Sage Journals: Discover world-class research

Abstract

With the rapid booming of intelligent traffic system, vehicular ad hoc networks have attracted wide attention from both academic and industry. However, security is the main obstacle for the wide deployment of vehicular ad hoc networks. Vehicular ad hoc networks security has two critical issues: access authentication and privacy preservation. How to ensure privacy preservation and improve the efficiency of authentication has become the urgent needs. However, the existing access authentication schemes for vehicular ad hoc networks with different flaws cannot maintain the balance between security and efficiency. Thus, an anonymous access authentication scheme for vehicular ad hoc networks under edge computing based on ID-based short group signature mechanism is proposed in this article to improve the efficiency and anonymity of access authentication. Multiple pseudonyms are presented to preserve the privacy of vehicle node. Besides, a new method is designed to identify and revoke malicious vehicles in the evaluation manner. The core protocols of the proposed scheme are proved to be secure by SVO logic. According to the computation cost and transmission overhead analysis, we indicate that our scheme owns better performance. Moreover, in this article, we combine vehicular ad hoc networks with edge computing together to provide a new clue for the development of mobile edge computing.

Keywords

Vehicular ad hoc networks access authentication privacy preservation identity-based short group signature edge computing

Introduction

The increasing requirement for improving security and privacy for user has brought wide interest on anonymous access authentication for vehicular ad hoc networks (VANETs). The VANETs, a type of wireless mesh network (WMN¹), are designed for car interconnection communication under roadside infrastructures.² The rapid advances in intelligent vehicles and cloud computing technologies in recent years motivate researchers to investigate a new concept of edge computing.³ As a new paradigm, edge computing works between the cloud and the terminal nodes, which enables to take full advantage of cloud computing, thereby providing vehicles with powerful computing resources and useful services.^4,5 Different from cloud computing in the data center, edge computing can furthest promote the computing capabilities of terminal. In VANETs, the high mobility of vehicles and massive data from data center make the real-time communication hard under the common cloud computing environment.^6,7 Edge computing can move the large amount of calculating pressure from the vehicle terminal to the roadside infrastructure (edge computing node),^8,9 which is thus considered to be an ideal solution to the computational-cost process in VANETs during access authentication. However, few solutions are focused on the combination of access authentication with edge computing in VANETs.¹⁰

VANETs can provide a lot of convenience for the vehicle user. For example, vehicles can share traffic information via VANETs to select better travel routes. If necessary, special vehicles, such as emergency vehicles, may even apply to control the traffic lights through VANETs to save more time for patients. In the future, massive data generated by vehicles accessed into VANETs require real-time processing to make decisions. In the future, as an essential part of intelligent transportation system (ITS), VANETs are becoming the focus of academia and industry.¹¹

Features and challenges of VANETs

As shown in Figure 1. VANETs contain three types of network entities: on-board unit (OBU), the intelligent module, which is loaded with integrated embedded systems, global positioning system (GPS), and the tamper-proof device (TPD). The roadside unit (RSU) is a roadside infrastructure, acts as the role of edge node, that can provide edge computing and access services for vehicles. The third-party trust authority (TA) is the central institution of the management for vehicles. VANETs communication is able to be divided into two modes that are vehicle-to-vehicle communication (V2V) and vehicle-to-infrastructure communication (V2I). The communication follows the dedicated short range communications (DSRCs¹²) protocol.

Figure 1.

The architecture of VANETs under edge computing.

VANETs have their unique features:

Vehicles own strong computing ability and rich storage capacity.

VANETs are more constant and stable than other ad hoc networks, due to the movements of the vehicles on the same direction are foreseeable.

However, the current technology of VANETs is still not mature enough and facing many security challenges such as access authentication, privacy preservation, traceability, unlinkability, and identification and revocation of malicious nodes.

In the aspect of security mechanisms for VANETs, access authentication and privacy preservation have been paid more and more attentions. How to construct concrete scheme of access authentication and privacy preservation has become a hotspot.¹³

Related work

In previous years, some scholars have proposed a number of typical anonymous-certificates-based schemes^14–16 for VANETs. There is no doubt that the utilization of certificates improves the efficiency of verification. However, with high overhead of certificate management as well as key distribution and management, all of the proposals are not suitable for deploying VANETs in a large scale. Furthermore, some schemes have a high requirement of OBU storage. Instead, several group-signature-based VANETs authentication schemes^17–21 are proposed. Depending on group signature mechanisms, the authentication schemes may eradicate the high certificate management overhead and preserve the user privacy. In addition, each group member is able to sign the message to represent for the group. Thus, the adversary may not identify the signer according to the signed message. Nevertheless, once the number of vehicles increases dramatically, the packet loss rate is increased simultaneously. In recent years, ID-based cryptography (IBC) is put forward as a rising form of public key cryptography.²² The most important ascendancy of IBC is that it streamlines the key management burden compared to traditional certificate-based public key systems.²³ A number of identity-based authentication solutions for VANETs are then put forward.^24–30 But, there are still no mature solutions for VANETs to guarantee both security and high efficiency. In addition, the schemes have defects in preserving privacy and identifying and revoking malicious node. Moreover, few access authentication schemes combining edge computing with VANETs have been proposed.

Different from the above reported schemes, we have published an article³¹ in IMIS 2017: an anonymous access authentication scheme (AAAS) for VANETs Based on identity-based short group signature (ISGS),³² which could ensure efficient access authentication and strong privacy preservation. In this article, a novel AAAS for VANETs under edge computing based on ISGS mechanism is proposed, which could achieve efficient access authentication and formidable privacy preservation. Besides, in this article, we extend the paper³¹ published in IMIS 2017 and combine access authentication with edge computing together with security proof as well as more comprehensive performance analysis. Specifically, the major contributions of this article are fivefold:

An AAAS for VANETs under edge computing is proposed, in which the usage of identity-based group signature and multiple pseudonyms can provide strong privacy preservation for users.

We design a new VANETs framework combining with edge computing, in which, RSUs play the role of edge computing nodes and the computation burden of OBUs is thus reduced.

We present a new identification and revocation approach of malicious node through evaluation mechanism.

The security analysis is carried out to indicate that our proposed scheme may meet the security and privacy needs in VANETs. In addition, the security proof of the fundamental protocols is presented through Syverson–Van Oorschot (SVO) logic.

Finally, the analysis of computation cost, transmission overhead, and serving ratio are performed to illustrate that our scheme performs better in both V2I and V2V authentication compared with previously proposed schemes for VANETs.

The rest of this article is arranged as given below. Section “Preliminaries” elaborates the related preliminaries. In section “The proposed anonymous authentication scheme,” we introduce the trust model, security requirements, and the details of the proposed access authentication scheme. The security proof of the fundamental protocols and formal security analysis are given out in section “Security proof and analysis.” In section “Performance analysis,” the comparisons of performance analysis are carried out. Finally, the conclusion is drawn in section “Conclusion.”

Preliminaries

We utilize CC signature mechanism for authentication between OBUs and RSUs, and ISGS mechanism for authentication among OBUs. The corresponding cryptography building blocks will be presented in this section.

Bilinear pairing

The bilinear pairing $e : G_{1} \times G_{1} \to G_{2}$ holds the following features. And, the given $G_{1}$ is an additive group and $G_{2}$ is a multiplicative group with prime order $p$ , where $p = q^{n}$ , $q$ is prime and $n \in Z +$ :

Bilinearity. The pairing $e : G_{1} \times G_{1} \to G_{2}$ is said to be bilinear if the equation $e (aP, bQ) = e (P, Q)^{ab}$ holds with $\forall P, Q \in G_{1}$ and $\forall a, b \in Z_{q}^{*}$ , where $Z_{q}^{*} = [1, \dots, q - 1]$ .

Nondegeneracy. For any $Q \in G_{1}$ , if $e (P, Q) = 1$ , then $e (P, P)$ is an element of $G_{2}$ , and $P$ is a generator in $G_{1}$ .

Computability. The bilinear pairing $e : G_{1} \times G_{1} \to G_{2}$ can be efficiently computed.

In this scheme, elliptic curve–based mathematical hard problem in cryptography is also involved:

ECDLP (Elliptic Curve Discrete Logarithm Problem). For randomly selected points $P, Q$ on elliptic curve $E$ , it is difficult to compute an integer $x$ satisfying $Q = xP$ .

CDHP (Computational Diffie–Hellman Problem). It is difficult to calculate $abP$ according the given $P, aP$ , and $bP$ , where $a, b \in Z_{q}^{*}$ .

CC signature

CC signature mechanism,³² a type of identity based signature (IBS) mechanism, which includes four algorithms $Setup, Extract, Sign$ , and $Verify$ .

CC Setup. Given the bilinear pairing $e : G_{1} \times G_{1} \to G_{2}$ of prime order $q$ , where $P$ is a generator of $G_{1}$ . Randomly choose $s \in Z_{q}^{*}$ as the system master key and set $P_{pub} = sP$ . $H_{1} : {0, 1}^{*} \to G_{1}$ and $H_{2} : {0, 1}^{*} \times G_{1} \to Z_{q}^{*}$ are selected as two hash functions. The system parameter $params = {q, P, P_{pub}, e, H_{1}, H_{2}}$ .

CC Extract. Given user’s $ID \in {0, 1}^{*}$ to create a private key. Compute the verifying public key $Q_{ID} = H_{1} (ID) \in G_{1}$ . Calculate the user signing private key $d_{ID} = s Q_{ID}$ .

CC Sign. Sign the message $m \in {0, 1}^{*}$ with the user signing private key $d_{ID}$ . Select a random number $r \in Z_{q}^{*}$ , compute $U = r Q_{ID}$ , $V = (r + h) d_{ID}$ , where $h = H_{2} (m, U)$ , then get the signature $δ = {U, V}$ .

CC Verify. In order to verify $δ$ , the receiver examines the equation $e (P_{pub}, U + h Q_{ID}) ? = e (P, V)$ , if it holds, $δ$ is valid, or else $δ$ is invalid.

ISGS

The ISGS was proposed by Song et al.,³³ which is based on bilinear pairing and designed to guarantee the privacy preservation of group members. The specific algorithm are as below:

ISGS setup:

Given a additive group $G_{1}$ and a multiplicative group $G_{2}$ with two large primes $p$ and $q$ as well as a bilinear pairing $e : G_{1} \times G_{1} \to G_{2}$ . Selects two hash functions $H : {0, 1}^{*} \to G_{1}$ and $H_{1} : {0, 1}^{*} \times G_{1} \to G_{1}$ .

Selects the random generator $P \in G_{1}$ . Chooses $s_{g} \in Z_{q}^{*}$ as the private key of group manager (GM). Computes group public key $P K_{g} = s_{g} P$ .

Generates $V_{i} \in {0, 1}^{*}$ as the group member identity. GM calculates $Q V_{i} = H (V_{i})$ as the group signature verifying public key of the group member.

ISGS extract:

Assuming a new member $U_{i}$ joining to the group, the GM and $U_{i}$ are required to communicate through a secure channel as follows:

$U_{i}$ sends the identity $V_{i}$ to GM.

GM calculates $s k_{i} = s_{g} Q_{Vi}$ and sends it back to $U_{i}$ .

$U_{i}$ computes $b_{i}$ , to meet $b_{i} V_{i} \equiv 1 \mod φ (n)$ , where $n = pq$ .

$U_{i}$ gets the private key pair $〈 b_{i}, s k_{i} 〉$ .

ISGS sign:

For a given message $m$ ∈ ${0, 1}^{*}$ , $U_{i}$ signs $m$ as below:

Chooses a random number $x \in Z_{q}^{*}$ and calculates $A = xP$ .

Computes $B = x^{- 1} s k_{i} + H_{1} (m, A) b_{i}$ , where $x^{- 1}$ is the inverse of $x$ . The $M = {A, B, V_{i}}$ is the signature on $m$ .

ISGS verify:

For a signature $M = {A, B, V_{i}}$ on message $m$ , the verifier verifies $M$ through the group public key as below:

Computes: $α = e (V_{i} P k_{g}, Q_{Vi})$ , $β = e (A, V_{i} B)$ , $γ = e (A, H (m, A))$ .

Checks the equation $β ? = A γ$ , if it holds, $M$ is valid, otherwise $M$ is invalid.

The proposed anonymous authentication scheme

In this article, we extend the paper³¹ to combine VANETs anonymous access authentication with edge computing and propose a novel AAAS for VANETs under edge computing (AAAS). In this section, we mainly introduce the detail of the proposed authentication scheme.

Trust model and assumptions

The general VANETs consist of three types of network entities: OBU, RSU (edge node), and TA.

The trust model of the proposed scheme is shown in Figure 2. TA is one-way trusted to both RSU and OBU. TA and RSU are connected through a secure wired channel, while RSU and OBU communicate over the wireless channel and distrust to each other. Amid OBUs, they correspond via ad hoc and do not trust each other. Suppose that the TA is entirely trusted and that only TA can modify the information in the TPD integrated on the OBU.

Figure 2.

Trust model.

We assume that the adversary only has the common attack capabilities, such as impersonation, tampering, replay, and key-stealing attack.

Security requirements

As a public transportation network, VANETs face many security issues. In order to achieve the purpose of anonymous authentication, VANETs must meet the following security requirements:

Access authentication. Only completing the access authentication should vehicles be allowed to join the VANETs.

Anonymity. The true identity of the vehicle is very important for the vehicle owner. If it is leaked, the adversary can follow the vehicle for tracking and attacking or even endanger the owner’s life.

Traceability. Once a liability disputes occurs or malicious vehicle sending illegal messages, the system should be capable to expose the real identity of OBU to prevent the node utilizing anonymous identity to escape responsibility.

Unlinkability. The unlinkability is that the adversary cannot tell the different messages from the same OBU.

Identification and revocation of malicious nodes. Identifying and revoking malicious nodes is a key issue in VANETs. When some nodes fail, for example, sensors are manipulated, keys are extracted and used for spoofing messages, or other malicious behavior occurs, the system must be able to identify and remove these malicious nodes to avoid the potential security threats.

Resistance of typical attacks. The system should also be able to defend some common attacks such as impersonation, tampering, replay, and key-stealing attack.

The proposed scheme in this article try to meet the above requirements to be a complete solution.

AAAS

The AAAS proposed in this article is based ISGS to achieve the purpose of anonymous authentication. AAAS comprises five parts: System initialization, Registration, V2I authentication protocol, V2V authentication protocol, and Identification and revocation of malicious nodes. The notations and acronyms throughout this article are described as Table 1.

Table 1.

Notation and meaning.

Notation	Meaning
$ID$	The real identity of OBU
$V_{ID}$	Anonymous identity of OBU
$R_{ID}$	The real identity of RSU
$T S_{i}$	Current time stamp
$T$	Valid period of the group signing key
$P K_{A} / S K_{A}$	The public/private key of entity A
$P k_{g}$ / $s_{g}$	Group public/private key
$GS K_{A}$	The group signing key of entity A
$s_{v} / s_{R}$	OBU’s private key/RSU’s private key
$V_{i} / x_{i}$	The $i th$ pseudonym/the $i th$ random number of OBU
$b_{i} / s k_{i}$	Group signing key pair
$K_{A - B}$	The shared key between entity A and entity B
$N$	The trust value of OBU
$Enc_BF_P K_{A} (M)$	Using entity A’s $P K_{A}$ to encrypt message $M$ through $BF$ ³⁴ mechanism
$Enc_K (M)$	Using shared key $K$ to encrypt message $M$ through symmetric encryption mechanism
$Sign_CC_S K_{A} (M)$	Using entity A’s $S K_{A}$ to sign message $M$ through $CC$ mechanism
$Sign_ISGS_GS K_{A} (M)$	Using entity A’s $GS K_{A}$ to sign message $M$ through $ISGS$ mechanism

OBU: on-board unit; RSU: roadside unit.

System initialization

During system initialization, TA generates and publishes the public parameters as below:

TA opts for two large primes $p$ , $q$ and a elliptic curve $E : y^{2} \equiv x^{3} + 1$ .

TA generates cyclic groups $G_{1}$ and $G_{2}$ with prime order $q$ and a bilinear pairing $e : G_{1} \times G_{1} \to G_{2}$ .

TA randomly selects a generator $P \in G_{1}$ and $s \in Z_{q}^{*}$ as the system master key, then calculates the system public key $P_{pub} = sP$ .

TA selects four hash functions $H : {0, 1}^{*} \to G_{1}$ , $H_{1} : {0, 1}^{*} \times G_{1} \to Z_{q}^{*}$ , $H_{2} : G_{1} \to Z_{q}^{*}$ , and $H_{3} : {0, 1}^{*} \times G_{1} \to G_{1}$ .

TA publishes the system public parameters $param = {p, q, e, P, P_{pub}, H, H_{1}, H_{2}, H_{3}}$ .

Registration

For the purpose of achieving mutual authentication, OBU and RSU should register to TA:

Registration of OBU:

OBU sends $ID$ to TA over the secure channel.

TA calculates $V_{ID}$ = $Enc_BF_P K_{TA} (ID)$ for OBU. TA sets an initial trust value $N$ and computes the private key $s_{V}$ = $s Q_{IDV}$ for OBU, where $Q_{IDV}$ = $H (V_{ID})$ .

TA sends ${s_{V}, Q_{IDV}, V_{ID}, N}$ to OBU over the secure channel.

OBU stores ${s_{V}, Q_{IDV}, V_{ID}, N}$ in the TPD.

Registration of RSU:

RSU sends the real identity $R_{ID}$ to TA through the secure channel.

TA generates the private key $s_{R} = s Q_{IDR}$ for RSU, where $Q_{IDR} = H (R_{ID})$ . TA then selects $s_{g} \in Z_{q}^{*}$ as the group private key for RSU and calculates $P k_{g} = s_{g} P$ as the group public key.

TA sends ${s_{R}, Q_{IDR}, s_{g}, P k_{g}}$ to RSU over the secure channel.

RSU saves ${s_{R}, Q_{IDR}, s_{g}, P k_{g}}$ locally.

V2I authentication protocol

The V2I authentication protocol between OBU and RSU is executed when the mobile OBU moves to the wireless communication range of the accessed RSU. RSU is playing the role of edge node which owns richer computational power than OBU. During V2I authentication, we try to shift the large computational pressures from OBU to RSU to gain a better overall performance. As shown in Figure 3, the authentication protocol is composed of following steps:

RSU generates $δ_{1}$ = $Sign_CC_S K_{RSU} {P k_{g}, T S_{1}} = {U_{RSU}, V_{RSU}}$ , where $U_{RSU} = r_{RSU} Q_{IDR}$ , $V_{RSU} = (r_{RSU} + h_{RSU}) s_{R}$ , $h_{RSU} = H_{1} (P k_{g} | | T S_{1}, U_{RSU})$ , $r_{RSU} \in Z_{q}^{*}$ is randomly selected.

RSU periodically broadcasts ${δ_{1}, R_{ID}, P k_{g}, T S_{1}}$ .

When receiving { $δ_{1}$ , $R_{ID}$ , $P k_{g}$ , $T S_{1}$ }, OBU first checks the freshness of $T S_{1}$ . If $T S_{1}$ is fresh, OBU continues to verify $δ_{1}$ by checking $e (P, V_{RSU}) ? = e (P_{pub}, U_{RSU} + h_{RSU} Q_{IDR})$ . If the equation holds, RSU is regarded as a legal one. Otherwise, OBU rejects to access the RSU. OBU then computes $δ_{2} = Sign_CC_S K_{OBU} {r_{OBU}, T S_{2}} = {U_{OBU}, V_{OBU}}$ , where $r_{OBU} \in Z_{q}^{*}$ is randomly selected, $U_{OBU} = r_{OBU} Q_{IDV}$ , $V_{OBU} = (r_{OBU} + h_{OBU}) s_{V}$ , $h_{OBU} = H_{1} (r_{OBU} | | T S_{2}, U_{OBU})$ . OBU computes $K_{v - r} = P k_{g} r_{OBU} = s_{R} P r_{OBU}$ and $c = E_K_{r - v} {V_{ID}}$ .

OBU sends ${c, δ_{2}, r_{OBU} P, T S_{2}}$ to RSU.

After getting the message from OBU, RSU checks if $T S_{2}$ is fresh. If it is fresh, RSU calculates the shared key $K_{r - v} = r_{OBU} P s_{R} = r_{OBU} P k_{g}$ and exploits $K_{r - v}$ to decrypt $c$ to obtain $V_{ID}$ . Afterward, RSU checks $e (P, V_{OBU}) ? = e (P_{pub}, U_{OBU} + h_{OBU} Q_{IDV})$ . Then, OBU will be taken as a legal node if the equation holds. Otherwise RSU refuses to supply access service to the OBU. RSU randomly selects $x_{i} \in Z_{q}^{*}, i = {1, 2, 3, . . ., k}$ computes $V_{i} = {V_{i, 1}, V_{i, 2}}$ and $Q_{Vi}$ , where $V_{i, 1} = x_{i} P, V_{i, 2} = V_{ID} \oplus H_{2} (x_{i} P_{pub})$ , $Q_{Vi} = H (V_{i, 2})$ , $s k_{i} = s_{R} Q_{Vi}$ . RSU chooses $T$ as the valid period of the group signing key and calculates $c_{1} = E_K_{r - v} {〈 s k_{i}, V_{i}, T 〉}$ .

RSU sends $c_{1}$ back to OBU.

After getting $c_{1}$ , OBU decrypts $c_{1}$ to obtain $〈 s k_{i}, V_{i}, T 〉$ . Then, OBU selects $b_{i}$ for each $V_{i}$ , satisfying $b_{i} V_{i} \equiv 1 \mod φ (n)$ . $〈 b_{i}, s k_{i}, V_{i}, T 〉$ is stored in the TPD and the V2I authentication is completed.

Hence, we can see that edge computing has the unique feature to reduce the calculating pressure of vehicle terminal to guarantee the users demand for real-time authentication.

Figure 3.

V2I authentication protocol.

V2V authentication protocol

After V2I authentication, the accessed legal OBUs get their pseudonyms and group signing key pairs. Thus, OBUs may certificate each other for secure communication, which is known as V2V authentication. As shown in Figure 4, the V2V authentication (between $OB U_{i}$ and $OB U_{j}$ ) is triggered as the following steps:

$OB U_{i}$ chooses pseudonym $V_{i}$ , group signing key pair $〈 s k_{i}, b_{i} 〉$ and random $x_{OBUi} \in Z_{q}^{*}$ , then calculates $A_{i} = x_{OB U_{i}} P$ , $B_{i} = x_{OB U_{i}}^{- 1} s k_{i} + H_{3} (V_{i} | | T S_{i}, A_{i}) b_{i}$ to generate the signature $δ_{3} = Sign_ISGS_S K_{OB U_{i}} {V_{i}, T S_{i}} = {A_{i}, B_{i}}$ .

$OB U_{i}$ sends ${δ_{3}, T S_{i}, V_{i}, Pkg}$ to $OB U_{j}$ .

After getting { $δ_{3},$ $T S_{i}$ , $V_{i}$ , $Pkg}$ , $OB U_{j}$ first checks if $T S_{i}$ is fresh. If $T S_{i}$ is fresh, $OB U_{j}$ verifies the signature $δ_{3}$ : computes $α = e (V_{i} P k_{g}, Q_{Vi})$ , $β = e (A_{i}, V_{i} B)$ , and $γ = e (A_{i}, H (P k_{g} | | T S_{i}, A_{i}))$ , checks the equation $β ? = α γ$ . If the equation holds, $OB U_{j}$ chooses random $x_{OB U_{j}} \in Z_{q}^{*}$ and calculates the shared key $K_{v - v} = A_{i} r_{OB U_{j}} = r_{OB U_{i}} P r_{OB U_{j}}$ , then stores it in the TPD. After that, $OB U_{j}$ chooses a pseudonym $V_{j}$ , a group signing key pair $〈 s k_{j}, b_{j} 〉$ and computes $A_{j} = x_{OB U_{j}} P$ , $B_{j} = x_{OB U_{j}}^{- 1} s k_{j} + H_{3} (P k_{g} | | T S_{j}, A_{j}) b_{j}$ to get the signature $δ_{4} = Sign_ISGS_S K_{OB U_{j}} {V_{j}, T S_{j}} = {A_{j}, B_{j}}$ .

$OB U_{j}$ sends ${δ_{4}, T S_{j}, V_{j}, Pkg}$ to $OB U_{i}$ .

After receiving ${δ_{4}, T S_{j}, V_{j}, Pkg}$ , $OB U_{i}$ first checks if $T S_{j}$ is fresh. If $T S_{j}$ is fresh, $OB U_{j}$ verifies the signature $δ_{4}$ : computes $α' = e (V_{i} P k_{g}, Q_{Vi})$ , $β' = e (A_{i}, V_{i} B)$ , $γ' = e (A_{i}, H (P k_{g} | | T S_{i}, A_{i}))$ , then checks the equation $β' ? = α' γ'$ . If the equation holds, $OB U_{i}$ calculates the shared key $K_{v - v} = A_{j} r_{OB U_{i}} = r_{OB U_{j}} P r_{OB U_{i}}$ and stores it in the TPD. V2V authentication is thus finished.

Figure 4.

V2V authentication protocol.

Identification and revocation of malicious nodes

The identification and revocation of malicious nodes is a major challenge for VANETs. The process in this article is shown in Figure 5 below:

When a node $OB U_{j}$ accounts a message $m$ sent by $OB U_{i}$ as a malicious message, it generates a $report$ , which contains $V_{i}$ and $m$ .

$OB U_{j}$ sends the $report$ to the neighbor RSU.

After receiving a $report$ , RSU transmits the $report$ to TA through the secure channel.

After getting a $report$ from RSU, TA first checks whether $m$ is a malicious message. If it is, TA traces the real identity of $OB U_{i}$ according to $V_{i}$ below: for given $V_{i} = (V_{i, 1}, V_{i, 2})$ , where $V_{i, 1} = x_{i} P$ and $V_{i, 2} = V_{ID} \oplus H_{2} (x_{i} P_{pub})$ , TA calculates $s V_{i, 1} = s x_{i} P = x_{i} sP = x_{i} P_{pub}$ and gets $V_{ID} = V_{i, 2} \oplus H_{2} (x_{i} P_{pub}) = V_{i, 2} \oplus H_{2} (s V_{i, 1})$ . TA decrypts $V_{ID}$ with its own private key $s$ to obtain the real identity of $OB U_{i}$ .

After getting the real identity of $OB U_{i}$ , TA subtracts $w$ from the trust value $N$ . If the new trust value of $OB U_{i}$ is less than the threshold value $k$ , that is when $N - w < k$ , $OB U_{i}$ will be confirmed as a malicious node.

Finally, TA broadcasts $V_{ID}$ of $OB U_{i}$ to all RSUs to stop providing services for $OB U_{i}$ .

Figure 5.

Identification and revocation of malicious node.

Security proof and analysis

Formal security analysis and proof of security for the proposed core protocols will be presented in this section. First, we will use SVO logic³⁵ to prove the security of the fundamental protocols. Then the further security analysis will be provided to prove that our scheme may satisfy the security requirements described in section “The proposed anonymous authentication scheme.”

Foundation of SVO logic

SVO logic is more intuitive, convenient, and practical than other logic analysis methods in the following aspects:

The axioms in SVO can be adjusted or extended easily to meet the security proof needs rather than Burrows–Abadi–Needham (BAN)³⁶ or other logical approaches.

SVO is detailed and legible, which helps to accurately express the actual meaning of the protocol, thus avoid the misunderstandings.

SVO is rigorous and reliable, and the semantics is clear.

SVO rules

SVO has two initial rules:

The separation rule $MP$ (Modous Ponens): $φ \land φ \supset ψ \Rightarrow ψ$ .

The necessity of rules $Nec$ (Necessitation): $⊢ φ \Rightarrow believes φ$ .

$ψ$ denotes a theorem of $φ$ , indicating inference, that is, “if … … then …” relationship.

SVO axiom

For any subject $P$ and $Q$ , the sum of the formulas $φ$ and $ψ$ has the following axiom:

Believes:

Ax1: $P believes φ \land P believes (φ \supset ψ) \supset P believes ψ$ .

Ax2: $P believes φ \supset P believes (P believes φ)$ .

Source association:

Ax3: $SharedKey (K, P, Q) \land R recieved {X^{Q}}_{K} \supset Q said X \land Q sees K$ .

Ax4: $P K_{σ} (Q, K) \land R received X \land SV (X, K, Y) \supset Q said Y$ .

Key agreement:

Ax5: $P K_{σ} (P, K_{P}) \land (Q, K_{Q}) \supset SharedKey (F_{0} (K_{P}, K_{Q}), P, Q)$ .

Ax6: $φ \equiv φ [F_{0} (K, K_{0}) / F_{0} (K_{0}, K)]$ .

Receiving:

Ax7: $P received (X_{1}, \dots, X_{n}) \supset P receives X_{i}$ .

Ax8: $P received {X}_{K} \land P sees K^{- 1} \supset P recieves X$ .

Ax9: $P received [X]_{K} \supset P received X$ .

Seeing:

Ax10: $P received X \supset P sees X$ .

Ax11: $P sees (X_{1}, \dots, X_{n}) \supset P sees X_{i}$ .

Ax12: $P sees X_{1} \land \dots \land P sees F (X_{1}, \dots, X_{n})$ .

Comprehending:

Ax 13: $P believes (P sees F (X)) \supset P believes (P sees X)$ .

Saying:

Ax14: $P said (X_{1}, \dots, X_{n}) \supset P said X_{i} \land P sees X_{i}$ .

Ax15: $P says (X_{1}, \dots, X_{n}) \supset P says X_{i} \land Psaid (X_{1}, \dots, X_{n})$ .

Jurisdiction:

Ax16: $P controls φ \land P says φ \supset ψ$ .

Freshness:

Ax17: $fresh (X_{i}) \supset fresh (X_{1}, \dots, X_{n})$ .

Ax18: $fresh (X_{1}, \dots, X_{n}) \supset (F (X_{1},, X_{n}))$ .

Nonce-verification:

Ax19: $fresh (X) \land P said X \supset P says X$ .

Symmetric goodness of shared keys:

Ax20: $SharedKey (K, P, Q) \equiv SharedKey (K, Q, P)$ .

SVO objectives

The following SVO objectives are given according to the security requirements of our scheme to prove the security of V2I and V2V protocols:

SVO objectives of V2I protocol:

G1: Survival acknowledgment: OBU believes RSU says $(r_{OBU} P, 〈 V_{i}, s k_{i} 〉)$ .

G1′: Survival acknowledgment: RSU believes OBU says $(s_{V} P)$ .

G2: Secure key establishment: OBU believes $SharedKey (K_{v - r} -, OBU, RSU)$ .

G2′: Secure key establishment: RSU believes $SharedKey (K_{v - r} -, RSU, OBU)$ .

G3: Key confirmation: OBU believes $SharedKey (K +, OBU, RSU)$ .

G3′: Key confirmation: RSU believes $SharedKey (K +, RSU, OBU)$ .

G4: Key Freshness: OBU believes $fresh (K_{v - r})$ .

G4′: Key Freshness: RSU believes $fresh (K_{v - r})$ .

SVO objectives of V2V protocol:

G5: Survival acknowledgment: $OB U_{i}$ believes $OB U_{j}$ says $(r_{OB U_{j}} P)$ .

G5′: Survival acknowledgment: $OB U_{j}$ believes $OB U_{i}$ says $(r_{OB U_{i}} P)$ .

G6: Secure key establishment: $OB U_{i}$ believes $SharedKey (K_{v - v} -, OB U_{i}, OB U_{j})$ .

G6′: Secure key establishment: $OBUj$ believes $SharedKey (K_{v - v} -, OB U_{i}, OB U_{j})$ .

G7: Key freshness: $OB U_{i}$ believes $fresh (K_{v - v})$ .

G7′: Key freshness: $OB U_{j}$ believes $fresh (K_{v - v})$ .

Security proof of the authentication protocols

Initial assumptions

In order to prove the security of V2I and V2V protocols, first, the assumptions are given below:

Assumptions of V2I protocol:

P1: OBU believes $P K_{σ} (TA, P_{Pub})$ .RSU believes $P K_{σ} (TA, P_{Pub})$ .

P2: OBU believes $S_{V} ({T S_{1}, s_{R} P} Q_{IDR}^{- 1}, Q_{IDR}, (T S_{1}, s_{R} P))$ .RSU believes $S_{V} ({{T S_{2}, r_{OBUP}} P_{Pub}^{- 1}, T S_{2}, r_{OBU} P} Q_{IDV}^{- 1}, Q_{IDV}, (T S_{2}, r_{OBU} P))$ .

P3: OBU believes $((TA said P K_{σ} (RSU, Q_{IDR})) \supset P K_{σ} (RSU, Q_{IDR}))$ .RSU believes $((TA said P K_{σ} (OBU, Q_{IDV})) \supset P K_{σ} (OBU, Q_{IDV}))$ .

P4: OBU believes $P K_{δ} (OBU, s_{V} P)$ .RSU believes $P K_{δ} (RSU, s_{R} P)$ .

P5: OBU believes $fresh (T S_{2})$ .RSU believes $fresh (T S_{1})$ .

P6: OBU believes OBU sees $(r_{OBU} P)$ .RSU believes RSU sees $(s_{R} P)$ .

P7: OBU received $Q_{IDR}, ({T S_{1}, s_{R} P} Q_{IDR}^{- 1}, T S_{1}, s_{R} P), {〈 V_{i}, s k_{i} 〉} K_{v - r}$ .RSU received $({T S_{2}, r_{OBU} P} Q_{IDV}^{- 1}, T S_{2}, r_{OBU} P), {V_{I} D} K_{v - r}$ .

P8: OBU believes OBU received ${{}^{*}s}_{R}, {T S_{1},^{*} s_{R}} Q_{IDR}^{- 1}, Q_{IDR}, {〈 V_{i}, s k_{i} 〉} K_{v - r}$ .RSU believes RSU received ${{}^{*}r}_{OBU}, {T S_{2},^{*} r_{OBU}} Q_{IDV}, {V_{I} D} K_{v - r}$ .

P9: OBU believes $(OBU$ received ${T S_{1},^{*} s_{R}} Q_{IDR}^{- 1} \land P K_{σ} (RSU, Q_{IDR}) \land P K_{δ} (OBU, r_{OBU} P)) \supset P K_{δ} (RSU,^{*} s_{R})$ .RSU believes (RSU received ${T S_{2},^{*} r_{OBU}} Q_{IDR}^{- 1} \land {V_{ID}} K_{v - r} \land P K_{σ} (OBU, Q_{IDV}) \land P K_{δ} (RSU, s_{R} P)) \supset P K_{δ} (OBU,^{*} r_{OBU})$ .

P10: OBU believes (OBU said ${〈 V_{i}, s k_{i} 〉} K_{v - r}$ ).RSU believes (RSU said ${V_{ID}} K_{v - r}$ ).

P11: OBU believes $((TA said (RSU, Q_{IDR})) \supset TA said P K_{σ} (RSU, Q_{IDR}))$ .RSU believes ((TA said (OBU, $Q_{IDV}$ )) ⊃ TA said $P K_{σ} (OBU, Q_{IDV})$ ).

Assumptions of V2V protocol:

P12: $OB U_{i}$ believes $P K_{σ} (RSU, P k_{g})$ . $OB U_{j}$ believes $P K_{σ} (RSU, P k_{g})$ .

P13: $OB U_{i}$ believes $S_{V} ({T S_{j}, P k_{g}} V_{j}^{- 1}, V_{j}, (T S_{j}, P k_{g}) \supset r_{OB U_{j}} P)$ . $OB U_{j}$ believes $S_{V} ({T S_{i}, r_{OB U_{i}} P} V_{i}^{- 1}, V_{j}, (T S_{j}, P k_{g}) \supset r_{OB U_{j}} P)$ .

P14: $O B U_{i}$ believes $((RSU said P K_{σ} (OB U_{i}, V_{i})) \supset P K_{σ} (OB U_{i}, V_{i})$ . $OB U_{j}$ believes $((RSU said P K_{σ} (OB U_{j}, V_{j})) \supset P K_{σ} (OB U_{j}, V_{j})$ .

P15: $OB U_{i}$ believes $P K_{δ} (OB U_{i}, (T S_{i}, P k_{g}) \supset r_{OB U_{i}} P)$ . $OB U_{j}$ believes $P K_{δ} (OB U_{j}, (T S_{j}, P k_{g}) \supset r_{OB U_{j}} P)$ .

P16: $OB U_{i}$ believes $fresh (T S_{i})$ . $OB U_{j}$ believes $fresh (T S_{j})$ .

P17: $OB U_{i}$ believes $OB U_{i}$ sees $((T S_{j}, P k_{g}) \supset r_{OB U_{j}} P)$ . $OB U_{j}$ believes $OB U_{j}$ sees $((T S_{j}, P k_{g}) \supset r_{OB U_{j}} P)$ .

P18: $OB U_{i}$ received $V_{j}, ({T S_{j}, P k_{g}} V_{j}^{- 1}, TSj, (T S_{j}, P k_{g}) \supset r_{OB U_{j}} P)$ . $OB U_{j}$ received $V_{i}, ({T S_{i}, P k_{g}} V_{i}^{- 1}, TSj, (T S_{i}, P k_{g}) \supset r_{OB U_{i}} P)$ .

P19: $OB U_{i}$ believes $OB U_{i}$ received $((T S_{j}, P k_{g}) \supset^{*} r_{OB U_{j}}), {T S_{j}, P k_{g}} V_{j}^{- 1}, V_{j}$ . $OB U_{j}$ believes $OB U_{j}$ received $((T S_{i}, P k_{g}) \supset^{*} r_{OB U_{i}}), {T S_{i}, P k_{g}} V_{i}^{- 1}, V_{i}$ .

P20: $OB U_{i}$ believes $(OB U_{i} said^{*} r_{OB U_{j}}, r_{OB U_{j}} P)$ . $OB U_{j}$ believes $(OB U_{j} said^{*} r_{OB U_{i}}, r_{OB U_{i}} P)$ .

P21: $OB U_{i}$ believes ((RSU said ( $(OB U_{j}, V_{j})$ ) ⊃ RSU said $P K_{σ} (OB U_{j}, V_{j})$ ). $OB U_{j}$ believes ((RSU said ( $(OB U_{i}, V_{i})$ ) ⊃ RSU said $P K_{σ} (OB U_{i}, V_{i})$ ).

Security proof of V2I authentication protocol

From the assumptions, we can get:

S1: Obtain from P1, P2, P11, Ax1, Ax14, and $Nec$ .OBU believes TA said $P K_{σ} (RSU, P k_{g})$ .

S2: Obtain from S1, P3, and Ax1.OBU believes $P K_{σ} (RSU, Q_{IDR})$ .

S3: Obtain from P7, P9, and Ax7.OBU received ${T S_{1}, s_{R} P} Q_{IDR - 1}$ .

S4: Obtain from S2, S3, P2, Ax4, Ax14, and Nec.OBU believes RSU said $s_{R} P$ .

S5: Obtain from P5, P7, Ax1, Ax9, and Ax17.OBU believes $fresh s_{R} P$ .

S6: Obtain from S4, S5, Ax1, Ax19, and Nec.OBU believes RSU says $s_{R} P$ .

S7: Obtain from P8, Ax1, Ax1, Ax7, and Nec.OBU believes OBU received ${〈 V_{i}, s k_{i} 〉} K_{v - r}$ .

S8: Obtain from S2, S7, P4, P9, and Ax1.OBU believes $P K_{σ} (RSU,^{*} s_{R})$ .

S9: Obtain from S8, P4, Ax1, Ax5, and $Nec$ .OBU believes $SharedKey (K_{v - r}, OBU, RSU)$ for $K_{v - r} = F_{0} (s_{V} P,^{*} s_{R})$ .

S10: Obtain from P8, P6, Ax1, Ax10, Ax11, Ax12, and Nec.OBU believes OBU sees $K_{v - r}$ .

S11: Obtained from the definitions of S9, S10, Ax1, and $SharedKey (K -, A, B)$ .OBU believes $SharedKey (K_{v - r} -, OBU, RSU) (G 2 is proved)$ .

S12: Obtain from S5, Ax18 $(G 4 is proved)$ .OBU believes $fresh K_{v - r}$ .

S13: As defined by S3, S12, P10, Ax1, and Confirm $P (X)$ .OBU believes $SharedKey$ $(K_{v - r} +, OBU, RSU) (G 3 is proved)$ .

S14: Obtain from S7, S10, Ax1, Ax8, and $Nec$ .OBU believes $fresh 〈 V_{i}, s k_{i} 〉$ .

S15: Obtain from P10, S13, S14, and Ax13.OBU believes RSU said $〈 V_{i}, s k_{i} 〉$ .

S16: Obtain from S14, S15, Ax19, and Nec.OBU believes RSU says $〈 V_{i}, s k_{i} 〉 (G 1 is proved)$ .

The SVO object of RSU can also be proved similar as OBU. According to the security proof presented above, we can prove that the V2I authentication protocol is secure.

Security proof of V2V authentication protocol

From the assumptions, we can get:

S1: Obtain from P12, P13, P22, Ax1, Ax14, and $Nec$ . $OB U_{i}$ believes RSU said $P K_{σ} (OB U_{j}, V_{j})$ .

S2: Obtain from S1, P14, and Ax1. $OB U_{i}$ believes $P K_{σ} (OB U_{j}, V_{j})$ .

S3: Obtain from P18, P20, and Ax7. $OB U_{i}$ received ${T S_{j}, P k_{g}} V_{j}^{- 1}$ .

S4: Obtain from S2, S3, P13, Ax4, Ax14, and $Nec$ . $OB U_{i}$ believes $OB U_{j}$ said $r_{OB U_{j}} P$ .

S5: Obtain from P16, P18, Ax1, Ax9, and Ax17. $OB U_{i}$ believes $fresh r_{OB U_{j}} P$ .

S6: Obtain from S4, S5, Ax1, Ax19, and $Nec$ . $OB U_{i}$ believes $OB U_{j}$ says $r_{O B U_{j}} P (G 5 is proved)$ .

S7: Obtain from P19, Ax1, Ax1, Ax7, and $Nec$ . $OB U_{i}$ believes $OB U_{i}$ received $r_{OB U_{j}} P$ .

S8: Obtain from S2, S7, P15, P9 and Ax1. $OB U_{i}$ believes $P K_{σ} (OB U_{j}, V_{j})$ .

S9: Obtain from S8, P15, Ax1, Ax5, $Nec$ . $OB U_{i}$ believes $SharedKey (K_{v - v}, OB U_{i}, OB U_{j})$ for $K_{v - v} = F_{0} (r_{OB U_{i}},^{*} r_{OB U_{j}})$ .

S10: Obtain from P19, P17, Ax1, Ax10, Ax11, Ax12, and $Nec$ . $OB U_{i}$ believes $OB U_{i}$ sees $K_{v - v}$ .

S11: Obtain from the definitions of S9, S10, Ax1, and $SharedKey (K -, A, B) (G 6 is proved)$ . $OB U_{i}$ believes $SharedKey (K_{v - v} -, OB U_{i}, OB U_{j})$ .

S12: Obtain from S5 and Ax18. $OB U_{i}$ believes $fresh K_{v - v} (G 7 is proved)$ .

The SVO object of $OB U_{j}$ is able to be proved similar as $OB U_{i}$ . According to the security proof presented in this subsection, we can prove that the V2V authentication protocol is secure.

Security analysis

We carry out the security analysis from the following aspects in terms of the security requirements:

Access authentication. Mutual authentication for OBU to RSU (V2I) and OBU to OBU (V2V) communications are provided in the proposed scheme. Section “Security proof and analysis” has given the formal security proof of the authentication protocols.

Anonymity. In the V2I authentication, OBU employs anonymous identity issued by TA. While in the V2V authentication, OBU randomly chooses a pseudonym issued by RSU. Therefore, in the worst case, if multiple RSUs are compromised, the adversary cannot reveal the real identity of OBU. Besides, other compromised OBUs cannot obtain the real identity through the random pseudonym of the right OBU. Thus, the user’s privacy is well protected in the proposed scheme.

Traceability. Once the true identity of vehicle needs to be revealed, TA can calculate its real identity according to the communication pseudonyms of the vehicle, and the detailed introduction is given in section “Identification and revocation of malicious nodes.”

Unlinkability. After OBU accessing to a RSU, the RSU issues multiple pseudonyms for the OBU. OBU randomly chooses a pseudonym as anonymous identity during later V2V authentication procedure, the adversary cannot tell that several messages are sent by the same OBU.

Malicious node identification and revocation. As described in section “Identification and revocation of malicious nodes,” the AAAS provides an approach to identify and revoke malicious nodes based on the evaluation mechanism.

Resistance of typical attacks. Our scheme can also resist impersonation attack, tampering attack, replay attack, and key-stealing attack:

Impersonation attack. During V2I authentication, the OBU and RSU exploit CC signature, where the public keys and private keys are calculated by TA. Thus, the adversary cannot impersonate other nodes to forge a legitimate signature.

Tampering attack. According to AAAS, after the V2I and V2V authentication, the entities (RSU or OBU) can generate a shared key to encrypt the subsequent communication message. It is impossible for the adversary to tamper with the communication message since it does not know the shared key.

Replay attack. During V2I and V2V authentication, the current time stamp $T S_{i}$ is attached to the signed message, which can effectively prevent replay attack.

Key-stealing attack. During registration phase, we assume that TA issues keys to OBU and RSU through secure channel. As for V2I authentication, RSU encrypts the group signing keys and the anonymous identities with the shared key $k_{r - v}$ as $c_{1} = E_K_{r - v} (< ski, Vi, T >)$ . Furthermore, OBU stores private keys and shared keys in TPD, which is assumed absolutely secure. So, we can conclude that our AAAS can effectively prevent key-stealing attack either in key distributing or storing process.

From the above analysis, we can see that the proposed scheme (AAAS) can meet the security requirements described in section “The proposed anonymous authentication scheme.” Thus, the proposed AAAS is considered to be complete.

Performance analysis

The performance analysis of the proposed scheme (AAAS) is elaborated from three aspects: computation cost, transmission overhead, and serving ratio. Besides, the comparison analysis is presented among AAAS, CPAS,³⁰ ACPN,²⁷ and PACP.³⁷

Computation cost

Computation cost is the amount of computations made by related network entities during the V2I and V2V authentication procedure. With the deployment of edge computing, the computation cost on RSU side is not critical since RSU usually owes rich computation resource. Thus, in this section, we mainly give the comparison analysis of computation cost on vehicle side among different schemes. The main operations involved in the authentication of the schemes includes: bilinear pairing, hash-to-point, encryption, point addition, and point multiplication. Compared with the above operations, the cost of hash, point addition, and symmetric encryption can be neglected. In order to facilitate the expression, Table 2 presents the symbols and execution time (in milliseconds) for a curve with k = 6 and 160-bit q. The execution platform is a Intel Pentium IV 3.0-GHz machine.

Table 2.

Symbols and description.

Symbol	Description	Execution time (ms)
$T_{mtp}$	Time for hash-to-point operation	4.406
$T_{RSA}$	Time for RSA encryption operation	0.19
$T_{bm}$	Time for the bilinear pairing operation	4.5
$T_{pm}$	Time for the point multiplication	0.6

RSA: Rivest–Shamir–Adleman.

During V2I authentication of AAAS, OBU verifies the CC signature by checking $e (P, V_{RSU}) ? = e (P_{pub}, U_{RSU} + h_{RSU} Q_{IDR})$ and generates the CC signature as $U_{OBU} r_{OBU} Q_{IDV}$ , $V_{OBU} = (r_{OBU} + h_{OBU}) s_{V}$ , and $h_{OBU} = H_{1} (r_{OBU} | | T S_{2}, U_{OBU})$ . OBU also computes the shared key $K_{v - r} = P k_{g} r_{OBU}$ . Thus, we can get the computation cost of AAAS in V2I authentication $(C C_{AAAS - V 2 I})$ is

C C_{AAAS - V 2 I} = 2 T_{mtp} + 2 T_{bm} + 3 T_{pm}

(1)

In AAAS’ V2V authentication, OBU first generates the ISGS signature as $A_{i} = x_{OB U_{i}} P$ , $B_{i} = x_{OB U_{i}}^{- 1} s k_{i} + H_{3} (P k_{g} | | T S_{i}, A_{i}) b_{i}$ . Then OBU verifies the ISGS signature as $α = e (V_{j, 2} P k_{g}, Q_{V_{j}})$ , $β = e (A_{j}, V_{j} B_{j})$ , and $γ = e (A_{j}, H (P k_{g} | | T S_{j}, A_{j}))$ and checks the equation $β ? = α γ$ . We can thus get that computation cost of AAAS in V2V authentication $(C C_{AAAS - V 2 V})$ is

C C_{AAAS - V 2 V} = 2 T_{mtp} + 3 T_{bm} + 7 T_{pm}

(2)

In V2I authentication of CPAS, OBU generates the digital signature as $U_{i} = r_{i} \cdot P \in G_{1}$ , $h'_{i} = H_{2} (PI D_{i}, M_{i}, t t_{i}, T_{i}, U_{i}) = H_{2} (PI D_{i}, M_{i}, t t_{i}, T_{i}, U_{i}) \in Z_{q}^{*}$ and $V_{i} = h'_{i} \cdot S_{i} + r_{i} \cdot Q'$ . In addition, OBU verifies the signature generated from RSU as $h_{R} = H_{1} (I D_{R}, T_{R})$ and $h_{i} = H_{2} (I D_{R}, M_{i}, t t_{i}, T_{R}, U R_{i}) \in Z_{q}^{*}$ and checks the equation $e (V_{i}^{R}, P) ? = e (h'_{i} \cdot (P_{Pub} + h_{R} T_{R}), Q) \cdot e (U_{i}^{R}, Q')$ . Thus, the computation cost of CPAS in V2I authentication $(C C_{CPAS - V 2 I})$ is

C C_{CPAS - V 2 I} = 3 T_{mtp} + 3 T_{bm} + 7 T_{pm}

(3)

While during the V2V authentication of CPAS, OBU generates the signature as $h_{i} = H_{1} (PI D_{i}, T_{i})$ and $h'_{i} = H_{2} (PI D_{i}, M_{i}, t t_{i}, T_{i}, U_{i}) \in Z_{q}^{*}$ . Afterward, OBU checks the equation $e (V_{i}, P) ? = e (h_{i} P_{pub} + h' i h_{i} T_{i}, Q) \cdot e (U_{i}, Q')$ . Therefore, the computation cost of CPAS in V2V authentication $(C C_{CPAS - V 2 V})$ is

C C_{CPAS - V 2 V} = 3 T_{mtp} + 3 T_{bm} + 5 T_{pm}

(4)

In the V2I authentication of ACPN, OBU generates a pseudonym as $P S_{v} = Time | | E_{PK} (I D_{v}) | | HR | | RSU$ , where $I D_{v}$ is encrypted by RSA. OBU generates the IBS signature as $r = e (P_{1}, P)$ , $v = h (m, r)$ , and $u = v \cdot S_{I} D + k P_{1}$ . Then OBU verifies the IBS signature twice as $r = e (u, P) \cdot e (H (ID), - Q_{T} A)$ and checks the equation $v = h (m, r)$ . Hence, we can obtain that the computation cost of ACPN in V2I authentication $(C C_{ACPN - V 2 I})$ is

C C_{ACPN - V 2 I} = 5 T_{mtp} + 5 T_{bm} + 4 T_{pm} + 1 T_{RSA}

(5)

During V2V authentication of ACPN, OBU generates the online signature as $σ = H_{1} (m, R) x + r$ and verifies the online/offline signature $(S, σ, R)$ as checking the equation $e (P_{pub}, S) ? = e (σ P \cdot H_{1} (m, R) R, Q_{ID})$ . We can thus obtain that the computation cost of ACPN in V2V authentication $(C C_{ACPN - V 2 V})$ is

C C_{ACPN - V 2 V} = 2 T_{mtp} + 1 T_{bm} + 3 T_{pm}

(6)

During V2I authentication of PACP, OBU generates an IBS signature and verifies the signature from RSU. In addition, OBU executes the encryption and decryption operation as $λ_{j} (a, i) = e (τ_{(a, i)}^{j}, σ_{j} aP)$ , $ρ = H_{2} (k, M)$ , $C = 〈 H (ρ P) \oplus (λ_{(a, i)}^{j}) k$ , $e (P, σ_{j} aP) k, M \oplus H_{1} (e (σ_{j} aP, H (ρ P) P)) 〉$ , $Γ_{(a, i)}^{j} = U \oplus {VS}_{(a, i)}^{j}$ , and $M' = W \oplus H_{1} (e (σ^{j} aP, Γ_{(a, i)}^{j} P))$ . However, the author does not give the specific IBS mechanism, in order to take the objective analysis between AAAS and PACP, we assume that the IBS in PACP is CC signature mechanism. Hence, it is easy to get that the computation cost of PACP in V2I authentication $(C C_{PACP - V 2 I})$ is

C C_{PACP - V 2 I} = 6 T_{mtp} + 6 T_{bm} + 18 T_{pm}

(7)

In the V2V authentication of PACP, OBU do the same encryption and decryption operations as that in V2I authentication. Besides, OBU generates a Boneh–Lynn–Shacham (BLS) signature and verifies the BLS signature from RSU. To sign and verify a BLS signature, OBU executes 1 hash-to-point operations, 1 point multiplication operations, 1 hash-to-point operations, and 2 bilinear pairing operations. Therefore, we can get the computation cost of PACP in V2V authentication $(C C_{PACP - V 2 V})$ is

C C_{PACP - V 2 V} = 6 T_{mtp} + 6 T_{bm} + 16 T_{pm}

(8)

To illustrate the better performance of the proposed AAAS scheme in the V2I and V2V authentication, we compare the computation cost of AAAS in V2I and V2V authentications with CPAS, ACPN, and PACP as shown in Table 3. According to the results, it is obviously that the AAAS scheme we proposed owes lower computation cost compared to the other three in V2I authentication. While during V2V authentication, the AAAS scheme has lower computation cost compared with CPAS, PACP, but slightly higher than ACPN. Furthermore, the total computation cost of the proposed AAAS scheme is lower than CPAS, ACPN, and PACP.

Table 3.

Computation cost analysis.

$Authentication phase$	AAAS (ms)	CPAS (ms)	ACPN (ms)	PACP (ms)
$V 2 I$	$2 T_{mtp} + 2 T_{bm} + 3 T_{pm} = 19.612$	$3 T_{mtp} + 3 T_{bm} + 7 T_{pm} = 30.918$	$5 T_{mtp} + 5 T_{bm} + 4 T_{pm} + 1 T_{RSA} = 47.12$	$6 T_{mtp} + 6 T_{bm} + 18 T_{pm} = 64.236$
$V 2 V$	$2 T_{mtp} + 3 T_{bm} + 7 T_{pm} = 26.512$	$3 T_{mtp} + 3 T_{bm} + 5 T_{pm} = 29.718$	$2 T_{mtp} + 2 T_{bm} + 3 T_{pm} = 19.612$	$6 T_{mtp} + 6 T_{bm} + 16 T_{pm} = 63.036$
$Total$	$4 T_{mtp} + 5 T_{bm} + 10 T_{pm} = 46.124$	$6 T_{mtp} + 6 T_{bm} + 12 T_{pm} = 60.636$	$7 T_{mtp} + 7 T_{bm} + 7 T_{pm} + 1 T_{RSA} = 66.732$	$12 T_{mtp} + 12 T_{bm} + 34 T_{pm} = 127.272$

AAAS: anonymous access authentication scheme.

Transmission overhead

The transmission overhead is analyzed by the size of total messages transmitted during V2I and V2V authentication procedures. For ease of description, the following assumptions are given out in Table 4 with size of $\bar{p}$ is 64 bytes and $p$ is 20 bytes.

AAAS: during V2I authentication, OBU receives ${δ_{1}, R_{ID}, P k_{g}, T S_{1}}$ from RSU and sends ${c, δ_{2}, r_{OBU} P, T S_{2}}$ to RSU, where $δ_{1} = {U_{RSU}, V_{RSU}}$ , $δ_{2} = {U_{OBU}, V_{OBU}}$ , $V_{i} = {V_{i, 1}, V_{i, 2}}$ , $c = E_K_{r - v} {V_{ID}}$ , $R_{ID}$ and $V_{ID}$ is the identity of RSU and OBU. While $V_{i, 1}$ , $V_{i, 2}$ , $P k_{g}$ , $r_{OBU} P \in G_{2}$ , $U_{RSU}$ , $V_{RSU}$ , $U_{OBU}$ , $V_{OBU} \in G_{1}$ , $T S_{1}$ , and $T S_{2}$ are the time stamps. Hence, the transmission overhead of AAAS in V2I authentication $(T O_{AAAS - V 2 I})$ is

\begin{matrix} T O_{AAAS - V 2 I} = 40 \times 4 + 128 \times 4 + 20 \times 2 + 4 \times 2 \\ = 720 bytes \end{matrix}

(9)

Table 4.

Assumptions.

$Factor$	$Size (byte)$
$G_{1}$ in group	64 × 2 = 128
$G_{2}$ in group	20 × 2 = 40
$Timestamp$	4
$Certificate of OBU$	120
$Output of general hash function$	20

OBU: on-board unit.

In the V2V authentication of AAAS, $OB U_{i}$ sends ${δ_{3}, T S_{i}, V_{i}, P k_{g}}$ to $OB U_{j}$ and receives ${δ_{4}, T S_{j}, V_{j}, P k_{g}}$ from $OB U_{j}$ , where $δ_{3} = {U_{OB U_{i}}, V_{OB U_{i}}}$ , $δ_{4} = {U_{OB U_{j}}, V_{OB U_{j}}}$ , $V_{i} = {V_{i, 1}, V_{i, 2}}$ , $V_{j} = {V_{j, 1}, V_{j, 2}}$ , $T S_{1}$ , and $T S_{2}$ are the time stamps. We can thus obtain the transmission overhead of AAAS in V2V authentication $(T O_{AAAS - V 2 V})$ is

\begin{matrix} T O_{AAAS - V 2 V} = 40 \times 6 + 128 \times 4 + 4 \times 2 \\ = 760 bytes \end{matrix}

(10)

CPAS: in V2I authentication, OBU receives $〈 I D_{R}, M_{i}, t t_{i}, τ_{i}^{R} 〉$ and sends $〈 PI D_{i}, M_{i}, t t_{i}, τ_{i} 〉$ , where $τ_{i}^{R} = (T_{R}, U_{i}^{R}, V_{i}^{R})$ , $T_{R}, U_{i}^{R}, V_{i}^{R} \in G_{1}$ . Thus, the transmission overhead of CPAS in V2I authentication $(T O_{CPAS - V 2 I})$ is

\begin{matrix} T O_{CPAS - V 2 I} = 128 \times 6 + 20 \times 4 + 4 \times 2 \\ = 856 bytes \end{matrix}

(11)

During V2V authentication of CPAS, OBU sends $〈 PI D_{i}, M_{i}, t t_{i}, τ_{i} 〉$ and receives $〈 PI D'_{i}, M_{i}, t t'_{i}, τ'_{i} 〉$ from another OBU. It is clearly that the transmission overhead of CPAS in V2V authentication $(T O_{CPAS - V 2 V})$ is

\begin{matrix} T O_{CPAS - V 2 V} = 128 \times 6 + 20 \times 4 + 4 \times 2 \\ = 856 bytes \end{matrix}

(12)

ACPN: in V2I authentication, OBU receives $〈 I D_{r}, T, pkc, adv, nonce, SI G_{r} (I D_{r} | | T) 〉$ , $〈 I D_{r}, t, nonce, SI G_{r} (I D_{r} | | t) 〉$ from RSU and sends $〈 I D_{r}, P S_{v}, T, join, SI G_{v} (P S_{v} | | T) 〉$ , where $SI G_{r} (I D_{r} | | T) = {u, v, r}$ . For $u \in G_{1}, r, pkc \in G_{1}$ , $T$ and $t$ are time stamps. Therefore, the transmission overhead of ACPN in V2I authentication $(T O_{ACPN - V 2 I})$ is

\begin{matrix} T O_{ACPN - V 2 I} = 40 \times 1 + 128 \times 6 + 20 \times 7 + 4 \times 3 \\ = 960 bytes \end{matrix}

(13)

While during V2V authentication of ACPN, OBU sends $〈 P S_{v}, t, nonce, {SIG}_{v}^{online} ({SIG}_{v}^{offline} (P S_{v} | | T)) 〉$ and receives $〈 P S'_{v}, T', nonce', {SIG}_{v}^{online'} ({SIG}_{v}^{offline'} (P S'_{v} | | T')) 〉$ from another OBU, where ${SIG}_{v}^{online} ({SIG}_{v}^{offline} (P S_{v} | | T)) = {S, σ, R}$ . And $S, σ, R \in G_{1}$ , T is a time stamp. We can thus obtain that the transmission overhead of ACPN in V2V authentication $(T O_{ACPN - V 2 V})$ is

\begin{matrix} T O_{ACPN - V 2 V} = 40 \times 2 + 128 \times 6 + 20 \times 2 + 4 \times 2 \\ = 896 bytes \end{matrix}

(14)

PACP: during V2I authentication of PACP, OBU sends $〈 Δ_{a}, SIG (Δ_{a}, S_{a}) 〉$ to RSU and receives $〈 τ_{(a, i)}, SIG (τ_{(a, i)}, t_{(a, i)}, S_{R_{i}}), γ (a, i), Cer t_{(a, i)} 〉$ from RSU, where $Δ_{a} = 〈 β_{a}, SIG (β_{a}, S_{MVD}), k_{(a, i)} 〉$ . We assume that $SIG (Δ_{a}, S_{a})$ is CC signature. For $Δ_{a}$ , $τ_{(a, i)}$ ∈ $G_{1}$ , we can thus obtain that the transmission overhead of PACP in V2I authentication $(T O_{PACP - V 2 I})$ is

\begin{matrix} T O_{PACP - V 2 I} = 40 + 128 \times 8 + 4 + 120 \\ = 1188 bytes \end{matrix}

(15)

In the period of V2V authentication of PACP, OBU sends $〈 P N^{j}, σ_{j} 〉$ and receives $〈 P N^{i}, σ_{i} 〉$ from another OBU, where $P N^{j}$ = $〈 σ_{a}^{j} P, τ_{(a, i)}^{j}, t_{(a, i)}^{j}, SIG (τ_{(a, i)}^{j}, t_{(a, i)}^{j}), Cer t_{R_{i}} 〉$ , and $σ_{j}, σ_{a}^{j} P, τ_{(a, i)}^{j}, t_{(a, i)}^{j} \in G_{1}$ . Hence, the transmission overhead of PACP in V2V authentication $(T O_{PACP - V 2 V})$ is

\begin{matrix} T O_{PACP - V 2 V} = 128 \times 10 + 4 + 120 \times 2 + 40 \times 2 \\ = 1528 bytes \end{matrix}

(16)

Comparison with CPAS, ACPN, and PACP, the proposed AAAS scheme has the lower transmission overhead in both V2I and V2V authentication as shown in Table 5.

Table 5.

Transmission overhead analysis.

$Authentication phase$	AAAS (byte)	CPAS (byte)	ACPN (byte)	PACP (byte)
$V 2 I$	720	856	960	1188
$V 2 V$	760	856	896	1528
$Total$	1480	1712	1856	2716

AAAS: anonymous access authentication scheme.

Serving ratio

During V2I authentication, RSU provides service for OBU. To weigh the capability of RSU providing service for OBU, we denote it as the serving ratio. In order to compare the serving ratio of RSU providing access service for vehicles of different schemes in the V2I communication, we give some symbols and parameters as shown in Table 6.

Table 6.

Notations of symbol.

Symbol	Notation
$R_{range}$	The wireless communication coverage range of RSU is 300 m
$v$	The vehicle average speed varies from 10 to 40 m/s
$d$	The density of vehicles under one RSU varies from 100 to 400
$ρ$	The probability for one OBU to apply for access service
$B (d, ρ)$	The Binomial distribution
$X$	The number of requesting OBUs, which follows $B (d, ρ)$
$T_{k}$	The computation cost on RSU and OBU side in V2I authentication

RSU: roadside unit; OBU: on-board unit.

We borrow the approach from¹² for the analysis of serving ratio below

P {X = x} = (\begin{matrix} d \\ x \end{matrix}) ρ^{x} (1 - ρ)^{d - x}, x = 0, 1, 2, \dots, d

(17)

E (X) = \sum_{x = 0}^{d} k^{2} (\begin{matrix} d \\ x \end{matrix}) ρ^{x} (1 - ρ)^{d - x}

(18)

where $E (X)$ stands for the expectation of the average number of access service requests, which is represented as

S_{req} = E (X) = d ρ

(19)

To weigh the capability of serving for OBU, we assume the maximal number of access services that the RSU can provide as $S_{\max}$ , the vehicle average speed is $v$ , the RSU valid wireless communication coverage range is $R_{range}$ as well as the computation cost $(T_{k})$ . Hence, we define

S_{\max} = \frac{R_{range}}{v T_{k}}

(20)

Thus, the number of completed access services denoted as $S_{cas}$ is

S_{cas} = (\begin{matrix} \begin{matrix} S_{req}, if S_{req} \leq S_{\max} \\ S_{\max}, otherwise \end{matrix} \end{matrix}

(21)

Therefore, the serving ratio $(S_{ratio})$ is defined as

S_{ratio} = \frac{S_{cas}}{S_{req}}

(22)

Then, $S_{ratio}$ can be measured by

S_{ratio} = (\begin{matrix} \begin{matrix} 1, if \frac{R_{range}}{T_{k} ρ} \cdot \frac{1}{vd} \\ \frac{R_{range}}{T_{k} ρ} . \frac{1}{vd}, otherwise \end{matrix} \end{matrix}

(23)

Based on the execution time results from section “Computation cost,” we analyze the serving ratio with different computation cost on RSU side:

Assume the low computation cost of the given schemes on RSU side as 19.612 ms, which is derived from Table 3

\begin{matrix} T_{k - AAAS} = 19.612 + (2 T_{mtp} + 2 T_{bm} + 3 T_{pm}) \\ = 39.224 ms \end{matrix}

(24)

\begin{matrix} T_{k - CPAS} = 19.612 + (3 T_{mtp} + 3 T_{bm} + 7 T_{pm}) \\ = 50.53 ms \end{matrix}

(25)

\begin{matrix} T_{k - ACPN} = 19.612 + (5 T_{mtp} + 5 T_{bm} + 4 T_{pm} + 1 T_{RSA}) \\ = 66.732 ms \end{matrix}

(26)

\begin{matrix} T_{k - PACP} = 19.612 + (6 T_{mtp} + 6 T_{bm} + 18 T_{pm}) \\ = 83.848 ms \end{matrix}

(27)

Assume that the high computation cost of given schemes on RSU side is 64.236 ms from Table 3

\begin{matrix} T_{k - AAAS} = 64.236 + (2 T_{mtp} + 2 T_{bm} + 3 T_{pm}) \\ = 83.848 ms \end{matrix}

(28)

\begin{matrix} T_{k - CPAS} = 64.236 + (3 T_{mtp} + 3 T_{bm} + 7 T_{pm}) \\ = 95.154 ms \end{matrix}

(29)

\begin{matrix} T_{k - ACPN} = 64.236 + (5 T_{mtp} + 5 T_{bm} + 4 T_{pm} + 1 T_{RSA}) \\ = 111.356 ms \end{matrix}

(30)

\begin{matrix} T_{k - PACP} = 64.236 + (6 T_{mtp} + 6 T_{bm} + 18 T_{pm}) \\ = 128.472 ms \end{matrix}

(31)

Finally, the comparison of serving ratio is given among the schemes as Figures 6 and 7. From the results, it is obvious to get that AAAS has better performance in serving ratio with the increasing vehicle speed and vehicle density. Besides, the serving ratio will be lower with increasing computation cost on RSU side. However, in the future, with the rapid development of edge computing, the computation on RSU side will have a sharp decline to improve serving ratio.

Figure 6.

Serving ratio with low computation on RSU as 19.612 ms.

Figure 7.

Serving ratio with high computation on RSU as 64.236 ms.

Conclusion

In this article, we combine the edge computing with VANETs and propose a novel AAAS for VANETs under edge computing that focus on preserving privacy and improving the access authentication efficiency. We adopt the ISGS mechanism to effectively protect the privacy of users in both V2I and V2V authentication procedures. The reputation mechanism is also introduced to identify and revoke malicious nodes. The security of the authentication protocols is proved by SVO logic. Compared with other typical schemes, the proposed scheme owns better performance.

However, the proposed scheme does not provide a fine solution to the preservation of user’s location privacy. In the future research, we will concentrate on this issue to pave the way for the wide deployment of VANETs. Besides, we will explore more efficient group signature mechanisms (such as IBV³⁸) and a new cryptography mechanism to improve the efficiency of anonymous authentication.

Footnotes

Handling Editor: Qiang Duan

Declaration of conflicting interests

The author(s) declared no potential conflicts of interest with respect to the research, authorship, and/or publication of this article.

Funding

The author(s) disclosed receipt of the following financial support for the research, authorship, and/or publication of this article: This work was supported by National Natural Science Foundation of China under (grant number: 61402095). This work was, in part, supported by the Soonchunhyang University Research Fund.

ORCID iD

Ilsun You

References

Martinez

Toh

Cano

et al . A survey and comparative study of simulators for vehicular ad hoc networks (vanets). Wirel Commun Mob Com 2011; 11(7): 813–828.

Golle

Greene

Staddon

. Detecting and correcting malicious data in vanets. In: ACM international workshop on vehicular ad hoc networks, Philadelphia, PA, 1 October 2004, pp.29–37. New York: ACM.

Bonomi

Milito

Zhu

et al . Fog computing and its role in the internet of things. In: Proceedings of the first edition of the MCC workshop on mobile cloud computing, Helsinki, 17 August 2012, pp.13–16. New York: ACM.

Beck

Feld

Linnhoff-Popien

. Mobile edge computing. Informatik-Spektrum 2016; 39(2): 108–114.

Shi

Cao

Zhang

et al . Edge computing: vision and challenges. IEEE Internet Things 2016; 3(5): 637–646.

Uchida

Ito

Ishida

et al . Adaptive array antenna control methods with delay tolerant networking for the winter road surveillance system. Journal of Internet Services and Information Security (JISIS) 2017; 7(1): 2–13.

Jeong

Yim

Lee

et al . Semantic similarity calculation method using information contents-based edge weighting. J Int Serv Inf Secur 2017; 7(1): 40–53.

Skarmeta

Moreno

Iera

. Guest editorial: smart things, big data technology and ubiquitous computing solutions for the future internet of things. J Wirel Mob Netw Ubiquitous Comput Appl 2015; 6(1): 1–3.

Kotenko

. Guest editorial: security in distributed and network-based computing. Journal of Wireless Mobile Networks, Ubiquitous Computing, and Dependable Applications (Jowua) 2015; 6(2): 1–3.

10.

Zhahe

. Boundary computation model of internet of things: fog computing. Internet of Things Technology 2014; 12: 65–67.

11.

Zhang

Wang

et al . Data-driven intelligent transportation systems: a survey. IEEE T Intell Transp 2011; 12(4): 1624–1639.

12.

Mak

et al . Vehicle-to-vehicle safety messaging in DSRC. In: ACM international workshop on vehicular ad hoc networks, Philadelphia, PA, 1 October 2004, pp.19–28. New York: ACM.

13.

Samara

Al-Salihy

WAH

Sures

. Security analysis of vehicular ad hoc networks (VANET). In: Second international conference on network applications protocols and services, Kedah, Malaysia, 22–23 September 2010, pp.55–60. New York: IEEE.

14.

Liu

Fang

Shi

. Securing vehicular ad hoc networks. In: International conference on pervasive computing and applications, Birmingham, 26–27 July 2007, pp.424–429. New York: IEEE.

15.

Lin

Zhu

et al . ECPP: efﬁcient conditional privacy preservation protocol for secure vehicular communications. In: IEEE international conference on computer communications, Phoenix, AZ, 13–18 April 2008, pp.1229–1237. New York: IEEE.

16.

Jung

Sur

Park

et al . A robust and efﬁcient anonymous authentication protocol in vanets. J Commun Netw 2012; 11(6): 607–614.

17.

Chaum

Heyst

. Group signatures. Berlin: Springer, 1991.

18.

Chen

Zhang

Konidala

et al . A new id-based group signature scheme from bilinear pairings. In: Proceedings of international workshop on information security applications, Jeju Island, Korea, 25–27 August 2003, vol. 3348, pp.585–592. New York: IEEE.

19.

Chaurasia

Verma

Bhasker

. Message broadcast in vanets using group signature. In: International conference on wireless communication and sensor networks, Allahabad, India, 27–29 December 2008, pp.131–136. New York: IEEE.

20.

Camenisch

Stadler

. Efficient group signature schemes for large groups. Berlin: Springer, 1997.

21.

Phaneendra

. Identity-based cryptography and comparison with traditional public key encryption: a survey. Int J Comput Sci Inform Tech 2014; 5: 5521–5525.

22.

Bresson

Stern

Szydlo

. Threshold ring signatures and applications to ad-hoc groups. Berlin: Springer, 2002.

23.

Chow

SSM

Hui

LCK

Yiu

. Identity based threshold ring signature. In: Park

Chee

(eds) Information security and cryptology. Berlin: Springer, 2005, pp.697–699.

24.

Zhao

Aggarwal

Frost

et al . A survey of applications of identity-based cryptography in mobile ad-hoc networks. IEEE Commun Surv Tut 2012; 14(2): 380–400.

25.

Lin

Sun

et al . GSIS: a secure and privacy-preserving protocol for vehicular communications. IEEE T Veh Technol 2007; 56(6): 3442–3456.

26.

Guizani

. A novel id-based authentication framework with adaptive privacy preservation for vanets. In: Computing, communications and applications conference, Hong Kong, China, 11–13 January 2012, pp.345–350. New York: IEEE.

27.

Guizani

. ACPN: a novel authentication framework with conditional privacy-preservation and non-repudiation for vanets. IEEE T Parall Distr 2015; 26(4): 938–948.

28.

Sun

Zhang

et al . An identity-based security system for user privacy in vehicular ad hoc networks. IEEE T Parall Distr 2010; 21(9): 1227–1239.

29.

Bayat

Barmshoory

Rahimi

et al . A secure authentication scheme for VANETs with batch verification. Wirel Netw 2015; 21(5): 1733–1743.

30.

Shim

. CPAS: an efficient conditional privacy-preserving authentication scheme for vehicular sensor networks. IEEE T Veh Technol 2012; 61(4): 1874–1883.

31.

Gao

Guo

. An anonymous access authentication scheme for VANETs based on ISGS. In: International conference on innovative mobile and internet services in ubiquitous computing, Torino, 10–12 July 2012, pp.310–320. Berlin: Springer.

32.

Choon

Cheon

. An identity-based signature from gap diffie-hellman groups. In: Desmedt

(ed.) International workshop on theory and practice in public key cryptography: Public key cryptography. Berlin: Spring-Verlag, 2003, pp.18–30.

33.

Han

Wang

Liu

. An efficient identity-based group signature scheme over elliptic curves. In: Third European conference on universal multiservice networks, Porto, 25–27 October 2004, pp.417–429. Berlin: Springer.

34.

Dan

Franklin

. Identity-based encryption from the Weil pairing. Berlin: Springer, 2001.

35.

Wei Jian

Chen

. Analysis and design of security protocol. Beijing: Posts and Telecom Press, 2010.

36.

Burrows

Abadi

Needham

. A logic of authentication. ACM T Comput Syst 1989; 23(5): 18–36.

37.

Huang

Misra

Verma

et al . PACP: an efficient pseudonymous authentication-based conditional privacy protocol for VANETs. IEEE T Intell Transp 2011; 12(3): 736–746.

38.

Zhang

Lin

et al . An efficient identity-based batch verification scheme for vehicular sensor networks. In: 27th conference on computer communications, Phoenix, AZ, 13–18 April 2008, pp.246–250. New York: IEEE.

An anonymous access authentication scheme for vehicular ad hoc networks under edge computing

Abstract

Keywords

Introduction

Features and challenges of VANETs

Related work

Preliminaries

Bilinear pairing

CC signature

ISGS

The proposed anonymous authentication scheme

Trust model and assumptions

Security requirements

AAAS

System initialization

Registration

V2I authentication protocol

V2V authentication protocol

Identification and revocation of malicious nodes

Security proof and analysis

Foundation of SVO logic

SVO rules

SVO axiom

SVO objectives

Security proof of the authentication protocols

Initial assumptions

Security proof of V2I authentication protocol

Security proof of V2V authentication protocol

Security analysis

Performance analysis

Computation cost

Transmission overhead

Serving ratio

Conclusion

Footnotes

Declaration of conflicting interests

Funding

ORCID iD

References