A Provably Secure and Lightweight Identity-Based Two-Party Authenticated Key Agreement Protocol for Vehicular Ad Hoc Networks



Introduction
As smart cities become a reality, vehicular ad hoc networks (VANETs) will become increasingly crucial. Therefore, data communications in a VANET are no longer restricted to a small number of vehicles, as such communications can occur among a wide range of vehicles (including driverless vehicles and unmanned aerial vehicles), roadside units (e.g., smart traffic lights), and other supporting infrastructure (e.g., IP-based CCTV). This allows the collection of traffic and other environmental information that can be analyzed to facilitate a smooth city operation. For example, information gathered from hurricane sensors and traffic monitoring devices can help to alert nearby vehicles to avoid a certain route.
In general, a typical VANET setup comprises a trusted authority, some roadside infrastructures, and some smart vehicles. VANETs can provide connectivity among vehicles and other Internet-connected entities and devices (e.g., via other local networks or the Internet). For instance, it can realize efficient vehicle-to-vehicle communications in the Internet Transportation System (ITS) [1], and so on.
Two kinds of communication modes are included in a typical VANET (see also Figure 1), namely, vehicle-to-vehicle (V2V) communication and vehicle-to-infrastructure (V2I) communication. As more and more of the devices and electronic products around us are digitalized and Internet-connected, vehicle-to-everything (V2X) security has become an essential security attribute in our daily life [2].
In VANETs, communication channels between vehicles and nearby roadside infrastructures are usually established using dedicated short-range communication (DSRC) protocols [3]. By using these channels, a vehicle can transmit messages, such as traffic information or conditions, to nearby vehicles and roadside infrastructures at a uniform time period. Such information can be used by drivers to plan, revise, and optimize their routes. Depending on a city's connectivity level, the local traffic control center (a trusted authority) may be able to reroute traffic, make certain adjustments to improve the traffic flow, and hence reduce traffic build up.
As more vehicles and devices join the network, there are operational challenges, for example, to deal with latency (e.g., communication delay) and minimize computational costs. It is known that the computing capability of smart vehicles and roadside units is usually limited in comparison to other computationally powerful devices such as a dedicated laptop or server. In time-critical applications such as VANETs within a smart city, a large volume of traffic and other related information may need to be handled in time for making accurate traffic decisions and timely instructions. In addition, messages exchanged between the different entities (e.g., vehicles and/or devices) in the VANETs can be sensitive and private. Hence, security and privacy are two key properties. However, due to the open nature of VANETs, an adversary can easily obtain sensitive user messages through various attacks such as replay, masquerading, impersonation, and password guessing. The leakage of such messages may have real-world consequences, such as facilitating the planning and execution of a kidnapping or assassination attempt. Therefore, one fundamental design feature is to build a fast and secure communication channel between the different entities in a VANET, such as using two-party authenticated key agreement (2PAKA) protocols or group authenticated key agreement protocols. Specifically, in VANETs, a reliable 2PAKA protocol can help two communication entities to realize mutual authentication and get a valid session key. Unsurprisingly, a large number of 2PAKA protocols have been proposed to facilitate secure message exchange in VANETs. Such protocols are broadly divided into public key infrastructure (PKI)-based 2PAKA protocols, identity (ID)-based 2PAKA protocols, and certificateless 2PAKA protocols (i.e., based on how public keys are generated in these protocols). One limitation associated with PKI-based protocols is the surprising cost incurred in maintaining, issuing, and authenticating a large number of certificates. To mitigate such a limitation, we could use a 2PAKA protocol based on identity-based cryptography (IBC) [4][5][6][7][8][9][10][11]. While ID-based 2PAKA protocols, such as those presented in [5][6][7], could overcome certain shortcomings associated with PKI-based 2PAKA protocols, the bilinear pairing used in these protocols makes them unrealistic for deployment on lightweight devices. Hence, to overcome the inefficiency caused by bilinear pairing, Zhu et al. [12] presented a pairing-free ID-based 2PAKA protocol in 2007. Nevertheless, the protocol suffers from limitations, such as the requirement for significant bandwidth. In recent times, a large number of similar protocols have been designed in the literature. However, most of these protocols provide no security proof, use a weak model to prove security, take more than two communication rounds, or are found to be insecure. Based on the gap Diffie-Hellman assumption, for example, Dang et al. [13] designed a two-round ID-based 2PAKA protocol in 2018, which has a security proof in the eCK model. However, we reveal in this paper that their protocol could suffer from the man-in-the-middle attack, contrary to their claim. In our paper, we will build on their work and introduce a two-round ID-based 2PAKA protocol. We demonstrate that our protocol requires less computation and communication costs, in comparison to the protocol of Dang et al. [13].
Security and Communication Networks
The key properties of our proposed protocol are summarized as below:
(1) Mutual authentication of the two parties and negotiation of the session key can be realized by our ID-based two-party AKA protocol.
(2) We show our protocol achieves strong security in the eCK model, unlike most other existing protocols.
(3) The proposed protocol is two-round and pairing-free. Hence, it is superior to other competing protocols in terms of performance.
The rest of this paper is organized as follows. Some related works on ID-based 2PAKA protocols and background materials (i.e., mathematical assumptions and security attributes relating to ID-based AKA protocols) are introduced in Sections 2 and 3, respectively. Our new ID-based 2PAKA protocol is shown in Section 4. In Sections 5 and 6, we demonstrate the security of the protocol in the eCK model and give the corresponding performance analysis. A comparative summary of the performance between the proposed protocol and the ID-based 2PAKA protocols of [13,14] is also presented in Section 6. The last section concludes the paper.

Related Work
This section reviews related work on ID-based two-party AKA protocols. We first divide these protocols into two types: ID-based 2PAKA protocols with pairings and ID-based 2PAKA protocols without bilinear functions [15,16]. Next, we review the related work on each of the two types in turn:

ID-Based 2PAKA Protocols with Pairings.
The first key agreement protocol employing pairings was presented by Joux [17] in 2000. Then Boneh and Franklin used bilinear pairing to construct the first ID-based encryption scheme in 2001 [18]. After Boneh and Franklin's work, a lot of ID-based authenticated key agreement protocols with pairings have been presented. According to this ID-based encryption scheme, the first ID-based 2PAKA protocol with pairings was presented by Smart [4]. Unfortunately, Shim [19] found that the protocol presented by Smart [4] had some security flaws and constructed another ID-based 2PAKA protocol with stronger security, which used fewer bilinear pairings. In Shim's protocol [19], only one Weil pairing and scalar multiplication were used in the computation of the session key. Meanwhile, Shim declared that his protocol could resist the general attacks. However, the protocol of Shim [20] was shown to suffer from a man-in-the-middle attack in the paper of Hsieh [19].

ID-Based 2PAKA Protocols without Bilinear Pairing Operations.
To eliminate the efficiency flaw in ID-based 2PAKA protocols with pairings, all kinds of ID-based 2PAKA protocols using no bilinear functions have been presented in the last decade. In 2007, the first ID-based 2PAKA protocol using no bilinear operations was presented by Zhu et al. [12] based on an ID-based signature scheme. Nevertheless, their protocol was still inefficient and needed three message exchanges. To reduce communication traffic, Fiore and Gennaro [21] used the exponentiation operation to make an ID-based 2PAKA protocol in 2010. Besides, they proved this protocol's security in the CK model. But this weak security model could not describe the ability of a real adversary well. In the same year, Cao et al. [22] proposed a new ID-based 2PAKA protocol employing no pairings to reduce message exchange. Unfortunately, Cao et al.'s protocol was vulnerable to the ephemeral key reveal attack. After Cao et al.'s work, lots of ID-based 2PAKA protocols using no bilinear functions were proposed, but these protocols still could not deal with the efficiency problem and security issue effectively.
But because ID-based 2PAKA protocols without pairings fit real-time application environments such as VANETs perfectly, cryptologists still put a lot of effort into improving these protocols' performance and security. More recently, some protocols with better properties have been presented. In 2015, Sun et al. [23] presented an improved 2PAKA protocol based on the identity with a security proof in the eCK security model. But the disadvantages were that this protocol used six scalar multiplications on an elliptic curve and that the security proof was incomplete because only a passive adversary was taken into consideration in the security model. After Sun et al.'s work, Ni et al. [24] designed another new ID-based 2PAKA protocol that only needed five scalar multiplications in 2016. In addition, it was proved secure in the eCK security model completely. Although this protocol was far more efficient than previously proposed protocols, the communication traffic was still very large. Then, in 2017, an ID-based 2PAKA protocol including no pairings based on the BAN logic model was constructed by Islam and Biswas [25]. Sadly, their protocol was unsafe.

Preliminaries
In this section, we show several difficult mathematical problems and indispensable security attributes in the ID-based AKA protocol.

Mathematical Assumptions.
The following difficult mathematical problems are some basic tools used to analyze the security of an AKA protocol.
We assume that $q$ is the order of a finite cyclic additive group $G$, where $q$ is a big prime number. Meanwhile, $G$ has a generator $P$.

Essential Security Attributes.
If an AKA protocol is safe and reliable, it must have some essential security attributes, because these security attributes show that the proposed protocol is capable of resisting corresponding attacks. So the security attributes are an important index to measure the quality of a protocol. The following security attributes are some basic conditions that a secure ID-based 2PAKA protocol needs to meet [26][27][28].

Known-Key Security (K-SKS).
Even if the adversary knows all of a protocol's previous session keys, the protocol still keeps the current session key secure.

Forward Secrecy (FS).
The leakage of users' long-term private keys has no impact on the security of preceding session keys. Generally, forward secrecy mainly includes the following two different categories:
(1) Partial forward secrecy. Even though the adversary has known some users' long-term secret keys, session keys made in preceding sessions still remain safe.
(2) Perfect forward secrecy. For any probabilistic polynomial time adversary, learning all long-term secrets is of little help in learning session keys.

Key Compromise Impersonation (KCI) Resistance.
Even though an adversary knows entity A's long-term private key, he still cannot masquerade as any other user to A.

Unknown Key Share (UKS) Resistance.
An adversary makes a group of users believe that they are sharing a secret with him. Actually, this secret should be shared by them and another user (e.g., B holds the viewpoint that a session key is established by itself and an adversary E. In fact, this key is generated by A and B together).

No Key Control (NKC).
No entity can enforce a session key to be preselected or predetermined.

Basic Impersonation (BI) Resistance.
If a party A's long-term secret key is leaked to an adversary, he can make full use of this key to disguise himself as A.

Ephemeral Key Reveal (EKR) Resistance.
Even if an adversary acquires the ephemeral private keys of all participants in a session, the session key is kept private as before.

Our Presented Protocol
We describe our ID-based two-round 2PAKA protocol Π without bilinear pairings in this section. There are three main algorithms included in this protocol Π, namely, setup algorithm, key generation algorithm, and key agreement algorithm. In our protocol, it is worth noting that the trusted authority plays the role of KGC.

Setup Phase.
At this stage, all vital system parameters are generated by the trusted authority performing this setup algorithm with security parameter k.
The specific implementation steps are as follows:
(1) Chooses one additive group $G$ with a generator $P$. Meanwhile, $p$ is the prime order of $G$
(2) Randomly selects a number $s \in Z_p^*$ as KGC's private key, and then calculates $P_{pub} = sP$ as its public key
(3) Picks three high-efficiency hash functions, where public information and preserves the confidentiality of key $s$

Extract Key Phase.
Here, we always suppose every vehicle has its own $ID_i \in \{0,1\}^*$. The trusted authority (acting as KGC) uses the Schnorr signature algorithm to compute these vehicles' long-term private keys. Besides, the trusted authority distributes these key pairs to the corresponding vehicles. The trusted authority does as below:
(1) Randomly picks a number $r_i \in Z_p^*$ for each vehicle, and then calculates $R_i = r_i P$ and
(2) The corresponding vehicle receives the pair $(s_i, R_i)$ sent by using a secure channel. Then, the vehicle can check the validity of its long-term private key after receiving the pair by verifying whether the equation $s_i P = R_i + h_1(ID_i, R_i) P_{pub}$ is satisfied or not. If it passes, the vehicle sets $PK_i = s_i P$ as its long-term public key.

Key Agreement Phase.
After the extract key phase, two vehicles A and B have their own key pair $(s_i, R_i)$ and relevant $ID_i$. Now, A and B want to establish a session key through mutual communication, which is used to keep subsequent data secure. Our new protocol is displayed in Figure 2.

(1) Firstly, the ephemeral private key $a \in Z_p^*$ of vehicle A is randomly chosen, and its ephemeral public key is set as $T_A = aP$. Then, A sends $ID_A$, $R_A$, and $T_A$ to vehicle B:
(2) Meanwhile, a random value $b \in Z_p^*$ is similarly selected as vehicle B's ephemeral private key. Then, B also computes $T_B = bP$ as the ephemeral public key. B transmits $ID_B$, $R_B$, and $T_B$ to A:
(3) After receiving messages from B, A can calculate
(4) In the same way, when B gets the data that A sends, vehicle B can compute
Correctness. The correctness of our protocol is shown as below: (3)
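The extract and key agreement phases above, run end to end; this is an added example, not the authors' code. Assumptions: secp256k1 and SHA-256 stand in for the paper's group and hash functions, $s_i = r_i + h_1(ID_i, R_i)s \bmod p$ is the Schnorr form implied by the verification equation, and the session key hashes the tuple $(ID_A, ID_B, T_A, T_B, SK, aPK_B, s_A T_B)$ that appears as the $H_3$ query in the security analysis, because the page's own session-key equations are missing.

```python
import hashlib
import secrets

# Constructed setting: secp256k1 and SHA-256 stand in for the paper's G and hashes.
FP = 2**256 - 2**32 - 977  # field prime
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141  # order of G
P = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def on_curve(pt):
    return pt is not None and (pt[1] ** 2 - pt[0] ** 3 - 7) % FP == 0

def add(p1, p2):
    """Affine point addition; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % FP == 0:
        return None
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, FP) % FP
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, FP) % FP
    x3 = (lam * lam - x1 - x2) % FP
    return x3, (lam * (x1 - x3) - y1) % FP

def mul(k, pt):
    """Double-and-add scalar multiplication (demo only, not constant time)."""
    acc, k = None, k % N
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt, k = add(pt, pt), k >> 1
    return acc

def hash_parts(tag, *parts):
    """Domain-separated, length-prefixed SHA-256 over byte strings and points."""
    h = hashlib.sha256(tag)
    for part in parts:
        if isinstance(part, tuple):
            part = part[0].to_bytes(32, "big") + part[1].to_bytes(32, "big")
        h.update(len(part).to_bytes(2, "big") + part)
    return h.digest()

def to_scalar(tag, *parts):
    return int.from_bytes(hash_parts(tag, *parts), "big") % N

def rand_scalar():
    return secrets.randbelow(N - 1) + 1

def extract(s, ident):
    """KGC: Schnorr-style long-term key (s_i, R_i) for ID_i."""
    r = rand_scalar()
    R = mul(r, P)
    return (r + to_scalar(b"h1", ident, R) * s) % N, R  # assumed form of s_i

def implicit_pk(ident, R, p_pub):
    """PK_i = R_i + h1(ID_i, R_i) P_pub, which any peer can compute."""
    return add(R, mul(to_scalar(b"h1", ident, R), p_pub))

def key_is_valid(ident, s_i, R, p_pub):
    """Vehicle-side check from the page: s_i P == R_i + h1(ID_i, R_i) P_pub."""
    return mul(s_i, P) == implicit_pk(ident, R, p_pub)

def session_key(id_a, id_b, T_a, T_b, s_me, eph, R_peer, p_pub, initiator):
    peer, T_peer = (id_b, T_b) if initiator else (id_a, T_a)
    if not (on_curve(T_peer) and on_curve(R_peer)):
        raise ValueError("peer sent a point that is not on the curve")
    pk_peer = implicit_pk(peer, R_peer, p_pub)  # derived from ID and R, not sent
    sk = mul(to_scalar(b"H2", mul(s_me, pk_peer)) * eph, T_peer)  # H2(s_A PK_B) a T_B
    u, v = mul(eph, pk_peer), mul(s_me, T_peer)  # A's view: a PK_B and s_A T_B
    if not initiator:
        u, v = v, u  # B computes the same two points as s_B T_A and b PK_A
    return hash_parts(b"H3", id_a, id_b, T_a, T_b, sk, u, v)

def demo():
    ids = (b"vehicle-A", b"vehicle-B")  # constructed identities
    s = rand_scalar()
    p_pub = mul(s, P)
    (s_a, R_a), (s_b, R_b) = extract(s, ids[0]), extract(s, ids[1])
    a, b = rand_scalar(), rand_scalar()
    T_a, T_b = mul(a, P), mul(b, P)
    k_a = session_key(*ids, T_a, T_b, s_a, a, R_b, p_pub, True)
    k_b = session_key(*ids, T_a, T_b, s_b, b, R_a, p_pub, False)
    # R_B swapped in transit for another valid point: A no longer agrees with B.
    k_a_bad = session_key(*ids, T_a, T_b, s_a, a, add(R_b, P), p_pub, True)
    return {
        "key_valid": key_is_valid(ids[0], s_a, R_a, p_pub),
        "wrong_key_rejected": not key_is_valid(ids[0], (s_a + 1) % N, R_a, p_pub),
        "keys_agree": k_a == k_b,
        "tampered_R_breaks_agreement": k_a_bad != k_b,
    }

if __name__ == "__main__":
    print(demo())
```

Each side derives the peer's public key from $(ID, R)$ and $P_{pub}$, so a substituted $R_B$ surfaces as a session-key mismatch rather than as a silently accepted key.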

Security Analysis
In the following content, the security of our protocol Π is displayed in detail.Firstly, it is necessary to give out the eCK security model that we use in our protocol.After that, we give the security proof and some security attributes of our protocol in detail.

Protocol Participants.
There is a set $U$ that is composed of all protocol participants. Every party in set $U$ has a unique $ID_i$ and a corresponding private and public key pair $(s_i, PK_i)$. Besides, $PK_i$ is related to its $ID_i$, and $s_i$ is always generated by the trusted authority (acting as KGC). In the security proof, the ability of each participant is usually described by a probabilistic polynomial time (PPT) algorithm. We consider that a polynomial number of sessions is the maximum that every participant can take part in at the same time. Furthermore, the $s$th session of party $ID_A$ is denoted as $\Pi^s_{A,B}$, which is established by party $ID_A$ and party $ID_B$. If A finally gets a valid session key by communicating with B, we say participant A completes the session $\Pi^s_{A,B}$.
Because $k$ is the security parameter, the size of the session key is $k$ bits. Therefore, the direct guessing attack is successful with probability $O(1/2^k)$. Besides, the role of $H_3$ is the same as a random oracle in the security model. If this random oracle produces no collisions, the event that a session key is jointly owned by two nonmatching sessions occurs with a negligible probability, because two nonmatching sessions cannot have the same $SID$ under the definition of matching session. Namely, the key replication attack's success probability is negligible. Consequently, we only need to consider the success probability of the forging attack.

eCK
Before we analyze a forging attack in detail, we firstly review the GDH problem. This mathematical assumption is that the value $(X = xP, Y = yP)$ is given, where $x, y \in_R Z_p^*$ are unknown, and the aim of challenger S is to get the result of $GDH(X, Y) = xyP$ by using a DDH oracle. Then, a challenger S plays the ID-eCK game with the adversary C who can break the protocol Π. During the game, S must make responses to all kinds of queries of the adversary C. If the adversary C can make a successful forging attack with non-negligible probability, the challenger S can construct a gap Diffie-Hellman solver by using C as a subroutine.
Figure 2: The key agreement phase.
According to the definition of freshness in the eCK model, we need to consider two special cases:
(1) The session $\Pi^t_{B,A}$ is the matching session of the test session $\Pi^s_{A,B}$
(2) There is no corresponding session matching with the session $\Pi^s_{A,B}$
In the first scenario, we only consider a passive adversary who cannot change messages transmitted among all parties. In contrast, in the second scenario challenger S faces an active adversary that could modify the element $R_B$ of party $ID_B$'s long-term secret key. The above analysis shows that the adversary can adopt different attack strategies. So before the challenger S plays the game with the adversary C, S can ensure C's test session is $\Pi^s_{A,B}$ with probability $1/(n(k)^2 q_s(k))$. In addition, S must guess the attack strategy that the adversary chooses from the following six strategies: Obviously, the six cases above cover all attack manners of different adversaries, including the passive adversary and the active adversary. On the basis of the above result, the correct test session and strategy are chosen by challenger S with the probability $1/(6 n(k)^2 q_s(k))$.
(3) For other parties $ID_i$, the challenger S randomly selects $h_i, s_i \in Z_p^*$ as $H_1(ID_i, R_i)$ and long-term private key. Similarly, the challenger can compute $R_i = s_i P - h_i P_{pub}$. Therefore, $PK_i = R_i + h_i P_{pub} = s_i P$ is $ID_i$'s long-term public key. After the above process, for each $ID_i$, the challenger passes $(ID_i, R_i)$ to the adversary C and this new entry
(ii) Queries. In order to deal with $H_1$, $H_2$, $H_3$, and SessionKeyReveal queries from C, the challenger first maintains the corresponding empty lists $H_1^{list}$, $H_2^{list}$, $H_3^{list}$, and $R^{list}$. Then, the challenger S responds to all queries from C as below:
(1) $H_1(ID_i, R_i)$. In the setup phase, when the long-term secret key of each party $ID_i$ is set, S inserts the entry
(3) $H_3(ID_i, ID_j, T_i, T_j, SK, a_i PK_j, s_i T_j)$. Before this query, S keeps an empty table $H_3^{list}$ whose entries are of the form $(ID_i, ID_j, T_i, T_j, SK, a_i PK_j, s_i T_j, h_3)$.
(i) If the corresponding entry is found in $H_3^{list}$, the challenger S responds to the query with $h_3$.
(ii) Otherwise, S checks the whole list $R^{list}$. If $i$ has the correct value $B$ and the target item is stored, S uses the DDH oracle to verify whether and $DDH(PK_i, T_j, s_i T_j) = 1$. If $SK$, $a_i PK_j$, and $s_i T_j$ are correct, S sets $sk_{ij} = h_3$ and inserts the entry $(ID_i, ID_j, T_i, T_j, sk_{ij})$ into the list $R^{list}$. But if the list $H_3^{list}$ does not have the entry or one of $SK$, $a_i PK_j$, and $s_i T_j$ is wrong, S randomly chooses $sk_{ij} \in \{0,1\}^k$ and writes the new information to $R^{list}$.
(iii) If $B$ is not the correct value for $i$, S answers this Send query according to the protocol rule.
(10) Test($\Pi^s_{i,j}$). If the session $\Pi^s_{i,j}$ is $\Pi^s_{A,B}$, S randomly chooses $\beta \in \{0,1\}^k$ and this data is returned to adversary C. Otherwise, S stops playing this game.
(iii) Analysis. If a forgery attack is successfully launched by adversary C with great probability, C must have used $SK = H_2(s_A Y)\,DLOG(X)\,bP$, $a_i PK_B = DLOG(X)\,Y$, and $s_A T_B = s_A bP$ to query the $H_3$ random oracle. To cope with the $GDH(X, Y)$ difficult problem, challenger S checks whether the value of an $H_3$ query from C is using this query. Assume that the probability of the event that a forgery attack is made by adversary C is $Adv^{\Pi}_C(k)$, so S successfully deals with the GDH problem with the advantage
Case 2. The long-term secret keys of $ID_A$ and $ID_B$ are not known by C. The value of $R_B$ still is not modified by C.
(i) Setup. All parties' long-term secret keys and KGC's public key are given by challenger S as follows:
(1) $P_{pub} \in G$ selected by the challenger S is assigned to KGC's public key.
(2) As for $ID_A$, a random value $h_A \in Z_p^*$ is selected by S as the value of $H_1(ID_A, R_A)$. Then, S calculates $R_A = X - h_A P_{pub}$, and $ID_A$'s long-term secret key is given the value $(\Delta, R_A)$. Thus, $X$ is the relevant public key of $ID_A$.
(ii) Queries. To deal with the SessionKeyReveal query and the three hash queries $H_1$, $H_2$, and $H_3$, challenger S stores four tables $R^{list}$ and $H_1^{list}$, $H_2^{list}$, $H_3^{list}$. S answers the queries asked by C in the following ways.
(1) $H_3(ID_i, ID_j, T_i, T_j, SK, a_i PK_j, s_i T_j)$. S has an empty list $H_3^{list}$ in the form of $(ID_i, ID_j, T_i, T_j, SK, a_i PK_j, s_i T_j, h_3)$.
(i) If $H_3^{list}$ already has the relevant entry $(ID_i, ID_j, T_i, T_j, SK, a_i PK_j, s_i T_j, h_3)$, S returns $h_3$ to the adversary C.
(ii) If not, S looks up the target item in the whole table $R^{list}$. If the item is found and the value of $i$ is $A$ or $B$, challenger S verifies whether and $DDH(PK_i, T_j, s_i T_j) = 1$. If all of them are correct, S sets $h_3 = sk_{ij}$ and stores the new entry into the list $H_3^{list}$. If $R^{list}$ has the target entry ($A$ and $B$ are both not the right value of $i$), S assigns $h_3$ to $sk_{ij}$. Then, S adds the new entry to the list $H_3^{list}$. Otherwise, if the corresponding entry does not exist in the list $R^{list}$ or $SK$, $a_i PK_j$, and $s_i T_j$ are not right, S chooses $h_3 \in \{0,1\}^k$ and inserts $(ID_i, ID_j, T_i, T_j, SK, a_i PK_j, s_i T_j, h_3)$ into the list $H_3^{list}$.
(2 and $DDH(PK_i, T_j, s_i T_j) = 1$. If all of them are right, S sets $sk_{ij} = h_3$ and stores the new entry to $R^{list}$. But if this corresponding item is not found or the three values verified by the DDH oracle are not correct, S randomly selects $sk_{ij} \in \{0,1\}^k$ and writes the new data to $R^{list}$.
(ii) If $i$ is equal to $B$, S uses a similar way in the simulation.
(iii) For other conditions, the challenger S responds according to the protocol specification.
It is worth noting that S responds to the $H_1(ID_i, R_i)$, $H_2(s_i PK_j)$, EstablishParty($ID_i$), MasterPrivateKey, SessionKeyReveal($\Pi^s_{i,j}$), and Test($\Pi^s_{i,j}$) queries in the manner of case 1.
(iii) Analysis. Similarly, if the adversary C makes a successful forging attack with non-negligible probability $Adv^{\Pi}_C$, C must make use of $SK = H_2(DLOG(X)\,Y)\,abP$, $a_A PK_B = aY$, and $s_A T_B = bX$ to query $H_3$. To deal with $GDH(X, Y)$, S checks whether the content of an Therefore, the GDH difficult problem can be solved by S successfully with the advantage
Case 3. The temporary private keys of $ID_A$ and $ID_B$ are not revealed to adversary C.
(i) Setup. S assigns the values to all parties' long-term secret keys and KGC's master keys as follows.
(1) $s \in Z_p^*$ is chosen by S as KGC's master secret key and the challenger S also calculates $P_{pub} = sP$. Thus, $P_{pub}$ is its public key. In fact, case 3 simulates MFS.
(2) For each party, S selects $s_i, h_i \in Z_p^*$ at random. S sets $h_i = H_1(ID_i, R_i)$ and calculates $R_i = s_i P - h_i P_{pub}$. So $ID_i$'s long-term secret key is $(s_i, R_i)$. Then, S computes $PK_i = R_i + h_i P_{pub} = s_i P$. In the end, S sends $(ID_i, R_i)$ to the adversary C. In addition,
(ii) Queries. As before, S holds four blank tables $H_1^{list}$, $H_2^{list}$, $H_3^{list}$, and $R^{list}$ to cope with corresponding queries. Those queries from C are responded to by S in the following ways.
(1) $H_3(ID_i, ID_j, T_i, T_j, SK, a_i PK_j, s_i T_j)$. The challenger S has an empty list $H_3^{list}$ in the form of $(ID_i, ID_j, T_i, T_j, SK, a_i PK_j, s_i T_j, h_3)$.
(i) If the list $H_3^{list}$ already has the matching entry, S returns $h_3$ to C.
(ii) Otherwise, S checks the whole table $R^{list}$. If the item is found, S sets $h_3 = sk_{ij}$ and puts the new entry into the list $H_3^{list}$. If not, $h_3 \in \{0,1\}^k$ is randomly chosen by S and the corresponding data is written into to this query with $s$.
A, S aborts. Otherwise, S returns the ephemeral key of $ID_i$ to C.
(5) Send($\Pi^s_{i,j}$, $M$). S maintains an empty list $R^{list}$ in the form of $(ID_i, ID_j, T_i, T_j, sk_{ij})$.
A, S returns $Y$ to C. Then, S searches for the relevant entry in $H_3^{list}$. If the item is found by S, challenger S sets $sk_{ij} = h_3$ and this new entry is added to the table $R^{list}$. Conversely, $sk_{ij} \in \{0,1\}^k$ is randomly selected by S and the corresponding item is inserted into table $R^{list}$.
(iii) For other conditions, S responds to C according to the protocol specification.
(iii) Analysis. Assume that adversary C can make a successful forging attack with non-negligible probability $Adv^{\Pi}_C$. C must make a query to $H_3$ with the input $SK = h_2\,DLOG(X)\,Y$ and $a_A PK_B = s_B X$ and $s_A Y$. To solve the $GDH(X, Y)$, S checks whether the value of an $H_3$ query from C is
Case 4. $ID_B$'s temporary private key and the long-term secret key of $ID_A$ are not acquired by adversary C. For case 4, we can consider this case as case 1. Thus, S can use the similar way used in case 1 to make this simulation. Therefore, the GDH problem is dealt with by S successfully with great advantage
Case 5. Adversary C does not get the long-term secret key of $ID_B$ and $ID_A$'s temporary private key. But the value of $R_B$ is changed by C.

Firstly, KGC's master public key is selected as $X \in G$. For all participants, S randomly chooses $h_i, s_i \in Z_p^*$. Next, S sets $h_i = H_1(ID_i, R_i)$ and gets the value of $R_i = s_i P - h_i P_{pub}$. So $(s_i, R_i)$ is $ID_i$'s long-term secret key. Meanwhile, $PK_i = R_i + h_i P_{pub} = s_i P$ is its long-term public key. Then, for every $ID_i$, challenger S returns $(ID_i, R_i)$ to the adversary C and adds $(ID_i, R_i, h_i)$ to the table H
On the basis of the forking lemma, S restarts the game with adversary C using the same data. Similarly, $h_B'$ is randomly selected and assigned to $H_1(ID_B, R_{B,C})$ by S, and $h_B'$ is not equal to $h_B$. Assume that the probability of a forgery attack launched successfully cannot be ignored. An $H_3$ query must be requested by C with the input $SK = h_2 bY$, $aPK_B = DLOG(Y)(R_B + h_B' X)$, and $s_A T_B = s_A bP$. Then, S does as above.
In order to cope with the GDH, challenger S does a simple calculation on $)^{-1} K$ can be acquired by S. If $\lambda$ is the forking lemma's utilization parameter, the GDH difficult problem can be successfully dealt with by S with the advantage
Case 6. Adversary C knows nothing about the long-term secret keys of $ID_A$ and $ID_B$. But C alters $R_B$'s real value. At first, KGC's public key is assigned by S using a random number $X \in G$. Considering $ID_i$, where $A$ is not the right value of $i$, $h_i, s_i \in Z_p^*$ is selected and $R_i = s_i P - h_i P_{pub}$ is calculated by S.
Then, S makes the equation $h_i = H_1(ID_i, R_i)$ true and gives $ID_i$ the long-term secret key $(s_i, R_i)$. Thus, the relevant public key of $ID_i$ gets the value $PK_i = R_i + h_i P_{pub} = s_i P$. Particularly, for $ID_A$, $H_1(ID_A, R_A)$ is assigned to $h_A \in Z_p^*$ picked by S at random and $R_A = Y - h_A P_{pub}$ can be worked out. Then, the long-term secret key of $ID_A$ gets the value $(\Delta, R_A)$. So its long-term public key is $PK_A = R_A + h_A P_{pub} = Y$. Besides, S sends $(ID_i, R_i)$ of all parties to the adversary C and stores
Similarly, based on the forking lemma, S replays the game with adversary C using the same data. S gets $h_B' \in Z_p^*$ as $H_1(ID_B, R_{B,C})$. We should note that $h_B' \neq h_B$. As above, if the probability of a forgery attack cannot be ignored, adversary C must make an $H_3$ query with the input
Then, S verifies whether such an $H_3$ query from the adversary C exists on the value
In order to deal with the GDH problem, S calculates
Therefore, S can compute $GDH(X, Y) = (h_B - h_B')^{-1} K$. If $\lambda$ is the forking lemma's utilization parameter, the GDH difficult problem can be successfully dealt with by S with an advantage
All in all, because $Adv^{\Pi}_C(k)$ is considered to be non-negligible, $Adv^{GDH}_S(k)$ also cannot be ignored. But this is contradictory to the GDH assumption.
4, and 5, the security still can be held by our protocol while its temporary secret keys are leaked partially. In cases 2 and 6, when the ephemeral keys are compromised completely, this protocol also keeps safe.

Performance Analysis
Within this module, our protocol's performance is analyzed from computational cost and running time. Besides, we display that our protocol is compared with other related protocols [13,14] in terms of efficiency.
In our experiment, an additive group $G$ is selected by us, where $q$ is its order. This group has a generator $P$. The order $q$ is a big prime number with 160 bits and $P$ is a point chosen from a common elliptic curve $E/F_p: y^2 = x^3 + 1$. Here, the number of bits of the prime number $p$ is 512.

Analysis of Computational Cost.
For better computational cost analysis, we firstly give the comparison results between our protocol and some valuable protocols [13,14] in terms of message size in Table 1. Then, on the basis of message size, we analyze their computational cost and give the results in Figure 3.
Assume that the ID of one party is 2 bytes long. In addition, messages exchanged between two parties in our protocol are $ID_i$, $R_i$, $T_i$. Here, $R_i$ and $T_i$ belong to $G$. So the messages are one ID and two points, whose total size is (2 * 8 + 160 * 2)/8 = 42 bytes. Similarly, the size of exchanged messages in Bala et al.'s protocol is also 42 bytes. However, in Dang et al.'s protocol, the messages' size is 62 bytes.
Next, we present the executing time of some basic operations in Table 2.
We have implemented these basic operations in the MIRACL library [30]. The implementations were deployed on a personal computer and the platform's parameters are displayed in the following Table 3.
What deserves our attention is that our protocol is a symmetrical structure. In other words, the parties $ID_A$ and $ID_B$ are making the computational operations at the same time. Thus, we only need to consider the computational cost of one party. In our protocol, the computational operation only includes $T_i = a_i P$. Fortunately, this operation is only a simple scalar multiplication. But among the other two protocols being compared, we can find the computational operations are both four scalar multiplications. When precomputation is considered, there are still three scalar multiplications in Bala et al.'s protocol and two scalar multiplications in Dang et al.'s protocol. The result of computational cost is shown in the following figure. Now, we know the computational operations in the three protocols. Moreover, we can find that most of these computational operations can be completed offline. We can know that a scalar multiplication needs 2.165 ms on the personal computer according to Table 2. Therefore, we can get the respective computational time of the three protocols. In general, we take the precomputation into consideration. So the computational time of Bala et al.'s protocol is 3 * 2.165 ms = 6.495 ms. In Dang et al.'s protocol, it needs 2 * 2.156 ms = 4.33 ms. But in our protocol, we only need 1 * 2.165 ms = 2.165 ms to achieve the required operation. Therefore, our protocol has better performance.

Analysis of Running Time.
Generally, the running time of an AKA protocol is approximately made up of computational time and transmission time. Here, we only need to consider the transmission time, because we already know the corresponding computational time of each protocol. We consider the transmission time to be mainly related to message size and hardware performance. We assume that the hardware devices have similar performance. Hence, the longer the message, the more time is needed to transmit it. Fortunately, we have already analyzed these protocols' message sizes in the analysis of computational cost.

Security and Communication Networks
Table 1 shows that our protocol has a smaller message size than Dang's protocol and the same size as Bala's protocol. Therefore, compared with other ID-based protocols, our protocol can achieve stronger or the same level of security with less running time.
In conclusion, the performance of our protocol is better than that of the other two protocols. Besides, our protocol is superior to Dang's protocol in resisting attacks. Therefore, our protocol has better performance in the VANET environment compared with previous ID-based 2PAKA protocols.

Conclusion
To be able to deal with the increasing demands of VANETs (e.g., due to the increasing number of connected vehicles and devices), we constructed a new efficient identity-based 2PAKA protocol in this paper.
This protocol was designed to provide an authentication function and a session key to two users in an efficient way. Besides, we showed that our protocol has strong security in the eCK model, and it outperforms two other recently proposed 2PAKA protocols [13,14].
Future research includes extending the protocol to achieve other desirable properties, as well as implementing an initial model of the extended protocol for evaluation in a practical application.

(i) Case 1. $ID_B$'s long-term secret key and $ID_A$'s temporary private key are not leaked to adversary C. Meanwhile, C transmits $R_B$ correctly.
(ii) Case 2. The long-term secret keys of $ID_A$ and $ID_B$ are not known by C. The value of $R_B$ still is not modified by C.
(iii) Case 3. The temporary private keys of $ID_A$ and $ID_B$ are not revealed to adversary C.
(iv) Case 4. $ID_B$'s temporary private key and the long-term secret key of $ID_A$ are not acquired by adversary C.
(v) Case 5. Adversary C does not get the long-term secret key of $ID_B$ and $ID_A$'s temporary private key. But the value of $R_B$ is changed by C.
(vi) Case 6. Adversary C knows nothing about the long-term secret keys of $ID_A$ and $ID_B$. But C alters $R_B$'s real value.

Case 1.
$ID_B$'s long-term secret key and $ID_A$'s temporary private key are not leaked to adversary C. Meanwhile, C correctly transmits $R_B$.
(i) Setup. The challenger S initializes the long-term keys of all parties and KGC's public key as follows:
(1) The challenger S chooses the value $P_{pub} \in G$ at random as the KGC's public key.
(2) Challenger S randomly chooses $h_B \in Z_p^*$ as $H_1(ID_B, R_B)$ and calculates $R_B = Y - h_B P_{pub}$. So we can know $PK_B = R_B + h_B P_{pub} = Y$ is the long-term public key of $ID_B$. $ID_B$ can get its long-term secret key's value $(Δ, R_B)$.

2 and returns h 2
to the adversary C.
Model. Without loss of generality, an adversary C always is deemed as a PPT algorithm in the security model.
is established by $ID_A$ and $ID_B$ together. Adversary C can only use the following three methods to get the correct value of test session key.
Forging attack. Adversary C can query $H_3$ random oracle with the input ($ID_A$, $ID_B$, $T_A$).
After requesting this query, a legitimate user $ID_A$ can be registered. But the adversary can acquire $ID_A$'s private key. In addition, party $ID_A$ is considered to be dishonest.
(vi) Send($\Pi^s_{A,B}$, M). A message M is transmitted to $\Pi^s_{A,B}$ by adversary C. After receiving this message, $\Pi^s$
Proof. On the basis of ID-eCK security, we know the two properties in Definition 3 are the basic conditions that a secure AKA protocol should satisfy. We can know the second condition is met in the correctness of our protocol. Next, we show that the first condition also can be met in the following content. In the eCK security model, our protocol $\Pi$'s security parameter is specified as k. Meanwhile, the maximum value of truthful users activated by an adversary is n(k). The symbol $q_s(k)$ is the maximum number of sessions that each party can take part in. Besides, it is also an assumed condition that the test session selected by adversary C is $\Pi^s_{A,B}$, which
A, $T_B$, $SK_A$, $aPK_B$, and $s_A T_B$). Obviously, the adversary C calculates the value ($SK_A$, $aPK_B$, and $s_A T_B$) by itself.
$H_2(s_i PK_j)$. When C launches an $H_2$ query, S first searches for the relevant entry in the whole list $H_2^{list}$. If S finds the entry out, S transmits $h_2$ to C. Conversely, S computes $s_i * PK_j$ and checks whether this value is already in $H_2^{list}$ or not. If the $H_2^{list}$ has the corresponding value, the challenger gives $h_2$ to C. Otherwise, S chooses $h_2 \in Z_p^*$ at random. Then, S inserts the entry ($s_i$, $PK_j$, $s_i PK_j$, $h_2$) to $H^{list}$
StaticKeyReveal($ID_i$). If $i = B$, S aborts. Otherwise, the challenger provides C with ($s_i$, $R_i$).
(6) MasterPrivateKeyReveal(). The challenger S aborts.
(7) EstablishParty($ID_i$). For this query, the challenger S chooses $s_i, h_i \in Z_p^*$ at random. Then S assigns the value of $H_1(ID_i, R_i)$ to $h_i$ and calculates $R_i = s_i P - h_i P_{pub}$. Finally, S sends ($s_i$, $R_i$) to C as its long-term secret key. Therefore, the adversary C can control $ID_i$ completely, it is because the long-term secret key of $ID_i$ is known by C.
, M). A blank table $R^{list}$ is held by S whose element is ($ID_i$, $ID_j$, $T_i$, $T_j$, $sk_{ij}$) for the Send query. If the value of i is B and M = W, S selects $b \in Z_p^*$ at random and returns the $bP$ to C. Besides, S verifies whether DDH($H_2(s_j$
3) Using the same method, S selects $h_B \in Z_p^*$ at random as $H_1(ID_B, R_B)$ for the party $ID_B$ and calculates $R_B = Y - h_B P_{pub}$. So $ID_B$'s long-term secret key can be assigned to the value $(Δ, R_B)$. Additionally, $ID_B$'s corresponding public key is $PK_B = R_B + h_B P_{pub} = Y$.
(4) Considering about other parties $ID_i$, where $i \neq A$ and $i \neq B$, challenger S randomly chooses $h_i, s_i \in Z_p^*$. Similarly, S sets $h_i = H_1(ID_i, R_i)$ and computes the relevant value of $R_i = s_i P - h_i P_{pub}$. Thus, the long-term secret key of entry $ID_i$ is ($s_i$, $R_i$). Its public key is $PK_i = R_i + h_i P_{pub}$. S sends ($ID_i$, $R_i$) to the adversary C, and this new entry
If i is equal to A, its temporary secret key is $a \in Z_p^*$ picked up by challenger S at random and the value $aP$ is given to C.
Next, S seeks the relevant item in the table $H_3^{list}$. If the entry exists, S checks whether DDH($h_2$
i). If A or B is the correct value of i, challenger S terminates this program. Otherwise, ($s_i$, $R_i$) is transmitted to C.
(4) Send($\Pi^s_{i,j}$, M). As before, a blank table $R^{list}$ is held by S, the form of which is ($ID_i$, $ID_j$, $T_i$, $T_j$, $sk_{ij}$).
, $R_{B,C}$, $bP$) made by adversary C is sent to the session $\Pi^s_{A,B}$. Here, the adversary C selects $b \in Z_p^*$ at random and may change $R_B$ of $ID_B$ to $R_{B,C}$. For participant $ID_B$, $h_B \in Z_p^*$ is chosen by the challenger S and $H_1(ID_B, R_{B,C}) = $ $h_B$ is also assigned by S. Finally, we make an assumption that the successful probability of a forgery attack made by C is $Adv_C^{\Pi}$. So C must make a query to $H_3$ with the input $SK = H_2(s_A PK_B) bY = h_2 bY$, $aPK_B = DLOG(Y)(R_B + $ $h_B X)$, and $s_A T_B = s_A bP$. S checks whether C makes an $H_3$ query on the value ($ID_A$, $ID_B$, $T_A$, $T_B$, $SK$, DLOG(Y)
table $H_1^{list}$. Particularly, the temporary secret key of $ID_A$ is given the value $a \in Z^*$
$ID_B$). Moreover, the simulation does not abort.
A message ($ID_B$, $R_{B,C}$, $bP$) made by C is sent to the session $\Pi^s_{A,B}$. $b \in Z_p^*$ is randomly selected by the adversary and C can also change $R_B$. Assume that S chooses $h_B \in Z_p^*$ at random as $H_1(ID_B, R_{B,C})$. If the probability of a successful forgery attack made by C cannot be ignored, the adversary must launch an $H_3$ query with the input $s_A T_B = DLOG(Y) bP$, $a_A PK_B = a(R_B + h_B X)$, and $SK = H_2(DLOG(Y) PK_B) abP = H_2(DLOG(Y)(R_B + h_B X)) abP$. Next, S checks whether there is an $H_3$ query from the adversary C on the value ($ID_A$, $ID_B$, $T_A$, $T_B$, $SK$, $DLOG(Y) bP$, $aPK_B$) such that DDH($h_2 T_A$, $T_B$, $SK$) = 1, DDH($T_A$, $PK_B$, $aPK_B$) = 1, and
Discussions. We will show some essential security attributes that our pairing-free 2PAKA protocol holds in the following content.
(ii) Session Key Agreement. According to our protocol shown in the Key Agreement phase, one session key $sk_{ij} = H_3(ID_i, ID_j, SK, a_i PK_j, s_i T_j) = H_3(ID_i, ID_j, SK, b_j PK_i, s_j T_i)$ can be obtained by two users after communication.
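The key-agreement equation above, run end to end as an added Python example (not the authors' code): both parties derive $sk_{ij}$, with the two Diffie-Hellman terms paired by value ($a_i PK_j = s_j T_i$ and $s_i T_j = b_j PK_i$), and a changed $R_B$ as in Cases 5 and 6 leaves the two keys unequal. Assumptions: secp256k1 stands in for the 160-bit group $G$, tagged SHA-256 stands in for $H_1$ to $H_3$, and the KGC extraction $s = r + H_1(ID, R)x$ is assumed so that $PK = R + H_1(ID, R)P_{pub}$ holds as stated on the page.

```python
import hashlib, secrets

p = 2**256 - 2**32 - 977  # secp256k1 (field p, order n, base P): assumed stand-in for G
n = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
P = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def add(A, B):  # point addition; None is the point at infinity
    if A is None or B is None:
        return A or B
    if A[0] == B[0] and (A[1] + B[1]) % p == 0:
        return None
    num, den = (3 * A[0] ** 2, 2 * A[1]) if A == B else (B[1] - A[1], B[0] - A[0])
    lam = num * pow(den % p, -1, p) % p
    x = (lam * lam - A[0] - B[0]) % p
    return x, (lam * (A[0] - x) - A[1]) % p

def mul(k, A):  # double-and-add scalar multiplication k*A
    R = None
    while k:
        if k & 1:
            R = add(R, A)
        A, k = add(A, A), k >> 1
    return R

def H(tag, *parts):  # H_1, H_2, H_3 modelled as tagged SHA-256 into Z_n^* (assumption)
    d = hashlib.sha256(repr((tag, parts)).encode()).digest()
    return int.from_bytes(d, "big") % (n - 1) + 1

def extract(x, ident):  # assumed KGC step: R = r*P, s = r + H_1(ID, R)*x
    r = secrets.randbelow(n - 1) + 1
    R = mul(r, P)
    return (r + H(1, ident, R) * x) % n, R

def session_key(s, a, peer_id, R_peer, T_peer, P_pub, initiator):
    PK = add(R_peer, mul(H(1, peer_id, R_peer), P_pub))  # PK = R + H_1(ID, R)*P_pub
    SK = mul(H(2, mul(s, PK)) * a % n, T_peer)           # SK = H_2(s*PK) * a * T_peer
    u, v = mul(a, PK), mul(s, T_peer)                    # initiator: a_i*PK_j, s_i*T_j
    if not initiator:                                    # responder holds the same two
        u, v = v, u                                      # points in the opposite order
    return H(3, "A", "B", SK, u, v)

def run(tamper=False):  # constructed run; tamper models a changed R_B in transit
    x, a, b = (secrets.randbelow(n - 1) + 1 for _ in range(3))
    P_pub = mul(x, P)
    (sA, RA), (sB, RB) = extract(x, "A"), extract(x, "B")
    R_seen = mul(2, RB) if tamper else RB
    return (session_key(sA, a, "B", R_seen, mul(b, P), P_pub, True),
            session_key(sB, b, "A", RA, mul(a, P), P_pub, False))
```

`run()` returns the pair of keys computed by $ID_A$ and $ID_B$; `run(tamper=True)` returns the pair when $ID_A$ receives a substituted $R_B$.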

Table 1: Message size of ID-based 2PAKA protocols.

Table 2: Executing time of basic operations (ms).