A Secure and Efficient Group Key Agreement Scheme for VANET

Abstract

A vehicular ad hoc network (VANET) is a special mobile ad hoc network that provides vehicle collaborative security applications using intervehicle communication technology. The method enables vehicles to exchange information (e.g., emergency brake). In VANET, there are many vehicle platoon driving scenes, where vehicles with identical attributes (location, organization, etc.) are organized as a group. However, this organization causes the issue of security threats (message confidentiality, identity privacy, etc.) because of an unsafe wireless communication channel. To protect the security and privacy of group communication, it is necessary to design an effective group key agreement scheme. By negotiating a dynamic session secret key using a fixed roadside unit (RSU), which has stronger computational ability than the on-board unit (OBU) equipped on the vehicle, the designed scheme can help to provide more stable communication performance and speed up the encryption and decryption processes. To effectively implement the anonymous authentication mechanism and authentication efficiency, we use a batch authentication scheme and a shared secret key mechanism among the vehicles, RSUs and trusted authority (TA). We design an efficient group secret key agreement scheme, which satisfies the above communication and security requirements, protects the privacy of vehicles, and traces the real identity of the vehicle at a time when it is necessary. Computational analysis shows that the proposed scheme is secure and more efficient than existing schemes.

1. Introduction

A VANET is a special mobile ad hoc network, which is mainly composed of OBUs installed on vehicles and RSUs. The VANET can be used to achieve vehicle-to-vehicle (V2V) communication and vehicle-to-infrastructure (V2I) communication [1,2]. Vehicles in VANET can generate their own driving state information (acceleration, lane changing information, etc.) and collect traffic information such as traffic congestion and slippery road. These information can be used by the vehicles in VANET to improve driving comfort and safety.

Many traffic jams or traffic accidents are caused by the driver’s inability to predict instantaneous and variable road conditions. Intervehicle communication can exchange information about road conditions and vehicle status in time, which helps the driver to determine the driving environment in advance. Thus, effective intervehicle communication can reduce traffic accidents and alleviate traffic congestion. There are three communication modes: unicast, multicast, and broadcast. On some occasions, the emergency message must only be forwarded to specific vehicles. If the message is forwarded by unicast, it takes much time to inform specific vehicles on a road section. If the message is forwarded by broadcast, it is easy to cause a broadcast storm. Multicast is a more efficient method to exchange messages in VANET. However, the wireless channel of VANET may be easily jammed and monitored, which results in data monitoring, tampering and replaying [3]. Some private information of vehicles such as the driver information, driving track, and parking position may be leaked on these channels [4], which would result in potential threats to the drivers and passengers [2]. Therefore, the security of VANET data transmitted on these communication channels must be enhanced.

With the development of group communication application in VANET, the group key agreement mechanism is widely studied. Because of the lower density and high mobility of vehicles [5], the secure and effective group key agreement mechanism for VANET becomes extremely important. Compared to mobile ad hoc networks (MANETs) [6], the vehicles in VANET have lower fixity, communication ability and computing power than the RSU. Therefore, to improve the efficiency of the group key agreement, people can use the advantages of the RSU to complete the computing and communication. The vehicles in VANET may move fast and must dynamically change the running route because there are always vehicles joining or leaving a communication group. A secure secret key agreement scheme must ensure that the legality of new vehicles should be verified before joining the communication group. In addition, when some vehicle leaves the communication group, the RSU can revoke its group key. Therefore, designing a secure and efficient group key agreement for VANET is the key to realize group communication.

In recent years, many studies have been conducted on group key agreement in VANET. A batch authentication scheme [7] was presented to improve the computation efficiency, but the integrity of the request messages were not checked before the batch authentication. Hai [8] proposed an authenticated group key agreement scheme using bilinear pairings, which satisfies all secure group communication requirements for VANET. However, this scheme authenticates vehicles using certificates, which results in low authentication efficiency. Therefore, it is a great challenge to design an efficient and secure group secret key agreement for VANET.

To address the aforementioned problems, we present a group secret key agreement scheme for VANETs with batch verification. Our main contributions are summarized as follows:

• The RSU is used at the main node in the group key agreement. Since the RSU has more powerful computing and communication capabilities than the vehicles, the communication cost can be reduced, and the key negotiation efficiency can be increased.
• The shared secret key mechanism is used among the vehicles, RSUs and TA to effectively implement the anonymous authentication mechanism.
• The RSU verifies a set of signatures in the batch, which greatly improves the authentication performance compared to individually verification.

The remainder of this paper is organized as follows. We describe the related works in Section 2. The system model and security requirements for VANET are defined in Section 3. We present a secure and efficient group key agreement (SEGKA) scheme in Section 4 and analyze the security and evaluate the performance for SEGKA in Section 5. Finally, the paper is concluded in Section 6.

2. Related Work

The VANET provides a series of applications, such as efficiency applications [9,10] (urban traffic management, path planning, etc.), commercial applications [11] (location-based services, path planning etc.), information entertainment applications (video sharing, social networks, etc.), and security applications [12,13,14,15] (rear end warning, road ice testing, etc.). However, the vehicles communicating in the wireless network are easily attacked, particularly when the vehicles have private messages to be shared with others in the same group. Therefore, VANET must build secure channels for group communication. The emergence of group-oriented communication applications has triggered research on group communication security and privacy protection. A difficult problem of group communication is to design an effective group membership authentication key agreement mechanism.

In VANET, the relative position among vehicles may fast and frequently changed, thus the vehicles are often dynamically divided into groups to perform broadcast communication, i.e., group communication. Vehicle group communication refers to communication among vehicles with the same attribute. A secure group communication scheme should be able to ensure that once a new vehicle joins the group and becomes a legitimate group member, it could receive or send messages in the group in time. Also, once some node moves far away, there should be a mechanism to let it leave the current group, so that it cannot continue to enjoy the rights of a legitimate group member and cannot continue to receive or send messages in this group. The group key agreement schemes can be divided into two types: a central node to assign a communication key to other members, and every group member provides a partial key and finally forms a group key. Although the communication mechanism using the asymmetric encryption technology can well satisfy this requirement, it is not suitable for VANET applications because it does not account for the vehicle’s computation capability and complicated key management. To reduce the cost of computing and improve communication efficiency, it is preferable to use symmetrical key encryption in designing VANET communication schemes.

Because of the fast-moving speed and limited communication scope, the secure and effective group key agreement mechanism becomes extremely important. To handle the security and efficiency issues, Han, Hua and Ma [16] proposed a self-authentication and deniable efficient group key agreement (SADEGKA) protocol. The certification efficiency is improved with the group key transmission method without certification authority and prevents the attacker from attacking the legal vehicle through a deniable group key agreement method. However, this scheme is not scalable because every vehicle must verify other vehicles during the key agreement, which increases the verification delay. Chim et al. [17] studied privacy protection and presented a method to verify a batch of signatures within a short time period using two shared secrets. This method enables the existing vehicles to form a group for secure communications. Meanwhile, the RSU is involved in the signature verification process, which greatly mitigates the vehicle’s computing burden. Our scheme also uses shared secrets for the group key agreement to improve the group key agreement efficiency. The RSU always has more powerful computation ability than vehicles; thus, it can speed up the vehicle legality certification. Lei, Yu and Xian [18] proposed an ID-based group authenticated key agreement protocol based on the DBDH assumption and considered the dynamic issue of group communication. In this scheme, the vehicles cannot be anonymous, and their privacy cannot be protected. Zheng et al. [19] introduced an ID-based authenticated group key agreement protocol without the management of certifications. However, both [18,19] have privacy protection problems.

3. Preliminaries

In this section, we briefly introduce the system model and bilinear maps. Some notations are shown in

Table 1. Notations.

Notations	Definitions
TA	Trusted authority
s	A master key of TA
$P_{pub}$	A public key of TA
$PI{D}_i$	The pseudo identity of vehicle
$TI{D}_i$	The true identity of vehicle
$V_i$	The vehicle number
$VI{D}_i$	$V_i$’s verification identity
$EN{C}_k(M)$	Encrypting function of M using key k
h	One secure one-way hash function
H	A MapToPoint hash function
$P{K}_{RSU}$	A public key for the RSU
$S{K}_{RSU}$	A private key for the RSU
$T_i$	The freshness of time
$G_1$	The cyclic additive group with prime order q
$G_2$	The cyclic multiplicative group with the prime order q

.

3.1. System Model

As shown in Figure 1, a typical VANET system includes three types of entities: OBU, RSU and TA.

• Each vehicle is equipped with an OBU, which is responsible for the communication with other neighbor OBUs or RSUs using the dedicated short range communication (DSRC) protocol. The OBU has limited computation and storage capabilities. Vehicles periodically broadcast messages of their driving state, e.g., emergency braking. Since the OBU is semicredible, it is necessary for vehicles to sign and authenticate messages transmitted in such unreliable transmission scenarios. Otherwise, the communication channel would be vulnerable to attacks from malicious attackers.
• RSUs are always distributed on both the roadside and intersections, which are responsible for the vehicle-to-infrastructure communication and infrastructure-to-TA communication. They periodically broadcast the road information (e.g., road congestion) and local environment (e.g., gas station and parking lot) to vehicles to improve the traffic condition. The RSU is also semicredible. The RSU has more powerful computation and communication capability than OBU; thus, it is notably suitable to authenticate vehicles and distribute keys to vehicles, which reduces the authentication latency and improves the communication efficiency [20].
• TA is a trustworthy third party, which is responsible for the generation and distribution of the private and public keys for OBUs and RSUs. The public key of every entity in the system is certified by a trusted party, so that the corresponding certificate can be publicly verified. This trusted party is also responsible for certificate managements. It also initializes the system and generates system parameters. Before performing the key agreement, OBUs and RSUs must be legally registered in TA. TA allocates the related authentication parameters to RSUs and OBUs. TA can trace the real vehicle identification when it is necessary to realize traceability [21].

3.2. Bilinear Maps

Let $G_1$ be a cyclic additive group with prime order q and $G_2$ be a cyclic multiplicative group with the same prime order q. The bilinear map is denoted as the mapping $e:G_1\times G_1\to G_2$, which has the following properties:

(1)

Bilinearity

$$\begin{array}{c}e(aP,bQ)=e{(P,Q)}^{ab}\hfill \end{array}$$

where $P,Q\in G_1,a,b\in {}_{R}Z_q^{*}$.

(2)

Nondegeneracy

$$\begin{array}{c}e(P,P)\ne 1\hfill \end{array}$$

where P is the generator of $G_1$.

(3)

Efficiency

There is an efficient polynomial time algorithm to compute $e(P,Q)$ for any $P,Q\in G_1$.

3.3. Mathematical Assumptions

Definition 1.

Discrete Logarithm Problem (DLP): $\forall a\in {}_{R}Z_q^{*}$, given $P,aP\in G_1$, compute a.

Definition 2.

Computational Diffie-Hellman Problem (CDHP): $\forall a,b\in {}_{R}Z_q^{*}$, given $P,aP,bP\in G_1$, compute $abP$.

Definition 3.

Decisional Diffie-Hellman Problem (DDHP): $\forall a,b,c\in {}_{R}Z_q^{*}$, given $P,aP,bP,cP\in G_1$, decide whether $cP=abP$.

4. Scheme Design

To address the security and privacy issues of VANET group communication, this paper designs a secure and efficient group key agreement scheme for VANET in bilinear groups. The vehicles will apply for their own group when registering with the TA. TA will authenticate them and assign relevant group identification according to vehicle attribute. The RSU computes the group key for the vehicles in its coverage according to the group identification. When vehicles are driving in the same RSU coverage area, they with the same group identification initiate group key negotiation due to communication needs. With the relatively fixed location, wide coverage, strong communication and computing capabilities, the RSU is selected as the manager of the group to complete the signature batch authentication of the vehicles and compute and distribute the group key. This can greatly improve the negotiation efficiency of the group key and reduce the communication delay. Figure 2 depicts the process of our group key agreement.

(1)

TA initializes the system parameters and sends them to vehicles and RSUs.

(2)

The RSU requests registration to TA.

(3)

TA returns the verification information.

(4)

Vehicle sends the vehicle registration information to TA.

(5)

TA returns the verification information.

(6)

TA sends the partial vehicle verification information (the shared key, etc.) to RSUs.

(7)

Vehicle requests the group key agreement and sends its signature to the RSU.

(8)

The RSU sends the final group key agreement result to vehicle according to the signature verification.

The scheme contains seven modules, i.e., parameter initialization, vehicle and RSU registration, vehicle signing, RSU verification, group key generation, group member joining, and group member leaving.

4.1. Parameter Initialization

TA generates some initial system parameters. This process must only be performed once for the entire system. However, TA may periodically update the system master key to enhance the security performance. The detailed processes are as follows.

(1)

TA selects a cyclic additive group $G_1$ and a cyclic multiplicative group $G_2$ that have bilinear map properties.

(2)

TA selects a random number $s\in {}_{R}Z_q^{*}$ as the system master key and computes $P_{pub}=sP$ as the corresponding public key.

(3)

TA selects two cryptographic hash functions: $H:G_1\to Z_q^{*}$, $h:{\{0,1\}}^{*}\to Z_q^{*}$.

(4)

TA broadcasts the public parameters $paras=\{G_1,G_2,e,q,P,P_{pub},H,h\}$ to all vehicles and RSUs, as shown in Figure 3.

4.2. Vehicle and RSU Registration

The vehicle and RSU are registered at TA. TA assigns the corresponding registration information to them, as shown in Figure 4.

TA assigns unique n-dimensional column vectors $TI{D}_i$, $a_i$ and $b_i$ to every legitimate vehicle. $TI{D}_i$ denotes the vehicle’s real identity, $a_i$ is the shared secret between vehicle $V_i$ and TA, and $b_i$ is the shared secret between vehicle $V_i$ and the RSU. TA computes $c_i=sH(a_i\oplus TI{D}_i)$ and sends $RE{G}_V=TI{D}_i\left|\right|a_i\left|\right|b_i\left|\right|c_i$ to vehicle $V_i$ through a secure channel.

TA computes $V_i$’s verification $VI{D}_i=a_i\oplus TI{D}_i$ and sends $RE{G}_{RSU}=VI{D}_i\left|\right|b_i$ to the RSU through a secure channel.

4.3. Vehicle Signing

In this module, the RSU authenticates the vehicles to prepare for the group key agreement. The detailed processes are described below.

Vehicle $V_i$ selects a random nonce $r_i$, which is used to prevent an attacker from tracing the vehicle. Then, it generates a pseudo identity $PI{D}_i$ that is composed of $PI{D}_{i,1}=r_{i}P$ and $PI{D}_{i,2}=VI{D}_i\oplus H(b_i·PI{D}_{i,1})$

$V_i$ calculates the signature ${\sigma }_i=c_i+b_i{c}_{i}h(M_i)$, where $M_i=PI{D}_i\left|\right|T_i$ and $T_i$ is the signing time. Then, it provides the information $D_i=r_i\left|\right|PI{D}_i\left|\right|{\sigma }_i\left|\right|T_i$ to the RSU through a secure channel, as shown in Figure 5.

4.4. RSU Verification

This module enables the RSUs to verify the vehicles’ signatures. The verification can be performed as single verification and batch verification.

(1)

Single verification

When the RSU receives the vehicle $V_i$’s signature $D_i$, it decrypts $D_i$ with its secret key $S{K}_{RSU}$ and checks the freshness of time $T_i$. If $T_i$ is fresh, that is, $T_i$ is within the validity period, the RSU continues to find out $V_i$’s verification public key $VI{D}_i$ and shared secret key $b_i$; then, it verifies whether the received $PI{D}_{i,2}$ is equal to $VI{D}_i\oplus H(b_i·PI{D}_{i,1})$. If it is true, the RSU verifies Equation (1):

$$e({\sigma }_i,P)=e(H(VI{D}_i)(1+b_{i}h(M_i)),P_{pub}).$$

(1)

Proof of correctness:

$$\begin{array}{c}L.H.S\hfill \\ =e(c_i+b_i{c}_{i}h(M_i),P)\hfill \\ =e(c_i,P)e(b_i{c}_{i}h(M_i),P)\hfill \\ =e(sH(a_i\oplus TI{D}_i),P)e(b_{i}sH(a_i\oplus TI{D}_i)h(M_i),P)\hfill \\ =e(H(VI{D}_i),sP)e(b_{i}H(VI{D}_i)h(M_i),sP)\hfill \\ =e(H(VI{D}_i),P_{pub})e(b_{i}H(VI{D}_i)h(M_i),P_{pub})\hfill \\ =e(H(VI{D}_i)(1+b_{i}h(M_i)),P_{pub})\hfill \\ =R.H.S\hfill \end{array}$$

Therefore, Equation (1) holds.

(2)

Batch verification

Assume the RSU receives a batch of signatures $D_1,D_2,\dots ,D_n$ from vehicles $V_1,V_2,\dots ,V_n$. First, the RSU checks the freshness of every time $T_i(1\le i\le n)$. If all are fresh, then the RSU continues to find the vehicle’s public verification key and the shared secret key and checks whether the second part of the pseudo identity is valid. If all are valid, the RSU verifies the signatures in the batch by checking Equation (2).

$$e(\sum _{i=1}^n{\sigma }_i,P)=e(\sum _{i=1}^{n}H(VI{D}_i)(1+b_{i}h(M_i)),P_{pub}).$$

(2)

Proof of correctness:

$$\begin{array}{c}L.H.S\hfill \\ =e({\displaystyle \sum _{i=1}^n}(c_i+b_i{c}_{i}h(M_i)),P)\hfill \\ =e({\displaystyle \sum _{i=1}^n}{c}_i,P)e({\displaystyle \sum _{i=1}^n}{b}_i{c}_{i}h(M_i),P)\hfill \\ =e({\displaystyle \sum _{i=1}^n}sH(a_i\oplus TI{D}_i),P)\hfill \\ e({\displaystyle \sum _{i=1}^n}{b}_{i}sH(a_i\oplus TI{D}_i)h(M_i),P)\hfill \\ =e({\displaystyle \sum _{i=1}^n}H(VI{D}_i),sP)e({\displaystyle \sum _{i=1}^n}{b}_{i}H(VI{D}_i)h(M_i),sP)\hfill \\ =e({\displaystyle \sum _{i=1}^n}H(VI{D}_i),P_{pub})e({\displaystyle \sum _{i=1}^n}{b}_{i}H(VI{D}_i)h(M_i),P_{pub})\hfill \\ =e({\displaystyle \sum _{i=1}^n}H(VI{D}_i)(1+b_{i}h(M_i)),P_{pub})\hfill \\ =R.H.S\hfill \end{array}$$

Therefore, Equation (2) holds.

4.5. Group Key Generation

After the vehicles are authenticated, the RSU generates the group key for the vehicles. The detailed processes are as follows.

(1)

The RSU randomly selects a random nonce $d_{RSU}\in {}_{R}Z_q^{*}$, computes $D_i=d_{RSU}PI{D}_{i,1}$, and computes the group key $K_{RSU}$ as follows:

$$K_{RSU}=e({\displaystyle \sum _{i=1}^n}{D}_i,d_{RSU}P)$$

(3)

(2)

The RSU computes its signature ${\sigma }_{RSU}=S{K}_{RSU}H(D)$, where $D=D_1\left|\right|D_2\left|\right|\dots \left|\right|D_n$. Then, it broadcasts $Z={\sigma }_{RSU}\left|\right|D$ to the vehicles, as shown in Figure 6.

(3)

After vehicle $V_i$ receives Z, it first verifies the signature of the RSU by checking Equation (4) as follows.

$$e({\sigma }_{RSU},P)=e(H(D),P{K}_{RSU}).$$

(4)

(4)

If the signature of the RSU is valid, vehicle $V_i$ computes group key $K_i$ as follows.

$$K_i=e(\sum _{i=1}^n{D}_i,r_i^{-1}{D}_i)$$

(5)

4.6. Group Member Joining

Suppose that $V_1,V_2,\dots ,V_n$ have a group key as described. The detailed process of a new vehicle $V_a$ joining the group is described as follows.

(1)

$V_a$ selects a random nonce $r_a$ and generates a pseudo identity $PI{D}_a=(PI{D}_{a,1},PI{D}_{a,2})$, where $PI{D}_{a,1}=r_{a}P,PI{D}_{a,2}=VI{D}_a\oplus H(b_a·PI{D}_{a,1})$. Then, $V_a$ calculates the signature ${\sigma }_a=r_{a}H(PI{D}_a)+b_a{c}_{a}H(T_a)$ and sends $D_a=EN{C}_{P{K}_{RSU}}(r_a\left|\right|PI{D}_a\left|\right|{\sigma }_a\left|\right|T_a)$ to RSU.

(2)

When the RSU receives signature $D_a$ of vehicle $V_a$, it decrypts $D_a$ with its secret key $S{K}_{RSU}$ and checks the freshness of time $T_a$. If the time is fresh, the RSU continues to find the public verification key $VI{D}_a$ of $V_a$ and shared secret key $b_a$. The RSU verifies whether the received $PI{D}_{a,2}$ is equal to $VI{D}_a\oplus H(b_a·PI{D}_{a,1})$. If it holds, the RSU verifies $V_a$’s signature as shown in Equation (1). If the signature is valid, the RSU allows for vehicle $V_a$ to join the group. Then, the RSU reselects a random nonce $d_{RSU}^{\prime }\in {}_{R}Z_q^{*}$ and recomputes $D_i^{\prime }=d_{RSU}^{\prime }PI{D}_{i,1}(1\le i\le n)$ and $D_a=d_{RSU}^{\prime }PI{D}_{a,1}$. The RSU computes the group key $K_{RSU}^{\prime }$ as follows.

$$K_{RSU}^{\prime }=e(\sum _{i=1}^n{D}_i^{\prime }+D_a,d_{RSU}^{\prime }P)$$

(6)

(3)

The RSU computes its signature ${\sigma }_{RSU}^{\prime }=S{K}_{RSU}H(X^{\prime })$, where $X^{\prime }=D_1^{\prime }\left|\right|D_2^{\prime }\left|\right|\dots \left|\right|D_n^{\prime }\left|\right|D_a$. Then, it broadcasts $Z^{\prime }={\sigma }_{RSU}^{\prime }\left|\right|X^{\prime }$ to all vehicles in the group.

(4)

When vehicles including $V_a$ receive $Z^{\prime }$, they verify the signature of the RSU as defined in Equation (4). If the signature is valid, they compute a new group key $K_i^{\prime }$ as follows.

$$K_i^{\prime }=e(\sum _{i=1}^n{D}_i^{\prime }+D_a,r_i^{-1}{D}_i^{\prime })$$

(7)

4.7. Group Member Leaving

Suppose that $V_1,V_2,\dots ,V_n$ have a group key as described above. Let $V_n$ be a vehicle leaving the group. The RSU should update the group key for the remaining $n-1$ vehicles. The detailed process of the group key updating is described as follows.

(1)

The RSU selects a random nonce $d_{RSU}^{\prime }\in {}_{R}Z_q^{*}$ and computes $D_i^{\prime }=d_{RSU}^{\prime }PI{D}_{i,1}(1\le i\le n-1)$. The RSU computes the group key $K_{RSU}^{\prime }$ as follows.

$$K_{RSU}^{\prime }=e(\sum _{i=1}^{n-1}{D}_i^{\prime },d_{RSU}^{\prime }P)$$

(8)

(2)

The RSU computes the signature ${\sigma }_{RSU}^{\prime }=S{K}_{RSU}H(X^{\prime })$, where $D^{\prime }=D_1^{\prime }\left|\right|D_2^{\prime }\left|\right|···\left|\right|D_{n-1}^{\prime }$. Then, it broadcasts $Z^{\prime }={\sigma }_{RSU}^{\prime }\left|\right|X^{\prime }$ to the vehicles.

(3)

After the vehicles receive $Z^{\prime }$, they verify the signature of the RSU as shown in Equation (4). If the signature is valid, they compute a new group key $K_i^{\prime }$ as follows.

$$K_i^{\prime }=e(\sum _{i=1}^{n-1}{D}_i^{\prime },r_i^{-1}{D}_i^{\prime })$$

(9)

5. Scheme Analysis

In this section, we analyze the correctness, security and performance of our proposed dynamic group key agreement scheme.

5.1. Correctness Analysis

Given the group secret keys $K_i$ and $K_j$ generated by two vehicles $V_i$ and $V_j$, we have:

$$PI{D}_{i,1}=r_{i}P,D_i=d_{RSU}PI{D}_{i,1}$$

$$PI{D}_{j,1}=r_{j}P,D_j=d_{RSU}PI{D}_{j,1}$$

Thus,

$$r_i^{-1}{D}_i=d_{RSU}P$$

$$r_j^{-1}{D}_j=d_{RSU}P$$

$$\begin{array}{c}{K}_i\hfill \\ =e({\displaystyle \sum _{k=1}^n}{D}_i,r_i^{-1}{D}_i)\hfill \\ =e({\displaystyle \sum _{k=1}^n}{D}_i,d_{RSU}P)\hfill \\ =e({\displaystyle \sum _{k=1}^n}{D}_i,r_j^{-1}{D}_j)\hfill \\ =K_j\hfill \end{array}$$

Therefore, the two keys $K_i$ and $K_j$ are identical.

5.2. Security

In this section, we present detailed analyses on the security and privacy protection of our scheme.

5.2.1. Forward Security

Forward security indicates that even if an attacker can obtain the previous group secret key, it cannot calculate the secret keys of the group in future. In other words, when some vehicle leaves the communication range of the RSU, the RSU will regenerate a random number $d_{RSU}$ for the group key generation and recalculate a secret key from the remaining vehicles $D_i$. Thus, the proposed scheme offers forward security.

5.2.2. Backward Security

Backward security indicates that even if the attacker holds the current group key, it cannot calculate the group keys before it joins the group. In other words, before the vehicle enters the communication range of the RSU, it does not hold the previous random number $d_{RSU}$ for the part of the group key, which implies that it cannot calculate the previous group keys. Therefore, the scheme offers the backward security.

5.2.3. Replay Attack Resistance

In the scheme, $D_i$ generated by the RSU is different from the secret keys of the vehicles, where a notably strong collision-resistant one-way function H is used. Therefore, the group key negotiated is highly independent. In addition, because of the difficulty of $CDHP$, it is not feasible for any attacker to calculate the secret keys in polynomial time.

5.2.4. Anonymity

$PI{D}_i=PI{D}_{i,1}\left|\right|PI{D}_{i,2}$ is a pseudo identity, which contains two random numbers $b_i$ and $r_i$ generated by TA and the vehicle, respectively. Thus, $PI{D}_i$ can well protect the vehicle’s privacy. Since the attacker cannot calculate the true identity $TI{D}_i=a_i\oplus PI{D}_{i,2}\oplus H(b_i·PI{D}_{i,1})$, the proposed scheme supports anonymity.

5.2.5. Traceability

The true identity of the vehicle can only be extracted by TA. Since TA has stored $(TI{D}_i,a_i,b_i,VP{K}_i)$ during the vehicle registration phase, it can verify the given pseudo identity $PI{D}_i=PI{D}_{i,1}\left|\right|PI{D}_{i,2}$. The verification process is shown as follows.

$$\begin{array}{c}{a}_i\oplus PI{D}_{i,2}\oplus H(b_i·PI{D}_{i,1})\hfill \\ =a_i\oplus VP{K}_i\hfill \\ =TI{D}_i\hfill \end{array}$$

Therefore, the proposed scheme enables TA to trace the true identities of the vehicles.

5.2.6. Replay Attack Resistance

There is a timestamp $T_i$ in the signature generated by vehicle, which enables the RSU to check the freshness of $T_i$ to prevent the replay of request for group key generation. Therefore, the proposed scheme can satisfy the replaying resistance.

5.3. Performance and Comparison

In this section, the proposed scheme is compared with existing schemes [8,16,22] in terms of computation overhead. Jiang, Zhu and Wang [22] proposed a conditional privacy (ACP) scheme based on anonymized batch authentication in vehicular ad hoc networks. Hai [8] proposed an authenticated group key Agreement (AGKA) scheme for mobile communication based on bilinear. For comparison, only the time-consuming multiplication/division and bilinear pairing operations are considered, and the other efficient operations such as point addition are omitted. Let $T_{par}$ be the execution time of a pairing operation, $T_{mul}$ be the execution time of performing a scale multiplication over an elliptic curve, Terminal be the user terminal node, and ACS be the access control server. The comparison is summarized in

Table 2. Computation Overhead Comparison.

Scheme	OBU/Terminal	RSU/ACS
ACP [22]	$n{T}_{mul}$	$3T_{par}+(2n+1)T_{mul}$
AGKA [8]	$3T_{par}+T_{mul}$	$(2n-1)T_{par}+(n+1)T_{mul}$
SADEGKA [16]	$2n{T}_{par}+5n{T}_{mul}$	$2n{T}_{par}+4n{T}_{mul}$
Our scheme	$3T_{par}+T_{mul}$	3$T_{par}+T_{mul}$

. As shown in Table 2, every procedure of our scheme enjoys constant computing costs, whereas the costs of existing schemes are linear with the group size. With the increase of the number of vehicles, the advantages of our scheme are more and more obvious, that is, the computation costs would not increase. Since both our scheme and ACP use the batch verification method, RSU takes less computations than the other two schemes. Note that OBU in [22] should take n multiplications, which requires more computation resources than our scheme. Although the computation cost of OBU in [8] is the same as that of our scheme, there requires a complicated certificate management mechanism, which affects the overall secret key negotiation efficiency.

We conducted experiments on a system with Intel(R) Core(TM) i5-5200U CPU at 2.20 GHz and 8.00 MB memory, using Pairing Based Cryptography Library (PBC) [23]. The elliptic curve is of Type A ($y^2=x^3+x$), where the element size of group G is 256 bits and the size of order p is 160 bits. We use Network Simulator 3 (NS3) as communication protocol simulator and follow the IEEE 802.11p standard. Our vehicle mobility model is based on the statistical analysis of the real GPS traces, which includes 360,000 records for a 1043 vehicles network. We extract 50 vehicle traces for delay evaluations. We deployed RSU and TA in the vehicles network. We assume that the OBU, RSU, and TA have completed parameter initialization and registration, and stored related group key negotiation information, such as VID, signature key, etc. The default parameter settings are listed in

Table 3. Default parameter settings.

Parameter	Default Value
Vehicles number	50
Communication range	250 (m)
Average speed	40 (kph)
Slot time	$1.3\times {10}^{-5}$ (s)

Figure 7 depicts the whole delay in group key negotiation, which includes computation delay and communication delay. In the simulation, we statistically analyzed the average delay of n vehicles initiating the negotiation group key. As shown in Figure 7, with the increase of the number of vehicles, the number of channel collisions increases, thereby increasing the communication delay. The communication efficiency of our scheme outperforms other ones, since the computation delay of our scheme is lower than that of other ones. When a new vehicle enters the communication range of RSU to apply for a new session key, the vehicle only needs to send its own group identity and signature to the RSU. Other existing n vehicles do not need to resend their pseudo identities and signatures again. The RSU computes a new group key according to the newly added vehicle information and broadcasts it. In this procedure, only $n+2$ messages are exchanged. Thus, this phase only requires two rounds to update group key. When a vehicle leaves the communication range of some RSU, the RSU only needs to recalculate the group key based on the information about the remaining $n-1$ vehicles. In this procedure, only $n-1$ messages are transferred. This phase only requires one round in updating group key.

6. Conclusions

This paper has proposed an authenticated group key agreement scheme for VANET in bilinear groups. The scheme selects the RSU as the main node in group key agreement, adopts the idea of shared secret keys, and realizes the identity authentication of each vehicle. Thorough analyses and comparison demonstrate that the proposed scheme provides privacy protection, traceability and revocability requirements and improves the performance compared to other schemes.