Privacy-Preserving Smart Road-Pricing System with Trustworthiness Evaluation in VANETs

With the advanced development of the intelligent transportation system, vehicular ad hoc networks have been observed as an excellent technology for the development of intelligent traffic management in smart cities. Recently, researchers and industries have paid great attention to the smart road-tolling system. However, it is still a challenging task to ensure geographical location privacy of vehicles and prevent improper behavior of drivers at the same time. In this paper, a reliable road-tolling system with trustworthiness evaluation is proposed, which guarantees that vehicle location privacy is secure and prevents malicious vehicles from tolling violations at the same time. Vehicle route privacy information is encrypted and uploaded to nearby roadside units, which then forward it to the traffic control center for tolling. The traffic control center can compare data collected by roadside units and video surveillance cameras to analyze whether malicious vehicles have behaved incorrectly. Moreover, a trustworthiness evaluation is applied to comprehensively evaluate the multiple attributes of the vehicle to prevent improper behavior. Finally, security analysis and experimental simulation results show that the proposed scheme has better robustness compared with existing approaches.


Introduction
Vehicular ad hoc networks (VANETs) have attracted keen interest from researchers and industries [1][2][3]. VANETs have been studied in depth over recent years, which has contributed to the construction of smart traffic networks in smart cities. As a promising technology in Intelligent Transportation Systems, VANETs play a key role in avoiding traffic congestion, reducing accidents, decreasing fuel consumption, road safety, and driving comfort [4][5][6]. Optimal road-pricing algorithms force drivers to choose the best routes with less payment, which solves problems in modern society such as exhaust gas pollution.
Since many efforts have focused on developing new tolling methods to better meet the requirements of VANETs in smart cities, road-pricing has evolved into smarter ways, such as the smart road-pricing (SRP) system. Instead of depending on physical equipment, SRP can combine the Global Navigation Satellite System with electronic equipment in vehicles, which makes room for other vehicles and reduces road upkeep [3]. However, properties of decentralization, heterogeneity, and non-trustworthiness in VANETs pose significant challenges in securing message transmission. Therefore, security issues are a priority when deploying this kind of tolling approach, in that malicious vehicles may try to pay less or

Motivation
The smart road-tolling system has drawn significant attention from researchers and industry, as it succeeds in relieving traffic pressure, reducing fuel consumption, and promoting the construction of eco-friendly cities. Though many smart road-pricing schemes have been proposed, they may not apply practically due to the large communication overhead and redundant operations. To cope with these issues, a privacy-preserving smart road-pricing scheme with trustworthiness evaluation is proposed. First, the term privacy means that a vehicle route needs to be kept secret during communication with RSUs or other vehicles, otherwise malicious entities may track it. Secondly, the identity of the vehicle itself should be protected.
Our contributions: In this paper, an efficient and secure road-pricing system with trustworthiness evaluation is proposed. The contributions of our proposed scheme are as follows: • A novel effective road-tolling violation scheme is proposed. Smart road-tolling in smart cities can be a challenging task given that tolling violation happens frequently. In this paper, a novel road-tolling violation scheme is proposed. The proposal combines video surveillance cameras (VSCs) and RSUs to detect malicious behavior for a vehicle even if a driver turns off his/her on-board unit (OBU) completely from its vehicle. To be certain, the TCC compares the data collected by VSCs, which are fixed on the pivotal toll road, with the routes collected by RSUs to check whether they are the same. • A scalable trustworthiness evaluation of the vehicle scheme is investigated. The trustworthiness of a vehicle shows the act of passing through toll roads in the past. In this paper, we present a novel scalable trustworthiness evaluation of vehicle scheme to handle the behaviors of sending false geolocation messages or malicious vehicle users, such as the impersonation of another legitimate vehicle. Therefore, to behave truthfully is the best choice for drivers when using toll roads. The higher the trusted value of a vehicle, the better the access to infrastructure services such as priority parking. • The detection rate of toll evasion with high efficiency is achieved. On the one hand, though many theoretic smart road-tolling schemes have been proposed, they suffer from a lot of computational overheads. On the other hand, these proposed schemes cannot record tolling violations effectively. That is to say, the schemes which have already been proposed are inefficient. In our scheme, PUF-based VSCs are fixed to pivotal places that can monitor the of passing vehicles accurately. Therefore, the detection rate of toll evasion in our proposed scheme is higher compared to others.

Organization
The structure of this paper is as follows: Section 2 presents related works. Section 3 describes the preliminaries that will be used later. Section 4 provides the system model of our proposed scheme and the design objections. Section 5 introduces a detailed description of our scheme, followed by security analysis in Section 6. Section 7 presents the performance of our scheme and a conclusion is provided after that.

Related Works
Privacy issues, especially vehicle geolocation data disclosure in road-pricing systems, have drawn widespread attention from researchers over recent years. Numerous solutions have been proposed to achieve security requirements in smart road-pricing.
Vehicle geolocation data can be collected by the OBU and the TCC easily. The encrypted geolocation data is then stored at the TCC, which can reduce the burden of OBU tremendously. Moreover, the TCC can respond in a timely manner when something urgent happens using to the data stored in it [3]. However, such a solution raises another threat after payment information finishes. Chen et al. [11] claimed that this information can be cracked by an external malicious attacker. Therefore, post hoc analysis concerning user traceability based on a user toll payment information scheme has been proposed by them. To avoid violating the location privacy of drivers, Popa et al. [12] proposed a scheme that can be applied to various location-based applications. The authors developed a practical protocol to compute the routing function concerning various tolling, the speed of vehicles, and delay estimation without revealing vehicle geolocation. To ensure the users always pay right tolls, homomorphic commitment [13] has been applied. Random spot-checks with cameras hidden on vehicles are employed to prevent dishonest drivers from cheating on their location. However, an anonymous network is needed to communicate their sensitive traveling data, which imposes heavy overheads on the system. More recently, a group signature [14] toll-pricing system has been proposed by Chen et al. [15] to achieve a balance between vehicle anonymity, computation, and communication overheads. In the proposed scheme, a high-efficiency group signature is deployed to sign each vehicle location before sending them to toll servers. Those vehicles are also grouped by a trusted authority according to criteria such as speed, reputation, and similarity, as per [3,16]. Vehicle privacy in this way can be better protected if proper group management is designed.
With the improvement of smart cities, the location privacy of vehicles plays a significant role in deploying smart electronic systems in VANETs. In 2016, a low-emission zone (LEZ) privacy-preserving road-tolling system was proposed in [17]. The authors divided LEZ into multiple zones, charging various prices according to the topology of the city and the level of congestion. However, the authors in [3] pointed out that vehicles need to authenticate themselves when entering or leaving a zone, which imposes heavy computational overheads. Therefore, a distributed, reliable, and secure pricing system was proposed by Siham Bouchelaghem et al. [3] to better meet the requirements of privacy preservation in SRP. The authors apply a threshold-based control system to discover malicious vehicles who try to cheat on their tolls. Once the accused drivers are tested, a toll server can take relevant measures to punish them. Moreover, the scheme can resist a variety of potential attacks, and the computation and communication overheads are considerably better behaved.
Location-based privacy for vehicles has been investigated actively in recent years. Reza Shokri et al. proposed a k-anonymity location privacy preservation scheme [18] in which the real locations of drivers are obfuscated by the construction of cloaking regions. However, Fifi Farouk et al. [6] claimed that this scheme cannot be applied to low-density zones where the users who want to send requests must wait for k other users, which may lead to delays and degrade the quality of service. Levente Buttyan et al. [19] proposed that vehicles blind their real identities, which changes with some frequency to solve the problem of privacy disclosure. However, this method may be impractical when applied to long-term communication, because changing frequently may interrupt the quality of correspondence. Recently, Fifi Farouk et al. [6] proposed a location-based service (LBS) to protect the privacy of vehicles using fully homomorphic encryption [20] over advanced encryption standard [21]. However, they do not take road-tolling into consideration.

Preliminaries
In this section, we present the relative cryptographic primitives used in our scheme.

The Computational Diffie-Hellman (CDH) Assumption
The CDH problem used in our scheme is briefly defined in the following definition. Given an instance (P, aP, bP) where a, b ∈ Z * p , the computational Diffie-Hellman problem (CDH Problem) in a multiplicative group G is to compute abP. The success probability of any probabilistic, polynomial-time, 0/1-valued algorithm A to solve CDH problem in G can be defined as: The CDH assumption is that for every adversary A in probabilistic polynomial time, the probability of Suc CDH A,G is negligible.

Fuzzy Comprehensive Strategy (FCS)
Driver behavior cannot be determined by a single evaluation accurately, because of the uncertainty and complexity of their actions. Therefore, the fuzzy comprehensive strategy is used to evaluate the trustworthiness of drivers. With such a strategy, multiple attributes and actions are taken into consideration.

Vehicle Behavior Attributes
The behavior attributes of vehicles can be described by a variety of factors, including mileage, timings of vehicle accident records, maximum speed, number of passing tolling spots, and number of toll violations. The trustworthiness of vehicles can be evaluated by the attributes recorded in each vehicle OBU.

Entropy Method
Entropy was originally one of the parameters used to describe the state of matter in thermodynamics. It has been widely used to evaluate multiple-attribute comprehensive evaluation problems since it was introduced into information theory in 1948 by Shannon [22]. According to the degree of variation, information entropy can be used to calculate the entropy weight of attributes. Moreover, entropy weight can also be applied to correct the value to arrive at a more objective weight value.

Comprehensive Attribute Weight
Specifically, comprehensive attribute weight applies various important attributes to vehicle behavior. To obtain objective evaluation results, the attribute weight is not obtained from historical experience, but from the entropy weight mentioned previously. Considering the characteristics of each vehicle's multiple attributes, it is necessary to illustrate the attribute weight with a comprehensive method W = {w 1 , w 2 , · · · , w n } where

Schnorr Signature
We apply the Schnorr signature [23] to realize our scheme. As with the Elgamal digital signature [24], the Schnorr digital signature is also based on the discrete logarithm problem. The Schnorr scheme minimizes the amount of message computation required to generate the signature. The main work of generating a signature is independent of the message and can be performed when the processor is idle. We chose two large primes p, q, where q is the prime factor of p − 1 where p, q is assumed to be 1024, and a 160-bit integer respectively. m ∈ Z p is chosen randomly, and m q = 1 mod p. The signature is δ Schnorr = (r + sΥ) mod q, where Υ = H(M||m r ), s is the private key, r ∈ Z p and satisfies 0 < r < q. The public key can be computed by pk = m −s mod p. To verify the signature, the receiver computes ξ=m δ Schnorr pk H(M||m r ) mod p and verifies whether H(M||m r ) = H(M||ξ).

The System Model
The system model and design objections of this proposed scheme will be presented in this section. The system model is provided in Figure 1. Please note that for the convenience of display, we only give the model of part of the road for VANETs in Figure 1. In a real scenario, there would be multiple vehicles, RSUs, and VSCs. • TCC: In our proposed system, the TCC is a fully trusted entity that stores the real identities of vehicles, which are used to track the real driven routes of vehicles if necessary. It also acts as a judge to check whether a vehicle behaves incorrectly by comparing the data collected by VSCs with the data obtained by RSUs in its storage space. The TCC can be managed by a government organization and its computation and communication resources are powerful enough. • Roadside Unit: As computing and communicating devices, RSUs can receive geolocation information transmitted from vehicles and then transfer them to a cloud server [4]. We assume that the RSUs in our scheme are trusted entities. • Video Surveillance Camera: As common equipment in modern life, video surveillance cameras (VSCs) play a tremendous role in crime prevention, terrorist detection and obtaining evidence. Equipped with edge computing software units, VSCs have certain computing and storing capabilities. Installed in a pivotal place, the VSC can watch passing vehicles constantly [25]. To ensure security, we adopt the PUF-based VSCs that have been mentioned in [26] for the purpose of resisting various kinds of attacks. Moreover, when regulated by TCC, VSCs behave correctly and are never compromised.
• Vehicle: Equipped with an on-board unit (OBU), vehicles can realize communication and information exchange through a dedicated short-range communication (DSRC) protocol as proposed in [1,2,6,10,27,28]. The vehicle-to-vehicle and vehicle-to-RSU communications are wireless. In our proposed scheme, the vehicles may turn off their OBUs or impersonate a legitimate one to pay less.

The Threat Model
In this part, the threat model of the proposed scheme is presented in detail as follows: A. An attacker can intercept messages transmitted between VSCs and the TCC, and then may alter, temper, or replay these messages. B. A malicious vehicle may impersonate another legitimate one to send false geolocation messages for less payment when using toll roads. C. An adversary may turn off his/her OBU to prevent nearby RSUs from detecting their driving signal to avoid payments.

The Design Goals
Security and privacy issues in VANETs are significant for mutual communication of entities. In this part, detailed design goals are presented as follows: • Identity privacy preservation: Other malicious vehicles are not able to recover the vehicle's true identity. • Message authentication: The TCC can check the validation of messages sent by VSCs, and messages sent by vehicles can also be checked by nearby RSUs. • Conditional privacy preservation: In the event of a disagreement, the TCC can recover real identities of vehicles by analyzing messages sent by itself. To be specific, a malicious vehicle sends false geolocation message when it uses toll roads to reduce payment. • Resistance of various kinds of attacks: Our proposed scheme can withstand some frequent attacks such as impersonation attack, modification attack, and man-in-themiddle attack, all of which are harmful to the normal execution of VANETs.

The Proposed Scheme
In this section, detailed descriptions of our privacy-preserving smart pricing scheme will be presented. The notations used in our scheme is presented in Table 1. Basically speaking, our scheme consists of five stages, named system bootstrapping, VSCs, vehicles and RSUs registration, geolocation message transmission, verification and comparison, trustworthiness evaluation process, and tolling bill.

System Bootstrapping
In this section, the TCC generates the system public parameters. The following operations are carried out by the TCC in our scheme:

•
Choosing two large prime numbers p, q and an elliptic curve E which is defined by an equation A generator P is selected in the group G which with order q. The group G consists of all points on the elliptic curve and the infinity point O. • S ∈ Z q * will be selected randomly by the TCC as the system's private key, and the public key of the system can be therefore computed as P pub = S · P. • Three secure collusion-resistance hash functions are chosen as H 1 : TCC publicizes the public system parameters {p, q, a, b, P, P pub , H 1 , H 2 , H 3 }.

Symbol Description
G An additive group with order q E An elliptic curve y 2 = x 3 + ax + b mod p p, q Represent two large prime numbers S The master key generated by traffic control center P The group generator P pub The system public key, where P pub = S · P AID vsc i The pseudonym of VSC including (AID vsc i 1 , AID vsc i 2 ) SK i vsc The private key of the VSC Hash function H 1 : The total number of vehicles passing a toll road in a period time ⊕ Represent the exclusive-OR-operation || The information concatenation operation

Entity Enrollment
Each PUF-based VSC must preload the system public parameters and register with the TCC, and then the TCC will assign {ID i vsc , S} to each VSC over a secure channel. Each VSC checks whether the identities are equal to the stored ones. A denial request will be issued if one of them is not equal. Then, each VSC chooses a random number x i ∈ Z q * and computes the pseudonym of VSC which consists of two parts AID vsc i = (AID vsc i 1 , AID vsc i 2 ). Later, computing the private key SK i vsc of the VSC where ψ i = H 2 (AID vsc i ||T i ||L i ), L i is the location of the VSC, T i is the timestamp. The specific calculation process is shown in Algorithm 1 lines 1 to 4. In the process of VSC enrollment, each vehicle is equipped with a tamper-proof device which is preloaded with system public parameters and information {RID i v , S} transmitted from the TCC over a secure channel. Then, each vehicle chooses a random numberh i ∈ Z q * , and computesh i and PID i v ; the private key corresponding to the vehicle anonymity is SK i v , the public key is PK i v = SK i v · P. At the same time, each vehicle computes Λ i v = SK i v · P pub . The specific calculation process is shown in Algorithm 1. The specific calculation process is shown in Algorithm 1 lines 5 to 8. Each RSU sends the real identity RID RSU i to the TCC over a secure channel, then the TCC chooses a random number ε i ∈ Z q * and computes E i , the private key of corresponding RSU is SK i RSU , where T i is the timestamp. The public key is PK i RSU and compute Λ i RSU = SK i RSU · P pub , then the TCC send the {RID RSU i , SK i RSU , PK i RSU , E i , Λ i RSU } to the corresponding RSU over a secure channel. The specific calculation process is shown in Algorithm 1 lines 9 to 12.

Geolocation Message Transmission
The geolocation message transmission phase can be divided into two parts, which are separately named VSC evidence generation and transmission, and vehicle route information dissemination, respectively.
In the process of VSC evidence generation and transmission, each VSC which is deployed in a fixed position takes pictures of passing vehicles to record their route information. This information is then transmitted to the TCC. The TCC stores the evidence information transmitted from the VSCs in the database, which is specially designed for storing evidence. The detailed operations are as follows: assuming that a vehicle enters a pricing road, the corresponding road VSC chooses a random number ω i ∈ Z p * , and com- , and generates the evidence signature σ i = SK i vsc + α i · ω i mod q, where AID vsc i is the ith anonymity identity of the VSC, L i is the ith location information of the vehicle, LP i is ith vehicle license plate, which is bound to the driver's real identity. Then, the VSC sends {σ i , AID vsc i , T i , L i , W i , LP i } to the TCC. In the process of vehicle route information dissemination, each vehicle sends its geolocation information when entering a toll road. The detailed executions are as follows: for the purpose of privacy protection, each vehicle entering a toll road computes a communication session key with the nearby RSU based on its own private key and the identity of a nearby RSU, where the communication session key can be calculated as where RID RSU i is the ith real identity of RSU. Then, choose a number z i ∈ Z q * randomly, and compute Z i = z i · P, where Sig v i means the message signature generated by the passing vehicles and M = (L i ||T i ||PID i v ) represents the message transmitted by a vehicle who enters a toll road at the nearby RSU. To ensure vehicle location privacy, symmetric encryption is adopted to blind the message C = E K (M||Sig v i ). Then, the generated message {PID i v , C, T i , Z i ,h i } is transmitted to the nearby RSU.

Verification and Comparison
Upon receiving the message, the RSU operates as Algorithm 2 only if T i is in its valid period: computing the communication session key DK to decrypt the ciphertext C to obtain M||Sig v i . To verify the Sig v i , the RSU validates whether the equation is true. Based on the received message, RSUs only need to perform RID i v = PID i v ⊕ H 1 (S ·h i ||T i ) to obtain the true identities of passing vehicles. When obtaining the true identities of passing vehicles, RSUs forward {RID i v , L i , T i } to the TCC over a secure channel for further road-tolling. Later, the TCC verifies the signature to judge whether the messages have been altered by a malicious adversary.

Algorithm 2 Verification
The TCC executed the following operations: • Verification of a single message Checking the freshness of the T i , the TCC rejects the message if the T i is not fresh. The TCC checks whether the equation σ i · P = AID vsc i 1 + ψ i · P pub + α i · W i holds.

• Verification of multiple messages
To speed up verification, many related works have been proposed [29][30][31][32][33]. Therefore, to improve verified efficiency, the small exponent test technique [34,35] is applied. Within such technology, a vector consisting of small random integers can be used to quickly detect any modification in the process of batch verification. Upon receiving multiple messages from VSCs, the TCC verifies the correctness of those messages. First, it checks the freshness of T i . Messages merely with the valid T i can be accepted. Second, a vector Γ = {τ 1 , τ 2 , · · · , τ n } is chosen randomly, where τ i is a small random integer. After that, the TCC verifies whether Equation (1) holds.
The TCC rejects the messages if the above equation fails to pass verification; otherwise, the TCC accepts them. Then, the TCC stores the messages in a database 1. For these monitoring messages {σ 1 , AID vsc 1 , T 1 , L 1 , W 1 , LP 1 }, {σ 2 , AID vsc 2 , T 2 , L 2 , W 2 , LP 2 }, · · · , {σ n , AID vsc n , T n , L n , W n , LP n } from VSCs, the TCC first perform XOR operations RID vsc = AID vsc i 2 ⊕ H 1 (x i · S · P) to obtain the real identities of each VSC. Afterwards, the TCC stores these monitoring messages {RID vsc 1 , T 1 , L 1 , LP 1 }, {RID vsc 2 , T 2 , L 2 , LP 2 }, · · · , {RID vsc n , T n , L n , LP n } in database 2. Specifically, the license plate (LP) of each vehicle in database 1 corresponds to the real identities in database 2. We assume that the PUF-based VSCs can never be compromised, and the messages recorded by them can be trusted. Therefore, the messages transmitted from these VSCs which are fixed on pivotal toll roads can be seen as a reference. Then, the TCC compares whether L i stored in database 1 and database 2 are equal using an efficient comparison algorithm in the same period T i .

Trustworthiness Evaluation
There are various methods to explore and analyze user behaviors, such as [36,37]. To evaluate the attributes of the vehicle more accurately, a fuzzy comprehensive strategy is adopted in our scheme to analyze each vehicle behavior comprehensively, assuming that the A = {a 1 , a 2 , · · · , a n } are vehicle n-th attributes which can be seen as trustworthiness evaluation indexes. A 0 = {a 1 0 , a 2 0 , · · · , a n 0 } denotes the initial attribute weight of each vehicle, and T t = {t 1 , t 2 , · · · , t l } means the l instances in time t i . The following matrix A is adopted to demonstrate the behavioral attribute clearly.
where A ij denotes the attribute a i in the j-th instance. The normalized matrix Λ can be obtained by processing the fuzzy matrix A in the following equation.
where the P + and P − represents the positive and negative attributes, respectively.
As previously mentioned, the entropy method used to demonstrate the uncertainty of things has determined multi-attribute comprehensive evaluation problems in a highefficiency way. Specifically, the higher uncertainty of the attribute means the higher its weight. According to the normalization of the matrix Λ , the TCC calculates A ij (i = (1, 2, · · · , l), j = (1, 2, · · · , n)). For each attribute in j = (1, 2, · · · , n), entropy weight can be calculated by the TCC as . Therefore, the vehicle's initial trustworthiness value can be represented as the following equation Please note that the V rwd and V psh are the reward and punishment thresholds used to encourage honest vehicle behavior. To be specific, once the initial trustworthiness value is more than V rwd , more reward Q will be awarded. Otherwise, the initial value will be deducted correspondingly.
The new trusted value of a driver will be increased if the comparison results are equal. By contrast, the new trusted value will be decreased. The following equation can be used to represent the final trustworthiness value for a vehicle

Toll Bill
The final toll bill will be generated based on the trusted value NEW V i TV at the end of pricing period and then be sent to the drivers who use the toll road. For each vehicle, the TCC calculates the fee g(T i j , L i j ) with the billing function, where j represents the vehicle using the toll road for j times. The final total costs of the i-th vehicle can be represented where the vehicle trusted value NEW V i TV is incorporated. To guarantee the integrity and authenticity of the bill, the TCC encrypts the bill using the public key of a vehicle, and then signs it using the private key of the TCC. Detailed operations of the TCC are as follows: randomly chosen numbers λ ∈ Z q * , and (Φ 1 , Φ 2 ) are computed where Φ 1 = λ · P, Φ 2 = λ · PK i v . Afterwards, = Bill i v · X Φ 2 mod p and η = λ − P pub · mod q are calculated where X Φ 2 means the horizontal axis of Φ 2 . Finally, the TCC generates the bill's signature σ Bill i v = ||η||Φ 1 . The detailed generation process of the toll bill is provided in Algorithm 3.

Algorithm 3 Generating Tolling Bill Signature
Require: 4: End for; 5: Randomly choose λ ∈ Z q * ; Only those bills that pass the signature verification can be seen as a legitimate bill. For this purpose, the vehicle checks whether the equation · P pub + η · P = SK i v · Φ 1 holds. The vehicle accepts the bill if the verification holds, and then recovers the toll bill Bill i v by computing Bill i v = · X −1 Φ 2 mod p. Otherwise, the vehicle rejects it. The detailed signature verification process of the toll bill is provided in Algorithm 4.

Security Analysis
In this section, security analysis is presented to show that how our proposed scheme can satisfy our design objections and resist some attacks.

•
The signature messages generated by VSCs are correct and can resist threat model A mentioned in Section 4.2 if the system security parameters are correctly generated. The proof is as follows: With system security parameters and signature messages generated by VSCs and vehicles, our proposed scheme can be proved to be correct as per the following equation.
• The signature messages generated by vehicles are correct if the system security parameters are correctly generated.
With system security parameters and signature messages generated by vehicles, our proposed scheme can be proved to be correct as per the following equation.
where Proof of Theorem 1. Based on the threat model and design objections, the security model of our proposed scheme is defined by a game, which involves the interaction between a challenger C and an adversary A. Assuming there exists an adversary A who can forge a valid signature, a challenger C, who is able to solve the hardness of the DL problem with a non-negligible advantage, uses A as a subroutine. The detailed proof of our scheme is similar to the one in [38]. Due to space limitation, we omit it in this paper.

• Identity privacy preservation
The real identities of vehicles RID i v are blinded by computingh i =h i · P and PID i v = RID i v ⊕ H 1 (S ·h i ||T i ). To obtain the real identities RID i v from PID i v , the adversary must compute S ·h i = S ·h i · P =h i · P pub from P pub = S · P. Therefore, due to the hardness of the CDH problem defined previously, we show that our proposed scheme can provide identity privacy preservation.

• Message authentication
In our scheme, the signature messages {σ i , AID vsc i , T i , L i , W i , LP i } where σ i = SK i vsc + α i · ω i mod q, Sig v i = SK i v + z i · H 2 (RID TCC ||RID RSU i ||T i ||M) mod q generated by VSCs and vehicles during passing toll road can be checked by the TCC and RSUs, and the correctness of the equation verification is shown in Section 6.1. Using Section 6.1, the threat model B can be avoided in our proposed scheme.

• Conditional privacy preservation
The real identities of vehicles RID i v are covered up by The TCC can perform an XOR operation as RID i v = PID i v ⊕ H 1 (S ·h i ||T i ) using the system master private key S in an emergency or in the event of a disagreement to obtain vehicle real identities.

•
Resisting impersonation attacks Adversaries who want to impersonate a legitimate actor to reduce payment must generate a message As is shown in 6.1, RSUs can identify such an attack easily by checking whether Equation (6) holds. Therefore, any adversaries cannot impersonate a legitimate vehicle.

•
Resisting modification attacks is a signature generated by VSCs fixed on pivotal toll roads. According to Theorem 1, the TCC can easily identify whether the signature {σ i , AID vsc i , T i , L i , W i , LP i } generated by VSCs has been modified by checking the equation Resisting man-in-the-middle attacks Based on message authentication among entities such as VSCs, vehicles, and the TCC, we know that our proposed scheme can provide authentication for participants. Therefore, a man-in-the-middle attack can by resisted in our proposed scheme.

Performance Evaluation
In this section, the performance analysis of our proposed scheme is presented. To better demonstrate our proposed protocol intuitively, implementation with a pairing-based cryptography (PBC) library https://crypto.stanford.edu/pbc/ (accessed on 19 May 2021) and GNU Multiple Precision Arithmetic library on a Linux system using an Intel Core i5-9500 at a frequency of 3.0 GHz, and 8 GB of RAM are provided.
As illustrated in Figure 2, seven phases are separately named VSC enrollment, vehicle enrollment, RSU enrollment, message transmission of VSCs, message transmission of vehicles, message verification of RSUs, and TCC, respectively. It is not difficult to see that the time cost of vehicle enrollment is more than the other entities. Essentially, the vehicle needs to execute a point multiplication related to ECC, two additive operations, and three multiplication operations on Z p in this phase. However, this takes a lot of time, so this phase can be executed offline ahead of time. Therefore, the amount of system time cost on execution is not burdensome.  Figure 3 presents the time cost of signature verification. With the increase of the number of vehicles, the computation overheads of the RSU and TCC are increased. Essentially, each vehicle sends geolocation messages to the RSU and each VSC sends surveillance messages to the TCC, which leads to increased overheads. The reason that the time cost of the TCC is higher than the RSUs is that the TCC needs to execute three multiplication operations related to the ECC and an additive operation on Z p . To illustrate the superiority of our proposed scheme, the time costs of signature verification of different schemes are presented in Figure 4. Clearly, performance analysis shows that our scheme is much better than [38,39], i.e., the computation overheads in our scheme are much lower. Without using bilinear pairing, our proposed scheme can better meet the requirements of resource constraint in VANETs.
To cope with drivers who want to reduce payments or pay no bill by turning off his/her OBU, the performance of detection rates is evaluated. As shown in Figure 5, with the increase in vehicles, the detection rate increases slowly. Please note that the lowest detection rate of our scheme is still more than 89%, though the number of vehicles is 50.  In fact, no more than 50 vehicles will pass through the toll road at the same time in the existing highway section. Therefore, our proposed scheme can be easily applied in practical application.

Conclusions
In this paper, a novel privacy-preserving road-pricing system with a trustworthiness evaluation scheme is proposed. In the scheme, we combine cryptographic primitives and our unique comparison method to force passing vehicles to behave honestly as much as possible. The PUF-based VSCs, which can resist various attacks such as man-in-themiddle, are used to record the real geolocation and corresponding time. Meanwhile, messages generated by the vehicle itself can be received by nearby RSUs and then be forwarded to the TCC, which compares whether they are equal. Moreover, a novel fuzzy comprehensive strategy trustworthiness evaluation approach is designed and applied to our proposed scheme to record vehicle misbehavior. Finally, sufficient theoretical and experimental analysis yields better performance in security and efficiency in comparison with previous schemes.