PCP: A Pseudonym Change Scheme for Location Privacy Preserving in VANETs

In vehicular ad hoc networks (VANETs), pseudonym change is considered as the vital mechanism to support vehicles’ anonymity. Due to the complicated road conditions and network environment, it is a challenge to design an efficient and adaptive pseudonym change protocol. In this paper, a pseudonym change protocol for location privacy preserving (PCP) is proposed. We first present the requirements of pseudonym change in different scenarios. According to variable network states and road conditions, vehicles are able to take different pseudonym change strategies to resist the tracking by global passive adversaries. Furthermore, the registration protocol, authentication protocol, pseudonym issuance protocol, and pseudonym revocation protocol are introduced for the pseudonym management mechanism. As a consequence, it is not feasible for global passive adversaries to track a vehicle for a long time and obtain the trajectory of the vehicle. The analysis results show that the security and performance of PCP are improved compared with the traditional ones.


Introduction
The intelligent transportation system (ITS) is regarded as an important part of next-generation urban transport, which integrates a variety of advanced technologies (e.g., sensor technology, intelligent control technology) to improve convenience for drivers and pedestrians [1]. Being able to keep a stable network connection and provide a diversity of services, vehicular ad hoc networks (VANETs), as the essential part of the ITS, have had increasing attention paid to them [2]. According to the current features of urban traffic (e.g., rapid vehicle movement, uneven traffic distribution), VANETs have formed the standard in line with the future development of intelligent transportation [3], while still facing the following challenges:
(1) Fast topology change: The fast-changing network topology caused by the instability of vehicle velocity has put forward more requirements for VANETs to provide stable network communication services, such as routing algorithms and congestion prediction mechanisms.
(2) Non-static network density: The fast topology change causes the continuous change of the service intensity of roadside units (RSUs), which leads to a delay in responding to requests from vehicles. In addition, the instability of the signal-to-noise ratio caused by network density also affects the stability of communication.
(3) Wireless communication environment: Owing to the wireless medium's nature, it is difficult to protect the security of communication.
(4) Limited communication duration: Vehicles need to avoid performing high calculations or storing excessive data to complete the authentication and data transmission as soon as possible.
Figure 1 shows the framework of VANETs. RSUs, as the roadside infrastructure, are deployed on both sides of the road. RSUs are able to collect the driving state of the surrounding vehicles, predict the traffic flow situation nearby, provide certain driving suggestions for vehicles, and support the road condition warning service. In addition, RSUs support providing network services for vehicles by connecting with the base station.
Vehicles equipped with on-board units (OBUs) can communicate with surrounding vehicles and RSUs to obtain a variety of application services. In addition, each vehicle is also equipped with a GPS receiver to have an accurate location and time [4]. In order to ensure the driving safety of vehicles, vehicles are required to send the message related to their driving status regularly to surrounding vehicles and RSUs [5], e.g., basic safety message (BSM) [6]. The BSM guarantees that vehicles are aware of the danger so as to make appropriate decisions in time. However, the adversaries in the communication range are able to collect and aggregate received data through eavesdropping on the BSM. Consequently, the location privacy of vehicles and the individual privacy of vehicle owners are threatened. For the purpose of protecting vehicle location privacy, the IEEE 1609.2 standard suggests using a pseudonym instead of the real identity [7]. Accordingly, it becomes impossible to obtain the private information of the vehicle owners through utilizing the real identity of vehicles. However, if there is no effective strategy to support pseudonym change, the adversaries can still link the pseudonym and the real identity through tracking vehicles for a long time, thus invading the location privacy of vehicles [8].
Figures 2 and 3 depict the syntactic linking scenario and the semantic linking scenario of VANETs, respectively [9].
In the syntactic linking scenario, if a vehicle changes from pseudonym $PS_1$ to pseudonym $PS_2$ while other vehicles decide not to change their pseudonyms at the same time, it is obvious that the adversaries are able to determine that $PS_1$ and $PS_2$ are from the same vehicle. In the semantic linking scenario, vehicles at the intersections are required to change their pseudonyms. However, if the vehicle (holding $PS_1$) does not change its trajectory or there is no vehicle with a similar driving status around the vehicle, the adversaries are still able to utilize advanced tracking algorithms to predict the location of the vehicle according to the BSM regularly sent by the vehicle. As a result, the semantic linking attack makes adversaries believe that $PS_1$ and $PS_2$ belong to the same vehicle.
Moreover, the frequency of pseudonym change is the important factor that affects the location privacy degree. The higher the frequency of pseudonym change, the better the degree of privacy protection. However, due to limited bandwidth, the frequency should not seriously hinder the performance. Consequently, it is crucial to design a secure and efficient pseudonym change scheme to guarantee that any adversaries cannot associate the same vehicle with two different pseudonyms or track a certain vehicle for a long time.
Up to the present moment, a large number of pseudonym change strategies have been proposed, such as mix zones and silent periods. The core idea of these strategies is to find or create opportunities to break the continuous tracking of vehicles. However, in the silent period mechanism, the time window is limited by the interval of the BSMs. In the mix zone mechanism, the security of the pseudonym change depends on the number of pseudonyms changed synchronously in the mix zone. Moreover, the glaring issue is that the strength of the privacy protection of the above schemes heavily depends on the vehicle density within the communication range. Under low-density conditions, it is difficult to keep high location privacy. In order to address the above issues, we propose a novel pseudonym change scheme for location privacy preserving in VANETs (PCP):
(1) We improve the ID-based linearly homomorphic signature scheme and construct a pseudonym generation and aggregate protocol, where vehicles are able to calculate legitimate pseudonym certificates without the participation of the RSUs. Meanwhile, vehicles can judge the conditions for pseudonym change independently and obtain the necessary information through vehicle-to-vehicle (V2V) communication to enhance the safety of the subsequent pseudonym change protocol.
(2) The vehicle registration protocol, authentication protocol, and pseudonym revocation protocol are proposed, which guarantee that all legal vehicles are able to communicate with surrounding entities and compromised vehicles can be revealed in time.
(3) The computational cost and communication cost are adopted to evaluate the performance of the V2I authentication protocol in PCP. In addition, the vehicles in network simulation framework (Veins) is introduced to simulate the pseudonym change protocol of the proposed scheme to verify the effectiveness.
The remainder of the paper is organized as follows. Section 2 discusses the related works on pseudonym change. Section 3 revisits the preliminaries and presents the improved identity-based signature mechanism. The details of the proposed scheme (PCP) are given in Section 4. Sections 5 and 6 analyze the security and performance of PCP, respectively. Finally, we conclude the work and present the future work in Section 7.

Related Works
In recent years, a large number of pseudonym change schemes have been proposed. Generally, the taxonomy of pseudonym change strategies includes mix-zone-based strategies and silent-period-based strategies.

Mix-Zone-Based Strategies
This strategy requires that vehicles change their pseudonyms in fixed areas, called mix zones, where the location of the mix zones is usually determined by the RSUs. Ref. [10] proposed cryptographic mix zones (CMIX zones). In a CMIX zone, the BSMs are transmitted as ciphertext. External adversaries cannot obtain any useful information related to the pseudonym change. However, the proposed scheme does not consider the size of the anonymity set. If there are few vehicles in a CMIX zone, adversaries still have the ability to track the target vehicle with high probability. In order to solve the problem, Lu et al. suggested a mix zone that is deployed at social spots [11], such as intersections or a spot near a shopping mall. The most feasible case is the intersection with high traffic flow and traffic lights, where there are a large number of slow-moving vehicles that have enough time to change their pseudonyms. Refs. [12][13][14] utilized roadside infrastructure to support vehicle pseudonym changing. Ref. [12] suggested building the vehicular location privacy zone, where two infrastructures called the router and aggregator are deployed at both ends of the vehicular location privacy zone (VLPZ), which are responsible for ensuring the unlinkability of the pseudonym changing, respectively. When a vehicle arrives at the router in the VLPZ, the vehicle stops broadcasting the BSM. The router selects a lane for the vehicle randomly, and the vehicle is required to change its pseudonym before reaching the aggregator. As the exit order is different from the entering order due to random residency periods, it is difficult to link the same vehicle. Ref. [13] depended on fog computing to provide the pseudonym change service for vehicles. Different from ref. [12], the new pseudonyms for all vehicles in the mix zone are provided by the RSUs. Ref. [13] alleviated the computational cost and storage cost of the central authority to improve the efficiency of updating pseudonyms. 
In the above schemes, the shared key is usually adopted to resist external attacks. However, if a vehicle is compromised, the adversaries can eavesdrop on the communication message from the vehicle inside the mix zone and still be able to track the target vehicle. In order to solve this issue, ref. [14] proposed a pseudonym swap scheme based on differential privacy. When a vehicle needs to change its pseudonym, the vehicle sends the request message to the RSUs and the surrounding vehicles. Other vehicles that need to change the pseudonym send the same message to the RSUs and apply to join the pseudonym swap. The RSUs collect the request messages and use the pseudonym swap algorithm to assign a new pseudonym for each vehicle according to differential privacy. The scheme realizes a pseudonym exchange scheme where the RSUs have the ability to guarantee pseudonym indistinguishability and achieve the unlinkability between the new pseudonym and the old one. However, the heavy computation and communication costs result in the low efficiency of the scheme. In LIAP [15], vehicles are able to use the certificate from the CA to enter the security domain in the RSU. The RSU is required to periodically change the public key in the domain, and vehicles can change their pseudonyms according to the change of the public key, thereby guaranteeing that the pseudonyms are changed periodically. Nevertheless, vehicles have to communicate with the RSU before changing their pseudonyms. As a result, under special conditions, the pseudonym of vehicles cannot be changed since they cannot communicate with the RSU in time.

Silent-Period-Based Strategies
The silent-period-based strategy refers to the transition period of the pseudonym change. In a silent period, no vehicle is allowed to disclose either the old or the new identity and location [16]. Different from mix-zone-based strategies, silent-period-based strategies support the vehicles in choosing the area of the pseudonym change independently, and the time of the pseudonym change can be determined through negotiation among the vehicles. Normally, silent-period-based strategies require that the vehicles in VANETs establish a group through communication. These vehicles in the group determine the time and mechanism of the pseudonym change, and other vehicles outside the group cannot obtain any useful information within the group [17]. In ref. [18], vehicles detected, from the received BSMs, whether the surrounding vehicles are likely to cooperate in the pseudonym exchange. If the driving state of the surrounding vehicles is similar to the vehicle, the pseudonym change scheme will be activated. When changing the pseudonym, each vehicle is requested to broadcast a BSM with the position where the pseudonym change starts and set the speed to 0 until the pseudonym change is complete. Nevertheless, since vehicles cannot provide accurate road information to the owners, a serious impact on traffic may be caused consequently. In ref. [19], each vehicle owned a time-slotted pseudonym pool. In each time slot, only one pseudonym is legal. At the end of each time slot, vehicles are required to exchange pseudonyms to guarantee anonymity. In particular, the time of exchanging pseudonyms is determined by the driving state of the surrounding vehicles. The proposed scheme eliminates the mapping between the pseudonym and vehicle and achieves the reuse of old pseudonyms. Furthermore, due to the fixed-size pseudonym pool, the workload of the certificate authority (CA) only depends on the number of vehicles joining the network.
However, the scheme does not give the details of how to verify the legality of the pseudonym. Ref. [20] provided a pseudonym changing strategy (SLOW), which does not require extensive RSUs or a complex communication procedure. When the speed of the vehicle is slower than the given threshold, the vehicle stops broadcasting the BSM and any other message containing location or trajectory data and changes its pseudonym. However, if the vehicle stops broadcasting the BSM, it is difficult for other vehicles to accurately obtain the surrounding road condition information [21]. Ref. [22] proposed a cooperative pseudonym change scheme based on a trigger. In the proposed scheme, a "Readyflag" bit is inserted into the BSM. According to the value of "Readyflag" (0 or 1) in the received BSM, the vehicle determines whether to cooperate with the vehicles in the vicinity to change the pseudonym together. Ref. [22] not only enabled vehicles to obtain the willingness of surrounding vehicles to change pseudonyms in time, but also expanded the size of the anonymous set. However, ref. [22] did not give the details about how to change the pseudonym. Besides, the influence of the vehicle running state on the security of pseudonym change was not considered. Ref. [23] proposed Mix Group to solve the issue that a small group is weak in preserving privacy while a large-scale group leads to low efficiency in managing the signatures. According to the "Pareto principle", Mix Group supports the pseudonym exchange protocol for vehicles with a common driving status under any road condition, which guarantees that the location privacy is substantially enhanced. However, the pseudonym exchange is carried out independently between vehicles. Once a vehicle is compromised, it is difficult to track the illegal vehicle. Ref. [24] gave three options: cooperative pseudonym exchange (CPE), scheme permutation (SP), and CPE plus SP (CPESP), to improve the location privacy.
Vehicles are able to choose the appropriate option according to different traffic statuses. As the scheme does not give the details about the pseudonym change, we cannot determine the security of the scheme. In SPA [25], vehicles store the password issued by the TA in tamper-proof devices (TPDs). The TPD is responsible for generating and changing the pseudonyms of vehicles. However, in order to protect the privacy, vehicles have to choose the appropriate time to change the pseudonym according to the nearby road conditions. Ref. [26] adopted blockchain technology to support the location privacy preserving of vehicles (BELP). BELP removes the central authority, which effectively prevents vehicle privacy from being tampered with or leaked by internal adversaries. However, the proposed scheme does not give the details of pseudonym generation and illegal vehicle revocation. Once a vehicle misbehaves, it is critical to track the vehicle and remove it from the VANET in a timely manner.
Due to the heavy dependence on the deployment density of mix zones and the driving state of surrounding vehicles, mix-zone-based strategies lack the flexibility to support the pseudonym change. Silent-period-based strategies make the vehicle unable to transmit or receive accurate road condition information in time, which may affect the driving safety of the vehicle. Consequently, it is very important to design an effective mechanism to adapt to the pseudonym change in various scenarios.

Bilinear Pairing
Let $G_1$ be the additive cyclic group of prime order $q$ with $\lambda$ bits and $G_T$ be the multiplicative cyclic group of the same order. $e : G_1 \times G_1 \rightarrow G_T$ is a bilinear pairing with the following properties [27]:
(1) Bilinearity: $\forall P, Q \leftarrow G_1$ and $\forall a, b \leftarrow Z_q^*$, there is $e(P^a, Q^b) = e(P, Q)^{ab}$.
(2) Non-degeneracy: $\exists P, Q \leftarrow G_1$, $e(P, Q) \neq 1_{G_T}$.

Computational Diffie-Hellman Assumption
Given a random generator $P \leftarrow G_1$, random numbers $a, b \leftarrow Z_q^*$, and security parameter $\lambda$, the advantage of an algorithm $A$ in solving the computational Diffie-Hellman problem in group $G_1$ is We say that an algorithm $A$ $(t, \tau)$-breaks the computational Diffie-Hellman problem in $G_1$ if $A$ runs in time at most $t$ and $ADV^{CDH}_{A} \geq \tau$.

Identity-Based Signature Mechanism
The identity-based signature (IBS) is a special signature where the verifier is able to verify the signature given the identity information from the signer. PCP adopts the CC signature [28] and improves Lin's signature scheme [29] to support the anonymous authentication protocol and pseudonym change protocol, which includes a tuple of four PPT algorithms: Setup, Extract, Sign, Verify.
$(msk, params) \leftarrow Setup(1^{\lambda})$. Let $G_1$, $G_T$ be the additive group and multiplicative group such that $|G_1| = |G_T| = q$. A bilinear pairing is defined by $e$ : $Setup(1^{\lambda})$ outputs the master key $msk = \{x, x\}$ and the public parameters $params = \{G_1, G_T, q, e, P, P_{pub}, P_{pub}, H, H_1, H_2\}$.
$SK_{ID} \leftarrow Extract(msk, ID)$. Given the master key $msk$ and user identity $ID$, return secret key .
This algorithm takes the user identity $ID$, secret key $SK_{ID}$, and messages $M_1$, $M_2$ as the input and outputs the signature
Given the signer's identity $ID$, messages $M_1$, $M_2$, and signature $\sigma$, the verifier checks $CC\_Verify(ID, w, \sigma_1) \stackrel{?}{=} 1$ and $e(\sigma_2, P)$ . If both of the above equations hold, output 1, and 0 otherwise.
The security of the above signature algorithms is based on the CDH assumption. The formal security proof is detailed in Appendix A.2.

The Proposed Scheme
In this section, a pseudonym change scheme for location privacy preserving in VANETs is elaborated. Figure 4 shows the scenario and participating entities of each protocol, which include system initialization, the registration protocol, the authentication protocol, the pseudonym issuance protocol, the pseudonym change protocol, and the pseudonym revocation protocol. In addition, the system architecture, adversary model, and security requirements are introduced first before describing the details of the scheme. The notations and descriptions are listed in Table 1.

Table 1. Notations and descriptions.
$ID_A$: The real identity of entity A.
$PS_i$: The ith pseudonym of the vehicle issued by the TA. Each vehicle owns n pseudonyms $PS = \{PS_i\}_{i \in n}$.
$PK_i/SK_i$: The public and private key pair of vehicle A's pseudonym $PS_i$.
$PS^{BS}_i$: The ith pseudonym of the vehicle issued by the base station. Each vehicle owns w pseudonyms
The session key between entity A and entity B.
$Cert^{BS}_{PS_i}$: The ith certification of $PS^{BS}_i$ generated by the base station.
$TS_i$: The ith current timestamp.
$N_i$: The ith challenge value.
$EXP$: The expiration of the pseudonym.
$H_i$: The ith hash function.
The signature generated by entity A.
$Enc_K\{M\}$: Encrypt message M with the key K.
The ciphertext generated by entity A and the ciphertext sent to entity B.
$num$: The number of responses received by the vehicle when it sends a pseudonym change request.
The start time, the end time of pseudonym broadcast, and the pseudonym change time, respectively.

System Architecture
Figure 5 shows the system architecture of PCP, which includes four components: trust authority (TA), base station (BS), roadside unit (RSU), and vehicle.
The TA is responsible for generating public parameters, pseudonyms, and public/private key pairs for vehicles, BSs, and RSUs. In addition, when a vehicle is compromised or conducts illegal behavior, the TA can assist other entities to disclose the real identity of the vehicle and exclude the vehicle from the system in time.
The BSs are deployed in multiple regions in the city, and the RSUs in each region are managed by the BSs. Besides, in PCP, the BSs generate temporary pseudonyms for vehicles in the region.
The RSUs adopt DSRC/WAVE to connect with the vehicles in the vicinity and provide a series of application services for legal vehicles [3,30]. Meanwhile, RSUs provide the pseudonyms' related authentication and change services for the vehicles.
The vehicles communicate with the surrounding RSUs and other vehicles to obtain the services. In order to protect vehicles' location privacy, available strategies are required to support pseudonym changes under the four scenarios shown in Figure 4.
• Scenario 1: In the area with a low vehicle density and no RSUs, if there are non-negligible differences in vehicle driving statuses, it is difficult to make an effective mechanism of pseudonym change in order to resist the tracking of external attackers. However, we hope to provide an efficient mechanism to make full use of such a scenario and obtain enough useful information as much as possible, so as to provide a higher level of location privacy preserving.
• Scenario 2: There is a high vehicle density in this area, and RSUs exist to provide services for surrounding vehicles. In this scenario, the vehicles and RSUs can cooperate to change their pseudonyms and resist the attacks from external adversaries for protecting the location privacy of vehicles.
• Scenario 3: The RSUs exist, but the vehicle density is low. The RSUs can provide the pseudonym update service for vehicles that are running out of pseudonyms. Multiple pseudonym change mechanisms are available.
• Scenario 4: This area has a high vehicle density without RSUs. The vehicles can use the pseudonym change mechanism to change their pseudonyms through their cooperation.
Since a variety of pseudonym change schemes are proposed in Scenario 2 and Scenario 3, PCP focuses on the details of pseudonym change in Scenario 1 and Scenario 4.

Adversary Model
It is assumed that the adversaries are the global passive adversaries (GPAs). The global adversary holds the capacity to eavesdrop on the communication message of the whole network. The passive adversary refers to the adversary that does no more than eavesdropping on the communication traffic in the VANET [9]. Therefore, a GPA has the ability to eavesdrop on the BSMs of all vehicles in the region of interest. In PCP, we assume that the GPAs know the pseudonym change strategy and vehicles are required to broadcast BSMs to vehicles in the vicinity periodically while driving, which includes the identifier, position, velocity, direction, etc. If a vehicle does not change its identifiers for a long time, the GPAs are able to eavesdrop on the BSM sent by the vehicle, track the designated vehicle, and obtain the vehicle's trajectory and privacy via the syntactic linking attack and the semantic linking attack.

Security Requirements
In this section, we assume that the TA is honest and trustworthy, but there is no trust relationship among the other entities in the VANET. According to [8,31], the proposed scheme should meet the following goals:
• Anonymity: No adversary is able to extract the vehicle's real identity from its pseudonym. The identities broadcast by vehicles are required to be anonymous within a set of potential vehicles, which ensures that no entities can obtain useful information about the real identity of vehicles. Moreover, anonymity is supposed to be conditional according to the security requirements of VANETs.
• Unlinkability: If the adversaries can obtain the messages sent by vehicles through monitoring, it is difficult to determine whether the consecutive received messages are sent by the same vehicle. In the pseudonym change protocol, no pseudonym should reveal any connections among vehicles.
• Mutual authentication: As the basic security requirement, mutual authentication focuses on identities and messages. Identity authentication means that the identity claimed by the entity is legal. Message authentication requires that the integrity of the message be able to be verified.
• Traceability: In a secure network architecture, it is essential to provide an efficient mechanism to trace the origin of the message. However, such a mechanism can only be effective under an authorized authority.
• Session key agreement: For data transmission, the confidentiality of the data is also a security requirement of VANETs. Therefore, after finishing the initial authentication, designing a session key agreement mechanism between entities in VANETs to encrypt the communication messages usually needs to be considered.
• Location privacy: Vehicle owners usually do not want their location to be exposed in sensitive areas. Consequently, vehicles need to change their identity information at specific areas, so that the adversaries cannot track the specific vehicle for a long time or obtain the driving trajectory.
• DoS attack resistance: The external adversaries are able to forge and broadcast a large number of invalid messages to consume the computational resource of the vehicles, which leads to legitimate messages possibly being dropped. As a result, it is necessary to ensure a low computational overhead for vehicles during communication.

System Initialization
During system initialization, the TA generates and broadcasts public parameters to the whole network. The details are shown as follows:
• Let $G_1$ and $G_T$ be the additive group and multiplicative group, respectively, where $|G_1| = |G_T| = q$ for the same prime order $p$. $P$ is the generator of $G_1$. Let $e$ be a bilinear pairing: The TA chooses $x, x \leftarrow Z_q^*$ as the master key and $s \leftarrow \{0, 1\}^n$ as the key of the AES-256 encryption algorithm and computes the public key $P_{pub} = xP$, $P_{pub} = xP$.
The TA broadcasts public parameters $param = \{G_1, G_T, q, e, P, P_{pub}, P_{pub}, H, H_1, H_2, H_3, H_4, H_5\}$ to all entities in the system.

Vehicle Registration Protocol
When vehicle $v$ with $ID_v$ enters the VANET, it applies for registration with the TAs. The TAs are able to generate a series of pseudonyms $\{PS_i\}_{i \in [1,n]}$, public keys $\{PK_i\}_{i \in [1,n]}$, and private keys $\{SK_i\}_{i \in [1,n]}$ for the vehicle. The protocol is performed as shown in Figure 6 and Protocol 1.
The TA utilizes $K_{v-TA}$ to encrypt PS, EXP, and SK and obtains Upon receiving the message from the TA, vehicle $v_i$ uses $K_{v-TA}$ to decrypt $C_{TA-v}$ to obtain PS, EXP, and SK.

BS and RSU Registration Protocol
In this protocol, the BS is able to obtain its public key $PK_{BS}$, private key $SK_{BS}$, $SK_{BS}$, and expiration $EXP_{BS}$, and the RSU can obtain its public/private key $PK_{RSU}/SK_{RSU}$, and expiration $EXP_{RSU}$ from the TA via a secure channel, where Finally, the BS chooses $r_{BS} \leftarrow Z_q^*$ and computes the public key $P^{BS}_{pub} = r_{BS}P$ used in the BS domain.
Protocol 1 (vehicle side, final steps): decrypt $C_{TA-v}$ to obtain PS, EXP, SK; store PS, EXP, SK locally.

V2I Authentication and Pseudonym Issuance Protocols
When entering the signal coverage of the RSU, the vehicle is able to apply for new pseudonyms from the BS via the RSU. The RSU first verifies the legality of the vehicle through V2I authentication. If the vehicle is legal, the BS issues multiple pseudonyms for the vehicle, where these pseudonyms are valid within the scope of the BS.

V2I Authentication Protocol
V2I authentication supports the establishment of the trust relationship between the vehicle and RSU, as well as the construction of a secure channel. The details are depicted in Figure 7 and Protocol 2.

• Vehicle $v$ chooses $PS_i$, $SK_i$, and $EXP_i$ and signs message $PS_i$, $EXP_i$, $TS_1$, $N_1$, and $r_vP$ to obtain signature The vehicle sends $PS_i$, $EXP_i$, $TS_1$, $N_1$, $r_vP$, and $sign_v$ to the RSU.
• When receiving the message from the nearby $v$, the RSU first checks whether $TS_1$ and $EXP_i$ are fresh. Then, the RSU computes $h = H_5(PS_i \| EXP_i \| TS_1 \| N_1 \| r_vP, V)$ and $PK_i = H_1(PS_i \| EXP_i)$. After that, the RSU checks whether $e(P, W) = e(P_{pub}, V + hPK_i)$ holds. If the above equations are valid, the RSU believes $v$ is legal. Otherwise, the message from the vehicle is discarded. The RSU signs $ID_{RSU}$, $EXP_{RSU}$, $TS_2$, $N_2$, and $r_{RSU}P$ to obtain Finally, the RSU computes session key $K_{RSU-v} = r_{RSU}r_vP$ and encrypts $N_1$ to obtain The RSU sends $ID_{RSU}$, $EXP_{RSU}$, $TS_2$, $N_2$, $r_{RSU}P$, $sign_{RSU}$, and $C_{RSU-v}$ to $v$.
$= e(P_{pub}, V + hPK_{RSU})$. If the equation holds, $v_i$ computes $K_{v-RSU} = r_vr_{RSU}P$ and decrypts $C_{RSU-v}$ to obtain $N_1$. If $N_1$ is legal, $v_i$ believes RSU is legal, and the secure channel between $v_i$ and the RSU is established. Finally, $v$ encrypts $N_2$ to obtain The RSU decrypts $C_{v-RSU}$ and checks $N_2$. If $N_2$ is valid, the RSU believes that the secure channel between the RSU and $v$ is built.
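The exchange above, run end to end as an added example (not the authors' code) in a deliberately insecure stand-in for the pairing groups, so that the check e(P, W) = e(P_pub, V + h·PK_i) and the nonce confirmation can be executed with the standard library. Assumptions: the Cha-Cheon-style signing equations (chosen because they satisfy that check), SHA-256 for H_1 and H_5, PK_RSU = H_1(ID_RSU || EXP_RSU), the XOR pad standing in for Enc_K, the 5-second freshness window, and all identifiers and times, which are constructed.

```python
import hashlib
import secrets

# INSECURE algebraic stand-in for the pairing groups, for checking the equations only:
# a G_1 point aP is stored as the scalar a (so P = 1), and the G_T element
# e(P, P)^c is stored as the exponent c. Discrete logs are exposed by design.
Q = 2**127 - 1          # prime group order q (assumed toy value)
P = 1                   # generator of G_1 in this representation
MAX_SKEW = 5            # seconds a timestamp may deviate (assumed freshness window)

def pair(a, b):
    """e(aP, bP) = e(P, P)^(ab), returned as the exponent ab mod q."""
    return (a * b) % Q

def hash_zq(tag, *parts):
    """SHA-256 based stand-in for the scheme's hash functions H_1 and H_5."""
    data = "|".join([tag, *map(str, parts)]).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q

def rand_zq():
    return secrets.randbelow(Q - 1) + 1

def extract(x, ident, exp):
    """TA side: PK = H_1(ID || EXP), SK = x * PK."""
    pk = hash_zq("H1", ident, exp)
    return pk, (x * pk) % Q

def sign(sk, pk, fields):
    """Cha-Cheon-style signature (V, W) = (r*PK, (r + h)*SK)."""
    r = rand_zq()
    V = (r * pk) % Q
    h = hash_zq("H5", *fields, V)
    return V, ((r + h) * sk) % Q

def verify(p_pub, fields, sig):
    """Check e(P, W) == e(P_pub, V + h*PK), PK rebuilt from fields[0], fields[1]."""
    V, W = sig
    pk = hash_zq("H1", fields[0], fields[1])
    h = hash_zq("H5", *fields, V)
    return pair(P, W) == pair(p_pub, (V + h * pk) % Q)

def fresh(ts, exp, now):
    return abs(now - ts) <= MAX_SKEW and now < exp

def enc(k, data):
    """XOR pad derived from the session key; stand-in for Enc_K (its own inverse)."""
    pad = hashlib.sha256(str(k).encode()).digest()
    return bytes(a ^ b for a, b in zip(data, pad))

def hello(ident, exp, sk, pk, now):
    """Build (ID, EXP, TS, N, rP, sign); sent by the vehicle and, with C added, the RSU."""
    r, nonce = rand_zq(), secrets.token_bytes(16)
    fields = (ident, exp, now, nonce.hex(), (r * P) % Q)
    return {"fields": fields, "sig": sign(sk, pk, fields)}, r, nonce

def accept(p_pub, msg, now):
    """Receiver checks: TS and EXP fresh, then the pairing equation."""
    _, exp, ts, _, _ = msg["fields"]
    return fresh(ts, exp, now) and verify(p_pub, msg["fields"], msg["sig"])

def handshake(now_vehicle=1000, now_rsu=1001, tamper_exp=False):
    """Run one V2I authentication; returns (K_v-RSU, K_RSU-v) or None on rejection."""
    x = rand_zq()
    p_pub = (x * P) % Q                                   # TA: P_pub = xP
    v_pk, v_sk = extract(x, "PS_i-constructed", 2000)
    rsu_pk, rsu_sk = extract(x, "RSU-constructed", 5000)

    m1, r_v, n1 = hello("PS_i-constructed", 2000, v_sk, v_pk, now_vehicle)
    if tamper_exp:                                        # EXP_i altered in transit
        f = m1["fields"]
        m1["fields"] = (f[0], 9999, *f[2:])
    if not accept(p_pub, m1, now_rsu):                    # RSU discards the message
        return None

    m2, r_rsu, n2 = hello("RSU-constructed", 5000, rsu_sk, rsu_pk, now_rsu)
    k_rsu = (r_rsu * m1["fields"][4]) % Q                 # K = r_RSU * (r_v P)
    m2["c"] = enc(k_rsu, bytes.fromhex(m1["fields"][3]))  # C_RSU-v = Enc_K{N_1}

    if not accept(p_pub, m2, now_rsu):                    # vehicle verifies the RSU
        return None
    k_v = (r_v * m2["fields"][4]) % Q                     # K = r_v * (r_RSU P)
    if enc(k_v, m2["c"]) != n1:                           # vehicle checks N_1
        return None
    c_v = enc(k_v, bytes.fromhex(m2["fields"][3]))        # C_v-RSU = Enc_K{N_2}
    if enc(k_rsu, c_v) != n2:                             # RSU checks N_2
        return None
    return k_v, k_rsu
```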

Pseudonym Issuance Protocol
The pseudonym issuance protocol is presented in Figure 8 and Protocol 3. After finishing the V2I authentication, vehicle $v$ is able to send the message to the RSU and apply for multiple temporary pseudonyms and certificates within the BS domain via a secure channel. When receiving the message from $v$, the RSU forwards the message to the BS. The BS is able to generate multiple new pseudonyms, public keys, private keys, certificates, and group keys for the vehicle. Afterwards, the BS computes the session key between the BS and vehicle, encrypts the message by the session key to generate the ciphertext, and sends the ciphertext, its identity $ID_{BS}$, and the public key $P^{BS}_{pub}$ to the vehicle via the RSU. When receiving the message from the BS, $v$ computes the session key between $v$ and the BS to decrypt the ciphertext to obtain multiple new pseudonyms, public keys, private keys, certificates, and group keys from the BS. Here, $v$ is able to use the pseudonyms issued by the BS to communicate with other entities in the BS domain and change the pseudonyms regularly to improve its anonymity. The details are depicted as follows.
The BS sets the session key $K_{BS-v} = r_{BS}r_vP$ and encrypts $PS^{BS}_i$, $SK^{BS}_i$, $PK^{BS}_i$, and $K_{BS}$ to The BS sends $C_{BS-v}$, $ID_{BS}$, and $P^{BS}_{pub}$ to vehicle $v$ via the RSU.
• After receiving the ciphertext from the BS, vehicle $v$ computes the session key $K_{v-BS} = r_vP^{BS}_{pub}$ and decrypts $C_{BS-v}$ to obtain the message from the BS. Finally, vehicle $v$ stores $PS^{BS}_i$, $PK^{BS}_i$, $SK^{BS}_i$, $Cert^{BS}_i$, $K_{BS}$, $ID_{BS}$, and $P^{BS}_{pub}$ locally.

Pseudonym Change Protocol
When vehicle v i runs on the road, it is requested to broadcast the BSM with PS BS i . If meeting other vehicles in the BS domain, vehicle v i believes that there is a chance to change its pseudonym. Now, v i is able to broadcast a pseudonym change request and try to communicate with other vehicles in the vicinity to change its pseudonym. Different from the traditional mix zone mechanism, the proposed pseudonym change protocol does not need the assistance of the RSUs, which means all vehicles in the BS domain can change their pseudonyms independently.
The pseudonym change protocol includes two periods: the pseudonym sharing period and the pseudonym change period. In the pseudonym sharing period, vehicles share their own stored pseudonyms, certificates, and driving status. If the number of pseudonyms received is not enough or there are considerable differences in driving status among vehicles, vehicles only store the information received. Otherwise, vehicles store the information received and start the pseudonym change period. In this period, all vehicles change their pseudonyms and communicate with other entities as group members. The details of the pseudonym change protocol are depicted as Figure 9 and Protocol 4:
i ; PK BS = PK BS ∪ PK BS j ;
6: all vehicles: if num ≥ threshold then all vehicles change pseudonym PS BS and certificate Cert BS after t change ; end if
The number of vehicles changing pseudonyms depends on the current user-centric location privacy level (as depicted in Section 5.3.2). When the location privacy level of the vehicle is low, the vehicle has to share more pseudonyms. When the user-centric location privacy is at a high level, the vehicle does not need to sacrifice too many pseudonyms to protect its privacy. In addition, due to the limited communication range of the BS, when the vehicle is driven from one BS (e.g., BS 1 ) to another BS (e.g., BS 2 ), the vehicle is required to reapply to BS 2 for the new pseudonym list. Therefore, the number of pseudonyms only needs to guarantee the privacy and security of vehicles within the BS domain.

Pseudonym Revocation Protocol
Generally, the pseudonym revocation protocol is used in the following conditions: (1) The vehicle's pseudonym and certificate have expired. In the pseudonym issuance protocol, K BS is required to be regularly updated by the BS and the period of the availability of K BS cannot be longer than that of EXP i . Since the BS issues enough pseudonyms to the vehicles, the validity period of K BS can be set long enough, which can reduce the communication overhead caused by the frequent requests for new pseudonyms. However, once K BS or EXP i expires, vehicles have to reapply for new pseudonyms from the BS or TA.
(2) Legal vehicles are compromised. In PCP, two cuckoo filters [32] are used and maintained by the BS: the positive filter posFilter and the negative filter negFilter, where posFilter stores the valid pseudonyms and negFilter stores the illegal pseudonyms. After receiving the illegal vehicles' information including signature σ, message M, multiple group pseudonyms PS BS , and proof, the BS first queries the local pseudonym list and obtains the multiple private keys SK BS according to PS BS . Then, the BS computes the signatures of M to obtain {σ 1 , σ 2 , . . . , σ n }, respectively. If σ i = σ, the BS believes that the pseudonym PS BS i and private key SK BS i corresponding to σ i are the identity information of the illegal vehicle. After that, the BS selects all pseudonyms PS i issued by the BS and the pseudonym issued by the TA about the illegal vehicle, removes these pseudonyms from posFilter, and adds them to negFilter to exclude the illegal vehicles from the VANET. The BS further broadcasts two filters in the BS domain via the RSU. Finally, the BS sends PS i to the TA and reveals the real identity of the illegal vehicle. When receiving the message from the BS, the TA decrypts PS i to obtain the real identity ID i . The TA sends all pseudonyms related to the illegal vehicles to the BS and prevents the illegal vehicles from reapplying for new pseudonyms.
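The revocation flow in condition (2), as an added example that is not the paper's implementation: a minimal cuckoo filter plus the BS-side steps of matching σ against the group pseudonyms' keys and moving the holder's pseudonyms from the positive to the negative filter. HMAC-SHA256 stands in for the scheme's signature, and the class names, the `holder` map, and the sample pseudonyms are assumptions constructed for the illustration.

```python
import hashlib
import hmac

class CuckooFilter:
    """Minimal cuckoo filter: 32-bit fingerprints, two candidate buckets per item."""
    def __init__(self, n_buckets=64, bucket_size=4, max_kicks=100):
        assert n_buckets & (n_buckets - 1) == 0, "power of two keeps i ^ h(fp) in range"
        self.n, self.size, self.max_kicks = n_buckets, bucket_size, max_kicks
        self.buckets = [[] for _ in range(n_buckets)]

    def _h(self, data):
        return int.from_bytes(hashlib.sha256(data).digest()[:4], "big") % self.n

    def _slots(self, item):
        fp = hashlib.sha256(b"fp|" + item).digest()[:4]
        i1 = self._h(item)
        return fp, i1, i1 ^ self._h(fp)       # alternate bucket depends only on fp

    def insert(self, item):
        fp, i1, i2 = self._slots(item)
        for i in (i1, i2):
            if len(self.buckets[i]) < self.size:
                self.buckets[i].append(fp)
                return True
        i = i1
        for kick in range(self.max_kicks):    # relocate residents until a slot frees up
            victim = kick % self.size
            fp, self.buckets[i][victim] = self.buckets[i][victim], fp
            i ^= self._h(fp)
            if len(self.buckets[i]) < self.size:
                self.buckets[i].append(fp)
                return True
        return False                          # filter too full; caller must resize

    def contains(self, item):
        fp, i1, i2 = self._slots(item)
        return fp in self.buckets[i1] or fp in self.buckets[i2]

    def delete(self, item):
        fp, i1, i2 = self._slots(item)
        for i in (i1, i2):
            if fp in self.buckets[i]:
                self.buckets[i].remove(fp)
                return True
        return False

def sign(sk, msg):
    # Stand-in for the scheme's signature: deterministic HMAC-SHA256 (assumption).
    return hmac.new(sk, msg, hashlib.sha256).digest()

class BaseStation:
    def __init__(self):
        self.pos_filter, self.neg_filter = CuckooFilter(), CuckooFilter()
        self.sk = {}       # local pseudonym list: PS_BS -> SK_BS
        self.holder = {}   # PS_BS -> internal record of the vehicle it was issued to

    def issue(self, record, pseudonyms):
        for ps in pseudonyms:
            self.sk[ps] = hashlib.sha256(b"constructed-sk|" + ps).digest()
            self.holder[ps] = record
            self.pos_filter.insert(ps)

    def revoke(self, sigma, msg, group_pseudonyms):
        """Find which group pseudonym's key produced sigma, then revoke its holder."""
        for ps in group_pseudonyms:
            sk = self.sk.get(ps)
            if sk is not None and hmac.compare_digest(sign(sk, msg), sigma):
                record = self.holder[ps]
                moved = [p for p, r in self.holder.items() if r == record]
                for p in moved:
                    if self.pos_filter.delete(p):   # delete only what was inserted
                        self.neg_filter.insert(p)
                return moved
        return []                             # no key in the group matches sigma

def is_accepted(bs, ps):
    """Receiver-side check against the two broadcast filters."""
    return bs.pos_filter.contains(ps) and not bs.neg_filter.contains(ps)
```

Deleting from a cuckoo filter is only safe for items that were actually inserted, which is why `revoke` moves a pseudonym to the negative filter only when the positive-filter delete succeeds.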

Performance Analysis
In this section, we discuss the performance of the proposed scheme in V2I authentication in terms of the computational cost and communication cost compared with LIAP [15] and SPA [25]. In addition, the Veins simulation framework is adopted to conduct the simulation experiment in terms of the average anonymous set size and user-centric location privacy level to manifest the security of the proposed pseudonym change protocol.

Computation Cost
The computational cost is defined to evaluate the total computation time required for pseudonym change, which is mainly dominated by hash-to-point (T mtp ), point exponentiation (T pe ), point multiplication (T pm ), and bilinear pairing (T bp ) all over the group.
In LIAP, given system parameters {P, q, G 1 , G 2 , e, PK CA , H, h}, where H : {0, 1} * → Z * q and h is the one-way hash function, such as SHA-2, the RSU broadcasts message are the RSU local public keys, and σ r is the signature of message M. When receiving the message from the RSU, vehicle v is required to verify the legality of Cert R and σ r . If the message from the RSU is legal, v uses PK R to encrypt the vehicle's public key PK v , certificate Cert v , timestamp T , and signature σ v = Sign v {PK v , Cert v , T} and obtains C v−RSU . When receiving the message from the vehicle, the RSU first decrypts C v−RSU and checks T . Then, the RSU verifies the legality of Cert v and σ v . If the above verification is successful, the RSU believes that v is legal; otherwise, the message will be dropped. Since LIAP does not give the detail of the certification and signature generation mechanisms, we adopted the same CC signature mechanism as PCP and the BF-IBE encryption algorithm to derive the computational cost of LIAP.
In SPA, the RSU is used as the fog-edge node (FEN) to provide the communication service for the vehicles. Given public parameter {p, q, a, b, G 1 , G 2 , e, P, Q, Q , h 1 , h 2 , h 3 }, when entering in the communication range of the RSU, vehicle v is able to send PID v , M v , and signature µ v to the RSU for authentication, where holds. If it does hold, v believes that the RSU is legal; otherwise, the message from the RSU is discarded.
In PCP, vehicle v generates signature sign v = {V, W} and sends PS i , EXP i , TS 1 , When obtaining the message from v, the RSU computes h and PK i . Then, the RSU checks the equation e(P, W) ?= e(P pub , V + hPK i ). If the equation holds, the RSU believes v is legal. Afterwards, the RSU signs ID RSU , EXP RSU , TS 2 , N 2 , and r RSU P to obtain After that, the RSU sends ID RSU , TS 2 , N 2 , r RSU P, sign RSU , and C RSU−v to v. v computes h , PK RSU and verifies the legality of the RSU by checking e(P, W ) ?= e(P pub , V + h PK RSU ).
Table 2 depicts the comparisons of the computational costs for the vehicle and RSU. In LIAP, in order to protect the public key and certificate of the vehicle from being exposed, the vehicle is requested to use the public key of the RSU to encrypt its certificate and public key, which leads to extra computational cost. Since the complicated signature mechanism is adopted, the V2I authentication protocol in SPA requires the vehicle and RSU to execute more point multiplications and bilinear pairing operations, causing a high computational cost. In PCP, the identity-based signature mechanism is adopted, so the computational cost of the hash-to-point operation becomes the vital factor for the efficiency of V2I authentication.

Communication Cost
The communication cost refers to the total size of the message transmitted during authentication. According to [33], the size of each single element in G 1 and Z * q is 128 bytes and 40 bytes, respectively. The sizes of the expiration and timestamp are 4 bytes. In the authentication protocol, since LIAP and SPA only transmit authentication-related messages and ignore the necessary messages to establish a secure channel, we only considered the communication cost related to V2I authentication.
In LIAP, the RSU broadcasts message Thus, the total communication cost of LIAP is:
In SPA, the vehicle needs to send PID v , M v , and signature Consequently, the communication cost of SPA is:
4 × |G 1 | + 2|TS| + 2 × |Z * q |
In PCP, the vehicle sends PS i , TS 1 , and sign v to the RSU. When finishing the verification of the received message, the RSU sends ID RSU , TS 2 , and sign RSU to the vehicle, where |PS i | = |ID RSU | = |Z * q |, |sign v | = |sign RSU | = 2|G 1 |. Thus, the communication cost of PCP is:
4 × |G 1 | + 2|TS| + 2 × |Z * q |
We can see that PCP and SPA have a low communication cost. In LIAP, the vehicle and RSU are requested to send extra certificates and public keys, which causes a high communication cost.

Simulation
In this section, Veins [34] is introduced to evaluate PCP in terms of the average anonymous set size and the average strength of location privacy. The proposed protocols were implemented using C++, where the experimental environment included a 2.6 GHz Intel(R) Core(TM) i7-6700HQ CPU, 2 GB RAM, and the Debian 9.4 operating system. The Pairing Based Cryptography Library [35] was adopted to implement the cryptographic operations. We used the Veins simulation framework to conduct extensive simulations, through the tools of SUMO and OMNET++. A SUMO network file was edited to simulate the scenario of pseudonym change depicted in Figure 5 (Simulation 1). In addition, a road map of Xi'an from OpenStreetMap (OSM) [36] was chosen as the real simulation scenario (Simulation 2). The road map from OSM can be converted into the network file by NETCONVERT. POLYCONVERT was used to generate the topographic file. The RandomTrips Python script was adopted to generate random vehicle trips. A SUMO configuration file was edited to integrate the network file, topographic file, and vehicle trips file. The SUMO simulation from the real map and Veins simulation are shown in Figure 10. The parameters used in the simulations are shown in Table 3.
The average anonymous set size is defined as the set of available candidate pseudonyms that are used in the pseudonym change protocol [14]. The larger the set of pseudonyms, the better it is able to confuse the tracking of GPAs. Figures 11 and 12 show the average anonymous set size in Simulation 1 and Simulation 2, respectively.
In Figure 11, the vehicle switches to the different scenarios shown in Figure 5 every 15 s. In Scenario 1 of Figure 5, since there are not enough vehicles to guarantee that the vehicles' anonymity set meets the pseudonym change security requirements and there is no RSU to provide pseudonym change support, the PCP, mix zone and silent period schemes cannot support pseudonym change in Scenario 1. However, in order to evaluate Scenario 1 for the effect of pseudonym change in subsequent scenarios, Scenario 1 is supplemented during the switching process of Scenarios 2-4. In Scenario 2, the above three schemes are able to support pseudonym change. Mix zones support more vehicles participating in pseudonym change than silent periods due to the wider communication range of RSUs. Since the vehicle collects more pseudonyms from other vehicles in Scenario 1, PCP guarantees providing larger pseudonym sets in Scenario 2. In Scenario 3, due to the low numbers of vehicles, the silent period scheme cannot protect the location privacy of vehicles that want to change pseudonyms. Because the RSU is not deployed, mix zones cannot provide the pseudonym change service for vehicles in Scenario 4. In Figure 12, we can see that the average anonymous set size increases rapidly due to the pseudonym change protocol. However, more notably, we observe that the vehicle density and traffic conditions have a significant impact on the anonymous set size since the vehicles have a greater chance to communicate with surrounding vehicles and share local pseudonym sets. The denser traffic conditions make it easier for the vehicle to meet other vehicles with a similar driving status. Moreover, the average anonymous set size in mix zones depends entirely on the deployment density of the RSUs. However, the high-density deployment of the RSUs requires a very high cost in a short time, which makes the silent period and PCP more suitable for the actual traffic scene.
Meanwhile, as it depends on the number of pseudonyms shared by the vehicles in the communication group rather than the number of vehicles, PCP has a higher average anonymous set size compared with the silent period.

User-Centric Location Privacy Level
The user-centric location privacy level [37] of the vehicles in VANETs is modeled by the location privacy loss function β i (t, T i ) : (ℝ+, ℝ+) → ℝ+, where t and T i refer to the current time and the time when v i changes pseudonym successfully. According to a sensitivity parameter 0 < λ i < 1, the privacy loss is set 0 initially and increases with the time. The higher the value of λ i , the faster the rate of privacy loss is. The privacy loss function is defined as + T i refers to the time when the privacy loss function arrives at the maximal value. Given the location privacy loss function, the user-centric location privacy level of vehicle v i at time t is Since vehicles cannot compute A i (T i ), an approximation log 2 (n) was used in the simulation [37].
Figure 13 gives the result of the user-centric location privacy level in different scenarios from Figure 5, where λ is defined as 0.1 and 0.8. Before changing the pseudonym, the user-centric location privacy level of each vehicle decreases linearly. Consequently, in Scenario 1 and other scenarios that do not meet the pseudonym change, the user-centric location privacy level of each vehicle gradually decreases and rises after changing pseudonym. Moreover, since the user-centric location privacy level is positively correlated with anonymous integration, the growth trend of the location privacy protection level is consistent with Figure 11.
Figure 14 shows the changes in the user-centric location privacy level of PCP, mix zones, and silent periods under different traffic conditions, respectively. We can see that the location privacy level increases dramatically at the beginning and remains stable after about 40 s. The greater the number of vehicles, the shorter the time for the user-centric location privacy level to reach the high level.
Since silent periods and mix zones have more stringent requirements on pseudonym change conditions (e.g., slow speed, RSU deployment), PCP is able to improve the location privacy level faster than the other two schemes and maintains a high location privacy level.
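How the privacy level described in this section evolves between pseudonym changes, as an added example that is not the paper's simulation code. It assumes the loss grows linearly at rate λ from the last successful change and is capped at A i (T i ), with A i (T i ) approximated by log 2 (n) as stated above; the function names and the change events in `CONSTRUCTED_CHANGES` are constructed for the illustration.

```python
import math

def initial_level(n):
    """A_i(T_i), approximated by log2(n) for an anonymity set of size n."""
    return math.log2(n) if n > 1 else 0.0

def privacy_level(t, t_change, n, lam):
    """A_i(t) = A_i(T_i) - beta_i(t, T_i), with linear capped loss (assumed form)."""
    if not 0 < lam < 1:
        raise ValueError("sensitivity parameter must satisfy 0 < lambda < 1")
    if t < t_change:
        raise ValueError("t precedes the pseudonym change")
    a0 = initial_level(n)
    return a0 - min(lam * (t - t_change), a0)

def exhaustion_time(t_change, n, lam):
    """Time at which the loss reaches its maximum and the level reaches zero."""
    return t_change + initial_level(n) / lam

def trace(changes, lam, horizon, step=1.0):
    """Sample the level on [0, horizon]; `changes` is a sorted list of (T_i, n)."""
    samples, t = [], 0.0
    while t <= horizon:
        past = [c for c in changes if c[0] <= t]
        # Before the first successful change the vehicle has no anonymity set.
        level = privacy_level(t, past[-1][0], past[-1][1], lam) if past else 0.0
        samples.append((t, level))
        t += step
    return samples

def share_below(samples, floor):
    """Fraction of sampled instants at which the level is under `floor`."""
    return sum(1 for _, level in samples if level < floor) / len(samples)

# Constructed events: a change among 4 candidates at 15 s, among 16 at 30 s.
CONSTRUCTED_CHANGES = [(15.0, 4), (30.0, 16)]

if __name__ == "__main__":
    for lam in (0.1, 0.8):                      # the two values used for Figure 13
        samples = trace(CONSTRUCTED_CHANGES, lam, horizon=45.0)
        print(f"lambda={lam}: share of time below 1 bit = "
              f"{share_below(samples, 1.0):.2f}")
```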

Discussion
Aiming at the uneven distribution of vehicle density and low-density RSU deployment, this paper proposed a pseudonym change scheme for location privacy preserving in VANETs (PCP). PCP follows the 1609 standard proposed by the IEEE and is able to effectively guarantee the protection of the privacy of vehicles. However, there are several open problems that need to be addressed to support the large-scale deployment of VANETs:
• MAC address change: PCP supports the pseudonym change in the application layer. However, according to the 1609.4 standard [38], in order to protect the full location privacy and security of the vehicle, it is necessary to propose an effective mechanism to support the change of MAC address. Otherwise, only the pseudonym is changed, and the adversaries can still associate messages with the tracked vehicle through the MAC address.
• Beacon interval: According to DSRC, each vehicle periodically broadcasts a BSM every 100-300 milliseconds [39,40]. Thus, the period of pseudonym change has to be limited to the beacon interval. However, a long time interval may cause the vehicle to be unable to obtain the driving status of the surrounding vehicles in time, and a short time interval cannot guarantee that the vehicle has enough time to change its pseudonym through cooperation. It is vital for VANETs to support an efficient beacon strategy.
• Non-cooperative behavior: The cooperation among vehicles is a key factor for a successful pseudonym changing strategy. However, due to the costs that are involved in changing the pseudonym, some vehicles may not be willing to cooperate with other vehicles. Therefore, how to improve the willingness of vehicles to change pseudonyms and ensure that the pseudonyms can be changed at a high location privacy level need to be further researched.

Conclusions
In this paper, we proposed a pseudonym change scheme for location privacy preserving in VANETs (PCP) to address the issue of location privacy. PCP first proposes a registration protocol, authentication protocol, and pseudonym revocation protocol to guarantee that all legal vehicles are able to communicate with surrounding entities and compromised vehicles can be revealed in time. Furthermore, we improved the ID-based linearly homomorphic signature scheme to support vehicle pseudonym change in various conditions, which can protect vehicle location privacy more effectively. Security and performance analysis showed that PCP is able to resist attacks from GPAs and keep a high location privacy level.
Our work leaves several open problems to be solved, for example, designing an efficient signature mechanism to support anonymous vehicle communication and determining how many pseudonyms a vehicle should store to balance communication security and performance. In the future, we will focus on the above issues.

Conflicts of Interest:
The authors declare no conflict of interest.

Appendix A. Security Analysis
In this section, we first prove the correctness of certificate Cert BS in the pseudonym change protocol, which is able to guarantee the legality of the vehicle after changing the pseudonym. Then, the formal security proof is conducted to show that the certificate generation mechanism executed by the BS in the pseudonym generation protocol is secure. Finally, the necessary security requirements are also discussed.
Appendix A.1. Correctness
Theorem A1. In the pseudonym change protocol, the certificate generation is correct if the algorithm Verify outputs 1.
Given pseudonyms < PS BS 1 , PS BS 2 , . . . , PS BS num >, < s 1 , s 2 , . . . , s num >, w, ID BS , EXP BS , and P pub , σ 2 are verified through checking The equation is considered correct by the following derivation: Obviously, if the verifier follows the above algorithm, legal σ 2 is always verified successfully. In addition, the correctness of σ 1 was proven in reference [28]. Thus, Theorem A1 is proven.

Appendix A.3. Security Analysis
Theorem A3. (Anonymity). The real identity of the vehicles in VANETs should not be disclosed, and the messages sent by the vehicles are required to be hidden within a set of potential vehicles.
Proof. In the V2I authentication protocol, the real identity of each vehicle is concealed in PS i ; any RSU or BS that does not know the secret value s cannot obtain ID i through PS i unless AES becomes insecure. In the pseudonym change protocol, PS BS i is randomly picked by the BS. No vehicle can link PS BS i to ID i .
Theorem A4. (Unlinkability). Two messages related to the same vehicle cannot be linked for a long time.
Proof. Firstly, the vehicles that cooperate to change the pseudonym must have a similar driving trajectory, so as to guarantee that no adversaries can use the beacon received before changing the pseudonym to track the target vehicle by predicting the driving trajectory. Secondly, the pseudonym change is required within the time interval when the vehicle sends the beacon. After changing the pseudonyms, each vehicle broadcasts the beacon with the new pseudonym. Since the vehicles execute the pseudonym change protocol in ciphertext within the time interval of two beacons, the adversaries cannot obtain any details of the pseudonym change, so it is impossible to link to the target vehicle through received beacon after changing the pseudonym.
Theorem A5. (Mutual authentication). The identity declared by the sender must be verified, and the integrity of the sent message should be confirmed by all receivers.
Proof. V2I authentication is based on the IBS signature mechanism. Any vehicle is able to compute the public key H 1 (PS i ||EXP i ). Vehicles cannot generate the legal public/private key independently unless they have the ability to solve the CDH problem. Consequently, as long as the signatures are verified correctly, the vehicles can be regarded as the legal ones by the TA or BS. The integrity of the message from the sender can be verified through the hash function.
Theorem A6. (Traceability). An efficient mechanism should be designed so that the TA and BS are able to trace the real identity of a misbehaving vehicle.
Proof. If there is a malicious vehicle in the VANET and its misbehavior is proven, the BS is able to query PS i , EXP i according to PS BS i and send PS i , EXP i to the TA. Then, the TA can track the real identity of the malicious vehicle by computing ID i =Dec_s{PS i ||EXP i }. Consequently, only the cooperation between the BS and TA can reveal the true identity of the illegal vehicles, which also meets the requirement of restricted credential usage and conditional privacy protection in VANETs.
Theorem A7. (Session key agreement). After finishing the mutual authentication, entities in VANETs should establish a session key to guarantee that the messages can be transmitted through a secure channel.
Proof. The proposed scheme adopts the Diffie-Hellman key exchange algorithm to support session key agreement. In V2I authentication, the vehicle and RSU compute r v R RSU P and R RSU r v P, respectively, and obtain session key K v−RSU .
Theorem A8. (Location privacy). No adversary can track the target vehicle by eavesdropping on the communications of vehicles within a region of interest.
Proof. The Shannon entropy is considered as the pseudonym entropy to assess the level of location privacy protection for vehicles, which can be interpreted as the effective size of the anonymity set. In the traditional scheme, a group of vehicles that change pseudonyms is defined as V = {v 1 , v 2 , . . . , v m }. Let p i represent the probability that vehicle v i is tracked successfully. Then, the pseudonym entropy of V can be expressed as:
Different from traditional schemes, the achieved entropy in PCP depends on the number of pseudonyms that the vehicle broadcasts, rather than the number of pseudonyms changed simultaneously. We define PS = {PS BS 1 , PS BS 2 , . . . , PS BS n } to represent the pseudonyms used in the pseudonym change protocol for group V. Let p i refer to the probability that pseudonym PS BS i is linked to a vehicle v i . Obviously, under the same conditions, m ≤ n. Consequently,
Theorem A9. DoS attack resistance: The adversaries can launch DoS attacks by injecting a large number of legitimate or false messages into the VANET, which makes the useful resources unavailable and leads to a serious decline in performance. The proposed pseudonym change scheme is able to resist the DoS attack by the broadcast communication and low computational cost.
Proof. As depicted in Section 4.7, vehicle v i broadcasts a pseudonym change request to the surrounding vehicles. The surrounding vehicles do not need to respond to the request from v i before t start . When the time reaches t start , the vehicles participating in the pseudonym change conduct AES to encrypt PS-Cert-List and broadcast the ciphertext to other vehicles. According to reference [41], the ciphertext verification operation can be performed within 0.8 µs; therefore, the proposed pseudonym change scheme is robust against the DoS attack.