Recent Advances in Next Generation Cybersecurity TechnologiesView this Special Issue
A Novel Privacy-Preserving Authentication Protocol Using Bilinear Pairings for the VANET Environment
With the rapid development of communication and microelectronic technology, the vehicular ad hoc network (VANET) has received extensive attention. However, due to the open nature of wireless communication links, it will cause VANET to generate many network security issues such as data leakage, network hijacking, and eavesdropping. To solve the above problem, this paper proposes a new authentication protocol which uses bilinear pairings and temporary pseudonyms. The proposed authentication protocol can realize functions such as the identity authentication of the vehicle and the verification of the message sent by the vehicle. Moreover, the proposed authentication protocol is capable of preventing any party (peer vehicles, service providers, etc.) from tracking the vehicle. To improve the efficiency of message verification, this paper also presents a batch authentication method for the vehicle to verify all messages received within a certain period of time. Finally, through security and performance analysis, it is actually easy to find that the proposed authentication protocol can not only resist various security threats but also have good computing and communication performance in the VANET environment.
In recent years, the vehicular ad hoc network (VANET) has attracted more and more attention in improving people’s lives. The VANET is a special mobile self-organizing network used in the intelligent transportation field . In this application scenario, a vehicle can share the information with other vehicles via vehicle-to-vehicle (V2V) or vehicle-to-roadside unit (V2R) communications, respectively . And both the above two communication scenarios follow the dedicated short-range communication (DSRC) protocol . According to the DSRC protocol, each vehicle must periodically broadcast traffic-related messages. The traffic-related message mainly includes the vehicle’s location, speed, and traffic status. Due to the open nature of wireless connections, the messages transmitted between the vehicles and the roadside unit (RSU) are easily intercepted or eavesdropped on by attackers . Consequently, the security and privacy protection of the message is one of the key components towards the success of VANET applications.
The user privacy should be preserved during authentication in VANET . In order to hide the actual identities of the vehicles, the anonymity of vehicles is required for VANET. On the other hand, the VANET backend server must have the ability to extract a vehicle’s actual identity for tracing the malicious vehicles’ activities . Otherwise, a malicious vehicle will randomly send a large amount of false messages in VANET, which will lead to serious consequences . Therefore, privacy preservation and traceability are two seemly conflicting requirements, and hence, we must solve them properly. In addition, unlike other types of self-organizing networks, the VANET has the characteristics of very high node movement speed . Consequently, during the authentication period, the communication time among different nodes will be very short. We must improve the efficiency of the authentication protocol as much as possible.
To solve the above issues, in this paper, we present an authentication protocol based on bilinear pairings and temporary pseudonyms. The contributions of this work can be summarized as follows: (1)We propose a bilinear pairing-based vehicle authentication and the message verification protocol. In addition, to protect privacy, the proposed protocol uses temporary pseudoidentity to identify the messages transmitted between vehicles(2)To improve the authentication efficiency, the proposed protocol verifies the messages with the single or batch authentication manner on the recipient’s side(3)In our proposed protocol, the TA and RSU have the ability to trace and revoke a compromised vehicle. The TA is also able to find the RSU who has authenticated the compromised vehicle by the traffic-related message that was sent from the compromised vehicle(4)The detailed security analysis demonstrated that the proposed vehicle authentication and the message verification protocol can not only resist various security threats but also have good security features, such as unforgeability of identity and message integrity(5)We evaluate the performance of the proposed authentication protocol and compare it with the related authentication protocols in terms of computation and transmission overheads. In addition, we also have analyzed the relationship between different factors and the message loss rate or the message delay of the authentication protocol
The remainder of this paper is organized as follows. Section 2 summarizes the related work. Section 3 explains the system model and some mathematics-related preliminaries. In Section 4, the proposed privacy-preserving anonymous mutual authentication protocol is given. Moreover, we give the security analysis and performance evaluation of the proposed authentication protocol in Sections 5 and 6, respectively. Finally, Section 7 concludes the paper.
2. Related Work
In the past few years, many researchers have focused on the VANET’s security and privacy issues. Many solutions based on pseudonyms, group signatures, symmetric cryptography, and identity identifier encryption have been proposed. The existing research works in VANETs can be classified into the following main categories: pseudonym-based authentication protocols [9–14], group signature-based authentication protocols [15–17], and hybrid-based authentication protocols [18, 19].
2.1. Pseudonym-Based Authentication Protocols
The main idea of the pseudonym-based protocol  is to use the pseudonyms generated by random functions or other methods instead of the vehicles’ identities in the process of authentication in VANET. One of the earliest works in this field is proposed by Raya and Hubaux . The main idea of Raya and Hubaux’s protocol is that the vehicles need to preload a huge number of anonymous certificates and their corresponding private keys based on the anonymity level they require. The main drawback of this protocol is that vehicles need to check a long list of revoked certificates when verifying the received signed message, which is very time-consuming. Sun et al.  proposed a pseudonym-based authentication protocol. Their protocol allows RSU to distribute certificate service and allows a vehicle to update its certificate on the way.
Although the above method can hide the user’s real identity information successfully, the background server cannot complete the trajectory of the vehicle, which is necessary for certain scenarios. Then, Shen et al.  presented an ECC-based privacy-preserving authentication protocol with authority traceability for VANET. Li et al.  proposed an ID and pseudonym generation-based privacy-preserving authentication for VANET. He et al.  proposed an ID-based conditional privacy-preserving authentication protocol for VANETs based on elliptic curve cryptography. To improve performance further, the batch verification method is introduced in their protocol. Wang et al.  proposed a hybrid authentication protocol based on the PKI and identity-based signature, which can meet the requirements of security and conditional privacy in VANETs. However, in most of the abovementioned protocols, they cannot avoid the time-consuming identity legality detection in the message verification process.
2.2. Group Signature-Based Authentication Protocols
Another category of privacy-preserving authentication protocols is the group-based protocol [15–17, 20, 21]. In group-based authentication protocols, each group member can sign on behalf of the group without revealing its real identity when it sends traffic-related messages. Other vehicles can only verify that these messages are from a valid group member, but there is no way to determine who sent them. For example, Hao et al.  proposed a group signature-based distributed key management scheme for VANETs, which is expected to considerably facilitate location privacy protection and heterogeneous security policies. Later, Zhu et al.  presented an efficient privacy-preserving authentication protocol based on group signatures for VANET. In Zhu et al.’s protocol, they use a hash message authentication code (HMAC) to avoid time-consuming CRL checking and to ensure the integrity of messages before batch group authentication. Shao et al.  innovatively grouped the vehicle by RSU and proposed a new group signature-based authentication protocol for VANET.
With the assistance of the new group signature scheme, the proposed authentication protocol is featured with threshold authentication, efficient revocation, unforgeability, anonymity, and traceability. Wang and Yao  proposed a group signature-based conditional privacy-preserving authentication for VANET. In addition, their authentication protocol also supports batch verification. Islam et al.  proposed a password-based conditional privacy-preserving authentication and group key generation protocol for VANET. Their protocol offers group key generation, user joining and leaving, and password change facilities. Besides the group-based signature scheme, other techniques have also been proposed to achieve anonymity within a group. For example, Zhang et al.  used the -anonymity concept to protect the user privacy so that a vehicle is indistinguishable from vehicles. In addition, some researchers use the ring signature or blind signature to build the privacy-preserving authentication protocol [23, 24].
2.3. Hybrid-Based Authentication Protocols
Some research activities use a combination of pseudonyms and group signatures to complete the design of authentication protocols in VANET [18, 19, 25]. For instance, Giorgio et al.  suggested an authentication protocol for VANET which uses the above methods in combination to protect the messages transmitted between the vehicles. Later, Liu et al.  proposed a protocol for VANET which is based on identity-based and group-based signatures. In Liu et al.’s proposal, the vehicles are divided into two different categories: the public vehicles and the private vehicles. The role of a public vehicle is similar to an RSU. The messages sent from the public vehicles and RSUs are authenticated using the identity-based signature . And the messages sent from the private vehicles are authenticated via the group signature for safety reasons.
In general, most of the existing group-based protocols have some disadvantages. First, the group manager has all the knowledge about group members. Hence, there is the possibility of internal privilege attacks. Second, the joining and leaving of group members will result in the need to update the group key. Therefore, when the number of vehicles is large and the movement is frequent, a large amount of computing resources is required for updating the group key.
3. System Model and Preliminaries
3.1. System Model
A typical VANET system model is shown in Figure 1. There are three important components in VANET: the trusted authority (TA), on-board unit (OBU), and roadside unit (RSU) . The TA is mainly responsible for the registration and certification of OBUs and RSUs. It is a trusted management and certification center. Generally, it is assumed that the TA is powerful enough in terms of communication, computation, and storage capabilities, and it is infeasible to compromise by the adversary.
The RSU, deployed on the roadside, can be regarded as the communication medium between OBU and TA. It is generally believed that there is a secure communication channel between RSU and TA, while the channel between RSU and OBU is an insecure wireless communication channel. In addition, due to working in unattended environments, the RSU can send secret information to the attackers when they are compromised. For the above reasons, all the RSUs must be managed and monitored by the TA. The OBU’s role is to achieve the communication between vehicles and vehicles or vehicles and RSUs. In addition, it periodically broadcasts traffic-related messages such as location and speed to other vehicles to alert them to avoid traffic jams or accidents . It is generally assumed that the OBU is a tamper-proof device to store the real identity of the vehicle and some other key materials.
3.2. Attacker Model
Since the VANET uses open-featured wireless links to transmit traffic-related messages, attackers can launch various attacks against the VANET through eavesdropping and tampering. In the VANET environment, attackers are mainly divided into the external attacker and internal attacker . The external attacker can eavesdrop or modify all the exchanged information in VANET. Based on these capabilities, the attacker may masquerade as a legitimate vehicle or RSU and communicate with the target entity to obtain illegal benefits. In addition, the external attacker has the ability to launch a denial-of-service attack. And the external attacker may be performed by a single attacker or a group of colluding attackers. In general, the external attacker has more computing and communication capabilities than the vehicle or RSU [29, 30].
The internal attacker mainly refers to the malicious vehicle inside the VANET or the internal administrator [31–33]. The vehicle itself may also be a malicious node that can launch attacks such as the man-in-the-middle attack and replay attack. Besides, the attacker seeks to breach the anonymity of the vehicle. The internal attackers are potent as well since they are part of the system and have access to shared secrets. In addition, the attacker may eavesdrop on the communication link among the vehicles and RSUs. He/she may also attempt to establish the relationship between the successive pseudonyms and link these pseudonyms to a unique real entity.
In addition, the impact of certain human factors will also pose a great threat to the security of the VANET. For example, the OBU may be stolen by the thief. The thief may use the stolen OBU to send false messages to the other vehicle or the RSUs, which may cause new security threats to the VANET. Therefore, we need to take into account the negative impact of the stolen device.
3.3. Elliptic Curve Cryptosystem (ECC)
ECC is one of the commonly used public key encryption algorithms, and its security relies on the difficulties of the discrete logarithm problem of the elliptic curve . Compared to the well-known RSA public key encryption algorithm, ECC can achieve the same public key strength as RSA with a shorter key.
Let be a large prime number, and let be a field of integers modulo . A nonsuper singular elliptic curve over leads to an equation of the following form: where and . And then we look at the points on with coordinates in which we denote by the following form:
In order to prove the security of our proposed protocol, here, we present two important mathematical problems on elliptic curves as follows:
Elliptic curve discrete logarithm problem (ECDLP). Given an elliptic curve defined over a finite field , and two points of order , it is hard to find an integer such that .
Computational Diffie-Hellman problem (CDHP). Given an elliptic curve defined over a finite field , and the points , it is hard to compute .
3.4. Bilinear Pairings
The bilinear mapping defines three multiplicative cyclic groups with prime order . Let be a computable bilinear map, which satisfies the following properties:
Bilinearity. For any and , , where . This can be restated in the following way: for any and , .
Nondegenerate. For any , , where is the identity element of the group .
Computability. There exists an efficient algorithm to compute for any and .
Then, we called a bilinear map. The bilinear mapping can be constructed by Tate pairs or Weil pairs on elliptic curves over a finite field.
4. The Proposed Authentication Scheme
In this section, we present a bilinear pairing-based vehicle authentication and the message authentication protocol to improve the security and efficiency of communication in VANET. It contains seven phases, namely, system initialization, registration, RSU temporary key retrieval, vehicle authentication, vehicle verification, message signing, and message verification. To facilitate the subsequent description, the various symbols used in this paper are listed in Table 1.
In the initialization phase, TA sets the required parameters used in the proposed scheme:
Step I1. TA first selects a prime number and an appropriate elliptic curve over the finite field and then selects a base point over the elliptic curve , and the order of is . Let be a cyclic additive group generated by and be a cyclic multiplicative group with the same order . Then, TA constructs an appropriate bilinear map .
Step I2. The TA selects two secure cryptographic hash functions , , and , where is a secure hash function, , where is the length of the string, and is a map-to-point hash function.
Step I3. Next, TA chooses its private key and computes its corresponding public key . Then, TA selects two secret values and saves them properly.
Step I4. After completing the above operations, the TA publishes the system parameters .
4.2. Registration Phase
Due to different roles and characteristics, the registration phase is divided into two parts: OBU registration and RSU registration.
4.2.1. OBU Registration
When the vehicle wants to accept the services provided by VANET, it must be registered by the TA:
Step OR1. The vehicle selects a unique identity and a password . Then, it chooses a random number and computes . Next, the sends to the TA through a secure channel.
Step OR2. Upon receiving the message , the TA randomly generates a number and then calculates
Then, TA chooses a random number as the user’s private key and computes the corresponding public key .
Step OR3. Next, the TA embedded the information into the ’s tamper-proof device (TPD) and keeps in its tracking list.
4.2.2. RSU Registration
The registration process of the RSU , , is explained as follows:
Step RR1. The RSU sends the information about the network to which it is connected to the TA securely.
Step RR2. The TA chooses a random value as ’s private key and computes the corresponding public key .
Step RR3. The TA generates the signature , where is ’s identifier number. Then, TA injects the information into the RSU via a secure channel.
4.3. RSU Temporary Key Retrieval Phase
In order to improve the efficiency of message verification, RSU is responsible for regularly distributing its local temporary keys for the vehicles which enter into the RSU’s communication range.
The RSU randomly chooses a value and calculates the temporary master key . Then, the RSU stores the temporary master key in its TPD. And then, the RSU calculates the corresponding temporary public key .
Next, the RSU releases its temporary public key together with the random number in its coverage area periodically.
4.4. The Vehicle Authentication Phase
When a vehicle arrives at the area covered by the RSU , it first checks the identity of and determines whether it is a new RSU. If so, the vehicle should be authenticated to to get the of ’s temporary master key. Then, calculates its anonymous identity via the ’s temporary master key.
In this phase, the vehicle generates an anonymous identity and constructs a message authentication code. Then, the TA verifies the authentication message to verify the legality of the vehicle . The detailed message authentication process is described as follows:
Step A1. The user of the vehicle enters the identity and the password into the . The OBU of the vehicle calculates the following formulas:
And then, it verifies whether holds. If they are not equal, the will require the user to enter the correct identity and password again. Otherwise, the generates a timestamp and computes and .
Step A2. Then, the OBU of the vehicle sends the message to the via a public communication channel.
Step A3. Upon receiving the message, the first checks the freshness of the timestamp . If it holds, the then computes and sends the message to the TA via a public channel.
4.5. The Vehicle Verification Phase
Step V1. Upon receiving the message , the TA first checks the timestamp . If the condition holds, the TA computes
Then, TA determines whether the equation is true. If they are equal, the TA considers to be a legitimate RSU.
Step V2. Next, the TA extracts the message and continues to calculate
And then it checks whether holds. If they are equal, the TA considers to be a legitimate vehicle.
Step V3. The TA computes and sends the message to via a public channel to tell the vehicle is a legitimate vehicle. Upon receiving the message, computes and sends to the vehicle via a public communication channel.
Step V4. Upon receiving the message, the vehicle computes and extracts ’s local master keys to prepare for the next message signing phase. The sequence diagram of the vehicle’s login and certification steps is described in Figure 2.
4.6. Message Signing Phase
As discussed previously, the vehicle driving on the road needs to send out traffic-related messages periodically. To protect the privacy of the vehicle, the message should be signed with the vehicle’s pseudoidentity. However, in order to ensure the legitimacy of the received traffic-related messages, the receiver needs to verify the messages. Hence, message authentication is very important in VANET. The receiver checks the integrity and validity of the traffic-related message by verifying the correctness of the signature. The details of the signing phase can be described as follows:
Step M1. The vehicle first chooses a random number and generates its pseudo-ID and the corresponding private key as follows:
Step M2. The vehicle then generates a traffic message which includes the timestamp and the traffic information related to the vehicle. Next, signs the message as follows:
Step M3. Finally, the vehicle releases the traffic-related message . Here, is the identity of the RSU . It is used to let the verifier know that the traffic-related message is signed by the key which is based on the temporary master key of .
4.7. Message Verification Phase
When the traffic-related message is received by other recipients, they should check the validity of this message. And the validity of the traffic-related message can be verified when the value of the following equation is true:
Equation (10) can be derived as follow:
The recipients have obtained the system parameter , the RSU’s temporary public key , and the random number . After receiving vehicle ’s traffic-related message, they can get the traffic-related message , the signature , and the anonymous identity . If the above formula is true, it proves that the sender of the traffic-related message is legal, and the integrity of this message can also be confirmed.
When the recipient receives multiple messages at the same time, the recipient can use the batch verification method to verify these messages. Suppose these messages are marked as . The batch verification of these messages uses the following equation:
Verifying a number of signatures with the batch verification method is much faster than verifying them individually. In addition, the proof process of formula (12) is similar to that of formula (10). For brevity, we omit the proof process of formula (12). The sequence diagram of the message signing and verification processes is described in Figure 3.
4.8. Real Identity Tracking and Revocation
In the proposed authentication protocol, the traffic-related messages are signed with pseudoidentities to protect privacy. When an OBU is compromised and releases false traffic-related messages, TA should have the ability to reveal its real identity and revoke its long-term certificate. In the proposed protocol, only the TA and RSU have the ability to trace and revoke a compromised vehicle. Therefore, TA is able to find the compromised vehicle by the which is contained in the traffic-related messages. Then, TA calculates the real identity of the compromised vehicle using the following equation:
Next, TA adds the genuine identity of this vehicle to its compromised vehicle list (CVL) and sends the updated CVL to all RSUs. When a vehicle is compromised, the RSU will discard its request message in the early stages of mutual authentication. Consequently, the compromised vehicle will not get the RSU’s local master keys. And it cannot calculate the corresponding temporary key to release the malicious wrong traffic-related message.
5. Security Analysis
In this section, we analyze the security and privacy features of the proposed authentication protocol as follows.
5.1. Unforgeability of Identity
The proposed protocol guarantees that no one can use an identity that does not belong to him/her to take part in the system. When the vehicle needs to be authenticated at the , the message sent by does contain its real identity . However, due to the one-way nature of the hash function, the attacker cannot get from the above message.
On the other hand, the attacker also cannot pretend to be an RSU to spoof. Even if the attacker obtains the ’s identity and the corresponding public key , the attacker is unable to calculate the parameter for authentication with the TA because it cannot obtain the ’s private key . Then, the attacker is unable to establish a secure connection with the vehicle and perform subsequent operations.
5.2. Replay Attacks
Due to the open nature of the wireless channel, the message can be easily captured or modified by the attacker. Therefore, the attacker may use the captured traffic-related message to launch a replay attack. In our proposed scheme, the timestamp is used to keep the freshness of the messages and resist the replay attack in the vehicle authentication phase. Although the attacker may obtain another vehicle’s authentication message , without knowing the secure variable , he/she cannot get the session key and finish the authentication successfully.
Similarly, the attacker cannot replay the traffic-related message. The reason is that the traffic-related message contains the random number and the corresponding private key which is only owned by the vehicle . If an attacker replays this data, he/she will not be able to structure a valid signature about the traffic-related message. Through the above analysis, it is clear that the proposed authentication protocol has the ability to resist the replay attack.
5.3. Message Integrity and Authentication
For VANET, which is composed of open communication links, the integrity and authenticity of the message must be guaranteed. In the proposed authentication protocol, the TA injects the relevant secret information into every RSU’s and OBU’s memory in the registration phase. In V2R communication, the vehicle sends the request message to to authenticate with the and obtain its local master keys . Then, the returns its local master key to the requested vehicle. All the messages mentioned above are encrypted with the secret values obtained from the TA. Therefore, the receiver can easily verify the integrity and identity of the messages.
After mutual authentication, the vehicle obtains the local master key from the . In the next V2V communication, the vehicle uses the ’s local master key to generate its pseudo-ID and the corresponding private key . Because of the use of identity-based signature algorithms, the receiver can easily verify the integrity of the traffic-related messages broadcasted by vehicle . With the above analysis, we can find that our proposed protocol satisfies the requirements of message integrity and authentication.
5.4. Conditional Privacy-Preserving Property
As described earlier, in the authentication phase, the main role of RSU is to distribute the temporary public key to the vehicles nearby it. However, the privacy of the vehicle’s identity must be protected in this environment. The proposed authentication protocol achieves the conditional privacy-preserving property in two aspects.
First, when a vehicle moves near the RSU, needs to generate a fresh timestamp and uses it to calculate with the user’s real identity via the hash function to generate an authentication message. Since the timestamp used to calculate the authentication message is different each time and the hash function has a strong collision resistance property, the adversary cannot get the genuine identity information of the vehicle through the message .
Second, when the vehicle joins an RSU ’s group, it obtains the ’s local master key and the corresponding temporary public key . And then, it generates a new pseudo-ID and the corresponding private key to sign the traffic-related message by the temporary master key of . Since the traffic-related message is signed with different temporary master keys of at different time, no entity except TA and can establish the link between signatures and pseudo-IDs of the vehicle . In summary, we can find that the proposed authentication protocol satisfies the conditional privacy-preserving property.
5.5. Traceability and Revocability
In the proposed authentication protocol, only the TA can get the authentic identity of the vehicle from its authentication request message. Other participants (including vehicles and attackers) cannot extract the authentic identity of the vehicle from the authentication request message.
In addition, to protect privacy, the proposed protocol signs the traffic-related messages with different pseudo-IDs in the message signing phase. And the TA can get the authentic identity of the vehicle by using equation (13). Consequently, when a vehicle is compromised, the TA could reveal its authentic identity to other entities. As a result, the revoked vehicle cannot join the RSU’s communication group to release any messages. This means that the proposed authentication protocol supports the traceability and revocability property.
6. Performance Evaluations
In this section, we evaluate the performance of the proposed authentication protocol and compare it with the related authentication protocols in terms of computation and transmission overheads. In our implementation, we use a PC with Intel Core i7 CPU 2.6 GHz and 8 GB memory to run the verification authentication protocol. Then, we use currently very popular experimental platforms, OMNeT++ and SUMO, to implement the proposed authentication protocol and test the indicators of communication performance and reliability.
The various parameters used in the experimental simulation platform are shown in Table 2. In the implementation of our protocol, the point multiplication operations of ECC are based on a 160-bit private key. And we select SHA-256 as the elementary hash function to structure the hash functions used in the proposed authentication protocol (i.e., , ). We use the pairing-based cryptography library  for algorithm experimental verification. The computation overhead of the proposed authentication protocol consists of the vehicle authentication phase and the signature verification phase.
6.1. Computation Overhead Analysis
Table 3 illustrates the experimental results for related pairing-based operations on the Intel Core i7 CPU 2.6 GHz machine. In our simulation, each randomized ID is 1024 bits, and the size of the ECC point is 160 bits. From the results, we observe that the bilinear pairing operation takes 3.61 milliseconds at the application server when averaging over 10 experiments to run the pairing-based operation. Figure 4 further shows the results on Intel Core i7 CPU 2.6 GHz for the above metrics. Furthermore, if the proposed authentication protocol is implemented on a more powerful high-end server, the running time will be greatly reduced, as shown in Table 3.
The main computational cost involved in the proposed authentication protocol is the registration phase, vehicle authentication phase, and message verification phase. However, in the proposed authentication protocol, it is not required to register a large number of vehicles and RSUs at the same time. Therefore, the time consumed in this phase does not require counting in the real-time running process. We focus on the time-consuming vehicle authentication phase and message signing and verification phases. In Table 4, we illustrate the running time of the proposed authentication protocol in different phases.
On the TA side, it is only involved in the system initialization phase and the vehicle verification phase. Note that the system initialization phase can be computed offline, and thus, we omit the computational overhead of this phase. And the TA’s computation cost in the vehicle verification phase is . On the OBU side, it is involved in the vehicle authentication phase, vehicle verification phase, message signing phase, and message verification phase. On the RSU side, it is only involved in the following stages: vehicle authentication and vehicle verification. From the proposed authentication, it is easy to find that the OBU is involved in almost all phases, except the identity tracking and revocation phase. Table 4 gives the detailed numbers.
From Table 4, we can see that if there are many message signatures for the OBU to verify, it will take a long time to run the message verification phase. To speed up the verification process, the proposed authentication protocol uses the batch authentication manner (see equation (12)) to reduce the time of pairing computation. We can analyze that the computation overhead in the single authentication manner is from equation (10). And the computation overhead in the batch authentication manner is only from equation (12). As a result, we can reduce the number of pairing computation from to only 3. In Table 5, we have compared the computational cost of the proposed authentication protocol with the related works for each step.
6.2. Communication Overhead Analysis
We assume that the vehicles and RSUs have the same communication speed. Then, the communication overhead can be estimated by the length of messages. In our implementation, we adopt SHA-256 as the elementary hash function to structure the hash function, whose output length is 32 bytes. We use the vehicle identification number (VIN)  proposed by the International Organization for Standardization as the identifier of the vehicle. In Table 6, we illustrate the default length of the elements used in the proposed authentication protocol.
In the vehicle authentication phase, the communication overhead is mainly caused by the authentication request message . Just as summarized in the previous part, the sizes of and are 32 bytes. And the sizes of , , and are 8 bytes, 8 bytes, and 40 bytes, respectively. Therefore, the size of the authentication message is . Similarly, the size of the safety-related message is . From Table 7, the communication cost of our protocol is slightly higher than that of the protocols in . However, the proposed protocol provides more security of the vehicle authentication than the related research.
6.3. Authentication Message Loss Rate Analysis
The message loss rate (MLR) is defined by formula (14), where is used to represent the total number of authentication messages, represents the total number of messages received by vehicle , and represents the total number of authentication messages sent by the RSU.
Figure 4 shows the relationship between the message loss rate and the number of vehicles in the system. It can be seen from the simulation results that as the volume of message authentication services increases, the message loss rate is gradually increasing. In addition, in the same environment, we also compare the proposed protocol with the PKI-based protocol and that in  in terms of the message loss rate. It can be found that the message loss rate of the authentication protocol proposed in this paper is the lowest.
6.4. Authentication Protocol’s Delay Factor Analysis
In the simulation environment, we obtained the relationship between different factors and the delay of the authentication protocol by modifying the relevant parameters, such as the speed of the vehicle and the number of vehicles. Figure 5 reflects the relationship between vehicle speed and message delay, and Figure 6 reflects the relationship between the number of vehicles and the delay of authentication messages.
It can be seen from Figure 5 that when the speed is lower than 35 m/s (126 km/h), the increase in vehicle speed does not have much impact on the message delay of the authentication protocol. This shows that the proposed protocol can meet the demand for message delay under the condition of normal vehicle speed. From Figure 6, it is easy to see that when the proposed is used for high traffic density occasions, the authentication message delay time will increase a bit. However, when the number of vehicles in the area covered by an RSU is less than 80, the delay is still relatively small. In fact, the probability that the number of vehicles in the area covered by an RSU exceeds 80 is negligible. Obviously, the message delay of the proposed protocol is very small in the daily traffic environment.
In the future smart transportation system, VANET will play an increasingly important role. The communication security and vehicle privacy protection in VANET are the fundamental requirements for its rapid development. In this paper, we proposed a bilinear pairing-based vehicle authentication and the message verification protocol to solve these problems. To protect user privacy, the proposed protocol uses a temporary pseudoidentity-based anonymous method in the message signing and verification phases. In addition, to improve the efficiency of the proposed authentication protocol, the recipients can verify the traffic-related messages with the single or batch authentication manner. Finally, we give the security and performance analysis of the proposed protocol. The security analysis shows that the proposed authentication protocol can resist various security threats and protect user privacy in the VANET environment. The performance analysis results show that the proposed scheme has lower communication overhead and computational cost when compared with the related protocol. Therefore, the proposed authentication protocol is very suitable for the VANET environment.
Data is available from http://crypto.stanford.edu/pbc/.
Conflicts of Interest
The authors declare that they have no conflicts of interest.
This research was supported by the National Natural Science Foundation of China (Grant nos. 61772477 and U1804263) and the Key Scientific Research Project of Colleges and Universities in Henan Province (no. 21A520048).
R. Lu, X. Lin, H. Zhu, P.-H. Ho, and X. Shen, “ECPP: efficient conditional privacy preservation protocol for secure vehicular communications,” in 2008 Proceedings IEEE INFOCOM - The 27th Conference on Computer Communications, pp. 1903–1911, Phoenix, AZ, USA, April 2008.View at: Publisher Site | Google Scholar
J. Cui, X. Zhang, H. Zhong, J. Zhang, and L. Liu, “Extensible conditional privacy protection authentication scheme for secure vehicular networks in a multi-cloud environment,” IEEE Transactions on Information Forensics and Security, vol. 15, no. 1, pp. 1654–1667, 2020.View at: Publisher Site | Google Scholar
S. S. Manvi and S. Tangade, “A survey on authentication schemes in VANETs for secured communication,” Vehicular Communications, vol. 9, pp. 19–30, 2017.View at: Google Scholar
A.-N. Shen, S. Guo, D. Zeng, and M. Guizani, “A lightweight privacy-preserving protocol using chameleon hashing for secure vehicular communications,” in 2012 IEEE Wireless Communications and Networking Conference (WCNC), pp. 2543–2548, Paris, France, April 2012.View at: Publisher Site | Google Scholar
S. H. Islam, M. S. Obaidat, P. Vijayakumar, E. Abdulhay, F. Li, and M. K. C. Reddy, “A robust and efficient password-based conditional privacy preserving authentication and group-key agreement protocol for VANETs,” Future Generation Computer Systems, vol. 84, pp. 216–227, 2018.View at: Publisher Site | Google Scholar
S. Zeng, Y. Huang, and X. Liu, “Privacy-preserving communication for VANETs with conditionally anonymous ring signature,” International Journal of Network Security, vol. 17, no. 2, pp. 135–141, 2015.View at: Google Scholar
A. B. Shakeel Ahamed, N. Kanagaraj, and M. Azees, “EMBA: an efficient anonymous mutual and batch authentication schemes for VANETs,” in 2018 Second International Conference on Inventive Communication and Computational Technologies (ICICCT), pp. 1320–1326, Coimbatore, India, April 2018.View at: Publisher Site | Google Scholar
Y. Wang, H. Zhong, Y. Xu, J. Cui, and G. Wu, “Enhanced Security Identity-Based Privacy-Preserving Authentication Scheme Supporting Revocation for VANETs,” IEEE Systems Journal, vol. 14, no. 4, pp. 5373–5383, 2020.View at: Google Scholar
D. Hankerson, A. Menezes, and S. Vanstone, Guide to Elliptic Curve Cryptography, Springer, New York, NY, USA, 2004.