SE-CPPA: A Secure and Efficient Conditional Privacy-Preserving Authentication Scheme in Vehicular Ad-Hoc Networks

Abstract

Communications between nodes in Vehicular Ad-Hoc Networks (VANETs) are inherently vulnerable to security attacks, which may mean disruption to the system. Therefore, the security and privacy issues in VANETs are entitled to be the most important. To address these issues, the existing Conditional Privacy-Preserving Authentication (CPPA) schemes based on either public key infrastructure, group signature, or identity have been proposed. However, an attacker could impersonate an authenticated node in these schemes for broadcasting fake messages. Besides, none of these schemes have satisfactorily addressed the performance efficiency related to signing and verifying safety traffic-related messages. For resisting impersonation attacks and achieving better performance efficiency, a Secure and Efficient Conditional Privacy-Preserving Authentication (SE-CPPA) scheme is proposed in this paper. The proposed SE-CPPA scheme is based on the cryptographic hash function and bilinear pair cryptography for the signing and verifying of messages. Through security analysis and comparison, the proposed SE-CPPA scheme can accomplish security goals in terms of formal and informal analysis. More precisely, to resist impersonation attacks, the true identity of the vehicle stored in the tamper-proof device (TPD) is frequently updated, having a short period of validity. Since the MapToPoint hash function and a large number of cryptography operations are not employed, simulation results show that the proposed SE-CPPA scheme outperforms the existing schemes in terms of computation and communication costs. Finally, the proposed SE-CPPA scheme reduces the computation costs of signing the message and verifying the message by 99.95% and 35.93%, respectively. Meanwhile, the proposed SE-CPPA scheme reduces the communication costs of the message size by 27.3%.

1. Introduction

Annually, approximately 1.3 million persons die, and between 20 and 50 million more persons are non-fatally injured as a result of a road traffic accidents [1,2]. Therefore, the technology of Vehicular Ad-Hoc Networks (VANETs) is expected to play a major role in reducing the number of accidents and increasing road safety [3,4]. VANETs have attracted increasing attention from academia, the motor industry, and even the government in recent years [5].

VANETs are an extreme case of Mobile Ad-Hoc Networks (MANETs), in which the vehicle nodes are highly mobile. The main structure includes three components of the VANET, namely a trusted authority (TA), some fixed road-side units (RSUs), and many mobility on-board units (OBUs), as shown in Figure 1. Each vehicle has OBU to share safety traffic-related messages with others or neighbor RSU via vehicle-to-vehicle (V2V) communication and vehicle-to-infrastructure (V2I) communication, respectively. More precisely, the main goals of intelligent transport system (ITS) are to offer safety improving, and driving efficiency in the road environment. With these goals in mind, VANETs have become a promising technology.

Nevertheless, this advantage comes with issues of security, privacy, and performance efficiency. Hence, these issues should be carefully considered in VANETs [6,7,8]. The security issue is crucial in V2V and V2I communications. Due to the inherently insecure nature of the communication between nodes, a VANET is vulnerable to security attacks which may mean disruption to the system [9,10]. It is possible for attackers to replay, modify, and intercept legitimate transmitted safety traffic-related messages. Furthermore, by using a side-channel attack [11,12,13,14], the attacker could obtain the true identity of a vehicle stored in the tamper-proof device (TPD). Consequently, this attacker is being considered as impersonates registered vehicles in VANETs. Once the impersonation attacks broadcast fake messages, it results in creating road chaos and traffic incidents, or even inducing wrong decisions by other vehicles [15,16,17,18,19,20,21].

In addition, the privacy issue is also critical. In a VANET, attackers might obtain the vehicle’s true identity and trace its journey by investigating the captured messages. Such an attack exposes the driver’s personal and other vehicular details, and it can be leveraged to carry out other forms of attacks. Thus, the drivers would be reluctant to use the VANET technology.

Apart from the requirements of security and privacy, performance efficiency is also important in V2V and V2I communications. Within 100–300 ms, the vehicle must send exchanged information according to the DSRC technology. For instance, based on the communication range of vehicle or RSU, when there are 100 vehicles, the receiver is required to authenticate 333–1000 messages per second. Each message can certainly be signed and tested in a secure communication.

Therefore, the received messages should verify the authenticity and validate the integrity by receivers (RSUs or OBUs) before accepting them. Anonymous communication is needed to preserve privacy and to fulfill the unlinkability requirement for the drivers. The existing Conditional Privacy-Preserving Authentication (CPPA), based on either public key infrastructure, group signature, or identity, can be used to satisfy both security and privacy in VANETs. Nevertheless, these schemes have several drawbacks, as discussed in Section 2.

This paper proposes a Secure and Efficient Conditional Privacy-Preserving Authentication (SE-CPPA) scheme for VANETs in order to address drawbacks in the existing CPPA schemes. More precisely, the main contributions of the proposed SE-CPPA scheme are as follows:

• First, this efficient bilinear pair cryptography based on the conditional privacy-preserving authentication (SE-CPPA) scheme satisfies the security and privacy requirements.
• Second, since the vehicle’s true identity is regularly updated at short intervals of time, the proposed SE-CPPA scheme is resistant to impersonation attacks, as attackers are unable to launch side-channel attacks for obtaining the vehicle’s true identity.
• Third, since the signing and verifying of the messages do not employ a MapToPoint hash operation function, the proposed SE-CPPA scheme has a lower overhead compared to the existing schemes based on bilinear pair cryptography.

The remainder of this paper is structured as follows. The existing CPPA schemes for VANETs are reviewed in Section 2. Section 3 introduces the background for the proposed SE-CPPA scheme. The phases of the proposed SE-CPPA schemes are presented in detail in Section 4. Section 5 introduces a security analysis and comparison in this paper. In Section 6, the performance efficiencies of the SE-CPPA and the existing CPPA schemes are evaluated and compared. Lastly, our conclusion is introduced in Section 7.

2. Related Work

In this section, the existing CPPA schemes for VANETs are briefly reviewed. The following categories for the existing CPPA schemes are, namely: Public key infrastructure, group signature, and Identity. These categories will be separately reviewed in the next subsections.

2.1. Public Key Infrastructure-Based CPPA

The main idea of the public key infrastructure-based CPPA schemes [22,23,24,25,26,27,28,29,30] is to preload a massive pool of private/public keys and their matching certificates to the OBUs of vehicles, generated by the TA during the registration process. This approach supports privacy-preserving, since a massive pool of private/public keys and their matching certificates are preloaded in advance.

Joshi et al. [29] designed an event-triggered authentication scheme that sends messages to investigate problems regarding security in the VANET. Asghar et al. [30] designed a feasible PKI-CPPA scheme to tackle the process of authenticating requests, in which the size of the Certificate Revocation List (CRL) is linear. Thus, this scheme enhances the scalability of vehicles’ obtaining services.

Nevertheless, the main limitations of a public key infrastructure based-CPPA schemes are: (i) preloading a massive pool of private/public keys and their matching certificates to the OBUs of the vehicles makes the management of the certificates a serious burden; (ii) the storage of a vehicle in a VANET is limited, since massive keys and their matching certificates are preloaded; (iii) there are additional computational and communication costs, since the certificate is included in the message signature, and the verifier must verify these certificates as well.

2.2. Group Signature Based-CPPA

To address the limitations regarding a public key infrastructure based-CPPA scheme, several researchers design a group signature based-CPPA scheme [31,32,33,34]. These schemes enable the members of the group to sign on behalf of the whole group anonymously. In the event of a dispute, the group manager could retrieve the identification of the sender. Thus, the existing group signature-based CPPA schemes preserve the anonymity of secured authenticated messages. Besides, these schemes ensure secure communication with conditional privacy. Therefore, signing the messages with these schemes can hide the signer’s identity.

Nevertheless, the main limitations of a group signature based-CPPA schemes are: (i) the whole group must be reconstructed; (ii) it is not easy for nodes’ VANETs to update their private keys; (iii) the adversary identifies the group members when the size of the group is small; and (iv) once the number of vehicles revoked is high, the signature’s verification technique becomes time-consumed for VANETs.

2.3. Identity-Based CPPA

To address the limitations regarding a public key infrastructure-based CPPA and group signature-based CPPA schemes, several researchers propose an identity-based CPPA scheme [35,36,37,38,39,40,41]. The primary insight of identity based-CPPA scheme is to extract the public key from the identity information, while the TA creates a private key with the same information. The sender signs the message using its private key, and the verifier can verify this signature by using the sender’s public key.

Bayat et al. [36] designed an identity-based CPPA scheme to save the TA’s private key on the TPD of the OBU on the vehicle. However, the revocation requirement is not satisfied in the scheme designed by [36], which is vulnerable to impersonation attacks. Lei Zhang et al. [37] designed a distributed aggregate CPPA scheme by using a realistic TPD rather than an ideal TPD, since this is more practical. Bayat et al. [38] designed an identity-based CPPA to propose an RSU-based authentication scheme that uses bilinear pair operations to secure the communications. Pournaghi et al. [39] designed an identity-based CPPA to provide secure communications between nodes for VANETs. Nevertheless, it is vulnerable to replay attacks. Zhong et al. [40] found that the CPPA process of the scheme proposed by Lei Zhang et al. [37] introduced a massive computational cost, and it did not indicate who is the aggregator in the aggregation process. Bayat et al. [41] introduced an identity based-CPPA scheme without using an online RSU, for the sake of the security of the communication in the VANET.

Nevertheless, the two evident limitations of an identity based-CPPA scheme are: (i) the vehicle’s true identity preloaded by the TA is vulnerable to impersonation attacks by launching side-channel attacks, since it is not updated rapidly enough; and (ii) the MapToPoint hash function and a large number of cryptography operations are used, which cause a huge performance overhead by the verifier. To address these issues, a Secure and Efficient Conditional Privacy-Preserving Authentication (SE-CPPA) scheme is proposed for resisting impersonation attacks and achieving better performance efficiency during the broadcasting process. The proposed SE-CPPA scheme regularly updates the vehicle’s true identity for the short period of validity assigned by the TA. As well, it does not use the MapToPoint hash function and a large number of cryptography operations.

3. Preliminaries

This section first presents the network model of the proposed scheme; this is followed by a presentation of the security and privacy requirements for VANETs, and finally, the bilinear pair cryptography (BPC) used in the proposed SE-CPPA scheme is defined.

3.1. Network Model

As shown in Figure 1, the main structure of the network model for the proposed SE-CPPA scheme includes three components: TA, RSU, and OBU.

• TA: TA is a fully trusted unit with a great number of resources in terms of computation and communication costs. The TA issues the public parameters of the system for each node in VANETs, and transmits them to each respective node.
• RSU: An RSU is a wireless base station deployed on the road as a bridge interface between the TA and the OBUs. Since RSU has a TPD to save a sensitive information, RSU is considered as a trusted entity in this paper. An RSU connects with the TA by wired technology and connects with vehicles by wireless technology.
• OBU: Each vehicle has an OBU to allow the vehicle to process, receive, and broadcast messages. Each OBU has a TPD that is usually used to keep secrets.

3.2. Security and Privacy Requirements

To maintain the security and privacy of V2V and V2I communications in VANETs, the proposed SE-CPPA scheme should fulfill the following requirements.

• Authentication and integrity: The vehicle or RSU must be able to identify any alteration of the received message, by checking the authentication process and validating integrity, in order to ensure the security of the communications in the VANET.
• Identity privacy-preserving: An attacker must not be able to retrieve the true identity of the vehicle by the capturing messages transmitted. Therefore, the vehicle’s true identity must be kept anonymous from the other legal and illegal nodes for the sake of ensuring the privacy of the drivers.
• Traceability and revocation: The TA must be able to retrieve the true identity of the vehicle from its message in the event of a dispute, so as to avoid misbehaving vehicles from denying their responsibility for a disruption of the system by broadcasting false messages to other registered vehicles.
• Unlinkability: An attacker must not be able to cross-match several messages transmitted by the same source for ensuring privacy-preserving.
• Resistance to security attack: A secure proposed SE-CPPA scheme should resist the following security attacks.

  –

  Replay attacks.

  The malicious nodes aim to replay a previously generated legitimate signature to the recipient.

  –

  Modification attacks.

  The malicious nodes aim to alter the authentic message and broadcast that to other users.

  –

  Impersonation attacks.

  After launching a side-channel attack to retrieve the true identity of the vehicle, the malicious nodes aim to impersonate an authenticated node to broadcast a legitimate message to other nodes. Therefore, the vehicle’s true identity must be frequently updated within a short period of validity.

  –

  Man-In-The-Middle attacks.

  The malicious nodes aim to intercept two sides of the communication and perform data tampering and sniffing.

3.3. Bilinear Pair Cryptography (BPC)

Let $G_1$ and $G_2$ be a cyclic additive and a cyclic multiplicative group, respectively. Both $G_1$ and $G_2$ have the same generator P and prime order p.

BPC is a map e: $G_1\ast G_1$→$G_2$ which has the following properties.

• Bilinearity: Every X, Y∈$G_1$ and a, b∈$Z_p^{*}$, $e(aX,bY)={(X,Y)}^{ab}$.
• Non-degeneracy:e:$(P,P)$≠ 1.
• Computability: Every $X,Y\in G_1$, there is an efficient approach to calculate $e(X,Y)$.

4. Proposed Scheme

In this section, the proposed SE-CPPA scheme is discussed. More precisely, the proposed SE-CPPA scheme consists of seven phases, namely initialization, vehicle registration, mutual authentication, message signing, individual-signature verification, batch-signature verification, and updating the vehicle’s true identity.

Table 1. Notation and their description.

Notation	Description
$TA$	The Trusted Authority
$OBU$	The On-Board Unit
$RSU$	The Road-Side Unit
$TPD$	The Tamper Proof Device
CRL	Certificate Revocation List
P	The base generator P ∈ $G_1$
$h_1,h_2,h_3$	Three secure hash functions
$I{D}_{vi}$, $Pwd$	Identity and password of vehicle
$TI{D}_{SV{P}_i}$	Vehicle’s true identity
$SVP$, $svp$	Short valid period of vehicle’s signature key
$svt$	Short valid period of vehicle’s true identity
${\delta }_{m_i}$, ${\delta }_{RJ}$	The message signature
${\zeta }_i$, k	Random integer
$s_{TA},P_{TA}$	The private/public keys of TA
$S{K}_{svt}$	The signature key of vehicle
⊕	XOR operator
${\gamma }_i$	a random vector
$m_i$	Safety traffic-related messages
‖	Concatenation operation
$ts$	Current timestamp

presents the notation used, and their description in the following phases.

We noted that an external attacker has the ability to impersonate legitimate vehicles by launching side channel attack to disclose the sensitive information stored on TPD of legitimate vehicle when information is not updated; in the result, the external attacker should be possible to forge a secret.

4.1. Initialization

As explained in Section 3.3, the TA executes the initial public parameters of the BPC for the system in the following steps:

• Consider $G_1$ and $G_2$ be groups of a cyclic additive a cyclic multiplicative, respectively, with the same prime order q and generator P. Consider e: $G_1·G_1$∗$G_2$ as a bilinear pairing.
• The TA chooses three functions of secure cryptographic hash $h_1:G\to Z_q^{*}$, $h_2:{\{0,1\}}^{*}\times {\{0,1\}}^{*}\times G\to Z_q^{*}$, and $h_3:{\{0,1\}}^{*}\to Z_q^{*}$.
• The TA chooses a random integer $s_{TA}\in Z_q^{*}$ to be the TA’s master private key, and then calculates $P_{TA}$= $s_{TA}P$ to be its matching master public key.
• The TA preloads the system’s public parameters {$G_1$, $G_2$, P, q, $P_{TA}$, $h_1$, $h_2$, $h_3$} and the TA master private key $s_{TA}$ in each TPD on RSU.

4.2. Vehicle Registration

Prior to the vehicle leaving the factory, the vehicle registration phase via a secure channel (offline) should be executed. Due to the core problem study in this paper, the vehicle’s true identity should be regularly updated to avoid side channel attack. Hence, the proposed scheme is resisting impersonation attacks. As shown in Figure 2, the TA registers each vehicle as follows:

• The driver of the vehicle submits the personal information including the identity $I{D}_{vi}$ and password $Pwd$ to the TA via a secure communication network.
• After the personal information is received, the TA first starts the authenticity of $I{D}_{vi}$.
• After the TA chooses a short period of validity $SVP$, the TA computes the vehicle’s true identity $TI{D}_{SV{P}_i}=h_1(I{D}_{vi}\left|\right|SVP)$.
• The TA saves the tuple {$I{D}_{vi}$, $Pwd$, $TI{D}_{SV{P}_i},SVP$} to its vehicle registration list, and then preloads the system’s public parameters {$G_1$, $G_2$, P, q, $P_{TA}$, $h_1$, $h_2$, $h_3$} and $TI{D}_{SV{P}_i}$ into TPD of $OB{U}_i$ on the vehicle.

4.3. Mutual Authentication

Before the vehicle signs and verifies exchanged messages, it should be authorized with a nearby RSU. Therefore, when a vehicle enters the communication area of an RSU, it starts to broadcast an entering request message. After the messages are validated, the RSU sends a signature key $S{K}_{svt}$ to the vehicle with a chosen timestamp $svt$ that will be valid for a short period of time. To execute the mutual authentication process, the following process should be done.

• The vehicle randomly selects a value ${\zeta }_i$∈$Z_q^{*}$ and then calculates the following pseudonym ID:

  $$\begin{array}{cc}\hfill pi{d}_i& =\{pi{d}_i^1,pi{d}_i^2\}\hfill \\ \hfill & =\{{\zeta }_{i}P,TI{D}_{SV{P}_i}\oplus h_1({\zeta }_i{P}_{TA})\}\hfill \end{array}$$

  (1)
• The vehicle broadcasts the join request {$pi{d}_i^1,pi{d}_i^2,{\delta }_{RJ}$} to a nearby RSU, where ${\delta }_{RJ}=h_2(TI{D}_{SV{P}_i}\left|\right|pi{d}_i^1\left|\right|pi{d}_i^2)$.
• The RSU obtains the vehicle’s true identity using the following equation,

  $$\begin{array}{c}\hfill TI{D}_{SV{P}_i}=pi{d}_i^2\oplus h_1(s_{TA}·pi{d}_i^1)\end{array}$$

  (2)
• The RSU then computes the validity of the request to join {$pi{d}_i^1,pi{d}_i^2,{\delta }_{RJ}$} by calculating

  $$\begin{array}{c}\hfill {\delta }_{RJ}\stackrel{?}{=}{h}_2(TI{D}_{SV{P}_i}\left|\right|pi{d}_i^1\left|\right|pi{d}_i^2).\end{array}$$

  (3)
• The RSU then checks the vehicle’s true identity on its certificate revocation list (CRL). If it is on the list, the request is rejected by the RSU for joining the session. Otherwise, the RSU continues the process.
• The RSU computes the signature key $S{K}_{svt}$ of the vehicle’s true identity from the request to join, as follows:

  $$\begin{array}{c}\hfill S{K}_{svt}=s_{TA}·h_3(pi{d}_i^1\left|\right|pi{d}_i^2\left|\right|svt).\end{array}$$

  (4)
  Here, $svt$ is the expiry of a certain brief period of validity of the timestamp of the created signature key.
• The RSU sends the message of the acceptance of the joining {$S{K}_{svt}^{ENC},pi{d}_i^1,pi{d}_i^2{\delta }_{AJ}$} to the vehicle, where $S{K}_{svt}^{ENC}=S{K}_{svt}\oplus h_2(s_{TA}·pi{d}_i^1)$ and ${\delta }_{AJ}=h_2(S{K}_{svt}\left|\right|pi{d}_i^1\left|\right|pi{d}_i^2)$.
• The vehicle retrieves the signature key from the message of acceptance {$S{K}_{svt}^{ENC},svt,pi{d}_i^1,pi{d}_i^2{\delta }_{AJ}$} by calculating $S{K}_{svt}=S{K}_{svt}^{ENC}\oplus h_2({\zeta }_i{P}_{TA})$, and then verifies the validity of the acceptance by utilizing the following equation.

  $$\begin{array}{c}\hfill {\delta }_{AJ}\stackrel{?}{=}{h}_2(S{K}_{svt}\left|\right|pi{d}_i^1\left|\right|pi{d}_i^2\left|\right|svt).\end{array}$$

  (5)

The process in the proposed SE-CPPA scheme of preloading, as introduced in [42,43], fulfills the requirements of security and privacy of ${\zeta }_l$, the pseudonym IDs, and the signature keys. The TA preloads a new list of ${\zeta }_l$, pseudonym IDs, and signature keys, used for an $svt$ for each vehicle moving in a VANET; close to the expiration time, they are renewed with a new pseudonym ID and pool of signature keys.

4.4. Message Signing

After the signature key, $S{K}_{svt}$ of the vehicle’s true identity has been received, the vehicle is taken into consideration as an authorized component in the VANET. The vehicle signs and sends safety traffic-related messages $m_i$ to other vehicles and RSUs in the VANET. This is executed in the phases listed below.

• The vehicle computes the message signature ${\delta }_{m_i}=S{K}_{svt}·h_3(m_i\left|\right|ts)$, where $ts$ is a current timestamp.
• The vehicle then broadcasts the signature tuple {$pi{d}_i^1$, $pi{d}_i^2$, $m_i$, $svt$, $ts$, ${\delta }_{m_i}$} to the neighboring recipient.

4.5. Individual Signature Verification

At a given point of time, the main aim of this method is to verify only one message with the signature ${\delta }_{m_i}$ on the message $m_i$ by the recipient (OBU or RSU). Once having received the signed message $m_i$, and before accepting it, the recipient checks the authenticity of the node and the validity of the message. This guarantees that no illegitimate recipient is impersonating a legitimate recipient or sending fake messages. The recipient receives an authentic signature ${\delta }_{m_i}=S{K}_{svt}·h_3(m_i\left|\right|ts)$ on the message $m_i$ from the vehicle with a pseudonym ID $pi{d}_i$ and timestamp $ts$, where $i=1$, and checks its authenticity and validity following the steps below.

• Once the signature tuple {$pi{d}_i^1$, $pi{d}_i^2$, $m_i$, $ts$, ${\delta }_{m_i}$} has been received, the vehicle first verifies the timestamp $TS$ and $svt$ validity. If ($ts$ > $t{s}_r-t{s}_{▽}$), where $t{s}_r$ is the time of receiving and $t{s}_{▽}$ is a predefined delay, then $ts$ is considered as fresh. Otherwise, the message is rejected.
• The vehicle uses the public parameters and functions of the system and signature ${\delta }_{m_i}=S{K}_{svt}·h_3(m_i\left|\right|ts)$ on the message $m_i$. When the following Equation (6) holds, the vehicle accepts it.

$$e:({\delta }_{m_i}P)=e:(h_2(pi{d}_i^1\left|\right|pi{d}_i^2\left|\right|svt)h_3(m_i\left|\right|ts),P_{TA})$$

(6)

4.6. Batch-Signature Verification

The main aim of this method is to authenticate a batch of signature messages ${\delta }_{m_i}=\{{\delta }_{m_1},{\delta }_{m_2},{\delta }_{m_3},\dots ,{\delta }_{m_n}\}$ on n traffic-related messages $m_i=\{m_1,m_2,m_3,\dots ,m_n\}$ from n vehicles with n pseudonym IDs $pi{d}_i=\{pi{d}_1,pi{d}_2$, $pi{d}_3,\dots ,$ $pi{d}_n\}$. The verifying recipient checks its authenticity and validity, as shown in the following steps.

• The vehicle verifies the validity of $ts$ and $svt$. If ($ts$ > $t{s}_r-t{s}_{▽}$), $ts$ is considered as fresh. Otherwise, the message is rejected.
• The vehicle uses the small exponent technique [44,45] to avoid denying the validity of the message sent in the SE-CPPA proposed. The vehicle generates a random vector ${\gamma }_i$ = {${\gamma }_1,{\gamma }_2,{\gamma }_3,\dots ,{\gamma }_n$}, where ${\gamma }_i\in$ $[1:2^t]$ and t is a small value.
• To accept them, the vehicle checks whether

$$e\left(\sum _{i=1}^n({\gamma }_i·{\delta }_{m_i})\right)·P=e\left(\sum _{i=1}^n{\gamma }_i·h_2(pi{d}_i^1\left|\right|pi{d}_i^2\left|\right|svt)h_3(m_i\left|\right|ts),P_{TA}\right)$$

(7)

4.7. Updating the Vehicle’s True Identity

In order to resist impersonation attacks, the vehicle’s true identity stored in the TPD should be frequently updated through an online process and annual examination. However, if one were to wait for the next annual examination to update the vehicle’s stored true identity, the adversary would have a long enough period to retrieve a vehicle’s true identity, something that can disrupt the entire VANET by impersonating as an authorized vehicle. During the vehicle, true identity $SVP$ is close to expired; the registered vehicle could not have requested update the lists before the process of $TI{D}_{svp}$ is totally completed to avoid contradictions. As presented in Figure 3, the following steps are used to update the vehicle’s true identity saved in the vehicle by using an online process:

• The vehicle selects a random value $k\in Z_q^{*}$ and calculates $PsI{D}_{i,1}=kP$ and $PsI{D}_{i,2}=TI{D}_{svp}\oplus h_1(k·P_{TA})$. Then, the vehicle broadcasts an update message {$PsI{D}_{v,new}$, $t{s}_1$, ${\delta }_{OB{U}_{new}^i}$} to the TA, where $PsI{D}_v^{new}$ = {$PsI{D}_{i,1}=kP$, $PsI{D}_{i,2}=TI{D}_{svp}\oplus h_1(k·P_{TA})$} and ${\delta }_{OB{U}_{new}^i}$ = $h_3(TI{D}_{svp}\parallel PsI{D}_{i,1}\parallel PsI{D}_{i,2}\parallel$ $t{s}_1)$.
• Once the TA receives the update message {$PsI{D}_{v,new}$, $t{s}_1$, ${\delta }_{OB{U}_{new}^i}$}, the timestamp $t{s}_1$ validity is tested. If $t{s}_1$ is freshness, then the TA computes the vehicle’s old true identity of the authenticated vehicle $TI{D}_{svp}=PsI{D}_{i,2}\oplus h_1(k·P_{TA})$. The TA tests whether ${\delta }_{OB{U}_{new}^i}$ $\stackrel{?}{=}$ $h_3(TI{D}_{svp}\parallel PsI{D}_{i,1}\parallel PsI{D}_{i,2}\parallel$ $t{s}_1)$ holds. The TA then checks whether the tuple ($TI{D}_{svp},svp,I{D}_{vi}$) existing in its registration list; else TA checks the $svp$ validity.
• When the $svp$ has expired, a new short period of validity $sv{p}^{New}$ is chosen by the TA. Then, the TA generates a new true identity $TI{D}_{svp}^{New}=h_3(I{D}_{vi}\parallel sv{p}^{New})$ for the vehicle. It will be discarded if $svp$ is still valid.
• The TA sends an accepted update message ($TI{D}_{svp}^{\mathit{\text{New-enc}}},$ $sv{p}^{New}$) to the vehicle, where $TI{D}_{svp}^{\mathit{\text{New-enc}}}$ = $I{D}_{svp}^{New}\oplus h_1(s_{TA}·PsI{D}_{i,1})$.
• Finally, the vehicle retrieves its new true identity $TI{D}_{svp}^{New}$ = $TI{D}_{svp}^{\mathit{\text{New-enc}}}\oplus h_1(s_{TA}·PsI{D}_{i,1})$ to get the new true identity of the vehicle.

5. Security Analysis and Comparison

This section presents the formal and informal analysis of the proposed SE-CPPA scheme. In addition, the security-based privacy requirements are listed.

5.1. Formal Analysis

The formal analysis presents the security proof regarding the verification equations; this is followed by a description of the steps of the random oracle model.

5.1.1. Security Proof

Theorem 1.

The equations utilized in the proposed SE-CPPA scheme are true.

Proof of Equation (6).

In individual-signature verification, the verifier checks the message using the following Equation (6).

$$\begin{array}{cc}\hfill & L·H·Se\left(\delta m_i·P\right)\hfill \\ \hfill & =e\left(S{K}_{svt}{h}_3(m_i\left|\right|ts),P\right)\hfill \\ \hfill & =e\left(s_{TA}{h}_2(pi{d}_i^1\left|\right|pi{d}_i^2\left|\right|svt)h_3(m_i\left|\right|ts),P\right)\hfill \\ \hfill & =e\left(h_2(pi{d}_i^1\left|\right|pi{d}_i^2\left|\right|svt)h_3(m_i\left|\right|ts),s_{TA}P\right)\hfill \\ \hfill & =e\left(h_2(pi{d}_i^1\left|\right|pi{d}_i^2\left|\right|svt)h_3(m_i\left|\right|ts),P_{TA}\right)\hfill \\ \hfill & =R·H·S\hfill \end{array}$$

Hence, the individual signature verification correctness is true. □

Proof of Equation (7).

In batch-signature verification, the verifier checks a large number of messages by using the following Equation (7). Proof of the correctness:

$$\begin{array}{cc}\hfill & L·H·Se\left(\sum _{i=1}^n{\gamma }_i·\delta m_i·P\right)\hfill \\ \hfill & =e\left(\sum _{i=1}^n{\gamma }_i·S{K}_{svt}{h}_3(m_i\left|\right|ts),P\right)\hfill \\ \hfill & =e\left(\sum _{i=1}^n{\gamma }_i·s_{TA}{h}_2(pi{d}_i^1\left|\right|pi{d}_i^2\left|\right|svt)h_3(m_i\left|\right|ts),P\right)\hfill \\ \hfill & =e\left(\sum _{i=1}^n{\gamma }_i·h_2(pi{d}_i^1\left|\right|pi{d}_i^2\left|\right|svt)h_3(m_i\left|\right|ts),s_{TA}P\right)\hfill \\ \hfill & =e\left(\sum _{i=1}^n{\gamma }_i·h_2(pi{d}_i^1\left|\right|pi{d}_i^2\left|\right|svt)h_3(m_i\left|\right|ts),P_{TA}\right)\hfill \\ \hfill & =R·H·S\hfill \end{array}$$

Hence, the batch-signature verification correctness is true. □

5.1.2. Random Oracle Model

In order to analyze the security proof in the SE-CPPA scheme, the random oracle model analysis defines a game between an attacker $ER$ and the challenger $Ch$. Once $ER$ wins the game, it is easily retrieved from a valid faked signature. Furthermore, the proposed SE-CPPA scheme is secure for VANETs when $ER$ is negligible for any attack.

Theorem 2.

The proposed SE-CPPA scheme for VANETs is unforgeable against an adaptively chosen message attack under the random oracle model.

Proof. 

Assuming $ER$ could forge a valid message of the signature tuple {$pi{d}_i^1$, $pi{d}_i^2$, $m_i$, $svt$, $ts$, ${\delta }_{m_i}$} for the message $m_i$, it would follow that a challenger $Ch$ can be generated to resolve the ECDL problem with non-negligible probability by launching $ER$ as a subroutine. □

Setup initialization phase: Challenger $Ch$ first randomly chooses a value $s_{TA}$∈$Z_q^{*}$ as the system’s private key and computes $P_{TA}$ = $s_{TA}P$ as the system’s public key. Then, $Ch$ broadcasts the public parameters and functions of the system to $ER$.

$Oracle-h_1$. $Ch$ starts the $h_{lis{t}_1}$ with $(\alpha ,\tau h_1)$ form. After, $ER$ receives a message with $(\alpha )$ form, $Ch$ sees whether $(\alpha )$ is in $h_{lis{t}_1}$; if so, $Ch$ transmits $(\tau h_1=h(\alpha ))$ to $ER$. Otherwise, $Ch$ chooses $\tau h_1\in Z_q^{*}$ randomly and adds $(\alpha ,\tau h_1)$ into $h_{lis{t}_1}$. Then, $ER$ broadcasts $\tau h_1=h(\alpha )$ to $Ch$.

$Oracle-h_2$. $Ch$ starts the $h_{lis{t}_2}$ with $(pi{d}_i^1,pi{d}_i^2,\tau h_2)$ form. After, $ER$ receives a message with $(pi{d}_i^1,pi{d}_i^2)$ form, $Ch$ tests whether $(pi{d}_i^1,pi{d}_i^2)$ is in $h_{lis{t}_2}$; if so, $Ch$ broadcasts $\tau h_2=h(pi{d}_i^1\left|\right|pi{d}_i^2\left|\right|\tau h_2)$ to $ER$. Otherwise, $Ch$ randomly chooses $\tau h_2\in Z_q^{*}$ and puts $(pi{d}_i^1,pi{d}_i^2,\tau h_2)$ into $h_{lis{t}_2}$. Then, $ER$ broadcasts $\tau h_2=h(pi{d}_i^1\left|\right|pi{d}_i^2\left|\right|\tau h_2)$ to $Ch$.

$Oracle-h_3$. $Ch$ starts the $h_{lis{t}_3}$ with $(m_i,ts,svt,\tau h_3)$ form. After $ER$ receives a message with $(m_i,ts,svt)$ form, $Ch$ tests whether $(m_i,ts,svt)$ is in $h_{lis{t}_3}$; if so, $Ch$ broadcasts $\tau h_3=h(m_i\left|\right|ts\left|\right|svt\left|\right|\tau h_3)$ to $ER$. Otherwise, $Ch$ chooses $\tau h_3\in Z_q^{*}$ randomly and puts $(m_i,ts,svt,\tau h_3)$ into $h_{lis{t}_3}$. Then, $ER$ broadcasts $\tau h_3=h(m_i\left|\right|ts\left|\right|svt\left|\right|\tau h_3)$ to $Ch$.

Sign Oracle: Once $ER$ sends a sign request, $Ch$ calculates three random numbers, $h_{i,2}$; $h_{i,3}$; ${\sigma }_{m,i}\in Z_q^{*}$, and a random point $pi{d}_i^2$∈G. Then, $Ch$ computes $P_{TA}$ = (${\sigma }_{m,i}P/h_{i,2}·h_{i,3}$). $Ch$ puts $(pi{d}_i^1,pi{d}_i^2,\tau h_2)$ into $h_{lis{t}_2}$ and $(m_i,ts,svt)$ into $h_{lis{t}_3}$. Finally, $Ch$ generates the message of the signature tuple {$pi{d}_i^1$, $pi{d}_i^2$, $m_i$, $svt$, $ts$, ${\delta }_{m_i}$} and transmits it to $ER$. The reply is a valid sign-oracle, since the message of the signature tuple {$pi{d}_i^1$, $pi{d}_i^2$, $m_i$, $svt$, $ts$, ${\delta }_{m_i}$} fulfills the following Equation:

$$\begin{array}{cc}\hfill {\sigma }_{m_i}·P& =h_{i,2}·h_{i,3}{P}_{TA}\hfill \\ \hfill {\sigma }_{m_i}·P& =h_{i,2}{h}_{i,3}·({\sigma }_{m,i}P/h_{i,2}·h_{i,3})\hfill \\ \hfill {\sigma }_{m_i}·P& =(h_{i,2}{h}_{i,3}/h_{i,2}·h_{i,3}){\sigma }_{m,i}P\hfill \\ \hfill & ={\sigma }_{m,i}P\hfill \end{array}$$

Output: Finally, $ER$ outputs the message of the signature tuple {$pi{d}_i^1$, $pi{d}_i^2$, $m_i$, $svt$, $ts$, ${\delta }_{m_i}$}. $Ch$ tests the message using the following Equation (8):

$${\sigma }_{m_i}P=h_{i,2}·h_{i,3}{P}_{TA}$$

(8)

Once (8) does not hold, the game is finished by $Ch$.

According to the Cross Lemma, $ER$ can output another message of signature tuple {$pi{d}_i^1$, $pi{d}_i^2$, $m_i$, $svt$, $ts$, ${\delta }_{m_i}$} that achieves the following Equation (9):

$${\sigma }_{m_i}^{*}P=h_{i,2}^{*}·h_{i,3}^{*}{P}_{TA}$$

(9)

From Equations (8) and (9), it can be obtained

$$\begin{array}{cc}\hfill ({\sigma }_{m_i}-{\sigma }_{m_i}^{*})P& ={\sigma }_{m_i}P-{\sigma }_{m_i}^{*}P\hfill \\ \hfill & =(h_{i,2}·h_{i,3}{P}_{TA})-(h_{i,2}^{*}·h_{i,3}^{*}{P}_{TA})\hfill \\ & =(h_{i,2}·h_{i,3})-(h_{i,2}^{*}·h_{i,3}^{*})P_{TA}\hfill \\ \hfill & =(h_{i,2}·h_{i,3})-(h_{i,2}^{*}·h_{i,3}^{*})s_{TA}·P\hfill \end{array}$$

Then, we can get $({\sigma }_{m_i}-{\sigma }_{m_i}^{*})=(h_{i,2}·h_{i,3}-h_{i,2}^{*}·h_{i,3}^{*})$ $s_{TA}$ mod P. $Ch$ resolves the ECDL problem by calculating $({\sigma }_{m_i}-{\sigma }_{m_i}^{*}).{(h_{i,2}·h_{i,3}-h_{i,2}^{*}·h_{i,3}^{*})}^{-1}$. However, since the difficulty of the ECDL problem with non-negligible probability, the proposed SE-CPPA scheme for VANETs is unforgeable against an adaptively chosen message attack under the random oracle model.

5.2. Informal Analysis

In this subsection, the proposed SE-CPPA scheme is shown below to fulfill the following security and privacy requirements for VANETs.

• Message integrity and authentication:
  Consistent with Theorem 2, when the problem of ECDLP is hard to solve, then no attacker can generate a legal message of the signature tuple {$pi{d}_i^1$, $pi{d}_i^2$, $m_i$, $svt$, $ts$, ${\delta }_{m_i}$} in a specified polynomial time. Thus, the message of the signature tuple fulfills the equation e:$({\delta }_{m_i}P)$ = e:$(h_2(pi{d}_i^1$ $\left|\right|pi{d}_i^2\left|\right|svt)$ $h_3(m_i\left|\right|ts),P_{TA})$, and so the proposed EPBC-CPPA can ensure message integrity and authentication.
• Identity privacy-preserving:
  Assume that an authorized vehicle sends a message of signature tuple {$pi{d}_i^1$, $pi{d}_i^2$, $m_i$, $svt$, $ts$, ${\delta }_{m_i}$} to neighbouring RSUs or vehicles in a VANET, where $pi{d}_i=\{pi{d}_i^1,pi{d}_i^2\}$ = $\{{\zeta }_{i}P,TI{D}_{SV{P}_i}\oplus h_1({\zeta }_i{P}_{TA})\}$ and ${\zeta }_i$∈$Z_q^{*}$. In order to obtain the vehicle’s true identity, the attacker should calculate $TI{D}_{SV{P}_i}=pi{d}_i^2\oplus h_1(s_{TA}·pi{d}_i^1)$. Nevertheless, ${\zeta }_i$ is saved in the TPD, $s_{TA}$ is a random value, and therefore the attacker does not have the ability to obtain $TI{D}_{SV{P}_i}$, since the hardness of the problem is related to the hardness of the Diffie–Hellman problem. So, the proposed EPBC-CPPA can ensure identity privacy-preserving.
• Unlinkability:
  A random number ${\zeta }_i$∈$Z_q^{*}$ is used in the proposed scheme to compute $pi{d}_i=\{pi{d}_i^1,pi{d}_i^2\}$ = $\{{\zeta }_{i}P,TI{D}_{SV{P}_i}\oplus h_1({\zeta }_i{P}_{TA})\}$. The vehicle periodically requests an update of its pseudonym IDs with timestamps $svt$ that are only valid for brief periods. This scheme provides a list of them, to support unlinkability. Thus, no attacker could relate two or more signatures sent by the same vehicle for a long trip. Therefore, the proposed EPBC-CPPA scheme can fulfill the unlinkability requirement.
• Traceability and revocation:
  In the proposed SE-CPPA scheme, the TA has the ability to obtain the vehicle’s true identity from the received pseudonym ID that includes two parts—$pi{d}_i^1={\zeta }_{i}P$ and $pi{d}_i^2=TI{D}_{SV{P}_i}\oplus h_1({\zeta }_i{P}_{TA})$. The TA uses its master private key $s_{TA}$, and calculates

  $$\begin{array}{cc}\hfill & TI{D}_{SV{P}_i}=pi{d}_i^2\oplus h_1({\zeta }_i{P}_{TA})\hfill \\ \hfill & =pi{d}_i^2\oplus h_1({\zeta }_i{s}_{TA}·P)\hfill \\ \hfill & =pi{d}_i^2\oplus h_1(s_{TA}pi{d}_i^1)\hfill \end{array}$$

  (10)
  After the vehicle’s true identity has been traced, the TA should revoke it on the database registration list, saving it in the CRL. Therefore, the proposed EPBC-CPPA scheme can fulfill traceability and revocation requirements.
• Resistance to replay attacks:
  The message of a signature tuple {$pi{d}_i^1$, $pi{d}_i^2$, $m_i$, $svt$, $ts$, ${\delta }_{m_i}$} in the proposed SE-CPPA scheme includes the current timestamp $ts$ to generate the signature of the message ${\delta }_{m_i}=S{K}_{svt}·h_3(m_i\left|\right|ts)$, where $S{K}_{svt}=s_{TA}·h_3(pi{d}_i^1\left|\right|pi{d}_i^2\left|\right|svt)$ and $svt$ is only valid for a brief period of time. Hence, the proposed SE-CPPA scheme for VANETs can resist replay attacks.
• Resistance to modification attacks:
  Consistent with Theorem 2, we show that any alteration of the message of a signature tuple {$pi{d}_i^1$, $pi{d}_i^2$, $m_i$, $svt$, $ts$, ${\delta }_{m_i}$} can be determined by testing whether the equation e:$({\delta }_{m_i}P)$ = e:$(h_2(pi{d}_i^1$ $\left|\right|pi{d}_i^2\left|\right|svt)$ $h_3(m_i\left|\right|ts),P_{TA})$ holds or not. Hence, the proposed SE-CPPA scheme for VANETs can resist the modification attack.
• Resistance to impersonation attacks:
  Many researchers have resorted to storing the vehicle’s true identity in the TPD of the OBU to avoid its being compromised by an adversary. Nonetheless, a misbehaving vehicle could easily obtain the vehicle’s true identity saved in the TPD by launching a side-channel attack. To address this attack, the proposed SE-CPPA scheme frequently updates the ($TI{D}_{SV{P}_i}$) in the TPD during $SVP$, where $TI{D}_{SV{P}_i}=h_1(I{D}_{vi}\left|\right|SVP)$ and $SVP$ is a short period of validity. It has been stated that the vehicle’s true identity is used repeatedly; thus, if the $TI{D}_{SV{P}_i}$ is not regularly updated, this will offer a wide opportunity for an attacker for impersonating and exploiting the registered vehicle’s true identity related to the safety messages. However, $TI{D}_{SV{P}_i}$ is already updated before the vehicle can be impersonated and exploited by a misbehaving vehicle.
• Resistance to man-in-the-middle attacks:
  This SE-CPPA scheme executes mutual authentication between the signer and the recipient. If an attacker launches this attack, the attacker wants to send false messages for sharing with the the signer and the recipient. Nevertheless, based on Theorem 2, the attacker cannot succeed with this attack. Hence, the proposed SE-CPPA scheme for VANETs can resist man-in-the-middle attacks.

5.3. Security and Privacy Comparison

This subsection presents a comparison in terms of security and privacy requirements of the proposed SE-CPPA scheme with the existing schemes.

Table 2. Security analysis-based privacy requirements.

Requirements	Bayat et al. [36]	Lei Zhang et al. [37]	Bayat et al. [38]	Pournaghi et al. [39]	Bayat et al. [41]	SE-CPPA
Message Integrity and Authentication	✓	✓	✓	✓	✓	✓
Identity Privacy-Preserving	✓	✓	✓	✓	✓	✓
Unlinkability	✓	✓	✓	✓	✗	✓
Traceability and Revocation	✗	✗	✓	✓	✓	✓
Resistance to Modification Attacks	✓	✓	✓	✓	✓	✓
Resistance to Replay Attacks	✓	✓	✗	✗	✓	✓
Resistance to Man-in-the-Middle Attacks	✓	✓	✓	✓	✓	✓
Resistance to Impersonation Attacks	✗	✗	✗	✗	✗	✓

presents the results of this comparison. As presented in Table 2, all the existing schemes suffer from impersonation attacks by lunching side channel attacks to retrieve the vehicle’s true identity that saved on the OBU of the registered vehicle for broadcasting fake messages. In contrast, the proposed SE-CPPA scheme regularly updates the vehicle’s true identity at short intervals of time. Therefore, the impersonation attack is resisting by the proposed SE-CPPA scheme.

Furthermore, we know that the schemes proposed by Bayat et al. [36], Lei Zhang et al. [37], Bayat et al. [38], Pournaghi et al. [39] and Bayat et al. [41] for VANETs cannot satisfy all of the security analysis-based privacy requirements, as presented in Table 2. Nevertheless, the SE-CPPA scheme can satisfy all of the security analysis-based privacy requirements.

6. Performance Evaluation and Comparison

In this section, the performance evaluation of the proposed SE-CPPA scheme is analyzed in terms of computation and communication costs. Besides, the performance of the proposed SE-CPPA scheme is compared with Bayat et al. [36], Lei Zhang et al. [37], Bayat et al. [38], Pournaghi et al. [39], and Bayat et al. [41] through a simulation experiment. As shown in Figure 4, this paper uses OMNeT++ [46], Veins [47], MIRACL [48,49], OpenStreetMap [50], GatcomSUMO [51] and SUMO [52] to carry out simulation experiments for VANETs. OMNeT++ is a modular, component-based C++ simulation library for communication networks. Veins is combined with road traffic generation and network generation. MIRACL is a cryptography library used to execute cryptography operations for algorithms. OpenStreetMap is the most prominent crowd-sourced web-based mapping platform. GatcomSUMO is a graphical application used to simplify the utilization of VANET simulation, specifically the SUMO traffic and the OMNeT++ network generation. SUMO is a highly portable, multi-model traffic simulation.

Table 3. Simulation experiment parameters.

Parameters	Value
Simulation time	200 s
Playground size	x = 3463 m, y = 4270 m and z = 50 m
Mac Layer	IEEE 1609.4
Physical Layer	IEEE 802.11 p
Maximum transmission	20 mW
Bit rate	6 Mbps

presents the simulation experiment parameters.

6.1. Computation Cost and Comparison

The bilinear pairing is constructed on the 80 bits security level: e: $G_1$ ∗ $G_1$ → $G_2$, where $G_1$ is an additive group created on a super-singular EC E: $y^2=x^3+xmodp$ with embedding degree 2. For performance evaluation, the following bilinear pairing operations are considered.

• $T_{bp}$: The running time of the operation involving the bilinear pairing $\stackrel{-}{e}$ (P, Q), where $\stackrel{-}{P}$, $\stackrel{-}{Q}$∈$G_1$.
• $T_{bp·pm}$: The running time of the operation of scalar multiplication $s·\stackrel{-}{P}$ involved in the bilinear pairing, where $s\in Z_q^{*}$ and $\stackrel{-}{P}\in G_1$.
• $T_{bp·pa}$: The running time of the operation of point addition $\stackrel{-}{P}$ + $\stackrel{-}{Q}$ involved in the bilinear pairing, where $\stackrel{-}{Q},\stackrel{-}{P}\in G_1$.
• $T_{M·T·P}$: The running time of the MapToPoint hash function.
• $T_h$: The running time of the secure cryptographic hash function.

Table 4. The single cryptographic operation time.

Cryptography Operations	Time (ms)
$T_{bp}$	5.811
$T_{bp·pm}$	1.5654
$T_{bp·pa}$	0.0106
$T_{M·T·P}$	4.1724
$T_h$	0.001

tabulates the single cryptographic operation time are taken into account.

Table 5. Cost of computation comparison.

Schemes	$\mathit{MSP}$	$\mathit{ISVP}$	$\mathit{BSVP}$
Bayat et al. [36]	$5T_{bp}+T_{M·T·P}+2T_h$	$4T_{bp}+3T_{bp·pm}+T_{M·T·P}+2T_h$	$n{T}_{bp}+n{T}_{bp·pm}+n{T}_{M·T·P}+n{T}_h$
Lei Zhang et al. [37]	$2T_{M·T·P}+3T_h$	$3T_{bp}+2T_{M·T·P}+3T_h$	$3T_{bp}+(2n)T_{M·T·P}+(3n)T_h$
Bayat et al. [38]	$1T_{M·T·P}$	$3T_{bp}+1T_{bp·pm}+1T_{M·T·P}$	$3T_{bp}+n{T}_{bp·pm}+n{T}_{M·T·P}$
Pournaghi et al. [39]	$3T_{bp·pm}+T_{bp·pa}+1T_{M·T·P}+2T_h$	$3T_{bp}+3T_{bp·pm}+1T_{M·T·P}+1T_h$	$3T_{bp}+(3n)T_{bp·pm}+n{T}_{M·T·P}+n{T}_h$
Bayat et al. [41]	$1T_{bp}+4T_{bp·pm}+1T_{M·T·P}+1T_{bp·pa}+3T_h$	$2T_{bp}+4T_{bp·pm}+1T_{M·T·P}+1T_{bp·pa}+3T_h$	$(4+n)T_{bp·pm}+n{T}_{M·T·P}+(n)T_{bp·pa}+n{T}_h$
SE-CPPA	$1T_h$	$2T_{bp}+2T_{bp·pm}+2T_h$	$T_{bp}+n{T}_{bp·pm}+(2n)T_h$

presents a comparison of the computational costs of the proposed SE-CPPA and the other existing schemes. For simplicity, $MSP$ denotes the message-signing phase, $ISVP$ denotes the single-signature verification phase, $BSVP$ denotes the batch-signature verification phase. These steps will be separately explained in the following,

6.1.1. MSP

The process of message signing in Bayat et al. [36] scheme consists of five bilinear pair operations $5T_{bp}$, a MapToPoint hash function operation $1T_{M·T·P}$ and two cryptographic hash function operations $2T_h$, hence, the whole computation cost of the message signing process is $5T_{bp}+1T_{M·T·P}+2T_h$. The process of message signing in Lei Zhang et al. [37] scheme consists of two MapToPoint hash function operations $T_{M·T·P}$ and three cryptographic hash function operations $3T_h$; hence, the whole computation cost of the message signing process is $2T_{M·T·P}+3T_h$. The process of message signing in Lei Zhang et al. [37] scheme consists of two MapToPoint hash function operations $2T_{M·T·P}$ and three cryptographic hash function operations $3T_h$; hence, the whole computation cost of the message signing process is $2T_{M·T·P}+3T_h$. The process of message signing in Bayat et al. [38] scheme consists of only one MapToPoint hash function operation $1T_{M·T·P}$; hence, the whole computation cost of the message signing process is $1T_{M·T·P}$. The process of message signing in the Pournaghi et al. [39] scheme consists of three scalar multiplication operations $3T_{bp·pm}$, an addition point operation $1T_{bp·pa}$, one MapToPoint hash function operation $1T_{M·T·P}$ and two cryptographic hash function operations $2T_h$; hence, the whole computation cost of the message signing process is $3T_{bp·pm}+T_{bp·pa}+1T_{M·T·P}+2T_h$. The process of message signing in Bayat et al. [41] scheme consists of two bilinear pair operations $2T_{bp}$, four scalar multiplication operations $4T_{bp·pm}$, an addition point operation $1T_{bp·pa}$, one MapToPoint hash function operation $1T_{M·T·P}$ and three cryptographic hash function operations $3T_h$; hence, the whole computation cost of the message signing process is $2T_{bp}+4T_{bp·pm}+1T_{bp·pa}+1T_{M·T·P}+3T_h$. The process of message signing in the proposed SE-CPPA scheme consists of only one cryptographic hash function operation $1T_h$, hence, the whole computation cost of the message signing process is $1T_h$. Figure 5 shows the comparison of message signing process.

6.1.2. ISVP

The process of single-signature verification in Bayat et al. [36] scheme consists of four bilinear pair operations $4T_{bp}$, three scalar multiplication operations $3T_{bp·pm}$, a MapToPoint hash function operation $1T_{M·T·P}$ and two cryptographic hash function operations $2T_h$; hence, the whole computation cost of the single-signature verification process is $4T_{bp}+3T_{bp·pm}+T_{M·T·P}+2T_h$. The process of single-signature verification in Lei Zhang et al. [37] scheme consists of three bilinear pair operations $3T_{bp}$, two MapToPoint hash function operations $1T_{M·T·P}$ and three cryptographic hash function operations $3T_h$; hence, the whole computation cost of the single-signature verification process is $3T_{bp}+2T_{M·T·P}+3T_h$. The process of single-signature verification in Bayat et al. [38] scheme consists of three bilinear pair operations $3T_{bp}$, a scalar multiplication operation $1T_{bp·pm}$, and a MapToPoint hash function operation $1T_{M·T·P}$; hence, the whole computation cost of the single-signature verification process is $3T_{bp}+1T_{bp·pm}+1T_{M·T·P}$. The process of single-signature verification in Pournaghi et al. [39] scheme consists of three bilinear pair operations $3T_{bp}$, three scalar multiplication operations $3T_{bp·pm}$, a MapToPoint hash function operation $1T_{M·T·P}$ and a cryptographic hash function operation $1T_h$; hence, the whole computation cost of the single-signature verification process is $3T_{bp}+3T_{bp·pm}+1T_{M·T·P}+1T_h$. The process of single-signature verification in the Bayat et al. [41] scheme consists of a bilinear pair operation $1T_{bp}$, four scalar multiplication operations $4T_{bp·pm}$, an addition point operation $1T_{bp·pa}$, a MapToPoint hash function operation $1T_{M·T·P}$, and two cryptographic hash function operations $2T_h$; hence, the whole computation cost of the single-signature verification process is $1T_{bp}+4T_{bp·pm}+1T_{bp·pa}+1T_{M·T·P}+2T_h$. The process of single-signature verification in the proposed SE-CPPA scheme consists of two bilinear pair operations $2T_{bp}$, two scalar multiplication operations $2T_{bp·pm}$, and two cryptographic hash function operations $2T_h$; hence, the whole computation cost of the single-signature verification process is $2T_{bp}+2T_{bp·pm}+2T_h$. Figure 6 shows the comparison of single-signature verification process.

6.1.3. BSVP

The process of batch-signature verification in Bayat et al. [36] scheme consists of n bilinear pair operations $n{T}_{bp}$, n scalar multiplication operations $n{T}_{bp·pm}$, n MapToPoint hash function operations $n{T}_{M·T·P}$ and n cryptographic hash function operations $n{T}_h$, hence, the whole computation cost of the batch-signature verification process is $n{T}_{bp}+n{T}_{bp·pm}+n{T}_{M·T·P}+n{T}_h$. The process of batch-signature verification in Lei Zhang et al. [37] scheme consists of 3 bilinear pair operations $3T_{bp}$, 2n MapToPoint hash function operations $2n{T}_{M·T·P}$ and 3n cryptographic hash function operations $3n{T}_h$, hence, the whole computation cost of the batch-signature verification process is $3T_{bp}+(2n)T_{M·T·P}+(3n)T_h$. The process of batch-signature verification in Lei Zhang et al. [37] scheme consists of 3 bilinear pair operations $3T_{bp}$, 2n MapToPoint hash function operations $2n{T}_{M·T·P}$ and 3n cryptographic hash function operations $3n{T}_h$, hence, the whole computation cost of the batch-signature verification process is $3T_{bp}+(2n)T_{M·T·P}+(3n)T_h$. The process of batch-signature verification in Bayat et al. [38] scheme consists of 3 bilinear pair operations $3T_{bp}$, n scalar multiplication operations $n{T}_{bp·pm}$ and n MapToPoint hash function operations $n{T}_{M·T·P}$, hence, the whole computation cost of the batch-signature verification process is $3T_{bp}+n{T}_{bp·pm}+n{T}_{M·T·P}$. The process of batch-signature verification in Pournaghi et al. [39] scheme consists of 3 bilinear pair operations $3T_{bp}$, 3n scalar multiplication operations $3n{T}_{bp·pm}$, n MapToPoint hash function operations $n{T}_{M·T·P}$ and n cryptographic hash function operations $n{T}_h$, hence, the whole computation cost of the batch-signature verification process is $3T_{bp}+(3n)T_{bp·pm}+n{T}_{M·T·P}+n{T}_h$. The process of batch-signature verification in Bayat et al. [41] scheme consists of ($4+n$) scalar multiplication operations $(4+n)T_{bp·pm}$, n addition point operations $n{T}_{bp·pa}$, n MapToPoint hash function operations $n{T}_{M·T·P}$ and n cryptographic hash function operations $n{T}_h$, hence, the whole computation cost of the batch-signature verification process is $(4+n)T_{bp·pm}+n{T}_{M·T·P}+(n)T_{bp·pa}+n{T}_h$. The process of batch-signature verification in the proposed SE-CPPA scheme consists of a bilinear pair operations $T_{bp}$, n scalar multiplication operations $n{T}_{bp·pm}$ and 2n cryptographic hash function operations $2n{T}_h$, hence, the whole computation cost of the batch-signature verification process is $T_{bp}+n{T}_{bp·pm}+(2n)T_h$. Figure 7 shows the comparison of batch-signature verification process.

6.2. Communication Overhead and Comparison

This section analyses and compares the communication cost of the proposed SE-CPPA and other schemes. The main focus is the communication cost involved in the pseudonym-IDs, signatures, and timestamps for the signature tuple.

Table 6. The costs of several bilinear pairing operations.

Items Size	Cost (Bytes)
$\stackrel{-}{P}$	64
The elements in $G_1$	128
The output of a hash function	20
The output of timestamp	4

presents the costs of several bilinear pairing operations.

The size of the signature tuple {$I{D}_i$, $M_i$, ${\sigma }_i$, $T_i$ } in the scheme of Bayat et al. [36] is 128 × 3 + 4 × 1 = 388 bytes, which contains three elements in $G_1$ ($I{D}_{i1},I{D}_{i2},{\sigma }_i\in G_1$) and one timestamp ($T_i$), where $I{D}_i=\{I{D}_{i1},I{D}_{i2}\}$. The size of the signature tuple {$m_i$, $PPI{D}_{i,t}$, ${\sigma }_i$ } in the scheme of Lei Zhang et al. [37] is 128 × 2 = 256 bytes, which contains two elements in $G_1$ ($PPI{D}_{i,t}$, ${\sigma }_i\in G_1$). The size of the signature tuple {$M_i$, $pi{d}_i$, ${\sigma }_i$ } in the scheme of Bayat et al. [38] is 128 × 2 + 20 = 276 bytes, which contains two elements in $G_1$ ($I{D}_{i1},{\sigma }_i\in G_1$), one outputs regarding the hash function ($I{D}_{i2}\in Z_q^{*}$) and one timestamp ($T_i$), where $pi{d}_i$= $PI{D}_1,PI{D}_2$. The size of the signature tuple {$pI{D}_i$, ${\sigma }_i$, $M_i$, $I{D}_{RSU}$ } in the scheme of Pournaghi et al. [39] is 128 × 3 + 20 = 404 bytes, which contains three elements in $G_1$ ($I{D}_{i1},I{D}_{i2},{\sigma }_i\in G_1$) and one timestamp ($T_i$), where $I{D}_i=\{I{D}_{i1},I{D}_{i2}\}$. The size of of the signature tuple {$V,m,r,T_{i1},$ $T_{i2},T_{i3},PI{D}_i,ts$} in Bayat et al. [41] is 128 × 4 + 20 × 2 + 4 × 2 = 556 bytes, which contains four elements in $G_1$ ($T_{i1},$ $T_{i2},T_{i3},PI{D}_i\in G_1$), two outputs regarding the hash function ($V,r\in Z_q^{*}$) and one timestamp ($ts$). The size of of the signature tuple {$pi{d}_i^1$, $pi{d}_i^2$, $m_i$, $svt$, $ts$, ${\delta }_{m_i}$} in the proposed SE-CPPA scheme is 128 × 1 + 20 × 2 + 4 × 2 = 216 bytes, which contains one element in $G_1$ ($pi{d}_i^1\in G_1$), two outputs regarding the hash function ($pi{d}_i^2,{\delta }_{m_i}$ $\in Z_q^{*}$) and two timestamps ($svt,ts$).

The communication cost of each scheme is presented in

Table 7. Communication cost comparison.

Schemes	Broadcasting One Message	Broadcasting n Messages
Bayat et al. [36]	388	388n
Lei Zhang et al. [37]	256	256n
Bayat et al. [38]	276	276n
Pournaghi et al. [39]	404	404n
Bayat et al. [41]	556	556n
SE-CPPA	216	216n

. Figure 8 compares the communication overheads of the SE-CPPA and the other schemes.

7. Conclusions

In this paper, a Secure and Efficient Conditional Privacy-Preserving Authentication (SE-CPPA) scheme for VANETs has been proposed. In contrast with the existing schemes, it has the ability to resist impersonation attacks, since it frequently updates the vehicle’s true identity stored on a TPD on the vehicle. In a region with dense traffic, the batch-signature verification process in the SE-CPPA scheme efficiently checks a large number of the signature tuple messages sent from different components in the VANET. The security proof showed that the proposed SE-CPPA scheme resists security attacks and fulfills requirements regarding security and privacy. Lastly, due to the fact that the proposed SE-CPPA scheme does not employ time-consuming operations involving the MapToPoint hash function while signing and verifying the messages, it has lower overhead costs in contrast to the existing schemes. Hence, SE-CPPA has a more efficient performance regarding computational and communication costs. In the future work, further performances in terms of end-to-end delay and throughput will be briefly analyzed and introduced by using OMNeT++ and SUMO simulations.