HCDA: Efficient Pairing-Free Homographic Key Management for Dynamic Cross-Domain Authentication in VANETs

Abstract

Emerging as the effective strategy of intelligent transportation system (ITS), vehicular ad hoc networks (VANETs) have the capacity of drastically improving the driving experience and road safety. In typical VANET scenarios, high mobility and volatility of vehicles result in dynamic topology of vehicular networks. That is, individual vehicle may pass through the effective domain of multiple neighboring road-side-units (RSUs) during a comparatively short time interval. Hence, efficient and low-latency cross-domain verification with all the successive RSUs is of significance. Recently, a lot of research on VANET authentication and key distribution was presented, while the critical cross-domain authentication (CDA) issue has not been properly addressed. Particularly, the existing CDA solutions mainly reply on the acquired confidential keying information from the neighboring entities (RSUs and vehicles), while too much trustworthiness is granted to the involved RSUs. Please note that the RSUs are distributively located and may be compromised or disabled by adversary, thus vital vehicle information may be revealed. Furthermore, frequent data interactions between RSUs and cloud server are always the major requisite so as to achieve mutual authentication with cross-domain vehicles, which leads to heavy bandwidth consumption and high latency. In this paper, we address the above VANET cross-domain authentication issue under the novel RSU edge networks assumption. Please note that RSUs are assumed to be semi-trustworthy entity in our design, where critical vehicular keying messages remain secrecy. Homomorphic encryption design is applied for all involved RSUs and vehicles. In this way, successive RSUs could efficiently verify the cross-domain vehicle with the transited certificate from the neighbor RSUs and vehicle itself, while the identity and secrets of each vehicle is hidden all the time. Afterwards, dynamic updating towards the anonymous vehicle identity is conducted upon validation, where conditional privacy preserving is available. Moreover, pairing-free mutual authentication method is used for efficiency consideration. Formal security analysis is given, proving that the HCDA mechanism yields desirable security properties on VANET cross domain authentication issue. Performance discussions demonstrate efficiency of the proposed HCDA scheme compared with the state-of-the-art.

1. Introduction

Recently, the vigorous development of communication technology in recent years facilitated the tremendous proliferation of advanced intelligent transportation systems (ITS), which are seen as the progressive solution for improving driving safety and efficiency [1,2,3]. ITS is responsible for providing innovative services and applications regarding transportation and traffic management, which is critical to populous metropolitan cities and regions. As the significant infrastructure of ITS, vehicle ad hoc network (VANET) is the self-organized and distributed wireless network built by heterogeneous vehicular entities including remote servers, road side units, and vehicles [4]. In general, VANET enables dynamic real-time communication for vehicles, thereby significantly enhances road safety and facilitate the driving experience.

In general, the basic components of VANET infrastructure consist of trusted authority (TA), road-side unit, and the terminal vehicles. As the top-level VANET management center and trustworthy key center, TA is in charge of crucial system operations including device registration, key generation, and vehicular data processing. Due to its keen demands for complex interactions and computation, currently TA applies advanced cloud computing technique for sufficient processing and storing capacities [5]. Please note that the distributed cloud servers are capable of arranging multiple VANET prototypes, which promote the construction of worldwide Internet of Vehicles (IoV) initiatives. Similarly, the promising 5G communicating infrastructure has been dedicated, thus stable and seamless data transmission can be guaranteed in this way.

The RSUs are organized as the distributed road-side facilities at fixed intervals, where their interacting ranges cover the entire road sections. Therefore, each vehicle can access the VANET through communication with its nearby RSU [6,7]. Specifically, the necessary key calculation and processing are performed in RSU side so as to provide low-latency data exchange with specific vehicles. This allows timely VANET applications delivery and sensitive vehicular data transmission. As mentioned above, in cloud-assisted VANET system, heterogeneous vehicular data are processed and stored in cloud server, while the novel edge architecture can be implemented so that low latency and high reliability properties of vehicle-to-RSU transmission (V2R) are satisfied accordingly [8]. In this case, instead of requesting information from the remote TA every time, the edge cluster including all the nearby RSUs is able to cache the frequently used data and manage the instant and frequent data exchange with vehicles, while the bandwidth burden for cloud server can be significantly alleviated [9,10,11,12].

The vehicles are the terminal users of VANET system, where massive vehicular data and road characteristics are collected [13,14,15]. Subsequently, the aggregated data are forwarded to cloud server for further analysis and management. The embedded on-board unit (OBU) in vehicle conduct packet transmission and reception in practical high-mobility VANET scenarios [16].

Two major type of VANET communications, including vehicle-to-RSU (V2R) communication, and vehicle-to-vehicle (V2V) communication, are enabled by the deployed dedicated short-range communication (DSRC) technique, which is an 802.11p-based wireless communication technology enable connection between vehicle and the surrounding entities in ITS. The inherent wireless transmission property leads to potential security risks and privacy threats in open environment [15,17]. The transmitted data may be forged or eavesdropped by malicious entities, bringing danger to the entire VANET and its vehicles. Consequently, effective authentication and verification mechanism should be deployed for security and privacy preservation [18,19].

Recently, lots of research has been done on VANET secure transmission. Various cryptographic techniques and safe strategies have been deployed in existing studies, where the proposed authentication and key management schemes have to a certain extent addressed the VANET security issues [20]. However, in practical VANET scenarios, high mobility and volatility of vehicles makes the authentication process challenging as the vehicles change their position fast. Numerous vehicles may continuously pass through effective domains of multiple RSUs in a short time interval. Moreover, random vehicle may join or leave the VANET network at any point of time beyond prediction [21,22]. For this concern, mutual authentication between each vehicle and all the RSU it passed by should be timely conducted prior to vehicular data exchange [23]. In other words, identity of the new vehicle will be verified whenever the vehicle enters the RSU effective domain, which is defined as cross-domain authentication. Considering the large number of participating vehicles, huge time consumption and computation cost will be are made for individual RSU, which crucially restricts the vast implementation of VANETs [13,24,25].

Presently, although some research attention has been paid so far, the critical cross-domain authentication issue has not been properly addressed in the field of VANET [11,26]. As a matter of fact, most of the existing mechanisms on VANET authentication tend to develop the verification scheme under static trust model, where only the occasion with initial RSU is discussed [27,28,29]. That is, the CDA occasion have not been taken into consideration at all. As for the rest schemes where CDA issue has been discussed indeed, all the successive RSUs have to inquire cloud server of confidential information, causing extra communication burden and high latency. In conclusion, trade-off between transmission security and efficiency in terms of cross-domain authentication issue remain unsolved [1]. Furthermore, in the existing CDA schemes, too much trustworthiness has been granted to the involving RSUs. Thus, vital vehicle information may be revealed, providing that certain RSU is compromised or disabled by adversary [30,31,32,33].

Motivated by the above discussion on VANET secure transmission, we address the above VANET CDA issue under the novel RSU edge networks assumption. In our design, the CDA issue can be solved by adopting the certificate transited from RSU clusters. In particular, the successive RSUs could efficiently verify the cross-domain vehicle with the transited certificate from the neighbor RSUs and vehicle itself, while the identity and secrets of each vehicle is hidden all the time. Please note that it is not necessary for the successive RSUs to exchange confidential information with remote cloud server, thus balance between efficiency and security is properly made. Meanwhile in our design, the dynamic updating towards the anonymous vehicle identity is conducted upon validation, where conditional privacy preserving is enabled in this way.

Research Contributions

In this paper, we develop a pairing-free homographic authentication and key management scheme for dynamic cross-domain authentication in VANETs. Our nontrivial efforts can be briefly summarized as follows:

• Pairing-free certificateless mutual authentication scheme for cloud-assisted VANETs with edge computing infrastructure: Our method adopts cloud-assisted system model with edge infrastructure. In our assumption, the massive vehicular data are to be transmitted and processed in remote cloud. Hence, practical requirements for sufficient processing and storing capacities can be satisfied. Meanwhile, the deployed edge RSU architecture enables low latency and high reliability of vehicle-to-RSU transmission (V2R), while the bandwidth burden for cloud server can be significantly alleviated. Furthermore, certificateless cryptography is exploited. TA and individual vehicle respectively generate the corresponding partial key pair so that the key escrow issue can be solved. The entire authentication scheme is performed without complex pairing functions so that the computation cost is drastically reduced.
• Homographic key management towards cross-domain authentication: In the proposed scheme, the cross-domain authentication issue is addressed by using the certificate transited from RSU clusters. Therefore, the successive RSUs could efficiently verify the cross-domain vehicle according to the certificate from the neighbor RSUs and vehicle itself. During the CDA process, homomorphic encryption is deployed for all participating RSUs and vehicles. Hence, RSU is able to conduct the verification process without accessing the vital vehicle secrets, where the vehicle privacy is guaranteed from the compromised RSUs. Please note that it is not necessary for the successive RSUs to exchange confidential information with remote cloud server, thus balance between efficiency and security is properly made.
• Dynamic updating strategies on anonymous vehicle for conditional privacy preserving: Constant identity is hidden during entire process, while the anonymous identities for RSUs and vehicles are constructed. Therefore, crucial security characteristics including unlinkability, conditional privacy-preserving, and user anonymity for all participating entities are provided. Meanwhile, the transmitted vehicle certificate will be automatically updated whenever the vehicle passes by a new RSU. Thanks to the homographic encryption property and vehicle conditional privacy, confidential keying information cannot be extracted or forged by the compromised RSUs.

The remainder of this paper is organized as follows. Section 2 briefly introduces the related research progress. Section 3 illustrates the preliminary works for the reader to obtain a better understanding of the topic. Section 4 presents the proposed HCDA scheme in detail. Section 5 presents the security analysis. Section 6 displays the performance analysis. The final conclusions are drawn in Section 7.

2. Related Works

Currently, lots of research efforts on VANET secure transmission have been made [30,34]. Particularly, methods emphasizing on conditional-privacy preserving of the participating vehicles have been developed. In 2010, Zhang et al. [35] developed the decentralized group authentication protocol where each RSU organizes the vehicular group for users within its range. Hence, messages originating from the passing vehicles could be broadcast anonymously and verified by group members. False message sender could be revealed by the invoked third party. Similarly, the pseudonymous authentication protocol PACP is proposed [20], where the anonymous communication is guaranteed with the pseudonyms generated by both RSUs and vehicle. Later, Lu et al. [36] developed the dynamic key management scheme for VANET location-based services (LBSs). The LBS session is divided into various time slots with different session keys. In this way, the new session key can be autonomously updated. Afterwards, an identity-based VANET mutual authentication mechanism is designed by He et al. [37]. Bilinear pairing operations are not applied in the design so as to alleviate the computation cost. For the same purpose, Lo et al. developed the paring-free identity-based message authentication scheme with batch verification mechanism [38], thus optimized performance in term of time consumption can be achieved. Meanwhile, an anonymous mutual authentication protocol for VANETs is proposed [39], where group signature and batch message verification are adopted in multiple-vehicle scenarios. In 2019, Alazzawi et al. constructed a pseudo-identity-based message verification scheme [30] with resistance to insider attack and provision of message integrity. Please note that certificate revocation list is not deployed for the purpose of optimizing the communication cost.

Specifically, key management and vehicular data verification process for VANETs has been widely studied so far. In 2011, Hao et al. proposed a distributed key management framework with VANET group signature design [32]. Compromised RSUs and the colluding malicious vehicles can be timely detected and revoked. Meanwhile, the cooperative vehicular message authentication mechanism is used with the purpose of alleviating computation overhead. Hence, each vehicle only needs to perform a small amount of message verification tasks. Thereafter, another VANET message authentication mechanism EMAP [25] is developed by Wasef et al., where the time-consuming certificate revocation matching process is replaced with keyed hash-message-authentication-code (HMAC) design. Please note that the input key values are securely shared among on-board units of validated vehicles. Later, Chuang et al. [27] proposed a decentralized trust-extended message authentication mechanism TEAM for high-mobility V2V communication. The lightweight transitive trust relationships frame is deployed in order to reduce storage consumption. Meanwhile, emphasizing on low-latency computation for the certificate revocation procedure, Zhu et al. developed the hash-based VANET group signature [18], where cooperative message authentication among vehicular entities is implemented. Similarly, a two-factor lightweight VANETs authenticating schemes 2FLIP is proposed [13], which applied the decentralized certificate authority (CA) and biological password. Recently, multiple relevant VANETs key distribution and message validation methods have been proposed [2,8], where the blockchain structure is used for secure data sharing.

Due to the superiority in heterogenous data storing and parallel processing, cloud infrastructure has been extensively exploited in various VANET scenarios. In 2017, the vehicular message safe dissemination for cloud-assisted VANET-cellular heterogeneous network is studied in [9]. The message delivery from remote server to destinated area is investigated. The proposed CMDS scheme provides reliable data sharing with the assistance of corresponding gateways and neighboring vehicles. Moreover, the resource allocation issue for vehicular cloud data is discussed by Lin et al. [40]. The legitimate RSUs help significantly improve the computing capability of vehicular cloud computing (VCC) system. In this way, optimal solution for VCC resource allocation is proposed under the modified semi-Markov decision process (SMDP) model. Furthermore, the message dissemination scheme for vehicular fog-assisted network is proposed by Ullah et al. [16], where message congestion avoidance is achieved. Thereafter, multiple methods on VANET secure transmission with cloud/fog infrastructure are accordingly presented [6,23,41].

As one of the critical issues in secure vehicular data transmission, cross-domain authentication under practical VANET environment has not been fully addressed so far. Presently, several relevant cross-domain solutions for other wireless transmission occasions have been proposed. In 2015, Li et al. proposed a certificateless cross-domain authentication and key management protocol for wireless mesh networks (WMNs) with multiple administrative domains [1]. The proposed CAKA protocol enables two-round authenticated key agreement for the users affiliated to various WMN domains, while the discussion on high mobility and dynamic topology of WMN nodes is not included. Thereafter, He et al. developed the handshake scheme with symptom-matching for mobile healthcare social networks (MHSNs) [5]. Similarly, emphasizing on telemedicine communication system, a certificateless cross-domain authenticated asymmetric group key management is proposed [42], which provides resistance to key escrow problem. In 2019, a blockchain-assisted lightweight anonymous authentication scheme for vehicular fog service (VFS) is presented [4]. However, the proposed scheme mainly focuses on data sharing with vehicular data center, while efficient updating is not provided [26]. In conclusion, existing research either discussed the CDA issue in other general IoT wireless circumstances without taking into consideration the particular characteristics of VANET communications (e.g., high-mobility entities, self-organized topology, and instant data transmission), or failed to present the efficient and flexible security strategies employing extensive VANET infrastructures (e.g., cloud-assisted VANET, edge-based RSUs). As a result, the proposed scheme of this paper is of significance for practical VANETs.

3. Preliminaries

The essential cryptographic concepts and basic knowledge are introduced in this section for the purpose of facilitating the reader’s understanding. The definitions of elliptic curve cryptosystem (ECC), one-way hash function, and homomorphic encryption, have been respectively presented. Thereafter, the corresponding notations, system model, security requirements, and network assumptions are respectively described.

3.1. Elliptic Curve Cryptography (ECC)

Let $p>3$ be the large prime, and ${\mathbb{F}}_p$ be the finite field with order p, where $a,b\in {\mathbb{F}}_p$ satisfy $4a^3+27b^2(modp)\ne 0$. The elliptic curve $E_p\left(a,b\right)$ over the finite field ${\mathbb{F}}_p$ is defined with the following equation:

$$y^2=x^3+ax+bmodp,$$

where $\left(x,y\right)\in {\mathbb{F}}_p$. The addition operation on the curve is defined as point doubling when the two points are identical. Otherwise, it is defined as the point addition. All the points on the curve, as well as the point at infinity ∞ form an additive Abelian group $E\left({\mathbb{F}}_p\right)$. Please note that $\infty =\left(-\infty \right)$ performs as the identity element.

Definition 1 (Computational Diffie-Hellman Problem (CDHP)).

Given $P,aP,bP\in {\mathbb{G}}_1$ for $a,b\in {\mathbb{Z}}_q^{*}$, where P is a generator of ${\mathbb{G}}_1$, the advantage in computing $abP$ to solve the CDHP problem for any probabilistic polynomial-time (PPT) algorithm $\mathcal{A}$ is negligible, which can be defined as:

$$Ad{v}_{\mathcal{A},{\mathbb{G}}_1}^{CDHP}=Pr[\mathcal{A}\left(P,aP,bP\right)\to abP:a,b\in {\mathbb{Z}}_q^{*}].$$

Definition 2 (Elliptic Curve Discrete Logarithm Problem (ECDLP)).

Given $P,Q\in {\mathbb{G}}_1$, where $Q=aP$. The advantage in finding the integer $a\in {\mathbb{Z}}_q^{*}$ in order to solve the ECDLP problem for any probabilistic polynomial-time (PPT) algorithm $\mathcal{A}$ is negligible, which can be defined as:

$$Ad{v}_{\mathcal{A},{\mathbb{G}}_1}^{ECDLP}=Pr[\mathcal{A}\left(P,aP\right)\to a:a\in {\mathbb{Z}}_q^{*}].$$

3.2. Hash Function

The one-way hash function $h(·)$ is defined to be secure if the following properties can be achieved all:

• Input a message x of arbitrary length, it is easy to compute a message digest of a fixed length output $h\left(x\right)$.
• Given y, it is hard to compute $x=h^{-1}\left(y\right)$.
• Given x, it is computationally infeasible to find $x^{\prime }=x$ such that $h\left(x^{\prime }\right)=h\left(x\right)$.

3.3. Homomorphic Encryption

The homomorphic encryption design allows the predefined standard computations on ciphertexts, with which the output matches the encryption result on the computations conducted on plaintexts. With its unique properties, homomorphic encryption can be widely applied into vast security designs and privacy preserving strategies. Hence, the transmitted data can be securely processed and out-sourced without revealing the privacy-related information. The encryption and decryption functionalities can be considered as the homomorphisms between plaintext and ciphertext spaces. In practical communication scenarios with semi-trusted entities, homomorphic encryption could remove privacy barriers inhibiting data sharing since the operations on encrypted data can be performed instead of direct calculations on the confidential user data. The Paillier cryptosystem is one of the homomorphic cryptosystems for public key infrastructure (PKI), the security of which is based on the decisional composite residuosity assumption (DCRA) described as follows:

Definition 3 (Decisional Composite Residuosity Assumption (DCRA)).

Let p, q be two large primes such that $n=pq$. Given $\alpha \in {\mathbb{Z}}_{n^2}^{*}$, if there exist $\gamma \in {\mathbb{Z}}_{n^2}^{*}$ satisfying $\alpha \equiv {\gamma }^{n}mod{n}^2$, hence α is defined as the n-th residue modulo $n^2$. Please note that given the composite n and an integer β, it is hard to decide whether β is the n-th residue modulo $n^2$. The Paillier encryption process is additively homomorphic. That is, the product of two ciphertexts will decrypt to the sum of their corresponding plaintexts. Let $m_1,m_2\in {\mathbb{Z}}_n^{*}$ be the plaintexts, $r_1,r_2<n$ be the random integers during encryption. The following additive homomorphic properties can be satisfied ($\mathsf{\Theta }\in {\mathbb{Z}}_n^{*}$):

$$\left\{\begin{array}{c}Dec\left(Enc\left(m_1,r_1\right)·Enc\left(m_2,r_2\right)mod{n}^2\right)=\left(m_1+m_2\right)modn\hfill \\ Dec\left(Enc{\left(m_1,r_1\right)}^{\mathsf{\Theta }}mod{n}^2\right)=\left(m_1\mathsf{\Theta }\right)modn\hfill \end{array}\right.,$$

where $Enc\left(·\right)$, $Dec\left(·\right)$ denote the encrypting and decrypting operation, respectively.

3.4. Notations

The notations used in our scheme are listed in

Table 1. Notations.

Symbol	Description
$\mathtt{VC}$, $\{{\mathtt{RSU}}_1,\cdots ,{\mathtt{RSU}}_n\}$	Vehicular Cloud, Road-Side Units
${\mathbb{G}}_1$	Cyclic Group
P	Generator of ${\mathbb{G}}_1$
$I{D}_T^i,I{D}_{RSU}^i$	Distinctive and Anonymous Identity for ${\mathtt{RSU}}_i$
$〈r_{RSU}^i,s_{RSU}^i〉$	Partial Secret Key Pair of ${\mathtt{RSU}}_i$
$〈{\mathcal{O}}_i,{\hslash }_i〉$	Encryption Key Pair of ${\mathtt{RSU}}_i$
$〈{\mathsf{\Lambda }}_i,{ð}_i〉$	Decryption Key Pair of ${\mathtt{RSU}}_i$
${\mathcal{M}}_i,{\mathcal{N}}_i,{\mathcal{S}}_j,{\mathcal{T}}_j$	Large Prime Values
$I{D}_V^j,I{D}_j,I{D}_j^k$	Distinctive and Anonymous Vehicle Identities
$〈k_j,r_j〉$	Partial Secret Key Pair of Vehicle
$〈{\mathcal{Q}}_j,{\xi }_j〉$	Encryption Key Pair of Vehicle
$〈{\mathsf{\Gamma }}_j,{\wp }_j〉$	Decryption Key Pair of Vehicle
${\mathtt{Proof}}_{\left[j,k-1\right]}^{\prec },{\mathtt{Proof}}_{\left[j,k-1\right]}^{\succ }$	Proofs in ${\mathtt{RSU}}_k$ Domain
${\mathtt{Credential}}_{\left[j,k-1\right]}$	Credential in ${\mathtt{RSU}}_k$ Domain
$s{k}_j$	Vehicle Session Key
$\left\{{TS}_1^i,T{S}_2^i,T{S}_3^j,T{S}_4^i,T{S}_{\mathtt{CDA}}^i\right\}$	Timestamps
$\left\{{\mathtt{V}}_1,\cdots ,{\mathtt{V}}_i\right\}$	Vehicle Set
$\left[{\mathtt{Enc}}_{〈{\mathcal{O}}_i,{\hslash }_i〉}^{r_j},{\mathtt{Dec}}_{〈{\mathcal{O}}_i,{\mathsf{\Lambda }}_i〉}^{{ð}_i}\right]$	Homomorphic Cryptography of ${\mathtt{RSU}}_i$
$\left[{\mathtt{Enc}}_{〈{\mathcal{Q}}_j,{\xi }_j〉}^{r_{RSU}^i},{\mathtt{Dec}}_{〈{\mathcal{Q}}_j,{\mathsf{\Gamma }}_j〉}^{{\wp }_j}\right]$	Homomorphic Cryptography of Vehicle

, along with the corresponding description.

3.5. System Model

In this section, the used VANET infrastructure in our design is briefly illustrated. Please note that the deployed cloud-assisted VANET system with edge RSU layer could significantly satisfy the computing and storing requirements for massive vehicular data processing scenarios. As shown in Figure 1, the proposed VANET system model is composed of three different components with distinctive functionalities, which includes the cloud layer, edge layer, and device layer. Respectively, these three layers along with its general instructions are described as follows.

Cloud layer are considered as the core central data facilities responsible for the entire VANET system, where numerous vehicular data originating from terminal VANET devices are analyzed and safely stored. Moreover, crucial VANET system operations including device registration, confidential key generation, user verification, are all conducted by the topmost cloud layer, which is assumed to be valid and trustworthy at all time. Please note that the distributed cloud servers are capable of arranging multiple VANET prototypes, promoting the construction of worldwide Internet of Vehicles (IoV) initiatives. Similarly, the promising 5G communicating infrastructure has been dedicated, thus stable and seamless data transmission towards local RSUs can be guaranteed. For better description, we consider the entire cloud layer as one entity in our assumption.

Edge layer is a set of RSU clusters enabled by the direct and indirect wired connection between neighboring RSUs within certain vicinity. Instead of independently managing the data transmission tasks with in-range vehicles, each RSU cluster is able to collaboratively share essential vehicular information for vehicle authentication and then arrange distributive edge computation tasks. Generally, in cloud-assisted VANET system, heterogeneous vehicular data are processed in cloud server, while the edge architecture can be deployed so that low latency and high reliability properties of vehicle-to-RSU transmission (V2R) are satisfied accordingly. In this case, instead of requesting information from the remote TA every time, the edge cluster including all the nearby RSUs is able to cache the frequently used data and manage the instant and frequent data exchange with vehicles, while the bandwidth burden for cloud server can be significantly alleviated. Practically, some RSUs located in harsh natural environment far away from the central server may be easily compromised or disabled. In this way, vital vehicle secret information should not be fully revealed to RSUs for user privacy preservation. In other words, the RSUs are assumed to be semi-trusted entities in our design.

Device layer refers to all the participating terminal vehicles, where heterogenous vehicular data and road information are aggregated. The embedded on-board unit in vehicle is responsible for transmission and reception in high-mobility VANET scenarios, while the deployed tamper-proof device (TPD) is for confidential message preserving. Hence, large amounts of temporary and high-speed V2V and V2R networks are constructed continuously. Due to resource restriction, the comparatively complex computation cannot be performed in vehicle side.

3.6. Networks Assumptions

As shown in Figure 1, the cloud layer and edge layer are correspondingly communicated through VANET core networks, which are constructed with wired connections between cloud server and local individual RSUs. Adequate safety strategies can be implemented accordingly, thus secure and reliable data transmissions are enabled. Consequently, data exchange in core networks are beyond our consideration. On the other hand, interactions between the edge layer and device layer are conducted through vehicle-to-RSU (V2R) communications performed by DSRC communicating technique. Moreover, the self-organized vehicle networks within the device layer are constructed through vehicle-to-vehicle (V2V) communications, while the inherent wireless transmission property of both V2R and V2V communication leads to potential security risks and privacy threats. The transmitted vehicular data may be forged or eavesdropped by malicious entities, bringing danger to the entire VANET and its vehicles. Hence, proper security methods are of significance for safe wireless transmission of VANET.

3.7. Security Requirements

The design objective of our design is to enhance the security assurance of VANETs wireless transmissions, and to address the cross-domain authentication issue in practical VANETs. Moreover, efficiency for system management and authentication are to be taken into consideration. The following security requirements for VAENT key management and authentication scheme should be fully satisfied.

• Mutual Authentication: In the VANET design, mutual authentication is the basic but leading security property ensuring that both VANET entities in one communication process authenticate each other. In this way, the impersonation attack towards certain device can be prevented.
• Conditional Privacy Preserving: As one of the essential privacy parameters, conditional privacy consists of user privacy protection and certain device retrieving. That is, the private information regarding user identity is safely preserved during the entire transmission process. Hence, the illegal tracing toward specific device cannot be performed. Resistance to replay attack is guaranteed as well. Meanwhile, the central server in charge of system management is able to reveal the real identity of individual vehicle if necessary. In this case, the compromised or corrupted vehicle can be timely revoked.
• Non-repudiation: The message sender of VANET cannot deny the authenticity of its signature on the transmitted messages. Non-repudiation ensures the validity of the transmitted information.
• Unforgeability: In wireless VANET transmission, adversary may selectively forge the valid certificates, keys, or signatures in order to pass the verification process and acquire crucial system secrets. Unforgeability against chosen message attack is the major property in secure data exchange.
• Anonymity: In open environment, the communication channels may be eavesdropped by malicious entities. Meanwhile, messages originating from the same device carry unique patterns in order for distinction in the receiver side. In this case, by analyzing the eavesdropped information, vital parameters such as sending frequency, user location may be exposed, which endangers user privacy. Hence, anonymity during the whole VANET communications is extremely important.
• Session Key Establishment: Upon verification, the shared session key between individual vehicle and VANET system should be established so as to provide safe data exchange. Due to the semi-trustworthiness of intermediate RSUs, the constructed session key should be hidden from the interacting RSUs.

4. The Proposed HCDA Scheme

In this section, the homographic authentication and key management scheme is presented, which emphasizes on dynamic cross-domain authentication issue in high-mobility VANET scenarios. In our design, the pairing-free certificateless cryptography is deployed for key escrow avoidance. Hence low-cost verification for resource-constrained wireless devices is achieved accordingly. User anonymity for both vehicles and RSUs is maintained during the entire processing time. Moreover, the independent anonymous identity updating mechanism is developed so as to prevent message linkability for individual vehicle of different RSU domains. Upon validation on each vehicle, the exclusive session key among cloud server and legitimate terminal user is constructed so as to facilitate independent data transmission. Thereafter, the cross-domain authentication issue is further discussed, where the successive RSUs could efficiently verify the vehicle from other RSU domain according to the confidential certificate from the neighboring RSUs. Particularly, the successive RSUs do not need to access the remote cloud server, thus drastically alleviate the bandwidth burden. In this way, a tradeoff between efficiency and security is properly made. Please note that homomorphic encryption is deployed for CDA solution. Hence, RSU is able to conduct the verification process without accessing the vital vehicle secrets, where the vehicle privacy is guaranteed from the compromised RSUs.

Intuitively, the proposed scheme can be roughly divided into device registration, mutual authentication, and cross-domain authentication strategy. In device registration section, the nontrivial system initialization are preliminarily performed. Registration process towards all the participating vehicles and RSUs are conducted. In this way, vital private information including fundamental vehicle identity and initial secret key are safely stored in cloud server. Subsequently, the mutual authentication process regarding vehicle and initial RSU is performed in mutual authentication section, where the new vehicle is able to participate in VANET system after validation with cloud server. The independent secret key is generated for each vehicle. Finally, the solution towards cross-domain authentication issue is presented. The authentication mechanism with random approaching vehicle is provided in RSU side, while the edge RSU network is used for confidential key sharing. In this way, the detailed routine information for each legitimate vehicle can be effectively monitored and organized by cloud server, which is essential for location-related VANET applications including navigation, remote surveillance, and traffic dispute settlement.

4.1. Device Registration

The device registration operation is conducted for system initialization and vehicle registration. As mentioned above, the vehicular cloud ($\mathtt{VC}$) is assumed to be validated and trustworthy entity during the whole communication session. Hence, vital VANET parameters are generated and allocated from $\mathtt{VC}$ to destinated devices. Initially, ${\mathbb{G}}_1$ is defined as the cyclic group generated by large prime order q, where P denotes the generator of ${\mathbb{G}}_1$. Meanwhile, the secure cryptographic hash functions $H_1,H_2,H_3,H_4,H_5,h_1,h_2,h_3,h_4$ are respectively performed as

$$\left\{\begin{array}{c}{H}_1:{\{0,1\}}^{*}\times {\{0,1\}}^{*}\times {\{0,1\}}^{*}\times {\{0,1\}}^{*}\times {\mathbb{G}}_1\to {\mathbb{Z}}_q^{*}\hfill \\ H_2:{\{0,1\}}^{*}\times {\{0,1\}}^{*}\times {\mathbb{G}}_1\to {\mathbb{Z}}_q^{*}\hfill \\ H_3:{\{0,1\}}^{*}\times {\{0,1\}}^{*}\times {\mathbb{G}}_1\times {\{0,1\}}^{*}\times {\{0,1\}}^{*}\times {\{0,1\}}^{*}\to {\mathbb{Z}}_q^{*}\hfill \\ H_4:{\{0,1\}}^{*}\times {\{0,1\}}^{*}\times {\{0,1\}}^{*}\to {\mathbb{Z}}_q^{*}\hfill \\ H_5:{\mathbb{G}}_1\to {\mathbb{Z}}_q^{*}\hfill \\ h_1:{\{0,1\}}^{*}\times {\{0,1\}}^{*}\times {\mathbb{G}}_1\to {\mathbb{Z}}_q^{*}\hfill \\ h_2:{\{0,1\}}^{*}\times {\mathbb{G}}_1\to {\mathbb{Z}}_q^{*}\hfill \\ h_3:{\{0,1\}}^{*}\times {\{0,1\}}^{*}\times {\{0,1\}}^{*}\times {\{0,1\}}^{*}\to {\mathbb{Z}}_q^{*}\hfill \\ h_4:{\{0,1\}}^{*}\to {\mathbb{Z}}_q^{*}\hfill \end{array}\right..$$

(1)

Accordingly, the system parameter set $param=\left\{{\mathbb{G}}_1,q,P,H_1,H_2,H_3,H_4,H_5,h_1,h_2,h_3,h_4\right\}$ are published.

Respectively, the unique identity $I{D}_T^i\in {\{0,1\}}^{*}$ for each legitimate RSU is issued. The correlated secret $s_{RSU}^i\in {\mathbb{Z}}_q^{*}$ is randomly generated for independent RSU. Therefore, the confidential RSU information set $〈I{D}_T^i,s_{RSU}^i〉$ is safely shared among $\mathtt{VC}$ and RSU itself. Similarly, it is prerequisite for all the vehicles to register in advance. The distinctive vehicle identity $I{D}_V^j\in {\{0,1\}}^{*}$ is distributed, along with the secret key $k_j\in {\mathbb{Z}}_q^{*}$ generated by $\mathtt{VC}$. Hence the key pair for vehicle is $〈I{D}_V^j,k_j〉$. Please note that the whole device registration is safely performed in offline mode. Crucial vehicular personal information regarding user name, address, social identifier, and phone number, are recorded in $\mathtt{VC}$ as well. Consequently, $\mathtt{VC}$ constructs the unique vehicular records regarding all registered vehicles and RSUs as shown in

Table 2. Vehicular Records for Registered Entities.

Number	Type	Distinctive Identity	Assigned Secret	Location	Name/Add./Social ID/Phone No.
1	RSU	$I{D}_T^1$	$s_{RSU}^1$	√	∖
2	RSU	$I{D}_T^2$	$s_{RSU}^2$	√	∖
⋯	⋯	⋯	⋯	⋯	⋯
i	RSU	$I{D}_T^i$	$s_{RSU}^i$	√	∖
1	Vehicle	$I{D}_V^1$	$k_1$	∖	√
2	Vehicle	$I{D}_V^2$	$k_2$	∖	√
⋯	⋯	⋯	⋯	⋯	⋯
j	Vehicle	$I{D}_V^j$	$k_j$	∖	√

.

For anonymity protection, the registered RSU randomly generates $r_{RSU}^i\in {\mathbb{Z}}_q^{*}$ and periodically extracts the current RSU anonymous identity $I{D}_{RSU}^i$ as

$$I{D}_{RSU}^i=h_1\left(T{S}_1^i,I{D}_T^i,r_{RSU}^i{s}_{RSU}^{i}P\right),$$

(2)

where the current timestamp $T{S}_1^i$ is adopted for freshness assurance. In this case, each RSU session identity $D_{RSU}^i$ is only valid within certain time period. The RSU partial secret key pair $〈r_{RSU}^i,s_{RSU}^i〉$ is then stored in RSU side, while $r_{RSU}^i$ is kept secret to $\mathtt{VC}$.

In the next, the homomorphic encryption infrastructure for each registered RSU is constructed. RSU independently chooses two large prime value ${\mathcal{M}}_i$ and ${\mathcal{N}}_i$ with $gcd\left({\mathcal{M}}_i{\mathcal{N}}_i,\left({\mathcal{M}}_i-1\right)\left({\mathcal{N}}_i-1\right)\right)=1$. Hence, the calculations on ${\mathcal{O}}_i$ and ${\mathsf{\Lambda }}_i$ can be performed as

$$\left\{\begin{array}{c}{\mathcal{O}}_i={\mathcal{M}}_i{\mathcal{N}}_i\hfill \\ {\mathsf{\Lambda }}_i=\mathrm{lcm}\left({\mathcal{M}}_i-1,{\mathcal{N}}_i-1\right)\hfill \end{array}\right..$$

(3)

Thereafter, RSU selects random ${\hslash }_i\in {\mathbb{Z}}_{{\mathcal{O}}_i^2}^{*}$ and computes

$${ð}_i={\ell }_i\left({\hslash }_i^{{\mathsf{\Lambda }}_i}mod{\mathcal{O}}_i^2\right)mod{\mathcal{O}}_i,$$

(4)

where the function ${\ell }_i\left(x\right)=\frac{x-1}{{\mathcal{O}}_i}$. At this point, the encryption key pair for RSU is extracted as $〈{\mathcal{O}}_i,{\hslash }_i〉$. Subsequently, RSU performs the following calculations:

$$\left\{\begin{array}{c}{\mathcal{R}}^i=r_{RSU}^i{s}_{RSU}^{i}P\hfill \\ Cer{t}_{RSU}^i=H_1\left(T{S}_2^i,I{D}_{RSU}^i,{\mathcal{O}}_i,{\hslash }_i,{\mathcal{R}}^i\right)\hfill \end{array}\right.,$$

(5)

where $T{S}_2^i$ denotes the latest timestamp. At this point, the RSU parameters set denoted as $〈T{S}_2^i,I{D}_{RSU}^i,{\mathcal{O}}_i,{\hslash }_i,{\mathcal{R}}^i,Cer{t}_{RSU}^i〉$ is periodically broadcast to all entities within its effective domain.

4.2. Mutual Authentication

In this section, mutual authentication between vehicle and VANET system is conducted. Initially, assuming the vehicle of identity $I{D}_V^j$, partial secret key $k_j$ is approaching specific RSU, vehicle itself randomly generates its own secret $r_j\in {\mathbb{Z}}_q^{*}$. At this point, partial secret $〈k_j,r_j〉$ is stored by vehicle. Consequently, the anonymous identity used in the authentication session is computed as

$$I{D}_j=h_2\left(I{D}_V^j,r_{j}P\right).$$

(6)

At the same time, vehicle is acknowledged of the published RSU parameters set $〈T{S}_2^i,I{D}_{RSU}^i,{\mathcal{O}}_i,{\hslash }_i,{\mathcal{R}}^i,Cer{t}_{RSU}^i〉$. Upon extracting the parameters, freshness verification towards the timestamp $T{S}_2^i$ is first carried out by checking whether $\left|T{S}_2^{cur}-T{S}_2^i\right|\le {\epsilon }_1$ holds, where $T{S}_2^{cur}$ indicates the current timestamp. Subsequently, by validating the certificate $Cer{t}_{RSU}^i$, integrity of the received message can be guaranteed. Upon validation, the encryption key pair $〈{\mathcal{O}}_i,{\hslash }_i〉$ can be extracted by vehicle. Similarly, the homomorphic encryption design for vehicle is constructed. The vehicle with identity $I{D}_j$ then chooses two large prime value ${\mathcal{S}}_j$ and ${\mathcal{T}}_j$ with $gcd\left({\mathcal{S}}_j{\mathcal{T}}_j,\left({\mathcal{S}}_j-1\right)\left({\mathcal{T}}_j-1\right)\right)=1$. Hence, the calculations on ${\mathcal{Q}}_j$ and ${\mathsf{\Gamma }}_j$ can be performed as

$$\left\{\begin{array}{c}{\mathcal{Q}}_j={\mathcal{S}}_j{\mathcal{T}}_j\hfill \\ {\mathsf{\Gamma }}_j=\mathrm{lcm}\left({\mathcal{S}}_j-1,{\mathcal{T}}_j-1\right)\hfill \end{array}\right..$$

(7)

Thereafter, vehicle selects random ${\xi }_j\in {\mathbb{Z}}_{{\mathcal{Q}}_j^2}^{*}$ and computes

$${\wp }_j={\varphi }_j\left({\xi }_j^{{\mathsf{\Gamma }}_j}mod{\mathcal{Q}}_j^2\right)mod{\mathcal{Q}}_j,$$

(8)

where the function ${\varphi }_j\left(y\right)=\frac{y-1}{{\mathcal{Q}}_j}$.

At this point, the encryption key pair for vehicle is extracted as $〈{\mathcal{Q}}_j,{\xi }_j〉$. The vehicle then uses the randomly generated secret key $r_j$ and the acquired RSU encryption key pair $〈{\mathcal{O}}_i,{\hslash }_i〉$ to perform the encrypting operations as

$$\left\{\begin{array}{c}{\aleph }_j=H_2\left(T{S}_3^j,I{D}_V^j,k_j{r}_{j}P\right)\hfill \\ {\Im }_j=H_3\left(T{S}_3^j,I{D}_j,{\mathcal{R}}^i,{\mathcal{Q}}_j,{\xi }_j,{\aleph }_j\right)\hfill \\ {\mathsf{{\rm Y}}}_j=r_j{\mathcal{R}}^i\hfill \\ Cer{t}_V^j={\mathtt{Enc}}_{〈{\mathcal{O}}_i,{\hslash }_i〉}^{r_j}\left[{\aleph }_j\left|\right|{\mathcal{Q}}_j,{\xi }_j\left|\right|{\Im }_j\right]\hfill \end{array}\right..$$

(9)

Please note that ${\mathtt{Enc}}_{〈{\mathcal{O}}_i,{\hslash }_i〉}^{r_j}\left[M\right]$ denotes the homomorphic encryption performed as

$${\mathtt{Enc}}_{〈{\mathcal{O}}_i,{\hslash }_i〉}^{r_j}\left[M\right]={\hslash }_i^M·r_j^{{\mathcal{O}}_i}mod{\mathcal{O}}_i^2.$$

(10)

Thereafter, vehicle sends the following requesting packet

$$〈\mathtt{Request},T{S}_3^j,I{D}_j,{\mathsf{{\rm Y}}}_j,Cer{t}_V^j〉$$

(11)

to RSU for further validation.

On the receipt of the verification packet, freshness verification towards timestamp $T{S}_3^j$ is first carried out by checking whether $\left|T{S}_3^{cur}-T{S}_3^j\right|\le {\epsilon }_2$ holds, where $T{S}_3^{cur}$ indicates the current timestamp. Subsequently, RSU is able to decrypt the received $Cer{t}_V^j$ by computing

$$\begin{array}{cc}\hfill & 〈{\aleph }_j\left|\right|{\mathcal{Q}}_j,{\xi }_j\left|\right|{\Im }_j〉\hfill \\ \hfill & ={\mathtt{Dec}}_{〈{\mathcal{O}}_i,{\mathsf{\Lambda }}_i〉}^{{ð}_i}\left[Cer{t}_V^j\right]\hfill \\ \hfill & =\frac{{\ell }_i\left({\left[Cer{t}_V^j\right]}^{{\mathsf{\Lambda }}_i}mod{\mathcal{O}}_i^2\right)}{{ð}_i}mod{\mathcal{O}}_i\hfill \end{array},$$

(12)

where ${\mathtt{Dec}}_{〈{\mathcal{O}}_i,{\mathsf{\Lambda }}_i〉}^{{ð}_i}\left[C\right]$ denotes the RSU homomorphic decryption performed as

$${\mathtt{Dec}}_{〈{\mathcal{O}}_i,{\mathsf{\Lambda }}_i〉}^{{ð}_i}\left[C\right]=\frac{{\ell }_i\left(C^{{\mathsf{\Lambda }}_i}mod{\mathcal{O}}_i^2\right)}{{ð}_i}mod{\mathcal{O}}_i.$$

(13)

Please note that the mathematical correctness for the above decryption can be briefly illustrated as

$$\begin{array}{cc}\hfill & {\mathtt{Dec}}_{〈{\mathcal{O}}_i,{\mathsf{\Lambda }}_i〉}^{{ð}_i}\left[{\mathtt{Enc}}_{〈{\mathcal{O}}_i,{\hslash }_i〉}^{r_j}\left[M\right]\right]\hfill \\ \hfill & =\frac{{\ell }_i\left({\left[{\mathtt{Enc}}_{〈{\mathcal{O}}_i,{\hslash }_i〉}^{r_j}\left[M\right]\right]}^{{\mathsf{\Lambda }}_i}mod{\mathcal{O}}_i^2\right)}{{ð}_i}mod{\mathcal{O}}_i\hfill \\ \hfill & =\frac{{\ell }_i\left({\left[{\hslash }_i^M·r_j^{{\mathcal{O}}_i}mod{\mathcal{O}}_i^2\right]}^{{\mathsf{\Lambda }}_i}mod{\mathcal{O}}_i^2\right)}{{\ell }_i\left({\hslash }_i^{{\mathsf{\Lambda }}_i}mod{\mathcal{O}}_i^2\right)}mod{\mathcal{O}}_i\hfill \\ \hfill & =Mmod{\mathcal{O}}_i\hfill \end{array}.$$

(14)

Hence, $〈{\aleph }_j\left|\right|{\mathcal{Q}}_j,{\xi }_j\left|\right|{\Im }_j〉$ is successfully extracted from $Cer{t}_V^j$ by RSU. Confidentiality of the information can be verified by checking the value of ${\Im }_j$ according to the currently acquired ${\aleph }_j$ and the previously broadcast ${\mathcal{R}}^i$ from RSU. If validated, RSU accepts the vehicle homomorphic encryption key pair $〈{\mathcal{Q}}_j,{\xi }_j〉$. Moreover, with the stored ${\mathcal{R}}^i=r_{RSU}^i{s}_{RSU}^{i}P$ and ${\mathsf{{\rm Y}}}_j=r_j{\mathcal{R}}^i$, the following ${\mathsf{\Psi }}_j$ can be calculated as

$$\begin{array}{cc}\hfill & {\mathsf{\Psi }}_j\hfill \\ \hfill & ={\left(r_{RSU}^i{s}_{RSU}^i\right)}^{-1}{\mathsf{{\rm Y}}}_j\hfill \\ \hfill & =r_j{\left(r_{RSU}^i{s}_{RSU}^i\right)}^{-1}{\mathcal{R}}^i\hfill \\ \hfill & =r_j{\left(r_{RSU}^i{s}_{RSU}^i\right)}^{-1}\left(r_{RSU}^i{s}_{RSU}^i\right)P\hfill \\ \hfill & =r_{j}P\hfill \end{array}.$$

(15)

At this point, RSU uploads $〈T{S}_3^j,I{D}_j,{\mathsf{\Psi }}_j,{\aleph }_j〉$ to $\mathtt{VC}$ for remote identification. As mentioned above, the identity information $〈I{D}_V^j,k_j〉$ involving the legitimate vehicles are stored in $\mathtt{VC}$ database. Hence, $\mathtt{VC}$ is able to confirm the corresponding vehicle identity $I{D}_V^j$ with the transmitted $〈T{S}_3^j,I{D}_j,{\mathsf{\Psi }}_j,{\aleph }_j〉$ from RSU. If matches, identity of certain vehicle is verified. The vehicle access to VANET system can be granted by $\mathtt{VC}$.

Thereafter, $\mathtt{VC}$ computes ${\omega }_j=h_2\left(I{D}_V^j,k_j{r}_{j}P\right)$ and replies to RSU with the acknowledgement message $〈\mathtt{Ack},I{D}_j,{\omega }_j〉$. Upon receipt of the acknowledgement message, RSU update the vehicle identity as $I{D}_j^1=h_2\left(I{D}_j,r_{RSU}^i{s}_{RSU}^{i}P\right)$, where the RSU key pair $〈r_{RSU}^i,s_{RSU}^i〉$ is adopted. Please note that in our design, anonymous identity of the participating vehicle is safely updated as soon as a successful verifying session is operated. In this case, the message unlinkability for different communication sessions can be guaranteed. Untraceability of specific vehicle is preserved as well.

In the next, RSU conducts the vehicle homomorphic encryption process with the aforementioned vehicle key pair $〈{\mathcal{Q}}_j,{\xi }_j〉$ and its own $r_{RSU}^i$ as

$$\left\{\begin{array}{c}Cer{t}_{RSU}^j={\mathtt{Enc}}_{〈{\mathcal{Q}}_j,{\xi }_j〉}^{r_{RSU}^i}\left[{\omega }_j\right]\hfill \\ {\mathsf{\Phi }}_j=H_4\left(T{S}_4^i,I{D}_j^1,Cer{t}_{RSU}^j\right)\hfill \end{array}\right..$$

(16)

Please note that ${\mathtt{Enc}}_{〈{\mathcal{Q}}_j,{\xi }_j〉}^{r_{RSU}^i}\left[M\right]$ denotes the homomorphic encryption performed as

$${\mathtt{Enc}}_{〈{\mathcal{Q}}_j,{\xi }_j〉}^{r_{RSU}^i}\left[M\right]={\xi }_j^M·{\left(r_{RSU}^i\right)}^{{\mathcal{Q}}_j}mod{\mathcal{Q}}_j^2.$$

(17)

Hence, RSU is able to broadcast the packet $〈T{S}_4^i,I{D}_j^1,Cer{t}_{RSU}^j,{\mathsf{\Phi }}_j〉$ to the destination vehicle.

Upon receipt of the packet, freshness verification towards the timestamp $T{S}_4^i$ is first carried out by checking whether $\left|T{S}_4^{cur}-T{S}_4^i\right|\le {\epsilon }_3$ holds, where $T{S}_4^{cur}$ indicates the current timestamp. Subsequently, vehicle is able to decrypt the received $Cer{t}_{RSU}^j$ by computing

$$\begin{array}{cc}\hfill & {\omega }_j\hfill \\ \hfill & ={\mathtt{Dec}}_{〈{\mathcal{Q}}_j,{\mathsf{\Gamma }}_j〉}^{{\wp }_j}\left[Cer{t}_{RSU}^j\right]\hfill \\ \hfill & =\frac{{\varphi }_j\left({\left[Cer{t}_{RSU}^j\right]}^{{\mathsf{\Gamma }}_j}mod{\mathcal{Q}}_j^2\right)}{{\wp }_j}mod{\mathcal{Q}}_j\hfill \end{array},$$

(18)

where ${\mathtt{Dec}}_{〈{\mathcal{Q}}_j,{\mathsf{\Gamma }}_j〉}^{{\wp }_j}\left[C\right]$ denotes the vehicle homomorphic decryption performed as

$${\mathtt{Dec}}_{〈{\mathcal{Q}}_j,{\mathsf{\Gamma }}_j〉}^{{\wp }_j}\left[C\right]=\frac{{\varphi }_j\left(C^{{\mathsf{\Gamma }}_j}mod{\mathcal{Q}}_j^2\right)}{{\wp }_j}mod{\mathcal{Q}}_j.$$

(19)

Please note that the mathematical correctness for the above decryption can be briefly illustrated as

$$\begin{array}{cc}\hfill & {\mathtt{Dec}}_{〈{\mathcal{Q}}_j,{\mathsf{\Gamma }}_j〉}^{{\wp }_j}\left[{\mathtt{Enc}}_{〈{\mathcal{Q}}_j,{\xi }_j〉}^{r_{RSU}^i}\left[M\right]\right]\hfill \\ \hfill & =\frac{{\varphi }_j\left({\left[{\mathtt{Enc}}_{〈{\mathcal{Q}}_j,{\xi }_j〉}^{r_{RSU}^i}\left[M\right]\right]}^{{\mathsf{\Gamma }}_j}mod{\mathcal{Q}}_j^2\right)}{{\wp }_j}mod{\mathcal{Q}}_j\hfill \\ \hfill & =\frac{{\varphi }_j\left({\left[{\xi }_j^M·{\left(r_{RSU}^i\right)}^{{\mathcal{Q}}_j}mod{\mathcal{Q}}_j^2\right]}^{{\mathsf{\Gamma }}_j}mod{\mathcal{Q}}_j^2\right)}{{\varphi }_j\left({\xi }_j^{{\mathsf{\Gamma }}_j}mod{\mathcal{Q}}_j^2\right)}mod{\mathcal{Q}}_j\hfill \\ \hfill & =Mmod{\mathcal{Q}}_j\hfill \end{array}.$$

(20)

Hence, ${\omega }_j$ is successfully extracted from $Cer{t}_{RSU}^j$ by vehicle. Confidentiality of the delivered packet can be verified by checking the value of ${\mathsf{\Phi }}_j$. If validated, vehicle conducts the final authentication on ${\omega }_j\stackrel{?}{=}{h}_2\left(I{D}_V^j,k_j{r}_{j}P\right)$.

At this point, mutual authentication for vehicle and RSU is completed, which adopts homomorphic encryption and certificateless cryptographic technique. The semi-trusted RSUs can proceed the authentication process without acquiring confidential secrets for specific vehicle. Meanwhile, the partial secret keys of individual vehicle are respectively generated by $\mathtt{VC}$ and vehicle itself. The complex pairing operations are not used in our design, providing new prospect for resource-limited VAENTs devices. The session key established between $\mathtt{VC}$ and vehicle is calculated as $s{k}_j=H_5\left(k_j{r}_{j}P\right)$, which is used as the unique identifying code shared between vehicle and $\mathtt{VC}$. Meanwhile, the secure vehicular data exchange is performed through the aforementioned homomorphic cryptographic techniques including $\left[{\mathtt{Enc}}_{〈{\mathcal{O}}_i,{\hslash }_i〉}^{r_j},{\mathtt{Dec}}_{〈{\mathcal{O}}_i,{\mathsf{\Lambda }}_i〉}^{{ð}_i}\right]$, and $\left[{\mathtt{Enc}}_{〈{\mathcal{Q}}_j,{\xi }_j〉}^{r_{RSU}^i},{\mathtt{Dec}}_{〈{\mathcal{Q}}_j,{\mathsf{\Gamma }}_j〉}^{{\wp }_j}\right]$.

4.3. Cross-Domain Authentication Strategy

In this section, the specific cross-domain authentication problem in high-mobility VANET is further investigated. Generally, in practical VANET scenarios, individual vehicles randomly pass through effective domains of multiple RSUs within short time intervals. Hence, temporary and volatile data transmission and dynamic network topologies are enabled. Moreover, crucial vehicular operations for independent vehicle, such as key updating, identification, and revocation may be conducted at any time. Efficient authentication mechanism between vehicle and all the encountering RSUs is required whenever the vehicle enters the RSU effective domain. Consequently, secure and reliable VANET transmissions can be achieved. Considering the large number of participating vehicles, huge time consumption and computation cost will be made for individual RSU, which crucially restricts the vast implementation of VANETs. As shown in Figure 2, vehicle ${\mathtt{V}}_i$ has successfully passed the mutual authentication process with certain ${\mathtt{RSU}}_1$ at timepoint $t_1$, where the interaction with $\mathtt{VC}$ is performed for confidential key information. Subsequently, at $t_2$ ($t_2>t_1$), dynamic verification should be conducted as soon as ${\mathtt{V}}_i$ approaches the effective domain of a brand-new ${\mathtt{RSU}}_2$. Please note that the mutual trustworthiness of ${\mathtt{V}}_i\leftrightarrow {\mathtt{RSU}}_2$ is constructed in this way. On further timepoint $t_n$ ($t_n>t_{n-1}$), dynamic cross-domain authentication with random ${\mathtt{RSU}}_n$ should also be conducted.

To address the CDA issue, our design adopts the novel communication workflow, which could significantly avoid heavy bandwidth burden of $\mathtt{VC}$ for cross-domain authentication. The workflow logic can be briefly elaborated in Figure 3, where certain vehicle set $\left\{{\mathtt{V}}_1,\cdots ,{\mathtt{V}}_i\right\}$ is assumed to respectively carry out linear validation with the encountering RSU set $\left\{{\mathtt{RSU}}_1,\cdots ,{\mathtt{RSU}}_n\right\}$. Please note that the vehicles are assumed to follow the same path ${\mathtt{RSU}}_1\to {\mathtt{RSU}}_n$ for better description. In this case, the vehicle in $\left\{{\mathtt{V}}_1,\cdots ,{\mathtt{V}}_i\right\}$ conducts initial authentication with ${\mathtt{RSU}}_1$, where the detailed verification and key management process has been illustrated previously. Please note that in this phase data acquisition from remote $\mathtt{VC}$ is enabled for each vehicle of $\left\{{\mathtt{V}}_1,\cdots ,{\mathtt{V}}_i\right\}$. Thereafter, vital certificate information is delivered to the successive ${\mathtt{RSU}}_2$ such that efficient validation between ${\mathtt{RSU}}_2$ and each vehicle can be achieved. The validation process does not require remote assistance of $\mathtt{VC}$ from now on, while fast and efficient verification is provided. Furthermore, the anonymous identity is dynamically updated upon each verification. The detailed CDA solution is presented as follows.

According to the authentication and key management scheme in the previous section, mutual authentication with the initial RSU can be successfully finished after vehicle itself validates the delivered packet $〈T{S}_4^i,I{D}_j^1,Cer{t}_{RSU}^j,{\mathsf{\Phi }}_j〉$ from RSU. The secure vehicular data exchange is performed through the homomorphic cryptographic techniques including $\left[{\mathtt{Enc}}_{〈{\mathcal{O}}_i,{\hslash }_i〉}^{r_j},{\mathtt{Dec}}_{〈{\mathcal{O}}_i,{\mathsf{\Lambda }}_i〉}^{{ð}_i}\right]$, and $\left[{\mathtt{Enc}}_{〈{\mathcal{Q}}_j,{\xi }_j〉}^{r_{RSU}^i},{\mathtt{Dec}}_{〈{\mathcal{Q}}_j,{\mathsf{\Gamma }}_j〉}^{{\wp }_j}\right]$. In our CDA solution, RSU is designed to use the edge RSU networks to achieve fast and efficient validation without accessing the remote $\mathtt{VC}$. That is, RSU calculates the original vehicular proof as

$${\mathtt{Proof}}_{\left[j,1\right]}^{\prec }=Cer{t}_{RSU}^j·{\mathtt{Enc}}_{〈{\mathcal{Q}}_j,{\xi }_j〉}^{r_i^{RSU}}\left[h_2\left(I{D}_{RSU}^i,{\mathsf{{\rm Y}}}_j\right)\right],$$

(21)

where $r_i^{RSU}\in {\mathbb{Z}}_q^{*}$ is the newly generated pseudorandom for CDA mechanism and $r_i^{RSU}\ne r_{RSU}^i$. That is, the ${\mathtt{Proof}}_{\left[j,1\right]}^{\prec }$ is constructed by two different pseudorandom $r_i^{RSU}$ and $r_{RSU}^i$. Moreover, the relevant certificate is computed as

$$Cer{t}_{\left[j,1\right]}^{\mathtt{CDA}}=h_3\left(I{D}_j^1,{\mathcal{Q}}_j,{\xi }_j,{\mathtt{Proof}}_{\left[j,1\right]}^{\prec }\right).$$

(22)

In this case, the initial RSU will simultaneously broadcast the packet $〈I{D}_j^1,{\mathcal{Q}}_j,{\xi }_j,{\mathtt{Proof}}_{\left[j,1\right]}^{\prec },Cer{t}_{\left[j,1\right]}^{\mathtt{CDA}}〉$ to all its neighboring RSUs through wired edge networks. On receiving the packet, all its neighboring RSUs temporarily store it in their storage for possible further use. If not required in certain time interval ${∆}_{\mathtt{CDA}}$, the packet is abandoned.

According to the previous assumption on vehicle path ${\mathtt{RSU}}_1\to {\mathtt{RSU}}_n$, vehicle is approaching the effective domain of ${\mathtt{RSU}}_2$ on timepoint $t_2$, while the RSU parameters set $〈T{S}_2^2,I{D}_{RSU}^2,{\mathcal{O}}_2,{\hslash }_2,{\mathcal{R}}^2,Cer{t}_{RSU}^2〉$ is periodically broadcast by ${\mathtt{RSU}}_2$ (index $i\leftarrow 2$). At this moment, vehicle generates the new random number $r_j^{\mathtt{CDA}}\in {\mathbb{Z}}_q^{*}$ and calculates the corresponding proof and credential as

$$\left\{\begin{array}{c}{\mathtt{Proof}}_{\left[j,1\right]}^{\succ }={\mathtt{Enc}}_{〈{\mathcal{Q}}_j,{\xi }_j〉}^{r_j^{\mathtt{CDA}}}\left[{\omega }_j-h_2\left(I{D}_{RSU}^i,{\mathsf{{\rm Y}}}_j\right)\right]\hfill \\ {\mathtt{Credential}}_{\left[j,1\right]}=h_4\left({\mathtt{Enc}}_{〈{\mathcal{Q}}_j,{\xi }_j〉}^{r_j^{\mathtt{CDA}}}\left[2{\omega }_j\right]\right)\hfill \end{array}\right..$$

(23)

Subsequently, vehicle conducts the RSU encryption using the broadcast key $\{{\mathcal{O}}_2,{\hslash }_2\}$ of ${\mathtt{RSU}}_2$ as

$$Cer{t}_{\left[j,1\right]}^{\mathtt{FA}}={\mathtt{Enc}}_{〈{\mathcal{O}}_2,{\hslash }_2〉}^{r_j^{\mathtt{CDA}}}\left[I{D}_j^1,r_j^{\mathtt{CDA}}P,{\mathtt{Proof}}_{\left[j,1\right]}^{\succ },{\mathtt{Credential}}_{\left[j,1\right]}\right],$$

(24)

which will be delivered to ${\mathtt{RSU}}_2$ as the fast authentication packet in the form of $〈\mathtt{Fast}\_\mathtt{Auth},Cer{t}_{\left[j,1\right]}^{\mathtt{FA}}〉$.

On receiving $〈\mathtt{Fast}\_\mathtt{Auth},Cer{t}_{\left[j,1\right]}^{\mathtt{FA}}〉$, ${\mathtt{RSU}}_2$ is able to decrypt the received $Cer{t}_{\left[j,1\right]}^{\mathtt{FA}}$ according to

$$\begin{array}{cc}\hfill & {\mathtt{Dec}}_{〈{\mathcal{O}}_2,{\mathsf{\Lambda }}_2〉}^{{ð}_2}\left[Cer{t}_{\left[j,1\right]}^{\mathtt{FA}}\right]\hfill \\ \hfill & ={\mathtt{Dec}}_{〈{\mathcal{O}}_2,{\mathsf{\Lambda }}_2〉}^{{ð}_2}\left[{\mathtt{Enc}}_{〈{\mathcal{O}}_2,{\hslash }_2〉}^{r_j^{\mathtt{CDA}}}\left[I{D}_j^1,r_j^{\mathtt{CDA}}P,{\mathtt{Proof}}_{\left[j,1\right]}^{\succ },{\mathtt{Credential}}_{\left[j,1\right]}\right]\right]\hfill \\ \hfill & =〈I{D}_j^1,r_j^{\mathtt{CDA}}P,{\mathtt{Proof}}_{\left[j,1\right]}^{\succ },{\mathtt{Credential}}_{\left[j,1\right]}〉\hfill \end{array}.$$

(25)

Consequently, vehicle identity $I{D}_j^1$ is detected by ${\mathtt{RSU}}_2$. As mentioned above, the certificate information of vehicle has already broadcast to all neighboring RSUs including ${\mathtt{RSU}}_2$. That is, ${\mathtt{RSU}}_2$ has already stored $〈I{D}_j^1,{\mathcal{Q}}_j,{\xi }_j,{\mathtt{Proof}}_{\left[j,1\right]}^{\prec },Cer{t}_{\left[j,1\right]}^{\mathtt{CDA}}〉$ in its storage within certain time interval ${∆}_{\mathtt{CDA}}$. If $I{D}_j^1$ matches, ${\mathtt{RSU}}_2$ extracts ${\mathtt{Proof}}_{\left[j,1\right]}^{\prec }$ from the stored packet and $〈{\mathtt{Proof}}_{\left[j,1\right]}^{\succ },{\mathtt{Credential}}_{\left[j,1\right]}〉$ from the fast authentication packet. The validation on

$$h_4\left({\mathtt{Proof}}_{\left[j,1\right]}^{\prec }·{\mathtt{Proof}}_{\left[j,1\right]}^{\succ }\right)\stackrel{?}{=}{\mathtt{Credential}}_{\left[j,1\right]}$$

(26)

is performed in this case. If Equation (26) holds, the requesting vehicle is successfully verified by ${\mathtt{RSU}}_2$. Please note that the correctness can be elaborated as follows

$$\begin{array}{cc}\hfill & L.H.S.\hfill \\ \hfill & =h_4\left({\mathtt{Proof}}_{\left[j,1\right]}^{\prec }·{\mathtt{Proof}}_{\left[j,1\right]}^{\succ }\right)\hfill \\ \hfill & =h_4\left(Cer{t}_{RSU}^j·{\mathtt{Enc}}_{〈{\mathcal{Q}}_j,{\xi }_j〉}^{r_i^{RSU}}\left[h_2\left(I{D}_{RSU}^i,{\mathsf{{\rm Y}}}_j\right)\right]·{\mathtt{Enc}}_{〈{\mathcal{Q}}_j,{\xi }_j〉}^{r_j^{\mathtt{CDA}}}\left[{\omega }_j-h_2\left(I{D}_{RSU}^i,{\mathsf{{\rm Y}}}_j\right)\right]\right)\hfill \\ \hfill & =h_4\left({\mathtt{Enc}}_{〈{\mathcal{Q}}_j,{\xi }_j〉}^{r_{RSU}^i}\left[{\omega }_j\right]·{\mathtt{Enc}}_{〈{\mathcal{Q}}_j,{\xi }_j〉}^{r_i^{RSU}}\left[h_2\left(I{D}_{RSU}^i,{\mathsf{{\rm Y}}}_j\right)\right]·{\mathtt{Enc}}_{〈{\mathcal{Q}}_j,{\xi }_j〉}^{r_j^{\mathtt{CDA}}}\left[{\omega }_j-h_2\left(I{D}_{RSU}^i,{\mathsf{{\rm Y}}}_j\right)\right]\right)\hfill \\ \hfill & =h_4\left(\frac{{\mathtt{Enc}}_{〈{\mathcal{Q}}_j,{\xi }_j〉}^{r_{RSU}^i}\left[{\omega }_j\right]·{\mathtt{Enc}}_{〈{\mathcal{Q}}_j,{\xi }_j〉}^{r_i^{RSU}}\left[h_2\left(I{D}_{RSU}^i,{\mathsf{{\rm Y}}}_j\right)\right]·{\mathtt{Enc}}_{〈{\mathcal{Q}}_j,{\xi }_j〉}^{r_j^{\mathtt{CDA}}}\left[{\omega }_j\right]}{{\mathtt{Enc}}_{〈{\mathcal{Q}}_j,{\xi }_j〉}^{r_j^{\mathtt{CDA}}}\left[h_2\left(I{D}_{RSU}^i,{\mathsf{{\rm Y}}}_j\right)\right]}\right)\hfill \\ \hfill & =h_4\left({\mathtt{Enc}}_{〈{\mathcal{Q}}_j,{\xi }_j〉}^{r_{RSU}^i}\left[{\omega }_j\right]·{\mathtt{Enc}}_{〈{\mathcal{Q}}_j,{\xi }_j〉}^{r_j^{\mathtt{CDA}}}\left[{\omega }_j\right]\right)\hfill \end{array}.$$

(27)

$$\begin{array}{cc}\hfill & R.H.S.\hfill \\ \hfill & ={\mathtt{Credential}}_{\left[j,1\right]}\hfill \\ \hfill & =h_4\left({\mathtt{Enc}}_{〈{\mathcal{Q}}_j,{\xi }_j〉}^{r_j^{\mathtt{CDA}}}\left[2{\omega }_j\right]\right)\hfill \\ \hfill & =h_4\left({\mathtt{Enc}}_{〈{\mathcal{Q}}_j,{\xi }_j〉}^{r_j^{\mathtt{CDA}}}\left[{\omega }_j\right]{\mathtt{Enc}}_{〈{\mathcal{Q}}_j,{\xi }_j〉}^{r_j^{\mathtt{CDA}}}\left[{\omega }_j\right]\right)\hfill \end{array}.$$

(28)

With ${\mathtt{Enc}}_{〈{\mathcal{Q}}_j,{\xi }_j〉}^{r_{RSU}^i}\left[{\omega }_j\right]={\mathtt{Enc}}_{〈{\mathcal{Q}}_j,{\xi }_j〉}^{r_j^{\mathtt{CDA}}}\left[{\omega }_j\right]$, $L.H.S.=R.H.S.$ holds. Hence, the correctness of $h_4\left({\mathtt{Proof}}_{\left[j,1\right]}^{\prec }·{\mathtt{Proof}}_{\left[j,1\right]}^{\succ }\right)={\mathtt{Credential}}_{\left[j,1\right]}$ is proved. At this point, the previous stored vehicle homomorphic encryption key pair $〈{\mathcal{Q}}_j,{\xi }_j〉$ can be used by ${\mathtt{RSU}}_2$. The secure vehicular data exchange is performed through the homomorphic cryptographic techniques including $\left[{\mathtt{Enc}}_{〈{\mathcal{O}}_i,{\hslash }_i〉}^{r_j^{\mathtt{CDA}}},{\mathtt{Dec}}_{〈{\mathcal{O}}_i,{\mathsf{\Lambda }}_i〉}^{{ð}_i}\right]$, and $\left[{\mathtt{Enc}}_{〈{\mathcal{Q}}_j,{\xi }_j〉}^{r_i^{RSU}},{\mathtt{Dec}}_{〈{\mathcal{Q}}_j,{\mathsf{\Gamma }}_j〉}^{{\wp }_j}\right]$.

In this case, ${\mathtt{RSU}}_2$ computes the certificate information for final authentication in vehicle side, which is encrypted with vehicle homomorphic encryption key pair $〈{\mathcal{Q}}_j,{\xi }_j〉$ and the generated pseudorandom $r_i^{RSU}\in {\mathbb{Z}}_q^{*}$ as

$$Cer{t}_2^{\mathtt{Final}}={\mathtt{Enc}}_{〈{\mathcal{Q}}_j,{\xi }_j〉}^{r_i^{RSU}}\left[{\mathtt{Proof}}_{\left[j,1\right]}^{\prec }{\mathtt{Proof}}_{\left[j,1\right]}^{\succ }\left|\right|H_4\left(T{S}_{\mathtt{CDA}}^2,I{D}_j^2,{\mathtt{Proof}}_{\left[j,1\right]}^{\prec }{\mathtt{Proof}}_{\left[j,1\right]}^{\succ }\right)\right],$$

(29)

where $T{S}_{\mathtt{CDA}}^2$ is the current timestamp for cross-domain authentication. The packet $〈T{S}_{\mathtt{CDA}}^2,I{D}_j^2,Cer{t}_2^{\mathtt{Final}}〉$ is then sent to vehicle for mutual verification.

On receiving $〈T{S}_{\mathtt{CDA}}^2,I{D}_j^2,Cer{t}_2^{\mathtt{Final}}〉$, freshness verification towards the timestamp $T{S}_{\mathtt{CDA}}^2$ is carried out by checking whether $\left|T{S}_{\mathtt{CDA}}^{cur}-T{S}_{\mathtt{CDA}}^2\right|\le {\epsilon }_3$ holds, where $T{S}_{\mathtt{CDA}}^{cur}$ indicates the current timestamp. Subsequently, vehicle is able to decrypt the received $Cer{t}_2^{\mathtt{Final}}$ by computing

$$\begin{array}{cc}\hfill & {\mathtt{Dec}}_{〈{\mathcal{Q}}_j,{\mathsf{\Gamma }}_j〉}^{{\wp }_j}\left[Cer{t}_2^{\mathtt{Final}}\right]\hfill \\ \hfill & =\frac{{\varphi }_j\left({\left[Cer{t}_2^{\mathtt{Final}}\right]}^{{\mathsf{\Gamma }}_j}mod{\mathcal{Q}}_j^2\right)}{{\wp }_j}mod{\mathcal{Q}}_j\hfill \\ \hfill & ={\mathtt{Proof}}_{\left[j,1\right]}^{\prec }{\mathtt{Proof}}_{\left[j,1\right]}^{\succ }\left|\right|H_4\left(T{S}_{\mathtt{CDA}}^2,I{D}_j^2,{\mathtt{Proof}}_{\left[j,1\right]}^{\prec }{\mathtt{Proof}}_{\left[j,1\right]}^{\succ }\right)\hfill \end{array}.$$

(30)

If the extracted values of ${\mathtt{Proof}}_{\left[j,1\right]}^{\prec }{\mathtt{Proof}}_{\left[j,1\right]}^{\succ }$ and the hashed value $H_4\left(T{S}_{\mathtt{CDA}}^2,I{D}_j^2,{\mathtt{Proof}}_{\left[j,1\right]}^{\prec }{\mathtt{Proof}}_{\left[j,1\right]}^{\succ }\right)$ matches the information in its storage, vehicle confirms the validity of ${\mathtt{RSU}}_2$.

Finally, the cross-domain authentication design with ${\mathtt{RSU}}_2$ is finished. Identity of vehicle can be verified by the other RSUs without accessing the remote $\mathtt{VC}$. Moreover, in order for successive cross-domain authentication ${\mathtt{V}}_j\leftrightarrow {\mathtt{RSU}}_k\in \{{\mathtt{RSU}}_3,{\mathtt{RSU}}_4,\cdots ,{\mathtt{RSU}}_n\}$, ${\mathtt{RSU}}_2$ will simultaneously broadcast the packet $〈I{D}_j^2,{\mathcal{Q}}_j,{\xi }_j,{\mathtt{Proof}}_{\left[j,2\right]}^{\prec },Cer{t}_{\left[j,2\right]}^{\mathtt{CDA}}〉$ to all its neighboring RSUs through wired edge networks. Upon receiving the packet, all its neighboring RSUs temporarily store it in their storage for possible further use. If not required in certain time interval ${∆}_{\mathtt{CDA}}$, the packet is abandoned. Please note that $Cer{t}_{\left[j,2\right]}^{\mathtt{CDA}}=h_3\left(I{D}_j^2,{\mathcal{Q}}_j,{\xi }_j,{\mathtt{Proof}}_{\left[j,2\right]}^{\prec }\right)$.

Following this way, in the next k cross-domain authenticating sessions, $〈I{D}_j^k,{\mathcal{Q}}_j,{\xi }_j,{\mathtt{Proof}}_{\left[j,k\right]}^{\prec },Cer{t}_{\left[j,k\right]}^{\mathtt{CDA}}〉$ will be broadcast by ${\mathtt{RSU}}_k$, where

$$\left\{\begin{array}{c}I{D}_j^k=h_2\left(I{D}_j^{k-1},r_j^{\mathtt{CDA}}P\right)\hfill \\ {\mathtt{Proof}}_{\left[j,k\right]}^{\prec }={\mathtt{Proof}}_{\left[j,k-1\right]}^{\prec }{\mathrm{Proof}}_{\left[j,k-1\right]}^{\succ }{\mathtt{Enc}}_{〈{\mathcal{Q}}_j,{\xi }_j〉}^{r_i^{RSU}}\left[h_2\left(I{D}_{RSU}^k,r_j^{\mathtt{CDA}}{\mathcal{R}}^k\right)\right]\hfill \end{array}\right..$$

(31)

Please note that $r_j^{\mathtt{CDA}}\in {\mathbb{Z}}_q^{*}$ and $r_i^{RSU}\in {\mathbb{Z}}_q^{*}$ refers to the generated random numbers that are only effective within each successful authentication session. Intuitively, the anonymous identity for individual vehicle is updated in each session as $I{D}_j^k=h_2\left(I{D}_j^{k-1},r_j^{\mathtt{CDA}}P\right)$. The ${\mathtt{Proof}}_{\left[j,k\right]}^{\prec }$ is calculated according to the previous two valid proofs and the characteristics of the current ${\mathtt{RSU}}_k$. Our cross-domain authentication mechanism can be performed in this way.

5. Security Analysis

In this section, the corresponding proofs on featured security properties of the proposed HCDA scheme are given. The comparisons in terms of the major security characteristics with the state-of-the-art are presented.

5.1. Security Proofs

Theorem 1.

The cross-domain verification process is proven to be correct if and only if the credential is successfully issued following the device registration, mutual authentication, and cross-domain authentication strategy.

Proof of Theorem 1.

As mentioned above, for individual vehicle with previously allocated identity $I{D}_V^j$, its vehicle partial secret key pair and the homographic encryption key pair is extracted as $〈k_j,r_j〉$ and $〈{\mathcal{Q}}_j,{\xi }_j〉$, respectively. With the vehicle path ${\mathtt{RSU}}_{k-1}\to {\mathtt{RSU}}_k$ ($k\in [1,n]$), vehicle is approaching the effective domain of ${\mathtt{RSU}}_k$ on timepoint $t_k$, while the RSU parameters set $〈T{S}_2^k,I{D}_{RSU}^k,{\mathcal{O}}_k,{\hslash }_k,{\mathcal{R}}^k,Cer{t}_{RSU}^k〉$ is periodically broadcast by ${\mathtt{RSU}}_k$ (index $i\leftarrow k$). That is

$$\left\{\begin{array}{c}{\mathcal{R}}^k=r_{RSU}^k{s}_{RSU}^{k}P\hfill \\ Cer{t}_{RSU}^k=H_1\left(T{S}_2^k,I{D}_{RSU}^k,{\mathcal{O}}_k,{\hslash }_k,{\mathcal{R}}^k\right)\hfill \end{array}\right.,$$

(32)

where partial secret key pair and the homographic encryption key pair for ${\mathtt{RSU}}_k$ is extracted as $〈r_{RSU}^k,s_{RSU}^k〉$ and $〈{\mathcal{O}}_k,{\hslash }_k〉$, respectively.

Following this way, in the k cross-domain authenticating sessions, ${\mathtt{RSU}}_k$ has already acquired $〈I{D}_j^{k-1},{\mathcal{Q}}_j,{\xi }_j,{\mathtt{Proof}}_{\left[j,k-1\right]}^{\prec },Cer{t}_{\left[j,k-1\right]}^{\mathtt{CDA}}〉$ from the previous ${\mathtt{RSU}}_{k-1}$ within certain time interval ${∆}_{\mathtt{CDA}}$, where

$$\left\{\begin{array}{c}I{D}_j^{k-1}=h_2\left(I{D}_j^{k-2},r_j^{\mathtt{CDA}}P\right)\hfill \\ {\mathtt{Proof}}_{\left[j,k-1\right]}^{\prec }={\mathtt{Proof}}_{\left[j,k-2\right]}^{\prec }{\mathtt{Proof}}_{\left[j,k-2\right]}^{\succ }{\mathtt{Enc}}_{〈{\mathcal{Q}}_j,{\xi }_j〉}^{r_i^{RSU}}\left[h_2\left(I{D}_{RSU}^{k-1},r_j^{\mathtt{CDA}}{\mathcal{R}}^{k-1}\right)\right]\hfill \\ Cer{t}_{\left[j,k-1\right]}^{\mathtt{CDA}}=h_3\left(I{D}_j^{k-1},{\mathcal{Q}}_j,{\xi }_j,{\mathtt{Proof}}_{\left[j,k-1\right]}^{\prec }\right)\hfill \end{array}\right..$$

(33)

Meanwhile, vehicle generates the new random number $r_j^{\mathtt{CDA}}\in {\mathbb{Z}}_q^{*}$ and calculates the corresponding proof and credential as

$$\left\{\begin{array}{c}{\mathtt{Proof}}_{\left[j,k-1\right]}^{\succ }={\mathtt{Enc}}_{〈{\mathcal{Q}}_j,{\xi }_j〉}^{r_j^{\mathtt{CDA}}}\left[2^{k-2}{\omega }_j-h_2\left(I{D}_{RSU}^{k-1},r_j^{\mathtt{CDA}}{\mathcal{R}}^{k-1}\right)\right]\hfill \\ {\mathtt{Credential}}_{\left[j,k-1\right]}=h_4\left({\mathtt{Enc}}_{〈{\mathcal{Q}}_j,{\xi }_j〉}^{r_j^{\mathtt{CDA}}}\left[2^{k-1}{\omega }_j\right]\right)\hfill \end{array}\right..$$

(34)

In this case, ${\mathtt{RSU}}_k$ extracts ${\mathtt{Proof}}_{\left[j,k-1\right]}^{\prec }$ from the stored packet, and $〈{\mathtt{Proof}}_{\left[j,k-1\right]}^{\succ },{\mathtt{Credential}}_{\left[j,k-1\right]}〉$ from the fast authentication packet. The validation on $h_4\left({\mathtt{Proof}}_{\left[j,k-1\right]}^{\prec }·{\mathtt{Proof}}_{\left[j,k-1\right]}^{\succ }\right)\stackrel{?}{=}{\mathtt{Credential}}_{\left[j,k-1\right]}$ is performed. The correctness can be elaborated as

$$\begin{array}{cc}\hfill & L.H.S.\hfill \\ \hfill & =h_4\left({\mathtt{Proof}}_{\left[j,k-1\right]}^{\prec }·{\mathtt{Proof}}_{\left[j,k-1\right]}^{\succ }\right)\hfill \\ \hfill & =h_4\left({\mathtt{Proof}}_{\left[j,k-2\right]}^{\prec }{\mathtt{Proof}}_{\left[j,k-2\right]}^{\succ }{\mathtt{Enc}}_{〈{\mathcal{Q}}_j,{\xi }_j〉}^{r_i^{RSU}}\left[h_2\left(I{D}_{RSU}^{k-1},r_j^{\mathtt{CDA}}{\mathcal{R}}^{k-1}\right)\right]·{\mathtt{Enc}}_{〈{\mathcal{Q}}_j,{\xi }_j〉}^{r_j^{\mathtt{CDA}}}\left[2^{k-2}{\omega }_j-h_2\left(I{D}_{RSU}^{k-1},r_j^{\mathtt{CDA}}{\mathcal{R}}^{k-1}\right)\right]\right)\hfill \\ \hfill & =h_4\left(\frac{{\mathtt{Proof}}_{\left[j,k-2\right]}^{\prec }{\mathtt{Proof}}_{\left[j,k-2\right]}^{\succ }{\mathtt{Enc}}_{〈{\mathcal{Q}}_j,{\xi }_j〉}^{r_i^{RSU}}\left[h_2\left(I{D}_{RSU}^{k-1},r_j^{\mathtt{CDA}}{\mathcal{R}}^{k-1}\right)\right]·{\mathtt{Enc}}_{〈{\mathcal{Q}}_j,{\xi }_j〉}^{r_j^{\mathtt{CDA}}}\left[2^{k-2}{\omega }_j\right]}{{\mathtt{Enc}}_{〈{\mathcal{Q}}_j,{\xi }_j〉}^{r_j^{\mathtt{CDA}}}\left[h_2\left(I{D}_{RSU}^{k-1},r_j^{\mathtt{CDA}}{\mathcal{R}}^{k-1}\right)\right]}\right)\hfill \\ \hfill & =h_4\left({\mathtt{Proof}}_{\left[j,k-2\right]}^{\prec }{\mathtt{Proof}}_{\left[j,k-2\right]}^{\succ }·{\mathtt{Enc}}_{〈{\mathcal{Q}}_j,{\xi }_j〉}^{r_j^{\mathtt{CDA}}}\left[2^{k-2}{\omega }_j\right]\right)\hfill \end{array}.$$

(35)

Since vehicle has successfully passed the verification process within the previous $(k-1)$ domains, we can extract

$$\left\{\begin{array}{c}{h}_4\left({\mathtt{Proof}}_{\left[j,1\right]}^{\prec }·{\mathtt{Proof}}_{\left[j,1\right]}^{\succ }\right)={\mathtt{Credential}}_{\left[j,1\right]}\to h_4\left({\mathtt{Enc}}_{〈{\mathcal{Q}}_j,{\xi }_j〉}^{r_j^{\mathtt{CDA}}}\left[2{\omega }_j\right]\right)\hfill \\ h_4\left({\mathtt{Proof}}_{\left[j,2\right]}^{\prec }·{\mathtt{Proof}}_{\left[j,2\right]}^{\succ }\right)={\mathtt{Credential}}_{\left[j,2\right]}\to h_4\left({\mathtt{Enc}}_{〈{\mathcal{Q}}_j,{\xi }_j〉}^{r_j^{\mathtt{CDA}}}\left[2^2{\omega }_j\right]\right)\hfill \\ \cdots \cdots \hfill \\ h_4\left({\mathtt{Proof}}_{\left[j,k-2\right]}^{\prec }·{\mathtt{Proof}}_{\left[j,k-2\right]}^{\succ }\right)={\mathtt{Credential}}_{\left[j,k-2\right]}\to h_4\left({\mathtt{Enc}}_{〈{\mathcal{Q}}_j,{\xi }_j〉}^{r_j^{\mathtt{CDA}}}\left[2^{k-2}{\omega }_j\right]\right)\hfill \end{array}\right..$$

(36)

Hence, ${\mathtt{Proof}}_{\left[j,k-2\right]}^{\prec }·{\mathtt{Proof}}_{\left[j,k-2\right]}^{\succ }={\mathtt{Enc}}_{〈{\mathcal{Q}}_j,{\xi }_j〉}^{r_j^{\mathtt{CDA}}}\left[2^{k-2}{\omega }_j\right]$ holds. In this case,

$$\begin{array}{cc}\hfill & L.H.S.\hfill \\ \hfill & =h_4\left({\mathtt{Proof}}_{\left[j,k-2\right]}^{\prec }{\mathtt{Proof}}_{\left[j,k-2\right]}^{\succ }·{\mathtt{Enc}}_{〈{\mathcal{Q}}_j,{\xi }_j〉}^{r_j^{\mathtt{CDA}}}\left[2^{k-2}{\omega }_j\right]\right)\hfill \\ \hfill & =h_4\left({\mathtt{Enc}}_{〈{\mathcal{Q}}_j,{\xi }_j〉}^{r_j^{\mathtt{CDA}}}\left[2^{k-2}{\omega }_j\right]{\mathtt{Enc}}_{〈{\mathcal{Q}}_j,{\xi }_j〉}^{r_j^{\mathtt{CDA}}}\left[2^{k-2}{\omega }_j\right]\right)\hfill \\ \hfill & =h_4\left({\mathtt{Enc}}_{〈{\mathcal{Q}}_j,{\xi }_j〉}^{r_j^{\mathtt{CDA}}}\left[2^{k-1}{\omega }_j\right]\right)\hfill \end{array}.$$

(37)

Meanwhile,

$$\begin{array}{cc}\hfill & {\mathtt{Credential}}_{\left[j,k-1\right]}\hfill \\ \hfill & =h_4\left({\mathtt{Enc}}_{〈{\mathcal{Q}}_j,{\xi }_j〉\rangle }^{r_j^{\mathtt{CDA}}}\left[2^{k-1}{\omega }_j\right]\right)\hfill \\ \hfill & =L.H.S.\hfill \end{array}.$$

(38)

Hence, $L.H.S.=R.H.S.$ holds. The correctness of $h_4\left({\mathtt{Proof}}_{\left[j,k-1\right]}^{\prec }·{\mathtt{Proof}}_{\left[j,k-1\right]}^{\succ }\right)\stackrel{?}{=}{\mathtt{Credential}}_{\left[j,k-1\right]}$ can be proved. In conclusion, the proposed cross-domain authentication mechanism is proved to be correct if the certificate is successfully issued. □

Theorem 2.

Dynamic key updating is conducted during each successful validation session. Message unlinkability among all participating semi-trustworthy RSUs can be provided.

Proof of Theorem 2.

Assuming certain vehicle follows path ${\mathtt{RSU}}_1\to {\mathtt{RSU}}_n$ and has passed through $k-1$ cross-domain authenticating sessions, ${\mathtt{RSU}}_k$ ($k\in [1,n]$) acquires $〈I{D}_j^{k-1},{\mathcal{Q}}_j,{\xi }_j,{\mathtt{Proof}}_{\left[j,k-1\right]}^{\prec },Cer{t}_{\left[j,k-1\right]}^{\mathtt{CDA}}〉$ from its previous ${\mathtt{RSU}}_{k-1}$. After successful mutual authentication with ${\mathtt{RSU}}_k$, $〈I{D}_j^k,{\mathcal{Q}}_j,{\xi }_j,{\mathtt{Proof}}_{\left[j,k\right]}^{\prec },Cer{t}_{\left[j,k\right]}^{\mathtt{CDA}}〉$ will be broadcast from ${\mathtt{RSU}}_k$ to ${\mathtt{RSU}}_{k+1}$. Please note that the anonymous vehicle identity is dynamically updated as $I{D}_j^k=h_2\left(I{D}_j^{k-1},r_j^{\mathtt{CDA}}P\right)$, along with the corresponding proof updated as ${\mathtt{Proof}}_{\left[j,k\right]}^{\prec }={\mathtt{Proof}}_{\left[j,k-1\right]}^{\prec }{\mathtt{Proof}}_{\left[j,k-1\right]}^{\succ }{\mathtt{Enc}}_{〈{\mathcal{Q}}_j,{\xi }_j〉}^{r_i^{RSU}}\left[h_2\left(I{D}_{RSU}^k,r_j^{\mathtt{CDA}}{\mathcal{R}}^k\right)\right]$. In this way, vehicle anonymity can be guaranteed during all n cross-domain authentication sessions. Particularly, with random number $r_j^{\mathtt{CDA}}\in {\mathbb{Z}}_q^{*}$ generated by current RSU, the one-way mapping between $I{D}_j^{k-1}\to I{D}_j^k$ is known only to ${\mathtt{RSU}}_k$ of current domain, while the successive ${\mathtt{RSU}}_{k+1}$ cannot trace the anonymous identity from the acquired $I{D}_j^k$. That is, each RSU has zero knowledge about the vehicle identity out of its domains, which significantly reduces the risk of message linkability across various domains. In this case, the semi-trustworthy RSUs cannot acquire confidential information about certain vehicles. Illegal tracing towards vehicle can be prevented as well. Even in worse situations with compromised RSUs, the adopted session key $s{k}_j=H_5\left(k_j{r}_{j}P\right)$ is shared among $\mathtt{VC}$ and vehicle, while kept secret to each RSU. Hence, impersonate attack by compromised RSUs is not possible in our design. In conclusion, message unlinkability and secure data transmission with semi-trustworthy RSUs can be provided. □

Theorem 3.

Conditional identity privacy preserving is guaranteed. The dynamic anonymous identities used during all authentication sessions offer untraceability towards specific vehicle, while the remote $\mathtt{VC}$ is able to trace the real identity of malicious devices if necessary.

Proof of Theorem 3.

In device registration, the unique records regarding all registered vehicles and RSUs are safely stored in vehicular cloud. The key pair for vehicle is defined as $〈I{D}_V^j,k_j〉$. Similarly, the confidential RSU information set $〈I{D}_T^i,s_{RSU}^i〉$ is safely shared among $\mathtt{VC}$ and each ${\mathtt{RSU}}_i$. Please note that the distinctive identity $I{D}_V^j$ and $I{D}_T^i$ remain hidden all the time. For individual RSU, the adopted anonymous identity $I{D}_{RSU}^i$ is issued as $I{D}_{RSU}^i=h_1\left(T{S}_1^i,I{D}_T^i,r_{RSU}^i{s}_{RSU}^{i}P\right)$, where the fresh timestamp $T{S}_1^i$ and the randomly generated $r_{RSU}^i\in {\mathbb{Z}}_q^{*}$ provide uncertainty in generation of $I{D}_{RSU}^i$. With obvious time feature, each $I{D}_{RSU}^i$ is only valid within certain time period and will expire in future. As for each vehicle, anonymous identity used in the initial authentication session is computed as $I{D}_j=h_2\left(I{D}_V^j,r_{j}P\right)$, while after the initial validation, RSU update the vehicle identity as $I{D}_j^1=h_2\left(I{D}_j,r_{RSU}^i{s}_{RSU}^{i}P\right)$, where the RSU key pair $〈r_{RSU}^i,s_{RSU}^i〉$ is adopted. Subsequently, the dynamic updating for anonymous identity is computed as $I{D}_j^k=h_2\left(I{D}_j^{k-1},r_j^{\mathtt{CDA}}P\right)$, which is the hashed value of previous identity and current random number $r_j^{\mathtt{CDA}}\in {\mathbb{Z}}_q^{*}$. In this way, anonymous identities for both RSUs and vehicles are provided. The malicious devices cannot illegally trace certain vehicle through eavesdropping the transmitted messages. On the other hand, by retrieving the entire vehicle path ${\mathtt{RSU}}_1\to {\mathtt{RSU}}_n$, $\mathtt{VC}$ is able to reveal the original identity, which is crucial for detecting and revoking the compromised VANET entities. Conditional identity privacy preserving is enabled in this way. □

Theorem 4.

The proposed design is resistant to replay attack during the whole authentication process. The historical messages from past sessions cannot pass the current validation.

Proof of Theorem 4.

In device registration, mutual authentication, and cross-domain authentication phases, the fresh timestamps set $\left\{T{S}_1^i,T{S}_2^i,T{S}_3^j,T{S}_4^i,T{S}_{\mathtt{CDA}}^i\right\}$ are used in each communication round. Meanwhile, the certificates involving all transmitted elements are presented. For example, in mutual authentication phase, vehicle sends the requesting packet $〈\mathtt{Request},T{S}_3^j,I{D}_j,{\mathsf{{\rm Y}}}_j,Cer{t}_V^j〉$ to RSU for verification, where the certificate $Cer{t}_V^j={\mathtt{Enc}}_{〈{\mathcal{O}}_i,{\hslash }_i〉}^{r_j}\left[{\aleph }_j\left|\right|{\mathcal{Q}}_j,{\xi }_j\left|\right|{\Im }_j\right]$ is conducted based on the intermediate values $〈{\aleph }_j,{\Im }_j〉$. Please note that both ${\aleph }_j$ and ${\Im }_j$ are relate to timestamp $T{S}_3^j$. In this case, assuming that in specific timepoint ${\mathbb{T}}_{\mathcal{A}}$, adversary ${\mathcal{A}}_1$ has access to all the z transmitted requesting packets during time interval $\left[{\mathbb{T}}_{\mathcal{H}},{\mathbb{T}}_{\mathcal{C}}\right]$, where ${\mathbb{T}}_{\mathcal{C}}<{\mathbb{T}}_{\mathcal{A}}$. In this case, the acquired z packets can be presented as ${〈\mathtt{Request},T{S}_3^l,I{D}_l,{\mathsf{{\rm Y}}}_l,Cer{t}_V^l〉}_{l\in \left[1,z\right]}$, where vehicle $\{{\mathtt{V}}_1,\cdots ,{\mathtt{V}}_z\}$ are involved. Intuitively, the direct message replaying with historical packets cannot pass the RSU validation since $T{S}_3^l<{\mathbb{T}}_{\mathcal{C}}<{\mathbb{T}}_{\mathcal{A}}$ for $\forall l\in \left[1,z\right]$. Hence, ${\mathcal{A}}_1$ acquires current timestamp $T{S}_{\mathcal{A}}$ of ${\mathbb{T}}_{\mathcal{A}}$ and manages to generate the modified certificate $Cer{t}_V^{\mathcal{A}}$. Intuitively, the probability for $Cer{t}_V^{\mathcal{A}}$ to pass the verification is $\frac{1}{2^y}$, where the length of output $Cer{t}_V^{\mathcal{A}}$ is assumed to be y. Hence, our design is resistant to replay attack. □

Theorem 5.

A certificateless authentication infrastructure is adopted for all VANET entities in the proposed design. The intrinsic key escrow problem of identity-based cryptography can be addressed. No-repudiation for specific vehicle is provided accordingly.

Proof of Theorem 5.

As mentioned above, during the device registration phase, the distinctive identity for a vehicle is allocated as $I{D}_V^j$, while the assigned secret key is $k_j$. Please note that $k_j$ is stored in $\mathtt{VC}$ record and shared between $\mathtt{VC}$ and vehicle. Subsequently, vehicle itself randomly generates its own partial secret key $r_j\in {\mathbb{Z}}_q^{*}$, which will be kept secret to $\mathtt{VC}$. In this way, the partial secret key pair is set as $〈k_j,r_j〉$, while $\mathtt{VC}$ has no access to $r_j$. Afterwards, with the characteristics of elliptic curve discrete logarithm problem, other VANET entities cannot extract $r_j$ from the published $I{D}_j=h_2\left(I{D}_V^j,r_{j}P\right)$ or ${\mathsf{{\rm Y}}}_j=r_j{\mathcal{R}}^i$, given the value of ${\mathcal{R}}^i$. Similarly, the partial secret key is defined as $〈r_{RSU}^i,s_{RSU}^i〉$, where $r_{RSU}^i\in {\mathbb{Z}}_q^{*}$ is randomly generated by RSU during registration and kept confidential to all other entities including $\mathtt{VC}$. In other words, $\mathtt{VC}$ does not have full control over the participating vehicles and RSUs. □

Theorem 6.

In the proposed scheme, $VC$ and RSUs cannot frame an innocent vehicle or accuse the honest vehicle of misbehaviors.

Proof of Theorem 6.

Initially, the essential vehicle partial secret key is generated as $〈k_j,r_j〉$, where $\mathtt{VC}$ has no access to $r_j$. Upon validation, the session key established between $\mathtt{VC}$ and vehicle is issued as $s{k}_j=H_5\left(k_j{r}_{j}P\right)$, which is used as the unique identifying code shared between vehicle and $\mathtt{VC}$. Please note that $\mathtt{VC}$ cannot issue or modified the shared $s{k}_j$ due to ignorance on the $r_j$ generated my vehicle itself. In this case, $\mathtt{VC}$ cannot authenticate itself to vehicle and pass the final authentication process on ${\omega }_j\stackrel{?}{=}{h}_2\left(I{D}_V^j,k_j{r}_{j}P\right)$. In subsequent data transmission, the adopted homographic encryption mechanism is able to guarantee the message security. As for RSUs, the time-related vehicle anonymous identity and valid key information cannot be forged or decrypted. Overall, the non-frameability for a specific vehicle can be guaranteed. □

5.2. Security Properties Comparison

The proposed protocol is compared with the state-of-the-art VANET authentication and key agreement schemes including ICPP [37], SAKM [43], and PFCA [44]. The comparison results are presented in

Table 3. Comparison Results on Security Properties.

Scheme	ICPP [37]	SAKM [43]	PFCA [44]	The Proposed Scheme
Cross-Domain Authentication	×	×	×	√
Unforgeability	√	√	√	√
Replay Attack Resistance	√	√	√	√
Conditional Privacy Preserving	√	√	√	√
Session Key Establishment	√	√	√	√
Key Escrow Resilience	√	√	√	√
Scalability	×	√	√	√
Anonymous Identity Updating	×	×	×	√
Modification Attack Resistance	√	√	√	√
Collusion Attack Resilience	√	×	√	√
Sybil Attack Resilience	√	×	√	√

, proving that the proposed scheme satisfies the desired security requirements.

6. Performance Analysis

Performance analysis of the proposed scheme is presented in this section, which specifically emphasizes on the crucial properties for resource-limited VANET environment: storage overhead, computation cost, and communication cost.

6.1. Storage Overhead

In practical VANETs environment, both vehicles and the RSUs perform as the basic units in VANETs communication. The state-of-the-art VANETs authentication schemes including ICPP [37], SAKM [43], and PFCA [44] are analyzed. Hence, advantages of our scheme can be shown as shown in the comparison.

In device registration, the distinctive identity $I{D}_T^i$ and correlated partial secret key pair $〈r_{RSU}^i,s_{RSU}^i〉$ for individual RSU are safely stored. Upon registration, the current RSU anonymous identity $I{D}_{RSU}^i$ is generated. Subsequently, the key generation for homomorphic encryption infrastructure is conducted. Both encryption key pair $〈{\mathcal{O}}_i,{\hslash }_i〉$ and decryption key pair $〈{\mathsf{\Lambda }}_i,{ð}_i〉$ are issued. Relevant calculations on the RSU parameters set $〈T{S}_2^i,I{D}_{RSU}^i,{\mathcal{O}}_i,hba{r}_i,{\mathcal{R}}^i,Cer{t}_{RSU}^i〉$ is periodically executed. Accordingly, we define the length of the identity and secret key such as $I{D}_T^i$ and $〈{\mathcal{O}}_i,{\hslash }_i〉$ is 32 bits, while length of the elements in group ${\mathbb{G}}_1$ is 256 bits. The length of $Cer{t}_{RSU}^i$ and the timestamp $T{S}_2^i$ are assumed to be 160 bits and 24 bits respectively. At this point, the total storage for individual RSU is calculated as $32\times 6+256\times 1+160\times 3+24\times 1=952$ bits. In the subsequent mutual authentication, each RSU derives the authentication request from vehicles, which includes $〈\mathtt{Request},T{S}_3^j,I{D}_j,{\mathsf{{\rm Y}}}_j,Cer{t}_V^j〉$. The currently acquired ${\aleph }_j$, ${\mathsf{\Psi }}_j$, as well as the vehicle homomorphic encryption key pair $〈{\mathcal{Q}}_j,{\xi }_j〉$, are stored. Moreover, $〈\mathtt{Ack},I{D}_j,{\omega }_j〉$ from $\mathtt{VC}$ is delivered for final $\mathtt{VC}$ verification. At last, the acknowledgement packet $〈T{S}_4^i,I{D}_j^1,Cer{t}_{RSU}^j,{\mathsf{\Phi }}_j〉$ is generated. In this way, the storage overhead for n vehicles can be computed as $\left(32\times 5+256\times 2+160\times 1+24\times 2\right)n+24+32\times 2=880n+56$ bits. Hence, the total storage cost in RSU side involving vehicles is $952+880n+56=880n+1008$ bits.

In vehicle side, the original vehicle identity $I{D}_V^j$ and the related partial secret key $k_j$ is stored. In mutual authentication, the randomly generated $r_j\in {\mathbb{Z}}_q^{*}$, as well as the anonymous identity is generated. Moreover, the vehicle homomorphic encryption key pair $〈{\mathcal{Q}}_j,{\xi }_j〉$ and the decryption key pair $〈{\mathsf{\Gamma }}_j,{\wp }_j〉$ are distributed. With the published RSU parameter set $〈T{S}_2^i,I{D}_{RSU}^i,{\mathcal{O}}_i,{\hslash }_i,{\mathcal{R}}^i,Cer{t}_{RSU}^i〉$, vehicle delivered the requesting packet $〈\mathtt{Request},T{S}_3^j,I{D}_j,{\mathsf{{\rm Y}}}_j,Cer{t}_V^j〉$ to RSU. The packet $〈T{S}_4^i,I{D}_j^1,Cer{t}_{RSU}^j,{\mathsf{\Phi }}_j〉$ is generated finally. Please note that the delivered session key $s{k}_j$ is stored as well. Hence, the total storage cost for individual vehicle is $32\times 13+256\times 3+160\times 2+24\times 3=1576$ bits. Comparison results with existing VANETs authentication schemes are shown in

Table 4. Comparison of Storage Overhead.

Scheme	ICPP [37]	SAKM [43]	PFCA [44]	The Proposed Scheme
Storage Cost (RSU)	$1760n+1056$ bits	$1616n+1360$ bits	$3992n+1376$ bits	$880n+1008$ bits
Storage Cost (Vehicle)	2112 bits	2208 bits	4368 bits	1576 bits

. Obviously, less storage overhead is required in the proposed scheme.

6.2. Computation Cost

The computation cost of the proposed authentication scheme is presented in this section. For better description, The employed secure hash functions, multiplication, and exponential operation are respectively denoted as $\mathtt{H}$, $\mathtt{M}$ and $\mathtt{Ex}$. The point multiplication and the pairing operation are respectively denoted as $\mathtt{p}$ and $\mathtt{e}$. The comparison results on computation cost is shown in

Table 5. Comparison Result of Computation Cost.

Scheme	ICPP [37]	SAKM [43]	PFCA [44]	The Proposed Scheme
Computation Cost (RSU)	$(2n$ + $2)\mathtt{p}$ + $3n\mathtt{M}$ $\approx (3.418n$ + $3.418)$ ms	$2\mathtt{e}$ + $(2n$ + $2)\mathtt{p}$ + $(2n$ + $3)\mathtt{H}$ + $2n\mathtt{Ex}$ + $(n$ + $1)\mathtt{M}$ $\approx (1.76n$ + $10.184)$ ms	$(5n$ + $3)\mathtt{p}$ + $(2n$ + $3)\mathtt{H}$ + $2\mathtt{M}$ $\approx (8.545n$ + $5.127)$ ms	$(n$ + $1)p$ + $(2n$ + $2)\mathtt{H}$ + $(4n$ + $2)\mathtt{Ex}$ + $\mathtt{M}$ $\approx (1.143n$ + $6.973)$ ms
Computation Cost (Vehicle)	$3\mathtt{p}$ + $3\mathtt{H}$ + $2\mathtt{M}$ $\approx \left(2.441\right)$ ms	$3\mathtt{p}$ + $3\mathtt{H}$ + $\mathtt{M}$ $\approx \left(1.869\right)$ ms	$4\mathtt{p}$ + $5\mathtt{H}$ + $6\mathtt{M}$ $\approx \left(3.632\right)$ ms	$\mathtt{p}$ + $4\mathtt{H}$ + $4\mathtt{Ex}$ $\approx \left(1.477\right)$ ms

, where the approximate execution time is given according to [43]. Complex pairing computations are not adopted. Hence, less computation overhead for resource limited vehicles is required, which is of significance to practical VANET scenarios.

6.3. Communication Cost

The communication rounds for the VANETs’ authentication in RSU side is discussed in this section, where a total of n vehicles are to be successfully verified. Furthermore, the same path ${\mathtt{RSU}}_1\to {\mathtt{RSU}}_k$ is assumed, where k cross-domain authentication sessions are conducted. In this case, the initial communication rounds with single vehicles is $2n$ in total. Accordingly, the communication cost is given in

Table 6. Comparison Results of Communication Cost.

Scheme	ICPP [37]	SAKM [43]	PFCA [44]	The Proposed Scheme
Communication Rounds (Initial Validation)	$4n$ + 2	$2n$ + 1	$2n$	$2n$
Communication Rounds (Cross-Domain Validation)	∖	∖	∖	$2kn$

, proving that less communication rounds are required compared to the state-of-the-art.

7. Conclusions

In this paper, the cross-domain authentication issue is further studied under the cloud-assisted VANET infrastructure with edge RSU clusters. In our design, the successive RSUs could efficiently verify the cross-domain vehicle with the transited certificate from the neighbor RSUs and vehicle itself, while the identity and secrets of each vehicle is hidden all the time. In this case, the semi-trusted RSUs cannot access the confidential information from the remote cloud server, thus the balance between efficiency and security is properly made. Meanwhile, homographic encryption cryptography is adopted. Dynamic updating towards the anonymous vehicle identity is conducted upon each successful validation, where conditional privacy preserving is enabled in this way. Advanced security properties is guaranteed in our design, while performance discussion demonstrates its efficiency.