Sage Journals: Discover world-class research

Abstract

Vehicular ad hoc networks are traffic applications of the Internet of Things, which are composed of vehicle nodes, roadside units, service providers, and other components. In a vehicular ad hoc network, data transmission and management rely heavily on the wireless channel, which is subject to potential threats such as information leakage and data attacks due to the openness of the automotive network. The construction of a secure and trusted system that does not damage the privacy of vehicular ad hoc networks must be further addressed. Existing works usually focus on the anonymous authentication mechanism but neglect anonymity abuse. Furthermore, they always require a trusted third party as a central authority, which causes some security problems. In view of these problems, this article proposes a scheme that is based on the no-certificate-center algorithm. By security analysis and experiments, the scheme is proved to have higher anonymity and higher efficiency.

Keywords

Vehicular ad hoc network anonymity authentication tracking decentralization

Introduction

With the rapid development of the Internet of Things (IoT), the intelligent transportation system has attracted huge interest in society. As a key component of the intelligent transportation system, vehicular ad hoc networks (VANETs) improve road security and traffic efficiency. Drivers and passengers can perceive traffic situations such as road access, location, speed, and other travel information and openly broadcast their own information, so the user driving experience is greatly enhanced. However, VANETs have many challenges and differences from the conventional traffic network: end-to-end authentication in VANETs is difficult due to the high speeds of vehicles.¹ In addition, privacy is a wide concern of drivers.² Because of the openness of VANETs, conventional security schemes do not effectively apply to their privacy security. Thus, a new security scheme for guaranteeing vehicular privacy in VANETs is urgently needed. Ensuring both anonymity and authentication is a dual requirement in VANETs. Although anonymity and authentication seem to be contradictory, they must coexist. However, effective schemes are rare in the literature, and the existing anonymous authentication schemes cannot provide reverse tracking when anonymous abuse occurs.

Related works

In recent years, multiple authentication schemes have been proposed in the literature. Ma et al.³ combine smart card and password authentication technology to design a secure authentication scheme that can resist offline password guessing and denial of service attacks and ensures user anonymity. Wang et al.⁴ consider the trade-off between security and privacy and put forward an anonymous two-factor authentication scheme that is based on the basic evaluation index. Based on Kim–Kim two-factor authentication technology, a method⁵ is proposed to enhance the efficiency without causing additional communication and computational overhead while increasing security ability. To tackle the weakness of AdaBoost technology for vehicle authentication, Wen et al.⁶ propose a rapid incremental learning algorithm of AdaBoost for improving the vehicle detection process.

In VANET, privacy information such as user identity and location is important and sensitive in the communication process. The system should not only ensure authentic identity but also prevent privacy leakage.^2,7,8 The previous schemes for protecting VANET privacy focus on the identity of the anonymous user. Common techniques that are used in studies include the group signature scheme,^9,10 ring signature scheme,¹¹ ID-based signature scheme,^12–16 blind signature,¹⁷ and improved technology.^18–21

Guo et al.⁹ are early adopters of Boneh group signature technology for in-vehicle communications. Calandriello et al.¹⁰ note that the computational overhead and length of the group signature in the signature generation and verification process are much larger than in general public key infrastructure (PKI) digital signature schemes (such as elliptic curve digital signature algorithm (ECDSA)), so schemes that use the group signature for in-vehicle safety are inefficient. Thus, many researchers want to reduce the high overhead and security risk of the group signature. Some researchers resort to using ring signature schemes to achieve the desired objectives. A ring signature scheme is similar to a simplified group signature scheme. It uses rules to form a ring, which has anonymity features. For example, Zhang et al.¹¹ propose a privacy-preserving authentication protocol based on ring signature without bilinear pairings in VANETs. This achieves effective privacy protection and authentication mechanisms and reduces the computational overhead of the signature generation process by avoiding the complex operations of bilinear pairings. Some researchers focus on using the identity-based signature (IBS) to implement identity-based anonymous authentication, such as Sun et al.,¹² ACPN,¹³ Jinila and Komathy,¹⁴ privacy protection authentication scheme (PPAS),¹⁵ and He et al.¹⁶ Among them, Sun et al.¹² are relatively early researchers. They use zero-knowledge proof and a threshold secret sharing algorithm to design an anonymous identity authentication scheme that is based on signatures. PPAS¹⁵ uses IBS based on bilinear pairings to solve anonymous authentication issues, not only between on-board units (OBUs) but also between the roadside units (RSUs) and OBUs. In addition, to achieve conditional privacy and authentication, He et al.¹⁶ design a similar IBS. However, because it is based on the elliptic curve algorithm without bilinear pairing operations, it has less computational overhead and more security. Tian and Qiang¹⁷ propose a signature scheme (proxy blind signature scheme (PBSS)) that is based on blind signature and proxy multi-signature certification technology, which solves authentication problems between nodes. The use of two signature technologies realizes on-board authentication interactivity and improves communication security. Experimental results show that PBSS can better meet the on-board node mobility and complexity requirements and has good performance in terms of authentication efficiency.

Lu et al.¹⁸ introduce an efficient conditional privacy preservation (ECPP) protocol to guarantee an anonymous authentication scheme with authority traceability. The proposed protocol is realized using on-the-fly short-time anonymous keys between OBUs and RSUs, which can provide fast anonymous authentication and abuse tracking, as well as minimize the required storage for short-time anonymous keys. They demonstrate the large merits of the proposed protocol through extensive analysis. Shim¹⁹ proposes a conditional privacy-preserving authentication scheme, which is called CPAS, using pseudo-IBSs for secure vehicle-to-infrastructure communications in VANETs. The scheme achieves conditional privacy preservation in which each message that is sent by a vehicle is mapped to a distinct pseudo-identity, and a trusted authority can retrieve the real identity of the vehicle from the pseudo-identity. In this scheme, an RSU can simultaneously verify multiple received signatures, thereby considerably reducing the total verification time. An RSU can simultaneously verify 2540 signed messages per second. Compared with the previous scheme, the time for simultaneously verifying 800 signatures can be reduced by 18%. However, all of the aforementioned schemes depend on a trusted third party; thus, they are not suitable for the self-organized VANET environment and do not avoid the single-point failure problem. Wang et al.²⁰ introduce an efficient conditional privacy-preserving authentication scheme (ECPB) that is based on group signature for VANETs. Although group signature has been widely used in VANETs, the existing schemes that are based on group signatures suffer longer computational delays in the certificate revocation list (CRL) checking and the signature verification processes, thereby leading to lower verification efficiency. In ECPB, membership validation is required when a vehicle applies to become a group member, and validity verification is used to check whether the vehicle is a group member or not, which can be used as a substitute for CRL checking. Neglecting CRL checking sharply decreases the costs incurred in signature verification. In addition, the proposed scheme also supports batch verification. Experimental analysis proves that the proposed scheme is more efficient than existing schemes, in terms of verification delay and average delay.

A similar scheme is presented in Liu et al.²¹ Based on democratic group signatures and a decentralized secret sharing algorithm, this scheme proposes a threshold traceability anonymous authentication scheme without a trusted center. The scheme is decentralized and self-organized; thus, it is well suited to the characteristics of an ad hoc network. The scheme is proved to be anonymous, traceable, and complete; therefore, it satisfies the security requirements of anonymous authentication well. Although this scheme addresses the decentralization issue, its computational cost is huge, and it is complex if applied in VANETs.

In view of the above problems, this article presents a self-organized anonymous authentication and tracking scheme that is based on the fair blind signature and a secret sharing algorithm. It is called Without Center Certificate in VANET (WCCV) and focuses on identity information protection and communication anonymity.

System description and objectives

Basic network structure and system overview

The network structure used in this scheme mainly includes three types of entities:

An OBU is in a vehicle and stores information about the vehicle, such as vehicle identity, license plate number, and related vehicle properties and also communicates with other OBUs.

The RSU, which consists of the radio frequency controller, network communication module, power module, and microwave transceiver module, is responsible for the signal and data transmission, encoding and decoding, decryption, and so on. Compared with the OBU, it has higher storage and forwarding capabilities and can communicate with not only OBUs but also the exterior network.

An infrastructure entity provides the infrastructure for the whole system and is in charge of network connectivity.

As illustrated in Figure 1, once a vehicle wants to enter a local community, it must use its OBU to register at an RSU via the local infrastructure. As with general secure schemes, we assume that the system is secure in the registration phase and unsecure in the other phase. Because the RSU is the high-performance node in a VANET, it oversees the construction of encryption infrastructure in the registration phase. In a normal communication phase, regional vehicles generate their own signatures via an anonymous signature set and then use them as certificates to communicate with others anonymously, while other vehicles can verify the validity of these signatures. If anonymity abuse appears, the RSU can ask a certain number of vehicles to form a tracking set to retrieve the illegal vehicle.

Figure 1.

The basic network structure.

Basic objectives of the scheme

The main objectives of the scheme are as follows:

Avoid anonymity abuse. WCCV addresses the anonymity abuse issue and improves it, which makes it more suitable for the requirements of VANETs.

No single trusted center. Distributed tracking means that there is no single trusted third-party center that oversees anonymous communication. Thus, single-point failure is avoided, and the robustness of the scheme is improved.

Avoid tracking abuse. The tracking of malicious entities is jointly completed by multiple vehicles, which can prevent fraud and forgery attacks.

Proposed authentication scheme

Initialization and registration phase

In this phase, when vehicles enter a controlled region, they must register in the network. Relevant system parameters and public–private key pairs for signing are generated. This phase includes the following steps:

Assume n is the number of vehicles in the controlled region and $U_{V}$ is the vehicle set $U_{V} = {V_{1}, V_{2}, \dots, V_{n}}$ . The RSU selects a pair of large prime numbers p and q, where q is the largest prime factor of $p - 1$ . G is the cyclic group of the large prime number p, whose generator is g, which is the qth-order element of $Z_{q}$ . Then, the RSU generates the one-way hash function $H : {0, 1}^{*} \to Z_{q}^{*}$ while the threshold value t is set. Finally, the RSU publishes (p, q, g, G, H, t).

The vehicle $V_{i}$ $(1 \leq i \leq n)$ selects any sub-key $K_{i}$ as the signing key, where $K_{i}$ satisfies $K_{i} \in Z_{q}$ and is different from the sub-keys that have been selected by other vehicles. Then, using $K_{i}$ , $V_{i}$ generates the corresponding public key $Y_{i} = g^{K_{i}} mod p$ and submits it to the RSU. After receiving the keys $Y_{i}$ of all vehicles, the RSU randomly selects a t − 1-degree polynomial $f (x) = (a_{0} + a_{1 x} + \dots + a_{t - 1 x^{t - 1}}) mod q$ , where $f (0) = a_{0}$ and $a_{0}$ is the shared secret of the vehicle set and the trapdoor for tracking. Then, the RSU publishes the detection vector $u = (u_{0}, u_{1}, \dots, u_{t - 1})$ , where $u_{i} = g^{a_{i}} mod p$ , $i = (0, 1, \dots, t - 1)$ . Finally, the RSU selects the random number c $(c \neq K_{i})$ from $Z_{q}$ , where c is prime to $p - 1$ , and then calculates a public key $P_{i} = f (Y_{i}^{c}) mod q$ and $C = g^{c} mod p$ and sends $P_{i}$ and C to $V_{i}$ . The key $P_{i}$ that is published by the RSU is different because different vehicles select different values of K_i; hence, the public key $P_{i}$ is unique.

$V_{i}$ verifies whether the key $P_{i}$ that is published by the RSU is valid. To ensure the security of the sub-key $K_{i}$ , $V_{i}$ calculates $S_{i} = C^{K_{i}} mod p$ and securely preserves $S_{i}$ , which is the private key for the signature of $V_{i}$ . At the same time, according to the detection authentication equation, $V_{i}$ calculates whether $g^{P_{i}} mod = Π_{k = 0}^{t - 1} u_{k}^{S_{i}^{k}} mod p$ is successful. If it is successful, the public key $P_{i}$ that is published by the RSU is proved correct, and the vehicle will preserve $P_{i}$ as a credential on behalf of its real identity.

Anonymous authentication and communication phase

After the initialization and registration phase, if a registered vehicle wants to join the regional communication, it must prove its legal identity, namely, the message signature. A vehicle without a signature message will not be approved. This phase mainly includes two algorithms: a signature generation algorithm, which is illustrated in Figure 2, and a signature verification algorithm, which is illustrated in Figure 3. Let $V_{k}$ denote a vehicle. $V_{k}$ selects some public keys from vehicle set $U_{V}$ to constitute the anonymous public key set $UP = (P_{1} | | P_{2} | | \dots P_{d})$ , which meets the requirement of its own public key. By combining public key set UP and private key $S_{i}$ , $V_{k}$ generates a signature $φ$ and sends it to the nearby vehicles for verification. In a sense, $φ$ represents the validity of the message. The process includes signature generation and signature verification. The main steps are the following.

Signature generation of vehicle message phase

Similar to the strategy that is used in Abe et al.,²² Vehicle $V_{k}$ adopts the following algorithm for generating the signature. The input parameters are $S_{x}$ , UP, m, and T, where m is the message and T is the timestamp of the message:

$V_{k}$ randomly selects $r_{k} \in Z_{q}$ , calculates $A_{k} = g^{r_{k}} mod p$ and $B_{k} = u_{0}^{r_{k}} P_{k} mod p$ , and then publishes the parameters $A_{k}$ and $B_{k}$ .

$V_{k}$ randomly selects $w_{i} \in Z_{q} (1 \leq i \leq d)$ , where d is the number of members in the anonymous public key set UP, and calculates the value $W = Π_{i = 1, i \neq k}^{d} P_{i}^{w_{i}} mod p$ .

$V_{k}$ randomly selects $x \in Zq (1 \leq i \leq d)$ and successively calculates $Q = g^{x} W mod p$ , $w = H (UP | | m | | Q)$ , $w_{k} = w - \sum_{i = 1, i \neq k}^{d} w_{i} mod q$ , and $s = x - S_{k} w_{k} mod q$ .

Finally, $V_{k}$ generates the signature $φ = (UP, g^{s}, w_{1}, w_{2}, \dots, w_{m}, T)$ for the message m and attaches this signature to the message to be sent to nearby vehicles.

Figure 2.

Signature generation.

Figure 3.

Signature verification.

Message verification phase

When the other vehicles in the region receive the message from $V_{k}$ , they first verify the validity of the timestamp of the message. If successful, they extract the signature and verify it; otherwise, they discard this message.

The detailed process is as follows: After the neighboring vehicles extract the signature of a message from $V_{k}$ , they first calculate $w' = \sum_{i = 1}^{d} w_{i} mod q$ and then verify that the equation $H (UP | | m | | g^{s} Π_{i = 1}^{d} P_{i}^{w_{i}} mod q) = w'$ is satisfied. If successful, the signature and the message are accepted. Otherwise, they discard the whole message that is attached to this signature.

Illegal vehicle tracking phase

In this phase, when a malicious anonymous vehicle appears, other vehicles can cooperate to track the real identity of this vehicle. This phase is based on the concept of a threshold secret sharing mechanism. According to the threshold value t defined in the system initialization phase, the RSU issues a request to track a malicious vehicle in the region. After the RSU receives responses from other vehicles, it selects t vehicles to form a tracking set $U'_{V} = {V_{1}, V_{2}, \dots, V_{t}}$ :

All of the vehicles in $U'_{V}$ receive the public key $P_{i} (1 \leq i \leq t)$ and $A_{k}$ , where $A_{k}$ is the parameter that was published by $V_{k}$ in the anonymous authentication and communication phase. Then, they cooperate to calculate $E_{k}$ as $E_{k} = Π_{i = 1}^{t} A_{k}^{P_{i} e_{i}} mod p$ in which $e_{i} = Π_{j = 1, j \neq i}^{t} \frac{- S_{j}}{S_{i} - S_{j}} mod q$ , where $S_{i}$ and $S_{j}$ are the private keys for the signatures of $V_{i}$ and $V_{j}$ , respectively.

These vehicles cooperate to use the parameters $B_{k}$ that $V_{k}$ published in the anonymous authentication and communication phase to output the public key information of illegal vehicle $P'_{k} = B_{k} / E_{k} mod p$ . To prevent tracking abuse in which an unauthorized vehicle utilizes the public key of an innocent vehicle to calculate the parameter $B_{k} = u_{0}^{r_{k}} P_{k}^{″} mod p$ to publish the identity of the innocent vehicle, the tracking group will further verify, according to the signature $φ$ , whether the equation $H (UP | | m | | g^{s} P'_{k}^{w_{k}} Π_{i = 1}^{d} P_{i}^{w_{i}} mod q) = w'$ is satisfied. If successful, it proves that the illegal vehicle information is true. Because of the uniqueness of the public key, the system can determine the identity of the illegal vehicle.

Participation of a new vehicle node

When a new vehicle V_x wants to join the communication group, V_x first needs to apply for registration at the RSU. V_x selects $K_{x}$ $(K_{x} \in Z_{q})$ as a sub-key. $K_{x}$ is different from the previous keys $K_{i}$ that have been selected by other vehicles. Then, V_x calculates $Y_{x} = g^{K_{x}} mod p$ and sends it to the RSU. As in the registration phase, the RSU calculates the public key of V_x, as $P_{x} = f (Y_{x}^{c}) mod q$ and $C = g^{c} mod p$ , and then sends $P_{x}$ and C to V_x. Finally, V_x verifies the validity of this public key and securely preserves $K_{i}$ .

Key update and revocation for illegal and absent vehicles

If an illegal vehicle appears and a certain vehicle has been absent for a long time, to ensure the effectiveness of the sub-keys of other vehicles, the system needs to update and revoke the key of the long-time absent or illegal vehicle. The RSU selects a new polynomial $f (x) = (a'_{0} + a'_{1 x} + \dots + a'_{t - 1 x^{t - 1}}) mod q$ and announces a new detection equation $u' = (u_{0}, u_{1}, \dots, u_{t - 1})$ . Other vehicles will calculate new keys, as they did in the system initialization phase.

Security and attack analysis

The anonymity of the scheme

In the authentication phase of the vehicle message signature, according to the Diffe–Hellman assumption, the signer of the message can choose the vehicle anonymous signature set (which contains the anonymous public keys of all the vehicles) to guarantee the anonymity of its real identity. Since the parameter $r_{k}$ is randomly selected by the vehicle, for the public parameter $B_{k}$ , the public key $P_{k}$ is not directly associated with its identity. Similarly, $w_{i}$ (i ≠ k), which is calculated by the equation $w_{k} = w - \sum_{i = 1, i \neq k}^{d} w_{i} mod q$ , is also chosen randomly and obeys the uniform distribution. In addition, due to the randomness of the parameter x, other vehicles and external attackers cannot calculate $g^{s} = g^{x - S_{k} w_{k}} mod p = g^{x} / P_{k}^{w_{k}} mod p$ to obtain the parameters $P_{k}^{w_{k}}$ , so it is impossible to determine the specific public key information of the signer from $(g^{s}, w_{1}, w_{2}, \dots, w_{k})$ . At the same time, the message receiver can verify the validity of the message by the formula $H (UP | | m | | g^{s} Π_{i = 1}^{d} P_{i}^{w_{i}} mod q) = w'$ , even though it does not know the real identity of the message signer. In other words, the message signer belongs to the set $U_{V}$ , which meets the security certification requirements. The proof is as follows

$\begin{matrix} H (UP | | m | | g^{s} Π_{i = 1}^{d} P_{i}^{w_{i}} mod q) \\ = H (UP | | m | | g^{x - S_{k} w_{k}} Π_{i = 1}^{d} P_{i}^{w_{i}} mod q) \\ = H (UP | | m | | g^{x - S_{k} w_{k}} g^{S_{k} w_{k}} Π_{i = 1, i^{1} k}^{d} P_{i}^{w_{i}} mod q) \\ = H (UP | | m | | g^{x} Π_{i = 1, i^{1} k}^{d} P_{i}^{w_{i}} mod q) \\ = H (UP | | m | | g^{x} W) \\ = H (UA | | m | | Q) \\ = w' \end{matrix}$

Nonforgeability of the message signature

If a malicious vehicle wants to forge the signature of vehicle $V_{j}$ to pass the authentication process, the attacker needs to forge a signature $φ_{j} = (UP, g^{s}, w_{1}, w_{2}, \dots, w_{m}, T)$ . As discussed in the introduction, faking a signature requires the use of the sub-key $K_{j}$ of $V_{j}$ . However, since $K_{j}$ is unique and has been converted to private key $S_{i}$ to be preserved securely, the attacker has no access to this private key information. The only information that the attacker can obtain is the public key of $V_{j}$ . To obtain the private key from the public key, the discrete logarithm problem must be solved. However, no feasible solution can be obtained in polynomial time. Therefore, the attacker cannot forge the signature information of a legal vehicle.

Unlinkability of the signature

According to its actual needs, the vehicle will select different anonymity sets UP in different anonymous authentication cycles. At the same time, because of the random selection of parameters $w_{1}, w_{2}, \dots, w_{k - 1}, \dots, w_{k}$ , and $r_{k}$ , x has the nonrelevance property. According to the signature generation formula $φ = (UP, g^{s}, w_{1}, w_{2}, \dots, w_{k}, T)$ , the selection of signers can create different signatures $φ$ for consecutive messages to carry. This can make multiple signatures independent, thereby ensuring that the message authentication is irrelevant. The message verifier cannot determine whether the sender of multiple messages is the same vehicle from the signature authentication, which protects the sender against signature linkability attacks.

Traceability of the scheme

When malicious behavior occurs, according to the threshold t, any t vehicles from the vehicle set can jointly retrieve the message signer’s identity. Using their respective public key share segments $P_{1}, P_{2}, \dots, P_{t}$ and corresponding private key information $S_{1}, S_{2}, \dots, S_{t}$ , these t vehicles can cooperate to calculate $E_{k}$ and, by the formula $P'_{k} = B_{k} / E_{k} mod p$ , obtain the identity information of the illegal vehicle. The proof of correctness is as follows

$E_{k} = \prod_{i = 1}^{t} A_{k}^{P_{i} e_{i}} mod p = g^{r_{k} \sum_{i = 1}^{t} P_{i} e_{i}} mod p = g^{r_{k} a_{0}} mod p = u_{0}^{r_{k}} mod p$

This formula proves that only if at least t members are involved in the recovery of the signatures can the identity information of the malicious vehicle can be retrieved. According to the actual need, the system can choose a suitable threshold value t to avoid conspiracy attacks. At the same time, tracking a malicious vehicle does not require the participation of all the vehicles, which is more effective in practice.

Nontrusted center of the scheme

Compared with the other schemes, this scheme reduces the reliance on a trusted third party. If certificate issuance and the tracking process require the involvement of a trusted third party, the system security largely depends on the security of the trusted third party. In our scheme, the RSU works as a higher computing performance node, in comparison with the ordinary vehicle nodes. Even without the presence of the RSU, other vehicle nodes still can complete these signature and certification phases. In the system initialization phase, each vehicle selects a sub-key and calculates the public–private key pair for signing. In the signature generation phase, the vehicle that wants to send messages randomly selects the anonymity set and random parameter to form its signature. In the signature verification phase, only the receiver of the messages participates, namely, the verifier. In addition, when a new vehicle joins the system, the keys of illegal vehicles are revoked, and the group public key is updated; the system needs to ask only the vehicles in the controlled region to cooperate to update the group public key and threshold value, which does not rely on a trusted third party.

Experiment and analysis of results

Computational cost analysis

Because VANET is a delay-sensitive network, we use time cost as the comparison measure of computational cost. The most time-consuming phases are the system initialization, signature verification, and anonymous tracking phases. To facilitate subsequent comparison, $T_{ex}$ denotes the time cost of modular exponentiation, $T_{mu}$ denotes the time cost of modular multiplication, $T_{p}$ denotes the time cost of pairing computation, and $T_{SM}$ denotes the time cost of scalar multiplication. The costs of other low-complexity operations are not considered because of the high computing performance of current computers. During the initialization phase, the main time-consuming operation is the public key information calculation $(t - 1) T_{mu} + (t - 2) T_{ex}$ . During the signature verification process, the computational cost mainly consists of the selection of random numbers $w_{1} - w_{d}$ and the cost of calculating $w_{k}$ and s, which is $5 T_{mu} + (2 d + 2) T_{ex}$ and depends on the size of the anonymous authentication set. During the tracking process, the computing cost for t members to jointly track a malicious vehicle is $2 T_{mu} + (t + d + 1) T_{ex}$ . The following table compares the computational costs of several of the aforementioned schemes.

According to this table, the computational cost in the system initialization phase is significantly lower than that of threshold traceability anonymous authentication²¹ and ECPP¹⁸ and higher than that of ECPB²⁰ and CPAS.¹⁹ However, as mentioned in the next section, ECPB and CPAS have no ability to track anonymity abuse. In the signature verification phase, the computational cost depends mainly on the size of the anonymity set d. If the number of members of the anonymity set is small, the computational cost is less than the costs of other schemes. In the tracking phase, the computational cost depends on the choice of threshold t. Compared to Liu et al.,²¹ although the cost increases, the overall certification efficiency and the overall computational cost are improved. At the same time, according to Table 1, with the increment of parameters t, d, and n, different schemes have different computational cost increments.

Table 1.

The cost of calculation.

Scheme	Initialization	Signature authentication	Tracking
Threshold traceability anonymous authentication²¹	$n (t - 1) T_{mu} + n (t - 2) T_{ex}$	$(6 n - 2) T_{mu} + (14 n - 2) T_{ex}$	$T_{mu} + t T_{ex}$
ECPP¹⁸	$2 n (T_{mu} + T_{ex})$	$12 T_{mu} + 2 n T_{ex}$	$2 n T_{ex}$
ECPB²⁰	$2 T_{SM}$	$(n + 2) T_{SM}$	None
CPAS¹⁹	$T_{SM}$	$3 T_{p} + (n + 1) T_{SM}$	None
WCCV	$(t - 1) T_{mu} + (t - 2) T_{ex}$	$5 T_{mu} + (2 d + 2) T_{ex}$	$2 T_{mu} + (t + d + 1) T_{ex}$

ECPP: efficient conditional privacy preservation; ECPB: efficient conditional privacy-preserving authentication scheme; CPAS: conditional privacy-preserving authentication scheme; WCCV: Without Center Certificate in VANET.

Performance analysis

Table 2 presents the performance comparison of authentication and anonymity between ECPP,¹⁸ ECPB,²⁰ CPAS,¹⁹ and our scheme. Among them, ECPB improves the low efficiency of certificate revocation delay of the existing group signature scheme in which the validity certification is added to the signature to reduce the cost of CRL checking. CPAS can map every message to a pseudo-identity under the conditional privacy protection and can verify the signer’s real identity from the authority.

Table 2.

Performance comparison.

Property	Schemes
Property	ECPP	ECPB	CPAS	WCCV
Anonymity	√	√	√	√
Authentication	√	√	√	√
Conditional tracking	√	√	√	√
Threshold tracking	×	×	×	√
Decentralization	×	×	×	√

Authentication efficiency and communication cost

This section presents the simulation experiment of the authentication efficiency. The scheme uses C++ language and is based on the Visual Studio 2012 platform of the Windows 7 system with a 2.6-GHZ i5 processor and 4-G memory. The experimental dataset is generated using Thomas Brinkhoff’s road network,²³ which is widely recognized by the mobile data management industry, and the Oldenburg transportation network. The Oldenburg traffic network (5 km × 5 km) is taken as the input to generate the mobile dataset and communication node objects. The experimental parameters are shown in Table 3.

Table 3.

The parameters.

Parameter	Default value
Running time	100 s
The number of OBU nodes	1000
The selection range of the anonymity	0–1000
Signal transmission range of OBU	300 m
Speed range	0–120 km/h
The interval of information sending	200 ms
Data size carried by OBU	100 B
Signal bandwidth	6 Mb/s
Maximum hop count	5
The effective time of message	2 s

OBU: on-board unit.

Figure 4 presents the effect of the anonymous authentication set on the message response time. While keeping the other parameters constant in the experiment, we change the size of the anonymous authentication set to assess the average response time of OBU nodes in signing and verifying a message signature.

Figure 4.

The effect of the anonymity set.

According to this figure, when a small anonymity set is selected, the average response time is short. Nevertheless, as the size of the selected anonymity set increases, the response time of signature verification gradually increases.

Experimental evaluation is performed following two aspects for comparison with CPAS and ECPB:

Authentication success rate. Since the computing ability of a single-node OBU is limited, the authentication success rate refers to the ratio of the number of successful authentication messages to the total number of messages that are received by the OBU within the unit time. The higher the number of certification messages that are received per unit time, the higher the success ratio.

Average traffic cost. This refers to the average number of data messages in a running period. The lower the average traffic cost, the higher efficiency of message processing, the lower the number of retransmission messages, and the lower the communication overhead.

Figure 5 presents the efficiency of the authentication message with the variation of the number of messages. In the initial phase, the number of messages is small, so the success rates of authentication are almost equal in these three schemes. When the number of messages increases to 10, due to the largest validity time of the message, the successful authentication ratios of the three schemes undergo significant changes. The downward trends of ECPB and CPAS accelerate; however, our scheme can ensure high authentication efficiency due to the partial selection of the anonymity set. When the number of messages reached 40, the authentication efficiencies of ECPB and CPAS are reduced to 60% or less. Finally, because of the OBU computing power, with the increase in the number of authentication messages, the authentication efficiencies of the three schemes tend to decline; however, the efficiency of our scheme, in general, is higher than those of the other two schemes.

Figure 5.

The authentication proportion.

Figure 6 shows the average traffic costs of the three schemes. In the initial phase, because there are fewer messages, the average traffic costs of the three schemes are similar, and all tend to increase with running time. Finally, because the optional anonymity set in our schemes can shorten the response time, which reduces the number of invalid message retransmissions within the authentication period, our scheme reduces the communication overhead and has a relatively better effect.

Figure 6.

The overhead of communication.

Conclusion

This article presents a noncenter anonymous authentication scheme for the privacy protection of vehicles in VANET. Compared to the previous signature schemes, this scheme reduces reliance on a trusted third party. Security analysis and experiments show that it meets the necessary security requirements, such as authentication security, process simplicity, and good anonymity and can avoid the cumbersome process of certification and pseudonym issuance. In addition, illegal signature vehicles can be tracked using threshold tracking. It is suitable for noncentral, self-organizing VANET environments with anonymous demand.

Footnotes

Handling Editor: Paolo Bellavista

Declaration of conflicting interests

The author(s) declared no potential conflicts of interest with respect to the research,authorship,and/or publication of this article.

Funding

The author(s) disclosed receipt of the following financial support for the research,authorship,and/or publication of this article: This work was supported by the Internet innovation and open platform base of the Ministry of Education of China (KJRP1401),the US-China Computer Science Research Center of Nanjing University of Information Science and Technology (KJR16059),Hunan University of Science and Technology (E51372,G31410),and the Education Department of Hunan Province (17B096).

References

Mejri

Ben-Othman

Hamdi

Survey on VANET security challenges and possible cryptographic solutions. Veh Commun 2014; 1(2): 53–66.

Patil

PS.

Secured and privacy preserving navigation for VANET. Int J Electr Electron Res 2015; 3(2): 305–309.

C-G

Wang

Zhao

S-D.

Security flaws in two improved remote user authentication schemes using smart cards. Int J Commun Syst 2014; 27(10): 2215–2227.

Wang

Anonymous two-factor authentication in distributed systems: certain goals are beyond attainment. IEEE T Depend Secure 2014; 12(4): 428–442.

Wang

et al . Preserving privacy for free: efficient and provably secure two-factor authentication scheme with user anonymity. Inf Sci 2015; 321(5): 162–178.

Wen

Shao

Xue

et al . A rapid learning algorithm for vehicle classification. Inf Sci 2015; 295(1): 395–406.

Xia

Zhu

Sun

et al . Towards privacy-preserving content-based image retrieval in cloud computing. IEEE Trans Cloud Comput 2015; 295(1): 395–406.

Xia

Xiong

Vasilakos

et al . EPCBIR: an efficient and privacy-preserving content-based image retrieval scheme in cloud computing. Inf Sci 2017; 387: 195–204.

Guo

Baugh

Wang

A group signature based secure and privacy-preserving vehicular communication framework. In: Mobile networking for vehicular environments (MOVE), Anchorage, AK, 24 September 2007, pp.103–108. New York: IEEE.

10.

Calandriello

Papadimitratos

Hubaux

J-P

et al . Efficient and robust pseudonymous authentication in VANET. In: Proceedings of the fourth ACM international workshop on vehicular ad hoc networks (VANET 07), Montreal, QC, Canada, 10 September 2007, pp.19–28. New York: ACM.

11.

Zhang

Cui

A novel and efficient privacy-preserving authentication protocol in VANETs. Int J Digit Content Technol Appl 2012; 6(9): 157–164.

12.

Sun

Zhang

et al . An identity-based security system for user privacy in vehicular ad hoc networks. IEEE T Parall Distr 2010; 21(9): 1227–1239.

13.

Guizani

ACPN: a novel authentication framework with conditional privacy-preservation and non-repudiation for VANETs. IEEE T Parall Distr 2015; 26(4): 938–948.

14.

Jinila

Komathy

An efficient authentication scheme for Vanet using Cha Cheon’s ID based signatures. Indian J Appl Res 2014; 4: 106–109.

15.

Zhu

Liu

Wei

et al . PPAS: privacy protection authentication scheme for VANET. Cluster Comput 2013; 16(4): 873–886.

16.

Zeadally

et al . An efficient identity-based conditional privacy-preserving authentication scheme for vehicular ad hoc networks. IEEE T Inf Foren Sec 2015; 10(12): 2681–2691.

17.

Tian

Qiang

Research of an authentication scheme based on the proxy blind signature scheme for the vehicular ad-hoc networks. Bull Sci Technol 2012; 28(10): 170–173.

18.

Lin

Zhu

et al . ECPP: efficient conditional privacy preservation protocol for secure vehicular communications. In: The 27th conference on computer communications (INFOCOM 2008), Phoenix, AZ, 13–18 April 2008, pp.1903–1911. New York: IEEE.

19.

Shim

KA.

CPAS: an efficient conditional privacy-preserving authentication scheme for vehicular sensor networks. IEEE T Veh Technol 2012; 61(4): 1874–1883.

20.

Wang

Zhong

et al . ECPB: efficient conditional privacy-preserving authentication scheme supporting batch verification for VANETs. Int J Netw Secur 2016; 18(2): 374–382.

21.

Liu

F-B

Zhang

et al . Threshold traceability anonymous authentication scheme without trusted center for ad hoc network. J Commun 2012; 33(8): 208–213.

22.

Abe

Ohkubo

Suzuki

1-out-of-n signatures from a variety of keys. In: Zheng

(ed.) Lecture notes in computer science (including subseries lecture notes in artificial intelligence and lecture notes in bioinformatics), vol. 2501. Berlin: Springer, 2002, pp.415–432.

23.

Brinkhoff

A framework for generating network-based moving objects. Geoinformatica 2002; 6(2): 153–180.