A Hierarchical Blockchain-Assisted Conditional Privacy-Preserving Authentication Scheme for Vehicular Ad Hoc Networks

Through information sharing, vehicles can know the surrounding road condition information timely in Vehicular Adhoc Networks. To ensure the validity of these messages and the security of vehicles, the message authentication, privacy-preserving, and delay problems are three important issues. Although many conditional privacy-preserving authentication schemes have been proposed to ensure secure communication, there still exist some imperfections such as frequent interactions or unlinkability. From this, our paper proposes a novel hierarchical blockchain-assisted authentication scheme to solve these existing issues comprehensively. First, unlinkability is achieved by a dynamic key derivation algorithm. Second, the proposed scheme can reduce correlation processing delay, queuing delay, and deployment costs by adopting hierarchical Vehicle Fog Computing. Third, cross-region authentication is achieved by taking advantage of the properties of blockchain. In addition, we demonstrate our scheme can fulfill the security criteria of the Vehicular Adhoc Network by security analysis. Furthermore, the simulations are carried out to show its availability by using JAVA and NS-3. The findings reveal that the suggested method outperforms earlier schemes in terms of computation cost and communication cost. All in all, making the authentication scheme more efficient and concise is the focus of our future research.


Introduction
Vehicular Adhoc Networks(VANETs) were proposed to ease traffic pressure and reduce traffic accidents [1,2]. VANETs take vehicles as the basic information units and realize the network connection between vehicles and X (e.g., vehicles, infrastructures) through the help of the new generation of information and communication technology. Figure 1 is a typical VANET. There are two basic modalities of communications, namely: Vehicle-to-Vehicle (V2V) and Vehicle-to-Infrastructures (V2I). By sharing information about the surrounding road conditions, other vehicles can replan their routes in time to avoid traffic jams and traffic accidents after receiving these messages. In addition, the Traffic Control Center (TCC) can make flexible adjustments to traffic timely to ease the traffic pressure. VANETs are seen as a potential technology in current intelligent transportation systems because of these benefits.
Since communications are exchanged wirelessly via open channels, it is simple for an attacker to intercept messages from communication channels and launch a series of harmful assaults (e.g., impersonate a legitimate vehicle to send a false message or tamper with messages) [3][4][5][6]. Once the recipient makes a wrong decision based on these malicious messages, it may lead to traffic jams or even car accidents. In addition, the identity information of vehicles, itinerary, and other factors may be used by the adversary to carry • First, to reduce the deployment costs and the associated processing time, the proposed scheme adopted distributed VFC, which uses multiple regional managers instead of a single TA. • Second, to achieve unlinkability, the proposed scheme employs a dynamic key derivation algorithm to generate dynamic public-private key pairs for each communication of vehicles. • Third, through Java and NS-3 simulation experiments, we show that our scheme is suitable for VANETs in terms of communication and computing overhead.

Organization
The following is a rough outline of the paper's structure. Section 2 examines relevant CPPA schemes for VANETs. Section 3 presents the relevant preliminary knowledge for our scheme. Our system model and security and privacy requirements for VANETs and the details of our scheme are shown in Section 4. Security analysis is carried out in Section 5. In Section 6, we examine the corresponding computing and communication overhead and compare it to existing schemes. In the end, we provided a brief summary of this study in Section 7.

Related Work
To achieve effective communication in VANETs, many authentication schemes have been proposed. Picconi et al. [16] relied on PKI-based authentication, proposed a solution for validating aggregated data in V2V traffic information systems. Zhang et al. [17] adopted the k-anonymity to protect user identity privacy, while they are useful to some extent in addressing privacy issues VANET, the difficulties of certificate management make them impractical. To improve the efficiency of ID-based CPPA scheme, He et al. [8] proposed a novel CPPA scheme by utilizing the elliptic curve cryptography(ECC). Zhong et al. [18] employs pseudonym-based signatures for identity authentication for VANET. Furthermore, both of them also support batch validation, allowing the verifier to validate multiple messages simultaneously, which greatly improves the validation efficiency. However, then, these programs require a pre-established trust relationship between the regional management center and vehicles, which will not exist once a vehicle moves to another region. Wang et al. [19] adopted group-based message authentication algorithm to address the security issues in V2V communication. When a vehicle enters the coverage area of a new RSU, it must be re-authenticated to the new RSU, which undoubtedly increases the delay. Ali et al. [20] design an efficient conditional privacy-preserving hybrid signcryption scheme for heterogeneous vehicle communication based on bilinear pairing. The users' privacy is protected to a certain extent, but the unlinkability cannot be guaranteed.
With the popularity of blockchain technology, many scholars employ blockchain to realize cross-region authentication. Yao et al. [14] proposed a BLA for distributed VFS to achieve a flexible cross-region authentication. The public key and identity information of vehicles are placed on a consortium blockchain so that different regional managers can verify the messages sent by legal vehicles and then provide VFS for them. Kaur et al. [15] present an effective cross-region authentication and key-exchange scheme based on Yao [14], which realize mutual authentication between vehicles and service managers. However, unlinkability cannot be satisfied. Wang et al. [21] present trustworthiness evaluation to achieve a time-efficient V2I-handover authentication. It seems only considered V2I communication scenarios. Lu et al. [22] adopted the Merkle Patricia tree (MPT) to extend the conventional blockchain and record the activities of the semiTAs in blockchain to achieve the certificate and revocation transparency. However, it requires vehicles to interact frequently with the certificate center to generate anonymous certificates, resulting in low efficiency. Inspired by the HD Wallet, Lin et al. [11] proposed a novel BCPPA by using key derivation algorithms and smart contracts. The public key certificate of each communication of vehicles is pre-placed in the blockchain for vehicles to retrieve, saving the overhead of storing a large number of certificates in OBUs. However, it seems to be burdensome for Certificate Authorities (CA) to generate a public key certificate for every communication of all vehicles. For clarification, a brief summary is given in Table 1.

Preliminaries
The relevant preliminary knowledge was briefly present-ed in this part.

Broadcast Encryption
Broadcast encryption may be thought of as a type of key encapsulation scheme. In our proposed scheme, we adopt a broadcast encryption case from [23] to complete the identification of vehicles by legitimate SMs. The whole process can be divided into the following three parts.

1.
Setup: In our proposal, the maximum number of SMs is set to be n. Let L stand for a set where L ⊆ {1, . . . , n}. This step is mainly TA distributes a key d j for each SM j , for j ∈ L. Then TA publish a public parameter PK.

2.
Enc(PK, L): A vehicle want to jion the internet of vehicles, it uses PK to calculate the encryption key K and the header Hdr. The vehicle then encrypts a message M using K as a symmetric encryption key. Let E k (M) be the encryption of M. Finally, it broadcast <E K (M), Hdr>.

3.
Dec(PK, L, k, d k , Hdr): Let SM k be an example to decrypt E K (M). If k ∈ L, by inputting PK, the set L, the key d k and Hdr, SM k can easily compute a message encryption key K k . It's remarkable that K k = K, this indicates that SM k can decrypt E K (M) and retrieve M by using K k .
For convenience, we let g i = g (α i ) ∈ G 1 while g and α are given. An algorithm A has advantage to tackle ζ-BDHE in G 1 if Pr[A(h, g, g 1 , . . . , g ζ , g ζ+2 , . . . , g 2ζ ) = e(g ζ+1 , h)] ≥ . Note that g and h are random picks in G 1 , α is random pick in Z q , and A picks the bits randomly.

Key Derivation
We anticipate that a vehicle will be able to employ distinct public and private key pairs to achieve unlinkability and not need to exchange keys or preload abundant key pairs. Therefore, we adopt a key derivation algorithm which proposed by [11]. This algorithm is separated into two parts: public key generation algorithm and private key generation algorithm. We have developed a flow chart in Figure 2 and included a quick explanation below to make it simpler to understand.

•
Private key generation algorithm: The goal of this algorithm is for vehicles to generate a private key for subsequent communication. A vehicle randomly selects a seed to create the root private key (sk root ) and root chain code (chain root ). Then calculates the appropriate root public key (pk root = sk root · P) and sends <pk root , chain root > to public key generator (i.e., SM). Based on sk root , chain root and serial number of the current communication (i), the vehicle can derive a different private key. • Public key generation algorithm: The purpose of this algorithm is for SMs to generate corresponding public keys for subsequent communication of vehicles. According to Figure 2, for the same serial number i, pk i = sk i · P. It ensures that the public key retrieved by the verifier corresponds to the private key of the vehicle.

Scheme Description
In this section, we first introduced the system model and related security requirements, and then described our solution in detail. On the whole, The proposed scheme can mainly be divided into five phases, namely Initialization Phase, Registration Phase, Identity Authentication Phase, Consensus Phase and Message Authentication Phase. Note that we assume that there are n SMs in the system. Table 2 shows the definitions of the notations used in this article.

Notations Definition
an additive cyclic group of prime order q P a generator of G n the number of SMs G 1 , G T two multiplicative cyclic groups of prime order q g a generator of G 1 e a bilinear map where

System Model
Figure 3 depicts our system model. In conclusion, we separated the entire system into a number of regions, and each region is managed by a single SM. The functions of each entity in our system are described as follows.

1.
Trusted Authority (TA): TA is a completely trusted department that generally has strong computing and communication capabilities. In our system, TA is required to complete registration SMs and vehicles. If necessary, TA can find out the real identity of a malicious vehicle through a relevant message.

2.
Service Manager (SM): an SM is mainly responsible for the identification of new vehicles joining VANETs in its region. Furthermore, SM is also responsible for the calculation of public keys and pseudonyms for subsequent communication of its certified vehicles.

3.
Road Side Unit (RSU): RSU is a semi-trusted roadside infrastructure that can communicate wirelessly with vehicles according to the Dedicated Short Range Communication (DSRC) protocol [24]. Furthermore, RSUs are also responsible for forwarding messages between vehicles and SMs and providing VFS to vehicles.

4.
Vehicle: as moving nodes, vehicles are outfitted with On-Board Units (OBUs), which are wireless communication devices. OBU is a tamper-proof device that also has certain computation and communication capabilities. By using OBUs, vehicles may exchange their current road traffic circumstances and driving status with the adjacent vehicles and RSUs in real-time via DSRC protocol. What'more, OBU's information will never be revealed.

1.
Identity authentication: SM can effectively verify the legitimacy of new vehicles joining VANETs.

2.
Message authentication: for any received message, the verifier can verify that the message is valid.

3.
Identity privacy preservation: except for TA, no one can deduce the true identity of vehicles from the intercepted messages.

4.
Unlinkability: it will be impossible for a adversary to link two messages transmitted by the same vehicle.

5.
Traceability: if required, TA can determine the message sender's true identity. This guarantees that messages are held accountable. 6.
Resist various attacks: our scheme also assures that oth-er assaults in VANETs, such as the replay attack, the impersonation attack and the modification attack, can be easily identified.

Initialization Phase
This phase is mainly performed by TA to creates a series of system parameters. The following are the specifics.

•
Picks two random large prime integers p, q and choose an additive group G generated by a point P with order q on a non-singular elliptic curve E : Picks two large prime numbers p, q at random and chooses two multiplicative groups G 1 ,G T generated by a point g with order q. • Selects a number sk TA ∈ Z * q at random as its private key, then computes pk TA = sk TA · P as its public key.
• Choose a secure hash function H, where H : G → Z q .
• Finally, the TA sends the public parameters {G, G 1 ,G T , q, P, g, pk TA , PK, H} to all SMs and vehicles.

Registration Phase
This phase is mainly divided into SMs and vehicles registration. Figure 4 briefly depicts this process. It's worth noting that this process only needs to be done once. An SM's registration details are as follows.

•
Assume that jth SM's real identity is ID SM j . It choos-es a random integer sk SM j as its private key and calculates pk SM j = sk SM j · P as public key. Then sends <ID SM j , pk SM j > to TA through a secure channel.
• TA first checks the availability of ID SM j in its databa-se after getting this registration request. If a match is found, TA will rejects this registration request. Otherwise, TA computes d j = v α j for SM j to decrypt broadcast messages. Then TA stores ID SM j and pk SM j into its database and returns d j to SM j through a secure channel.
• SM j stores d j into its database.
The specific operations of a vehicle's registration are as follows.
• Assume that ith vehicle's real identity is ID V i , V i first randomly chooses a private seed to generate the private information (sk root and chain root ). Then V i computes pk root = sk root · P . Finally, V i sends <ID V i ,pk root , chain root > to TA via a secure channel. • When the TA receives this registration request, it first checks whether ID V i is vaild. If not, the TA will rejects this request. Otherwise, the TA issue a password PWD and a certificate S for pk root and chain root , where S = Sign sk TA (pk root ||chain root ). Finally, the TA stores <ID V i , pk root , chain root > into its repository and returns <S, PWD> to V i via a secure channel. • V i save <S, chain root , sk root > into its repository.

Identity Authentication Phase
The main purpose of this phase is to authenticate the identity of vehices through the corresponding SMs. After verification, SMs will generates corresponding pseudonym and public key pairs for future communications of vehicles. The detailed process is shown in Figure 5. When a registered vehicle V a first access VFS, it will executes the following operations to complete the authentication. • Picks a random integer r ∈ Z * q and then computes symmetric encryption (e.g., AES) key K = e(g n , g 1 ) r . Then V a sets the header Hdr = (C 0 , C 1 ) ∈ G 2 1 , where C 0 = g r and Calculate the signature ϑ = Sign sk root (ID V a ||tst||pk root ||chain root ). where tst is current timestamp and ID V a is real identity of V a . • Compute the ciphertext CT = E K (ϑ||ID V a ||tst||S||pk root ||chain root ). Then V a sends <CT, Hdr, tst> to the nearest RSU, let us assume it is RSU m and its region manager is SM k . • RSU m will transmits <CT, Hdr, tst> to SM k .
SM k will executes the following operations after receiving <CT, Hdr, tst> transmitted by RSU m .
• Check whether tst is fresh. SM k will reject this message if tst is not fresh.
ID V a , pk root and chain root . • Verify ϑ by using pk root and verify S by using TA's public key. SM k will reject this message As long as there is a validation failure. Then SM k calculates corresponding pseudonyms and public keys pairs (PID V a , pk V a ) for V a future communications by excuting public key generation algorithm described in IV-D. Here (PID V a , pk V a )={(PID V a 1 , pk V a 1 ), (PID V a 2 , pk V a 2 ), . . . , (PID V az , pk V az )}, where z is the number of elements in each set. For any u ∈ {1, . . . , z}, PID V au = (PID V a u,1 , PID V a u,2 ) where PID V a u,1 = chain V au · P and PID V a u,2 = ID V a ⊕ H(chain V au · pk TA ).
• Send (PID V a , pk V a ) to blockchain.

Consensus Phase
We assume that there are n SMs in our system, and all of them are trusted. Under the circumstances, SMs acts as commit nodes according to the serial number. As we discussed earlier, SMs will send these related messages to the blockchain each time it completes the derivation of the pseudonyms and public key pairs of the vehicle it certifies. Assume that the time to produce a block is τ. During this time, SMs briefly store these pseudonyms and public key pairs it receives in their own memory. After τ time, the current commit node will publish the relevant information it has stored in memory as a new full block. Any SM, upon receiving a block, deletes the information in its own memory that is duplicated with the block and then performs the next consensus.

Message Authentication Phase
At this phase, as long as V a communication number does not exceed Z, re-authentication is not required regardless of whether V a has left SM k 's jurisdiction. Figure 6 gives a brief description of this process, and the details are described below.

•
Assume the current serial number of V a is b, V a first initiates a request to the OBU by entering PWD and ID V a . OBU will reject the request if it does not match its own stored information, otherwise it goes to the next step.
• OBU calculates the current private key private key sk V a,b and chain V a b based on private key generation algorithm. Then, calculates the current pseudonym • Upon receiving the above information, ) and then broadcasts the message {δ, M, tst, PID V a b }. • When a receiver wants to verify the message, it first checks whether the timestamp is valid. If valid, search for the corresponding public key pk V a b on blockchain according to the pseudonym. The receiver will rejects the message if the query fails. Finally, the receiver validates the signature by using pk V a b . If the authentication succeeds, the message is trusted.

Security Analysis
We examine the security of our proposed VANET system in light of the design goals set out in Section 3. The details are given as follows.

Correctness
For the proof of the correctness of our proposed scheme, we need to verify K k = k to ensure SM k can decrypt the message send by V a .The details are as follows.

Security Model
We define chosen ciphertext security (CCS) of a broadcast encryption system against a static adversary. Security is defined by following game between an algorithm A and a challenger. In addition, n (i.e., the total number of users.) is the input for algorithm A and the challenger C.
Init. A generates a set L * ⊆ {1, . . . , n} of users that it wishes to assault. Setup. C executes Setup(n) to gain PK and d 1 , . . . , d n . Then, sends PK and all d f to A, where f / ∈ L * .

Query phase 1.
A sends out adaptive decryption queries q 1 , . . . , q m . Here, (u, L, Hdr) is included in all decryption queries where L ⊆ L * and u ∈ L. Then, C returns Dec(PK, L, u, d u , Hdr) as response.
Challenge. C executes Enc(PK, L) to generate (Hdr , K) where Hdr is another header, K is a finite key set and K ∈ K. Then, selects a bit ψ ∈ {0, 1} randomly. Next, sets K ψ = K and selects a random K 1−ψ ∈ K. Finally, returns (Hdr , K 0 , K 1 ) to A.
Query phase 2. Adaptively, A send out more decryption queries q m+1 , . . . , q q D where q i = (u, L, Hdr) for L ⊆ L * and u ∈ S . Notice that Hdr = Hdr . Then, the C returns same response as phase 1.
Here, let AdvBr A,n represent the probability of A wins the game.

Definition 1.
The broadcast encryption is (t, , n, q D ) chosen ciphertext attack(CCA) secure if for all t-time algorithm A make q D times decryption queries, we have that |AdvBr A,n − 1 2 | < .
Similarly, we define semantic security of the broadcast encryption by preventing the attacker from issuing decryption queries. Definition 2. The broadcast encryption system is (t, , n) semantically secure assuming it is (t, , n, 0) CCA secure. Definition 3. The D-(t, , ζ)-BDHE assumption is hold in G 1 assuming no t-time algorithm has at least advantage to tackle the D-(t, , ζ)-BDHE problem in G 1 .

Formal Analysis
Theorem 1. For any postive integers I, n (n > I), our I-broadcast encryption system is (t, , n) semantically secure if the D-(t, , I)-BDHE assumption is hold in G 1 .
Proof of Theorem 1. Assuming A is a t-time adversary, for a given I, AdvBr A,n > is hold. Build a new algorithm B that has advantage to tackle the D-I-BDHE problem in G 1 . B picks a random D-I-BDHE challenge (g, h, y g,α,I , Z) as input, where y g,α,I =(g 1 ,. . . , g I , g I+2 ,. . . , g 2I ) and Z is either e(g I+1 , h) or a random member of G T . The following is how B continues.
Init. B executes A and get L of users that A wants to assault. Setup. B is responsible for generating PK and all d i for i / ∈ L. Let j = n I . Note that the choice of v 1 , . . . , v j is the key of the proof.
B picks random u i ∈ Z q for 1 ≤ i ≤ j. Here, we define two subsetsL i and L i aŝ Then, B returns the public key PK to A, where PK = (g, g 1 , . . . , g I , . . . , as required. Furthermore, we know that b / ∈ L a because of i / ∈ L, so d i does not include the term g I+1 . Challenge. B sets Hdr as (h, h (u 1 ) , . . . , h (u j ) ). Then, cho-oses a random bit ψ ∈ {0, 1} and makes K ψ = Z and randomly selects a K 1−ψ ∈ G T . Finally, returns (Hdr, K 0 , K 1 ) as the challenge to A. We claim (Hdr,K 0 ,K 1 ) is a reasonable challenge to A while Z = e(g I+1,h ) (i.e., the input to B is a B-BDHE tuple from P BDHE sampling). Moreover, for some (unknown) t ∈ Z q , we write h = g t . Then, for all i = 1, . . . , j, we have Here, for key e(g I+1 , g) t , (h, h u 1 , . . . , h u j ) is a vaild encryption. Furthermore, since e(g I+1 , g) t = e(g I+1 ,h) = Z = K ψ ), (Hdr,K 0 ,K 1 ) is a reasonable challenge to A. In addition, K 0 , K 1 are both picked randomly from G T while Z is chosen randomly from G 1 (i.e., the input to B is a B-BDHE tuple from P BDHE sampling).

Nonformal Analysis
• In Message Authentication phase, this real identity will be hidden under a pseudonym, which means no one(besides TA, who has its private key sk TA ) could deduce a vehicle's true identification from the delivered communications. Therefore, our scheme can satisfiy the identity privacy preservation. • Unlinkability: The vehicle produces a new private key and pseudonym each time it transmits a message M, then signs M. Because the pseudonym is linked to the chain code of vehicles, to link two message delivered by the same vehicle, adversary should own the chain code chain root and pk root of this vehicle. However, this two information only known by TA and the regional managers. Hence, our proposal can meet the security property requirement of Unlinkability. • Traceability: Note that only TA owns its private key sk TA . Since sk TA · ID V a b,1 = sk TA · chain V a b · P = chain V a b · pk TA , when necessary(e.g., a vehicle sends a error messages that causes a traffic accident) , TA can retrieve the vehicle's genuine identifying information. through ID V a = PID V a b,2 ⊕ H(sk TA · PID V a b,1 ).
• Resist various attacks: Other assaults that our plan can withstand are outlined below.
-Replay attack: Either in the identity authentication phase or in the message authentication phase, the timestamp tst is included in the messages sent by the vehicle. The repeat of the message could be discovered by SMs and other verifiers by checking the freshness of tst. Therefore, our proposal can resist replay attack effectively. -impersonation attack: An attacker must create a valid signature for a message in order to spoof a legitimate vehicle. Based on the above discussion, this is impossible for an attacker and the verifier can easily detect such a malicious attack by validating this signature. -modification attack: To alter a message M to M , an attacker need to generate a valid signature for message M . It impossible for the attacker without sender's private key, and this modified message will be discard by verifiers. As a result, our approach is resistant to modification. -Stolen Verifier Table Attack: The proposed sc-heme does not require the verifier to maintain a verification table to complete the authentication. It means that the attacker will not be able to steal any verifier tables for nefarious purposes.

Security Comparisons
We evaluate the security of our proposed approach to three proposed ID-based CPPA schemes [11,14,20] that have been presented.
None of the three previous schemes, according to Table 3, can fulfill all of these security requirements. For Yao [14] and Ali [20], since pseudonym of a vehicle is a constant, they cannot able to realize Unlinkability. In addition, although Lin [11] is able to provide Traceability, TA need to store the relevant public key information for every communication of all vehicles, which is a huge burden for TA. In VANETs, on the other hand, our suggested approach can meet all of these security criteria. On the other hand, TA does not need to maintain any information in order to trace out a vehicle's genuine identity, which greatly reduces the workload of TA.

11] Ali [20] Ours
Identity authentication Message authentication Identity privacy preservation Unlinkability × × Traceability Resist various attacks :The requirement is satisfy. ×:The requirement is not satisfy.

Performance Analysis
In this section, we looked at the performance of the suggested strategy. Firstly, we analyzed the overhead incurred by the proposed scheme, including computing overhead and communication overhead. Then, compared the performance of the proposed scheme with [11,14,20]. Finally, we simulated the scheme based on NS-3 and proved that our scheme is suitable for VANET environment.

Computing Overhead
Due to the pre-set of Initialization Phase and Registration Phase and consensus phase is a completely independent process, we only evaluates the overheads of Identity Authentication and Message Authentication phases. The following are various notations for execution time. T pm : the time required for a point multiplication operation (i.e., g 1 · g −1 2 ), where g 1 and g 2 ∈ G T and the inverse of g 2 is g −1 2 . • T ex : the time required for a an exponentiation operation g θ 1 where g 1 ∈ G 1 and θ ∈ Z q . • T h : the time required for a general hash function operation. in G.
To compare the computing overhead with [11,14,20] we measured the execution time of the relevant operations through the Java environment with an Intel (R) Core (TM) i7-8750H CPU 2.20 GHZ and 8 GB RAM. The pairing-based library was used in our simulation and Type A pairings were constructed on the curve y 2 = x 3 + x over the field F q for some primes q = 3mod4. We performed 1000 times on each operation and ignore the much cheaper operations such as point addition. The average times obtained are shown in Table 4.
To have a better comparison, we separate the communication into two parts to calculate the computing cost, respectively: Vehicle-SM(V2S) communication and Vehicle-Vehicle(V2V) communication. Since TA completes the calculation of public key for all vehicle communication, V2S communication is no longer required for Lin [11]. Instead, we let SMs to do this job to relieve pressure and burden of TA. Similarly, Ali's [20] scheme does not require this stage because it uses a fixed public-private key pair. In V2S communication phase, the vehicle can calculate the relevant information in advance based on the public parameters, such as symmetric key, the header and so on. As a result, at this phase, the vehicle just needs to deliver ciphertext to the nearest RSU. Upon receiving the message, RSU is responsible for forwarding it to its region manager SM. When SM receives the message, it will authenticate the message. Similarly, PK is public information, SM only needs to perform two bilinear pairings and one point multiplication operation to calculate the corresponding symmetric key. Then, perform a symmetric decryption operation to get the certificate. Finally, verify the signature by pk root and verify the certificate by using public key of TA. In a word, the execution time of this step is 2T bp + T dec-aes + T pm + 2T ver-ecc ≈ 22.3196 ms. For the phase of Yao [14], SM need to execute k + 4 point multiplication operations which is tied to the k SMs, and perfom three hash operations. Therfore, the execution time is (k + 4)T sm-ecc + 3T h ≈ (0.7088k + 0.0141) ms.
For the V2V communication phase of our proposed sche-me, vehicle can calculate the subsequent keys and pseudony-ms according to key derivation algorithm in advance. Vehicle sign a message by a new private key and send to nearby RSUs or vehicles. Then RSU will forward this message to SM if this message is a request to access the VFC. Otherwise, adjacent vehicles will verify the message. The verifier(an SM or vehicle) retrieve the corresponding public key by pseudonym and then verfiy the message. Therefore, the execution time of this step is T sig-ecc + T ver-ecc ≈ 11.1461 ms. On the other side, the execution flow of Yao [14] and Lin [11] are the same as us, so the execution time are also 11.1461 ms. However, for Ali [20], it need to perform two bilinear pairings, three scale multiplication operations, four hash function operations and one exponentiation during this whole process. So the execution time is 2T bp + 3T sm-ecc + 1T ex + 4T h = 12.0269 ms.
To compare the computational overhead of the three sch-emes more clearly, the execution time of four schemes in V2S communication phase and V2V communication phase phases are shown in Table 5. In V2S communication phase, the execution time of our scheme is a constant value. However, in Yao [14], this time will increase with the increasing of k (i.e., the number of SMs). Once k exceed 32, Yao [14] execution time will beyond ours. In practice, the number of SMs is much bigger than 32. In addition, the execution time during the V2V communication phase is the same for Lin [11], Yao [14] and our scenarios. However, for Ali [20], because of the complicated bilinear pairing process involved in verification phase, the whole communication cost is also the largest among the four shemes. The proposed scheme was reduced about 7% compared with Ali [20]. From the above comparison, our scheme has good efficiency in both stages.

Communication Overhead
We primarily study and compare the communication overhead of our method with three other techniques (i.e., [11,14,20].) in this paragraph. Since Identity Authentication phase only needs to be performed once in our scheme, we only consider the communication overhead associated with Message Authentication phase. Furthermore, because p and p have sizes of 64 bytes (512 bits) and 20 bytes (160 bits), the elements in G 1 and G have sizes of 64 × 2 = 128 bytes and 20 × 2 = 40 bytes, respectively.
In each V2V or V2S communication, take the bth communication of V a for example, it ) is a ECDSA signature (i.e., 64 bytes), M is a message(where we set as 32 bytes), tst is current timestamp(where we set as 4 bytes) and PID V a b = (PID V a b,1 , PID V a b,2 ). As a consequence, the presented solution is = 64 + 32 + 4 + 2 × 40 = 180 bytes.
For the same step in Yao [14], where PID z is a random pick in Z q (i.e., 20 bytes) that represents its pseudonym. Therefore, the communication overhead is 120 bytes.
In Lin [11], the sender needs to get the transaction identity (TxID, i.e., 32 bytes) from the smart contract by the corresponding pk V b first. Then, {Sign sk V b (M, tst, TxID), M,tst, TxID} will be transmitted. Here, |pk| is a element of G (i.e., 40 bytes). Therefore, the communication cost of Lin [11] is 304 bytes.
Similarly, in the Ali's scheme [20], the vehicle broadcasts (PID a , κ a , S a , tst) where PID a = (PID a,1 , PID a,2 ), κ a = M ⊕ h(g θ a ) and S a = θ a pk v a . Since PID a,1 , PID a,2 , S a ∈ G, the length of S a is 64 bytes (i.e., suppose the SHA-512 is used), the total communication cost is 188 bytes.
The comparison results are shown in Table 6. It is not difficult to see that the communication overhead of our sche-me is lower than that of Lin [11] and Ali [20]. The communication cost reduces 41% compared with Lin [11] and reduces 4% compared with Ali [20]. Furthermore, even though communication overhead of our scheme is higher than Yao [14], this expense is acceptable because our strategy includes a bonus function(Unlinkability). Therefore, we believe that our solution is more suitable for VANETs in this respect.

Message Authentication Delay and Packet Loss Rate
We also perform a simulation by using NS-3 in a personal computer (Lenovo with Intel Core i7-10875H 2.30 GHz, 16 GB RAM and Ubuntu 20.04 OS) to measure the average message authentication delay and average packet message loss rate. Figure 7 shows a map with 0.5 × 0.5 km 2 which we adopt in our simulation scenario. The block is maintained by an SM and the interval of broadcast messages is 100 ms. In addition, the packet size in our simulation is 288 bytes. Other parameters like Channel, Propagation, Phy and Mac are set as WirelessChannel, TwoRayGround, WirelessPhy and 802.11, respectively. The simulation time in each simulation are set as 100 s. Here, we increased the number of vehicles from 5 to 30 and increased the speed of the cars from 7.5 to 40 m/s. The final results are shown in Figure 8. From Figure 8, we can observe that the average packet loss rate is essentially unchanged and until the number of vehicles increases to 30, it increases a little. On the other hand, the average delay increases as the the number of vehicles increases. This could be owing to an increase in the number of vehicles on the road, which would result in an increase in the number of broadcast messages, eventually making a increase in average delay. However, this value is still within our acceptable range.

Conclusions
With the serious traffic congestion and frequent accidents in real life, VANETs is expected to relieve traffic pressure, for example, changing driving route or reasonable change of traffic lights by the control center through traffic information sent by nearby vehicles. Hence, in this paper, we proposed a hierarchical blockchain-assisted CPPA scheme for VANETs with following advantages: (i) Adopted distributed VFC to reduce the delay effectively in theory. (ii) Attacker unable to link two messages transmitted by same vehicle because the vehicle uses different public key and pseudonym everytime it broadcasts a message. (iii) The proposed scheme has better performance in computing and communication than the previous scheme, which is shown by simulation experiments. The findings reveal that the proposed scheme is available. In the future, how to adopt a more efficient algorithm to design the authentication scheme, whether there is a better way to replace the offline registration of vehicles, will be our focus to improve the efficiency of authentication.