Research Article  Open Access
Ping Yu, Wei Ni, Guangsheng Yu, Hua Zhang, Ren Ping Liu, Qiaoyan Wen, "Efficient Anonymous Data Authentication for Vehicular Ad Hoc Networks", Security and Communication Networks, vol. 2021, Article ID 6638453, 14 pages, 2021. https://doi.org/10.1155/2021/6638453
Efficient Anonymous Data Authentication for Vehicular Ad Hoc Networks
Abstract
Vehicular ad hoc network (VANET) encounters a critical challenge of efficiently and securely authenticating massive onroad data while preserving the anonymity and traceability of vehicles. This paper designs a new anonymous authentication approach by using an attributebased signature. Each vehicle is defined by using a set of attributes, and each message is signed with multiple attributes, enabling the anonymity of vehicles. First, a batch verification algorithm is developed to accelerate the verification processes of a massive volume of messages in largescale VANETs. Second, replicate messages captured by different vehicles and signed under different sets of attributes can be dereplicated with the traceability of all the signers preserved. Third, the malicious vehicles forging data can be traced from their signatures and revoked from attribute groups. The security aspects of the proposed approach are also analyzed by proving the anonymity of vehicles and the unforgeability of signatures. The efficiency of the proposed approach is numerically verified, as compared to the state of the art.
1. Introduction
Vehicular ad hoc network (VANET), also known as the Internet of Vehicles (IoV), enables vehicles to broadcast road incidents and supports critical road safety and traffic management applications, such as emergency warning, collision avoidance, road condition broadcast, and lanechanging assistance [1]. Each vehicle is expected to be equipped with an onboard unit (OBU) to collect traffic information and transmit captured data to the network to support various applications [2]. Road side units (RSUs) are infrastructures that connect vehicles to the internet and collect data captured by vehicles [3]. They can communicate with vehicles by using communication protocols, such as IEEE 802.11p protocol [4]. Based on the aggregated data, some timely actions can be taken, and hence, traffic safety and efficiency can be improved.
As a largescale open network, VANET faces a critical issue in message authentication [5]. One of the key challenges is how to protect the anonymity of vehicles that capture, authenticate, and upload data against potential adversaries, while preserving the traceability of any malicious vehicles which forge data and infrastructure which conclude with those vehicles. Another challenge is efficiency in terms of computation and storage [6]. There can be large amounts of data captured and certified by different vehicles at every moment in a largescale VANET. Computational efficiency is critical to the authentication process. There can also be many replicas of the same data in the network. Multiple vehicles can make the same observation, separately authenticate, and upload replicas [7]. The replicas would incur substantial storage overhead, e.g., at cloud service provider (CSP).
1.1. Aim, Background, and Motivation
Typical solutions for anonymous message authentication are pseudonymbased techniques, group signature, ring signature, and attributebased signature (ABS). In pseudonymbased schemes [8–10], each vehicle is equipped with multiple credentials or public keys to break the linkage between its messages. Such schemes define a time period and require each vehicle to change its pseudonym every time. Besides the anonymity of vehicles, the signature techniques, such as group signature [11–13], ring signature [14, 15], and ABS [16, 17], can be applied to achieve data integrity. Specifically, a message can be embedded into its signature by using a public hash function and then attached to the signature [17]. If the attached message is incomplete or tampered with, the hash value would be different from the embedded, and then the verification fails. In group signature schemes [11–13], a group manager integrates the identities of individuals in a group as the public information of the group, and each vehicle signs its messages on the behalf of the group [18]. In these schemes [11–13], each vehicle maintains a list of revoked vehicles. This method makes the verification time (or delay) of the signatures to grow linearly with the number of revoked vehicles. Ring signature [14, 15, 19] is considered to be a simplified group signature that only consists of vehicles, not managers. Each signer collects the public keys of vehicles in the ring and signs its messages on the behalf of the ring for anonymity. However, the revocation of compromised signers is challenging in many practical scenarios [20].
Attributebased cryptography defines each vehicle by referring to a set of attributes, all of which are owned by multiple vehicles [21]. It protects the identities of the signers from being obtained by the public network and thus provides the anonymity of the signers. A trusted authority (TA) validates the attributes of each vehicle and generates the corresponding secret keys to ensure that data is only uploaded by vehicles with legitimate attributes. Most of the ABS techniques, such as [16, 17], only allow the signatures to be verified one by one, resulting in linear growth of the delay required to verify signatures with an increasing number of messages. The attributebased techniques are generally unsuitable to largescale systems where the volume of data is large, such as VANETs [22].
1.2. Contribution
This paper presents a new and effective ABS approach for data authentication in VANETs, which protects the anonymity of vehicles against adversaries and the integrity and unforgeability of data, preserves the traceability of malicious vehicles, and facilitates revocations of malicious vehicles. The approach is also efficient in the sense that multiple signatures by different vehicles for different data can be computationally and efficiently verified together. Moreover, replicas signed by different vehicles can be aggregated and dereplicated with improved storage efficiency. The key contributions of the paper are summarized as follows:(1)We propose a new ABS scheme enabling the identification of malicious vehicles and infrastructures and the revocation of the attribute memberships of the vehicles. The malicious vehicles forging data can be revoked from their attribute groups.(2)Multiple messages generated and authenticated by different vehicles can be verified together via batch operations. New algorithms are developed to verify the signatures, based on the attributes involved, and are independent of the number of messages, hence substantially cutting off the authentication delay.(3)The same data signed by different vehicles can be dereplicated while the traceability of each of the vehicles remains, hence significantly saving the storage overhead of the data.
The proposed anonymous authentication approach is numerically verified by comparing it with the state of the art. As shown by the simulations, the batch verification algorithm and the data dereplication approaches can significantly reduce the computational cost in verifying multiple signatures and the storage overhead of replicas at the CSP, respectively.
1.3. Organization and Notation
The rest of this paper is organized as follows. In Section 2, related studies are reviewed, followed by the system architecture in Section 3. In Sections 4 and 5, we propose the new authentication approach and two new efficient algorithms to accelerate signature verification. We define the security model and prove the security of the proposed approach in Section 6. In Section 7, the efficiency of the proposed approach is validated numerically in comparison with existing techniques, followed by concluding remarks in Section 8. Table 1 lists the notations used in the paper.

2. Related Work
In pseudonymbased schemes, each vehicle is issued a shortterm pseudonym and corresponding private key. With the pseudonym and private key, a vehicle can anonymously generate identitybased aggregate signatures by choosing a onetime string. In [9], the authors adopted a hash message authentication code to achieve efficient authentication. However, frequent changes of pseudonyms could not be avoided. In [22], a pseudonymbased anonymous authentication in VANET was proposed. Multiple vehicles shared the same secret value to support batch verification. This would be inconvenient for highly dynamic networks, such as VANET, where vehicles move all the time and the messages to be batchverified may be from the vehicles not sharing the same secret value.
In group signature schemes [11–13], a group manager integrates the identities of individuals in a group as the public information of the group, and each vehicle signs its messages on the behalf of the group [18]. In these schemes [11–13], each vehicle maintains a list of revoked vehicles. This method makes the verification time (or delay) of the signatures to grow linearly with the number of revoked vehicles. The authors of [23] proposed an anonymous authentication system by using a timedependent group signature technique supportive of signer revocation. The authors assumed the existence of a timedependent token. Each signer with a unique identity can generate a signature on a message by using its secret keys and the time token. Multiple messages of the same signer are linkable if they are signed within a given period. The authors of [12] proposed a threshold group signature scheme, where receivers only accept messages confirmed by more than a prespecified number of vehicles.
Ring signature [14, 15, 19] is considered to be a simplified group signature that only consists of vehicles, not managers. Each signer collects the public keys of vehicles in the ring and signs its messages on the behalf of the ring for anonymity. Au [14] proposed a scheme with constant signature size and proved its security under the Diffie–Hellman inversion assumption. In [19], a secure and unrestricted identitybased ring signature scheme was developed. The authors proved that their scheme can achieve signer anonymity in the standard model. However, the revocation of compromised signers is challenging in many practical scenarios [20].
ABS was first proposed in [21] as a primitive to protect the privacy of message signers. Each message is signed by a predicate of attributes. In [16], the ABS technique was employed to achieve outsourced cloud data integrity auditing. A data owner could specify designated auditors with particular attributes to confirm the integrity of the data. In [17], the anonymity of vehicles was ensured by a threshold predicate. In addition, the authors designed that the identity of a malicious vehicle could be traced from its signature and revoked from the attribute groups. In [20], all data were signed under a threshold predicate. Specifically, a signature was generated under a threshold gate predicate. The verification of the signature could only confirm that the signatures were generated by attributes out of .
Batch verification has been widely employed in anonymous vehicular scenarios to accelerate signature verification [9, 22, 24–30]. Multiple signatures can be verified together, thus shortening latency. An identitybased aggregate signature was proposed in [26]. The individual identitybased signatures generated by different vehicles can be aggregated and verified together. The messages signed under the same onetime string can be aggregated and verified by the nearby RSUs. Zhang et al. [30] proposed a onetime identitybased aggregate signature. The system proposed in [30] includes a trusted authority (TA) and multiple lowerlevel TAs. The signature is only valid under the user’s identity and public information of the lowerlevel TAs. Multiple signatures can be verified together, and the signatures can be compressed into one to reduce storage requirement.
3. System Architecture
Figure 1 shows the proposed system which consists of a TA, a large number of vehicles, multiple RSUs, and a CSP.
The TA is the only fully trusted entity in the system. It produces public parameters of the system, initializes RSUs by publishing public keys, and registers vehicles by issuing secret keys for their legitimate attributes. The TA is also responsible for identifying malicious vehicles that forge messages and revoking the vehicles and/or their attributes. Each vehicle registers at the TA and requests the secret keys corresponding to its attributes. The TA issues a dedicated random value (as the identity of the vehicle) and embeds the value into all of the attributerelated secret keys of the vehicle. This ensures the traceability of the signatures of the vehicle by the TA.
Each vehicle can sign messages by using a subset of its attribute secret keys and send the signed messages to its nearest RSU. The use of attributes ensures the anonymity of vehicles. Any adversaries can only infer that the message is generated by a qualified vehicle with legitimate attributes and cannot identify the vehicle.
The RSUs are fixed infrastructures at the roadside and act as a bridge between vehicles and CSP. They are responsible for collecting messages sent by vehicles, transferring the messages to the CSP, and providing services to nearby vehicles.
In our scheme, the CSP is connected to all the RSUs. It has the ability to verify all the signatures from the network and make decisions based on these data. The CSP can verify multiple signatures at once by using the proposed batch verification algorithm and suppress replicas signed by different vehicles to improve its storage efficiency.
The proposed efficient attributebased anonymous authentication system constitutes the following suite of new algorithms:(i)Initialization: . The TA takes a security parameter as the input and outputs the system public keys (PKs) and , the system master secret key (MSK) , and system attribute public keys for each legitimate attribute of the system.(ii)Vehicle registration: . By taking and as the input, the TA generates the vehicle secret key for the vehicle and vehicle attribute secret keys for each attribute of the vehicle .(iii)Signature generation: , , . With the input of the public parameters, i.e., , , and , the vehicle signs the data by using a subset of its attribute set, denoted by . The vehicle outputs the signature with the data .(iv)Signature verification: . The CSP takes the system public parameters and the signature as the input, verifies the signature, and outputs “0” or “1” to indicate that the signature is verified unsuccessfully or successfully, respectively.(v)Trace: . Given the MSK and , the TA retrieves the identity of the vehicle by running this algorithm.(vi)Attribute revocation: . The TA can revoke any attribute of any vehicle by taking the system attribute public key of attribute as the input and then generates a new system attribute public key and vehicle attribute secret keys.
As part of the suite of algorithms, two new algorithms are explicitly designed to accelerate the verification process of the proposed attributebased anonymous authentication system in VANETs.(i)Batch verification: . The CSP is designed to verify multiple messages signed by different vehicles together using batch operations. Given the signatures , the CSP outputs “1” to indicate that all the signatures are legitimate. Otherwise, the CSP outputs “0.”(ii)Dereplication: . Given signatures of the same message, the CSP generates a new signature , which records that the message has been signed by vehicles and preserves the traceability of the vehicles.
4. Anonymous Authentication Algorithm
4.1. System Parameter Initialization
The TA initializes the system by generating the system public key, MSK, and the system attribute public keys. Suppose that there are attributes in the system. The set collects all the attributes. The TA first generates two groups and . Let and be the generators of groups and , respectively. is a bilinear mapping (given two multiplicative groups and with prime order , the bilinear mapping maps two elements in to another element in , i.e., . This mapping has two properties: (1) bilinearity: = = , , where is an additive cyclic group [31]. (2) Nondegeneracy: . Here, the number of bits in an element of the multiplicative group depends on a security parameter ) which maps any two elements in to an element in . is a hash function which maps a binary sequence to an element in , i.e., . By using , any message can be mapped to a group element in and embedded into a signature.
The TA selects two random values as the system master secret key (MSK), , and publishes the system public keys and . The MSK is only known to the TA to trace misbehaved or malicious vehicles. For each attribute , the TA selects random values and , sets , and generates the system attribute public keys for attribute , denoted by , as given bywhere indicates the current version of the membership of attribute group . is important to revoke the attributes of vehicles (as will be described in Section 4.5). The system public key and system attribute public keys are given by
For each attribute , the TA maintains the vehicle public keys of all the vehicles equipped with the attribute, denoted by :where is the current set of vehicles with attribute . The TA publishes . If the membership of attribute changes, the TA updates the value and the system attribute public key and cancels of any revoked vehicle from , i.e., .
4.2. Registration of the Vehicle
For each vehicle, the TA assigns a unique random value and generates as the vehicle public key of the vehicle. The TA also computes the vehicle secret key for the vehicle. . Suppose that each vehicle has the set of attributes . The vehicle can sign messages by using a subset of its attributes. For each attribute of the vehicle , the TA generates the vehicle attribute secret key as follows:
The secret key of vehicle is given by
Note that the random value which is specific to the th vehicle is embedded into the vehicle attribute secret key to retain the traceability of the vehicle. The vehicle may broadcast faked messages. The unique value of the vehicle, , can be recovered by the TA from any signature of the vehicle, as will be described in Section 4.5, and thus ensures the traceability of the vehicle. Moreover, no attacker can forge the signatures of the vehicle without the secret value .
4.3. Signature Generation
Any vehicle can sign a message by using a subset of its attributes . The vehicle selects a random value and maps to an element in by using a hash function . The resultant signature of the vehicle consists of the following:
The message is sent to the CSP, together with the attribute set and the signature, as given by
4.4. Signature Verification
Given the system public parameters in (2) and the signature in (10), any data users can verify the signature with no need for the identity of the vehicle producing the signature. The data users can confirm that the data is signed by a legitimate vehicle with the uptodate secret keys of all the attributes in if and only if
Proof. Suppose that the version of the attributes embedded in the signature is , and the latest membership version of the th attribute is . The lefthand side (LHS) of (11) can be written aswhere the equalities are taken based on the bilinearity of the bilinear mapping . Similarly, we can rewrite the righthand side (RHS) of (11), as given byBy comparing (12) and (13), we can see that the LHS and RHS of (11) are equal if and only if . In other words, it is confirmed that the signature is signed by a legitimate vehicle with the uptodate vehicle secret keys for the attributes if and only if (11) holds.
4.5. Traceability of Vehicles and Attribute Revocation
4.5.1. Traceability of Malicious Vehicles
An important aspect of the proposed approach is its traceability of malicious vehicles through anonymous signatures. As described in Section 4.1, is a unique random value for vehicle , and the TA can use it to identify the vehicle at the TA. The TA stores all the values . Then, the TA can take each as the input and test whether the following equation holds:
If (14) holds, the TA identifies as the identity of the malicious vehicle. Otherwise, the TA iterates other values until (14) holds.
4.5.2. Attribute Revocation
When a malicious vehicle is found, as described in Section 4.5.1, the TA first detects the attributes of the vehicle and generates new public keys for the attributes. After that, the TA updates the attributerelated secret keys of the other legitimate vehicles equipped with the attributes. In this case, the attributerelated secret keys of the malicious vehicle are no longer up to date and cannot be used to generate legitimate signatures. In other words, the malicious vehicle is revoked from the system.
The TA is able to revoke any attribute, e.g., attribute , of any vehicle in two steps. The TA chooses a new membership version of the attribute, denoted by , and updates the system public key of this attribute, as given by
The TA also generates an update key for each vehicle equipped with attribute since the membership of attribute has changed. The update key can be given by
After receiving , updates its secret key of attribute as follows:
5. Batch Verification and Dereplication
5.1. Batch Verification
The proposed approach allows multiple signatures to be verified at one go, referred to as “batch verification.” This is important to reduce the computational complexity and delay of signature verification, especially in the presence of a large number of devices and a high volume of data. Without loss of generality, we consider that messages, , , , are signed by different vehicles, , by using the attribute sets , respectively. From (10), for each of the vehicles, i.e., vehicle , the signatures are given bywhere, based on (6)–(9), we have
Let . The set collects vehicles that have signed one of the messages by using attribute . is the set of RSUs included in the signatures. It is confirmed that the signatures are signed by the legitimate vehicles with the updatetodate secret keys if and only if
Proof. The correctness of (20) is proved as follows. Referring to the proof of (11), we assume that the membership version embedded into the signatures is , and the current membership version of attribute is . We rewrite the LHS of (20) aswhere the two equalities are due to the bilinearity of bilinear mapping. In specific, (21) can be written as the product of three bilinear mappings: (a) , (b) , and (c) . Both (a) and (b) can be rearranged according to the attribute set which is the union of , . The collection of vehicles signing messages by using attribute is . (22) is rewritten as (23) based on the bilinearity of . Specifically, the exponents of and inside the bilinear mappings (a), (b), and (c) are moved out of the mappings.
We also rewrite the RHS of (20), as given bywhere the bilinearity of the mapping ensures the correctness of the equalities.
By comparing (23) and (26), we conclude that the LHS and RHS of (20) are equal if and only if . In other words, if (20) holds, all the signatures are generated with uptodate vehicle attribute secret keys. The signatures are all legitimate.
5.2. Data Dereplication
The second feature of the proposed approach is its dereplication of signatures describing the same message while preserving the traceability of the vehicles certifying the message. Suppose that message is signed by vehicles, denoted by , by using the attribute sets , respectively. Let . The set collects the vehicles equipped with attribute . With reference to (10), the signatures are given bywhere, based on (6)–(9), we have
Here, stand for the random values selected by the vehicles , respectively.
Let a matrix specify the attributes used to sign the message :where is the size of and . indicates that vehicle signs by using attribute . indicates otherwise.
The CSP defines the aggregated signature, as given bywhere
Any data user has the ability to verify the aggregated signature, i.e., , if and only if
Proof. As defined in the proof of (11), the membership version of attribute embedded into the signatures is , and the membership version in the system attribute public key, i.e., , is . We rewrite the LHS of (32) aswhere the two equalities are due to the bilinearity of bilinear mapping. (33) can be rewritten as the product of three mappings in (34). The exponents of the group elements of are moved outside the mapping in (35).
We also rewrite the RHS of (32) asBy comparing (35) and (37), we show that the LHS and RHS of (32) are equal if and only if . Then, we conclude that message is signed by vehicles with legitimate secret keys.
6. Security Analysis
We consider two security properties of the system, namely, the unforgeability of signatures and the anonymity of vehicles. The unforgeability of signatures ensures that the attackers, such as malicious vehicles or RSUs, cannot forge a signature of other vehicles. The anonymity of vehicles indicates that signatures can only certify that a message is signed by a qualified vehicle with uptodate related attributes and cannot reveal the identity of the vehicle. This ensures that any adversary cannot retrieve the identity of the signer from a signature. We first define the decisional Diffie–Hellman (DDH) assumption [32] as follows.
Definition 1 (decisional Diffie–Hellman (DDH) assumption). Given two elements in group , denoted by and . It is hard to decide or is a random element in , denoted by . Here, is a random value in .
6.1. Security Model
6.1.1. Unforgeability of the Signature
With reference to [21, 33, 34], we prove the unforgeability of the proposed system by constructing a game between a challenger and a forger. In this section, we define the game between a challenger and a forger as follows:(i)Init: the forger first chooses a vehicle with attribute set as the target vehicle and attempts to forge a signature of this vehicle.(ii)Setup: the challenger initializes the system, generates the public parameters, and sends them to the forger.(iii)Phase 1: the forger can request the secret keys of any vehicle other than . The forger can revoke any attribute of a vehicle whose secret keys have been queried and obtain the updated attributerelated public keys.(iv)Forgery: with the results of the queries in phase 1, the forger generates a forged signature of a message under the targeted attribute set .(v)Guess: the challenger checks whether is a valid signature. If yes, the challenger outputs ‘1’ to indicate that .
We say that the proposed approach ensures the unforgeability of the signature if the forger cannot generate a valid signature with the unique value of embedded.
6.1.2. Anonymity of the Signer
We adopt the selective indistinguishability of signatures to prove the anonymity of the vehicles with reference to [35]. We define the interaction between a challenger and an adversary as follows:(i)Init: the adversary chooses a vehicle as its target.(ii)Setup: the challenger sets up the system and sends the public parameters with the parameters of DDH assumption embedded into the adversary.(iii)Phase 1: the adversary can query for the secret keys of any vehicle with the restriction that .(iv)Challenge: the adversary submits a message and an attribute set to the challenger. The challenger signs under the attribute set by using the secret keys of .(v)Phase 2: the adversary continues to query for the secret keys of other vehicles different from .(vi)Guess: the adversary outputs a guess and sends it to the challenger. Here, “1” and “0” represent is a valid and invalid signature of .
We say that the proposed approach achieves the anonymity of the signer if the adversary cannot output a guess with a nonnegligible probability.
6.2. Security Proof
6.2.1. Unforgeability of the Signature
With reference to [34], we verify the unforgeability of the proposed authentication technique by constructing a game between a challenger and a forger, where the forger can be an adversarial vehicle or RSU which attempts to forge the signature of a predefined attribute set . The challenger interacts with the forger by initializing the system and responding to queries. The details are given as follows:(i)Setup: the challenger selects two random values and sets and , respectively. This is achieved by generating the system public keys and as follows: For each attribute , the challenger initializes an empty vehicle list , chooses random values , and sets . The challenger also selects a random value and generates the attributerelated public key as follows:(ii)Phase 1: the forger can process three types of queries, namely, “ query,” “secret key query,” and “attribute revocation query,” as follows: query: the challenger models as a random oracle and maintains a list of history recordings, denoted by . When the forger requests the hash value of a message , the challenger first checks if has been recorded in the list . If has been recorded, the challenger returns the corresponding value to the forger. Otherwise, the challenger selects a random value , generates , and sets . Secret key query: the forger is able to request the secret keys of a vehicle whose attribute set satisfies the requirement that . Specifically, the forger submits a query, denoted by , to the challenger. represents that vehicle is equipped with an attribute set . The challenger selects a random value and computes . For each attribute , the challenger maintains a vehicle list by setting . Then, the challenger generates as given by Then, the challenger sends to the forger. Attribute revocation query: the forger is able to revoke any vehicle in the vehicle list . It first transmits to the challenger. The challenger checks whether . If , the challenger rejects this query. Otherwise, it chooses a new value and updates the attributerelated public key as follows:(iii)Forgery: the forger first queries the oracle and obtains . Then, the forger selects a random value and outputs a forged signature on message by using the queried public keys and secret keys under the predefined attribute set .(iv)Guess: the challenger checks whether is a valid signature and outputs a guess of in the DDH assumption. If is a valid signature, the challenger outputs “1” to indicate that .
We say that the forger can violate the unforgeability of the proposed algorithm if and only if is a valid signature. According to (11), can be successfully verified if and only if the parameter in (38) is , instead of . This contradicts the DDH assumption, where the uncertainty of is proved to be hard against any polynomial adversaries [32]. Therefore, the unforgeability of the proposed approach is ensured.
6.2.2. Anonymity of the Signer
We proceed to prove the anonymity of the vehicles based on the signature indistinguishability. Given a vehicle with a set of attributes and a signature generated by using a subset of , we prove in the following that it is hard to distinguish whether has signed the data or not. We define interactions between a challenger and an adversary as follows:(i)Init: the adversary chooses a vehicle whose attribute set is as its target vehicle.(ii)Setup: the challenger selects a random value and sets as the secret value for . The challenger publishes the public key of as follows: As described in Section 6.2.1, the challenger chooses random values and generates , , and . The challenger also sets for each attribute by generating It is noteworthy that the attributerelated public key still preserves the randomness and uniqueness of because of the random values and . Then, the challenger sends the public parameters, i.e., , , and , to the adversary.(iii)Secret key query: the adversary can query the secret keys of vehicle whose attribute set is , and . The challenger chooses a random value and generates . Let represent the secret key query of . For each attribute , the challenger computes the attributerelated secret keys, as given by Then, the challenger transmits the secret key of the vehicle , i.e., , to the adversary.(iv)Challenge: in this phase, the adversary chooses a message and sends it to the challenger. As done in Section 6.2.1, we model as . The challenger signs by using the secret keys of vehicle . It also selects a random value . The details are given as follows: Then, the challenger transmits to the adversary.(v)Phase 2: can repeatedly query for the secret keys of vehicles .(vi)Guess: the adversary can output a guess and send to the challenger. Here, “1” and “0” indicate that is a legitimate signature of or not, respectively.
If , the adversary can break the anonymity of the proposed signature algorithm, but in this case, the challenger can confirm that , which indicates that the challenger could breach the DDH assumption. Since the security of DDH has been proved in [32], we can assert that the anonymity of the proposed system is ensured.
7. Numerical and Experimental Study
In this section, we implement the proposed attributebased anonymous authentication approach and conduct a comparison study of efficiency between the proposed scheme and three stateoftheart ABS techniques, namely, Yu et al.’s algorithm [16], Cui et al.’s algorithm [17], and Xiong et al.’s algorithm [36]. These techniques are based on ABS techniques and can be applied to VANETs to support anonymous authentication. We first compare the schemes from the functionalities and security aspects. The details are provided in Table 2.
 
^{1}In this example, we use the number of operations to represent the encryption overhead of IoT devices. denotes the bilinear mapping operation . and represent the exponential operation in group and , respectively, and and stand for the multiplicative operation in and . ^{2} denotes the size of the whole set of attributes in the system. is the number of attributes involved in an access structure (an access tree or matrix), and stands for the number of users in the ABE systems. denotes the average number of vehicles equipped with an attribute. 
Our experimental testbed runs CharmCrypto in a Mac laptop to provide the framework of our cryptosystem. CharmCrypto supports a range of cryptographic settings, including pairing, exponential, and multiplicative operations in bilinear elliptic curve groups. We choose “SS512” as the target elliptic curve to simulate the stateoftheart algorithms [16, 17, 36] and the proposed approach. The Mac laptop runs 10.14.5 operating system and has an Intel Core i5 with an operating frequency of 2.3 GHz and a memory of 8G bytes.
7.1. Efficiency of Batch Verification
We start by comparing the proposed approach with the stateoftheart techniques in terms of computational overhead at the signature verification phase. We assume that there are signatures to be verified and use the verification time (or delay) to represent the computational cost of the schemes. denotes the number of attributes included in the signatures. Three variations of the proposed approach, referred to as “proposed algorithm without batch,” “proposed batch verification when ,” and “proposed batch verification when ,” are plotted in Figure 2. We set ; in other words, each message is signed under five attributes. Every result is the average of 100 independent experimental tests in the figure.
In Figure 2, we can see that the verification time of all the schemes increases with the number of messages, and the proposed approaches take shorter verification time than the existing techniques. We also see that “proposed algorithm without batch” intersects “proposed batch verification ” and “proposed batch verification ” when the number of signatures is 10 and 20, respectively. With the increase of , the two variations of the proposed batch verification algorithm can outperform the algorithm without batch verification when the number of data is greater than the number of attributes. Moreover, the batch verification algorithms can perform better when the number of attributes is 10, i.e., , than they do when .
7.2. Efficiency of Data Dereplication
We compare the communication overhead of the proposed dereplication with that of the existing works in Figure 3(a). We use the length of signatures to represent the communication cost. Assume that there are signature/replicas describing the same message . We evaluate the communication overhead of the signatures by using the bitlength of signatures. Table 3 shows the comparison of the proposed approach and the existing algorithms, i.e., Yu et al.’s scheme [16], Cui et al.’s scheme [17], and Xiong et al.’s scheme [36]. is the length of an element in the group . denotes the length of a message . is the size of an access structure (an attribute set or matrix). is the average size of attributes included in an ABS signature scheme. As shown in Figure 3(a), the proposed dereplication algorithms can show their advantage when the number of replicas is larger than the number of attributes included in the signatures. Specifically, “proposed dereplication ” and “proposed dereplication ” can outperform the “proposed without dereplication” when the number of signatures is around and above 10 and 20, respectively. The proposed approach requires substantially lower communication cost than Yu et al.’s scheme [16] and Cui et al.’s scheme [17].
(a)
(b)
Besides the communication overhead, we also compare the storage overhead of vehicles in different schemes. We assume that there are up to 50 replicas to be stored. The schemes without dereplication, i.e., Yu et al.’s scheme [16], Cui et al.’s scheme [17], and Xiong et al.’s scheme [36], are expected to store the replicas separately to record the responsible vehicle. The proposed scheme can aggregate the replicas and preserve the traceability of the signers. The aggregated signature is given by ; see (30). In our design, is preserved in to trace the signers of the replicas and can be stored at a central server only. In this case, the vehicles can store to reduce storage overhead. We also evaluate the storage overhead of , called “proposed without traceability,” as shown in Figure 3(b). In the figure, we show that the proposed scheme can compress the storage space of replicas and largely reduce the storage overhead of vehicles.
7.3. Experiment Analysis
We evaluate the network performance of the proposed scheme by using SUMO and NS3 [4]. OpenStreetMap can help us get traffic data in a certain area and import the data to SUMO, which is a tool for building network simulators. As a C++ library, SUMO can load the road conditions from OpenStreetMap and simulate traffic flows. NS3 is a network simulator and can be combined with SUMO to simulate various communication protocols in different scenarios. We adopt IEEE 802.11p as the transmission protocol.
We generate a realistic map near the University of Technology Sydney (UTS) to simulate the performance of the proposed scheme. Figures 4 and 5 show the map of UTS in the real scenario and in SUMO, respectively. We consider average message transmission delay (ATD) to evaluate the performance of our scheme in VANET. The ATD can be defined as the average time cost to transmit messages from a sender to a receiver, denoted by
Here, is the total number of vehicles in the experiment. denotes the number of messages received by the th vehicle . and represent the receiving time and the sending time of the th message of , respectively.
Figure 6 illustrates the relationship between the average transmission delay and the number of vehicles in the considered area. We can observe that the ATD grows linearly with the number of vehicles in the map. We also analyze how the size of packet influences the transmission delay. We take “packet size = 512 bytes” and “packet size = 1024 bytes” into consideration. From Figure 6, we can conclude that the ATD increases with the size of packet.
8. Conclusion
This paper presents a new approach for secure, efficient, and anonymous data authentication in VANET. The approach defines each vehicle by using a set of attributes and enables the vehicle to sign messages under part of its attributes. The malicious vehicles forging data can be identified and revoked. The verification of multiple messages can be conducted together in a batch, hence reducing the delay of verifying massive data in largescale VANETs. The replicas of the same data can be dereplicated to reduce the storage requirement for data, e.g., at the CSP. The approach is experimentally verified to outperform existing techniques in terms of verification delay and storage requirement.
Data Availability
The data used to support the findings of this study are available from the corresponding author upon request.
Conflicts of Interest
The authors declare that they have no conflicts of interest.
References
 F. Qu, Z. Wu, F. Wang, W. Cho, and W. Cho, “A security and privacy review of VANETs,” IEEE Transactions on Intelligent Transportation Systems, vol. 16, no. 6, pp. 2985–2996, 2015. View at: Publisher Site  Google Scholar
 Y. Wang, Y. Ding, Q. Wu, Y. Wei, B. Qin, and H. Wang, “Privacypreserving cloudbased road condition monitoring with source authentication in VANETs,” IEEE Transactions on Information Forensics and Security, vol. 14, no. 7, pp. 1779–1790, 2018. View at: Google Scholar
 J. Zhang, J. Cui, H. Zhong, Z. Chen, and L. Liu, “Pacrt: Chinese remainder theorem based conditional privacypreserving authentication scheme in vehicular adhoc networks,” IEEE Transactions on Dependable and Secure Computing, vol. 1, 2019. View at: Google Scholar
 J. Cui, L. Wei, H. Zhong, J. Zhang, Y. Xu, and L. Liu, “Edge computing in vanetsan efficient and privacypreserving cooperative downloading scheme,” IEEE Journal on Selected Areas in Communications, vol. 38, no. 6, pp. 1191–1204, 2020. View at: Publisher Site  Google Scholar
 R. G. Engoulou, M. Bellaïche, S. Pierre, and A. Quintero, “VANET security surveys,” Computer Communications, vol. 44, pp. 1–13, 2014. View at: Publisher Site  Google Scholar
 D. He, S. Zeadally, B. Xu, and X. Huang, “An efficient identitybased conditional privacypreserving authentication scheme for vehicular ad hoc networks,” IEEE Transactions on Information Forensics and Security, vol. 10, no. 12, pp. 2681–2691, 2015. View at: Publisher Site  Google Scholar
 J. Ni, K. Zhang, Y. Yu, X. Lin, and X. S. Shen, “Providing task allocation and secure deduplication for mobile crowdsensing via fog computing,” IEEE Transactions on Dependable and Secure Computing, vol. 2018, 2018. View at: Google Scholar
 J. Li, H. Lu, and M. Guizani, “ACPN: a novel authentication framework with conditional privacypreservation and nonrepudiation for VANETs,” IEEE Transactions on Parallel and Distributed Systems, vol. 26, no. 4, pp. 938–948, 2015. View at: Publisher Site  Google Scholar
 S. Jiang, X. Zhu, and L. Wang, “An efficient anonymous batch authentication scheme based on HMAC for VANETs,” IEEE Transactions on Intelligent Transportation Systems, vol. 17, no. 8, pp. 2193–2204, 2016. View at: Publisher Site  Google Scholar
 J. Cui, J. Zhang, H. Zhong, and Y. Xu, “SPACF: a secure privacypreserving authentication scheme for VANET with cuckoo filter,” IEEE Transactions on Vehicular Technology, vol. 66, no. 11, pp. 10283–10295, 2017. View at: Publisher Site  Google Scholar
 X. Zhu, S. Jiang, L. Wang, H. Li, W. Zhang, and Z. Li, “Privacypreserving authentication based on group signature for VANETs,” 2013. View at: Google Scholar
 J. Shao, X. Lin, R. Lu, and C. Zuo, “A threshold anonymous authentication protocol for VANETs,” IEEE Transactions on Vehicular Technology, vol. 65, no. 3, pp. 1711–1720, 2016. View at: Publisher Site  Google Scholar
 J. Cui, D. Wu, J. Zhang, Y. Xu, and H. Zhong, “An efficient authentication scheme based on semitrusted authority in VANETs,” IEEE Transactions on Vehicular Technology, vol. 68, no. 3, pp. 2972–2986, 2019. View at: Publisher Site  Google Scholar
 M. H. Au, “IDbased ring signature scheme secure in the standard model,” 2006. View at: Google Scholar
 K. Amit, “IDbased ring signature and proxy ring signature schemes from bilinear pairings,” 2005. View at: Google Scholar
 Y. Yu, Y. Li, B. Yang, W. Susilo, G. Yang, and J. Bai, “Attributebased cloud data integrity auditing for secure outsourced storage,” IEEE Transactions on Emerging Topics in Computing, vol. 2017, 2017. View at: Google Scholar
 H. Cui, R. H. Deng, and G. Wang, “An attributebased framework for secure communications in vehicular ad hoc networks,” IEEE/ACM Transactions on Networking, vol. 2019, 2019. View at: Google Scholar
 G. Calandriello, P. Papadimitratos, J.P. Hubaux, and A. Lioy, “Efficient and robust pseudonymous authentication in VANET,” 2007. View at: Google Scholar
 M. H. Au, W. Susilo, and J. Zhou, “Realizing fully secure unrestricted IDbased ring signature in the standard model based on HIBE,” IEEE Transactions on Information Forensics and Security, vol. 8, no. 12, p. 1909, 2013. View at: Google Scholar
 J. Sun, Y. Su, J. Qin, J. Hu, and J. Ma, “Outsourced decentralized multiauthority attribute based signature and its application in IoT,” IEEE Transactions on Cloud Computing, vol. 2019, 2019. View at: Google Scholar
 M. Prabhakaran and M. Rosulek, “Attributebased signatures,” 2011. View at: Google Scholar
 S.J. Horng, S.F. Tzeng, Y. Pan et al., “bSPECS+: batch verification for secure pseudonymous authentication in VANET,” IEEE Transactions on Information Forensics and Security, vol. 8, no. 11, pp. 1860–1875, 2013. View at: Publisher Site  Google Scholar
 K. Emura and T. Hayashi, “Roadtovehicle communications with timedependent anonymity: a lightweight construction and its experimental results,” IEEE Transactions on Vehicular Technology, vol. 67, no. 2, pp. 1582–1597, 2017. View at: Google Scholar
 D. He, N. Kumar, and W. Wu, “Efficient hierarchical identitybased signature with batch verification for automatic dependent surveillancebroadcast system,” IEEE Transactions on Information Forensics and Security, vol. 12, no. 2, pp. 454–464, 2016. View at: Google Scholar
 K.A. Shim, “CPAS: an efficient conditional privacypreserving authentication scheme for vehicular sensor networks,” IEEE Transactions on Vehicular Technology, vol. 61, no. 4, pp. 1874–1883, 2012. View at: Publisher Site  Google Scholar
 L. Zhang, C. Hu, Q. Wu, J. DomingoFerrer, and B. Qin, “Privacypreserving vehicular communication authentication with hierarchical aggregation and fast response,” IEEE Transactions on Computers, vol. 65, no. 8, pp. 2562–2574, 2016. View at: Publisher Site  Google Scholar
 N. Lewis, C. H. Liu, and J. S. Song, “Towards secure and privacy preserving collision avoidance system in 5G fog based Internet of Vehicles,” Future Generation Computer Systems, vol. 95, pp. 488–499, 2019. View at: Google Scholar
 S.F. Tzeng, S.J. Horng, T. Li, X. Wang, P.H. Huang, and M. K. Khan, “Enhancing security and privacy for identitybased batch verification scheme in VANETs,” IEEE Transactions on Vehicular Technology, vol. 66, no. 4, pp. 3235–3248, 2017. View at: Publisher Site  Google Scholar
 M. Azees, P. Vijayakumar, and L. J. Deboarh, “EAAP: efficient anonymous authentication with conditional privacypreserving scheme for vehicular ad hoc networks,” IEEE Transactions on Intelligent Transportation Systems, vol. 18, no. 9, pp. 2467–2476, 2017. View at: Publisher Site  Google Scholar
 L. Zhang, Q. Wu, J. DomingoFerrer, B. Qin, and C. Hu, “Distributed aggregate privacypreserving authentication in VANETs,” IEEE Transactions on Intelligent Transportation Systems, vol. 18, no. 3, pp. 516–526, 2017. View at: Publisher Site  Google Scholar
 D. Boneh and M. Franklin, “Identitybased encryption from the Weil pairing,” 2001. View at: Google Scholar
 D. Boneh, “The decision diffiehellman problem,” 1998. View at: Google Scholar
 D. Boneh, E. Shen, and B. Waters, “Strongly unforgeable signatures based on computational DiffieHellman,” 2006. View at: Google Scholar
 J. Herranz, F. Laguillaumie, B. Libert, and C. Ràfols, “Short attributebased signatures for threshold predicates,” 2012. View at: Google Scholar
 D. Khader, “Attribute based group signature with revocation,” IACR Cryptology ePrint Archive, vol. 241, 2007. View at: Google Scholar
 X. Hu, Y. Bao, and X. Nie, “Serveraided attributebased signature supporting expressive access structures for Industrial Internet of Things,” IEEE Transactions on Industrial Informatics, vol. 2019, 2019. View at: Google Scholar
Copyright
Copyright © 2021 Ping Yu et al. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.