A Secure Pseudonym-Based Conditional Privacy-Preservation Authentication Scheme in Vehicular Ad Hoc Networks

Existing identity-based schemes utilized in Vehicular Ad hoc Networks (VANETs) rely on roadside units to offer conditional privacy-preservation authentication and are vulnerable to insider attacks. Achieving rapid message signing and verification for authentication is challenging due to complex operations, such as bilinear pairs. This paper proposes a secure pseudonym-based conditional privacy-persevering authentication scheme for communication security in VANETs. The Elliptic Curve Cryptography (ECC) and secure hash cryptographic function were used in the proposed scheme for signing and verifying messages. After a vehicle receives a significant amount of pseudo-IDs and the corresponding signature key from the Trusted Authority (TA), it uses them to sign a message during the broadcasting process. Thus, the proposed scheme requires each vehicle to check all the broadcasting messages received. Besides, in the proposed scheme, the TA can revoke misbehaving vehicles from continuously broadcasting signed messages, thus preventing insider attacks. The security analysis proved that the proposed scheme fulfilled the security requirements, including identity privacy-preservation, message integrity and authenticity, unlinkability, and traceability. The proposed scheme also withstood common security attacks such as man-in-the-middle, impersonation, modification, and replay attacks. Besides, our scheme was resistant against an adaptive chosen-message attack under the random oracle model. Furthermore, our scheme did not employ bilinear pairing operations; therefore, the performance analysis and comparison showed a lower resulting overhead than other identity-based schemes. The computation costs of the message signing, individual signature authentication, and batch signature authentication were reduced by 49%, 33.3%, and 90.2%, respectively.


Introduction
In recent years, the Vehicular Ad hoc Network (VANET) has been attracting more and more attention from academia and industry [1,2]. According to a report published in 2015 [3,4], around 1800 fatalities and more than 20,000 injuries were due to road accidents annually in the United Kingdom. Therefore, the VANET, one of the cornerstone technologies of the Intelligent Transport System (ITS), is expected to help reduce traffic accidents [5,6].
VANETs are an emerging type of Mobile Ad hoc Network (MANET), where the vehicle is considered a mobile node [7]. The VANET typically comprises three components; a Trusted Authority (TA), some fixed Roadside Unit (RSU), and many mobile Onboard Units (OBUs). As presented in Figure 1, a vehicle equipped with an OBU communicates with others via Vehicle-to-Vehicle (V2V) or with the RSU via Vehicle-to-Infrastructure (V2I) communications. More specifically, driving safety and efficiency improvement are the main goals of ITS research, making VANETs a promising technology. Nevertheless, the advantages are out-weight by issues with security, privacy-preservation, and performance efficiency. Therefore, these challenges should be carefully considered in VANETs [8][9][10][11][12]. The security issue is crucial in V2V and V2I communications. The open nature of the transmission medium in VANETs is susceptible to security attacks [13][14][15], i.e., attackers can replay, modify, intercept, and impersonate transmitted messages in VANETs. Therefore, every receiver must check the authenticity and integrity of all received messages before accepting them. In addition, privacy preservation is also a fundamental requirement. In VANETs, attackers may discover the vehicle's identity and trace its journey paths by dissecting captured messages. Therefore, anonymous communication is needed to preserve privacy and support drivers' unlinkability requirements. Finally, performance efficiency is vital in V2V and V2I communications, apart from the security and privacy requirements.
Several scholars have proposed to address the security, privacy, and performance efficiency for the VANET system. However, some existing identity schemes have several limitations: (i) using time-consuming operations based on the bilinear pair; (ii) susceptible to an insider attack; (iii) only the vehicle's message is verified by the RSU. As a result, this renders the whole system to be exposed and insecure.
Therefore, this paper aimed to cope with these three limitations arising from the existing identity schemes by generating lists of pseudonym-IDs and the corresponding signature keys by the TA. The main contribution of this paper is a secure pseudonymbased conditional privacy-preservation authentication scheme based on Elliptic Curve Cryptography (ECC).
The proposed scheme's novelty is that: (i) it can sign and verify messages without relying on the online RSU for verification; (ii) the proposed scheme does not use the RSU during the mutual authentication process, thereby the TA issues and preloads the pool of pseudonym-IDs and the corresponding signature keys into the vehicle; (iii) the TA can revoke attackers' certificates to prevent the continuous broadcast of fake signed messages.
The rest of the paper is structured as follows. The review of existing works is in Section 2. Section 3 presents the design of our scheme. Section 5 gives an illustrative example of the proposed scheme, followed by an in-depth discussion of the proposed scheme for VANETs in Section 4. Section 6 presents the security proof and analysis of the proposed scheme. In Section 7, we discuss the performance of the proposed scheme and a comparison with several existing schemes. Finally, Section 8 concludes this paper.

Related Work
In order to mitigate the burden of preloading several key pairs and their corresponding certificates from the common Public Key Infrastructure (PKI), in 1984, Shamir introduced the Identity (ID) approach [16]. This ID eliminated the need for key pairs and their corresponding certificates with the PKI due to not utilizing any certificate for verifying messages, thus decreasing the overhead generated from the messages containing certificates. Consequently, several studies have proposed ID-based schemes for communication security. In the following subsection, we classify the ID-based schemes in three ways.

ID Bilinear Pair Based
Zhang et al. [17,18] utilized the vehicle's identity in which a vehicle is not required to preload a pool of key pairs and the corresponding certificates, eliminating the need for large storage, therefore reducing the overall processing overhead. Additionally, it mitigates the need to manage certificates and a CRL. Jiang et al. [19] suggested a Binary Authentication Tree (BAT) by using an ID-based scheme for V2I communication in VANETs. Huang et al. [20] suggested leveraging an ID-based scheme, called PACP, which relies on utilizing pseudonyms instead of the original identities, providing conditional privacypreservation in VANETs. Chim et al. [21] and Lee and Lai [22] highlighted that the schemes proposed in [17,18] are not able to satisfy the traceability requirement. Besides, these schemes are vulnerable to impersonation and replay attacks. Lee and Lai [22] proposed an enhanced authentication scheme to secure communication and fulfill high-performance efficiency in VANETs. Horng et al. [23] pointed out that the scheme in [21] is vulnerable to security attacks such as impersonation and that an attacker can mimic an authorized vehicle for broadcasting bogus messages in VANETs. Therefore, Horng et al. [23] suggested a scheme named SPECS to enhance the scheme's limitations [21]. Jianhong et al. [24] pointed out many security limitations in the scheme by Lee and Lai [22]. For instance, it cannot satisfy the requirements of non-repudiation and traceability and it cannot withstand attacks, such as replay attacks. In order to address the limitations in the scheme of Lee and Lai [22], Jianhong et al. [24] proposed an enhanced authentication scheme for communication security in VANETs.

ID Vulnerable to Insider Attack Based
He et al. [25] suggested an authentication scheme established on conditional privacy preservation for communication security in VANETs that does not utilize bilinear pairing operations during message signing and verification. For instance, in the scheme of He et al. [25], the system's master key (TA) is preloaded and saved on the TPD of the vehicle and remains there for a long time. However, if an insider attacker compromises one vehicle, the entire VANET system will be vulnerable and insecure. The TA cannot revoke the compromised vehicle's certificate to prevent it from being in the system. Therefore, the scheme by He et al. [25] does not satisfy the revocation requirement. Zhong et al. [26] structured a security and privacy scheme for secure service provision, accounting for messages' security and users' privacy in VANETs. Lo and Tasi [27] proposed an authentication scheme based on conditional privacy preservation for communication security in VANETs by adopting an ID-based scheme using ECC. Wu et al. [28] designed the concept of location to propose an authentication scheme based on conditional privacy preservation without using the operation of the bilinear pairing and TPD in VANETs. Xie et al. [29] proposed an authentication scheme based on conditional privacy preservation, which utilizes ID-based signatures to guarantee messages' reliability and integrity in VANETs.
In ID vulnerable-to-insider-attack-based schemes [25][26][27][28][29], when a vehicle is transmitting false messages, the TA has the ability to trace this vehicle, but does not have the ability to revoke it for broadcasting these messages. Furthermore, an insider attacker has the ability to possibly disclose the vehicle's identity, since the attacker has the key pairs of the TA. Thus, none of these schemes satisfy the revocation and privacy-preservation requirements in VANET.

ID RSU Authentication Based
Cui et al. [30] introduced a secure privacy-preservation authentication scheme based on ECC in VANETs. A cuckoo filter and binary search methods were used in this scheme to enhance the success rate of batch signature authentication. Zhong et al. [31] suggested an authentication scheme based on conditional privacy preservation, which utilizes the list of registration rather than the list of revocation to decrease the overhead of the system in terms of communication cost.
ID-RSU-authentication-based schemes [30,31] rely on RSUs to authenticate the trafficrelated messages and then broadcast authentic and rogue vehicles lists with the notification issues. Therefore, the vehicle will wait for these issues before checking the validity of the signer, which increases the overhead.
In this paper, we propose a secure pseudonym-based conditional privacy-preservation authentication scheme to cope with the above-mentioned issues. It utilizes ECC rather than the bilinear pair operations to reduce the overhead of the system in terms of performance efficiency in ID-bilinear-pair-based schemes [17][18][19][20][21][22][23][24]. In addition, the authentic sender signs the message by utilizing a signature generated by the TA during the registration phase, and this process assists in coping with the flaws in ID vulnerable-to-insider-attackbased schemes [25][26][27][28][29]. Unlike the ID-RSU-authentication-based schemes [30,31], the proposed scheme relies on each vehicle checking the received messages.

Preliminaries
In this section, the network model, as well as the security requirements of the proposed scheme are presented. Besides, the mathematical tool used in this work is described as well.

Network Model
The network model of the proposed scheme consisted of three components, the TA, RSU, and OBU: • TA: The TAs are trusted parties in VANETs with high resources such as computation and communication. The TA issues the system's public parameters, pseudo-ID, and the private keys for each vehicle and transmits them to each respective vehicle; • RSU: The RSU is a wireless base station deployed on the road as a brigade interface between the TA and OBUs. The RSU connects with the TA by wired technology and connects with vehicles by wireless technology; • OBU: Each vehicle is fit with an On-Board Unit (OBU), enabling the vehicle to process, receive, and broadcast messages in the VANET. Each OBU is equipped with a Tamper-Proof Device (TPD) that is usually utilized to keep secrets. Therefore, it is difficult for any adversary to obtain the information stored in the TPD.

Security Requirements
The proposed scheme must fulfill all security and privacy requirements to achieve V2V and V2I communication security in VANETs. The security and privacy requirements are as follows: • Authentication and integrity: The vehicle or RSU must be able to identify any alteration of the received message and must have the ability to authenticate the integrity and validity of the received messages to ensure communication security; • Identity privacy preservation: An attacker must not have the ability to reveal the vehicle's identity by capturing multiple messages transmitted by it. Therefore, the vehicle's identity must remain anonymous to other legal and illegal nodes to ensure users' privacy; • Traceability: The TA must have the ability to reveal the vehicle's identity from its message in case of any misbehavior to prevent misbehaving vehicles from denying their responsibility for disrupting the system by broadcasting false messages to other registered vehicles; • Unlinkability: The misbehaving vehicles and RSUs cannot link two or more messages transmitted by the same source to ensure privacy preservation.

Adversary Model
A better understanding of adversity attacks against VANETs is needed. The following attack types should be resisted in the proposed scheme on VANETs: Man-in-the-middle attacks. Malicious nodes intercept two sides of the communication and perform data tampering and sniffing [33,34].

Elliptic Curve Cryptography
Elliptic Curve Cryptography (ECC) [35] is a tool used in the security algorithms' design and digital signatures to secure communications. Due to the length of the smaller key and the same security level contrast with other encryption tools, ECC is commonly utilized in cryptography.

Definition 1.
Elliptic curve: Consider that the large prime value p is the order of F p and F p is a finite field. The equation of an elliptic curve E is determined as There is an additive group G q identified on E, the order of which is q, and the generator is P. Let O be an infinity point: -Scalar multiplication. Denote P ∈ G q , n ∈ Z * q , then the scalar multiplication is L · P = P + P + P +. . . +P (for all the L times).

Definition 2.
Computational Diffie-Hellman Problem (CDHP): There are two random points P, Q ∈ G, where P = yP, Q = xP, x, y are unknown integers, and it is impossible to calculate xyP. Definition 3. Elliptic Curve Discrete Logarithm (ECDL) problem: Given two random points P, Q ∈ G, and Q = xP, it is impossible to calculate x from Q in the polynomial time t.

The Proposed Scheme
Security and privacy are significant challenges that need to be carefully faced in VANET communication. This paper proposes a conditional privacy persevering based on mutual authentication scheme to fulfill the security and privacy requirements and reduce the system's overhead. The secure pseudonym-based scheme means that the proposed scheme satisfies all security and piracy requirements mentioned (Section 3.2) and resists common security attacks, especially insider attacks. The proposed scheme consists of five phases: initialization, vehicle registration, message signing, individual signature authentication, and batch signature authentication, as shown in Figure 2.
The behavior of the overall system is as follows. The first phase is initialization, where the TA is responsible for generating and preloading the public parameters of the system based on an elliptic curve. The second phase is vehicle registration, where the TA is responsible for generating and preloading the list of pseudonym-IDs and signature keys to each participating registered vehicle in the VANET. The third phase is message signing, where the registered vehicle signs each traffic message by using randomly the pseudonym-ID and the signature key before broadcasting. The fourth phase is individual signature authentication, where the receiving vehicle should verify the validity and authenticity of the message before accepting. The fifth phase is batch signature authentication, where the verified vehicle has the ability to check a large number of messages simultaneously. Furthermore, when receiving a report about a malicious vehicle, the TA is responsible for tracing and revoking it. After all pseudonym-IDs have expired, the TA does not update the new pseudonym-ID list to avoid it being utilized for additional applications and services in the VANET. Table 1 presents the notation utilized and their definitions in the following phases.

Notations
Descriptions The elliptic curve G The additive group based on E P The base generator P∈ G h 1 , h 2 , h 3 The three functions of the one-way hash ID V I , PW The identity and password of the vehicle s, P pub The private and public key of the system The pseudo-identity of the vehicle ⊕ The XOR operator LPID i The list of pseudo-identities ζ l The random secret value The concatenation operation LSK i The list of signature keys

Initialization
The TA executes the initialization parameter of the public system in the following steps: • The TA sets the chosen elliptic curve E determined by the non-singular equation The TA chooses a point P on E p (a, b) as an adaptive group generator G of prime order q; • The TA selects the private key s ∈ Z * q of the system and computes the respective public key P pub = sP of the system; • The TA selects three secure cryptographic hash functions h 1 : The TA publishes the functions and the public parameters of the system to all RSUs via public channels.

Vehicle Registration
The TA registers the vehicle as follows: • The owner of the vehicle submits personal information including the identity ID vi and password PW to the TA through a secure communication channel; • After the personal information is received, the TA first starts the authenticity of ID vi ; • After checking the validity of ID vi , the TA chooses n random secret values ζ l ∈ Z * q , where l = 1 : n, and calculates a family of unlinkable pseudo-IDs LPID i = < pid il , . . . , pid in > as follows: where l = 1,2, . . . n; • For each pseudo-ID pid il ∈ LPID i , l = 1 : n, the TA calculates the respective signature key SK as follows and organizes LSK i =< sk il , . . . , sk in >: • The TA then transmits the n of ζ l , LPID i , and LSK i to the vehicle via a secret technology.
The process of preloading as introduced in [26,36] is to guarantee the requirements of the security and privacy of ζ l , the pseudo-ID, and the signature keys for the proposed scheme. The TA preloads a new list of ζ l , the pseudo-ID, and the signature keys that are utilized for a short time for each vehicle moving in a VANET close to the expiration time; they are renewed with a new pseudo-ID and signature key pool.
Our previous study [37] was based on the RSU executing the authentication process by issuing and preloading a pool of pseudonym-IDs and the corresponding signature keys into each registered vehicle. However, the disadvantages of RSU utilization are: (i) once a single RSU is compromised, as a result, the whole system becomes insecure; (ii) RSUs are expensive in terms of installation and maintenance; (iii) adding a TPD to both the OBU and the RSU makes the system even more costly. Besides, our previous study [37] depended on generating several keys to each domain, which makes the key exchange complete.
Therefore, this paper aimed to address these issues by issuing and preloading a pool of pseudonym-IDs and the corresponding signature keys from the TA. This was because the resource of the TA is high in terms of computation and communication costs. Hence, the proposed scheme does not use RSUs during the mutual authentication process. Besides, only the private key and public key of the TA are used to sign and verify the messages.

Message Signing
The signer (OBU or RSU) signs and broadcasts traffic-related messages m i to other vehicles in the VANET. A vehicle with pseudo-ID pid in receives a message m i and signs it by utilizing its signature keys sk il and the public parameter of the system. This is executed in the phases below: • OBU i randomly chooses a pseudo-ID pid in with the respective ζ l and sk il ; Finally, the message signature tuple {pid in , m i , T, σ i } is sent to the neighboring recipient.

Individual Signature Authentication
The main aim of this method was to verify only one message signature δ m i on trafficrelated message m i by the recipient (OBU or RSU). Before accepting the message m i , once having received a signed message m i , the recipient would check the node authenticity and validity of the message. This guarantees that no illegitimate recipient is impersonating a legitimate recipient or sending fake messages. The recipient receives an authentic signature The proof of the correctness is as follows: Thus, the individual signature authentication correctness is accurate.

Batch Signature Authentication
The main aim of this method is to authenticate a multiple of messages signature δ m i = {δ m 1 , δ m 2 , δ m 3 , . . . , δ m n } on n traffic-related messages m i = {m 1 , m 2 , m 3 . . . , m n } from n vehicles with n pseudo-ID pid in = {pid i1 , pid i2 , pid i3 , . . . , pid in }. The verifying recipient checks its authenticity and validity as shown in the following steps: • The OBU checks the validity of timestamp T. If (T > T r − T ), T is fresh. Otherwise, the message is rejected; • The OBU utilizes the small exponent technique [23,38] to achieve security in the proposed scheme. The OBU issues a random value γ i = {γ 1 , γ 2 , γ 3 , . . . , γ n }, where γ i ∈ [1 : 2 t ] and t is a small value; • The OBU utilizes the following Equation (4) to accept them.

Illustrative Example
In this section, we describe an illustrative example of the five phases of the proposed scheme: initialization, vehicle registration, message signing, individual signature authentication, and batch signature authentication according to our simulation experiment (Section 7.1). The illustrative example of the proposed scheme is as follows.

Example of Initialization Phase
The first phase includes the initialization of the system's public parameters and the generation of the secure key pairs by the TA component in the VANET system. Figure 3 shows the parameters and their assigned values used in the illustrative examples. These parameters were generated based on the NIST P-192 Curve.

Example of the Vehicle Registration Phase
The second phase includes the vehicle registration by the TA before the vehicle leaves the factory. The TA is responsible for issuing and preloading the list of pseudonym-IDs and the corresponding signature keys to each participating vehicle. Figure 4 shows one example of a list of pseudonym-IDs and the corresponding signature keys. As mentioned in Equation (1), pid 2 il = ID vi ⊕ h 1 (ζ l P pub ), where ID vi = 973934020496 881228184811862531869198952520602146 and h 1 (ζ l P pub ) = 132492968833948026265171677068 9894765777252473179. Therefore, the result of pid 2 il is : where pid 2 il is the pseudonym-ID of the vehicle, ID vi is the real identity of the vehicle, ζ l is a random private key of pid 2 il , and P pub is the published key of the system (TA). All these parameters are based on an elliptic curve.

Example of the Message Signing Phase
After the vehicle has saved the list of signature keys and the corresponding signature keys, it is considered as an authenticated node and allowed to broadcast messages. Figure 5 shows the broadcasting message signature tuple in the VANET.

Example of the Individual Signature Authentication Phase
Upon receiving the message signature tuple, the verifier uses a scalar multiplication operation to check the freshness of the timestamp and the validity of the message. The verifier executes the following process : σ i · P = (2270327100600948043112723198985285564808416667064180454920, 1952967422112747467668372522590950986900866071665660895860)

Example of the Batch Signature Authentication Phase
Upon receiving several message signature tuples, the verifier checks all signatures simultaneously as follows :

Security Proof and Analysis
This section evaluates the proposed scheme's security proof, analysis, and comparison as follows.

Security Proof
Several scholars [25,30,31] have proposed the most secure signature algorithms that satisfy the random oracle model based on their scheme. This work was also needed to satisfy the random oracle model based on the renew procedure, pseudo-ID, and signature keys for the proposed scheme. Based on the network model and the ability of the malicious node, we show the security proof in the proposed scheme by identifying a game between attacker A and challenger C. When the game is won by attacker A, a legally forged signature can easily be returned. Consequently, if attacker A has negligible effectiveness, the proposed scheme is secure in the VANET.

Theorem 1.
Under the random oracle model, the proposed scheme can be unforgeable against an adaptively selected message attack.
Proof. Suppose an attacker A can forge a legitimate message signature tuple {pid in , m i , T, σ i } for the VANET; therefore, a challenger C could be issued to return the ECDL problem by working A as a subroutine with non-negligible probability.
Setup initialization phase: Challenger C first sets value s ∈ Z * q chosen randomly as the system's master key and calculates P pub = sP as the system's public key. Hence, C broadcasts the system's functions and public parameters to A. h 1 -oracle. C initializes h list 1 in the form of (α, τh 1 ). Once A receives a message in the form of (α), C tests whether (α) is in h list 1 , and if it exists, C sends (τh 1 = h(α)) to A. Otherwise, C sets the chosen value τh 1 ∈ Z * q randomly and adds (α, τh 1 ) into h list 1 . Then, A broadcasts τh 1 = h(α) to C. h 2 -oracle. C initializes h list 2 in the form of (pid 1 il , pid 2 il , τh 2 ). After A receives the message in the form of (pid 1 il , pid 2 il ), C tests whether (pid 1 il , pid 2 il ) is in h list 2 , and if it exists, C broadcasts (τh 2 = h(pid 1 il ||pid 2 il ||τh 2 ) to A. Otherwise, C sets the chosen value τh 2 ∈ Z * q randomly and adds (pid 1 il , pid 2 il , τh 2 ) into h list 2 . Then, A broadcasts τh 2 = h(pid 1 il ||pid 2 il ||τh 2 ) to C. h 3 -oracle. C initializes h list 3 in the form of (m i , T, τh 3 ). After A receives the message in the form of (m i , T), C tests whether (m i , T) is in h list 3 , and if it exists, C sends (τh 3 = h(m i ||T||τh 3 ) to A. Otherwise, C chooses τh 3 ∈ Z * q randomly and puts (m i , T, Sign oracle: Upon receiving a sign request from A, C calculates three random numbers, h i,2 ; h i,3 ; δ m,i ∈ Z * q and a random point pid 2 il ∈ G. Then, C computes pid 1 il ∈ = (δ m,i P − h i,2 P pub /h i,3 ). C puts (pid 1 il , pid 2 il , τh 2 ) into h list 2 and (m i , T) into h list 3 . Finally, C generates a message signature tuple {pid in , m i , T, σ i } and transmits it to A, where pid in = pid 1 il , pid 2 il . The reply is a legal sign oracle due to the message signature tuple {pid in , m i , T, σ i } achieving the following equation: Output: Lastly, A results in a message signature tuple {pid in , m i , T, σ i }. C tests this message using the following equation: If Equation (5) does not hold, C ends the game. According to the cross lemma, A can output another message signature tuple {pid in , m i , T σ * i } that achieves the following equation: According to Equations (5) and (6), we can obtain: Nevertheless, under the random oracle model, owing to the ECDL problem difficulty with the nonnegligible probability, the proposed scheme is resistant against an adaptively selected message attack.

Security Analysis
This subsection discusses the analyses of the proposed scheme that should achieve the security requirements according to Section 3.2 as follows.
• Authentication and integrity: Consistent with Theorem 1, no malicious node can return the ECDL problem and generate the legitimate signature; it is considered to be forged otherwise. In our scheme, the verifying recipient can test the authenticity and integrity of the message signature tuple {pid in , m i , T, σ i } sent from the vehicle by checking the equation δ m i P = h 2 (pid 1 il ||pid 2 il )P pub + Y i before accepting it. If verified and validated, the recipient accepts traffic-related message m i ; otherwise, the message is rejected. Thus, our scheme can satisfy messages' authentication and integrity requirements; • Identity privacy preservation: After the identity ID vi of a vehicle is received, the TA converts it to pseudo-ID pid in in the proposed scheme. The main purpose of this requirement is to support anonymous communication and preserve the driver's privacy. The pseudo-ID pid in involves two secret values ζ l and s selected randomly by the OBU and TA, respectively. It is impossible for an attacker to disclose identity ID vi from pseudo-ID pid in = pid in =< pid 1 il , pid 2 il > =< ζ l P, ID vi ⊕ h 1 (ζ l P pub ) > of any vehicle without knowing ζ l and s. Therefore, it cannot calculate spid 1 il = sζ l P from P pub = sP and pid 2 il = ζ l P to obtain the identity ID vi of the vehicle because it is a difficult CDHP problem. Thus, the proposed scheme can satisfy the identity privacy-preservation requirement in the VANET; • Traceability: If a malicious node broadcasts a bogus message, i.e., m i to participating vehicles to disrupt the system managing the road, the TA can revoke the malicious node's identity after tracing him/her during traveling. Suppose a vehicle V i issues a false message m i and sends it to a vehicle V j . The TA receives a report on the forged message m i from vehicle V j . The TA verifies the pseudo-ID pid in on message m i for vehicle V i in its database registration list. When the pseudo-ID pid in is match stored, the TA uses its private key s to disclose the identity ID vi of vehicle V i by calculating the following: After tracing the vehicle's identity, the TA revokes its database registration list, saves it in the Certificate Renovation List (CRL). The vehicle cannot send traffic-related messages in the VANET. Therefore, our scheme can satisfy the traceability requirement in the VANET; • Unlinkability: Each message signature tuple {pid in , m i , T, σ i } involves a pseudo-ID pid in =< pid 1 il , pid 2 il >, where pid 1 il = ζ l · P and ζ l ∈ Z * q is a random secret value; therefore, the particular vehicle generates the different pseudo-ID in our scheme. Furthermore, since vehicles utilize different pseudo-IDs to sign every message m i , an attacker cannot link multiple messages transmitted by the same source. Thus, the proposed scheme can satisfy the unlinkability requirement in the VANET; • Security attack resistance: The proposed scheme can resist the common attacks as follows. Figure 6 shows the process of the system resisting replay, modification, and impersonation attacks; Figure 6. The process of the system resisting attacks.
-Replay attacks. In the proposed scheme, timestamp T in the message signature tuple {pid in , m i , T, σ i } allows the recipient to check the authenticity of the message m i . Once the vehicle receives the message m i , it verifies the freshness of the timestamp by verifying whether the inequalities (T > T r − T ) hold. If it is fresh, the message m i is accepted; otherwise, the vehicle does not accept message m i . The proposed scheme can detect the message m i replay in the VANET. Therefore, our scheme can withstand replay attacks in the VANET; -Modification attacks. An attacker cannot modify a message signature tuple {pid in , m i , T, σ i } consistent with Theorem 1 since the vehicle can expose any alteration in the tuple by verifying the equation δ m i P = h 2 (pid 1 il ||pid 2 il )P pub + Y i . Therefore, the alteration probability of the signature for the message m i is minimal. Therefore, the proposed scheme can withstand modification attacks in the VANET; -Impersonation attacks. It is impossible for an attacker to forge a legitimate message signature tuple {pid in , m i , T, σ i } consistent with Theorem 1 because the recipient verifies the authenticity of the tuple {pid in , m i , T, σ i } by checking the equation δ m i P = h 2 (pid 1 il ||pid 2 il )P pub + Y i . The forged signature probability for message m i is trivial. Therefore, the proposed scheme can resist impersonation attacks in the VANET; - Man-In-The-Middle (MITM) attacks. In the proposed scheme, mutual authentication is executed among the nodes in the VANET. If an attacker tries an MITM attack, forged messages must link with the signer and the receiver. Nevertheless, consistent with Theorem 1, it is impossible for an attacker to launch this attack type. Therefore, the proposed scheme can resist MITM attacks in the VANET.

Security Comparison
We compared the performance of our scheme with other ID-based schemes. Table 2 presents the comparison results, where SC-1, SC-2, and SC-3 denote bilinear pair used, vulnerable to insider attacks, and RSU authentication, respectively.
As presented in Table 2, we know that none of them completely address all security issues such as bilinear pair used, vulnerability to an insider attack, and RSU authentication in their scheme. However, the proposed scheme addresses all security issues regarding identity-based schemes in VANETs.

Performance Analysis and Comparison
This section presents the experiment and the comparative performance analysis of the proposed scheme and other schemes in terms of computation and communication costs.

Experimental
The simulation experiment of the proposed scheme includes two parts, namely network generation and road traffic generation. As shown in Figure 7, this paper used OM-NeT++ [39], VEINS [40], MIRACL [41,42], OpenStreetMap [43], GatcomSUMO [44], and SUMO [45] to carry out the simulation experiments for VANETs. OMNeT++ is a modular, component-based C++ simulation library for communication networks. VEINS combines road traffic generation and network generation. MIRACL is a cryptographic library used to execute cryptography operations for algorithms. OpenStreetMap is the most prominent crowd-sourced web-based mapping platform. GatcomSUMO is a graphical application that simplifies VANET simulation, specifically the SUMO traffic and the OMNeT++ network generation. SUMO is a highly portable, multi-model traffic simulation. Table 3 presents the simulation experiment parameters.  For road traffic generation, each vehicle has some functional characteristics such as the minimum and maximum speed, dimension, and direction. These characteristics influence and restrict the mobility model.
In this work, the trip trajectory and mobility model were random, and the number of vehicles was constant. In the simulation experiment of the proposed scheme, the Security Processing Service (SPS) layer was added in each RSU and OBU on network simulators (VEINS/OMNeT++). The main reason behind the SPS layer used was to execute the process of signing and verifying messages that was higher than the MAC and physical layer and lower than the application layer, as shown in Figure 8. In the VANET communications, the data flow for sending and receiving messages during three layers, namely, the App, SPS, and NIC layers, is shown in Figure 9.   For easy measurement, let MSG, ISA, and BSA be the message signing generation, individual signature authentication, and batch signature authentication, respectively.

Computation Cost Analysis and Comparison
In He et al.'s scheme [25], three secure hash cryptography functions and three ECCbased scalar multiplication operations are needed during the MSG, resulting in a total cost of 3T e−m + 3T h ≈ 2.0184 ms. This scheme involved two point-addition operations, two secure hash cryptography functions, and three scalar multiplication operations for ISA, resulting in a total cost of 3T e−m + 2T e−a + 2T h ≈ 2.0236 ms. During the BSA, (2n) functions regarding secure hash cryptography, (2n − 1) operations regarding point addition, (2n) operations regarding small scalar multiplication, and (n + 2) operations regarding scalar multiplication are needed in this scheme; thus, the whole cost is (n + 2)T e−m + (2n)T e−sm + (2n − 1)T e−a + (2n)T h ≈ 0.6718n + 1.3405 ms. MSG includes a scalar multiplication and two secure hash cryptography functions in the proposed scheme, resulting in the whole cost being 1T e−m + 2T h ≈ 0.6738 ms. Meanwhile, ISA includes two scalar multiplication, one secure hash cryptography, and one point addition operation in the proposed scheme, resulting in the whole cost being 2T e−m + 1T h + 2T e−a ≈ 1.3477 ms.
Finally, BSA includes two operations regarding scalar multiplication, (2n) operations regarding small scalar multiplication, (n + 1) operations regarding point addition, and (n) functions regarding secure hash cryptography in the proposed scheme; thus, the whole cost is 2T e−m + (2n)T e−sm + (n + 1)T e−a + (n)T h ≈ 0.0737n + 1.3467 ms. We also measured the computation cost of other schemes' MSG, ISA, and BSA using the same procedure, as tabulated in Table 4. Table 4. The computation cost of the five authentication schemes.

MSG ISA BSA
Jianhong et al. [24]  To satisfy the privacy requirements in terms of identity preserving and unlinkability, the scheme uses the elliptic curve operations. For example, the proposed scheme randomly selects unused pseudonym-IDs for signing a message from a pseudonym-ID list to avoid the adversary linking two or more messages sent from the same source, while the proposed scheme computes a new pseudonym-ID to sign each message. Thereby the computing cost will increase. ≈ 198.46 that signed messages, individual signature authentication, and batch signature authentication in 1 s, respectively. A similar method was used for the schemes for comparative purposes, and the result is shown in Figure 10. As presented in Table 4, the computation cost of the proposed scheme decreased by ( [25]. Table 5 presents the performance of the proposed scheme against the existing schemes for MSG, ISA, and BSA. The computational result shows that the elliptic curve used in the proposed scheme could handle the very fast pseudonym-changing process in signing and verifying messages in VANETs. Hence, the total time was based on the execution time of each operation. The Elapsed Time (ET) between the exit and entrance to the SPS layer is the overhead cost.
where M is the number of messages and T i out and T i in are the exit and entrance times of message i, respectively. Figures 11 and 12 depict the average time to sign and verify the message between the proposed scheme and that of Cui et al. [30].

Communication Cost Analysis and Comparison
This subsection evaluates and compares the communication costs between the proposed scheme and the existing schemes. Based on the experiment by He et al. [25], let the sizes of the elements in G 1 and G be 128 bytes and 40 bytes, respectively. Besides, let the elements in Z * q , the size of the timestamp, and the output of a hash function be 20 bytes, 4 bytes, and 20 bytes, respectively.
In the scheme of He et al. [25], the format of the message signature tuple <pid in , m i , T i , R i , σ i >, due to the pid 1 il , pid 2 il and σ i ∈ Z * q , R i ∈ G and one timestamp; thus, the full size is 40 × 3 + 20 + 4 = 144 bytes. In the proposed scheme, the vehicle sends the message signature tuple {pid in , m i , T, σ i } with size 40 +20 × 3 + 8 = 104 bytes. The metrics for the other schemes were also measured using the same procedure. Table 6 lists the communication cost comparison of our scheme with the other schemes.

Conclusions
This paper proposed a secure pseudonym-based conditional privacy-preservation authentication scheme to secure V2V and V2I communications in VANETs. The proposed scheme eliminates the dependency on RSU-only authentication by using many pseudo-IDs with corresponding signature keys from the TA, therefore allowing each vehicle to authenticate the received messages directly. The proposed scheme is resistant to insider attacks as the TA can revoke rogue vehicles' certificates, preventing them from continuously broadcasting fake messages. The security analysis proved that the proposed scheme under the random oracle model is secure, and it also satisfies the security and privacy requirements. Since the proposed approach uses ECC, its computation cost overhead is lower than other related bilinear pair-based approaches. Future work could include the analysis and performance measurement of the proposed approach in terms of latency, average delay, and throughput using network simulators, such as OMNeT++, and road traffic simulators, such as SUMO. Besides, the future work will also include the design of an authentication scheme based on fog computing that does not use ECC in 5G-enabled vehicular networks.