
Blockchain-Based Conditional Privacy-Preserving Au

This paper proposes a blockchain-based conditional privacy-preserving authentication scheme for vehicular ad hoc networks. The scheme uses pseudo-identities issued by a trusted authority to provide anonymous authentication while conditional privacy is ensured through storage of encrypted identity mappings in the blockchain. Performance evaluation shows the proposed scheme reduces computation overhead compared to existing schemes.

Uploaded by

Amal Hamada

Multimedia Tools and Applications (2023) 82:24155–24179

https://doi.org/10.1007/s11042-022-14288-8

Blockchain-based conditional privacy-preserving authentication scheme in VANETs

Pravin Mundhe1 · Pooja Phad2 · R. Yuvaraj3 · Shekhar Verma3 · S. Venkatesan3


Received: 23 August 2021 / Revised: 30 November 2022 / Accepted: 3 December 2022 /
Published online: 21 December 2022
© The Author(s), under exclusive licence to Springer Science+Business Media, LLC, part of Springer Nature 2022

Abstract
In vehicular ad hoc networks (VANETs), a vehicle must be authenticated to ensure its messages’ correctness. The authentication mechanism should be privacy-preserving to protect the vehicle’s real identity. However, an authenticated vehicle may misbehave, which forms the basis for the requirement of certificate revocation lists (CRLs). But CRLs incur a large storage and communication overhead. Difficulties such as the huge computation overhead, the heavy burden of storing and managing pseudo-identities, and handling ever-increasing certificate revocation make the existing authentication schemes impracticable. To overcome these difficulties, we propose a hybrid blockchain-based conditional privacy-preserving authentication (BCPPA) scheme in VANETs. In BCPPA, vehicles obtain pseudo-identities from the trusted authority that manages the network. A vehicle uses the received pseudo-identities to achieve anonymous authentication and communicate with other network members. The pseudo-identities and the encrypted real identities are both saved into the blockchain to ensure conditional privacy and member revocation. A receiver can verify the sender’s pseudo-identity using the proposed privacy-preserving authentication mechanism. We evaluate the scheme’s performance using the Ethereum blockchain and computing platform. The security analysis and experimental results show that the proposed scheme is effective in providing authentication and privacy and has reduced computation overhead as compared to existing schemes.

Keywords VANETs · Security · Conditional privacy · Blockchain

1 Introduction

VANET tries to increase vehicle safety and enhance traffic conditions. It contains two basic communication modes, i.e., vehicle to infrastructure (V2I/I2V) and vehicle to vehicle (V2V) [21, 26]. VANET consists of vehicles’ on-board units (OBUs), road-side units (RSUs), and regional transport authority. The RSUs are fixed alongside the road, whereas OBU is installed upon vehicles. The members of VANETs communicate using the dedicated short-range communication (DSRC) protocol which provides 75 MHz bandwidth with spectrum at 5.9 GHz and communication range up to 1000 m [17].

In addition to informative messages, a vehicle broadcasts safety messages about road conditions to adjacent vehicles, so that receivers can divert from their original route, and to RSUs, which convey them to the traffic control authority for taking appropriate action. A vehicle works as a sensor device that can collect and transmit critical information to other members and benefits the control authority to improve road conditions. The messages carrying safety information (e.g., road-blocking, traffic conditions) can be transmitted to or received from adjoining vehicles or RSUs, which may help the vehicles to travel steadily and avoid adverse traffic conditions or fatal accidents. Hence, message integrity needs to be ensured, which requires authentication of vehicles that transmit or forward messages. Besides, the vehicle’s privacy must also be protected from other members or attackers. Table 1 gives the notations and their description used in the proposed scheme.

Table 1 Notations and their description

Notation                         Description
TA                               Trusted Authority
TRA                              Transport Authority
PID                              Pseudo-identity
$p$                              A large prime number
$G_1, G_2$                       Multiplicative cyclic groups of prime order $p$
$g_1, g_2$                       Generators of group $G_1$ and $G_2$ resp.
$Z_p^*$                          Multiplicative group modulo $p$
$(a, b)$                         TA’s public keys
$(x, y)$                         TA’s private keys
$V_i$                            Vehicle $i$
$(ID_{V_i}, PID_{V_i})$          $V_i$’s real identity and pseudo-identity
$K_{V_i}$                        $V_i$’s verification key
$EP_{V_i}$                       $PID_{V_i}$’s expiry period
$H(\cdot)$                       Collision-resistant hash function
$E_{\propto}()/D_{\propto}()$    Encryption/Decryption algorithm using key $\propto$
$ITX_{V_i}$                      $V_i$’s PID Issuance transaction
$RTX_{V_i}$                      $V_i$’s PID Revocation transaction
$tm_i$                           Timestamp associated with $ITX_{V_i}$
$Sig_k$                          Signature produced using private key $k$

Pooja Phad, R. Yuvaraj, Shekhar Verma and S. Venkatesan contributed equally to this work.
Pravin Mundhe (mundhe.pravin@gmail.com)

Extended author information available on the last page of the article.

Content courtesy of Springer Nature, terms of use apply. Rights reserved.

1.1 Motivation

There are many security and privacy issues in VANETs. Among them, privacy-preserving
identity authentication and conditional privacy are the most important. The network services
and communications may get affected if a vehicle successfully carries out any major attack.
An attacker may update, steal, or forge the message contents to suspend the normal activities
of vehicles. It can easily modify the real information present in messages sent by valid
members. Also, it can delete messages or remove them from the network. An attacker may
try to find out a legal vehicle’s original identity as well as the exact location.
Moreover, a malicious vehicle may use other vehicles’ identities to transmit fraudu-
lent messages and damage the network while keeping its identity secret [19]. Besides, it
can also eavesdrop on the communication between vehicles and use that information to
harass vehicle owners. Hence, the vehicle’s real identity must be protected from an adver-
sary. Sometimes, a legal vehicle may also get involved in fraud activities and try to create
disturbances in the network. Therefore, the trusted authority must have the necessary infor-
mation about the vehicles and disclose the original identity when required. Thus, the security
mechanism must provide conditional privacy-preserving authentication.
The detection and revocation of malicious vehicles from the network are essential to
prevent them from transmitting fraud messages. If the information from a message gets
modified, vehicles may get affected, or the TA may take incorrect decisions that could result
in anomalies and unpredictable traffic conditions [4]. The receiver must verify the genuine-
ness of the message. Moreover, it must ensure that the message is not modified during the
transmission. Also, it must complete the authentication process within the appropriate time.
Many times, vehicles need to authenticate a large number of received messages. This number
increases as the system progresses with time because vehicles may receive a large number
of messages in a short time. It may happen that the vehicle cannot complete the authentication
process because of its low computation power and small storage. The process of finding
and removing malicious vehicles from the network and preserving the vehicle’s privacy at
the same time are complex operations [16].
In this paper, a conditional-privacy preserving authentication scheme using blockchain
(BCPPA) is proposed to provide transparency in VANETs. First, a vehicle sends its real
identity to TA, which provides pseudo-identity (PID) for communication. TA broadcasts
the PID issuance transaction into the network. Then, TA stores the vehicle’s PID and real
identity in encrypted format into the Merkle Patricia tree (MPT) for future conflicts. Later,
it creates a block based on the latest MPT root and provides it to RSUs for verification.
A sender transmits the PID and necessary information to the receiver for authentication. If
the given PID is present in the blockchain, it means the sender is authentic. If a vehicle is
performing malicious activity, TA can decrypt the encrypted identity and disclose its original
identity. Also, it can remove the associated PID and broadcast the PID issuance transaction.

1.2 Contributions

The TRA monitors and deals with the VANET, and TA manages the blockchain operations.
The major contributions of the proposed scheme are:
1. A hybrid blockchain-based conditional privacy-preserving authentication scheme is
proposed in which the TA issues PID to the requester. TA stores the PID and crucial
information in the blockchain to ensure vehicle authentication.
2. We save TA’s operations in blockchain transactions to achieve immutability. It provides
transparency to the whole network in case any member wants to verify TA’s broadcast
information.
3. The vehicle’s real identity in encrypted format and PID are both kept in the blockchain.
When TA needs to revoke a malicious vehicle, it uses this information to ensure
traceability and member revocation.
4. The requirement of a certificate revocation list is eliminated. The receiver can verify
whether a particular PID is issued or revoked by TA by computing the root value and
comparing it with the identity root stored in the recent block.
5. The BCPPA scheme has been analyzed, and the analysis shows that it meets the security
requirements in VANETs.

2 Related work

Many conditional privacy-preserving authentication schemes have been proposed in
VANETs over the last few years. These schemes can be divided into different types. The
first type of authentication scheme is based on symmetric-key cryptography [28, 29]. The
key management technique gives members a key to update group keys whenever the mem-
ber gets added or removed from the group [28]. The receiver uses a message authentication
code generated using the shared private key to verify the message. A dual authentication
and key management technique is proposed in [29] to transmit data securely that prevents
malicious vehicles from entering the network. However, these schemes do not provide
non-repudiation and also suffer from the burden of storage and communication overhead.
The second type of authentication scheme is based on public-key cryptography
[5, 9, 14, 31, 37]. Each vehicle has public-private key pair and certificate authority issues
certificates to each vehicle. This certificate and a digital signature are used to authenticate
the sender’s vehicle. These schemes have the issue of certificate revocation and scalabil-
ity because the vehicle cannot get a new certificate once its previous certificate is revoked.
Hence, a scheme using certificate revocation lists (CRLs) is proposed in [14] to achieve
scalability. However, CRL checking is time-consuming and requires high computational
power [31]. A revocation scheme based on fog computing is proposed in [5], in which
CRL is replaced with a Merkle hash tree. The scheme in [37] proposes a privacy-preserving
cloud establishment and data dissemination scheme for vehicular cloud (VC). This scheme
is based on an identity-based public-key cryptosystem. It uses the vehicle’s public key as
its pseudo-identity, which eliminates the need for certificate management. The adjacent
vehicles from a group create a secure VC by running dynamic identity-based authenticated
asymmetric group key agreement (DIBAAGKA) protocol using the pseudonym and private
key. It aims to provide low-cost computing and storage services and to enhance traffic safety
and efficiency.
The third type of authentication scheme is based on identity-based signature (IBS) [2,
13, 30, 38]. In these schemes, a vehicle’s real identity is used as a public key. The private
key generator (PKG) produces a private key using the identity and issues it to the respective
vehicle. The sender generates the signature using the private key and sends it to the
receiver for verification. In [30], efficient batch authentication and key exchange schemes
are proposed using bilinear pairing and anonymous identity for 6G enabled VANETs. This
scheme ensures low computational overhead in case of anonymous mutual authentication.
The batch authentication protocol reduces the total authentication overhead. It proposes an
integrity preservation protocol to transmit location-based messages to vehicles within the
region without any update or modification.
An efficient certificateless short signature-based conditional privacy-preserving authen-
tication (CLSS-CPPA) scheme is proposed in [2]. It uses the elliptic curve cryptosystem
(ECC) and general hash functions. Besides, CLSS-CPPA implements batch signature verifi-
cation for efficient and simultaneous signature verification. It ensures security against type-I
and type-II attackers against the adaptively chosen message attacks. This scheme provides
partial distribution of authority, message authentication, integrity, and conditional privacy.
A distributed aggregate privacy-preserving authentication (DAPPA) protocol is proposed
in [38] to solve the key escrow problem in VANETs. The TA generates a pseudonym using
the vehicle’s private information. A vehicle uses the pseudonym as a public identity during
communication. However, communication efficiency is reduced because of the delay dur-
ing the aggregation of id-based signatures. To overcome the issues present in IBS-based and
PKI-based schemes, certificateless signature-based schemes have been proposed in which
the certificate requirement is eliminated. Some of these schemes [15, 32] use bilinear pairing
operations that need high computation power. These schemes must store huge pseudonyms
and signatures for an undefined interval, even if a single message signature pair needs to be
verified.
The fourth type of authentication scheme is based on the ring signature and group signature.
Ring signature-based schemes [12, 22, 23] offer complete anonymity and do not require
a group manager. The receiver can verify the signature using the public
key of each vehicle in the ring. The scheme in [22] uses a ring signature-based conditional
privacy-preserving authentication (RCPPA) method to ensure secure message authentica-
tion and traceability. The sender transmits a pseudonym and ring signature along with the
safety message. The receiver authenticates the sender using the pseudonym and the message
using the ring signature. In [23], an efficient lattice-based ring signature scheme for mes-
sage authentication is proposed. A vehicle produces a signature using its private key and the
public keys of all ring members. The receiver verifies the message using the signature and
discards if the signature is found invalid. This scheme helps to achieve unconditional privacy
in the network when needed. In case of group signature-based schemes, a group manager is
needed to manage the network [25, 35]. Along with group signature, pseudonyms are used
in [25], and batch message verification and bilinear pairing are used in [35]. Only the group
manager can reveal the sender’s original identity. However, group signature verification is
generally a time-consuming operation. Also, defining the group manager is challenging.
The fifth type of authentication scheme is based on blockchain. In blockchain-based
identity authentication and revocation framework [3, 20, 36], certificate authority (CA)
assigns PID to vehicles. Then, PID and certificates are stored in the blockchain, and
information about the entry pointer is provided to the receiver for verification. In the
blockchain-based privacy-preserving authentication scheme [20], the law enforcement
authority (LEA) issues certificates to vehicles using CA. It can also reveal the vehicle’s real
identity if it performs any malicious activity. Similarly, a certificateless public key signature
(CL-PKS) scheme [3] for V2I communication is proposed in which blockchain is used to
achieve transparency of pseudo-identity revocation. In [36], a blockchain-based secure data-
sharing system for the internet of vehicles is proposed. In this, blockchain helps to store and
distribute safety-related messages such as announcement messages in broad regions. Also,
vehicles are encouraged to participate, and honest vehicles transmitting valid messages are
rewarded with some cryptocurrency. There are two blockchains used, i.e., parent and auxil-
iary. All the entities present in the system manage the parent blockchain, and entities present
in a region manage the respective auxiliary blockchain. A technique combining threshold
secret sharing and fair blind signatures is used to implement conditional privacy in the
system. If a sender sends a malicious message, then he is punished with some monetary
penalty.
Moreover, weaker devices are insulated using local P2P network-based blockchain. The transactions are stored on local blocks. The interaction with the public blockchain takes place through local peer nodes to manage and access control of devices. This requires centralized authorities [8], and a blockchain layer is added to provide blockchain services [7]. A blockchain network is constructed among different types of nodes to form a hybrid blockchain model with a local chain and a public chain [10]. A node is authenticated through the local blockchain, while the cluster head’s authentication is done in the public blockchain. Table 2 gives an overview of the contribution and advantages along with the limitations of the existing schemes.

Table 2 Overview of existing schemes

Schemes: Vijayakumar et al. [29]
Contribution and Advantages: In this, a dual authentication and key management technique is proposed. This technique transmits data securely and prevents malicious vehicles from entering the network.
Limitations: It does not provide non-repudiation. Also, it suffers from the burden of storage and communication overhead.

Schemes: Kondareddy et al. [14]
Contribution and Advantages: This scheme is proposed using certificate revocation lists. It solves the issue of scalability.
Limitations: CRL checking is time-consuming and requires high computational power.

Schemes: Zhang et al. [37]
Contribution and Advantages: It proposes a privacy-preserving cloud establishment and data dissemination scheme for vehicular cloud. It aims to enhance the traffic safety and efficiency.
Limitations: The managing and storing of pseudo-identity increase the time and space overhead.

Schemes: Vijayakumar et al. [30]
Contribution and Advantages: It uses efficient batch authentication and key exchange schemes using bilinear pairing and anonymous identity for 6G enabled VANETs. It proposes an integrity preservation protocol to transmit location-based messages to vehicles within the region without any update or modification.
Limitations: The bilinear pairing increases the complexity and computation overhead.

Schemes: Ali et al. [2]
Contribution and Advantages: It uses the elliptic curve cryptosystem and general hash functions that ensure security against type-I and type-II attackers against the adaptively chosen message attacks. It provides message authentication and integrity along with conditional privacy.
Limitations: It does not provide efficient identity authentication.

Schemes: Zhang et al. [38]
Contribution and Advantages: This distributed aggregate privacy-preserving authentication protocol solves the key escrow problem in VANETs. The TA generates a pseudonym using the vehicle’s private information. A vehicle uses the pseudonym as a public identity during communication.
Limitations: The communication efficiency is reduced because of the delay during the aggregation of id-based signatures.

Schemes: Yang et al. [32], Kumar and Sharma [15]
Contribution and Advantages: These certificateless signature-based schemes eliminate the certificate requirement. These schemes use bilinear pairing operations that need high computation power.
Limitations: These schemes must store huge pseudonyms and signatures for an undefined interval, even if a single message signature pair needs to be verified.

Schemes: Mundhe et al. [22, 23]
Contribution and Advantages: These schemes use a ring signature-based conditional privacy-preserving authentication method to ensure secure message authentication and conditional privacy.
Limitations: The difficulty level increases due to implementation of the ring signature.

Schemes: Rajput et al. [25], Zhang et al. [35]
Contribution and Advantages: These schemes use pseudonyms and batch message verification along with group signature. Only the group manager can reveal the sender’s original identity.
Limitations: However, group signature verification is generally a time-consuming operation. Also, defining the group manager is challenging.

Schemes: Zhang et al. [36]
Contribution and Advantages: This is a blockchain-based secure data-sharing system for the internet of vehicles. In this, blockchain helps to store and distribute safety-related messages such as announcement messages in broad regions. Also, vehicles are encouraged to participate, and honest vehicles transmitting valid messages are rewarded with some cryptocurrency.
Limitations: The identification and revocation of malicious vehicles is complex and time-consuming.

3 System overview

3.1 System model

Fig. 1 System model of VANET (diagram labels: TRA, RSU, V2I communication, V2V communication; A: IEEE 802.11p, B: wired communication)

Figure 1 shows the basic system model of the proposed scheme, which consists of OBUs, RSUs, and two TAs (i.e., TRA and TA). To avoid confusion, TRA monitors and deals with the VANET, and TA manages the blockchain operations. TRA may act as a TA, or it may be an independent entity collocated with TA. Following are the major components of the system with their brief narration.
1. On-Board Unit (OBU): The on-board unit is a processing device connected with dif-
ferent sensors in each vehicle. It communicates with other vehicles’ OBUs and RSUs
within the range. It receives, transmits, and processes the information, as well as
responds to received messages. Each OBU should broadcast current traffic condi-
tions and status messages every 100-300 ms to nearby vehicles according to the IEEE
802.11p standard.
2. Road-Side Unit (RSU): The road-side unit is a stationary device installed alongside
the road and at crossroads. It manages the communication between vehicles within
the communication range of up to 400-500 m. Moreover, it provides crucial information
to adjacent RSUs and TRA through the secure wired channel. It also works as an
intermediate device between OBUs and TRA.
3. Transport Authority (TRA): The transport authority is a higher third party authority,
which acts as a registration center. TRA controls and manages the activities that involve
registration of vehicles, issuing high-security registration plate and license number,
storing the vehicle’s crucial information, responding to queries from RSUs, etc.
4. Trusted Authority (TA): The trusted authority manages and governs the blockchain and
its respective operations. Its role is to initialize and broadcast public parameters in the
network, issue certificates to RSUs and pseudo-identities to vehicles. Moreover, TA has
the right to remove a malicious vehicle from the network and disclose its real identity
to the network members. Besides, it updates the vehicle’s PID when its expiry period is
over.
TA, RSUs, and their communication are assumed to be reliable and confidential. Besides, it
is outside the ambit of VANET.

3.2 Security requirements

Authentication, privacy, integrity, and non-repudiation are some of the basic security
requirements in VANETs.
1. Authentication and Privacy: The receiving vehicle must verify that an authentic vehicle
has transmitted the message and not an adversary. An attacker must not get the vehicle’s
real identity to maintain privacy. Hence, the network must have an anonymous authen-
tication mechanism. However, if any vehicle is found misbehaving, TRA must reveal
its original identity and discard it from the network.
2. Integrity: The information provided by a member to the authority or other members
should not be modified during the transmission over the network.
3. Non-repudiation: If a member has performed any activity, it should not deny its involve-
ment in execution, e.g., ownership of the transmitted message. It requires privacy to be
conditional.
4. Scalability: The sudden increase in the number of vehicles should not affect the
network’s performance. If the density is high, vehicles will transmit a large num-
ber of messages in the network. Hence, it becomes difficult to analyze unnecessary
information and quickly respond in a state of emergency.
5. Transparency: The activities of authorities must be transparent. The authorities must
list each transaction so that all the vehicles can validate certificates.
6. Member revocation: The revocation of certificates increases the issue related to scalability.
A vehicle cannot verify the sender’s certificate within the stipulated time as
verification involves huge CRLs and the transmission of related messages. Also, the
TA cannot remove the malicious vehicle and revoke its services unless the certificate’s
validity is over. Hence, the authority must revoke the membership of a malicious vehicle
at the required time.

3.3 Attack model

An attacker can modify, eavesdrop, replay or inject messages randomly to deceive authority
or interrupt the network operations.
1. Identity exposure attack: In this attack, the attacker tries to get the vehicle’s real iden-
tity by analyzing the previously used PIDs, or contents of the message transmitted, or
communicating with the legal vehicle and trying to extract the secret information. The
extracted real identity or secret information is exposed in the network.
2. Spoofing attack: As described in the identity exposure attack, the attacker uses other
vehicles’ real identities and broadcasts fraud messages in the network in a spoofing
attack.
3. Replay attack: In this attack, an adversary broadcasts previously transmitted valid
messages repetitively and tries to interrupt the normal functioning of the network.
4. Man-in-the-middle attack: In this, the attacker listens to the communication between
valid members and tries to act as an intermediate between them. Both the sender and
receiver are unaware of the eavesdropping and believe they are communicating with
each other. In this way, the attacker sends fraud information to the network and remains
hidden.

4 Problem description

A VANET must provide a safe and secure environment to its members by sending infor-
mative messages in the network. However, the attackers may breach the security or privacy
given to the vehicle owners due to the open nature of the wireless medium. Hence, the
receiver must anonymously authenticate the sender’s real identity before accepting the
messages. Additionally, the receiver must also preserve and should not disclose the real
identity in the network. The receiver must ensure protection from information leakage to
attackers. Moreover, the major limitations of current cryptographic mechanisms are compu-
tation and communication efficiency, dispensing centralized entities, and the large memory
requirement of certificates.
One of the methods applied to solve the privacy issues in VANETs is the use of CRL.
The receiver needs to query CRL each time before the message authentication to verify the
sender’s public key. Hence, the CRL requires a huge communication overhead and large
memory space to store certificates. Also, the CRL needs to have frequent modification and
is usually maintained by a trusted centralized entity. However, the assumption of trust may
not always be correct because a central entity is a single point of failure. It may also induce
large delays and increase the possibility of failures.
Simultaneously, we need to avoid multiple entities as they become a security liability
and breach the vehicle’s privacy. The vehicles need to get real identity from the motor
vehicle division before their registration to CA. Also, CA needs to create a hash map in
its local database for mapping the vehicle’s real identity to its PID. An extra member for
certificate issuance and revocation with CA increases the risk of information leakage and
communication and computation overhead. Hence, a distributed lightweight mechanism is
needed for privacy-preserving authentication in VANETs.

5 Preliminaries

In this section, we describe the major preliminaries used in the BCPPA scheme.

5.1 Merkle Patricia Tree (MPT)

MPT is used to record the transactions and their hash values at the leaf node [34]. When a
PID is added or removed from MPT, its root value ultimately changes, and the associated
root value is saved in the latest block of the blockchain. When the pseudo-identity is added
to MPT, the respective leaf node information is provided to the sender. Any verifier can
verify the presence of the received pseudo-identity by computing the hash value using the
leaf node information and comparing it with the MPT root value that is public and secure. If
the leaf node gets modified, the root value also changes because its value depends upon the
hash values of the leaf node. Hence, to prove the presence of an absent node is impossible
for the adversary. The TA manages and maintains the MPT in VANETs.
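
The membership check described in Section 5.1 and in contribution 4 (no CRL, the receiver recomputes the root and compares it with the identity root in the latest block), as an added example that is not code from the paper. It assumes a plain binary Merkle tree standing in for the Merkle Patricia tree; the names `TrustedAuthority` and `receiver_accepts`, the leaf layout, the block fields and the sample PIDs are constructed for illustration.

```python
import hashlib

LEAF, NODE = b"\x00", b"\x01"  # domain separation: a leaf hash can never be replayed as an inner node

def h(*parts: bytes) -> bytes:
    """SHA-256 over length-prefixed parts, so different splits never hash alike."""
    m = hashlib.sha256()
    for p in parts:
        m.update(len(p).to_bytes(4, "big") + p)
    return m.digest()

def leaf_hash(pid: str, enc_id: bytes, expiry: int) -> bytes:
    # Assumed leaf layout: PID, TA-encrypted real identity, expiry period.
    return h(LEAF, pid.encode(), enc_id, expiry.to_bytes(8, "big"))

def build_levels(leaves):
    """All tree levels, leaves first; an unpaired node is promoted unchanged."""
    levels = [list(leaves)]
    while len(levels[-1]) > 1:
        cur = levels[-1]
        levels.append([h(NODE, cur[i], cur[i + 1]) if i + 1 < len(cur) else cur[i]
                       for i in range(0, len(cur), 2)])
    return levels

def make_proof(levels, index):
    """Sibling hashes from leaf to root, each flagged if it sits on the left."""
    proof = []
    for level in levels[:-1]:
        sib = index ^ 1
        if sib < len(level):
            proof.append((level[sib], sib < index))
        index //= 2
    return proof

def root_from_proof(leaf, proof):
    acc = leaf
    for sibling, is_left in proof:
        acc = h(NODE, sibling, acc) if is_left else h(NODE, acc, sibling)
    return acc

class TrustedAuthority:
    """Keeps the PID tree and appends one block per issuance or revocation."""
    def __init__(self):
        self.records, self.chain = {}, []
        self._pids, self._levels = [], [[]]

    def _commit(self):
        self._pids = sorted(self.records)
        self._levels = build_levels([leaf_hash(p, *self.records[p]) for p in self._pids])
        root = self._levels[-1][0] if self._pids else h(b"empty")
        prev = self.chain[-1]["hash"] if self.chain else b"\x00" * 32
        height = len(self.chain)
        self.chain.append({"height": height, "prev": prev, "identity_root": root,
                           "hash": h(height.to_bytes(8, "big"), prev, root)})

    def issue(self, pid, enc_id, expiry):
        self.records[pid] = (enc_id, expiry)
        self._commit()

    def revoke(self, pid):
        del self.records[pid]
        self._commit()

    def proof_for(self, pid):
        return make_proof(self._levels, self._pids.index(pid))

def receiver_accepts(pid, enc_id, expiry, proof, latest_block, now):
    """Receiver-side check: PID unexpired and provably under the newest root."""
    if now > expiry:
        return False
    return root_from_proof(leaf_hash(pid, enc_id, expiry), proof) == latest_block["identity_root"]

def demo():
    # Constructed sample data: opaque byte strings stand in for the encrypted real identities.
    vehicles = {"PID-A1": (b"enc-id-1", 2000), "PID-B2": (b"enc-id-2", 2000),
                "PID-C3": (b"enc-id-3", 1500)}
    ta = TrustedAuthority()
    for pid, (enc_id, expiry) in vehicles.items():
        ta.issue(pid, enc_id, expiry)
    block = ta.chain[-1]
    proof_a, proof_b, proof_c = (ta.proof_for(p) for p in ("PID-A1", "PID-B2", "PID-C3"))
    out = {
        "issued": receiver_accepts("PID-B2", *vehicles["PID-B2"], proof_b, block, now=1000),
        "forged": receiver_accepts("PID-ZZ", b"enc-fake", 2000, proof_b, block, now=1000),
        "expired": receiver_accepts("PID-C3", *vehicles["PID-C3"], proof_c, block, now=1600),
    }
    ta.revoke("PID-B2")  # the leaf leaves the tree and a new block carries the new root
    new_block = ta.chain[-1]
    out["root_changed"] = new_block["identity_root"] != block["identity_root"]
    out["chained"] = new_block["prev"] == block["hash"]
    out["revoked"] = receiver_accepts("PID-B2", *vehicles["PID-B2"], proof_b, new_block, now=1000)
    a = vehicles["PID-A1"]  # an honest vehicle: its old proof goes stale when the tree changes
    out["stale_proof"] = receiver_accepts("PID-A1", *a, proof_a, new_block, now=1000)
    out["fresh_proof"] = receiver_accepts("PID-A1", *a, ta.proof_for("PID-A1"), new_block, now=1000)
    return out

if __name__ == "__main__":
    print(demo())
```

In this simplified tree every root change invalidates the proofs of the remaining vehicles, so a receiver that pins the latest block must also expect senders to present proofs refreshed against that block.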

5.2 Blockchain

The blockchain is a distributed structure containing blocks, and the hash of the previous
block is stored into its next block [24]. Also, each block consists of a header, transaction
information, block signature, and other data. Each block is identified by using the hash
value of the block header. The sender’s private key and the receiver’s public key are used
to sign the transaction. There are specific members called miners whose job is to verify the
transmitted blocks and add those verified blocks to the blockchain within a stipulated time.
The blockchain is useful in VANETs due to the following properties:
• Decentralization: The blockchain follows a distributed control policy, i.e., no single
authority controls the entire chain. Hence, each node combined with others can
withstand the DoS attack.
• Security: When the block is added to the chain, it cannot be modified in any condition,
and the data is immutable. This property gives safety to the data from malicious users.
• Transparency: Any network member can view the information stored in the transaction
to ensure transparency in the network.

5.3 Hybrid VANET blockchain

A public blockchain is accessible to and managed by all participants. A private blockchain
administrator controls permissions for adding or modifying data or users. A hybrid
blockchain is a partially decentralized blockchain whose consensus process is controlled
by some preselected nodes. It uses both private and public blockchains. We can use a public
blockchain to make the blocks accessible to each vehicle and a private blockchain running in
a subset of RSUs with trusted entities that can control access to the ledger’s modifications.

The blockchain is not open to all vehicles. However, it offers integrity, transparency, and
security. Each transaction can be kept private and accessible for verification when required.
The immutability ensures that each transaction is written once and cannot be changed. Even
though a subset of users controls the blockchain, the transactions’ immutability and security
are guaranteed. The blockchain in a VANET mainly consists of RSUs’ private and public
blockchains.
1. RSUs’ private blockchain: It is a private blockchain composed of RSUs and vehicles
belonging to a predefined region. RSUs are preregistered with their identity on the
public blockchain and are a part of the corresponding RSUs’ private blockchain.
2. RSUs’ public blockchain: All RSUs and authorities like TAs are registered and
connected to the public chain as miners.
The information of vehicles registered in a VANET is stored on the public blockchain.
RSUs’ private blockchain authenticates a vehicle upon its entry into the region and registers
it on the private blockchain. The whole list of vehicle information is obtained directly from
the adjacent private blockchain and verified with the public blockchain. All transactions
broadcast by the TA are on the RSUs’ private blockchain, and the hashes of those transactions
are stored and verified on the public blockchain. The transactions from the authority
and the corresponding blocks are added to the public blockchain only when RSUs verify
them. The advantages of the RSUs’ private blockchain are faster transaction speeds, data
privacy, and centralized control over providing access to the blockchain.

5.4 Transaction

There are two types of transactions present in BCPPA: issuance and revocation transactions.
The pseudo-identity of the vehicle, its expiry period, and the signature of TA are present in
the issuance transaction. The revoked pseudo-identity is present in the revocation transaction.
A transaction is only used to update the current database, unlike other transactions
where there is a practical trade of cryptocurrency.

6 Blockchain-based Conditional Privacy-Preserving Authentication (BCPPA) scheme

Figure 2 shows the simplified BCPPA scheme framework. It mainly contains six stages,
i.e., network initialization stage, RSU initialization stage, pseudo-identity issuance stage,
privacy-preserving authentication stage, pseudo-identity updation stage, and pseudo-identity
revocation stage.
1. Network initialization stage: In this stage, TA selects the required cryptographic functions
(hash $H_0(\cdot)$, AES $E(\cdot)/D(\cdot)$, etc.) and publishes the system parameters
$(p, g_1, g_2, G_1, G_2, a, b)$ in the network.
2. RSU initialization stage: In this stage, an RSU transmits its identity and public key to
TA and, in response, gets the certificate $C_{R_j} = (ID_{R_j}, (a_j, b_j), S_j)$ from TA.
3. Pseudo-identity issuance stage: A vehicle that wants to join the network sends the real
identity $ID_{V_i}$ securely to TA in this stage. Then, the TA generates $PID_{V_i}$ and adds the
corresponding information in MPT. TA issues PID and respective MPT information to
the vehicle. Also, TA broadcasts PID issuance transaction $ITX_{V_i}$ in the network.
4. Privacy-preserving authentication stage: In this stage, a receiver first checks the
expiry period $EP_{V_i}$ of the sender’s PID. If it is not over, the receiver anonymously
authenticates the sender using its $PID_{V_i}$ and related information.
5. Pseudo-identity revocation stage: In this stage, TA removes from MPT the node associated
with $PID_{V_i}$ of the malicious vehicle, or the node whose expiry period is over. Also, TA
discloses the vehicle’s real identity $ID_{V_i}$ if it is performing malicious activity.
6. Pseudo-identity updation stage: In this stage, a vehicle requests TA to update its
pseudo-identity $PID_{V_i}$ if the expiry period $EP_{V_i}$ is over, or there is a chance that PID is
compromised.

Fig. 2 BCPPA framework (diagram labels: TA creates a block; RSU verifies and adds the new
block to the blockchain; the blockchain is used for authentication; transactions $ITX_{V_i}$ / $RTX_{V_i}$)

6.1 Network initialization

TA publishes specific parameters in this stage as shown below:
1. Select values of $(p, G_1, G_2, G_T, g_1, g_2, x, y)$, where $p$ is a prime number, $G_1, G_2, G_T$
are cyclic multiplicative groups (of order $p$), $g_1, g_2$ are the generators of $G_1, G_2$
respectively and $(x, y) \in \mathbb{Z}_p^*$ is its private key.
2. We have used bilinear mapping to implement the scheme. It can be defined as
$\hat{e} : G_1 \times G_2 \to G_T$ if $\hat{e}(g_1^s, g_2^t) = \hat{e}(g_1, g_2)^{st}$ and $\hat{e}(g_1, g_2) \neq 1$ for all $s, t \in \mathbb{Z}_p^*$.
3. TA uses the value of $x$ when it wants to produce certificates for RSUs and that of $y$ to set
up a connection with RSU or vehicles. Calculate the public key $(a, b)$ as $a = g_2^x$, $b = g_1^y$.
4. Select secure one-way hash functions $H_0(\cdot) : \{0, 1\}^* \to \{0, 1\}^j$, $H_1(\cdot) : \{0, 1\}^* \to \mathbb{Z}_p^*$,
and encryption/decryption algorithm $E_{\propto}(\cdot)/D_{\propto}(\cdot)$ like AES.
5. In the end, all the values  = $(p, g_1, g_2, a, b, H_{2k}(\cdot), E_{\propto}(\cdot)/D_{\propto}(\cdot))$ are made public.
This set of public parameters  is stored into RSUs and vehicles’ OBUs in advance.

6.2 RSU initialization

In this stage, TA generates a certificate for RSU, say $R_j$.
1. $R_j$ selects $(x_j, y_j) \in \mathbb{Z}_p^*$ and calculates public keys as $a_j = g_2^{x_j}$, $b_j = g_1^{y_j}$. Hence,
the public key of $R_j$ is $(a_j, b_j)$ and the private key is $(x_j, y_j)$. It uses $x_j$ to produce
specific values for vehicles and $y_j$ to obtain protected communication with vehicles.
2. The public key’s expiry period or any identification information can be used as $R_j$’s
unique identity.
3. $R_j$ transmits this information to TA. Then, TA generates the signature $S_j$ upon
$(ID_{R_j}, (a_j, b_j))$ and produces a certificate $C_{R_j} = (ID_{R_j}, (a_j, b_j), S_j)$ for $R_j$.
Each RSU broadcasts this certificate. It updates the certificate and key values periodically
or whenever the certificate is compromised.

6.3 Pseudo-identity issuance

All the public parameters, along with the real identity, need to be saved into the tamper-proof
device of the corresponding vehicle before joining the network. A vehicle’s real identity
is the high-security registration plate (HSRP) issued by the transport authority during the
registration. When a vehicle enters the communication range of RSU, it needs to obtain
pseudo-identity from the TA. $V_i$ requests a pseudo-identity in case it does not have any or
if the existing PID is going to expire. RSU can verify the pseudo-identity using the signature
issued by TA. The vehicle cannot transmit fake PID to its receivers, as the TA’s signature
is also attached to PID. TA will not allow a vehicle to join and become a member of the
network until it gets a pseudo-identity.
When the vehicle $V_i$ travels within the range of $R_j$, it checks the signature present in $C_{R_j}$
using public key $y$. If it is wrong, it terminates; or else $V_i$ requests pseudo-identity $PID_{V_i}$
using the following process:
1. $V_i$ arbitrarily selects $\alpha \in \mathbb{Z}_p^*$ and computes $W = g_1^{\alpha}$.
2. Then, $V_i$ computes $key = H_0(W, b^{\alpha}, t_{vi})$ and encrypts its real identity $ID_{V_i}$ as
$\beta = E_{key}(ID_{V_i})$. In the end, it transmits $(W, \beta, t_{vi})$ to $R_j$, where $t_{vi}$ is a timestamp.
3. After receiving, if the value of $t_{vi}$ is valid, $R_j$ further transmits $(W, \beta, t_{vi})$ to TA; or
else, it discards.
4. When TA receives $(W, \beta, t_{vi})$, it computes $key' = H_0(W, W^y, t_{vi})$ and decrypts
$D_{key'}(\beta)$ to get $ID_{V_i}$. Then, TA selects a verification key $K_{V_i}$ and calculates $PID_{V_i}$
using $ID_{V_i}$ and expiry period $EP_{V_i}$ as

$$PID_{V_i} = H_0(ID_{V_i}, EP_{V_i}).$$

The value of $EP_{V_i}$ depends upon the application. Although it can vary in real-time, we
have assumed its value to be one hour (e.g., 11.00 to 12.00).
5. Then, TA broadcasts a pseudo-identity issuance transaction

$$ITX_{V_i} = (PID_{V_i}, EP_{V_i}, t_{mi}, SIG_x),$$

where $t_{mi}$ is the timestamp and $SIG_x$ is the signature of TA using private key $x$.
6. At last, TA inserts a new leaf node containing $(PID_{V_i}, EP_{V_i}, K_{V_i}, E_x(ID_{V_i}))$ to MPT,
as shown in Fig. 3.
7. In the end, the vehicle adds parameters (, $PID_{V_i}$, $EP_{V_i}$, $K_{V_i}$, $SIG_x$) into its TPD.
Only TA knows $ID_{V_i}$ and the relation between the vehicle’s real identity and pseudo-identity
is kept secret. Other vehicles or RSUs cannot extract the vehicle’s real identity
without TA’s private key.

Fig. 3 Pseudo-identity in MPT (diagram labels: Block Header with Previous Hash, Timestamp,
Pseudo-Identity Root and Nonce; MPT with Root Value, $H(\cdot)$ and a leaf node
$PID_{V_i}$, $EP_{V_i}$, $t_{mi}$, $E_x(ID_{V_i})$)

6.4 Privacy-preserving authentication

Figure 4 shows the procedure of privacy-preserving authentication. In BCPPA, the sender
vehicle $SV_i$ gives its pseudo-identity $PID_{V_i}$, the signature $SIG_x$ and corresponding MPT
leaf node information $MPT_{V_i}$ to receiving vehicle $RV_i$ for authentication. $RV_i$ authenticates
$SV_i$ using the process, as shown below:
1. The vehicle $RV_i$ first checks whether $EP_{V_i}$ of $PID_{V_i}$ is over or not.
2. If $EP_{V_i}$ is not over, it computes root value using hash values from given associated
nodes. Then, it compares this resultant hash value with the identity root present in the
recent block. If both values are the same, it means that $PID_{V_i}$ exists in MPT, and is not
revoked by TA.
3. The receiver verifies the signature $SIG_x$ to make sure that an attacker did not use a
fake $PID_{V_i}$.
The privacy-preserving authentication mechanism has a time complexity of $O(\log M)$,
where $M$ is the number of pseudo-identities.
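
The expiry and membership checks of steps 1 and 2, together with the effect of revocation described in Section 5.1, as an added example that is not code from the paper. It assumes a plain binary SHA-256 Merkle tree in place of a full Merkle Patricia Tree, a leaf reduced to $(PID_{V_i}, EP_{V_i})$, and constructed vehicle identities and timestamps; the $SIG_x$ check of step 3 is left out.

```python
import hashlib
import hmac

EMPTY = hashlib.sha256(b"empty").digest()  # padding when a level has an odd node count


def H0(*parts: bytes) -> bytes:
    """SHA-256 over length-prefixed parts, so field boundaries are unambiguous."""
    m = hashlib.sha256()
    for part in parts:
        m.update(len(part).to_bytes(4, "big") + part)
    return m.digest()


def make_pid(real_id: str, expiry: int) -> bytes:
    """PID = H0(ID, EP), as in the issuance stage."""
    return H0(real_id.encode(), str(expiry).encode())


def leaf_hash(pid: bytes, expiry: int) -> bytes:
    # Domain-separated from inner nodes so a leaf can never be passed off as a node.
    return H0(b"leaf", pid, str(expiry).encode())


def _parents(level):
    if len(level) % 2:
        level = level + [EMPTY]
    return [H0(b"node", level[i], level[i + 1]) for i in range(0, len(level), 2)]


def merkle_root(leaves):
    level = list(leaves) or [EMPTY]
    while len(level) > 1:
        level = _parents(level)
    return level[0]


def merkle_proof(leaves, index):
    """Sibling hashes from leaf to root: the leaf node information given to the vehicle."""
    proof, level = [], list(leaves)
    while len(level) > 1:
        if len(level) % 2:
            level = level + [EMPTY]
        sibling = index ^ 1
        proof.append((level[sibling], sibling > index))
        level = _parents(level)
        index //= 2
    return proof


def authenticate(pid, expiry, proof, identity_root, now):
    """Receiver side: step 1 (expiry), then step 2 (recompute root, compare with block)."""
    if now >= expiry:
        return "expired"
    node = leaf_hash(pid, expiry)
    for sibling, sibling_is_right in proof:
        node = H0(b"node", node, sibling) if sibling_is_right else H0(b"node", sibling, node)
    if not hmac.compare_digest(node, identity_root):
        return "not in MPT"
    return "authentic"  # step 3, verifying SIG_x, would follow here


def demo():
    now, expiry = 1_700_000_000, 1_700_003_600  # constructed: one-hour validity
    pids = [make_pid(f"HSRP-{n:04d}", expiry) for n in range(5)]  # constructed identities
    leaves = [leaf_hash(p, expiry) for p in pids]
    root = merkle_root(leaves)  # identity root stored in the latest block
    proof2, proof0 = merkle_proof(leaves, 2), merkle_proof(leaves, 0)
    forged = make_pid("HSRP-9999", expiry)
    results = {
        "valid": authenticate(pids[2], expiry, proof2, root, now),
        "after_expiry": authenticate(pids[2], expiry, proof2, root, expiry + 1),
        "forged_pid": authenticate(forged, expiry, proof2, root, now),
    }
    # Revocation: TA deletes the leaf of vehicle 2, so a new root goes into the next block.
    remaining = leaves[:2] + leaves[3:]
    new_root = merkle_root(remaining)
    results["revoked"] = authenticate(pids[2], expiry, proof2, new_root, now)
    results["other_vehicle_stale_proof"] = authenticate(pids[0], expiry, proof0, new_root, now)
    results["other_vehicle_fresh_proof"] = authenticate(
        pids[0], expiry, merkle_proof(remaining, 0), new_root, now)
    # Proof length grows with log2(M): 10 sibling hashes for M = 1000 pseudo-identities.
    big = [H0(str(n).encode()) for n in range(1000)]
    results["proof_len_1000"] = len(merkle_proof(big, 7))
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

In this simplified tree a revocation changes the root for every member, so the remaining vehicles' earlier proofs stop verifying and they need fresh leaf node information.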

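Fig. 4 Privacy-preserving authentication (flowchart: given $PID_{V_i}$, $EP_{V_i}$, $t_{mi}$, $SIG_x$, $MPT_{V_i}$,
check in order whether $EP_{V_i}$ is not expired, whether $PID_{V_i}$ exists in MPT, and whether $SIG_x$
is valid; if all three answers are yes, $PID_{V_i}$ is authentic, otherwise $PID_{V_i}$ is not authentic)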

6.5 Pseudo-identity Revocation

In case the pseudo-identity of vehicle $V_i$ is expired or if it is performing any malicious
activity, then $PID_{V_i}$ of the vehicle $V_i$ is revoked, as shown below:
1. $R_j$ identifies $PID_{V_i}$ and requests TA to revoke it.
2. TA searches $PID_{V_i}$ in MPT, and if it is present, TA broadcasts revocation transaction

$$RTX_{V_i} = (PID_{V_i}, t_{mr}, SIG_x).$$

3. Then, TA decrypts $E_x(ID_{V_i})$ and discloses the real identity $ID_{V_i}$ of the malicious
vehicle. Later, TA deletes the leaf node associated with $PID_{V_i}$ from MPT.

A malicious vehicle must be prevented from participating in VANETs.

6.6 Pseudo-identity updation

In this stage, a vehicle requests TA to update its pseudo-identity $PID_{V_i}$ and verification key
$K_{V_i}$ periodically so that the attacker cannot track and get the vehicle’s real identity $ID_{V_i}$.
The PID updation process is as follows:
1. First, the vehicle $V_i$ which wants to update PID and verification key selects an arbitrary
number $\delta \in \mathbb{Z}_p^*$ and calculates $T = g_1^{\delta}$.
2. Then, it computes $\sigma = H_0(T, b^{\delta}, t_{si})$ and $\mu_i = E_{\sigma}(K_{V_i}, t_{si})$, where $t_{si}$ is a timestamp.
$V_i$ transmits $(T, t_{si}, \mu_i)$ to TA through adjacent RSU.
3. TA checks $t_{si}$ when it receives $(T, t_{si}, \mu_i)$. If $t_{si}$ is invalid, TA discontinues, or else, it
performs the following steps:
• Calculate $\sigma' = H_0(T, T^y, t_{si})$ and $D_{\sigma'}(\mu_i)$ to obtain $(K'_{V_i}, t_{si})$. Abort if $t_{si}$ is
invalid or else continue.
• Find $K_{V_i}$ in MPT such that $K'_{V_i} = K_{V_i}$. If $K_{V_i}$ is not found, terminate, or else,
continue.
• If $EP_{V_i}$ is over, select new validity period $EP'_{V_i}$, compute $PID'_{V_i} = H_0(ID_{V_i} \,\|\, EP'_{V_i})$,
and choose new verification key $\tilde{K}_{V_i}$.
• Compute $H_{TA} = H_1(PID'_{V_i}, \tilde{K}_{V_i}, t_{si1})$ and $\mu_i = E_{\sigma'}(PID'_{V_i}, \tilde{K}_{V_i}, t_{si1}, H_{TA})$.
Transmit $(H_1(T), \mu_i)$ to $V_i$ and insert leaf node of $(PID'_{V_i}, EP'_{V_i}, t'_{mi}, \tilde{K}_{V_i}, E_x(ID_{V_i}))$
to MPT.
• Broadcast new issuance transaction

$$ITX_{V_i} = (PID'_{V_i}, EP'_{V_i}, t'_{mi}, SIG_x).$$

4. When $V_i$ who transmitted $T$ gets $(H_1(T), \mu_i)$, it calculates $D_{\sigma}(\mu_i)$ to get
$(PID'_{V_i}, \tilde{K}_{V_i}, t_{si1}, H_{TA})$. Then, it checks $t_{si1}$, $H_{TA}$. If both the values are invalid, $V_i$
terminates; or else, $V_i$ accepts $(PID'_{V_i}, \tilde{K}_{V_i})$ as new pseudo-identity and verification
key.
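
The key agreement behind steps 1 to 4 of the issuance stage (Section 6.3), which the updation stage above reuses with $\delta$, $T$ and $\sigma$, as an added example that is not code from the paper. It assumes a toy multiplicative group modulo the prime $2^{127}-1$ in place of $G_1$, a SHA-256 keystream XOR standing in for AES, a five-second freshness window, and constructed identities and timestamps; these stand-ins are for illustration and are not secure parameter choices.

```python
import hashlib
import secrets

P = 2**127 - 1   # toy prime modulus (assumption); the paper works in the pairing group G1
G1_GEN = 3       # stands in for the generator g1
MAX_SKEW = 5     # seconds a timestamp may lag the receiver's clock (assumption)


def H0(*parts) -> bytes:
    """Hash of a tuple of ints/bytes; repr() keeps the field boundaries unambiguous."""
    return hashlib.sha256(repr(parts).encode()).digest()


def xor_stream(key: bytes, data: bytes) -> bytes:
    """Stand-in for AES E_key/D_key: XOR with a SHA-256 counter keystream (self-inverse)."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        pad = hashlib.sha256(key + offset.to_bytes(8, "big")).digest()
        out.extend(a ^ b for a, b in zip(data[offset:offset + 32], pad))
    return bytes(out)


def ta_keygen():
    y = secrets.randbelow(P - 2) + 1
    return y, pow(G1_GEN, y, P)            # private y, public b = g1^y


def vehicle_request(real_id: bytes, b: int, now: int):
    """Steps 1-2: pick alpha, send W = g1^alpha and the identity encrypted under key."""
    alpha = secrets.randbelow(P - 2) + 1
    W = pow(G1_GEN, alpha, P)
    key = H0(W, pow(b, alpha, P), now)     # key = H0(W, b^alpha, t_vi)
    return W, xor_stream(key, real_id), now


def rsu_relay(message, now: int):
    """Step 3: the RSU forwards only fresh requests; it never holds key or identity."""
    _, _, t = message
    return message if 0 <= now - t <= MAX_SKEW else None


def ta_issue(message, y: int, expiry: int):
    """Step 4: key' = H0(W, W^y, t_vi) equals key because W^y = g1^(alpha*y) = b^alpha."""
    W, beta, t = message
    key = H0(W, pow(W, y, P), t)
    real_id = xor_stream(key, beta)
    return real_id, H0(real_id, expiry)    # PID = H0(ID, EP)


def demo():
    y, b = ta_keygen()
    real_id, now, expiry = b"HSRP-0042", 1_700_000_000, 1_700_003_600  # constructed values
    msg = vehicle_request(real_id, b, now)
    recovered, pid = ta_issue(rsu_relay(msg, now + 1), y, expiry)
    W, beta, t = msg
    # The timestamp is an input to the key, so altering it in transit breaks decryption.
    tampered, _ = ta_issue((W, beta, t + 1), y, expiry)
    # A party holding a different private exponent derives a different key.
    wrong_key, _ = ta_issue(msg, y + 1, expiry)
    return {
        "recovered": recovered,
        "pid_matches": pid == H0(real_id, expiry),
        "replayed_dropped": rsu_relay(msg, now + 60) is None,
        "tampered_timestamp_decrypts": tampered == real_id,
        "wrong_private_key_decrypts": wrong_key == real_id,
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```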

7 Security analysis

The properties of blockchain, along with cryptographic attributes, help to achieve security
and privacy in BCPPA. In this section, we give the security proof of anonymity and
transparency and explain how BCPPA prevents various attacks.

7.1 Security proof

Theorem 1 The proposed scheme provides anonymity to all the vehicles in the network.

Proof TA issues $PID_{V_i}$ to the vehicle when it provides $ID_{V_i}$ so that the vehicle does not
need to use its real identity during the communication. TA uses hash function SHA to compute
pseudo-identity. An attacker cannot find out the real identity from $PID_{V_i}$ because the
probability of finding a collision in the collision-resistant hash function is negligible. The
receiver can verify the sender using $PID_{V_i}$ and associated node information $MPT_{V_i}$. It
computes the hash value, and if it is equal to the identity root saved into the latest block, the
sender with pseudo-identity $PID_{V_i}$ is an authentic vehicle. In this way, the sender is
authenticated using pseudo-identity and the vehicle’s real identity is kept private. At the same time,
it is ensured that $ID_{V_i}$ is not made public and is protected from leakage to attackers. Hence, the
proposed scheme provides anonymity to vehicles using the pseudonym and blockchain.

Theorem 2 The proposed scheme provides transparency to each member and the operations
of TA can be verified.

Proof All the information about the vehicle, i.e., $(PID_{V_i}, EP_{V_i}, K_{V_i}, E_x(ID_{V_i}))$ is saved
into MPT’s leaf node, and the root value of MPT is stored in the block. An adversary cannot
modify the information as MPT is constructed using SHA. All the pseudo-identities issued,
and transactions broadcasted by TA are saved in the blockchain immutably. All the transactions
broadcasted by TA to issue or revoke a pseudo-identity are non-repudiable because
the TA’s signature is present in each transaction. Whenever the TA adds or removes $PID_{V_i}$
from MPT, the corresponding root value changes. Anyone from the network can view transactions,
and the receiver can verify the modified root of MPT. Hence, the proposed scheme
provides transparency about TA’s operations and immutability to vehicle information.

7.2 Attack model

Theorem 3 The proposed scheme is secure against replay attack, man-in-the-middle attack,
and forgery attack.

Proof During the privacy-preserving authentication, the sender vehicle $SV_i$ gives
$(PID_{V_i}, SIG_x, MPT_{V_i})$. The receiver $RV_i$ computes the hash value using $PID_{V_i}$, $MPT_{V_i}$
and compares this hash value with the identity root present in the latest block. If both values
are the same, then it means $PID_{V_i}$ is present in MPT and has not been revoked by TA. It
also confirms that the vehicle $SV_i$ is not a malicious vehicle. It is difficult for the attacker
to access the vehicle’s real identity by analyzing previous pseudo-identities or content of
earlier messages. Also, an attacker cannot compute the root hash value equal to the identity
root stored in the blockchain using the fake pseudo-identity and node information $MPT_{V_i}$
because of the collision-resistant hash function. Due to the security properties provided by
ECDSA, it is impossible for the adversary to forge the signature $SIG_x$. Therefore, the proposed
scheme is resistant to forgery attack and man-in-the-middle attack. Also, the value
of the timestamp is transmitted with each message. As the timestamp value changes, the
respective signature and message also become invalid. If the adversary sends this
message-signature pair repeatedly, the receiver will discard it. Hence, the proposed scheme is resistant
to a replay attack.

Theorem 4 The proposed scheme is secure against identity exposure attack and spoofing
attack.

Proof The vehicle’s real identity can be preserved in different ways. In one case, the public
keys or certificates of the vehicle can be used as a pseudonym. In another case, the link
between the real identity and its pseudonym is stored in an encrypted format. It prevents the
attacker from getting real identity $ID_{V_i}$. A leaf node in MPT contains the information about
the vehicle $(PID_{V_i}, EP_{V_i}, K_{V_i}, E_x(ID_{V_i}))$. The attacker can’t decrypt $E_x(ID_{V_i})$ without
TA’s private key to get $ID_{V_i}$. Only the TA can reveal the vehicle’s real identity. The attacker
cannot even link the current and previous pseudo-identities to get the real identity since
TA uses hash function SHA to generate $PID_{V_i}$. Therefore, the attacker cannot expose the
vehicle’s real identity and use it for malicious purposes. Hence, the proposed scheme is
resistant to an identity exposure attack and spoofing attack.

8 Experimental results and discussion

In this section, we provide details of the experiments, results, and authentication overhead.
We have compared the proposed scheme with the existing schemes in VANETs. The experiment
is performed in two parts. In the first part, we evaluate the performance of the proposed
scheme in terms of computation and communication overhead in the network. In the second
part, we evaluate the scheme in terms of authentication delay incurred in the blockchain.

8.1 Experimental setup

We used the network simulator NS-3 to evaluate the performance of the proposed scheme
in terms of computation overhead and verification time. The area of the simulation was
1 × 1 km² controlled by the TA. We fixed the value of packet size as 64 bytes and the
communication range of the vehicle as 200 m. The average speed of the vehicle was 60
kmph, and bandwidth was 11 Mbps, as shown in Table 3. We have assumed these values
during the experiment because these values can change in real-time conditions. Table 3
gives the simulation parameters.
We used the Go Ethereum 1.9.10 for the blockchain implementation. The blockchain
setup included a Linux machine with an Intel i5 quad-core processor with a frequency rate
of 3.50 GHz and 12 GB RAM. Also, it included ten Raspberry Pi B devices of 64 bit, 1.2
GHz A53 processor of 1 GB RAM. Two Raspberry Pi devices act as RSUs, while the other
eight laptops act as vehicles. The Linux machine worked as a TA that broadcasts issuance
and revocation transactions. The vehicles only download block headers instead of the entire
blockchain, which reduces storage requirements significantly.

8.2 Results

Figure 5 displays the simulation results. Throughout the experiment, it is assumed that the
surrounding environment is stable. It shows the pseudo-identity transmission overhead and
average time when the speed is changing. The number of vehicles within the range of an
RSU for the given time is shown by vehicle density. This figure demonstrates the transmission
overhead required to transmit a pseudo-identity to the receiver. If the vehicle density is
25, for a vehicle’s average speed of 15 m/s, the overhead is 15.218 ms and for a vehicle’s
average speed of 20 m/s, the overhead is 67.479 ms. Similarly, if the vehicle density is 275,
for a vehicle’s average speed of 15 m/s, the overhead is 26.554 ms and for a vehicle’s average
speed of 20 m/s, the overhead is 77.954 ms. It means that the transmission overhead
is low for a smaller number of vehicles. Also, these statistics indicate that there is no significant
change in the transmission overhead for the given values of vehicle density and speed. It
helps to solve the issue of scalability. Besides, from this figure, it can be concluded that as
the vehicle density keeps on increasing, the transmission overhead also increases given the
vehicle’s speed is constant.

Table 3 Simulation parameters

| Parameter | Value |
|---|---|
| The simulation area (km²) | 1 × 1 |
| Vehicle density (veh/km) | 25 to 275 |
| Average communication range (m) | 200 |
| Packet size (bytes) | 64 |
| Transmission rate (Mbps) | 11 |
| Number of lanes | 4 |

Fig. 5 Pseudo-identity transmission overhead (plot: average time (ms) versus density (veh/km),
one curve per speed S = 15, 16, 17, 18, 19 and 20 m/s)

Figure 6 shows the variation in the size of each block. The number of sample blocks
considered ranges from 1950 to 2300. As shown in the figure, the minimum block size is
540 for block number 2032 and the maximum is 267353 bytes for block number 2294. Hence,
the size of each block is different from other blocks and varies drastically. Figure 7 gives
the number of transactions in each block. Block number 2010 contains the minimum
number of transactions, i.e., 10, and block number 2294 contains the maximum number of
transactions, i.e., 2101.

Fig. 6 Different sizes of block (plot: block size (bytes) versus block number (i))

Fig. 7 Number of transactions (plot: number of transactions (n) versus block number (i))

The throughput of blockchain depends on the block generation time that depends on the
difficulty. The difficulty is adjusted according to the volume of transactions and is proportional
to the puzzle’s hardness. The difficulty is adjusted automatically by the blockchain
to maintain appropriate mining time. If the blocks are mined at a higher pace, then the
difficulty is increased and vice versa. The throughput is different for each block since the
number of transactions issued per second is different, as shown in Fig. 8. Table 4 provides
the time taken to add pseudo-identities in the blockchain. As the number of pseudo-identities
increases, the addition time also increases. The time taken by the Raspberry Pi device for
verifying the pseudo-identity is given in Fig. 9. The verification time depends on the location
of a particular pseudo-identity in MPT.

Fig. 8 Throughput (plot: throughput (transactions/s) versus block number (i))

Table 4 Average transaction reflection time in blockchain

| Number of transactions | Average time (ms) |
|---|---|
| 10 | 1.01 |
| 100 | 1.29 |
| 1000 | 2.66 |
| 10000 | 90.98 |
| 100000 | 959.39 |
| 1000000 | 13013 |

8.3 Comparison

In this section, we provide a comparison of the proposed BCPPA scheme with existing
schemes. These schemes have proposed the mechanism to ensure privacy-preserving
authentication in VANETs. The criteria used for comparison are the security requirements
and the average time needed for single or multiple PID authentication. Table 5 gives a
comparison of security requirements with the existing schemes. The python charm-crypto
library [1] used in these schemes gives the average time required for various cryptographic
operations, as shown below:
• $T_{BP}$: The bilinear pairing execution time (approx 17.989 ms) [31]
• $T_{EP1}$: The bilinear pairing exponentiation time in the group $G_1$ (approx 8.023 ms) [31]
• $T_{EP2}$: The bilinear pairing exponentiation time in the group $G_2$ (approx 8.956 ms) [31]
• $T_{MT}$: An elliptic curve point multiplication time (approx 0.312 ms)
• $T_{AT}$: An elliptic curve point addition time (approx 0.035 ms)
• $T_{HR}$: A hash function running time (approx 0.002 ms)
• $T_{EN}$: An encryption function (AES) execution time (approx 0.0001 ms)
• $T_{DN}$: A decryption function (AES) execution time (approx 0.0003 ms)
• $T_{PI}$: A power to integer computation time (approx 1 ms)
Table 5 indicates that the scheme proposed in [6] cannot provide the security requirements
of scalability, lightweight, and traceability. Also, the scheme proposed in [11]
cannot provide the security requirements of anonymity and high efficiency. Moreover, the
scheme proposed in [18] cannot provide the security requirements of scalability, anonymity,
lightweight, and high efficiency. Besides, the scheme proposed in [33] cannot provide the
security requirements of lightweight and efficiency. On the contrary, the proposed scheme
can provide all the security requirements listed in Table 5. Table 6 gives the
comparison of pseudo-identity authentication cost with Shao et al. [27], Azees et al. [6],
Vijayakumar et al. [31] and Lu et al. [20] schemes. It shows that the authentication cost is
very low, which makes the proposed scheme more efficient than the existing schemes.

Fig. 9 Pseudo-identity verification time (plot: average time (ms) versus number of
pseudo-identities (i))

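Table 5 Comparison of security requirements

| Security Requirement | Azees et al. [6] | Dorri et al. [11] | Liu et al. [18] | Zhang and Chen [33] | BCPPA |
|---|---|---|---|---|---|
| Privacy preservation | ✓ | ✓ | ✓ | ✓ | ✓ |
| Scalability | × | ✓ | × | ✓ | ✓ |
| Anonymity | ✓ | × | × | ✓ | ✓ |
| Lightweight | × | ✓ | × | × | ✓ |
| Traceability | × | ✓ | ✓ | ✓ | ✓ |
| High efficiency and low overhead | ✓ | × | × | × | ✓ |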

Table 6 Comparison of pseudo-identity authentication cost

| Schemes | One PID Authentication | N PID Authentication |
|---|---|---|
| Shao et al. [27] | $3T_{BP} + 2T_{EP1} + 2T_{HR}$ | $(2 + N)T_{BP} + 2N T_{EP1} + 2N T_{HR}$ |
| Azees et al. [6] | $2T_{BP} + 4T_{EP1} + 2T_{EP2}$ | $(1 + N)T_{BP} + 4T_{EP1} + N T_{EP2}$ |
| Vijayakumar et al. [31] | $2T_{BP} + 2T_{EP1} + T_{HR}$ | $(1 + N)T_{BP} + 2N T_{EP1} + N T_{HR}$ |
| Lu et al. [20] | $2T_{MT} + 2T_{AT} + 25T_{HR}$ | $2N T_{MT} + N T_{AT} + 25N T_{HR}$ |
| The Proposed Scheme | $2T_{EN} + 6T_{HR} + T_{PI}$ | $N T_{EN} + 6N T_{HR} + N T_{PI}$ |

Fig. 10 Average time for pseudo-identity authentication (plot: average time (ms) versus
density (veh/km) for the proposed scheme, Lu et al., Vijayakumar et al., Azees et al. and
Shao et al.)

Figure 10 shows a comparison of the proposed scheme with existing schemes considering
the average time required to verify pseudo-identities of certain numbers of vehicles. It
indicates that the proposed scheme is more efficient than the existing schemes.

9 Conclusion

In this paper, we proposed a hybrid blockchain-based authentication scheme to achieve
conditional privacy, non-repudiation, and transparency in VANETs. It provides enhanced
security and privacy to ensure safe vehicular communications and improve traffic conditions.
Also, it eliminates the requirement of certificate revocation lists and efficiently
removes malicious vehicles from the network to achieve member revocation.
The experimental results show that the proposed scheme provides low latency and high
throughput. Also, the average transaction reflection time in the blockchain increases as
the number of transactions increases. Besides, the computation and communication overhead
of the scheme is less compared with other blockchain-based authentication schemes
in VANETs. Both the size and number of transactions stored are different for each block.
The average pseudo-identity verification time increases with vehicle density. The security
analysis demonstrates that the proposed scheme is robust against various attacks and solves
different security and privacy issues. Moreover, it meets the various security requirements
in VANETs. The comparison shows that the proposed scheme is more effective than the
existing schemes in terms of vehicle authentication and also proves its cost-effectiveness in
VANETs.

Data Availability Data sharing not applicable to this article as no datasets were generated or analyzed during
the current study.

Declarations
Conflict of Interests The authors declare that they have no known competing financial interests or personal
relationships that could have appeared to influence the work reported in this paper.

References

1. Akinyele JA, Garman C, Miers I, Pagano MW, Rushanan M, Green M, Rubin AD (2013) Charm: a
framework for rapidly prototyping cryptosystems. J Cryptogr Eng 3(2):111–128
2. Ali I, Chen Y, Ullah N, Kumar R, He W (2021) An efficient and provably secure ECC-based conditional
privacy-preserving authentication for vehicle-to-vehicle communication in VANETs. IEEE Trans Veh
Technol 70(2):1278–1291
3. Ali I, Gervais M, Ahene E, Li F (2019) A blockchain-based certificateless public key signature scheme
for vehicle-to-infrastructure communication in VANETs. J Syst Archit 99:101636
4. Aloqaily M, Otoum S, Al Ridhawi I, Jararweh Y (2019) An intrusion detection system for connected
vehicles in smart cities. Ad Hoc Networks
5. Alrawais A, Alhothaily A, Mei B, Song T, Cheng X (2018) An efficient revocation scheme for vehicular
ad-hoc networks. Procedia Comput Sci 129:312–318
6. Azees M, Vijayakumar P, Deboarh LJ (2017) EAAP: efficient anonymous authentication with
conditional privacy-preserving scheme for vehicular ad hoc networks. IEEE Trans Intell Transp Syst
18(9):2467–2476
7. Bao Z, Shi W, He D, Choo K-KR (2018) IoTChain: a three-tier blockchain-based IoT security
architecture. arXiv:1806.02008
8. Biswas S, Sharif K, Li F, Nour B, Wang Y (2018) A scalable blockchain framework for secure
transactions in IoT. IEEE Internet Things J 6(3):4650–4659

9. Canetti R, Shahaf D, Vald M (2016) Universally composable authentication and key-exchange with
global PKI. In: Public-Key Cryptography–PKC 2016. Springer, pp 265–296
10. Cui Z, Xue F, Zhang S, Cai X, Cao Y, Zhang W, Chen J (2020) A hybrid blockchain-based identity
authentication scheme for multi-WSN. IEEE Transactions on Services Computing
11. Dorri A, Steger M, Kanhere SS, Jurdak R (2017) Blockchain: a distributed solution to automotive
security and privacy. IEEE Commun Mag 55(12):119–125
12. Han Y, Xue N-N, Wang B-Y, Zhang Q, Liu C-L, Zhang W-S (2018) Improved dual-protected ring
signature for security and privacy of vehicular communications in vehicular ad-hoc networks. IEEE
Access 6:20209–20220
13. Karati A, Islam SH, Biswas GP, Bhuiyan MZA, Vijayakumar P, Karuppiah M (2018) Provably secure
identity-based signcryption scheme for crowdsourced industrial internet of things environments. IEEE
Internet of Things Journal
14. Kondareddy Y, Di Crescenzo G, Agrawal P (2010) Analysis of certificate revocation list distribution
protocols for vehicular networks. In: 2010 IEEE Global Telecommunications Conference GLOBECOM
2010. IEEE, pp 1–5
15. Kumar P, Sharma V (2018) On the security of certificateless aggregate signature scheme in vehicular ad
hoc networks. In: Soft computing: theories and applications. Springer, pp 715–722
16. Lai Y, Xu Y, Yang F, Lu W, Yu Q (2019) Privacy-aware query processing in vehicular ad-hoc networks.
Ad Hoc Networks, 101876
17. Li YJ (2010) An overview of the DSRC/WAVE technology. In: International conference on
heterogeneous networking for quality, reliability, security and robustness. Springer, pp 544–558
18. Liu H, Zhang Y, Yang T (2018) Blockchain-enabled security in electric vehicles cloud and edge
computing. IEEE Netw 32(3):78–83
19. Lu Z, Qu G, Liu Z (2018) A survey on recent advances in vehicular network security, trust, and privacy.
IEEE Trans Intell Transp Syst 20(2):760–776
20. Lu Z, Wang Q, Qu G, Zhang H, Liu Z (2019) A blockchain-based privacy-preserving authentication
scheme for VANETs. IEEE Trans Very Large Scale Integr (VLSI) Syst 27(12):2792–2801
21. Mundhe P, Verma S, Venkatesan S (2021) A comprehensive survey on authentication and
privacy-preserving schemes in VANETs. Comput Sci Rev 41:100411
22. Mundhe P, Yadav VK, Singh A, Verma S, Venkatesan S (2020) Ring signature-based conditional
privacy-preserving authentication in VANETs. Wirel Pers Commun 114(1):853–881
23. Mundhe P, Yadav VK, Verma S, Venkatesan S (2020) Efficient lattice-based ring signature for message
authentication in VANETs. IEEE Syst J 14(4):5463–5474
24. Nakamoto S et al (2008) Bitcoin: a peer-to-peer electronic cash system
25. Rajput U, Abbas F, Eun H, Oh H (2017) A hybrid approach for efficient privacy-preserving
authentication in VANET. IEEE Access 5:12014–12030
26. Sakiz F, Sen S (2017) A survey of attacks and detection mechanisms on intelligent transportation
systems: VANETs and IoV. Ad Hoc Netw 61:33–50
27. Shao J, Lin X, Lu R, Zuo C (2016) A threshold anonymous authentication protocol for VANETs. IEEE
Trans Veh Technol 65(3):1711–1720
28. Vijayakumar P, Azees M, Changri V, Deborah J, Balamurugan B (2017) Computationally efficient
privacy preserving authentication and key distribution techniques for vehicular ad hoc networks. Clust
Comput 20
29. Vijayakumar P, Azees M, Kannan A, Jegatha Deborah L (2016) Dual authentication and key
management techniques for secure data transmission in vehicular ad hoc networks. IEEE Trans Intell Transp
Syst, 1015–1028
30. Vijayakumar P, Azees M, Kozlov SA, Rodrigues JJ (2021) An anonymous batch authentication and key
exchange protocols for 6G enabled VANETs. IEEE Transactions on Intelligent Transportation Systems
31. Vijayakumar P, Chang V, Deborah LJ, Balusamy B, Shynu P (2018) Computationally efficient privacy
preserving anonymous mutual and batch authentication schemes for vehicular ad hoc networks. Futur
Gener Comput Syst 78:943–955
32. Yang X, Chen C, Ma T, Li Y, Wang C (2018) An improved certificateless aggregate signature scheme
for vehicular ad-hoc networks. In: 2018 IEEE 3rd advanced information technology, electronic and
automation control conference (IAEAC). IEEE, pp 2334–2338
33. Zhang X, Chen X (2019) Data security sharing and storage based on a consortium blockchain in a
vehicular ad-hoc network. IEEE Access 7:58241–58254
34. Zhang Y, Deng RH, Liu X, Zheng D (2018) Blockchain based efficient and robust fair payment for
outsourcing services in cloud computing. Inform Sci 462:262–277

35. Zhang L, Li C, Li Y, Luo Q, Zhu R (2017) Group signature based privacy protection algorithm for
mobile ad hoc network. In: 2017 IEEE international conference on information and automation (ICIA).
IEEE, pp 947–952
36. Zhang L, Luo M, Li J, Au MH, Choo K-KR, Chen T, Tian S (2019) Blockchain based secure data sharing
system for internet of vehicles: A position paper. Veh Commun 16:85–93
37. Zhang L, Meng X, Choo K-KR, Zhang Y, Dai F (2018) Privacy-preserving cloud establishment and data
dissemination scheme for vehicular cloud. IEEE Trans Dependable Secure Comput 17(3):634–647
38. Zhang L, Wu Q, Domingo-Ferrer J, Qin B, Hu C (2017) Distributed aggregate privacy-preserving
authentication in VANETs, vol. 18, pp. 516–526. IEEE

Publisher’s note Springer Nature remains neutral with regard to jurisdictional claims in published maps
and institutional affiliations.
Springer Nature or its licensor (e.g. a society or other partner) holds exclusive rights to this article under
a publishing agreement with the author(s) or other rightsholder(s); author self-archiving of the accepted
manuscript version of this article is solely governed by the terms of such publishing agreement and applicable
law.

Affiliations

Pravin Mundhe1 · Pooja Phad2 · R. Yuvaraj3 · Shekhar Verma3 · S. Venkatesan3

Pooja Phad
poojaphad26@gmail.com
R. Yuvaraj
pcl2016003@iiita.ac.in
Shekhar Verma
sverma@iiita.ac.in
S. Venkatesan
venkat@iiita.ac.in
1 Department of CSE, GITAM School of Technology, Hyderabad, India
2 Department of IT, G. Narayanamma Institute of Technology and Science, Hyderabad, India
3 Department of IT, IIIT, Allahabad, India
