedicated short-range communication (DSRC), and cellular wireless communication are employed in IoV. Vehicles in IoV, equipped with an on-board unit (OBU), are usually connected by DSRC. Through GPS, radio frequency identification (RFID), sensors, cameras, image processing equipment, and so on, the vehicle can collect information about its own environment and surrounding vehicle status (e.g., road status, weather, and driving directions) and then broadcast the information within the coverage of the RSU. The RSU collects this information and rebroadcasts it along with other services or warning messages to other vehicles  (e.g., it is expected that safety information will be broadcasted every 100–300 milliseconds ). This information can be analyzed and processed by the OBU to provide the driver with a safe driving environment and plan the optimal driving route . It can be seen that vehicles in IoV act as information providers and consumers at the same time. Therefore, it is very important to successfully realize effective data distribution in IoV applications.
When the information is shared in the IoV network, it is necessary to ensure that the right information reaches the right places at the right time. However, due to the openness of the communication network, hackers, malicious vehicles, and other nodes may change the information transmitted in IoV and pretend a legitimate node to send the bogus information over the IoV network. This results that the information sharing is vulnerable to potential attacks , such as side-channel attacks, impersonation attacks, modification attacks, and replay attacks. In order to resist various malicious attacks, one solution is to design a secure authentication scheme. Moreover, the environment in the IoV always changes because the vehicle communication range is short and the speed of the vehicle is high (over 36 km/h) . This rapid change of the IoV network topology limits the communication time between vehicles. In addition, when in a traffic-intensive area, information exchange is very frequent, and the vehicle is usually required to be able to quickly authenticate a large amount of traffic-related information. In particular, when the shared information is a collision warning or emergency notification, this information is related to the safety of life and property, and a quick response must be made. To overcome the limitations of the computing and communication capabilities of the IoV, it is necessary to ask that the designed secure authentication scheme is efficient enough with a very low overhead in computation, communication, and storage.
Although extensive research of the authentication design has been conducted on the IoV in recent years, it has not yet been fully commercialized, partly because the above-mentioned challenges of security and efficiency still need to be resolved. (A short review of the related work on authentication designs for IoV will be given in the next section.) Therefore, a new CPPBA scheme is proposed. The main contributions of this article are summarized as follows:(1)The proposed scheme is conditional privacy-preserving. That is, the vehicle uses a pseudo identity to share information, but TA and only the TA can reveal the real identity of the vehicle by tracing.(2)The proposed scheme for IoV does not use the expensive pairing operations and map-to-point hash function so that it improves the computational efficiency of the system.(3)The proposed scheme is proven secure and unforgeable against the potential adversaries and under the ECDLP assumption, and the AVISPA tool is used to simulate the proposed scheme.(4)Compared with the state-of-the-art schemes, our scheme has lower computation, communication, and storage overhead.
The remainder of this article is organized as follows. In Section 2, we present related work on various authentication schemes in VANET and IoV. System model and preliminaries are introduced in Section 3. Based on the model, our scheme is proposed in detail in Section 4. The security proof and analysis of the proposed scheme are presented in Section 5. In Section 6, the performance analysis of our scheme is shown to demonstrate its efficiency. Finally, we conclude this article in Section 7.
2. Related Work
There are mainly two types of authentication designs in IoV: one is on the basis of public-key infrastructure (PKI) and the other is on the basis of identity-based (ID-based) cryptography. The PKI-based authentication scheme has a disadvantage of low efficiency mainly because it requires a certificate authority (CA) to manage the identity/public key of the vehicle, which increases the computation, communication, and storage burdens. For example, in the anonymous certificate authentication scheme proposed by Raya and Hubaux in 2007 , it is necessary to install many anonymous certificates and public and private keys for each vehicle in advance, which brings a huge certificate management burden to CA. In the pseudonymous authentication scheme, called PASS, proposed by Sun et al. in 2010 , the size of the certificate revocation list (CRL) is linear with the number of revoked vehicles, and the vehicles are allowed to update certificates on road by the aid of RSU, which reduces the certificate management overhead to an acceptable extent at that time.
To improve efficiency, many researchers have invested a lot of energy to design ID-based authentication schemes because they exploit ID-based signatures and do not need to use certificates for identity verification. In order to protect the privacy of the user’s identity, ID-based authentication schemes use pseudo identity to communicate over the IoV network. The ID-based authentication schemes can be roughly divided into two categories, namely, the bilinear-pairing-based authentication schemes those adopt bilinear pairings operations (e.g., see [14–17]), and the elliptic-curve-based authentication schemes are designed on the basis of the elliptic curve cryptography (ECC) without bilinear pairings (such as references [18–22]).
In 2016, to solve the problem of privacy leakage caused by the CRL checking process, Jiang et al.  proposed an anonymous batch authentication scheme using bilinear pairings, called ABAH, where the CRL checking process is performed by calculating a hash message authentication code. But the ABAH scheme  is inefficient due to the frequent update and revocation of the group key under the group key agreement and the complicated operations of bilinear pairings in processing batch authentication. In 2017, based on short-time anonymous certificates, Azees et al.  presented an authentication scheme using bilinear pairings, called EAAP. But the EAAP scheme does not protect against the bogus message attack, framing attack, Sybil attack, and replay attack . In 2020, Ali and Li  proposed a scheme using bilinear pairings to achieve V2I secure communication. This scheme supports batch verification of messages to improve the efficiency of message verification, but compared with other schemes using elliptic curve construction, this scheme still has a larger computational and communication overhead. In 2021, Mei et al.  proposed an effective certificateless aggregation signature scheme. However, it suffers from the modification attack as proposed by Liu et al. , and has a huge computational and communication overhead because it uses bilinear pairings and map-to-point hash operations.
It is well-known that the bilinear pairings are the most expensive operation among all the cryptographic operations because of their highest computation and storage overhead. It is also well-known that ECC can provide higher security with smaller keys in size and then improve the computational and communication efficiency, storage capacity, and bandwidth efficiency. Particularly, ECC with 160 bit keys provides the same level of security as RSA with 1,024 bit keys . Therefore, researchers are dedicated to studying the use of ECC to implement an identity-based signature scheme without bilinear pairings. In 2017, in order to solve the existing schemes that rely heavily on a tamper-proof device (TPD) or cannot satisfy the security requirement, Cui et al.  proposed the SPACF scheme that is based on software without relying on any special hardware. In the SPACF scheme , the Cuckoo filter and the binary search methods are presented to improve performance in the batch verification phase, but the communication interactions are very frequent such that it is less efficient in practical applications. Contrary to , in 2018, Xie et al.  proposed an efficient message authentication scheme supporting batch messages verification as well as signatures aggregation. In their scheme, the master key of the system will be loaded into the TPD of each registered vehicle. However, this approach is very dangerous because it means that the TPD of each vehicle contains the master key of the system. When the TPD of a certain vehicle is compromised, the entire authentication system will collapse. As we know, such an attack on TPD exists. That is, some attackers can obtain part of TPD information through side-channel attacks [26, 27], such as power analysis and laser scanning. In addition, it is more troublesome to revoke the identity of the vehicle because the master key of the system is already loaded in the TPD of each vehicle. Therefore, this approach is not advisable, and few researchers have continued this method afterwards. In the same year, Gayathri et al.  proposed a certificateless authentication scheme without pairings, thereby improving communication and computing efficiency. However, in Gayathri et al.’s scheme, a vehicle can impersonate other vehicles through the pseudonym generated by itself, and the secure key update is not provided, so it is vulnerable to impersonate attack and side-channel attack. In 2020, Sutrala et al.  proposed a conditional privacy protection certification scheme with pairings. However, we found that the scheme was not secure because the signature was forgeable and a forgery of the signature was constructed . In 2021, Thumbur et al.  proposed an efficient authentication scheme based on signature aggregation. Similar to Mei et al.’s scheme , Thumbur et al.’s scheme is also vulnerable to modification attacks . Finally, we summarize the related work on the authentication schemes for IoV in Table 1, which shows each design with the basis of ECC or bilinears and the property of batch authentication.
From the above review, it can be seen that the above authentication schemes for IoV still have some problems in security and efficiency. In order to fill these problems, we propose a secure and efficient ID-based conditional privacy protection batch authentication scheme on the basis of ECC without pairings. It can be shown that our scheme meets the security requirements, including anonymous authentication, message integrity, traceability, unlinkability, and so on and that our scheme has low computation, communication, and storage cost.
3. System Model and Preliminaries
In this section, the system model, security model, security goals, and the elliptic curve discrete logarithm assumption are briefly introduced.
3.1. System Model
As shown in Figure 1, the system model of the IoV in this paper consists of four entities: the trusted authority (TA), the key generation center (KGC), road side units (RSUs) fixed at the road side, and vehicles.(1)TA: The TA is considered to be a fully trusted third party, which can be a government entity or a trusted organization entity with sufficient calculation and storage capabilities. It is responsible for generating system parameters and the registration of vehicles. Moreover, TA is the only entity that can track the vehicle’s real identity when it maliciously spreads false information.(2)KGC: The KGC is another trusted entity enriched with computation and communication resources in the system. The KGC is responsible for generating the pseudo identity and partial private key of the vehicle, and KGC and TA are two independent third parties.(3)RSUs: RSUs are wireless communication equipment, such as base stations deployed along the road. The RSU acts as an intermediate node between the TA/KGC and the vehicle. The RSU connects with the TA/KGC by a wired link and the vehicle by a wireless channel under the DSRC protocol (IEEE 802.11p)  or the cellular communication technology. The RSU can inspect the validity of the messages received from the vehicle and forward the valid message to nearby vehicles and RSUs.(4)Vehicles: Each vehicle is equipped with an OBU, which is responsible for message generation and transmission to nearby vehicles and RSUs, and stores sensitive information in its TPD.
3.2. Security Model of CPPBA Scheme
In this subsection, the security model of CPPBA schemes will be described. Similar to [17, 21, 22, 30–32], we consider the following types of adversaries:(1)Type-I adversary : This adversary is also called a public-key replacement attacker, who can compromise the vehicle’s secret value or is capable to replace the public key of any vehicle with a value of his choice but cannot access the KGC’s master secret key.(2)Type-II adversary : This adversary is also called a malicious KGC attacker, who can access the KGC’s master secret key but cannot replace the public key of any vehicle.
To show the capabilities of adversaries, the following two games, that is, Game I and Game II, are introduced, which are, respectively, performed by a Type-I adversary and a Type-II adversary interaction with some challengers.
Game I: This game is executed between the challenger and an adversary as follows:(1)Setup phase: In this phase, challenger initializes system parameters params and , and then forwards params to the adversary and keeps secretly.(2)_query: The adversary makes _query on identity , and then challenger returns to .(3)_query: The adversary makes _query on identity and message , and then challenger returns to .(4)Sign_query: The adversary makes signature queries on messages under identity that are adaptively chosen by the adversary himself. Then, the challenger runs the signing algorithm to compute the signature to the adversary.(5)Forgery: The adversary outputs a forged signature on message under identity and wins the game if:(a) is a valid signature on the message under identity .(b)There exists the case in the valid signature forged by .(c)When the adversary makes _query on identity , challenger returns .
Game II: This game is executed between the challenger and an adversary as follows:(1)Setup phase: In this phase, challenger initializes system parameters params and , and then forwards params and to the adversary .(2)_query: The adversary makes _query on identity , and then challenger returns to .(3)_query: The adversary makes _query on identity and message , and then challenger returns to .(4)Extract_query: The adversary makes Extract_query for and the partial private key using ; runs the Extract_query algorithm to compute the and the partial private key and returns them to adversary .(5)Sign_query: The adversary makes signature queries on messages under identity that are adaptively chosen by the adversary himself. Then, the challenger runs the signing algorithm to compute the signature to the adversary.(6)Forgery: The adversary outputs a forged signature on message under identity and wins the game if(a) is a valid signature on the message under identity ,(b)there exists the case in the valid signature forged by ,(c)when the adversary makes _query on identity , challenger returns
Definition 1: An authentication scheme in IoV is said to be provable security (i.e., existential unforgeability) if there are no polynomial-time Type-I and Type-II adversaries who can, respectively, win Game I and Game II with non-negligible advantages.
3.3. Security Goals
According to [16, 17, 21–23], we find that a secure authentication scheme in IoV should satisfy the following security requirements:(1)Message authentication and integrity: The receiver should be able to verify the signature and inspect whether the received message was modified or forged.(2)Conditional privacy-preserving or traceability: The vehicle’s real identity should be hidden during message transmission and authentication processes to prevent the leakage of the vehicle’s sensitive information. Only TA is able to track the vehicle’s real identity from its signature.(3)Unthinkability: No attacker can link any two received messages, even if two messages are sent from the same vehicle.(4)Resistance to impersonation attack: In this type of attack, the attacker is able to imitate a legitimate vehicle to generate a valid signature. A secure CPPBA scheme should be able to prevent the impersonation attack.(5)Resistance to message modification attack: In this type of attack, the attacker is able to modify the legitimate message that is transmitted over the network to achieve its specific purpose. For example, the attacker sends a fable traffic jam message to nearby vehicles to get a better traffic condition for itself. A secure CPPBA scheme should be able to prevent the message from modification attacks.(6)Resistance to side-channel attack: In this type of attack, the attacker is able to attack the TPD of the vehicle by some physical methods to obtain part information stored in the TPD. In the secure CPPBA scheme, the secret stored in the TPD of the vehicle should not be disclosed by side-channel attacks.(7)Resistance to replay attack: This attack is a type of network attack, in which some valid data is maliciously repeated or delayed in transmission. A secure CPPBA scheme should be able to withstand such an attack.
The security requirements of the CPPBA scheme will be analyzed in detail in Section 5.2.
3.4. Elliptic Curve Discrete Logarithm Assumption
Let and be two large prime numbers, and represent a finite field of elements. Suppose an elliptic curve is defined by the equation as follows: , where and . Let be the point at infinity. The point and all points on the elliptic curve form an additive group of order . Let be a generator of group . The scalar multiplication of the elliptic curve is defined as , where .
Elliptic curve discrete logarithm problem (ECDLP) and assumption: Given two points on the elliptic curve , where and , the ECDLP problem is to determine the integer . It is assumed that the ECDLP problem is hard when is large.
4. The Proposed Scheme
For the requirement of conditional privacy-preserving and high authentication efficiency in IoV, a CPPBA scheme is proposed. Table 2 describes the notations used in our scheme. The details of the proposed scheme are described as follows, whose working flow is also illustrated in Figure 2.
4.1. System Initialization
This phase is performed by TA and KGC to generate the initial system parameters along with their public and private key pairs using the following steps:(1)TA chooses two large primes and . TA selects elliptic curve additive group of order , which is defined by , where and . is a generator of the group .(2)TA randomly selects as its master key and computes as the corresponding public key.(3)KGC randomly selects as its master private key and computes as the corresponding public key.(4)TA chooses four one-way cryptographic hash functions , , .(5)Finally, TA and KGC broadcast public parameters .
4.2. Vehicle Registration
In this stage, TA communicates with the vehicle in a secure channel. The following steps will be performed:(1) first sends its real identity to TA, which contains the real information of the user, such as the ID number of the vehicle owner, the license plate number, and vehicle identification number.(2)TA computes and stores the pair . Then TA marks as a registered vehicle and sends to via the secure channel.
4.3. Vehicle Partial Key and Pseudo Identity Generation
In order to protect the privacy of the vehicle, anonymous communication is necessary. On the other hand, the TA is asked to be able to reveal the real identity of the vehicle if necessary. Hence, this privacy is conditional. To this end, a pseudo identity is generated for each registered vehicle along with the partial private key by KGC interaction with the vehicle through a secure channel before signing a message. This phase consists of the following steps:(1) sends to KGC via the secure channel.(2)KGC checks whether exists in the registered vehicle list obtained from TA via the secure channel. If it does not exist, KGC terminates. Otherwise, KGC generates ’s partial private key and pseudo identity by steps (3) and (4).(3)KGC randomly chooses and computes and . Let ’s pseudo identity as , where is the validity period of .(4)Then, KGC computes ’s partial private key as , where .(5)Finally, KGC sends to via the secure channel. stores in its TPD.
This phase is also shown in Figure 3.
4.4. Vehicle Key Generation and Message Signature
To ensure the integrity and validity of the message , the vehicle signs the message before broadcasting it.(1) randomly selects as its private key and computes .(2) computes , where is the current timestamp. Then generates the signature , where . Finally, broadcasts the message-signature tuple to the vicinal RSUs and other vehicles.
4.5. Signature Verification
When the RSU and other vehicles receive the message broadcasted by the vehicle , the validity of the message is verified through the following steps:(1)The receiver first validates of and then checks the validity of the timestamp . If , the receiver discards this message, where is the time when the receiver receives the message and represents the difference between the clock of the vehicle and the local clock. Otherwise, the receiver continues to do the next verification.(2)The receiver computes and and checks whether equation (1) holds or not. If it holds, the receiver accepts the message. Otherwise, the receiver discards it.
The correctness of equation (1) is proved as follows:
4.6. Batch Verification
A vehicle may broadcast or receive multiple messages at the same time, especially in traffic-extensive areas. If the receiver verifies the messages one by one, it may cause redundant computation and a relatively long delay. In our scheme, efficient batch verification is developed, which is shown as follows:(1)Suppose messages-signature tuples are received. The receiver first checks the freshness of the timestamp for message and . If or has expired, it rejects this message . Otherwise, it performs the next verification.(2)Let be the list of signatures that are freshly generated having valid pseudo identities. The receiver selects a random vector , where , is usually 80 .(3)The receiver computes and and inspects whether the equation (3) holds. If it holds, the receiver accepts these messages.The correctness of equation (3) is as follows:
5. Security Proof and Analysis
In this section, the security proof and analysis of our scheme proposed in Section 4 are given.
5.1. Security Proof
This subsection shows the provable security of our new scheme by using random oracle models under the Type-I (with Game I) adversary and the Type-II (with Game II) adversary as shown in Section 3.2.
Theorem 1. If a polynomial adversary can forge a valid signature by querying random oracles , , and , then there exists a simulation algorithm that solves the ECDLP problem with non-negligible advantage.
Proof. Suppose a polynomial adversary can crack the proposed scheme with a non-negligible probability > 0. Our goal is to produce an algorithm that can use the adversary’s ability to solve the ECDLP problem with non-negligible probability. That is, is able to compute given two points , . For this, takes as the target identity of on a message . The specific process is as follows: Setup phase: Algorithm sets and initializes system parameters , and then forwards to the adversary and keeps secretly. also maintains the lists and , which are initially empty. _query: When the adversary makes query on , checks the list for . If such tuple exists, returns to . Otherwise, randomly chooses and returns to . adds the tuple to . _query: When the adversary makes query on , checks the list for . If such tuple exists, returns to . Otherwise, randomly chooses and returns to . adds the tuple to . Sign_query: When queries the oracle using . If , aborts the process. If , queries and oracles to obtain the tuples and , respectively. randomly chooses and computes and , let . Next, sends to . The signature is valid because satisfies equation (1) as follows: Forgery: makes query on to get the valid signature . By applying the forking lemma , when , can obtain another valid signature if it chooses different values in random oracle with by performing the same steps. Likewise, the signature is able to satisfyAccording to equations (5) and (6), we can deduceThen by equation (7), the discrete logarithm can be computed . Therefore, solves the ECDLP problem by outputting .
The probability that resolves the ECDLP problem can be induced through the following events:(1) can forge a valid signature(2)There exists the case in the valid signature forged by (3)When the adversary makes _query on identity , challenger returns Let denotes the number of querying Sign_query oracle. So the probability that solves the ECDLP problem is at least . And for large , this probability turns to , where is the base of the natural logarithm. As a result, given the two points , can resolve the ECDLP problem with a non-negligible probability , which causes a contradiction with the ECDLP assumption.
Theorem 2. If a polynomial adversary can forge a valid signature by querying random oracles , , , and , then there exists a simulation algorithm that solves the ECDLP problem with non-negligible advantage.
Proof. Suppose a polynomial adversary can crack the proposed scheme with a non-negligible probability > 0. Our goal is to produce an algorithm that can use the adversary’s ability to solve the ECDLP problem with non-negligible probability. That is, is able to compute given two points and . For this, takes as the target identity of on a message . The specific process is as follows: Setup phase: Algorithm chooses , computes , and initializes system parameters , and then forwards and secret key to the adversary . also maintains the lists , , and , which are initially empty. _query: When the adversary makes query on , checks the list for . If such tuple exists, returns to . Otherwise, randomly chooses and returns to . adds the tuple to . _query: When the adversary makes query on , checks the list for . If such tuple exists, returns to . Otherwise, randomly chooses and returns to . adds the tuple to . Extract_query: When queries Extract_query for and the partial private key using , inspects whether the tuple exists in the list Exlist. If such tuple exists, forwards and to . Otherwise, if , makes query to get the tuple , then randomly chooses and computes and . Then returns and to and adds to the list Exlist. If , aborts the process. Sign_query: When uses to query the Sign_query oracle, if , queries and Extract_query oracles to obtain the tuple and , respectively. chooses a random number and computes and . Next, sends the signature to . If , queries and oracles to obtain the tuples and , respectively. randomly chooses and computes and ; let . Next, sends to . The signature is valid because satisfies equation (1) as follows: Forgery: makes query on to get the valid signature . By applying the forking lemma , when , can obtain another valid signature if it chooses different values in random oracle with by performing the same steps. Likewise, the signature is able to satisfyAccording to equations (8) and (9), we can deduceThen by equation (10), the discrete logarithm can be computed . Therefore, solves the ECDLP problem by outputting .
The probability that resolves the ECDLP problem can be induced through the following events:(1) can forge a valid signature(2)There exists the case in the valid signature forged by (3)When the adversary makes on identity , challenger returns Let denotes the number of querying Extract_query oracle. So the probability that solves the ECDLP problem is at least . And for large , this probability turns to , where is the base of the natural logarithm. As a result, given the two points , can resolve the ECDLP problem with a non-negligible probability , which causes a contradiction with the ECDLP assumption.
According to Definition 1 defined in Section 3.2, we can see, from the above two theorems, that our authentication scheme is existentially unforgeable (i.e., provably secure).
5.2. Security Analysis
In this subsection, the security analysis of the scheme proposed in Section 4 is discussed, which is similar to [16, 17, 21–23].(1)Message authentication and integrity: When receiving message tuple , the receiver can verify message through equation (1). Note that will change if the message is modified, which will cause a failure of verification in equation (1). As a result, the proposed scheme can guarantee message authentication and integrity.(2)Conditional privacy-preserving or traceability: Given the vehicle’s pseudo identity , where and , the pseudo identity of the vehicle does not contain the real information, so the attacker cannot obtain any real information from the vehicle’s pseudo identity. However, once a legitimate vehicle deliberately spreads false information, TA can recover the real identity of the vehicle by computing and use to query the data list to get the tuple . Then TA adds to the revocation list.(3)Unthinkability: In the proposed scheme, the vehicle’s pseudo identity is , where and , and the signature is . Given the randomness of and , it is impossible for an adversary to link any two pseudo identities and , or any two messages and sent from the same vehicle .(4)Resistance to impersonation attack: According to Theorem 1, it is known that an attacker cannot impersonate other legitimate vehicles to generate a signature that satisfies equation (1). Hence, the proposed scheme can resist the impersonation attack.(5)Resistance to message modification attack: In the signing phase, the vehicle generates the signature , where involves the hash value of the traffic-related message . Once is maliciously modified, the hash value changes, thereby resulting in the failure of the verification of equation (1). Therefore, the proposed scheme can withstand the modification attack.(6)Resistance to side-channel attack: In our scheme, the partial private key and the pseudo identity of the vehicle is stored in its TPD, where is the validity period of . When the vehicle’s pseudo identity expires, the vehicle needs to reapply for a pseudo identity. KGC randomly chooses a new value , computes a new pseudo identity and a new partial private key , where is the validity period of the new pseudo identity. Regular updates of the pseudo identity and the partial private key can effectively resist side-channel attacks.(7)Resistance to replay attack: Timestamp is involved in the message-signature tuple , where the signature is , , and . Hence, the receiver can detect whether the message has expired by verifying the freshness of . Accordingly, the proposed scheme is able to withstand the replay attack.
5.3. Simulation Result Analysis
In this subsection, we use the popular AVISPA tool to simulate the proposed scheme, and the simulation results are shown in Figure 4. The parts in the output format are as follows:(1)SUMMARY: This part indicates whether the scheme is secure (safe or unsafe) or if the analysis was inconclusive(2)DETAILS: This part provides information on the conditions in which the scheme is safe or the attack determining conditions or finally, why the analysis was inconclusive(3)PROTOCOL: This defines the “HLPSL specification of the target protocol in IF”(4)GOAL: It is the goal of the analysis performed by AVISPA using the HLPSL specification (5)BACKEND: It is the name of the backend used for analysis(6)STATISTICS: This is to track possible loopholes of the target protocol and statistics of some related data
The proposed scheme is simulated for formal security verification using the OFMC and CL-AtSe backends under the SPAN, the security protocol for AVISPA . From Figure 4, it is clear that our scheme has passed the executability checking on non-trivial HLPSL specifications, replay attack checking, and Dolev–Yao model checking verifications . Hence, our scheme is secure against replay and man-in-the-middle attacks.
6. Performance Analysis
In this section, we evaluate our scheme from the aspects of computation, communication, storage costs, and security performance by a comprehensive comparison with the state-of-the-art schemes proposed by Gayathri et al.  in 2018, Sutrala et al.  in 2020, and Mei et al.  in 2021. Among these three schemes, Mei et al.’s scheme uses bilinear pairings, while the other two schemes are pairing-free.
6.1. Computation Cost
The symbols used in the calculation and comparison with other schemes are listed below:(1): The execution time of bilinear pairing operation (2): The execution time of the scale multiplication in (3): The execution time of a point addition operation in (4): The execution time of the scale multiplication operation in the elliptic curve, where , (5): The execution time of the addition operation in the elliptic curve, where (6): The execution time of a map-to-point hash function operation(7): The execution time of a one-way hash function operation
In order to evaluate the time cost of the above cryptographic operations, we choose a Type A pairing that uses Java pairing-based cryptography (JPBC) library . It is executed on a Dell desktop computer with the operating system being Windows 10 and the processor being CPU i7-9700, 8 GB RAM. We use the average time of 1,000 executions of the algorithm. The execution times of the above cryptographic operations are shown in Table 3.
In this paper, we adopt a similar evaluation method of computation costs as proposed in reference . Let PKM, SMV, and BMV, respectively, represent the phase of pseudo identity generation, private key generation and message-signature generation, the phase of single message verification, and the phase of batch message verification. We only consider the vehicle’s calculation time because the OBU’s computing power is limited.
In our scheme, the vehicle needs to perform one multiplication operation and one one-way hash function operation in the PKM stage, which requires ms in time. In the SMV stage, three multiplication operations, two addition operations, and two one-way hash function operations are needed to be performed, which requires ms in time. In the BMV stage, multiplication operations, addition operations, and one-way hash function operations are needed to be performed when messages are verified at one time, which requires ms in time. The above computation costs of our scheme are also shown in Table 4. For comparison, we also present the computation costs of those schemes proposed by Gayathri et al. , Sutrala et al. , and Mei et al.  in Table 4. According to the conclusion put forward by Liu et al. , in Mei et al.’s scheme, messages are authenticated at a time by checking the equation , where is a random vector as defined in Section 4.6. The computation cost is ms in time.
The percentage improvements of our scheme with respect to the related schemes are listed in Table 7. For instance, it has the improvement of , , and in the PKM, SMV, and BMV phases, respectively, over the Gayathri et al.’s scheme, where is the number of signatures. The percentage improvements in the PKM, SMV, and BMV phases over other related schemes can be calculated in a similar manner and are also shown in Table 5. From Table 5, it can be clearly seen that our scheme outperforms much better than these three schemes in terms of computational efficiency.
The computation costs in the PKM and SMV stages of different schemes are also represented graphically in Figure 5. From Figure 5, we can see easily that in the PKM and SMV phase, our scheme is much more efficient than Gayathri et al.’s scheme, Sutrala et al.’s scheme, and Mei et al.’s scheme. The curves of computation costs in the BMV phase for different schemes for various numbers of messages are depicted in Figure 6, which shows that our scheme is much superior to the other three schemes in the BMV phase.
6.2. Communication Cost
In this subsection, we evaluate the communication costs of our scheme with that of Gayathri et al.’s scheme, Sutrala et al.’s scheme, and Mei et al.’s scheme. Since the security level provided by the 160 bit ECC is the same as that by the 1024 bit RSA public-key cryptosystem , 160 bit ECC is adopted for the comparison of communication costs. A point on the elliptic curve, usually denoted by , is of length 320 bits or 40 bytes, while a point in the group over which a bilinear pairing is defined is of length 128 bytes. Then an element in is of length 20 bytes. Moreover, the timestamp is supposed to be of length 4 bytes.
In our scheme, the vehicle sends a message-signature tuple to the verifier, where are two elements in the elliptic curve group , are two elements in , and are two timestamps. So the communication cost is bytes as shown in Table 6. Here, the cost of the message does not included, which is a common means used in the communication cost comparison. Table 6 also shows us the communication costs of sending a single message-signature tuple by the vehicle in Gayathri et al.’s scheme, Sutra et al.’s scheme, and Mei et al.’s scheme, which are 228, 228, and 668 bytes, respectively. The communication costs for these schemes are also compared graphically in Figure 7. From Table 6 and Figure 7, it is clear that the communication cost of our scheme is significantly less than the other three schemes.
6.3. Storage Cost
In this subsection, the comparison of the storage space required by the vehicle in the signature phase for different schemes is presented.
In our scheme, the vehicle needs to store the secret , the pseudo identity , and the partial private key into its memory. So the required storage cost is bytes as shown in Table 7. Also, shown in Table 7 are the storage costs required for Gayathri et al.’s scheme, Sutrala et al.’s scheme, and Mei et al.’s scheme, which are 184, 244, and 536 bytes, respectively. From Table 7, it can be clearly seen that the vehicle of our scheme has the smallest storage space compared with the other three schemes.
6.4. Security Comparison
In this subsection, we compare the various security and functionality features of our scheme with that of Gayathri et al.’s scheme, Sutrala et al.’s scheme, and Mei et al.’s scheme. Let , , , , , , , and represent the goals of 1 message authentication and integrity, 2 identity privacy-preservation, 3 traceability, 4 unthinkability, 5 modification attack resistance, 6 impersonate attack resistance, 7 side-channel attack resistance, and 8 replay attack resistance, respectively. The comparison of security goals is indicated in Table 8. The symbol denotes that the security goal is satisfied, and the symbol denotes that the security goal is unsatisfied.
From Table 8, it can be seen that our scheme provides all the mentioned necessary security features and is not vulnerable to any known attacks. In Gayathri et al.’s scheme, the vehicle can impersonate other vehicles through the pseudonym generated by itself, and a secure key update is not provided, so it is vulnerable to the impersonate attack and the side-channel attack. Sutrala et al.’s scheme is vulnerable to the modification attack and the impersonate attack, and TA cannot track the vehicle . In Mei et al.’s scheme, the modification attack is possible . Overall, compared with the existing related solutions in Table 8, our scheme provides a better security performance.
7. Conclusion and Discussion
In this article, we present a secure and efficient conditional privacy-preserving batch authentication scheme based on elliptic curve cryptography. In our scheme, TA is responsible for vehicle registration and generates information that is bound to the vehicle’s real identity for the vehicle. Then the vehicle can request KGC to generate a pseudo identity and partial private key for it through message . This procedure of pseudo identity and partial private key generation is renewed periodically as needed, which prevents side-channel attacks on the TPD of the vehicle. After the vehicle obtains the pseudo identity and partial private key, the vehicle generates the private key and uses the private key to sign the message and then broadcasts the signature together with its pseudo identity and the message. The identity privacy of the vehicle is preserved by broadcasting its pseudo identity rather than the real identity over the IoV network, and this privacy is conditional since any entity except the TA cannot reveal the real identity from the pseudo identity. When many messages are received simultaneously at the vehicle or the RSU, a procedure of batch verification can be conducted to reduce the computation. Our scheme is shown to be secure by proof of unforgeability for the signature and a comprehensive analysis of necessary security features and resistances to various potential attacks. The cost of our scheme in terms of computation, communication, and storage is exhaustive compared to several state-of-the-art schemes that demonstrates that the overall performance of our new scheme is better.
Our authentication scheme protects the vehicle’s identity privacy and meets the necessary security features, but it, similar to previous designs [15–22], has some limitations. For example, it does not resist a collusion attack. That is, if a (large) group of vehicles collude and send a bogus message by the authentication scheme, the message will pass verification, and no collusive vehicle will be revealed. As the development of the internet of things and artificial intelligence, data poisoning attacks , under which a large number of users may be trapped to broadcast bogus traffic-related information over the IoV network, have attracted more and more attention, which will make the (automated) vehicle fail to schedule the best route. A solution to recover this limitation is to introduce the trust mechanism  into the cryptographic authentication approaches, which is our future work. In addition, motivated by the three-factor authentication and key agreement technology over the users/vehicles and the servers , the factor of biometrics can also be introduced in the design of a CPPBA scheme to realize an effective connection between the vehicles and the users. Before the user logs in to the vehicle, the user will be recognized by its biometric, and only the legitimate user can access the vehicle. When in disputes and responsibilities, the TA can reveal not only the real identity of the vehicle but also the real identity of the user. This is also an interesting and important direction in the future.
The data used to support the findings of this study are available from the corresponding author upon request.
Conflicts of Interest
The authors declare that they have no conflicts of interest.
This work was supported by the NSF of China under Grant no. 61871201, the Guangdong Provincial NSF under Grant no. 2021A1515011906, and the Teaching Reform Research Projects of Jinan University under Grant no. JG2020158.
H. Noori and B. B. Olyaei, “A novel study on beaconing for VANET-based vehicle to vehicle communication: Probability of beacon delivery in realistic large-scale urban area using 802.11p,” in Proceedings of the 2013 International Conference on Smart Communications in Network Technologies (SaCoNeT), pp. 1–6, IEEE, Paris, France, June 2013.View at: Publisher Site | Google Scholar
S. Kumar and K. S. Mann, “Prevention of DoS Attacks by Detection of Multiple Malicious Nodes in VANETs,” in Proceedings of the 2019 International Conference on Automation, Computational and Technology Management (ICACTM), pp. 89–94, IEEE, London, UK, April 2019.View at: Publisher Site | Google Scholar
I. Ali, T. Lawrence, A. A. Omala, and F. Li, “An Efficient Hybrid Signcryption Scheme With Conditional Privacy-Preservation for Heterogeneous Vehicular Communication in VANETs,” IEEE Transactions on Vehicular Technology, vol. 69, no. 10, pp. 11266–11280, 2020.View at: Publisher Site | Google Scholar
A. K. Sutrala, P. Bagga, A. K. Das, N. Kumar, J. J. P. C. Rodrigues, and P. Lorenz, “On the Design of Conditional Privacy Preserving Batch Verification-Based Authentication Scheme for Internet of Vehicles Deployment,” IEEE Transactions on Vehicular Technology, vol. 69, no. 5, pp. 5535–5548, 2020.View at: Publisher Site | Google Scholar
G. Thumbur, G. S. Rao, P. V. Reddy, N. B. Gayathri, D. V. R. K. Reddy, and M. Padmavathamma, “Efficient and Secure Certificateless Aggregate Signature-Based Authentication Scheme for Vehicular Ad Hoc Networks,” IEEE Internet of Things Journal, vol. 8, no. 3, pp. 1908–1920, 2021.View at: Publisher Site | Google Scholar
N. Jansma and B. Arrendondo, “Performance comparison of elliptic curve and RSA digital signatures,” Efficiency Comparison of Elliptic Curve and RSA Signatures, vol. 5.View at: Google Scholar
H. J. Mahanta, A. K. Azad, and A. K. Khan, “Differential Power Analysis: attacks and Resisting Techniques,” in Information Systems Design and Intelligent Applications, J. K. Mandal, S. C. Satapathy, M. Kumar Sanyal, P. P. Sarkar, and A. Mukhopadhyay, Eds., pp. 349–358, Springer India, New Delhi, 2015.View at: Publisher Site | Google Scholar
Y. Yang and X. Huang, Comments on “On the Design of Conditional Privacy Preserving Batch Verification-Based Authentication Scheme for Internet of Vehicles Deployment”, Cryptology ePrint Archive, IEEE, Guangzhou, China, 2021.
A. K. Malhi and S. Batra, “An efficient certificateless aggregate signature scheme for vehicular ad-hoc networks,” Discrete Mathematics & Theoretical Computer Science, vol. 17, no. 1.View at: Google Scholar
Java Pairing-Based Cryptography Library (JPBC), http://gas.dia.unisa.it/projects/jpbc/docs/pairing.html.
S.-J. Horng, S.-F. Tzeng, Y. Pan et al., “b-SPECS+: batch verification for secure pseudonymous authentication in VANET,” IEEE Transactions on Information Forensics and Security, vol. 8, no. 11, pp. 1860–1875, 2013.View at: Google Scholar
Q. Jiang, N. Zhang, J. Ni, J. Ma, X. Ma, and K.-K. R. Choo, “Unified biometric privacy preserving three-factor authentication and key agreement for cloud-assisted autonomous vehicles,” IEEE Transactions on Vehicular Technology, vol. 69, no. 9, pp. 9390–9401, 2020.View at: Publisher Site | Google Scholar