A Provably Secure Authentication and Key Exchange Protocol in Vehicular Ad Hoc Networks

While cloud computing and Internet of *ings (IoT) technologies have gradually matured, mobile intelligent transportation systems have begun to be widely used. In particular, the application of vehicular ad hoc networks (VANETs) is very convenient for real-time collection and analysis of traffic data. VANETs provide a great convenience for drivers and passengers, making it easier to choose routes. Currently, most research on VANETs obtains data through cloud servers. However, there are few studies on cloud servers obtaining vehicle information through the roadside unit (RSU). In the process of reading traffic information, there will be some private and sensitive information, which may be intercepted or tampered with in untrusted public channels. *erefore, it is necessary to propose a protocol to protect vehicle data during the information reading phase. In this paper, we propose a new provably secure authentication protocol to negotiate a session key before transmitting traffic information. *is protocol can complete mutual authentication and generate a session key. Finally, security analysis and performance analysis show that our protocol is secure and efficient.


Introduction
Due to social and economic development, motor vehicles are rapidly spreading. At the same time, the rapid increase in the number of vehicles on the road has also made the traffic situation more complicated, and there will be many traffic problems, such as traffic accidents and road congestion. erefore, researchers apply artificial intelligence [1][2][3][4], wireless networks, and sensor technology [5,6] to road vehicle management, so that vehicles can share information and release relevant road information to alleviate traffic problems. is is the vehicular ad hoc network, which consists of vehicle-to-vehicle (V2V) communication and vehicle-to-infrastructure (V2I) communication. In the VANETs, the vehicle is equipped with an on-board unit (OBU), so the vehicle can be regarded as a mobile network node that can communicate. erefore, the vehicle can obtain the corresponding road information from the cloud server through the RSU and can also send the relevant information recorded by itself to the cloud server. e main goal of VANET technology is to improve traffic efficiency and increase driving experience. With the popularity and development of VANET, it plays a key role in user travel planning and road safety.
Although VANETs have various obvious benefits, their security and privacy issues [7][8][9] are still the keys to whether they can be widely used. In VANETs, the network environment is open; attackers can capture various messages transmitted in the network and can forge a legitimate vehicle to send wrong information. e transmission of wrong information will mislead the driver to make the wrong decision, bringing corresponding troubles and even dangers. First, before information transmission, mutual authentication must be performed, and a corresponding session key must be generated for subsequent information transmission.
en the integrity of the message must be verified every time a message is received. In addition, anonymity is indispensable in VANET, because if the vehicle transmits its identity on the network in clear text, the attacker captures the information, and the vehicle can be faked or the vehicle can be tracked.
However, several kinds of research in VANETs mainly focus on how to ensure that vehicles obtain corresponding road information. In other aspects, vehicles can receive current traffic conditions through RSU. Based on the information received, the driver can adjust the driving decision. Because the road conditions are changing, the RSU can actively establish a communication request with the vehicle to obtain the road condition information stored by the vehicle sensor (as shown in Figure 1). Based on our best knowledge, we propose a new provably secure mutual authentication scheme for negotiating session keys before transmitting traffic information in this paper. e main contributions of this paper are summarized as follows: (1) A three-party AKE scheme is proposed, with vehicles, RSU, and cloud servers. RSU actively sends a request, completes mutual authentication with the vehicle through the cloud server, and generates a session key. (2) Due to environmental constraints, the proposed scheme only performs simple operations, such as elliptic curve (ECC), bitwise XOR, and hash functions. (3) We conduct a security analysis of the protocol, including formal analysis, informal analysis, and ProVerif simulation. (4) Finally, the performance of the proposed protocol is evaluated. Compared with the existing methods, we show that our protocol is feasible. e remainder of this paper is organized as follows. In Section 2, the latest research results of the AKE protocol and related research on security authentication in the VANET environment are reviewed. Section 3 describes our proposed protocol in detail. en, in Sections 4 and 5, the security analysis and performance analysis of the protocol proposed in Section 3 are carried out. Finally, the article is summarized in Section 6.

Related Work
Many researchers have conducted a series of studies on authentication and key exchange protocols in VANETs. However, with the changes of various needs and scenarios, many security issues have emerged in these studies.
First of all, in terms of an authentication protocol, Lamport [10] proposed for the first time password authentication in an insecure channel. Immediately afterward, various two-party authentication schemes were proposed [11,12]. But, for the VANETs environment, the communication between vehicles can use a two-party authentication scheme, and if the vehicle and the cloud server are authenticated, the two-party authentication will cause transmission delay, because two-party identity authentication is generally used in a single-server environment. In 2001, Li et al. [13] first proposed an authentication scheme in a multiserver environment, but their scheme is inefficient because it takes a lot of time to train neural networks. Later, to complete efficient and secure identity authentication, researchers began to introduce multifactor security. In addition to passwords, security factors such as smart cards and biological information were introduced [14][15][16]. Recently, Irshad et al. [17] proposed an authentication scheme under a multiserver architecture based on the chaotic mapping. But Wu et al. [18] found that Irshad et al.'s protocol cannot guarantee user anonymity and is vulnerable to attacks by privileged insiders. erefore, Wu et al. proposed an authentication protocol for distributed cloud environments, claiming that their protocol can resist various known attacks. However, Wu et al. [19] recently proposed an authentication key exchange protocol under a multiserver architecture and found that [18] has multiple security problems, including the inability to provide perfect forward secrecy (PFS) and being vulnerable to privileged internal attacks. Also, in a multiserver environment, in 2017, Truong et al. [20] proposed an ECC-based authentication scheme. eir article discussed that Yeh et al.'s [21] protocol cannot provide mutual authentication and the key agreement phase is incorrect. In 2018, Zhao et al. [22] proposed a secure and efficient authentication protocol based on passwords and smart cards. ey claimed that the scheme of Truong et al. could not achieve the security authentication requirements of multiserver authentication and could not resist offline password guessing and impersonation attacks. However, Hassan et al. [23] conducted a security analysis on the scheme proposed by Zhao et al. and found that the scheme is vulnerable to anonymity and traceability issues and is not suitable for a multiserver environment. en, on this basis, Hassan et al. proposed an improved multiserver authentication scheme.
Currently, there are two research focuses on the VANETs environment; one is efficient authentication, and the other is privacy protection. e former appeared because of the large number of vehicles in the VANETs environment, and data transmission and processing are very challenging. In order to solve this problem, cloud computing began to be applied to the VANETs [24]. In VANETs, cloud computingbased authentication schemes have also begun to be widely proposed [25][26][27][28][29].
ese solutions reduce the server-side service response time and improve authentication efficiency. However, due to the number of vehicles involved and management issues, network delays can also be caused. en cloud computing began to decentralize and fog computing was used to solve the above shortcomings [15,[30][31][32]. e latter is because, in an open network environment, the private information of vehicle users must be protected. erefore, the Conditional Privacy Preservation Authentication (CPPA) agreement was proposed [33]. In this protocol, the attacker cannot obtain the true identity of the vehicle user through messages intercepted on the public channel, but a trusted third party can calculate the identity of the vehicle user who sent the message. In 2008, Zhang et al. [34] proposed an identity-based verification scheme and proved that their proposed scheme can practice conditional privacy protection, trusting the authority to retrieve the true identity of the vehicle from any false identity. In 2014, Chuang and Lee [35] proposed the first authentication mechanism using transitive trust relationship. Later, Zhou et al. [36] used elliptic curve cryptography (ECC) to propose a new mutual authentication scheme based on the mechanism proposed by Chuang and Lee and mentioned in their paper that the scheme of Chang and Lee cannot resist internal attacks. However, Wu et al. [37] found that Zhou et al.'s scheme could not guarantee anonymity and was vulnerable to identity guessing and impersonation attacks. At the same time, they designed a new privacy protection authentication protocol using ECC technology. Some researchers have proposed the use of fog computing for information processing in the VANET environment. In 2019, Ma et al. [30] proposed a new AKE protocol without bilinear pairing. ey believed that the proposed protocol is safe and efficient. However, Eftekhari et al. [38] found that the protocol of Ma et al. had security problems, such as internal attacks, known session-specific temporary information attacks, and stolen smart card attacks, and then they proposed a safer and more efficient protocol. In 2017, Mohit et al. [39] proposed a new vehicle communication protocol and believed that their protocol could resist attacks such as stolen smart card attacks and impersonation attacks. However, Yu et al. [40] found that Mohit et al.'s scheme could not provide security attributes such as anonymity and mutual authentication and would suffer impersonation and traceability attacks. en Yu et al. proposed a new security authentication protocol and proved that their protocol can resist various known attacks. In 2020, Sadri and Rajabzadeh Asaar [41] proved that Yu et al.'s protocol is vulnerable to tracking attacks, impersonation attacks, sensor capture attacks, and so forth and proposed a secure protocol for application in VANETs.
Some studies have begun to design the AKE protocol for the advantages of low latency and high reliability in the 5G environment [42]; and, for some special occasions, blockchain technology [43] is also used to complete the authentication key exchange. Research similar to VANET currently has similar flying ad hoc networks (FANETs). Moreover, this environment is also vulnerable to serious security threats. Due to these security threats, many security protocols have been proposed in this environment [44][45][46][47]. erefore, when studying VANETs, you can refer to some security solutions in FANETs. However, most of the research is carried out on the premise that the vehicle initiates a communication request. So, it is necessary to propose an authentication scheme in which a cloud server or RSU initiates a communication request to the vehicle user to meet the timely update of road condition information.

Proposed Scheme
In this section, we introduce in detail a new provably secure mutual authentication scheme used to negotiate session keys before transmitting traffic information. e communication entities in the proposed protocol include vehicle users, roadside units, and cloud servers. For the convenience of reading, the symbols used in the scheme are listed in Table 1.
e proposed protocol has five phases, namely, the initialization phase, the vehicle registration phase, the RSU registration phase, the login phase, and the authentication phase.

Initialization Phase
(1) e cloud server CS selects two large prime numbers p and q and then constructs an elliptic curve E defined about the domain Z q for q. e points on E Security and Communication Networks form a cyclic additive elliptic curve group G, and the generator P of G is obtained. (2) CS selects two random numbers x and α and computes β � α · P, where x is the long-term key of the CS, α is the private key, and β is the public key. (3) Finally, CS chooses a one-way hash function h(·).

Vehicle User Registration
Phase. When the vehicle user V i wants to get the corresponding service, he/she must register through the cloud server CS. e main steps are as follows. Figure 2 describes the process of vehicle user registration in detail.
(1) V i chooses its own VID i and then sends it to CS through a secret channel. (2) On receiving VID i , CS selects n i and computes en, CS saves PVID i , VID i , n i to memory and securely transmits

RSU Registration Phase.
rough the registration phase, RSU j can obtain the private key, as shown in Figure 3.
(1) RSU j selects a random number c j and computes d j � c j · P and then sends the identity RID j and d j to CS securely. (2) CS selects the pseudoidentity PRID j of RSU j and the random number k j . en CS computes y j � k j · P + d j and z j � k j + (y j + PRID j ) · αmodp, stores PRID j , RID j , y j , k j in its database, and finally sends PRID j , y j , z j to RSU j .
(3) RSU j computes x j � z j + c j and then verifies whether x j · P is equal to z j · P + c j · P. If the verification is passed, the private key distribution is successful. en PRID j , y j , z j is stored in RSU j memory.

Login
Phase. Since the environment proposed by the scheme is to complete mutual authentication and key exchange during vehicle operation, the vehicle user login will be completed in advance. Figure 4 shows the login information of the vehicle user.

Authentication Phase.
e entire authentication phase is initiated by RSU j , which wants to communicate with the running vehicle. e detailed information is shown in Figure 5.
(1) First, RSU j makes a communication request Request and selects a random number r j to compute R j � r j · P. RSU j sends Request and R j to V i . (2) After V i receives the communication request, it selects a random number a i and the current timestamp T 1 and computes (3) RSU j verifies the validity of the timestamp (by |T 2 − T 1 | < ΔT). RSU j computes M j , C 3 , C 4 (as shown in equations (5)- (7)). Finally, RSU j sends R j , C 3 , C 4 , T 2 to CS.
(4) After CS receives the message, it first verifies whether the timestamp is valid (by . en it takes out VID i from the memory through PVID i and computes . If C 2 ′ and C 2 are equal, then perform the operation; otherwise, terminate the session. en, CS computes M j ′ � α · R j and PRID j ′ � C 3 − h(M j ′ ‖ R j ‖ T 2 ) and then retrieves RID j in the database through PRID j . After that, CS computes and completes the authentication operation. If authenticated, CS selects a random number b s and a One-way hash function x ‖ y Concatenation x ⊕ y e exclusive-or operation with x and y timestamp T 3 and computes N s , C 5 , C 6 , PVID inew , PRID jnew , C 7 (see equations (8)-(13)). Finally, CS updates the values of PRID j and PVID i in memory and sends C 5 , C 6 , C 7 , N s , T 3 to RSU j .   Security and Communication Networks (5) RSU j also verifies the validity of the timestamp. en it computes C 5 ′ � x j · N s and verifies that C 5 ′ is equal to C 5 . If authenticated, RSU j computes PVID inew , C 8 , PRID jnew (see equations (14)- (16)). en it updates the values of PRID j in memory. Finally, RSU j computes the session key (6) After V i receives the message, it checks the freshness of timestamp. If it is confirmed,

Security Analysis
In this section, we conduct a security analysis of the proposed protocol and use the ROR model and ProVerif tool to complete the formal security analysis [48,49]; and, through informal security analysis, we verified that the proposed protocol has security features and can resist various known attacks.

Informal Security Analysis.
is section is an informal security analysis of the proposed protocol. We verify the security attributes and attacks that the proposed protocol needs to have one by one.

Mutual Authentication. After receiving the authentication request from RSU
and sends it to CS through RSU j . After CS receives the RSU j message, the computed C 2 contains the parameters PVID i , VID i . Only legitimate users can generate correct C 2 , so that CS can verify the identity of the user and the legitimacy of the information by verifying whether C 2 ′ is equal to C 2 ; that is, CS authenticates V i . Similarly, the server computes C 4 , RSU j computes C 5 , and V i computes C 8 , respectively, indicating that CS has authenticated RSU j , RSU j has authenticated CS, and V i has authenticated CS. In summary, V i and RSU j can perform mutual authentication in the protocol.

Man-in-the-Middle Attacks.
By intercepting the information in the public channel, A may launch man-in-the- middle attacks. But after CS receives the message, it needs to verify to authenticate the sender. Suppose that when A tries to tamper with the information sent to RSU j , he needs to generate a new authentication information C 5 , but he cannot obtain the parameters x j , b s , and so forth. is means that A cannot complete the verification after tampering with the information. Similarly, when A tampered with the information sent to V i and CS, he could not complete the relevant authentication. is shows that the protocol can resist man-in-the-middle attacks.

Replay Attacks.
In the protocol, when a new round of authentication is performed, new random numbers r j , a i , and b s will be generated; and every time the authentication is completed, the values stored in the memory such as PVID i and PRID j will be updated. e random number and the updated PVID i are used when generating the session key. erefore, when A resends the previous message, new random numbers and related parameters updated in the memory have been generated, and he cannot pass the verification and cannot compute the session key. erefore, the proposed protocol can resist replay attacks.

Known Session-Specific Temporary Information
Attacks. Under the CK attack model [50], A can obtain the random number a i or r j generated during the authentication phase. Assuming that A obtains the random number a i generated by V i ; then N i , M i , and PVID i can be calculated. However, since A cannot obtain VID i and PRID j , he still cannot compute the session key SK; and when A tries to use a random number to perform a man-in-the-middle attack or an impersonation attack, he cannot complete the verification by recalculating C 2 . erefore, the proposed protocol can resist known session-specific temporary information attacks.

Perfect Forward Secrecy.
is security feature requires that the leakage of the long-term key does not reveal the previously generated session key.
at is, the long-term key x of CS is not used in the calculation of the session key. Since the private key α of CS does not change after each authentication, it is assumed that , and the updated PVID inew � h(PVID i ‖ M i ) and PRID jnew � h(PRID j ‖ M j ). However, A cannot obtain the random number a i or r j needed to compute SK, so there is no way to compute SK; that is, the proposed protocol can provide perfect forward secrecy.

Internal Attacks.
Assuming that A is a CS internal staff, he can easily obtain the information transmitted during the registration phase, including VID i , PVID i , K v , RID j , d j , and PRID j , y j , z j . However, A cannot compute a i and r j from this information. erefore, the proposed protocol can resist internal attacks.

User Anonymity and Untraceability.
During the authentication process, VID i is used to compute C 2 and A cannot obtain PVID i to guess VID i . So, the scheme can guarantee anonymity. At the same time, due to the use of random numbers and the update of the pseudoidentity after each authentication, it is also ensured that A cannot confirm the user's identity by tracing a specific piece of information. erefore, the protocol satisfies anonymity and untraceability.

4.1.8.
ree-Factor Secrecy. e proposed protocol uses passwords, biological information, and storage devices (OBU) for security encryption, so it is a three-factor authentication protocol. For this type of protocol, it is assumed that the extreme case is that A can obtain two of the three factors and can launch an attack on the protocol.
Assume that A obtains VID i , Pw i , and Bio i . It is necessary to compute Auth i when logging in, where K v � HP i ⊕ h(Pw i ‖ ϕ i ), but HP i is stored in OBU. In other words, A cannot complete the login operation. e proposed protocol is safe in this situation. Assume that A obtains VID i , Pw i , and OBU. Since ϕ i cannot be computed through Bio i , A cannot compute K v and Auth and cannot complete login verification. at is, the protocol is safe in this situation. Similarly, when A knows Bio i and OBU, there is no way to compute Auth i because there is no password and identity. erefore, the protocol is safe in the three situations, and the proposed protocol satisfies the threefactor security characteristics.

No Key Control.
In this protocol, the session key SK can only be generated through negotiation between V i and RSU j ; that is, a single entity cannot generate SK by itself. When computing SK, V i needs to know PRID j and R j generated by RSU j . In the same way, RSU j needs to negotiate to obtain PVID inew and N i during the calculation to compute SK. erefore, the proposed protocol is satisfied with no key control property.

Formal Security Analysis Based on Random Oracle Model.
In this section, a random oracle model (ROR model) is used to formally prove the security of our proposed protocol. is analysis model was proposed by Canetti et al. [51]. By launching different rounds of Games, the ROR model can compute the probability of A successfully guessing the SK in various situations and thus judge the security of the protocol. If the result is C � 1, A will receive the correct session key returned; if the result is C � 0, A will receive a random string.
Definition 1. (elliptic curve discrete logarithm problem (ECDLP)). Our proposed protocol uses elliptic curve cryptography (ECC). Here, we describe the computational difficulties and assumptions of ECC. Suppose that C is an elliptic curve generation group. At the same time, given points P and a · P, where P belongs to C and a belongs to F p , it is computationally infeasible to obtain a. In polynomial time, the probability that A solves this problem is defined as follows: Adv ECDLP For a sufficiently small η, we have Adv ECDLP A (ξ) < η. Theorem 1. If A attempts to initiate some queries in polynomial time, then the advantage that he can break through the proposed protocol P is as follows: Adv P A (ξ) � (q 2 hash /2 l )Adv ECDLP A (ξ) + 2max C ′ · q s send , (q send /2 l )} + 2q send Adv ECDLP A (ξ) + ((q send + q exe ) 2 /p) + (q 2 hash /2 l ) + (q send / 2 (l−1) ), where q hash represents the number of times to execute Hash(string) queries, q send represents the number of times to execute Send(O, M) queries, q exe represents the number of times to Execute(O) queries, l represents the number of bits of the operation, and C ′ and s are constants in Zipf's law [52].
Proof. We use the game sequence GM 0 , GM 1 , GM 2 , GM 3 , GM 4 , GM 5 , GM 6 to verify the above theorem. Succ GM n A (ξ) represents the probability of A's success in game GM n . Finally, using the Test query to determine Succ GM 5 A (ξ), the specific description is as follows: (i) Game GM 0 : GM 0 represents a real attack, and A did not initiate any query at this time. erefore, in GM 0 , the probability of A cracking P is Adv P A (ξ) � |2Pr[Succ (iv) Game GM 3 : GM 3 adds Hash query on the basis of GM 2 . According to the birthday paradox, we can get the maximum probability of hash collision as q 2 hash /2 l+1 ; the maximum probability of collision in the transmitted text is (q send + q exe ) 2 /2p; and so |Pr[Succ 4 : In this game, we consider the security of the session key. Here, we divide the discussion into two situations. e first is to obtain a long-term private key to verify perfect forward secrecy; the second is to provide temporary information leakage to verify whether the known session-specific temporary information attacks can be resisted.
Perfect forward secrecy: A uses Corrupt(I y RSU ) to try to get the private key x j of RSU j or uses Corrupt(I x V ) or Corrupt(I z Cs ) to try to get a certain secret value in the registration phase Known session-specific temporary information attacks: A uses Corrupt(I x V ) or Corrupt(I y RSU ) or Corrupt(I z Cs ) to try to obtain temporary information of one party In both cases, ECDLP needs to be solved to compute the session key SK. For SK � h(PVID inew ‖ PRID j ‖ a i · R j ), in the first case, even if M i and PVID i are calculated by x j , the random number r j is unknown. While getting a i through Corrupt(I x V ), A cannot get VID i , PVID i . In the second case, even if a i · R j is calculated through a i , the long-term private key is unknown. Similarly, for the second formula SK � h(PVID inew ‖ PRID j ‖ r j · N i ) also holds, |Pr[Succ   e user uses the password and biological information to register. A wants to guess +, but the possibility of guessing the biological characteristics is (1/2 l ), which can be almost ignored. Using Zipf's law, we can get |Pr[Succ 6 : the purpose of this game is to verify forgery attacks. In query, the game is terminated. At this point, the probability of A guessing SK is |Pr[Succ   In summary, we can get the following conclusions: us, we can obtain e tool is based on the DY model and can handle basic cryptographic operations such as symmetric encryption and decryption, public-key encryption and decryption, hash operations, and XOR operations. e security attributes that can be verified are confidentiality, authentication, consistency, and equivalence between processes. rough the use of code to achieve the registration and authentication phases of vehicle users, RSU, and cloud server, a protocol simulation experiment is created in this section. e following is the whole process: (1) e definition of the channel is ch and sch. e former is a common channel used in the login and authentication phases, and the latter is a secure channel used in the registration phase. SK v and SK r are the session keys generated by OBU i and S j . e subsequent definitions are string concatenation operations, XOR operations, hash functions, and fuzzy extractor functions. Next is to use some queries to verify the security requirements. e entire definition is shown in Figure 6.
(2) e process of V i is shown in Figure 7.
(3) e process of RSU j is shown in Figure 8. (4) e process of CS is shown in Figure 9. (5) In Figure 10, we show the results of the verification.
We use VehicleStarted(), VehicleAuthed(), Server-AcVehicle(), ServerAcRSU(), RSUAcServer(), and VehicleAcRSU() to declare the beginning and the end of the agreement and whether the mutual authentication between the vehicle user, RSU, and CS is correct. e verification result shows that the session key we established has withstood the attack, and the mutual authentication is successful and correct. e protocol proposed in this chapter has passed the security verification of ProVerif.

Security and Performance Comparisons
is section will analyze the performance of the proposed protocol and verify the performance of the protocol by comparing its security, computing consumption, and communication consumption among similar protocols.  [54]. e details are shown in Table 2. According to the informal security analysis above, it can be seen that the current common network attacks mainly include A1: mutual authentication; A2: man-in-the-middle attacks, A3: replay attacks, A4: known session-specific temporary information attacks, A5: perfect forward secrecy, A6: internal attacks, A7: user anonymity, A8: three-factor secrecy, A9: no key control, and A10: impersonation attacks. Yes means that it can resist this attack or has this security feature.

Performance Comparisons.
In the performance analysis of the AKE protocol, the computation cost is an important part to be considered. In the VANETs environment, due to the mobility of vehicles, the required computational time needs to be less, which reduces the time required for key establishment and makes the proposed protocol more practical. e experimental environment we used here is shown in Table 3 to test the time-consuming performance of different encryption and decryption algorithms. e algorithm was run 30 times on the device to find the average value. e results are shown in Table 4. We found that the time of the fuzzy extraction function is similar to that of the hash function during the experiment, so we use the fuzzy extraction function as a hash function.
Compared with other phases, in order to ensure the security of the session key, the authentication phase will be executed multiple times, so the calculation cost in this section only considers the calculation performed in the authentication phase. e comparison is shown in Table 5. Substitute the execution data in Table 4 to get the computation cost histogram in Figure 11.
Next, we analyze the communication consumption of the proposed protocol and compare it with related protocols. We use the number of bits specified in [11]. For example, the point of the ECC is 320 bits, the hash function is set to 256 bits, the length of the identity information is 64 bits, and the length of the random number and timestamp is 32 bits. e protocol we propose has four transmission rounds in the authentication phase, and the transmitted information is {R j , N i , C 1 , C 2 , T 1 , R j , C 3 , C 4 , T 2 , C 5 , C 6 C 7 , N s , T 3 , C 8 Table 6. In order to see the comparison effect more clearly, we have generated Figure 12.
Combined with Tables 2, 5, and 6, we discussed the results of the performance analysis. e protocol of Eftekhari et al. has no obvious security vulnerabilities, and the computation cost is similar to that of the protocol we proposed; the main computation cost gap is on the server side. Because the server has strong computing power, it has little effect on the overall computation cost; and, from Table 6   performance is very poor. e computation cost and communication cost of Ma et al.'s protocol are relatively average, but both are slightly higher than those of our proposed protocol, and their protocol is vulnerable to known session-specific temporary information attacks and internal attacks and cannot guarantee user anonymity. In general, it is more reasonable for the proposed protocol to combine security, computation cost, and communication cost analysis.     Computation cost (ms) Figure 11: Computation cost histogram.

Conclusion
Based on ECC, this paper designs a new provably safe AKE scheme before transmitting road condition information. We first reviewed the research status of AKE protocol in the VANET environment and found that it is necessary to propose a scheme to protect vehicle data in the information reading phase. We conducted an informal security analysis of the proposed protocol from mutual authentication, anonymity, perfect forward secrecy, man-in-the-middle attacks, internal attacks, and so forth and passed strict formal security analyses, such as the ROR model and ProVerif security verification tools, indicating that the proposed protocol is secure. rough the comparison of security and performance, the proposed protocol is secure, more effective, and more reasonable than the existing protocol. e application of authentication and key exchange in the VANETs environment is the general trend of the development of the VANETs. With the continuous development of the VANETs, subsequent application scenarios are also diverse, such as social Internet of Vehicles, which involve more user privacy information, and this topic will have great research value and research space in the future. erefore, the communication security of the VANETs environment must also be a key research topic for scholars.

Data Availability
e data used to support the findings of this study are included within the article.

Conflicts of Interest
e authors declare that there are no conflicts of interest.