1

A Secure and Efficient Authentication Techniquefor Vehicular Ad-Hoc Networks

Maryam Rajabzadeh Asaar, Mahmoud Salmasizadeh, Willy Susilo∗, Senior Member, IEEE, Akbar Majidi

Abstract—Vehicular ad-hoc networks (VANETs) have beenemerging due to the recent technologies in wireless and networkcommunications. The most fundamental part in VANETs is toenable message authentications between vehicles and roadsideunits. Message authentication using proxy vehicles has beenproposed to reduce the computational overhead of roadside unitssignificantly. In this type of message authentication schemes,proxy vehicles with verifying multiple messages at the same timeimprove computational efficiency of roadside units when thereare a large number of vehicles in their coverage areas. In thispaper, first we show that the only proxy-based authenticationscheme (PBAS) presented for this goal by Liu et al. cannot achieveauthenticity of messages, and also it is not resistant againstimpersonation and modification attacks and false acceptance ofbatching invalid signatures. Next, we propose a new identity-based message authentication using proxy vehicles (ID-MAP).Then, to guarantee that it can satisfy message authenticationrequirement, existential unforgeability of underlying signatureagainst adaptively chosen-message and identity attack is provedunder Elliptic Curve Discrete Logarithm Problem in the randomoracle model. It should be highlighted that ID-MAP not only ismore efficient than PBAS since it is pairing-free and does notuse map-to-point hash functions, but also it satisfies security andprivacy requirements of vehicular ad hoc networks. Furthermore,analysis shows that the required time to verify 3000 messages inID-MAP is reduced by 76% compared to that of PBAS.

Index Terms—proxy vehicles, authentication, privacy preserv-ing, vehicular ad-hoc network.

I. INTRODUCTION

In the last few years, the vehicular ad hoc network (VANET)has been emerged due to the advances in wireless commu-nications and networking technologies [1]–[3]. The VANETsimprove traffic safety and efficiency. For communications inVANETs, each vehicle has a wireless communication devicenamed as an on board unit (OBU), and a wireless communica-tion protocol named as dedicated short range communication(DSRC), which applies the IEEE 802.11p standard for wireless

M. R. Asaar is with Department of Electrical and Computer Engineering,Science and Research Branch, Islamic Azad University, Tehran, Iran.

(asaar@srbiau.ac.ir)M. Salmasizadeh is with Electronics Research Institute of Sharif University

of Technology, Tehran, Iran.(salmasi@sharif.edu)W.Susilo is with Centre for Computer and Information Security Research,

School of Computing and Information Technology University of Wollongong,Wollongong, Australia

(wsusilo@uow.edu.au)Corresponding Author: Willy Susilo. Phone: +61-2-4221-5533. Fax: +61-

2-4221-5550.A. Majidi is with Department of Computer Science and Engineering,

Shanghai Jiao Tong University, Shanghai, China.(majidi@sjtu.edu.cn)

communication, and is used for vehicle-to-vehicle (V2V) andvehicle-to-infrastructure (V2I) communications.

Because of the wireless communication mode, it is easy foran adversary to take control of communication links and canchange, delete and replay messages. Hence, the impersonation,modification, replay and man in the middle attacks are seriousthreats for VANETs. These threats may lead to traffic chaos oraccident [4], [5]. Therefore, security of transmitted messages isone of the main requirements in VANETs. In addition, privacyof the vehicle’s identity must be achieved since leakage oftheir identities may result in serious threats for drivers sincemalicious entities can trace their messages and traveling roadsfor crimes [6]. However, unconditional privacy preserving isnot desirable for VANETs, since malicious vehicles should betraced and punished in case of any misbehavior [7], [8].

To satisfy security and privacy issues in VANETs, somePublic Key Infrastructure-based (PKI-based) authenticationschemes [4], [6] have been proposed. These schemes arenot efficient since vehicles need to store a large numberof key pairs and their corresponding certificates, and thesecertificates are required to be transmitted with messages. Toaddress certificate management in PKI-based authenticationschemes, various privacy preserving identity-based authenti-cation schemes [8]–[15] have been proposed. These authen-tication schemes are designed based on bilinear pairings anddue to their heavy computational cost, recently two efficientauthentication schemes by Lo and Tsai [16] and He et al.[17] have been proposed. In fact, they proposed identity-basedsignatures without employing bilinear pairings to improveperformance of these schemes. However, these schemes arenot enough fast when there are a large number of messagesin the coverage area of a roadside unit (RSU). For example,consider this scenario: since each vehicle broadcasts its trafficsafety message every 100-300 milliseconds according to thespecification of DSRC protocol, when there are 500 vehiclesin the coverage area of an RSU, the RSU has to verify around2500-5000 signatures in a second. This issue is a big challengefor the current authentication schemes [16]–[18] as stated byLiu et al. [19] in 2015. To tackle the aforementioned problem,Liu et al. [19] proposed an interesting authentication protocolusing proxy vehicles for vehicular networks, and called itas PBAS. In PBAS, proxy vehicles help RSUs to verify alarge number of signatures simultaneously using distributedcomputing. In fact, Liu et al. [19] claimed that in their proposalthe time required to verify 3000 signatures is decreased by88% compared to previous efficient authentication schemesbased on batch verification method at RSUs.

2

A. Our contributions

Contributions of this paper are as follows.• First, we show that the proxy-based authentication

scheme (PBAS) for vehicular networks presented by Liuet al. [19] is not resistant against false acceptance of in-valid signatures sent by vehicles, and also it does not havemessage authentication which is the main requirementof authentication schemes for VANETs. Consequently,we show that it is not secure against impersonation andmodification attacks.

• Second, to tackle the aforementioned problems and havea more efficient scheme, a new identity-based authenti-cation scheme using proxy vehicles (ID-MAP) withoutbilinear pairings is proposed.

• Third, security analysis of ID-MAP is presented to showthat it can satisfy security and privacy requirements ofVANETs. In this direction, unforgebility of the underlyingsignature scheme against adaptively chosen-message andidentity attack is proved under Elliptic Curve DiscreteLogarithm Problem in the random oracle model to guar-antee resistancy against modification and impersonationattacks.

• Finally, its performance analysis including comparison ofcomputation and communication overheads and simula-tion is presented to show that ID-MAP is more efficientthan previous schemes for VANETs.

B. Organization of the paper

The rest of this paper is organized as follows. SectionsII and III present related works and background informationused in the paper, respectively. Review of PBAS [19] and itssecurity weaknesses are given in Section IV. The proposedID-MAP and its security analysis are presented in SectionV. Sections VI and VII present the performance analysis andconclusion, respectively.

II. RELATED WORKS

In 2006, Raya et al. [4] introduced potential security andprivacy threats for VANETs, and presented a robust securityarchitecture which is resistant against these threats. They mod-ified PKI to achieve authentication, integrity and privacy in away that many key pairs and their corresponding certificateshas been preloaded into vehicles which every pair is used foreach communication. In Raya et al. ’s scheme [4], each vehicleneeds to have a large storage space to keep key pairs and theircertificates, and also the trusted authority requires to have alarge storage space to save vehicles’certificates to check theirvalidity and trace them in case of any disputes. In 2008, Lu etal. [8] proposed a new authentication scheme using temporaryanonymous certificates issued by RSUs to improve efficiencyand large storage space issues of Raya et al.’s scheme [4].Due to the high interactions of vehicles with RSUs to getanonymous certificates, Freudiger et al. [20] used the idea ofmix-zones to have an efficient scheme, while in their schemeRSUs and vehicles have to have large storage space. In 2008,Zhang et al. [21] exploited message authentication codes alongwith a key agreement protocol to create a shared key between

a vehicle and an RSU to propose an efficient authenticationscheme. However, their scheme needs a large storage spaceto keep a large number of key pairs and their certificates tosatisfy privacy requirement.

In 2008, Zhang et al. [9] exploited identity-based cryptog-raphy [22] in designing authentication schemes for VANETsto address certificate management problem of the previousschemes [4], [8], [20], [21]. They proposed an identity-basedsignature scheme with batch verification, and employed itin their scheme to reduce verification costs at RSUs [9]. Inaddition, their scheme satisfies conditional privacy preserving.However, in 2011, Chim et al. [10] showed that Zhang etal.’s scheme [9] is not resistant against impersonation, anti-tractability and privacy violating attacks, and proposed a newidentity-based authentication scheme using two shared secretsto satisfy the privacy requirement and also the bloom filter andthe binary search techniques. Their scheme is efficient in termsof communication overhead and for message verification by afactor of 45% compared to Zhang et al.’s scheme [9].

In addition, Lee and Lai [11] in 2013 showed that Zhanget al.’s scheme is vulnerable to the replay attack and also itdoes not have non-repudiation property, then they modifiedtheir scheme to have a secure identity-based authenticationscheme, while keeping Zhang et al.’s scheme efficiency. In2013, Horng et al. [12] indicated that Chim et al.’schemeis not resistant against impersonation attack, and then theymodified the message signing phase of their scheme in away that it can meet security and privacy requirements ofChim et al.’scheme [10]. In 2012, Shim [13] presented anefficient identity-based signature with batch verification, andused it in proposing an efficient conditional privacy preservingauthentication scheme. In 2014, Liu et al. [18] explainedthat Shim’s scheme [13] has some security weaknesses, i.e.,false acceptance of batching invalid signatures and securityflaws in the proof of Shim’s signature scheme. Furthermore,they showed Shim’s authentication scheme is vulnerable tomodification attack, and presented some improvements for that[18]. In 2014, Zhang et al. [14] indicated that Lee and Lie’s au-thentication scheme [11] is vulnerable to impersonation attackand does not have non-repudiation, and presented an improvedscheme by modifying the signing algorithm. Furthermore, in2015 Bayat et al. [15] presented an impersonation attack forLee and Lie’s authentication scheme [11], and tried to solvetheir security weakness which lead to a new and efficientauthentication scheme. Unfortunately, Bayat et al.’s scheme[15] and Zhang et al.’s scheme [14] are vulnerable to themodification attack. In 2015, Liu et al. [19] proposed a newscheme for VANETs to improve computational overheads atRSUs, and named it proxy-based authentication scheme, andthey showed that it has a great advantage in verification ofvehicles’ signatures when many vehicles are in the coverageareas of an RSU. Recently, Lo and Tsai [16] and He et al. [17]proposed efficient authentication schemes without employingbilinear pairings. However, their schemes are not suitable forsituations in which it is necessary to verify a large number ofmessages by an RSU in a second.

3

III. BACKGROUND

In this section, first the used notations in the paper areintroduced, then, we review several fundamental backgroundsemployed in this research, including outline of algorithms for atypical identity-based signature scheme and its security model.

A. NotationsIn this subsection, the notations used in the paper are

defined.• TA: a trusted authority.• RSU: a roadside unit.• vi: the ith vehicle.• IDi: the real identity of a vehicle.• PIDi: the pseudo identity of a vehicle, where PIDi =

(PIDi,1, P IDi,2).• mi: a message sent by the vehicle vi.• ci: the total computational cost of a vehicle vi.• cs: the computational cost of one signature generation of

a vehicle vi.• cv: the computational cost of one signature verification

of a vehicle vi.• ci,r: the extra computational resources of a vehicle vi.• y: the number of vehicles communicating directly with

each other.• u: the number of signed messages by a vehicle vi.• p: the number of proxy vehicles.• Ti: the timestamp of a message.• p, q: two large primes.• P : a generator of the group G• G: an additive group with order q.• GT : a multiplicative group.• e : a bilinear pairing, where e : G×G −→ GT .• Ppub, Ppub,1 and Ppub,2: system public keys.• β, β1 and β2: system secret keys.• Pr,1 and Pr,2: RSU’s public keys.• IDr = (IDr,1, IDr,2): RSU’s identity.• β3, βr: RSU’s secret keys.• xi, xi,1 and xi,2: vehicle’s secret keys.• xr, xr,1 and xr,2: RSU’s secret keys.• g(.), k(.), h(.), f(.) and H(.): secure hash functions,

where g(.), k(.), h(.) and f(.) : {0, 1}∗ → Z∗q and H(.) :{0, 1}∗ → G.

• |w|: the number of bits of the string w.• ⊥: an empty string.• θ ← B(w1, ...): the operation of assigning the output of

algorithm B on inputs w1, ... to θ.• w

$←W : the operation of assigning a uniformly randomelement of W to w.

• ⊕ : X-OR operation.

B. Outline of identity-based signature schemesA signer with identity ID and a verifier are participants of

an identity-based signature, and the scheme consists of Setup,KeyExtract, Sign and Ver algorithms as follows [23].• Setup: Given the system security parameter λ, it out-

puts system’s parameters Para and the master key pair(msk,mpk), i.e. (Para, (msk,mpk))← Setup(λ).

• KeyExtrat: Given the system’s parameter Para, mas-ter secret key msk and an identity ID, it out-puts its corresponding secret key x, i.e. x ←KeyExtract(Para,msk, ID)

• Sign: Given the system’s parameter Para, signer’s secretkey x and the message m to be signed, it outputs thesignature θ, i.e. θ ← Sign(Para, x,m).

• Ver: Given the system’s parameter Para, the masterpublic key mpk, the signer’s identity ID, the signatureθ and the message m, it outputs 1 if θ is a validsignature of the message m and outputs 0 otherwise,i.e. {0, 1} ← Ver(Para,mpk, ID, θ,m).

C. Security model of identity-based signature schemes

An identity-based signature scheme should be secure againstexistential forgery under an adaptive-chosen-message andidentity attack [23].

To have a formal definition for existential unforgeability, theadversary A and a challenger C should interact through thefollowing game [23].

1) Setup: Algorithm C runs the Setup algorithm witha security parameter λ to obtain system’s parameterPara and master key pair (mpk,msk), then it sends(mpk, Para) to A.

2) The adversary A in addition to making queries to ran-dom oracles adaptively issues a polynomially boundednumber of questions to the KeyExtract and Sign oraclesas follows.• KeyExtract: Adversary A can request for the secret

key of an identity ID of its choice. Then, C returnsx← KeyExtract(Para,msk, ID) to A.

• Sign: Adversary A can request for a signature on themessage m with respect to identity ID of its choice.Algorithm C makes a KeyExtract query on identityID to obtain x ← KeyExtract(Para,msk, ID),and then returns θ ← Sign(Para, x,m) to A.

3) Eventually, A returns a valid signature θ∗ on the messagem∗ under identity ID∗, and wins the game if m∗ hasnot been requested to the Sign oracle, and ID∗ has notbeen requested to KeyExtract oracle.

The formal definition of existential unforgeability is ex-pressed in Definition 1.

Definition 1. A signature is (τ, qro, qe, qs, ε)-existentially un-forgeable against adaptive chosen message and identity attackif there is no adversary which runs in time at most τ , makesat most qro random oracle queries, qe KeyExtract queries andqs Sign queries, and can win the aforementioned game withprobability at least ε.

IV. REVIEW AND SECURITY ANALYSIS OF PBAS

In this section, first we briefly review PBAS [19], and thenwe show its security drawbacks.

A. Review of PBAS

The PBAS [19] consists of the following phases:

4

1) Setup: In this phase, the trusted authority (TA) choosestwo cyclic additive and multiplicative groups G and GTof prime order q, and P as a generator of the group G.The map e : G×G −→ GT is said to be an admissiblebilinear pairing if the following conditions hold true.- The map e(., .) is bilinear, i.e. e(aP, bP ) = e(P, P )ab

for all a and b ∈ Z∗q .- The value e(P, P ) is non-degenerate, i.e.e(P, P ) 6= 1GT

.- The map e(., .) is efficiently computable.

We refer readers to [24] for more details on the con-struction of bilinear pairings.Then, TA chooses random numbers β1, β2, β3 andβr

$← Z∗q , where β1 and β2 are secret keys of the systemand β3 is RSU’s secret key, and computes the systempublic keys as Ppub,1 = β1P and Ppub,2 = β2P andRSU’s public keys as Pr,1 = β3P and Pr,2 = βrP .The tamper proof device of each vehicle is preloadedwith (β1, β2, β3). In addition, each RSU computesxr,2 = βrPr,1, where Pr,1 = β3P and Pr,2 = βrP .Therefore, the secret key of the RSU is (xr,1, xr,2) andthe public key is (Pr,1, Pr,2), where xr,1 = β3. Alsoeach vehicle chooses ki

$← Z∗q , computes PIDi,1 = kiPand PIDi,2 = IDi ⊕ g(kiPpub,1). Hence, vehicle’ssecret key is the tuple (xi,1 = β1PIDi,1, xi,2 =β2H(PIDi,1, P IDi,2)). The TA also selects three se-cure hash functions g(.), H(.) and h(.), where g(.) :{0, 1}∗ → Z∗q , H(.) : {0, 1}∗ → G and h : {0, 1}∗ →Z∗q . Therefore, the public parameters are Para ={G, q, P, Ppub,1, Ppub,2, Pr,1, Pr,2, H(.), g(.), h(.)}.

2) Message signing: Given a message (mi, Ti), where Tiis the message timestamp and mi is a traffic mes-sage, a vehicle computes si,1 = xi,1 + h(mi, Ti)xi,2,and its tamper proof device computes si,2 = (ki +β3(h(mi, Ti) + si,1))Pr,2. Then, the vehicle sends(PIDi, Ti,mi, si,1, si,2) to the proxy vehicle.

3) Batch verification by proxy vehicles: given(PIDi, Ti,mi, si,1, si,2) for 1 ≤ i ≤ d, a proxyvehicle verifies received signatures in batch bychecking if Equation (1) holds or not.

e(∑di=1 si,1, P ) = e(

∑di=1 PIDi,1, Ppub,1)×

e(∑di=1 h(mi, Ti)H(PIDi,1, P IDi,2), Ppub,2)

(1)

If it holds, the proxy vehicle computes σ1 =∑di=1 si,1,

σ2 =∏di=1 si,2 and sp,1 as given in Equation (2).

sp,1 = xp,1 + h(mp, Tp)xp,2, (2)

where mp = (b, σ1, σ2, P IDi, Ti,mi, 1 ≤ i ≤ d, Tp),and Tp is a timestamp, and b indicates that the batchresult is valid (b = 1) or invalid (b = 0).Then, it sends (b, σ1, σ2, P IDi,mi, 1 ≤ i ≤ d, Tp, sp,1)to the RSU.

4) Verification by an RSU at proxy vehicle’s output: TheRSU verifies the proxy vehicle’s signature sp,1 by check-

ing Equation (3) to be sure about integrity of the receivedmessage.

e(sp,1, P ) = e(PIDp,1, Ppub,1)×e(h(mp, Tp)H(PIDp,1, P IDp,2), Ppub,2),

(3)

where mp = (b, σ1, σ2, P IDi, Ti,mi, 1 ≤ i ≤ d, Tp).If sp,1 is valid and the received message is fresh bychecking Ti, 1 ≤ i ≤ d and Tp, then, it checks ifEquation (4) holds or not.

e(∏di=1 si,2, Pr,2) =

e(∏di=1 PIDi,1[

∑di=1(h(mi, Ti)) + σ1]xr,2, xr,1)

(4)If Equation (4) holds, the batch result, σ1, is correctlygenerated by the proxy vehicle, and is accepted by theRSU. If Equation (4) holds and b = 0, or if Equation (4)does not hold, the RSU asks TA to revoke the privacyof the malicious proxy vehicle.

B. Security analysis of PBAS

In this subsection, we show that PBAS [19] cannot preservemessage authentication requirement, and consequently it isvulnerable against common attacks such as modification andimpersonation attack. In addition, it is vulnerable againstfalse acceptance of invalid signatures. In what follows, thementioned weaknesses are described.

1) Weakness 1. The PBAS [19] does not satisfy authen-ticity of messages, the main requirement of VANETs.Hence, it is not resistant against modification and im-personation attacks. To show this weakness, we indicatethat the signature si,1 is forgeable. For this goal, itis assumed that a vehicle sends a message in formof (PIDi, Ti,mi, si,1, si,2) to a proxy vehicle, andalso it plays the role of a proxy vehicle and sends(b, σ1, σ2, P IDi,mi, 1 ≤ i ≤ d, sp,1, Tp) to an RSU,every malicious entity can extract the vehicle’s secretkeys xi,1 and xi,2 from two relations si,1 = xi,1 +h(mi, Ti)xi,2 and sp,1 = xi,1 + h(mp, Tp)xi,2 as givenin Equation (5).

xi,2 = (h(mi, Ti)− h(mp, Tp))−1(si,1 − sp,1),

xi,1 = si,1 − h(mi, Ti)xi,2.(5)

Hence, the adversary with having vehicle’s secret keysxi,1 and xi,2 can forge new signatures on each newmessage m′i and also on each message sent to theRSU in the validity period of pseudo identities. Asa consequence, the message authentication cannot bepreserved. In fact, the main reason for this vulnerabilityis that the underlying signature scheme used to generatesi,1 is not secure against adaptively-chosen-messageattack, and can be forged. In what follows, we showits vulnerabilities to modification and impersonationattacks.• Vulnerability to the modification attack: To show

this weakness, consider the following scenario. An

5

adversary can modify some messages in transmis-sion from proxy vehicles to an RSU such as b ina way that b = 0 is replaced with b = 1, and thensigned the new message with proxy vehicle’s secretkeys xi,1 and xi,2 obtained from Equation (5). Whenthe RSU checks the correctness of proxy vehicle’soutput, it seems to the RSU that the proxy vehicleis malicious since Equation (4) holds but b = 0.Hence, RSU asks TA to revoke proxy vehicle’sprivacy, while the proxy vehicle is honest and theadversary has modified the message.

• Vulnerability to the impersonation attack: Toshow this weakness, consider the following sce-nario. A malicious entity with having vehicle’ssecret keys xi,1 and xi,2 obtained from Equation(5) can forge new signatures on new messagesm′i it wants, and plays the role of a vehicle vi.For this purpose, it generates the new signatures′i,1 = xi,1+h(m′i, T

′i )xi,2, and sends it to the proxy

vehicle. Since the signature s′i,1 is generated basedon the protocol, it will be accepted by the proxyvehicle since Equation (1) holds. Then, the proxyvehicle sends the message (b, σ′1, σ2, P IDi,m

′i, 1 ≤

i ≤ d, sp,1, Tp) to an RSU, where σ2 is RSU’ssignature on messages mi, 1 ≤ i ≤ d, and cannot bechanged by the adversary, while σ′1 is adversary’ssignature on messages m′i, 1 ≤ i ≤ d. Whenthe RSU verifies the correctness of proxy vehicle’soperations, it seems to the RSU that the proxyvehicle is malicious since Equation (4) does nothold (since signatures σ1 and σ′1 are generated ondifferent messages mi and m′i) and b = 1. Hence,the RSU asks TA to revoke proxy vehicle’s privacy,while the adversary has forged the signature s′i,1 onthe message m′i and the proxy vehicle is honest.

2) Weakness 2. The PBAS [19] is not resistant against falseacceptance of invalid signatures. To show this weaknessconsider the following scenario.If an adversary changes two valid signatures in trans-mission s1,1 and s2,1 to two invalid signatures s′1,1 =

s1,1 + wP and s′2,1 = s2,1 − wP , where w $← Z∗q . Thebatch verification of the proxy vehicle outputs validityof these signatures since the Equation (1) holds, whilevehicles’ signatures are invalid. This is due to the factthat in batch verification, the term wP is omitted by theterm −wP in the relation

∑2i=1 si,1. As a consequence,

proxy vehicles cannot detect this issue, and send thebatch result and its corresponding signature σ2 to anRSU. Since in verification of the result by RSUs inEquation (4) there exists the term σ1, hence, RSUscannot detect this issue, while two invalid signatureshave been batched. Therefore, this scheme is not re-sistant against batching two or more invalid signatures,and verification by proxy vehicles and also by the RSUoutput validity of received invalid signatures. Actually,the reason of this vulnerability is that signatures areadded simply to verify signatures in batch.

V. ID-MAP SCHEME

In this section, first the system model, problem definitionand security model of ID-MAP are reviewed. Then, details ofID-MAP and its security analysis are given.

A. System model

In ID-MAP, there are three participants which are explainedbelow :• Trusted authority (TA): The TA is a trusted third party

which generates system parameters and master public keyand secret key, generates members’ secret key, preloadsthem into vehicles, and can trace vehicles from theirpseudo identities in case of any misbehavior. In addi-tion, TA considers some benefits for vehicles with extracomputational capabilities to promote them to behave asproxy vehicles. Note that computation and communica-tion capabilities of TA are high.

• Roadside units (RSUs): The RSUs are at roadsides,communicate with vehicles (proxy vehicles), can checkthe validity of received messages from vehicles (proxyvehicles), and sends them to the traffic control center. Inaddition, RSUs record proxy vehicles’ pseudo identitiesand their history to send to TA. Note that since thenumber of proxy vehicles are small, it does not have anyimpact on efficiency of the protocol.

• Vehicles: These are equipped with tamper-proof deviceson board units (OBU), and communicate with each othersand RSUs. In addition, if they have extra computationalresources, they can be proxy vehicles and serve for RSUsin authenticating received messages.

Communications between vehicles and between vehiclesand RSUs are through DSRC protocol as identified in IEEE802.11p [16], [17], [19].

B. Problem definition

An important and challenging issue for VANETs is fastvalidation of vehicles’ messages by RSUs when there aremany vehicles in the coverage area of an RSU. For example,an RSU must verify 5000 messages in one second once thenumber of vehicles is 500 and each vehicle broadcasts a trafficmessage every 100 ms according to the specification of DSRCprotocol, while as shown in the recently proposed efficientauthentication schemes [17], [19], the maximum number ofmessages can be verified in a second are about 2500.

Proxy-based authentication technique which was proposedby Liu et al. [19] is a solution to this issue in which vehicleswith extra computational capacities can behave as proxy vehi-cles to help RSUs to validate multiple messages at the sametime. For this purpose, proxy vehicles send the verificationresult along with a proof to show the correctness of theresult to RSUs. In fact, the goal of employing proxy vehiclesis to reduce centralized computing overheads at RSUs withusing distributed computing to have efficient authenticationfor VANETs when there are a large number of vehicles inthe coverage area of an RSU. The only proposed schemebased on this technique is not secure as aforementioned in

6

Subsection IV-B. Therefore, it is necessary to propose a secureand efficient scheme for this aim.

C. Security model

The ID-MAP needs to satisfy the following security andprivacy requirements:• Message authentication: (Proxy) vehicles and RSUs

should be able to check authenticity, integrity and validityof the received messages.

• Identity privacy preserving: Vehicles and RSUs except forTA should not be able extract real identity of a vehicleor a proxy vehicle from its messages.

• Traceability: The TA can find out the real identity of a(proxy) vehicle from its message in case of any misbe-havior.

• Unlinkability: Vehicles and RSUs should not be ableto find a link between two messages sent by the samevehicle.

• Resistance to attacks: Common attacks in VANETs suchas the impersonation attack, modification attack, thereplay attack and man in the middle attack should beprevented.

D. Details of ID-MAP

There are five phases in this scheme, Setup, Anonymousidentity generation, Message generation, Verification of mes-sages by proxy vehicles and Verification of proxy vehicles’output by RSUs, which are described in what follows.

1) Setup: In this phase, system parameters are generated byTA, and have been loaded into vehicles’ tamper proofdevices and into RSUs. For this goal, the following stepsare done by TA.• The TA chooses two large prime numbers p and q,

and an elliptic curve E over a prime finite field Fpdefined by equation y2 = x3 + ax + b for a andb ∈ Fp such that ∆ = 4a3 + 27b2 6= 0.

• The TA chooses a cyclic additive group, G, withorder q, and P as the generator of G. The group Gconsists of all points on the elliptic curve E and thepoint at infinity O.

• The TA chooses β $← Z∗q as the system secret key.Then, it computes the system public key as Ppub =βP .

• The TA selects four secure hash functions h(.),k(.), g(.) and f(.), where h(.), k(.), g(.) andf(.) : {0, 1}∗ → Z∗q . Therefore, public parametersare Para = {G, p, q, P, Ppub, h(.), k(.), g(.), f(.)}.

• The TA for RSU’s identity ID chooses βr$← Z∗q ,

and sets IDr,1 = βrP , IDr,2 = ID and IDr =(IDr,1, IDr,2). Then, TA computes RSU’s secretkey xr as xr = βr+βf(IDr). Hence, RSU’s secretkey corresponding to its identity IDr is xr.

• The TA puts {Para, IDi, β, xr, IDr} into tamper-proof devices of each vehicle.

2) Anonymous identity generation: In this phase, eachvehicle vi hides its real identity, IDi, through getting

Algorithm 1 . Proxy vehicle selection algorithmInput: (ci, cs, cv, u, y)Output: (p, {vp,1, ..., vp,p})1: z = 0.2: p = 0.3: for 1 ≤ i ≤ y do4: the computation of ci,r = ci − ucs.5: if ci,r > 0 then6: vi is a potential proxy vehicle and di,r = ci,r .7: end if8: z = z + 19: end for10: compute the mean value dmr of di,r for 1 ≤ i ≤ z.11: for 1 ≤ i ≤ z do12: if di,r > dmr then13: vi is selected as a proxy vehicle vp,i and the number of signatures that

can be verified are dmr−ucscv

.14: end if15: p = p+ 116: end for

a registered pseudo identity PIDi, and then generatesits corresponding secret key. To do this, the tamperproof device of a vehicle vi, which is preloaded withPara and β, chooses αi at random from Z∗q , computesPIDi,1 = αiP , PIDi,2 = IDi ⊕ g(αiPpub) to attainthe pseudo identity PIDi = (PIDi,1, P IDi,2). Then,it computes xi = αi + βg(PIDi) mod q to generatevehicle’s secret key xi, and gives (xi, P IDi) to thevehicle.

3) Message generation: In this phase, a vehicle choosesa random number ri from Z∗q , computes Ri = riP ,hi = h(mi, P IDi, Ti, Ri) and si,1 = rihi + xi modq, and also its tamper proof device selects a ran-dom number wi from Z∗q , computes Wi = wiP andsi,2 = xr(k(mi, Ti, P IDi,Wi) + si,1) +wi mod q, andsends (PIDi, Ti,mi, Ri,Wi, si,1, si,2) to proxy vehi-cles, where Ti is a timestamp.Note that methodology of proxy vehicle selection pre-sented by Liu et al. [19] is given in Algorithm 1.In fact, this selection method algorithm is based oncalculating vehicles’ extra computational resources, andthis algorithm can be run by each vehicle without help ofTA. If there is no vehicle with this criteria, the validationof vehicle’s signatures is done by RSUs as done inprevious works [16], [17]. In Algorithm 1, let ci bethe total computational cost of a vehicle vi, cs be thecomputational cost of one signature generation, cv be thecomputational cost of one signature verification, u be thenumber of signed messages by vi, y be the number ofvehicles communicating directly with each other, ci,r bethe extra computational resources of a vehicle vi and pbe the number of proxy vehicles.

Remark 1. To promote vehicles with extra computa-tional resources to behave as a proxy vehicle, RSUsrecord their pseudo identities and their history, and sendthem to TA to consider some benefits for them such asa reduction at vehicle’s payments or at vehicles’ taxes.Note that this does not have any impact on the efficiencyof the protocol since the number of proxy vehicles aresmall as mentioned by Liu et al. [19].

4) Verification of messages by proxy vehicles: In

7

this phase, a proxy vehicle verifies the integrityand senders’ identities of received messages,(PIDi, Ti,mi, Ri,Wi, si,1, si,2) for 1 ≤ i ≤ d.For this goal, the proxy vehicle first checks thefreshness of the received message by the timestampTi and the validity period of pseudo identities. Ifmessages are fresh and pseudo identities are valid, theproxy vehicle computes hi = h(mi, P IDi, Ti, Ri),gi = g(PIDi), for 1 ≤ i ≤ d, and it chooses a vector−→A = (a1, ..., ad), where ai is an integer from [1, 2γ ]for the security parameter γ. Note that the size of γ isselected according to the trade-off between security andefficiency, and this value usually is set to 80 in VANETscenarios [18]. Then, it checks if Equation (6) holds ornot.

(∑di=1 aisi,1)P =∑di=1(aihi)Ri +

∑di=1 aiPIDi,1

+(∑di=1(aigi))Ppub.

(6)

If Equation (6) holds, d distinct signatures si,1 are valid.Then, the proxy vehicle computes σ1 =

∑di=1 si,1.

After that, the proxy vehicle computes ki =k(mi, Ti, P IDi,Wi) for 1 ≤ i ≤ d. Then, it checksif Equation (7) holds or not.

(∑di=1 aisi,2)P =

(∑di=1 ai(ki + si,1))(IDr,1 + f(IDr,1, IDr,2)Ppub)

+∑di=1 aiWi.

(7)If Equation (7) holds, d distinct signatures si,2 arevalid. Then, the proxy vehicle computes σ2 =∑di=1 si,2, and sends {b, PIDp, P IDi,Wi, Ti, 1 ≤ i ≤

d, σ1, σ2, Rp, sp} to an RSU. Here, the value of bindicates that the result of the batch is valid or not,b = 1 means that the batch result is valid and b =0 indicates that the result is invalid. The signature(Rp, sp) is proxy vehicle’s signature on the messagemp = (b, PIDp, P IDi,Wi, Ti, 1 ≤ i ≤ d, σ1, σ2)to guarantee message integrity, where Rp = rpP ,hp = h(mp, P IDp, Tp, Rp) and sp = rphp+xp mod q.The correctness of Equation (6) is verified as follows.

(∑di=1 aisi,1)P

=∑di=1 ai(rihi + xi))P

=∑di=1 ai(hiRi + xiP )

=∑di=1((aihi)Ri + aixiP )

=∑di=1((aihi)Ri + ai(PIDi,1 + giPpub))

=∑di=1(aihi)Ri +

∑di=1 aiPIDi,1

+(∑di=1(aigi))Ppub,

(8)

where hi = h(mi, P IDi, Ti, Ri), gi = g(PIDi), for1 ≤ i ≤ d. Similarly, the correctness of Equation (7)can be shown.

5) Verification of proxy vehicles’ output by RSUs: In thisphase, an RSU verifies the results received from proxyvehicles to detect false results and revoke malicious

proxy vehicles. For this purpose, the following tasks aredone as described below.• An RSU first verifies proxy vehicle’s signature,

(Rp, sp), to check integrity and sender’s identity ofthe received message as given in Equation (9). If itis valid, the RSU goes to the next step; otherwise,it rejects the received message.

spP = hpRp + PIDp,1 + gpPpub, (9)

where hp = h(mp, P IDp, Tp, Rp), gp = g(PIDp)and mp = (b, PIDp, P IDi,Wi, Ti, 1 ≤ i ≤d, σ1, σ2).

• It checks the freshness of the received messageby timestamp Ti and validity of pseudo identitiesPIDi. If messages are fresh and PIDi are valid,the RSU goes to the next step; otherwise, it rejectsthe received message.

• The RSU checks correctness of the received resultgenerated by the proxy vehicle. If Equation (10)holds, the correctness of the batch result is checked.

σ2P = ((∑di=1 ki) + σ1)

(IDr,1 + f(IDr,1, IDr,2)Ppub) +∑di=1Wi,

(10)where σ2 =

∑di=1 si,2 and σ1 =

∑di=1 si,1, ki =

k(mi, Ti, P IDi,Wi) for 1 ≤ i ≤ d.The correctness of Equation (10) is verified asfollows.

σ2P = (∑di=1 si,2)P

=∑di=1[xr(k(mi, Ti, P IDi,Wi) + si,1) + wi]P

=∑di=1[(ki + si,1)

(IDr,1 + h(IDr,1, IDr,2)Ppub) +Wi]

= (∑di=1(ki + si,1))(IDr,1 + h(IDr,1, IDr,2)Ppub)

+∑di=1Wi

= (∑di=1 ki +

∑di=1 si,1)

(IDr,1 + h(IDr,1, IDr,2)Ppub) +∑di=1Wi

= (∑di=1 ki + σ1)(IDr,1 + h(IDr,1, IDr,2)Ppub)

+∑di=1Wi

(11)• If Equation (10) does not hold or Equation (10)

holds and b = 0, the RSU indicates that the proxyvehicle is malicious, and asks TA to revoke theprivacy of that proxy vehicle. This action avoidsdisturbing authentication process later. Methodologyof malicious proxy vehicle revocation is given inAlgorithm 2.Note that if some proxy vehicles are malicious andrevoked, a backup server must immediately takeover failed vehicles, which are authenticated by ma-licious proxy vehicles, for time-critical information.In addition, this revocation mechanism makes thenumber of malicious proxy vehicles be below 10%of proxy vehicles as mentioned by Liu et al. [19]and Huang et al. [25].

8

Algorithm 2 . Malicious proxy vehicle revocation algorithmInput: (Para, b, β, IDr, PIDp, PIDi,Wi, Ti,mi, 1 ≤ i ≤ d, σ1, σ2)Output: IDp

1: if Equation (10) does not hold then2: TA computes IDp = PIDp,2 ⊕ g(βPIDp,1) to revoke PIDp.3: end if4: if Equation (10) holds and b = 0 then5: TA computes IDp = PIDp,2 ⊕ g(βPIDp,1) to revoke PIDp.6: end if

E. Security analysis

In this subsection, before we show that ID-MAP has thesecurity and privacy requirements, existential unforgeabilityof the signature on the batch result, σ2, is proved in therandom oracle model (see [26] for the background). In orderto prove unforgeability of the proposed scheme, we need toshow that it is unforgeable against adversary A (as definedin Section III-C). Our main result on the security of σ2 orequivalently si,2 is summarized in Theorem 1.

To start let us present the mathematical problem which isused in the proof of our scheme.

Definition 2. Elliptic Curve Discrete Logarithm Problem(ECDLP). Given G, P as the generator of G and Q = γP ,output γ ∈ Z∗q .

Theorem 1. If ECDLP problem is (τECDLP , εECDLP )-hard,then the signature scheme is (τ, qk, qf , qe, qs, ε)-existentiallyunforgeable against adaptively chosen-message and identityattack in the random oracle model such that

εECDLP ≥ ε1(ε31

qk+qf− 1|G| ),

τECDLP ≤ 4(τ + (3qs + 2qe)tm),(12)

where ε1 = ε − qs(2qs+qk)|G| − qe(qs+2qe+qf )

|G| and tm is therequired time for scalar multiplication. In addition, qk, qf ,qe and qs are the number of queries to oracles k(.), f(.),KeyExtract and Sign, respectively.

Proof. It is supposed that there is an adversary A againstunforgeability of the scheme with success probability ε. Weconstruct another algorithm C to solve ECDLP problem withsuccess probability εECDLP . Given a random instance ofECDLP (G, P,Q = γP ), algorithm C outputs γ.

The algorithm C runs Setup on a security parameter λ,and gets a random instance of the ECDLP (G, P,Q = γP ),to set the system public key, Ppub, to Q and generate thepublic parameters Para = {G, q, P, Ppub}, and then invokesthe adversary A on Para. The adversary A runs in time atmost τ , makes qk and qf queries to the random oracles k(.),f(.), respectively, and also makes qe and qs queries to theKeyExtract and Sign oracles, respectively. Finally, it can winthe unforgeability game with probability at least ε. AlgorithmC maintains initially empty associative tables Tk[.] and Tf [.]to simulate random oracles k(.) and f(.), and answers A’soracle queries as described below.• k(.) queries: If Tk[.] is defined for the query

(mi, Ti, P IDi,Wi), then, C returns its value; otherwise,C chooses Tk[mi, Ti, P IDi,Wi]

$← Z∗q , and returnsk(mi, Ti, P IDi,Wi) to A.

• f(.) queries: If Tf [.] is defined for query IDr =(IDr,1, IDr,2), then, C returns its value; otherwise, Cchooses Tf [IDr]

$← Z∗q , and returns f(IDr) to A.• KeyExtract queries: For a query ID, C sets IDr,2 =ID, chooses two random numbers f and xr from Z∗q ,computes IDr,1 = −xrP + fPpub. If Tf [IDr,1, IDr,2]has already been defined, then, C halts, returns ⊥ and setsbad ← true; otherwise, it sets Tf [IDr,1, IDr,2] ← f ,and returns RSU’s secret key (xr, IDr,1) correspondingto the identity ID to A.

• Sign queries: For a query (mi, si,1, Ti, P IDi) underidentity IDr, C first makes an f query on IDr toattain the value of f . Then, C chooses two ran-dom numbers ki and si,2 from Z∗q , computes Wi =−si,2P + (ki + si,1)(IDr,1 + f(IDr,1, IDr,2)Ppub). IfTk[mi, Ti, P IDi,Wi] has already been defined, then, Chalts, returns ⊥ and sets bad ← true; otherwise, it setsTk[mi, Ti, P IDi,Wi] ← ki, and returns the signature(si,2, ki,Wi) on the message (mi, si,1, Ti, P IDi) underidentity IDr to A.

• Finally, it is assumed that A outputs a forged signature(si,2, ki,Wi) on the message (mi, si,1, Ti, P IDi) underidentity IDr. The forgery is non-trivial if A has not madea Sign query on the input of (mi, si,1, Ti, P IDi) underIDr, and a KeyExtract query on the input of ID.

The probability of A in returning a forged signature(si,2, ki,Wi) on the message (mi, si,1, Ti, P IDi) under iden-tity IDr is ε1 = Pr[E1] Pr[E2|E1] which is computed asfollows. First of all, we define events E1 and E2.

• Event E1 : Algorithm C does not abort as a result ofsignature simulation.

• Event E2: Adversary A returns a non-trivial forgery.

To lower-bound the probability of Pr[E1] and Pr[E2|E1],we need to compute the probability Pr[¬bad], where theevent bad indicates that C aborts in signature simulation as aresult of A’s KeyExtract and Sign queries. This probability iscomputed as follows.

Claim 1. Pr[E1] = Pr[¬bad] ≥ 1 − qs(2qs+qk)|G| −

qe(qs+2qe+qf )|G| .

Proof. The value of Pr[bad], is multiplication of thefollowing probabilities.

• Case 1. We have bad ← true if the pair(IDr,1, IDr,2) generated in a KeyExtract simu-lation has been occurred by chance in a previousquery to the oracle f(.). Since there are at mostqe + qf + qs entries in the table Tf [.] and thenumber of IDr,1, uniformly distributed in G,is |G|, the probability of this event for oneKeyExtract query is at most (qe+qf+qs)

|G| . Hence,the probability of this event for qe queries is atmost qe(qe+qf+qs)

|G| .• Case 2. We have bad ← true if C previ-

ously used the same randomness IDr,1 in oneKeyExtract simulation. Since there are at mostqe KeyExtract queries, this probability is at most

9

qe|G| . Therefore, for qe KeyExtract queries, the

probability of this event is at most q2e|G| .

• Case 3. We have bad ← true if the pair(mi, Ti, P IDi,Wi) generated in a Sign simula-tion has been occurred by chance in a previousquery to the oracle k(.). Similar to the probabil-ity analysis given in Case 1, the probability ofthis event for qs queries is at most qs(qs+qk)

|G| .• Case 4. We have bad ← true if C previously

used the same randomness Wi in one Sign sim-ulation, and similar to the probability analysisgiven in Case 2 this probability for qs Signqueries is at most q2s

|G| .Claim 2. Pr[E2|E1] ≥ ε.

Proof. The value of Pr[E2|E1] is the probability thatA returns a valid forgery provided that C does notabort as a result of A’s KeyExtract and Sign queries.If C did not abort as a result of A’s queries, all itsresponses to those queries are valid. Therefore, byhypothesis A will produce a non-trivial forgery withprobability at least ε.

Therefore, the probability that A returns a valid forgery(si,2, ki,Wi) on the message (mi, si,1, Ti, P IDi) under iden-tity IDr is at least

ε1 = ε− qs(2qs + qk)

|G|− qe(2qe + qf + qs)

|G|.

Then, C runs Multiple Forking algorithm of Boldyrevaet al. [27] to obtain four valid forgeries on the sametuple (mi, si,1, Ti, P IDi,Wi) with different values fork(mi, Ti, P IDi,Wi) and f(IDr,1, IDr,2) under IDr as pre-sented in Equation (13).

s1i,2 = (γf + βr)(k1i + si,1) + wi mod q

s2i,2 = (γf + βr)(k2i + si,1) + wi mod q

s3i,2 = (γf ′ + βr)(k3i + si,1) + wi mod q

s4i,2 = (γf ′ + βr)(k4i + si,1) + wi mod q,

(13)

where f 6= f ′, k2i 6= k1i and k3i 6= k4i .As a result, the solution to ECDLP, γ, is computed in

Equation (14).

γ =s3i,2+s

2i,2−s

1i,2−s

4i,2

f ′(k3i−k4i )−f(k1i−k2i )(14)

The success probability of C according to the Multiple-Forking Lemma of Boldyreva et al. [27] is bounded byε1(

ε31qk+qf

− 1|G| ), where ε1 = ε− qs(2qs+qk)

|G| − qe(qs+2qe+qf )|G| .

In order to compute the value τECDLP , it is assumed that ascalar multiplication takes time tm, while all other operationstake zero time. The running time of C is A’s run-time, τ , plusthe time required to respond to hash queries, qe KeyExtractand qs Sign queries. Therefore, C’s run-time is τECDLP ≤4(τ + (2qe + 3qs)tm). This completes the proof.

• Message authentication: The proposed ID-MAP providesmessage integrity and validity of the sender’s identity dueto the following reasons:

– Signatures si,1 and si,2, 1 ≤ i ≤ d are used tocheck authenticity of the received messages fromvehicles to proxy vehicles and from proxy vehiclesto RSUs, respectively. In addition, signatures si,1 andsi,2, 1 ≤ i ≤ d are existentially unforgeable againstadaptively chosen-message and identity attack underdifficulty of ECDLP problem in the random oraclemodel as proved by Lo and Tsai [16] and in Theorem1, respectively.To make it clear, proxy vehicles verify vehicles’signatures, si,1 and si,2 for 1 ≤ i ≤ d in batch tocheck message integrity and vehicles’ identities. Asa consequence, authenticity and validity of vehicle’sidentities are checked by proxy vehicles. In addition,with employing the small exponent test methodology[12], [14] in the batch verification of multiple mes-sages as used in Equation (6) and Equation (7), ID-MAP is resistant against false acceptance of invalidsignatures.

– The validity of proxy vehicle’s identity, integrityand authenticity of received messages from proxyvehicles which include the batch result σ1 and its cor-responding signature σ2 are also checked by proxyvehicle’s signature (Rp, sp) which is existentiallyunforgeable against adaptively chosen-message andidentity attack in the random oracle model as provedby Lo and Tsai [16].

– An RSU can check the correctness of the batch resultwhich is generated by proxy vehicles by verifying σ2as presented in Equation (10). In addition, security ofour proposed signature scheme is proved under thedifficulty of ECDLP problem in the random oraclemodel in Theorem 1. In fact, the tamper proof deviceof each vehicle generates si,2 for RSUs to checkintegrity of the signature si,1. As a consequence,informally without knowing RSUs’ secret keys, xr, itis impossible to generate si,2. Therefore, maliciousproxy vehicles cannot generate σ2 for its false re-sults.

• Identity privacy preserving: The ID-MAP has conditionalprivacy preserving since the real identity of each vehicle,IDi, is converted to a pseudo identity PIDi by vehicle’stamper proof device, where PIDi,1 = αiP , PIDi,2 =IDi ⊕ g(αiPpub). In addition, the pseudo identity andits corresponding secret key of each vehicle dynamicallychanges. To extract the real identity of a vehicle IDi fromPIDi, an adversary needs to compute αiPpub from Ppuband PIDi,1 = αiP which means that it has to solveComputational Diffie-Hellman Problem (CDHP). As aconsequence, due to the difficulty of CDHP or informallywithout knowing TA’s secret key, β, no one can find outthe real identity of a vehicle from its pseudo identityPIDi. Hence, vehicles and RSUs except for TA cannotextract the real identity of a vehicle from its messages.

• Traceability: The TA can find out the real identity, IDi,of a vehicle from its pseudo identity (PIDi,1, P IDi,2),where PIDi,1 = αiP , PIDi,2 = IDi ⊕ g(αiPpub). To

10

TABLE ICOMPARISON OF COMPUTATION OVERHEADS

Schemes Computational cost Computational costof a proxy vehicle of an RSU

ID-MAP 306Tmul 5d n300eTmul

PBAS [19] 300(4Tmul + 5Tp 2d n300eTmul

+Tmtp) +(2d n300e+ 3)Tp

+Tmtp

CPPA-1 [16] NA (n+ 2)Tmul

CPPA-2 [17] NA (n+ 2)Tmul

do this, TA uses its secret key β, and computes IDi =PIDi,2 ⊕ g(βPIDi,1). Therefore, TA can trace vehiclesfrom its messages in case of any misbehavior.

• Unlinkability: In this scheme, since two different mes-sages generated by the same vehicle are signed by differ-ent pseudo identities and their corresponding secret keys,and also these pseudo identities are not related since dif-ferent αi are used in their generation. As a consequence,vehicles and RSUs cannot link two messages sent by thesame vehicle.

• Resistance to attacks: Since si,1 and si,2 are existentiallyunforgeable against adaptively chosen-message and iden-tity attack, and our authentication scheme is designedbased on those signature schemes to provide authenticity,integrity and validity of the sender’s identities. Thisleads to resistancy against common attacks such as theimpersonation attack, modification attack and man inthe middle attack. In addition, timestamp Ti is used insignatures si,1, si,2 and in transmitted messages to proxyvehicles and RSUs to provide freshness of messages andavoid replay attack.

VI. PERFORMANCE ANALYSIS

A. Computational overhead

Comparison of ID-MAP, PBAS [19], the only proxy-basedauthentication scheme, and two recently proposed authentica-tion schemes [16], [17] in terms of computational overheadat an RSU and at a proxy vehicle for proxy-based schemes issummarized in Table I. In Table I, Tmtp, Tmul and Tp denotethe time required for computing a Map-to-Point hash function,scalar multiplication and one pairing, respectively. Also, NAmeans not applicable.

In the comparison, it is assumed that each proxy vehicle canverify at most 300 messages (d = 300) which is reasonable asassumed by Liu et al. in PBAS [19], and traffic density is thenumber of messages, n, in a verification period. Hence, d n

300eis the number of proxy vehicles.

Since verifying a single message at an RSU in ID-MAPcosts about 5Tmul, and that in PBAS [19] costs about2Tmul + 5Tp + Tmtp, verifying n messages, which are sentby d n

300e proxy vehicles, at an RSU costs about 5d n300eTmul,

and that costs about (2d n300eTmul + (2d n

300e+ 3)Tp + Tmtp)in PBAS [19]. Computational cost of a proxy vehicle in ID-MAP includes the cost of verifying 300 messages in batch

0 500 1000 1500 2000 2500 3000 35000

200

400

600

800

1000

1200

1400

Number of messages

Com

puta

tion

over

head

(m

s)

ID−MAPPBASCPPA−1CPPA−2

Fig. 1. Comparison of computation overheads in terms of number of messagesin an RSU

and the cost of one signature generation, 306Tmul, whilethe computational cost of a proxy vehicle in PBAS [19] is300(4Tmul + 5Tp + Tmtp). In addition, as shown in Table I,verifying n messages in an RSU in both CPPA-1 [16] andCPPA-2 [17] costs about (n+ 2)Tmul.

According to the experimental results, which calculate therequired time for employing MIRACL cryptographic library[28] by choosing the Tate pairing on a 160-bit subgroup of anMNT curve [29] with an embedding degree 6 for the securitylevel of 280, running on an Intel i7 3.07GHz machine, Tmtp,Tmul and Tp take 0.09 ms, 0.39 ms and 3.21 ms, respectively.Computational costs of other operations are negligible, andthey are not considered in the comparison [12].

To verify 3000 signatures, the required time at an RSU inID-MAP is 19.5 ms (= 5d n

300eTmul = 5d 3000300 e×0.39), whilethis value in PBAS [19], CPPA-1 [16] and CPPA-2 [17] isapproximately 81.6 ms (= 2d n

300eTmul + (2d n300e + 3)Tp +

Tmtp = 2d 3000300 e × 0.39 + (2d 3000300 e+ 3)× 3.21 + 0.09), 1170ms (= (3000 + 2)0.39) and 1170 ms (= (3000 + 2)0.39),respectively. Therefore, ID-MAP is more efficient than PBAS[19] and other efficient schemes [16], [17] in terms of compu-tational overhead at an RSU since it is pairing-free, and alsoit employs distributed computing method.

In addition, the required time at a proxy vehicle in ID-MAPis 119.5 ms (= 306Tmul = 306 × 0.39), while this value inPBAS [19] is approximately 5010 ms (= 300(4Tmul + 5Tp +Tmtp) = 300(4 × 0.39 + 5 × 3.21 + 0.09)). Hence, ID-MAPhas a better performance compared to PBAS [19].

It should be mentioned that the computational load ofproxy vehicles in proxy-based schemes ID-MAP and PBASwhich are based on distributed computing method is increasedcompared to efficient schemes [16], [17] as shown in Table I.But this issue does not have any impact on the efficiency ofthese schemes since proxy vehicles are selected vehicles withextra computational resources as given in Algorithm 1.

In other words, as shown in Fig.1, the maximum numberof the messages can be verified at an RSU per second inPBAS [19], CPPA-1 [16] and CPPA-2 [17] is approximately25650, 2562 and 2562, respectively, while in ID-MAP thisnumber reaches to 153846. As a consequence, ID-MAP is agood candidate to improve computational cost at RSUs withemploying proxy vehicles when there are a large number ofvehicles in their coverage areas compared to previous efficient

11

TABLE IICOMPARISON OF COMMUNICATION OVERHEADS (IN BYTES)

Schemes Sending 300 messages Sending n messagesto a proxy vehicle to an RSU

PBAS [19] 164(300) 204d n300e+ 84n

CPPA-1 [16] NA 144nCPPA-2 [17] NA 144nID-MAP 204(300) 184d n

300e+ 124n

schemes.

B. Communication overhead

In this subsection, comparison of communication costs ofID-MAP, PBAS [19] and two recently proposed schemes;CPPA-1 [16] and CPPA-2 [17] is given in Table II. Note thatNA means not applicable. For the security level of 280, it isassumed that q be 160 bits or 20 bytes, and each elementin G is 40 bytes. In addition, the size of the timestampis 4 bytes. This comparison is in terms of transmitting nmessages to an RSU. In addition, it is assumed that eachproxy vehicle receives 300 (d = 300) messages, so thenumber of proxy vehicles is d n

300e. In the comparison, thesize of the message mi is not considered since they arethe same in all authentication schemes. In PBAS [19], themessage sent by a vehicle to a proxy vehicle (V2PV) is(PIDi,1, P IDi,2, Ti, si,1, si,2), where PIDi,1, PIDi,2, si,1and si,2 ∈ G, and so its size is 40×4+4 = 164 bytes, and sofor sending 300 messages to a proxy vehicle we have 300(164)bytes, while in ID-MAP the message sent by a vehicle to aproxy vehicle (V2PV) is (PIDi,1, P IDi,2, Ti,Wi, si,1, si,2),where PIDi,1, PIDi,2 and Wi ∈ G, si,1 and si,2 ∈ Z∗q , andits size is 40×4+2×20+4 = 204. Hence, the communicationoverhead for transmitting 300 messages is 300(204) bytes.

Note that since it is assumed that each proxy vehi-cle verifies 300 messages, so the number of proxy vehi-cles to verify n messages is d n

300e. In PBAS [19], themessage sent by a proxy vehicle to an RSU (PV2R) is(PIDp,1, P IDp,2, Tp, sp,1, σ1, σ2, P IDi,1, P IDi,2, Ti,1 ≤ i ≤ 300), where PIDp,1, PIDp,2, PIDi,1, PIDi,2,sp,1, σ1 and σ2 ∈ G. Hence, the size of the transmittedmessages by d n

300e proxy vehicles is (40 × 5 + 4)d n300e +

(2 × 40 + 4)n = 204d n300e + 84n bytes, while in ID-MAP

the transmitted message from a proxy vehicle to an RSU is(PIDp,1, P IDp,2, Tp, Rp, sp,1, σ1, σ2, P IDi,1, P IDi,2,Wi,Ti, 1 ≤ i ≤ 300), where PIDp,1, PIDp,2, PIDi,1, PIDi,2,Wi and Rp ∈ G, sp,1, σ1 and σ2 ∈ Z∗q , and its size is(40×3+3×20+4)d n

300e+(3×40+4)n = 184d n300e+124n

bytes. By the same analysis, the message size sent by vehiclesto an RSU (V2R) for n messages in both CPPA-1 [16] andCPPA-2 [17] is 144n bytes.To send 3000 signatures to an RSU, the message size sent to anRSU in ID-MAP is 373840 bytes (= 184d 3000300 e+124×3000),while this value in PBAS [19] is 254040 bytes (= 204d 3000300 e+84× 3000). In addition, message size transmitted to an RSUin both CPPA-1 [16] and CPPA-2 [17] is 432000 bytes(= 144 × 3000). It should be noted that 300(164) = 49200and 300(204) = 61200 bytes are sent to a proxy vehicle by

0 500 1000 1500 2000 2500 3000 35000

1

2

3

4

5

6x 10

5

Number of messages

Com

mun

icat

ion

over

head

(M

B)

ID−MAP

PBAS

CPPA−1

CPPA−2

Fig. 2. Comparison of communication overheads in terms of number ofmessages

vehicles in PBAS [19] and ID-MAP schemes, respectively. Butthis issue does not have any impact on VANET’s efficiencysince vehicles are close to proxy vehicles, and communicateddirectly with them, and also this communication overhead isdistributed between vehicles, while all communication loadis put on RSUs in both CPPA-1 [16] and CPPA-2 [17]. Thisresult is consistent with the goal of proxy-based authenticationschemes which reduces the communication load of RSUs.However, the communication overhead of ID-MAP comparedto that of PBAS is increased, it should be highlighted thatPBAS is not secure as aforementioned in Subsection IV-B. Asa consequence, ID-MAP has a better communication overheadat the side of RSUs compared to the previous efficient andsecure authentication schemes as shown in Fig. 2.

C. Simulations

We simulate the proposed protocol in NS2.35, which isflexible and provides us a comparison environment withexisting protocols. VanetMobiSim [30] is used to simulatemobility model of vehicles. The simulation results show thatthe average message delay and the average loss ratios in RSUswith running each simulation result 100 times to analyze theperformance of ID-MAP and compare it with the recentlyproposed efficient schemes: PBAS [19], CPPA-1 [16] andCPPA-2 [17]. Note that in the first two simulation results,the speeds of vehicles are about 10 ∼ 30 m/s. Parameters androad scenario of mobility model used by Liu et al. [19] aregiven in Table III.

Fig. 3 demonstrates the comparison of average messagedelays (AMD), the required time for transmission of messagesfrom vehicles to an RSU, of ID-MAP, PBAS [19], CPPA-1[16] and CPPA-2 [17] in terms of the number of vehicles. It isobvious that the value of AMD becomes large with an increasein the number of vehicles. As shown in Fig. 3, ID-MAP hasthe lowest AMD when the number of vehicles are increasedsince ID-MAP has faster message validation by RSUs. As aconsequence, the simulation results indicate that performanceof ID-MAP is slightly affected by an increase in the numberof vehicles or traffic density.

In Fig. 4, comparison of average message loss ratio(AMLR), the ratio between the number of dropped messagesand the total number of messages received by an RSU in every

12

TABLE IIISIMULATION PARAMETERS [19]

Parameters ValuesCoverage area 8000× 16m2

No. of traffic lanes 4No. of RSUs 5Maximum No. of proxy vehicles 20Simulation duration 100 sMAC layer protocol 802.11pChannel bandwidth 6 MbpsTransmission range of a vehicle 300mTransmission range of an RSU 1000 mMinimum inter-vehicle distance 40 mRouting protocol AODVSlot time 13µsSIFS 32µsAIFS (high priority) 58 µsContention window size (CW) 15 ∼ 1023 µs

25 50 75 100 125 150 175 2002000

0.2

0.4

0.6

0.8

1

1.2

1.4

Number of vehicles

Ave

rage

mes

sage

del

ay A

MD

(S

econ

ds)

ID−MAPPBASCPPA−1CPPA−2

Fig. 3. Comparison of average message delays in terms of vehicles’ numberin RSUs

100s, of ID-MAP, PBAS [19], CPPA-1 [16] and CPPA-2 [17]in terms of the number of vehicles is given. Since AODVprotocol which employs relays for routing is employed insimulation, and assists vehicles with 300 m transmission rangein forwarding messages, the AMLR of schemes reduces at thebeginning of the frame with an increase in the number ofvehicles in the light of this fact that the quantity of relays in-crements as the quantity of vehicles increments. However, theAMLR of schemes increases due to the collisions caused byhidden terminal problem and frequent transmissions betweenRSUs and vehicles in the same communication area, ID-MAPhas the lowest AMLR compared to previous schemes as shownin the simulation result.

Fig. 5 represents the comparison of average message delays(AMD) of our proposed scheme ID-MAP, PBAS [19], CPPA-1[16] and CPPA-2 [17] in terms of average speed of vehicles. Asshown in Fig. 5, AMD of schemes is approximately constantfor different values of speeds. Hence, the simulation resultsindicate that AMD of schemes is slightly affected by anincrease at vehicles’ speeds, and also ID-MAP has the lowestAMD compared to previous schemes.

In Fig. 6, comparison of average message loss ratio (AMLR)of our proposed scheme ID-MAP, PBAS [19], CPPA-1 [16]and CPPA-2 [17] in terms of average speed of vehicles isgiven. However, an increase in the average speed of vehicles

25 50 75 100 125 150 175 20000.001

0.005

0.010

0.015

0.02

0.025

0.03

0.035

0.04

0.045

0.05

0.055

Number of vehicles

Ave

rage

mes

sage

loss

rat

io (

AM

LR)

ID−MAPPBASCPPA−1CPPA−2

Fig. 4. Comparison of average message loss ratios in terms of vehicles’number in RSUs

0 5 10 15 20 25 30 35 40 450.01

0.02

0.03

0.04

0.05

0.06

0.07

Average speed of the vehicles (m/s)

Ave

rage

mes

sage

del

ay A

MD

(S

econ

ds)

ID−MAPPBASCPPA−1CPPA−2

Fig. 5. Comparison of average message delays in terms of vehicles’ speedin RSUs

incredibly affects AMLR of schemes, ID-MAP has the lowestAMLR compared to other schemes as shown in the simulationresult.

VII. CONCLUSION

In this paper, we showed that PBAS proposed by Liu et al.[19] for VANETs has some security drawbacks: it does not sat-isfy message authentication, and also it is not resistant againstimpersonation and modification attacks and false acceptanceof invalid signatures. Then, to tackle the security weaknessesof PBAS, we proposed ID-MAP for vehicular networks. Toshow that it is secure against aforementioned attacks andit has message authenticity, we proved that the underlyingsignature scheme is secure against adaptively chosen-messageand identity attack under ECDLP problem in the randomoracle model. As shown in the comparison, ID-MAP is moreefficient than PBAS, and also the simulation results show thatID-MAP is an efficient candidate for VANET’s authenticationin realistic environments. We should emphasize that ID-MAPis useful where there are a large number of vehicles inthe coverage area of an RSU, and it was shown from theanalysis that the required time to verify 3000 signatures in onesecond for ID-MAP was improved by 76% and 98% comparedto PBAS [19] and the two recently efficient authenticationschemes [16], [17], respectively.

13

0 5 10 15 20 25 30 35 40 450

0.05

0.1

0.15

0.2

0.25

Average speed of the vehicles (m/s)

Ave

rage

mes

sage

loss

rat

io (

AM

LR)

ID−MAPPBASCPPA−1CPPA−2

Fig. 6. Comparison of average message loss ratios in terms of vehicles’ speedin RSUs

ACKNOWLEDGEMENTS

The authors would like to appreciate anonymous reviewerfor their valuable comments on this work. In addition, we aregrateful to Dr. Liu for useful discussions and providing us theexact code for comparison with their study.

REFERENCES

[1] S. Zeadally, R. Hun, Y.-S. Chen, A. Irwin, and A. Hassan, “Vehicularad hoc networks (VANETs): Status, results, and challenges,” Telecom-munication Systems, vol. 50, no. 4, pp. 217–241, 2012.

[2] M. Ghosh, A. Varghese, A. Gupta, A. A. Kherani, and S. N. Muthaiah,“Detecting misbehaviors in VANET with integrated root-cause analysis,”Ad Hoc Networks, vol. 8, no. 7, pp. 778–790, 2010.

[3] Y. Toor, P. Muhlethaler, and A. Laouiti, “Vehicle ad hoc networks: Ap-plications and related technical issues,” IEEE Communications Surveys& Tutorials, vol. 10, no. 3, pp. 74–88, 2008.

[4] M. Raya, P. Papadimitratos, and J.-P. Hubaux, “Securing vehicularcommunications,” IEEE Wireless Communications, vol. 13, no. 5, pp.8–15, 2006.

[5] J. T. Isaac, S. Zeadally, and J. S. Camara, “Security attacks and solutionsfor vehicular ad hoc networks,” IET Communications, vol. 4, no. 7, pp.894–903, 2010.

[6] J. P. Hubaux, S. Capkun, and J. Luo, “The security and privacy of smartvehicles,” IEEE Security Privacy, vol. 2, no. 3, pp. 49–55, 2004.

[7] M. Raya and J.-P. Hubaux, “Securing vehicular ad hoc networks,”Journal of Computer Security, vol. 15, no. 1, pp. 39–68, 2007.

[8] R. Lu, X. Lin, H. Zhu, P.-H. Ho, and X. Shen, “ECPP: Efficient con-ditional privacy preservation protocol for secure vehicular communica-tions,” in Proc. of the 27th Int. Conf. on the Computer Communications-IEEE INFOCOM 2008. Phoenix, AZ, USA: IEEE, 13-18 April 2008,pp. 1903–1911.

[9] C. Zhang, R. Lu, X. Lin, P.-H. Ho, and X. Shen, “An efficient identity-based batch verification scheme for vehicular sensor networks,” in Proc.of the 27th Int. Conf. on Computer Communications-IEEE INFOCOM2008. Phoenix, AZ, USA: IEEE, 13-18 April 2008, pp. 816–824.

[10] T. W. Chim, S. M. Yiu, L. C. K. Hui, and V. O. K. Li, “SPECS: Secureand privacy enhancing communications schemes for VANETs,” Ad HocNetworks, vol. 9, no. 2, pp. 189–203, 2011.

[11] C.-C. Lee and Y.-M. Lai, “Toward a secure batch verification with grouptesting for VANET,” Wireless Network, vol. 19, no. 6, pp. 1441–1449,2013.

[12] S.-J. Horng, S.-F. Tzeng, Y. Pan, P. Fan, X. Wang, T. Li, and M. K. Khan,“b-SPECS+: Batch verification for secure pseudonymous authenticationin VANET,” IEEE Transactions on Information Forensics and Security,vol. 8, no. 11, pp. 1860–1875, 2013.

[13] K.-A. Shim, “CPAS: An efficient conditional privacy-preserving authen-tication scheme for vehicular sensor networks,” IEEE Transactions onVehicular Technology, vol. 61, no. 4, pp. 1874–1883, 2012.

[14] J. Zhang, M. Xu, and L. Liu, “On the security of a secure batchverification with group testing for VANET,” International Journal ofNetwork Security, vol. 16, no. 5, pp. 355–362, 2014.

[15] M. Bayat, M. Barmshoory, M. Rahimi, and M. R. Aref, “A secureauthentication scheme for VANETs with batch verification,” WirelessNetworks, vol. 21, no. 5, pp. 1733–1743, 2015.

[16] N.-W. Lo and J. L. Tsai, “An efficient conditional privacy-preservingauthentication scheme for vehicular sensor networks without bilinearpairings,” IEEE Transactions on Intelligent Transportation Systems,vol. 17, no. 5, pp. 1319–1328, 2015.

[17] D. He, S. Zeadally, B. Xu, and X. Huang, “An efficient identity-based conditional privacy-preserving authentication scheme for vehicularad hoc networks,” IEEE Transactions on Information Forensics andSecurity, vol. 10, no. 12, pp. 2681–2691, 2015.

[18] J. K. Liu, T. H. Yuen, M. H. Au, and W. Susilo, “Improvements on anauthentication scheme for vehicular sensor networks,” Expert Systemswith Applications, vol. 41, no. 5, pp. 2559–2564, 2014.

[19] Y. Liu, L. Wang, and H.-H. Chen, “Message authentication using proxyvehicles in vehicular ad hoc networks,” IEEE Transactions on VehicularTechnology, vol. 64, no. 8, pp. 3697–3710, 2015.

[20] J. Freudiger, M. Raya, M. Felegyhazi, P. Papadimitratos, and J.-P.Hubaux, “Mix-zones for location privacy in vehicular networks,” inProc. of the 1st Int. ACM Workshop on Wireless Networking forIntelligent Transportation Systems (WiN-ITS). Vancouver, BC, Canada:ACM, 14 August 2007, pp. 1–7.

[21] C. Zhang, X. Lin, R. Lu, and P.-H. Ho, “RAISE: An efficient RSU-aidedmessage authentication scheme in vehicular communication networks,”in Proc. of IEEE Int. Conf. on Communications (ICC 2008). Beijing,China: IEEE, 30 May 2008, pp. 1451–1457.

[22] A. Shamir, “Identity-based cryptosystems and signature schemes,” inProc. of 4th Annual Int. Cryptology Conf. on Advances in Cryptology-CRYPTO 1984. Santa Barbara, CA, USA: Springer-Verlag, Berlin,19-22 August 1985, pp. 47–53.

[23] M. Bellare, C. Namprempre, and G. Neven, “Security proofs for identity-based identification and signature schemes,” Journal of Cryptology,vol. 22, no. 1, pp. 1–61, 2009.

[24] D. Boneh and M. Franklin, “Identity-based encryption from the Weilpairing,” in Proc. of the 21st Ann. Int. Crypto. Conf., Advances inCryptology-Crypto 2001. Santa Barbara, California, USA: Springer-Verlag, Berlin, 19-23 August 2001, pp. 213–229.

[25] J.-L. Huang, L.-Y. Yeh, and H.-Y. Chien, “ABAKA: An anonymousbatch authenticated and key agreement scheme for value-added servicesin vehicular ad hoc networks,” IEEE Transactions on Vehicular Tech-nology, vol. 60, no. 1, pp. 248–262, 2011.

[26] M. Bellare and P. Rogaway, “Random oracles are practical: A paradigmfor designing efficient protocols,” in Proc. of the 1st ACM Conf. onComputer and Communications Security (CCS 1993). Fairfax, VA,USA: ACM, New York, NY, 3-5 November 1993, pp. 62–73.

[27] A. Boldyreva, A. Palacio, and B. Warinschi, “Secure proxy signatureschemes for delegation of signing rights,” Journal of Cryptology, vol. 25,no. 1, pp. 57–115, 2012.

[28] MIRACL Cryptographic Library: Multiprecision Integer and RationalArithmetic C/C++ Library. Available: http:// indigo.ie /

[29] A. Miyaji, M. Nakabayashi, and S. Takano, “New explicit conditions ofelliptic curve traces for FR-reduction,” IEICE Transactions on Funda-mentals, vol. E84-A, no. 5, pp. 1234–1243, 2001.

[30] VanetMobiSim Project Home Page. Available: http://vanet.eurecom.fr.

Maryam Rajabzadeh Asaar received her B.S. de-gree in Electrical Engineering from Shahid BahonarUniversity of Kerman, Kerman, Iran, in 2004, andreceived her M.S. and Ph.D. degrees in ElectricalEngineering from Sharif University of Technology,Tehran, Iran in 2008 and 2014, respectively. Sheis currently an asistant professor at Department ofElectrical and Computer Engineering, Science andResearch Branch, Islamic Azad University, Tehran,Iran. Her research interests include provable security,digital signatures, design and analysis of crypto-

graphic protocols and network security and security in industrial controlsystems.

14

Mahmoud Salmasizadeh received the B.S. andM.S. degrees in electrical engineering from SharifUniversity of Technology, Tehran, Iran, in 1972 and1989, respectively. He also received the Ph.D. degreein information technology from Queensland Univer-sity of Technology, Australia, in 1997. Currently, heis an associate professor in the Electronics ResearchInstitute and adjunct associate professor in the Elec-trical Engineering Department, Sharif University ofTechnology. His research interests include Designand Cryptanalysis of cryptographic algorithms and

protocols, E-commerce Security, and Information Theoretic Secrecy. He is afounding member of Iranian Society of Cryptology.

Willy Susilo (SM’01) received a Ph.D. in ComputerScience from University of Wollongong, Australia.He is a Professor and Head of School of Comput-ing and Information Technology at the Universityof Wollongong. He is also the director of Centrefor Computer and Information Security Research(CCISR) at the University of Wollongong. Previ-ously, he held a prestigious ARC Future Fellowawarded by the Australian Research Council (ARC).His main research interests include cryptography andinformation security. His main contribution is in the

area of digital signature schemes. He has served as a program committeemember in dozens of international conferences. He has published numerouspublications in the area of digital signature schemes and encryption schemes.He is a senior member of IEEE since 2001.

Akbar Majidi received the B.S. and M.S. degreesin computer engineering in 2009 and 2013, respec-tively. He is currently pursuing the Ph.D. degree withthe Department of Computer Science and Engineer-ing, Shanghai Jiao Tong University, He is conductingresearch in networking and computer engineering.His research interests are wireless body area net-works, 5th generation wireless network, softwaredefined networking and network function virtualiza-tion.