PAS: Privacy-Preserving Authentication Scheme Based on SDN for VANETs

: Privacy disclosure has become a key challenge in vehicular ad hoc networks (VANETs). Although IEEE, ERSI, etc. suggest that a pseudonym-based scheme is a solution, how to support pseudonym management and vehicle authentication is still an open issue. In this paper, a secure VANETs authentication scheme (PAS) is proposed, where software-deﬁned network (SDN) is integrated as a suitable infrastructure to support anonymous authentication and pseudonym management, while removing the requirement for pseudonym certiﬁcation in the dynamic VANETs environment. The security and performance analysis indicate that PAS is able protect the privacy of vehicles and has a high efﬁciency.


Introduction
The intelligent transportation system (ITS) integrates a variety of advanced equipment and technologies (e.g., sensors and intelligent access control), and has become a vital part of next-generation urban transportation.Vehicle ad hoc networks (VANETs), the important part of ITS, are able to realize rapid interconnection among vehicles and surrounding terminals by utilizing dedicated short-range communication technology (DSRC) [1] to guarantee that drivers and passengers obtain continuous and stable communication services.On the one hand, VANETs effectively make up for the shortcoming of the unstable communication in terms of distance and direction to ensure vehicle driving safety.On the other hand, VANETs can fully share information among various traffic environments and obtain relevant services.Recently, VANETs have been considered to be a major research direction to strengthen the relationship among vehicles, roads, and drivers [2].Different from traditional ad hoc networks, VANETs own unique features, such as the frequent changing topology, variable network density, and predictable mobility, which are able to provide continuous and stable network communication services for high-speed moving vehicles [3].In VANETs, vehicles can communicate with infrastructures on both sides of the road (e.g., roadside units, RSUs) to obtain diverse application services [4].Furthermore, vehicles are also able to communicate with each other so that drivers may gain surrounding traffic information in time.However, due to the wireless communication environment, all messages are transmitted in the form of broadcast and any adversaries within the signal domain can obtain the messages freely.Meanwhile, as for the features of the dynamic change of network topology and the highspeed running of vehicles, it is challenging to resist cyber threats and quickly establish a safe and stable communication among entities in VANETs [5,6].Consequently, a secure, reliable, and efficient communication scheme that withstands various attacks is vital for VANETs [7].
Secure and efficient authentication protocol is considered key during the large-scale deployment of VANETs.Plenty of authentication protocols that support vehicle verification have been proposed in the past four years.Nevertheless, several shortcomings have been exposed.(i) Once the trusted authority is compromised or data are lost, the message of vehicles in VANETs is likely to be leaked.Consequently, it becomes impossible to rely on a single trusted authority to establish a trusting relationship among the entities.(ii) In the traditional authentication schemes, if a vehicle misbehaves, the informant needs to submit relevant evidence to the trusted authority to revoke the illegal vehicle.However, these schemes do not mention how to determine the integrity and authenticity of the evidence, which makes the evidence difficult to trust.(iii) When providing communication services for vehicles, RSUs have to store and maintain some necessary information for vehicles, which causes huge pressure to be applied to the RSU due to its limited computation and storage capacity.(iv) Authentication protocols in the proposed schemes are treated as one-model-fits-all.Once the protocols are determined, it becomes hard to upgrade and update them.
As a result, in terms of the conflicting goals of security and efficiency, we propose a privacy-preserving authentication scheme based on SDN for VANETs (PAS).The contributions are summarized as follows: (i) The proposed scheme integrates with software-defined network (SDN) to support vehicle identity management and anonymous authentication.(ii) Integrity, confidentiality, non-repudiation, and the unforgeability of vehicle identities are guaranteed when using the secure-data-sharing approach.(iii) A complete privacy-preserving authentication scheme is proposed, including a vehicle-to-infrastructure (V2I) authentication protocol, vehicle-to-vehicle (V2V) authentication protocol, and pseudonym revocation.Furthermore, extensive experiments are adopted to evaluate PAS compared with the typical ones.
The organization of the paper is structured as follows: Section 2 describes the related works about anonymous authentication schemes in VANETs.The preliminaries such as SDN, bilinear mapping, GDH assumption, and BLS signature mechanism are sketched in Section 3. Section 4 formalizes the network architecture, trust model, threat model, and the details of PAS.Security analysis, privacy analysis, and performance analysis are discussed in Section 5. Finally, the conclusion and future work are presented in Section 6.

Symmetric Cryptography-Based Authentication Schemes
In symmetric cryptography, the sender and the receiver share the same secret key.Compared to other cryptography mechanisms, symmetric cryptography has higher efficiency.In [8], vehicles generate a set of pseudonymous which handle depending on the seeds issued by the trusted authority, where RSUs are able to assign short-term pseudonyms for vehicles based on the handles.The proposed scheme alleviates the cost of generating and maintaining the pseudonyms for ombudsman and reduces the delay of changing pseudonyms.However, as only the pseudonym owner and RSU know the key corresponding to the pseudonym, when receiving the message from the sender, the receiver has to communicate with RSU to verify the legality of the message from the sender.Ref. [9] proposed prediction-based authentication (PBA).PBA adds the location prediction result generated by a position-prediction mechanism.In order to improve efficiency and reduce storage pressure, a short signature mechanism is adopted to guarantee the security of the location prediction result.Rhim et al. uses an efficient MAC-based message to achieve mutual authentication [10].In the proposed scheme, all messages transmitted by vehicles do not include any identifying information, which ensures privacy protection.However, the above schemes cannot guarantee non-repudiation.Once the key is disclosed, it is difficult to identify the adversaries from all entities in VANETs.

Asymmetric Cryptography-Based Authentication Schemes
In asymmetric cryptography-based authentication schemes, pseudonym and certification are usually considered as an essential message to prove the legality of the sender.In [11], the trusted authority (TA) provides the registration and anonymous authentication services for all RSUs and vehicles.When a registered vehicle enters VANETs, the vehi-cle can get the TPD activation key from the TA through RSU.The vehicle with the TPD activation key is able to generate a short-term anonymous certificate to achieve anonymous authentication.Moreover, in V2I authentication protocol, RSUs support the batch verifications of anonymous communication requests from multiple vehicles.However, according to [12], in order to prevent external adversaries from obtaining the vehicle's trajectory, each vehicle needs to change its own pseudonym and corresponding certificate frequently.Consequently, the TA has to provide services for a large number of vehicles that need to change pseudonyms at the same time, which leads to high communication cost and computational cost for the TA.Refs.[13,14] propose the anonymous authentication schemes to achieve conditional privacy-preserving, where anonymous certificates are maintained by vehicles themselves.Vehicles are able to generate dummy identities and certificates independently to achieve mutual authentication and communication.However, since the computational cost of certificate generation is high, frequent changes of pseudonyms and certificates are computationally expensive for vehicles [15].

Identity-Based Cryptography-Based Authentication Schemes
Different from traditional asymmetric cryptography mechanism, IBC takes the identity information of the sender instead of the certificate for message authentication, which addresses the issue of storing and guaranteeing the security of vehicle certificates in traditional asymmetric cryptography authentication schemes.Ref. [16] provides an anonymous authentication scheme to protect vehicle privacy and trajectory.The proposed scheme assures that additional authentication beyond the threshold will lead to the revocation of illegal vehicles.Meanwhile, Ref. [16] designs a role-splitting mechanism to guarantee that any vehicles cannot be framed by a single corrupted authority.Meanwhile, identity-based cryptography is adopted to facilitate communication and storage efficiently.Ref. [17] presents an IBS-based scheme for mutual authentication in VANETs.The scheme adopts online and offline signatures to achieve V2I and V2V authentication, respectively, which meets conditional privacy and non-repudiation.However, as part of the asymmetric cryptography mechanism, IBC-based authentication schemes have to face the challenge of the limited computation and storage capacities of vehicles.

Group Signature-Based Authentication Schemes
In group signature-based authentication schemes, VANETs contain multiple groups, where each group manager is trustworthy.All group members are able to participate in authentication and communication as a group without revealing their real identities.Ref. [18] provides a threshold anonymous authentication protocol for VANETs.The proposed scheme employs a decentralized group model to release the burden of vehicle certificate generation and maintenance for the TA.Meanwhile, Ref. [18] supports traceability and message linkability.The tracking manager (TM) can easily trace the true identity of illegal vehicles.However, in mutual authentication protocol, the computational cost and authentication delay are too high for vehicles, which makes it difficult to build a trusting relationship between vehicles.In [19], RSUs, as the group leaders, are required to support vehicles' anonymous authentication.As an anonymous certificate is cancelled, Ref. [19] can effectively reduce the transmission and communication costs in certificate issuing and anonymous authentication.However, the RSU is vulnerable to adversaries.Once the RSU is compromised, the information of all vehicles in the group will be exposed.Ref. [20] proposes a group signature-based secure VANETs communication scheme (GIGS).GIGS adopts a group signature to achieve the secure communication among vehicles, where messages are able to be anonymously signed by vehicles to hide their identities.On the other hand, in [20], as a certificate is canceled, the risk of certificate leakage is solved and the computational cost of certificate verification is reduced.However, there is no effective mechanism to revoke illegal vehicles.In [21], a regional group manager is added into VANETs to update vehicle identifiers and group keys periodically, which is able to solve the authorisation disputes.Nevertheless, for vehicle signature and verification, a large number of point multiplications and bilinear pairings seriously affects the communication efficiency.In addition, if a vehicle is considered as the illegal node, it is difficult to trace the vehicle's historical communication records.NECPPA [22] adopts a group signature to support conditional privacy-preserving.In order to protect the security of VANETs, all vital information is stored in RSUs and TPDs.In addition, NECPPA achieves batch verifications to improve efficiency.However, the pseudonyms are randomly generated by vehicles; once a vehicle misbehaves, it is difficult to trace the vehicle.Ring signature, a special group signature mechanism, is employed in [23].Vehicles can generate a ring signature independently; thus, RSU is able to centralize computation and communication capabilities to provide services for vehicles.However, in order to revoke illegal vehicles, other vehicles have to traverse all the information of the ring members, which leads to a low efficiency of revocation.

Blockchain-Based Authentication Schemes
Due to the characteristics of decentralization, immunity, auditability and fault tolerance, blockchain technology is being tried by researchers to support VANETs authentication.BUA [24] realizes the maintenance of the blockchain storing vehicle information by adding multiple service managers.On this basis, the vehicles are able to independently generate legal pseudonyms to participate in anonymous authentication.However, due to the complete anonymization, BUA cannot meet the conditional privacy.It is difficult to track the malfunctioning vehicle.In order to solve the issue, BPPA [25] integrates certificate with blockchain, where all activities of issuing certificate for the vehicle are recorded in blockchain.Furthermore, in order to verify the legitimacy of vehicles, BPPA requires blockchain nodes to synchronize the issued certificate to RSUs and vehicles through the consensus mechanism.BPPA hides the real identity of the vehicle in the certificate, realizes the anonymity of the vehicle and ensures the traceability to the malicious vehicle.However, the proposed scheme does not solve the problem of high computational cost caused by verifying the certificates.EPAM [26] supports the distributed authentication by extending the blockchain with an asynchronous accumulator, and reduces the computational cost through a one-way hash function instead of certificates.In order to improve the authentication efficiency, the RSU can query the hash value of the vehicle certificate from the regional service manager who maintains the blockchain.However, the above schemes ignore the cost of vehicle information maintenance.Due to the high computational cost of blockchain and communication delay caused by the consensus mechanism, blockchain-based authentication schemes usually require blockchain nodes to have high computation and storage capacity.

VANETs
VANETs are considered as an essential part of ITS to connect vehicles either to each other or to an infrastructure.In VANETs, a broad range of mobile communication technologies are integrated into roadside unit (RSU) and vehicles to relieve traffic congestion, improve safety, and enhance productivity.As shown in Figure 1, vehicles with on-board units (OBUs) adopt dedicated short-range communication (DSRC) to communicate with RSUs or other OBUs to obtain the required services [27].RSUs provide safety-related services, efficiency-related services, entertainment-related services, and so forth for vehicles with surrounding vehicles.The base station can communicate with external networks and provide network communication services for VANETs.Consequently, two different types of communication are used to support the application and services in VANETs.( 1) Vehicle-toinfrastructure (V2I) communication-V2I refers to the communication between the vehicle and RSU.When vehicles enter the signal coverage range of RSUs, vehicles are able to adopt DSRC to request RSUs to obtain the services.RSUs deployed and managed by motorway operators own external network communication capability through interconnection with surrounding base stations, and provide necessary services for surrounding vehicles; (2) vehicle-to-vehicle (V2V) communication-V2V refers to the communication between vehicles, which is completed by vehicles independently, without the participation of central entities.This type of communication is usually carried out without the RSU or in some specific scenarios.

Software-Defined Network
Due to VANETs' salient features, it is difficult to supply coordinate services according to diverse quality of service (QoS) requirements.As a result, building a programmable network architecture to support the inter-operation among entities in VANETs becomes vital [28].Software-defined network (SDN) is an important network architecture to support network management.The core concern of SDN is how to separate the system (control plane) and the sending capacities (data plane) [29], which are able to improve network performance in terms of network management, control, and data handling.
As shown in Figure 2, SDN consists of a control plane and data plane.The control plane is responsible for generating internal exchange paths, boundary service routes, as well as handling the network state change events.The data plane only provides a simple data forwarding function, which can quickly process matching packets to meet the increasing demand of traffic.A standard protocol (e.g., openflow) is used for communication between the two planes.Openflow switch is the core component of the whole network, which stores a flow table that is generated, maintained, and distributed by an external controller to support data forwarding.There are two modes for distributing the flow table: active mode and passive mode.In active mode, the SDN controller actively sends the flow table data collected by itself to open the flow switch.Then, the open flow switch is able to directly forward data according to the flow table.The advantage of active mode is that the data plane shortens the waiting time for controller operation and greatly reduces the forwarding delay.However, this mode has high requirements for the capacity of the flow table.In passive mode, after receiving the packet, the open flow switch first finds the forwarding target port on the local flow table.If there is no match, the open flow switch forwards the data packet to the controller.The control layer determines the forwarding port and issues the flow table.The advantage of passive mode is that the network equipment does not need to maintain all flow tables.Only when the actual traffic is generated can the flow table records be obtained from the controller.When the records expire, the corresponding flow tables are deleted, so the storage space is greatly saved.

Bilinear Mapping
G 1 and G T are supposed as two multiplicative groups with the large prime number order q.A bilinear pairing e: G 1 × G 1 → G T satisfies the following properties [30].(i) Bilinearty: for any P, Q ∈ G 1 , a, b ∈ Z * q , there is e(aP, bQ) = e(P, Q) ab .(ii) Non-degeneracy: existing P, Q ∈ G 1 satisfies e(P, Q) = 1.(iii) Computability: for all P, Q ∈ G 1 , an algorithm exists to calculate e(P, Q).

Gap Diffie-Hellman (GDH) Groups
Given an additive group G generated by P, whose order is a prime p with λ bits, let a, b, and c be elements of Z * q .The following mathematical problems are detailed: • Computation Diffie-Hellman Problem (CDHP).Given P, aP, and bP, no PPT algorithm exists that is able to output abP with negligible probability negl(K).
Group G is the GDH group if a probabilistic algorithm exists to solve DDHP in polynomial time; however, no probabilistic algorithm can solve CDHP with a non-negligible advantage within polynomial time.

Short Signature Scheme (BLS)
In 2001, a short signature scheme (BLS) based on pairing cryptography was proposed by Boneh et al. [31].The length of the signature is only half of the digital signature algorithm (DSA).Thus, BLS can guarantee the lower communication cost in VANETs.The BLS scheme is expressed as follows: Setup.Private key generator (PKG) chooses an cycle addition group G 1 and cycle multiplication group G T generated by prime q, a bilinear mapping e : G 1 × G 1 → G T , P is the generator of G 1 , and hash function: Extract.The signer randomly chooses r ∈ Z * q as its long term private key and gets the public key P pub = rP.
Sign.For message M, the signer calculates the signature as: V = rH 0 (M).
Verify.During verifying V, the verifier checks whether e(P pub , H 0 (M)) == e(P, V) is satisfied.If yes, then the verifier accepts the message M. Otherwise, the message M is refused.

The Proposed Scheme
In this section, the details of the proposed scheme are presented, which include network architecture, trust model, system initialization, registration protocol, and authentication protocol.The relevant symbols and descriptions are first given in Table 2.

Network Architecture
This part describes the secure communication network architecture based on SDN.As depicted in Figure 3, the below entities are incorporated for deploying the system.Trust authority (TA) is liable for computing and broadcasting system parameters.Meanwhile, the TA provides public keys and private keys for vehicles registered in DMV.
Moreover, the TA communicates with the SDN controller to provide the vehicles' public keys for supporting anonymous authentication.
SDN controller is considered as the global intelligence to control all network behaviors.SDN controller communicates with TA to obtain vehicles' public keys and relay them to SDN RSU controllers.
SDN RSU controllers are deployed into base stations, which are mainly responsible for vehicle identity management.Furthermore, in order to support the authentication protocol, SDN RSU controllers periodically send vehicles' information to RSUs.
RSUs use the information stored from SDN RSU controller to verify the legality of vehicles.Once the vehicles are thought to be legal, RSUs are able to provide the services for the vehicles.
Vehicles equipped with OBUs adopt DSRC and IEEE WAVE standard to communicate with the surrounding vehicles and RSUs to obtain various services.

Threat Model
The proposed threat model is built on the network architecture.The DMV, TA, and SDN controller are assumed to be fully trusted entities.Any adversary cannot compromise and breach them.SDN RSU controllers and RSUs are honest but curious, which means that these entities follow the proposed scheme, but may attempt to obtain vehicles' privacy through the received message.Vehicles are vulnerable and easily breached by adversaries.As a result, these vehicles are the most likely to threaten the safety of VANETs.
DMV, TA, and SDN controllers can resist external attacks.Since the DMV, TA, and SDN controller are maintained by the government or regulator, the proposed scheme defaults so that it is impossible to be attacked from an internal source.
RSU controllers may try to obtain the identities, location, and transmitted message of a vehicle, which indicates that they may find the real ID and the trajectory of the vehicle from the stored data, so as to associate it with the owner's identity information and privacy.
RSUs are curious about the real identities of the vehicles.Since vehicles need to connect to the backbone network through RSUs, RSUs are likely to be interested in the data forwarded, so as to obtain the owners' hobbies, occupations and other useful information.Moreover, as each vehicle needs to broadcast a beacon regularly, RSUs may be very inquisitive about the vehicles' trajectories when receiving this information.
Vehicles can not only pretend to be legitimate users to communicate with other entities, but also forge false messages to worsen the road service level and traffic safety.
External adversaries have the ability to eavesdrop on communication channels and collect the messages to violate vehicles privacy.Furthermore, external adversaries have the ability to impersonate an RSU or vehicle to obtain the privacy of other vehicles.

System Initialization
The TA is required to generate system parameters of VANETs during system initialization.The details are depicted as follows: The TA chooses an additive group and a multiplicative group G 1 , G T , respectively, where the prime order is q and the generator is P. (ii) A bilinear pairing e: G 1 × G 1 → G T , and four hash functions H 2 : {0, 1} * → Z * q , and H 3 : {0, 1} * × G 1 → Z * q are selected.(iii) TA chooses SK TA ∈ Z * q as the master key and PK TA = SK TA P as the public key.In addition, K ∈ {0, 1} n is selected as a secret key.

Vehicle Registration Protocol
After submitting the basic information to the DMV, the vehicle needs to upload its real identity to the TA and apply for registration.The details are shown as Figure 4. Finally, the TA encrypts PS i v , PK i v , SK i v , and N 1 to get The TA sends C TA−v to the vehicle.
(ix) When receiving C TA−v , the vehicle generates the session key with the TA K v−TA = aPK TA and decrypts C TA−v to get PS i v , PK i v , SK i v , and N 1 .Then, the vehicle checks N 1 .If N 1 is correct, the vehicle stores PS i v , PK i v , and SK i v ; otherwise, the vehicle discards C TA−v , and re-applies for registration.

RSU Registration Protocol
Before joining into VANETs, the RSU is required to execute RSU registration protocol and obtain its privacy key.RSU first submits ID RSU to the TA via a secure channel.When receiving ID RSU , the TA needs to check the legality of ID RSU .If the RSU is valid, the TA generates SK RSU = SK TA H 1 (ID RSU ) and sends it to the RSU.When obtaining SK RSU , the RSU is able to generate the legal signature through the IBPS mechanism proposed by [32].

V2I Authentication Protocol
The V2I authentication protocol is executed when the vehicle and RSU need to prove their legality to each other.The details are depicted in Figure 5.
The RSU sends C v−RSU to the vehicle.(vi) The vehicle decrypts C v−RSU and verifies N 3 .If N 3 is legal, the secure bi-tunnel between the vehicle and RSU is established.(vii) During the communication between the vehicle and RSU, the RSU needs to send the pseudonyms and public keys of other vehicles to the vehicle for future V2V authentication.

Input:
RSU true identity ID RSU , timestamp TS 1 , challenge value N 2 , RSU privacy key SK RSU Output: RSU signature Sign RSU 1: Choose a random number r ∈ Z * q

V2V Authentication Protocol
The V2V authentication protocol is executed when the vehicle v and the vehicle v needs to prove their legality to each other.The details about the V2V authentication protocol are depicted in Figure 6.(iii) Vehicle v first checks the freshness of TS 3 , and then selects , where TS 4 is the current timestamp and N 5 is the challenge value.Finally, v encrypts N 4 to get When the message from v , v confirms the freshness of TS 4 .Then, v queries PK i v and verifies Sign v .If v is thought as a legal vehicle, v computes If N 5 is legal, then the secure bi-tunnel between v and v is built.Otherwise, the V2V authentication has failed.

Vehicle Revocation Protocol
When the vehicle v misbehaves, vehicle revocation protocol is executed.The details are shown in Figure 7.The SDN RSU controller removes all local pseudonyms PS i v , public keys PK i v , expirations EXP i v and broadcasts the newest identity information of vehicles to another SDN RSU controller.(vi) All legal vehicles are able to obtain the newest identity information of surrounding legal vehicles, which include the pseudonyms, public key, and expirations.

Security and Privacy Analysis
In this section, we present the security and privacy analysis of PAS in the following aspects in terms of the requirement proposed by [33].

Security Analysis (i)
Anonymity.In the vehicle registration phase, the TA conceals the vehicle's true identity ID v into PS i v , where PS i v = H 2 (ID v ||r i ), r i is the random number selected by the TA.As a result, adversaries have to launch the second-preimage attack to find x, where x meets H 2 (ID v ||r i ) == H 2 (x).However, due to the feature of weak collision resistance for H 2 , the probability of finding x is quite low.(ii) Authentication.In VANETs, authentication includes identity authentication and message authentication.In PAS, all legal public keys are stored into the SDN RSU controller and only vehicles with legal private keys can generate legal signatures to participate in authentication.Thus, any adversaries cannot generate a set of legal pseudonyms, public keys, and private keys to participate in the authentication.In addition, since each signed message contains a timestamp, PAS is able to effectively resist replay attacks.The adversaries cannot forward the legal signature to the target disguised as a legal vehicle for authentication, which satisfies identity authentication.For message authentication, vehicles are required to adopt a BLS signature to prove the legitimacy of their identity.All legal public keys are stored into the SDN RSU controller, and adversaries cannot generate a set of legal pseudonyms, public keys, and private keys to participate in the authentication.Meanwhile, Refs.[31,32] have proved the security of the signature mechanism, which guarantees that the proposed scheme is able to resist an MOV attack.Furthermore, adversaries cannot obtain a session key unless the DH problem is solved.(iii) Accountability and credential revocation.VANETs require the whole network to own the ability to record the misbehaviors of vehicles in time and exclude these vehicles from the network.PAS supports removing illegal vehicles from VANETs.Once the illegal vehicle is identified, vehicle revocation protocol is triggered to remove the public keys of illegal vehicles.Thus, the corresponding real identities are exposed in time.Furthermore, accountability denotes non-repudiation, which means that all messages transmitted cannot be denied by the senders.In PAS, all signatures need to be verified by the public keys stored at the SDN RSU controller.Since the mapping between the public keys and the real identities of the vehicles are stored in the TA, the vehicles cannot deny their signature.Meanwhile, these signatures also imply the real identities of the vehicles.(iv) Restricted credential usage.In the proposed scheme, all legal public keys stored in the RSU SDN controller must be used within the validity period.Once the public key expires, the vehicle has to communicate with the TA again to obtain a new pseudonym, public key, and private key.Furthermore, each signature contains a timestamp and challenge value to resist a replay attack and Sybil attack.

Privacy Analysis
(i) Minimum disclosure.In authentication protocol, all authentication messages sent can only reveal the information required in the authentication process, but cannot expose more information.In PAS, the signed message only contains a pseudonym, timestamp, and challenge value-no additional messages need to be transmitted.(ii) Unlinkability.The unlinkability of vehicle identity and messages is vital to prevent vehicles from being tracked by external adversaries.PAS supports mainstream pseudonym exchange protocols, such as mix-zone, silent period, etc.These mechanisms guarantee that each vehicle identity cannot be linked through cooperation with surrounding vehicles.In addition, when the pseudonym is changed, the public key and private key of the vehicle are also changed.Therefore, in authentication and message transmission, adversaries have no way to link the different messages sent before and after the pseudonym change.(iii) Distributed resolution authority.As for the privacy of vehicles, a single authority is not allowed to reveal the vehicle identity, obtain the vehicle track, and revoke vehicle at the same time.In PAS, the mapping of the vehicle's real identity and pseudonym is maintained by the TA, the vehicle's public key and expiration list is protected by the SDN RSU controller, and the misbehavior verification and confirmation of illegal vehicles are performed by the SDN controller.It is not possible for any single authority to decide whether a vehicle can join VANETs or revoke a vehicle from VANETs.(iv) Perfect forward privacy.Due to active interference by adversaries, vehicles' long term secret keys are likely to be compromised in the future.Perfect forward privacy ensures that even if the secret key is leaked, the encrypted communication in the past will not be recovered.In PAS, given the public key of vehicle v: PK i v , there is no way for adversaries to compute the other public keys of vehicle v. Therefore, even if the secret key of a vehicle is known by the adversary, the adversary cannot obtain the privacy information of the message sent by the vehicle, which equips PAS with perfect forward privacy.

Performance Analysis
The proposed scheme (PAS) is compared with EAAP [13], TAAP [18], and LIAP [14] in computational cost and communication cost.In addition, Veins simulation framework [34] is introduced to test the performance of the schemes including average authentication delay and packet loss ratio.

Computational Cost
Computational cost refers to the total computation time required for authentication.Since the computational cost of bilinear pairing and point multiplication are thousands time of hash function: {0, 1} → Z * q , we focus on such high computation operations.In order to get the computational cost of each cryptographic operations, we adopted the pairing-based cryptography library [35] that provides interfaces and classes to support cryptographic operations based on bilinear pairing.The benchmark includes: the hardware platform with 2.6 GHz Intel(R) Core(TM) i7-6700HQ CPU, 2 GB RAM, operating system with Debian 9.4.The experiment adopted a bilinear map e : G 1 × G 1 → G T , where G 1 is the additive group, G T represents the multiplicative group, and the generator is P. Equation y 2 = x 3 + x mod p defines the curve, where p: 512 bits, and Solinas prime number q =160 bits.Table 3 shows the experiment results.For V2I anonymous authentication in EAAP, the vehicle is required to generate anonymous certificates.The vehicle first chooses temporary private keys r 1 , r 2 , . . ., r l ∈ Z * q and computes corresponding public keys Y k = g r k 2 , where l ≤ n, k = 1, 2, . . ., l, g 2 is the public parameter.Then, the vehicle selects µ, k 1 , k 2 ∈ Z * q and generates its anonymous certificate: , where B 1 , A 1 are public parameters, and T i ∈ is the vehicle authorization key (AK = {DID µ , T i , E i }).Finally, the vehicle computes the challenger c = H(DID and signature of message M: sig = g 1/(r k +H(M)) 1 . The vehicle sends M, sig, Y k , and Cert k to the verifier.When getting the packet from the vehicle, the verifier derives ) == e(g 1 , g 2 ).If it holds, M will be accepted; otherwise, it will be rejected.Therefore, the computational cost of EAAP includes 14 point exponentiation operations and 2 bilinear pairing operations.
In LIAP, vehicle chooses random number is the corresponding private key.The signatures of message M are computed: Then, PID i , M, PK R i , and σ i are sent to RSU.When receiving the message, RSU checks the equation e(σ 1 , P) == e(PID 1 i , If the equation holds, the signature is legal; otherwise, the RSU rejects it.Consequently, the computational cost of LIAP consists of six point-multiplication operations, three bilinear pairing operations, and three hash-to-point operations in G 1 . In PAS, vehicle needs to generate its signature Sign v = Sign_BLS_SK i v {PS i v , TS, N}, where Sign v = SK i v H 1 (PS i v ||TS||N).When receiving the signature, RSU checks e(P, Sign v ) == e(PK i v , H 1 (PS i v ||TS||N)) to verify the legality of vehicle.Thus, the communicational cost includes one point multiplication-operation, two bilinear pairings operations, and two map-to-point hash function operations in G 1 .
The computational cost of each scheme is shown in Table 4.We can see that PAS owns the lowest computational cost compared with other ones.

Communication Cost
Communication cost is defined as the total size of messages contained in VANETs in order to achieve mutual authentication.According to [36,37], for type A pairing with respect to 80 bits security level, the size of p is 64 bytes.A point on the group of points E(F q ) consists of x and y coordinates.This means that the size of each element in G 1 is 64 × 2 = 128 bytes, whilst that of each element in G 2 is 20 × 2 = 40 bytes.In addition, the size for a general hash function in Z * q , an expiration, and a timestamp were considered to be 20 bytes, 4 bytes, and 4 bytes, respectively.As the basic configuration message is the same in VANETs, we only considered the size of the signature on the message with the corresponding vehicle's identity.
In this section, we use Veins [34] to test the performance of PAS and the other three schemes with regard to average authentication delay and packet loss ratio.Veins is an open source network framework.As a comprehensive model, veins can be used for rapid setup and interactive operation simulation through the GUI and IDE of OMNeT++ and Sumo, which guarantees that VANETs simulation is as real as possible without sacrificing speed.In the simulation, we adopt the real map of Tianhe District in Guangzhou, China, obtained from OpenStreetMap.The SUMO NET map of Guangzhou, and simulation parameters are shown in Figure 8, and Table 6, respectively.The Pairing-Based Cryptography (PBC) Library, Crypto++ Library

V2I Average Authentication Delay
The V2I average authentication delay is defined as the average of the time taken by the RSU and all vehicles covered by the RSU to complete the authentication protocol.The equation of average authentication delay (AD) is depicted as follows: where N is the number of vehicles within the communication range of RSU, T i end represents the end time of V2I authentication protocol, and T i start refers to the start time of V2I authentication protocol.
Figure 9 displays the simulation results of PAS, EAAP, TAAP, and LIAP in terms of V2I average authentication delay, with the number of vehicles ranging from 20 to 200.We can see that the average authentication delay tends to increase steadily with the increasing number of vehicles.Due to limited channel bandwidth, the high computational cost and communication cost, EAAP, TAAP, and LIAP lead to longer average authentication delay.Moreover, with the increase of the number of vehicles, the efficiency of RSU continues to decrease, while the average authentication delay of PAS holds steady.

Packet Loss Ratio
Packet loss ratio (PR) is defined as the percentage of dropped packets in total sent packets.The equation to compute PR is depicted as follows: where N refers to the number of vehicles within the communication range of RSU, D i represents the number of data packets dropped, and R i is the total number of packets sent.
Figure 10 shows the relationship between PR and the number of vehicles within the RSU.In V2I authentication, due to the limitation of network bandwidth, with the increase in vehicles, the signal-to-noise ratio (SNR) is decreasing.At the same time, when a large number of vehicles send messages to the RSU, a channel congestion issue has to be faced, which results in PR increasing.EAAP, TAAP, and LIAP require vehicles and RSUs to send request/response packets, which causes a longer transmission delay and a higher PR compared with PAS.

Discussion
In terms of the high identity management cost and low authentication and communication efficiency, PAS adopts BLS signature mechanism and SDN to propose a privacypreserving authentication scheme, which includes registration protocol, V2I authentication protocol, V2V authentication protocol, and vehicle revocation protocol.Compared with the traditional authentication schemes, PAS has the following advantages: • PAS alleviates the high computational cost and communication cost caused by certificate generation, transmission and verification, which improves authentication efficiency.

•
Since the traditional schemes focus on the authentication of vehicle identity and ignore the establishment of a secure tunnel for reliable data transmission, PAS requires the ve-hicle to store the key negotiation parameters in a signed message.Once authenticated, the vehicle assumes that the message can be sent and received safely and reliably.• By integrating SDN, it is more convenient to dynamically update the public keys of vehicles, which improves the flexibility of vehicle management.
However, in order to support the large-scale deployment of VANETs, there are several problems that must be addressed.

•
Multi-hop packet routing and forwarding mechanism-As the vital part of data transmission in VANETs, multi-hop packet routing and forwarding mechanism supports vehicles to interact with other vehicles across a wider range.However, due to the high-speed of vehicles and the rapid change in network topology, it is difficult to find an appropriate intermediate node for data transmission between the source node and the destination node, resulting in unstable communication between vehicles with a long distance between them.As a result, establishing a new multi-hop packet routing and forwarding mechanism to improve the stability of data transmission and ensure the reliability of data is very important for the rapid promotion of VANETs.• Pseudonym change mechanism-In order to protect the location privacy, the vehicles need to periodically change their identity to prevent the tracking from adversaries.However, the traditional pseudonym change schemes are severely limited by the environment in which the vehicles are located, and cannot change the pseudonym in areas with low vehicle density safely.Therefore, proposing an efficient pseudonym change scheme is crucial to protect the location privacy of vehicles.• Data-sharing mechanics-The data-sharing mechanism supports the vehicles to obtain the required data in time and improves the driving experience.However, it is easy for the adversaries to forge the shared data and confuse the surrounding vehicles in VANETs.The traditional data-sharing mechanisms usually face the problems of complex access control mechanism and low efficiency of data sharing.Therefore, designing a secure and efficient data-sharing mechanism is very important to support the rapid development of VANETs.

Conclusions
Authentication is considered to be the vital approach to guarantee the security of VANETs.This paper proposes a privacy-preserving authentication scheme based on SDN for VANETs (PAS).In PAS, SDN is introduced to provide identities management, anonymous authentication, and revocation for vehicles.The pseudonym maintenance costs of TA and RSU are reduced, and the computational cost in V2I and V2V authentication is improved.Security analysis and performance analysis show that the proposed scheme is secure and efficient.
In future work, we will explore the pseudonym change schemes based on adaptive privacy metrics, where vehicles are able to choose the most appropriate pseudonym change strategy according to the actual scene to keep the balance between security and efficiency.

Figure 3 .
Figure 3. Network architecture.Department of Motor Vehicles (DMV) provides necessary management service for vehicles, such as registration, user change, transfer, mortgage, and cancellation registration.Vehicles need to apply for registration with DMV.Trust authority (TA) is liable for computing and broadcasting system parameters.Meanwhile, the TA provides public keys and private keys for vehicles registered in DMV.

Figure 4 .
Figure 4. Vehicle registration protocol.(i)Vehiclesubmits its real ID information to the DMV offline, such as the owner's identity, to apply for registration.(ii) The DMV confirms the validity of the received information.If considered a legal vehicle, the vehicle will receive an identity confirmation message.Meanwhile, the DMV will send vehicle information to the TA via a secure channel.(iii) The vehicle chooses a ∈ Z * q as the key agreement parameter, and random number N 1 as the challenge value.Then, the vehicle computes aP and ciphertext C v−TA , whereC v−TA = Enc_ECIES_PK TA {ID v , aP, N 1 }.(iv)The vehicle sends C v−TA to the TA for registration.(v) When receiving C v−TA from the vehicle, the TA takes the private key SK TA to decrypt C v−TA and obtains ID v , aP, N 1 .Then, the TA verifies the legality of ID v , depending on the information from the DMV.If ID v is legal, then the TA computes the vehicle multiple pseudonyms PS i v = H 2 (ID v ||r i ), private keys SK i v ∈ Z * q , and public keys PK i v = SK i v P, where r i is the random number without repetition.(vi) The TA sends multiple pseudonyms, public keys, and expirations to SDN RSU controllers via the SDN controller.The RSU SDN controller stores them locally.(vii) The TA stores vehicle information and computes session key K TA−v = SK TA aP.Finally, the TA encrypts PS i v , PK i v , SK i v , and N 1 to get C TA−v = Enc_AES _ K TA−v {PS i v , PK i v , SK i v , N 1 }.(viii) The TA sends C TA−v to the vehicle.
its true identity ID RSU , timestamp TS 1 , and challenge value N 2 through the signature mechanism shown in Algorithm 1 to get Sign RSU = Sign_IBPS_SK RSU {ID RSU , TS 1 , N 2 }.Then, the RSU broadcasts ID RSU , TS 1 , N 2 , and Sign RSU .(ii) When entering the signal coverage of RSU, the vehicle can receive the broadcast message from the RSU.The vehicle first checks the freshness of TS 1 ; if TS 1 is not fresh, the authentication has failed.Otherwise, the vehicle checks e(V, P) == e(H 1 (ID RSU ||TS 1 ||N 2 ), P Pub ) e(H 1 (ID RSU ||TS 1 ||N 2 ), W) to verify Sign RSU .If the verifications are successful, then the vehicle computes session key K v−RSU = SK i v W. Finally, the vehicle adopts the BLS signature mechanism [31] to sign PS i v , timestamp TS 2 , and challenge value N 3 to get Sign
(i) Vehicle v chooses its pseudonym PS i v and generates signature Sign v = Sign_BLS_SK i v {PS i v , TS 3 , N 4 }, where TS 3 is the current timestamp, N 4 is the challenge value.(ii) v sends PS i v , TS 3 , N 4 , and Sign v to v .
(i)Other vehicle (e.g., v ) is able to send PS i v to the RSU via a secure bi-tunnel.(ii) When receiving the message from v , the RSU forwards the pseudonym to the SDN controller via the SDN RSU controller.(iii) The SDN controller confirms the vehicle v's misbehaviors and sends a request for the TA to obtain all pseudonyms of v. (iv) TA queries all pseudonyms of v and sends these pseudonyms to the SDN RSU controller via the SDN controller.(v) the verifier verifies the signature: e(sig, Y k • g H(M) 2

Figure 9 .
Figure 9. Average authentication delay of each scheme.

Figure 10 .
Figure 10.Packet loss ratio of each scheme.

Table 1 .
Comparison of the related schemes.

Table 2 .
Symbols and descriptions.
A The true identity of A PK A /SK A The public and private key of A K A−B The shared key between A and B C A−B The ciphertext generated by A and sent to B A {M} Using PK A to encrypt message M through ALG algorithm Sign_ALG_SK A {M} Using SK A to sign message M through ALG algorithm Enc_ALG_K A−B {M} Using K A−B to encrypt message M through ALG algorithm Then, the RSU selects the vehicle public key PK i v according to PS i v and checks e(P, Sign v ) == e(PK i v , H 0 (PS i v ||.TS 2 ||N 3 )) to verify Sign v .If Sign v is legal, the vehicle is considered a legal vehicle.Afterwards, the RSU generates the session key K v−RSU = rPK i v and decrypts C v−RSU to check N 2 .Finally, the RSU encrypts N 3 to get The vehicle sends PS i v , TS 2 , N 3 , Sign v , and C v−RSU to the RSU.(iv) Once obtaining the message from vehicle, the RSU confirms the freshness of TS 2 .If TS 2 is fresh, then the RSU continues to confirm whether PS i v is stored in the local database.If there is no PS i v , RSU sends request to SDN RSU controller and obtains the latest data.

Table 3 .
The execution time of pairing and element functions.

Table 4 .
The computational cost of each scheme.

Table 5 .
The communication cost of each scheme.