Table of Contents Author Guidelines Submit a Manuscript
Wireless Communications and Mobile Computing
Volume 2018, Article ID 7978027, 13 pages
https://doi.org/10.1155/2018/7978027
Research Article

Secure Certificateless Authentication and Road Message Dissemination Protocol in VANETs

1Department of Computer Engineering, Chosun University, 309 Pilmun-daero, Seonam-dong, Dong-gu, Gwangju 61452, Republic of Korea
2Division of Undeclared Majors, Chosun University, 309 Pilmun-daero, Seonam-dong, Dong-gu, Gwangju 61452, Republic of Korea
3Department of Electronic Engineering, Chosun University, 309 Pilmun-daero, Seonam-dong, Dong-gu, Gwangju 61452, Republic of Korea

Correspondence should be addressed to Ilyong Chung; rk.ca.nusohc@cyi

Received 17 January 2018; Revised 21 March 2018; Accepted 10 April 2018; Published 20 May 2018

Academic Editor: Ding Wang

Copyright © 2018 Haowen Tan et al. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

Abstract

As a crucial component of Internet-of-Thing (IoT), vehicular ad hoc networks (VANETs) have attracted increasing attentions from both academia and industry fields in recent years. With the extensive VANETs deployment in transportation systems of more and more countries, drivers’ driving experience can be drastically improved. In this case, the real-time road information needs to be disseminated to the correlated vehicles. However, due to inherent wireless communicating characteristics of VANETs, authentication and group key management strategies are indispensable for security assurance. Furthermore, effective road message dissemination mechanism is of significance. In this paper, we address the above problems by developing a certificateless authentication and road message dissemination protocol. In our design, certificateless signature and the relevant feedback mechanism are adopted for authentication and group key distribution. Subsequently, message evaluating and ranking strategy is introduced. Security analysis shows that our protocol achieves desirable security properties. Additionally, performance analysis demonstrates that the proposed protocol is efficient compared with the state of the art.

1. Introduction

Vehicular ad hoc networks (VANETs) are distributed, self-organized wireless networks constructed by vehicles and nearby road-side units (RSUs). The real-time dynamic communication enables efficient and durative information exchange between vehicles and RSUs. Hence, intelligent transportation system (ITS) is achievable with the widely implementation of VANETs [1, 2]. A variety of VANET-based applications, which can be mainly classified into safety-related applications and commercial-oriented applications, not only enhance the driving safety but also provide better driving experience. Typical safety-related applications include emergency vehicle warnings, traffic congestion report, road accident informing, and speed monitoring [3, 4]. Commercial-oriented applications provide convenience service and entertainment applications such as weather forecast, information broadcasting of nearby petrol stations and restaurants, navigation, and Internet access.

In general, a basic VANET consists of three important components: the trusted authority (TA), road-side units (RSUs), and vehicles [57]. Considered as both the application provider and key server, TA is responsible for providing various services to vehicles through RSUs. Moreover, pivotal secret key assignment, along with the user management for correlated vehicles, is conducted by TA. The RSUs are deployed by the road sides one after another. Commonly, RSUs are built aside the road in every kilometer. Thus the effective range of VANET system can cover each section of the road. In this case, RSUs are considered as the communication bridge connecting TA and vehicles, which provides timely transmission of vital personal data. To a certain degree, RSUs have the capability of conducting computation and storing essential information in its memories [8]. The vehicle performs as both terminal customer and information collector. In other words, useful information including traffic congestion and emergency road condition is forwarded to the corresponded RSU. Each vehicle is equipped with an onboard unit (OBU), which conducts all the computation and communication [9, 10]. Compared with regular wireless sensor networks [11], vehicle’s high mobility is the unique characteristic of VANETs.

In VANETs, the data exchange between TA and RSUs are via secure wired connection, where the adopted cryptographic strategies guarantee transmission security and message confidentiality. Meanwhile, vehicle-to-vehicle (V2V) communication and vehicle-to-RSU (V2R) communication are conducted through open wireless channel, which employs the dedicated short-range communications (DSRC) [1214]. On the one hand, the moving vehicle can carry out interactive data exchange with specific RSU through V2R communication. On the other hand, one vehicle is capable of sharing essential messages with other vehicles in its vicinity through V2V communication. In this way, a VANET with high connectivity can be built accordingly [15].

As a particular variant of wireless sensor networks, apparently the VANETs suffer from multiple charted and uncharted security attacks [9, 14]. In V2V and V2R communications, the transmitted messages may be eavesdropped, blocked, or even forged by malicious devices. Hence, significant user information is revealed to the attacker accordingly, which compromises the whole VANET and brings severe user privacy disclosure issue [1, 13]. Under this circumstance, proper authentication strategies are required so as to provide security and privacy assurance. Moreover, high mobility feature of the vehicles brings uncertainty to the communication process, which should also be taken into consideration.

Among the aforementioned safety-related applications, road message dissemination is one of the essential functions for VANET [16]. With the assistance of RSUs and remote server, the vehicles of the same VANET could share necessary driving-related information with each other. By analyzing the acquired traffic information of current areas, the driver is able to make better driving decisions such as choosing the best navigation route ahead of time. Furthermore, occurrences of road accidents and traffic jams can be drastically reduced [9]. Thus, the drivers’ driving experience is improved.

In VANETs, typical road message management strategies are mainly composed of information collection and dissemination. First, the road messages are reported by the participating vehicles through OBUs [17]. Afterwards, the acquired messages will be processed and then disseminated to the legitimate vehicles. In some VANETs scenarios, TA arranges all the road messages collected from RSUs via wired transmission [18]. Meanwhile, in decentralized VANETs scenarios, most of the computation and storing are done in the RSU side [7], while TA performs as the key generation center (KGC). Consequently, in particular dense scenarios with large amounts of emerging vehicles, the decentralized architecture could reduce the computation overload and storage complexity in TA.

As described above, authentication strategies are necessary during road message dissemination [4, 19]. Furthermore, the characteristic group communication between RSU and vehicles is indispensable, which enables convenient data exchange. In this case, the group key shared between RSU and all the legitimate vehicles is required. Note that the group key distribution should be conducted after mutual authentication [6, 20].

As for message dissemination in practical VANETs occasions, two channels are required [21], namely, the official channel and normal channel. Official channel is provided by governmental agencies, where the broadcast road information is precise and trustworthy. Note that this channel is assumed to be based on real-time monitoring with satellites and road cameras. Thus it is precise and trustworthy. Meanwhile, normal channel is the more ordinary way, where the road information is gathered from normal vehicles. In this case, some of the vehicles are assumed to be benign devices which transmit precise messages, while the rest are negative vehicles [22]. Note that the negative vehicles may report trivial or even false information to the VANET system. For this consideration, with the purpose of guaranteeing the dissemination exactitude, impartial and effective message evaluation mechanism is necessary [23]. For instance, in extreme scenarios with massive road messages to be disseminated, before dissemination, it is necessary for the RSUs to aggregate and evaluate the acquired road messages before dissemination. Hence the RSUs could broadcast in a particular sequence according to the significance and reliability of each message. Urgent and authentic road messages can be broadcast in the first place.

During the message dissemination of the entire VANETs, the accuracy and efficiency of message dissemination closely depend on the participating vehicles [15, 24]. Hence, it is vital to deploy appropriate rewarding strategy so as to motivate the drivers’ enthusiasm on reporting [20, 25]. For example, coupons or discounts on certain commodities can be granted to the trustworthy drivers with timely and precise reporting records. In other words, the drivers are encouraged with incentives, which is of great benefit to the entire VANET.

In this paper, we propose a secure certificateless authentication and road message dissemination protocol in vehicular ad hoc networks. Our nontrivial efforts can be summarized as follows:

(i) Secure Certificateless Authentication Scheme for Group Key Distribution. With the purpose of enhancing transmission security, we adopt the bilinear pairing based on elliptic curve into our authentication scheme. Hence, the active vehicles within the effective range can be identified and then allocated with the group key. The proposed scheme yields desirable security properties.

(ii) Road Message Priority Management and Dissemination Mechanism. The encrypted road messages are delivered to the corresponding RSU. The received road message is evaluated based on both the vehicle priority and the assessment. In this way, accuracy and efficiency of the messages dissemination process are provided. Hence, the drivers can timely arrange their routes according to the delivered road information.

(iii) Security and Performance Analysis. The formal security analysis is provided, involving some necessary proofs on resistance to the existing malicious attacks. Furthermore, performance analysis emphasizing the transmission overload and computation cost is hereby presented.

The remainder of this paper is organized as follows. Section 2 provides brief description of the related research achievements. Section 3 introduces some necessary preliminary works and the designed system model in order for the reader to obtain better understanding of this topic. Section 4 presents the proposed secure certificateless authentication scheme in detail. Section 5 describes the proposed road message dissemination scheme. Section 6 demonstrates the security analysis. Section 7 displays the performance analysis. The conclusion is drawn in Section 8.

2. Related Work

In order to provide enhanced authentication and secure transmission in VANETs, various cryptographic techniques have been deployed in existing researches [2, 3, 6, 16, 2628]. In 2009, Studer et al. [3] developed a hybrid VANET authentication mechanism (VAST) based on the elliptic curve digital signature algorithm (ECDSA) [29] and TESLA [30] with the purpose of providing fast and extensible authentication and nonrepudiation. Subsequently, emphasizing group authentication and conditional privacy, Zhang et al. [26] proposed a scalable decentralized group authentication protocol, where certain vehicle is able to verify anonymous messages from neighboring vehicles. Motivated by chameleon hash signature based on elliptic curve, in 2011, Huang et al. [27] designed pseudonymous authentication-based conditional privacy protocol (PACP), which adopts the pseudonyms for anonymous communication. Similarly, ABAKA [6] with batch verification was proposed by Huang et al. After that, Lu et al. [28] presented a dynamic privacy-preserving key management scheme (DIKE) enabling both vehicle anonymous authentication and double-registration detection. Guo et al. [2] designed a privacy-preserving anonymous authentication protocol with vehicle unlinkability and authority trackability in 2014, where high efficiency and desired security properties can be achieved accordingly. Afterwards, multiple authentication and group key management protocols in VANETs have been designed recently [8, 31].

Specifically, identity-based encryption, which was first presented by Shamir [33] for certificate management of KGC, has been widely implemented in VANETs authentication protocols. In 2007, Lin et al. [34] combined group signature with identity-based cryptography in the proposed GSIS protocol. Hence, appropriate traceability toward specific vehicle is achieved. After that, Zhang et al. [15] designed an identity-based batch signature verification scheme in VANETs, where multiple signatures can be simultaneously verified in one RSU. Nevertheless, this scheme suffers from replay attack [35]. Subsequently, Sun et al. [5] constructed an identity-based security framework in order to address the misbehavior issue in VANET system. In 2012, Shim [9] developed an identity-based conditional privacy-preserving authentication scheme (CPAS) supporting fast batch verification. However, the proposed protocol is vulnerable to modification attack [36]. Another signature scheme for VANETs, named EIBS [37], was proposed in 2015, where the RSUs perform as the certificate verifiers in order to decrease the computation overload in TA side. Moreover, the anonymity of the legitimate vehicle is provided by using pseudo identity instead of real identity. Hence, the vehicle privacy is preserved. Aiming to decrease the computational complexity, He et al. [10] designed an identity-based conditional privacy-preserving authentication scheme in VANETs. With relatively limited computation and communication requirements, the proposed protocol is suitable for practical VANETs applications.

With the purpose of addressing the key escrow issue in identity-based public key cryptography system (ID-PKC), certificateless public key cryptography (CL-PKC) was first introduced by Al-Riyami and Paterson [38] in 2003. In CL-PKC design, the private partial keys are, respectively, generated by the semitrusted key generation center (KGC) and the user itself. Multiple certificateless authentication protocols were proposed afterwards [25, 39]. Thereafter, Li and Wang [17] presented a fast certificateless authentication scheme (RCS) employing bilinear pairing, where particular vehicles are selected as the assistance to the relevant RSUs. In this case, the transmission overload can be alleviated. Afterwards, Xiong and Qin proposed a certificateless encryption scheme and another certificateless signature scheme with efficient revocation against short-term key exposure in [40]. In 2016, Peng [1] designed an anonymous authentication protocol based on certificateless signature scheme, which provides conditional privacy and mutual authentication.

Furthermore, as the crucial and unique feature of VANETs, message dissemination has been studied due to its promising advantages in both safety-related and commercial-oriented applications. Focusing on commercial advertisements dissemination, Tseng et al. [7] adopted Reed-Solomon Code in the incentive scheme through interactions between vehicles. Similarly, a cooperative message authentication scheme [18] is developed to alleviate the verification overload in the RSU side, where the legitimate vehicles are responsible for message verification in the vicinity. Thereafter, in order to achieve high reliability and low dissemination delay at the same time, density-aware emergency message extension protocol (DEEP) [22] is constructed. As illustrated, emergency warning messages can be timely delivered to all the vehicles within the operating range, which could drastically improve driving safety. As one of the significant services offered by VANETs, RSU-assisted navigation is studied by Chim et al. in [20]. In the assumption, the real-time road conditions are used to compute a better route for the requesting vehicles. The privacy of the drivers can be protected with the advantages of anonymous credential. In [23], Milojevic and Rakocevic developed a location-aware data aggregation mechanism for real-time observation and efficient message dissemination. The communication cost is minimized with the use of intelligent passive clustering and adaptive broadcasting. For improving the accuracy of the delivered message, the aggregated information is arranged by real-time spatiotemporal database refreshing. Recently, Liu et al. presented a cloud-assisted message downlink dissemination scheme (CMDS) under a developed VANET-cellular heterogeneous framework combining cloud computing [21, 41].

3. Model Definition and Preliminaries

In this section, some necessary preliminaries are introduced with the purpose of facilitating the readers’ understanding, including the definition of bilinear pairing and hash function. Subsequently, the corresponding notations, the system model, and network assumptions are illustrated.

3.1. Bilinear Pairing

Let and be two additive cyclic groups of a large prime order . A map function is a bilinear pairing if it satisfies the three properties below:(1)Bilinear: for and , there is . In addition, for , there are and .(2)Nondegeneracy: for , there is .(3)Computability: for , there is an efficient algorithm to compute .

In order to prove the security of our schemes, the following intractable problems are briefly presented as(1)discrete logarithm problem (DLP): for , it is difficult to find an integer , such that holds;(2)computational Diffie-Hellman problem (CDHP): for , it is difficult to compute ;(3)decisional Diffie-Hellman problem (DDHP): for and , it is difficult to decide whether holds;(4)pairing inversion problem (PIP): for a pairing and , it is difficult to find , such that holds.

3.2. Hash Function

A one-way hash function is considered to be secure if the following properties can be satisfied [42]:(1)Inputting a message of arbitrary length, it is easy to compute a message digest of a fixed length output .(2)Given , it is difficult to compute .(3)Given , it is computationally infeasible to find such that holds.

3.3. Notations

The notations and the brief description are listed in Notations.

3.4. System Model

The structure of VANET system of our design is shown in Figure 1, where the whole VANET system is composed of three entities: the trusted authority (TA), the road-side units (RSUs), and the vehicles. Descriptions of these entities are, respectively, illustrated below.

Figure 1: System Model.

Trusted Authority (TA) is a trustworthy management center in charge of all the involving RSUs and vehicles. The vital system operations, including vehicle registration, assignment, and secret key generation, are all conducted by TA. Additionally, TA stores the significant user data in its memory. Hence, TA is assumed to have adequate storage and computing capability. Moreover, performing as both the trustworthy verifier and key generation center, TA is infeasible to be compromised by the adversaries. Thus various services can be securely presented to the designated vehicles. In this case, the group key is necessary for secure message exchange.

Road-side units (RSUs) are vital VANET infrastructure implemented at the roadside, which perform as the sole intermediaries between TA and vehicles. RSUs are responsible for verifying the vehicles. Furthermore, the group key issued by TA will also be delivered by RSUs. Note that RSUs are assumed to have adequate storage in order to manage the acquired data. Hence, in our scheme, the gathered road messages are stored and managed in RSUs. In general, RSUs are connected with TA in a secure wired way. However, since the RSUs are placed along the roadside far from TA, it is possible that these RSUs may be physically compromised. In this case, the stored user information may be illegally acquired [20]. For this consideration, the RSUs are assumed to be semitrusted devices.

Vehicles are referred to as terminal users of the VANET system. It is designed to be both service receiver and information collector. In other words, with the implemented OBU, each vehicle is able to receive the broadcasting messages. Meanwhile, the vehicle reports real-time road information to RSU wirelessly. In this case, it is essential to adopt effective cryptographic strategies in order to guarantee the secure transmission. Furthermore, each vehicle is equipped with a tamper-proof device (TPD), where the corresponding secrets and derived group key are stored. In our system model, each driver is relevant to certain vehicles during the registration to TA. Every time when the driver activates the vehicles, his/her fingerprint and the assigned certification card are verified. This way, the driver and the correlative vehicle are closely connected. Consequently, for better description, the driver, the OBU, and the vehicle are considered the same entity in this paper.

3.5. Network Assumption

As illustrated in Figure 1, TA manages all the operative RSUs of the VANET system through wired communication. Various safe strategies deployed for TA-RSU communication guarantee the security of the key data exchange. Therefore, the vehicle secret keys can be securely delivered to the correlative RSUs. However, it is possible that some RSUs are compromised physically since they are far from the TA. In this way, the distributed vehicle secret keys are illegally acquired by the adversaries, which could damage both the VANET system and the user privacy. Considered as semitrusted devices, it is not appropriate for the RSUs to manage all the vehicle-related secret keys. As a result, we assume in this paper the TA-RSU communication channel is safe for data transmission, while the RSU itself may be damaged, which results in vehicle information disclosure.

Two types of wireless communication are displayed in the proposed system model, including the vehicle-to-vehicle communication (V2V) and the vehicle-to-RSU communication (V2R). Due to the inherent wireless transmission characteristics, both V2V and V2R communication suffer from charted and uncharted attacks. In a nutshell, the V2V communication is used for information sharing and cooperative data processing between the neighboring vehicles. While the V2R communication emphasizes longitudinal message acquisition and feedback between vehicle and RSU. Note that in our scheme the operative vehicles safely exchange messages with RSUs on road condition using the derived group key.

4. Proposed Secure Certificateless Authentication Scheme

In a nutshell, two principal factors are taken into consideration in this paper: the secure authentication and road message management mechanism, which will be, respectively, discussed in two sections. In this section, we describe the proposed secure certificateless authentication scheme between RSU and vehicles. The proposed scheme can be clarified into three different phases, including initialization phase, authentication phase, and group key distribution phase. Accordingly, some nontrivial preparations are made in the initialization phase. Subsequently, verification on the vehicles is conducted in the following authentication phase. Finally, the generated group key is allocated to the legitimate vehicle.

Our design adopts the certificateless encryption strategy based on elliptic curve cryptography (ECC). Note that the corresponding public keys have been previously revealed to the devices. Meanwhile, the confidential information is assigned to vehicle during registration. Based on this, the adopted cryptographic techniques are available, which could provide adequate security assurance for the VANET system. Emphasizing the authentication between RSU and vehicle, we describe our scheme in the scenario involving single RSU and single vehicle. Note that the scheme for regular VANET scenarios with multiple RSUs and vehicles is similar.

4.1. Initialization Phase

Necessary preliminary works are conducted in the initialization phase, which can be generally classified into user registration and key information allocation. It is desirable that each vehicle should register to TA first. After that, TA assigns the secret information to the corresponding vehicle. Moreover, TA stores the drivers’ personal information such as the car plate number, the contact information, and the address. Let be the generator of a cyclic additive group and be the unique identifier for vehicle. Additionally, TA adopts secure hash functions , where is defined as a nonnegative integer set less than the large prime number . Hence, TA generates the secret key for each vehicle illustrated aswhich is allocated to the relevant vehicle after user registration. Note that the secret keys of all the registered vehicles are securely stored in TA’s database. At the same time, TA chooses a random integer as the RSU private key. Let be the cyclic additive group generated by with the order . Hence the RSU public key can be computed according toIt is worth noting that the RSU public key , the generator , the hash function , and will be published to all the devices, while the private key is kept secret during the entire process.

Now we assume that the registered vehicle approaches the working range of a fixed RSU. If certain vehicle wants to receive services from the VANET system, identification and key assignment are essential. In this assumption, the vehicle chooses as its partial private key. Then the corresponding partial public key is defined aswhere is the system parameter as mentioned above. Subsequently, are delivered to RSU.

After deriving the partial public key , RSU requests TA for the secret key of vehicle . Let denote the secure hash function. Related computations can be conducted for partial key generation as follows:Thereafter, the generated is delivered to vehicle. Hence the vehicle derives the partial private key according to

At this point, the public key set for vehicle can be displayed as . Meanwhile, the relevant private key set is defined as . Note that the two partial private keys are, respectively, decided by RSU and vehicle. In other words, RSU has no access to , so that the privacy protection based on certificateless cryptography is achieved even if RSU is compromised by attackers.

4.2. Authentication Phase

After initialization, RSU conducts authentication on the requesting vehicle. In certain time point , we assume that vehicle starts to use the road message service. Then the following computation is conducted:which combines the current time with the partial public key. In addition, let be the cyclic group of prime order and be the bilinear pairing operator. Hence the vehicle gets the intermediate value bywhere the vehicle identity and RSU public key are known to vehicle. Subsequently, two necessary parameters and are generated aswhere is the secret key previously allocated to vehicle in the initialization. Accordingly, the signature is generated based on

At this point, vehicle sends to the RSU. In the RSU side, the validity of the received and will be verified first. Then RSU computes whetherholds. The correctness is elaborated as follows:If the delivered signature passes the above verification, the validity of the requesting vehicle can be guaranteed. Thereafter, the authentication phase is completed.

4.3. Group Key Distribution Phase

After the authentication phase, the generated group key is distributed to the legitimate vehicle. It is worth emphasizing that the group key is assumed to be chosen by TA. Meanwhile, the key is delivered to RSUs in a secure way. In this way, when a certain vehicle travels from the effective range of one RSU to the next, the group key is always effective and can be continuously used.

We assume that the secret is randomly chosen by TA and then delivered to RSU. In certain time point , RSU computesand sends to vehicle. Note that the RSU could generate the partial private key using the known information. In this way, the secret is combined with current time stamp and previously acquired intermediate value .

Similarly, the vehicle first compares the received value with the stored one. If is valid, vehicle derives the secret by computingAt this point, the final group key can be acquired according toTherefore, the group key is successfully allocated to the legitimate vehicle. Note that will be used in the subsequent communication such as road message dissemination, reporting, and evaluation. The delivered packet format is as follows:where the transmitted message is symmetrically encrypted using both and the group key . Similarly, the current time stamp denoted as is adopted in the encryption. Note that represents the symmetric encryption on using secret key . Additionally, indicates the type of . For security consideration, the communication between vehicle and RSU adopts the assigned group key for encryption.

5. Proposed Road Message Dissemination Scheme

In this section, we describe the corresponding road message dissemination scheme in detail. Meanwhile, the message evaluation and award mechanism are presented.

5.1. Road Message Reporting

We assume the scenario that a specific vehicle with identity is within the effective range of a RSU. Note that the vehicle has successfully passed the authentication and acquired the group key . Subsequently, in a certain time point , the vehicle passes through a particular spot where road event occurs. For example, when the vehicle passes through the road accident scene, the driver could consider this accident as a road message and report it to the RSU. According to (15) in previous section, the RSU gets the packet involving the encrypted message and the detailed time point . The decryption process is as follows.

First, the decryption with group key is conducted in the RSU side according to

Next, RSU checks the time stamp with the derived one in order to ensure that the received message is timely and effective. Additionally, of the vehicle is derived. According to the aforementioned design, the RSU acquires the relevant secret in its storage so that the transmitted road message can be acquired according to

At this point, the RSU is aware of the identity information of the reporting vehicle. Hence, according to , RSU requests TA for the vehicle priority parameter, which is considered as the initial element in the message management process. In practical scenario with multiple vehicles existing in one RSU’s effective range, it is possible that more than one vehicles report the same road message to TA. For example, two vehicles and may successively pass through a certain accident scene. Hence, both of them report this event to RSU. In this case, the RSU stores this road message in its storage and assigns the broadcast priority for , which can be calculated using the priority of the two reporting vehicles as follows:where the identifiers of and are denoted as and , respectively. Meanwhile, the priorities of the two vehicles are and . The calculated here represents the broadcast priority right after the two vehicles report the message. Moreover, among all the vehicles, it is assumed that only and report to RSU such that is achieved as the average value of all the reporting vehicles’ priority.

In a nutshell, we assume that the vehicle set denotes the legitimate vehicles that have already passed the authentication process conducted by the effective RSU. Among these vehicles, the vehicle subset consists of all the vehicles that report road message . Note that the identity of is denoted as . Hence, the broadcast priority is and holds. It is assumed that the vehicles report message following the sequence of . Moreover, the road event is denoted as follows:which indicates that happened in location and the detailed information is showed in . Moreover, the event type is defined as . In this way, the road message contains the essential elements of .

In our assumption, after occurred, within certain time interval vehicles will report the event to the RSU. Hence, after RSU receives the road report from for the first time, the broadcast priority is computed as . Similarly, the broadcast priority after RSU receives the road report for () times, and can be computed aswhich is defined as the average vehicle priorities of all the reporting vehicles. Hence after , the broadcast priority for isPractically, one RSU handles multiple different road messages simultaneously. Therefore, each message will be assigned a broadcast priority and then stored in the storage. In our design, the creditability and accuracy of the road message are highly related to the reporter’s previous records. And the vehicle priority is able to reflect this property properly. Consequently, RSU sorts all these messages so that the reliable messages will be broadcast first.

5.2. Road Message Dissemination

As illustrated in the above section, the RSU manages all the road information within its effective range. Periodically, RSU broadcasts the messages in certain sequence. Note that all the road messages are encrypted using the distributed group key . Hence, only the registered vehicles can get access to this service. The aforementioned broadcast priority is roughly decided by reliability of the reporting vehicles. In this way, a predefined parameter is set as the minimum requirement for message dissemination. That is to say, the messages will be broadcast only if . Otherwise it will be considered as unreliable information and then temporarily disabled from the broadcast list. In this case, in future, if other vehicles report the same message, will be compared with again. After a predefined time interval, if , RSU permanently deletes the message in its storage. Following the above procedure, vehicles could acquire road messages in an accurate way. Thus the driving security can be improved with this service.

5.3. Evaluation and Priority Management

For practical consideration, an appropriate evaluation mechanism towards the road messages is necessary. In this subsection, we describe the proposed evaluation and priority management scheme. The value of the stored road message is decided by not only the reputation of the reporter but also the message itself. In order to achieve this, we assume that the vehicles have the capability of evaluating the received road messages. Following the above assumptions, the vehicle subset denotes vehicles who receive the road message within time interval . After approaches the location where the road event happened, could evaluate whether the received road information is correct, which helps improve the road report accuracy. The format of the evaluation message is as follows:where the message type denoted as here indicates that it is an evaluation message. denotes the assigned information number for message . In addition, is the current time stamp. Note that this evaluation will be sent back to RSU. According toRSU checks the time stamp with the derived one in order to ensure that the message is timely and effective. Additionally, of the vehicle is derived. RSU acquires the relevant secret in its storage so that the transmitted evaluation on message can be acquired according to

In this way, the evaluation can be combined to according to . As a result, for road message , the RSU could receive evaluation messages where . For practical consideration, the can be analyzed using different state parameters such as , where means that is totally accurate and helpful, while means that is of no help and thus is considered as the fake message. The state parameters are . During every certain period , RSU analyzes all the received evaluation messages and updates the broadcast priority following the steps below:(i)Screening: firstly, RSU checks whetherholds, where denotes the proportion of the received whose among all the evaluation on . Furthermore, is the predefined system parameter according to different practical scenarios. In this case, if most of the users give negative assessments, is considered as invalid information and must be discarded from the storage immediately.(ii)Updating: secondly, the updating on broadcast priority is conducted aswhere denotes the priority of vehicles.

At this point, the updating process for is completed. Similarly, after time periods , the broadcast priority for iswhere , , and are the parameters in th time periods . Note that the above process should be conducted for each stored road message in RSU. Hence, the broadcast sequence is updated. In future, after , will be deleted if , where is the preset system parameter.

5.4. Vehicle Priority Management

As illustrated above, the vehicle priority on vehicle is , which is a significant user property in both the broadcast priority computing and updating processes. As a matter of fact, the reporting vehicle plays a crucial role in the message dissemination scheme. Hence, appropriate rewarding strategy is essential to motivate drivers’ enthusiasm on road situation reporting. The incentives will be given according to the vehicle priority. To achieve this, will be updated according to the value of his reporting road message.

We assume that road message is reported by several vehicles in . After a sufficient time period, for example, twenty-four hours, one road message has been evaluated by multiple vehicles. According to (25) in the previous section, is valid ifholds. In this way, of all are updated asIn contrast, if is evaluated to be invalid and discarded by RSU, of all are updated asNote that the driver could change it into incentives such as coupons of cooperative stores or scorecard in the road service area.

6. Security Analysis

In this section, we analyze the security properties of the proposed authentication scheme. The security theorems as well as the corresponding proofs are given below.

6.1. Unforgeability against Chosen Message Attack

We analyze the unforgeability against chosen message attack in the proposed protocol.

Theorem 1. The proposed certificateless authentication scheme is existentially unforgeable against adaptive chosen message attack under the assumption of random oracle model if and only if the CDHP is hard.

Proof. The security of unforgeability is formally defined through game . Let be a probabilistic polynomial time adversary. denotes the challenger; and denote the random oracles. In order to solve CDHP problem, it is assumed that is able to simulate all the related oracles. In , can conduct the following corresponding queries to .
h Query. We assume that the adversary itself does not have the ability to directly compute the hash function . Hence, the response to h Query is simulated by maintaining a list initialized to be empty. That is to say, when the oracle is queried with the input values , if the query already exists in , outputs to . Otherwise, chooses a random number and forwards it to . After that, will be subsequently added to .
Extract Query. The adversary is able to query the partial private key of any given key set . According to , outputs the partial private key to .
H Query. can query the random oracle at any time. The response to H Query is simulated by maintaining a list . Note that is initialized to be empty. When the oracle is queried with input values , if the query already exists in , outputs to . Otherwise, chooses a random number and forwards it to . After that, will be subsequently added to .
Authenticating Query. simulates the authenticating oracle by responding to the authenticating query as follows: (i) randomly chooses as the certificate and as the intermediate parameter.(ii) computes . If already exists in , chooses other values and tries again.(iii) adds the above to .(iv) outputs as the certificate.According to the Forking Lemma [43], produces two valid certificates and (). In this case, hold. Hence we can getIn this way, we show that the CDHP problem can be solved. In other words, the attacker needs to solve the CDHP problem in order to forge the certificate. However, this contradicts the hardness of the CDHP problem [44, 45]. In conclusion, an attacker cannot forge the certificate in the authentication process [46, 47].

6.2. Resistance to Replay Attack

The replay attack is achieved by reusing the previous generated message to pass the current authentication process. The security property against replay attack is discussed in this section.

Theorem 2. During the certificateless authentication process, replay attack can be prevented. That is, the previous messages of the past authentication sessions cannot pass the current authentication process in RSU side.

Proof. We discuss the resistance to replay attack through game . Similarly, let be a probabilistic polynomial time adversary. It is assumed that, in time point , has access to all the published system parameters as well as the transmitted messages from to (). Randomly, chooses the message at time . At , sends as the replaying message. Note that . In this way, . Hence, the previous message cannot pass the current authentication.

6.3. Forward Security

In this section, we analyze the forward security property of the proposed protocol.

Theorem 3. The proposed authentication scheme provides forward security against adversary. That is, the adversary cannot pass the authentication with the acquired vehicle secret key from the compromised RSU.

Proof. We assume that the RSU has already been compromised by brute-force attack and all the stored key information is leaked to the adversary . The secret key set denotes the private keys of all the vehicles. In this case, is able to use the derived partial private key for certificate generation. However, the private key contains both and , while is chosen by the vehicle itself. Due to the hardness of the aforementioned DLP problem, the probability that can be correctly computed is illustrated as , where is the size of . In general, the certificateless authentication property guarantees the forward security of the proposed scheme.

6.4. Session Key Establishment

In the system model of this paper, it is necessary to generate a shared session key between the RSU and vehicle so as to guarantee the data confidentiality and transmission security, which is analyzed as follows.

Theorem 4. In the proposed protocol, the shared session key is established after successfully authentication between RSU and vehicle.

Proof. According to the protocol design, , along with the current time stamp and the previously acquired intermediate value , is transmitted to the vehicle. In the vehicle side, the below derivation of is conducted as , where is stored in vehicle already. Note that the security assurance of the message transmission is based on the hardness of DLP problem. The final group key is generated and adopted to the following message transmission.

6.5. Mutual Authentication

In this section, we analyze the mutual authentication property in the proposed authentication protocol.

Theorem 5. The proposed protocol can provide mutual authentication between RSU and vehicle if the DLP problem is intractable.

Proof. During the authentication process, the RSU-to-vehicle security is preserved by the aforementioned certificate , which has been discussed in the proof of Theorem 1. On the other hand, the vehicle-to-RSU security is based on the hardness of DLP problem. Specifically, is contained in the delivered and will be verified by the RSU with the known key information. Therefore, we could conclude that the proposed authentication scheme provides mutual authentication property.

7. Performance Analysis

In this section, we present the performance analysis towards the proposed protocol. Our analysis on the performance mainly emphasizes the storage overhead, the computation cost, and the communication cost, which are the dominant factors in the proposed protocol.

7.1. Storage Overhead

In the proposed protocol, storage overhead is a crucial parameter for VANETs, especially for vehicles. Due to the inherent resource restriction, it is impractical for the vehicle to store massive key messages and communication data in its own memory. Moreover, the RSU is designed to handle both the key distribution and road message management simultaneously. As a result, the storage overhead in both the vehicle and RSU sides should be considered.

As for the vehicle in the proposed protocol, some essential key information is previously stored during the registration including . The published public key of RSU, namely, , as well as the intermediate value , is also stored in vehicle. Moreover, the transmitted message , and the necessary group key distribution value are stored, respectively, in the group key distribution phase. According to [48], we assume that the length of elements in and is 256 bits. The lengths of relevant vehicle secret keys such as , , and are 160 bits. Moreover, it is assumed than the lengths of the adopted time stamps and the identity of vehicle are 32 bits and 24 bits each. In this way, the storage overhead for each vehicle is bits. Similarly, we assume that the number of vehicles in the RSU range is . Consequently, the storage overhead in RSU side includes key information of RSU itself and secret messages of all the vehicles. In this way, the storage overhead for the RSU is bits. The comparison with the state-of-the-art VANETs authentication protocols ICPA [10], DAKM [4], ABAP [8], and SAAP [32] is illustrated in Table 1.

Table 1: Comparison of storage overhead.
7.2. Computation Cost

In this section, we analyze the computation cost of the proposed protocol. The computation cost is defined as the time consumption for the group key distribution process. The comparison result with ICPA, DAKM, ABAP, and SAAP is given in Table 2. We denote modulo operation as , exponential operation as , and bilinear pairing as . and refer to encryption and decryption. Additionally, , , , and represent one-way hash function, multiplication operation, division operation, and addition operation, respectively. Finally, the point multiplication operation is dented as .

Table 2: Comparison of computation cost.
7.3. Communication Cost

The communication cost refers to the time consumption for message transmission. In this subsection, we consider the required communication passes for RSU to successfully authenticate vehicles. The comparison result on communication cost is given in Table 3.

Table 3: Comparison of communication cost.

8. Conclusion

Emphasizing the secure authentication and road message dissemination in VANETs, a secure certificateless authentication and road message dissemination protocol is proposed in this paper. In our design, certificateless cryptographic technique is employed for authentication and key distribution. Subsequently, an appropriate road message dissemination mechanism is designed. The security analysis and performance evaluation are given accordingly. The proposed protocol is suitable for practical VANET scenarios and is capable of providing timely road information services, which improves both the user safety and the driving experience.

Notations

TA, RSU:Trustworthy authority, road-side units
:Cyclic additive group
:Generator of
:Unique identifier of vehicle
:Secure hash function,
:Secret key for vehicle
:RSU private key
:Generator of cyclic additive group
:RSU public key
:Vehicle partial private key
:Vehicle partial public key
:Secure hash function,
:Vehicle partial private key
:Intermediate authenticating value
:Secret key generated by TA
:Group key
, :Symmetric encryption and decryption on with
:The disseminated message
:Broadcast priority of
:Vehicle priority
:Road event
:Number of reporting vehicles
:Predefined system parameters.

Conflicts of Interest

The authors declare that they have no conflicts of interest.

Acknowledgments

This work was supported in part by the National Research Foundation of Korea (NRF) grants funded by the Korean government (MSIP) (nos. NRF-2016R1A2B4012638 and NRF-2017R1D1A3B03034005) and by the MIST (Ministry of Science & ICT), Korea, under the National Program for Excellence in SW, supervised by the IITP (Institute for Information & Communication Technology Promotion) (2017-0-00137).

References

  1. X. Peng, “A novel authentication protocol for vehicle network,” in Proceedings of the 2016 3rd International Conference on Systems and Informatics, ICSAI 2016, pp. 664–668, Shanghai, China, November 2016. View at Publisher · View at Google Scholar · View at Scopus
  2. S. Guo, D. Zeng, and Y. Xiang, “Chameleon hashing for secure and privacy-preserving vehicular communications,” IEEE Transactions on Parallel and Distributed Systems, vol. 25, no. 11, pp. 2794–2803, 2014. View at Publisher · View at Google Scholar
  3. A. Studer, F. Bai, B. Bellur, and A. Perrig, “Flexible, extensible, and efficient VANET authentication,” Journal of Communications and Networks, vol. 11, no. 6, pp. 574–588, 2009. View at Publisher · View at Google Scholar · View at Scopus
  4. P. Vijayakumar, M. Azees, A. Kannan, and L. J. Deborah, “Dual Authentication and Key Management Techniques for Secure Data Transmission in Vehicular Ad Hoc Networks,” IEEE Transactions on Intelligent Transportation Systems, vol. 17, no. 4, pp. 1015–1028, 2015. View at Publisher · View at Google Scholar · View at Scopus
  5. J. Sun, C. Zhang, Y. Zhang, and Y. Fang, “An identity-based security system for user privacy in vehicular ad hoc networks,” IEEE Transactions on Parallel and Distributed Systems, vol. 21, no. 9, pp. 1227–1239, 2010. View at Publisher · View at Google Scholar · View at Scopus
  6. J.-L. Huang, L.-Y. Yeh, and H.-Y. Chien, “ABAKA: An anonymous batch authenticated and key agreement scheme for value-added services in vehicular ad hoc networks,” IEEE Transactions on Vehicular Technology, vol. 60, no. 1, pp. 248–262, 2011. View at Publisher · View at Google Scholar · View at Scopus
  7. F.-K. Tseng, Y.-H. Liu, J.-S. Hwu, and R.-J. Chen, “A secure reed-solomon code incentive scheme for commercial Ad dissemination over VANETs,” IEEE Transactions on Vehicular Technology, vol. 60, no. 9, pp. 4598–4608, 2011. View at Publisher · View at Google Scholar · View at Scopus
  8. S. Jiang, X. Zhu, and L. Wang, “An efficient anonymous batch authentication scheme based on HMAC for VANETs,” IEEE Transactions on Intelligent Transportation Systems, vol. 17, no. 8, pp. 2193–2204, 2016. View at Publisher · View at Google Scholar · View at Scopus
  9. K.-A. Shim, “CPAS: An efficient conditional privacy-preserving authentication scheme for vehicular sensor networks,” IEEE Transactions on Vehicular Technology, vol. 61, no. 4, pp. 1874–1883, 2012. View at Publisher · View at Google Scholar · View at Scopus
  10. D. He, S. Zeadally, B. Xu, and X. Huang, “An Efficient Identity-Based Conditional Privacy-Preserving Authentication Scheme for Vehicular Ad Hoc Networks,” IEEE Transactions on Information Forensics and Security, vol. 10, no. 12, pp. 2681–2691, 2015. View at Publisher · View at Google Scholar · View at Scopus
  11. J. Shen, H. Tan, Y. Zhang, X. Sun, and Y. Xiang, “A new lightweight RFID grouping authentication protocol for multiple tags in mobile environment,” Multimedia Tools and Applications, vol. 76, no. 21, pp. 22761–22783, 2017. View at Publisher · View at Google Scholar · View at Scopus
  12. X. Sun, X. Lin, and P.-H. Ho, “Secure vehicular communications based on group signature and ID-based signature scheme,” in Proceedings of the 2007 IEEE International Conference on Communications, ICC'07, pp. 1539–1545, Glasgow, UK, June 2007. View at Publisher · View at Google Scholar · View at Scopus
  13. K. Ansari, C. Wang, L. Wang, and Y. Feng, “Vehicle-to-vehicle real-time relative positioning using 5.9–GHZ DSRC media,” in Proceedings of the IEEE 78th Vehicular Technology Conference (VTC Fall' 13), pp. 1–7, September 2013. View at Publisher · View at Google Scholar · View at Scopus
  14. X. Cheng, L. Yang, and X. Shen, “D2D for intelligent transportation systems: A feasibility study,” IEEE Transactions on Intelligent Transportation Systems, vol. 16, no. 4, pp. 1784–1793, 2015. View at Publisher · View at Google Scholar · View at Scopus
  15. C. Zhang, R. Lu, X. Lin, P.-H. Ho, and X. Shen, “An efficient identity-based batch verification scheme for vehicular sensor networks,” in Proceedings of the 27th IEEE Communications Society Conference on Computer Communications (INFOCOM '08), pp. 816–824, Phoenix, AZ, USA, April 2008. View at Publisher · View at Google Scholar · View at Scopus
  16. F. Wang, Y. Xu, H. Zhang, Y. Zhang, and L. Zhu, “2FLIP: A two-factor lightweight privacy-preserving authentication scheme for VANET,” IEEE Transactions on Vehicular Technology, vol. 65, no. 2, pp. 896–911, 2016. View at Publisher · View at Google Scholar · View at Scopus
  17. X. Li and L. Wang, “A rapid certification protocol from bilinear pairings for vehicular ad hoc networks,” in Proceedings of the 11th IEEE International Conference on Trust, Security and Privacy in Computing and Communications, TrustCom-2012, pp. 890–895, Liverpool, UK, June 2012. View at Publisher · View at Google Scholar · View at Scopus
  18. Y. Hao, Y. Cheng, C. Zhou, and W. Song, “A distributed key management framework with cooperative message authentication in VANETs,” IEEE Journal on Selected Areas in Communications, vol. 29, no. 3, pp. 616–629, 2011. View at Publisher · View at Google Scholar · View at Scopus
  19. H. Tan, D. Choi, P. Kim, S. Pan, and I. Chung, “Comments on ''Dual Authentication and Key Management Techniques for Secure Data Transmission in Vehicular Ad Hoc Networks'',” IEEE Transactions on Intelligent Transportation Systems, no. 99, pp. 1–3, 2017. View at Publisher · View at Google Scholar
  20. T. W. Chim, S. M. Yiu, L. C. Hui, and V. . Li, “VSPN: VANET-based secure and privacy-preserving navigation,” Institute of Electrical and Electronics Engineers. Transactions on Computers, vol. 63, no. 2, pp. 510–524, 2014. View at Publisher · View at Google Scholar · View at MathSciNet
  21. B. Liu, D. Jia, J. Wang, K. Lu, and L. Wu, “Cloud-assisted safety message dissemination in VANET-cellular heterogeneous wireless network,” IEEE Systems Journal, vol. 11, no. 1, pp. 128–139, 2017. View at Publisher · View at Google Scholar · View at Scopus
  22. M.-C. Chuang and M. C. Chen, “DEEP: density-aware emergency message extension protocol for VANETs,” IEEE Transactions on Wireless Communications, vol. 12, no. 10, pp. 4983–4993, 2013. View at Publisher · View at Google Scholar · View at Scopus
  23. M. Milojevic and V. Rakocevic, “Location aware data aggregation for efficient message dissemination in vehicular ad hoc networks,” IEEE Transactions on Vehicular Technology, vol. 64, no. 12, pp. 5575–5583, 2015. View at Publisher · View at Google Scholar · View at Scopus
  24. J. Shen, T. Zhou, X. Chen, J. Li, and W. Susilo, “Anonymous and Traceable Group Data Sharing in Cloud Computing,” IEEE Transactions on Information Forensics and Security, vol. 13, no. 4, pp. 912–925, 2018. View at Publisher · View at Google Scholar
  25. J. Song, C. He, L. Zhang, S. Tang, and H. Zhang, “Toward an RSU-unavailable lightweight certificateless key agreement scheme for VANETs,” China Communications, vol. 11, no. 9, pp. 93–103, 2014. View at Publisher · View at Google Scholar · View at Scopus
  26. L. Zhang, Q. Wu, A. Solanas, and J. Domingo-Ferrer, “A scalable robust authentication protocol for secure vehicular communications,” IEEE Transactions on Vehicular Technology, vol. 59, no. 4, pp. 1606–1617, 2010. View at Publisher · View at Google Scholar · View at Scopus
  27. D. Huang, S. Misra, M. Verma, and G. Xue, “PACP: An efficient pseudonymous authentication-based conditional privacy protocol for VANETs,” IEEE Transactions on Intelligent Transportation Systems, vol. 12, no. 3, pp. 736–746, 2011. View at Publisher · View at Google Scholar · View at Scopus
  28. R. Lu, X. Lin, X. Liang, and X. Shen, “A dynamic privacy-preserving key management scheme for location-based services in VANETs,” IEEE Transactions on Intelligent Transportation Systems, vol. 13, no. 1, pp. 127–139, 2012. View at Publisher · View at Google Scholar · View at Scopus
  29. D. Johnson, A. Menezes, and S. Vanstone, “The elliptic curve digital signature algorithm (ECDSA),” International Journal of Information Security, vol. 1, no. 1, pp. 36–63, 2001. View at Publisher · View at Google Scholar
  30. A. Perrig, R. Canetti, J. D. Tygar, and D. Song, “The TESLA broadcast authentication protocol,” RSA CryptoBytes, vol. 5, 2005. View at Google Scholar
  31. J. Shao, X. Lin, R. Lu, and C. Zuo, “A threshold anonymous authentication protocol for VANETs,” IEEE Transactions on Vehicular Technology, vol. 65, no. 3, pp. 1711–1720, 2016. View at Publisher · View at Google Scholar
  32. H. Xiong, “Cost-effective scalable and anonymous certificateless remote authentication protocol,” IEEE Transactions on Information Forensics & Security, vol. 9, no. 12, pp. 2327–2339, 2014. View at Publisher · View at Google Scholar
  33. A. Shamir, “Identity-based cryptosystems and signature schemes,” in Proceedings of the Advances in Cryptology, pp. 47–53, 1984.
  34. X. Lin, X. Sun, P.-H. Ho, and X. Shen, “GSIS: a secure and privacy-preserving protocol for vehicular communications,” IEEE Transactions on Vehicular Technology, vol. 56, no. 6 I, pp. 3442–3456, 2007. View at Publisher · View at Google Scholar · View at Scopus
  35. C.-C. Lee and Y.-M. Lai, “Toward a secure batch verification with group testing for VANET,” Wireless Networks, vol. 19, no. 6, pp. 1441–1449, 2013. View at Publisher · View at Google Scholar · View at Scopus
  36. J. K. Liu, T. H. Yuen, M. H. Au, and W. Susilo, “Improvements on an authentication scheme for vehicular sensor networks,” Expert Systems with Applications, vol. 41, no. 5, pp. 2559–2564, 2014. View at Publisher · View at Google Scholar · View at Scopus
  37. Y. Zhang, L. Yang, and S. Wang, “An efficient identity-based signature scheme for vehicular communications,” in Proceedings of the 11th International Conference on Computational Intelligence and Security, CIS 2015, pp. 326–330, Shenzhen, China, December 2015. View at Publisher · View at Google Scholar · View at Scopus
  38. S. S. Al-Riyami and K. G. Paterson, “Certificateless public key cryptography,” in Proceedings of the Advances in Cryptology-ASIACRYPT2003, pp. 452–473, 2003.
  39. H. Xiong, Z. Chen, and F. Li, “Provably secure and efficient certificateless authenticated tripartite key agreement protocol,” Mathematical and Computer Modelling, vol. 55, no. 3-4, pp. 1213–1221, 2012. View at Publisher · View at Google Scholar · View at MathSciNet · View at Scopus
  40. H. Xiong and Z. Qin, “Revocable and scalable certificateless remote authentication protocol with anonymity for wireless body area networks,” IEEE Transactions on Information Forensics and Security, vol. 10, no. 7, pp. 1442–1455, 2015. View at Publisher · View at Google Scholar · View at Scopus
  41. J. Shen, T. Zhou, F. Wei, X. Sun, and Y. Xiang, “Privacy-Preserving and Lightweight Key Agreement Protocol for V2G in the Social Internet of Things,” IEEE Internet of Things Journal, pp. 1–1, 2017. View at Publisher · View at Google Scholar
  42. J. L. Carter and M. N. Wegman, “Universal classes of hash functions,” Journal of Computer and System Sciences, vol. 18, no. 2, pp. 143–154, 1979. View at Publisher · View at Google Scholar · View at MathSciNet · View at Scopus
  43. D. Pointcheval and J. Stern, “Security arguments for digital signatures and blind signatures,” Journal of Cryptology, vol. 13, no. 3, pp. 361–396, 2000. View at Publisher · View at Google Scholar · View at Scopus
  44. D. Wang, D. He, P. Wang, and C.-H. Chu, “Anonymous Two-Factor Authentication in Distributed Systems: Certain Goals Are Beyond Attainment,” IEEE Transactions on Dependable and Secure Computing, vol. 12, no. 4, pp. 428–442, 2015. View at Publisher · View at Google Scholar · View at Scopus
  45. C. Wang, G. Xu, and J. Sun, “An enhanced three-factor user authentication scheme using elliptic curve cryptosystem for wireless sensor networks,” Sensors, vol. 17, no. 12, article no. 2946, 2017. View at Publisher · View at Google Scholar · View at Scopus
  46. D. Wang and P. Wang, “Two Birds with One Stone: Two-Factor Authentication with Security Beyond Conventional Bound,” IEEE Transactions on Dependable and Secure Computing, no. 99, pp. 1–14, 2016. View at Publisher · View at Google Scholar
  47. D. Wang, H. Cheng, P. Wang, X. Huang, and G. Jian, “Zipfs law in passwords,” IEEE Transactions on Information Forensics and Security, vol. 12, no. 11, pp. 2776–2791, 2017. View at Publisher · View at Google Scholar
  48. D. He, S. Zeadally, N. Kumar, and J. H. Lee, “Anonymous authentication for wireless body area networks with provable security,” IEEE Systems Journal, no. 99, pp. 1–12, 2016. View at Google Scholar