SmartVeh: Secure and Efficient Message Access Control and Authentication for Vehicular Cloud Computing

With the growing number of vehicles and popularity of various services in vehicular cloud computing (VCC), message exchanging among vehicles under traffic conditions and in emergency situations is one of the most pressing demands, and has attracted significant attention. However, it is an important challenge to authenticate the legitimate sources of broadcast messages and achieve fine-grained message access control. In this work, we propose SmartVeh, a secure and efficient message access control and authentication scheme in VCC. A hierarchical, attribute-based encryption technique is utilized to achieve fine-grained and flexible message sharing, which ensures that vehicles whose persistent or dynamic attributes satisfy the access policies can access the broadcast message with equipped on-board units (OBUs). Message authentication is enforced by integrating an attribute-based signature, which achieves message authentication and maintains the anonymity of the vehicles. In order to reduce the computations of the OBUs in the vehicles, we outsource the heavy computations of encryption, decryption and signing to a cloud server and road-side units. The theoretical analysis and simulation results reveal that our secure and efficient scheme is suitable for VCC.


Introduction
Vehicular cloud computing (VCC) is an emerging and promising approach to exploit the latest advances in sensing, the Internet of Things, wireless communications, and cloud computing technologies for future transportation [1,2], which may improve road safety and satisfy emerging service demands through message broadcasting. VCC typically consists of road side units (RSUs) and on-board units (OBUs). Particularly, VCC is regarded as an important development that interconnects people, vehicles and information, since numerous services based on vehicle systems may require cooperation among vehicles and RSUs. In order to maximize the overall communication and computation efficiency in VCCs, adaptive resource management has been proposed to provide hard quality of service guarantees in some recent studies [3,4]. That means, with the wireless and sensor network, the driver can enjoy various services in-vehicle based on VCC. The wide application of VCC depends on an efficient mechanism to ensure secure and effective message sharing, which is critical to enable emerging services.
Specifically speaking, let us consider the following practical VCC scenarios [5,6]. Regarding the social aspect, for instance, drivers in vehicles are often glad to share their experiences and traffic (1) We provide a secure message access control framework in VCC based on hierarchical ABE (HABE). The framework consists of a trusted authority (TA), and a group of AAs which request secret parameters from the TA and generate persistent attribute keys or dynamic attribute keys for vehicles independently. Thus, vehicles can share confidential messages with other vehicles which satisfy the pre-defined access policy. (2) We utilize ABS to enforce message authentication, which can authenticate messages by verifying whether the signer's attributes satisfy the predicate policy. It also ensures message integrity by checking and maintaining the anonymity of vehicles. (3) We present a secure outsourcing construction in VCC by delegating the heavy computations from resource-limited OBUs to the cloud server and RSUs, which means that the computation complexity of OBUs is independent of the number of attributes.
The remainder of this paper is organized as follows. The related work is overviewed in Section 2, and technical preliminaries are provided in Section 3. The system framework, security model and system definition are provided in Section 4, and our construction of the proposed scheme is elaborated in Section 5. The security and performance analyses are described in Sections 6 and 7. The conclusions are given in Section 8.

Related Works
Over recent years, eavesdropping on messages, tampering with messages and forging warning messages by malicious attackers are security threats in VCC, and many related works have been proposed that have concentrated on confidentiality, access control, authentication, etc.
Pietrowicz et al. [12] adopted identity based encryption (IBE) algorithms to effectively address the challenges in providing secure communications in vehicle networks. Mallissery et al. [13] adopted the RSU geolocation key to encrypt the exchanged messages in a vehicular ad-hoc network (VANET), which provides location confidentiality against vehicles outside the zone. The weakness is that this scheme limits the scope of message sharing only to one RSU. Nema et al. [14] proposed an RSA-algorithm-based encryption and decryption approach to provide message confidentiality in VANETs. However, all of the above schemes do not consider the fine-grained access control of the transmitted message. ABE, introduced by Sahai and Waters, is cryptographic technique to implement fine-grained access control for encrypted messages [15,16]. In fact, ABE can be adopted in many applications to realize message confidentiality and access control in vehicular communication [17][18][19][20]. Huang et al. [17] proposed a security policy enforcement scheme to achieve secure message dissemination, which is the first one to introduce CP-ABE in VANET. The main drawback of this scheme is that the vehicles under different secure groups of RSUs cannot share messages with each other directly, which was improved in [18]. For emergency services, Yeh et al. [19] proposed an access control scheme in VANETs to send messages to nearby rescue vehicles securely with ABE. Xia et al. [9] divided the attributes of vehicles into two types, dynamic attributes and persistent attributes. Dynamic attribute values would change frequently, while persistent attributes such as police car and sprinkler would never change. This brings new challenges with respect to the heavy key management of AA, since it must re-generate secret keys for both persistent attributes and dynamic attributes when any dynamic attribute changes. To solve the issue of heavy key management by adopting ABE in VCC, Liu et al. [20] extended the CP-ABE algorithm with hierarchical authorities, which can reduce the key management of a single center authority. Nevertheless, none of the above ABE-based schemes can provide mechanisms to authenticate vehicles before handling the messages.
Message authentication of vehicles, which determines that a message is from a valid source, is another important security issue in vehicular communication networks. In consideration of the identity privacy of vehicles, the traditional IBS method is no longer applicable [21]. Sánchez-Garcíaby et al. [22] proposed an electronic identity (eID) based secure authentication scheme in VANETs, which can protect drivers' real identities. The vehicle broadcasts a message containing the certificate signed by eID to prove its identity when receiving the authentication request. Kang et al. [23] integrated pseudonyms with IBS in vehicular communication, which could not only authenticate the messages, but also protect the privacy of the message sender. Chim et al. [24] adopted anonymous credentials to guarantee the identity of driver to be unlinkable to any party. However, in these two anonymous schemes, the vehicle must preset a large number of anonymous keys in order to randomly choose one to sign messages, and the authority or RSU must hold the anonymous certificates of all the vehicles in order to authenticate vehicles, which creates a heavy overhead for key management. Instead of suffering from extra overhead, as in previous anonymous identity-based schemes, ABS is introduced in VCC to ensure anonymous authentication. In order to achieve message verification and maintain anonymity, Liu et al. [20] utilized ABS to enforce message authentication.
However, most existing ABE and ABS schemes introduce heavy computation overheads in the encryption, decryption and signing phases, and these computation costs grow linearly [25,26]. Therefore, OBUs that have limited resources may encounter serious challenges during these processes [27]. To reduce the computational burden of the OBUs of vehicles, Xia et al. [9] introduced an outsourced decryption construction for ABE in VCC, but this scheme requires each RSU to restore secret keys for all vehicles and ignores the high encryption cost of ABE. Liu et al. [28] proposed a secure message dissemination construction for vehicle networks, in which the local decryption computation cost can be outsourced to nearest RSU, but this scheme ignores the computation cost of message encryption with ABE. Ma et al. [29] proposed two CP-ABE based mechanisms for achieving both outsourced encryption and outsourced decryption. However, this scheme is not practical in VCC.

Bilinear Map
Let G 0 and G T be two multiplicative groups with the same prime order p. A map e : G 0 × G 0 → G T with the following properties is said to be bilinear: (1) Computability. There is a polynomial time algorithm to compute e(g, h) ∈ G T for any g, h ∈ G 0 .
(2) Bilinearity. For all g, h ∈ G 0 and a, b ∈ Z p , we have e(g a , h b ) = e(g, h) ab .

Access Tree
Let T be a tree representing an access policy. Each non-leaf node x of the tree represents a threshold gate. Let num x denote the number of children of a node x, and k x represent its threshold value, then 1 ≤ k x ≤ num x . For each leaf node x of the tree, we have k x = 1, and denote attr x as an attribute associated with it. For a non-leaf node x, the child nodes of x are numbered from 1 to num x . The function parent(x) represents a parent node of the node x, index(x) returns the index value of node x.
We let T x be the sub-tree rooted at node x in T. We denote the result as T x (r) = 1 if the attribute set r satisfies the access tree T x . Then the value of T x (r) is computed in the following. If x is a leaf node and attr x ∈ r, T x (r) returns 1. If x is a non-leaf node, we compute T n (r) for all children n of node x. If at least k x children return 1, T x (r) returns 1.

Ciphertext-Policy, Attribute-Based Encryption
In a typical CP-ABE system, the access policy is expressed as a tree over a set of attributes. The CP-ABE scheme is composed of the following four algorithms.
(1) Setup(1 λ ): On input of a security parameter λ, the algorithm outputs a public key PK and a master key MK. (2) KeyGen(MK, PK, S): On input of the master key MK, public key PK and a set S of attributes, the algorithm outputs a secret key SK.

Attribute-Based Signature
An ABS scheme that provides anonymous message authentication generally consists of the following four algorithms.
(1) Setup(1 λ ). On input of a security parameter λ, AA generates the public key PK and master key MK.
(2) KeyGen(MK, PK, S). On input of the master key MK, public key PK, and a set of attributes S, AA generates the secret key SK.

System Framework
The system framework of SmartVeh consists of the following parties: TA, AA, cloud server, RSUs and vehicles, as shown in Figure 1. The TA is viewed as a fully trusted party that takes charge of managing AAs and generating system parameters and secret parameter to AAs. The AAs are also trusted and independent of each other. According to the different types of attributes managed by the AA, persistent AA is responsible for generating the persistent attributes of vehicles, and dynamic AA is responsible for generating the dynamic attributes of vehicles. A semi-trusted cloud server which has powerful computation and storage capabilities is intended to perform the outsourced encryption and signing computations. The RSUs are interconnected through wired lines, and provide wireless connections to vehicles. We assume that there are the dense of RSUs deployed near the road in the city, and the RSUs are responsible for performing access control with vehicles, and authenticating the origin of messages by verifying the signature of vehicles. If the signature verification is passed, RSUs would partially decrypt the encrypted messages, and then broadcast them to vehicles. The vehicles with OBUs and powerful sensors are a set of nodes that are moving on the road, and communicate with each other through RSUs. When a vehicle communicates with others, it encrypts the message with an access policy and signs message with its attributes before broadcasting to others, and intended receivers can decrypt the ciphertext with their attributes.

System Framework
The system framework of SmartVeh consists of the following parties: TA, AA, cloud server, RSUs and vehicles, as shown in Figure 1. The TA is viewed as a fully trusted party that takes charge of managing AAs and generating system parameters and secret parameter to AAs. The AAs are also trusted and independent of each other. According to the different types of attributes managed by the AA, persistent AA is responsible for generating the persistent attributes of vehicles, and dynamic AA is responsible for generating the dynamic attributes of vehicles. A semi-trusted cloud server which has powerful computation and storage capabilities is intended to perform the outsourced encryption and signing computations. The RSUs are interconnected through wired lines, and provide wireless connections to vehicles. We assume that there are the dense of RSUs deployed near the road in the city, and the RSUs are responsible for performing access control with vehicles, and authenticating the origin of messages by verifying the signature of vehicles. If the signature verification is passed, RSUs would partially decrypt the encrypted messages, and then broadcast them to vehicles. The vehicles with OBUs and powerful sensors are a set of nodes that are moving on the road, and communicate with each other through RSUs. When a vehicle communicates with others, it encrypts the message with an access policy and signs message with its attributes before broadcasting to others, and intended receivers can decrypt the ciphertext with their attributes.

Security Model
In this work, we consider TA and AA to be trusted, while the cloud server and RSUs are honest but curious. It means they may learn sensitive information from the broadcast message. Specifically, the security requirements are defined as follows: (1) Message confidentiality. The messages should be transmitted in encrypted form, and the vehicles which cannot satisfy the access policy defined by the message sender should not be allowed to access the plaintext of the message. Meanwhile, the cloud server and RSUs cannot recover the broadcast message.

Security Model
In this work, we consider TA and AA to be trusted, while the cloud server and RSUs are honest but curious. It means they may learn sensitive information from the broadcast message. Specifically, the security requirements are defined as follows: (1) Message confidentiality. The messages should be transmitted in encrypted form, and the vehicles which cannot satisfy the access policy defined by the message sender should not be allowed to access the plaintext of the message. Meanwhile, the cloud server and RSUs cannot recover the broadcast message. (2) Fine-grained access control. The vehicle can enforce an access policy for each broadcast message, which designates the messages that the vehicle is allowed to access. (3) Message authentication. If message sender's attributes could not satisfy the predicate policy, the message broadcast should not succeed. (4) Collusion resistance. The message access should not be successful if either of the vehicles cannot satisfy the access policy alone. Further, even if unauthorized vehicles collude with the RSU, the access should not take effect.

System Definition
According to the SmartVeh framework, our scheme consists of these ten algorithms.
(1) Setup(1 λ ): On input of a security parameter λ, the TA outputs a system public key PK and a master key MK.
in different AAs, the cloud server outputs a partially encrypted ciphertext CT .

Construction of SmartVeh
In order to achieve secure message broadcasting, we provided an access control framework for encrypted messages in VCC by employing a delegation mechanism based on HABE, and utilized ABS to enforce message authentication, which can authenticate messages by verifying that the sender's attributes satisfy T c in the ciphertext.

System Setup
The TA first runs the Setup algorithm to choose two multiplicative groups with prime order p, that are G 0 and G T , and a bilinear map e : G 0 × G 0 → G T . Then, the TA randomly chooses g, h ∈ G 0 and α, β ∈ Z p , and chooses cryptographic hash functions H 1 : {0, 1} * → Z * p , H 2 : {0, 1} * → G 0 . Finally, the TA outputs a system public key PK = (g, g α , g β , h, h β , e(g, g) αβ ) and a master key MK = (α, β).

Authority Setup
Our scheme divides the attributes of vehicle into two types, persistent attributes and dynamic attributes, which are managed by different AAs independently. The TA runs the CreateAA algorithm to select a random but unique value ν i ∈ Z p for AA i . For the attribute set A managed by AA i , the TA chooses random r i,j for each attribute in it. Then the TA computes the master secret key for AA i as

Key Generation
For each vehicle, the AA i runs the KeyGen algorithm to choose a unique secret γ i ∈ Z p and a random ε i ∈ Z p . For each attribute j in the attribute set S i of vehicle in AA i , the AA i chooses a random u i,j ∈ Z p . Finally, AA i outputs the key as Thus the vehicle's secret key in AA i is: For example, an ambulance can get secret keys for vehicle type from the AA 1 for persistent attributes, and get secret keys for road and direction from the AA 2 for dynamic attributes.

Message Broadcasting
Before broadcasting the message to the RSUs, the vehicle first selects a symmetric key DK ∈ Z p randomly. Then the vehicle encrypts M by utilizing a symmetric encryption algorithm, and the result is outputted as C = SE DK (M). Then the vehicle defines a collection of access policies {T a is the access tree in AA i , such as "police car OR ambulance", "(normal road AND east) AND (eall road AND north)".

Cloud Encryption
The cloud server runs the Cloud.Encrypt algorithm to execute outsourcing encryption. First, the cloud server chooses a polynomial p x for each node x in T (i) a . The polynomials are selected in a top-down manner. For each node x in T (i) a , the cloud server sets the degree d x of p x to be k x − 1. The algorithm selects a random s i ∈ Z p and sets p R (0) = s i for the root node R. Then the algorithm chooses d R other points of p R randomly to complete the definition. For the other node x, the algorithm sets p x (0) = p parent(x) (index(x)) and chooses d x other points randomly to complete the definition. In T (i) a , let Y i be the set of leaf nodes. Then, the cloud server returns the result as Finally, the cloud server outputs a partial ciphertext CT as

Vehicle Encryption
With the partial ciphertext CT , the vehicle runs the Vehicle.Encrypt algorithm to randomly choose t ∈ Z p , compute C 1 = DK · e(g, g) αβt and C 2 = g t . Then, the vehicle computes C i,3 = C i,3 · g βt , C i,4 = C i,4 · h βt and outputs the ciphertext CT as

Cloud Signing
The encrypted messages must be authenticated, since the messages may be forged by attackers. Then the vehicle computes S 0 = H 2 (CT), and sends the ciphertext CT, a predicate policy T c , such as "(middle road AND east) AND location of accident", an outsourced secret key SK k = {AK k } corresponding to attribute set S k in AA to the cloud server through RSUs. The cloud server runs the Cloud.Sign algorithm to execute computation outsourcing. For each node x of predicate policy T c , the cloud server chooses polynomial q x in a top-down manner, and sets the degree d x of q x to be k x − 1.
Starting from R, the algorithm first selects a random r ∈ Z p and sets q R (0) = r. Then, the algorithm randomly chooses d R other points of q R to complete the definition. For the other node x, it sets q x (0) = q parent(x) (index(x)) and then selects d x other points randomly to define q x completely.
In T c , let Z be the set of leaf nodes. Then, the cloud server outputs the signing token SN as The cloud server randomly chooses t j ∈ Z p for each node j ∈ Z, and computes with SK k as follows.
(2) If j ∈ Z/S k ∩ Z, the cloud server computes S j = (H 1 (j) t j ) 1/r = H 1 (j) t j /r , and S j = (g t j ) 1/r = g t j /r .
Finally, the cloud server randomly selects λ ∈ Z p and outputs the partial signature ST as

Vehicle Signing
With the partial signature generated by the cloud server, the vehicle first runs the Vehicle.Sign algorithm to randomly choose µ ∈ Z p and compute S 1 = S 1 · (S 0 ) µ · D k and S 2 = S 2 · g µ . At last, the vehicle generates the encrypted message's signature ST as The vehicle sends the signature ST with encrypted message to the connected RSUs, and the message will be broadcasted to other vehicles.

Message Decryption
When receiving the encrypted and signed message, the recipient RSU runs the Veri f y algorithm to verify that the message is from an authorized source.

RSU Verifying
The RSU runs the VerNode algorithm, which takes as input ST, SN and a node x of T c . (1) If x is a leaf node, then we set w = attr x . If w ∈ S ∩ Z, then VerNode(ST, SN, x) = e( Sw, Kx) e( S w , K x ) = e(g (ν k +γ k )β/r H 1 (z) (r k,w +u k,w +tw )/r ,g qx (0) ) e(g (r k,w +u k,w +tw )/r ,H 1 (attrx) qx (0) ) = e(g, g) (ν k +γ k )β/r·qx(0) If w ∈ Z/S ∩ Z, then (2) If x is a non-leaf node, the algorithm VerNode(ST, SN, x) computes as follows. It calls the VerNode(ST, SN, n) algorithm for each child node n of x, and outputs the result as I n .
We denote S x as an arbitrary k x -sized set of child nodes n such that I n = ⊥. If no such set exists, it returns ⊥. Otherwise, the algorithm computes the I x .
where j = index(n) and S x = {index(n) : n ∈ S x }. Then, we can define the evaluation result for predicate tree T c as I, if T c is satisfied.
Finally, the RSU checks whether the equation holds.

RSU Decryption
With part of the secret key SK k = (D k,1 , D k,2 , AK k ) from the vehicle corresponding to attribute set S k , the RSU runs the RSU.Decrypt algorithm to decrypt the CT. In order to evaluate whether the vehicle's attributes satisfy T (k) a or not, the RSU runs the DecNode algorithm, which takes as input CT k , SK k , and a node x from T (k) a .
(1) If x is a leaf node, then we let w = attr x and compute the following. If w ∈ S k , then If z / ∈ S k , then DecNode(CT k , SK k , x) = ⊥. (2) If x is a non-leaf node, the algorithm DecNode(CT k , SK k , x) computes the following. It calls DecNode(CT k , SK k , n) for each child node n of x, and generates the result as F k,n . Let S x be an arbitrary k x -sized set of child nodes n such that F k,n = ⊥. Similar to the verifying process, the algorithm computes as follows. If the receiver owns enough attributes to satisfy T (k) a , we set the evaluation result as F k .

Vehicle Decryption
After receiving the result from the RSU, the vehicle runs the Vehicle.Decrypt algorithm to recover DK with its own secret key.
Finally, the vehicle can recover the message M with DK based on the symmetric decryption algorithm, while the unauthorized vehicles are prevented from accessing it.

Security Analysis
The construction of SmartVeh is based on CP-ABE [25] and ABS [26], which have been proved secure, thus our scheme has the same security property as these. Then we discuss the security properties of SmartVeh, which not only provides message confidentiality, but also guarantees fine-grained access control, efficient message authentication and collusion resistance.

Message Confidentiality
The broadcast message in our scheme is first encrypted with a symmetric encryption technique. Then the DK is encapsulated by access policy. Hence, message confidentiality against outside vehicles which do not have enough attributes can be guaranteed. In the message broadcasting phase, the cloud server executes most of encryption computations for the vehicle. However, the cloud server cannot access the plaintext of message without the secret key. Moreover, if the attribute set of the vehicle cannot satisfy the T a in the ciphertext, the value A k = e(g, g) (ν k +γ k )βt cannot be computed by the RSUs to get DK in the message decryption phase. Therefore, only vehicles that satisfy T a can decrypt the encrypted message, and message confidentiality against a semi-trusted cloud server and RSUs is also guaranteed.

Fine-Grained Access Control
Our work used the CP-ABE mechanism to protect DK, and ensure flexibility by specifying the access policies of vehicles. In the message encryption phase, the sender is able to protect the symmetric key with an expressive access policy, and broadcast the encrypted message through RSUs. Specifically, the access policy in the ciphertext can be represented by flexible access tree. In this way, our scheme can dramatically increase the flexibility and represent any desired access conditions.

Message Authentication
In our work, the ABS technique was adopted to achieve message authentication with privacy preservation. The adversary, such as a malicious vehicle, may want to forge a signature with an unsatisfied predicate policy, so that fake messages have a reliable source. However, as proved in [26], our work is secure under the computational Diffie-Hellman assumption, since the adversary cannot forge a valid ST with a non-negligible probability.

Collusion Resistance
Malicious vehicles may collude to combine their secret keys to decrypt a ciphertext that each of them cannot access individually. However, the secret key outputted by AA in our scheme is generated with random γ i , which is unique for each vehicle. Thus, even if two or more vehicles combine their attributes to satisfy the access policies, the value F k = e(g, g) (ν k +γ k )βs k cannot be computed. Moreover, even if malicious vehicles collude with RSUs to decrypt the encrypted message, the collusion will not succeed.

Functionality Comparisons
In this part, we will analyze the performance of several ABE-based message sharing schemes. The results are shown in Table 1. The functionality comparison of our scheme with these schemes in VCC is in terms of message confidentiality, hierarchical authorities, persistent attribute key generation, anonymous authentication and computation outsourcing. First, the compared schemes all adopt the ABE technique to grant fine-grained access control for vehicular messages. Moreover, only Xia et al. [9], Liu et al. [20] and our scheme clearly define the attributes of vehicles that include persistent attributes and dynamic attributes. However, a persistent attribute key is generated only once in Liu et al. [20] and our scheme, while in Xia et al. [9] it needs to be generated when the vehicles move into another RSU. Further, we can see that in our scheme, Xia et al. [9] and Liu et al.
[28] achieve decryption outsourcing, which incur less computation costs for message decryption for resource-limited OBUs in vehicles. This is because the RSU helps the OBU to decrypt the ciphertext. However, the origin of the message is not authenticated in Xia et al. [9] and Liu et al. [28], which may bring security concerns, such as forged messages and man-in-the-middle attacks. Chim et al. [24] and Liu et al. [20] adopt IBS with pseudonym and ABS, respectively, to achieve anonymous authentication, but the pseudonym method creates large extra storage overheads and the standard ABS method would bring large computation costs.
Compared to these schemes, our scheme first introduces HABE to reduce the overhead for key management on a single TA by dividing dynamic and persistent attributes managed by different AAs, which also resolves the problem of single point failure to a certain extent, and the complexity of operations of AAs in the key generation phase is independent of the number of vehicles, which means that our scheme is scalable enough to handle a case where the number of authorized vehicles increases dynamically. Further, our scheme proposes an outsourced architecture to satisfy the lightweight demand of resource-limited OBUs in VCC.

Performance Analysis
We discuss the efficiency of our scheme in terms of message encryption, decryption and signing, and compare the results with Liu et al. [28], Xia et al. [9] and Liu et al. [20], which are related schemes in a vehicular network. Table 2 shows the comparison results. Let T r , T 0 , T t , N c , N u and N d denote the computation cost of the pairing operation, the computation cost of the exponentiation operation in G 0 , the computation cost of the exponentiation operation in G T , the number of attributes in the ciphertext, the total number of attributes of the vehicle, and the number of dynamic attributes, respectively. The symmetric encryption and decryption, hash and simple multiplication operations are ignored. (3 + N u )T 0 (3N c + 1)T 0 + T t T r -Xia et al. [9] (3 + N u )T 0 (3N c + 1)T 0 + T t T r -Liu et al. [20] ( First, we analyzed the computation cost in the key generation phase. As vehicles are moved through different RSUs dynamically along with time, the secret keys should be generated for vehicles by TA. Xia et al. [9] and Liu et al. [28] both need to perform (3 + N u )T 0 to generate all secret keys for vehicles. Our scheme and Liu et al. [20] both divide attributes into two types, namely persistent attributes and dynamic attributes. The AA only needs to generate secret keys according to dynamic attributes for vehicles since the value of persistent attributes are not changed. From the table, we can notice that the computation cost of our scheme in this phase is less than that in Liu et al. [20] which needs to generate extra signing keys at the same time.
Second, we discuss the overhead of encryption and decryption of the message. Since Liu et al.
[28], Xia et al. [9] and Liu et al. [20] all execute the complex ABE algorithm, the encryption computation costs on the vehicle side of these schemes are (3N c + 1)T 0 +T t , (3N c + 1)T 0 + T t and (2N c + 1)T 0 + T t , respectively, which increase with N c . Conversely, the result stay constant in our scheme. For the message decryption phase, the vehicles use secret keys to decrypt the encrypted message recursively in Liu et al. [20], and the computation cost is (2N c + 1)T r + N c T t . In Liu et al.
[28], Xia et al. [9] and our scheme, most of decryption computations are outsourced to nearby RSUs, and the OBUs in vehicles only need one pairing operation to decrypt the partially decrypted message.
In order to analyze the time cost of signing the message, we compared our scheme with Liu et al. [20], which achieves anonymous authentication based on ABS as well, and needs to perform 3N u T 0 + 2T t in signing the algorithm, while in our scheme, the cloud server is able to partially sign the ciphertext with a predicate policy and outsourced secret key, which are both sent by the vehicles. The OBUs in the vehicles only need to perform two exponent operations in G 0 . Thus, most of the laborious signing operations in the vehicle are delegated to the cloud server through RSUs, so that the computation overhead of the vehicles can be reduced.

Simulation Evaluation
Next, we analyze the computation cost of our scheme by conducting experiments on a simulated RSU with an Intel CPU at 2.53 GHz and 4 GB RAM. The OBU in the vehicle, which has limited processing power, is simulated by an Android phone with a 1.2 GHz processor [27]. The simulations are developed with a pairing-based cryptography library [30]. A type A elliptic curve of 160-bit group order is chosen. We assume that each vehicle has the same number of persistent attributes and dynamic attributes, which means that each of them has half of the whole attributes.
From Figure 2, we can observe that the computation costs for key generation in these schemes all grow with N c , while those for our scheme and Liu et al. [20] grow at a slower pace than Xia et al. [9], and our scheme costs almost the same as Liu et al. [20].
Next, we analyze the computation cost of our scheme by conducting experiments on a simulated RSU with an Intel CPU at 2.53 GHz and 4 GB RAM. The OBU in the vehicle, which has limited processing power, is simulated by an Android phone with a 1.2 GHz processor [27]. The simulations are developed with a pairing-based cryptography library [30]. A type A elliptic curve of 160-bit group order is chosen. We assume that each vehicle has the same number of persistent attributes and dynamic attributes, which means that each of them has half of the whole attributes.
From Figure 2, we can observe that the computation costs for key generation in these schemes all grow with c N , while those for our scheme and Liu et al. [20] grow at a slower pace than Xia et al. [9], and our scheme costs almost the same as Liu et al. [20]. In the message broadcasting phase, the OBU in our scheme encrypts the message with a predefined access policy, and signs the ciphertext. To compare the efficiency of Xia et al. [9], Liu et al. [20] and our scheme, we evaluated the computation costs under two situations, namely nonauthentication and authentication. Figure 3 shows that the computation time for message broadcasting is related with c N in Ta. Firstly, the cost of Xia et al. [9] and Liu et al. [20] without authentication increase with c N in Ta, while remaining constant at a low level in our scheme.
Then, we compared our scheme with Liu et al. [20] with authentication, to illustrate the encryption efficiency of our authentication scheme. As shown in the figure, the time cost of Liu et al. [20] is related to c N in Ta. Although the results for our scheme are slightly greater than the previous situation, they are still constant, which illustrates that our scheme is more efficient. Figure 4 illustrates the computation time for the OBU by decrypting the ciphertext. The data decryption time of Liu et al. [20] also increased with c N in the Ta, while Xia et al. [9], while, on the contrary, our scheme, based on decryption outsourcing, remained constant. In the message broadcasting phase, the OBU in our scheme encrypts the message with a predefined access policy, and signs the ciphertext. To compare the efficiency of Xia et al. [9], Liu et al. [20] and our scheme, we evaluated the computation costs under two situations, namely non-authentication and authentication. Figure 3 shows that the computation time for message broadcasting is related with N c in T a . Firstly, the cost of Xia et al. [9] and Liu et al. [20] without authentication increase with N c in T a , while remaining constant at a low level in our scheme. Then, we compared our scheme with Liu et al. [20] with authentication, to illustrate the encryption efficiency of our authentication scheme. As shown in the figure, the time cost of Liu et al. [20] is related to N c in T a . Although the results for our scheme are slightly greater than the previous situation, they are still constant, which illustrates that our scheme is more efficient. Figure 4 illustrates the computation time for the OBU by decrypting the ciphertext. The data decryption time of Liu et al. [20] also increased with N c in the T a , while Xia et al. [9], while, on the contrary, our scheme, based on decryption outsourcing, remained constant.

Conclusions
This paper proposes a secure and efficient message access control and authentication scheme for VCC based on HABE and ABS. In our scheme, the attributes of vehicle are divided into persistent attributes and dynamic attributes. These two kinds of attributes are managed by different AAs, which reduces the key management for single TAs. To prevent the forging of messages, we adopt ABS to anonymously authenticate the origin of messages in VCC. Considering the resource-limited OBUs in vehicles, our scheme outsources the heavy computations from OBUs to cloud servers and RSUs. The analysis shows that our scheme achieves efficient access control and authentication of messages in VCC.