PCPA: A Practical Certificateless Conditional Privacy Preserving Authentication Scheme for Vehicular Ad Hoc Networks

Vehicular ad hoc networks (VANETs) are a promising network scenario for greatly improving traffic efficiency and safety, in which smart vehicles communicate with other vehicles or with roadside units. For VANETs to be usable, their security and privacy problems must be addressed. In this paper, based on certificateless cryptography and elliptic curve cryptography, we present a certificateless signature with message recovery (CLS-MR), which we believe is of independent interest. Then, a practical certificateless conditional privacy preserving authentication (PCPA) scheme is proposed by incorporating the proposed CLS-MR scheme. Furthermore, the security analysis shows that PCPA satisfies all security and privacy requirements. The evaluation results indicate that PCPA achieves low computation and communication costs because it needs neither bilinear pairing nor map-to-point hash operations. Moreover, extensive simulations show that PCPA is feasible and performs well in terms of message delay and message loss ratio, and thus is more suitable for the deployment and adoption of VANETs.


Introduction
With the progress of human civilization and the development of industrial technology, vehicles have become widespread in modern society, which leads to problems such as traffic congestion, accidents, vehicle emissions, etc. Therefore, wide attention has been paid to dealing with the above issues in both academia and the automobile industry.
Vehicular ad hoc networks (VANETs), a key component of intelligent transport systems (ITS) and a particular kind of mobile ad hoc network (MANET), are promising for improving traffic management efficiency and road traffic safety [1]. Generally, a typical VANET is comprised of three types of entities, i.e., the trusted authorities (TAs), the roadside units (RSUs) installed along the roads, and the vehicles equipped with onboard units (OBUs). The TAs maintain the whole system and communicate with the RSUs over secure wired communication. The RSUs alleviate the burden of the TAs by performing authentication tasks, while the vehicles (OBUs) provide the wireless communication capability, communicating with the RSUs (Vehicle-to-Infrastructure, V2I, communication) and with other vehicles (Vehicle-to-Vehicle, V2V, communication). Here, the IEEE 802.11p standard is used for wireless communication based on the Dedicated Short Range Communication (DSRC) protocol [2,3], in which each vehicle (OBU) periodically broadcasts traffic-related messages (e.g., the vehicle's speed, position, turning direction and time) every 300 ms. According to the received traffic-related messages, other vehicles can alter their driving routes to avoid emergency braking or traffic accidents, and the RSU can inform the traffic control center to regulate the traffic and prevent potential traffic jams. Based on the hybrid architecture of V2I and V2V communication, VANETs are conducive to enhancing traffic safety, improving traffic management and optimizing traffic efficiency.
Owing to the inherent broadcast nature of the wireless channels, the communication in VANETs is vulnerable to various attacks such as eavesdropping, replaying, tampering, modification and forgery attacks, etc. Therefore, for the widespread deployment of VANETs, the security and privacy challenges must be solved [4,5].
The authentication mechanism, which consists of identity authentication and message integrity, is the key to ensuring the security of VANETs [1,5,6]. If identity authentication is not provided, a malicious vehicle may impersonate a legal vehicle and broadcast messages to obtain illegal benefits. If message integrity is not ensured, a malicious vehicle may broadcast falsified or altered messages that seriously disrupt traffic or have serious consequences for the surrounding vehicles, without being caught. Thus, authentication has to be implemented to verify a vehicle's identity and to distinguish trustworthy messages among those received. Digital signatures may be used to address this problem in VANETs: the vehicle signs messages before sending them out, and the receivers authenticate the messages before using them.
Apart from that, privacy is also important for VANETs [7,8]. A vehicle's private information, such as its current position, license number, driver's identity and travel route, must be kept confidential for a long time. For example, the leakage of a vehicle's route information may have grave consequences, since the information may be used for crimes or to cause traffic accidents. In general, vehicles do not want their private information disclosed in broadcast messages. Therefore, vehicle privacy must be protected.
However, security sometimes conflicts with privacy. In particular, the former often involves identity information and a message's origin, while the latter requires that no entity can trace a message to its generator. Thus, conditional privacy is usually considered in VANETs. That is, a vehicle's privacy is normally preserved in the system, but if a malicious vehicle does not perform the protocol correctly (e.g., by broadcasting false messages), its privacy is revoked, in which case a trust authority (TA) is able to trace or retrieve the real identity of the vehicle. The conditional privacy-preserving authentication (CPPA) mechanism [9,10], which achieves message authentication and conditional privacy preservation simultaneously, is well suited to addressing the security and privacy issues in VANETs.
Despite having solved the key escrow problem of ID-based schemes and the public key certificate management problem of PKI-based schemes, existing certificateless schemes are still unsuitable for VANETs. The reason is that such schemes [12][13][14][15] perform poorly because they require map-to-point hash and bilinear pairing operations. Compared to other cryptographic operations, these two operations are complex and time-consuming. Therefore, it is important to design a practical certificateless CPPA scheme for VANETs that uses neither bilinear pairing nor map-to-point hash operations.

Our Contributions
This paper proposes a practical certificateless conditional privacy preserving authentication (PCPA) scheme for VANETs. To summarize, the major contributions of this paper are as follows:
• A certificateless signature with message recovery (CLS-MR), which is proved secure under the elliptic curve discrete logarithm (ECDL) assumption in the random oracle model, is proposed based on certificateless cryptography [16] and elliptic curve cryptography (ECC) [17,18]. This is of independent interest.
• A practical certificateless conditional privacy preserving authentication (PCPA) scheme for VANETs is proposed based on CLS-MR. The security analysis and comparison indicate that PCPA satisfies all security and privacy requirements.
• The performance in terms of computation and communication cost is evaluated through quantitative calculations. Experimental results show that PCPA is more efficient than the schemes in [12][13][14][15].
• An extensive simulation is performed, and the results show that PCPA is more feasible and achieves low average message delay and message loss ratio.

Organization
The rest of this paper is organized as follows: in Section 2, we survey the related work on CPPA in VANETs. In Section 3, the preliminaries are introduced. We present the concrete PCPA scheme for V2I communication in Section 4. Section 5 analyzes the security of the proposed scheme. Section 6 presents the performance evaluation and simulation results. Finally, Section 7 concludes the paper.

Related Works
Many researchers have put great effort into authentication schemes aiming to achieve security, privacy and efficiency. These schemes are roughly classified into three categories: PKI-based authentication schemes, ID-based authentication schemes, and certificateless authentication schemes.
In the first category, anonymous certificates are used to hide the vehicles' real identities. In 2004, Hubaux et al. [4] claimed that PKI technology could be used to address the security and privacy preserving problems in VANETs. In 2007, Raya and Hubaux [1], based on PKI and anonymous certificates, put forward an anonymous authentication scheme for VANETs. In this scheme, each vehicle needs to preload many anonymous public/private key pairs and the corresponding public key certificates. In this case, the vehicles need a large storage space and incur a huge verification overhead. Furthermore, a trusted authority (TA) will generate a large certificate revocation list (CRL), making the revocation mechanism very inefficient. In 2008, Lu et al. [10] constructed an efficient conditional privacy preserving (ECPP) mechanism for VANETs to solve the storage space problem and the CRL growth problem in [11]. Zhang et al. [19] proposed a message authentication scheme based on a k-anonymity approach and hash message authentication codes to achieve privacy preservation for the vehicles at low communication cost. However, all PKI-based authentication schemes for VANETs have a bottleneck in the management and storage of certificates.
ID-based authentication schemes for VANETs have been proposed to solve the problems mentioned above. Incorporating ID-based cryptography [20], Zhang et al. [11,21] proposed ID-based CPPA schemes supporting batch verification based on bilinear pairing for VANETs. In these schemes, the RSU and the vehicle use pseudo-identity information as their public keys, while the private keys are generated by a trusted third party, namely the private key generator (PKG). Thus, these schemes avoid storing certificates in the entities and alleviate the certificate management of PKI. Furthermore, the schemes achieve low verification cost through batch message verification, which allows a large number of messages to be verified simultaneously. In 2009, an ID-based authentication scheme for V2I communication based on a binary authentication tree was proposed by Jiang et al. [22]. This scheme meets the security and privacy requirements and achieves high efficiency in VANETs. In 2011, Chim et al. [23] pointed out that the schemes proposed in [11,21] were insecure against impersonation and anti-traceability attacks, and then constructed a secure communication scheme for VANETs. Based on bilinear pairing, Huang et al. [24] presented a new authentication scheme for VANETs that is not only efficient but also provides conditional privacy to the vehicles. Based on a pseudo-identity-based signature, Shim [25] proposed an ID-based CPPA scheme for VANETs. In 2013, Shim [26] and Li et al. [27] pointed out that the schemes in [11,22] were insecure against certain attacks, and then established improved ID-based authentication schemes. Horng et al. [28] showed that the scheme in [23] is not secure against impersonation attack and proposed a secure scheme to make up for the security flaw in [23]. In 2014, Zhang et al. [29], aiming at the weakness mentioned in [27], constructed an improved ID-based CPPA scheme for VANETs. Liu et al. [30] indicated that the underlying ID-based signature scheme in [25] was unable to reach an acceptable security level, and thus the corresponding Coron's technique authentication scheme suffers from a modification attack. In 2015, Bayat et al. [31] further pointed out the security flaws in [27] and designed a new scheme. Based on bilinear pairing, ID-based authentication schemes [32][33][34][35][36] were proposed, which are capable of guaranteeing the security and privacy requirements in VANETs. However, the performance of such schemes is not satisfactory because bilinear pairing operations are used to implement authentication in VANETs. Based on ECC, efficient ID-based authentication schemes for VANETs were proposed in [37][38][39][40][41][42][43], where bilinear pairing operations and map-to-point hash operations are not applied. They achieve high efficiency in terms of computation and communication cost. Although ID-based authentication schemes eliminate certificates, simplify key management and reduce storage overhead, they are confronted with the inherent key escrow challenge. That is to say, the PKG knows the private keys of all vehicles and RSUs. This condition may be excessively strong and is not appropriate for VANETs.
To solve the key escrow problem of ID-based authentication schemes, certificateless authentication schemes have been proposed for VANETs. Horng et al. [12], based on certificateless cryptography [16], put forward a secure certificateless CPPA scheme. In this scheme, only the partial private key of a user (RSU or vehicle) is generated by a trusted party, namely the Key Generator Center (KGC). A secret value is picked by the user itself and combined with the partial private key to form the private key. Therefore, the KGC does not know the private keys of the users. Moreover, in the certificateless CPPA scheme, public key certificates are not needed to guarantee the authenticity of public keys. In 2016, Li et al. [13] found that the scheme in [12] was not secure against a malicious-but-passive KGC under the existing security model. In other words, the KGC may maliciously implant a trapdoor in the public system parameters and attempt to forge a signature without the vehicle's private key. Based on bilinear pairing, an efficient certificateless aggregate signature scheme for VANETs was put forward by Malhi et al. [14], which achieves low computation costs in the verification phase. In 2018, Kumar et al. [15] demonstrated that the scheme in [14] was vulnerable to a malicious KGC attack and proposed an improved scheme for VANETs, which eliminates the security flaws of the scheme in [14] while achieving the same performance.
Upon reviewing the literature, the aforementioned schemes have different problems. PKI-based schemes suffer from the high cost of certificate management at the CA, in which case the vehicles could easily disrupt the service of VANETs. As for ID-based schemes, a key escrow problem is inevitable and undermines the security of VANETs. Until now, the existing certificateless schemes solve the above problems of PKI-based and ID-based schemes but are still not efficient and suitable for VANETs because of their huge computation overhead and communication cost.
The proposed scheme addresses the aforementioned issues simultaneously based on ECC. It requires neither certificate management nor involves the key escrow problem. Moreover, the proposed scheme does not use bilinear pairing and map-to-point hash operations, which gives it outstanding performance and makes it more suitable for VANETs than other schemes.

Preliminaries
The elliptic curves and related problems, the system model, the security requirements and the cryptographic primitive used as building blocks are introduced in this section. For readability, the notations adopted in the present paper are listed in Table 1.

Symbol                                Description
p, q                                  two large prime numbers
F_p                                   a finite field over p
G                                     an additive group
P                                     a generator of G
KGC                                   a key generation center
(P_pub, s)                            KGC's public key and private key
H_1(·), H_2(·), H_3(·), H_4(·)        hash functions
(T_pub, t)                            TRA's public key and private key
m_i                                   a message sent from vehicle to RSU
P_i                                   V_i's public key

Elliptic Curves
Miller [17] and Koblitz [18] first proposed the concept of elliptic curve cryptography (ECC). Let F_p be a finite field with a large prime p. The elliptic curve E over F_p is defined as the set consisting of the point at infinity O and all points P = (x, y) that satisfy the equation y^2 = x^3 + ax + b (mod p), where a, b ∈ F_p and the discriminant ∆ = 4a^3 + 27b^2 ≠ 0. The elliptic curve E forms an additive cyclic group G under the point addition operation P + Q = R. Scalar multiplication over F_p is expressed as kP = P + P + · · · + P (k times). The hard problems based on ECC are as follows:
• Elliptic curve discrete logarithm (ECDL) problem: Given two random points P, Z = xP ∈ G, find the integer x such that Z = xP.
• Elliptic curve discrete logarithm (ECDL) assumption: There is no polynomial-time algorithm that solves the ECDL problem with non-negligible probability.
• Elliptic curve computational Diffie-Hellman (ECCDH) problem: For unknown integers x, y and given two random points R = xP, Z = yP ∈ G, compute the point xyP.
• Elliptic curve computational Diffie-Hellman (ECCDH) assumption: There is no polynomial-time algorithm that solves the ECCDH problem with non-negligible probability.

System Model
The system model of the proposed scheme is shown in Figure 1. The system is composed of five entities: the Key Generator Center (KGC), the Trace Authority (TRA), the Application Servers (AS), the RSU, and the OBU.
KGC: It is in charge of calculating the system parameters and preloading them on RSUs and OBUs in offline mode. In addition, it produces and distributes the partial private keys for RSUs and OBUs. The KGC is assumed to be a trusted third party with sufficient storage space and computing power.
TRA: It is used for the registration of RSUs and OBUs. It can trace messages to their source and disclose the vehicles' real identities. Similarly, the TRA is assumed to be a trusted third party with sufficient storage space and computing power.
AS: It is a safety-related application server, like a traffic-data analysis center or traffic management center. It first gathers traffic-related messages, including current location, time and traffic accidents, from RSUs, and then conducts further analysis and/or provides feedback to them. The AS communicates with the KGC, the TRA and the RSUs via a wired channel.
RSU: It is located along the roadside and is used for verifying the authenticity and integrity of messages received from OBUs, processing them locally or forwarding them to the TAs or the AS. The RSU communicates with the vehicles in a certain coverage region over a wireless channel and with the KGC, the TRA and the AS via a secure wired channel.
OBU: It is installed on the vehicle to communicate with other vehicles and RSUs for sharing traffic-related status information like speed, direction, and position through the Dedicated Short Range Communication (DSRC) [2,3]. Generally, the OBU is assumed to have less computation power than RSU.

Security Requirements
In V2I communication, the following security requirements need to be satisfied by the proposed scheme.
Authentication and message integrity: The message receiver (RSU) should be able to efficiently verify the legitimacy of the vehicle in the system and detect any modification of the received message.
Identity privacy preserving: No entity should be able to identify or trace the vehicle's real identity by analyzing the received messages.
Traceability: The generator of any false message should be traceable. The TRA should be able to disclose the real identity of any malicious vehicle that has broadcast forged messages to other vehicles in order to disrupt the traffic.
Unlinkability: Apart from the TRA, neither the RSU nor a malicious vehicle should be able to determine whether two messages come from the same vehicle.
Key escrow resilience: The KGC, a semi-trusted party, should not be able to impersonate a legitimate vehicle by generating a valid signature under the vehicle's private key.
Role separation: Two trusted authorities exist in the proposed scheme, i.e., the KGC and the TRA. The KGC creates the vehicle's partial private key on the pseudo identity, while the TRA is responsible for producing the pseudo identities and tracing the vehicle's real identity.
Resistance to attack: The proposed scheme should resist popular attacks such as the replay attack, the modification attack, the impersonation attack, and the man-in-the-middle attack in VANETs.

CLS-MR
The CLS-MR scheme consists of the following algorithms: Setup, Partial-Private-Key-Extract, Set-Secret-Value, Set-Private-Key, Set-Public-Key, Sign, and Verify.
• Setup: Given a security parameter k, the KGC generates a group G of prime order q based on an elliptic curve E defined over a finite field F_p, where P ∈ G is a generator. The KGC randomly chooses s ∈ Z_q^* and computes P_pub = sP. The KGC also chooses hash functions H_1, H_2, H_3, F_1, F_2, where l_1 and l_2 are positive integers such that l_1 + l_2 = |q|. The system parameters are params = {F_p, G, q, P, P_pub, H_1, H_2, H_3, F_1, F_2, l_1, l_2} and the master key is s.
• Partial-Private-Key-Extract: Given params and an identity ID_i, the KGC chooses at random r_i ∈ Z_q^* and computes the partial private key for ID_i.
• Set-Public-Key: Given params and the user's secret value x_i, the user ID_i computes P_i = x_i P and sets PK_i = {R_i, P_i} as its public key.
• Sign: Given params, the private key {d_i, x_i} of the user ID_i under {R_i, P_i} and a message m ∈ {0, 1}^{l_2}, the user ID_i picks a random number t_i ∈ Z_q^* and computes the signature σ_i.
• Verify: Given params, the public key {R_i, P_i}, the user's identity ID_i and the signature σ_i, any verifier recovers the message and checks the validity of the signature. To recover the message m, the verifier computes f; the two values it then uses are the most significant l_1 bits of f and the least significant l_2 bits of f, respectively.

Correctness:
Then, one can recover

Security Proof
According to certificateless cryptography [16], two types of adversaries, i.e., Type I adversary A 1 and Type II adversary A 2 , are considered in CLS-MR. The adversary A 1 models an outside adversary and acts as a malicious third party while the adversary A 2 models an inside adversary and serves as a malicious-but-passive KGC.

• Type I adversary A_1: The adversary A_1 does not possess the master key, but is capable of replacing the public key of a user with a value of its own choice.
• Type II adversary A_2: The adversary A_2 possesses the master key, but cannot replace the public key of a user.
The formal security model of CLS-MR is described in detail in [16].
Theorem 1. The proposed CLS-MR is existentially unforgeable under the ECDL assumption in the random oracle model.
Proof. Theorem 1 is proved according to Lemma 1 and Lemma 2 listed below.

Lemma 1.
In the random oracle model, CLS-MR is existentially unforgeable against the Type I adversary A_1 under the ECDL assumption.

Lemma 2.
In the random oracle model, CLS-MR is existentially unforgeable against the Type II adversary A_2 under the ECDL assumption.
The security proofs of Lemma 1 and Lemma 2 can be found in the appendix.

The Proposed Scheme
This section proposes a practical certificateless conditional privacy-preserving authentication (PCPA) scheme for VANETs based on CLS-MR. Specifically, the proposed scheme includes system initialization, pseudo identity generation and partial private key extraction, public/private key generation and message signing, and message verification phases.

System Initialization
The system initialization, which is carried out by the TAs (KGC and TRA), produces the system parameters for all RSUs and OBUs. The following steps are performed in this phase:
(1) The TAs randomly choose a prime p and an elliptic curve E over the finite field F_p, defined by the equation y^2 = x^3 + ax + b (mod p) with a, b ∈ F_p.
(2) The TAs pick a group G of prime order q based on E and denote by P ∈ G a generator.
(3) The KGC calculates its public key P_pub = sP, where s ∈ Z_q^* is the master key for partial private key generation.
(4) The TRA chooses a random number t ∈ Z_q^* as the master key for identity traceability and computes T_pub = tP.
(5) The TAs choose the hash functions H, H_1, H_2, H_3, F_1, F_2, where l_1 and l_2 are positive integers such that l_1 + l_2 = |q|.
The TAs publish the system parameters {p, q, G, P, P_pub, T_pub, H, H_1, H_2, H_3, F_1, F_2} and send them to all RSUs and vehicles (OBUs). The system parameters are preloaded into the tamper-proof devices (TPDs) of all vehicles. The master keys s and t are kept secret by the KGC and the TRA, respectively.

Pseudo Identity Generation and Partial Private Key Extraction
This phase is performed between the TAs (TRA and KGC) and the vehicles. On receiving the real identity RID_i from V_i, where RID_i uniquely identifies the vehicle V_i, the TRA generates pseudo identities for V_i and the KGC then calculates partial private keys on them. The partial private keys and pseudo identities are preloaded into the TPD of vehicle V_i. The details of this phase are as follows:
(1) The vehicle V_i sends its real identity RID_i to the TRA over a secure channel.
(2) Upon receiving the real identity RID_i, the TRA randomly chooses w_i ∈ Z_q^* and computes PID_{i,1} = w_i P and PID_{i,2} = RID_i ⊕ H(w_i T_pub, T_i). Then, the pseudo identity PID_i = {PID_{i,1}, PID_{i,2}, T_i} is transmitted to the KGC over a secure channel.
(3) On receiving the pseudo identity PID_i = {PID_{i,1}, PID_{i,2}, T_i}, the KGC randomly chooses r_i ∈ Z_q^* and calculates the partial private key PPK_i = {R_i, d_i} using the master key s. After that, the KGC sends the partial private key and pseudo identity {PPK_i, PID_i} to the vehicle V_i.

Public/Private Key Generation and Message Signing
During this phase, the vehicle V_i generates its public/private key pair and signs messages. Then, the vehicle V_i broadcasts a final message, including the pseudo identity, public key, timestamp and signature, to nearby RSUs. The details of this phase are as follows:
(1) The vehicle V_i randomly picks x_i ∈ Z_q^* as its secret value and computes P_i = x_i P. Then, the vehicle V_i's private key is SK_i = {d_i, x_i} and its public key is PK_i = {R_i, P_i}.
(2) The vehicle V_i randomly chooses a pseudo identity PID_i from its storage and takes the current timestamp ct_i, which ensures the freshness of the message so as to resist replay attacks. Given a traffic-related message m_i ∈ {0, 1}^{l_2}, the vehicle V_i randomly picks t_i ∈ Z_q^* and calculates the signature {u_i, v_i} on m_i. Then, the vehicle V_i broadcasts the final message M_i = {PID_i, PK_i, ct_i, u_i, v_i} to nearby RSUs.

Message Verification
In this phase, after receiving the final message {PID_i, PK_i, ct_i, u_i, v_i}, the verifier (RSU) recovers the message and checks the validity of the signature. This guarantees that the corresponding vehicle can neither broadcast false messages nor masquerade as another legal vehicle. This phase is described as follows:
(1) The verifier checks whether T_i is valid and ct_i is fresh. If T_i is not valid or ct_i is not fresh, the message is rejected.
(2) The verifier computes

Security Analysis
In this section, an analysis on the security of the proposed scheme as well as its comparison with the latest schemes is conducted.
Authentication and message integrity: To ensure authentication and message integrity, the new CLS-MR scheme is employed in the proposed PCPA. According to Theorem 1, the underlying CLS-MR is secure against adaptive chosen message and identity attacks under the ECDL assumption in the random oracle model. Through the Message Verification algorithm, a verifier (RSU) can confirm the validity and integrity of {PID_i, PK_i, ct_i, u_i, v_i}. That is to say, no polynomial-time adversary is able to forge or modify a valid signature. Therefore, message integrity and authentication are ensured in the proposed scheme.
Identity privacy preserving: According to the description of the proposed scheme, the real identity RID_i of the vehicle V_i is only included in the random pseudo identity PID_i = {PID_{i,1}, PID_{i,2}, T_i}, where PID_{i,1} = w_i P, PID_{i,2} = RID_i ⊕ H(w_i T_pub, T_i) and T_pub = tP. To extract the vehicle V_i's real identity RID_i, the adversary has to compute RID_i = PID_{i,2} ⊕ H(w_i T_pub, T_i) = PID_{i,2} ⊕ H(w_i · t · P, T_i). However, without knowing w_i and t, it is impossible for any adversary to obtain RID_i, since computing w_i · t · P from PID_{i,1} = w_i P and T_pub = tP is an instance of the ECCDH problem. Therefore, identity privacy preserving is ensured in the proposed scheme.
Traceability: According to the description of the proposed scheme, the TRA can use its own master key t to compute t · PID_{i,1} = t · w_i · P = w_i · t · P = w_i · T_pub and then RID_i = PID_{i,2} ⊕ H(w_i T_pub, T_i). Thus, the TRA can extract the real identity RID_i from any pseudo identity PID_i = {PID_{i,1}, PID_{i,2}, T_i} contained in the broadcast messages. Therefore, the proposed scheme satisfies traceability.
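The pseudo-identity generation of the TRA (phase (2) above) together with the tracing computation t · PID_{i,1} = w_i · T_pub, as an added example that is not the paper's own code. The paper fixes neither the curve nor the hash, so NIST P-256 stands in for the 160-bit curve, SHA-256 for H, and real identities are modelled as 32-byte strings; all three are assumptions of this example. It also checks the unlinkability claim that two pseudo identities of one vehicle share no visible component.

```python
"""TRA pseudo-identity generation and tracing for PCPA (added example).

Assumptions (not fixed by the paper): NIST P-256 as the curve, SHA-256 as H,
32-byte real identities RID_i, and a byte string standing for T_i.
"""
import hashlib
import secrets
from typing import Optional, Tuple

# NIST P-256 domain parameters (public, standard values).
P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
A = P - 3
B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
Q = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551  # order of G
G = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
     0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)

Point = Optional[Tuple[int, int]]  # None represents the point at infinity O


def point_add(p1: Point, p2: Point) -> Point:
    """Affine point addition on E: y^2 = x^3 + Ax + B over F_P."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None  # p2 == -p1, so the sum is O
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P  # tangent slope
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P  # chord slope
    x3 = (lam * lam - x1 - x2) % P
    y3 = (lam * (x1 - x3) - y1) % P
    return (x3, y3)


def scalar_mult(k: int, pt: Point) -> Point:
    """Double-and-add computation of kP (k >= 0)."""
    result: Point = None
    addend = pt
    while k > 0:
        if k & 1:
            result = point_add(result, addend)
        addend = point_add(addend, addend)
        k >>= 1
    return result


def H(pt: Point, t_i: bytes) -> bytes:
    """H(point, T_i): SHA-256 over the point's coordinates and T_i (assumed encoding)."""
    x, y = pt
    return hashlib.sha256(x.to_bytes(32, "big") + y.to_bytes(32, "big") + t_i).digest()


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def tra_keygen() -> Tuple[int, Point]:
    """TRA picks the master key t in Z_q^* and publishes T_pub = tP."""
    t = 1 + secrets.randbelow(Q - 1)
    return t, scalar_mult(t, G)


def generate_pseudo_identity(rid: bytes, t_pub: Point, t_i: bytes):
    """TRA step (2): PID_{i,1} = w_i P, PID_{i,2} = RID_i xor H(w_i T_pub, T_i)."""
    w = 1 + secrets.randbelow(Q - 1)
    pid1 = scalar_mult(w, G)
    pid2 = xor_bytes(rid, H(scalar_mult(w, t_pub), t_i))
    return pid1, pid2, t_i


def trace_real_identity(t: int, pid) -> bytes:
    """Tracing: t * PID_{i,1} = w_i T_pub, hence RID_i = PID_{i,2} xor H(w_i T_pub, T_i)."""
    pid1, pid2, t_i = pid
    return xor_bytes(pid2, H(scalar_mult(t, pid1), t_i))


def demo() -> bool:
    # Constructed sample values: a 32-byte real identity and a T_i tag.
    rid = b"VEHICLE-REAL-ID-0000000000000001"
    t_i = b"constructed-T_i"
    t, t_pub = tra_keygen()
    pid_a = generate_pseudo_identity(rid, t_pub, t_i)
    pid_b = generate_pseudo_identity(rid, t_pub, t_i)
    # Unlinkability: two pseudo identities of the same vehicle share no visible component.
    unlinkable = pid_a[0] != pid_b[0] and pid_a[1] != pid_b[1]
    # Traceability: only the holder of t recovers the same RID from both.
    traced = trace_real_identity(t, pid_a) == rid and trace_real_identity(t, pid_b) == rid
    return unlinkable and traced


if __name__ == "__main__":
    print("pseudo identity round trip:", "ok" if demo() else "FAILED")
```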
Unlinkability: According to the description of the proposed scheme, the TRA, the KGC and the vehicle randomly choose w_i ∈ Z_q^*, r_i ∈ Z_q^* and t_i ∈ Z_q^*, respectively, and generate
Due to the randomness of w_i, r_i and t_i, no adversary is able to link two messages sent by the same vehicle or two anonymous pseudo identities, so the unlinkability of the proposed scheme is satisfied.
Role separation: According to the description of the proposed scheme, there are two trusted authorities with different functions, i.e., the TRA and the KGC. The real identity of a vehicle can only be revealed by the TRA, using the master key t, and not by the KGC. Hence, t has to be well safeguarded to preserve the vehicles' privacy. However, the master key s of the KGC needs no such strong protection, since no adversary can generate a valid signature without the vehicle's secret value. Therefore, role separation is provided in the proposed scheme.
Key escrow resilience: According to Lemma 2, a malicious KGC cannot successfully impersonate a vehicle under the ECDLP assumption. The basic reason is that the vehicle V_i chooses the secret value x_i itself, and it cannot be accessed by the KGC. Therefore, key escrow resilience is satisfied in the proposed scheme.
Resistance to attacks: The proposed scheme is secure against the main network attacks. The details are as follows:
• Replay attack: As can be seen from the description of the proposed scheme, the timestamp
We compare the security of the proposed PCPA scheme for VANETs with that of the schemes put forward by Horng et al. [12], Li et al. [13], Malhi et al. [14], and Kumar et al. [15]. Details of the security comparison between the proposed scheme and the abovementioned schemes are given in Table 2, which marks for each scheme whether a requirement is satisfied ("satisfy") or not ("not satisfy").

Performance Evaluation and Simulation
Here, we analyze the computation and communication costs of the proposed PCPA and evaluate its performance with the existing schemes in [12][13][14]. It should be pointed out that the analysis and comparison of Kumar et al.'s scheme [15] are omitted, as it has only made a small change in the signing phase to fix the security flaw in [14]. Moreover, a comprehensive simulation is carried out using simulation of urban mobility (SUMO) [44] and ns-3.26 simulator [45]. SUMO is a traffic simulation tool that can provide the realistic traffic mobility model and ns-3.26 is used for wireless network simulation. Based on the simulations, we give concrete evaluation on average message delay and average message loss ratio in real scenarios.

Computation Cost
The computation cost for the message signing and verification in the proposed scheme is analyzed and the results are compared with those obtained from the schemes put forward by Horng et al. [12], Li et al. [13], and Malhi et al. [14].
For the pairing-based schemes [12][13][14], the symmetric bilinear pairing for the 80-bit security can be defined as follows: e : G 1 × G 1 → G T , where G 1 is an additive group formed by a generator P with the order q on a super singular elliptic curve E : y 2 = x 3 + x mod p with embedding degree 2. q is 160-bit Solinas prime number and p is 512-bit prime number, which satisfy q · 12 · r = p + 1. For the proposed scheme, the ECC for the same security level can be constructed as follows: G with order q is an additive group generated by a point P on a non-singular elliptic curve E : where p, q are two 160-bit prime numbers, a = −3, and b is a random 160-bit prime number.
The time costs of the cryptographic operations are defined below. Let $T_p$ be the time to perform a bilinear pairing operation, and let $T_{m-bp}$ and $T_{m-ecc}$ be the time to perform a scalar multiplication in the bilinear pairing group and in ECC, respectively. The time to perform a map-to-point hash function operation is denoted $T_{mtp}$. Other lightweight operations (point addition and one-way hash function operations) are not taken into account.
Using the MIRACL Crypto SDK [46], the running time of the above cryptographic operations can be quantified. The experiment is run on an Intel Core i5-4590 (Intel Corporation, Santa Clara, CA, USA), 3.3 GHz CPU, with 8 gigabytes of memory, running Windows 7 (Microsoft Corporation, Redmond, WA, USA). The average execution times of these operations are listed in Table 3; each value is consistent with the totals computed below.

Table 3. Execution time of cryptographic operations (in milliseconds).

Cryptographic Operation                      Notation       Execution Time
Bilinear pairing                             $T_p$          9.0791
Scalar multiplication in bilinear pairing    $T_{m-bp}$     3.7770
Map-to-point hash function                   $T_{mtp}$      9.7052
Scalar multiplication in ECC                 $T_{m-ecc}$    0.8310

The computation costs of the schemes in [12][13][14] and the proposed PCPA are compared and shown in Table 4. Li et al.'s scheme [13] requires two map-to-point hash operations, one scalar multiplication in bilinear pairing and three bilinear pairing operations, so the verification time for one message is $2T_{mtp} + T_{m-bp} + 3T_p = 50.4247$ ms. Malhi et al.'s scheme [14] requires three scalar multiplications in bilinear pairing and three bilinear pairing operations, so the verification time is $3T_{m-bp} + 3T_p = 38.5683$ ms. The proposed scheme requires four scalar multiplications in ECC, so the verification time is $4T_{m-ecc} = 3.3240$ ms. Figure 2 shows the computation cost for one message and for an increasing number of messages, respectively. As shown in Table 4 and Figure 2a, the computation cost of signing one message is 0.8310 ms in the proposed scheme, a decrease of 88.9%, 95.2% and 94.5% compared with [12][13][14], respectively. For verifying one message, the proposed scheme needs 3.3240 ms, a decrease of 91.8%, 93.4% and 91.4% compared with [12][13][14], respectively. The computation cost of signing multiple ($n$) messages is $n$ times the cost of signing one message. Therefore, the costs of signing $n$ messages in [12][13][14] and the proposed scheme are $7.5540n$ ms, $17.2592n$ ms, $15.1080n$ ms and $0.8310n$ ms, respectively.
For the computation cost of verifying multiple ($n$) messages, Horng et al.'s scheme [12] requires $n$ map-to-point hash operations, $n$ scalar multiplications in bilinear pairing and three bilinear pairing operations, so the total verification time is $nT_{mtp} + nT_{m-bp} + 3T_p = 13.4822n + 27.2373$ ms. Li et al.'s scheme [13] requires $(n+1)$ map-to-point hash operations, $n$ scalar multiplications in bilinear pairing and three bilinear pairing operations, so the total verification time is $(n+1)T_{mtp} + nT_{m-bp} + 3T_p = 13.4822n + 36.9425$ ms. Malhi et al.'s scheme [14] requires $3n$ scalar multiplications in bilinear pairing and three bilinear pairing operations, so the total verification time is $3nT_{m-bp} + 3T_p = 11.3310n + 27.2373$ ms. The proposed scheme requires $4n$ scalar multiplications in ECC, so the total verification time is $4nT_{m-ecc} = 3.3240n$ ms.
Figure 2b,c shows that both the signing cost and the verification cost grow linearly with the number of messages, and that the proposed scheme has the lowest slope. As shown in Figure 2b, when $n = 60$, the signing costs of the schemes in [12][13][14] and the proposed scheme are 453.2400 ms, 1035.5520 ms, 906.4800 ms and 49.8600 ms, respectively. As shown in Figure 2c, the verification costs of the schemes in [12][13][14] and the proposed scheme are 162.0593 ms, 171.7645 ms, 140.5473 ms and 33.2400 ms when $n = 10$, and 836.1693 ms, 845.8745 ms, 707.0973 ms and 199.4400 ms when $n = 60$.
Therefore, the proposed PCPA achieves lower computation cost than the schemes in [12][13][14] in the signing and verification phases, regardless of the number of messages.

Communication Cost
In this subsection, the communication costs of Horng et al.'s scheme [12], Li et al.'s scheme [13], Malhi et al.'s scheme [14] and the proposed scheme are evaluated. In V2I communication, the communication cost refers to the size of the message transmitted from a vehicle (OBU) to an RSU.
As mentioned above, the length of $q$ is 160 bits and that of $p$ is 512 bits, so the lengths of elements in $G$ and $G_1$ are 20 bytes and 64 bytes, respectively. It is assumed that the output length of a general one-way hash function is 160 bits (20 bytes) and the length of the timestamp is 32 bits (4 bytes). According to the IEEE Trial-Use standard [47] for VANET security, the length of the traffic-related message is 67 bytes. The comparison of communication costs is shown in Table 5 and analyzed as follows.

Scheme                        Send a Message    Send n Messages
Horng et al.'s scheme [12]    351 bytes         351n bytes
Li et al.'s scheme [13]       351 bytes         351n bytes
Malhi et al.'s scheme [14]    323 bytes         323n bytes
The proposed scheme           128 bytes         128n bytes

In [12,13], $\{M_i, PID_i, P_i, ct_i, R_i, S_i\}$ is sent from the vehicle (OBU) to an RSU, where $PID_i = \{PID_{i,1}, PID_{i,2}, T_i\}$, $PID_{i,1} \in G_1$, $PID_{i,2} \in Z_q$ and $T_i$ denotes a timestamp. Thus, the communication cost of these two schemes is 351 bytes. In [14], the communication cost is 323 bytes. In the proposed PCPA, $\{PID_i, PK_i, ct_i, u_i, v_i\}$ is sent from the vehicle (OBU) to an RSU, where $PID_i = \{PID_{i,1}, PID_{i,2}, T_i\}$, $PID_{i,1} \in G$, $PID_{i,2} \in Z_q$ and $T_i$ denotes a timestamp. Thus, the communication cost of the proposed scheme is $|PID_i| + |PK_i| + |ct_i| + |u_i| + |v_i| = 44 + 40 + 4 + 20 + 20 = 128$ bytes.
The comparison of the communication costs for one message and for multiple ($n$) messages is shown in Figure 3. In all schemes, the communication cost increases linearly with the number of messages. The schemes in [12,13] have the same communication cost. The communication cost of the proposed scheme is the lowest of all schemes, decreasing by 63.5%, 63.5% and 60.4% compared with the schemes in [12][13][14], respectively. When the number of messages is 30,000, the proposed scheme saves 6.38 MB and 5.58 MB of bandwidth compared with the schemes in [12,13] and [14], respectively.
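As an added illustration that is not part of the paper, the following Python code serialises and parses the 128-byte V2I message $\{PID_i, PK_i, ct_i, u_i, v_i\}$ described above and applies the timestamp freshness check an RSU would run before the four scalar multiplications of verification. The field sizes are the paper's; the 20-byte encoding of a point of $G$, the meaning of $ct_i$ as an opaque 4-byte field, and the seconds-resolution timestamp are assumptions, and the sample field values are constructed.

```python
import struct

# Field sizes in bytes, from the paper's communication-cost analysis
# (160-bit q, 160-bit hash output, 32-bit timestamp). How a point of G fits
# in 20 bytes is not stated, so every field is treated here as opaque bytes.
G_ELEM = 20    # element of G: PID_{i,1}, R_i, P_i
ZQ_ELEM = 20   # element of Z_q or a hash output: PID_{i,2}, u_i, v_i
TS_LEN = 4     # timestamp T_i (assumed: unsigned 32-bit seconds)
CT_LEN = 4     # ct_i (assumed: an opaque 4-byte field)
PCPA_MSG_LEN = (G_ELEM + ZQ_ELEM + TS_LEN) + 2 * G_ELEM + CT_LEN + 2 * ZQ_ELEM  # 128

# Wire layout: PID_i = (PID_{i,1}, PID_{i,2}, T_i), PK_i = (R_i, P_i), ct_i, u_i, v_i
_LAYOUT = struct.Struct(">20s20sI20s20s4s20s20s")


def _field(name, value, size):
    """struct silently pads or truncates 's' fields, so enforce exact sizes."""
    if len(value) != size:
        raise ValueError(f"{name} must be {size} bytes, got {len(value)}")
    return bytes(value)


def pack_pcpa_message(pid1, pid2, t_i, r_i, p_i, ct, u, v):
    """Serialise {PID_i, PK_i, ct_i, u_i, v_i} into the 128-byte V2I message."""
    return _LAYOUT.pack(_field("PID_i,1", pid1, G_ELEM), _field("PID_i,2", pid2, ZQ_ELEM),
                        t_i, _field("R_i", r_i, G_ELEM), _field("P_i", p_i, G_ELEM),
                        _field("ct_i", ct, CT_LEN), _field("u_i", u, ZQ_ELEM),
                        _field("v_i", v, ZQ_ELEM))


def parse_pcpa_message(buf):
    """Split a received message into its fields; reject anything of the wrong length."""
    if len(buf) != PCPA_MSG_LEN:
        raise ValueError(f"expected {PCPA_MSG_LEN}-byte PCPA message, got {len(buf)}")
    pid1, pid2, t_i, r_i, p_i, ct, u, v = _LAYOUT.unpack(buf)
    return {"PID": (pid1, pid2, t_i), "PK": (r_i, p_i), "ct": ct, "u": u, "v": v}


class ReplayFilter:
    """Timestamp check run before signature verification: drop stale or
    future-dated messages, and drop a second copy of a (pseudonym, timestamp)
    pair already accepted inside the freshness window."""

    def __init__(self, max_skew=5):
        self.max_skew = max_skew   # seconds of tolerated clock difference
        self.seen = {}             # (PID_{i,1}, PID_{i,2}, T_i) -> T_i

    def accept(self, msg, now):
        pid1, pid2, t_i = msg["PID"]
        # forget entries that could no longer pass the freshness test anyway
        self.seen = {k: t for k, t in self.seen.items() if now - t <= self.max_skew}
        if abs(now - t_i) > self.max_skew:
            return False           # stale or future-dated: reject
        key = (pid1, pid2, t_i)
        if key in self.seen:
            return False           # identical pseudonym and timestamp: replay
        self.seen[key] = t_i
        return True


def sample_message(t_i):
    """Constructed sample fields (not real curve points or signature values)."""
    return pack_pcpa_message(b"\x01" * 20, b"\x02" * 20, t_i, b"\x03" * 20,
                             b"\x04" * 20, b"\x00\x00\x00\x07", b"\x05" * 20, b"\x06" * 20)
```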

Simulation
Using SUMO [44] and ns-3.26 [45], we evaluate the performance of the schemes of Horng et al. [12], Li et al. [13], and Malhi et al. [14] as well as the proposed PCPA scheme. SUMO is used to generate detailed vehicle movement traces from mobility models, and these traces are then fed into the ns-3.26 simulator to assess the efficiency and applicability of the schemes.
The simulation road scenario is shown in Figure 4, in which the RSUs are distributed every 500 m along the road, and each vehicle broadcasts messages every 300 ms. The vehicles are distributed on the road and move to the crossings randomly. The parameters for the simulation are listed in Table 6.

Average Message Delay (aMD)
The aMD reflects the average latency for a message to be received by the RSU after it is generated, which is defined as
Two experiments are conducted to analyze how aMD varies with the density and speed of vehicles. The results of the simulation are shown in Figure 5. The relationship between aMD and the number of vehicles is shown in Figure 5a, where the number of vehicles varies from 20 to 100 and the average speed of vehicles is approximately 20 m/s (72 km/h). As shown in Figure 5a, the aMD at the RSUs increases with the number of vehicles in all schemes. The aMD is 2.94 s, 2.98 s, 2.40 s and 0.009 s in Horng et al.'s scheme [12], Li et al.'s scheme [13], Malhi et al.'s scheme [14] and the proposed scheme, respectively. The aMD of the proposed scheme is the lowest and is only slightly influenced by vehicle density.
The relationship between aMD and the speed of vehicles is shown in Figure 5b. The average speed of vehicles varies from 10 to 50 m/s (36 to 180 km/h) and the number of vehicles is 50. When the vehicle density is constant, the aMD hardly changes, indicating that it is scarcely affected by vehicle speed. This is only a theoretical simulation result with no practical implementation.

Average Message Loss Ratio (aMLR)
The aMLR expresses the ratio of the number of messages dropped to the total number of messages received by the RSUs, which is defined as
Two experiments are conducted to analyze how aMLR varies with the density and speed of vehicles. The results of the simulation are shown in Figure 6. [14]. Furthermore, the aMLRs reach 57%, 57% and 46% in the schemes of [12][13][14], respectively, when the number of vehicles is 100. Regardless of the vehicle density, the aMLR of the proposed scheme is almost 0. Figure 6b shows the relationship between aMLR and the speed of vehicles. The speed of vehicles varies from 10 to 50 m/s (36 to 180 km/h) and the number of vehicles is 50. When the speed of vehicles is higher than 20 m/s, the aMLRs in the schemes of Horng et al. [12], Li et al. [13], and Malhi et al. [14] are slightly influenced. The aMLR of the proposed scheme is 0% regardless of how the vehicle speed changes.

Conclusions
In this paper, a new efficient certificateless signature with message recovery (CLS-MR) is first presented. Under the ECDLP assumption, this scheme is secure in the random oracle model. Based on the proposed CLS-MR, a practical certificateless conditional privacy-preserving authentication (PCPA) scheme for VANETs is put forward. The security analysis indicates that PCPA satisfies the security and privacy-preserving requirements of VANETs. The performance evaluation and comparison show that the PCPA scheme is more efficient in both computation cost and communication cost, since it employs neither map-to-point hash functions nor bilinear pairing operations. Furthermore, the simulation results demonstrate the superiority of PCPA over the other schemes in average message delay and message loss ratio, and thus PCPA is more suitable for VANETs.

• If the list $L_{PPK}^{list}$ does not include $(ID_i, R_i, d_i)$, B picks random numbers $d_i, c_i \in Z_q$ and sets $c_i = H_1(ID_i, R_i)$ and $R_i = d_i P - c_i P_{pub}$. Finally, B outputs $(R_i, d_i)$ to $A_1$, and inserts $(ID_i, R_i, c_i)$ and $(ID_i, R_i, d_i)$ into $L_{H_1}^{list}$ and $L_{PPK}^{list}$, respectively.
Secret value queries: Suppose $A_1$ submits a secret value query on the identity $ID_i$. B checks $L_{SK}^{list}$ and executes as follows:
• If the list $L_{SK}^{list}$ includes $(ID_i, P_i, x_i)$, B responds with the previous value $x_i$ to $A_1$.

• If the list $L_{SK}^{list}$ does not include $(ID_i, P_i, x_i)$, B randomly chooses $x_i \in Z_q^*$ and computes $P_i = x_i P$. Finally, B returns $x_i$ to $A_1$, and inserts $(ID_i, P_i, x_i)$ into $L_{SK}^{list}$.
Public key queries: Suppose $A_1$ submits a public key query on the identity $ID_i$. B checks $L_{PPK}^{list}$, $L_{SK}^{list}$ and executes as follows: issues a partial private key query or secret value query itself on $ID_i$. Finally, B returns $(R_i, P_i)$ to $A_1$, and inserts the corresponding values into $L_{PPK}^{list}$ and $L_{SK}^{list}$.
Public key replacement queries: Suppose $A_1$ submits a public key replacement query on $\{ID_i, R_i, P_i\}$. B checks $L_{PPK}^{list}$, $L_{SK}^{list}$ and executes as follows: $L_{PPK}^{list}$ and $L_{SK}^{list}$, respectively.
Sign queries: Suppose $A_1$ submits a sign query on $(m, ID_i, R_i, P_i)$. B first conducts a partial private key query itself to generate $(R_i, d_i)$. B randomly chooses $v_i \in Z_q^*$ and computes
Using the Forking Lemma [48], B can obtain another valid signature $(u_i^*, v_i^*)$ under $(ID_i^*, R_i^*, P_i^*)$ by replaying the process with the same random tape but a different choice of $H_1$. Then, we have
From the above equation, we obtain
Finally, B outputs the solution to the ECDL problem. After completing the above simulation, we analyze B's probability of and running time for solving the ECDL problem.
Assume that $A_1$ makes at most $q_{H_i}$ $H_i$ ($i = 1, 2, 3$) queries, $q_{pp}$ partial private key queries, $q_{sv}$ secret value queries, $q_{pk}$ public key queries, $q_{pr}$ public key replacement queries, and $q_s$ sign queries.
The probability of failure in answering a partial private key query caused by a conflict on $H_1$ is at most $\frac{q_{H_1} q_{pp}}{q}$. The probability of failure in answering a sign query resulting from a conflict on $H_3$ is at most $\frac{q_s (q_{H_3} + q_s)}{q}$. In addition, the probability that $A_1$ outputs a valid forgery without asking the corresponding $H_1$, $H_2$, $H_3$ queries is at most $\frac{3}{q}$. The probability that B correctly guesses the point of rewind is at least $\frac{1}{q_{H_1}}$. Therefore, the success probability of B in solving the ECDL problem is at least $\frac{1}{q_{H_1}}\left(\varepsilon - \frac{q_{H_1} q_{pp} + q_s (q_{H_3} + q_s) + 3}{q}\right)$.
The running time of B is equal to the running time of $A_1$ plus the time it takes to respond to $q_{pp}$ partial private key queries, $q_{sv}$ secret value queries, $q_{pk}$ public key queries and $q_s$ sign queries. Each partial private key query requires 2 scalar multiplications in $G$. Each secret value query requires 1 scalar multiplication in $G$. Each public key query requires 1 scalar multiplication in $G$. Each sign query requires 4 scalar multiplications in $G$. Assuming that each scalar multiplication in $G$ takes time $t_{sm}$, the total running time of B is at most $t + (2q_{pp} + q_{sv} + q_{pk} + 4q_s) t_{sm}$.

Appendix B.
Proof of Lemma 2. If a Type II adversary $A_2$ can break the proposed CLS-MR in time $t$ with probability $\varepsilon$, then there exists an algorithm B that can solve the ECDL problem by using $A_2$ as a subroutine. Given a random instance $\{P, xP = Q\}$ of the ECDL problem, the task of B is to compute $x$.
Setup: The algorithm B randomly selects $\theta \in Z_q$ and defines $P_{pub} = \theta P$; then, B sends the system parameters $params$ and the master key $\theta$ to $A_2$. Note that $A_2$ holds the master key and does not need to issue any partial private key query. As in Lemma 1, the lists $L_{H_1}^{list}$, $L_{H_2}^{list}$, $L_{H_3}^{list}$, $L_{PPK}^{list}$ and $L_{SK}^{list}$ are maintained by B. B also keeps a list $L^{list} = (ID_i, P_i, x_i, z_i)$, which is initially empty.
$H_1$, $H_2$ and $H_3$ queries: The same as in Lemma 1.
Secret value queries: Suppose $A_2$ submits a secret value query on the identity $ID_i$. B checks $L^{list}$ and executes as follows:
• If the list $L^{list}$ includes $(ID_i, P_i, x_i, z_i)$: if $z_i = 0$, B halts; if $z_i = 1$, B responds with the previous value $x_i$ to $A_2$.

• If the list $L^{list}$ does not include $(ID_i, P_i, x_i, z_i)$, then, using Coron's technique [49], B tosses a coin $z_i \in \{0, 1\}$ that produces 0 with probability $\delta$ and 1 with probability $1 - \delta$. B randomly chooses a value $x_i \in Z_q$. If $z_i = 0$, B sets $P_i = x_i Q$; if $z_i = 1$, B sets $P_i = x_i P$. Finally, B inserts $(ID_i, P_i, x_i, z_i)$ into $L^{list}$. If $z_i = 0$, B halts; if $z_i = 1$, B responds with the value $x_i$ to $A_2$.
Public key queries: Suppose $A_2$ submits a public key query on the identity $ID_i$. B checks $L^{list}$ and executes as follows:
• If the list $L^{list}$ includes $(ID_i, P_i, x_i, z_i)$, B responds with the previous value $P_i$ to $A_2$.

• If the list $L^{list}$ does not include $(ID_i, P_i, x_i, z_i)$, B submits a secret value query on $ID_i$ and returns $P_i$ to $A_2$. Here, $A_2$ can obtain the $R_i$ corresponding to $ID_i$ using the master key.
Sign queries: It is the same as Lemma 1.
Forgery: $A_2$ outputs a valid signature $(u_i^*, v_i^*)$ on $m^*$ under $(ID_i^*, R_i^*, P_i^*)$. Using the Forking Lemma [48], B can obtain another valid signature $(u_i^*, v_i^*)$ on $m^*$ under $(ID_i^*, R_i^*, P_i^*)$ by replaying the process with the same random tape but a different choice of $H_2$. Then, we have
From the above equation, B checks $L^{list}$: if $z_i^* = 1$, B aborts; if $z_i^* = 0$, from the above equation we have
Finally, B outputs $x$ by computing , which is the solution to the ECDL problem.
As in Lemma 1, the analysis of the probability and running time of B is as follows, assuming that $A_2$ makes at most $q_{H_i}$ $H_i$ ($i = 1, 2, 3$) queries, $q_{sv}$ secret value queries, $q_{pk}$ public key queries, and $q_s$ sign queries.
The probability of failure in handling a sign query because of a conflict on $H_3$ is at most $\frac{q_s (q_{H_3} + q_s)}{q}$. In the secret value query and forgery phases, the probability of success is $(1 - \delta)^{q_{sv}} \delta$ according to Coron's technique [49]. At the optimal choice $\delta = \frac{1}{q_{sv} + 1}$, this is greater than $\frac{1}{e(q_{sv} + 1)}$. The probability that $A_2$ outputs a valid forged signature without asking the corresponding $H_1$, $H_2$ or $H_3$ queries is at most $\frac{3}{q}$. The probability that B correctly guesses the point of rewind is at least $\frac{1}{q_{H_2}}$. Therefore, the success probability of B in solving the ECDL problem is at least $\frac{1}{e(q_{sv} + 1) q_{H_2}}\left(\varepsilon - \frac{q_s (q_{H_3} + q_s) + 3}{q}\right)$.
The running time of B is equal to the running time of $A_2$ plus the time it takes to respond to $q_{sv}$ secret value queries, $q_{pk}$ public key queries and $q_s$ sign queries. Each secret value query requires one scalar multiplication in $G$. Each public key query requires one scalar multiplication in $G$. Each sign query requires four scalar multiplications in $G$. Assuming that each scalar multiplication in $G$ takes time $t_{sm}$, the total running time of B is at most $t + (q_{sv} + q_{pk} + 4q_s) t_{sm}$.