SPECIAL SECTION ON INTERNET-OF-THINGS (IOT) BIG DATA TRUST MANAGEMENT

Received November 6, 2017, accepted December 1, 2017, date of publication December 27, 2017,
date of current version February 14, 2018.
Digital Object Identifier 10.1109/ACCESS.2017.2782672

Conditional Privacy-Preserving Authentication

Using Registration List in Vehicular
Ad Hoc Networks
HONG ZHONG 1, BO HUANG1 , JIE CUI 1, YAN XU1 AND LU LIU 2
1 Schoolof Computer Science and Technology, Anhui University, Hefei 230601, China
2 Department of Computing and Mathematics, University of Derby, Derby DE22 1GB, U.K.

Corresponding author: Jie Cui (cuijie@mail.ustc.edu.cn)

This work was supported in part by the National Natural Science Foundation of China under Grant 61572001, Grant 61502008, and
Grant 61702005, in part by the Natural Science Foundation of Anhui Province under Grant 1508085QF132 and Grant 1708085QF136, and
in part by the Doctoral Research Start-up Funds Project of Anhui University.

ABSTRACT Vehicular ad hoc networks (VANETs) have increased in popularity in recent years and
play an extremely important role in the intelligent transportation field. However, the demands of larger
communication networks and the integrated message verification process for ensuring security incur more
communication and computation overheads, and directly affect the efficiency of existing VANET schemes.
To address this issue, this paper proposes a novel and practical conditional privacy-preserving authentication
scheme, which uses the registration list instead of the revocation list to reduce the communication overhead.
Specifically, our scheme can prevent malicious vehicles from disrupting the security features of VANETs.
Moreover, we do not use the bilinear pairing operation, which is the most complicated operation in modern
cryptography, thus significantly reducing the computation overhead and communication overhead. Security
and performance analyses demonstrate that our proposed scheme is more secure and efficient than current
schemes, and that the proposed scheme is more suitable for VANET deployments.

INDEX TERMS Registration list, resistance to continuous disruption, modification of passwords,

conditional privacy, elliptic curve.

I. INTRODUCTION storage capacity that is responsible for generating the sys-

A vehicular ad hoc network (VANET) is a special type of tem parameters and distributing secret materials. RSU is a
mobile ad hoc network that enables communication through communication node deployed as a road-side infrastructure
multi-hops among the nodes in a wireless network. VANETs, that can communicate with vehicles on a section of a road
which are increasing in popularity, can provide real-time through wireless channels. OBU, which is placed in vehicles,
information exchange by establishing connections among is responsible for issuing and receiving traffic-related mes-
vehicles on roads and road-side infrastructures [1]. VANETs sages so that drivers can obtain a better driving experience.
are efficient in providing travel assistance and can effec- In addition, a Tamper-Proof Device (TPD) is used in some
tively reduce the driver’s workload through automatic and VANETs, which is equated to a black box that prevents access
intelligent driving controls, and facilitate higher comfort and to attackers. However, manufacturing overheads of TPD are
rich travel experience for passengers. VANETs can also pro- relatively expensive, so it has not generally been deployed on
vide personal entertainment and in-car office functions by VANETs on a large scale.
facilitating Internet access to drivers and passengers [2], [3]. However, security remains one of the prevailing concerns
In short, VANETs extend the functionalities and facilities of in VANET applications. Adversaries can control communi-
vehicles as mobile information platforms rather than simple cation with ease because communication is often enabled
transport entities, which significantly enrich the functions and through a wireless channel. There are two immediate impli-
applications of vehicle systems. cations; first, it is fairly straightforward for attackers to issue
The structure of VANETs generally consists of three illegal messages in order to affect traffic patterns, or to
modules, namely a Trusted Authority (TA), a Road Side forge malicious information for the purpose of causing traffic
Unit (RSU), and an On-Board Unit (OBU) [4]. TA is a accidents. Second, attackers can easily track a vehicle, thus
trusted third party with high computing power and large violating user privacy. These two malicious behaviors have

2169-3536 2017 IEEE. Translations and content mining are permitted for academic research only.
VOLUME 6, 2018 Personal use is also permitted, but republication/redistribution requires IEEE permission. 2241
See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.
 H. Zhong et al.: Conditional Privacy-Preserving Authentication Using Registration List in VANETs

had serious impacts upon the efficiency of VANETs in the of the attacker, thus resulting in larger time and memory
recent past and have threatened the safety of passenger lives overheads.
and property in some cases [5]. Zhang et al. [8] highlighted that the computation power of
Also, VANET requires that the sender of the message needs the OBU in vehicles is not capable of performing complex
to be tracked quickly [6], and at the same time it should computational operations within a short time when the num-
has the ability to disqualify malicious vehicles from sending ber of vehicles in the VANET is relatively large. Allowing
messages quickly.Nowadays, many people make the same the nearby RSU to verify the message can assist the OBU
password in different agencies for convenience, for example, in the computation, but a more effective method of reduc-
the bank card password and the vehicle password are the ing the OBUs computation and communication overheads in
same. Then the owner will not convenient tell the password VANETs is an urgent problem.
to other people directly while many drivers share a vehicle. Wu et al. [9] and Zhang et al. [10] proposed a CPPA
At this point, the function of modification of the password scheme based on a group signature in which the OBU no
quickly and convenient is very important and necessary. longer needs to store more private data and the TA can
In summary, VANETs require further study to enhance effectively track the true identity of an attacker based on the
security features, robustness, and reliability. To this end, this revocation list without incurring the overheads caused by the
paper proposes a novel and practical conditional privacy- retrieval of the revocation list. However, because the speed of
preserving authentication (CPPA) scheme, which uses the the vehicle is fast and network topology changes quickly as
registration list instead of the revocation list for reducing the vehicle progresses, it is difficult to update and select the
the communication overhead. Important contributions of this group managers and group members dynamically.
paper include the following: Chim et al. [11] proposed a scheme using a software-based
1) Reduction in the retrieval time of the revocation bilinear pairing operation in which the RSU uses a pseudo
list when it is represented by the registration list in identity to protect its true identity during message communi-
order to reduce the think time available to attackers. cation by establishing a shared key in the handshaking phase
Moreover, the proposed scheme can prevent the between the RSU and the TA, where the TA can also track
attacker from continually issuing malicious infor- the true identity behind the pseudo identity. In the certifi-
mation, which effectively improves the security of cation phase, the RSU issues a notification message with a
VANETs. Bloom filter to reduce the OBUs computation overhead. But
2) The proposed scheme allows the owner of a vehicle to Horng et al. [12] later pointed out that the scheme proposed
modify passwords anytime, anywhere, which provides by Chim et al. [11] cannot resist an impersonation attack; that
more flexibility and privileges to the VANET user. is, malicious vehicles can disguise themselves as legitimate
3) The proposed scheme does not use bilinear pairing, vehicles to send a malicious message after intercepting a legal
which is the most complicated operation in modern message.
cryptography, and additionally reduces the message K. A. Shim. [13] proposed a security ID-based CPPA
length to minimize both the computation and commu- scheme in which the RSU supports batch authentication of
nication overheads in VANETs. messages to reduce the computation overhead of the RSU
The remainder of the paper is organized as follows. when the number of messages is large. However, the TA must
Section introduces the related research of CPPA schemes in consume more time in retrieving the entire revocation list, and
VANETs. The background knowledge and system model are furthermore it does not address the additional authentication
introduced in Section III. Section IV describes our proposed overheads caused by illegal information.
scheme in detail and Section V presents the security analysis Zhang et al. [14] proposed another ID-based CPPA scheme
of the proposed scheme. Section VI presents the performance to optimize the computation overheads in the message sig-
evaluation, including calculation overhead and communica- nature and authentication process, while the scheme also
tion overhead comparisons. Finally, Section VII discusses the supports batch authentication in order to improve the effi-
conclusion and future research. ciency of identity authentication. However, Lee et al. [15]
later pointed out that this scheme cannot achieve the function
II. RELATED WORK of non-repudiation, and Liu et al. [16] pointed out that the
A wide range of research has focused on enhancing the safety scheme cannot resist a modification attack.
and efficiencies of VANETs in the recent past. In order to improve the communication efficiency while
Raya et al. [7] proposed a CPPA scheme based on the ensuring the conditional privacy protection of the vehicles
public key infrastructure (PKI), which used public/private in VANETs, He et al. [17] proposed an efficient and fast
key pairs and corresponding certificates to hide a vehicle’s signature scheme without using the bilinear pairing operation.
true identity. However, there are two obvious shortcomings: This scheme reduces the computation overhead significantly
first, the OBU of each vehicle requires large storage space while meeting security requirements.
to save the public/private key pairs and the correspond- Zhong et al. [18] proposed a CPPA scheme to optimize the
ing certificates; second, the TA must carry out a complete computation process and to reduce the computation overhead
traversal in its storage space while seeking the true identity based on the scheme proposed by He et al. [17]. However,

2242 VOLUME 6, 2018

H. Zhong et al.: Conditional Privacy-Preserving Authentication Using Registration List in VANETs

the schemes proposed by He et al. [17] and Zhong et al. [18] messages and receiving notification messages from the
include several security assumptions, as it is difficult to equip RSU.
each vehicle with a TPD in practice. During an attack, TA System assumptions in our scheme are as follows:
can track the true identity of the attacker but cannot prevent 1) TA is completely trustworthy and will not be compro-
it from sending additional malicious messages. mised by attackers in anytime.
In order to solve the above problems, this paper proposes 2) The time in various parts of the entire VANET is syn-
a novel and practical conditional privacy protection scheme chronized.
based on the scheme of He et al. [19], which improves 3) RSU’s computing power and storage capacity are lower
communication efficiency under the premise of reducing the than TA and higher than OBUs.
demands in the security hypothesis. Additionally, our scheme B. SECURITY REQUIREMENTS
can effectively prevent the attacker from continually sending 1) Identity privacy preservation: The attacker should not
malicious information because of the presence of the regis- be able to obtain the real identity of the vehicles through
tration list, which improves the security features of VANETs. the messages sent by the vehicles. Only the TA can
track the real identity of the sender of a given message.
III. BACKGROUND 2) Traceability: The TA should be able to track the real
In this section, we introduce the system model of our scheme identity of the attacker through malicious messages and
and a background on the security requirements in VANETs. counteract if necessary.
3) Non-repudiation: When the vehicle sends a message,
it cannot deny it.
4) Un-linkability: The attacker should not be able to deter-
mine whether the messages are issued by the same
vehicle through the message content.
5) Resistant to continuous disruption: As a kind of real-
time network, VANETs should not only be able to
trace the real identity when the attacker appears, but
should also possess the ability to cease the continuous
malicious behaviors.
6) Modification of passwords: The owner of a vehicle
should be able to modify the passwords anytime, any-
FIGURE 1. System Model.
where.
7) Resistance to ordinary attacks: The CPPA scheme in
A. SYSTEM MODEL
VANETs should have the ability to resist some ordinary
The structure of VANETs consists of three parts in general: attacks, such as replay attack, modification attack and
Trusted Authority (TA), Road Side Unit (RSU) and On Board impersonation attack.
Unit (OBU), as showed in Fig. 1.
Information among OBUs or between OBU and RSU C. PRELIMINARY KNOWLEDGE
is transmitted over the wireless channel, and informa- 1) The one-way hash function h(·) is said to be secure if
tion between TA and RSU is transmitted over the wired the following properties are satisfied [21]:
channel [20]. • h can take a message of arbitrary length as input
TA, a trusted third party with very high computing power and produces a message digest of a fixed-length
and storage capacity, is responsible for generating the system output;
parameters and distributing the secret material. It is also • Given x, it is easy to compute y = h(x). However,
responsible for the offline registration of OBU and RSU and given y, it is hard to compute x = h−1 (y);
stores the registration list of RSU and OBU. • Given x, it is computationally infeasible to find
RSU, a trusted roadside node with high computing power x 0 6 = x that h(x 0 ) 6 = h(x).
and storage capacity, verifies the validity and integrity of 2) Elliptic Curve Discrete Logarithm Problem (ECDLP):
the message and then broadcasts the relevant message to the The ECDLP problem [22] is to determine the integer
surrounding vehicles by the notification message. It can also x, 0 ≤ x ≤ q − 1 , such as Q = xP,while two points
identify the real identity of the attacker if necessary, and then P, Q of order q are on a given elliptic curve.
notify the real identity to the TA. Because the number of RSU 3) Computation Diffie-Hellman problem (CDH):
is less than OBU, and RSU is easier to be maintained than the The CDH problem [22] is to compute abP ∈ G,
OBU in VANETs, RSUs are more equipped with TPD than while P, aP, bP ∈ G is given and a, b ∈ Zq∗ is
OBU in practice. unknown.
OBU is a semi-trusted computing unit with lower com- 4) Bloom Filter:
puting power and storage capacity load on the vehicle. A bloom filter [11] is an algorithm for representing
It is responsible for calculating and issuing traffic-related a set A = a1 , a2 , a3 , . . . an of n elements to support

VOLUME 6, 2018 2243

 H. Zhong et al.: Conditional Privacy-Preserving Authentication Using Registration List in VANETs

TABLE 1. Notation. • b. Registration of RSU

TA chooses the identity I DR of RSU according to its
reg
location, and computes KR = h(I DR ||s), where TRSU is
the corresponding registration time. After that, TA saves <
reg
TRSU , I DR > to registration list LRSU and sends {KR , I DR } to
RSU.
• c. Registration of Vehicle
TA chooses the identity I DV and two passwords PW1 , PW2
and then calculates KV = h(I DV ||s) andZV = KV ⊕
reg
h(PW1 ||PW2 ), where TOBU is the corresponding registration
time, KV and ZV will be used in the modification of passwords
reg
if needed. After that, TA saves < TOBU , I DV > to registra-
reg
tion list LOBU , and then sends {I DV , PW1 , PW2 , ZV , TOBU }
and {I DV , PW1 , PW2 } to OBU and the owner of the vehicle
respectively.
membership queries. The idea is to allocate a vector vn
with m bits, initially all set to 0, and a secure hash B. DRIVING STAGE
functions h(·), and used to compute the hash value of At this phase, RSU periodicity broadcasts message
element, if the element in the set A, and then the bit {I DR , PKRSU } to all vehicles in its range, where PKRSU is
of the corresponding position is set to 1. To determine the public key of RSU. Whenever a given vehicle enters the
whether a given value b is in A, we can check the bits range of a new RSU, OBU generates a pseudo identity and
at positions h(b). If this position is set as 1, then b is sends it to the corresponding RSU. After that, RSU sends
definitely in the set A. the message related to the vehicles pseudo identity to the TA
after receiving and processing the message from the vehicle.
IV. THE PROPOSED SCHEME TA returns the message to the RSU after confirming the legal
The proposed scheme in our paper mainly includes two main presence of RSU and OBU in the registration list based on the
phases such as the offline registration and the driving stage. timestamp. RSU the broadcasts the corresponding message
Offline registration includes the initialization of TA and reg- after the computation process. When the vehicle receives the
istration of RSUs and vehicles. The driving stage includes message and confirms its legitimacy, OBU, RSU and TA
five phases including mutual authentication, release of traf- should have completed the mutual authentication process.
fic information, message verification, release of notification After the authentication process, OBU can issue the traffic
message and receiving messages. The main symbols used in information with the help of RSU. The details are as follows:
our scheme and their definitions are illustrated in Table 1.
• a. Mutual Authentication

A. OFFLINE REGISTRATION
1) Driver needs to input the identity and two passwords
I DV , PW1 , PW2 to start OBU, and then OBU will
In this section, we introduce the system initialization phase.
check whether I DV and PW1 , PW2 are identical to
RSU and OBU get registered offline while in the fac-
the stored ones. If so, OBU computes KV = ZV ⊕
tory or annual inspection. TA is responsible for the corre-
h(PW1 ||PW2 ). After that, OBU chooses a random num-
sponding identity (ID) distribution and management.
ber x ∈ Zq∗ , and computes X = x · P, X ∗ = x · Ppub
• a. Initialization of TA
and PI DV = I DV ⊕ h(X ∗ ). Obviously, the above
TA is a trusted third party with a high computing power and calculation process can be done off-line in advance.
storage capacity that coordinates and controls the operation When a vehicle enters the range of a new
of the entire VANETs. Details of TAs Initialization are as RSU, it computes the two signature hash equations
follows: σOBU = h(T1 ||I DV ||I DR ||KV ||X ||X ∗ )and σcheck =
reg
1) TA chooses two large prime numbers p, q and an addi- h(TOBU ||T1 ||X ||PI DV ||σOBU ).
reg
tive group G with the order q and its generator is P, Finally, OBU sends {TOBU , T1 , X , PI DV , σOBU ,
which consists of all points on the elliptic curve E σcheck } to RSU.
reg
defined by the equation y2 = x 3 + ax + b mod p, where 2) Upon receiving the message { TOBU , T1 , X , PI DV ,
a, b ∈ Fp . σOBU } sent by the vehicle, RSU checks whether the
2) TA chooses a random number s ∈ Zq∗ as the master timestamp T1 is the latest or not. All the timestamps
private key, and computes Ppub = s · P as the master are tested in the following way: t1 is the value that
public key. the current time value minus the time value contained
3) TA chooses a secure hash function h(·). in the received timestamp, t2 is the value that the
4) TA broadcasts the system parameter {p, q, a, b, P, clock difference value plus the time delay value, and
Ppub , h} periodicity. then judge that whether t1 is less than t2 . If yes, that

2244 VOLUME 6, 2018

H. Zhong et al.: Conditional Privacy-Preserving Authentication Using Registration List in VANETs

means it is the latest, than RSU checks whether the By now, OBU, RSU and TA should have completed the
? reg
equation σcheck = h(TOBU ||T1 ||X ||PI DV ||σOBU ) exists. mutual certification process, therefore, the vehicle is legal and
If so, RSU chooses a random number y ∈ Zq∗ and RSU has not been compromised.
computes Y = y·P, Y ∗ = y·Ppub , PI DR = I DR ⊕h(Y ∗ ) • b. Release of Traffic Information
and σRSU = h(T2 ||PI DV ||X ||σOBU ||I DR ||KV ||Y ||Y ∗ ). If a vehicle in travel wants to issue traffic information ,
Now, RSU saves the item < T2 , X , Y , Y ∗ > to the OBU sends {T5 , m, σm } to RSU and to other vehicles, where
handshaking list Lhs stored in TPD, and then sends σm = h(T5 ||m||I DR ||I DV ||X ||Y ||SK ||σTA−OBU ).
reg reg
{TRSU , T2 , Y , PI DR , σRSU , TOBU , T1 , X , PI DV , σOBU } • c. Message Verification
to TA. Data stored in TPD are periodically deleted in Upon receiving the message {T5 , m, σm }, RSU checks
order to reduce its storage burden. whether the timestamp T5 is the latest. If it is the latest,
reg
3) Upon receiving the message {TRSU , T2 , Y , PI DR , reg
RSU finds out the item< TOBU , I DV , X , Y , SK , σTA−OBU >
reg
σRSU , TOBU , T1 , X , PI DV , σOBU }, TA checks whether in the authentication list Lauth according to the equation
the timestamp T2 is the latest. If it is the latest, TA ?
σm = h(T5 ||m||I DR ||I DV ||X ||Y ||SK ||σTA−OBU ). If the equa-
computes Y ∗ = Y · s and I DR = PI DR ⊕ h(Y ∗ ).
tion is not satisfied, the message {T5 , m, σm } is invalid.
Now TA checks whether I DR is contained in the
reg • d. Release of Notification Message
registration list LRSU according to the timestamp TRSU .
If so, TA computes KR = h(I DR ||s) and checks At this stage, the notification message is issued by the
? RSU, consisting of the bloom filters (a positive filter and
whether the equation σRSU = h(T2 ||PI DV ||X ||σOBU
a negative filter). The positive filter stores the hash value
||I DR ||KV ||Y ||Y ∗ ) holds. exists. If so, TA computes
of legitimate traffic message and their timestamp, and the
X ∗ = X · s and I DV = PI DV ⊕ h(X ∗ ).
negative filter stores the hash value of illegitimate Traffic
Third, TA checks whether I DV is contained in the
reg information and their timestamp. [11]. It is encrypted with the
registration list LOBU according to timestamp TOBU .
private key SKRSU of the RSU which can prevent an attacker
If yes, TA computes KV = h(I DV ||s) and checks
? from modifying or forging the notification message.
whether the equation σOBU = h(T1 ||I DV ||I DR ||KV ||X ||
• e. Receiving Messages
X ∗ ) exists. If so, TA computes TAI DV = I DV ⊕
Upon receiving the notification message from RSU, OBU
h(Y ||Y ∗ ||KR ), σTA−RSU = h(T3 ||I DV ||TAI DV
decrypts it using the public key PKRSU of RSU. If a vehicle
||X ||I DR ||Y ||KR ),TAI DR = I DR ⊕ h(X ||X ∗ ||KV ) and
wants to verify the validity of the message {T5 , m, σm } sent
I DV = PI DV ⊕ h(X ∗ ).
reg by the other vehicles, OBU will compute h(T5 , m) and check
Finally, TA sends the message {T3 , T2 , TOBU , σTA−OBU ,
whether this value is in the notification message. There are
σTA−RSU , TAI DV , TAI DR } to RSU.
reg three cases of the results, as showed in Table 2.
4) Upon receiving the message {T3 , T2 , TOBU , σTA−OBU ,
σTA−RSU , TAI DV , TAI DR }, RSU checks whether the TABLE 2. The search results.
timestamp T3 is the latest. If it is the latest, RSU identi-
fies the item < T2 , X , Y , Y ∗ > in the handshaking list
Lhs according to T2 , and computes I DV = TAI DV ⊕
h(Y ||Y ∗ ||KR ) and further checks whether the equa-
?
tion σTA−RSU = h(T3 ||I DV ||TAI DV ||X ||I DR ||Y ||KR ) Case 1 means that the message is legitimate, and case 2
exists. If so, RSU computes SK = y · X and indicates that the message is illegitimate. Case 3 depicts that
σRSU −OBU = h(T4 ||I DV ||I DR ||X ||Y ||SK ||σTA−OBU ). the message has not been authenticated by RSU, therefore,
reg
At last, RSU saves the item < TOBU , I DV , X , Y , SK , the vehicle just needs to wait for the next notification message
σTA−OBU > to the authentication list Lauth which is from RSU.
stored in TPD, and sends {T4 , TAI DR , σTA−OBU ,
V. SECURITY ANLYSIS AND COMPARISONS
σRSU −OBU , Y } to RSU. To reduce the storage burden
Security is one of the basic requirements and core elements of
of TPD, the data that stored in it will be deleted
VANETs. In this section, the security features of the proposed
periodically.
scheme is proven to ensure that VANETs security require-
5) Upon receiving the message {T4 , TAI DR , σTA−OBU ,
ments have been met, and further the proposed scheme has
σRSU −OBU , Y } , OBU checks the whether the
been evaluated against a few existing security schemes.
timestamp T4 is the latest. If it is the latest,
OBU computes the equation I DR = TAI DR ⊕ A. SECURITY PROOF
h(X ||X ∗ ||KV ) and checks whether the equation The security model of our scheme is to designed construct a
?
σTA−OBU = h(I DV ||X ||X ∗ ||I DR ||Y ||KV ) exists. If yes, game between challenger C and adversary A that is, whether
OBU calculates SK = x·Y checks whether the equation the adversary A can win the game of overcoming the chal-
σRSU −OBU = h(T4 ||I DV ||I DR ||X ||Y ||SK || lenge given by the challenger C in the polynomial time with
σTA−OBU ) exists. a non-negligible probability.

VOLUME 6, 2018 2245

 H. Zhong et al.: Conditional Privacy-Preserving Authentication Using Registration List in VANETs

Definition 1: In the game constructed by the security model h(PW1 ||PW2 ), saves {h(PW1 ||PW2 ), τ 0 } to L⊕ , and sends τ 0
of the CPPA scheme in VANETs, the scheme is secure if to A.
the advantage of the adversary A is negligible in polynomial Sign − Oracle: Upon receiving a query I DV and
time. h(PW1 ||PW2 ) from A, C computes KV = h(I DV ||s) and
Theorem 1: The registration of RSU in the proposed ZV = KV ⊕ h(PW1 ||PW2 ), sends {I DV , h(PW1 ||PW2 ),
scheme is secure in the random oracle model. KV , ZV } to A. We can know that KV and ZV is the signature
Proof: Suppose there is an adversary A who can forge of I DV and h(PW1 ||PW2 ) those are calculated by TA in our
a legitimate message {I DR , KR }, we construct a challenger scheme.
C that can solve the ECDLP problem with a non-negligible Output: At last, A outputs {ID0V , h0 (PW1 ||PW2 ),
probability by running A as a subroutine. KV , ZV0 }, and then C checks whether the equation KV0 =
0

Setup − Oracle: C chooses a random number s ∈ Zq∗ h(ID0V ||s) and ZV0 = KV0 ⊕ h0 (PW1 ||PW2 ) is satisfied. If not,
as the master private key, and computes Ppub = s · P the game is over and A fails in the game. If yes, according
as the master public key and generates public parameters to the forgery lemma [23], A will output another valid
{p, q, a, b, P, Ppub , h}. signature {ID00V , h00 (PW1 ||PW2 ), KV00 , ZV00 } which the equation
h − Oracle: C keeps the list Lh which maintains the item of KV00 = h(ID00V ||s) and ZV00 = KV00 ⊕ h00 (PW1 ||PW2 ) is
query from A along with its corresponding answer {I DR , τ }, satisfied.
while the list is initialized to be empty. Upon receiving a It means that A can work out KR00 − KR0 = h(ID00V ||s) −
query I DR from A, C checks whether the item {I DR , τ } is in h(ID0V ||s). However, the result is contradictory with the uni-
the list or not. If yes, C sends τ to A. Otherwise C computes directionality of the secure hash function and the ECDLP is a
τ = h(I DR ||s), saves {I DR , τ } to Lh , and sends τ to A. difficult problem, which means A cannot work out the above
Sign − Oracle: Upon receiving a query I DR from A, A equation. Therefore, theorem 2 is proved.
computes KR = h(I DR ||s) and sends {I DR , KR } to A. We can Theorem 3: The process of sending an authentication mes-
know that KR is the signature of I DR that is calculated by TA sage by OBU in the proposed scheme is secure in the random
in our scheme. oracle model.
Output: At last, A outputs {ID0R , KR0 }, and then C checks Theorem 4: The process of calculating an authentication
whether the equation KR0 = h(ID0R ||s) is satisfied. If not, message from OBU by RSU in the proposed scheme is secure
the game is over and A fails in the game. If yes, according to in the random oracle model.
the forgery lemma [23], A will output another valid signature Theorem 3 and Theorem 4 can be proved by the same
{ID00R , KR00 } when the equation KR00 = h(ID00R ||s) is satisfied. way. Therefore, the proposed scheme is secure in the random
It means that A can work out KR00 − KR0 = h(ID00R ||s) − oracle model.
h(ID0R ||s). However, the result is contradictory with the un- The next section analyzes the security requirements of the
idirectionality of the secure hash function and the ECDLP is a CPPA scheme in VANETs.
difficult problem, which means A cannot work out the above 1) Identity privacy preservation: Normally, the vehicle
equation. Therefore, theorem 1 is proved. only sends the pseudo identity once it comes within the
Theorem 2: The registration of a vehicle in the proposed range of RSU. Pseudo identity is computed by the equa-
scheme is secure in the random oracle model. tion X ∗ = x · Ppub and PI DV = I DV ⊕ h(X ∗ ), where
Proof: Suppose there is an adversary A who can forge a x ∈ Zq∗ is a random number. Therefore, no attacker
legitimate message {I DV , KV , ZV }, we construct a challenger can obtain the real identity I DV of the vehicle through
C that can solve the ECDLP problem with a non-negligible the pseudo identity PI DV . It means that our proposed
probability by running A as a subroutine. scheme has met the requirements of identity privacy
Setup − Oracle: C chooses a random number s ∈ Zq∗ as the preservation.
reg
master private key, computes Ppub = s·P as the master public 2) Traceability: RSU can search the item < TOBU , T5 , m,
key and generates public parameters {p, q, a, b, P, Ppub , h}. I DV > according to T5 in the message list Lm when
h − Oracle: C keeps the list Lh which maintains the item it encounters malicious messages, and then sends <
reg
of query from A and its corresponding answer {I DV , τ }, TOBU , I DV > to TA. TA can search the item <
reg reg
while the list is initialized to be empty. Upon receiving a TOBU , I DV > according to TOBU in the registration list
query I DV from A, C checks whether the item {I DV , τ } LRSU while RSU is comprised.
is in the list or not. If yes, C sends τ to A. Otherwise C 3) Non-repudiation: RSU can search out the item <
reg
computes τ = h(I DV ||s), saves {I DV , τ } to , and sends τ TOBU , T5 , m, I DV > according to the timestamp T5
to A. in the message list Lm quickly, which includes the
⊕ − Oracle: C keeps the list L⊕ which maintains real identity of the vehicle and its registration time.
the item of query from A and its corresponding answer Therefore, our scheme has met the requirements of
{h(PW1 ||PW2 ), τ 0 }, while the list is initialized to be empty. Non-repudiation.
Upon receiving a query h(PW1 ||PW2 ) from A, C checks 4) Un-linkability: The format of message related to traffic
whether the item {h(PW1 ||PW2 ), τ 0 } is in the list. If yes, information in our proposed scheme is {T5 , m, σm },
C sends τ 0 to A. Otherwise C computes τ 0 = KV ⊕ where σm = h(I DR ||I DV ||X ||Y ||SK ||σTA−OBU ||m||T5 ),

2246 VOLUME 6, 2018

H. Zhong et al.: Conditional Privacy-Preserving Authentication Using Registration List in VANETs

therefore, the attacker cannot determine whether the TABLE 3. Security comparisons.
two given messages are issued by the same vehicle
using the message content, which achieves the security
requirements of un-linkability.
5) Resistant to continuous disruption: TA will delete the
registration form in the corresponding registration list
when either the real identity of a malicious vehicle or a
compromised RSU is detected. Therefore, when either
a malicious vehicle is authenticated by a valid RSU or a
legitimate vehicle is authenticated by a compromised
RSU, TA will immediately stop the certification pro-
cess to prevent continuous damage.
6) Modification of passwords: The owner of a vehicle can
change the passwords anytime anywhere whenever he TABLE 4. The definition and execution time of related operations.
considers the passwords is not secure and the details are
as follows. Owner inputs IDV , PW1old , PW2 , PW1new
to start OBU. OBU will check whether I DV and
PW1old , PW2 are identical to the stored ones. If yes,
OBU computes KV = ZV ⊕ h(PW1old ||PW2 ) and
ZVnew = KV ⊕h(PW1new ||PW2 ). At last, OBU only needs
to replace ZVold with ZVnew .
7) Resistance to ordinary attacks:
• Replay attack: RSU will check the timestamp
while receiving a message, once it is found not to
be the latest, RSU will drop it immediately.
• Modification attack: It is impossible that the
attacker can modify a legal message {T5 , m, σm } to
{T5 , m0 , σm0 } where σm0 = h(I DR ||I DV ||X ||Y ||
SK ||σTA−OBU ||m0 ||T5 ), while the sent real identity
of a vehicle {T5 , m, σm } is unknown.
• Impersonation attack: If the attacker wants to send
a legal message by impersonating the legal vehi-
cle, it must obtain the real identity of the vehi-
cle. However the attacker cannot obtain the real
identity of the vehicle according to the preceding
knowledge. Therefore, our proposed scheme can
resist the impersonation attack. A. COMPUTATION OVERHEAD ANALYSIS
B. SECURITY COMPARISONS
The CPPA schemes proposed by Shim et al. [13] and
Zhang et al. [14] are based on bilinear pairing, where the addi-
In general, the security requirements of VANETs mainly
tive group G with the order q and its generator Pconstitutes
span across message authentication, preservation of iden-
all points on the elliptic curve E defined by the equation
tity privacy, traceability, un-linkability, resistant to contin-
y2 = x 3 + x mod p , where p is a 512-bit prime number
uous disruption, modification of passwords, and resistance
and q is a 160-bit prime number. The schemes proposed by
to ordinary attacks. We evaluate the performance of our
He et al. [17] and Zhong et al. [18] are based on Elliptic
scheme against four existing schemes in terms of the secu-
Curve Cryptography (ECC) to achieve the same level of
rity requirements of VANETs. The results are presented
security, where the additive group G with the order q and
in Table 3.
its generator pconstitutes all points on the elliptic curve E
Among the evaluated schemes, the other four schemes are
defined by the equation y2 = x 3 + ax + b mod p, where
not resistant to continuous disruption and modification of
a, b ∈ Fp , p and q is a 160-bit prime number. The cryptogra-
passwords. Though, our proposed scheme effectively satisfies
phy library used in our experiment is MIRACL[30], which
all the security requirements of VANETs.
is a well-known and widely used cryptographic library in
VI. PERFORMANCE ANALYSIS computing the time required for various cryptographic opera-
The performance of VANETs is susceptible to computa- tions. And our hardware platform consists of an Intel I7-6700
tion and communication overheads due to the rapid speed processor8 gigabytes memory and runs Windows 7 operating
of the vehicles and the rapid changes in the network system. The definition and execution time of related opera-
topology. tions in cryptography are shown in Table 4.

VOLUME 6, 2018 2247

 H. Zhong et al.: Conditional Privacy-Preserving Authentication Using Registration List in VANETs

TABLE 5. The comparison of the execution time.

FIGURE 2. The comparison of the execution time.

The calculation and storage capacity of OBU are low and

the number of vehicles is more than RSU, therefore one of the
purposes of our scheme is to reduce the OBUs computation
overhead. The performance evaluation of the schemes in
terms of the execution time consumed to send traffic-related
message (that is generating the pseudo identity and message
signature) by OBU is shown in Table 5.
In the scheme of Jianhong et al. [14], the execution time of
issuing single traffic-related messages is 6Tsm−bp +2Tpa−bp + FIGURE 3. The comparison of authenticating message time.

1Tmtp + 4Th ≈ 14.6746 ms and the execution time of issue n

traffic-related message is (6n)Tsm−bp +(2n)Tpa−bp +(4n)Th ≈ The speed of traffic-related message verification pro-
14.6746n ms, while the execution time in the scheme pro- cess also determines the computation efficiency of
posed by Zhong et al. [18] is 2Tsm−ecc + 2Th ≈ 0.8842 ms VANETs. Assuming there are 500 vehicles in the range
and (2n)Tsm−ecc + (2n)Th ≈ 0.8842n ms respectively. of RSU, the RSU needs to verify 2500-5000 messages
In our scheme, whenever the vehicle enters the range of a per second [25].
new RSU, it is necessary to send the identity authentication Traffic-related message verification process in our scheme
message to RSU, and the RSU will send messages to TA after is carried out by RSU which usually comprises more storage
processing the identity authentication message which ensures and computing power. RSU issues the notification informa-
that no malicious vehicle or compromised RSU is involved tion which is encrypted with the private key and the OBU
in the transmission process of traffic-related message. When only needs to decrypt the notification information using the
n traffic-related messages needs to be sent, the worst case public key, and the operation time of decryption is negligible.
is that the OBU sends an identity authentication message Upon receiving the traffic information message, the RSU will
reg
to the RSU for each traffic-related messages. Therefore the find out the item < TOBU , I DV , X , Y , SK , σTA−OBU > in the
execution time of OBU is nTsm−ecc + (6n)Th ≈ 0.4426n ms. list Lauth which satisfies the signature equation. Considering
While the best case is when OBU sends the identity authen- the storage capacity of TPD in the VANETs, TPD will delete
tication message only once in the range of RSU, therefore the private data before a certain time. Therefore, the data
the execution time of the OBU is 1Tsm−ecc + (n + 5)Th ≈ in the list Lauth will be deleted periodically, and the number
0.0001n + 0.4435 ms. of item in the list is usually maintained at a level more than
Consider, the coverage of the RSU is about 600 m, that of vehicles in order to continue the process when the
the vehicle speed is between 0 km/h and 120 km/h [7] and vehicle speed is low. Assuming there are 500 vehicles within
the time taken for sending traffic information message is the RSU coverage, the number of item saved in the list Lauth
100-300 ms [24]. Now, OBU needs to send at least 50 traffic- is 1000, the best case in message authentication process is
related messages in the range of RSU. From Fig. 2, the exe- that only one hash function is performed and the worst case
cution time required by OBU to issue traffic-related message is carried out with 1000 hash functions. The execution time
in our proposed scheme is much less than that of the other of the message verification process with 500 hash functions
four schemes even in the worst case. by all the evaluated schemes is depicted in Table 6.

2248 VOLUME 6, 2018

H. Zhong et al.: Conditional Privacy-Preserving Authentication Using Registration List in VANETs

TABLE 6. The execution time of message verification process. TABLE 7. The comparison of communication overhead.

in Table 7, the traffic-related messages in the scheme

of He et al. [17] are {M , AID, T , R, σ }, where AID =
{AI D1 , AI D2 }, AI D1 , R ∈ G and AI D2 , σ ∈ Zq∗ , and the
length of a single traffic-related message is 40 ∗ 2 + 20 ∗
2 + 4 = 124 bytes. Moreover, In the CPPA scheme of
Zhong et al. [18], the vehicle broadcasts the traffic-
related messages {AID, M , σ, T } to others, where AID =
{AI D1 , AI D2 }, AID ∈ G and AI D2 , σ ∈ Zq∗ , and the length
of a single traffic-related message is 40 + 20 ∗ 2 + 4 =
84 bytes. Traffic-related messages are {T , m, σ } in our pro-
posed scheme, where σ ∈ Zq∗ , and the length of a single
traffic-related message is 20 + 4 = 24 bytes.Therefore,
the proposed scheme is superior to the other four schemes in
From Fig.3, it can be observed that the time consumed
terms of reducing the communication overheads. Thus, from
to authenticate a message in the schemes proposed by
the aforementioned comparative evaluations of the schemes
Shim et al. [13] and Jianhong et al. [14] is similar, and
in terms of reducing the computation and communication
the time consumed in our scheme is significantly lower
overheads, we can draw the conclusion that our proposed
than them. Yet, the result is almost the same to the
scheme has obvious advantages than the other four schemes
schemes proposed by He et al. [17] and Zhong et al. [18].
in both the aspects. Therefore, our scheme can accommodate
However, the above results are based on the fact that all of the
more transmission tasks while realizing higher level of secu-
authenticated messages are legitimate, but batch authentica-
rity in VANETs, and it is more suitable for VANETs.
tion usually fails when illegal messages appear. Under such a
scenario, the TA only detects the illegal messages by adopting VII. CONCLUSION AND FUTURE WORK
the binary search strategy [11], which will lead to obvious This paper proposed a novel and practical ID-based CPPA
reduction in the efficiency of batch authentication. Although scheme based on invocating the registration list to reflect
our proposed scheme does not support batch certification, the role of the revocation list. The proposed scheme greatly
the efficiency of the message verification process is relatively reduces the time taken to retrieve the registration list and
stable, thus our scheme is superior to the other evaluated effectively improves the security of VANETs. Moreover, our
schemes in VANETs. scheme does not use bilinear pairing, which is the most com-
plicated operation in modern cryptography, and effectively
B. COMMUNICATION OVERHEAD ANALYSIS
reduces the length of messages sent by vehicles. Therefore,
This section evaluated the communication overhead efficien- the proposed scheme also effectively improves the communi-
cies of the evaluated schemes. The additive group G with cation performance and efficiency of VANETs.
the order q and its generator Pconstitutes all the points on Security analyses showed that the proposed scheme is not
the elliptic curve E defined by the equation y2 = x 3 + only effective in satisfying the basic security requirements
x mod p, where p is a 512-bit prime number and q is a of VANETs but also efficient in preventing the malicious
160-bit prime number. The additive group G with the order vehicle or the compromised RSU from disrupting VANET
q and its generator pconstitutes all the points on the elliptic security protocols because of the presence of the registra-
curve E defined by the equation y2 = x 3 + ax + b mod p, tion list. Performance analyses demonstrated that our pro-
where a, b ∈ Fp , p and q is a 160-bit prime number. There- posed scheme achieves better performance in reducing both
fore, the size of each element in G and G is 128 bytes and the computation overhead and the communication overhead
40 bytes respectively [26]. We assume that the timestamp compared to existing schemes, and further exhibits better
and the output of the secure hash function are 4 bytes and practical application in current VANETs. As future work,
20 bytes respectively [27] and the size of each element in we plan to study means of reducing the operation time of the
Zq∗ is 20 bytes. If the traffic information in the messages TA and RSU and the delay time between them, which can
are the same, we only need to consider the message length. obviously increase the security and efficiency of VANETs.
Table 7 presents the communication overhead performance
of the evaluated schemes. ACKNOWLEDGMENT
In CPPA scheme of VANETs, the value T in the The authors are very grateful to the anonymous referees for
traffic-related message denotes the timestamp. As is shown their detailed comments and suggestions regarding this paper.

VOLUME 6, 2018 2249

 H. Zhong et al.: Conditional Privacy-Preserving Authentication Using Registration List in VANETs

REFERENCES [25] Y. Liu, L. Wang, and H. Chen, ‘‘Message authentication using proxy
vehicles in vehicular ad hoc networks,’’ IEEE Trans. Veh. Technol., vol. 64,
[1] P. Papadimitratos, A. De La Fortelle, K. Evenssen, R. Brignolo, and
no. 8, pp. 3697–3710, Aug. 2014.
S. Cosenza, ‘‘Vehicular communication systems: Enabling technologies,
[26] L. Martin, Identity-Based Cryptography Standard (IBCS) #1: Supersingu-
applications, and future outlook on intelligent transportation,’’ IEEE
lar Curve Implementations of the BF and BB1 Cryptosystems, document
Commun. Mag., vol. 47, no. 11, pp. 84–95, Nov. 2009.
RFC 5091, 2007.
[2] A. Boukerche, H. A. B. FOliveira, E. F. Nakamura, and A. A. F. Loureiro,
[27] C. Adams and D. Pinkas, Internet x. 509 Public Key Infrastructure Time
‘‘Vehicular ad hoc networks: A new challenge for localization-based sys-
Stamp Protocol (TSP), document RFC 3161, 2001.
tems,’’ Comput. Commun., vol. 31, no. 12, pp. 2838–2849, 2008.
[3] IEEE Standard for Wireless Access in Vehicular Environments–
Security Services for Applications and Management Messages,
IEEE Standard 1609.2a, Intelligent Transportation Systems Committee,
2013. HONG ZHONG received the Ph.D. degree from
[4] X. Lin, R. Lu, C. Zhang, H. Zhu, P.-H. Ho, and X. Shen, ‘‘Security the University of Science and Technology of China
in vehicular ad hoc networks,’’ IEEE Commun. Mag., vol. 46, no. 4, in 2005. She has been a Professor and the Dean
pp. 88–95, Apr. 2008. of the School of Computer Science and Technol-
[5] F. Qu, Z. Wu, F.-Y. Wang, and W. Cho, ‘‘A security and privacy review of ogy, Anhui University, China, since 2009. She has
VANETs,’’ IEEE Trans. Intell. Transp. Syst., vol. 16, no. 6, pp. 2985–2996, published over 100 papers. Her research interests
Dec. 2015. include applied cryptography, IoT security, vehic-
[6] V. Daza, J. Domingo-Ferrer, and F. Sebé, and A. Viejo, ‘‘Trustwor- ular ad hoc network, and software-defined net-
thy privacy-preserving car-generated announcements in vehicular ad hoc working.
networks,’’ IEEE Trans. Veh. Technol., vol. 58, no. 4, pp. 1876–1886,
May 2009.
[7] M. Raya and J.-P. Hubaux, ‘‘Securing vehicular ad hoc networks,’’
J. Comput. Secur., vol. 15, no. 1, pp. 39–68, 2007.
[8] C. Zhang, X. Lin, R. Lu, and P.-H. Ho, ‘‘RAISE: An efficient RSU-aided BO HUANG is currently pursuing the Ph.D.
message authentication scheme in vehicular communication networks,’’ in degree with the School of Computer Science and
Proc. IEEE Int. Conf. Commun. (ICC), May 2008, pp. 1451–1457. Technology, Anhui University. His research inter-
[9] Q. Wu, J. Domingo-Ferrer, and U. González-Nicolás, ‘‘Balanced trustwor- est is vehicle ad hoc network.
thiness, safety, and privacy in vehicle-to-vehicle communications,’’ IEEE
Trans. Veh. Technol., vol. 59, no. 2, pp. 559–573, Feb. 2010.
[10] L. Zhang, Q. Wu, A. Solanas, and J. Domingo-Ferrer, ‘‘A scalable
robust authentication protocol for secure vehicular communications,’’
IEEE Trans. Veh. Technol., vol. 59, no. 4, pp. 1606–1617, May 2010.
[11] T. W. Chim, S. M. Yiu, L. C. K. Hui, and V. O. K. Li, ‘‘SPECS: Secure and
privacy enhancing communications schemes for VANETs,’’ Ad Hoc Netw.,
vol. 9, no. 2, pp. 189–203, 2011.
[12] S.-J. Horng et al., ‘‘B-SPECS+: Batch verification for secure pseudony- JIE CUI received the Ph.D. degree in computer
mous authentication in VANET,’’ IEEE Trans. Inf. Forensics Security, science and technology from the University of
vol. 8, no. 11, pp. 1860–1875, Nov. 2013. Science and Technology, China, in 2012. He is
[13] K.-A. Shim, ‘‘CPAS: An efficient conditional privacy-preserving authenti- currently an Associate Professor with the School
cation scheme for vehicular sensor networks,’’ IEEE Trans. Veh. Technol., of Computer Science and Technology, Anhui Uni-
vol. 61, no. 4, pp. 1874–1883, May 2012. versity, China. He has published over 50 papers.
[14] Z. Jianhong, X. Min, and L. Liying, ‘‘On the security of a secure batch His current research interests include applied cryp-
verification with group testing for VANET,’’ Int. J. Netw. Secur., vol. 16, tography, IoT security, vehicular ad hoc network,
no. 5, pp. 351–358, 2014. and software-defined networking.
[15] C.-C. Lee and Y.-M. Lai, ‘‘Toward a secure batch verification with group
testing for VANET,’’ Wireless Netw., vol. 19, no. 6, pp. 1441–1449, 2013.
[16] J. K. Liu, T. H. Yuen, M. H. Au, and W. Susilo, ‘‘Improvements on an
authentication scheme for vehicular sensor networks,’’ Expert Syst. Appl.,
vol. 41, no. 5, pp. 2559–2564, 2014. YAN XU received the Ph.D. degree from the
[17] D. He, S. Zeadally, B. Xu, and X. Huang, ‘‘An efficient identity-based University of Science and Technology of China
conditional privacy-preserving authentication scheme for vehicular ad in 2015. She is currently a Lecturer with the School
hoc networks,’’ IEEE Trans. Inf. Forensics Security, vol. 10, no. 12, of Computer Science and Technology, Anhui Uni-
pp. 2681–2691, Dec. 2015. versity, China. Her research interests cover net-
[18] H. Zhong, J. Wen, J. Cui, and S. Zhang, ‘‘Efficient conditional privacy- work and information security.
preserving and authentication scheme for secure service provision in
VANET,’’ Tsinghua Sci. Technol., vol. 21, no. 6, pp. 620–629, 2016.
[19] D. He and D. Wang, ‘‘Robust biometrics-based authentication scheme
for multiserver environment,’’ IEEE Syst. J., vol. 9, no. 3, pp. 816–823,
Sep. 2015.
[20] S. Jiang, X. Zhu, and L. Wang, ‘‘An efficient anonymous batch authenti-
cation scheme based on HMAC for VANETs,’’ IEEE Trans. Intell. Transp. LU LIU received the M.Sc. degree in data com-
Syst., vol. 17, no. 8, pp. 2193–2204, Aug. 2016.
munication systems from Brunel University, U.K.,
[21] W. Mao, Modern Cryptography: Theory and Practice. Englewood Cliffs,
and the Ph.D. degree from University of Surrey,
NJ, USA: Prentice-Hall, 2003.
U.K. (funded by DIF DTC). He is currently a
[22] N. Koblitz, A. Menezes, and S. Vanstone, ‘‘The state of elliptic curve
Professor of distributed computing with the Uni-
cryptography,’’ Des., Codes Cryptogr., vol. 19, nos. 2–3, pp. 173–193,
Mar. 2000. versity of Derby, U.K. His research interests are
[23] D. Pointcheval and J. Stern, ‘‘Security arguments for digital signatures and
in areas of cloud computing, service computing,
blind signatures,’’ J. Cryptol., vol. 13, no. 3, pp. 361–396, 2000. computer networks and peer-to-peer networking.
[24] J. B. Kenney, ‘‘Dedicated short-range communications (DSRC) standards He is a Fellow of British Computer Society.
in the United States,’’ Proc. IEEE, vol. 99, no. 7, pp. 1162–1182, Jul. 2011.

2250 VOLUME 6, 2018