A Privacy Preserving Authentication Protocol Using Quantum Computing for V2I Authentication in Vehicular Ad Hoc Networks

Many cryptographic techniques have been proposed to conceive a secure and privacy-oriented vehicular ad hoc network (VANET) for its practical deployment. The security of these techniques requires a common secret key to be shared between the communicating entities or depend upon the premise that some mathematical problems are computationally hard. However, because of the open nature of the wireless medium, the communication cannot be kept conﬁdential and is prone to eavesdropping. Furthermore, with the arrival of quantum computers, these techniques are prone to quantum attacks—the time complexity of the assumed hard problem gets reduced from millions of years to a few seconds. In this paper, we propose a conditional privacy-preserving authentication scheme based on a quantum key distribution protocol for vehicle-to-infrastructure (V2I) communication. Our scheme inherits the properties of the quantum key distribution protocol. It does not require a secret authentication key to be transmitted conventionally and is resistant to quantum attacks. Apart from protecting VANETs against generic security threats, including node impersonation, message tampering, and repudiation, our scheme defends VANETs against man-in-the-middle attacks, replay attacks, etc. Besides, our protocol ensures message unlinkability, vehicle-identity privacy, and vehicle traceability if a vehicle misbehaves. The results obtained from the performance evaluation of our scheme conﬁrm reasonable values of information leakage, key length, bit error probability, etc.


Introduction
Recently, vehicular ad hoc networks (VANETs) [1][2][3] have received considerable attention from industry, academia, and governments worldwide. A typical VANET comprises fast-moving, self-organizing vehicles that exchange information over the wireless channel. By exploiting the received information, many applications are being deployed for commuter safety and convenience, traffic management, and commercial purposes. However, because of the open nature of the wireless channel, VANETs are prone to security risks, including vehicle impersonation, message tampering, and message-repudiation. Besides, vehicles are vulnerable to privacy attacks. For example, an ill-intentions party could track a vehicle from its transmitted messages with the help of publicly linkable identity information. erefore, it is necessary to deploy procedures in order to conceive a truthful and privacy-oriented VANET [4][5][6]. Nevertheless, the privacy protection should not be absolute but conditional-the deployed procedure should allow identity disclosure if a vehicle misbehaves.
In literature, VANETs get safeguarded against security and privacy risks with the help of various techniques implemented using symmetric-key cryptography (SKC) [7][8][9][10][11], public-key cryptography (PKC) [12][13][14][15][16][17], or their combination. While using a generic symmetric key-based scheme such as Caesar's [18] and one-time pad protocol [19], a vehicle may establish a unique secret key with all entities it intends to communicate with. e vehicle may derive this key from an initial seed value shared between the two preauthenticated vehicles or can establish the key with the help of a trusted key distribution center (KDC). e security of these protocols depends on the robustness of the algorithm used and the secrecy of the key. Since VANETs are dynamic, pre-authentication via a seed value is nearly impossible. On the other hand, KDC needs to establish the secret key securely to protect it from an eavesdropper and man-in-themiddle adversary. e existence of trapdoor functions, which are easy to compute yet hard to invert without extra information, leads us to the techniques based on public key cryptography (PKC) [17]. PKC defends against the eavesdropping adversary without any need to share the common secret key between the communicating parties. Instead, Alice and Bob can easily verify the authenticity of messages exchanged using public keys of one another with no access to corresponding private keys. Yet, PKC-based techniques are slower than their symmetric key-based peers. However, the marriage of PKC with symmetric key-based protocols improves the efficiency when PKC gets employed only to distribute secret keys of symmetric key-based protocols. Once two parties share the common secret key, they can continue their communication using faster symmetric keybased protocol. e security of PKC-based algorithms are based on the premise that computation of a private key of a user from its public key is computationally hard, i.e., there exists no polynomial time algorithm to extract private keys from the corresponding public keys. e advancement in easy availability of computational resources, specifically the quantum computers, has paved the way for attackers to attack the classical PKC-based protocols, assuming their security on computationally hard problems. e quantum cryptography [20][21][22][23], which combines quantum computations with classical cryptography, uses laws of physics and quantum mechanics for secure exchange of information between the participating parties. A quantum key exchange or distribution algorithm [24][25][26][27][28][29] does not depend on the computationally hard nature of some mathematical problem. Rather, it uses the laws of quantum mechanics to provide unconditional security. Such a key distribution has an edge over classical key distribution scheme because of its properties including impossibility for an eavesdropper to copy the quantum bits during transmission, no use of unbounded computational power to the attacker as it does not depend on computationally hard problem, and flexibility to participating parties to detect an eavesdropper, i.e., whether an attacker is observing data during transmission. is makes quantum key distribution a perfect candidate for key exchange in an open network like VANET. e unconditional security of a quantum key distribution protocol arises because of: no-cloning theorem and Heisenberg Uncertainty Principle [30]. e no-cloning theorem prohibits an attacker from duplicating or copying the channel state of quantum bits (qubits) without preliminary information regarding bases [31]. Besides, in the absence of perfect prediction of sender's random basis, an eavesdropper easily gets detected while eavesdropping on a quantum channel. Measuring of state in quantum computing destroys the state, which enables easy detection of the existence of eavesdroppers, alerting the participating parties that someone is trying to disturb the communication.
Recently, in Refs. [32][33][34], authentication protocols involving quantum key distributions have been proposed for various application areas, such as cloud computing etc. However, these protocols cannot provide the vehicle-identity privacy which is a crucial requirement in VANET scenarios. In these protocols, messages get transmitted using a single identity, thus risking the privacy of a user. Besides, authentication request sent by a vehicle to TA via RSU is susceptible to replay attack and could lead to impersonation attack. In this paper, we overcome these limitations and propose a new privacy-preserving authentication protocol for VANETs. Specifically, the contribution of this paper is as follows: (1) We propose a new conditional privacy-preserving authentication protocol for V2I communication in VANETs by employing quantum key distribution protocol and classical identity (CID)-based authentication. After registering its unique identity with a trusted authority (TA), both vehicle and TA execute a quantum key exchange protocol, resulting in both parties sharing a common secret key. Upon authenticating with a semi-trusted RSU via TA using the shared quantum secret, the vehicle receives key material as a set of pseudo-identities and secret keys from RSU. e vehicle then authenticates its outgoing messages by using the key material received from RSU. (2) We have comprehensively analyzed the security of the proposed scheme. Our analysis confirms that the proposed protocol successfully defends against the eavesdropping, replay attack, man-in-the-middle attack, etc., apart from ensuring message authentication, integrity and nonrepudiation. e proposed protocol also enables efficient traceability in case a vehicle misbehaves. (3) We have also evaluated the performance of our protocol by implementing it on QKD simulator [35]. e results obtained confirm that it performs reasonably regarding information leakage and key length. e organization of the rest of the article is as follows. e basics of quantum computing and vehicular ad hoc networks (VANETs) are discussed in the preliminaries section. We investigated the related work in Section 2. We describe the background and design goal of the proposed protocol in Section 4. Section 5 describes the proposed privacy-preserving authentication protocol. Section 6 outlines privacy and security analysis, besides the evaluation of performance parameters with simulation results. Finally, Section 7 concludes the paper with future work.

Related Work
In this section, we discuss the existing work whose objectives are very similar to that of our proposed protocol and analyze their major limitations. e scheme proposed by Calandriello et al. utilizes pseudonym to provide privacy using baseline pseudonym (BP) and group signature (GS), but the scheme suffers from the maintenance and distribution of large certificate revocation list (CRL) [36]. Alazzawi and Lue tried to address the problem of VANETs by designing pseudo identities-based scheme to provide conditional anonymity, integrity, and authentication [37]. e scheme designed by Raya and Hubaux provides conditional privacy on public key infrastructure. e scheme stores different parameters like public key, private key pairs, and certificates which result in the requirement of large storage capability of OBU's in the vehicle [38]. Zhang et al. in their scheme address the problem of computational capabilities of OBU, i.e., they highlighted the inabilities of OBU to perform complex computations in short time. So, they proposed a method using bilinear pairings which not only allow the nearby RSU to assist the OBU in computations but also verify the messages [39].
Some message authentication schemes are also designed in VANETs using message authentication code, such as Lin et al. [40] and Rhim [41]. With the use of group signature [42], a conditional privacy-preserving authentication scheme is proposed by Wu et al. Also, a new privacy preserving scheme using hybrid cryptography gets proposed by Tangade et al. which abolishes the use of time-consuming CRL by utilizing public key infrastructure (PKI) for V2I pre authentication and HMAC for V2V authentication [43]. Privacy-preserving authentication along with group key agreement-based protocol is well discussed in Refs. [44,45]. Various researchers also tried to leverage the power of cloud computing [46,47] and fog computing in VANETS such as the proposal of a 3-layer architecture for fog-VANET in which the user vehicle acts as the data generation layer, RSU acts as intermediate fog nodes, and the cloud server as cloud Layer [48]. Use of the movable fog node by Ref. [49] for efficient V2V communication and traffic-related issues also have been proposed. A hybrid framework for vehicular cloud using fog computing in Ref. [50] is proposed which discusses various security issues such as authentication, privacy, availability of resources, etc. In addition, lightweight secure authentication and key agreement protocols are very well discussed in Refs. [51][52][53][54]. Leveraging authentication as service, a privacy-preserving implicit authentication framework utilizing cosine similarity and partial homomorphic public key encryption scheme is designed in Ref. [55]. e scheme resists the security and privacy threats of mobile intelligent terminals. Besides, the scheme [56] discusses a computationally efficient anonymous authentication framework enabling secure legitimacy inspection of authorized doctor, authorized patient, and medical experts with each other and features location privacy. Similarly, the scheme [57] constructs noninteractive zero knowledge scheme to protect data security and privacy of IoT devices responsible for collection and transmission of data in smart cities. Li et al. describe a novel lightweight privacy-preserving authentication protocol [58], which authenticates the vehicles guaranteeing anonymity, whereas Y. Wang et al. discuss the security issues and challenges related to fog computing, besides the comparison between cloud computing [59] and fog computing. e fast-developing quantum computer brings hope for the increased application area of quantum computing. ese days, different application areas such as simulation, machine learning, and transportation sector are exploring the use of quantum computing techniques. In quantum computation, the quantum key distribution (QKD) plays a pivotal role. Various protocols such as BB84 communication protocol [60], which utilizes quantum entanglement and no-cloning theorem, have the ability to encode a binary bit to quantum bits with the help of two polarizers, namely, circular polarizer and linear polarizer. e security and stability of these protocols are well discussed in Refs. [61][62][63]. A scheme [32] designed by Sharma and Kalra, namely, "Identity based secure authentication based on quantum key distribution for cloud computing" utilizes quantum key distribution and identity-based authentication for cloud infrastructure. Various researchers also discussed the authentication relying on quantum key distribution for cloud infrastructure in Refs. [64][65][66]. Also, Ref. [33] introduced a secure quantum algorithm which employs public key encryption to generate keys to enhance user authentication in quantum channel. In the scheme, Ref. [34] designed by Ankur and Karambir uses quantum key distribution and payload-based mutual authentication using elliptic curve cryptography (ECC) for Internet of things (IoT) devices. Using one-time quantum pad and five-particle cluster state, a secure quantum authentication and communication protocol gets discussed in Ref. [67]. In the scheme, [68], a novel enrollment and verification process for the entities of VANET using QKD gets investigated. However, this scheme is susceptible to replay attacks and does not preserve the privacy of a vehicle. In order to summarize the basic characteristics and the limitations of QKD network parameters, the practical implementation of the QKD network simulation module gets evaluated in network simulator NS-3 [69]. Although many QKD-based authentication protocols are available in the literature; they do not possess privacy preservation. is work aims to design a privacy-preserving QKD-based authentication protocol in VANETs.

Preliminaries
We aim this section to discuss the preliminarily concepts of quantum computing and vehicular ad hoc networks (VANETs).

Quantum Computing.
is subsection summarizes quantum computing and summarizes the key quantum computing characteristics following a discussion on the basics of VANETs. e ability of the quantum computer to solve various problems such as integer factorization (IF) in a few seconds, which usually takes billions of years by classical computers, fascinate the extreme industry interest of major corporations such as Google Inc., Microsoft Inc., and Amazon Inc. e extreme industry interest will boost the arrival of a quantum computer to market much sooner than the expected time.
e quantum computer comprises quantum chips rather than silicon chips used in classical computers.

Basics of Quantum Systems.
Quantum mechanics works with complex numbers in contrast to real numbers. e generalization of the concept of bit, known as a qubit, gets used in quantum computing. As we know, the evolution of quantum systems is reversible and the bit is a way of describing the system that has two states, i.e., either 1 or 0, either true or false.
(1) However, the above "either A (true/1) or B (false/0)" paradigm is not sufficient in the quantum world, i.e., any object can be in state A and state B simultaneously, which means there exists a system where the switch can be on and off at the same time. erefore, a qubit is a way of describing a 2- and |c 0 | 2 and |c 1 | 2 denote the probabilities that, after measuring qubit, it exists in state |0 > and state |1 > , respectively. One can understand the implementation of the qubit in the universe by the fact that an electron might be in two different orbits around the nucleus. A photon may be in one of two polarized states. erefore, there is an occurrence of enough quantum indeterminacy and superposition effects within all systems to represent qubits in the universe.

Architecture of Quantum
Systems. e evolution of quantum systems is reversible, which means the manipulation that can be done must also be able to be undone. is undoing translates the architecture into reversible gates. All operations that are not measurements and represented by unitary matrices are reversible gates. Moreover, gates, such as identity gates, NOT gate, controlled NOT gate, Toffoli gate (similar to controlled NOT gate but with two controlling bits), and Fredkin gate, are classical examples of reversible gates which act as underlying hardware for quantum gate thus enabling quantum computations. Also, Toffoli and Fredkin gates are universal and unitary besides being reversible, but no-cloning theorem limits all quantum gates mimicking the fanout operation. Although in contrast to cloning, transportation of arbitrary quantum states from one system to another can be done.

Key Characteristics of Quantum Computing.
e quantum computing harnesses the key behaviour of quantum mechanics, which is discussed in detail as follows: (1) Superposition. It is also called as coherence which allows any particle to be in more than one state with some probability. We can better understand it with the light bulb example. In the usual scenario, one can either switch-on (state 1) or switch-off (state 0) the light bulb, but if the light bulb gets assumed to be a quantum particle, then it can be in both states with some probability, i.e., we can find the light bulb with probability P and probability Q in state 0 and state 1, respectively, where holds. e real-world example of quantum particles is the electron with its own "ON and OFF" properties, i.e., spin, which is usually referred to as either up or down, similar to 1 or 0 of classical binary computing. A quantum particle possesses the linear combination of an infinite number of states between 1 and 0 when it is in a superposition state. Also, it is impossible to find the state of the particle when it is in superposition, which brings us to the essential feature, namely, quantum measurement.
(2) Measurement. Whenever the quantum particle gets measured, the superposition state of the quantum particle gets collapsed (also known as decoherence) and results in a classical binary state of either 0 or 1. Referring to the previous example of the light bulb, if we realize the bulb after measurement, the bulb is either in the switch-on state or in the switch-off state. However, some operations also exist in quantum computing, which resets the particles back to the superposition state to perform another calculation.
(3) Entanglement. is is the most valuable property of quantum mechanics, which allows for two or more quantum particles to become entangled. After entanglement, the participating quantum particles become a single system, resulting in the impossibility of differentiating the quantum state of the particles. Also, after entanglement, any operation applied on one particle correlates with the other particles, and the interconnection between particles remains unchanged if separated over enormous distances, even lightyears. Because of the correlation between entangled qubits, the effect of quantum measurement of one particle collapses not only that particle but also other particles.

Vehicular Ad Hoc Networks.
is subsection briefly describes VANET's detailing components, types of communications, and various challenges associated with VANETs, respectively.

Overview.
e infrastructure and vehicles sum up to form vehicular ad hoc networks (VANETs). Infrastructure is further divided into two parts, namely, roadside units (RSUs) and trusted authority (TA), whereas vehicles contain onboard units (OBU), which can communicate with the infrastructure and other vehicles on the road. We describe the architecture of VANETs in Figure 1. We assume that the existing architecture incorporates quantum communication capable infrastructure and a quantum communication capable OBU embedded within each vehicle. e trusted authority and road side units can enable quantum communication.
e advent of the quantum computer does not bring the need to eliminate all existing infrastructure. However, to enhance communication security, the existing infrastructure requires the inclusion of a new embedded board, namely, quantum processing units (QPUs) similar to graphics processing units (GPUs ese are the embedded processing units assembled in a vehicle. ey are used for periodically broadcasting vehicle information ranging from the position, driver location, acceleration, and traffic-related data on the road through DSRC protocol. e assumption of QPUs attached with OBU enables quantum communication capabilities to vehicle.

Challenges of VANETs.
Vehicular ad hoc network comprises three entities out of which the vehicle's OBU storage capacity is of enormous concern. Moreover, vehicle continuously moves, thus encountering the following challenges: (1) Resource Constraint. e OBUs of vehicles are not capable enough to perform high computations. (2) Intermittent Connectivity. e network management of vehicles in VANETs needs to be efficient, i.e., less number of network packets loss needs to be maintained.
e future of VANETs needs to be equipped with some sort of intelligence to meet the demands of thousands of vehicle's cooperation in a congested traffic scenario. (4) Privacy Requirement. e privacy of users is of extreme importance. e data and location information are enough for any attacker to act. e infrastructure needs to give flexibility to vehicles regarding the information they want to share.

Design Goal of the Proposed Protocol.
For providing secure communication in VANETs, the design goal of any protocol must consider security and privacy as the primary aim. Due to an increase in computing resources, the attacker nowadays started injecting malicious codes easily for one's personal benefit. erefore, prevention of the following is the design goal in VANETs.

Conversion of Bits from One State to Another.
Since the proposed protocol deals with quantum properties, it involves the use of the quantum bit. e use of photon polarization and interconversion rule enables the interconversion process between binary and quantum bits. We described the photon polarization with two sequences, namely, the decision sequence and the measurement sequence. Decision and measurement sequences both have the same polarization but perform different functions. Besides, the notations used in the proposed work are reported in Table 1.

Decision
Sequence. e conversion of a binary bit into a quantum bit is accomplished by the decision sequence, which comprises two kinds of polarizers: linear polarizer and circular polarizer. Furthermore, linear polarizer gets denoted by horizontal | ⟶ 〉 and vertical |↑〉 directions, whereas circular polarizer is denoted by |↗〉 and |↖〉 directions. We used L and C notations for denoting linear and circular polarizers, respectively. Also, both polarizers have two states which possess the orthogonality property, i.e., they are orthogonal to each other.

Interconversion Rule.
We define the interconversion rule between a binary and quantum bit as:

Measurement
Sequence. Measurement sequence accomplishes the conversion of the quantum bit back to a binary bit. It comprises two types of polarizers, namely, rectilinear (R) and diagonal (D) polarizers. ese two polarizers were used to measure quantum bits corresponding to the L and C polarizers of the decision sequence. Under the uncertainty principle, decision sequence and measurement sequence are conjugate bases, whereas rectilinear and linear as well as diagonal and circular polarizers are conjugate states, i.e., to get specific results, the receiver needs to measure the R polarizer with L polarizer only and D polarizer with C polarizer only. In addition, nonorthogonality between R and L, as well as D and C, makes them indistinguishable.
As shown in Table 2, the conversion of binary bit to quantum bit takes place. With the help of the decision sequence [LLCCLCCL], the binary bit [10100010] gets converted to quantum bit and then the pre-master secret gets produced after applying measurement basis [RDDRRDDR]. We may note that the receiver randomly chose a measurement basis.

Encrypted Id.
To protect the real id ID v i of the vehicle from the malicious attacker, we use the concept of encrypted id in our scheme, which is denoted by EncId v i . Whenever biological characteristics of the user are XORed with NOT translation of the real id of the vehicle, then only we obtain EncId v i , as reported in Table 3. Additional equipment attached with OBU can extract the biological characteristics, which comprise the facial or fingerprint identity of the user. However, because of the fuzzy nature of biological characteristics, each time the generation of EncId v i may vary slightly. Still, the assumption of the generation of a particular EncId v i from a set of biological characteristics (set of biological characteristics with small (few bits) differences get mapped to unique biological characteristics) prohibits the possibility of information leakage. Table 3 shows that the vehicle identification number in the binary bit string is [1000111] and biological characteristics after obtaining from OBU are [10111000]. We may note that the length of the biological characteristics and vehicle identification number must be the same. As shown in the table, NOT gate translates the vehicle identification bit string and then XOR with string obtained from the biological characteristics of the user to obtain the encrypted id. erefore, the result constitutes one at i th position where the binary bits are the same for vehicle identification and biological characteristics, otherwise 0. e encrypted id in the above example is [1100000].

Template and Encrypted Key Generation.
e proposed scheme uses a decision sequence and a measurement sequence, which gets selected randomly by both parties involved in communication. After that, the decision sequence and measurement sequence together produce the template. In addition, the pre-master secret mentioned in the table comprises correct and incorrect binary bits. erefore, the selection probability of the correct measurement sequence is 1/2 k , where k indicates the total length of the bit string. e green color shows the correct measurement base. Encrypted key [1000] gets generated with pre-master secret and template, as shown in Table 4.

Proposed Work
We propose a privacy-preserving authentication protocol for V2I communication, which utilizes the properties of quantum physics. e proposed protocol authenticates the vehicle with infrastructure and generates some secrets. ese secrets enable further privacy-preserving V2I and V2V communication.
e proposed protocol uses classical identity (CID)-based authentication and quantum key distribution to exchange keys with each other to secure privacy-preserving V2I communication.
e proposed scheme comprises four phases for V2I communication and two phases for V2V communication, which are described in detail as follows: Encrypted key of k th RSU Q EncKey v i Encrypted query key of i th vehicle Q EncKey r k Encrypted query key of k th RSU Table 2: Generation of the pre-master secret.
Binary bit 1 0 is phase includes the initialization process of all participating parties of VANETs, such as trusted authorities, roadside units, and vehicles.

Trusted Authority Initialization.
e responsibility for generating the measurement sequence and the set of EPR entangled pair |q a > and|q b > is with trusted authority (TA). ese two particles are entangled with each other, displaying entanglement property as discussed in preliminaries. During RSU and vehicle registration process, TA updates one's database with the decision sequence, measurement sequence, and an encrypted key.

Road Side Unit
Initialization. RSU obtains and unique id ID r k from TA. e detailed registration process of RSU is as follows: (i) After obtaining the unique id ID r k from TA, RSU generates decision sequence DS r k and interconversion rule IR r k which converts the binary bit ID r k into a quantum bit. Classical channel is used to transfer decision sequence DS r k and interconversion Rule IR r k to TA. (ii) TA prepares a set of EPR entangled pairs |q c > &|q d > for each quantum bit string obtained from ID r k . TA separates the set of EPR entangled pair |q c > and|q d > into a set of EPR entangled pair |q c > k and|q d > k . Finally, TA stores |q d > k to itself and sends |q c > k to RSU. (iii) TA produces a measurement sequence MS r k randomly that measures |q d > k quantum bit string, already available with the TA. As soon as |q d > k quantum bit string gets measured, the EPR quantum bit string |q d > k collapses into the same eigen state as the eigen states of |q c > k quantum bit string. After that, RSU k measures the quantum bit |q d > k which corresponds to |q c > k , using MS r k , thus collecting the same eigen state of |q d > k because of the entanglement property, which has already been discussed in the preliminaries. (iv) Now, RSU converts back |q d > k into a binary string using the interconversion rule IR r k already available to RSU, thus generating a pre-master secret. Furthermore, TA compares decision sequence DS r k and measurement sequence MS r k to produce the template, as discussed in Table 4. In addition, TA generates the encrypted key EncKey r k with the help of the template and pre-master secret, as discussed in the previous section. (

Phase 2: V2I Pre-Authentication.
is phase checks the legitimacy of each registered vehicle before one takes part in V2V communications. TA performs the process of verifying (i) First, TA checks the legitimacy of RSU k as follows: (ii) TA sends decision sequence DS r k and interconversion rule IR r k to RSU k . ereafter, RSU k translates binary string ID r k into quantum strings using the interconversion rule IR r k . (iii) Meanwhile, RSU k generates a set of EPR entangled pairs |q at > and|q bt > with the length equaling that of quantum bit strings obtained from ID r k . RSU k separates a set of EPR entangled pair |q at > and|q bt > into a set of EPR entangled pair |q at > k and|q bt > k . Finally, RSU k stores |q bt > k to itself and sends |q at > k to TA.
(iv) Now, TA searches for measurement sequence MS r k in its database corresponding to the received Id r k . After that, TA measures |q at > k quantum bit string, which were received from RSU k in the previous step using the measurement sequence MS r k . As soon as |q at > k quantum bit string gets measured, the EPR quantum bit string |q at > k collapses into the same eigen state as the eigen states of |q bt > k quantum bit string. Next, RSU k measures |q bt > k , which corresponds to |q at > k using measurement sequence MS r k , thus collecting the same eigen state of |q bt > k because of entanglement property.
(v) Next, RSU k converts back quantum string |q bt > k into the binary string using already shared interconversion rule IR r k available with it, thus producing a pre-master secret. Furthermore, TA generates the template by comparing the decision sequence DS r k and the measurement sequence MS r k . In addition, TA extracts query encrypted key QEncKey r k with the help of the template and premaster secret.
(vi) Finally, TA searches the query encrypted key QEncKey r k in its own database. If found, RSU k is considered legitimate otherwise, illegitimate, and TA discards the request.  Figure 2 clearly illustrates the V2I pre-authentication and pseudo identity and session key generation phase through the flowchart. A randomly chosen key from the set of session keys SKEY v i 1 , . . ., SKEY v i n is used later as a session key between RSU k and vehicle V i for further communication, where At the end of this phase, the vehicle is pre-authenticated in VANETs and has established a set of session keys SKEY v i 1 , . . ., SKEY v i n with RSU k for further communication.

Phase 4: Message Authentication and Verification.
Vehicle V i sends a tuple T = (MSG 2, MSG, TS) to RSU k to report MSG containing the information related to its status such as speed, position, traffic congestion, etc. e MSG is embedded in MSG 1 after proper time stamping (TS). After receiving the tuple T, RSU k authenticates the MSG 2 by Security and Communication Networks looking at each session key in a set of session keys SKEY v i 1 . . .. SKEY v i n corresponding to sender vehicle, in its database. Finally, to verify the MSG 2, the RSU k computes the HMAC digest MSG 2 ′ using each session key stored in its database corresponding to vehicle V i and then compares the received HMAC digest MSG 2 with its computed one MSG 2 ′ . If the results match, then MSG 2 is accepted as legal; otherwise, the message is illegal, and RSU k discards the message. session key shared between vehicle V i and V j respectively during phase 3 of the proposed protocol. At the end of this phase, a common key Key V i j is established between vehicle V i and V j , which can later be used by vehicle V i and V j for secure V2V communication with each other.

Evaluation
is section discusses the assessment of the proposed privacy-preserving authentication protocol, which includes privacy and security analysis and measurement of performance parameters subsequently.

Privacy and Security Analysis.
We analyze the security and privacy of the proposed authentication protocol in two criteria. First, we discuss the security analysis of quantum communication, which provides unconditional security. Second, we investigate the security and privacy analysis of our protocol in a particular context.
Our protocol uses BB84 quantum key distribution algorithm, whose security and privacy are demonstrated in Ref. [61]. Also, our protocol does not depend on any hard problem, rather uses the inherent properties of quantum physics. erefore, the proposed protocol obtains the same theoretically unconditional security as described in detail in Ref. [62]. e security in VANETs from various attacks, as mentioned in the designed goal of the proposed protocol, gets also ensured by the proposed protocol as follows: 6.1.1. Authentication. During the V2I pre-authentication phase in our proposed protocol, the authentication gets enabled by checking the legitimacy of roadside units (RSUs) and vehicles. In addition, the assurance that TA can successfully discard the illegitimate vehicle's request gets performed by TA upon looking in its database. TA stores EncKey v i , EncKey r k corresponding to one's real identities EncId v i and Id r k . For instance, TA produces an encrypted key from real identities (binary bit) after applying a decision sequence (randomly chosen by TA), resulting in a quantum bit containing imprecise quantum states. ese quantum bits are now converted back to a binary bit using the interconversion rule. We note that the converted binary bit is not the same as that of the original binary bit. e TA stores the encrypted key in its database after applying the corresponding template. Although, encrypted keys and real identities are different, they hold corresponding relationships, enabling TA to discard illegitimate vehicles by looking up its database. Also, during the system initialization of the proposed protocol, RSU and vehicle register themselves with TA and get corresponding EncKey r k and EncKey v i . During V2I pre-authentication phase, TA uses the same encrypted key of the corresponding vehicle and RSU to investigate the legitimacy of the vehicle and RSU.

Identity Revocation.
e secret keys are stored in the OBU of the vehicle and RSU. If an attacker can access these keys, i.e., EncKey v i , then the attacker becomes capable of communicating with TA easily. However, the assumption of tamper-proof OBU prevents this scenario, Even if an attacker gains access to EncKey v i , he or she cannot get any information about the user, as EncKey v i does not reveal the real identity of the user. We recommend that whenever the system gets compromised, generation of a new decision sequence, interconversion rule, template, and EncKey v i can be performed, and old credentials can be deleted immediately. e vehicle can update one's EncKey v i ⊲ and template after a specific interval of time by executing updating secret key phase. Although, the newly generated template key, EncKey v i , is from the same real id of the vehicle, they are different because TA and vehicle choose a decision sequence and measurement sequence randomly forbidding attacker from using previously compromised keys.
6.1.3. Irreversibility. Till now, we described whether the attacker can get access to TA, if the attacker can get EncKey v i . Now we discuss, in the same situation, the difficulty of recovering original Id v i . In our proposed protocol, EncKey v i is generated because of the template and premaster secret, where the template is obtained as the difference of the measurement sequence and decision sequence. However, measurement sequence and decision sequences are chosen randomly. erefore, an attacker never generates the exact template as done by V i at the time of registration. In the scenario when the attacker somehow gets the exact template and EncKey v i , the attacker does not become capable of retrieving real identity Id v i because there exists nonorthogonality relationship between the circularly polarized photon and the linear polarized photon, thus making them indistinguishable. In addition, a measurement sequence is needed to measure quantum bits, which are randomly selected by TA successfully. If the attacker tries to choose the measurement sequence randomly, he or she obtains uncertain and fragmented results.

Defense against Quantum Attacks.
e special type of attacks such as entanglement, missing decision sequence, missing measurement sequence, missing template, missing quantum bit string, etc., can also be encountered in the proposed protocol. Losing the decision sequence, measurement sequence, and interconversion rule does not reveal any information about the vehicle user because these are chosen randomly and contain no information about the user. ese are used to generate an EPR quantum bit for the legitimate vehicle. Also, losing a template used to generate encrypted keys reveals to the attacker the bits which are correct, but the inability to know exact information of that bit persists. However, if an attacker somehow knows the template, he or she will still require a pre-master secret to generate the encrypted key.
6.1.5. Anonymity. Given a message M 1 , the inability of the adversary to retrieve any identification information of the sender vehicle results in anonymity. Anonymity is further classified as void anonymity, apparent anonymity, revocable anonymity, and forfeitable anonymity based on recognizability (identifiability or traceability) of the vehicle. e void and apparent anonymity are unconditional types of anonymity, whereas revocable and forfeitable anonymity are conditional types of anonymity. In VANETs, anonymity is not unconditional in nature, i.e., in case transmission of fake messages by the vehicle occurs, TA should be able to trace the real identities of vehicle. In phase 4 of the proposed protocol, tuple T is sent to RSU by vehicle for authentication and verification. However, tuple T � (MSG 2, MSG, TS) does not contain any identification information related to the vehicle, thus ensuring anonymity. In addition, in phase 3 of the proposed protocol, RSU stores and generates session keys corresponding to the received encrypted pseudo identities for a particular vehicle. Whenever any vehicle transmits fake messages to RSU, encrypted pseudo identities are used by RSU to report to TA. Later, TA can trace and penalize the vehicle as per policy.
us, the proposed protocol ensures conditional anonymity, in particular, revocable anonymity.
6.1.6. Protection against Replay Attack. In the proposed scheme, protection against replay attack by RSU k is ensured as BS v , which comprises EncId v i , is properly timestamped and authenticated using HMAC. Also, MSG 2 is properly timestamped and authenticated using HMAC in phase 4 of the proposed protocol.
6.1.7. Information Integrity. Information integrity is one of the key features for secure communication in VANETs. In VANETs, information integrity is basically the guarantee of accuracy and consistency of message exchanged between entities of VANET like vehicles, RSU, and TA. It ensures that the exchanged message has not been changed in transit. Generally, cryptographic techniques such as message integrity code (MIC) also known as message authentication code (MAC) are used to protect information integrity. During the V2I pre-authentication phase of the proposed protocol, TA receives request BS v containing HMAC from OBU of vehicle V i through RSU k for the purpose of verification of vehicle V i identity. Also, during message authentication and verification phase of the proposed protocol, tuple T is sent by vehicle V i to RSU k for message authentication and verification. e tuple T consists of MSG2 which contains HMAC, an extension of MAC, which not only enables authentication of source of messages but also information integrity.  e traditional authentication protocol deals with classical bits, whereas the proposed privacy-preserving authentication protocol makes use of qubits, thus the quality of qubits, error correction, and qubit control are the significant challenges for large-scale practical implementation. e requirement of high-quality qubits for the generation of gate operations and complex instructions cannot be overlooked while designing any quantum computing-based authentication protocol. Although few qubit quantum computers are accessible through cloud, their efficiency is of high concern. Frequently, they produce incorrect results while performing any calculation using qubits and thus efficient error correction algorithms are indeed the need of the hour. In addition, implementation of error control algorithms require control over multiple qubits with low latency, preferably in nanoseconds. erefore, multiple qubits control is also one of the significant design challenges for the practical implementation of quantum computing-based authentication protocol.

Performance Evaluation and Comparison.
e demonstration and comparison of the computational and communication cost of the proposed protocol with Refs. [44,45,58] is discussed. e comparison standard includes the vehicle joining and vehicle leaving phase; thus, a scenario where some vehicles enter within the range of K th RSU and other vehicle leaves that range simultaneously is not overlooked. e detection distance d w , which equals 300 m using DSRC, is the coverage distance for any RSU on each side concerning its installation [70]; thus, a total distance of 600 m gets covered by any RSU. e safe distance d v is the distance between two vehicles that need to be maintained to avoid accidents and is calculated based on the speed of vehicles [71]. For example, d v should be 70 m between two vehicles, moving at a speed of 70 km/h. erefore, considering fixed d v corresponding to the moving vehicle speed, our performance simulation uses a fixed number of vehicles within any RSU range, i.e., considering vehicle length to be 5 m [72], vehicle speed to be 55 km/h, d v to be 55 m, a maximum of 9 vehicles can commute the journey including the entering vehicle within any RSU range. Similarly, a maximum of ten vehicles can commute in another lane, which leads to a maximum of n j = n l = 19 vehicles where n j denotes the number of joining vehicles and n l denotes the number the leaving vehicles. e calculation and comparison of communication and computation cost are performed considering n j and n l whenever any vehicle commutes through the K th RSU detection scope. For the calculation of computation cost, the parameters such as time cost for the multiplicative group, time cost for a hash function, time cost for inversion in the group, time cost for the calculation of Chinese remainder theorem are denoted by t m , t H , t i , t CRT and has values 1.80, 3.20, 25.58, and 150.589, respectively. In addition, t S and t E denote searching time and encryption time. For the calculation of the communication cost, the bit length of timestamp, random number, identity, and pseudo-identity are assumed as 64b, 160b, 160b, and 160b, respectively. We obtain the time parameter for computation cost using Miracle library [73] on ubuntu 18.04, and we use SHA-256 for performing a comparison with Refs. [44,45,58]. Also, a qualitative comparison of security features with some existing authentication protocols has been shown in Table 5, whereas the individual computation cost of TA, RSU, and vehicle, along with the total communication cost, is reported in Table 6. e computation cost of our protocol at vehicle, RSU, and TA are t H , f * t * (1 + n j )t H , and (1 + n j )(t S + t E ), respectively, which is a significant reduction of the computation overhead when compared to Refs. [44,45,58]. Also, the communication overhead of our protocol is 2864 * (1 + n j ), which is again a significant reduction in communication overhead when compared to Refs. [44,58]. However, the obtained communication cost of the proposed protocol is higher when compared to Ref. [45], but the proposed work provides unconditional security, which is not guaranteed by any of the other works. In addition, as the proposed protocol utilizes one of the quantum key distribution protocols, namely, BB84 protocol, we have also evaluated the performance parameters of BB84 protocol by performing simulation in QKD simulator [35]. QKD simulator, which is purely written in Python and applies standard libraries such as Scipy, Numpy, Pycrypto, etc., is well-known for returning simulation results by utilizing QKD stack, which includes a quantum channel, shifting, authentication using hashing, error estimation, error correction, and privacy amplification. Figuredepicts the variation when several initial qubits, which equals 600, are constant, and the eavesdropping rate varies from 0.1 to 0.6 one after another, i.e., Figure 3 shows the variation of performance parameters with the constant number of initial qubits. In contrast, Figure 4 shows how performance parameters vary when the eavesdropping rate, which equals 0.1, is taken to be constant. It is clear from the figures that the final key length and key length before privacy amplification increase linearly as the initial number of qubits get increased. In contrast, there is a linear decrement in key size and linear growth in information leakage regarding increasing eavesdropping rate.

Storage Overhead.
In the proposed protocol, TA generates and stores a pseudo-identity for vehicle V i after successfully pre-authenticating vehicle V i using the BB84 protocol featuring unconditional security. Assuming all vehicles can pass through a particular RSU in 10 min, f denotes the number of messages sent by the vehicle per second, and t shows time (in seconds). e number of session keys N � f * 10 * 60 gets generated. Besides, in the proposed protocol, RSU generates and stores N number of session keys corresponding to the encrypted pseudo-identity of the vehicle as soon as RSU receives them from TA. erefore, the vehicle gets one pseudo-identity and two quantum secrets, namely, template and Q EncKey v i from TA along with N number of session keys from RSU. erefore, based on the already defined bit length of keys and identities, the storage overhead of the vehicle is (N + 2) times the size of the secret key. e storage overhead of TA for a particular vehicle V i , assuming a vehicle updates its pseudo-identity n times, equals the size of (n + 1) pseudo identities + 2 * size of quantum secret + size of the real identity of the vehicle. e storage overhead for RSU for a particular vehicle V i equals N * the size of session keys + length of the encrypted pseudo-identity.

Conclusion
e efficient use of quantum computing techniques can enhance the privacy and security of VANETs. is article proposes a novel V2I privacy-preserving authentication protocol by combining quantum communication protocol and CID-based authentication. In addition, the proposed protocol exploits the inherent properties of quantum mechanics, such as no-cloning theorem and entanglement, thus providing unconditional security to vehicles and RSUs. e proposed mechanism authenticates the vehicle with infrastructure and provides a mechanism for the vehicle to communicate with RSU and TA. e privacy and security analysis section reveals that our protocol, utilizing the inherent properties of quantum mechanics, provides unconditional security, is scalable, and possesses a privacypreserving nature. e proposed work assumes the TA to be completely trusted; therefore, modification of the current protocol under the assumption of malicious TA could be included in future work. Also, future work may incorporate decentralization by adopting blockchain technology, i.e., to propose an extended version of our protocol in the blockchain environment.

Data Availability
e data used to support the findings of this study are included within the article.