#### Abstract

Vehicular ad hoc network (VANETs) plays a major part in intelligent transportation to enhance traffic efficiency and safety. Security and privacy are the essential matters needed to be tackled due to the open communication channel. Most of the existing schemes only provide message authentication without identity authentication, especially the inability to support forward secrecy which is a major security goal of authentication schemes. In this article, we propose a privacy-preserving mutual authentication scheme with batch verification for VANETs which support both message authentication and identity authentication. More importantly, the proposed scheme achieves forward secrecy, which means the exposure of the shared key will not compromise the previous interaction. The security proof shows that our scheme can withstand various known security attacks, such as the impersonation attack and forgery attack. The experiment analysis results based on communication and computation cost demonstrate that our scheme is more efficient compared with the related schemes.

#### 1. Introduction

With the rapid development of wireless communication technology, VANETs has drawn widespread attention in society over the decades. VANETs will bring great benefits to people in many ways. It can not only help drivers obtain traffic information in advance and provide better routes to ensure traffic safety and reduce traffic burden but also supply other services, such as toll collection and car infotainment and location-based services [1].

In spite of the huge advantages offered by VANETs, it is still confronted with some problems that need to be solved such as privacy preserving and secure authentication since the communication in VANETs is on an open channel. Numerous schemes [2–5] have provided message authentication. The receiver must first verify the legality and integrity of the messages broadcast by other vehicles before it trusts them. However, in these schemes, the identity of the vehicle is not authenticated before it communicates with others. So, any vehicle can join the communication range and broadcast messages to others. If there are numerous vicious vehicles in communication area, a lot of false information will be generated and broadcast in the Internet of vehicle system, which has an adverse impact on the efficiency of the entire system. Therefore, the identity authentication before communication is also essential for VANETs.

Recently, Cui et al. [6] proposed a mutual authentication scheme for VANETs. In their scheme, the mutual authentication process between the vehicle and TA needs to be executed before the vehicle can communicate with other vehicles and RSUs. However, we find their scheme actually has some security defects. It is vulnerable to forgery attack and impersonation attack and does not provide forward secrecy which is an important security property of authentication scheme. In addition, their scheme cannot meet batch verification. Batch verification allows the verifier to check the validity of many signatures at the same time, which can greatly reduce delay. Many schemes [7–10] with batch verification have been proposed using bilinear pairing or based on elliptic curve.

In this paper, we present an improved mutual authentication scheme with forward secrecy for VANETs in order to withstand various known attacks. Concretely, the main contributions of our scheme are given as follows:(1)We identify and analyze security flaws in Cui et al.’s scheme for VANETs. Their scheme exits forgery attack and impersonation attack.(2)We propose an improved mutual authentication scheme for VANETs to resist the security attacks in Cui et al.’s scheme. Our solution provides not only message authentication but also identity authentication. Moreover, our scheme can also achieve batch verification without using bilinear pairing.(3)Finally, the proposed scheme can provide stronger security property, forward secrecy. That is to say, even if the current shared key is exposed, the adversary cannot construct the previous shared key. The security proof and analysis indicate that our scheme is secure. Performance evaluation shows that our scheme has low computation and communication overhead.

The rest of the paper is organized as follows. The related work is introduced in Section 2. Section 3 presents the system model, security assumptions, and security requirements. In Section 4, we briefly review the scheme of Cui et al. In Section 5, we analyze the security attacks of their scheme. Section 6 introduces the improved mutual authentication scheme with forward secrecy. In Section 7, we give the security proof and analysis. Section 8 presents the performance analysis. Finally, Section 9 shows the conclusion of this paper.

#### 2. Related Work

In recent years, the issues of privacy protection and secure authentication for VANETs have drawn more and more attention. To settle the problems mentioned above, many signature and authentication schemes have been proposed. For example, in 2006, a ring signature scheme was first proposed by Gamage et al. [11] to conceal the signer’s real identity. However, their scheme is not suitable for VANETs because no entity could trace the real identities of vehicles when false messages are sent by malicious vehicles caused damage. A year later, a PKI-based authentication scheme using anonymous certificates was proposed in [12]. However, in this scheme, vehicles need to store many public-private keys and corresponding anonymous certificates, which would impose storage burden to vehicles and huge certification management burden to TA. Later, Lin et al. [13] introduced a privacy-preserving authentication protocol based on a group signature [14]. Then, an efficient conditional privacy-preserving authentication (CPPA) scheme using bilinear pairing was proposed in [15]. In this scheme, the RSU needs to update the temporary anonymous certificates periodically and stores them, which would cause huge burden for the RSU and have low efficiency.

In order to mitigate the certificate management problem, many identity-based schemes were proposed such as [16–21]. Zhang et al. [16] introduced an identity-based solution with batch verification called IBV. In their paper, the signature key of the vehicle is generated based on its identity. Both vehicles and RSUs do not need to save any certificate. In addition, their solution can simultaneously verify many received messages, which greatly increases the efficiency of verification. Then, the flaws of Zhang et al.’s IBV scheme [16] were found by Lee and Lai [17]. First of all, Zhang et al.’s scheme is subject to the replaying attack. Secondly, the signature nonrepudiation is not achieved in Zhang et al.’s BIV scheme. So, Lee and Lai proposed an improved scheme to resist the above two types of attacks without extra overhead. Unfortunately, Zeng et al. [18] showed Lee and Lai’s scheme [17] exits some weakness in VANETs. Firstly, Lee and Lai’s approach did not achieve privacy preserving because anyone who only knows the public system parameters can calculate the real identity of the sender. Secondly, a malicious vehicle can imitate a valid vehicle to send false messages and even can use an arbitrary identity to escape the TA tracking. For the above weakness in VANETs, Zeng et al. [18] proposed an improved IBV scheme.

Soon after, many scholars combined certificateless cryptography and aggregation signature and further constructed various certificateless aggregation signature (CLAS) schemes [22–30]. For example, a CLAS scheme was proposed by Xiong et al. [22]; however, He et al. [23] pointed out that the adversary could forge a legal signature of any message in their scheme and presented an improved CLAS scheme. Unluckily, a security drawback in He et al.’s scheme [23] was found by Li et al. [24]. Xu et al. [30] found that the scheme of Horng et al. [25] cannot resist any type of adversary in the certificateless security model and built a new CLAS scheme. Lately, Cui et al. [26] presented an efficient CLS scheme for VANETs, which was proved to be insecure by Kamil and Ogundoyin [27].

To improve the efficiency, some schemes [31–34] have been designed shortly after. For example, in 2015, a new ID-based CPPA scheme for VANETs was firstly introduced by He et al. [31] based on Elliptic Curve Cryptography (ECC) without bilinear pairing. Cui et al. [35] built a secure privacy-preserving authentication (SPACF) scheme for VANETs using cuckoo filter and binary search methods to enhance the efficiency of batch verification. Azees et al. [36] constructed an efficient anonymous authentication (EAAP) protocol with an efficient conditional privacy tracking mechanism for VANETs. Nevertheless, they did not provide batch signatures verification. Soon after, Zhong et al. [37] proposed a privacy-preserving authentication scheme with full aggregation. In their scheme, the RSU could aggregate the signatures of vehicles which are passing through it. However, this scheme has low efficiency due to the use of map-to-point hash functions and bilinear pairing. Later, Ali and Li [38] introduced an efficient CPPA scheme for VANETs based on general one-way hash functions with lower computation overhead. A conditional privacy-preserving authentication protocol based on Chinese remainder theorem (CRT) for VANETs was elaborated by Zhang et al. [39]. In their protocol, they eliminated the need for preloading the master key of the system into Tamper-Proof Device (TPD) of vehicle, thus avoiding the risk of compromising a vehicle’s TPD leading to entire system failure.

Some mutual authentication schemes [40–42] in other different scenarios have been proposed. Recently, Cui et al. [6] introduced a secure mutual authentication for VANETs. However, we find their scheme exits some security weaknesses, such as forgery attack and impersonation attack. In this paper, we introduce an improved mutual authentication scheme with forward secrecy. Meanwhile, we provide batch verification, which greatly increases the efficiency of verification.

#### 3. Preliminaries

In this part, the system model and security requirements will be given.

##### 3.1. System Model

As shown in Figure 1, a typical architecture of VANETs is made up of the following units:(1)Trusted authority (TA): TA is a trusted third party with large storage capacity and powerful computing capabilities. It is in charge of generating system parameters and authenticating the identity of vehicles. Furthermore, the true identities of vehicles could only be revealed by TA.(2)Road side unit (RSU): RSU is the roadside infrastructure unit and not fully trusted. It can serve as a bridge between TA and the vehicle communication. And, it can also monitor suspicious message signatures broadcast by vehicles.(3)Vehicles: each vehicle communicates with other vehicles or RSUs by an open dedicated shortrange communication (DSRC) protocol [43].

##### 3.2. Security Assumptions

The security of our scheme is based on the elliptic curve discrete logarithm (ECDL) problem and the computational Diffie–Hellman (CDH) problem.(1)ECDL problem: the ECDL problem is to calculate , where satisfies the known point on the curve(2)CDH problem: the CDH problem is to obtain the point given two random points , , where and are secret

##### 3.3. Security Requirements

On the basis of the previous works for VANETs, the following secure requirements should be met in the proposed scheme:(1)Message authentication: the receiver must check the integrity and validity of the message signatures sent by other vehicles before it trusts them(2)Identity authentication: the vehicle needs to complete identity authentication to prove it is legal before allowing it to communicate with other RSUs and vehicles(3)Traceability: if a malicious vehicle transmits a false message to mislead others, the true identity of it could be traced by TA(4)Forward secrecy: even if the adversary knows the current shared key, it is impossible to generate the pervious shared key(5)Resistance against numerous types of attacks: the proposed scheme should be capable of withstanding the following security attacks that exist in VANETs(1)Replay attack: an adversary may gather and save a message signature and try to send it after the primitive signature becomes invalid(2)Impersonate attack: a malicious vehicle could diffuse a legal vehicle to send fake messages in order to make profits.(3)Forgery attack: an adversary could forge some secret information such as identity or authentication credential to generate a signature without being detected(4)Known key secrecy attack: an adversary could construct the current key if it obtains the key generated in the previous interaction

#### 4. Review of Cui et al.’s Mutual Authentication Scheme

Recently, Cui et al. [6] proposed a secure mutual authentication scheme for VANETs. In this section, we briefly review their scheme.

##### 4.1. TA Initialization Phase

Step 1: TA picks two large prime numbers , an additive group with order , which is formed by points on the elliptic curve (, where ). is a generator of . Step 2: TA randomly picks a number as its secret key and calculates as its public key. Step 3: TA selects symmetric encryption function (.) and several hash functions: , , , , where is a hash with key. Step 4: finally, TA publishes as public system parameters.##### 4.2. Vehicle Setup Phase

The vehicle first transmits real identity to TA. Then, TA calculates interpseudonym identity , where is the valid period. Then, TA sends to by a secure channel. Finally, randomly picks an integer as the encryption key and stores and into the TPD. Simultaneously, TA saves the tuple (RID, , , ).

##### 4.3. Mutual Authentication Phase

The mutual authentication process is completed between TA and the vehicle . The details are as follows: Step 1: firstly, picks a random integer and calculates a hash code . Then, it encrypts , and using the shared key . Next, sends the messages to nearby RSU, where is the identity of TA, and is the current timestamp. Step 2: when RSU obtains a message from , it first inspects the validity of the timestamp. If the timestamp is expired, it fails. Otherwise, RSU attaches its identity and a new timestamp to the message. Then, it uses its private key shared with TA to encrypt messages. Finally, it broadcasts the encrypted messages to TA. When TA receives the messages, it first decrypts to get the tuple . Next, it continues to decrypt to get and . Then, it computes . If , it continues to execute the next step; else it aborts. Step 3: TA calculates the authentication code . Then, it sends the encrypted messages to the nearby RSU, where is the valid period of . Step 4: as the RSU receives the messages sent by TA, it decrypts the messages to get . Then, RSU authenticates if is invalid, it fails; else it sends to . After receives the messages, it first uses to decrypt them and then uses the system public key to decrypt to get . If it is equal to the stored in the TPD, the vehicle successfully completes the mutual authentication with TA and is allowed to broadcast messages to other vehicles and RSU.

##### 4.4. Vehicle Signature Phase

In this part, randomly chooses a number and computes . Next, calculates its public pseudonym identity . Then, it generates the signature and broadcasts the messages to other RSUs and vehicles.

##### 4.5. Message Verification Phase

As RSU obtains the messages from , it calculates . If , the message is considered valid; otherwise, the verifier directly discards the messages.

#### 5. Attacks on Cui et al.’s Mutual Authentication Scheme

In this section, we describe some attacks existing in the scheme of Cui et al. [6]. The details are as follows.

##### 5.1. Forgery Attack

According to our analysis, Cui et al.’s scheme exits forgery attack in VANETs. We consider a case in which an attacker forges the authentication code. Then, it can use the authentication code to generate a message signature and the signature can be successfully verified. The details are described as follows.

Suppose an attacker forges an arbitrary authentication code . Then, it selects a random integer , computes , and generates a signature of false message as the following equation:

Finally, it sends the messages to other vehicles and RSUs.

After RSU receives the messages , it will check that the following equation is satisfied; hence, the message will be considered valid:

From the above, we notice that a vehicle without executing the mutual authentication process can forge the authentication code and uses it as a credential to successfully communicate with others. Essentially, this is because RSU can only verify whether AC sent by has been tampered with the public channel, but cannot verify AC which is distributed by TA.

##### 5.2. Impersonation Attack

We find the scheme of Cui et al. cannot withstand the impersonation attack in VANETs. A malicious vehicle could imitate other valid vehicles to broadcast messages. The details of impersonation attack are as follows.

Suppose an attacker intercepts the authentication code AC and the pseudonym identity on the open channel, and it executes the following steps:(1)First, it randomly selects an integer and calculates .(2)Next, it uses the intercepted AC and to generate the signature of an arbitrary message as . Subsequently, it broadcasts the messages to nearby vehicles and RSUs.

When the verifier receives the messages , it will consider the messages to be valid by checking that the following equation holds

As a result, when the message caused an accident, the TA needs to obtain the true identity of the sender from in order to trace responsibility. However, the TA will obtain the real identity and think the message is sent by . Thus, the attacker is able to imitate any vehicle to generate valid signatures of fake messages and escape accountability. Therefore, Cui et al.’s scheme is prone to impersonation attack.

#### 6. The Proposed Scheme

To overcome the security attacks in Cui et al.’s scheme [6], we construct an improved mutual authentication scheme with forward secrecy. Table 1 displays the notations and descriptions used in the proposed scheme.

##### 6.1. System Initialization

Step 1: TA picks two large prime numbers and an additive group with order formed by points on the elliptic curve (, where ). Then, TA picks as a generator of . Step 2: TA randomly selects a number as its secret key and calculates as the corresponding public key. Step 3: TA chooses some hash functions: , , , , and . The system parameters are published.##### 6.2. Vehicle Registration

In this section, the vehicle registers with the TA to get the shared key , and the process is given as follows.

The vehicle randomly picks an integer as its secret key and computes . Subsequently, it transmits the real identity and to TA via a secure channel. When receiving the information, TA randomly picks an integer as the key shared with the vehicle , and calculates , where is the valid period of and . Next, TA sends the shared key and pseudonym identity to . Meanwhile, TA saves the tuple ().

##### 6.3. Mutual Authentication and Signing Key Generation

As shown in Table 2, the vehicle completes the mutual authentication process with TA by the help of RSU. After mutual authentication, is considered legal and generates the signing key . Step 1: the vehicle first randomly selects numbers and computes . Then, it sends the messages to nearby RSU, where is the current timestamp. Step 2: after getting the messages , RSU first checks the validity of . If is invalid, it ends; otherwise, it chooses a random number and calculates , where is the identity of RSU and is only known to TA and RSU. Finally, RSU sends the messages to TA, where is current timestamp. Step 3: when TA receives the messages , it first inspects the expiration date of . If is expired, it aborts; else it checks the identity of the RSU. It computes ; if , it aborts; else, it continues to authenticate . TA computes ; if , it ends; otherwise, is successfully authenticated by TA. Then, TA randomly selects numbers and computes , and . Finally, TA sends the messages to nearby RSU, where is current timestamp. At the same time, TA updates the shared key as . Step 4: upon getting the message , RSU first checks the freshness of and then calculates . If , it forwards the messages to the vehicle , otherwise it aborts. Step 5: upon receiving the message first inspects the validity of . Then, it retrieves and computes . If , it ends; else, the vehicle successfully authenticates the TA and updates . Finally, generates the signing key .

##### 6.4. Message Signing

When the vehicle is ready to broadcast message to others, it picks a random integer and computes . Then, it generates the signature , where is the current time. Subsequently, it broadcasts the messages to nearby vehicles and RSUs.

##### 6.5. Message Verification

When the RSU obtains the messages , it first checks the freshness of and valid period of . Then, it verifies the signature by checking whether satisfies. If it satisfies, the RSU accepts the messages; otherwise, it directly discards the messages. The correctness proof of the above equation is as follows.

###### 6.5.1. Correctness Proof

##### 6.6. Batch Verification

When receiving lots of messages from multiple vehicles, the RSU can verify these messages in batch to effectively reduce the computation cost and raise the efficiency of verification. Assume that the RSU obtains the messages from vehicles, which are denoted as , where . Similar to the single verification, the process of batch verification is executed by the verifier as follows.

The RSU first checks the freshness of and valid period of ; if is not fresh or is expired, RSU discards this message; otherwise, it randomly selects a vector , where and is a tiny number. Then, it performs batch verification by inspecting the validity of the following equation:

#### 7. Security Analysis and Comparison

##### 7.1. Security Analysis

Based on the hard problems introduced in Section 3.2, we prove that our scheme is secure by a game played between an adversary and a challenger using random oracle model.

Theorem 1. *The proposed scheme for VANETs is secure under the random oracle model in the adaptive chosen-message attack with an assumption that the ECDL problem is hard.*

*Proof. *Suppose an adversary could forge a message , and a challenger could tackle the ECDL problem with a nonnegligible probability by running as a subroutine. The details are as follows: Setup phase: initializes public system parameters and delivers them to . Note that , where is randomly selected by TA. Query phase: in each random oracle, the adversary initiates an inquiry to the challenger , and returns the result of the inquiry to from the list. Suppose are the lists maintained by and are initially empty. -Oracle: if launches an inquiry on , will check whether exists in . If does exist, delivers to ; otherwise, sets and adds into . Finally, sends to . -Oracle: if initiates an inquiry on , will check whether exists in . If does exist, delivers to ; else, sets and adds to . Finally, sends to . Sign-Oracle: after obtains the query on the message from , it randomly generates three integers and then adds into and adds into . Finally, sends the messages to . It is obvious that the equation holds.In the end, outputs messages and checks whether the following equation satisfies:If not, terminates the game. Otherwise, according to the forgery lemma [44], if the process is executed with different once again, could generate another valid messages . Obviously, we can get the following equation:According to equations (6) and (7), could compute:So, outputs as the result of ECDL problem which conflicts the difficulty of the ECDL problem. Consequently, our scheme for VANETs is secure under random oracle model in adaptively chosen message attack. Next, we will briefly analyze the security requirements for VANETS mentioned in Section 3.3.(1)Message authentication: based on Theorem 1, it is known that if the ECDL problem is difficult, any polynomial adversary cannot forge a valid message signature. Thus, the verifier can inspect the integrity and validity of the messages by checking whether the equation holds. Consequently, the proposed scheme for VANETs ensures the validity and integrity of the broadcast messages.(2)Identity authentication: during the mutual authentication phase, TA authenticates the identity of the vehicle by calculating ; verifies the validity of TA by computing .(3)Traceability: once the traffic-related message broadcast by the vehicle causes an accident, TA can compute the real identity of by . Then, TA adds the vehicle to the blacklist and deletes the information of from its database. TA periodically broadcasts the blacklist to other vehicles and RSUs.(4)Forward secrecy: the adversary cannot obtain the previous shared key between TA and , even though the current shared key is exposed. In each interaction, the shared key will be updated to with the random numbers and chosen by TA and , respectively. The updated shared key has nothing to do with the previous key, but only related to the random numbers and . According to the CDH problem, it is known that the adversary cannot obtain even if it intercepts and from the public channel. Hence, the proposed scheme provides forward security.(5)Replay attack: upon receiving the messages , the RSU will first verify the freshness of by checking wether holds. Even if is fresh, it cannot satisfy the verification equation .(6)Impersonation attack: according to Theorem 1, it is not possible for an adversary to imitate other valid vehicles to successfully broadcast the signatures of messages. Because once the RSU receives the messages , it will first check the validity of the verification equation . Hence, the impersonation attack can be resisted in our scheme.(7)Forgery attack: according to Theorem 1, any adversary cannot forge a valid messages because this attack can be detected by the verifier through checking whether the equation holds. So, our scheme is resistant of the forgery attack.(8)Known key secrecy attack: even though the previous shared key between TA and is stolen, the adversary cannot generate the current shared key. This is because the shared key will be replaced as in each round. It is just associated with the random numbers and , which are selected, respectively, by the vehicle and TA for each session. The adversary cannot obtain from and unless it could solve CDH problem. The CDH problem is recognized as hard; hence, the proposed scheme can withstand known key secrecy attack.

##### 7.2. Security Comparison

We compare the security of our scheme with three related schemes [6, 37, 38] for VANETs. Suppose S1, S2, S3, S4, S5, S6, S7, and S8, respectively, denote message authentication, identity authentication, traceability, forward secrecy, resistance against replay attack, impersonation attack, forgery attack, and known key secrecy attack. The result of security comparison is shown in Table 3.

From Table 3, we can see that all the four schemes can satisfy the security requirements of message authentication, traceability, and resistance against replay attack. Identity authentication is only met in our scheme and the scheme [6]. Our scheme is the only one that can provide forward secrecy and resist known key secrecy attack. In summary, our scheme provides better security property compared with the recent proposed schemes.

#### 8. Performance Analysis

In this part, we present the performance analysis with respect to the computational and communication overhead of our scheme and the schemes proposed by Ali and Li [38], Zhong et al. [37], and Cui et al. [6].

##### 8.1. Computation Cost Analysis

To estimate the computational cost of our scheme and other related schemes [6, 37, 38], we adapt the Java Pairing-Based Cryptography (JPBC) library. In terms of the bilinear map , we choose the Type A pairing for schemes [37, 38]. It is constructed on the elliptic curve : over the field , where and the order of group are, respectively, 512 bits and 160 bits. While in the proposed scheme using the elliptic curve, the group is generated by the elliptic curve :, where the order of and the prime are both 160 bits. The experiment is conducted on a Laptop running Intel I5–8250U, 4 GB memory, 1.8 GHz processor with Windows 10 operating system. In our simulation experiment, we only consider the cryptographic operations which have a major impact on efficiency and ignore the execution time of addition operation. Table 4 shows the notations and the execution time of several cryptographic-related operations.

Table 5 lists the total computation overhead about message signing, single signature verification, and signatures’ verification. In the process of message signing, our scheme requires one multiplication operation based on ECC and one hash function operation. Accordingly, the computation overhead of this process is . In Ali and Li’s scheme [38], the computation overhead of message signing is . The cost of generating a signature is in Zhong et al.’s scheme [37]. In Cui et al.’s scheme [6], the computation overhead of generating a signature is .

During the message verification phase, in our scheme, the verifier takes three multiplication operations based on ECC and two hash function operations for single message verification, multiplication operations based on ECC, and hash function operations for signatures verification. Therefore, the computation cost of verifying a single signature and signatures are and , respectively. In the scheme of Ali and Li [38], the computation overhead of single signature verification and batch verification are and , respectively. In the scheme of Zhong et al. [37], and are, respectively, spent on the phase of single verification and batch verification. In Cui et al.’s scheme [6], the verifier spends and on verifying a single signature and signatures, respectively.

From Figures 2–4, compared with the three recently proposed schemes [6, 37, 38], we can more intuitively and clearly find that our scheme has the least computation overhead in the message signing step. During the single verification and batch verification phases, although the computation overhead of Cui et al.’s scheme [6] is negligible, their scheme is subject to some security attacks such as impersonation attack and forgery attack; the computation overhead of our scheme is far lower than that of Zhong et al. [37] and slightly higher than that of Ali and Li [38]. However, our scheme has better security performance such as supporting identity authentication and forward secrecy, withstanding known key secrecy attack. On the whole, our solution is suitable for VANETs in terms of security and efficiency.

##### 8.2. Communication Cost Analysis

In this part, we analyze and compare the communication overhead between the proposed scheme and other schemes [6, 37, 38]. For the group using the bilinear pairing and the group using the ECC, the size of is, respectively, 512 bits and 160 bits. Hence, the size of each element in group is 128 bytes and that of each element in is 40 bytes. Besides, the length of timestamp is 4 bytes; the elements in an integer group and the general hash are both considered 20 bytes. We assume that the length of all traffic-related messages is the same, so we ignore the size of traffic-related messages when calculating the communication overhead.

As shown in Table 6, in the scheme of Ali and Li [38], the vehicle broadcasts a signature on the message for the pseudonym identity with the timestamp to the verifier, where . Accordingly, the total communication cost of Ali et al.’ scheme is bytes. In the scheme of Zhong et al. [37], transmits the messages to the RSU, where is the timestamp, and . Hence, the sum of communication overhead is bytes. In Cui et al.’s scheme [6], sends the messages to the verifier, where are all hash values, and . Thus, the sum of communication overhead is bytes. Then, in our scheme, transmits the messages , where , and , and is the timestamp. So, the whole communication overhead is bytes.

From Table 6, we can see that the total communication cost of our scheme is far less than that of the schemes [37, 38], but slightly more than that of Cui et al.’s scheme [6]. However, the scheme of Cui et al. is subject to the impersonation attack and forgery attack. In addition, our scheme can not only provide identity authentication and forward secrecy but also resist known key secrecy attack. Therefore, our scheme is appropriate for VANETs with respect to communication overhead.

#### 9. Conclusion

In this paper, we first analyze and point out that the mutual authentication scheme of Cui et al. is subject to the impersonation attack and the forgery attack. Then, we propose an improved mutual authentication scheme with forward security for VANETs. Security proof and analysis show that our scheme can not only resist general attacks but also achieve forward secrecy and withstand known key secrecy key attack, which are not achieved in other related schemes [6, 37, 38]. In addition, our solution has relatively balanced performance.

#### Data Availability

No data were used to support this study.

#### Conflicts of Interest

All authors declare that they have no conflicts of interest.

#### Acknowledgments

This work was partially supported by the National Natural Science Foundation of China under Grant no. 61932010.