Rethinking Authentication on Smart Mobile DevicesView this Special Issue
Efficient Message Authentication Scheme with Conditional Privacy-Preserving and Signature Aggregation for Vehicular Cloud Network
Vehicular cloud network (VCN) is deemed as the most promising platform for providing transportation safety, road optimization, and valued-added application services. Because VCN is of distinguishing feature with super-large scale and unstable communication, it is a challenging task to study efficient authentication scheme for VCN without losing security and conditional privacy-preserving. To meet the challenge, a new efficient message authentication scheme is proposed in this paper. A batch message verification and signature aggregation are included in the proposed scheme to improve the authentication efficiency and decrease the communication cost. Compared with the similar conditional privacy-preserving authentication schemes, the proposed scheme has superior performance in computation and communication cost. Simulation analysis further proves that the proposed scheme has better advantages in reducing the verification loss rate and message delay in the application of VCN.
As the growing demand for transportation safety, driver comfort, and traffic efficiency, it is crucial for vehicles to obtain current traffic-related information accurately and timely. To meet the goal, vehicular ad hoc networks (VANETs) have been raised and caused heated joint researches among researchers, car manufactures, and governments in recent years . Due to the specific features and applications of VANETs, people expect that a vehicle can perform all the tasks of communication, computing, sensing, and storage. On the one hand, a vehicle has some in-car resources, such as sensor, power, CPU, communication units, and actuator, and it should schedule the in-car resource harmoniously to achieve optimal efficiency. On the other hand, a vehicle should cooperate with other units, such as other vehicles and Roadside Units (RSUs), to make use of the unstable external resources in an effective way . Therefore, vehicle will gradually become a complicated integrated intelligent system with computing, mechanical, and communication function in the near future.
Because cloud computing technology has shown many outstanding advantages in practice application, some researchers have proposed vehicular cloud computing, which has been a new paradigm employed by vehicle (driver) to leverage services as a utility and handle a mass of data on demand at any time and anywhere . Thus, to improve efficiency of vehicle-related services to vehicles, some interesting vehicular cloud network (VCN) architectures over VANETs have been proposed recently [4, 5]. A general VCN architecture consists of three tiers: the top tier includes the trusted authority (TA) and cloud servers; the middle tier includes intermediate units including road side units (RSUs), 3/4G base stations (BSs), and other network access units; the bottom tier includes in-car units of vehicles including On-Board Unit (OBU), sensors, 3/4G module, and other modules, as shown in Figure 1. RSUs and BSs are placed on the side of road and can communicate with TA and cloud servers via wired communication. OBU is in charge of communication with other vehicle’s OBUs by Vehicle-to-Vehicle (V2V) communication technology, and it also can communicate with RSUs by Vehicle-to-Infrastructure (V2I) communication technology. Ranging from transportation safety to valued-added application services, VCN is regarded as one of the most promising platforms for future vehicle-centered applications .
Nonetheless, benefits usually come with challenges. Because messages in VCN are usually life-critical, the foremost issue is security that the messages must be authenticated and reliable . Nowadays, privacy protection has become the most urgent requirement that users are most concerned about in the open and insecure wireless communication environment [8, 9]. If an attacker could retrieve the private information of a vehicle by linking the messages, the most promising VCN will be gutted. Therefore, the second important issue is privacy-preserving. However, privacy-preserving is the double-edged sword of VCN: A honest vehicle is willing to broadcast real message to its neighbor vehicles; a malicious vehicle may send wrong messages for personal gain by abusing the privacy protection mechanisms, where wrong message has a valid signature and untrue content. Because a wrong message may cause inestimable damage to the traffic system or people’s personal safety, there must be one and only one (usually is the TA) that should have the ability to trace the real identity of wrong message generator. Therefore, conditional privacy-preserving (CPP) should be involved in VCN. It is generally known that a huge volume of messages of VCN may be produced in a short time and the communication instability problems of VCN is particularly serious. In order to improve the quality of VCN service, it should decrease communication cost and computation cost. Therefore, the third key issue is to improve authentication efficiency and decrease communication cost without losing security and cryptographic witnesses. To solve the three challenges, industry and academia have done a lot of research works and put forward a lot of interesting results .
1.1. Motivations and Contributions
In VCN, there are usually millions of messages being produced in a very short time, and many messages must be processed timely because they are time sensitive and life-critical. However, it is an arduous task for OBUs or RSUs to verify vast messages timely . Thus, it is a significant challenge to design a practical message authentication scheme for VCN under the precondition of ensuring safety and conditional privacy-preserving.
To meet this challenge, we propose a new message authentication scheme with CPP and signature aggregation. In short, our main contributions can be summarized as follows:
(i) A new efficient message authentication scheme is proposed for VCN using elliptic curves cryptography (ECC). Signature aggregation and batch verification are involved to improve verification efficiency further, where the batch verification allows verifier to verify multiple messages simultaneously and the signature aggregation allows verifiers to aggregate multiple signatures into a single one before forwarding them to its top manager (e.g., cloud servers).
(ii) A rigorous security analysis shows that the proposed scheme could satisfy all security requirements of VCN and provides CPP.
(iii) Performance analysis indicates that our proposed scheme can perform much better in terms of computation cost and the communication cost than most recent schemes proposed in [12–14]. The signature aggregation of the proposed scheme could further decrease communication cost. Simulations show that the proposed scheme also could reduce verification loss rate and message delay in VCN scenario.
1.2. Organization of the Paper
The rest of the paper is organized as follows. Preliminaries and background are introduced in Section 2. Section 3 shows background and Section 4 puts forward a new message authentication scheme for VCN. Section 5 demonstrates security proof and analysis. Section 6 discusses complexity analysis and comparisons. The last section concludes the current and future works.
2. Related Work
To achieve CPP authentication, some researchers have proposed classic authentication schemes by using group signature [15–18]. Before a vehicle communicates with other vehicles, it should join in the group to get signing key from the group manager. After then the vehicle uses signing key to sign messages on behalf of the group. Only the group manager can retrieve the identity of message signer, so this kind of authentication schemes can meet conditional privacy-preserving requirement. But, these authentications have much higher communication and computation cost than traditional signatures and have inextricable problem on member revocation .
To decrease communication and computation cost, Raya et al.  adopted anonymous certificate based on Public Key Infrastructure (PKI) to construct an anonymous authentication scheme for vehicle network. Later, some similar CPP authentication scheme has been proposed [16, 21, 22]. However, it is extremely difficult for these schemes using PKI to overcome issues related to certificate management.
To overcome certificate issues, researchers introduced identity-based public key cryptosystem (ID-PKC)  to design message authentication scheme for vehicle network, where no certificate is needed to bind to public key pairs. Zhang et al.  used bilinear pairing to construct message authentication scheme based on IP-PKC. Zhang et al.’s scheme  no longer needs any certificates. Unfortunately, relay attack and impersonation attack can be launched easily in their scheme. By using two shared secretes, Chim et al.  put forward one identity-based authentication scheme. Under the condition of providing anonymity, Chim et al.’s scheme need less communication cost than Zhang et al.’s . But, Chim et al.’s scheme is demonstrated to suffer from impersonation attack. Lee et al.  presented a new message authentication scheme employing bilinear pairing. Unfortunately, their scheme could not provide tracing and nonrepudiation and also suffers from relay attacking. To overcome secure issues, Bayat et al.’s  presented an reformative authentication scheme over Lee et al.’s scheme . They demonstrated security analysis to show that their scheme can resist various security attacks. However, the aforementioned schemes based on PKC use complex bilinear pairing operations, which is quit complex cryptographic operation in modern cryptography and not suited for OBUs that is limited in computational capacity. To wipe off bilinear pairing, He et al.’s  proposed a new conditional preserving scheme by using ECC. He et al. demonstrated that their scheme takes more lower computation cost and communication cost, which makes their scheme more suited for deployment in VCN. Xie et al.  proposed an identity-based message authentication scheme for vehicle network using ECC. Their scheme provides not only single message verification but also batch message verification; it can decrease much authentication costs. Unfortunately, it can not provide aggregate authentication. Kang et al.  used homomorphic encryption to allow every vehicle to generate any number of authenticated identities to realize anonymity in vehicle network. Recently, Liu et al.  proposed a mutual authentication and key agreement scheme for secure vehicle-to-vehicle communication. But the TA should include each authentication process in their scheme, which brings a very large computational overhead to the TA.
Signature aggregation on cryptographic witnesses has drawn more attention due to its special way to improve system performance. Zhang et al.  proposed an aggregate privacy-preserving authentication scheme for VANETs. In their scheme, aggregate signature technique is used as an important way to decrease computation and communication overhead during data transmission and signature authentication. But when a vehicle joins a RSU authentication group, the RSU must forward vehicle’s information to the root TA through a secure channel. Wasef et al.  proposed aggregation protocols based on PKI in vehicle ad hoc network, respectively. The two protocols can aggregate multiple signatures into a single one but cannot aggregate different certificates, which remains a problem on certificate management. To eliminate problem on certificate management, signature aggregation based on identity-based PKC was proposed in . Zhang et al.  proposed a hierarchical aggregation to suit for hierarchical management in VANETs. In their scheme, a secure channel must be preestablished between an RSU and the KGC for vehicle’s identity authentication.
All kinds of identity-based schemes for vehicle networks proposed during the last decades can be divided into two major categories. One is using traditional authentication way without using Tamper-proof devises (TPD) ; the other more efficient authentication way is by using TPDs. Compared with non-TPD, schemes using TPD are more efficient. Therefore, we construct the proposed scheme using TPD to solve the very arduous message authentication tasks in vehicular cloud network.
3.1. System Architecture of VCN
The three-tier architecture proposed in  is used in this paper. The top tier consists of the trusted authority (TA) and cloud services, the middle tier consists of intermediate units, the bottom tier consists of in-car units of vehicles, as shown in Figure 1.
(i) Top Tier. The same assumption applies with ; the TA is a fully trusted administrator, and it is in charge of generating system parameters and allocating Tamper-proof devises (TPD) to each registered role, such as RSUs, vehicles, and cloud serves. A secure access password will be set according to the rules proposed in [33, 34] for each TPD and can be used when the user inputs the correct password. In the system, only the TA is able to retrieve the real identities from valid messages when necessary. The TA is assumed to be never compromised by any adversaries. The cloud services are provided cloud servers by using cloud computing technique and are usually made up of road traffic monitoring, diver body monitoring, whether information, entertainment service, and other services that can be customized by users.
(ii) Middle Tier. This tier consists of communication entities, such as RSU, Base stations, and satellite (for connecting to Internet), GPS module (for connecting to satellite network), and 3/4G communication module (for connecting 3/4G wireless network). RSUs are a number of substance units placed on the side of roads. A RSU communicates with vehicles’ OBUs by using DSRC protocol and with TA and cloud servers using wired channel. A RSU must verify signatures as soon as receiving messages from vehicles and decides whether to process them locally or deliver them to the top server (including cloud service). BS and satellite connect the 3/4G module and GPS module of vehicles, respectively.
(iii) Bottom Tier. This tier consists of On-Board Unit (OBU), TPD, GPS module, 3/4G module, sensors and reactors, and other in-car units. The TA will issue a TPD for each registered vehicle. TPD has high-level ability to withstand any security attacks and no one can extract any data from TPDs, such as secret key and codes [12, 16]. Any message will be signed by TPD before being broadcasted. The OBU collects raw data from other in-car units and then broadcasts messages about traffic status and other service request message. In addition, it is also responsible for communicating with other OBUs and RSUs under DSRC protocol. The 3/4G module is responsible for communicating with the BS.
3.2. Security Requirements
A lot of attacks threaten the security of VCN, such as privacy disclosure, relay attack, man-in-the-middle attack, and modification attack. To avoid these attacks, the following security requirements should be provided in the authentication scheme.
(1) Message Authentication. In VCN, each verifier can authenticate every message and determines whether the message signer is a registered member and judges whether the message is modified by others.
(2) Conditional Privacy-Preserving (CPP) . As with other scenarios of privacy protection, the true identity of the vehicle should be anonymous, including other vehicles, RSUs, and attackers. But registered vehicles with malicious behavior may abuse anonymous mechanism and broadcast wrong messages. In order to restrict the registered vehicles to use anonymity mechanism in rational way, the TA must extract the signer of valid message (with valid signature). As a consequence, authentication schemes must provide CCP functionality .
(3) Resistance to Attacks. To meet the requirements of security, authentication schemes must be able to withstand all possible attacks, e.g., forgery attack and man-in-the-middle attacks.
4. The Proposed Scheme
In this section, we propose a new efficient identity-based authentication scheme for VCN, which achieves CPP functionality. The proposed scheme includes four phases: initialization, pseudonym generation and message signing phase, message verification phase, and identity extraction phase. To improve efficiency, batch message verification and signature aggregation are involved in message verification phase.
In order to understand the phases of the proposed scheme more intuitively, the main phases of proposed scheme are illustrated as in Figure 2. In Figure 2, PMS denotes Pseudonym Generation and Message Signing, which is executed by the messages signer, i.e., vehicles; SMV, BMV, and SA denote single message verification, batch message verification, and signature aggregation, respectively, which are executed by low-lever verifier, such as RSUs or vehicles; AMV denotes aggregated messages verification, which is executed by top manager, such as cloud severs or application servers.
Next, we will show the details of each phase as in the following subsections.
In this phase, the system parameter is initialized by the TA, the detailed steps are as follows:
I1: the TA selects an elliptic curve , which is defined by , where is a large prime number, . Then the TA chooses a generator point from , and generates group by with order . Next, the TA chooses as its private key and computes public key .
I2: two hash functions, , , are chosen as cryptographic hash function. Now, is set as system public parameter.
I3: when a vehicle registers in the system, the TA assigns a TPD to the vehicle, where the TPD will be preloaded parameters . Therefore, each vehicle will obtain unique identifier and password .
I4: at last, the public parameter is published to each registered vehicle, RSU and cloud server.
4.2. Pseudonym Generation and Message Signing Phase
When a vehicle wants to broadcast or send a message, it generates a pseudonym and sign messages by using its TPD as follows.
S0: the user input the valid and to gain the right to use the TPD. To be practical, the user can employ the TPD to generate pseudonym for a period after he/she has input valid and ; i.e., this step will not be run during the next period, while steps S1-S3 will be run in this phase.
S1; when a message is generated by the OBU or sensors, it is transmitted to the TPD.
S2: on receiving , the TPD chooses and current timestamp and then calculates , . Let denote . Next, the TPD computes , . Finally, the TPD sends to the OBU.
S3: the vehicle broadcasts .
The steps of this phase are outlined in Figure 3.
4.3. Message Verification Phase
It is a normal state in VCN that an entity (such as a vehicle or a RSU) receives a mass of messages in a brief period. To improve the efficiency of message verification, there are two ways to verify that the received messages are presented in our scheme. One is traditional single message verification for one message. The other is batch verification for multiple messages simultaneously.
(i) Single Message Verification. Assume generated by the vehicle is a message needed to be verified. The of message will be checked firstly. If is not fresh, the verifier discards this message. Otherwise, the verifier computes and then examines if this message satisfies the verification equation as follows:If not, this message will be discarded. Or, it will be accepted.
(ii) Batch Message Verification. After messages are received by the verifier, they could be verified simultaneously as the following steps.
B1: the of message () will firstly be checked. If it is not fresh, the verifier discards .
B2: to reduce false acceptation, the small exponent test technology  is included in batch verification. A vector including small random integers is used to distinguish any modification on multiple signatures during batch verification. The verifier chooses , where is randomly chosen in , ]; is a very small integer and only causes little computational overhead .
B3: the verifier checks whether (2) holds or not.
where . If (2) holds, the messages will be accepted. Or, one or more messages are invalid in the messages. To detect invalid message, the way proposed in  is used in the proposed scheme. For more details, please see .
If the messages are valid, the verifier accepts the messages and can send messages as to its top manager in traditional ways. To improve efficiency and decrease communication cost, a signature aggregation is included in the proposed scheme.
(iii) Signature Aggregation. To decreasing communication cost, a verifier in the lower layer of system can make aggregate signature on the messages that have been verified before forwarding these messages to its top managers.
Firstly, the verifier computes . Then he/she generates the aggregated message . At last, the verifier forwards the aggregated message to its top manager.
When the top manager receives aggregated messages , , it can verify single aggregated message by following verification equation (3):
where . If (3) holds, the top manager accepts the aggregated message. To improve efficiency, the top manager also can verify the aggregated messages by following verification equation (4):If (4) holds, the top manager accepts the aggregated messages.
4.4. Identity Tracing Phase
To obtain profit or disrupt traffic, a registered vehicle perhaps sends false message ; that is, has wrong/untrue context with valid signature. Therefore, the functionality of tracing the identity of false messages must be provided in message authentication scheme. Assume the message in . Note that the messages have passed the signature verification. The TA traces the real identity from by calculating , where is its private key.
5. Security Proof and Analysis
In this section, we demonstrate that the proposed scheme satisfies the security requirements of VCN described in Section 3.2. In order to prove that the proposed scheme is secure against all types of attacks, we show the nonforgery of the proposed scheme firstly.
5.1. Security Proof
In order to prove the security of the proposed scheme, the security model is defined as a game that is performed by an adversary and a challenger based on the ability of the adversary and the network model.
Theorem 1. The proposed scheme is existentially unforgeable against an adaptive chosen-message under the random oracle model.
Proof. Assume an ECDLP instance is given, where are two points on and an adversary could forge message . Now, we set up a game between and a challenger , which is able to solve the ECDLP by running as a subroutine with a probability that cannot be ignored.
Setup. The challenger executes system setup algorithm, lets as system public key, and defines system parameter params= and then creates and preserves two lists. One is list formed by , which contains the queries and answers of -Oracle and is empty initially. Another is list formed by , which includes the queries and answers of -Oracle and is empty initially. At last sends params to .
-Oracle. When queries message , checks whether the tuple is already in or not. If so, sends to . Otherwise, chooses at random and then adds to . At last, sends to .
-Oracle. When queries message , checks if the tuple is already in . If so, sends to . Or, randomly chooses and then adds to . At last, sends to .
Sign-Queries. When makes sign-query on message , randomly chooses , , and computes . Then, adds to . At last, constructs a message and sends it to . According to the rules of the game, each response to the Sign-queries is valid because answered in the game is able to meet the following equation:Output. At last, outputs as a valid message with nonnegligible probability. can verify the message using If it does not hold, terminates this progress.
could output as another valid message if executes the progress with another -oracle query (let its answer be ) on the basis of the forgery lemma . Likewise, the message is able to satisfyAccording to (6) and (7), we can deduce From (8), we could obtain (9) as follows:Now, outputs as a solution for the given instance of the ECDLP. However, it contradicts with the difficulty of solving the ECDLP. So the proposed scheme can resist forgery attack.
5.2. Security Analysis
In the subsection, we analyze how the proposed scheme meets the security requirements of VCN.
(1) Message Authentication . In the proposed scheme, an adversary cannot forge a message with nonnegligible probability to meet the verification equation according to Theorem 1. Therefore, a verifier is able to check the validity of message by the verification equation (1). Not that in signature can also be used to check the integrity of message. Therefore, the proposed scheme is able to accomplish signature and integrity verification for VCN.
(2) Conditional Privacy-Preserving (CPP). Vehicle sends message to others with form of , where , . The identity of the vehicle is perfectly protected for is a pseudoidentity including a random number. To reveal ’s real identity, an adversary needs to compute . However, without knowing and , the adversary cannot reveal because it is an instance of CDH problem to compute . On the contrary, only the TA could reveal the identity from the message by calculating , if it is necessary. Therefore, the proposed scheme can achieve CPP.
(3) Resistance to Attacks. The proposed scheme can resist the main security attacks of VCN as follows.
(i) Replay Attack. When an attacker launches a replay attack on , it should forge another to pass the exam of time freshness. According to Theorem 1, the attacker cannot forge another valid signature to pass message authentication. So this scheme can resist replay attack.
(ii) Modification Attack . As the design of scheme, a valid message consists of its digital signature . If an attacker makes any modification on the message, the verifier can easily find the modification by verifying (1). Thus, the proposed scheme can resist modification attack.
(iii) Impersonation Attack. An attacker launches an impersonation attack; it should forge a message . However, the probability of the forged message to meet the verification equation can be negligible according to Theorem 1. Therefore, the proposed scheme can resist the impersonation attack.
(iv) Verifier Table Attack. As attacks on verifier table become a more and more serious security attack, authentication scheme should focus more attention on these attacks. In the proposed scheme, there is no need for a verifier table in the TA, vehicles, or RSUs. Therefore, an attacker cannot launch any attack on verifier table. Therefore, the proposed scheme can resist the verifier table attack.
6. Performance Analysis and Comparison
In this section, we analyze the performance of the proposed scheme in terms of computation cost and communication cost. The performance comparisons are demonstrated between the proposed scheme and several newly proposed CPP authentication schemes for vehicle network, which are Bayat et al.’s scheme  (BAS-CPP, for short), Zhang et al.’s scheme  (ZAS-CPP, for short), and He et al.’s scheme  (HAS-CPP, for short). Then, the impact on system performance posed by signature aggregation is analyzed. At last, detailed simulations and analysis are shown to evaluate the performance of the proposed scheme according to verification loss rate and message delay.
6.1. Computation Cost Analysis and Comparison
Due to the difference in design, BAS-CPP  and ZAS-CPP’s  cryptographic operations are built on bilinear pairings, while HAS-CPP  and our proposed scheme’s cryptographic operations are built on ECC. We construct a bilinear pairing cryptography system and an ECC system at 80-bit security level. Table 1 lists the cryptographic operations and corresponding abbreviations and execution times in the four schemes.
Column Abbr. lists the abbreviation of cryptographic operations. Bilinear pairing operation is abbreviated as . Three operations related to bilinear pairing, i.e., scale multiplication, small scale multiplication, and point addition, are abbreviated as , , and , respectively. Three operations related to ECC, i.e., normal scale multiplication, small scale multiplication, and point addition, are abbreviated as , , and , respectively.
Pseudonym-generating and message signing phase, single message verification phase, and batch message verification phase are called PMS, SMV, and BMV for short.
In BAS-CPP , the PMS includes five scalar-multiplication operations, one point-addition operation, one Map-To-Point function operation, and two one-way hash operations. The total execution time of BAS-CCP’s PMS is ≈ 12.9583 ms. The SMV includes three bilinear pairing operations, one point-addition operation, one operation of Map-To-Point function, and one operation of one-way hash function. So the total execution time of BAS-CCP’s SMV is 18.7481 ms. The BMV includes three bilinear pairings, operations of scalar multiplication, small scalar-multiplication operations, point-addition operations, and one-way hash function operations. So the total execution time of BAS-CPP’s BMV is ms. We also can compute ZAS-CPP’s  computation cost in the same way. For simplicity, the detailed analysis of its computation cost is not presented here.
The PMS of the proposed scheme includes two scalar-multiplication operations and two one-way hash function operations. So the total execution time of PMS in the proposed scheme is ms. The SMV of the proposed scheme includes two scalar-multiplication operations, one point-addition operation, and one one-way hash function operation. So the total execution time of SMV in the proposed scheme is ≈ 0.8859 ms. The BMV of the proposed scheme includes two scalar-multiplication operations, small-scalar-multiplication operations, point-addition operations, and one-way hash function operations. So the total execution time of BMV in the proposed scheme is ms. The cryptographic construction of the HAS-CPP  is same as the proposed scheme. For simplicity, the detail analysis of its computation cost is not presented here.
Therefore, we can compute the computation cost of each phase of the four schemes according to Table 1, as shown in Table 2. The result indicates that the proposed scheme has the higher superiority in the computation cost.
Figure 4 illustrates the computation costs of BMV for the different number of messages. As shown in Figure 4, the proposed scheme is more efficient than the three others in BMV phase regardless of the number of messages
6.2. Communication Cost Analysis and Comparison
In this subsection, the proposed scheme is compared with BAS-CPP , ZAS-CPP , and HAS-CPP  in communication cost. According to the definition in previous section, the size of a bilinear pairing group element is 128 bytes, and the size of an ECC system group element is 40 bytes. Let the sizes of a timestamp and a one-way hash output be 4 and 20 bytes. Here we do not consider original content in message for it is the same to all schemes. According to the component of single message of the four schemes, Table 3 shows their communication costs. Obviously, compared with BAS-CPP, ZAS-CPP, and HAS-CPP, the proposed scheme requires less communication cost.
6.3. Signature Aggregation Analysis
In this subsection, we show the performance improvement of signature aggregation over traditional ways, i.e., forwarding message one by one.
BAS-CPP  and HAS-CPP  do not offer signature aggregation. Different from them, the proposed scheme and ZAS-CPP  provide signature aggregation. As shown in message verification phase in Section 4, after the verifier has checked messages, the verifier forwards the messages to top managers one by one. To decrease communication and computation cost, the verifier can aggregate multiple signatures into a single one, i.e., the verifier could make messages into an aggregated signature , where the size of in is identical to the size of in a single message , regardless of the number of messages. During forwarding 50 messages to top managers, the verifier in our scheme can decrease communication cost by 1000 bytes using signature aggregation compared to using traditional way, details shown in Figure 5. As far as signature aggregation is concerned, ZAS-CPP  can decrease more communication cost, though it needs more sign and verification cost. Therefore, our scheme and ZAS-CPP  can further decrease communication cost by signature aggregation.
From the above performance analysis and comparison, it is easy to draw a conclusion that the proposed scheme has more advantages. Compared with BAS-CPP and HAS-CPP, the proposed scheme not only has less computation and communication cost in message signing phase, single message verification phase, and batch message verification phase, but also decreases communications cost by signature aggregation. Compared with ZAS-CPP, although the proposed scheme is insufficient in signature aggregation, it has a great advantage in computation and communication cost in signing phase and verification phase. Table 4 shows the comprehensive comparison results of the four schemes in terms of the computation costs of PMS, SMV, and BMV, the communication cost (C-cost for short), and the signature aggregation functionality (SA-func for short). It obviously shows that the proposed scheme has most advantages. Therefore, the proposed scheme can further satisfy the requirements of VCN.
6.4. Simulation and Analysis
In this section, we evaluate the performance of the proposed scheme by several simulations. The simulation scenarios are constructed in the Veins framework  and the OMNeT++ simulation platform  with the surrounding roads of Wuhan University, as shown in Figure 6, where all roads are two-way multilane. The main goal of this simulation is to test the advantages and disadvantages of the proposed scheme in terms of loss rate and message delay.
In the simulation, one RSU is deployed every 2 km along the roads, and it can send messages to vehicles within 800 m; vehicles run along roads and communicate with others within 250 m. Let each vehicle generate a traffic message every 300 ms and send it to RSUs and other vehicles; then RSUs verify and aggregate the messages to cloud sever. Let the size of a message be 200 bytes, the wired communication bandwidth between RSUs and cloud server is 10 mb/s, and the wireless communication bandwidth between vehicles is 200 kb/s. The vehicle density (the number of vehicles in the scenario) in the scene is set between 200 and 800. Let 2% vehicles be malicious ones that have invalid signature messages. The speed of vehicles is randomly generated by the system in a normal distribution between 40 and 90 km/h.
In order to test the impact of batch authentication time interval setting on the proposed scheme, four batch verification simulations with different intervals are designed, where the intervals are 20 ms, 30 ms, 40 ms, and 50 ms. The verification loss rate and message delay during the simulations are shown in Figures 7 and 8.
The in Figure 7 denotes the interval for batch verification, and the verification loss rate has a certain function with vehicle density under different . It shows that the greater the vehicle density, the greater the communication overhead of the whole system. Meanwhile, the verification loss rate is rising as communication overhead is rising under any . Of course, as T decreases, the verification loss rate of the proposed scheme increases, but its increase is in a smaller range.
Figure 8 shows the relationship between message delay and vehicle density in the proposed scheme. It shows that the greater the vehicle density is, the greater the communication overhead is, which results in adding the instability of the communication system. Therefore, message delay is rising as vehicle density is rising under any . However, the message delay increases slightly as decreases.
Next, the comparison simulations are executed among the proposed scheme, BAS-CPP , and HAS-CPP  in terms of verification loss rate and message delay. In these simulations, ms. Figure 9 shows the comparison of verification loss rate among three schemes in the simulations. As can be seen from Figure 9, as the vehicle density increases, the message loss rate of the three schemes increases. The verification loss rate of BAS-CPP is increasing rapidly, and the rates of HAS-CPP and the proposed scheme are relatively slow, which could prove that the improved message verification efficiency can improve the speed of receiving and processing messages and reduce the loss rate.
Figure 10 shows the comparison of message delay among three schemes. As the vehicle density increases, the message delay of the proposed scheme and HAS-CPP increases, but the delay growth rate is smaller than BAS-CPP. The simulation results further prove that the proposed scheme can reduce the message delay and improve the performance of the VCN system.
A new efficient message authentication scheme for VCN is presented in this paper, and it achieves conditional privacy-preserving. In order to solve urgent authentication issue for life-critical message in VCN, batch message verification and signature aggregation are included in the proposed scheme, which is suitable for VCN because verifiers are limited in computation capacity and communication channel is very strained in VCN. The security proof and analysis show that the proposed scheme could satisfy the security requirements of VCN. The performance analyses show that the proposed scheme has obvious advantages in decreasing communication and computation cost when compared with recent proposed identity-based authentication schemes. A detailed simulations and analysis are shown to evaluate the performance of the proposed scheme according to verification loss rate and message delay, which prove that the proposed scheme can reduce verification loss rate and message delay, and improve the performance of the VCN system.
Our next research will focus on improving the signature aggregation to decrease more communication cost while keeping the efficiency of signature and verification.
The data used to support the findings of this study are available from the corresponding author upon request.
Conflicts of Interest
The authors declare that they have no conflicts of interest.
The work was supported in part by the National Natural Science Foundation of China under Grant 61862052, the MOE (Ministry of Education in China) Project of Humanities and Social Sciences (17YJCZH203), and the Hubei Provincial Department of Education research projects (D20182702).
H. Tan, D. Choi, P. Kim, S. Pan, and I. Chung, “Comments on 'dual authentication and key management techniques for secure data transmission in vehicular ad hoc networks',” IEEE Transactions on Intelligent Transportation Systems, 2017.View at: Google Scholar
J. Wang, J. Cho, S. Lee, and T. Ma, “Real time services for future cloud computing enabled vehicle networks,” in Proceedings of the International Conference on Wireless Communications and Signal Processing (WCSP '11), pp. 1–5, November 2011.View at: Google Scholar
D. Wang, H. Cheng, H. Debiao, and P. Wang, “On the challenges in designing identity-based privacy-preserving authentication schemes for mobile devices,” IEEE Systems Journal, vol. 12, no. 1, pp. 916–925, 2018.View at: Google Scholar
R. Lu, X. Lin, H. Zhu, P.-H. Ho, and X. Shen, “ECPP: efficient conditional privacy preservation protocol for secure vehicular communications,” in Proceedings of the 27th IEEE Communications Society Conference on Computer Communications (INFOCOM '08), pp. 1229–1237, April 2008.View at: Publisher Site | Google Scholar
Y. Liu, W. Guo, Q. Zhong, and G. Yao, “LVAP: Lightweight V2I authentication protocol using group communication in VANETs,” International Journal of Communication Systems, vol. 30, no. 16, 2017.View at: Google Scholar
J. Freudiger, R. Maxim, M. Félegyházi, P. Papadimitratos, and H. Jean-Pierre, “Mix-zones for location privacy in vehicular networks,” in Proceedings of the ACM Workshop on Wireless Networking for Intelligent Transportation Systems (WiN-ITS '07), number LCA-CONF-2007-016, 2007.View at: Google Scholar
C. Zhang, R. Lu, X. Lin, P.-H. Ho, and X. Shen, “An efficient identity-based batch verification scheme for vehicular sensor networks,” in Proceedings of the 27th IEEE Communications Society Conference on Computer Communications (INFOCOM '08), pp. 246–250, April 2008.View at: Publisher Site | Google Scholar
A. Wasef and X. Shen, “ASIC: Aggregate signatures and certificates verification scheme for vehicular networks,” in Proceedings of the IEEE Global Telecommunications Conference (GLOBECOM '09), pp. 1–6, December 2009.View at: Google Scholar
R. W. Van Der Heijden, S. Dietzel, and F. Kargl, “SeDyA: Secure dynamic aggregation in VANETs,” in Proceedings of the 6th ACM Conference on Security and Privacy in Wireless and Mobile Networks (WiSec '13), pp. 131–142, April 2013.View at: Google Scholar
L. Wu, J. Fan, Y. Xie, J. Wang, and Q. Liu, “Efficient location-based conditional privacy-preserving authentication scheme for vehicle ad hoc networks,” International Journal of Distributed Sensor Networks, vol. 13, no. 3, 2017.View at: Google Scholar
D. Hankerson, S. Vanstone, and A. J. Menezes, Guide to Elliptic Curve Cryptography, Springer, New York, NY, USA, 2004.View at: MathSciNet
Q. Jiang, C. Zhiren, L. Bingyan, J. Shen, L. Yang, and M. Jianfeng, “Security analysis and improvement of bio-hashing based three-factor authentication scheme for telecare medical information systems,” Journal of Ambient Intelligence and Humanized Computing, vol. 9, no. 4, pp. 1061–1073, 2018.View at: Google Scholar
M. Segata, S. Joerer, B. Bloessl, C. Sommer, F. Dressler, and R. L. Cigno, “Plexe: A platooning extension for Veins,” in Proceedings of the IEEE Vehicular Networking Conference (VNC '14), pp. 53–60, Paderborn, Germany, December 2014.View at: Google Scholar