Vehicular ad hoc networks (VANETs) are an increasingly important paradigm for greatly enhancing roadway system efficiency and traffic safety. To widely deploy VANETs in real life, it is critical to deal with their security and privacy issues. In this paper, we propose a certificateless conditional privacy preserving authentication (CCPPA) scheme based on certificateless cryptography and elliptic curve cryptography for secure vehicle-to-infrastructure communication in VANETs. In the proposed scheme, a roadside unit (RSU) can verify a large number of received messages simultaneously, so that the total verification time may be sharply decreased. Furthermore, the security analysis indicates that the proposed scheme is provably secure in the random oracle model and fulfills all the requirements on security and privacy. To further improve efficiency, neither map-to-point hash operations nor bilinear pairing operations are employed. Compared with previous CCPPA schemes, the proposed scheme cuts the computation delay of message signing and verification by 66.9%–85.5% and 91.8%–93.4%, respectively, and reduces communication cost by 44.4%. Extensive simulations show that the proposed scheme is practicable, achieves very low average message delay and average message loss ratio, and is thus appropriate for realistic applications.
The speedy evolution of wireless technology has elevated Intelligent Transportation System (ITS) to higher levels and also made vehicular ad hoc networks (VANETs) more attractive from academia and industry [
A typical architecture of the VANETs is shown in Figure
A typical architecture of VANETs.
VANETs emerged from the need to improve driving conditions and road safety. Because traffic-related messages are transmitted over a wireless channel, malicious attackers can easily eavesdrop on, modify, replay, and delete them. Hence, for practical applications of VANETs, the security and privacy challenges need to be tackled.
Given the security attacks mentioned above, message authentication is a crucial security problem for VANETs. In practice, messages from a vehicle (OBU) need to be integrity-checked and authenticated before they are relied upon, because an attacker can replace or modify the original safety messages or even impersonate a vehicle to broadcast bogus messages. Message authentication, which consists of an identity authentication check and a message integrity check, allows a vehicle to differentiate trustworthy messages from other broadcast messages and to resist impersonation and modification attacks. Digital signatures can be used to solve this problem in VANETs: they not only allow the receiver to identify the sender, but also prevent the message contents from being altered in transmission.
Privacy is also a significant issue in VANETs. In real life, vehicle-related private information such as a vehicle’s real identity should be hidden; otherwise, the movement patterns and location of the vehicle can be traced by an attacker. For instance, leaking a vehicle’s traveling routes discloses the privacy of the vehicle and can lead to serious consequences, since the information may be utilized for crimes or traffic collisions. Therefore, the vehicles’ privacy must be ensured in VANETs. Nonetheless, security and privacy sometimes conflict: the former needs to know a message’s origin and integrity, while the latter requires that no entity can trace a message to its generator. Hence, conditional privacy is usually considered in VANETs. That is to say, a vehicle’s privacy is normally guaranteed, but if a malicious vehicle broadcasts fake messages and causes accidents or crimes, a legal authority will be able to trace or retrieve the messages of the vehicle by revealing the vehicle’s real identity.
The conditional privacy-preserving authentication (CPPA) mechanism, which is able to achieve message authentication and conditional privacy simultaneously, is fully appropriate for solving the security and privacy issues in VANETs.
Several research works about privacy preserving authentication for VANETs have been proposed in recent years, which include public key infrastructure based (PKI-based) CPPA schemes [
Based on certificateless cryptography [ An efficient CCPPA scheme for VANETs is proposed without employing map-to-point hash and bilinear pairing operations. The proposed scheme achieves the fast batch message verification. The security analysis shows that the proposed scheme is provably secure under the assumption of elliptic curve discrete logarithm in the random oracle model and satisfies all security and privacy requirements. The performances in computation delay and communication overhead are evaluated. The experimental simulations indicate that the proposed CCPPA scheme is more efficient than schemes in [ An extensive simulation is conducted, and the results demonstrate that the proposed CCPPA scheme has extremely low average message delay and average message loss ratio.
The remainder of this paper is organized as follows. In Section
In VANETs, the security and privacy problems have attracted strong interest and research from industry and academia. Recently, many CPPA schemes for VANETs have been put forward; they can be roughly classified into three categories: PKI-based schemes, ID-based schemes, and certificateless schemes.
In 2004, Hubaux et al. [
To tackle the problem mentioned above, identity-based (ID-based) authentication schemes for VANETs have been proposed. Based on the ID-based cryptography [
To solve the key escrow problem of ID-based schemes as well as the certificate management problem in PKI-based schemes, Horng et al. [
The system model of the proposed scheme is shown in Figure
System model of VANETs.
In the V2I communication scenario, the proposed CCPPA scheme must satisfy the following security requirements.
The elliptic curve cryptography (ECC) was initially introduced by Miller [
An elliptic curve
An infinity point
Elliptic curve discrete logarithm (ECDL) problem [
Elliptic curve discrete logarithm (ECDL) assumption [
Elliptic curve computational Diffie–Hellman (ECCDH) problem [
Elliptic curve computational Diffie–Hellman (ECCDH) assumption [
This section describes a CCPPA scheme for V2I communication. The proposed CCPPA scheme includes the following four phases: system initialization, pseudo identity generation and partial private key extraction, private key generation and message signing, and message verification. The definition of notations used in the present paper is listed in Table
Notations.
Symbol | Description |
---|---|
|
The |
RSU | A roadside unit |
OBU | An onboard unit |
KGC | A key generation center |
TRA | A trace authority |
|
Two large prime numbers |
|
The finite field over |
|
An additive group with the order |
|
A generator of |
|
The |
|
The |
|
Four one-way hash functions, |
|
The KGC’s public key and private key |
|
The TRA’s public key and private key |
|
The |
|
The |
|
The exclusive OR operation |
|
The current timestamp |
|
The valid period of the pseudo identity |
This phase is executed by the two TAs (KGC and TRA) to generate system parameters for all RSUs and OBUs. The following steps are performed in this phase: The TAs randomly choose two large prime numbers The TAs pick a group The KGC randomly chooses The TRA randomly selects The TAs choose four one-way hash functions:
The TAs publish
This phase is executed between the vehicles and the TAs (TRA, KGC). The TRA calculates the pseudo identities for the vehicle The vehicle After confirming the real identity For a given pseudo identity
The KGC sends the pseudo identity and partial private key
At the private key generation and message signing phase, the vehicle The vehicle The vehicle
The signature of a traffic-related message
In this phase, the verifier (RSU) checks the validity of the received traffic-related messages: verifying the correctness of each signature ensures that the corresponding vehicle is not attempting to impersonate any other legitimate vehicle or disseminate false messages. Single message verification and batch message verification are described below.
The verifier receives the message The verifier checks whether The verifier checks whether the equation
The batch message verification can be used to verify multiple messages simultaneously in order to enhance the efficiency of verification. When receiving the distinct The verifier checks whether The verifier checks whether the equation
To detect any invalid signature in batch message verification of
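As an added illustration (not the paper's scheme, whose equations are not reproduced on this page): pairing-free batch verification for a plain Schnorr-style ECC signature, with random per-signature weights and bisection to locate invalid signatures in a failing batch. The curve (secp256k1), the signature form, the weights, the bisection strategy and all function names are assumptions of this example.

```python
import hashlib, secrets
# secp256k1 domain parameters (assumed curve, not taken from the paper)
p = 2**256 - 2**32 - 977
n = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def add(P, Q):  # affine point addition; None is the point at infinity
    if P is None: return Q
    if Q is None: return P
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2 and (y1 + y2) % p == 0: return None
    if P == Q: lam = 3 * x1 * x1 * pow(2 * y1, -1, p) % p
    else: lam = (y2 - y1) * pow((x2 - x1) % p, -1, p) % p
    x3 = (lam * lam - x1 - x2) % p
    return (x3, (lam * (x1 - x3) - y1) % p)

def mul(k, P):  # double-and-add scalar multiplication
    R = None
    while k:
        if k & 1: R = add(R, P)
        P, k = add(P, P), k >> 1
    return R

def h(R, X, msg, ts):  # ordinary hash to an integer; no map-to-point hash is needed
    data = repr((R, X, msg, ts)).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(x, msg, ts):  # returns (public key, commitment R, response s, message, timestamp)
    r, X = secrets.randbelow(n - 1) + 1, mul(x, G)
    R = mul(r, G)
    return (X, R, (r + h(R, X, msg, ts) * x) % n, msg, ts)

def batch_verify(items, randomize=True):  # (sum v_i s_i) G == sum v_i (R_i + h_i X_i)
    s_sum, rhs = 0, None
    for X, R, s, msg, ts in items:
        v = secrets.randbelow(2**80) + 1 if randomize else 1  # verifier-chosen weight
        s_sum = (s_sum + v * s) % n
        rhs = add(rhs, add(mul(v, R), mul(v * h(R, X, msg, ts) % n, X)))
    return mul(s_sum, G) == rhs

def find_invalid(items, offset=0):  # bisect a failing batch to locate bad signatures
    if batch_verify(items): return []
    if len(items) == 1: return [offset]
    mid = len(items) // 2
    return find_invalid(items[:mid], offset) + find_invalid(items[mid:], offset + mid)

# Constructed sample: four vehicles each sign one beacon with the same timestamp
BATCH = [sign(secrets.randbelow(n - 1) + 1, f"beacon {i}", 1700000000) for i in range(4)]
```

With `randomize=False`, two tampered signatures whose errors cancel in the sum pass the single batch equation; the verifier-chosen random weights are what make the batch check sound.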
In this section, the security analysis of the proposed CCPPA scheme for VANETs is provided. We describe the security model and prove the security of the proposed scheme under the random oracle model. Then, an evaluation on the security requirements of the proposed scheme as well as its comparison with other schemes in [
According to certificateless cryptography [
The following queries can be made by
The security of the proposed CCPPA scheme is defined by the following two interaction games: Game 1 and Game 2 between the adversary
The success probability of the adversary
A CCPPA scheme for VANETs is secure against Type I adversary
The success probability of the adversary
A CCPPA scheme for VANETs is secure against Type II adversary
The proposed CCPPA scheme for VANETs is existentially unforgeable under the ECDL assumption in the random oracle model.
This theorem is proved based on
The proposed CCPPA scheme for VANETs is existentially unforgeable against Type I adversary
Assuming that polynomially bounded Type I adversary
To keep consistency and respond rapidly,
If the list If the list
If the list If the list
If the list If the list
If the list If the list
If the list If the list
If the list If the list
If the list If the list
If the list If the list
Following equations (
Finally,
After completing the above simulation, we will analyze the probability and time of
Assuming that
The probability of failure in handling a partial private key query resulting from a conflict on
The running time of
The proposed CCPPA scheme for VANETs is existentially unforgeable against Type II adversary
Assuming that a polynomially bounded Type II adversary
If the list If the list
If the list If the list
Finally,
Same to
Assuming that
The probability of failure in handling a sign query because of a conflict on
The running time of
An evaluation on the security of the proposed scheme as well as its comparison with other schemes is conducted in this subsection.
Table
Security comparisons.
Security | [ | [ | [ | [ | [ | The proposed scheme |
---|---|---|---|---|---|---|
Message authentication | ✔ | ✔ | ✔ | ✘ | ✔ | ✔ |
Identity privacy preserving | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ |
Traceability | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ |
Unlinkability | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ |
Role separation | ✘ | ✘ | ✘ | ✔ | ✔ | ✔ |
Key escrow resilience | ✘ | ✘ | ✘ | ✔ | ✔ | ✔ |
Resistance to replay attack | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ |
Resistance to modification attack | ✔ | ✔ | ✔ | ✘ | ✔ | ✔ |
Resistance to impersonation attack | ✔ | ✔ | ✔ | ✘ | ✔ | ✔ |
Resistance to man-in-the-middle attack | ✔ | ✔ | ✔ | ✘ | ✔ | ✔ |
According to Table
In this section, the computation delay and communication overhead of the proposed CCPPA scheme are compared with the identity-based CPPA schemes [
The computation delay for the message signing and message verification is evaluated. For computation complexity estimation, the time cost for performing the cryptographic operations is defined below. Let
In terms of the proposed CCPPA scheme, He et al.’s scheme [
To quantify the running time of the cryptographic operations, the MIRACL Crypto SDK [
Execution time of cryptographic operation (in milliseconds).
Cryptographic operation | Execution time |
---|---|
Bilinear pairing | 9.0791 |
Map-to-point hash function in bilinear pairing | 9.7052 |
Scalar multiplication in bilinear pairing | 3.7770 |
Scalar multiplication in ECC | 0.8310 |
Based on the experiment results, the computation delay of the proposed CCPPA scheme, He et al.’s scheme [
Comparison of computation delay.
Scheme | A message signing | A message verification | | |
---|---|---|---|---|
[ | 2 | 3 | 2 | ( |
[ | 2 | 3 | 2 | ( |
[ | 2 | 4 | 2 | (2 |
[ | 2 | 3 | 2 | 3 |
[ | 2 | 3 | 2 | 3 |
The proposed scheme | 3 | 4 | 3 | (2 |
In terms of the computation delay of one message signing, He et al.’s scheme [
In terms of the computation delay of one message verification, He et al.’s scheme [
The computation delay for one message and its correlation with the number of messages (
Computation delay. (a) Computation delay in one message signing and verification. (b) Signing delay vs number of messages. (c) Verification delay vs number of messages.
To obtain computation delay of multiple (
As is shown in Figure
Therefore, the proposed scheme is clearly superior to the other CCPPA schemes in [
In this subsection, the proposed scheme is compared with He et al.’s scheme [
Comparison of communication cost.
Scheme | Send a message | Send |
---|---|---|
[ | 155 bytes | 155 |
[ | 175 bytes | 175 |
[ | 175 bytes | 175 |
[ | 351 bytes | 351 |
[ | 351 bytes | 351 |
The proposed scheme | 195 bytes | 195 |
In He et al.’s scheme [
In Lo and Tsai’s scheme [
In Wu et al.’s scheme [
In Horng et al.’s scheme [
In the proposed scheme, the message
The comparison on the communication costs of one message and multiple messages is shown in Figure
Communication cost. (a) Communication cost of one message. (b) Communication cost vs number of messages.
The popular network simulator ns-3.26 [
Road scenario for simulation.
In our road scenario, the RSUs are assigned every 500 m along each road, and each vehicle broadcasts traffic-related messages every 300 ms. The vehicles are distributed at random on the road and move toward randomly selected intersections. The important simulation parameters are summarized in Table
Simulation parameters.
Parameters | Values |
---|---|
Wireless protocol | 802.11p |
Channel bandwidth | 6 mbs |
Buffer size | 1 M bytes |
Simulation area | 1000 m |
Number of RSU | 9 |
Simulation time | 200 s |
Network simulation tool | ns-3.26 |
Traffic simulation tool | SUMO |
Vehicle speed | 10–50 m/s |
Generally, the average message delay
The
The
Two experiments are conducted to analyze the influence of the vehicle density on
Average message delay and message loss ratio under different number of vehicles. (a) Average message delay vs number of vehicles. (b) Average message loss ratio vs number of vehicles.
Figure
Figure
Two experiments are conducted to evaluate the impact of speed of vehicles on
Average message delay and message loss ratio under different speed of vehicles. (a) Average message delay vs speed of vehicles. (b) Average message loss ratio vs speed of vehicles.
Figure
Figure
This paper has presented a novel and efficient CCPPA scheme for V2I communication in VANETs. The proposed scheme is not only provably secure in the random oracle model under the ECDL assumption, but also satisfies all security requirements such as message authentication and conditional privacy preserving. Furthermore, the proposed scheme does not need any map-to-point hash operations or bilinear pairing operations. The performance evaluation demonstrates that the proposed scheme is more efficient in terms of computation delay and communication cost than two recently proposed CCPPA schemes. Extensive simulation results indicate that the proposed scheme is feasible in terms of average message delay and average message loss ratio, and thus the proposed scheme is extremely appropriate for realistic VANETs.
The data used to support the findings of this study are included within the article.
The authors declare that there are no conflicts of interest regarding the publication of this paper.
This work was supported by the Natural Science Foundation of Shaanxi Province under grant 2018JM6081 and the Project of Science and Technology of Xi’an City under grant 2017088CG/RC051(CADX002).