An Improved and Privacy-Preserving Mutual Authentication Scheme with Forward Secrecy in VANETs

Vehicular ad hoc networks (VANETs) play a major part in intelligent transportation by enhancing traffic efficiency and safety. Because the communication channel is open, security and privacy are essential issues that must be tackled. Most existing schemes provide only message authentication without identity authentication, and in particular they do not support forward secrecy, which is a major security goal of authentication schemes. In this article, we propose a privacy-preserving mutual authentication scheme with batch verification for VANETs which supports both message authentication and identity authentication. More importantly, the proposed scheme achieves forward secrecy, which means the exposure of the shared key will not compromise the previous interaction. The security proof shows that our scheme can withstand various known security attacks, such as the impersonation attack and forgery attack. The experiment analysis results based on communication and computation cost demonstrate that our scheme is more efficient compared with the related schemes.


Introduction
With the rapid development of wireless communication technology, VANETs have drawn widespread attention in society over the decades. VANETs will bring great benefits to people in many ways. They can not only help drivers obtain traffic information in advance and provide better routes to ensure traffic safety and reduce traffic burden but also supply other services, such as toll collection, car infotainment, and location-based services [1].
In spite of the huge advantages offered by VANETs, they are still confronted with some problems that need to be solved, such as privacy preservation and secure authentication, since the communication in VANETs is on an open channel. Numerous schemes [2][3][4][5] have provided message authentication. The receiver must first verify the legality and integrity of the messages broadcast by other vehicles before it trusts them. However, in these schemes, the identity of the vehicle is not authenticated before it communicates with others. So, any vehicle can join the communication range and broadcast messages to others. If there are numerous malicious vehicles in the communication area, a lot of false information will be generated and broadcast in the Internet of vehicle system, which has an adverse impact on the efficiency of the entire system. Therefore, identity authentication before communication is also essential for VANETs.
Recently, Cui et al. [6] proposed a mutual authentication scheme for VANETs. In their scheme, the mutual authentication process between the vehicle and TA needs to be executed before the vehicle can communicate with other vehicles and RSUs. However, we find their scheme actually has some security defects. It is vulnerable to the forgery attack and the impersonation attack and does not provide forward secrecy, which is an important security property of an authentication scheme. In addition, their scheme does not support batch verification. Batch verification allows the verifier to check the validity of many signatures at the same time, which can greatly reduce delay. Many schemes [7][8][9][10] with batch verification have been proposed using bilinear pairing or based on elliptic curves.
In this paper, we present an improved mutual authentication scheme with forward secrecy for VANETs in order to withstand various known attacks. Concretely, the main contributions of our scheme are given as follows:
(1) We identify and analyze security flaws in Cui et al.'s scheme for VANETs. Their scheme is vulnerable to the forgery attack and the impersonation attack.
(2) We propose an improved mutual authentication scheme for VANETs to resist the security attacks in Cui et al.'s scheme. Our solution provides not only message authentication but also identity authentication. Moreover, our scheme can also achieve batch verification without using bilinear pairing.
(3) Finally, the proposed scheme can provide a stronger security property, forward secrecy. That is to say, even if the current shared key is exposed, the adversary cannot construct the previous shared key.
The security proof and analysis indicate that our scheme is secure. Performance evaluation shows that our scheme has low computation and communication overhead. The rest of the paper is organized as follows. The related work is introduced in Section 2. Section 3 presents the system model, security assumptions, and security requirements. In Section 4, we briefly review the scheme of Cui et al. In Section 5, we analyze the security attacks of their scheme. Section 6 introduces the improved mutual authentication scheme with forward secrecy. In Section 7, we give the security proof and analysis. Section 8 presents the performance analysis. Finally, Section 9 shows the conclusion of this paper.

Related Work
In recent years, the issues of privacy protection and secure authentication for VANETs have drawn more and more attention. To settle the problems mentioned above, many signature and authentication schemes have been proposed. For example, in 2006, a ring signature scheme was first proposed by Gamage et al. [11] to conceal the signer's real identity. However, their scheme is not suitable for VANETs because no entity could trace the real identities of vehicles when false messages sent by malicious vehicles cause damage. A year later, a PKI-based authentication scheme using anonymous certificates was proposed in [12]. However, in this scheme, vehicles need to store many public-private keys and corresponding anonymous certificates, which would impose a storage burden on vehicles and a huge certificate management burden on TA. Later, Lin et al. [13] introduced a privacy-preserving authentication protocol based on a group signature [14]. Then, an efficient conditional privacy-preserving authentication (CPPA) scheme using bilinear pairing was proposed in [15]. In this scheme, the RSU needs to update the temporary anonymous certificates periodically and store them, which would cause a huge burden for the RSU and have low efficiency.
In order to mitigate the certificate management problem, many identity-based schemes were proposed such as [16][17][18][19][20][21]. Zhang et al. [16] introduced an identity-based solution with batch verification called IBV. In their paper, the signature key of the vehicle is generated based on its identity. Neither vehicles nor RSUs need to save any certificate. In addition, their solution can simultaneously verify many received messages, which greatly increases the efficiency of verification. Then, the flaws of Zhang et al.'s IBV scheme [16] were found by Lee and Lai [17]. First of all, Zhang et al.'s scheme is subject to the replaying attack. Secondly, signature nonrepudiation is not achieved in Zhang et al.'s IBV scheme. So, Lee and Lai proposed an improved scheme to resist the above two types of attacks without extra overhead. Unfortunately, Zeng et al. [18] showed that Lee and Lai's scheme [17] has some weaknesses in VANETs. Firstly, Lee and Lai's approach did not achieve privacy preservation because anyone who only knows the public system parameters can calculate the real identity of the sender. Secondly, a malicious vehicle can imitate a valid vehicle to send false messages and can even use an arbitrary identity to escape the TA tracking. For the above weaknesses in VANETs, Zeng et al. [18] proposed an improved IBV scheme.
Soon after, many scholars combined certificateless cryptography and aggregation signature and further constructed various certificateless aggregation signature (CLAS) schemes [22][23][24][25][26][27][28][29][30]. For example, a CLAS scheme was proposed by Xiong et al. [22]; however, He et al. [23] pointed out that the adversary could forge a legal signature of any message in their scheme and presented an improved CLAS scheme. Unluckily, a security drawback in He et al.'s scheme [23] was found by Li et al. [24]. Xu et al. [30] found that the scheme of Horng et al. [25] cannot resist any type of adversary in the certificateless security model and built a new CLAS scheme. Lately, Cui et al. [26] presented an efficient CLS scheme for VANETs, which was proved to be insecure by Kamil and Ogundoyin [27].
To improve the efficiency, some schemes [31][32][33][34] have been designed shortly after. For example, in 2015, a new ID-based CPPA scheme for VANETs was first introduced by He et al. [31] based on Elliptic Curve Cryptography (ECC) without bilinear pairing. Cui et al. [35] built a secure privacy-preserving authentication (SPACF) scheme for VANETs using cuckoo filter and binary search methods to enhance the efficiency of batch verification. Azees et al. [36] constructed an efficient anonymous authentication (EAAP) protocol with an efficient conditional privacy tracking mechanism for VANETs. Nevertheless, they did not provide batch signature verification. Soon after, Zhong et al. [37] proposed a privacy-preserving authentication scheme with full aggregation. In their scheme, the RSU could aggregate the signatures of vehicles which are passing through it. However, this scheme has low efficiency due to the use of map-to-point hash functions and bilinear pairing. Later, Ali and Li [38] introduced an efficient CPPA scheme for VANETs based on general one-way hash functions with lower computation overhead. A conditional privacy-preserving authentication protocol based on the Chinese remainder theorem (CRT) for VANETs was elaborated by Zhang et al. [39]. In their protocol, they eliminated the need for preloading the master key of the system into the Tamper-Proof Device (TPD) of the vehicle, thus avoiding the risk of a compromised vehicle TPD leading to entire system failure.
Some mutual authentication schemes [40][41][42] in other different scenarios have been proposed. Recently, Cui et al. [6] introduced a secure mutual authentication scheme for VANETs. However, we find their scheme has some security weaknesses, such as vulnerability to the forgery attack and the impersonation attack. In this paper, we introduce an improved mutual authentication scheme with forward secrecy. Meanwhile, we provide batch verification, which greatly increases the efficiency of verification.

Preliminaries
In this part, the system model and security requirements will be given.

System Model. As shown in Figure 1, a typical architecture of VANETs is made up of the following units:
(1) Trusted authority (TA): TA is a trusted third party with large storage capacity and powerful computing capabilities. It is in charge of generating system parameters and authenticating the identity of vehicles. Furthermore, the true identities of vehicles could only be revealed by TA.

Security Assumptions. The security of our scheme is based on the elliptic curve discrete logarithm (ECDL) problem and the computational Diffie-Hellman (CDH) problem.
(1) ECDL problem: the ECDL problem is to calculate $s$, where $s$ satisfies $Q = s \cdot P$ for the known point $Q$ on the curve
(2) CDH problem: the CDH problem is to obtain the point $\alpha \cdot \beta \cdot P \in G$ given two random points $\alpha \cdot P, \beta \cdot P \in G$, where $\alpha$ and $\beta$ are secret

Security Requirements.
On the basis of the previous works for VANETs, the following security requirements should be met in the proposed scheme:
(1) Message authentication: the receiver must check the integrity and validity of the message signatures sent by other vehicles before it trusts them
(2) Identity authentication: the vehicle needs to complete identity authentication to prove it is legal before it is allowed to communicate with other RSUs and vehicles
(3) Traceability: if a malicious vehicle transmits a false message to mislead others, its true identity could be traced by TA
(4) Forward secrecy: even if the adversary knows the current shared key, it is impossible to generate the previous shared key
(5) Resistance against numerous types of attacks: the proposed scheme should be capable of withstanding the following security attacks that exist in VANETs
    (1) Replay attack: an adversary may gather and save a message signature and try to send it after the primitive signature becomes invalid
    (2) Impersonation attack: a malicious vehicle could disguise itself as a legal vehicle to send fake messages in order to make profits
    (3) Forgery attack: an adversary could forge some secret information such as identity or authentication credential to generate a signature without being detected
    (4) Known key secrecy attack: an adversary could construct the current key if it obtains the key generated in the previous interaction

Review of Cui et al.'s Mutual Authentication Scheme
Recently, Cui et al. [6] proposed a secure mutual authentication scheme for VANETs. In this section, we briefly review their scheme.

TA Initialization Phase
Step 1: TA picks two large prime numbers p, q, an additive group G with order q, which is formed by points on the elliptic curve E (

Security and Communication Networks
Step 2: TA randomly picks a number $s \in Z_q^*$ as its secret key and calculates $P_{pub} = s \cdot P$ as its public key.
Step 3: TA selects symmetric encryption function $E_\pi(\cdot)/D_\pi(\cdot)$ and several hash functions: $h: G \to Z_q$ , where H 1 key is a hash with key.

Vehicle Setup Phase.
The vehicle $V_i$ first transmits real identity $RID$ to TA. Then, TA calculates interpseudonym identity Finally, $V_i$ randomly picks an integer $\lambda_i \in Z_q^*$ as the encryption key and stores $\lambda_i$ and $IPID_{V_i}$ into the TPD. Simultaneously, TA saves the tuple $(RID, VP_i, IPID_{V_i}, \lambda_i)$.

Mutual Authentication Phase.
The mutual authentication process is completed between TA and the vehicle $V_i$. The details are as follows:
Step 1: firstly, $V_i$ picks a random integer $N_v \in Z_q^*$ and calculates a hash code nearby RSU, where $ID_{TA}$ is the identity of TA, and $T_1$ is the current timestamp.
Step 2: when RSU obtains a message from $V_i$, it first inspects the validity of the timestamp. If the timestamp is expired, it fails. Otherwise, RSU attaches its identity $ID_{RSU}$ and a new timestamp $T_2$ to the message. Then, it uses its private key $rsk$ shared with TA to encrypt messages. Finally, it broadcasts the encrypted messages to TA. When TA receives the messages, it first decrypts to get the tuple to execute the next step; else it aborts.
Step 3: TA calculates the authentication code $AC = h(HC \| s)$. Then, it sends the encrypted messages where Lifetime is the valid period of $AC$.
Step 4: as the RSU receives the messages sent by TA, it decrypts the messages to get ceives the messages, it first uses $\lambda_i$ to decrypt them and then uses the system public key $P_{pub}$ to decrypt to the $IPID_{V_i}$ stored in the TPD, the vehicle $V_i$ successfully completes the mutual authentication with TA and is allowed to broadcast messages to other vehicles and RSU.

Vehicle Signature Phase.
In this part, $V_i$ randomly chooses a number $r_i \in Z_q^*$ and computes $R_i = r_i \cdot P$. Next, $V_i$ calculates its public pseudonym identity and broadcasts the messages , $R_i$ to other RSUs and vehicles.

Message Verification Phase.
As RSU obtains the mes-

Attacks on Cui et al.'s Mutual Authentication Scheme
In this section, we describe some attacks existing in the scheme of Cui et al. [6]. The details are as follows.

Forgery Attack.
According to our analysis, Cui et al.'s scheme is vulnerable to a forgery attack in VANETs. We consider a case in which an attacker forges the authentication code. Then, it can use the authentication code to generate a message signature, and the signature can be successfully verified. The details are described as follows.
Suppose an attacker forges an arbitrary authentication code $AC^*$. Then, it selects a random integer $r_i \in Z_q^*$, computes $R_i = r_i \cdot P$, and generates a signature of false message $M_i^*$ as the following equation: Finally, it sends the messages $\{M_i^*, \delta_i^*, PPID_{V_i}, AC^*, R_i\}$ to other vehicles and RSUs. After will check that the following equation is satisfied; hence, the message $M_i^*$ will be considered valid: From the above, we notice that a vehicle that has not executed the mutual authentication process can forge the authentication code and use it as a credential to successfully communicate with others. Essentially, this is because RSU can only verify whether $AC$ sent by $V_i$ has been tampered with on the public channel, but cannot verify whether $AC$ was actually distributed by TA.

Impersonation Attack.
Suppose an attacker intercepts the authentication code $AC$ and the pseudonym identity $PPID_{V_i}$ on the open channel, and it executes the following steps:
(1) First, it randomly selects an integer $r_i \in Z_q^*$ and calculates $R_i = r_i \cdot P$.
(2) Next, it uses the intercepted $AC$ and $PPID_{V_i}$ to generate the signature of an arbitrary message $M_i^*$ as will consider the messages to be valid by checking that the following equation holds As a result, when the message $M_i^*$ causes an accident, the TA needs to obtain the true identity of the sender from $PPID_{V_i}$ in order to trace responsibility. However, the TA will obtain the real identity $IPID_{V_i}$ and think the message $M_i^*$ is sent by $V_i$. Thus, the attacker is able to imitate any vehicle to generate valid signatures of fake messages and escape accountability. Therefore, Cui et al.'s scheme is prone to impersonation attack.

The Proposed Scheme
To overcome the security attacks in Cui et al.'s scheme [6], we construct an improved mutual authentication scheme with forward secrecy. Table 1 displays the notations and descriptions used in the proposed scheme.

System Initialization.
Step 1: TA picks two large prime numbers $p$, $q$ and an additive group $G$ with order $q$ formed by points on the elliptic curve $E$ ($y^2 = x^3 + ax + b \bmod p$, where $a, b \in F_p$). Then, TA picks $P$ as a generator of $G$.
Step 2: TA randomly selects a number $s_T \in Z_q^*$ as its secret key and calculates $P_{pub} = s_T \cdot P$ as the corresponding public key.

Vehicle Registration.
In this section, the vehicle $V_i$ registers with the TA to get the shared key $\lambda_i$, and the process is given as follows.
The vehicle randomly picks an integer $s_i \in Z_q^*$ as its secret key and computes $PID_{i,1} = s_i \cdot P$. Subsequently, it transmits the real identity $RID$ and $PID_{i,1}$ to TA via a secure channel. When receiving the information, TA randomly picks an integer $\lambda_i \in Z_q^*$ as the key shared with the vehicle $V_i$, and calculates $PID_{i,2}$ where $VP_i$ is the valid period of $PID_{i,1}$ and $PID_{i,2}$. Next, TA sends the shared key $\lambda_i$ and pseudonym identity $PID_i = \{PID_{i,1}, PID_{i,2}, VP_i\}$ to $V_i$. Meanwhile, TA saves the tuple $(RID, VP_i, \lambda_i)$.

Mutual Authentication and Signing Key Generation.
As shown in Table 2, the vehicle $V_i$ completes the mutual authentication process with TA with the help of RSU. After mutual authentication, $V_i$ is considered legal and generates the signing key $SK_i$.
Step 1: the vehicle $V_i$ first randomly selects numbers Then, it sends the messages $\Phi_1 = \{\eta_1, PID_i, N_v, \alpha \cdot P, T_1\}$ to nearby RSU, where $T_1$ is the current timestamp.
Step 2: after getting the messages $\Phi_1$, RSU first checks the validity of $T_1$. If $T_1$ is invalid, it ends; otherwise, it chooses a random number $N_r \in Z_q^*$ and calculates $\eta_2 = H_4(ID_{RSU} \| rsk \| N_r)$, where $ID_{RSU}$ is the identity of RSU and $rsk$ is only known to TA and RSU. Finally, RSU sends the messages $\Phi_2 = \{\eta_1, PID_i, N_v, \alpha \cdot P, \eta_2, ID_{RSU}, N_r, T_2\}$ to TA, where $T_2$ is the current timestamp.
Step 3: when TA receives the messages $\Phi_2$, it first inspects the expiration date of $T_2$. If $T_2$ is expired, it aborts; else it checks the identity of the RSU. It com- it ends; otherwise, $V_i$ is successfully authenticated by TA. Then, TA randomly selects numbers $\beta, \omega_i \in Z_q^*$ and computes Finally, TA sends the messages $\Phi_3 = \{\eta_3, \eta_4, Q, \beta \cdot P, W_i, T_3\}$ to nearby RSU, where $T_3$ is the current timestamp. At the same time, TA updates the shared key to $\lambda_i^* = H_0(\beta \cdot \alpha \cdot P)$.

Step 5: upon receiving the message $\Phi_4$, $V_i$ first inspects the validity of $T_4$. Then, it retrieves $S_i' = \eta_4 \oplus \alpha \cdot \beta \cdot P$ and computes If $Q^* \neq Q$, it ends; else, the vehicle $V_i$ successfully authenticates the TA and updates $\lambda_i^* = H_0(\alpha \cdot \beta \cdot P)$. Finally, $V_i$ generates the signing key

Message Signing. When the vehicle $V_i$ is ready to broadcast message $M_i$ to others, it picks a random integer
Subsequently, it broadcasts the messages $\{M_i, \sigma_i, PID_i, R_i, W_i, T_i\}$ to nearby vehicles and RSUs.

Message Verification.
When the RSU obtains the messages $\{M_i, \sigma_i, PID_i, R_i, W_i, T_i\}$, it first checks the freshness of $T_i$ and the valid period $VP_i$ of $PID_i$. Then, it verifies the signature by checking whether $\sigma_i \cdot PID_{i,1} = W_i + X_i \cdot P_{pub} + Y_i \cdot R_i$ holds. If it holds, the RSU accepts the messages; otherwise, it directly discards the messages. The correctness proof of the above equation is as follows.

Correctness Proof

6.6. Batch Verification. When receiving lots of messages from multiple vehicles, the RSU can verify these messages in batch to effectively reduce the computation cost and raise the efficiency of verification. Assume that the RSU obtains the messages from $n$ vehicles, which are denoted as $\{M_i, \sigma_i, PID_i, R_i, W_i, T_i\}$, where $i = 1, 2, \ldots, n$. Similar to the single verification, the process of batch verification is executed by the verifier as follows.
The RSU first checks the freshness of $T_i$ and the valid period $VP_i$ of $PID_i$; if $T_i$ is not fresh or $VP_i$ is expired, RSU discards this message; otherwise, it randomly selects a vector $v_i = \{v_1, v_2, \ldots, v_n\}$, where $v_i \in [1, 2^{\varepsilon}]$ and $\varepsilon$ is a tiny number. Then, it performs batch verification by inspecting the validity of the following equation:
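The following Python sketch is an added example, not code from the paper: it implements the single check $\sigma_i \cdot PID_{i,1} = W_i + X_i \cdot P_{pub} + Y_i \cdot R_i$ and a batch check weighted by the random vector $v_i$, and shows that two altered signatures under one pseudonym whose errors cancel pass an unweighted sum but fail the weighted one. Assumptions: secp256k1 replaces the paper's 160-bit curve, SHA-256 stands in for $H_1$ and $H_2$ (hashing only $PID_{i,1}$ rather than the full $PID_i$), and the signing equation and batch equation are chosen here to agree with the single check, since neither is reproduced on this page; timestamp checks are omitted.

```python
import hashlib
import secrets

# Assumption: secp256k1 (a = 0, b = 7) stands in for the paper's 160-bit curve.
P_MOD = 2**256 - 2**32 - 977
Q = 2**256 - 0x14551231950B75FC4402DA1732FC9BEBF   # prime group order
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def add(A, B):
    """Affine point addition; None is the point at infinity."""
    if A is None:
        return B
    if B is None:
        return A
    (x1, y1), (x2, y2) = A, B
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return None
    if A == B:
        m = 3 * x1 * x1 * pow(2 * y1, -1, P_MOD) % P_MOD
    else:
        m = (y2 - y1) * pow(x2 - x1, -1, P_MOD) % P_MOD
    x3 = (m * m - x1 - x2) % P_MOD
    return (x3, (m * (x1 - x3) - y1) % P_MOD)

def mul(k, A):
    """Double-and-add scalar multiplication (illustrative, not constant time)."""
    k %= Q
    out = None
    while k:
        if k & 1:
            out = add(out, A)
        A = add(A, A)
        k >>= 1
    return out

def H(tag, *parts):
    """Hash to Z_q; SHA-256 with a domain tag stands in for H_1 and H_2."""
    data = repr((tag,) + parts).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q

def rand_scalar():
    return secrets.randbelow(Q - 1) + 1

def ta_setup():
    s_T = rand_scalar()
    return s_T, mul(s_T, G)            # (s_T, P_pub = s_T * P)

def register(s_T):
    """Assumed key material: SK_i = w_i + X_i * s_T, picked to satisfy the check."""
    s_i, w_i = rand_scalar(), rand_scalar()
    pid, W = mul(s_i, G), mul(w_i, G)  # PID_{i,1} = s_i * P, W_i = w_i * P
    return {"s": s_i, "PID": pid, "W": W, "SK": (w_i + H("H1", pid, W) * s_T) % Q}

def sign(veh, msg, ts):
    """Assumed signing equation: sigma = (SK_i + Y_i * r_i) / s_i mod q."""
    r = rand_scalar()
    R = mul(r, G)
    Y = H("H2", msg, veh["PID"], R, ts)
    sigma = (veh["SK"] + Y * r) * pow(veh["s"], -1, Q) % Q
    return {"M": msg, "sigma": sigma, "PID": veh["PID"], "R": R, "W": veh["W"], "T": ts}

def hashes(m):
    return H("H1", m["PID"], m["W"]), H("H2", m["M"], m["PID"], m["R"], m["T"])

def verify_one(m, P_pub):
    """sigma * PID_{i,1} == W_i + X_i * P_pub + Y_i * R_i"""
    X, Y = hashes(m)
    return mul(m["sigma"], m["PID"]) == add(add(m["W"], mul(X, P_pub)), mul(Y, m["R"]))

def verify_batch(msgs, P_pub, eps=32, coeffs=None):
    """Sum of v_i * (single check); v_i drawn from [1, 2^eps] unless given."""
    v = coeffs or [secrets.randbelow(2 ** eps) + 1 for _ in msgs]
    lhs, rhs, x_sum = None, None, 0
    for vi, m in zip(v, msgs):
        X, Y = hashes(m)
        lhs = add(lhs, mul(vi * m["sigma"], m["PID"]))
        rhs = add(rhs, add(mul(vi, m["W"]), mul(vi * Y, m["R"])))
        x_sum = (x_sum + vi * X) % Q
    return lhs == add(rhs, mul(x_sum, P_pub))

def demo():
    s_T, P_pub = ta_setup()
    a, b = register(s_T), register(s_T)
    good = [sign(a, "brake ahead", 1000), sign(a, "lane closed", 1001),
            sign(b, "ice on road", 1002)]          # constructed sample messages
    # Constructed invalid input: +d and -d on two signatures under one pseudonym.
    d = 12345
    bad = [dict(good[0], sigma=(good[0]["sigma"] + d) % Q),
           dict(good[1], sigma=(good[1]["sigma"] - d) % Q), good[2]]
    return {
        "good_single": all(verify_one(m, P_pub) for m in good),
        "good_batch": verify_batch(good, P_pub),
        "bad_single": [verify_one(m, P_pub) for m in bad],
        "bad_unweighted": verify_batch(bad, P_pub, coeffs=[1, 1, 1]),
        "bad_weighted": verify_batch(bad, P_pub),
    }

if __name__ == "__main__":
    print(demo())
```

With all $v_i = 1$ the two offsets sum to zero on the left-hand side and the batch is accepted although two of its signatures fail the single check; with independent random $v_i$ the residue $(v_1 - v_2) \cdot d \cdot PID_{i,1}$ is nonzero except with probability about $2^{-\varepsilon}$.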

Security Analysis and Comparison
7.1. Security Analysis. Based on the hard problems introduced in Section 3.2, we prove that our scheme is secure by a game played between an adversary A and a challenger C using random oracle model.

Theorem 1. The proposed scheme for VANETs is secure under the random oracle model in the adaptive chosen-message attack with an assumption that the ECDL problem is hard.
Proof. Suppose an adversary $A$ could forge a message $\{M_i, \sigma_i, PID_i, R_i, W_i, T_i\}$, and a challenger $C$ could tackle the ECDL problem with a nonnegligible probability by running $A$ as a subroutine. The details are as follows:
Setup phase: $C$ initializes public system parameters $\psi = \{a, b, p, q, P, H_0, H_1, H_2, H_3, H_4, P_{pub}\}$ and delivers them to $A$. Note that $P_{pub} = s_T \cdot P$, where $s_T \in Z_q^*$ is randomly selected by TA.
Query phase: in each random oracle, the adversary $A$ initiates an inquiry to the challenger $C$, and $C$ returns the result of the inquiry to $A$ from the list. Suppose $list_{h1}$ and $list_{h2}$ are the lists maintained by $C$ and are initially empty.
$H_1$-Oracle: if $A$ launches an inquiry on $(PID_i, W_i)$, $C$ will check whether $(PID_i, W_i, \rho_{h1})$ exists in $list_{h1}$. If it does exist, $C$ delivers $\rho_{h1}$ to $A$; otherwise, $C$ sets $\rho_{h1} = H_1(PID_i \| W_i)$ and adds $(PID_i, W_i, \rho_{h1})$ into $list_{h1}$. Finally, $C$ sends $\rho_{h1}$ to $A$.
and adds $(M_i, PID_i, R_i, T_i, \rho_{h2})$ to $list_{h2}$. Finally, $C$ sends $\rho_{h2}$ to $A$.
Sign-Oracle: after $C$ obtains the query on the message $M_i$ from $A$, it randomly generates three integers $\sigma_i, X_i, Y_i \in Z_q^*$ and then adds $(PID_i, W_i, X_i)$ into $list_{h1}$ and adds $M_i$, In the end, $A$ outputs messages $\{M_i, PID_i, R_i, W_i, T_i, \sigma_i\}$ and $C$ checks whether the following equation holds: If not, $C$ terminates the game. Otherwise, according to the forgery lemma [44], if the process is executed with a different $H_2$-oracle once again, $A$ could generate another valid message $\{M_i, PID_i, R_i, W_i, T_i, \sigma_i^*\}$. Obviously, we can get the following equation: According to equations (6) and (7), $C$ could compute: So, as the result of ECDL problem which conflicts with the difficulty of the ECDL problem. Consequently, our scheme for VANETs is secure under the random oracle model in the adaptively chosen message attack.
Next, we will briefly analyze the security requirements for VANETs mentioned in Section 3.3.
(1) Message authentication: based on Theorem 1, it is known that if the ECDL problem is difficult, any polynomial adversary cannot forge a valid message signature. Thus, the verifier can inspect the integrity and validity of the messages holds. Consequently, the proposed scheme for VANETs ensures the validity and integrity of the broadcast messages.
(2) Identity authentication: during the mutual authentication phase, TA authenticates the identity of the vehicle $V_i$ by calculating $\eta^*$ $V_i$ verifies the validity of TA by computing
(3) Traceability: once the traffic-related message broadcast by the vehicle $V_i$ causes an accident, TA can compute the real identity of $V_i$ by $RID = PID_{i,2} \oplus H_0(s_T \cdot PID_{i,1} \| VP_i)$. Then, TA adds the vehicle $V_i$ to the blacklist and deletes the information of $V_i$ from its database. TA periodically broadcasts the blacklist to other vehicles and RSUs.
(4) Forward secrecy: the adversary cannot obtain the previous shared key between TA and $V_i$, even though the current shared key is exposed. In each interaction, the shared key will be updated to $\lambda_i^* = H_0(\alpha \cdot \beta \cdot P)$ with the random numbers $\alpha$ and $\beta$ chosen by $V_i$ and TA, respectively. The updated shared key has nothing to do with the previous key; it is only related to the random numbers $\alpha$ and $\beta$. According to the CDH problem, it is known that the adversary cannot obtain $\alpha \cdot \beta \cdot P$ even if it intercepts $\alpha \cdot P$ and $\beta \cdot P$ from the public channel. Hence, the proposed scheme provides forward secrecy.
(5) Replay attack: upon receiving the messages $\{M_i, \sigma_i, PID_i, R_i, W_i, T_i\}$, the RSU will first verify the freshness of $T_i$ by checking whether $T_i^* - T_i \le \Delta T$ holds. Even if $T_i$ is fresh, it cannot satisfy the verification equation
(6) Impersonation attack: according to Theorem 1, it is not possible for an adversary to imitate other valid vehicles to successfully broadcast the signatures of messages. Because once the RSU receives the mes- Hence, the impersonation attack can be resisted in our scheme.
(7) Forgery attack: according to Theorem 1, no adversary can forge a valid message $\{M_i, \sigma_i, PID_i, R_i, W_i, T_i\}$ because this attack can be detected by the verifier through checking whether the equation $\sigma_i \cdot PID_{i,1} = W_i + X_i \cdot P_{pub} + Y_i \cdot R_i$ holds. So, our scheme is resistant to the forgery attack.
(8) Known key secrecy attack: even though the previous shared key between TA and $V_i$ is stolen, the adversary cannot generate the current shared key. This is because the shared key will be replaced as $\lambda_i^* = H_0(\alpha \cdot \beta \cdot P)$ in each round. It is just associated with the random numbers $\alpha$ and $\beta$, which are selected, respectively, by the vehicle and TA for each session. The adversary cannot obtain $\alpha \cdot \beta \cdot P$ from $\alpha \cdot P$ and $\beta \cdot P$ unless it could solve the CDH problem. The CDH problem is recognized as hard; hence, the proposed scheme can withstand the known key secrecy attack. □

7.2. Security Comparison. We compare the security of our scheme with three related schemes [6,37,38] for VANETs. Suppose S1, S2, S3, S4, S5, S6, S7, and S8, respectively, denote message authentication, identity authentication, traceability, forward secrecy, resistance against replay attack, impersonation attack, forgery attack, and known key secrecy attack. The result of the security comparison is shown in Table 3.
From Table 3, we can see that all the four schemes can satisfy the security requirements of message authentication, traceability, and resistance against replay attack. Identity authentication is only met in our scheme and the scheme [6]. Our scheme is the only one that can provide forward secrecy and resist known key secrecy attack. In summary, our scheme provides better security property compared with the recent proposed schemes.

Performance Analysis
In this part, we present the performance analysis with respect to the computational and communication overhead of our scheme and the schemes proposed by Ali and Li [38], Zhong et al. [37], and Cui et al. [6].

Computation Cost Analysis.
To estimate the computational cost of our scheme and other related schemes [6,37,38], we adopt the Java Pairing-Based Cryptography (JPBC) library. In terms of the bilinear map $e: G \times G \to G_T$, we choose the Type A pairing for schemes [37,38]. It is constructed on the elliptic curve $y^2 = x^3 + x \bmod p$ over the field $F_q$, where $p$ and the order of group $G_1$ are, respectively, 512 bits and 160 bits. While in the proposed scheme using the elliptic curve, the group $G_2$ is generated by the elliptic curve $y^2 = x^3 + a \cdot x + b \bmod p$, where the order of $G_2$ and the prime $p$ are both 160 bits. The experiment is conducted on a Laptop running Intel I5-8250U, 4 GB memory, 1.8 GHz processor with Windows 10 operating system. In our simulation experiment, we only consider the cryptographic operations which have a major impact on efficiency and ignore the execution time of the addition operation. Table 4 shows the notations and the execution time of several cryptographic-related operations. Table 5 lists the total computation overhead about message signing, single signature verification, and $n$ signatures' verification.
In the process of message signing, our scheme requires one multiplication operation based on ECC and one hash function operation. Accordingly, the computation overhead of this process is $T_{mp-ECC} + T_h \approx 13.1$ ms. In Ali and Li's scheme [38], the computation overhead of message signing is $3T_{mp-ECC} + 2T_h \approx 38.6$ ms. The cost of generating a signature is $3T_{mp-ECC} + T_{mtp} + T_h \approx 68.5$ ms in Zhong et al.'s scheme [37]. In Cui et al.'s scheme [6], the computation overhead of generating a signature is
During the message verification phase, in our scheme, the verifier takes three multiplication operations based on ECC and two hash function operations for single message verification, and $2n + 1$ multiplication operations based on ECC and $2n$ hash function operations for $n$ signatures verification. Therefore, the computation costs of verifying a single signature and $n$ signatures are $3T_{mp-ECC} + 2T_h \approx 38.6$ ms and $(2n + 1)T_{mp-ECC} + 2nT_h \approx (12.4 + 26.2n)$ ms, respectively. In the scheme of Ali and Li [38], the computation overheads of single signature verification and batch verification are $T_p + T_{mp-ECC} + T_h \approx 35.5$ ms and $T_p + nT_{mp-ECC} + nT_h \approx (22.4 + 13.1n)$ ms, respectively. In the scheme of Zhong et al. [37], $3T_p + T_{mtp} + 2T_{mp-ECC} + T_{mp-p} + T_h \approx 126.4$ ms and $3T_p + nT_{mtp} + 2nT_{mp-ECC} + nT_h + T_{mp-p} \approx (70.3 + 56.1n)$ ms are, respectively, spent on the phase of single verification and batch verification. In Cui et al.'s scheme [6], the verifier spends $T_h \approx 0.7$ ms and $nT_h \approx (0.7n)$ ms on verifying a single signature and $n$ signatures, respectively.
From Figures 2-4, compared with the three recently proposed schemes [6,37,38], we can more intuitively and clearly find that our scheme has the least computation overhead in the message signing step. During the single verification and batch verification phases, although the computation overhead of Cui et al.'s scheme [6] is negligible, their scheme is subject to some security attacks such as impersonation attack and forgery attack; the computation overhead of our scheme is far lower than that of Zhong et al. [37] and slightly higher than that of Ali and Li [38]. However, our scheme has better security performance such as supporting identity authentication and forward secrecy, withstanding known key secrecy attack. On the whole, our solution is suitable for VANETs in terms of security and efficiency.

Communication Cost Analysis.
In this part, we analyze and compare the communication overhead between the proposed scheme and other schemes [6,37,38]. For the group $G_1$ using the bilinear pairing and the group $G_2$ using the ECC, the size of $p$ is, respectively, 512 bits and 160 bits. Hence, the size of each element in group $G_1$ is 128 bytes and that of each element in $G_2$ is 40 bytes. Besides, the length of timestamp is 4 bytes; the elements in an integer group and the general hash are both considered 20 bytes. We assume that the length of all traffic-related messages is the same, so we ignore the size of traffic-related messages when calculating the communication overhead.
From Table 6, we can see that the total communication cost of our scheme is far less than that of the schemes [37,38], but slightly more than that of Cui et al.'s scheme [6]. However, the scheme of Cui et al. is subject to the impersonation attack and forgery attack. In addition, our scheme can not only provide identity authentication and forward secrecy but also resist known key secrecy attack. Therefore, our scheme is appropriate for VANETs with respect to communication overhead.

Conclusion
In this paper, we first analyze and point out that the mutual authentication scheme of Cui et al. is subject to the impersonation attack and the forgery attack. Then, we propose an improved mutual authentication scheme with forward security for VANETs. Security proof and analysis show that our scheme can not only resist general attacks but also achieve forward secrecy and withstand the known key secrecy attack, which are not achieved in other related schemes [6,37,38]. In addition, our solution has relatively balanced performance.

Data Availability
No data were used to support this study.

Conflicts of Interest
All authors declare that they have no conflicts of interest.