A Privacy-Preserving Traffic Monitoring Scheme via Vehicular Crowdsourcing

The explosive growth in the number of vehicles has given rise to a series of traffic problems, such as traffic congestion, road safety, and fuel waste. Collecting vehicles’ speed information is an effective way to monitor traffic conditions and avoid congestion; however, it may threaten vehicles’ location and trajectory privacy. Motivated by the fact that traffic monitoring does not need to know each individual vehicle’s speed and the average speed would be sufficient, we propose a privacy-preserving traffic monitoring (PPTM) scheme to aggregate vehicles’ speeds at different locations. In PPTM, the roadside unit (RSU) collects vehicles’ speed information at multiple road segments, and further cooperates with a service provider to calculate the average speed information for every road segment. To preserve vehicles’ privacy, both the homomorphic Paillier cryptosystem and a super-increasing sequence are adopted. A comprehensive security analysis indicates that the proposed PPTM can preserve vehicles’ identity, speed, location, and trajectory privacy from being disclosed. In addition, extensive simulations are conducted to validate the effectiveness and efficiency of the proposed PPTM scheme.


Introduction
Nowadays, the number of global vehicles has exceeded 1.2 billion and may be headed to 2 billion by 2035 [1]. With such a large number of vehicles, many critical social problems, such as traffic congestions and slow traffic, have emerged, leading to significant time and fuel waste. According to a report released by Harvard Center, for the drivers in the 10 most-congested cities in USA, more than 48 h are wasted in traffic jams, causing $121 billion loss in time and fuel every year [2]. To deal with these critical problems, both industry and academia are paying great attention to traffic monitoring, and the vehicular ad hoc network (VANET) is considered as one of the most promising ways that can be leveraged in traffic management [3,4].
In VANETs, vehicles, embedded with onboard units (OBUs), can share traffic information (e.g., locations and speeds) to the roadside units (RSUs) through vehicle-to-infrastructure (V2I) communications, and nearby vehicles by vehicle-to-vehicle (V2V) communications [5]. By collecting and analyzing this traffic information, vehicles can easily know different locations' traffic conditions and road safety, and accordingly plot their optimal routes. Recently, several VANET-based traffic monitoring applications have been built. For example, Google and Apple provide real-time navigation services based on current traffic information [6]. Waze has developed an application that can help drivers get the best route with real-time help from other drivers [7]. Although many benefits can be brought by this emerging network paradigm, its adoption still hinges on how to resolve security and privacy concerns for the users. Since a vehicle's location is tightly bundled with its driver, an attacker can predict a driver's future location based on his vehicle's trajectory, or even infer the drivers' personal information, such as habits, health condition, income, and religious belief, according to their frequently visited places.
To preserve the vehicles' privacy, pseudonyms and anonymous authentication are two effective ways to conceal vehicles' real identities and realize conditional privacy preservation [8–11]. For example, Ni et al. [12] proposed a privacy-preserving real-time navigation system by collecting vehicles' location and speed information, and, with the randomization technique, the sensitive identity privacy is preserved. However, the work in [13] shows that user identities can sometimes be inferred from the location data if users' home and work locations are deduced from the data. Moreover, we observe an attack that, by linking vehicles' speed information, vehicles can also be identified even if they change their pseudonyms. An example is illustrated in Figure 1. At time $t_1$, a vehicle provides its speed information $PID_A \| v_1 \| L_1 \| t_1$ to a roadside unit (RSU), and at time $t_2$, it uploads the speed information $PID_B \| v_2 \| L_2 \| t_2$, where $v$ denotes the average speed in the road segment, $L$ denotes the location, and $t$ represents the current time. Although the vehicle's pseudonym is changed (i.e., $PID_A \to PID_B$), attackers can still link the pseudonyms by comparing the estimated passing time (the average passing time can be calculated by using the distance and average speed, and the distance from $L_1$ to $L_2$ can be obtained from GPS) and actual passing time (i.e., $t_2 - t_1$) between these two locations. Thus, a privacy-preserving traffic monitoring scheme that can protect the vehicles' identities and defend against the linkable attack is still lacking.
In this paper, to deal with the above challenges, we propose a privacy-preserving traffic monitoring (PPTM) scheme to enable vehicles to provide their traffic information without sacrificing their privacy. This scheme uses the homomorphic Paillier cryptosystem to guarantee the privacy of vehicles' speeds, and adopts a well-defined super-increasing sequence to not only protect vehicles' location privacy, but also save tremendous computational costs and communication overhead. Our main contributions can be further summarized below.

• First, inspired by the fact that the average speed would be sufficient to achieve traffic monitoring, we propose PPTM, which uses the super-increasing sequence and homomorphic Paillier cryptosystem to realize privacy-preserving speed aggregation and efficient traffic monitoring. Concretely, each vehicle uses a well-defined super-increasing sequence to aggregate its multiple speeds and encrypts the aggregated result before uploading it to the RSU. Then, the RSU will aggregate all reports and cooperate with a service provider to calculate each road segment's average speed. During this process, vehicles' identity, speed, and location privacy will not be disclosed to any other party.
• Second, we find that the anonymous technologies such as pseudonyms and randomizable signature are not suitable for certain VANET-based applications because of the time link attack. To mitigate this attack, we design a privacy-preserving data aggregation approach. Through a comprehensive security analysis, the proposed PPTM is proven to be secure and privacy-preserving. Particularly, the proposed scheme can achieve report privacy preservation, report authentication, data integrity, and identity preservation, as well as defend against the collusion attack. The detailed analysis is given in Section 5.
• Third, we conducted extensive simulations to show PPTM is practical and efficient. Compared with a traditional baseline scheme, PPTM could significantly reduce computational costs and communication overhead, indicating that the proposed scheme can indeed realize real-time traffic monitoring.
The rest of this paper is organized as follows. In Section 2, we introduce the system model, security requirement, and design goals of the proposed PPTM scheme. In Section 3, preliminaries including bilinear pairings and Paillier cryptosystem are introduced. The detailed introduction of PPTM is given in Section 4. In Sections 5 and 6, we analyze the security and performance of PPTM, respectively. In Section 7, some related works are listed, and we draw our conclusion in Section 8.

System Model, Security Requirements, and Design Goals
In this section, we formalize the proposed scheme by giving the system model, threat model, and design goals.

System Model
In the proposed PPTM scheme, roads are divided into multiple segments and vehicles are expected to provide their average speed for each segment they have passed through. A typical RSU-assisted VANET application is illustrated in Figure 2. In particular, the considered system model consists of the following entities.

• Trust authority (TA): TA is a fully trusted entity that is responsible for the registration of vehicles and RSUs. It builds public/secret key pairs for all entities, and generates sufficient pseudonyms for vehicles before their next registration.

Security Requirements
In our security model, TA is fully trusted as it is responsible for initializing the whole system and generating credentials and public/private keys for all participating entities. SP and RSUs are considered to be honest-but-curious, which means both will strictly follow the designed protocol, but are curious about vehicles' privacy. In particular, we assume there is no collusion between SP and RSUs, which is similar to most existing RSU-assisted scenarios [14,15]. Meanwhile, we assume that vehicles will provide correct speed information to the RSU. This assumption is reasonable in most traffic monitoring scenarios, since: (1) the speed provided by vehicles is in the area where they have passed through, and providing false data would not benefit them; and (2) vehicles want to know the correct traffic conditions, and thus will honestly follow the designed protocol for their mutual benefits. Besides, we also assume there exists an attacker which is curious about drivers' privacy. It may launch attacks, modify speed reports, and threaten data integrity. Based on the above assumptions, the proposed scheme should achieve the following security requirements.
Identity Privacy Preservation. As described above, an attacker can potentially identify drivers even though they adopt pseudonyms and anonymous authentication. Thus, to preserve drivers' identity privacy, attackers cannot infer vehicles' location information (i.e., road segments) based on the given data.
Location Privacy Preservation. Since the speed is location-aware, preserving drivers' location privacy requires preventing their speed from being disclosed. Hence, the proposed scheme should ensure that, even if the RSU or an attacker receives a vehicle's speed information, it cannot recover its speed and further infer its location privacy.
Data Integrity. An attacker may eavesdrop on drivers' reports and modify them for its own benefit. Thus, the proposed scheme should guarantee data integrity and any malicious operations should be detected.

Design Goals
Based on the aforementioned security requirements, our goal is to design a privacy-preserving traffic monitoring scheme, which enables vehicles to upload their speeds towards the RSU securely and efficiently. Concretely, the proposed scheme should achieve the following two design goals.
The defined security requirements should be guaranteed. If the proposed scheme fails to realize the aforementioned security requirements, drivers' identity and location privacy may be disclosed, and data reports transmitted to the RSU or other vehicles may be modified. Then, vehicles may be reluctant to provide their speed, and traffic conditions will not be accurately estimated.
High efficiency should be guaranteed. To provide real-time traffic monitoring, vehicles are expected to upload speed information in a short transmission interval. However, to preserve drivers' privacy, sensitive information should be encrypted, which may introduce tremendous computational costs and bandwidth consumption for resource-constrained vehicles. Thus, the proposed scheme should achieve high efficiency in computational costs and communication overhead.

Preliminaries
In this section, we review the pairing-based cryptography [16] and the Paillier cryptosystem [17], which serve as the basis of our proposed traffic monitoring scheme.

Bilinear Pairings
Suppose there are two cyclic groups $G_1$ and $G_2$, both of which have the same order $q$. Then, a bilinear map $e : G_1 \times G_1 \to G_2$ has the following properties.
• Bilinearity: $e(aP, bQ) = e(P, Q)^{ab} \in G_2$, for all $P, Q \in G_1$ and $a, b \in \mathbb{Z}_q^*$.
• Non-degeneracy: $e(P, P) \neq 1$, for all $P \in G_1$.
• Computability: $e(P, Q)$ can be efficiently computed, for all $P, Q \in G_1$.
By referring to [18,19], we give two more comprehensive definitions for bilinear pairings.

Definition 1. Given an input security parameter $\kappa$, $Gen$ is a probabilistic algorithm that outputs a 5-tuple $(q, P, G_1, G_2, e)$, in which $q$ is a $\kappa$-bit prime, $P$ is a generator, $(G_1, G_2)$ are two cyclic groups sharing the same order $q$, and $e : G_1 \times G_1 \to G_2$ is an efficient, computable, and non-degenerate bilinear map.
Definition 2 (Computational Diffie-Hellman (CDH) Problem). Given elements $(P, aP, bP) \in G_1$, there exists no efficient algorithm that can calculate $abP \in G_1$ for unknown $a, b \in \mathbb{Z}_q^*$ in probabilistic polynomial time.

Paillier Cryptosystem
As an effective technology to achieve homomorphic properties on the ciphertexts, the Paillier cryptosystem has been widely used in various privacy-preserving applications. Concretely, three algorithms are included in the Paillier cryptosystem.
• Key Generation: With a security parameter $\kappa_1$, select two large $\kappa_1$-bit primes $p_1, q_1$, and calculate $n = p_1 q_1$ and the least common multiple of $p_1$ and $q_1$, i.e., $\lambda = \mathrm{lcm}(p_1, q_1)$. Then, define a function $L(a) = \frac{a-1}{n}$, and calculate $\mu = (L(g^{\lambda} \bmod n^2))^{-1} \bmod n^2$, where $g \in \mathbb{Z}_n^*$. Then, the public/private keys are $pk = (n, g)$ and $sk = (\lambda, \mu)$.
• Message Encryption: Given a plaintext $m \in \mathbb{Z}_n$, after choosing a random value $r \in \mathbb{Z}_n^*$, the message is encrypted as $c = E(m) = g^m \cdot r^n \bmod n^2$.
• Ciphertext Decryption: Given a ciphertext $c = E(m) \in \mathbb{Z}_{n^2}^*$, the message is recovered as $m = D(c) = L(c^{\lambda} \bmod n^2) \cdot \mu \bmod n$.

Proposed PPTM Scheme
In this section, we give the details of the proposed PPTM scheme, which includes system initialization, speed request and speed reporting, privacy-preserving report aggregation, secure report reading, and traffic guidance and identity tracing.

System Initialization
TA initializes the whole system. After selecting two security parameters $\kappa, \kappa_1$, it first runs $Gen(\kappa)$ to generate a 5-tuple $(q, P, G_1, G_2, e)$ and calculates public/private keys of the Paillier cryptosystem, i.e., $pk = (n, g)$, $sk = (\lambda, \mu)$, according to $\kappa_1$. Then, TA selects a secure cryptographic hash function $H$, where $H : \{0, 1\}^* \to G_1$. Vehicles are required to register themselves periodically. TA chooses a secure key $k_0$ and generates a secure symmetric encryption algorithm $AES_{k_0}$. For every registered vehicle with its real identity number $ID_i$ (the real ID can be a license number or social security number), TA generates a group of pseudonyms $\{PID_{ij} = AES_{k_0}(ID_i \| x_{ij})\}_{j=1}^{n}$ by choosing a set of random values $\{x_{ij}\}_{j=1}^{n} \in \mathbb{Z}_q^*$. Then, TA uses $x_{ij}$ as each vehicle's certified private key and calculates the corresponding public key as $Y_{ij} = x_{ij} P$. For each RSU with its identity number $ID_r$, TA selects a random number $x_r \in \mathbb{Z}_q^*$ as its private key and calculates the public key as $Y_r = x_r P$. Finally, TA publishes
In addition, in the coverage of an RSU, roads are divided into multiple segments. Assume that the maximum number of segments within the coverage of each RSU is $M$, the number of vehicles in every segment is no more than $Q$, and the maximum speed in every road segment is smaller than $V$. Then, for the segments located in each RSU's coverage, TA generates a super-increasing sequence $\vec{a} = (a_1, a_2, \cdots, a_M)$, where $a_i$ denotes the $i$th segment such that $a_i \in \mathbb{Z}_n^*$ is randomly
Figure 3 illustrates the system procedure of PPTM. As can be seen, the RSU first generates a speed request and all vehicles respond to it by providing their driving reports. Specifically, the request contains the RSU's ID, the current timestamp $TS$, the time range $TR$, and the signature $\sigma_r = x_r H(ID_r \| TS \| TR)$. Note that the timestamp is used to defend against the replay attack launched by forged RSUs.
Then, the RSU broadcasts the request $R_r = ID_r \| TS \| TR \| \sigma_r$ to vehicles driving in its communication coverage. After receiving this request, vehicles first verify the request by examining whether $e(P, \sigma_r)$ equals $e(Y_r, H(ID_r \| TS \| TR))$. If the equation holds, the request will be accepted, since $e(P, \sigma_r) = e(x_r P, H(ID_r \| TS \| TR)) = e(Y_r, H(ID_r \| TS \| TR))$.

Speed Request and Speed Reporting
If the request is valid, vehicles are expected to provide their speed reports. The format of speed is defined as , where $t_i(j)$ denotes the time passing by the $i$th segment for the vehicle $V_j$, and $\{A_i(j), S_i(j)\}$ are calculated as follows, where $v_i(j)$ is $V_j$'s average speed when passing by the segment $i$. Note that the speed report is time series data, which means the reports will be sorted in time order. For example, if a vehicle has gone through the segments in order of 1, 4, and 5, with the average speed 50, 75, and 60, its speed reports are represented as {(1, 5, 1, 50), (4, 3.5, 1, 75), (5, 2, 1, 60)}. Then, given a time range of 8, the vehicle should submit the speed report {(5, 2, 1, 60), (4, 3.5, 1, 75)} since 2 + 3.5 < 8. To preserve location and speed privacy, the report should be encrypted before being uploaded to the RSU. The vehicle $V_j$ selects two random values $r_{j1}, r_{j2} \in \mathbb{Z}_n^*$ and calculates the ciphertexts as $C_{j1} = g^{a_1 \cdot A_1(j) + \cdots + a_M \cdot A_M(j)} \cdot r_{j1}^{n} \bmod n^2$ and $C_{j2} = g^{a_1 \cdot S_1(j) + \cdots + a_M \cdot S_M(j)} \cdot r_{j2}^{n} \bmod n^2$. Then, the vehicle signs the report with its secret key by computing $\sigma_j = x_j H(PID_j \| Y_j \| C_{j1} \| C_{j2} \| TS)$. After that, $V_j$ delivers the speed report $R_j = PID_j \| Y_j \| C_{j1} \| C_{j2} \| TS \| \sigma_j$ to the RSU.

Privacy-Preserving Report Aggregation
Upon receiving the report, the RSU first checks the freshness of this report, i.e., makes sure that the difference between request and response is within a certain range. Then, the RSU verifies the vehicle's report by examining $e(P, \sigma_j) \stackrel{?}{=} e(Y_j, H(PID_j \| Y_j \| C_{j1} \| C_{j2} \| TS))$, as $e(P, \sigma_j) = e(x_j P, H(PID_j \| Y_j \| C_{j1} \| C_{j2} \| TS)) = e(Y_j, H(PID_j \| Y_j \| C_{j1} \| C_{j2} \| TS))$. In particular, to improve efficiency, the RSU can perform batch verification to check $e(P, \sum_{j=1}^{N} \sigma_j)$ , where $N$ is the number of vehicles passing by every segment. The proof is given below.
After checking the validity of vehicles' reports, the RSU executes the following steps to obtain the aggregated results in a privacy-preserving way.

• Step 1. Calculate the aggregated results $C_1$ and $C_2$ based on the encrypted data $\{C_{j1}\}_{j=1}^{N}$ and $\{C_{j2}\}_{j=1}^{N}$ as follows.
• Step 2. Use the secret key $x_r$ to generate a signature as
• Step 3. Send the aggregated and encrypted data $ID_r \| C_1 \| C_2 \| TS \| \sigma_r$ to the SP.
For ease of understanding, we give an example to show how vehicle and speed information are aggregated, as shown in Figure 4. The RSU receives the ciphertexts of four speed reports $\{R_1, R_2, R_3, R_4\}$, each of which contains four segments. After performing the aggregations, the aggregated results of vehicle and speed are the ciphertexts of $a_i \sum_{j=1}^{4} A_i(j)$ and $a_i \sum_{j=1}^{4} S_i(j)$, respectively, where $i \in [1, 4]$. In the following, we show how to recover the aggregated vehicles and speeds for every segment.

Secure Report Reading
On receiving the aggregated report, SP first checks data validity by examining $e(P, \sigma_r) \stackrel{?}{=} e(Y_r, H(ID_r \| C_1 \| C_2 \| TS))$, and then performs the following steps to recover the aggregated results from the ciphertexts,
Input: $M_1$, $M_2$, and $\vec{a}$
Output:
The correctness of Algorithm 1. For ease of description, we use the aggregated vehicles to give the correctness analysis. In this algorithm, . As the number of aggregated vehicles in every segment is smaller than $Q$, we have Hence, $L_{M-1} = L_M \bmod a_M = a_1 \sum_{j=1}^{N} A_1(j) + \cdots + a_{M-1} \sum_{j=1}^{N} A_{M-1}(j)$, and accordingly we have Following a similar analysis, $L_i = \sum_{j=1}^{N} A_i(j)$ can be proven. In addition, we can prove $LS_i = \sum_{j=1}^{N} S_i(j)$, as it shares a similar procedure with $L_i$.

Traffic Guidance and Identity Tracing
After calculating the aggregated vehicles and speeds in all segments, i.e., $(L_1, L_2, \cdots, L_M)$ and $(LS_1, LS_2, \cdots, LS_M)$, the average speed in each segment can be computed as $\bar{L}_i = \frac{LS_i}{L_i}$. Finally, SP broadcasts the speed information and vehicles can select optimal routes based on the road conditions. In addition, although we assume that all vehicles report their speeds honestly, some vehicles may still upload false traffic data. In this case, the TA can periodically select some speed reports stored in the RSU and recover them to check whether they are truthful. Since vehicles' pseudonyms are generated by using vehicles' real identity ID, malicious vehicles can be easily and quickly identified.
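The data path described above, from report selection and super-increasing packing through RSU aggregation to SP recovery and per-segment averages, as an added example that is not the authors' code. Assumptions: textbook Paillier with $\lambda = \mathrm{lcm}(p_1 - 1, q_1 - 1)$ and $g = n + 1$ over a constructed toy key, a deterministic sequence $a_1 = 1$, $a_i = Q V \sum_{k<i} a_k + 1$, $A_i(j) = 1$ for a traversed segment with $S_i(j)$ the integer average speed, RSU aggregation by ciphertext multiplication, and the BLS signatures left out.

```python
import math
import secrets

# Constructed toy key built from two Mersenne primes (assumption, illustration
# only; the paper's n is 1024 bits).
P1, Q1 = 2**31 - 1, 2**61 - 1
N = P1 * Q1
N2 = N * N
G = N + 1                                               # generator choice (assumption)
LAM = (P1 - 1) * (Q1 - 1) // math.gcd(P1 - 1, Q1 - 1)   # lcm(p1 - 1, q1 - 1)
MU = pow((pow(G, LAM, N2) - 1) // N, -1, N)             # L(g^lambda mod n^2)^-1 mod n


def encrypt(m):
    """E(m) = g^m * r^n mod n^2 with a fresh random r in Z*_n."""
    while True:
        r = secrets.randbelow(N - 1) + 1
        if math.gcd(r, N) == 1:
            break
    return pow(G, m, N2) * pow(r, N, N2) % N2


def decrypt(c):
    """D(c) = L(c^lambda mod n^2) * mu mod n."""
    return (pow(c, LAM, N2) - 1) // N * MU % N


def super_increasing(m_segments, q_max, v_max):
    """a_1 = 1 and a_i > Q*V*sum(a_k, k<i), so each slot can hold a sum up to Q*V."""
    seq, total = [], 0
    for _ in range(m_segments):
        seq.append(q_max * v_max * total + 1)
        total += seq[-1]
    return seq


M_SEGMENTS, Q_MAX, V_MAX = 5, 10, 200        # constructed bounds M, Q, V
SEQ = super_increasing(M_SEGMENTS, Q_MAX, V_MAX)
assert Q_MAX * V_MAX * sum(SEQ) < N          # packed sums must fit in Z_n


def select_reports(trip, time_range):
    """Walk the trip log newest-first while the accumulated time stays below TR."""
    chosen, elapsed = [], 0.0
    for entry in reversed(trip):
        if elapsed + entry[1] >= time_range:
            break
        elapsed += entry[1]
        chosen.append(entry)
    return chosen


def vehicle_report(trip, time_range):
    """Vehicle side: pack (segment, time, A, S) tuples into two plaintexts, then encrypt."""
    reports = select_reports(trip, time_range)
    count_m = sum(SEQ[seg - 1] * a for seg, _t, a, _s in reports)
    speed_m = sum(SEQ[seg - 1] * s for seg, _t, _a, s in reports)
    return encrypt(count_m), encrypt(speed_m)          # (C_j1, C_j2)


def rsu_aggregate(ciphertexts):
    """RSU side: multiply ciphertexts; the plaintexts add up without being revealed."""
    c1 = c2 = 1
    for cj1, cj2 in ciphertexts:
        c1 = c1 * cj1 % N2
        c2 = c2 * cj2 % N2
    return c1, c2


def unpack(value, seq):
    """Peel off the per-segment sums from a_M down to a_1 by successive division."""
    sums = [0] * len(seq)
    for i in range(len(seq) - 1, -1, -1):
        sums[i], value = divmod(value, seq[i])
    return sums


def sp_read(c1, c2):
    """SP side: decrypt the two aggregates and derive the average speed per segment."""
    counts = unpack(decrypt(c1), SEQ)
    speed_sums = unpack(decrypt(c2), SEQ)
    averages = [s / c if c else None for c, s in zip(counts, speed_sums)]
    return counts, speed_sums, averages


# Constructed trip logs; the first one is the worked example from the text.
TRIPS = [
    [(1, 5, 1, 50), (4, 3.5, 1, 75), (5, 2, 1, 60)],
    [(4, 3, 1, 65), (5, 2.5, 1, 70)],
    [(2, 1, 1, 40), (3, 2, 1, 45), (5, 3, 1, 80)],
]


def run_demo(time_range=8):
    c1, c2 = rsu_aggregate([vehicle_report(t, time_range) for t in TRIPS])
    return sp_read(c1, c2)


if __name__ == "__main__":
    print(run_demo())
```

The SP only ever decrypts the two aggregated plaintexts, so the per-segment counts and speed sums are the finest granularity it sees.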

Security Analysis
In this section, we give the security analysis of the proposed PPTM scheme. In particular, recalling the aforementioned security requirements, the analysis focuses on how our proposed PPTM scheme can protect each vehicle's report privacy, ensure report authentication and data integrity, and achieve vehicles' identity and location privacy preservation.
The proposed scheme can achieve report privacy preservation. The proposed scheme preserves reports' privacy by using the Paillier cryptosystem. In PPTM, vehicle $V_j$'s location and speed are formed as $C_{j1}, C_{j2}$. Since both ciphertexts are valid ciphertexts of the Paillier cryptosystem and the Paillier cryptosystem has been proven to be secure under the chosen plaintext attack, the messages are secure and privacy-preserving. That is, although an adversary may eavesdrop on a ciphertext, it cannot recover the corresponding message. After receiving all reports from vehicles, instead of recovering each report, the RSU will perform report aggregation and deliver the aggregated ciphertext to the SP. Thus, even though SP holds the secret key, it can only obtain the aggregated result. Therefore, each individual vehicle's report is privacy-preserving in the proposed PPTM scheme.
The proposed scheme can achieve report authentication and data integrity. In our proposed scheme, vehicles' reports and the RSU's aggregated report are signed using the BLS short signature [20]. Since it has been proven that the BLS short signature can defend against the CDH problem [21], our proposed scheme can guarantee the report authentication and data integrity, and any malicious behavior on the vehicles' reports will be detected.
The proposed scheme can protect vehicles' identity privacy. In our proposed scheme, vehicles periodically update their pseudonyms from TA. By changing pseudonyms, vehicles are able to keep themselves anonymous. Moreover, the proposed scheme is also effective in defending against the possible link attack presented in [13], since each vehicle's route (i.e., road segment) is aggregated and encrypted. In this way, attackers cannot infer where vehicles have been based on the given data, and accordingly cannot link their identities. Besides, although SP can obtain the aggregated vehicle information, it is infeasible for it to recover each individual vehicle's route. Therefore, vehicles' identity privacy is preserved in the proposed PPTM scheme.
The proposed scheme can protect vehicles' location privacy. In our proposed scheme, vehicles' location privacy is preserved by aggregating their route reports. Considering the speed is location-aware, attackers may infer vehicles' locations based on the speed information. In this case, our proposed scheme is still effective, since in PPTM each individual speed is also aggregated and encrypted. Similarly, since all speed reports are also aggregated in the RSU, SP cannot obtain each individual vehicle's speed information. Thus, vehicles' location privacy is preserved.
The proposed scheme can resist collusion attacks. The basic idea to mitigate collusion attacks is to ensure the separation of data between different entities. In PPTM, with the assumption that RSU does not collude with SP, neither of them can know each individual vehicle's privacy. More specifically, the RSU cannot know vehicles' reports since they are encrypted by using the SP's public key. The SP can decrypt the summation of vehicles and speed in each segment, while not knowing each individual vehicle's data.

Performance Evaluation
In this section, we evaluate the performance of the proposed PPTM scheme in terms of computational costs of vehicles and RSU, and communication overhead of vehicle-to-RSU and RSU-to-SP communications.

Computational Costs
For the proposed PPTM scheme, when a vehicle $V_j$ generates an encrypted report $PID_j \| Y_j \| C_{j1} \| C_{j2} \| TS \| \sigma_j$, it performs two exponentiation operations in $\mathbb{Z}_{n^2}$ to calculate $C_{j1}$ and $C_{j2}$, and one multiplication in $G$ to build the vehicle's signature $\sigma_j$. After collecting vehicles' reports, the RSU verifies the received reports with $N + 1$ pairing operations. Besides, the RSU also aggregates vehicles' reports to obtain the aggregated vehicle and speed information, which requires $N - 1$ multiplication operations. However, since the multiplication operations in $\mathbb{Z}_{n^2}$ are negligible compared with the time-consuming exponentiation and pairing operations, the time costs can be omitted. In addition, to generate the signature, it also performs one multiplication operation in $G$. As for the SP, it needs to verify the aggregated data sent from the RSU and obtain the aggregated data, which cost one pairing operation in $G$ and two exponentiation operations in $\mathbb{Z}_{n^2}$. Here, we use $C_n$, $C_e$, $C_m$ to denote the computational cost of an exponentiation operation in $\mathbb{Z}_{n^2}$, a pairing operation in $G$, and a multiplication operation in $G$, respectively. Then, the total computation costs for the vehicle, RSU, and SP will be $2 * C_n + C_m$, $(N + 1) * C_e + C_m$, and $C_e + 2 * C_n$, respectively.
Our proposed PPTM scheme enables each vehicle to embed its multiple speeds into one compressed datum, and thus large computational costs can be saved. To compare the efficiency of PPTM, a traditional approach denoted by TRPM is considered, which encrypts every individual speed information at the corresponding road segment. Under the same setting, a vehicle has to generate $M$ ciphertexts, consuming $M$ exponentiation operations in $\mathbb{Z}_{n^2}$ to perform the encryption. In addition, for the ciphertexts, the vehicle is required to generate one signature, which needs one multiplication operation in $G$. Thus, the total time costs will be $M * C_n + C_m$. For the RSU, it performs batch verification to authenticate the reports, which takes $N + 1$ pairing operations. However, since the number of ciphertexts in TRPM is much more than that in PPTM, i.e., ($M * N$ vs. $M * 2$), the RSU has to perform more multiplication operations for speed aggregation. Then, the RSU generates a signature and forwards it to the SP, which will execute $M$ exponentiation operations to recover the aggregated speed in all road segments. Thus, the total computational costs of an individual vehicle, the RSU, and the SP will be $M * C_n + C_m$, $(N + 1) * C_e + C_m$, and $C_e + M * C_n$, respectively.
We list the computational costs of PPTM and TRPM in Table 1. In addition, we conducted extensive experiments to compare the efficiency of our proposed PPTM scheme. We used nodes with 1.5 GHz and 2 GB RAM as resource-constrained nodes (i.e., vehicles), and used a laptop with Intel Core i7-7600U CPU and 16 GB RAM as the entities that hold enhanced computational capacities (i.e., the RSU and cloud). The security parameters $\kappa$ and $\kappa_1$ were set to 1024 bits and 160 bits. All experiments were executed 10 times, and the average results were selected. The experimental results indicate that each single multiplication operation in $G$ took 2 ms, each exponentiation operation in $\mathbb{Z}_{n^2}$ took 5 ms, and each pairing operation in $G$ took 2 ms. To validate the efficiency of our proposed PPTM, we show the computational costs in terms of the number of vehicles and road segments in
In Figure 5, we can see that, as the number of road segments increased, the time TRPM took at the vehicle side increased linearly, while it was relatively stable in PPTM. The reason is that PPTM uses a well-defined super-increasing sequence to aggregate the speeds before performing data encryption. We then plot the time cost of the fog node in Figure 6. Since the reports were verified in a batch, the scheme was efficient at the RSU side. For example, when the number of vehicles reached 500, PPTM only needed 0.994 s to finish report authentication and ciphertext aggregation. To validate the efficiency of the proposed PPTM, we further conducted a comparative experiment by changing the number of vehicles and road segments. As shown in Figure 7, it was obvious that our proposed PPTM scheme performed much better than the traditional TRPM scheme, which demonstrated the correctness of the complexity analysis in Table 1. The result shown in Figure 8 also demonstrates the efficiency of our proposed scheme in terms of the average speed calculation at the SP side.

| | PPTM | TRPM |
|---|---|---|
| Vehicle | $2 * C_n + C_m$ | $M * C_n + C_m$ |
| RSU | $(N + 1) * C_e + C_m$ | $(N + 1) * C_e + C_m$ |
| SP | $C_e + 2 * C_n$ | $C_e + M * C_n$ |

Communication Overhead
We then analyzed the communication overhead of the proposed scheme. Generally, the communication of PPTM includes two parts, i.e., vehicle-to-RSU communication and RSU-to-SP communication. For the vehicle-to-RSU communication, each individual vehicle generates its traffic report and transmits it to the RSU. Recalling our previous description, the vehicle's report is defined as $PID_j \| Y_j \| C_{j1} \| C_{j2} \| TS \| \sigma_j$ and the size is $S_v = |PID_j| + 160 + 2048 * 2 + |TS| + 160$, where the sizes of $n$ and $G$ were set to 1024 bits and 160 bits, respectively. The RSU is responsible for collecting $N$ reports in its coverage region, thus the total communication cost for the RSU is $S_R = N * S_v$. In the traditional TRPM scheme, each vehicle needs to generate a 2048-bit ciphertext for every road segment. Then, the total communication cost of vehicle-to-RSU will be $S_v = |PID_j| + 160 + 2048 * M + |TS| + 160$. We then considered the RSU-to-SP communication.
In PPTM, the RSU transmits the aggregated report $ID_r \| C_1 \| C_2 \| TS \| \sigma_r$ to the SP, which costs $S_S = |ID_r| + 2048 * 2 + |TS| + 160$ bits. Alternatively, TRPM needs to forward each segment's aggregated report to the SP, which requires $|ID_r| + 2048 * M + |TS| + 160$ bits. Based on the analysis presented above, it was obvious that our proposed PPTM could significantly reduce the bandwidth costs compared with the traditional TRPM.

Related Works
Recently, traffic monitoring has received considerable attention as it is important to reduce fuel waste, air pollution, and improve drivers' driving experience. By collecting vehicles' traffic information, the traffic conditions can be better identified. Based on this, many schemes and applications have been proposed. However, the security and privacy of vehicles are still major concerns [22,23]. In fact, if drivers' privacy is not being strictly protected, they are usually reluctant to submit their data.
To realize privacy-preserving traffic monitoring, some schemes [12,[24][25][26] have been proposed. For example, Chim et al. [24] presented a secure navigation scheme that uses RSUs to guide vehicles in a distributed way. However, since all vehicles can obtain a same master key, their scheme cannot defend against the insider attacks. By using vehicular cloud and zero-knowledge proof, Sur et al. [25] designed a secure navigation approach. Nevertheless, the credentials cannot be reused, which introduces more computational costs. Ni et al. [12] and Wang et al. [27] realized real-time navigation by collecting vehicles' speed information. With the technology of randomizable signature, their schemes can achieve conditional privacy preservation. Rabieh et al. [26] further proposed a privacy-preserving route reporting scheme. In their scheme, vehicles' future routes are collected, which would be used to calculate the number of vehicles appearing in next routes.
Although many efforts have been made to realize privacy-preserving traffic monitoring, most of them, nevertheless, ignore the time link attack, as described in Figure 1. Since vehicles are required to report their driving reports periodically or at different road segments, by linking their arriving time, vehicles' trajectories can be easily identified. That is, the traditional technologies to protect drivers' identity privacy, such as pseudonyms or randomizable signature, are not suitable in certain VANET-based applications. Besides, to preserve data privacy, cryptographic primitives such as elliptic curve cryptography [28] and key and key aggregation are proposed [29], which may introduce extensive workloads on the vehicles. Inspired by the work in [30], we applied the use of super-increasing sequence to aggregate vehicles' routes and speed information. In this way, vehicles' identity and location privacy are preserved.

Conclusions
Vehicles' speed information is important to monitor the traffic conditions and prevent road congestion; however, it threatens drivers' privacy. In this paper, we propose a privacy-preserving traffic monitoring scheme by collecting vehicles' speed and route information. The main idea is to aggregate multiple speeds into one compressed datum so that vehicles' identity and location privacy will not be disclosed. Security analysis indicates that the proposed PPTM scheme is secure and privacy-preserving. Besides, extensive simulations demonstrated its efficiency. In the future, we will try to achieve privacy-preserving traffic monitoring without the assistance of the RSU.
Author Contributions: C.Z. designed the scheme, conducted the experiments, gave formal analysis, and wrote the manuscript. L.Z. contributed to the manuscript's idea, scheme design, and reviewing and editing the manuscript. C.X. contributed to the manuscript's idea, formal analysis, and reviewing and editing the manuscript. X.D. contributed to the manuscript's idea and reviewing and editing the manuscript. M.G. contributed to the scheme design and formal analysis.