A Novel Privacy-Preserving Authentication Protocol Using Bilinear Pairings for the VANET Environment

With the rapid development of communication and microelectronic technology, the vehicular ad hoc network (VANET) has received extensive attention. However, due to the open nature of wireless communication links, it will cause VANET to generate many network security issues such as data leakage, network hijacking, and eavesdropping. To solve the above problem, this paper proposes a new authentication protocol which uses bilinear pairings and temporary pseudonyms. The proposed authentication protocol can realize functions such as the identity authentication of the vehicle and the verification of the message sent by the vehicle. Moreover, the proposed authentication protocol is capable of preventing any party (peer vehicles, service providers, etc.) from tracking the vehicle. To improve the efficiency of message verification, this paper also presents a batch authentication method for the vehicle to verify all messages received within a certain period of time. Finally, through security and performance analysis, it is actually easy to find that the proposed authentication protocol can not only resist various security threats but also have good computing and communication performance in the VANET environment.


Introduction
In recent years, the vehicular ad hoc network (VANET) has attracted more and more attention in improving people's lives. The VANET is a special mobile self-organizing network used in the intelligent transportation field [1]. In this application scenario, a vehicle can share the information with other vehicles via vehicle-to-vehicle (V2V) or vehicle-to-roadside unit (V2R) communications, respectively [2]. And both the above two communication scenarios follow the dedicated short-range communication (DSRC) protocol [3]. According to the DSRC protocol, each vehicle must periodically broadcast traffic-related messages. The traffic-related message mainly includes the vehicle's location, speed, and traffic status. Due to the open nature of wireless connections, the messages transmitted between the vehicles and the roadside unit (RSU) are easily intercepted or eavesdropped on by attackers [4]. Consequently, the security and privacy protection of the message is one of the key components towards the success of VANET applications.
The user privacy should be preserved during authentication in VANET [5]. In order to hide the actual identities of the vehicles, the anonymity of vehicles is required for VANET. On the other hand, the VANET backend server must have the ability to extract a vehicle's actual identity for tracing the malicious vehicles' activities [6]. Otherwise, a malicious vehicle will randomly send a large amount of false messages in VANET, which will lead to serious consequences [7]. Therefore, privacy preservation and traceability are two seemly conflicting requirements, and hence, we must solve them properly. In addition, unlike other types of selforganizing networks, the VANET has the characteristics of very high node movement speed [8]. Consequently, during the authentication period, the communication time among different nodes will be very short. We must improve the efficiency of the authentication protocol as much as possible.
To solve the above issues, in this paper, we present an authentication protocol based on bilinear pairings and temporary pseudonyms. The contributions of this work can be summarized as follows: (1) We propose a bilinear pairing-based vehicle authentication and the message verification protocol. In addition, to protect privacy, the proposed protocol uses temporary pseudoidentity to identify the messages transmitted between vehicles (2) To improve the authentication efficiency, the proposed protocol verifies the messages with the single or batch authentication manner on the recipient's side (3) In our proposed protocol, the TA and RSU have the ability to trace and revoke a compromised vehicle. The TA is also able to find the RSU who has authenticated the compromised vehicle by the traffic-related message that was sent from the compromised vehicle (4) The detailed security analysis demonstrated that the proposed vehicle authentication and the message verification protocol can not only resist various security threats but also have good security features, such as unforgeability of identity and message integrity (5) We evaluate the performance of the proposed authentication protocol and compare it with the related authentication protocols in terms of computation and transmission overheads. In addition, we also have analyzed the relationship between different factors and the message loss rate or the message delay of the authentication protocol The remainder of this paper is organized as follows. Section 2 summarizes the related work. Section 3 explains the system model and some mathematics-related preliminaries. In Section 4, the proposed privacy-preserving anonymous mutual authentication protocol is given. Moreover, we give the security analysis and performance evaluation of the proposed authentication protocol in Sections 5 and 6, respectively. Finally, Section 7 concludes the paper.

Related Work
In the past few years, many researchers have focused on the VANET's security and privacy issues. Many solutions based on pseudonyms, group signatures, symmetric cryptography, and identity identifier encryption have been proposed. The existing research works in VANETs can be classified into the following main categories: pseudonym-based authentication protocols [9][10][11][12][13][14], group signature-based authentication protocols [15][16][17], and hybrid-based authentication protocols [18,19].
2.1. Pseudonym-Based Authentication Protocols. The main idea of the pseudonym-based protocol [13] is to use the pseudonyms generated by random functions or other methods instead of the vehicles' identities in the process of authentication in VANET. One of the earliest works in this field is proposed by Raya and Hubaux [9]. The main idea of Raya and Hubaux's protocol is that the vehicles need to preload a huge number of anonymous certificates and their corresponding private keys based on the anonymity level they require. The main drawback of this protocol is that vehicles need to check a long list of revoked certificates when verifying the received signed message, which is very time-consuming. Sun et al. [10] proposed a pseudonym-based authentication protocol. Their protocol allows RSU to distribute certificate service and allows a vehicle to update its certificate on the way.
Although the above method can hide the user's real identity information successfully, the background server cannot complete the trajectory of the vehicle, which is necessary for certain scenarios. Then, Shen et al. [11] presented an ECC-based privacy-preserving authentication protocol with authority traceability for VANET. Li et al. [12] proposed an ID and pseudonym generation-based privacy-preserving authentication for VANET. He et al. [13] proposed an IDbased conditional privacy-preserving authentication protocol for VANETs based on elliptic curve cryptography. To improve performance further, the batch verification method is introduced in their protocol. Wang et al. [14] proposed a hybrid authentication protocol based on the PKI and identity-based signature, which can meet the requirements of security and conditional privacy in VANETs. However, in most of the abovementioned protocols, they cannot avoid the time-consuming identity legality detection in the message verification process.

Group Signature-Based Authentication Protocols.
Another category of privacy-preserving authentication protocols is the group-based protocol [15-17, 20, 21]. In group-based authentication protocols, each group member can sign on behalf of the group without revealing its real identity when it sends traffic-related messages. Other vehicles can only verify that these messages are from a valid group member, but there is no way to determine who sent them. For example, Hao et al. [15] proposed a group signaturebased distributed key management scheme for VANETs, which is expected to considerably facilitate location privacy protection and heterogeneous security policies. Later, Zhu et al. [16] presented an efficient privacy-preserving authentication protocol based on group signatures for VANET. In Zhu et al.'s protocol, they use a hash message authentication code (HMAC) to avoid time-consuming CRL checking and to ensure the integrity of messages before batch group authentication. Shao et al. [17] innovatively grouped the vehicle by RSU and proposed a new group signature-based authentication protocol for VANET.
With the assistance of the new group signature scheme, the proposed authentication protocol is featured with threshold authentication, efficient revocation, unforgeability, anonymity, and traceability. Wang and Yao [20] proposed a group signature-based conditional privacy-preserving authentication for VANET. In addition, their authentication protocol also supports batch verification. Islam et al. [21] proposed a password-based conditional privacy-preserving authentication and group key generation protocol for VANET. Their protocol offers group key generation, user joining and leaving, and password change facilities. Besides the group-based signature scheme, other techniques have also been proposed to achieve anonymity within a group. For example, Zhang et al. [22] used the k-anonymity concept 2 Wireless Communications and Mobile Computing to protect the user privacy so that a vehicle is indistinguishable from k − 1 vehicles. In addition, some researchers use the ring signature or blind signature to build the privacypreserving authentication protocol [23,24].

Hybrid-Based Authentication
Protocols. Some research activities use a combination of pseudonyms and group signatures to complete the design of authentication protocols in VANET [18,19,25]. For instance, Giorgio et al. [18] suggested an authentication protocol for VANET which uses the above methods in combination to protect the messages transmitted between the vehicles. Later, Liu et al. [19] proposed a protocol for VANET which is based on identitybased and group-based signatures. In Liu et al.'s proposal, the vehicles are divided into two different categories: the public vehicles and the private vehicles. The role of a public vehicle is similar to an RSU. The messages sent from the public vehicles and RSUs are authenticated using the identity-based signature [25]. And the messages sent from the private vehicles are authenticated via the group signature for safety reasons.
In general, most of the existing group-based protocols have some disadvantages. First, the group manager has all the knowledge about group members. Hence, there is the possibility of internal privilege attacks. Second, the joining and leaving of group members will result in the need to update the group key. Therefore, when the number of vehicles is large and the movement is frequent, a large amount of computing resources is required for updating the group key.

System Model and Preliminaries
3.1. System Model. A typical VANET system model is shown in Figure 1. There are three important components in VANET: the trusted authority (TA), on-board unit (OBU), and roadside unit (RSU) [26]. The TA is mainly responsible for the registration and certification of OBUs and RSUs. It is a trusted management and certification center. Generally, it is assumed that the TA is powerful enough in terms of communication, computation, and storage capabilities, and it is infeasible to compromise by the adversary.
The RSU, deployed on the roadside, can be regarded as the communication medium between OBU and TA. It is generally believed that there is a secure communication channel between RSU and TA, while the channel between RSU and OBU is an insecure wireless communication channel. In addition, due to working in unattended environments, the RSU can send secret information to the attackers when they are compromised. For the above reasons, all the RSUs must be managed and monitored by the TA. The OBU's role is to achieve the communication between vehicles and vehicles or vehicles and RSUs. In addition, it periodically broadcasts traffic-related messages such as location and speed to other vehicles to alert them to avoid traffic jams or accidents [27]. It is generally assumed that the OBU is a tamper-proof device to store the real identity of the vehicle and some other key materials.

Attacker Model.
Since the VANET uses open-featured wireless links to transmit traffic-related messages, attackers can launch various attacks against the VANET through eavesdropping and tampering. In the VANET environment, attackers are mainly divided into the external attacker and internal attacker [28]. The external attacker can eavesdrop or modify all the exchanged information in VANET. Based on these capabilities, the attacker may masquerade as a legitimate vehicle or RSU and communicate with the target entity to obtain illegal benefits. In addition, the external attacker has the ability to launch a denial-of-service attack. And the external attacker may be performed by a single attacker or a group of colluding attackers. In general, the external attacker has more computing and communication capabilities than the vehicle or RSU [29,30].
The internal attacker mainly refers to the malicious vehicle inside the VANET or the internal administrator [31][32][33]. The vehicle itself may also be a malicious node that can launch attacks such as the man-in-the-middle attack and replay attack. Besides, the attacker seeks to breach the anonymity of the vehicle. The internal attackers are potent as well since they are part of the system and have access to shared secrets. In addition, the attacker may eavesdrop on the communication link among the vehicles and RSUs. He/she may also attempt to establish the relationship between the successive pseudonyms and link these pseudonyms to a unique real entity.
In addition, the impact of certain human factors will also pose a great threat to the security of the VANET. For example, the OBU may be stolen by the thief. The thief may use the stolen OBU to send false messages to the other vehicle or the RSUs, which may cause new security threats to the VANET. Therefore, we need to take into account the negative impact of the stolen device.

Elliptic Curve Cryptosystem (ECC)
. ECC is one of the commonly used public key encryption algorithms, and its security relies on the difficulties of the discrete logarithm problem of the elliptic curve [34]. Compared to the well-known RSA public key encryption algorithm, ECC can achieve the same public key strength as RSA with a shorter key.
Let p be a large prime number, and let GFðpÞ be a field of integers modulo p. A nonsuper singular elliptic curve E over GFðpÞ leads to an equation of the following form: where a, b ∈ GFðpÞ and 4a 3 + 27b 2 ≠ 0ðmod pÞ. And then we look at the points on E with coordinates in GFðpÞ which we denote by the following form: The point multiplication over E can be computed by repeated addition as 3 Wireless Communications and Mobile Computing where k ∈ GFðpÞ and P is a point P ∈ E p ða, bÞ. In view of shortness, we omit the details of ECC and refer to [35,36].
In order to prove the security of our proposed protocol, here, we present two important mathematical problems on elliptic curves as follows: Elliptic curve discrete logarithm problem (ECDLP). Given an elliptic curve E defined over a finite field GFðpÞ, and two points P, Q ∈ E of order q, it is hard to find an integer k ∈ Z * q such that Q = k P. Computational Diffie-Hellman problem (CDHP). Given an elliptic curve E defined over a finite field GFðpÞ, and the points P, aP, bP ∈ E, it is hard to compute abP.
3.4. Bilinear Pairings. The bilinear mapping defines three multiplicative cyclic groups with prime order q : G 1 , G 2 , G T . Letê : G 1 × G 2 → G T be a computable bilinear map, which satisfies the following properties: Bilinearity. For any P, This can be restated in the following way: for any P, Q ∈ G and a, ∈Z * q ,êða · P, QÞ =êðP, a · QÞ =êðP, QÞ a .
Nondegenerate. For any P ∈ G,êðP, PÞ ≠ e, where e is the identity element of the group G T .
Computability. There exists an efficient algorithm to computeêðP, QÞ for any P ∈ G 1 and Q ∈ G 2 .
Then, we called e a bilinear map. The bilinear mapping can be constructed by Tate pairs or Weil pairs on elliptic curves over a finite field.

The Proposed Authentication Scheme
In this section, we present a bilinear pairing-based vehicle authentication and the message authentication protocol to improve the security and efficiency of communication in VANET. It contains seven phases, namely, system initialization, registration, RSU temporary key retrieval, vehicle authentication, vehicle verification, message signing, and message verification. To facilitate the subsequent description, the various symbols used in this paper are listed in Table 1.
The bitwise XOR operation ‖ String concatenation operation

Wireless Communications and Mobile Computing
Step I 1 . TA first selects a prime number p and an appropriate elliptic curve E over the finite field GFðpÞ and then selects a base point P over the elliptic curve E, and the order of P is q. Let G be a cyclic additive group generated by P and G T be a cyclic multiplicative group with the same order q. Then, TA constructs an appropriate bilinear mapê : G × G → G T .
Step I 3 . Next, TA chooses its private key s ∈ Z * q and computes its corresponding public key P pub = s ⋅ P. Then, TA selects two secret values x, y ∈ Z * q and saves them properly.
Step I 4 . After completing the above operations, the TA publishes the system parameters fE, q, P, G, G T , hð·Þ, Hð·Þ, P pub g.

Registration
Phase. Due to different roles and characteristics, the registration phase is divided into two parts: OBU registration and RSU registration.

OBU Registration.
When the vehicle V j wants to accept the services provided by VANET, it must be registered by the TA: Step OR 1 . The vehicle V j selects a unique identity ID vj and a password PW vj . Then, it chooses a random number b vj ∈ Z * q and computes B vj = hðb vj kPW vj Þ. Next, the V j sends fID vj , B vj g to the TA through a secure channel.
Step OR 2 . Upon receiving the message fID vj , B vj g, the TA randomly generates a number r vj and then calculates Then, TA chooses a random number uprk j ∈ Z * q as the user's private key and computes the corresponding public key upuk j = uprk j · P.
Step OR 3 . Next, the TA embedded the information fC vj , D vj , r vj , hð·Þ, Hð·Þ, q, uprk j , upuk j g into the V j 's tamperproof device (TPD) and keeps ðID vj , upuk j Þ in its tracking list.

RSU Registration.
The registration process of the RSU R i , i ∈ f1, 2, 3, ⋯, ng, is explained as follows: Step RR 1 . The RSU R i sends the information about the network to which it is connected to the TA securely.
Step RR 2 . The TA chooses a random value rprk i ∈ Z * q as R i 's private key and computes the corresponding public key rpuk i = rprk i · P.
Step RR 3 . The TA generates the signature Sign ri = hðyk RID i Þ, where RID i is R i 's identifier number. Then, TA injects the information fRID i , Sign ri , rprk i , rpuk i g into the RSU via a secure channel.

RSU Temporary Key Retrieval Phase.
In order to improve the efficiency of message verification, RSU is responsible for regularly distributing its local temporary keys for the vehicles which enter into the RSU's communication range.
The RSU R i randomly chooses a value δ i ∈ Z * q and calculates the temporary master key MK i = hðrprk i ⊕ δ i Þ. Then, the RSU stores the temporary master key in its TPD. And then, the RSU calculates the corresponding temporary public key RPK i = MK i P.
Next, the RSU releases its temporary public key RPK i together with the random number δ i in its coverage area periodically.
4.4. The Vehicle Authentication Phase. When a vehicle arrives at the area covered by the RSU R i , it first checks the identity of R i and determines whether it is a new RSU. If so, the vehicle V j should be authenticated to R i to get the of RSU i 's temporary master key. Then, V j calculates its anonymous identity via the R i 's temporary master key.
In this phase, the vehicle V j generates an anonymous identity and constructs a message authentication code. Then, the TA verifies the authentication message to verify the legality of the vehicle V j . The detailed message authentication process is described as follows: Step A 1 . The user of the vehicle V j enters the identity ID vj and the password PW vj into the OBU j . The OBU of the vehicle V j calculates the following formulas: And then, it verifies whether D * vj = D vj holds. If they are not equal, the OBU j will require the user to enter the correct identity and password again. Otherwise, the OBU j generates a timestamp T vj and computes TID vj = ID vj ⊕ hðA vj kT vj Þ and Cert vj = hðA vj kID vj kT vj Þ.
Step A 2 . Then, the OBU of the vehicle V j sends the message M 1 = fTID vj , r vj , T vj , upuk j , Cert vj g to the RSU i via a public communication channel.
Step A 3 . Upon receiving the message, the R i first checks the freshness of the timestamp T vj . If it holds, the RSU i then computes Cert ri = Hðrprk i · P pub Þ ⊕ ðTID vj kCert vj kkSign ri k T c1 Þ and sends the message fM 1 , Cert ri , RID i , rpuk i , T c1 g to the TA via a public channel.

The Vehicle Verification Phase.
Step V 1 . Upon receiving the message fM 1 , Cert ri , RID i , rpuk i , T c1 g, the TA first checks the timestamp T c1 . If the condition holds, the TA computes 5 Wireless Communications and Mobile Computing Then, TA determines whether the equation Sign * ri = Sign ri is true. If they are equal, the TA considers R i to be a legitimate RSU.
Step V 2 . Next, the TA extracts the message M 1 and continues to calculate And then it checks whether Cert * vj = Cert vj holds. If they are equal, the TA considers V j to be a legitimate vehicle.
Step V 3 . The TA computes Cert TA = Hðs · rpuk i Þ ⊕ ðTID vj khðykRID i ÞkT c1 kT c2 Þ and sends the message fCert TA , T c2 g to R i via a public channel to tell R i the vehicle V j is a legitimate vehicle. Upon receiving the message, R i computes C 1 = Hðrprk i · upuk j Þ ⊕ ðTID vj kMK i kT c1 kT c2 Þ and sends C 1 to the vehicle V j via a public communication channel.
Step V 4 . Upon receiving the message, the vehicle V j computes C 1 ⊕ Hðuprk j · rpuk i Þ = ðTID vj kMK i kT c1 kT c2 Þ and extracts R i 's local master keys MK i to prepare for the next message signing phase. The sequence diagram of the vehicle's login and certification steps is described in Figure 2 4.6. Message Signing Phase. As discussed previously, the vehicle driving on the road needs to send out traffic-related messages periodically. To protect the privacy of the vehicle, the message should be signed with the vehicle's pseudoidentity. However, in order to ensure the legitimacy of the received traffic-related messages, the receiver needs to verify the messages. Hence, message authentication is very important in VANET. The receiver checks the integrity and validity of the traffic-related message by verifying the correctness of the signature. The details of the signing phase can be described as follows: Step M 1 . The vehicle V j first chooses a random number σ ∈ Z * q and generates its pseudo-ID pID j = fpID 1 j , pID 2 j g and the corresponding private key SK j = fSK 1 j , SK 2 j g as follows: Step M 2 . The vehicle V j then generates a traffic message M s which includes the timestamp and the traffic information related to the vehicle. Next, V j signs the message M s as follows: Step M 3 . Finally, the vehicle V j releases the traffic-related message fpID j , θ j , M s , RID i g. Here, RID i is the identity of the RSU R i . It is used to let the verifier know that the trafficrelated message is signed by the key which is based on the temporary master key of R i .

Message Verification Phase.
When the traffic-related message fpID j , θ j , M s , RID i g is received by other recipients, they should check the validity of this message. And the validity of the traffic-related message can be verified when the value of the following equation is true: Equation (10) can be derived as follow: The recipients have obtained the system parameter P, the RSU's temporary public key RPK i , and the random number δ i . After receiving vehicle V j 's traffic-related message, they can get the traffic-related message M s , the signature θ j , and the anonymous identity pID j . If the above formula is true, it proves that the sender of the traffic-related message is legal, and the integrity of this message can also be confirmed.
When the recipient receives multiple messages at the same time, the recipient can use the batch verification method to verify these messages. Suppose these messages are marked as ffpID 1 , θ 1 , M s1 , RID i g, fpID 2 , θ 2 , M s2 , RID i g , ⋯, fpID n , θ n , M sn , RID i gg. The batch verification of these messages uses the following equation: Wireless Communications and Mobile Computing Verifying a number of signatures with the batch verification method is much faster than verifying them individually. In addition, the proof process of formula (12) is similar to that of formula (10). For brevity, we omit the proof process of formula (12). The sequence diagram of the message signing and verification processes is described in Figure 3.

Real Identity Tracking and Revocation.
In the proposed authentication protocol, the traffic-related messages are signed with pseudoidentities to protect privacy. When an OBU is compromised and releases false traffic-related messages, TA should have the ability to reveal its real identity and revoke its long-term certificate. In the proposed proto-col, only the TA and RSU have the ability to trace and revoke a compromised vehicle. Therefore, TA is able to find the compromised vehicle by the RID i which is contained in the traffic-related messages. Then, TA calculates the real identity of the compromised vehicle using the following equation: Next, TA adds the genuine identity ID vj of this vehicle to its compromised vehicle list (CVL) and sends the updated CVL to all RSUs. When a vehicle is compromised, the RSU will discard its request message in the early stages of mutual authentication. Consequently, the compromised vehicle will not get the RSU's local master keys. And it cannot calculate the corresponding temporary key to release the malicious wrong traffic-related message.

Security Analysis
In this section, we analyze the security and privacy features of the proposed authentication protocol as follows.

Unforgeability of Identity.
The proposed protocol guarantees that no one can use an identity that does not belong to him/her to take part in the system. When the vehicle V j needs to be authenticated at the RSU i , the message fTID vj , r vj , T vj , upuk j , Cert vj g sent by V j does contain its real identity ID vj . However, due to the one-way nature of the hash function, the attacker cannot get ID vj from the above message.
On the other hand, the attacker also cannot pretend to be an RSU to spoof. Even if the attacker obtains the RSU i 's identity RID i and the corresponding public key rpuk i , the attacker is unable to calculate the parameter Hðrprk i · P pub Þ for authentication with the TA because it cannot obtain the RSU i 's private key rprk i . Then, the attacker is unable to establish a secure connection with the vehicle V j and perform subsequent operations.

Replay Attacks.
Due to the open nature of the wireless channel, the message can be easily captured or modified by the attacker. Therefore, the attacker may use the captured traffic-related message to launch a replay attack. In our proposed scheme, the timestamp T vj is used to keep the freshness of the messages and resist the replay attack in the vehicle authentication phase. Although the attacker may obtain another vehicle's authentication message fTID vj , r vj , T vj , upuk j , Cert vj g, without knowing the secure variable A vj , he/she cannot get the session key and finish the authentication successfully.
Similarly, the attacker cannot replay the traffic-related message. The reason is that the traffic-related message contains the random number σ and the corresponding private key SK vj which is only owned by the vehicle V j . If an attacker replays this data, he/she will not be able to structure a valid signature about the traffic-related message. Through the above analysis, it is clear that the proposed authentication protocol has the ability to resist the replay attack.

Message Integrity and Authentication.
For VANET, which is composed of open communication links, the integrity and authenticity of the message must be guaranteed. In the proposed authentication protocol, the TA injects the relevant secret information into every RSU's and OBU's memory in the registration phase. In V2R communication, the vehicle V j sends the request message to RSU i to authenticate with the RSU i and obtain its local master keys MK i . Then, the RSU i returns its local master key MK i to the requested vehicle. All the messages mentioned above are encrypted with the secret values obtained from the TA. Therefore, the receiver can easily verify the integrity and identity of the messages.
After mutual authentication, the vehicle V j obtains the local master key from the RSU i . In the next V2V communication, the vehicle V j uses the RSU i 's local master key MK i to generate its pseudo-ID pID j = fpID 1 j , pID 2 j g and the corresponding private key SK j = fSK 1 j , SK 2 j g. Because of the use of identity-based signature algorithms, the receiver can easily verify the integrity of the traffic-related messages broadcasted by vehicle V j . With the above analysis, we can find that our proposed protocol satisfies the requirements of message integrity and authentication.

Conditional
Privacy-Preserving Property. As described earlier, in the authentication phase, the main role of RSU is to distribute the temporary public key to the vehicles nearby it. However, the privacy of the vehicle's identity must be protected in this environment. The proposed authentication protocol achieves the conditional privacy-preserving property in two aspects.

Vehicle V j
Message receiver generate ∊ Z ⁎ q and compute: pID 1 j = · P, pID 2 j = ID vj ⊕ h( || MK i ), SK 1 j = MK i · pID 1 j generate message M s and signing   Wireless Communications and Mobile Computing First, when a vehicle V j moves near the RSU, V j needs to generate a fresh timestamp T vj and uses it to calculate with the user's real identity ID vj via the hash function to generate an authentication message. Since the timestamp T vj used to calculate the authentication message is different each time and the hash function has a strong collision resistance property, the adversary cannot get the genuine identity information of the vehicle V j through the message M 1 = fTID vj , r vj , T vj , upuk j , Cert vj g.
Second, when the vehicle V j joins an RSU R i 's group, it obtains the R i 's local master key MK i and the corresponding temporary public key RPK i . And then, it generates a new pseudo-ID and the corresponding private key to sign the traffic-related message by the temporary master key of R i . Since the traffic-related message is signed with different temporary master keys of R i at different time, no entity except TA and R i can establish the link between signatures and pseudo-IDs of the vehicle V j . In summary, we can find that the proposed authentication protocol satisfies the conditional privacy-preserving property.

Traceability and Revocability.
In the proposed authentication protocol, only the TA can get the authentic identity ID vj of the vehicle V j from its authentication request message. Other participants (including vehicles and attackers) cannot extract the authentic identity ID vj of the vehicle V j from the authentication request message.
In addition, to protect privacy, the proposed protocol signs the traffic-related messages with different pseudo-IDs in the message signing phase. And the TA can get the authentic identity ID vj of the vehicle V j by using equation (13). Consequently, when a vehicle is compromised, the TA could reveal its authentic identity to other entities. As a result, the revoked vehicle cannot join the RSU's communication group to release any messages. This means that the proposed authentication protocol supports the traceability and revocability property.

Performance Evaluations
In this section, we evaluate the performance of the proposed authentication protocol and compare it with the related authentication protocols in terms of computation and transmission overheads. In our implementation, we use a PC with Intel Core i7 CPU 2.6 GHz and 8 GB memory to run the verification authentication protocol. Then, we use currently very popular experimental platforms, OMNeT++ and SUMO, to implement the proposed authentication protocol and test the indicators of communication performance and reliability.
The various parameters used in the experimental simulation platform are shown in Table 2. In the implementation of our protocol, the point multiplication operations of ECC are based on a 160-bit private key. And we select SHA-256 as the elementary hash function to structure the hash functions used in the proposed authentication protocol (i.e., hð·Þ, Hð·Þ). We use the pairing-based cryptography library [37] for algorithm experimental verification. The computation overhead of the proposed authentication protocol consists of the vehicle authentication phase and the signature verification phase.
6.1. Computation Overhead Analysis. Table 3 illustrates the experimental results for related pairing-based operations on the Intel Core i7 CPU 2.6 GHz machine. In our simulation, each randomized ID is 1024 bits, and the size of the ECC point is 160 bits. From the results, we observe that the bilinear pairing operation takes 3.61 milliseconds at the application server when averaging over 10 experiments to run the pairing-based operation. Figure 4 further shows the results on Intel Core i7 CPU 2.6 GHz for the above metrics.

Wireless Communications and Mobile Computing
Furthermore, if the proposed authentication protocol is implemented on a more powerful high-end server, the running time will be greatly reduced, as shown in Table 3.
The main computational cost involved in the proposed authentication protocol is the registration phase, vehicle authentication phase, and message verification phase. However, in the proposed authentication protocol, it is not required to register a large number of vehicles and RSUs at the same time. Therefore, the time consumed in this phase does not require counting in the real-time running process. We focus on the time-consuming vehicle authentication phase and message signing and verification phases. In Table 4, we illustrate the running time of the proposed authentication protocol in different phases.
On the TA side, it is only involved in the system initialization phase and the vehicle verification phase. Note that the system initialization phase can be computed offline, and thus, we omit the computational overhead of this phase. And the TA's computation cost in the vehicle verification phase is 3 T mul + 6T h ≈ 10:89 ms. On the OBU side, it is involved in the vehicle authentication phase, vehicle verification phase, message signing phase, and message verification phase. On the RSU side, it is only involved in the following stages: vehicle authentication and vehicle verification. From the proposed authentication, it is easy to find that the OBU is involved in almost all phases, except the identity tracking and revocation phase. Table 4 gives the detailed numbers.
From Table 4, we can see that if there are many message signatures for the OBU to verify, it will take a long time to run the message verification phase. To speed up the verification process, the proposed authentication protocol uses the batch authentication manner (see equation (12)) to reduce the time of pairing computation. We can analyze that the computation overhead in the single authentication manner is ðn + 1ÞT mul + nT Gh + 3nT pair from equation (10). And the computation overhead in the batch authentication manner is only ðn + 1ÞT mul + nT Gh + 3T pair from equation (12). As a result, we can reduce the number of pairing computation from 3n to only 3. In Table 5, we have compared the computational cost of the proposed authentication protocol with the related works for each step.

Communication Overhead Analysis.
We assume that the vehicles and RSUs have the same communication speed. Then, the communication overhead can be estimated by the length of messages. In our implementation, we adopt SHA-256 as the elementary hash function to structure the hash function, whose output length is 32 bytes. We use the vehicle identification number (VIN) [38] proposed by the International Organization for Standardization as the identifier of the vehicle. In Table 6, we illustrate the default length of the elements used in the proposed authentication protocol.
In the vehicle authentication phase, the communication overhead is mainly caused by the authentication request message fTID vj , r vj , T vj , upuk j , Cert vj g. Just as summarized in the previous part, the sizes of TID vj and Cert vj are 32 bytes. And the sizes of r vj , T vj , and upuk j are 8 bytes, 8 bytes, and 40 bytes, respectively. Therefore, the size of the authentication message is 32 + 32 + 8 + 8 + 40 = 120 bytes. Similarly, the size of the safety-related message fpID j , θ j , M s , RID i g is 40 + 40 + 200 + 20 = 300 bytes. From Table 7, the communication cost of our protocol is slightly higher than that of the protocols in [25]. However, the proposed protocol provides more security of the vehicle authentication than the related research.  The proposed T mul + T h ≈ 2:63 ms 3T mul + T add + T h + T Gh ≈ 7:89 ms  (14), where N is used to represent the total number of authentication messages, M i rev represents the total number of messages received by vehicle V i , and M i send represents the total number of authentication messages sent by the RSU. Figure 4 shows the relationship between the message loss rate and the number of vehicles in the system. It can be seen from the simulation results that as the volume of message authentication services increases, the message loss rate is gradually increasing. In addition, in the same environment, we also compare the proposed protocol with the PKI-based protocol and that in [23] in terms of the message loss rate. It can be found that the message loss rate of the authentication protocol proposed in this paper is the lowest.
6.4. Authentication Protocol's Delay Factor Analysis. In the simulation environment, we obtained the relationship between different factors and the delay of the authentication protocol by modifying the relevant parameters, such as the speed of the vehicle and the number of vehicles. Figure 5 reflects the relationship between vehicle speed and message delay, and Figure 6 reflects the relationship between the number of vehicles and the delay of authentication messages.
It can be seen from Figure 5 that when the speed is lower than 35 m/s (126 km/h), the increase in vehicle speed does not have much impact on the message delay of the authentication protocol. This shows that the proposed protocol can meet the demand for message delay under the condition of normal vehicle speed. From Figure 6, it is easy to see that when the proposed is used for high traffic density occasions, the authentication message delay time will increase a bit. However, when the number of vehicles in the area covered by an RSU is less than 80, the delay is still relatively small. In fact, the probability that the number of vehicles in the area covered by an RSU exceeds 80 is negligible. Obviously, the message delay of the proposed protocol is very small in the daily traffic environment.

Conclusion
In the future smart transportation system, VANET will play an increasingly important role. The communication security and vehicle privacy protection in VANET are the fundamental requirements for its rapid development. In this paper, we proposed a bilinear pairing-based vehicle authentication and the message verification protocol to solve these problems. To protect user privacy, the proposed protocol uses a temporary pseudoidentity-based anonymous method in the message signing and verification phases. In addition, to improve the efficiency of the proposed authentication protocol, the recipients can verify the traffic-related messages with the single or batch authentication manner. Finally, we give the security and performance analysis of the proposed protocol. The security analysis shows that the proposed authentication protocol can resist various security threats and protect user privacy in the VANET environment. The performance analysis results show that the proposed scheme has lower communication overhead and computational cost when compared with the related protocol. Therefore, the proposed authentication protocol is very suitable for the VANET environment.  [20] 181 bytes 352 bytes Islam et al. [21] 324 bytes 388 bytes Ahamed et al. [29] 108 bytes 288 bytes The proposed 120 bytes 300 bytes

Conflicts of Interest
The authors declare that they have no conflicts of interest.