Vehicular Communications 36 (2022) 100490

Contents lists available at ScienceDirect

Vehicular Communications
www.elsevier.com/locate/vehcom

Location privacy in VANETs: Provably secure anonymous key exchange

protocol based on self-blindable signatures
Mishri Saleh AlMarshoud ∗ , Ali H. Al-Bayatti, Mehmet Sabir Kiraz
Cyber Technology Institute, De Montfort University, Leicester, UK

a r t i c l e i n f o a b s t r a c t

Article history: Security and privacy in vehicular ad hoc networks (VANETs) are challenging in terms of Intelligent
Received 13 November 2021 Transportation Systems (ITS) features. The distribution and decentralisation of vehicles could threaten
Received in revised form 13 April 2022 location privacy and confidentiality in the absence of trusted third parties (TTP)s or if they are
Accepted 24 May 2022
otherwise compromised. If the same digital signatures (or the same certificates) are used for different
Available online 1 June 2022
communications, then adversaries could easily apply linking attacks. Unfortunately, most of the existing
Keywords: schemes for VANETs in the literature do not satisfy the required levels of security, location privacy,
VANETs and efficiency simultaneously. This paper presents a new and efficient end-to-end anonymous key
Security exchange protocol based on Yang et al. ’s self-blindable signatures. In our protocol, vehicles first privately
Privacy blind their own private certificates for each communication outside the mix-zone and then compute
Location privacy an anonymous shared key based on zero-knowledge proof of knowledge (P oK ). The efficiency comes
Pseudonym change from the fact that once the signatures are verified, the ephemeral values in P oK are also used to
Vehicle-to-vehicle
compute a shared key through an authenticated Diffie-Hellman key exchange protocol. Therefore, the
protocol does not require any further external information to generate a shared key. Our protocol also
does not require an interference with the Roadside Units or Certificate Authorities, and hence can be
securely run outside the mixed-zones. We demonstrate the security of our protocol in an ideal/real
simulation paradigm. Hence, our protocol achieves secure authentication, forward unlinkability, and
accountability. Furthermore, the performance analysis shows that our protocol is more efficient in terms
of computational and communication overheads compared to existing schemes.
© 2022 Published by Elsevier Inc.

1. Introduction DSRC performance is sufficient for nearly all vehicular safety ap-
plications that need an end-to-end latency of around 100 ms. Due
There has been continuous advancement in Intelligent Trans- to their high mobility, vehicles’ On-Board Units (O BU s) have to
portation Systems (ITS), particularly in Vehicular Ad Hoc Networks broadcast Cooperative Awareness Messages (CAMs), which include
(VANETs). Safety and efficiency in VANETs are mainly achieved via real-time information about speed, position, and trajectory [4].
safety and non-safety applications. Beaconing services are essential According to the global standards (i.e., IEEE 1609.2 WG [5] and
to safety applications as they are crucial for ITS efficiency; other- the European Telecommunications Standards Institute ETSI-ITS [6]),
wise, accidents may occur. A VANET is considered an open net- there is a need to guarantee authenticity, message integrity, and
work that is accessible by any node. In general, Vehicle-to-Vehicle entities’ non-repudiation on the road.
(V2V) and Vehicle-to-Infrastructure (V2I) are two forms of com- In the technical report by ETSI ITS, the infrastructure was built
munication performed by VANETs; communication occurs via the on Vehicular Public-key Infrastructure (VPKI), which includes sev-
recent Radio Access Technology (RAD) IEEE 802.11bd for Dedicated eral Certificate Authorities (CAs) managing entities’ certificates [7,
Short-Range Communications (DSRC) and NR-V2X for Cellular-V2X 8]. During registration, the CA authorises certificates for vehi-
(C-V2X). These are applicable in different circumstances, such as cles and Roadside Unit R SU s. After that, the CA issues certifi-
tunnels and confined areas [1] and increase the packet delivery ra-
cates based on pseudonyms to prevent any linking attacks on the
tio while decreasing packet collisions [2]. As demonstrated in [3],
road. However, the standard body ETSI [9] recommends frequently
changing the whole communication stack layers’ identifiers with
pseudonyms, i.e., the MAC and IP addresses [10]. Nevertheless, an
* Corresponding author.
adversary can collect CAMs offline and then can track vehicles’
E-mail addresses: mishrey.almarshoud@hotmail.com (M.S. AlMarshoud),
alihmohd@dmu.ac.uk (A.H. Al-Bayatti), mehmet.kiraz@dmu.ac.uk (M.S. Kiraz). locations smoothly via either syntactic linking or semantic linking at-

https://doi.org/10.1016/j.vehcom.2022.100490
2214-2096/© 2022 Published by Elsevier Inc.
M.S. AlMarshoud, A.H. Al-Bayatti and M.S. Kiraz Vehicular Communications 36 (2022) 100490

tacks by linking pseudonyms. Moreover, pseudonyms can be linked Our scheme uses Yang et al. ’s self-blindable signatures so that
through the content of the signed messages, whereby an adversary once the signatures are verified, the signature values (i.e., the
can easily predict the vehicle’s next position, also known as a se- ephemeral values of the zero-knowledge proofs) will be used
mantic linking attack. It should be noted that a semantic linking to generate a shared key between the participants, in a simi-
attack is superior to a syntactic linking attack because the adver- lar manner to the authenticated Diffie-Hellman key exchange
sary focuses on the data contained in the safety messages used to protocol. Since the signature blinding values are fresh and ran-
link the pseudonyms [11]. dom, the shared key becomes fully secure. On a high level,
Extensive research has developed numerous strategies for vehicles first privately blind their own private certificates for
pseudonym changing to overcome these linking attacks, as men- each communication outside the mix-zone by hiding their cer-
tioned in the technical report by ETSI ITS [9,11–14]. For instance, tificates and then compute an anonymous shared key based on
some strategies propose that vehicles initiate a silent period, which zero- knowledge proof of knowledge ( P oK ). Due to the under-
means they are not sending messages but do receive and process lying discrete logarithm problem, the verifier (or a third party)
them. Tracking is quite difficult during this period, but it is haz- cannot link the newly blinded certificates from the previously
ardous in terms of safety [15–18]. The use of such strategies thus used certificates. Hence, to the best of our knowledge, this
clearly increases the possibility of accidents. On the other hand, paper is the first to provide an end-to-end cryptographically
the concept of a mix-zone has been proposed to enhance the pri- secure mechanism against linkability attacks for the commu-
vacy technique for pseudonym-change strategies in Cooperative-ITS nication of vehicles outside the mix-zone without the help of
(C-ITS). any other participant. We demonstrate the security of our pro-
The mix-zone proposed by Beresford et al. [19] is a prespecified tocol under the ideal/real simulation paradigm.
geographical area (bound to an R SU ’s coverage) wherein vehi- • We would like to highlight that accountability can still be
cles can exchange messages and change pseudonyms. The cryp- achieved because if a vehicle is corrupted and sends wrong or
tographic mix-zone (CMIX) method depends on a secret key dis- misused information to vehicles, then the CAs can still iden-
tributed among vehicles to exchange encrypted messages inside tify the dishonest vehicle. Suppose the corrupted vehicle starts
the R SU ’s communication range. This method is constructed to the communication with an honest vehicle outside the range
prevent tracking inside the mix-zone [20]. As revealed in ETSI of the trusted third party (e.g., R SU ) and receives the blinded
ITS [9], certificate of that actual vehicle but does send wrong or invalid
pseudonym changes, silent periods, randomness, fixed parameters, information. The honest vehicle would then stop the com-
mix-zones, and CMIX all have their particular vulnerabilities. munication immediately and send the communication record
The self-blindable certificates scheme proposed by Verheul [21] once the CAs becomes available again. Once the CAs obtain
are efficient and effective credential-pseudonymous certificate sys- their real identity and are sure that this was indeed dishonest
tems that provide anonymity without the requirement for a trusted behaviour, they can immediately issue revocation through the
third party. The system includes cryptographic protection against vehicle’s present dynamic accumulator. We would like to high-
forging and unlinkability. The certificates are constructed by Weil light that our scheme can be applicable outside the mix-zone
pairing in supersingular elliptic curves. The certificate owner blinds in the absence of the TTP since it is important to achieve both
the certificate for anonymous vehicle authentication on the road. accountability and revocability without using conventional PKI.
A self-blindable certificate is a version of the regular public key Hence, our scheme accomplishes forward unlinkability, revoca-
certificate that preserves privacy. While the CA signature remains bility, and accountability simultaneously.
valid, the certificate holder can blind the certificate’s public key, • We conduct a performance analysis of our anonymous key
preventing successive uses of the same certificate from being exchange protocol and compare it with other schemes. This
linked via modification of the digital signature with specific homo- comparison illustrates that our scheme is better than other
morphic properties. The self-blindable certificates work in a similar protocols in terms of security. To reduce the online compu-
manner to anonymous certificates for vehicle authentication on the tations associated with our protocol, the vehicles can generate
road, but with less computation. Nonetheless, despite its superior blinded signatures offline (or in parallel). Our scheme is effi-
performance for intelligent devices, it lacks an efficient creden- cient since Yang et al. ’s scheme allows us to use group oper-
tial revocation mechanism. We follow the notion of self-blindable ations in only G1 instead of expensive pairing computations.
credentials and the associated security structure of [22], involving Performance improvements in our scheme show the ostensi-
a credential revocation system towards the need of vehicle com- bly VANET-based prover to operate entirely on G1 for faster
munication for a privacy-preserving to a lightweight anonymous pairing operations. The anonymous key generation reduces
entity authentication scheme. the communication overhead. Furthermore, the revocation in
our scheme has a dynamic accumulator  that prevents the
1.1. Our contributions growth in the number of revoked vehicles by updating that
number. Moreover, the efficiency of our protocol comes from
This paper presents a novel anonymous key exchange proto- the fact that the key exchange protocol does not have any ex-
col for V2V communications to accomplish forward unlinkability ternal data or any other expensive computation like pairings
without the need for a trusted third party. At a high level, the or additional signatures; instead, it just uses the existing P oK
contributions of the paper can be outlined as follows: data to generate the key.

• We first address generic security and privacy issues in the ex- 1.2. Roadmap
isting schemes wherein an adversary could apply linkability
attacks. Some of these schemes are subject to linking attacks The remainder of this paper is structured as follows: Section 2
due to the misuse of the VANETs’ Certificate Revocation Lists reviews the related work on location privacy via unlinkability
(C R Ls) and the use of the same certificates outside the mix- schemes. Section 3 outlines the security and privacy model of our
zone where R SU s are not available. We next propose the first architecture, which utilises self-blindable signatures. In Section 4,
novel anonymous key exchange protocol that ensures com- we demonstrate our improved scheme using self-blindable signa-
plete location privacy and accountability among the vehicles tures; this is followed by the security analysis of this scheme in
outside the mix-zone (without communicating to the R SU s). Section 5. Section 6 includes the performance and the compari-

2
M.S. AlMarshoud, A.H. Al-Bayatti and M.S. Kiraz Vehicular Communications 36 (2022) 100490

son between our scheme with similar existing security mechanism vulnerable to impersonation attacks because bilinear pairing has a
schemes in the literature. Finally, Section 7 concludes the paper. high computational cost.
Some researchers use anonymous certificates in a primitive
2. Related work cryptographic manner that allows entity authentication to occur
anonymously in order to achieve unlinkability [30–34]. A certifi-
This section first describes three common categories in VANET cate can only be used once in some of the schemes in [30,33] since
safety message authentication, namely PKI-based protocols, any reuse would lead to unlinkability attacks. Although these one-
identity-based protocols, and group-signature-based protocols. We use anonymous certificates operate well [35,36], k-TAA (k-Times
then present the most recent self-blindable certificate method, Anonymous Authentication) extends the life of a one-time anony-
which forms the basis of our scheme. mous certificate by allowing it to be used k times without being
linked, such that certificate holders must regularly obtain fresh
2.1. PKI-based VANETs certificates from the certificate issuer. Certificates require an on-
line connection with a CA, leading to a security vulnerability if
PKI-based protocols use public-key certificates, loading numer- the CA has been corrupted. In general, CAs are kept online. If CAs
ous pseudonym certificates for vehicles via the Trust Authority were kept offline, then many certificates would have to be gen-
(TA) [23]. Vehicles attach a relevant certificate to a safety mes- erated offline, which would require significant overhead from the
sage. The TA can revoke malicious vehicles’ certificates by submit- users. Zhou et al. [37] proposed a system based on mutual authen-
ting them to the C R L and updating the C R L across the network. tication using Elliptic Curve Cryptography (ECC). Nonetheless, this
To manage certificates and perform C R L checks, this system re- approach is vulnerable to identity guessing and impersonation at-
quires significant storage, computational, and communication re- tacks and has lower levels of user anonymity. In 2017, Li et al. [38]
sources [24]. However, the suggested system largely depends on suggested a strategy that utilises IDB for the authentication and
R SU s, and if it is hacked, the system will be destroyed, which PKI for the pseudonym generation, although it lacks traceability if
means it is inefficient. a malicious vehicle is involved in malicious activities. Furthermore,
Wasef and Shen [25] used a Hash Message Authentication several potential attacks, such as modification, replay, DoS, and bo-
Code (HMAC) check to increase authentication efficiency. How- gus information, weaken their system. In 2019, Wang et al. [39]
ever, because the corresponding key used to acquire the HMAC proposed that an R SU can be fully trusted while being vulnerable
is a global key, updating the key’s time and resource costs are to being compromised, which may break the whole scheme. Also,
quite large. Simplicio et al. [26] presented a new design, called Ac- they did not explain the communication between V2V outside the
tivation Codes for Pseudonym Certificates (ACPC), to address the range of the R SU .
problem of huge C R Ls. To decrease the total size of the C R L,
specific short-bit activation codes can be assigned to vehicles. 2.3. Group signature-based VANETs
However, because of the decentralised structure and the massive
scope of vehicle networks, the distribution of revocation informa- In group signature protocols, the common group public key can
tion through the C R L represents a significant challenge in terms authenticate signatures generated by any group member. Group
of operative pseudonym and node revocation. Lu et al. [27] em- signatures are a primitive method that works in a similar man-
ployed R SU s to give short-lifetime pseudonyms and certificates to ner to anonymous certificates in that they allow signatures to
vehicles to avoid the limitations of centralised management, but be constructed in an unlinkable manner. The distinction is that
they did not consider a revocation system. Despite the anonymity a CA can undermine the signatures’ anonymity and track down
features given, the ECPP system has several flaws. First, ECPP is the actual signers in group signatures [40–45]. The ring signa-
inefficient since it has a relatively high latency for R SU s to gen- ture is also primitive, generating unlinkable signatures, and un-
erate pseudonym keys and requires R SU s to be present to help linkability is preserved among a collection of dynamically spec-
cars generate their pseudonyms at any given road position. Sec- ified vehicles [46]. Lin et al. [47] built a privacy-preserving con-
ond, the ECPP requires the issuing authority to know the issued ditional V2V communication system based on group signatures.
pseudonyms (i.e., R SU s). R SU s are vulnerable to physical assaults They assigned private keys to vehicles using a single member-
since they are distributed in open locations along highways. As a ship manager, making it hard for the manager to successfully re-
result, unless they are fitted with tamper-resistant hardware, they voke malicious vehicles in large-scale VANETs. In Zhang et al. ’s
should not be entirely trusted. Third, there is no specific ECPP re- scheme [24], R SU s are responsible for revoking malicious vehicles
vocation method. Malicious vehicles cannot be revoked since they by updating private/public keys according to the communication
can obtain their pseudonyms from any R SU , even a hacked one. range. In this case, however, if the vehicle is outside the range,
When many R SU s are compromised, ECPP does not provide un- the system will crash. Zhu et al. [48] proposed an HMAC as an
linkability or untraceability. Because each R SU retains unchanged alternative for the time-consuming C R L check. A hacked R SU ,
pseudonyms for O BU s in ECPP, an attacker can monitor the ve- on the other hand, could launch an impersonation attack under
hicle movement trajectory using the information contained in the such a scheme. Shao et al. [49] integrated the decentralised group
compromised R SU s. model and threshold authentication approach to accomplish ef-
ficient message authentication and message dependability at the
2.2. Identity-based VANETs same time. Unfortunately, this does not meet the requirements
for traceability [50]. In general, progress has been made in the
The public key of a vehicle user can be deduced from its IDs current study on anonymous message authentication for VANETs.
in identity-based protocols. Zhang et al. [28] suggested a batch au- More research is needed, however, to increase message authenti-
thentication approach for R SU s based on identity in which cars cation efficiency while still maintaining security and privacy.
generate pseudonyms and private keys on their own. Their scheme Recently, [51] proposed a two-party key agreement based on
relied on the R SU and suffered from apparent enlargement in the a lightweight ECC that extends to a Dynamic Group Key Agree-
C R L. ment. A fixed R SU runs as Group Controller (GC) with a higher
Chim et al. [29] suggested a scheme in which vehicles occasion- processing ability than the vehicles’ O BU . Only two lightweight
ally receive pseudonyms and private keys from the TA, which holds operations, XOR and hashing, are used to create identity-based au-
the master secret key. The proposed scheme in Chim et al. [29] was thentication and privacy-preserving systems. XOR and hashing are

3
M.S. AlMarshoud, A.H. Al-Bayatti and M.S. Kiraz Vehicular Communications 36 (2022) 100490

used for lightweight encryption and decryption. To improve perfor- ing R SU s, leading to high bandwidth requirements. Also, using a
mance and security in VANETs, Wu et al. [52] presented a mutual private key with an ID-based signature might create delays and
authentication password-based approach for V2V in 2019, although severely weaken communication efficiency in their VANET system.
an attack can occur from offline password guessing [53]. Furthermore, we would like to highlight that their construction re-
quires R SU for any communication, and therefore if a vehicle is
2.4. Self-blindable certificates outside the range or the R SU is not available, their system will
not work at all.
Structure-preserving anonymous certificates have been pre-
sented (e.g., [54,35,41,55,30,42,56–58]) that make use of non- 3. The use of self-blindable signatures in VANETs
interactive zero-knowledge proofs [59]. If all the public keys,
messages, certificates, and authentication data (produced when re- We will now present self-blindable signatures, which are used
vealing a certificate) in an anonymous certificate scheme are G1 to ensure anonymous communication without a trusted third
and G2 group elements, the system is structure-preserving. The party. More specifically, this allows intelligent vehicles to anony-
goal of their structure-preserving anonymous certificates was to mously authenticate themselves to a device reader so that a cor-
display certificates in a non-interactive manner while avoiding the rupted reader cannot correlate multiple certificate use. The infras-
Fiat–Shamir heuristics [60].
tructure of the scheme is presented in Fig. 1, while Fig. 2 illustrates
Self-blindable certificates are a cryptographic primitive tech-
the communication between vehicles without the trusted third
nique that is similar to conventional certificates, except it also en-
party or the R SU s. In our scheme, we follow the ETSI standards of
sures the privacy of the entities [21]. The certificate owner blinds
PKI as the types of CAs [9]:
his/her certificate (hence the Public-key) so that no one can link
the newly generated certificates, while the signature can still be
• The Root CA ( RC A ) is a governance organization in charge of
validated successfully. The authentication data created by display-
all subordinate CAs.
ing a self-blindable certificate that only contains G1 group ele-
• Long Term CA ( LT C A ) for entity registration and certificate
ments is more efficient compared to their protocol. As a result, we
issuance.
use Fiat–Shamir heuristics to achieve non-interactive self-blindable
• Resolution Authority ( R A ) works to retrieve the certificates of
certificates. However, the certificate revocation usually has two op-
misbehaving vehicles.
tions. 1) The first method is verifier-local revocation, where the
• Pseudonym CA ( P C A ) is in charge of issuing pseudonyms.
revoked certificates are collected on a list managed by the ver-
ifier. Then, the verifier must check the certificate against all the
Furthermore, security policies have been widely analysed in
revoked certificates during the validation check (for anonymous
several works. Access control through the administration of au-
entity authentication) [61,31,44,32,33]. 2) The second method uses
thorization systems in VANETs is also very crucial in terms of
a dynamic accumulator, a revocation approach extensively used in
security and privacy. The value of the subject and object charac-
anonymous credentials and group signatures, to avoid linear com-
teristics determines the permission decision for usage control. As
putation on the verifier side. It is a group of values that are col-
a result of attribute mutability, three types of activities can influ-
lected into a single value called the accumulator, with a witness
ence usage decisions: preupdate, onupdate, and postupdate. These
confirming that the accumulated value is genuinely present in the
activities can be carried out by the system or the subject before,
accumulator for each accumulated value [34,45,62]. Prominently,
during, or after access, resulting in system state changes [84], [83].
the revocation of the certificates based on the dynamic accumu-
The SPIN model checker was used by the authors in [83] to ver-
lator solves the linear computation problem in the verifier-local
ify a policy implementation of a usage control system. The im-
approach. However, there is an issue here: all remaining legiti-
plementation was built for a web-based conference management
mate users must update their witnesses based on the updated
application that supports several applications via a single com-
accumulator whenever a certificate is removed. While a user can
munication channel. However, the usage scenario does not enable
choose to make witness updates in batch mode and thus avoid be-
ongoing rules. The poster was introduced by Rajkumar and Sandhu
ing online 24 hours a day, a significant computational overhead is
to improve administrative role-based access control. By establish-
incurred [22].
ing three necessary key actions, it has incorporated obligations via
[63] proposed a privacy-preserving authentication mechanism
an administrative model. The model was limited to administrative
called the multiple trusted authority one-time identity-based ag-
actions inside the system [65]. Apart from traditional access con-
gregate signature method. In this scheme, credentials are gener-
trol, usage control is a unified authorization system that supports
ated by a root trusted authority (TA) for R SU s and vehicles. This
a wide variety of security policies. Safety decidability is a nec-
scheme assumes R SU s to be semi-honest (honest but curious),
essary condition for decentralizing and automating authorization
which they named lower-level TA. The TA generates the certifi-
cate and Public-keys for R SU s and provides a vehicle’s internal system administration like that in VANETs. It is a fundamental re-
pseudo-identity and authentication key. Also, it has a member list quirement for the development of policy analysis tools for system
in its database containing information about the vehicles. After re- administrators, as they must determine whether the given set of
ceiving the member secrets and the approved period, the vehicle policies and initial configuration can grant unintended access cor-
stores them in a tamper-proof device. The vehicle then broadcasts rectly in any future state. This is referred to as safety analysis, and
the message along with its signature across the network. it is well established that it is undecidable in general for the pre-
f inite
The receiver validates the signature pairs using bilinear pairing to authorization usage control model, referred to as P reU C O N A .
guarantee correctness and non-repudiation. The TAs can accom- As a result, P reU C O N A ’s safety checking cannot be automated in
plish traceability by utilising the vehicle information recorded in its entirety, and its safety decidable sub-models must impose con-
the member list. Each time a vehicle switches networks, it must straints on their attributes and update functions. Recently, it was
go through a new authentication process, and R SU s manage all demonstrated that even with unbounded object creation, the safety
the vehicles’ private keys. The scheme is attractive because it ag- problem for the pre-authorization usage control sub-model with
f inite
gregates multiple signatures into one, allowing efficient verifica- finite attribute domains, called P reU C O N A , is decidable. A sig-
tion and minimising storage requirements. This construction has nificant limitation of finite attributes is their inability to connect
multiple issues. First, vehicles have to seek shares from neighbour- objects via their attribute values when unbounded object creation

4
M.S. AlMarshoud, A.H. Al-Bayatti and M.S. Kiraz Vehicular Communications 36 (2022) 100490

3.2. Types of adversaries

In this section, we explore some of the distinctions in attackers’

attributes and list the different types of adversaries, as follows:

1. Global and Local: The scope of an attacker is used to evaluate

whether the adversary is global or local. Global attackers are
assumed to have complete network access. Local adversaries,
on the other hand, are constrained to a certain segment of
the network; eavesdroppers, for instance, may have access to
a restricted number of RSUs stationed at traffic junctions [66].
2. Active and Passive: An active attacker might compromise the
security or privacy on the network by injecting new mes-
Fig. 1. Our C-ITS PKI High-Level Architecture.
sages or modifying existing communication messages. Passive
attackers, on the other hand, are incapable of altering com-
munication messages. They can only read and monitor data
transmitted by the network nodes [12].
occurs (since attributes that reference other objects must be in-
3. Static and Adaptive: Regardless of how the attack proceeds,
finite in this case). It would be desirable to have models with
static adversaries are assumed to select an attacking tech-
safety-decidable attributes that incorporate both finite and infinite
nique or plan before initiating the attack. Adversaries that are
attributes (though necessarily with some restrictions) [82].
adaptive monitor the network by obtaining knowledge of the
Rajkumar et al. [64] proposes a pre-authorization usage con-
system’s configuration and parameters. The majority of threat
trol sub-model, called P reU C O N A , where attribute domains are
models in location privacy are adaptive adversaries, referred to
entirely composed of infinite object identifiers with significant
as inference attacks in the context of location privacy [67–70].
constraints on how these attributes can be updated. The safety de- 4. Internal and External: The internal attacker is an authenti-
cidability of P reU C O N A is established by defining the concept of cated member or network who can send and receive messages
equivalent usage configurations and demonstrating that the reach- as part of the communication range. An external adversary can
able set of these configurations is computable and can be used to eavesdrop on messages using sniffing stations [71–75].
answer safety questions. An example demonstrates the utility of
such models in practice. In addition, the paper demonstrates that In our paper, we consider active and static adversaries, who can
even a single finite domain attribute added to P reU C O N idA results be internal or external.
in undecidable safety. These findings suggest that combining finite
and infinite attributes in a safety decidable model is a difficult task 3.3. Self-blindable certificate management
that will almost certainly require carefully crafted constraints on
attribute updates. Our anonymous key exchange protocol uses Yang et al. ’s Self-
Blindable Signature scheme [22] as the basis of our scheme, which
is described as follows:
3.1. Privacy requirements of VANETs
Let e : G1 × G2 → G T be a bilinear map for a multiplicative cyclic
group of prime order q, and g be generator of G1 , and h be a
In general, VANETs should ensure the following security and generator of G2 , e ( g , h) = 1.
privacy properties:
Apart from the general confidentiality, authentication, integrity, 3.3.1. Setup(1k )
and non-repudiation security requirements, a VANET system must The following algorithm will be executed by the long-term CA
also specifically ensure privacy protection. In our protocol, we (denoted as LT C A):
achieve this through the following requirements:
1. Choose a, b, d, t 1 , t 2 ∈ R G1 .
• Unlinkability: Unlinkability in vehicular networks is generally 2. Compute Z = h z and compute T 1 = t 1z , T 2 = t 2z , where z ∈ R Zq∗ .
considered to constitute identity and location privacy. The un- Note that z is the master secret key of LT C A, i.e., sk LT C A = z.
linkability feature basically prevents any types of adversaries 3. Create an accumulator with the value  ∈ R G1 .
from linking multiple messages by means of different interac- 4. Set the public parameters
tions to compromise their privacy. Also, any compromise of a
vehicle’s identity should not affect any other vehicles’ privacy pp = (e , a, b, d, h, t 1 , t 2 , Z , T 1 , T 2 , , C R L = ∅).
at all. In general, identities are generated by means of digital
certificates. The user certificate for every vehicular communi- 3.3.2. CertIssue (sk LT C A , sk O BU )
cation must be unlinkable, i.e., an adversary (or the verifier) We now generate certificates for O BU s. Let m = sk O BU be the
should not be able to link a vehicle’s certificate with previous private key of an O BU . We use the key pair of an ElGamal type as
communications. In this paper, this will be achieved through (m, y = g m ) where the public key denoted by y is certified by the
blinded-certificates. LT C A. The LT C A issues the O BU ’s certificate as follows.
• Unforgeability: For any certificate-based system, the certifi-
1. Compute a self-blindable certificate ( M , k, s), where M =
cates might be unforgeable as this is a core requirement. 1
Hence, the adversary should be incapable of forging the cer- (am b s d) k+z , and k, s ∈ R Zq .
1
tificate. 2. Compute the witness W =  k+z , where  is the most recent
• Revocability: In the ETSI ITS design, CAs can revoke misbehav- accumulator.
ing vehicles’ certificates [9], and this is essential for practical 3. Set the certificate to C ert = ( M , k, s, m, W ). Note that this real
certificate systems. certificate will not be shared with anyone; instead, it will be

5
M.S. AlMarshoud, A.H. Al-Bayatti and M.S. Kiraz Vehicular Communications 36 (2022) 100490

first blinded, and the blinded ones will be used to ensure pri- witness for each accumulated value, as well as evidence that the
vacy during the communication. collected value is genuinely held in the accumulator, and its cor-
rectness can be verified through zero-knowledge proofs (which do
The accumulator is used to prevent the certificate holder from not require any relevant data about the witness to be revealed).
sharing the real certificate. In the following, we describe blinded
certificate generation for O BU s: 1. The R A revokes the value k j of the O BU j in the current ac-
cumulator old and computes a new accumulator as ne w =
1
3.3.3. CertBlind(C ert) k +z
Given pp , C ert = ( M , k, s, m, W ), we generate a blinded certifi- oldj . Then, it publishes a new item on a public board as
cate, BC ert, with the most recent accumulator, . ne w , k j .
2. The witness can be updated for the holder by a witness as W i
1 1 1
1. Choose f , r1 , r2 ∈ R Zq . k j +z k +z
(related to ki ) by computing W ine w = W i = (old
i
) k j +z =
M  = ( M · W ) f · t 11 .
r
2. ( k 1+z − k 1
)· 1 1
 f ·k r j + z k j −ki
3. M = ( M · W ) · T 22 . oldi = ( Wneiw ) k j −ki . Note that the witness holder
4. 
A = (a b d · ) .
m s f updates the W without z’s knowledge using the proof of
T 1 = T 11 .
r
5. knowledge, whereby the accumulator  is P oK {( W , k) :
6.  r2
T 2 = t2 . e ( W , Z · hk ) = e (, h)} [35,62].
−γ  3. Addsa new entry (k, ne w ) to the C R L, so that C R L :=
7. P oK {(k, μ, ς , f , γ , r1 , r2 ) : M  = M  k t 1 T 22 A  = aμ b ς d f  f
r
  r1   r2 C R L (k, ne w ).
T1 = T1 T 2 = t 2 }, where γ = k · r1 , μ = m · f , ς = s · f .
Set the blinded certificate BC ert = ( M  , M  , A  , T 1 , T 2 , P oK ).
3.4. Efficient construction of privacy-preserving authentication through
self-blindable signatures
3.3.4. CertVerify( BC ert , C R L ):
For a given blinded certificate BC ert = ( M  , M  , A  , T 1 , T 2 ,
As shown in Section 2, it is hard to preserve both privacy
P oK ), the verifier retrieves the most recent accumulator from the
and accountability simultaneously outside the mix-zone, the rea-
C R L (which includes the most up-to-date accumulator) and veri-
son for which is that both vehicles must verify the credentials
fies all of the following verifier output as follows:
before generating a secure shared key. However, this generally re-
⎧ 
quires a public key scheme and, in particular, digital signatures.
⎨ A = 1 ∈ G1
⎪
However, if the vehicles keep using the same certificates (e.g., RSA,
PoK is valid
⎪
⎩ ?
ECDSA), then an adversary (including one of the communicating
e ( M  , Z )e ( M  , h) = e ( A  , h)e ( T 1 , h)e ( T 2 , Z ) corrupted parties) can eavesdrop the channel and can link with
previous communication as the vehicles keep using the same cer-
The P oK assures the validity of the blinded certificates and the
tificates (unless a bunch of different certificates were generated
correctness can easily be shown as follows:
offline, which would bring additional significant storage, commu-
    nication, and computational overhead). Therefore, the unlinkability
e M  , Z e M  , h =
feature would be broken, as addressed in Section 2 for several pre-
= e ( M · W ) f t 1r1 , h z e ( M · W ) f k t 2r2 , h vious constructions.
Self-blind certificates could be an alternative solution by elim-
= e ( M · W ) f z t 1r1 z , h e ( M · W ) f k t 2r2 , h inating conventional signatures due to their randomised blinding
structure and accountability feature. Also, we would like to high-
= e ( M · W ) f z t 1r1 z ( M · W ) f k t 2r2 , h light that VANETs generally should not use a fully anonymous key
exchange protocol since the identity of the malicious participants
 
= e ( M · W ) f (z+k) , h e t 1r1 z t 2r2 z , h must be obtained by the help of R A if there is a safety issue. In
this paper, we have used the self-blindable signatures to ensure
   
= e ( M · W ) f (z+k) , h e t 1r1 z , h e t 2r2 z , h privacy outside the mix-zone as well as providing accountability,
    and used in an ingenious way where the private values of the
= e ( M · W ) f (z+k) , h e T 1 , h e T 2 z , h zero-knowledge proofs are used to construct a fresh shared key
r
(i.e., the private values of the proofs of knowledge T 1 1 and T 1 1
r
   
= e ( M · W ) f (z+k) , h e T 1 , h e T 2 , Z in P oK O BU j and P oK O BU j , respectively in the blind signature algo-
 rithm). More specifically, once the certificates are blinded, shared,
f ( z+k)
 m s  1 1     and verified by both parties, the parties do not have to send extra
=e a b d k + z  k+ z , h e T 1 , h e T 2 , Z
values like signed fresh values to perform an authenticated Diffie-
 Hellman key exchange protocol. Instead, since the zero-knowledge
f ( z+k)
  1     proofs are already used as part of the verification of the under-
=e m s
a b d k+ z , h e T 1 , h e T 2 , Z
lying signatures, they are fully random and are also using private
 f     values in the exponent. We could directly use those public and
= e am b s d , h e T 1 , h e T 2 , Z private values to perform an authenticated DH protocol to gen-
      r
erate the shared key K i j = T 1 1 = T 1 1 . Therefore, this ensures
r
= e A  , h e T 1 , h e T 2 , Z (3.1)
that both parties can compute the symmetric key, eliminating any
type of eavesdropping attack. Thus, the vehicles can efficiently and
3.3.5. CertRevoke(z, C ert , old ) securely transmit their shared secret data during communication
A dynamic accumulator method combines a large number of outside the mix-zone.
values in one single value, which is known as the accumulator. We Hence, this proposed work extends Yang et al. ’s [22] scheme by
use the dynamic accumulator in [62], which is a revocation ap- generating a privacy-preserving key exchange protocol providing
proach to avoid linear computation on the verifier side. There is a accountability without the need for a trusted intermediary. Surely,

6
M.S. AlMarshoud, A.H. Al-Bayatti and M.S. Kiraz Vehicular Communications 36 (2022) 100490

Fig. 2. Anonymous and Authenticated Key Exchange Protocol using Self-Blindable Certificates.

both parties can use this key continuously until the session is ter- BC ert O BU i = (N  , N  , B  , T 1 , T 2 , P oK O BU i ) and sends it to
minated. In Section 5, we give the security proof of our protocol, O BU j .
and in Section 6 we demonstrate that ours is faster than the cur- ?
6. O BU j checks if B  = 1 ∈ G1 .
rent state-of-the-art.
?
7. Checks if e ( N  , Z )e ( N  , h) = e ( B  , h) e ( T 1 , h) e ( T 2 , Z ).
4. Our anonymous key exchange protocol using self-blindable 8. Verifies P oK O BU i . If the proof is valid, then O BU j computes
the shared key as K i j = T 1 1 .
r
certificates
r
9. Similarly, O BU i computes the same shared key as K i j = T 1 1 .
We are now ready to present our anonymous key exchange 10. Finally, they securely communicate with each other through
scheme employing Yang et al. ’s Self-Blindable Signature scheme the shared secret key K i j .
[22]. As described in Section 3.3, after running CertIssue(), vehicles
can blind their certificates. In case of revocation, they get the lat- In the next section, we show that our protocol achieves forward
est dynamic accumulator, , and the witness, W , from the C R L, unlinkability, unforgeability, and revocability (see Fig. 2 for a high-
and run CertRevoke(). We would like to highlight that our new level illustration of the protocol). With the above construction,
protocol generates an indistinguishable shared key for every com- three fundamental requirements for location privacy in VANETs
munication between vehicles. have been addressed. First, we achieve unlinkability by end-to-
Suppose that there are two vehicles, O BU i and O BU j , outside end anonymous communication. It is essential to clarify that the
the range of the R SU s and they are willing to communicate. On R SU s and the CAs are not involved in this communication, it does
a high level, our anonymous key exchange protocol is as follows. not rely on security assumptions, and it solves these requirements
At the first stage, O BU i blinds its certificate by generating proof cryptographically following the DDH assumption. The communica-
of knowledge ( P oK O BU i ), and sends it to O BU j . Similarly, O BU j tion between any two vehicles starts with blinding the certificates
also blinds its certificate by generating P oK O BU j and sends it to and exchanging proofs of knowledge P oK s to ensure the validity
the O BU i . Both vehicles utilize the proofs to securely compute a of their credentials among each other. The underlying signature
shared and fresh key (see Fig. 3 for an illustration of the protocol). scheme will achieve the second requirement, i.e., unforgeability.
Finally, forward unlinkability is accomplished by hiding k in the
1. O BU j picks a blinding factor f , r1 , r2 ∈ R Zq and computes C R L through the accumulator  and the witness W (which en-
M  = ( M . W ) f .t 11 . Next, it computes T 1 = T 11 and T 2 = t 22 .
r r r
sures security against linkability attacks from the revoked vehicles’
Then, it constructs a proof of knowledge P oK O BU j {(k, μ, information).
 
ς , f , γ , r1 , r2 ) : M  = M  k t 1−γ T 2r2 A  = aμ b ς d f  f T 1 =

T 2 = t 22 } [76,77]. After that, it sets
r r
T 11 its new blinded cer- 5. Security analysis
tificate BC ert O BU j = (M  , M  , A  , T 1 , T 2 , P oK O BU j ) and sends
it to O BU i .
? We now present the security analysis of our protocol. We start
2. O BU i checks if A  = 1 ∈ G1 . with the correctness of our protocol and then the soundness,
?
3. Verify P oK O BU j , check if e ( M  , Z )e ( M  , h) = e ( A  , h) e ( T 1 , h) which covers the forward unlinkable self-blindable certificates,
e ( T 2 , Z ) to ensure that the new blinded certificate is valid. communication integrity, signature unforgeability, and revocability.
4. If the proof is valid, it next picks a random blinding fac-
 r
tor f  , r1 , r2 ∈ R Zq , computes N  = ( N . W ) f .t 11 , and computes 5.1. Correctness
r r
T 1 = T 11 and T 2 = t 22 .
5. Then, it constructs a proof of knowledge as P oK O BU i {(k , μ ,
k −γ   μ ς f  If O BU i and O BU j are honest, then they generate a shared
ς  , f  , γ  , r1 , r2 ): N  = N  t1
r
T 22 B = a b d  f key, K i j , outside the range of the R SU s correctly from the proofs
 r  r
T 1 = T 11 T 2 = t 22 . It also sets its new blinded certificate of knowledge in the blinded certificates as follows:

7
M.S. AlMarshoud, A.H. Al-Bayatti and M.S. Kiraz Vehicular Communications 36 (2022) 100490

O BU j O BU i
Public: pp Public: pp
Private: C ert = ( M , k, s, m, W ) Private: C ert = ( N , k , s , m , W  )

Select a blinding factor f , r1 , r2 ∈ R Zq

Compute M  = ( M · W ) f · t 11
r

Compute T 1 = T 11
r

Compute T 2 = t 22
r
−γ r 
Compute P oK O BU j {(k, μ, ς , f , γ , r1 , r2 ) : M  = M  k t 1 T 22
  r  
A  = aμ b ς d f  f
r
T 1 = T 11 T 2 = t 22 } where γ = k.r1 ,
μ = m. f , ς = s. f
Set BC ert O BU j = ( M  , M  , A  , T 1 , T 2 , P oK O BU j )
BC ert O BU j
−−−−−−−−−−−−−−−−−−−−−−−−−−−→
?
Check if A  = 1 ∈ G1
Verify P oK O BU j
?
Check if e ( M  , Z )e ( M  , h) = e ( A  , h)e ( T 1 , h)e ( T 2 , Z )
Select a new blinding factor f  , r1 , r2 ∈ R Zq
 r
Compute N  = ( N · W  ) f · t 11
r
Compute T 1 = T 11
r2
Compute T 2 = t2
Compute P oK O BU i {(k , μ , ς  , f  , γ  , r1 , r2 ) :
k −γ  r      
N  = N  t 1 T 22 B  = am bς d f  f
r  r2
T 
1 = T1 1
T 2 = t2 } where γ  = k .r1 ,
μ = m  . f  , ς  = s  . f 
Set BC ert O BU i = ( N  , N  , B  , T 1 , T 2 , P oK O BU i )
BC ert O BU i
←−−−−−−−−−−−−−−−−−−−−−−−−−−

?
Check if B  = 1 ∈ G1
Verify P oK O BU i
?
Check if e ( N  , Z )e ( N  , h) = e ( B  , h)e ( T 1 , h)e ( T 2 , Z )
r1
Compute K i j = T 1 Compute K i j = T 1
r1

Enc K i j ( Data)
←−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−→

Fig. 3. Anonymous Key Exchange Protocol using Self-Blindable Signatures.

K i j = T 1
r1
described above is indistinguishable and achieves forward unlinkability.
r If either O BU i or O BU j is corrupted, then the corrupted vehicle will not
= ( T 11 )r1 obtain any information about the honest vehicle.
r  r1 (5.2)
= T 11
r Proof. Case 1: Assume that OBUi is corrupted.
= ( T 1r1 ) 1
The simulator already has the public parameters and can extract
r
= T 1 1
the corrupted party’s witness from BC ert O BU i , as described in the
r anonymous key exchange protocol (i.e., ( N, k , s , m , W  )). From
Note that T 1 1 is computed by O BU i while T 1
r1
is computed this information, the simulator constructs the view for the O BU i ,
by O BU j , as given in Fig. 3. which is statistically close to the one when the vehicle interacts
with the honest verifier. Since the simulator already knows the
5.2. Soundness
private values of O BU i , it can blind this certificate in exactly the
same manner as in the protocol, and outputs BC ert ∗O BU . More
Our scheme constructs an anonymous key exchange between i
specifically,
the prover and the verifier in end-to-end communication using the
XDH assumption based on zero- proof of knowledge from non-
1. It first selects a random blinding factor f  ∗ , r1 ∗ , r2 ∗ ∈ R Zq and
interactive self-blindable certificates.
∗ r ∗ r ∗
Also, we assume the vehicles are authentic, and any corrupt ones computes N ∗ = ( N . W  ) f .t 11 and computes T 1 ∗ = T 11 and
will not be able to compute proof of knowledge P oK and blind the r ∗
T 2 ∗ = t 22 .
certificate (Check the correctness (5.2)). If the XDH assumption is 2. Then, it constructs a proof of knowledge as P oK O BU i {(k ∗ ,
accurate, the anonymous shared key is resistant to impersonation ∗ ∗ r ∗ 
attacks.1 The theorem is as follows: μ ∗ , ς  ∗ , f  ∗ , γ  , r1 ∗ , r2 ∗ ) : N ∗∗ = N ∗ k t 1−γ T 22 B∗ =
μ ∗ ς∗ f ∗ f ∗
 r ∗  r ∗
a b d  T 1 ∗ = T 11 T 2 ∗ = t 22 .
Theorem 1. Assume that Yang et al. ’s self-blindable certificate scheme 3. It finally outputs BC ert ∗O BU = ( N ∗ , N ∗∗ , B ∗, T 1 ∗ , T 2 ∗ ,
i
is secure as the XDH assumption is accurate, and the blinded certificate ∗
P oK O BU ). i

1
BC ert ∗O BU is computationally indistinguishable from the actual
Let the CDH (Computational Diffie-Hellman) be intractable in both G1 and i

G2 . The external Diffie-Hellman (XDH) assumption states that the DDH (Decisional blinded certificate BC ert O BU j = ( M  , M  , A  , T 1 , T 2 , P oK O BU j ) due
Diffie-Hellman) is also intractable in G1 [78–80]. to the XDH assumption.

8
M.S. AlMarshoud, A.H. Al-Bayatti and M.S. Kiraz Vehicular Communications 36 (2022) 100490

Table 1
Comparison in terms of security and privacy.
Our Scheme [39] [38] [51] [52] [63]
Mutual Authentication      
Unforgeability  × ×   
Revocability  × ×   
Traceability   ×   
Attack resistance  × ×  × ×
Forward unlinkability  × × × × ×

Case 2: Assume that OBU j is corrupted. also be unable forge the certificate of an honest participant, hence
The simulator already has the public parameters and can extract unforgeability has been achieved in the presence of internal (ac-
the corrupted party’s witness from BC ert O BU j , as described in tive) attackers.
the anonymous key exchange protocol (i.e., ( M , k, s, m, W )). From
this information, the simulator constructs the view for the O BU j , 5.5. Revocability
which is statistically close to the one when the vehicle interacts
with the honest verifier. Since the simulator knows the private The revocation process has two main goals: the vehicle can
values of O BU j , which is C ert = ( M , k, s, m, W ), it blinds this cer- change the pseudonym certificate, or it can be revoked due to
tificate in exactly the same manner as in the protocol, and outputs malicious activities. The RA can revoke the vehicle certificate due
BC ert ∗O BU . More specifically, to either malicious activities of a vehicle or the certificate key of
j
the owner or the issuer being compromised. Also, honest vehi-
1. It first selects a random blinding factor f ∗ , r1∗ , r2∗ ∈ R Zq and cles are expected to report malicious vehicles to the R A when it
∗ r∗ r∗ becomes available again. The R A will receive the communication
computes M ∗ = ( M . W ) f .t 11 and computes T 1 ∗ = T 11 and record from the vehicle, and after the investigation it will revoke
r∗
T 2 ∗ = t 22 . the vehicle by deleting k j from old and updating the accumulator
2. Then, it constructs a proof of knowledge as P oK O BU i {(k∗ , ne w . The accumulation number ne w is basically a unique num-
∗ −γ ∗ r2∗  ber accumulating the revocation numbers of corrupted vehicles
μ∗ , ς ∗ , f ∗ , γ , r1∗ , r2∗ ) : M ∗∗ = M ∗k t1 T2 A∗ =
μ∗ ς∗ f∗ f∗
 r∗  r∗ so that anyone can efficiently check whether a particular device
a b d  1 = T ∗ T 11 T 2 ∗ = t 22 . has been corrupted or otherwise. Furthermore, the witness holder
3. It finally outputs BC ert ∗O BU = ( M ∗ , M ∗∗ , A ∗, T 1 ∗ , T 2 ∗ , updates the W without z’s knowledge using the proof of knowl-
j
∗
P oK O BU ) and sends it to O BU i .
j
edge, whereby the accumulator  is P oK {( W , k) : e ( W , Z · hk ) =
e (, h)}. Then, the C R L for both sides is updated. This approach
Hence, the blinded certificate BC ert ∗O BU is computationally in- ensures forward unlinkability as the accumulator updates via zero-
j
distinguishable from the actual blinded certificate, BC ert O BU i = knowledge proof P oK , which do not reveal any extra data about
( N  , N  , B  , T 1 , T 2 , P oK O BU i ), due to the XDH assumption.  the witness.
In general, our scheme does not need additional certificates be-
cause the vehicles will not change the pseudonym certificate until
As a result, each step of the proposed authentication protocol
the TTPs are available. The vehicles will keep blinding their certifi-
for the simulator is simulated, and the simulation for the mali-
cates in a fresh manner for each communication. Thus, the number
cious party is completed. When engaging with the honest user, the
of certificates on the system will be significantly reduced com-
transcript is consistent and statistically indistinguishable from the
pared to the current works. Hence, the revocation execution will
corrupted party’s point of view. Hence, the proof ensures that the
not be complex or of high intensity.
proposed is unlinkable and unforgeable.
6. Comparison
5.3. Unlinkability
In this section, we first analyse the performance of our proto-
Our scheme achieves unlinkability as the attacker cannot obtain col and compare it with existing schemes in terms of performance,
any data from the blinded certificates through the communication and security and privacy. The metrics of performance include sig-
outside the mix-zone as the vehicles can interact with each other nature size, multiplication, exponentiation, and pairing operations.
once the verification through proof of knowledge proofs are vali- The metrics of security and privacy include mutual authentication,
dated. Hence, a newly generated fresh key will ensure the unlink- forward unlinkability, unforgeability, revocability, traceability, and
ability feature. The newly generated symmetric key will be used attack resistance.
for the end-to-end confidential communication between the au-
thenticated vehicles. Hence, any eavesdroppers, including CAs and 6.1. Performance comparison
service providers, would not be able to obtain any private data
from this secure communication. Thus, our scheme guarantees the The V2V communication in our scheme has four main per-
unlinkability, which was proven in the Theorem 1 and 1. formance stages: 1) The vehicle offline computation reduces the
real-time execution addressing the VANETs requirements. In par-
5.4. Unforgeability ticular, both vehicles must compute blinded signatures to generate
a shared key once the proof is validated. Computation of blinded
Theorem 1 and Proof 1 basically cover the following two pos- certificates can be computed offline as this does not require any
sible scenarios: 1) O BU i corruption, 2) O BU j corruption. If either data from the other party. 2) We can also reduce the overall
vehicle is corrupted, then they will not be able to authenticate to time complexity by allowing the parties to simultaneously blind
the honest participant and hence they will not be able to gen- their certificates in parallel. 3) The computation of the shared key
erate a shared key. Because the malicious entity cannot gain any does not require any additional data since the ephemeral data in
data from the proof of knowledge proof, the blinded certificate will the P oK will be used to generate an anonymous and authenti-
be computationally indistinguishable. The corrupted parties would cated Diffie-Hellman key exchange. This significantly improves the

9
M.S. AlMarshoud, A.H. Al-Bayatti and M.S. Kiraz Vehicular Communications 36 (2022) 100490

Table 2
Performance comparison. 17.48
Protocol Signature Generation Verification

Comparison of Total execution time

[63] 17T h 12T h + 10T mult + 6T add
15
[52] 8T mult + 2T add 4T h + 5T exp
[51] 12T h 4T mult
[38] 2T pair + 6T mpair + T apair 3T h + 5T exp
[39] 8T mult + 5T add 8T mul + 2T add
Our scheme 8T exp 8T exp 10
7.88
Table 3
5.83
Execution time of basic operations.
5 4.53
Symbol Description Execution time (ms) 3.58
Th Hash function Execution 0.010
T add Scalar Point Addition Execution 0.38 1.42
T mult Scalar Point Multiplication Execution 0.326
T exp Exponentiation Execution 0.224 0
T pair Bilinear Pairing Execution 4.28
a b c d e f
T mpair Multiplication with Pairings Execution 1.27
T apair Addition with Pairings Execution 0.148 a=Our Scheme, b= [39],c= [38],d= [63],e= [52],f= [51]

Fig. 4. Total execution comparison.

performance compared to others. 4) The communication will be
conducted using only one symmetric key (i.e., K i j ) to ensure con-
fidential communication.
Let mult (G ) denote a scalar point multiplication operation in G1 is sufficient for nearly all vehicular safety applications that need an
and G2 , and the exponentiation operation is exp(G ) in G T . Let also end-to-end latency of around 100 ms [3]. We compare our scheme
|G| signify the bit length of an element in group G. In our architec- computation with the existing schemes in Fig. 4. The results show
tures, the vehicle computes exclusively on G1 , and the verifier per- that our scheme is second-fastest, at 3.58 ms. If we consider that
forms the group computation and bilinear pairings on G T like [22]. our scheme is generating the signature offline and it is only one
This feature distinguishes our method from practically all existing round verification, then our scheme can be considered sufficiently
anonymous certificates’ bilinear map-based and group signatures, fast for vehicular communication.
such as those described in Section 2. Note that |G1 | is substantially
shorter than |G2 | and |G T | in the context of bilinear maps, and
exp (G1 ) is significantly quicker than exp (G2 ), exp (G T ) and the pair- 6.2. Security and privacy comparison
ing operation. While we claim that our technique is more efficient
than existing anonymous certificate and group signature protocols, In Table 1, we compare the existing schemes with our own in
we recognize that different protocols rely on varying cryptographic terms of forward unlinkability, revocability, unforgeability, trace-
assumptions. ability, attack resistance, and mutual authentication; more pre-
The comparison in terms of signature generation and the ver- cisely, those concepts in V2V communication with the absence of
ification is given in Table 2. Furthermore, Table 3 illustrates the the TTPs. Some of these schemes rely on TTP, which would not
execution time of each basic operation by considering the compu- work for the cases outside the mix-zone. The scheme proposed
tation costs. Note that in our calculations, the proof of knowledge in [52] has various drawbacks in terms of security and privacy.
P oK in the blinded certificate incurs 8exp (G1 ) in total computa- Their scheme lacks forward unlinkability and uses a password-
tion [77,76]. We would like to highlight that in our scheme, O BU i based authentication protocol that is not resistant to offline pass-
can blind its signature in parallel with O BU j to reduce commu- word guessing attacks [53]. The scheme in [39] has mutual au-
nications, instead of waiting for the blinded signature of O BU j .
thentication and traceability, but their protocol does not consider
Our main goal is to provide an accountable and privacy-preserving
R SU corruption. In the scheme proposed by [63], the R SU is re-
key exchange protocol without utilizing any external parties such
sponsible for managing the vehicle’s private key, which is objec-
as RSUs (due to outside the mixed-zone), and this is achieved by
tionable [81]. Li et al. ’s scheme [38] has no traceability if a ma-
blinding their own signatures in an ingenious way where the data
licious vehicle shows malicious activities. Moreover, some possible
within the P oK is used to generate a shared key. Furthermore, the
attacks threaten these systems, such as modification, replay, DoS,
results show that our scheme is fast and has a low overhead com-
and bogus info [13]. The recent proposal in [51] has a mutual au-
pared to others because the entities O BU i and O BU j only share
thentication and attack resistance and achieves unforgeability and
one single blinded signature together with a proof of knowledge.
Our calculations demonstrate that our scheme is practical since the revocability. However, their proposal relies entirely on the R SU .
execution time is less than 100 ms. If the R SU has been corrupted, this will break the whole system.
In our certificate anonymous credential system, we use a Also, their scheme does not accomplish forward unlinkability be-
lightweight signing method (a short signature length of 154 bits cause attackers could execute linking attacks through the C R L.
only, based on the Weil pairing that is obtained from certain Our approach has forward unlinkability, which means that our
subgroups of low dimensional abelian varieties over finite fields scheme is secure and has privacy against linkability attacks from
[42,80]), which ensures privacy and trust outside the mix-zone the C R L. Also, our scheme allows mutual authentication in the
without interference from any third parties. The signature method communication through P oK s verification. Furthermore, freshness
is based on Boneh–Lynn–Shacham (BLS), which fulfils our essential and unforgeability are guaranteed through generating a K i j shared
goals. Hence, the schemes in Table 2 failed to guarantee simulta- key based on the P oK that has been computed through the com-
neous accountability, privacy, and trust, while we provide them in munication. Moreover, the anonymous key K i j uses the XDH as-
our scheme. sumption, which means that giving the P oK s to attackers is not
On the other hand, our signature generation and verification sufficient to generate that key. Our scheme is secure and over-
computations are in range. More precisely, the DSRC performance comes the vulnerabilities of existing works.

10
M.S. AlMarshoud, A.H. Al-Bayatti and M.S. Kiraz Vehicular Communications 36 (2022) 100490

7. Conclusion [11] A. Boualouache, S.-M. Senouci, S. Moussaoui, A survey on pseudonym chang-

ing strategies for vehicular ad-hoc networks, IEEE Commun. Surv. Tutor. 20 (1)
(2017) 770–790.
In this paper, we focused on the security protocols of exist-
[12] J. Petit, F. Schaub, M. Feiri, F. Kargl, Pseudonym schemes in vehicular networks:
ing works without a trusted third party and pointed out that they a survey, IEEE Commun. Surv. Tutor. 17 (1) (2014) 228–255.
are vulnerable to linkability attacks. This generally occurs because [13] S.S. Manvi, S. Tangade, A survey on authentication schemes in vanets for se-
they share certain deterministic values (e.g., the same digital cer- cured communication, Veh. Commun. 9 (2017) 19–30.
tificates) in each communication. We also address the security [14] B. Wiedersheim, Z. Ma, F. Kargl, P. Papadimitratos, Privacy in inter-vehicular
networks: why simple pseudonym change is not enough, in: 2010 Seventh In-
and privacy issues in the existing works concerning pseudonym ternational Conference on Wireless on-Demand Network Systems and Services
change management, which degrades privacy and obstructs unlink- (WONS), IEEE, 2010, pp. 176–183.
ability. In this respect, we proposed an (end-to-end) anonymous [15] J. Cui, J. Wen, S. Han, H. Zhong, Efficient privacy-preserving scheme for real-
key exchange protocol based on self-blindable certificates, which time location data in vehicular ad-hoc network, IEEE Int. Things J. 5 (5) (2018)
3491–3498.
achieves forward unlinkability in vehicles’ communications. Hence,
[16] M.B. Mansour, C. Salama, H.K. Mohamed, S.A. Hammad, Vanet security and
our end-to-end protocol prevents eavesdroppers, including the CAs privacy-an overview, Int. J. Netw. Secur. Appl. 10 (2018).
and service providers, in terms of addressing location privacy. Fur- [17] R. Al-ani, B. Zhou, Q. Shi, T. Baker, M. Abdlhamed, Adjusted location privacy
thermore, in our system, the vehicles generate signatures offline scheme for vanet safety applications, in: NOMS 2020-2020 IEEE/IFIP Network
and, in real-time, they blind their certificates in parallel to lessen Operations and Management Symposium, IEEE, 2020, pp. 1–4.
[18] M. Babaghayou, N. Labraoui, A.A.A. Ari, N. Lagraa, M.A. Ferrag, Pseudonym
the communication time. Similarly, our shared key requires a one-
change-based privacy-preserving schemes in vehicular ad-hoc networks: a sur-
time certificate blind, decreasing the number of the more compu- vey, J. Inform. Sec. Appl. 55 (2020) 102618.
tationally intensive bilinear pairing operations. To the best of our [19] A.R. Beresford, F. Stajano, Location privacy in pervasive computing, IEEE Perva-
knowledge, this is the first paper to present a complete unlinkabil- sive Comput. 2 (2003), https://doi.org/10.1109/MPRV.2003.1186725.
ity solution for location privacy in VANETs that is cryptographically [20] J. Freudiger, M. Raya, M. Falegyhazi, P. Papadimitratos, J.-P. Hubaux, Mix-zones
for location privacy in vehicular networks, ACM Workshop Wir. Netw. Int.
secure. The access control of the VANETs entities and architecture’s Transp. Syst. (2007).
policies is also an essential aspect for the future. However, a full [21] E.R. Verheul, Self-blindable credential certificates from the weil pairing, in:
examination of such expansions is outside the scope of this arti- International Conference on the Theory and Application of Cryptology and In-
cle. Furthermore, as potential future work, implementation of this formation Security, Springer, 2001, pp. 533–551.
[22] Y. Yang, X. Ding, H. Lu, J. Weng, J. Zhou, Self-blindable credential: towards
scheme could be given as a proof-of-concept for benchmarking and
anonymous entity authentication upon resource constrained devices, in: Infor-
tracking of outcomes. mation Security, Springer, 2015, pp. 238–247.
[23] M. Raya, J.-P. Hubaux, Securing vehicular ad hoc networks, J. Comput. Secur.
Declaration of competing interest 15 (1) (2007) 39–68.
[24] L. Zhang, Q. Wu, A. Solanas, J. Domingo-Ferrer, A scalable robust authentication
protocol for secure vehicular communications, IEEE Trans. Veh. Technol. 59 (4)
The authors declare that they have no known competing finan- (2009) 1606–1617.
cial interests or personal relationships that could have appeared to [25] A. Wasef, X. Shen, Emap: expedite message authentication protocol for vehicu-
influence the work reported in this paper. lar ad hoc networks, IEEE Trans. Mob. Comput. 12 (1) (2011) 78–89.
[26] M.A. Simplicio Jr, E.L. Cominetti, H.K. Patil, J.E. Ricardini, M.V.M. Silva, Acpc:
efficient revocation of pseudonym certificates using activation codes, Ad Hoc
Acknowledgement
Netw. 90 (2019) 101708.
[27] R. Lu, X. Lin, H. Zhu, P.-H. Ho, X. Shen, Ecpp: efficient conditional privacy
We would like to thank the anonymous referees and preservation protocol for secure vehicular communications, in: IEEE INFO-
Muhammed Ali Bingol for their insightful comments and sugges- COM 2008-the 27th Conference on Computer Communications, IEEE, 2008,
pp. 1229–1237.
tions.
[28] C. Zhang, R. Lu, X. Lin, P.-H. Ho, X. Shen, An efficient identity-based batch ver-
ification scheme for vehicular sensor networks, in: IEEE INFOCOM 2008-the
References 27th Conference on Computer Communications, IEEE, 2008, pp. 246–250.
[29] T.W. Chim, S.-M. Yiu, L.C. Hui, V.O. Li, Specs: secure and privacy enhancing
[1] A. Chehri, H. Chehri, N. Hakim, R. Saadane, Realistic 5.9 ghz dsrc vehicle-to- communications schemes for vanets, Ad Hoc Netw. 9 (2) (2011) 189–203.
vehicle wireless communication protocols for cooperative collision warning in [30] S. Brands, Rethinking Public Key Infrastructures and Digital Certificates: Build-
underground mining, in: Smart Transportation Systems 2020, Springer, 2020, ing in Privacy, Mit Press, 2000.
pp. 133–141. [31] D. Chaum, Security without identification: transaction systems to make big
[2] G. Naik, B. Choudhury, J.-M. Park, IEEE 802.11 bd & 5G NR V2X: evolution brother obsolete, Commun. ACM 28 (10) (1985) 1030–1044.
of radio access technologies for V2X communications, IEEE Access 7 (2019) [32] J. Camenisch, E. Van Herreweghen, Design and implementation of the idemix
70169–70184. anonymous credential system, in: Proceedings of the 9th ACM Conference on
[3] M.I. Hassan, H.L. Vu, T. Sakurai, Performance analysis of the ieee 802.11 mac Computer and Communications Security, 2002, pp. 21–30.
protocol for dsrc safety applications, IEEE Trans. Veh. Technol. 60 (8) (2011) [33] J. Camenisch, A. Lysyanskaya, An efficient system for non-transferable anony-
3882–3896. mous credentials with optional anonymity revocation, in: International Con-
[4] Z. Doukha, S. Moussaoui, An SDMA-based mechanism for accurate and efficient ference on the Theory and Applications of Cryptographic Techniques, Springer,
neighborhood-discovery link-layer service, IEEE Trans. Veh. Technol. 65 (2) 2001, pp. 93–118.
(2015) 603–613. [34] J. Camenisch, M. Kohlweiss, C. Soriente, An accumulator based on bilinear maps
[5] I.V. Technology, IEEE Standard for Wireless Access in Wireless Access in Vehic- and efficient revocation for anonymous credentials, in: International Workshop
ular Environments (WAVE)– Networking Services, 2016. on Public Key Cryptography, Springer, 2009, pp. 481–500.
[6] E. ITS, Intelligent transport systems (ITS); vehicular communications; ba- [35] M.H. Au, W. Susilo, Y. Mu, Constant-size dynamic k-taa, in: International
sic set of applications, https://www.etsi.org/deliver/etsi_en/302600_302699/ Conference on Security and Cryptography for Networks, Springer, 2006,
30263702/01.04.01_60/en_30263702v010401p.pdf, 2019. pp. 111–125.
[7] E. ITS, Intelligent transport systems (ITS); security; trust and privacy manage- [36] I. Teranishi, J. Furukawa, K. Sako, K-times anonymous authentication, in: Inter-
ment, https://www.etsi.org/deliver/etsi_ts/102900_102999/102941/01.04.01_ national Conference on the Theory and Application of Cryptology and Informa-
60/ts_102941v010401p.pdf, 2021. tion Security, Springer, 2004, pp. 308–322.
[8] I.V. Technology, IEEE standard for Wireless Access in Vehicular Environments [37] Y. Zhou, X. Zhao, Y. Jiang, F. Shang, S. Deng, X. Wang, An enhanced privacy-
Security Services for Applications and Management Messages, 2013. preserving authentication scheme for vehicle sensor networks, Sensors 17 (12)
[9] E. ITS, Intelligent transport systems (ITS); security; pre-standardization (2017) 2854.
study on pseudonym change management, https://www.etsi.org/deliver/etsi_tr/ [38] J. Li, H. Lu, M. Guizani, Acpn: a novel authentication framework with condi-
103400_103499/103415/01.01.01_60/tr_103415v010101p.pdf, 2018. tional privacy-preservation and non-repudiation for vanets, IEEE Trans. Parallel
[10] P. Papadimitratos, L. Buttyan, J.-P. Hubaux, F. Kargl, A. Kung, M. Raya, Architec- Distrib. Syst. 26 (4) (2014) 938–948.
ture for Secure and Private Vehicular Communications, in: 2007 7th Interna- [39] B. Wang, Y. Wang, R. Chen, A practical authentication framework for VANETs,
tional Conference on ITS Telecommunications, IEEE, 2007, pp. 1–6. Secur. Commun. Netw. (2019) 2019.

11
M.S. AlMarshoud, A.H. Al-Bayatti and M.S. Kiraz Vehicular Communications 36 (2022) 100490

[40] G. Ateniese, J. Camenisch, M. Joye, G. Tsudik, A practical and provably secure [62] L. Nguyen, Accumulators from bilinear pairings and applications, in: Cryptog-
coalition-resistant group signature scheme, in: Annual International Cryptology raphers’ Track at the RSA Conference, Springer, 2005, pp. 275–292.
Conference, Springer, 2000, pp. 255–270. [63] L. Zhang, Q. Wu, J. Domingo-Ferrer, B. Qin, C. Hu, Distributed aggregate privacy-
[41] G. Ateniese, B. de Medeiros, Efficient group signatures without trapdoors, in: preserving authentication in VANETs, IEEE Trans. Intell. Transp. Syst. 18 (3)
International Conference on the Theory and Application of Cryptology and In- (2016) 516–526.
formation Security, Springer, 2003, pp. 246–268. [64] P. Rajkumar, R. Sandhu, Safety decidability for pre-authorization usage con-
[42] D. Boneh, X. Boyen, Short signatures without random oracles, in: Interna- trol with identifier attribute domains, IEEE Trans. Dependable Secure Comput.
tional Conference on the Theory and Applications of Cryptographic Techniques, 17 (3) (2018) 465–478.
Springer, 2004, pp. 56–73. [65] R. PV, R. Sandhu, Poster: security enhanced administrative role based access
[43] D. Boneh, H. Shacham, Group signatures with verifier-local revocation, in: Pro- control models, in: Proceedings of the 2016 ACM SIGSAC Conference on Com-
ceedings of the 11th ACM Conference on Computer and Communications Se- puter and Communications Security, 2016, pp. 1802–1804.
curity, 2004, pp. 168–177. [66] M. Humbert, M.H. Manshaei, J. Freudiger, J.-P. Hubaux, Tracking games in mo-
[44] D. Chaum, E. Van Heyst, Group Signatures, in: Workshop on the Theory and bile networks, in: International Conference on Decision and Game Theory for
Application of Cryptographic Techniques, Springer, 1991, pp. 257–265. Security, Springer, 2010, pp. 38–57.
[45] J. Camenisch, M. Michels, A group signature scheme with improved efficiency, [67] M. Gerlach, Assessing and Improving Privacy in Vanets, ESCAR, Embedded Se-
in: International Conference on the Theory and Application of Cryptology and curity in Cars, 2006.
Information Security, Springer, 1998, pp. 160–174. [68] M.L. Yiu, C.S. Jensen, X. Huang, H. Lu, Spacetwist: managing the trade-offs
[46] R.L. Rivest, A. Shamir, Y. Tauman, How to leak a secret, in: International Con- among location privacy, query performance, and query accuracy in mobile ser-
ference on the Theory and Application of Cryptology and Information Security, vices, in: 2008 IEEE 24th International Conference on Data Engineering, IEEE,
Springer, 2001, pp. 552–565. 2008, pp. 366–375.
[47] X. Lin, X. Sun, P.-H. Ho, X. Shen, Gsis: a secure and privacy-preserving pro- [69] R. Cheng, Y. Zhang, E. Bertino, S. Prabhakar, Preserving user location privacy in
tocol for vehicular communications, IEEE Trans. Veh. Technol. 56 (6) (2007) mobile data management infrastructures, in: International Workshop on Pri-
3442–3456. vacy Enhancing Technologies, Springer, 2006, pp. 393–412.
[48] X. Zhu, S. Jiang, L. Wang, H. Li, Efficient privacy-preserving authentication for [70] T. Hara, A. Suzuki, M. Iwata, Y. Arase, X. Xie, Dummy-based user location
vehicular ad hoc networks, IEEE Trans. Veh. Technol. 63 (2) (2013) 907–919. anonymization under real-world constraints, IEEE Access 4 (2016) 673–687.
[49] J. Shao, X. Lin, R. Lu, C. Zuo, A threshold anonymous authentication protocol [71] B. Niu, S. Gao, F. Li, H. Li, Z. Lu, Protection of Location Privacy in Continuous
for vanets, IEEE Trans. Veh. Technol. 65 (3) (2015) 1711–1720. lbss Against Adversaries with Background Information, 2016, pp. 1–6.
[50] J. Zhang, Z. Sun, S. Liu, P. Liu, On the security of a threshold anonymous au- [72] B. Niu, Q. Li, X. Zhu, G. Cao, H. Li, Enhancing Privacy Through Caching in
thentication protocol for vanets, in: International Conference on Security, Pri- Location-Based Services, 2015, pp. 1017–1025.
vacy and Anonymity in Computation, Communication and Storage, Springer, [73] C.-Y. Chow, M.F. Mokbel, Enabling Private Continuous Queries for Revealed User
2016, pp. 145–155. Locations, 2007, pp. 258–275.
[51] V.S. Naresh, S. Reddi, V.D. Allavarpu, Provable secure dynamic lightweight [74] Z. Zhu, G. Cao, Toward privacy preserving and collusion resistance in a location
group communication in vanets, Trans. Emerg. Telecommun. Technol. (2021). proof updating system, IEEE Trans. Mob. Comput. 12 (1) (2011) 51–64.
[52] L. Wu, Q. Sun, X. Wang, J. Wang, S. Yu, Y. Zou, B. Liu, Z. Zhu, An efficient [75] A. Solanas, J. Domingo-Ferrer, A. Martínez-Ballesté, Location Privacy in
privacy-preserving mutual authentication scheme for secure v2v communica- Location-Based Services: Beyond ttp-Based Schemes, 2008, pp. 12–23.
tion in vehicular ad hoc network, IEEE Access 7 (2019) 55050–55063. [76] R. Cramer, I. Damgård, B. Schoenmakers, Proofs of partial knowledge and
[53] M.J. Sadri, M. Rajabzadeh Asaar, A lightweight anonymous two-factor authen- simplified design of witness hiding protocols, in: Advances in Cryptology —
tication protocol for wireless sensor networks in internet of vehicles, Int. J. CRYPTO ’94, Springer, 1994, pp. 174–187.
Commun. Syst. 33 (14) (2020) e4511. [77] B. Schoenmakers, Lecture notes: cryptographic protocols, https://www.win.tue.
[54] M. Abe, G. Fuchsbauer, J. Groth, K. Haralambiev, M. Ohkubo, Structure- nl/~berry/CryptographicProtocols/LectureNotes.pdf, Jan 2021.
preserving signatures and commitments to group elements, in: Annual Cryp- [78] W. Diffie, P.C. Van Oorschot, M.J. Wiener, Authentication and authenticated
tology Conference, Springer, 2010, pp. 209–236. key exchanges, Des. Codes Cryptogr. (1992) 107–125, https://doi.org/10.1007/
[55] J. Balasch, Smart ard implementation of anonymous redentials, Ph.D. thesis, BF00124891.
Katholieke Universiteit Leuven, 2008. [79] IEEE, Ieee Standard Specifications for Public-Key Cryptography - Amendment 1:
[56] D. Boneh, X. Boyen, H. Shacham, Short group signatures, in: Annual Interna- Additional Techniques, 2004.
tional Cryptology Conference, Springer, 2004, pp. 41–55. [80] O. Uzunkol, M.S. Kiraz, Still wrong use of pairings in cryptography, Appl. Math.
[57] P. Bichsel, J. Camenisch, T. Groß, V. Shoup, Anonymous credentials on a stan- Comput. 333 (2018) 467–479.
dard java card, in: Proceedings of the 16th ACM Conference on Computer and [81] V. Kumar, M. Ahmad, A. Kumari, S. Kumari, M.K. Khan, Sebap: a secure and ef-
Communications Security, 2009, pp. 600–610. ficient biometric-assisted authentication protocol using ecc for vehicular cloud
[58] M. Belenkiy, M. Chase, M. Kohlweiss, A. Lysyanskaya, P-signatures and non- computing, Int. J. Commun. Syst. 34 (2) (2021).
interactive anonymous credentials, in: Theory of Cryptography Conference, [82] P. Rajkumar, R. Sandhu, Safety decidability for pre-authorization usage control
Springer, 2008, pp. 356–374. with finite attribute domains, IEEE Trans. Dependable Secure Comput. 13 (5)
[59] J. Groth, A. Sahai, Efficient non-interactive proof systems for bilinear groups, (2015) 582–590.
in: Annual International Conference on the Theory and Applications of Crypto- [83] P. Rajkumar, S.K. Ghosh, D. Pallab, Concurrent Usage Control Implementation
graphic Techniques, Springer, 2008, pp. 415–432. Verification Using the Spin Model Checker, International Conference on Net-
[60] A. Fiat, A. Shamir, How to prove yourself: practical solutions to identification work Security and Applications, Springer, 2010, pp. 214–223.
and signature problems, in: Conference on the Theory and Application of Cryp- [84] P. Rajkumar, S.K. Ghosh, D. Pallab, Application specific usage control implemen-
tographic Techniques, Springer, 1986, pp. 186–194. tation verification, Int. J. Netw. Secur. Appl. Citeseer 1 (3) (2009) 116–128.
[61] X. Boyen, A tapestry of identity-based encryption: practical frameworks com-
pared, Int. J. Appl. Cryptogr. 1 (1) (2008) 3–21.

12