SE-CPPA: A Secure and Efficient Conditional Privacy-Preserving Authentication Scheme in Vehicular Ad-Hoc Networks

Communications between nodes in Vehicular Ad-Hoc Networks (VANETs) are inherently vulnerable to security attacks, which may mean disruption to the system. Therefore, the security and privacy issues in VANETs are entitled to be the most important. To address these issues, the existing Conditional Privacy-Preserving Authentication (CPPA) schemes based on either public key infrastructure, group signature, or identity have been proposed. However, an attacker could impersonate an authenticated node in these schemes for broadcasting fake messages. Besides, none of these schemes have satisfactorily addressed the performance efficiency related to signing and verifying safety traffic-related messages. For resisting impersonation attacks and achieving better performance efficiency, a Secure and Efficient Conditional Privacy-Preserving Authentication (SE-CPPA) scheme is proposed in this paper. The proposed SE-CPPA scheme is based on the cryptographic hash function and bilinear pair cryptography for the signing and verifying of messages. Through security analysis and comparison, the proposed SE-CPPA scheme can accomplish security goals in terms of formal and informal analysis. More precisely, to resist impersonation attacks, the true identity of the vehicle stored in the tamper-proof device (TPD) is frequently updated, having a short period of validity. Since the MapToPoint hash function and a large number of cryptography operations are not employed, simulation results show that the proposed SE-CPPA scheme outperforms the existing schemes in terms of computation and communication costs. Finally, the proposed SE-CPPA scheme reduces the computation costs of signing the message and verifying the message by 99.95% and 35.93%, respectively. Meanwhile, the proposed SE-CPPA scheme reduces the communication costs of the message size by 27.3%.


Introduction
Annually, approximately 1.3 million persons die, and between 20 and 50 million more persons are non-fatally injured as a result of a road traffic accidents [1,2]. Therefore, the technology of Vehicular Ad-Hoc Networks (VANETs) is expected to play a major role in reducing the number of accidents and increasing road safety [3,4]. VANETs have attracted increasing attention from academia, the motor industry, and even the government in recent years [5].
VANETs are an extreme case of Mobile Ad-Hoc Networks (MANETs), in which the vehicle nodes are highly mobile. The main structure includes three components of the VANET, namely a trusted authority (TA), some fixed road-side units (RSUs), and many mobility on-board units (OBUs), as shown in Figure 1. Each vehicle has OBU to share safety traffic-related messages with others or neighbor RSU via vehicle-to-vehicle (V2V) communication and vehicle-to-infrastructure (V2I) communication, respectively. More precisely, the main goals of intelligent transport system (ITS) are to offer safety improving, • First, this efficient bilinear pair cryptography based on the conditional privacypreserving authentication (SE-CPPA) scheme satisfies the security and privacy requirements. • Second, since the vehicle's true identity is regularly updated at short intervals of time, the proposed SE-CPPA scheme is resistant to impersonation attacks, as attackers are unable to launch side-channel attacks for obtaining the vehicle's true identity. • Third, since the signing and verifying of the messages do not employ a MapToPoint hash operation function, the proposed SE-CPPA scheme has a lower overhead compared to the existing schemes based on bilinear pair cryptography.
The remainder of this paper is structured as follows. The existing CPPA schemes for VANETs are reviewed in Section 2. Section 3 introduces the background for the proposed SE-CPPA scheme. The phases of the proposed SE-CPPA schemes are presented in detail in Section 4. Section 5 introduces a security analysis and comparison in this paper. In Section 6, the performance efficiencies of the SE-CPPA and the existing CPPA schemes are evaluated and compared. Lastly, our conclusion is introduced in Section 7.

Related Work
In this section, the existing CPPA schemes for VANETs are briefly reviewed. The following categories for the existing CPPA schemes are, namely: Public key infrastructure, group signature, and Identity. These categories will be separately reviewed in the next subsections.

Public Key Infrastructure-Based CPPA
The main idea of the public key infrastructure-based CPPA schemes [22][23][24][25][26][27][28][29][30] is to preload a massive pool of private/public keys and their matching certificates to the OBUs of vehicles, generated by the TA during the registration process. This approach supports privacy-preserving, since a massive pool of private/public keys and their matching certificates are preloaded in advance.
Joshi et al. [29] designed an event-triggered authentication scheme that sends messages to investigate problems regarding security in the VANET. Asghar et al. [30] designed a feasible PKI-CPPA scheme to tackle the process of authenticating requests, in which the size of the Certificate Revocation List (CRL) is linear. Thus, this scheme enhances the scalability of vehicles' obtaining services.
Nevertheless, the main limitations of a public key infrastructure based-CPPA schemes are: (i) preloading a massive pool of private/public keys and their matching certificates to the OBUs of the vehicles makes the management of the certificates a serious burden; (ii) the storage of a vehicle in a VANET is limited, since massive keys and their matching certificates are preloaded; (iii) there are additional computational and communication costs, since the certificate is included in the message signature, and the verifier must verify these certificates as well.

Group Signature Based-CPPA
To address the limitations regarding a public key infrastructure based-CPPA scheme, several researchers design a group signature based-CPPA scheme [31][32][33][34]. These schemes enable the members of the group to sign on behalf of the whole group anonymously. In the event of a dispute, the group manager could retrieve the identification of the sender. Thus, the existing group signature-based CPPA schemes preserve the anonymity of secured authenticated messages. Besides, these schemes ensure secure communication with conditional privacy. Therefore, signing the messages with these schemes can hide the signer's identity.
Nevertheless, the main limitations of a group signature based-CPPA schemes are: (i) the whole group must be reconstructed; (ii) it is not easy for nodes' VANETs to update their private keys; (iii) the adversary identifies the group members when the size of the group is small; and (iv) once the number of vehicles revoked is high, the signature's verification technique becomes time-consumed for VANETs.

Identity-Based CPPA
To address the limitations regarding a public key infrastructure-based CPPA and group signature-based CPPA schemes, several researchers propose an identity-based CPPA scheme [35][36][37][38][39][40][41]. The primary insight of identity based-CPPA scheme is to extract the public key from the identity information, while the TA creates a private key with the same information. The sender signs the message using its private key, and the verifier can verify this signature by using the sender's public key.
Bayat et al. [36] designed an identity-based CPPA scheme to save the TA's private key on the TPD of the OBU on the vehicle. However, the revocation requirement is not satisfied in the scheme designed by [36], which is vulnerable to impersonation attacks. Lei Zhang et al. [37] designed a distributed aggregate CPPA scheme by using a realistic TPD rather than an ideal TPD, since this is more practical. Bayat et al. [38] designed an identity-based CPPA to propose an RSU-based authentication scheme that uses bilinear pair operations to secure the communications. Pournaghi et al. [39] designed an identity-based CPPA to provide secure communications between nodes for VANETs. Nevertheless, it is vulnerable to replay attacks. Zhong et al. [40] found that the CPPA process of the scheme proposed by Lei Zhang et al. [37] introduced a massive computational cost, and it did not indicate who is the aggregator in the aggregation process. Bayat et al. [41] introduced an identity based-CPPA scheme without using an online RSU, for the sake of the security of the communication in the VANET.
Nevertheless, the two evident limitations of an identity based-CPPA scheme are: (i) the vehicle's true identity preloaded by the TA is vulnerable to impersonation attacks by launching side-channel attacks, since it is not updated rapidly enough; and (ii) the MapToPoint hash function and a large number of cryptography operations are used, which cause a huge performance overhead by the verifier. To address these issues, a Secure and Efficient Conditional Privacy-Preserving Authentication (SE-CPPA) scheme is proposed for resisting impersonation attacks and achieving better performance efficiency during the broadcasting process. The proposed SE-CPPA scheme regularly updates the vehicle's true identity for the short period of validity assigned by the TA. As well, it does not use the MapToPoint hash function and a large number of cryptography operations.

Preliminaries
This section first presents the network model of the proposed scheme; this is followed by a presentation of the security and privacy requirements for VANETs, and finally, the bilinear pair cryptography (BPC) used in the proposed SE-CPPA scheme is defined.

Network Model
As shown in Figure 1, the main structure of the network model for the proposed SE-CPPA scheme includes three components: TA, RSU, and OBU.
• TA: TA is a fully trusted unit with a great number of resources in terms of computation and communication costs. The TA issues the public parameters of the system for each node in VANETs, and transmits them to each respective node. • RSU: An RSU is a wireless base station deployed on the road as a bridge interface between the TA and the OBUs. Since RSU has a TPD to save a sensitive information, RSU is considered as a trusted entity in this paper. An RSU connects with the TA by wired technology and connects with vehicles by wireless technology. • OBU: Each vehicle has an OBU to allow the vehicle to process, receive, and broadcast messages. Each OBU has a TPD that is usually used to keep secrets.

Security and Privacy Requirements
To maintain the security and privacy of V2V and V2I communications in VANETs, the proposed SE-CPPA scheme should fulfill the following requirements.
• Authentication and integrity: The vehicle or RSU must be able to identify any alteration of the received message, by checking the authentication process and validating integrity, in order to ensure the security of the communications in the VANET. • Identity privacy-preserving: An attacker must not be able to retrieve the true identity of the vehicle by the capturing messages transmitted. Therefore, the vehicle's true identity must be kept anonymous from the other legal and illegal nodes for the sake of ensuring the privacy of the drivers. • Traceability and revocation: The TA must be able to retrieve the true identity of the vehicle from its message in the event of a dispute, so as to avoid misbehaving vehicles from denying their responsibility for a disruption of the system by broadcasting false messages to other registered vehicles. • Unlinkability: An attacker must not be able to cross-match several messages transmitted by the same source for ensuring privacy-preserving. • Resistance to security attack: A secure proposed SE-CPPA scheme should resist the following security attacks.
-Replay attacks. The malicious nodes aim to replay a previously generated legitimate signature to the recipient.

-
Modification attacks. The malicious nodes aim to alter the authentic message and broadcast that to other users. -Impersonation attacks.
After launching a side-channel attack to retrieve the true identity of the vehicle, the malicious nodes aim to impersonate an authenticated node to broadcast a legitimate message to other nodes. Therefore, the vehicle's true identity must be frequently updated within a short period of validity.

-
Man-In-The-Middle attacks. The malicious nodes aim to intercept two sides of the communication and perform data tampering and sniffing.

Bilinear Pair Cryptography (BPC)
Let G 1 and G 2 be a cyclic additive and a cyclic multiplicative group, respectively. Both G 1 and G 2 have the same generator P and prime order p.
BPC is a map e:G 1 * G 1 → G 2 which has the following properties.

Proposed Scheme
In this section, the proposed SE-CPPA scheme is discussed. More precisely, the proposed SE-CPPA scheme consists of seven phases, namely initialization, vehicle registration, mutual authentication, message signing, individual-signature verification, batch-signature verification, and updating the vehicle's true identity. Table 1 presents the notation used, and their description in the following phases.
We noted that an external attacker has the ability to impersonate legitimate vehicles by launching side channel attack to disclose the sensitive information stored on TPD of legitimate vehicle when information is not updated; in the result, the external attacker should be possible to forge a secret.

Initialization
As explained in Section 3.3, the TA executes the initial public parameters of the BPC for the system in the following steps: • Consider G 1 and G 2 be groups of a cyclic additive a cyclic multiplicative, respectively, with the same prime order q and generator P. Consider e:G 1 * G 1 → G 2 as a bilinear pairing. • The TA chooses three functions of secure cryptographic hash h 1 : The TA chooses a random integer s TA ∈ Z * q to be the TA's master private key, and then calculates P TA = s TA P to be its matching master public key. • The TA preloads the system's public parameters {G 1 , G 2 , P, q, P TA , h 1 , h 2 , h 3 } and the TA master private key s TA in each TPD on RSU.

Vehicle Registration
Prior to the vehicle leaving the factory, the vehicle registration phase via a secure channel (offline) should be executed. Due to the core problem study in this paper, the vehicle's true identity should be regularly updated to avoid side channel attack. Hence, the proposed scheme is resisting impersonation attacks. As shown in Figure 2, the TA registers each vehicle as follows: • The driver of the vehicle submits the personal information including the identity ID vi and password Pwd to the TA via a secure communication network. • After the personal information is received, the TA first starts the authenticity of ID vi . • After the TA chooses a short period of validity SVP, the TA computes the vehicle's true identity The TA saves the tuple {ID vi , Pwd, TID SVP i , SVP} to its vehicle registration list, and then preloads the system's public parameters {G 1 , G 2 , P, q, P TA , h 1 , h 2 , h 3 } and TID SVP i into TPD of OBU i on the vehicle.

Mutual Authentication
Before the vehicle signs and verifies exchanged messages, it should be authorized with a nearby RSU. Therefore, when a vehicle enters the communication area of an RSU, it starts to broadcast an entering request message. After the messages are validated, the RSU sends a signature key SK svt to the vehicle with a chosen timestamp svt that will be valid for a short period of time. To execute the mutual authentication process, the following process should be done.

•
The vehicle randomly selects a value ζ i ∈ Z * q and then calculates the following pseudonym ID: The RSU obtains the vehicle's true identity using the following equation, • The RSU then computes the validity of the request to join • The RSU then checks the vehicle's true identity on its certificate revocation list (CRL).
If it is on the list, the request is rejected by the RSU for joining the session. Otherwise, the RSU continues the process. • The RSU computes the signature key SK svt of the vehicle's true identity from the request to join, as follows: Here, svt is the expiry of a certain brief period of validity of the timestamp of the created signature key. • The RSU sends the message of the acceptance of the joining {SK ENC svt , The vehicle retrieves the signature key from the message of acceptance {SK ENC svt , svt, pid 1 i , pid 2 i δ AJ } by calculating SK svt = SK ENC svt ⊕ h 2 (ζ i P TA ), and then verifies the validity of the acceptance by utilizing the following equation.
The process in the proposed SE-CPPA scheme of preloading, as introduced in [42,43], fulfills the requirements of security and privacy of ζ l , the pseudonym IDs, and the signature keys. The TA preloads a new list of ζ l , pseudonym IDs, and signature keys, used for an svt for each vehicle moving in a VANET; close to the expiration time, they are renewed with a new pseudonym ID and pool of signature keys.

Message Signing
After the signature key, SK svt of the vehicle's true identity has been received, the vehicle is taken into consideration as an authorized component in the VANET. The vehicle signs and sends safety traffic-related messages m i to other vehicles and RSUs in the VANET. This is executed in the phases listed below.

•
The vehicle computes the message signature The vehicle then broadcasts the signature tuple {pid 1 i , pid 2 i , m i , svt, ts, δ m i } to the neighboring recipient.

Individual Signature Verification
At a given point of time, the main aim of this method is to verify only one message with the signature δ m i on the message m i by the recipient (OBU or RSU). Once having received the signed message m i , and before accepting it, the recipient checks the authenticity of the node and the validity of the message. This guarantees that no illegitimate recipient is impersonating a legitimate recipient or sending fake messages. The recipient receives an authentic signature δ m i = SK svt · h 3 (m i ||ts) on the message m i from the vehicle with a pseudonym ID pid i and timestamp ts, where i = 1, and checks its authenticity and validity following the steps below.

•
Once the signature tuple {pid 1 i , pid 2 i , m i , ts, δ m i } has been received, the vehicle first verifies the timestamp TS and svt validity. If (ts > ts r − ts ), where ts r is the time of receiving and ts is a predefined delay, then ts is considered as fresh. Otherwise, the message is rejected. • The vehicle uses the public parameters and functions of the system and signature δ m i = SK svt · h 3 (m i ||ts) on the message m i . When the following Equation (6) holds, the vehicle accepts it.

Batch-Signature Verification
The main aim of this method is to authenticate a batch of signature messages δ m i = {δ m 1 , δ m 2 , δ m 3 , . . . ., δ m n } on n traffic-related messages m i = {m 1 , m 2 , m 3 . . . ., m n } from n vehicles with n pseudonym IDs pid i = {pid 1 , pid 2 , pid 3 , . . . ., pid n }. The verifying recipient checks its authenticity and validity, as shown in the following steps.

•
The vehicle verifies the validity of ts and svt. If (ts > ts r − ts ), ts is considered as fresh. Otherwise, the message is rejected.
• The vehicle uses the small exponent technique [44,45] to avoid denying the validity of the message sent in the SE-CPPA proposed. The vehicle generates a random vector To accept them, the vehicle checks whether

Updating the Vehicle's True Identity
In order to resist impersonation attacks, the vehicle's true identity stored in the TPD should be frequently updated through an online process and annual examination. However, if one were to wait for the next annual examination to update the vehicle's stored true identity, the adversary would have a long enough period to retrieve a vehicle's true identity, something that can disrupt the entire VANET by impersonating as an authorized vehicle. During the vehicle, true identity SVP is close to expired; the registered vehicle could not have requested update the lists before the process of TID svp is totally completed to avoid contradictions. As presented in Figure 3, the following steps are used to update the vehicle's true identity saved in the vehicle by using an online process: • The vehicle selects a random value k ∈ Z * q and calculates PsID i,1 = kP and PsID i,2 = TID svp ⊕ h 1 (k · P TA ). Then, the vehicle broadcasts an update message {PsID v,new ,ts 1 , Once the TA receives the update message {PsID v,new , ts 1 , δ OBU i new }, the timestamp ts 1 validity is tested. If ts 1 is freshness, then the TA computes the vehicle's old true identity of the authenticated vehicle TID svp = PsID i,2 ⊕ h 1 (k · P TA ). The TA tests whether

Security Analysis and Comparison
This section presents the formal and informal analysis of the proposed SE-CPPA scheme. In addition, the security-based privacy requirements are listed.

Formal Analysis
The formal analysis presents the security proof regarding the verification equations; this is followed by a description of the steps of the random oracle model.

Proof of Equation (6).
In individual-signature verification, the verifier checks the message using the following Equation (6).
Hence, the individual signature verification correctness is true. (7). In batch-signature verification, the verifier checks a large number of messages by using the following Equation (7). Proof of the correctness:

Proof of Equation
Hence, the batch-signature verification correctness is true.

Random Oracle Model
In order to analyze the security proof in the SE-CPPA scheme, the random oracle model analysis defines a game between an attacker ER and the challenger Ch. Once ER wins the game, it is easily retrieved from a valid faked signature. Furthermore, the proposed SE-CPPA scheme is secure for VANETs when ER is negligible for any attack. i , pid 2 i , m i , svt, ts, δ m i } for the message m i , it would follow that a challenger Ch can be generated to resolve the ECDL problem with non-negligible probability by launching ER as a subroutine.
Setup initialization phase: Challenger Ch first randomly chooses a value s TA ∈ Z * q as the system's private key and computes P TA = s TA P as the system's public key. Then, Ch broadcasts the public parameters and functions of the system to ER.
Oracle − h 2 . Ch starts the h list 2 with (pid 1 i , pid 2 i , τh 2 )form. After, ER receives a mes- Otherwise, Ch randomly chooses τh 2 ∈ Z * q and puts (pid 1 i , pid 2 i , τh 2 ) into h list 2 . Then, ER broadcasts τh 2 = h(pid 1 i ||pid 2 i ||τh 2 ) to Ch. Oracle − h 3 . Ch starts the h list 3 with (m i , ts, svtτh 3 )form. After ER receives a message with (m i , ts, svt)form, Ch tests whether (m i , ts, svt) is in h list 3 ; if so, Ch broadcasts τh 3 = h(m i ||ts||svt||τh 3 ) to ER. Otherwise, Ch chooses τh 3 ∈ Z * q randomly and puts (m i , ts, svt, τh 3 ) into h list 3 . Then, ER broadcasts τh 3 Sign Oracle: Once ER sends a sign request, Ch calculates three random numbers, h i,2 ; h i,3 ; σ m,i ∈ Z * q , and a random point pid 2 i ∈ G. Then, Ch computes P TA = (σ m,i P/h i,2 · h i,3 Output: Finally, ER outputs the message of the signature tuple {pid 1 i , pid 2 i , m i , svt, ts, δ m i }. Ch tests the message using the following Equation (8): Once (8) does not hold, the game is finished by Ch.
According to the Cross Lemma, ER can output another message of signature tuple {pid 1 i , pid 2 i , m i , svt, ts, δ m i } that achieves the following Equation (9): From Equations (8) and (9), it can be obtained However, since the difficulty of the ECDL problem with non-negligible probability, the proposed SE-CPPA scheme for VANETs is unforgeable against an adaptively chosen message attack under the random oracle model.

Informal Analysis
In this subsection, the proposed SE-CPPA scheme is shown below to fulfill the following security and privacy requirements for VANETs.

•
Message integrity and authentication: Consistent with Theorem 2, when the problem of ECDLP is hard to solve, then no attacker can generate a legal message of the signature tuple {pid 1 i , pid 2 i , m i , svt, ts, δ m i } in a specified polynomial time. Thus, the message of the signature tuple fulfills the equation e:(δ m i P) = e:(h 2 (pid 1 i ||pid 2 i ||svt) h 3 (m i ||ts), P TA ), and so the proposed EPBC-CPPA can ensure message integrity and authentication. • Identity privacy-preserving: Assume that an authorized vehicle sends a message of signature tuple {pid 1 i , pid 2 i , m i , svt, ts, δ m i } to neighbouring RSUs or vehicles in a VANET, where In order to obtain the vehicle's true identity, the attacker should calculate TID SVP i = pid 2 i ⊕ h 1 (s TA · pid 1 i ). Nevertheless, ζ i is saved in the TPD, s TA is a random value, and therefore the attacker does not have the ability to obtain TID SVP i , since the hardness of the problem is related to the hardness of the Diffie-Hellman problem. So, the proposed EPBC-CPPA can ensure identity privacy-preserving. • Unlinkability: A random number ζ i ∈ Z * q is used in the proposed scheme to compute The vehicle periodically requests an update of its pseudonym IDs with timestamps svt that are only valid for brief periods. This scheme provides a list of them, to support unlinkability. Thus, no attacker could relate two or more signatures sent by the same vehicle for a long trip. Therefore, the proposed EPBC-CPPA scheme can fulfill the unlinkability requirement. • Traceability and revocation: In the proposed SE-CPPA scheme, the TA has the ability to obtain the vehicle's true identity from the received pseudonym ID that includes two parts-pid 1 i = ζ i P and pid 2 i = TID SVP i ⊕ h 1 (ζ i P TA ). The TA uses its master private key s TA , and calculates After the vehicle's true identity has been traced, the TA should revoke it on the database registration list, saving it in the CRL. Therefore, the proposed EPBC-CPPA scheme can fulfill traceability and revocation requirements. • Resistance to replay attacks: The message of a signature tuple {pid 1 i , pid 2 i , m i , svt, ts, δ m i } in the proposed SE-CPPA scheme includes the current timestamp ts to generate the signature of the message updates the (TID SVP i ) in the TPD during SVP, where TID SVP i = h 1 (ID vi ||SVP) and SVP is a short period of validity. It has been stated that the vehicle's true identity is used repeatedly; thus, if the TID SVP i is not regularly updated, this will offer a wide opportunity for an attacker for impersonating and exploiting the registered vehicle's true identity related to the safety messages. However, TID SVP i is already updated before the vehicle can be impersonated and exploited by a misbehaving vehicle. • Resistance to man-in-the-middle attacks: This SE-CPPA scheme executes mutual authentication between the signer and the recipient. If an attacker launches this attack, the attacker wants to send false messages for sharing with the the signer and the recipient. Nevertheless, based on Theorem 2, the attacker cannot succeed with this attack. Hence, the proposed SE-CPPA scheme for VANETs can resist man-in-the-middle attacks.

Security and Privacy Comparison
This subsection presents a comparison in terms of security and privacy requirements of the proposed SE-CPPA scheme with the existing schemes. Table 2 presents the results of this comparison. As presented in Table 2, all the existing schemes suffer from impersonation attacks by lunching side channel attacks to retrieve the vehicle's true identity that saved on the OBU of the registered vehicle for broadcasting fake messages. In contrast, the proposed SE-CPPA scheme regularly updates the vehicle's true identity at short intervals of time. Therefore, the impersonation attack is resisting by the proposed SE-CPPA scheme.
Furthermore, we know that the schemes proposed by Bayat et al. [36], Lei Zhang et al. [37], Bayat et al. [38], Pournaghi et al. [39] and Bayat et al. [41] for VANETs cannot satisfy all of the security analysis-based privacy requirements, as presented in Table 2. Nevertheless, the SE-CPPA scheme can satisfy all of the security analysis-based privacy requirements.

Performance Evaluation and Comparison
In this section, the performance evaluation of the proposed SE-CPPA scheme is analyzed in terms of computation and communication costs. Besides, the performance of the proposed SE-CPPA scheme is compared with Bayat et al. [36], Lei Zhang et al. [37], Bayat et al. [38], Pournaghi et al. [39], and Bayat et al. [41] through a simulation experiment. As shown in Figure 4, this paper uses OMNeT++ [46], Veins [47], MIRACL [48,49], OpenStreetMap [50], GatcomSUMO [51] and SUMO [52] to carry out simulation experiments for VANETs. OMNeT++ is a modular, component-based C++ simulation library for communication networks. Veins is combined with road traffic generation and network generation. MIRACL is a cryptography library used to execute cryptography operations for algorithms. OpenStreetMap is the most prominent crowd-sourced web-based mapping platform. GatcomSUMO is a graphical application used to simplify the utilization of VANET simulation, specifically the SUMO traffic and the OMNeT++ network generation. SUMO is a highly portable, multi-model traffic simulation. Table 3 presents the simulation experiment parameters.

Computation Cost and Comparison
The bilinear pairing is constructed on the 80 bits security level: e:G 1 * G 1 → G 2 , where G 1 is an additive group created on a super-singular EC E:y 2 = x 3 + xmodp with embedding degree 2. For performance evaluation, the following bilinear pairing operations are considered.  Table 4 tabulates the single cryptographic operation time are taken into account. Table 5 presents a comparison of the computational costs of the proposed SE-CPPA and the other existing schemes. For simplicity, MSP denotes the message-signing phase, ISVP denotes the single-signature verification phase, BSVP denotes the batch-signature verification phase. These steps will be separately explained in the following, Bayat et al. [41] 1T The process of message signing in Bayat et al. [36] scheme consists of five bilinear pair operations 5T bp , a MapToPoint hash function operation 1T M·T·P and two cryptographic hash function operations 2T h , hence, the whole computation cost of the message signing process is 5T bp + 1T M·T·P + 2T h . The process of message signing in Lei Zhang et al. [37] scheme consists of two MapToPoint hash function operations T M·T·P and three cryptographic hash function operations 3T h ; hence, the whole computation cost of the message signing process is 2T M·T·P + 3T h . The process of message signing in Lei Zhang et al. [37] scheme consists of two MapToPoint hash function operations 2T M·T·P and three cryptographic hash function operations 3T h ; hence, the whole computation cost of the message signing process is 2T M·T·P + 3T h . The process of message signing in Bayat et al. [38] scheme consists of only one MapToPoint hash function operation 1T M·T·P ; hence, the whole computation cost of the message signing process is 1T M·T·P . The process of message signing in the Pournaghi et al. [39] scheme consists of three scalar multiplication operations 3T bp·pm , an addition point operation 1T bp·pa , one MapToPoint hash function operation 1T M·T·P and two cryptographic hash function operations 2T h ; hence, the whole computation cost of the message signing process is 3T bp·pm + T bp·pa + 1T M·T·P + 2T h . The process of message signing in Bayat et al. [41] scheme consists of two bilinear pair operations 2T bp , four scalar multiplication operations 4T bp·pm , an addition point operation 1T bp·pa , one MapToPoint hash function operation 1T M·T·P and three cryptographic hash function operations 3T h ; hence, the whole computation cost of the message signing process is 2T bp + 4T bp·pm + 1T bp·pa + 1T M·T·P + 3T h . The process of message signing in the proposed SE-CPPA scheme consists of only one cryptographic hash function operation 1T h , hence, the whole computation cost of the message signing process is 1T h . Figure 5 shows the comparison of message signing process.

ISVP
The process of single-signature verification in Bayat et al. [36] scheme consists of four bilinear pair operations 4T bp , three scalar multiplication operations 3T bp·pm , a Map-ToPoint hash function operation 1T M·T·P and two cryptographic hash function operations 2T h ; hence, the whole computation cost of the single-signature verification process is 4T bp + 3T bp·pm + T M·T·P + 2T h . The process of single-signature verification in Lei Zhang et al. [37] scheme consists of three bilinear pair operations 3T bp , two MapTo-Point hash function operations 1T M·T·P and three cryptographic hash function operations 3T h ; hence, the whole computation cost of the single-signature verification process is 3T bp + 2T M·T·P + 3T h . The process of single-signature verification in Bayat et al. [38] scheme consists of three bilinear pair operations 3T bp , a scalar multiplication operation 1T bp·pm , and a MapToPoint hash function operation 1T M·T·P ; hence, the whole computation cost of the single-signature verification process is 3T bp + 1T bp·pm + 1T M·T·P . The process of single-signature verification in Pournaghi et al. [39] scheme consists of three bilinear pair operations 3T bp , three scalar multiplication operations 3T bp·pm , a MapToPoint hash function operation 1T M·T·P and a cryptographic hash function operation 1T h ; hence, the whole computation cost of the single-signature verification process is 3T bp + 3T bp·pm + 1T M·T·P + 1T h . The process of single-signature verification in the Bayat et al. [41] scheme consists of a bilinear pair operation 1T bp , four scalar multiplication operations 4T bp·pm , an addition point operation 1T bp·pa , a MapToPoint hash function operation 1T M·T·P , and two cryptographic hash function operations 2T h ; hence, the whole computation cost of the single-signature verification process is 1T bp + 4T bp·pm + 1T bp·pa + 1T M·T·P + 2T h . The process of single-signature verification in the proposed SE-CPPA scheme consists of two bilinear pair operations 2T bp , two scalar multiplication operations 2T bp·pm , and two cryptographic hash function operations 2T h ; hence, the whole computation cost of the single-signature verification process is 2T bp + 2T bp·pm + 2T h . Figure 6 shows the comparison of single-signature verification process.

BSVP
The process of batch-signature verification in Bayat et al. [36] scheme consists of n bilinear pair operations nT bp , n scalar multiplication operations nT bp·pm , n MapTo-Point hash function operations nT M·T·P and n cryptographic hash function operations nT h , hence, the whole computation cost of the batch-signature verification process is nT bp + nT bp·pm + nT M·T·P + nT h . The process of batch-signature verification in Lei Zhang et al. [37] scheme consists of 3 bilinear pair operations 3T bp , 2n MapToPoint hash function operations 2nT M·T·P and 3n cryptographic hash function operations 3nT h , hence, the whole computation cost of the batch-signature verification process is 3T bp + (2n)T M·T·P + (3n)T h . The process of batch-signature verification in Lei Zhang et al. [37] scheme consists of 3 bilinear pair operations 3T bp , 2n MapToPoint hash function operations 2nT M·T·P and 3n cryptographic hash function operations 3nT h , hence, the whole computation cost of the batch-signature verification process is 3T bp + (2n)T M·T·P + (3n)T h . The process of batch-signature verification in Bayat et al. [38] scheme consists of 3 bilinear pair operations 3T bp , n scalar multiplication operations nT bp·pm and n MapToPoint hash function operations nT M·T·P , hence, the whole computation cost of the batch-signature verification process is 3T bp + nT bp·pm + nT M·T·P . The process of batch-signature verification in Pournaghi et al. [39] scheme consists of 3 bilinear pair operations 3T bp , 3n scalar multiplication operations 3nT bp·pm , n MapToPoint hash function operations nT M·T·P and n cryptographic hash function operations nT h , hence, the whole computation cost of the batch-signature verification process is 3T bp + (3n)T bp·pm + nT M·T·P + nT h . The process of batch-signature verification in Bayat et al. [41] scheme consists of (4 + n) scalar multiplication operations (4 + n)T bp·pm , n addition point operations nT bp·pa , n MapTo-Point hash function operations nT M·T·P and n cryptographic hash function operations nT h , hence, the whole computation cost of the batch-signature verification process is (4 + n)T bp·pm + nT M·T·P + (n)T bp·pa + nT h . The process of batch-signature verification in the proposed SE-CPPA scheme consists of a bilinear pair operations T bp , n scalar multiplication operations nT bp·pm and 2n cryptographic hash function operations 2nT h , hence, the whole computation cost of the batch-signature verification process is T bp + nT bp·pm + (2n)T h . Figure 7 shows the comparison of batch-signature verification process.

Communication Overhead and Comparison
This section analyses and compares the communication cost of the proposed SE-CPPA and other schemes. The main focus is the communication cost involved in the pseudonym-IDs, signatures, and timestamps for the signature tuple. Table 6 presents the costs of several bilinear pairing operations. Table 6. The costs of several bilinear pairing operations.

Items Size
Cost (Bytes) − P 64 The elements in G 1 128 The output of a hash function 20 The output of timestamp 4 The size of the signature tuple {ID i , M i , σ i , T i } in the scheme of Bayat et al. [36] is 128 × 3 + 4 × 1 = 388 bytes, which contains three elements in G 1 (ID i1 , ID i2 , σ i ∈ G 1 ) and one timestamp (T i ), where ID i = {ID i1 , ID i2 }. The size of the signature tuple {m i , PPID i,t , σ i } in the scheme of Lei Zhang et al. [37] is 128 × 2 = 256 bytes, which contains two elements in G 1 (PPID i,t , σ i ∈ G 1 ). The size of the signature tuple {M i , pid i , σ i } in the scheme of Bayat et al. [38] is 128 × 2 + 20 = 276 bytes, which contains two elements in G 1 (ID i1 , σ i ∈ G 1 ), one outputs regarding the hash function (ID i2 ∈ Z * q ) and one timestamp (T i ), where pid i = PID 1 , PID 2 . The size of the signature tuple {pID i , σ i , M i , ID RSU } in the scheme of Pournaghi et al. [39] is 128 × 3 + 20 = 404 bytes, which contains three elements in G 1 (ID i1 , ID i2 , σ i ∈ G 1 ) and one timestamp (T i ), where ID i = {ID i1 , ID i2 }. The size of of the signature tuple {V, m, r, T i1 , T i2 , T i3 , PID i , ts} in Bayat et al. [41] is 128 × 4 + 20 × 2 + 4 × 2 = 556 bytes, which contains four elements in G 1 (T i1 , T i2 , T i3 , PID i ∈ G 1 ), two outputs regarding the hash function (V, r ∈ Z * q ) and one timestamp (ts). The size of of the signature tuple {pid 1 i , pid 2 i , m i , svt, ts, δ m i } in the proposed SE-CPPA scheme is 128 × 1 + 20 × 2 + 4 × 2 = 216 bytes, which contains one element in G 1 (pid 1 i ∈ G 1 ), two outputs regarding the hash function (pid 2 i , δ m i ∈ Z * q ) and two timestamps (svt, ts).
The communication cost of each scheme is presented in Table 7. Figure 8 compares the communication overheads of the SE-CPPA and the other schemes.

Conclusions
In this paper, a Secure and Efficient Conditional Privacy-Preserving Authentication (SE-CPPA) scheme for VANETs has been proposed. In contrast with the existing schemes, it has the ability to resist impersonation attacks, since it frequently updates the vehicle's true identity stored on a TPD on the vehicle. In a region with dense traffic, the batchsignature verification process in the SE-CPPA scheme efficiently checks a large number of the signature tuple messages sent from different components in the VANET. The security proof showed that the proposed SE-CPPA scheme resists security attacks and fulfills requirements regarding security and privacy. Lastly, due to the fact that the proposed SE-CPPA scheme does not employ time-consuming operations involving the MapToPoint hash function while signing and verifying the messages, it has lower overhead costs in contrast to the existing schemes. Hence, SE-CPPA has a more efficient performance regarding computational and communication costs. In the future work, further performances in terms of end-to-end delay and throughput will be briefly analyzed and introduced by using OMNeT++ and SUMO simulations.