An Enhanced Secure Identity-Based Certificateless Public Key Authentication Scheme for Vehicular Sensor Networks

Vehicular sensor networks have been widely applied in intelligent traffic systems in recent years. Because of the specificity of vehicular sensor networks, they require an enhanced, secure and efficient authentication scheme. Existing authentication protocols are vulnerable to some problems, such as a high computational overhead with certificate distribution and revocation, strong reliance on tamper-proof devices, limited scalability when building many secure channels, and an inability to detect hardware tampering attacks. In this paper, an improved authentication scheme using certificateless public key cryptography is proposed to address these problems. A security analysis of our scheme shows that our protocol provides an enhanced secure anonymous authentication, which is resilient against major security threats. Furthermore, the proposed scheme reduces the incidence of node compromise and replication attacks. The scheme also provides a malicious-node detection and warning mechanism, which can quickly identify compromised static nodes and immediately alert the administrative department. With performance evaluations, the scheme can obtain better trade-offs between security and efficiency than the well-known available schemes.


Introduction
According to a report by the World Health Organization (WHO), the total number of worldwide road traffic deaths caused by various traffic accidents is 1.25 million per year [1]. To manage increasingly heavy traffic scenarios and enhance driving safety, wireless sensor networks and smart devices have recently been implemented on a large scale in the transportation systems of many countries. As part of an intelligent transportation system (ITS), vehicle sensor networks (VSNs) provide a better resolution to traffic problems via the collection, processing and dissemination of traffic information within the scope of interconnected sensor nodes, which are mounted on vehicles and roadsides. The static wireless access nodes alongside the roads, which are called Road Side Units (RSUs), are used to provide communication to vehicles and infrastructure in their coverage area. VSNs involve different network modules, such as Wireless Access in Vehicular Environment (WAVE) [2]/Dedicated Short-Range Communication (DSRC), Wireless Fidelity (Wi-Fi) and the 4th Generation Communication System (4G)/Long Term Evolution (LTE) that work together. Among them, Vehicle-to-Vehicle (V2V) and Vehicle-to-Infrastructure (V2I) communications are two main forms of VSNs that use the DSRC protocol [3] and WAVE to perform their operations in collaboration.

1. The proposed scheme is based on certificateless public key cryptography (CLPKC) [8], which can solve the certificate management problem in the public key infrastructure (PKI) [9] and the key escrow problem in identity-based encryption (IBE) [10,11]. The scheme uses elliptic curve scalar multiplication instead of bilinear pairing because the relative computational cost of a pairing operation is approximately 20 times higher than that of an elliptic curve scalar multiplication [12]. In addition, this scheme supports batch authentication by simultaneously verifying several messages. Moreover, the proposed scheme is provably secure against the adaptive chosen message attack in the random oracle model as long as the computational elliptic curve discrete logarithm problem (ECDLP) is intractable.
2. In the scheme, anonymous communication and conditional privacy-preserving authentication are supported to protect users' privacy. Every user is issued a smart card with distinct pseudo identities, which are generated by trusted authorities (TAs) according to the user's actual identity and secret information. The user's actual identity can be uniquely revealed by the TA when necessary.
3. The proposed scheme uses a position-based authentication scheme to reduce the possibility of RSU capture attacks. The proposed scheme also provides a compromised-RSU detection and alarm mechanism to identify misbehaving RSUs and immediately alert the traffic administrative department.

Related Work
In this section, we provide a brief summary of the related literature focused on authentication schemes in VSNs. Many authentication schemes have been proposed in recent years, and most of them are certificate-based or ID-based authentication schemes. Paruchuri et al. [13] proposed a certificate-based scheme, which provides anonymous authentication and location privacy using a smart card that stores the session keys of RSUs. However, this scheme fails to support V-to-V authentication. The RSUs and vehicles require additional computations to verify the certificates issued by the TA. In addition, each on-board unit (OBU) stores many session keys from different RSUs. And during the authentication process, the encrypted message is transmitted to identify the owner of the session key to be decrypted, which is inefficient for VSN authentication. Finally, if one RSU based on ECC without using the special MaptoPoint hash function, which is efficient and consumes more computing time. This scheme also supports the batch signature and conditional privacy-preserving authentication; however, it is significantly dependent on secure communication channels. In a practical scenario, the vehicle-specific information is easily collected by overhearing the wireless network [7]. From the implementation perspective, the scheme has high costs and lacks scalability. In addition, the schemes [26,27] suffer from privileged insider attacks in the PKG. If an adversary obtains the private key of one user issued by the PKG, he can easily forge a valid signature.

Background
In this section, we briefly introduce the network model and adversary model of our scheme.

Network Model
The proposed scheme applies a two-layer network model. The upper layer consists of the PKG, the TA and a traffic information service center. The bottom layer includes vehicles equipped with wireless communication devices and RSUs, which can communicate with one another using the DSRC/WAVE protocol.
Here, we consider two application scenarios according to the locations of the RSUs. First, RSUs are built on main roadways, which are the focus of most other schemes. The infrastructure and RSUs communicate through secure channels, such as the transport layer security protocol via wired connections [19]. Second, RSUs are deployed in unattended environments, such as highway roads. There, the cost of constructing optic and electric composite cables to provide power and communication between the RSUs and the infrastructure is high. In the second scenario, we deploy RSUs with batteries and short wireless communication ranges. Users can contact RSUs via single-hop or multi-hop communication, which is more robust and suitable for the second scenario.
The two scenarios are shown in Figures 1 and 2.

TA: The TA registers the drivers and generates pseudo identities for valid users. The TA is the only party that can trace the vehicle and reveal the identities of the signers. The TA cannot be compromised and is fully trusted by all parties in the system.
PKG: The PKG is a trusted third party that generates partial private keys for the signers.
RSUs: RSUs are distributed along roadsides and equipped with on-board sensory, processing and wireless access point modules. They are mainly used to verify the messages and transfer data among the vehicles and the infrastructure in their coverage area, such as the traffic information service center, TA and PKG.
Vehicle: All vehicles are equipped with a card reader and with on-board sensory, processing and wireless communication modules. All users who want to access the services from the VSNs will be issued a smart card with system parameters, which can help the TA to track behaviors back to the owner of the smart card instead of the car. Smart card technology conforms to international standards (ISO/IEC 7816 and ISO/IEC 14443) [28,29]. With an embedded microcontroller, each smart card can store large amounts of data and has the computing ability to perform on-card functions (e.g., signature and authentication). The smart card can interact with the card reader, which is mounted on the car. The communication protocol with neighboring vehicles and RSUs is 5.9-GHz DSRC [3] IEEE 802.11p.
Anchor nodes: In Figure 2, to prevent adversaries from inserting malicious nodes into the networks, the key point of our approach is to deploy certain anchor nodes with higher processing capabilities and a global positioning system (GPS) receiver. These nodes can help the system to reduce the possibility of compromise attacks on static nodes (RSUs and anchor nodes) and immediately detect nearby controlled nodes using our method. We elaborate on the function of anchor nodes in Section 4.3.

Adversary Model
In reality, all communication channels among VSN entities are not explicitly secure. In Lo's scheme, every transmit channel is assumed to be secure without considering this fact. In this paper, we assume that the communication channels are public and adversaries can conduct attacks, such as eavesdropping, insider attacks, stolen smart-card attacks and impersonation attacks, in which adversaries attempt to impersonate a legitimate user or a node. In addition, the adversary can conduct a physical attack on static nodes (RSUs and anchor nodes) and retrieve secret information and stored data from them particularly in an unwatched location. In further attacks, the adversary attempts to replicate the controlled nodes, deploy them in other places and manipulate the network with the clones or captured nodes.

Proposed Scheme
In this section, we propose an enhanced ID-based certificateless authentication scheme based on a modification of the original CLPKC mechanism [8]. The scheme supports V2I and V2V communication, and it consists of five phases: System Initialization, Register, Login, Signing and Verification. The symbols of our scheme are described in Table 1.

System Initialization
The PKG generates the system parameters by running the following steps. First, the PKG chooses a $k$-bit prime number $n$ and generates the tuple $\{F_n, E(F_n), G_q, P\}$. Then the PKG picks a random number $s \in Z_q^*$ as its private key and computes $P_{PKG} = s \cdot P$. Furthermore, the PKG determines four one-way hash functions: The TA also selects a random $r \in Z_q^*$ as its private key and computes $P_{TA} = r \cdot P$. Finally, the PKG publishes the system parameters $Z = \{F_n, E(F_n), G_q, P, P_{PKG}, P_{TA}, h_0, h_1, h_2, h_3\}$. The PKG and TA keep $s$ and $r$ secret, respectively.

Register
Every user who wants to access the services from VSNs is first issued a smart card with system parameters offline by the TA. Note that the user must disclose valid credentials, such as an ID card or driving license, to the TA to get the smart card. The user's credential number (the real identity $ID$ of the user) is input to the smart card by the TA and is recorded in the list of the TA. At the beginning of the smart card activation, the user inserts his smart card into a card reader mounted on a car and inputs his real identity $ID$ and password $PW$. Note that the real identity is registered in the TA offline and can uniquely identify the user.
Upon receiving $ID$ and $PW$, in which $ID \in Z_q^*$ and $PW \in Z_q^*$, the smart card compares $ID$ with the stored one. If they match, the smart card calculates $h_0(PW \oplus b)$ and $h_0(ID)$, in which $b \in Z_q^*$ is an arbitrary number of sufficiently large length. Then the smart card selects a random number $d_1 \in Z_q^*$ as the user's secret value and generates the public key $P_1 = d_1 \cdot P$. Subsequently, the smart card sets $s_1 = h_0(PW \oplus b) \oplus ID$ and $s_2 = s_1 + d_1$. The smart card encrypts $\{ID, h_0(PW \oplus b), P_1\}$ using the TA's public key and sends it to the TA. Upon receiving the register request, the TA decrypts it using the TA's private key $r$ and checks whether the $ID$ is legal, and if so, the TA will make $m$ pseudo identities for the user. The TA computes: where $n_i \in Z_q^*$ is a random number, $T \in Z_q^*$ is the expiration date of the $PID_1$ and $m$ is the number of PIDs. For convenience, we set $H_1 = Enc_{P_{TA}}(ID) \oplus h_0(PW \oplus b)$. The TA encrypts these PIDs $\{PID_1, H_1, N, T\}$ using $P_1$ and sends the result to the smart card. Note that the TA stores $Enc_{P_{TA}}(ID)$ instead of the $ID$ to prevent stolen ID list attacks. The TA stores $\{PID, Enc_{P_{TA}}(ID), h_0(PW \oplus b), H_1, N\}$ in its memory.
When it receives $Enc_{P_1}\{PID_1, H_1, N, T\}$, the smart card decrypts it and checks the contents by verifying $PID_{1,i} \cdot P = P_{TA} \cdot h_1(H_1 \| P_1 \| T) + N_i$, $(i = 1, \ldots, m)$. If the equations hold, which means that adversaries have not tampered with the pseudo identities, the smart card calculates $PID_i = PID_{1,i} + d_1$, $(i = 1, \ldots, m)$. Otherwise, it rejects the $PID_1$. Here, every PID is generated as a combination of the secret value of the TA and the user-chosen secret. Thus, adversaries cannot forge a valid PID without the user-chosen secret $d_1$. Subsequently, the smart card sends the tuples $\{PID, H_1, P_1, N, T\}$ to the PKG through a public channel.
Upon receiving the partial-secret-key request $\{PID, H_1, P_1, N, T\}$, the PKG validates the PIDs by checking whether the following equations: hold within the validity of $T$. If yes, then the PKG generates partial secret keys for users as below: where $k_i \in Z_q^*$ is a random number. The PKG sends $\{PID, P_2, d_2\}$ back to the smart card. Otherwise, it rejects the partial-secret-key request.
Upon receiving the partial secret keys, the smart card checks the authenticity of $\{PID, P_2, d_2\}$ via running: If the equations hold, this implies that $\{P_2, d_2\}$ were generated by the PKG. Otherwise, the smart card rejects them. Then the smart card stores $\{PID, h_0(PW \oplus b), h_0(ID), s_2, P_1, P_2, d_2, b, T, N, H_1\}$ in its memory and deletes $d_1$, $ID$, $PW$ and $s_1$ to prevent smart card compromise attacks. The steps of the phase are depicted in Figure 3.

Login and Message Signing
The user inserts his smart card into a card reader and inputs $ID$ and $PW$. Then the smart card compares $h_0(PW \oplus b)$ and $h_0(ID)$ with the ones stored in it. If they match, the smart card computes $s_1 = h_0(PW \oplus b) \oplus ID$ and $d_1 = s_1 \oplus s_2$, checks the validity period of the PIDs, and then performs the following operations. Otherwise, it rejects the request. The smart card deletes $ID$, $s_1$ and $PW$.

1. Generate a traffic-related message $M$, then pick a random number $l \in Z_q^*$ and calculate $L = l \cdot P$ to provide freshness.
2. Choose a $PID_i$ and its corresponding $d_{2,i}$, and calculate: where $time$ is the current timestamp of the user's system.

Verification
This phase is invoked when the verifier (a vehicle or RSU) receives the information $\{PID_i, P_1, P_{2,i}, M, L, T, v, time\}$ at the time $time^*$. It uses the system parameters $Z = \{F_n, E(F_n), G_q, P, P_{PKG}, P_{TA}, h_0, h_1, h_2, h_3\}$ to perform the following steps:

1. Validate the freshness of $time^*$. If $time^* - time \le \Delta T$, then the verifier proceeds to the next step, else it rejects the request, where $\Delta T$ indicates the valid time interval.
2. Then the verifier checks the expiration time $T$ of $PID_i$.
3. The verifier checks the equation: If it holds, the verifier accepts $M$, else it outputs "invalid".

After the user logs out, the smart card deletes $d_1$ from its memory to prevent stolen smart card attacks. The steps of the phase are depicted in Figure 4.

Batch Verification
To make message verification more efficient, we require that vehicles or RSUs can aggregate $n$ signatures into a single one and handle them at the same time. In the batch verification scheme, if one of the signatures is invalid, all signatures will be dropped or rejected. The proposed scheme supports batch verification. When the verifier receives a number of requests, denoted as $\{PID_{i,x}, P_{1,x}, P_{2i,x}, M_x, L_x, T_x, v_x, time_x\}$, $(x = 1, \ldots, n)$, it adds several random numbers to quickly detect which message is invalid in the batch. The concept is regarded as an efficient method in batch verification [24].
The verifier checks the following equation: where $y_x$ $(x = 1, \ldots, n)$ are small random numbers.
If the equation holds, then the verifier accepts these messages, else it detects the invalid messages and rejects them.

RSU to Vehicle (the Vehicle Verifies the RSU)
In this subsection, we use a position-based authentication method to reduce the possibility of node capture attacks.
As indicated in Section 3.1, there are two types of nodes: the anchor nodes and the normal RSUs. The difference between them is that the anchor nodes obtain their position with the help of built-in GPS receivers, whereas the RSUs do not know their position in advance. The anchor nodes have more computation and energy resources than the RSUs. The anchor node has two main functions. First, it broadcasts its position in real time to help nearby RSUs calculate their coordinates. Second, it can immediately detect abnormal RSUs inside its range.

We implement an efficient approach based on the Received Signal Strength Indication (RSSI) combined with the centroid algorithm [30], which obtains the position with high accuracy. RSSI-based location schemes are the most prevalent ones due to their easier implementation and lower complexity [31], especially for energy-constrained nodes. With this method, if an RSU is captured and moved to another location, it will fail to be verified because the new position incorporated in the signature has changed. Furthermore, the anchor node can immediately detect abnormal RSUs by comparing two locations: the first one is obtained by the GPS and the other one is calculated from nearby RSUs. If the value does not change much within the measurement uncertainties, then the nearby RSUs are valid. Otherwise, abnormal RSUs must be surrounding the anchor node, that is, RSUs that have been captured, replicated or moved by adversaries, and the anchor node will immediately alert the PKG.
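A sketch of the position check described above, added here as an example and not taken from the paper. The weighted-centroid formula, the log-distance path-loss constants, the anchor layout and all function names are assumptions, since the text cites [30] without giving the algorithm.

```python
import math

TX_POWER_DBM = -40.0    # assumed RSSI measured at 1 m from an anchor
PATH_LOSS_EXP = 2.5     # assumed path-loss exponent of the environment

# Constructed anchor-node GPS positions (metres in a local grid).
ANCHORS = [(0.0, 0.0), (100.0, 0.0), (0.0, 100.0), (100.0, 100.0)]


def rssi_at(distance_m):
    """Log-distance path-loss model, used only to build the sample readings."""
    return TX_POWER_DBM - 10 * PATH_LOSS_EXP * math.log10(max(distance_m, 1.0))


def distance_from_rssi(rssi_dbm):
    """Invert the path-loss model to get a distance estimate in metres."""
    return 10 ** ((TX_POWER_DBM - rssi_dbm) / (10 * PATH_LOSS_EXP))


def weighted_centroid(readings):
    """readings: list of ((x, y), rssi_dbm), one entry per anchor broadcast."""
    if len(readings) < 3:
        raise ValueError("need broadcasts from at least three anchor nodes")
    # Closer anchors (stronger RSSI) get a larger weight.
    weights = [1.0 / distance_from_rssi(rssi) for _, rssi in readings]
    total = sum(weights)
    x = sum(w * pos[0] for w, (pos, _) in zip(weights, readings)) / total
    y = sum(w * pos[1] for w, (pos, _) in zip(weights, readings)) / total
    return x, y


def position_check(registered, readings, tolerance_b):
    """Compare the fresh estimate with the registered position; B is the tolerance."""
    estimate = weighted_centroid(readings)
    drift = math.dist(registered, estimate)
    return {"estimate": estimate, "drift": drift, "alert": drift > tolerance_b}


def readings_at(true_position):
    """Constructed readings an RSU would observe at true_position."""
    return [(a, rssi_at(math.dist(a, true_position))) for a in ANCHORS]


def demo():
    registered = (50.0, 50.0)                      # position bound at initialization
    in_place = position_check(registered, readings_at((50.0, 50.0)), 10.0)
    moved = position_check(registered, readings_at((90.0, 10.0)), 10.0)
    return in_place, moved


if __name__ == "__main__":
    for result in demo():
        print(result)
```

The estimate is coarse by design, so the tolerance has to cover both RSSI noise and the centroid's bias toward the middle of the anchor layout.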

Initialization
Every RSU is preloaded with a legitimate $ID_{R1}$ assigned by the PKG, which is stored in its tamper-proof device. Every anchor node is assigned an $ID_c$ and deployed in its pre-setup position by the PKG. After deployment, the RSU first receives the position information from nearby anchor nodes. The details of the information are as follows: where $L_{ci}$ denotes the position information broadcast by the anchor node, and $P_{ci} = d_{ci} \cdot P$ is its public key, in which $d_{ci} \in Z_q^*$ is a random number used as its secret key, and $(x_{ci}, y_{ci})$ are the current coordinates measured by the GPS.
The RSU computes its current coordinates $(x_R, y_R)$ from the coordinates of any three anchor nodes through the RSSI-based centroid algorithm [30] mentioned above and sets $ID_{R2} = h_0((x_R, y_R))$. Subsequently, the RSU chooses a random number $d_{R1} \in Z_q^*$ as its secret key and sets $P_{R1} = d_{R1} \cdot P$. Then the RSU sets $S_{d_{R1}} = Sign_{d_{R1}}\{ID_{R1} \| ID_{R2} \| L_{c1} \| L_{c2} \| L_{c3} \| \cdots \| L_{cn} \| P_{R1}\}$, signing with the secret key $d_{R1}$, encrypts the tuple $\{S_{d_{R1}} \| ID_{R1} \| ID_{R2} \| L_{c1} \| L_{c2} \| L_{c3} \| \cdots \| L_{cn} \| P_{R1}\}$ using the public key of the PKG, and sends it to the PKG.
Upon receiving the tuple, the PKG decrypts it and verifies the signature. Then the PKG compares the $L_{ci}$ and $ID_{R1}$ with the stored list to make sure that they are legitimate and have not been modified at the initialization step.
The PKG generates the partial secret key for RSUs as follows: where $k_R \in Z_q^*$ is a random number and $t$ is the expiration date of $d_{R2}$, then the PKG sends $\{ID_{R2}, P_{R2}, d_{R2}, t\}$ back to the RSU.
The PKG calculates $ID_R = ID_{R1} \oplus ID_{R2}$ and $h_0(ID_{R1})$ in the next step, and deletes $ID_{R1}$ and $ID_{R2}$ from the list to avoid stolen ID list attacks.
Upon receiving $\{ID_{R2}, P_{R2}, d_{R2}, t\}$, the RSU verifies the validity of $d_{R2}$ by checking the equation $d_{R2} \cdot P = P_{R2} + h_2(P_{R1}, P_{R2}, ID_{R2}, t) \cdot P_{PKG}$. If the equation holds, then it accepts $d_{R2}$, else it applies to the PKG for the partial secret key again. Then the RSU calculates the short-term pairwise encryption keys: between the anchor nodes and RSUs.

Message signing
The RSU picks a random number $l_R \in Z_q^*$ and sets $L_R = l_R \cdot P$, and it receives the location information from the anchor nodes and calculates the current coordinates $(x_R, y_R)$ by the location algorithm. Let $B$ be a position tolerance value, and the RSU should compare the new coordinates Then the RSU calculates: in which $time$ is the current timestamp of the RSU's system and $M$ is a traffic-related message.

Verification
When a verifier such as a vehicle, an anchor node or an RSU receives $\{(x_R, y_R), ID_{R2}, P_{R1}, P_{R2}, M, L_R, t, time, v_R\}$ at time $time^*$, it first checks the freshness of $time^*$ and the expiration time $t$ of the partial private key $d_{R2}$.
The verifier checks the equation: If the equation holds, the verifier accepts the message $M$. Upon receiving the signed message, the nearby anchor nodes perform additional steps inside their range. They first check their list, and if there is no short-term pairwise encryption key $k_i$ with the RSU, they calculate it via $k_i = d_{cj} \cdot P_{R1,i}$. Furthermore, the anchor nodes recompute their coordinates according to $ID_{R2}$ and compare them with the previous ones. If the value changes significantly, then the RSU is abnormal, that is, forged by adversaries, and the anchor node generates an alert that is sent to the PKG. To prevent location information tampering attacks by adversaries, the anchor node protects its location using $k_i$ and next time broadcasts $L_{cj} = \{ID_{cj}, P_{cj}, x_{cj}, y_{cj}, h_{k_i}(x_{cj}, y_{cj})\}$ to the RSUs.
Here, $h_{k_i}(x_{cj}, y_{cj})$ is a keyed digest (HMAC), that is, a hash function keyed with the session key $k_i$ shared between the two entities. The steps of the phase are depicted in Figure 5.
The proposed scheme also supports batch verification, and the process is the same as the one in Section 4.2.4.
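The RSU's partial-key check from the Initialization step and the keyed location digest from this subsection, as an added example that is not the paper's own code. It assumes the secp256k1 curve, SHA-256 as a stand-in for h_2 and for the HMAC, hashing the shared point into the key k_i, and a Schnorr-style issuance (P_R2 = k_R·P, d_R2 = k_R + h_2(...)·s mod q) chosen because it satisfies the check equation the text gives; all function names are hypothetical.

```python
import hashlib
import hmac
import secrets

# secp256k1 domain parameters (assumption: the paper does not name a curve).
P_MOD = 2**256 - 2**32 - 977
Q = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def add(A, B):
    """Affine point addition on y^2 = x^3 + 7; None is the point at infinity."""
    if A is None:
        return B
    if B is None:
        return A
    (x1, y1), (x2, y2) = A, B
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return None
    if A == B:
        lam = 3 * x1 * x1 * pow(2 * y1 % P_MOD, -1, P_MOD)
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P_MOD, -1, P_MOD)
    x3 = (lam * lam - x1 - x2) % P_MOD
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)


def mul(k, A):
    """Double-and-add scalar multiplication (not constant time; illustration only)."""
    result, k = None, k % Q
    while k:
        if k & 1:
            result = add(result, A)
        A, k = add(A, A), k >> 1
    return result


def rand_scalar():
    return secrets.randbelow(Q - 1) + 1            # uniform in Z_q*


def h2(*parts):
    """Stand-in for h_2: SHA-256 over length-prefixed fields, mapped into Z_q*."""
    h = hashlib.sha256()
    for part in parts:
        data = repr(part).encode()
        h.update(len(data).to_bytes(4, "big") + data)
    return int.from_bytes(h.digest(), "big") % (Q - 1) + 1


def pkg_issue(s, P_R1, ID_R2, t):
    """Assumed issuance: P_R2 = k_R*P, d_R2 = k_R + h2(P_R1, P_R2, ID_R2, t)*s mod q."""
    k_R = rand_scalar()
    P_R2 = mul(k_R, G)
    return P_R2, (k_R + h2(P_R1, P_R2, ID_R2, t) * s) % Q


def rsu_check(P_PKG, P_R1, P_R2, d_R2, ID_R2, t):
    """Check from the text: d_R2*P == P_R2 + h2(P_R1, P_R2, ID_R2, t)*P_PKG."""
    return mul(d_R2, G) == add(P_R2, mul(h2(P_R1, P_R2, ID_R2, t), P_PKG))


def pairwise_key(own_secret, peer_public):
    """k_i = d_cj*P_R1 on the anchor, d_R1*P_cj on the RSU; hashed to 32 bytes."""
    x, _ = mul(own_secret, peer_public)
    return hashlib.sha256(x.to_bytes(32, "big")).digest()


def location_tag(k_i, x, y):
    """h_{k_i}(x, y): HMAC-SHA256 over a fixed-precision encoding of the coordinates."""
    return hmac.new(k_i, f"{x:.6f},{y:.6f}".encode(), hashlib.sha256).digest()


def rsu_accepts(msg, k_i):
    return hmac.compare_digest(msg["tag"], location_tag(k_i, msg["x"], msg["y"]))


def demo():
    s = rand_scalar()                                # PKG master key
    P_PKG = mul(s, G)
    d_R1, d_c = rand_scalar(), rand_scalar()         # RSU and anchor secret values
    P_R1, P_c = mul(d_R1, G), mul(d_c, G)
    ID_R2 = hashlib.sha256(b"120.500000,36.100000").hexdigest()  # constructed h0((x_R, y_R))
    t = 20301231                                     # constructed expiration date
    P_R2, d_R2 = pkg_issue(s, P_R1, ID_R2, t)
    issued_ok = rsu_check(P_PKG, P_R1, P_R2, d_R2, ID_R2, t)
    altered_ok = rsu_check(P_PKG, P_R1, P_R2, d_R2, ID_R2, t + 10000)  # t changed
    k_anchor, k_rsu = pairwise_key(d_c, P_R1), pairwise_key(d_R1, P_c)
    msg = {"ID": "anchor-1", "P": P_c, "x": 120.5002, "y": 36.1001}     # constructed L_cj
    msg["tag"] = location_tag(k_anchor, msg["x"], msg["y"])
    genuine_ok = rsu_accepts(msg, k_rsu)
    forged_ok = rsu_accepts(dict(msg, x=121.0), k_rsu)   # coordinates altered in transit
    return issued_ok, altered_ok, k_anchor == k_rsu, genuine_ok, forged_ok


if __name__ == "__main__":
    print(demo())
```

Because t is an input to h_2, a key whose expiration date has been altered fails the check, and the coordinates travel in the clear with only the digest depending on k_i.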

Key Update
To prevent key compromise attacks over a long period, periodic key updates are required. We divide this section into two parts, the user-key update and the RSU-key update:
(1) Updating a user's $PW_i$. This function is invoked whenever the user wants to update the password of his smart card. First, the user inserts his card into a card reader and inputs the original $ID_i$ and $PW_i$. Then, the smart card calculates $h_0(PW_i \oplus b)$ and $h_0(ID_i)$, and it checks whether $h_0(PW_i \oplus b) = h_0(PW_i \oplus b)$ and $h_0(ID_i) = h_0(ID_i)$. If yes, the user will be allowed to input his new password $PW_i^*$ and proceed to the next step, else abort. Subsequently, the smart card recomputes $h_0(PW_i^* \oplus b)$ and $h_0(ID_i^*)$, in which $b$ is a new arbitrary number picked by the smart card, then it updates $s^*$ , as the user's new secret value, is a random number reselected by the smart card. The subsequent steps are the same as the ones in Section 4.2.1.
(2) Updating a user's pseudo identities and partial secret keys. A user's pseudo identities (PIDs) and partial secret keys share the same refresh cycle $T$. The TA appends an expiration time $T$ to every PID for all users. Note that the period of $T$, which depends on the key length and the complexity of the circumstances, can be fixed by the administrator of the TA. When a user logs in to the smart card, it first checks the $T$ of the PIDs. If $T$ is past the valid date, the smart card terminates the following authentication process and informs the user to update the PIDs and the related partial secret keys. Note that no user can change the valid date $T$ without the secret key of the PKG.
(3) Updating an RSU's partial secret key. In general, the process is the same as the one for a user.
In addition, the updating phase is invoked when a valid RSU is authorized by the PKG to change its position. After being deployed in a new location, the RSU will launch a new handshake with the PKG to get a new partial secret key in the same way as in Section 4.3.1. Any node that attempts to change its position and tries to get a new key without the PKG's authority is considered a malicious node.

Security Proof
In this section, we design four experiments to prove the security of the proposed scheme.

Experiment 1
We divide the adversaries into three kinds according to their attack abilities in the scheme. The Type I adversary A1 is not able to access the master key of the PKG or the secret keys of users. The Type II adversary A2 represents a curious PKG who can access the master key of the PKG and obtain the partial secret keys of users but cannot forge secret keys of users. The Type III adversary A3 represents a malicious PKG who not only obtains the master key of the PKG but also has the right to generate secret keys of users at will, although these keys are different from those of the users.

Theorem 1.
We will demonstrate that our scheme is unforgeable against adaptive chosen message attacks of the adversary A1 under the random oracle due to the intractability of ECDLP.
Proof. There are two roles in the game, the challenger C and the adversary A. C can solve the ECDLP problem with a non-negligible probability by running A as a subroutine. For instance, when C receives a problem $Q = s \cdot P$, where $s \in Z_q^*$ is a random number, its target is to calculate $s$. C picks $PID^*$ as a challenged identity and sets the system public key $P_{PKG} = x \cdot P$, then C sends the system params $(p, q, P, P_{PKG}, h_1, h_2)$ to the adversary A1. We show the process in which C can break ECDLP by using the adversary A as follows. C maintains 4 lists $h_1^{list}$, $h_2^{list}$, $d_1^{list}$, $d_2^{list}$, which are initially empty, and simulates the oracles queried by A.

1.
h 1 query. C maintains a list with the form of (PID i , P 1i , P 2i , T i , B i , coin). When A makes a query on (PID i , P 1i , P 2i , T i ), if the list contains the tuple (PID i , P 1i , P 2i , T i , B i , coin) matched PID i , C returns B i to A as a response. Otherwise, C chooses a random number coin ← R {0, 1} and sets Pr[coin = 0] = δ, in which coin = 0 means that this PID i is the challenged identity. Then C picks B i ← R Z * q and sends B i = h 1 (PID i , P 1i , P 2i , T i ) to A as a response. C adds (PID i , P 1i , P 2i , T i , B i , coin) to h list 1 .

2.
h 2 query. When A makes a query on (PID i , P 1i , P 2i , M i , L i , time i ), if the tuple (PID i , P 1i , P 2i , M i , L i , time i , D i ) exists in the list, then C sends it to A as a response. Otherwise, C picks a random D i ∈ Z * q and sets D i = h 2 (PID i , P 1i , P 2i , M i , L i , time i ), and C sends it to A as a response. C adds (PID i , P 1i , P 2i , M i , L i , time i , D i ) to h list 2 .

3.
Private-key-extract query. If coin = 0, then C stops the session. Otherwise, C chooses a random number d 1i ∈ Z * q as a private key of PID i , and generates another two random numbers d 2i , a i ∈ Z * q , and C sets P 1i = d 1i ·P, h 1i ← a i and P 2i ← d 2i ·P − h 1i ·P PKG . C adds (PID i , d 1i , P 1i ) and (PID i , d 2i , P 2i ) to d list 1 and d list 2 respectively, then C returns d 1i to A as a response.

4. Partial-private-key-extract query. If coin = 0, then C stops the session. Otherwise, C looks up d_2^list and first checks whether the tuple (PID_i, d_2i, P_2i) exists in the list. If it does, C returns d_2i to A as the response. Otherwise, C makes a private-key-extract query on PID_i itself and returns d_2i to A as the response.

5. Sign query. A makes a query on PID_i and M_i. C first looks up (PID_i, P_1i, P_2i, T_i, B_i, coin). If coin = 0, then C finds (PID_i, d_1i, P_1i) and (PID_i, d_2i, P_2i) in d_1^list and d_2^list respectively, generates two random numbers b_i, v_i ∈ Z_q^*, and sets h_2i Note that it is easy to verify that the equation v_i·P = L_i + P_2i + c·P_PKG + P_1i·h_2i holds. If coin = 1, the signature is an ordinary one, because C knows the private key and the partial private key.

6. Finally, A outputs (PID*, M*, v*). Note that (PID*, M*) has not been submitted to the private-key, partial-private-key or sign queries. If coin = 1, then C stops the simulation. Otherwise, according to [32], A can generate another valid signature with the same random tape but a different value of h_1i as follows: According to Equations (13) and (14), we can get: Thus, C outputs x as the solution of the ECDLP instance P_PKG = x·P, which contradicts the hardness of the ECDLP.

Theorem 2.
Our scheme is secure against adaptive chosen message attacks of the super adversary A2 under the random oracle.
Proof. There are two roles in the game: the challenger C and the adversary A. C uses A as a subroutine to solve the ECDLP with a non-negligible probability if A can break our scheme. C picks a random number s ∈ Z_q^* as the master key of the PKG and sets P_PKG = s·P, then C generates the system params (p, q, P, P_PKG, h_1, h_2). C sends s and the params (p, q, P, P_PKG, h_1, h_2) to the adversary A2. C maintains four lists h_1^list, h_2^list, d_1^list and d_2^list, which are initially empty. C answers h_1 queries and h_2 queries as in the proof of Theorem 1. C simulates the other oracles queried by A as follows.

1. Partial-private-key-extract query. If coin = 0, then C looks up h_1^list and identifies the tuple (PID_i, P_1i, P_2i, T_i, B_i, coin), picks a random number k_i ∈ Z_q^*, and calculates d_2i = k_i + s × h_1i mod q. C adds (PID_i, ⊥, P_1i) and (PID_i, d_2i, P_2i) to d_1^list and d_2^list respectively. C returns d_2i to A as the response. If coin = 1, then C looks up h_1^list and identifies the tuple (PID_i, P_1i, P_2i, T_i, B_i, coin), then picks two random numbers a_i, k_i ∈ Z_q^*. C sets d_1i ← a_i, and calculates d_2i = k_i + s × h_1i mod q and P_1i = d_1i·P. C adds (PID_i, d_1i, P_1i) and (PID_i, d_2i, P_2i) to d_1^list and d_2^list respectively. C returns d_2i to A as the response.

2. Private-key-extract query. When A makes the query, C does as follows: If coin = 0, then C stops the session. Otherwise, C looks up d_1^list, identifies the tuple (PID_i, d_1i, P_1i), and sends d_1i to A as the response. If there is no such tuple in the list, C makes a partial-private-key-extract query on PID_i itself, then returns d_1i as the response.

3. Sign query. A makes a query on PID_i and M_i. C first looks up (PID_i, P_1i, P_2i, T_i, B_i, coin). If coin = 0, then C finds (PID_i, ⊥, P_1i) and (PID_i, d_2i, P_2i) in d_1^list and d_2^list respectively. C picks three random numbers x, b_i, v_i ∈ Z_q^* and sets P_1i = x·P, h_2i ← b_i and If coin = 1, the signature is an ordinary one.

4. Finally, A outputs (PID*, M*, v*). Note that (PID*, M*) has not been submitted to the private-key or sign queries. If coin = 1, then C stops the simulation. Otherwise, according to [32], A can generate another valid signature with the same random tape but a different value of b_i as follows: According to Equations (17) and (18), we can obtain: Thus, C outputs x as the solution of the ECDLP instance P_1i = x·P.

Theorem 3.
Our scheme is secure against the super adversary A3 attacks.
Proof. In this scenario, A3 represents a malicious PKG who can obtain the master key s of the PKG and forge the secret key d_i at will. Its target is to pass verification by other valid VSN entities. Nevertheless, a valid signature cannot be produced without the unique secret key d_1. In our scheme, PID is generated by calculating PID_i = r × h_1(H_1||P_1||T) + n_i + d_1 mod q. Thus, the adversary has to obtain d_1 from valid users. It is difficult to steal d_1 from the smart card without the user's PW, because d_1 is not stored in the smart card after logging out. Moreover, because of the intractability of the ECDLP, the adversary cannot obtain d_1 from P_1 = d_1·P or the TA's master key r from P_TA = r·P. The probability that this malicious PKG manages to collude with the TA and steal the master key from the TA is negligible. Therefore, the scheme is secure against this kind of adversary, an attack that the schemes in [26,27], however, leave open to adversaries.

Experiment 2
In the registration phase, the proposed scheme can resist an inside attacker from the TA. Every pseudo identity PID_i contains the TA's master secret key r and the user's private key d_1.
Without knowing the user's private key d_1, an insider adversary fails to impersonate the valid user and cannot proceed to the next step. In this experiment, if the adversary cannot forge a valid pseudo identity PID_i that is verified successfully by the PKG, the proposed scheme is secure against impersonation attacks by insider adversaries. The security model, with a proof in the random oracle model, is as follows:
Proof. Suppose there is an adversary A that represents an inside attacker from the TA, who is able to access the TA's master secret key r but cannot get or forge the user's private key d_1. This assumption is reasonable, because the adversary has no right to modify the ID table in the TA. We construct a challenger C, which can solve the ECDLP with a non-negligible probability by running A as a subroutine. C picks ID* as the challenged identity and sets the system public key P_TA = r·P, in which r ∈ Z_q^* is the master secret key, then C sends the system params (p, q, P, P_TA, h) to the adversary A. C maintains three lists h^list, d_1^list and TA^list, which are initially empty.

1. h query. C maintains a list of tuples of the form (ID_i, P_1i, T_i, H_1, δ_i, coin). When A makes a query on (ID_i, P_1i, T_i, H_1), C checks whether the tuple exists in the list h^list. If so, C responds with δ_i = h(ID_i, P_1i, T_i, H_1); otherwise, C generates a random coin ←_R {0, 1} with Pr[coin = 0] = η, in which coin = 0 means that this ID_i is the challenged identity. Then C picks δ_i ←_R Z_q^* and sends δ_i = h(ID_i, P_1i, T_i, H_1) to A as the response. C adds

2. Master-secret-key query. When A makes the query, C does as follows: C first looks up (ID_i, P_1i, T_i, H_1, δ_i, coin). If coin = 1, C picks a random number a_i ∈ Z_q^*. C sets d_1i ← a_i and calculates P_1i = d_1i·P, then C adds (ID_i, d_1i, P_1i) and (ID_i, r) to d_1^list and TA^list respectively. C returns r to A as the response. If coin = 0, C adds (ID_i, ⊥, P_1i) and (ID_i, r) to d_1^list and TA^list respectively. C returns r to A as the response.

3. Private-key-extract query. C first looks up (ID_i, P_1i, T_i, H_1, δ_i, coin). If coin = 0, then C stops the session. Otherwise, C looks up d_1^list and identifies the tuple (PID_i, d_1i, P_1i). Then C sends d_1i to A as the response. If there is no such tuple in the list, C makes a master-secret-key query on ID_i itself, then returns d_1i as the response.

4. PID query. A makes a PID_i query on ID_i. C first looks up (ID_i, P_1i, T_i, H_1, δ_i, coin). If coin = 0, then C finds (ID_i, ⊥, P_1i) and (ID_i, r) in d_1^list and TA^list respectively. C picks three random numbers

Finally, A outputs (ID*, PID*). Note that (ID*, PID*) has not been submitted to the private-key or PID queries. If coin = 1, then C stops the simulation. Otherwise, according to [32], A can generate another valid pseudo identity with the same random tape but a different coefficient m of P_1i as follows: According to Equations (21) and (22), we can obtain: Thus, C outputs x as the solution of the ECDLP instance P_1i = x·P. The ability to solve the ECDLP contradicts the hardness of the ECDLP. Therefore, the proposed scheme is secure against impersonation attacks by insider attackers from the TA.

Experiment 3
In the authentication process, we make use of two elements to provide the freshness of the signed message. The comparison of different schemes in Figure 6 shows the importance of k_i and l in the signed message {PID_i, P_1, P_2,i, M, L, T, v, time}.
Figure 6. Comparison of two different schemes.
Proof. Note that without k_i and l it is easy for adversaries to get the master secret key s of the PKG and the private key d_1 in Equations (25) and (26). The adversary can acquire {PID, P_2, d_2} from the public channel. It is easy to compute s by the following steps:
(1) Get P_1 and T from the public message {PID, H_1, P_1, N, T}.
(2) Get {PID, P_2, d_2} from the public channel.
(3) Compute s:
It is easy for adversaries to compute d_1 in the same way:
(1) Get d_2 from the public message {PID, P_2, d_2}.
(2) Compute h_3(PID_i, P_1, P_2,i, M, time) from {PID_i, P_1, P_2,i, M, T, v, time} on the public channel.
□
In order to protect the master key of the PKG and the user's private key, we add two elements to Equations (25) and (26). The security model, with a proof in the random oracle model, is as follows: In this experiment, assume that the adversary's target is to forge a valid k such that d_2,i = k_i + h_2(P_1, P_2,i, PID_i, T) × s mod q (i = 1 … m) is verified successfully. That means the adversary can compute the right k and then obtain the value of s.

Proof.
Suppose there is an adversary A that is not able to access the master key of the PKG or the secret value k but can access the partial private key d_2 of users. Note that in this experiment the adversary plays this game by himself to forge k, so d_2 can be regarded as a public number that is not verified by others. We construct a challenger C, which can solve the ECDLP with a non-negligible probability by running A as a subroutine. C picks PID* as the challenged identity and sets the system public key P_PKG = s·P, in which s ∈ Z_q^* is the master secret key, then C sends the system params (p, q, P, P_PKG, h) to the adversary A. C maintains two lists h^list and PKG^list, which are initially empty.

1. h query. C maintains a list of tuples of the form (PID_i, P_1i, P_2i, θ_i, coin). When A makes a query on (PID_i, P_1i, P_2i), C checks whether the tuple exists in the list h^list. If so, C responds with θ_i = h(PID_i, P_1i, P_2i); otherwise, C generates a random coin ←_R {0, 1} with Pr[coin = 0] = η, in which coin = 0 means that this PID_i is the challenged identity. Then C picks θ_i ←_R Z_q^* and sends θ_i = h(PID_i, P_1i, P_2i) to A as the response. C adds (PID_i, P_1i, P_2i, θ_i, coin) to h^list.

2. Master-secret-key query. When A makes the query, C does as follows: C first looks up (PID_i, P_1i, P_2i, θ_i, coin). If coin = 1, C adds (PID_i, s) to PKG^list and returns s to A as the response. If coin = 0, then C stops the session.

3. k query. A makes a k query on PID_i. C first looks up (PID_i, P_1i, P_2i, θ_i, coin). If coin = 0, then C finds (PID_i, s) in PKG^list. C picks a random number b_i ∈ Z_q^*, then C sets

Finally, A outputs (PID*, k*). Note that (PID*, k*) has not been submitted to the k query. If coin = 1, then C stops the simulation. Otherwise, according to [32], A can generate another valid pseudo identity with the same random tape but different values of b_i as follows: According to Equations (33) and (34), we can obtain Thus, C outputs s as the solution of the ECDLP instance P_PKG = s·P. The ability to solve the ECDLP contradicts the hardness of the ECDLP. Thus, the adversary cannot forge a valid k to compute the master key of the PKG.
The fresh value L in Equation (27) has the same function as k: it protects the private key of users. We omit the proof, which is the same.

Experiment 4
The proposed scheme implements a location-based method, with which every RSU can acquire its current coordinates and apply them in every signature. The freshness of the current location protects RSUs from being captured and compromised.
Furthermore, every signature includes a timestamp time that records the current sending time of the signer. Verifiers can easily detect a replay attack by validating the freshness against the receiving time time*. If time* − time > ∆T, in which ∆T indicates the valid time interval, the verifier rejects the signature. Figure 7 shows the function of the coordinates (x_R, y_R) and the timestamp time* included in the signature.
Analysis: In Figure 7, there are two attackers. The first one carries out node capture attacks and the second one captures valid signatures to carry out replay attacks. Because of the different location, attacker 1 can access any information in the compromised RSU except d_2. The ability of this kind of attacker is weaker than that of the adversary A3 mentioned in Experiment 1. The ability of attacker 2 is the same as that of the adversary A1, which is not able to access the master key of the PKG or the secret keys of users. However, they all fail to generate valid signatures, and the proof is given above.

Security Analysis
Considering the implementation costs, it is difficult to make all communication channels secure in VSNs. In our scheme, all communication channels are public, which is different from [27]. The TA is trusted: adversaries cannot steal its secret key, and its master key must be strongly protected by hardware technology.
The proposed scheme is based on CLPKC. The unforgeability against adaptive chosen message attacks is defined in Section 5, which also provides the details of the scheme and its security proof. Thus, our scheme supports message authentication, integrity and unforgeability. The other security analyses are given in detail as follows.

Traceability
The proposed scheme provides traceability. If a message is disputed, the TA, the only authorized entity, can perform the tracing procedure and extract the real identity from the signature {PID, P_1, P_2, M, L, T, v, time} by calculating PID·P = P_TA·h_1(H_1||P_1||T) + N + P_1, in which H_1 and N are stored in its repository. If some H_1,j satisfies the equation above, the TA can obtain (ID_j)_{P_TA} from (ID_j)_{P_TA} ⊕ h_0(PW_j ⊕ b) = H_1,j and extract the real identity ID_j by decrypting (ID_j)_{P_TA} with the secret key r of the TA. Note that no one else can obtain ID_j, since r is known only to the TA itself.

Unlinkability
Unlinkability means that an adversary cannot link the signature messages generated by the same vehicle. Every signature message {PID, P_1, P_2, M, L, T, v, time} is different, because it is signed with a different PID and the related partial private key. PID = r × h_1(H_1||P_1||T) + n + d_1 mod q is generated with the random number n, and any adversary who wants to obtain n faces the ECDLP. Therefore, the proposed scheme supports unlinkability.

Resistance against Impersonation Attacks
An adversary impersonates a legitimate user to access RSUs by generating a valid PID and a signature message {PID, P_1, P_2, M, L, T, v, time}. With our scheme, every pseudo identity PID_i contains the TA's master secret key r and the user's private key d_1. Furthermore, every signature includes the PKG's master secret key s and d_1. Without knowing the user's private key d_1, insider adversaries of the PKG fail to calculate valid PIDs and signatures. The proof is given in Section 5.2. Note that d_1 is not transferred through any channel or stored in the smart card, and when the user does not input a valid PW, the smart card cannot obtain the valid d_1. Therefore, it is difficult for adversaries to obtain d_1 by the various methods of attack, and because of the ECDLP they cannot extract d_1 from P_1 = d_1·P. An adversary who eavesdrops the information {PID_1, H_1, N, T} of one user, or eavesdrops {P_2, d_2} from the PKG through the public channels in place of the valid user, still fails to generate valid PIDs and signatures for lack of d_1.

Resistance against Node Compromise Attacks and Node Replication Attacks
The proposed scheme can prevent node compromise and replication attacks to a large extent. We consider three cases according to the attacker's abilities:
(1) We assume that an adversary captures a node RSU_i and does not move this node to another location. The adversary extracts all stored information from the node; however, the information is independent of other nodes. The adversary then modifies the safety messages according to his specific needs and causes data anomalies. The position-based authentication method can help the PKG identify the malicious node based on its coordinates. Note that the adversary cannot change the node's coordinates, or the node will fail verification. In addition, there is no need to compromise the anchor node, because this type of node does not contain important traffic information or private user data.
(2) Assuming that an adversary captures a node RSU_i and replicates it in another place, this new replicated node executes the same program as before. However, the node cannot generate valid signatures because it computes a current position ID_R2 = h_0(x_R, y_R) according to the new nearby anchor nodes. Note that this ID_R2 is different from the original ID_R2 in d_R2 = k_R + h_2(P_R1, P_R2, ID_R2, t) × s mod q. Therefore, these malicious nodes will be identified quickly by the verifiers because of their invalid signatures.
(3) We assume that there is a powerful adversary who can modify the original program in the node after capturing it and replicating it in another location. Note that the adversary cannot change ID_R2 in d_R2 = k_R + h_2(P_R1, P_R2, ID_R2, t) × s mod q without knowing the master private key s. Therefore, to generate a valid signature the adversary can only use the original value of ID_R2 instead of updating it via the new anchor nodes. These malicious nodes will be identified rapidly by the detection mechanism of the proposed method because of their wrong coordinates.
When the adjacent anchor nodes receive the signature {(x_R, y_R), ID_R2, P_R1, P_R2, M, L_R, t, time, v_R}, they compare their current location calculated from (x_R, y_R) with the previous one, which is obtained from the GPS. If the value changes significantly, then abnormal RSUs must be surrounding the anchor node, and the anchor node will generate an alert to the PKG. Therefore, our scheme can withstand node compromise and replication attacks.
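The three cases above, together with the timestamp check from Experiment 4, seen from the verifier's side. This is an added example, not code from the paper: the tagged SHA-256 hashes, the relation P_R2 = k_R·P, the signing rule v = l + d_R2 + d_R1·e (chosen so that the verification equation quoted in the proof of Theorem 1 holds), the offset-based anchor model and all sample values are assumptions.

```python
import hashlib

# secp256r1 (NIST P-256), the curve named in the paper; a = -3.
P_MOD = 2**256 - 2**224 + 2**192 + 2**96 - 1
A = P_MOD - 3
Q = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551
G = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
     0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)

def ec_add(p1, p2):
    """Affine point addition; None is the point at infinity."""
    if p1 is None or p2 is None:
        return p2 if p1 is None else p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return None
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1 % P_MOD, -1, P_MOD) % P_MOD
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P_MOD, -1, P_MOD) % P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    return x3, (lam * (x1 - x3) - y1) % P_MOD

def ec_mul(k, pt):
    """Double-and-add scalar multiplication (illustrative, not constant time)."""
    acc, k = None, k % Q
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt, k = ec_add(pt, pt), k >> 1
    return acc

def h(tag, *parts):
    """Stand-in for the paper's h0/h2: tagged SHA-256 reduced mod q."""
    m = hashlib.sha256(tag.encode())
    for part in parts:
        data = repr(part).encode()
        m.update(len(data).to_bytes(4, "big") + data)
    return int.from_bytes(m.digest(), "big") % Q

def pkg_issue(s, k_r, P_R1, coords, t):
    """PKG: ID_R2 = h0(x_R, y_R); d_R2 = k_R + h2(P_R1, P_R2, ID_R2, t)*s mod q."""
    id_r2, P_R2 = h("h0", *coords), ec_mul(k_r, G)  # P_R2 = k_R*P (assumed)
    return id_r2, P_R2, (k_r + h("h2", P_R1, P_R2, id_r2, t) * s) % Q

def rsu_sign(d_r1, d_r2, l, coords, id_r2, P_R1, P_R2, M, t, time):
    """Assumed signing rule v = l + d_R2 + d_R1*e mod q, with L = l*P."""
    L = ec_mul(l, G)
    e = h("msg", id_r2, P_R1, P_R2, M, L, time)
    return dict(coords=coords, id_r2=id_r2, P_R1=P_R1, P_R2=P_R2, M=M, L=L,
                t=t, time=time, v=(l + d_r2 + d_r1 * e) % Q)

def verify(sig, P_PKG, now, delta_t):
    """Verifier: return 'ok' or the name of the first failed check."""
    if not 0 <= now - sig["time"] <= delta_t:
        return "stale"                      # replay: time* - time > delta T
    if h("h0", *sig["coords"]) != sig["id_r2"]:
        return "coords-mismatch"            # (x_R, y_R) not bound to ID_R2
    c = h("h2", sig["P_R1"], sig["P_R2"], sig["id_r2"], sig["t"])
    e = h("msg", sig["id_r2"], sig["P_R1"], sig["P_R2"], sig["M"], sig["L"],
          sig["time"])
    # Check v*P = L + P_R2 + c*P_PKG + e*P_R1.
    rhs = ec_add(ec_add(sig["L"], sig["P_R2"]),
                 ec_add(ec_mul(c, P_PKG), ec_mul(e, sig["P_R1"])))
    return "ok" if ec_mul(sig["v"], G) == rhs else "bad-signature"

def anchor_alert(claimed, offset, gps, tol):
    """Anchor: locate itself from the claimed (x_R, y_R) plus a measured offset
    (stand-in for RSSI ranging) and compare with its own GPS fix."""
    est = (claimed[0] + offset[0], claimed[1] + offset[1])
    return max(abs(est[0] - gps[0]), abs(est[1] - gps[1])) > tol

def demo():
    # Constructed values; small fixed scalars stand in for random secrets.
    s, k_r, d_r1, t = 0x1234567, 0x89abcde, 0xfedcba9, 1700000000
    P_PKG, P_R1 = ec_mul(s, G), ec_mul(d_r1, G)
    home, away = (31200, 121500), (31950, 120100)
    id_r2, P_R2, d_r2 = pkg_issue(s, k_r, P_R1, home, t)
    rest = (P_R1, P_R2, "lane closed", t, 1000)
    honest = rsu_sign(d_r1, d_r2, 11, home, id_r2, *rest)
    # Case (2): the replica recomputes ID_R2 from its new position.
    moved = rsu_sign(d_r1, d_r2, 12, away, h("h0", *away), *rest)
    # Case (3): the modified replica keeps the registered ID_R2 and coordinates.
    kept = rsu_sign(d_r1, d_r2, 13, home, id_r2, *rest)
    return {
        "honest": verify(honest, P_PKG, 1002, 5),
        "replayed": verify(honest, P_PKG, 1060, 5),
        "moved": verify(moved, P_PKG, 1002, 5),
        "kept_id_new_coords": verify(dict(kept, coords=away), P_PKG, 1002, 5),
        "kept": verify(kept, P_PKG, 1002, 5),
        "kept_alert": anchor_alert(kept["coords"], (10, 10), (31960, 120110), 50),
        "honest_alert": anchor_alert(honest["coords"], (10, 10), (31210, 121510), 50),
    }
```

In case (3) the signature itself still verifies, so the cryptographic check alone does not catch the replica; detection rests on the anchor node's location comparison.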

Resistance against Stolen Smart Card Attacks
We assume that the smart card of user U_i has been lost or stolen by an adversary. The adversary can then extract the parameters {h_0(PW ⊕ b), h_0(ID), s_2, P_1, P_2, d_2, b, T, N, H_1} stored in the smart card, although the user's independent information {d_1, PW, ID, s_1} is not contained in the card. Moreover, calculating or guessing the user's correct values of PW_i, ID_i and d_1,i is difficult. Therefore, the adversary cannot acquire the secret credentials of the target user. In addition, our proposal does not maintain any real-identity table, such as the RSU's ID_R1, ID_R2 in the PKG or the user's ID_i in the TA, which safeguards against stolen identity attacks by privileged insiders.

Resistance against Replay Attacks
All valid signatures carry the timestamp time. The verifiers can detect a replayed message by checking whether time* − time ≤ ∆T. Therefore, the proposed scheme can withstand replay attacks. Table 2 compares the security of our scheme with the recently proposed authentication schemes in [15,22,27].

Performance Evaluation
In this section, we analyze the computational costs and transmission overhead of our scheme. We implement our scheme using a Lenovo computer (Beijing, China) equipped with an Intel I7 dual-core processor, a 2.60 GHz clock frequency and 1 gigabyte of memory running the VMWare Ubuntu12.03 operating system. For our ID-based scheme with ECC, we use an additive group G generated by a point P with the order q on the secp256r1 elliptic curve to achieve the security level of 128 bits, in which p and q are two 256-bit prime numbers. For the bilinear-pairing-based schemes, we use a bilinear pairing on the curve y^2 = x^3 + b mod q with embedding degree 12, where q is a 256-bit prime number.

Computational Overhead
For convenience, we define some notation for the execution times as follows. First, let T_bp denote the execution time of a bilinear pairing operation and T_hmtp the time to execute one MapToPoint hash operation, which is different from the general hash function operation T_h. Then T_epm and T_epa denote the time of executing one point multiplication and one point addition over an elliptic curve respectively. T_RSSI represents the time of computing the coordinates of an RSU. Finally, T_ecc-sign and T_ecc-verify represent the time of signing one message and verifying one message based on the secp256r1 elliptic curve respectively. The execution times of the aforementioned operations are listed in Table 3. We compare the execution time of our scheme with other related works in [15,19,22,27]. Table 4 shows the execution time of signing a single message and of batch verification for the five schemes.
Table 4. Comparisons of the execution time of five schemes.

Method | Signing a Single Message (µs) | Verify a Single Message (µs) | Verify n Messages (µs) a
Giorgio's scheme
Lo's scheme
Horng's scheme
Our scheme | Vehicle: 2n RSU: T = T_RSSI + T_h + T_epm = 13.4
a n is the number of messages.
In our scheme, signing a message takes a vehicle 2.3 µs and the RSU processing takes 13.4 µs, which is slightly slower than Lo's scheme. However, the proposed scheme provides better scalability because it does not need a specific secure channel, unlike Lo's scheme, and our scheme can resist node compromise attacks, which the other schemes do not consider. Therefore, the proposed scheme is efficient in terms of computational overhead and more secure than the other schemes. More precisely, the proposed scheme obtains better trade-offs than the four other schemes.
Next, we compare the performance of batch verification in the proposed scheme with that of the other three proposed ID-based batch verification schemes. Figure 8 shows the relationship between the density of signed messages at a VSN entity inside its wireless range and the verification delay. The verification delay of the proposed scheme, which is 6.5 µs for one message, is slightly longer than that of Lo's scheme. However, the difference is small, and the security of our scheme is greatly enhanced.

Communication Overhead
In this subsection, we analyze the communication overhead of our scheme and compare it with other proposed schemes. In our scheme, the signed message contains {PID, P_1, P_2, M, L, T, v, time} for a vehicle and {(x_R, y_R), ID_R2, P_R1, P_R2, M, L_R, t, time, v_R} for an RSU. Since the length of p and q is 256 bits, the length of an element of G is 512 bits. The length of M is about 256 bits, which is the same as the output length of the general hash function. Let the timestamp, the expiration time and the coordinates of one node be 32 bits each. Table 5 shows the communication costs of our scheme and Table 6 shows the comparison of communication overhead among the four schemes. The communication overhead of the proposed scheme is about 296 bytes for a vehicle and 300 bytes for an RSU. To reduce the communication overhead, the key point in the proposed scheme is how to reduce the cost of the elements in G. Shim [22] developed a method that reduces the size of a point (x, y) in G. In this method, the entity (RSU or vehicle) sends only the x-coordinate of the point, and the receiver can acquire the y-coordinate by calculating the square root. Therefore, the size of (x, y) is reduced by applying this method, and in our scheme the total communication overhead for a vehicle is about 256 + 256 + 256 + 256 + 256 + 256 + 32 + 32 = 1600 bits = 200 bytes, and for an RSU is about 32 + 256 + 256 + 256 + 256 + 256 + 256 + 32 + 32 = 1632 bits = 204 bytes. Therefore, the proposed method obtains the smallest communication overhead compared with the other three schemes. Figure 9 shows the relationship between the communication overhead and the number of received messages. Obviously, the communication costs for RSUs are the smallest for the proposed scheme compared with the other three schemes.
In summary, the proposed scheme requires a smaller communication bandwidth than the other schemes when it transmits signed messages to other VSN entities.
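The x-coordinate-only encoding described above, worked through on secp256r1 as an added example that is not code from the paper: it recovers y with the square root (x^3 − 3x + b)^((p+1)/4) mod p, rejects x values that do not lie on the curve, and recomputes the byte counts quoted in this subsection. The field layout lists and the `sec1` variant (one prefix byte per point that selects between y and p − y) are assumptions of this example.

```python
# secp256r1 field prime, coefficient b and base point (a = -3).
P_MOD = 2**256 - 2**224 + 2**192 + 2**96 - 1
B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
G = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
     0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)

def curve_rhs(x):
    """Right-hand side of y^2 = x^3 - 3x + b over F_p."""
    return (pow(x, 3, P_MOD) - 3 * x + B) % P_MOD

def compress(point):
    """SEC1 compressed form: 0x02/0x03 (parity of y) followed by 32-byte x."""
    x, y = point
    return bytes([2 + (y & 1)]) + x.to_bytes(32, "big")

def decompress(data):
    """Recover (x, y); raise ValueError for anything that is not a curve point."""
    if len(data) != 33 or data[0] not in (2, 3):
        raise ValueError("not a compressed point")
    x = int.from_bytes(data[1:], "big")
    if x >= P_MOD:
        raise ValueError("x out of range")
    rhs = curve_rhs(x)
    y = pow(rhs, (P_MOD + 1) // 4, P_MOD)   # square root, valid since p % 4 == 3
    if y * y % P_MOD != rhs:
        raise ValueError("x is not the abscissa of a curve point")
    if y & 1 != data[0] & 1:
        y = P_MOD - y
    return x, y

def candidates_from_x(x):
    """With x alone the receiver obtains two points: (even-y, odd-y)."""
    xb = x.to_bytes(32, "big")
    return decompress(b"\x02" + xb), decompress(b"\x03" + xb)

# Field layouts of the two signed messages; kinds are assumed from the text.
VEHICLE = [("PID", "scalar"), ("P_1", "point"), ("P_2", "point"),
           ("M", "scalar"), ("L", "point"), ("T", "short"),
           ("v", "scalar"), ("time", "short")]
RSU = [("(x_R,y_R)", "short"), ("ID_R2", "scalar"), ("P_R1", "point"),
       ("P_R2", "point"), ("M", "scalar"), ("L_R", "point"),
       ("t", "short"), ("time", "short"), ("v_R", "scalar")]
POINT_BITS = {"full": 512, "x-only": 256, "sec1": 264}

def wire_bytes(fields, encoding):
    """Message size in bytes for a given point encoding."""
    sizes = {"scalar": 256, "short": 32, "point": POINT_BITS[encoding]}
    return sum(sizes[kind] for _, kind in fields) // 8
```

The x-coordinate alone leaves two candidate points, P and −P, so a verifier that adds points needs the parity byte or a fixed-parity convention; with the 33-byte SEC1 form the totals become 203 and 207 bytes.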

Conclusions
In this work, we have proposed an enhanced secure ID-based, certificateless authentication scheme for VSNs that supports batch verification and conditional privacy-preserving authentication. In addition, the proposed scheme provides compromised-RSU detection and an alarm mechanism, which many related works have not considered. The security analysis shows that the proposed scheme is secure against adaptive chosen message attacks by three types of adversaries in the random oracle model. Furthermore, the proposed scheme can resist major threats such as impersonation attacks, node replication attacks, hardware (RSU) tampering attacks, stolen smart card attacks and replay attacks. Finally, the scheme obtains better trade-offs between security and efficiency than other proposed schemes.
In future studies, we will focus on different network architectures and scenarios of VSNs and consider compatible security models that can co-exist in heterogeneous VSN networks. A scheme designed with better compatibility and scalability will be more suitable for VSNs.