HCDA: Efficient Pairing-Free Homographic Key Management for Dynamic Cross-Domain Authentication in VANETs

Emerging as an effective strategy for intelligent transportation systems (ITS), vehicular ad hoc networks (VANETs) have the capacity to drastically improve the driving experience and road safety. In typical VANET scenarios, the high mobility and volatility of vehicles result in a dynamic network topology. That is, an individual vehicle may pass through the effective domains of multiple neighboring road-side units (RSUs) during a comparatively short time interval. Hence, efficient and low-latency cross-domain verification with all the successive RSUs is of significance. Recently, a lot of research on VANET authentication and key distribution has been presented, while the critical cross-domain authentication (CDA) issue has not been properly addressed. In particular, the existing CDA solutions mainly rely on confidential keying information acquired from the neighboring entities (RSUs and vehicles), while too much trust is granted to the involved RSUs. Please note that the RSUs are located in a distributed manner and may be compromised or disabled by an adversary, so vital vehicle information may be revealed. Furthermore, frequent data interactions between RSUs and the cloud server are always the major prerequisite for achieving mutual authentication with cross-domain vehicles, which leads to heavy bandwidth consumption and high latency. In this paper, we address the above VANET cross-domain authentication issue under the novel RSU edge networks assumption. Please note that RSUs are assumed to be semi-trustworthy entities in our design, where critical vehicular keying messages remain secret. A homomorphic encryption design is applied for all involved RSUs and vehicles. In this way, successive RSUs can efficiently verify the cross-domain vehicle with the transited certificate from the neighbor RSUs and the vehicle itself, while the identity and secrets of each vehicle are hidden all the time.
Afterwards, dynamic updating of the anonymous vehicle identity is conducted upon validation, where conditional privacy preserving is available. Moreover, a pairing-free mutual authentication method is used for efficiency. Formal security analysis is given, proving that the HCDA mechanism yields desirable security properties for the VANET cross-domain authentication issue. Performance discussions demonstrate the efficiency of the proposed HCDA scheme compared with the state of the art.


Introduction
The vigorous development of communication technology in recent years has facilitated the tremendous proliferation of advanced intelligent transportation systems (ITS), which are seen as the progressive solution for improving driving safety and efficiency [1][2][3]. ITS is responsible for providing computation cost will be are made for individual RSU, which crucially restricts the vast implementation of VANETs [13,24,25].
Presently, although some research attention has been paid, the critical cross-domain authentication issue has not been properly addressed in the field of VANETs [11,26]. As a matter of fact, most of the existing mechanisms for VANET authentication develop the verification scheme under a static trust model, where only the case of the initial RSU is discussed [27][28][29]. That is, the CDA case has not been taken into consideration at all. As for the remaining schemes, where the CDA issue has indeed been discussed, all the successive RSUs have to query the cloud server for confidential information, causing extra communication burden and high latency. In conclusion, the trade-off between transmission security and efficiency in cross-domain authentication remains unsolved [1]. Furthermore, in the existing CDA schemes, too much trust has been granted to the involved RSUs. Thus, vital vehicle information may be revealed if a certain RSU is compromised or disabled by an adversary [30][31][32][33].
Motivated by the above discussion on VANET secure transmission, we address the VANET CDA issue under the novel RSU edge networks assumption. In our design, the CDA issue is solved by adopting the certificate transited from RSU clusters. In particular, the successive RSUs can efficiently verify the cross-domain vehicle with the transited certificate from the neighbor RSUs and the vehicle itself, while the identity and secrets of each vehicle are hidden all the time. Please note that it is not necessary for the successive RSUs to exchange confidential information with the remote cloud server, so a balance between efficiency and security is properly made. Meanwhile, in our design, the dynamic updating of the anonymous vehicle identity is conducted upon validation, which enables conditional privacy preserving.

Research Contributions
In this paper, we develop a pairing-free homographic authentication and key management scheme for dynamic cross-domain authentication in VANETs. Our nontrivial efforts can be briefly summarized as follows:
• Pairing-free certificateless mutual authentication scheme for cloud-assisted VANETs with edge computing infrastructure: Our method adopts a cloud-assisted system model with edge infrastructure. In our assumption, the massive vehicular data are transmitted to and processed in the remote cloud. Hence, practical requirements for sufficient processing and storage capacity can be satisfied. Meanwhile, the deployed edge RSU architecture enables low latency and high reliability of vehicle-to-RSU (V2R) transmission, while the bandwidth burden on the cloud server is significantly alleviated. Furthermore, certificateless cryptography is exploited. The TA and the individual vehicle each generate their corresponding partial key pair, so that the key escrow issue is solved. The entire authentication scheme is performed without complex pairing functions, so that the computation cost is drastically reduced.
• Homographic key management towards cross-domain authentication: In the proposed scheme, the cross-domain authentication issue is addressed by using the certificate transited from RSU clusters. Therefore, the successive RSUs can efficiently verify the cross-domain vehicle according to the certificate from the neighbor RSUs and the vehicle itself. During the CDA process, homomorphic encryption is deployed for all participating RSUs and vehicles. Hence, an RSU is able to conduct the verification process without accessing the vital vehicle secrets, so vehicle privacy is protected against compromised RSUs. Please note that it is not necessary for the successive RSUs to exchange confidential information with the remote cloud server, so a balance between efficiency and security is properly made.
• Dynamic updating strategies on anonymous vehicle for conditional privacy preserving: The constant identity is hidden during the entire process, while anonymous identities for RSUs and vehicles are constructed. Therefore, crucial security characteristics including unlinkability, conditional privacy preserving, and user anonymity are provided for all participating entities.
Meanwhile, the transmitted vehicle certificate is automatically updated whenever the vehicle passes by a new RSU. Thanks to the homographic encryption property and vehicle conditional privacy, confidential keying information cannot be extracted or forged by the compromised RSUs.
The remainder of this paper is organized as follows. Section 2 briefly introduces the related research progress. Section 3 illustrates the preliminary works for the reader to obtain a better understanding of the topic. Section 4 presents the proposed HCDA scheme in detail. Section 5 presents the security analysis. Section 6 displays the performance analysis. The final conclusions are drawn in Section 7.

Related Works
Currently, many research efforts on VANET secure transmission have been made [30,34]. In particular, methods emphasizing conditional privacy preserving for the participating vehicles have been developed. In 2010, Zhang et al. [35] developed a decentralized group authentication protocol where each RSU organizes a vehicular group for users within its range. Hence, messages originating from the passing vehicles can be broadcast anonymously and verified by group members. A false message sender can be revealed by the invoked third party. Similarly, the pseudonymous authentication protocol PACP is proposed [20], where anonymous communication is guaranteed with the pseudonyms generated by both RSUs and the vehicle. Later, Lu et al. [36] developed a dynamic key management scheme for VANET location-based services (LBSs). The LBS session is divided into various time slots with different session keys. In this way, the new session key can be autonomously updated. Afterwards, an identity-based VANET mutual authentication mechanism was designed by He et al. [37]. Bilinear pairing operations are not applied in the design so as to reduce the computation cost. For the same purpose, Lo et al. developed a pairing-free identity-based message authentication scheme with a batch verification mechanism [38], so that optimized performance in terms of time consumption can be achieved. Meanwhile, an anonymous mutual authentication protocol for VANETs is proposed [39], where group signature and batch message verification are adopted in multiple-vehicle scenarios. In 2019, Alazzawi et al. constructed a pseudo-identity-based message verification scheme [30] with resistance to insider attack and provision of message integrity. Please note that a certificate revocation list is not deployed, for the purpose of optimizing the communication cost.
Specifically, key management and vehicular data verification for VANETs have been widely studied so far. In 2011, Hao et al. proposed a distributed key management framework with a VANET group signature design [32]. Compromised RSUs and the colluding malicious vehicles can be detected and revoked in a timely manner. Meanwhile, a cooperative vehicular message authentication mechanism is used with the purpose of alleviating computation overhead. Hence, each vehicle only needs to perform a small number of message verification tasks. Thereafter, another VANET message authentication mechanism, EMAP [25], was developed by Wasef et al., where the time-consuming certificate revocation matching process is replaced with a keyed hash message authentication code (HMAC) design. Please note that the input key values are securely shared among the on-board units of validated vehicles. Later, Chuang et al. [27] proposed a decentralized trust-extended message authentication mechanism, TEAM, for high-mobility V2V communication. A lightweight transitive trust relationship framework is deployed in order to reduce storage consumption. Meanwhile, emphasizing low-latency computation for the certificate revocation procedure, Zhu et al. developed a hash-based VANET group signature [18], where cooperative message authentication among vehicular entities is implemented. Similarly, a two-factor lightweight VANET authentication scheme, 2FLIP, is proposed [13], which applies a decentralized certificate authority (CA) and a biological password. Recently, multiple relevant VANET key distribution and message validation methods have been proposed [2,8], where the blockchain structure is used for secure data sharing.
Due to its superiority in heterogeneous data storage and parallel processing, cloud infrastructure has been extensively exploited in various VANET scenarios. In 2017, safe vehicular message dissemination for a cloud-assisted VANET-cellular heterogeneous network was studied in [9]. The message delivery from the remote server to the destination area is investigated. The proposed CMDS scheme provides reliable data sharing with the assistance of corresponding gateways and neighboring vehicles. Moreover, the resource allocation issue for vehicular cloud data is discussed by Lin et al. [40]. The legitimate RSUs help significantly improve the computing capability of the vehicular cloud computing (VCC) system. In this way, an optimal solution for VCC resource allocation is proposed under the modified semi-Markov decision process (SMDP) model. Furthermore, a message dissemination scheme for vehicular fog-assisted networks is proposed by Ullah et al. [16], where message congestion avoidance is achieved. Thereafter, multiple methods on VANET secure transmission with cloud/fog infrastructure are accordingly presented [6,23,41].
As one of the critical issues in secure vehicular data transmission, cross-domain authentication in practical VANET environments has not been fully addressed so far. Presently, several relevant cross-domain solutions for other wireless transmission settings have been proposed. In 2015, Li et al. proposed a certificateless cross-domain authentication and key management protocol for wireless mesh networks (WMNs) with multiple administrative domains [1]. The proposed CAKA protocol enables two-round authenticated key agreement for users affiliated to various WMN domains, while the high mobility and dynamic topology of WMN nodes are not discussed. Thereafter, He et al. developed a handshake scheme with symptom-matching for mobile healthcare social networks (MHSNs) [5]. Similarly, focusing on telemedicine communication systems, a certificateless cross-domain authenticated asymmetric group key management scheme is proposed [42], which provides resistance to the key escrow problem. In 2019, a blockchain-assisted lightweight anonymous authentication scheme for vehicular fog service (VFS) was presented [4]. However, the proposed scheme mainly focuses on data sharing with the vehicular data center, while efficient updating is not provided [26]. In conclusion, existing research either discussed the CDA issue in other general IoT wireless circumstances without taking into consideration the particular characteristics of VANET communications (e.g., high-mobility entities, self-organized topology, and instant data transmission), or failed to present efficient and flexible security strategies employing extensive VANET infrastructures (e.g., cloud-assisted VANET, edge-based RSUs). As a result, the proposed scheme of this paper is of significance for practical VANETs.

Preliminaries
The essential cryptographic concepts and basic knowledge are introduced in this section to facilitate the reader's understanding. The definitions of the elliptic curve cryptosystem (ECC), one-way hash function, and homomorphic encryption are presented in turn. Thereafter, the corresponding notations, system model, security requirements, and network assumptions are described.

Elliptic Curve Cryptography (ECC)
Let $p > 3$ be a large prime, and $F_p$ be the finite field of order $p$, where $a, b \in F_p$ satisfy $4a^3 + 27b^2 \neq 0 \pmod{p}$. The elliptic curve $E_p(a, b)$ over the finite field $F_p$ is defined with the following equation: where $(x, y) \in F_p$. The addition operation on the curve is defined as point doubling when the two points are identical. Otherwise, it is defined as point addition. All the points on the curve, together with the point at infinity $\infty$, form an additive Abelian group $E_{F_p}$. Please note that $\infty = (-\infty)$ acts as the identity element.
Definition 1 (Computational Diffie-Hellman Problem (CDHP)). Given $P, aP, bP \in G_1$ for $a, b \in Z_q^*$, where $P$ is a generator of $G_1$, the advantage in computing $abP$ to solve the CDHP problem for any probabilistic polynomial-time (PPT) algorithm $\mathcal{A}$ is negligible, which can be defined as:
Definition 2 (Elliptic Curve Discrete Logarithm Problem (ECDLP)). Given $P, Q \in G_1$, where $Q = aP$. The advantage in finding the integer $a \in Z_q^*$ in order to solve the ECDLP problem for any probabilistic polynomial-time (PPT) algorithm $\mathcal{A}$ is negligible, which can be defined as:
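The group law described above, written out as an added example that is not code from the paper. It uses the standard short-Weierstrass addition formulas and forms nested scalar multiples of the shape the scheme later uses ($R_i = r^i_{RSU} s^i_{RSU} P$, $\Upsilon_j = r_j R_i$); the curve constants, base point and function names are constructed for illustration.

```python
# Added illustration: toy elliptic-curve arithmetic over F_p.
# A, B, P_MOD and G are constructed sample values, far too small for real use,
# and the double-and-add loop below is not constant time.
A, B, P_MOD = 2, 3, 97      # y^2 = x^3 + 2x + 3 over F_97
G = (3, 6)                  # 6^2 = 36 = 27 + 6 + 3, so G lies on the curve
INF = None                  # point at infinity, the identity element


def check_params(a, b, p):
    """Reject singular curves: 4a^3 + 27b^2 must be non-zero mod p."""
    if p <= 3:
        raise ValueError("p must be a prime greater than 3")
    if (4 * a**3 + 27 * b**2) % p == 0:
        raise ValueError("singular curve: 4a^3 + 27b^2 = 0 (mod p)")


def on_curve(pt, a, b, p):
    """Membership test; reject peer-supplied points that fail it."""
    if pt is INF:
        return True
    x, y = pt
    return (y * y - (x**3 + a * x + b)) % p == 0


def negate(pt, p):
    return INF if pt is INF else (pt[0], (-pt[1]) % p)


def add(p1, p2, a, p):
    """Point addition, falling back to doubling when both points are equal."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % p == 0:
        return INF                      # P + (-P); also doubling when y = 0
    if p1 == p2:                        # doubling: tangent slope
        slope = (3 * x1 * x1 + a) * pow(2 * y1 % p, -1, p) % p
    else:                               # addition: chord slope
        slope = (y2 - y1) * pow((x2 - x1) % p, -1, p) % p
    x3 = (slope * slope - x1 - x2) % p
    y3 = (slope * (x1 - x3) - y1) % p
    return (x3, y3)


def mul(k, pt, a, p):
    """Scalar multiple k*pt by double-and-add."""
    result = INF
    while k > 0:
        if k & 1:
            result = add(result, pt, a, p)
        pt = add(pt, pt, a, p)
        k >>= 1
    return result


def order(pt, a, p):
    """Smallest n >= 1 with n*pt = INF (feasible only on a toy curve)."""
    n, acc = 1, pt
    while acc is not INF:
        acc = add(acc, pt, a, p)
        n += 1
    return n


def nested_multiples(r, s, r_j):
    """Return (R, U) with R = r*(s*G) and U = r_j*R on the sample curve."""
    big_r = mul(r, mul(s, G, A, P_MOD), A, P_MOD)
    return big_r, mul(r_j, big_r, A, P_MOD)


if __name__ == "__main__":
    check_params(A, B, P_MOD)
    print("order of G:", order(G, A, P_MOD))
    print("R, U:", nested_multiples(5, 7, 11))
```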

Hash Function
The one-way hash function $h(\cdot)$ is defined to be secure if all of the following properties hold:

1. Given a message $x$ of arbitrary length as input, it is easy to compute a message digest $h(x)$ of fixed length.

2. Given $y$, it is hard to compute $x = h^{-1}(y)$.

3. Given $x$, it is computationally infeasible to find $x' \neq x$ such that $h(x') = h(x)$.

Homomorphic Encryption
The homomorphic encryption design allows predefined standard computations on ciphertexts, whose output matches the encryption of the result of the same computations conducted on the plaintexts. With its unique properties, homomorphic encryption can be widely applied in security designs and privacy preserving strategies. Hence, the transmitted data can be securely processed and outsourced without revealing the privacy-related information. The encryption and decryption functionalities can be considered as homomorphisms between the plaintext and ciphertext spaces. In practical communication scenarios with semi-trusted entities, homomorphic encryption can remove privacy barriers inhibiting data sharing, since operations on encrypted data can be performed instead of direct calculations on the confidential user data. The Paillier cryptosystem is one of the homomorphic cryptosystems for public key infrastructure (PKI), the security of which is based on the decisional composite residuosity assumption (DCRA) described as follows:
Definition 3 (Decisional Composite Residuosity Assumption (DCRA)). Let $p, q$ be two large primes such that $n = pq$. Given $\alpha \in Z^*_{n^2}$, if there exists $\gamma \in Z^*_{n^2}$ satisfying $\alpha \equiv \gamma^n \bmod n^2$, then $\alpha$ is defined as the $n$-th residue modulo $n^2$. Please note that given the composite $n$ and an integer $\beta$, it is hard to decide whether $\beta$ is the $n$-th residue modulo $n^2$.
The Paillier encryption process is additively homomorphic. That is, the product of two ciphertexts will decrypt to the sum of their corresponding plaintexts. Let $m_1, m_2 \in Z^*_n$ be the plaintexts, and $r_1, r_2 < n$ be the random integers used during encryption. The following additive homomorphic properties are satisfied ($\Theta \in Z^*_n$):
$$Dec\left(Enc(m_1, r_1) \cdot Enc(m_2, r_2) \bmod n^2\right) = (m_1 + m_2) \bmod n$$
$$Dec\left(Enc(m_1, r_1)^{\Theta} \bmod n^2\right) = (m_1 \Theta) \bmod n$$
where $Enc(\cdot)$, $Dec(\cdot)$ denote the encrypting and decrypting operation, respectively.

Notations
The notations used in our scheme are listed in Table 1, along with the corresponding description.

System Model
In this section, the VANET infrastructure used in our design is briefly illustrated. Please note that the deployed cloud-assisted VANET system with an edge RSU layer can satisfy the computing and storage requirements of massive vehicular data processing scenarios. As shown in Figure 1, the proposed VANET system model is composed of three different components with distinctive functionalities: the cloud layer, the edge layer, and the device layer. These three layers are described as follows.
Cloud layer is considered as the core central data facility responsible for the entire VANET system, where numerous vehicular data originating from terminal VANET devices are analyzed and safely stored. Moreover, crucial VANET system operations including device registration, confidential key generation, and user verification are all conducted by the topmost cloud layer, which is assumed to be valid and trustworthy at all times. Please note that the distributed cloud servers are capable of arranging multiple VANET prototypes, promoting the construction of worldwide Internet of Vehicles (IoV) initiatives. Similarly, the promising 5G communication infrastructure has been dedicated, so stable and seamless data transmission towards local RSUs can be guaranteed. For ease of description, we consider the entire cloud layer as one entity in our assumption.
Edge layer is a set of RSU clusters enabled by the direct and indirect wired connections between neighboring RSUs within a certain vicinity. Instead of independently managing the data transmission tasks with in-range vehicles, each RSU cluster is able to collaboratively share essential vehicular information for vehicle authentication and then arrange distributed edge computation tasks. Generally, in a cloud-assisted VANET system, heterogeneous vehicular data are processed in the cloud server, while the edge architecture can be deployed so that the low latency and high reliability properties of vehicle-to-RSU (V2R) transmission are satisfied accordingly. In this case, instead of requesting information from the remote TA every time, the edge cluster including all the nearby RSUs is able to cache the frequently used data and manage the instant and frequent data exchange with vehicles, while the bandwidth burden on the cloud server is significantly alleviated. Practically, some RSUs located in harsh natural environments far away from the central server may be easily compromised or disabled. Therefore, vital vehicle secret information should not be fully revealed to RSUs, for user privacy preservation. In other words, the RSUs are assumed to be semi-trusted entities in our design.
Device layer refers to all the participating terminal vehicles, where heterogeneous vehicular data and road information are aggregated. The embedded on-board unit in the vehicle is responsible for transmission and reception in high-mobility VANET scenarios, while the deployed tamper-proof device (TPD) is for confidential message preservation. Hence, large numbers of temporary and high-speed V2V and V2R networks are constructed continuously. Due to resource restrictions, comparatively complex computation cannot be performed on the vehicle side.

Networks Assumptions
As shown in Figure 1, the cloud layer and edge layer communicate through the VANET core networks, which are constructed with wired connections between the cloud server and local individual RSUs. Adequate safety strategies can be implemented accordingly, so secure and reliable data transmissions are enabled. Consequently, data exchange in the core networks is beyond our consideration. On the other hand, interactions between the edge layer and device layer are conducted through vehicle-to-RSU (V2R) communications performed by the DSRC communication technique. Moreover, the self-organized vehicle networks within the device layer are constructed through vehicle-to-vehicle (V2V) communications, while the inherent wireless transmission property of both V2R and V2V communication leads to potential security risks and privacy threats. The transmitted vehicular data may be forged or eavesdropped by malicious entities, bringing danger to the entire VANET and its vehicles. Hence, proper security methods are of significance for safe wireless transmission in VANETs.

Security Requirements
The objective of our design is to enhance the security assurance of VANET wireless transmissions, and to address the cross-domain authentication issue in practical VANETs. Moreover, efficiency of system management and authentication is to be taken into consideration. The following security requirements for a VANET key management and authentication scheme should be fully satisfied.

• Mutual Authentication: In the VANET design, mutual authentication is the basic but leading security property ensuring that both VANET entities in one communication process authenticate each other. In this way, the impersonation attack towards a certain device can be prevented.
• Conditional Privacy Preserving: As one of the essential privacy parameters, conditional privacy consists of user privacy protection and certain device retrieving. That is, the private information regarding user identity is safely preserved during the entire transmission process. Hence, illegal tracing of a specific device cannot be performed. Resistance to replay attack is guaranteed as well. Meanwhile, the central server in charge of system management is able to reveal the real identity of an individual vehicle if necessary. In this case, the compromised or corrupted vehicle can be revoked in a timely manner.
• Non-repudiation: The message sender in a VANET cannot deny the authenticity of its signature on the transmitted messages. Non-repudiation ensures the validity of the transmitted information.
• Unforgeability: In wireless VANET transmission, an adversary may selectively forge valid certificates, keys, or signatures in order to pass the verification process and acquire crucial system secrets. Unforgeability against chosen message attack is the major property in secure data exchange.
• Anonymity: In an open environment, the communication channels may be eavesdropped by malicious entities. Meanwhile, messages originating from the same device carry unique patterns so that they can be distinguished on the receiver side. In this case, by analyzing the eavesdropped information, vital parameters such as sending frequency and user location may be exposed, which endangers user privacy. Hence, anonymity during the whole VANET communication is extremely important.
• Session Key Establishment: Upon verification, the shared session key between the individual vehicle and the VANET system should be established so as to provide safe data exchange. Due to the semi-trustworthiness of intermediate RSUs, the constructed session key should be hidden from the interacting RSUs.

The Proposed HCDA Scheme
In this section, the homographic authentication and key management scheme is presented, which focuses on the dynamic cross-domain authentication issue in high-mobility VANET scenarios. In our design, pairing-free certificateless cryptography is deployed for key escrow avoidance. Hence, low-cost verification for resource-constrained wireless devices is achieved accordingly. User anonymity for both vehicles and RSUs is maintained during the entire processing time. Moreover, the independent anonymous identity updating mechanism is developed so as to prevent message linkability for an individual vehicle across different RSU domains. Upon validation of each vehicle, the exclusive session key between the cloud server and the legitimate terminal user is constructed so as to facilitate independent data transmission. Thereafter, the cross-domain authentication issue is further discussed, where the successive RSUs can efficiently verify a vehicle from another RSU domain according to the confidential certificate from the neighboring RSUs. In particular, the successive RSUs do not need to access the remote cloud server, thus drastically alleviating the bandwidth burden. In this way, a tradeoff between efficiency and security is properly made. Please note that homomorphic encryption is deployed for the CDA solution. Hence, an RSU is able to conduct the verification process without accessing the vital vehicle secrets, so vehicle privacy is protected against compromised RSUs.
Intuitively, the proposed scheme can be roughly divided into device registration, mutual authentication, and the cross-domain authentication strategy. In the device registration section, the nontrivial system initialization is performed first. The registration process for all the participating vehicles and RSUs is conducted. In this way, vital private information including the fundamental vehicle identity and initial secret key is safely stored in the cloud server. Subsequently, the mutual authentication process between the vehicle and the initial RSU is performed in the mutual authentication section, where the new vehicle is able to participate in the VANET system after validation with the cloud server. The independent secret key is generated for each vehicle. Finally, the solution to the cross-domain authentication issue is presented. The authentication mechanism for a random approaching vehicle is provided on the RSU side, while the edge RSU network is used for confidential key sharing. In this way, the detailed routine information for each legitimate vehicle can be effectively monitored and organized by the cloud server, which is essential for location-related VANET applications including navigation, remote surveillance, and traffic dispute settlement.

Device Registration
The device registration operation is conducted for system initialization and vehicle registration. As mentioned above, the vehicular cloud (VC) is assumed to be a validated and trustworthy entity during the whole communication session. Hence, vital VANET parameters are generated and allocated from VC to the destination devices. Initially, $G_1$ is defined as the cyclic group of large prime order $q$, where $P$ denotes the generator of $G_1$. Meanwhile, the secure cryptographic hash functions (1) Accordingly, the system parameter set param = {$G_1$, $q$, $P$, $H_1$, Respectively, the unique identity $ID^i_T \in \{0, 1\}^*$ for each legitimate RSU is issued. The correlated secret $s^i_{RSU} \in Z_q^*$ is randomly generated for each independent RSU. Therefore, the confidential RSU information set $ID^i_T$, $s^i_{RSU}$ is safely shared between VC and the RSU itself. Similarly, all the vehicles are required to register in advance. The distinctive vehicle identity $ID^j_V \in \{0, 1\}^*$ is distributed, along with the secret key $k_j \in Z_q^*$ generated by VC. Hence the key pair for the vehicle is $ID^j_V$, $k_j$. Please note that the whole device registration is safely performed in offline mode. Crucial vehicular personal information regarding user name, address, social identifier, and phone number is recorded in VC as well. Consequently, VC constructs the unique vehicular records regarding all registered vehicles and RSUs as shown in Table 2.

For anonymity protection, the registered RSU randomly generates $r^i_{RSU} \in Z_q^*$ and periodically extracts the current RSU anonymous identity $ID^i_{RSU}$ as where the current timestamp $TS^i_1$ is adopted for freshness assurance. In this case, each RSU session identity $ID^i_{RSU}$ is only valid within a certain time period. The RSU partial secret key pair $r^i_{RSU}$, $s^i_{RSU}$ is then stored on the RSU side, while $r^i_{RSU}$ is kept secret from VC. Next, the homomorphic encryption infrastructure for each registered RSU is constructed. The RSU independently chooses two large prime values $M_i$ and $N_i$ with $\gcd(M_i N_i, (M_i - 1)(N_i - 1)) = 1$. Hence, the calculations on $O_i$ and $\Lambda_i$ can be performed as Thereafter, RSU selects random $h_i \in Z^*_{O_i^2}$ and computes where $TS^i_2$ denotes the latest timestamp. At this point, the RSU parameters set denoted as $TS^i_2$, $ID^i_{RSU}$, $O_i$, $h_i$, $R_i$, $Cert^i_{RSU}$ is periodically broadcast to all entities within its effective domain.

Mutual Authentication
In this section, mutual authentication between vehicle and VANET system is conducted. Initially, assuming the vehicle of identity ID j V , partial secret key k j is approaching specific RSU, vehicle itself randomly generates its own secret r j ∈ Z * q . At this point, partial secret k j , r j is stored by vehicle. Consequently, the anonymous identity used in the authentication session is computed as At the same time, vehicle is acknowledged of the published RSU parameters set Hence, the calculations on Q j and Γ j can be performed as Thereafter, vehicle selects random ξ j ∈ Z * Q 2 j and computes where the function φ j (y) = y−1 At this point, the encryption key pair for vehicle is extracted as Q j , ξ j . The vehicle then uses the randomly generated secret key r j and the acquired RSU encryption key pair O i ,h i to perform the encrypting operations as Please note that Enc [M] denotes the homomorphic encryption performed as Thereafter, vehicle sends the following requesting packet to RSU for further validation.
On the receipt of the verification packet, freshness verification towards timestamp TS j 3 is first carried out by checking whether TS cur 3 − TS j 3 ≤ ε 2 holds, where TS cur 3 indicates the current timestamp. Subsequently, RSU is able to decrypt the received Cert j V by computing where Dec [C] denotes the RSU homomorphic decryption performed as Please note that the mathematical correctness for the above decryption can be briefly illustrated as Hence, ℵ j ||Q j , ξ j || j is successfully extracted from Cert j V by RSU. Confidentiality of the information can be verified by checking the value of j according to the currently acquired ℵ j and the previously broadcast R i from RSU. If validated, RSU accepts the vehicle homomorphic encryption key pair Q j , ξ j . Moreover, with the stored R i = r i RSU s i RSU P and Υ j = r j R i , the following Ψ j can be calculated as At this point, RSU uploads TS j 3 , ID j , Ψ j , ℵ j to VC for remote identification. As mentioned above, the identity information ID j V , k j involving the legitimate vehicles are stored in VC database. Hence, VC is able to confirm the corresponding vehicle identity ID j V with the transmitted TS j 3 , ID j , Ψ j , ℵ j from RSU. If matches, identity of certain vehicle is verified. The vehicle access to VANET system can be granted by VC.
Thereafter, VC computes $\omega_j = h_2(ID^j_V, k_j r_j P)$ and replies to RSU with the acknowledgement message $(Ack, ID_j, \omega_j)$. Upon receipt of the acknowledgement message, RSU updates the vehicle identity as $ID^1_j = h_2(ID_j, r^i_{RSU} s^i_{RSU} P)$, where the RSU key pair $(r^i_{RSU}, s^i_{RSU})$ is adopted. Please note that in our design, the anonymous identity of the participating vehicle is safely updated as soon as a verification session completes successfully. In this way, message unlinkability across different communication sessions is guaranteed, and untraceability of a specific vehicle is preserved as well.
In the next, RSU conducts the vehicle homomorphic encryption process with the aforementioned vehicle key pair Q j , ξ j and its own r i RSU as Please note that Enc [M] denotes the homomorphic encryption performed as where Dec ℘ j Q j ,Γ j [C] denotes the vehicle homomorphic decryption performed as Please note that the mathematical correctness for the above decryption can be briefly illustrated as Hence, ω j is successfully extracted from Cert j RSU by vehicle. Confidentiality of the delivered packet can be verified by checking the value of Φ j . If validated, vehicle conducts the final authentication on ω j ? = h 2 ID j V , k j r j P .
At this point, mutual authentication between vehicle and RSU is completed, using homomorphic encryption and certificateless cryptographic techniques. The semi-trusted RSUs can carry out the authentication process without acquiring the confidential secrets of a specific vehicle. Meanwhile, the partial secret keys of each vehicle are generated by VC and by the vehicle itself, respectively. Complex pairing operations are not used in our design, which offers a new prospect for resource-limited VANET devices. The session key established between VC and vehicle is calculated as $sk_j = H_5(k_j r_j P)$, which is used as the unique identifying code shared between vehicle and VC. Meanwhile, the secure vehicular data exchange is performed through the aforementioned homomorphic cryptographic techniques including Enc

Cross-Domain Authentication Strategy
In this section, the specific cross-domain authentication problem in high-mobility VANET is further investigated. Generally, in practical VANET scenarios, individual vehicles randomly pass through effective domains of multiple RSUs within short time intervals. Hence, temporary and volatile data transmission and dynamic network topologies are enabled. Moreover, crucial vehicular operations for independent vehicle, such as key updating, identification, and revocation may be conducted at any time. Efficient authentication mechanism between vehicle and all the encountering RSUs is required whenever the vehicle enters the RSU effective domain. Consequently, secure and reliable VANET transmissions can be achieved. Considering the large number of participating vehicles, huge time consumption and computation cost will be made for individual RSU, which crucially restricts the vast implementation of VANETs. As shown in Figure 2, vehicle V i has successfully passed the mutual authentication process with certain RSU 1 at timepoint t 1 , where the interaction with VC is performed for confidential key information. Subsequently, at t 2 (t 2 > t 1 ), dynamic verification should be conducted as soon as V i approaches the effective domain of a brand-new RSU 2 . Please note that the mutual trustworthiness of V i ↔ RSU 2 is constructed in this way. On further timepoint t n (t n > t n−1 ), dynamic cross-domain authentication with random RSU n should also be conducted. ...

Figure 2. Cross-Domain Authentication in VANETs
To address the CDA issue, our design adopts the novel communication workflow, which could significantly avoid heavy bandwidth burden of VC for cross-domain authentication. The workflow logic can be briefly elaborated in Figure 3, where certain vehicle set {V 1 , · · · , V i } is assumed to respectively carry out linear validation with the encountering RSU set {RSU 1 , · · · , RSU n } . Please note that the vehicles are assumed to follow the same path RSU 1 → RSU n for better description. In this case, the vehicle in {V 1 , · · · , V i } conducts initial authentication with RSU 1 , where the detailed verification and key management process has been illustrated previously. Please note that in this phase data acquisition from remote VC is enabled for each vehicle of {V 1 , · · · , V i }. Thereafter, vital certificate information is delivered to the successive RSU 2 such that efficient validation between RSU 2 and each vehicle can be achieved. The validation process does not require remote assistance of VC from now on, while fast and efficient verification is provided. Furthermore, the anonymous identity is dynamically updated upon each verification. The detailed CDA solution is presented as follows.   According to the authentication and key management scheme in the previous section, mutual authentication with the initial RSU can be successfully finished after vehicle itself validates the delivered packet TS i 4 , ID 1 j , Cert j RSU , Φ j from RSU. The secure vehicular data exchange is performed through the homomorphic cryptographic techniques including Enc In our CDA solution, RSU is designed to use the edge RSU networks to achieve fast and efficient validation without accessing the remote VC. That is, RSU calculates the original vehicular proof as where r RSU i ∈ Z * q is the newly generated pseudorandom for CDA mechanism and r RSU i = r i RSU . That is, the Proof ≺ [j,1] is constructed by two different pseudorandom r RSU i and r i RSU . 
Moreover, the relevant certificate is computed as In this case, the initial RSU will simultaneously broadcast the packet 1] to all its neighboring RSUs through wired edge networks. On receiving the packet, all its neighboring RSUs temporarily store it in their storage for possible further use. If not required in certain time interval ∆ CDA , the packet is abandoned.
According to the previous assumption on vehicle path RSU 1 → RSU n , vehicle is approaching the effective domain of RSU 2 on timepoint t 2 , while the RSU parameters set TS 2 2 , ID 2 RSU , O 2 ,h 2 , R 2 , Cert 2 RSU is periodically broadcast by RSU 2 (index i ← 2). At this moment, vehicle generates the new random number r CDA j ∈ Z * q and calculates the corresponding proof and credential as Subsequently, vehicle conducts the RSU encryption using the broadcast key {O 2 ,h 2 } of RSU 2 as Consequently, vehicle identity ID 1 j is detected by RSU 2 . As mentioned above, the certificate information of vehicle has already broadcast to all neighboring RSUs including RSU 2 . That is, RSU 2 has R.H.S.
With Enc H.S. holds. Hence, the correctness of 1] is proved. At this point, the previous stored vehicle homomorphic encryption key pair Q j , ξ j can be used by RSU 2 . The secure vehicular data exchange is performed through the homomorphic cryptographic techniques including Enc In this case, RSU 2 computes the certificate information for final authentication in vehicle side, which is encrypted with vehicle homomorphic encryption key pair Q j , ξ j and the generated pseudorandom where TS 2 CDA is the current timestamp for cross-domain authentication. The packet is then sent to vehicle for mutual verification.
On receiving TS 2 CDA , ID 2 j , Cert Final 2 , freshness verification towards the timestamp TS 2 CDA is carried out by checking whether TS cur CDA − TS 2 CDA ≤ ε 3 holds, where TS cur CDA indicates the current timestamp. Subsequently, vehicle is able to decrypt the received Cert Final 2 by computing Finally, the cross-domain authentication design with RSU 2 is finished. Identity of vehicle can be verified by the other RSUs without accessing the remote VC. Moreover, in order for successive cross-domain authentication V j ↔ RSU k ∈ {RSU 3 , RSU 4 , · · · , RSU n }, RSU 2 will simultaneously broadcast 2] to all its neighboring RSUs through wired edge networks. Upon receiving the packet, all its neighboring RSUs temporarily store it in their storage for possible further use. If not required in certain time interval ∆ CDA , the packet is abandoned. Please note that 2] . Following this way, in the next k cross-domain authenticating sessions, Please note that r CDA j ∈ Z * q and r RSU i ∈ Z * q refers to the generated random numbers that are only effective within each successful authentication session. Intuitively, the anonymous identity for individual vehicle is updated in each session as ID k j = h 2 ID k−1 j , r CDA j P . The Proof ≺ [j,k] is calculated according to the previous two valid proofs and the characteristics of the current RSU k . Our cross-domain authentication mechanism can be performed in this way.

Security Analysis
In this section, the corresponding proofs on featured security properties of the proposed HCDA scheme are given. The comparisons in terms of the major security characteristics with the state-of-the-art are presented.

Security Proofs
Theorem 1. The cross-domain verification process is proven to be correct if and only if the credential is successfully issued following the device registration, mutual authentication, and cross-domain authentication strategy.
Proof of Theorem 1. As mentioned above, for an individual vehicle with previously allocated identity $ID^j_V$, the vehicle partial secret key pair and the homographic encryption key pair are extracted as $(k_j, r_j)$ and $(Q_j, \xi_j)$, respectively. With the vehicle path $RSU_{k-1} \to RSU_k$ ($k \in [1, n]$), vehicle is approaching the effective domain of $RSU_k$ at timepoint $t_k$, while the RSU parameters set where the partial secret key pair and the homographic encryption key pair for $RSU_k$ are extracted as $(r^k_{RSU}, s^k_{RSU})$ and $(O_k, \hbar_k)$, respectively. Following this way, in the k cross-domain authenticating sessions, $RSU_k$ has already acquired Meanwhile, vehicle generates the new random number $r^{CDA}_j \in Z^*_q$ and calculates the corresponding proof and credential as Since vehicle has successfully passed the verification process within the previous $(k - 1)$ domains, we can extract Meanwhile, In this way, vehicle anonymity can be guaranteed during all n cross-domain authentication sessions. Particularly, with random number $r^{CDA}_j \in Z^*_q$ generated by current RSU, the one-way mapping $ID^{k-1}_j \to ID^k_j$ is known only to $RSU_k$ of the current domain, while the successive $RSU_{k+1}$ cannot trace the anonymous identity from the acquired $ID^k_j$. That is, each RSU has zero knowledge about the vehicle identity outside its own domain, which significantly reduces the risk of message linkability across domains. In this case, the semi-trustworthy RSUs cannot acquire confidential information about specific vehicles. Illegal tracing of a vehicle can be prevented as well. Even in worse situations with compromised RSUs, the adopted session key $sk_j = H_5(k_j r_j P)$ is shared between VC and vehicle, while kept secret from each RSU. Hence, an impersonation attack by compromised RSUs is not possible in our design. In conclusion, message unlinkability and secure data transmission with semi-trustworthy RSUs can be provided.

Theorem 3.
Conditional identity privacy preserving is guaranteed. The dynamic anonymous identities used during all authentication sessions offer untraceability towards specific vehicle, while the remote VC is able to trace the real identity of malicious devices if necessary.

Proof of Theorem 3. In device registration, the unique records regarding all registered vehicles and RSUs are safely stored in the vehicular cloud. The key pair for a vehicle is defined as $(ID^j_V, k_j)$. Similarly, the confidential RSU information set $(ID^i_T, s^i_{RSU})$ is safely shared between VC and each $RSU_i$. Please note that the distinctive identities $ID^j_V$ and $ID^i_T$ remain hidden all the time. For an individual RSU, the adopted anonymous identity $ID^i_{RSU}$ is issued as $ID^i_{RSU} = h_1(TS^i_1, ID^i_T, r^i_{RSU} s^i_{RSU} P)$, where the fresh timestamp $TS^i_1$ and the randomly generated $r^i_{RSU} \in Z^*_q$ provide uncertainty in the generation of $ID^i_{RSU}$. Because it is bound to a timestamp, each $ID^i_{RSU}$ is only valid within a certain time period and will expire afterwards. As for each vehicle, the anonymous identity used in the initial authentication session is computed as $ID_j = h_2(ID^j_V, r_j P)$, while after the initial validation, RSU updates the vehicle identity as $ID^1_j = h_2(ID_j, r^i_{RSU} s^i_{RSU} P)$, where the RSU key pair $(r^i_{RSU}, s^i_{RSU})$ is adopted. Subsequently, the dynamic updating for anonymous identity is computed as $ID^k_j = h_2(ID^{k-1}_j, r^{CDA}_j P)$, which is the hashed value of the previous identity and the current random number $r^{CDA}_j \in Z^*_q$. In this way, anonymous identities for both RSUs and vehicles are provided. Malicious devices cannot illegally trace a specific vehicle by eavesdropping on the transmitted messages. On the other hand, by retrieving the entire vehicle path $RSU_1 \to RSU_n$, VC is able to reveal the original identity, which is crucial for detecting and revoking compromised VANET entities. Conditional identity privacy preserving is enabled in this way.
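The identity chain and the VC-side tracing described in this proof, as an added Python example that is not code from the paper. Assumptions: secp256k1 and SHA-256 stand in for the group $G_1$ and the hash $h_2$, each RSU keeps a hypothetical link record (previous identity, session point) per update, and the names `run_path` and `vc_trace` are illustrative.

```python
import hashlib
import secrets

# Assumption: secp256k1 stands in for the group G1; the page does not name a curve.
P_MOD = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def ec_add(a, b):
    """Affine point addition; None is the point at infinity."""
    if a is None or b is None:
        return a or b
    (x1, y1), (x2, y2) = a, b
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return None
    if a == b:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P_MOD)
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P_MOD)
    x3 = (lam * lam - x1 - x2) % P_MOD
    return x3, (lam * (x1 - x3) - y1) % P_MOD

def ec_mul(k, pt=G):
    """Double-and-add scalar multiplication (illustrative, not constant time)."""
    acc = None
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt = ec_add(pt, pt)
        k >>= 1
    return acc

def h2(identity, point):
    """Stand-in for h2: SHA-256 over an identity and a curve point."""
    x, y = point
    data = b"h2|" + identity + x.to_bytes(32, "big") + y.to_bytes(32, "big")
    return hashlib.sha256(data).digest()

def rand_scalar():
    return secrets.randbelow(N - 1) + 1  # uniform element of Z_q^*

def run_path(real_id, r_j, r_rsu, s_rsu, cross_domain_hops):
    """Pseudonyms used along RSU_1..RSU_n plus the assumed per-hop link records."""
    start = ec_mul(r_j)
    ids = [h2(real_id, start)]                 # ID_j = h2(ID_V^j, r_j P)
    records = {ids[0]: (None, start)}
    hop_points = [ec_mul(r_rsu * s_rsu % N)]   # ID_j^1 = h2(ID_j, r_RSU s_RSU P)
    hop_points += [ec_mul(rand_scalar()) for _ in range(cross_domain_hops)]  # r_CDA P
    for pt in hop_points:
        new_id = h2(ids[-1], pt)               # ID_j^k = h2(ID_j^(k-1), r_CDA P)
        records[new_id] = (ids[-1], pt)
        ids.append(new_id)
    return ids, records

def vc_trace(observed_id, records, registry):
    """VC walks the link records back to ID_j, then matches a registered identity."""
    current = observed_id
    while current in records:
        prev, pt = records[current]
        if prev is None:                       # reached the initial pseudonym ID_j
            return next((rid for rid in registry if h2(rid, pt) == current), None)
        if h2(prev, pt) != current:
            return None                        # inconsistent or forged link record
        current = prev
    return None
```

Without the link records an observer holds only unrelated hash outputs, while a party holding every hop's record can walk any pseudonym back to the registered identity.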
Please note that both $\aleph_j$ and j are related to timestamp TS j this case, assuming that at a specific timepoint $T_A$, adversary $A_1$ has access to all the z requesting packets transmitted during the time interval $[T_H, T_C]$, where $T_C < T_A$. In this case, the acquired z packets can be presented as $(Request, TS^l_3, ID_l, \Upsilon_l, Cert^l_V)_{l \in [1,z]}$, where vehicles $\{V_1, \cdots, V_z\}$ are involved.
Intuitively, direct message replaying with historical packets cannot pass the RSU validation since $TS^l_3 < T_C < T_A$ for $\forall l \in [1, z]$. Hence, $A_1$ acquires the current timestamp $TS_A$ of $T_A$ and manages to generate the modified certificate $Cert^A_V$. Intuitively, the probability for $Cert^A_V$ to pass the verification is $\frac{1}{2^y}$, where the length of the output $Cert^A_V$ is assumed to be y. Hence, our design is resistant to replay attack.

Theorem 5.
A certificateless authentication infrastructure is adopted for all VANET entities in the proposed design. The intrinsic key escrow problem of identity-based cryptography can be addressed. Non-repudiation for a specific vehicle is provided accordingly.
Proof of Theorem 5. As mentioned above, during the device registration phase, the distinctive identity for a vehicle is allocated as $ID^j_V$, while the assigned secret key is $k_j$. Please note that $k_j$ is stored in the VC record and shared between VC and vehicle. Subsequently, the vehicle itself randomly generates its own partial secret key $r_j \in Z^*_q$, which is kept secret from VC. In this way, the partial secret key pair is set as $(k_j, r_j)$, while VC has no access to $r_j$. Afterwards, by the hardness of the elliptic curve discrete logarithm problem, other VANET entities cannot extract $r_j$ from the published $ID_j = h_2(ID^j_V, r_j P)$ or $\Upsilon_j = r_j R_i$, given the value of $R_i$. Similarly, the partial secret key is defined as $(r^i_{RSU}, s^i_{RSU})$, where $r^i_{RSU} \in Z^*_q$ is randomly generated by RSU during registration and kept confidential from all other entities including VC. In other words, VC does not have full control over the participating vehicles and RSUs.

Theorem 6. In the proposed scheme, VC and RSUs cannot frame an innocent vehicle or accuse the honest vehicle of misbehaviors.
Proof of Theorem 6. Initially, the essential vehicle partial secret key is generated as $(k_j, r_j)$, where VC has no access to $r_j$. Upon validation, the session key established between VC and vehicle is issued as $sk_j = H_5(k_j r_j P)$, which is used as the unique identifying code shared between vehicle and VC. Please note that VC cannot issue or modify the shared $sk_j$ because it does not know the $r_j$ generated by the vehicle itself. In this case, VC cannot authenticate itself to vehicle and pass the final authentication process on $\omega_j \stackrel{?}{=} h_2(ID^j_V, k_j r_j P)$. In subsequent data transmission, the adopted homographic encryption mechanism is able to guarantee the message security. As for RSUs, the time-related vehicle anonymous identity and valid key information cannot be forged or decrypted. Overall, the non-frameability for a specific vehicle can be guaranteed.

Security Properties Comparison
The proposed protocol is compared with the state-of-the-art VANET authentication and key agreement schemes including ICPP [37], SAKM [43], and PFCA [44]. The comparison results are presented in Table 3, proving that the proposed scheme satisfies the desired security requirements.

Performance Analysis
Performance analysis of the proposed scheme is presented in this section, focusing on the crucial properties for a resource-limited VANET environment: storage overhead, computation cost, and communication cost.

Storage Overhead
In a practical VANET environment, both vehicles and RSUs act as the basic units of VANET communication. The state-of-the-art VANET authentication schemes including ICPP [37], SAKM [43], and PFCA [44] are analyzed, so that the advantages of our scheme can be shown in the comparison.
In device registration, the distinctive identity $ID^i_T$ and the correlated partial secret key pair $(r^i_{RSU}, s^i_{RSU})$ for individual RSU are safely stored. Upon registration, the current RSU anonymous identity $ID^i_{RSU}$ is generated. Subsequently, the key generation for the homomorphic encryption infrastructure is conducted. Both the encryption key pair $(O_i, \hbar_i)$ and the decryption key pair $(\Lambda_i, \eth_i)$ are issued. Relevant calculations on the RSU parameters set $(TS^i_2, ID^i_{RSU}, O_i, \hbar_i, R_i, Cert^i_{RSU})$ are periodically executed. Accordingly, we define the length of the identity and secret key such as $ID^i_T$ and $(O_i, \hbar_i)$ to be 32 bits, while the length of the elements in group $G_1$ is 256 bits. The length of $Cert^i_{RSU}$ and the timestamp $TS^i_2$ are assumed to be 160 bits and 24 bits respectively. At this point, the total storage for individual RSU is calculated as 32 × 6 + 256 × 1 + 160 × 3 + 24 × 1 = 952 bits. In the subsequent mutual authentication, each RSU derives the authentication request from vehicles, which includes $(Request, TS^j_3, ID_j, \Upsilon_j, Cert^j_V)$. The currently acquired $\aleph_j$, $\Psi_j$, as well as the vehicle homomorphic encryption key pair $(Q_j, \xi_j)$, are stored. Moreover, $(Ack, ID_j, \omega_j)$ from VC is delivered for final VC verification. At last, the acknowledgement packet $(TS^i_4, ID^1_j, Cert^j_{RSU}, \Phi_j)$ is generated. In this way, the storage overhead for n vehicles can be computed as (32 × 5 + 256 × 2 + 160 × 1 + 24 × 2) n + 24 + 32 × 2 = 880n + 56 bits. Hence, the total storage cost in RSU side involving vehicles is 952 + 880n + 56 = 880n + 1008 bits.
On the vehicle side, the original vehicle identity $ID^j_V$ and the related partial secret key $k_j$ are stored. In mutual authentication, the randomly generated $r_j \in Z^*_q$, as well as the anonymous identity, is generated. Moreover, the vehicle homomorphic encryption key pair $(Q_j, \xi_j)$ and the decryption key pair $(\Gamma_j, \wp_j)$ are distributed. , $\Phi_j$ is generated finally. Please note that the delivered session key $sk_j$ is stored as well. Hence, the total storage cost for individual vehicle is 32 × 13 + 256 × 3 + 160 × 2 + 24 × 3 = 1576 bits. Comparison results with existing VANET authentication schemes are shown in Table 4. Obviously, less storage overhead is required in the proposed scheme.

Computation Cost
The computation cost of the proposed authentication scheme is presented in this section. For better description, the employed secure hash functions, multiplication, and exponential operation are respectively denoted as H, M and Ex. The point multiplication and the pairing operation are respectively denoted as p and e. The comparison results on computation cost are shown in Table 5, where the approximate execution time is given according to [43]. Complex pairing computations are not adopted. Hence, less computation overhead is required for resource-limited vehicles, which is of significance to practical VANET scenarios.

Communication Cost
The communication rounds for VANET authentication on the RSU side are discussed in this section, where a total of n vehicles are to be successfully verified. Furthermore, the same path $RSU_1 \to RSU_k$ is assumed, where k cross-domain authentication sessions are conducted. In this case, the initial communication rounds with single vehicles are 2n in total. Accordingly, the communication cost is given in Table 6, proving that fewer communication rounds are required compared to the state-of-the-art.

Conclusions
In this paper, the cross-domain authentication issue is further studied under the cloud-assisted VANET infrastructure with edge RSU clusters. In our design, the successive RSUs can efficiently verify the cross-domain vehicle with the transited certificate from the neighbor RSUs and the vehicle itself, while the identity and secrets of each vehicle are hidden all the time. In this case, the semi-trusted RSUs cannot access the confidential information from the remote cloud server, so a proper balance between efficiency and security is struck. Meanwhile, homographic encryption cryptography is adopted. The anonymous vehicle identity is dynamically updated upon each successful validation, which enables conditional privacy preserving. Advanced security properties are guaranteed in our design, while the performance discussion demonstrates its efficiency.