Obfuscated RSUs Vector Based Signature Scheme for Detecting Conspiracy Sybil Attack in VANETs

Given the popularity of vehicular ad hoc networks (VANETs) in traffic management, a new challenging issue arises for traffic safety: the security of the networks, especially when the adversary breaks the defence. A Sybil attack, for example, is a potential security threat in which an adversary forges several identities to carry out attacks in VANETs. This paper proposes a solution named DMON, a Sybil attack detection method with obfuscated neighbor relationship of Road Side Units (RSUs). DMON presents a ring signature based identification scheme and replaces vehicles' identities with their trajectory for the purpose of anonymity. Furthermore, the neighbor relationship of RSUs is obfuscated to preserve the privacy of locations. The proposed scheme has been formally proved in terms of security and performance. Simulation has also been implemented to validate the scheme, and the findings reveal lower computational overhead and a higher detection rate compared with other related solutions.


Introduction
Generally, VANETs require that all connected vehicles register with given identity codes, just like the plate number in reality [1]. However, most vehicle users expect their identity information to be preserved in VANETs, for they are afraid that their travel will be leaked along with the identity. Thus, anonymous methods are employed to protect their privacy [1,2]. The Sybil attack is a typical security threat from malicious vehicles, which can take more communication resources or offline economic profits through multiple identities [3]. The false traffic messages from attackers not only cause congestion but also increase the risk of traffic accidents [1,4].
Most recent Sybil detection methods can be grouped into two types: hardware based schemes [5][6][7][8] and cryptology based identification methods [9][10][11][12][13]. The hardware based scheme commonly applies technologies of signal strength [5][6][7] or resource testing [8]. However, the overdependence on hardware restrains its application; moreover, the high cost of hardware improvements is another drawback for users who want to connect their vehicles to VANETs. The cryptology based scheme adopts identity authentication technology which is independent of vehicles and compatible with an identity based management system [1]. Thus, the cryptology based scheme becomes the main solution for attack detection in VANETs. Although network users benefit from identity authentication and attack detection technologies, risks still exist in preserving users' privacy.
Conspired Sybil attacks are first presented in [14], in which attackers can masquerade as conspiracy vehicles using their identities in order to send malicious messages to other vehicles nearby. However, conspired Sybil attacks cannot be prevented efficiently, because current detection schemes suppose that identities are always held securely. For Sybil attack detection, a reputation system based scheme was presented in [14]. A reputation system issues a trust value for each node, which can be reduced by a distrustful or malicious behaviour [15][16][17]. Thus, Sybil attackers can be distinguished based on the trust value. The identities with lower values will be considered malicious nodes and ruled out no matter where these identities come from, either bound vehicles or faked attackers. However, as noted in [17], two significant features should be considered for VANETs: firstly, VANETs do not allow decreasing the reputation after serious traffic accidents to prevent another attack, because the damage to life and property in this attack cannot be repaired; secondly, most vehicles replace their identities with pseudonyms or authorized messages to achieve privacy preserving, and it is difficult to associate an ID with a vehicle and a trust value with an ID, respectively.
This paper proposes a method that completes identity certificate through tracing vehicles' wheel path based on RSUs. The method authenticates vehicles' identification in an anonymous manner just as the trajectory based signature scheme in Footprint [10,18]. RSUs' neighbor relationship is also obfuscated to prevent trajectory privacy from being leaked to RSUs and other vehicles. Our main contributions can be highlighted as follows:
(i) A ring signature scheme is proposed as secret material to generate identity certificate of vehicles. The signature includes a vector with concealment information of the signing RSU's neighbor relationship.
(ii) Location privacy is preserved by obfuscating the mapping function between relationship vector and RSUs' adjacent connections. However, the obfuscated vector still marks and conceals the RSU's neighbors.
(iii) A method is presented to compute the adjacent connection of two RSUs using the obfuscated vectors of two RSUs. With this method, RSUs and vehicles can determine whether two RSUs are located in a two-hop neighbor area without knowing the relationship concealed in the vector.
The rest of the paper is organized as follows. Section 2 describes the related work and an example of conspiracy Sybil attack. Section 3 illustrates the architecture of VANETs and the research objectives. Section 4 gives a brief description of the protocol. Section 5 conducts performance evaluation of the proposed method. Section 6 concludes the whole research.

Related Work
A Sybil attack is an attack by forging multiple identities, first presented in peer-to-peer networks by Douceur [19]. In fact, Sybil attacks also happen in ad hoc networks [3], sensor networks [7,20], and VANETs [6,9,10]. This work will focus on an identity authentication scheme that benefits from the identification based Sybil attack detection.
Pseudonyms were first used as a privacy protected scheme for identification of vehicles. Zhou et al. [9] proposed a pseudonym based Sybil attack detection scheme for privacy preserving. In the scheme, the Trust Authority distributes a number of pseudonyms for each vehicle. Abused pseudonyms can be detected by RSUs. Since RSUs are heavily involved in the detection process, this scheme requires the full coverage of RSUs in the field and leaves RSUs somewhat overloaded in computation and communication. What is worse, in such a scheme, vehicles should be managed by a centralized trusted center. If there is no online centralized trusted center, pseudonym based identification is invalid against conspiracy Sybil attack, for the attacker can borrow some pseudonyms from the conspired vehicles, and it is difficult to detect because each vehicle has many pseudonyms. Each time an RSU detects suspicious pseudonyms, it should send all the pseudonyms to the trust center for further decision, which makes the trust center the bottleneck of the detection.
Lee et al. [11] lighten RSUs' load by only relaying messages for vehicles, and malicious vehicles will be recognized by a local VANET server (LCertVANET). Hussain et al. [12] proposed a privacy-friendly RSU driven Sybil attack detection, in which a vehicle should have obtained "tokens" from BRSU before reporting any event. Lin et al. [13] proposed an efficient local Sybil resistance scheme. In [13], the RSU periodically broadcasts an authorized time stamp to vehicles in its vicinity as the proof of appearance at this location. Vehicles collect these authorized time stamps which can be used for future identity verification. Park et al. [21] present an approach where RSUs are the only components issuing the certificates. In these schemes, if a vehicle signs two or more signatures in the same time period, it would be judged as the Sybil vehicle. In these methods, a different method for identification was presented, in which vehicles obtain secret materials from an authorized Trust Authority (TA) to generate their tokens served as the identity certificates, but vehicles' unique ID and master key are registered and downloaded from a VANET server and will not be revealed in the authentication process. Unfortunately, the failure of any RSU will lead to no relaying message, no tokens, and no stamps; then vehicles near the failed RSU will be unable to report any event in the scheme.
The Sybil detection schemes in [10,18] utilize location information to realize identification. Footprint [10] has been proposed to use the trajectories of vehicles for identification while still preserving the anonymity and location privacy of vehicles. However, it fails in detecting conspiracy Sybil attack; in particular, the conspired identity certificates are obtained from malicious vehicles that are far away from the area of the Sybil attacker. Figure 1 shows an example of conspiracy Sybil attack: the attacker   came from RSU 1 to RSU 6 ; he will have the certificate assigned by { 1 ,  3 ,  5 ,  6 }. If   has conspired with  1 ,  2 , and  3 and gets their ID materials, then he can obtain the certificate of  1 with trajectory { 2 ,  3 ,  5 ,  6 } and  2 and  3 with trajectory { 4 ,  5 ,  6 }, although  1 ,  2 , and  3 did not come to RSU 6 . That is to say,   gets 4 identity certificates and fakes that all 4 vehicles came into RSU 6 ; then   can cheat the traffic system to get more resource with his multiple identity certificate.
We propose DMON (a Sybil attack detection method with obfuscated neighbor relationship of RSUs) in this paper, which is based on the idea of using Footprint as vehicles' identity certificates. However, the neighbor relationship of signed RSUs is set in the certificates, and the adjacent connections are obfuscated in their relationship vectors. Based on these technologies, the conspired identity certificates can be detected with the signed relationship vectors; meanwhile, vehicles' locations are preserved as well as the adjacent connections of RSUs.

System Model and Design Objective
In vehicular networks, a moving vehicle can communicate with other neighbor vehicles or RSUs via vehicle-to-vehicle communications and roadside-to-vehicle communications. RSUs are commonly connected together and have access to the Internet. Thus, RSUs are called road side infrastructures and the VANETs are named the Internet of Vehicles. This section will introduce key components of VANETs as well as their formal definitions and then illustrate in detail what a conspiracy Sybil attack is, including some security assumptions and design objectives.

System Model and Formulized Symbol.
The components of VANETs in security research include Trust Authority (TA), Road Side Units (RSU), and vehicles with on-board unit (OBU), and there are two communication models: V2V (Vehicle-to-Vehicle) and R2V (RSU-to-Vehicle) communications. Figure 2 illustrates the system architecture. We illustrate the components of Figure 2 in detail as follows.
Trust Authority (TA). Trust Authority (TA) is assumed to be completely trustable and secure. In a security system, TA is responsible for security operations requiring a trusted third party of the system, such as key management and secret material generation.
Road Side Units (RSU). Road Side Units (RSU) can be deployed at intersections or any area of interest to provide wireless access to vehicles as a wireless AP. All RSUs are connected with each other, have access to the Internet, and have a secure channel with TA. An RSU is equipped with a wireless module and can send messages to the vehicles located in the nearby area. In this paper, we assume that there are  RSUs in the VANET, denoted as That is to say, each RSU in VANET will map a number , 1 ≤  ≤ , and   ∈ RSU is satisfied.

On-Board Unit (OBU).
Vehicles are equipped with OBU. With current technologies, OBUs are capable of carrying out cryptographic computations. Vehicles call for authorized information from RSUs with OBUs. We denote that the number of vehicles in the VANET is , and the set of vehicles could be formulized as follows: We also give the formulized symbol and its description in Notations; these will be used in the remainder of this paper.

Conspiracy Sybil Attack.
The conspiracy Sybil attacker is based on abusing multiple identities.There are two ways to obtain the lavished identities from accomplice vehicles.
(i) Attacker takes the accomplice vehicles' identity directly as themselves.
(ii) Attacker sends the accomplice vehicles' identity to the RSU for update and then obtains a new temporal identity certificate.
If an attacker succeeds in getting an identity certificate and passes the authentication, it can launch Sybil attacks. So the Sybil attack detection should be emphasized in identification. However, the conspiracy Sybil attack is different from the others, for its Sybil identities are not faked but borrowed from the lavished accomplice vehicles. We conclude 3 challenges as follows.
First, the Sybil identity certificate is borrowed from vehicles inside the network; it is real and legitimate, and it has the right to pass the identification. We should recognize whether the ID certificate is used by the correct vehicle. It is more difficult than recognizing whether it is a correct certificate.
The second challenge is in the trajectory based identification. The attacker can obtain many authenticated routing messages; then he can fake a new certificate to masquerade a new trajectory based identity as illustrated in Figure 1.
Finally, the Sybil attacker can update the borrowed conspiracy identity certificate, because the attacker and the certificate are real. If the conspiracy certificate is updated by an RSU, then it is totally the same as a certificate of the attacker. Thus, the conspiracy Sybil attacker should be detected before the attacker updates the conspired certificate.

Security Assumption and Design Objective.
In this work, we make assumptions as in [10,12,21,22,23]. for the practical system. But a weak synchronization among RSUs is easy to achieve since all RSUs are interconnected by the RSU backbone network in a wired manner.
In this paper, our objective is to design an identification scheme for detecting conspiracy Sybil attackers in vehicular ad hoc networks. In the meantime, the detection scheme should satisfy the following 3 items.
Privacy Preserving in Vehicles' ID and Location. Vehicles will not conceal the real unique ID Number when they apply for a certificate from RSUs, and the signature should provide unconditional anonymity, as RSUs' information is bound with the location information of passing vehicles.
Online and Independent Detection. Sybil attacks should be detected and prevented before the attack starts. An offline detection may cause unbearable loss of life and property before the attack is found. The detection should also be independent, for collaboration with other RSUs will cause more information leakage and require a higher density of RSU deployment.
High Efficiency and Low Overhead. Due to the high mobility of vehicles, the signature and authentication program should also consider the efficiency requirements in terms of low computation overhead and rapid authentication.

DMON
DMON is a Sybil attack detection method using obfuscated neighbor relationship of RSUs, which is based on cryptographic ring signature. We set a label vector of the signing RSU's neighbor relationship into a ring signature scheme [22] to obtain unconditional anonymity and linkable attribution and then hide the adjacent connection relationship of RSU by obfuscating the label vector. Finally, we can detect the Sybil identity certificate by the relation information hidden in the label vectors.

System Initialization
Initializing TA. Let G be a group of prime order  such that the underlying discrete logarithm problem is intractable. Let  : {0, 1} * → G and   : {0, 1} * → Z  be two hash functions. The TA chooses two public parameters  ∈ G, ℎ ∈ G. The TA generates the public parameters Sys P as follows: where PKL is the list of RSUs' public key and Δ is the life period of a RSU signature. The Sys  will be downloaded into the registered RSU and vehicles.
Setting Up RSUs. When each RSU, denoted as   , joins the VANET, TA will send   a pair of keys of public cryptology system (Key pub i , Key sec i ) and save the public key of this key pair in its Public Key List (PKL) of the public parameters Sys .
More specifically, when a new RSU enrolls in the system, TA will update the PKL with a new version number and broadcast this updated PKL to all the RSUs in the system.
Setting Up Vehicles. Once a vehicle   gets in a VANET, it will obtain its registering information and download system parameter Sys  from TA in an offline way, which means the vehicles should not be allowed to register over the Internet. That is to say, the vehicle should be driven to a TA office and the registering information will be written in the hardware of its OBU, just as a vehicle registers in DMV (Department of Motor Vehicles) to get a new plate number. Vehicles communicate with RSUs for the authorized message with a session key. TA will generate some pairs of keys for the registering vehicle, we denote the key pairs as the set {(  pub  ,   sec  ) |  = 1, 2, . . ., }, and then the vehicle can arbitrarily select a pair of keys from this set to communicate with an RSU.

Obfuscation for the Relationship Vectors of RSU.
After the VANET is initialized, we set a neighbor relationship matrix of RSUs, and the matrix is defined as A RSU in (4), where the set of the neighbor nodes of   are denoted as neighb(  ), Let Lab  be a label vector of   (  ∈ { 1 ,  2 , . . .,   }), as shown in Figure 3, which is a random bijection between the column vectors of A RSU and {Lab  |  = 1, 2, . . ., }. Thus, the random bijection obfuscates the mapping relation between the column vectors of A RSU and {Lab  |  = 1, 2, . . ., }. We only know that Lab  is a column vector of A RSU, but we do not know which column of A RSU it is; that is to say, the obfuscation hides the correlation between the vectors and RSU.
Then (5) formulized the obfuscated label matrix composed of the label vector: (5) where → denotes that the label is a mapped neighbor relationship vector of the RSU and the vector of RSU is defined by (4). Usually, the th column of   is denoted as vector   . Obviously,   hides the neighbor relationship of a RSU (denoted as   ), and   saves   but it does not know the hidden relationship in   for the mapping function from RSU to label is random and obfuscated. Further, this obfuscated mapping will be updated by TA after a certain period of time.
Proof. From (4) and (5), when   is a neighbor RSU of   , we have   =   = 1 and   =   = 2; then Thus, (6) is satisfied. In Lemma 4, we assume that a node is not the neighbor of itself, so we let  ≠ . In fact, if we define that  RSU  = 1 when  =  in (4); then the following equation is obtained: Equation (6) is still satisfied. For clarity of illustration, we denote the label vector of   as (  ), when Lab  →   ; that is,  (  ) ≡   when Lab  →   . (9)

Ring Signature Based Identification.
In DMON, registered vehicles should apply for signed messages from the RSU they are passing, and the signature will be used as the secret material to generate their identity certificates. An identity certificate will be updated if the owning vehicle passes the authentication of another RSU. The signature of RSU, the identity generation, and the updating process will be discussed in this subsection.

Temporal Identity Generation.
When a vehicle   approaches a RSU, denoted as   , it calls for authorized messages by sending one of its public keys  0 =   pub  to   . Then   generates a message  1 as follows: where (  ) is the obfuscated label vector as defined by (9) and   is the sending time recorded from   's application message that belongs to period [  ,  +1 ] as mentioned before.
Then   signs the message  1 and obtains Sign R p (M 1 ). Considering the location privacy, we chose the ring signature scheme of Liu et al. [22] to provide the RSU anonymity, for its security and efficiency.
Figure 4: Temporal identity generation protocol.
After receiving  1 , vehicle   encrypts Sign   ( 1 ) by the secret key of the pair (  pub  ,   sec  ) and obtains the core material of its temporal identity Id   (  ,   ); that is, where symbol ∝ illustrates that Encrypt   sec(Sign   ( 1 )) is only a core component and is not equal to Id   (  ,   ). The complete description of Id   (  ,   ) is given in (16). Figure 4 gives a concise illustration for the temporal identity generation protocol, and the detailed description of the algorithms in the protocol is as follows. It is assumed that the system is driven by the time period event. We denote that the current time   belongs to time period [  ,  +1 ], and the public key pair of   is (Key pub  , Key sec  ). In discrete logarithm based signature, we denote that Key sec  = (, ) , (12) where  and  are prime numbers. With the system parameters defined in (1),   will sign the application from   at the th time period. Algorithm 5 describes the operating process of   in Sign   ( 1 ).
After receiving Sign R p (M 1 ) from   ,   will check the signature Sign R p (M 1 ), and the checking process is described in Algorithm 6. If the signature checking of Sign R p (M 1 ) is passed in Algorithm 6,   can obtain its temporal identity certificate as where   pub  is another public key of   gotten from TA in the setting phase; that is,   pub  ∈ {(  pub  ,   sec  ) |  = 1, 2, . . ., }.

Temporal Identity Update.
In VANETs, vehicles ask for authentication when driving in the area of a new RSU. This subsection considers the authentication process of a vehicle   coming from the area of   and joining in the area of   , and we let   update the identity certificate of   .
Figure 5 gives a concise description of the updating process of the temporal identity, and Protocol 7 gives detailed operation and computing process, where Id   (  ,   ) was denoted in (16),  1 was defined by (10), Sign   ( 1 ) denotes message  1 signed by   , and Algorithm 6 was presented in Section 4.3.1.
Protocol 7 (update protocol of vehicle's temporal identity).
Step 1.   send Id   (  ,   ) to   and request an update. Step obtains Sign R q ( 2 ) by using Algorithm 6 to sign on  2 and sends  2 ‖ Sign   ( 2 ) to   .
In Figure 1, when a vehicle   calls for an identity update, it sends its current temporal identity Id   (  ,   ) to the nearest RSU, denoted as   , where   was the former RSU who signed the current identity and   is the RSU who will sign a new identity in this protocol. After receiving the application message from   ,   starts the checking process as Step 2 in Protocol 7 and then generates and sends  2 ‖ Sign   ( 2 ) to   if the application message passes the checking. And   will obtain the new temporal identity Id   (  ,  +1 ) by Step 3 in Protocol 7.

Detection Method for Conspiracy Sybil Attack.
Obtaining multiple legal identities is the basic and key step of a Sybil attack; thus, we detect the abused identity certificates to prevent the attack. In DMON, we employ multiple pairs of public keys for vehicles and the ring signature scheme of RSU as discussed in [10,22]. The prevention of abuse of multiple public key pairs or the ring signature is also discussed in the related work [10,22]. So we focus on conspiracy Sybil attack in this subsection.
In a conspiracy Sybil attack, the conspired vehicles send their identity information to the attacker; thus, the attacker carries multiple certificates while travelling. There are two situations: one is that the conspired vehicle comes along with the attacker; then we think it is not an attack, for the identity certificate is always generated by the correct vehicle; the other situation is that the conspired vehicles, far away from the attacker, send their identity certificates to the attacker, and the attacker generates a new legal identity by passing the authentication of RSU and further updates the certificate.
Theorem 8. If an attacker  obtains the temporal identity certificate Id   (  ,   ) of a vehicle   , it cannot replace the signature information of   in    ( 1 ), even if it gets the secret key of   .
Proof. We assume that the discrete logarithm problem is hard to solve. If an attacker fakes a new signature New Sign   ( 1 ) to replace Sign   ( 1 ), according to Algorithm 5, it should make the parameters in New Sign   ( 1 ) satisfy (13) and (14).
Assume that  =   ℎ   , where ,   ∈ Z  , if the attacker succeeds in faking the authentication message (tag  ,    ,    ,   ,   ,   1 , . . .,    ),  = 1, . . ., , then we have a linear system of  equations as follows: By the forking Lemma in [24], there is a chance that each successful rewind simulation is at most (/4)  , where  is the probability that an attacker knows all the parameters, but the attacker did not know   .Hence, it is quite a small chance to forge New Sign R p ( 1 ).

Theorem 9. When a vehicle obtains a temporal certificate from R p and updates the certificate in R p by Protocol 7, if
Sign   ( 1 ) and Sign   ( 2 ) cannot be replaced from Theorem 8. Then (  ) and (  ) cannot be altered, which are the label vectors contained in Sign   ( 1 ) and Sign   ( 2 ). According to the proof of Lemma 4, if (  ) T ⋅ (  ) ≥ 2, then there are at least 2 values of , satisfying that   ≠ 0 and   ≠ 0, where Lab  →   and Lab  →   . That is to say,   and   have 2 mutual neighbors RSU at least. Thus,   is the neighbor or 2-hop neighbor of   .
We can conclude that the certificate of our DMON cannot be faked from Theorem 8, and the conspiracy identity certificate from 2-hop away will be detected by Theorem 8. As mentioned before, the conspiracy identity in the nearby area and the abuse of multiple pseudonyms will be detected by the schemes proposed in [10,22], and we can directly use these schemes in DMON. Now we will also limit the life period of the signature message of RSU, which will distinguish the fresh identity from the certificates deliberately assembled by repeated signature. For example, in Figure 1,   may save the used certificates that were obtained when it travelled the routes just like  1 ,  2 , and  3 in the past. In this detection process, it can still use these old certificates with another pseudonym to cheat. Hence, we set a judgment condition in Algorithm 6 to check the freshness and validity of the identity certificate: where time   belongs to time period [  ,  +1 ] and  is the current identification time which should belong to period [ +1 ,  +2 ]. In the meantime, the life period Δ in Sys P should be carefully set: although a short life period could largely increase the detection rate, a longer period will permit a vehicle to drive from one RSU to another and never need to apply for a certificate in the same RSU.
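The two-hop test of Theorem 9 and the freshness condition above can be exercised on a small topology. The following Python example is an addition to this text, not code from the paper; it assumes a 0/1 neighbor matrix with a unit diagonal, models the TA's obfuscation as one secret permutation of the vector coordinates, takes time periods of length Δ starting at 0, and runs on a constructed 8-RSU graph (all function names are illustrative).

```python
import random
from collections import deque

# Constructed road graph (not the paper's Figure 1): 8 RSUs, edges = neighbor pairs.
N_RSU = 8
EDGES = [(0, 1), (1, 2), (1, 3), (2, 3), (3, 4), (4, 5), (5, 6), (6, 7)]


def neighbor_matrix(n, edges):
    """Assumed form of A_RSU: symmetric 0/1 matrix with a unit diagonal."""
    a = [[1 if i == j else 0 for j in range(n)] for i in range(n)]
    for i, j in edges:
        a[i][j] = a[j][i] = 1
    return a


def obfuscated_labels(a, rng):
    """TA side: the label vector of RSU j is column j with its coordinates
    reordered by one secret permutation (assumed obfuscation model)."""
    n = len(a)
    perm = list(range(n))
    rng.shuffle(perm)
    return {j: tuple(a[perm[k]][j] for k in range(n)) for j in range(n)}


def label_product(u, v):
    """Inner product of two label vectors: number of coordinates set in both."""
    return sum(x * y for x, y in zip(u, v))


def hop_distance(a, src, dst):
    """Ground truth used only for checking: BFS hop count on the real topology."""
    dist = {src: 0}
    queue = deque([src])
    while queue:
        cur = queue.popleft()
        if cur == dst:
            return dist[cur]
        for nxt in range(len(a)):
            if nxt != cur and a[cur][nxt] and nxt not in dist:
                dist[nxt] = dist[cur] + 1
                queue.append(nxt)
    return None  # unreachable


def check_update(cert_label, cert_time, own_label, now, delta, threshold=2):
    """Verifier-side decision when a vehicle presents a certificate for update.

    cert_label / cert_time come from the signed message of the former RSU;
    own_label is the verifying RSU's label vector. The verifier never learns
    which RSU cert_label belongs to.
    """
    # Freshness: signed in period i, presented in period i + 1 (assumed reading).
    if int(now // delta) != int(cert_time // delta) + 1:
        return "reject: stale"
    # Locality: a product below the threshold means too few shared neighbors.
    if label_product(cert_label, own_label) < threshold:
        return "reject: signer not within two hops"
    return "accept"


def threshold_is_sound(a, labels, threshold=2):
    """True if every RSU pair reaching the threshold is really within two hops."""
    n = len(a)
    for p in range(n):
        for q in range(n):
            if p != q and label_product(labels[p], labels[q]) >= threshold:
                d = hop_distance(a, p, q)
                if d is None or d > 2:
                    return False
    return True


if __name__ == "__main__":
    a = neighbor_matrix(N_RSU, EDGES)
    labels = obfuscated_labels(a, random.Random(2024))
    print("sound:", threshold_is_sound(a, labels))
    # Certificate signed by RSU 0, presented to its neighbor RSU 1 one period later.
    print(check_update(labels[0], 130, labels[1], 250, 100))
    # Borrowed certificate signed by the distant RSU 7, presented to RSU 1.
    print(check_update(labels[7], 130, labels[1], 250, 100))
    # Old certificate replayed two periods after it was signed.
    print(check_update(labels[0], 30, labels[1], 250, 100))
```

Under this assumed encoding the test is one-directional: a product of at least 2 implies the signer is within two hops, while a two-hop pair that shares a single neighbor scores 1 and is rejected.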

Performance Analysis and Evaluation
Four objectives are given in designing DMON: detecting conspiracy Sybil attack, preserving privacy information (vehicles' ID and Location), achieving online and independent detection, and obtaining high efficiency and low overhead. Section 4.4 describes the detection method, and Theorems 8 and 9 support online and independent detection. This section will evaluate the performance of the proposed scheme in terms of privacy leakage and computation overhead; thereafter, detection rates will be simulated.

Privacy Protection.
Vehicles have two aspects of privacy, identity privacy and trajectory privacy. The ring signature scheme is employed in DMON to ensure the identity privacy.
Trajectory privacy can be guaranteed by Theorem 10.
Theorem 10. An attacker cannot obtain the vehicle's trajectory from the location of RSU included in the identity certificate defined by Algorithms 5 and 6 and Protocol 7.
Proof. In Algorithm 5, a vehicle   will generate tag   =   when it drives in the area of a RSU, where  is abstracted from the random selected public key of   . Thus, RSU signs different messages for different vehicles, and the signature is unlinkable and untraceable. That is to say, the attacker cannot obtain the location and trajectory information from the signed certificate of RSU.
On the other hand, the identity certificate defined in (16) does not reveal any information of RSU in plain text. The label vector (  ) contains the neighbor relationship, but the relationship was obfuscated and hidden by Figure 3, (4), (5), and (9). Unordered obfuscation and periodic update make the other RSUs and vehicles unable to catch the relation between (  ) and   . Hence, the attacker cannot analyze the routing information from the label vector (  ) contained in the signature of RSU.

Computation Cost.
There are four kinds of operations in the ring signature scheme. They are modular addition, modular multiplication, modular exponentiation, and secure cryptographic hash, denoted as Add, Mul, Exp, and Hash, respectively. Since the Exp and Hash operations are far more computationally expensive than the other two operations, we only consider the number of Exp and Hash operations to analyze the computational complexity of this scheme. We evaluate the computation cost of DMON as follows.
(1) Cost of Signing a Signature in Algorithm 5. Once a RSU joins in the system, it first gets the system parameter and computes  and tag   . Then RSUs randomly choose parameters for signature, that is,   ,   ,  1 , . . .,  ℎ−1 ,  ℎ+1 , . . .,   , and compute  1 and  2 . The computed  1 and  2 are both multibases exponentiation. However,  1 ,  2 , , and tag   can be used in the next signature after one-time computing until the certificate updates. Therefore, on most occasions, the RSU just computes the hash value   .
(2) Cost of Signature Verification in Algorithm 6. When a vehicle verifies a signature issued by a certain RSU, it should compute  1 ,  2 , and  0 , where the cost of computing  1 and  2 are almost two multibases exponentiation. So we need two multibases exponentiation and one hash to verify the signature. We contrast the computation overhead of verification of DMON with Footprint [10] as shown in Figure 6.

Performance Simulation.
MOVE [25] and SUMO [26] are used to configure experimental environments. The real world map is downloaded from the TIGER database file, as shown in Figure 7. In this map, there are 383 points and 1,188 road segments in total.
In the simulation experiments, the traffic light is set to get more reliable results. In the situation of traffic congestion, vehicles would wait for a long time, but in smooth traffic, a conspiracy vehicle might pass 2 or 3 RSUs in one minute. The number of Sybil attackers is set as the ratio  = 10% of all nodes. The attackers can independently launch a Sybil attack by the conspired ID, but the conspiracy vehicles are not involved in the attacks.
We first study the influence of RSU deployment on detection. In the experiment, we let the minimum distance between RSUs change from 150 meters to 350 meters; Figure 8 shows an obvious influence on the conspiracy Sybil attack detection, in which sparser RSU deployment would rapidly reduce the system performance. From Figure 8, we argue that 250 is a good minimum distance, at which the RSU quantity is not too large and the false positive error and false negative error are acceptable.
Then we simulate the life period Δ of vehicle identities to analyze its influence. We set the RSUs in 2 steps. First, we deploy RSUs at the intersections which have large traffic volume. Then an RSU is deployed at an intersection if it is more than 250 meters away from the nearest deployed RSU, where 250 meters is a good value concluded from Figure 7. In this way, we deploy 100 RSUs in the map. We define that 2 RSUs are neighbors if the distance between them is less than 400 meters. As shown in Figure 9(a), 10 percent of vehicles are set as conspiracy vehicles in the simulation system; when Δ comes to 200 seconds, the false negative error increases in Figure 9(a). The reason is that attackers have enough time to obtain more valid conspiracy temporal identity certificates. Meanwhile, the false positive drops for the reason that legal vehicles would not be verified illegal for the life period when they collect more temporal identity certificates in their trajectory.
In Figure 9(b), we still set 10 percent of vehicles as conspired, but the conspiracy vehicles are randomly selected by the attacker. Then the false negative is higher than that with static ones in Figure 9(a). The reason is that the mobility of vehicles is independent; an attacker will get more temporal identity certificates if it can choose the conspiracy vehicles nearby.

Conclusion
This paper focuses on a novel conspiracy Sybil attack, which differs mainly in obtaining Sybil identities from conspired vehicles. The forged identities are legal and cannot be detected by a general detection scheme. For this reason, a new detection scheme, named DMON, is proposed to detect conspiracy Sybil attack. DMON applies the signed certificate as the temporal identity of vehicles in VANETs and adopts the neighbor relationship of RSUs to detect faked identity. Meanwhile, an obfuscated label is presented to hide RSU's neighbor relationship with the purpose of preventing trajectory based privacy from leakage. DMON also has limitations in an assumption that indicates information synchronization of all RSUs in signature verification. The assumption is argued to be a little strong in practice, though the independent detection is realized through computing vector product in DMON. In future work, we will focus on identity authentication with local information only.

Figure 3: Obfuscated mapping from RSU to label vector.

Figure 6: Computation cost of signature verification.

Figure 7: Real world map downloaded from TIGER.