Improvement of a Conditional Privacy-Preserving and Desynchronization-Resistant Authentication Protocol for IoV

Abstract

In Internet of Vehicles (IoV), the secure data transmission between vehicles and transportation infrastructure effectively ensures the safety and fast driving of vehicles, while authentication and key agreement protocols between vehicles and transportation infrastructure (V2I) play an important role in ensuring data security and user privacy. However, how to design a provably secure and lightweight V2I authentication protocol for IoV is a challenge. Recently, Kumar et al. proposed a conditional privacy-preserving and desynchronization-resistant authentication protocol for IoV, but we find that Kumar et al.’s scheme is vulnerable to identity guessing attacks, impersonation attacks, and a lack of session key secrecy once the attacker obtains data stored in smart card through side-channel attacks. We also point out that Kumar et al.’s protocol is vulnerable to Roadside Unit (RSU) captured attacks and lacks perfect forward secrecy. Therefore, we propose an improved V2I authentication protocol for IoV, which uses the Physical Unclonable Function (PUF) to resist RSU captured attacks, and designed a three-factor secrecy strategy to resist side-channel attacks; a conditional privacy-preserving strategy was also adopted to achieve anonymity and malicious user tracking. Furthermore, the proposed protocol is provably secure under the random oracle model and has low computation and communication costs.

1. Introduction

In the construction of smart cities, Intelligent Transportation Systems (ITS) and the Internet of Vehicles (IoV) have become key technologies for improving traffic efficiency and driving safety [1]. The IoV leverages on-board units (OBUs) and wireless communication technologies to facilitate communication among vehicles and other entities. Based on specific application scenarios, it can be divided into two categories: vehicle-to-vehicle (V2V) and vehicle-to-infrastructure (V2I) [2,3]. The general entity of the system architecture of the IoV is shown in Figure 1, which contains vehicles, Roadside Units (RSUs), and Trusted Authority (TA). An OBU is a device mounted on a vehicle that is considered to have limited computing, storage, and communication capabilities; RSUs are curbside infrastructure with more computing and communication capabilities than OBUs; TA can provide the IoV with system initialization and entity registration as well as node authentication. Vehicles often exchange and share road information around them, such as road congestion, vehicle location, speed, etc., with other entities (such as other vehicles, RSUs). This information can help the vehicle dynamically judge the road traffic flow, thereby improving the experience of driver and traffic operation efficiency.

However, due to the fact that the information exchange between vehicles and other vehicles or Roadside Units (RSUs) takes place over public channels, it is susceptible to different attacks, such as privacy breaches, impersonation attacks, ID/password guessing attacks, RSU hijacking attacks, and more. Particularly, with the extensive application of smart cards (SCs) in the authentication field, the attackers employ various hardware and software attack methods in their attempts to access the information stored within smart cards [4]. Therefore, designing a security authentication and key agreement scheme based on SCs is still a challenge.

Motivation and Contributions

Through the analysis of existing IoV authentication protocols, we identified certain deficiencies in several of the existing authentication protocols, such as high computational costs, a lack of multi-factor secrecy and no known session key secrecy, and also found that they may suffer from ID/password guessing attacks, RSU captured attacks and so on. Recently, Kumar et al. [5] proposed a conditional privacy protection and desynchronization-resistant authentication scheme for IoV. However, we found that Kumar et al.’s [5] scheme suffers from several attacks. To solve these problems, we proposed a secure and efficient V2I authentication scheme for IoV. The contributions of this article are as follows:

• Firstly, we point out that Kumar et al.’s protocol cannot resist identity guessing attacks, impersonation attacks and no session key secrecy when the attacker obtains data stored in SC through side-channel attacks, as well as that it is vulnerable to RSU captured attacks and lacks perfect forward secrecy.
• Secondly, we propose a lightweight V2I authentication protocol based on PUF and the Fuzzy Extractor algorithm for the IoV. In particular, we used PUF to resist RSU captured attacks, designed a three-factor secrecy strategy to resist side-channel attacks, and also adopted a conditional privacy-preserving strategy to achieve anonymity and malicious user tracking.
• Our proposed protocol is provably secure under the random oracle model. In comparison to various related protocols, our protocol demonstrates resilience against a range of known attacks and offers lower computational and communication costs.

The remaining part of this article is as follows. Section 2 presents a summary of the related work. Section 3 provides the preliminaries, and Section 4 reviews Kumar et al.’s scheme. Section 5 analyzes the security of Kumar et al.’s scheme. In Section 6, the proposed scheme is introduced. Section 7 presents formal and information security analysis of the proposed scheme. In Section 8, we present security and performance comparisons with related protocols. Finally, the study is concluded in Section 9.

2. Related Work

Because of the openness and dynamic nature of the IoV, the communication process is faced with many security threats such as tracking, eavesdropping and so on. To improve the security and efficiency, many V2I authentication schemes have been proposed.

PKI (Public Key Infrastructure) is a system of technologies, processes, and policies that enable the secure management and distribution of digital certificates, which are used for authentication and encryption in various applications such as secure communication, digital signatures, and secure online transactions. In 2007, Raya and Hubaux [6] presented a PKI-based authentication scheme that uses a large number of pseudonyms to improve user privacy. Joshi et al. [7] also designed a PKI-based authentication scheme, which tests the validity of the broadcast beacon based on a PKI-based signature. Sun et al. [8] proposed a pseudonymous authentication scheme to provide strong privacy, which permits the RSU to provide services of distributing certificates and vehicles to renew their certificates on road. Although using a pseudonym instead of a real name can protect the user’s privacy, complete anonymity should not be allowed because malicious vehicles may perform malicious operations, such as sending forged messages or modifying the valid messages. To address this issue, Cui et al. [9] proposed conditional privacy-preserving authentication (CPPA) using edge computing for vehicular ad hoc networks (VANETs). In their scheme, TA can track and obtain the real identity of vehicles by analyzing the pseudonym extracted from their messages and revocation malicious vehicles. Liu et al. [10] provided a CPPA authentication scheme using short-term regional certificates. However, certificate exchange is a drawback in the authentication process. These PKI-based authentication schemes can improve the security of VANETs, but there are some obvious common defects. Firstly, the trusted authority needs to preload massive private/public keys and corresponding certificates in vehicles, which leads to some problems, such as limited vehicle storage, inefficient certificate management, and high deployment costs. Meanwhile, as the quantity of malicious vehicles grows, the speed and efficiency of searching for malicious vehicles in the Certificate Revocation List (CRL) will be affected.

In order to solve the issues in managing certificates, in 1984, Shamir [11] presented identity-based (ID-based) cryptography (IBC), which uses the user’s phone number or ID number as the public key and associates the user directly with the public key without the need for a certificate to associate the user identity with the public key. Thus, ID-based authentication protocols can solve the issues of certificate management. Zhang et al. [12] proposed an ID-based authentication scheme for VANETs and support batch verification. However, their scheme is not resistant to replay attacks and lacks non-repudiation. Liu et al. [13] also proposed an anonymous authentication protocol with batch verification for VANETs. Because these schemes use bilinear pairings and asymmetric encryption, they have high computational costs. In order to improve the efficiency, He et al. [14] designed an ID-based V2V and V2I authentication scheme without bilinear paring. Nevertheless, their scheme may divulge real identities, compromising privacy.

The design of lightweight cryptographic protocols has garnered attention from researchers because V2I authentication protocols based on public key cryptography or bilinear pairs require high computational complexity. In 2019, Ma et al. [15] presented a lightweight authentication scheme for VANETs without bilinear paring. In 2023, Saleem et al. [16] presented a lightweight physically secure authentication scheme in VANETs. Because RSU is installed in an unmanned environment, it is easy for attackers to capture and launch a series of attacks [17]; therefore, these two schemes cannot resist RSU captured attacks. Since PUF can effectively protect data stored in RSUs, some lightweight V2I authentication protocols based on PUF have been proposed. In 2021, Othman et al. [18] presented a physically secure CPPA scheme based on PUF and secret sharing. In 2023, Xie et al. [19] designed a V2I and V2V authentication CPPA scheme based on Elliptic Curve Cryptography (ECC) and PUF. Unfortunately, Xie et al.’s [19] scheme cannot achieve three-factor secrecy. Xu et al. [20] also presented a three-factor CPPA scheme in VANETs. Duan et al. [21] demonstrated that Xu et al.’s [20] protocol is insecure; in the presence of an untrustworthy RSU, it has the ability to circumvent the Trusted Authority (TA) and establish a session key directly with the vehicle. To solve this issue, Duan et al. [21] proposed an improved scheme. However, Duan et al.’s [21] scheme lacks untraceable, known-session key secrecy and three-factor secrecy.

3. Preliminaries

In this section, we will briefly introduce some of the tools used in this article, such as Elliptic Curve Cryptography (ECC), the Fuzzy Extractor, PUF, the Network Model, and the Attack Model.

3.1. Elliptic Curve Cryptography

$F_P$ represents the finite field and $p$ represents a large prime number that denotes the size of a finite field. An elliptic curve $E$ over the finite field $F_P$ is defined by $y^2=x^3+ax+b(mod p)$, where $a,b\in F_P$, $(4a^3+27b^2)(mod p)\ne 0$. $G$ is the additive group with prime order $q$. $P$ is the generator of the addition group $G$. The infinity point $\mathrm{O}$ and the points of the curve form an elliptic curve additive group $\mathrm{G}$. The difficult problems based on curves are shown below.

• Elliptic Curve Discrete Logarithm Problem (ECDLP): The random points $Q=x\cdot P$ on $E$, where $Q,P\in G$, and $x\in Z_q^{\mathrm{*}}$. The computation of $x$ is hard in polynomial time.
• Computational Diffie–Hellman Problem (CDHP): The random point $Q=x\cdot P$ and $R=y\cdot P$ on $E$, where $Q,R,P\in G$ and $x,y\in Z_q^{\mathrm{*}}$. The computation of $xyP\in G$ is hard in a polynomial time when $x$ and $y$ are two unknown random numbers.

3.2. Fuzzy Extractor

We utilize a fuzzy extractor (FE) to transform biometric information into a uniformly random string, which is then used as the biometric key. This algorithm has two operations to function properly: $Gen(\cdot )$ and $Rep(\cdot )$ [22]. $Gen(\cdot )$ is a fuzzy extractor probabilistic generation function, which inputs biometric template ${BIO}_v$ and then outputs binary ${BSK}_v\in \left\{\mathrm{0,1}\right\}$ and a helper ${\epsilon }_v\in {\left\{\mathrm{0,1}\right\}}^{\mathrm{*}}$. We can generate biometric key pair $Gen\left({BIO}_v\right)=\{{BSK}_v,{\epsilon }_v\}$ using the biometric template by fuzzy extraction algorithm. The ${BSK}_v$ string is kept confidential, while ${\epsilon }_v$ is also stored. $Rep(\cdot )$ is a fuzzy extractor deterministic reproduction function. To recover biometric key ${BSK}_v$, the second operation $Rep\left({BIO}_v,{\epsilon }_v\right)={BSK}_v$ is employed to use the factors ${\epsilon }_v$ and ${BIO}_v$.

3.3. Physical Unclonable Function

We utilize the Physical Unclonable Function (PUF) to assist in securely storing secret parameters within the RSU. PUF is a hardware implementation circuit that utilizes chip characteristics to achieve unique, non-replicable, instance-specific functions [23]. As PUFs are generated during the chip manufacturing process, incorporating multiple random parameters, this guarantees its randomness and uncertainty. It establishes a unique relationship between the challenge $\mathcal{C}$ and response $\mathcal{R}$ signals by utilizing process parameter deviations in chip manufacturing, expressed as $\mathcal{R}=\mathrm{P}\mathrm{U}\mathrm{F}\left(\mathcal{C}\right)$, and can be regarded as a one-way function. In simpler terms, each integrated circuit has a distinct PUF, which means that no two circuits produce the same response ($\mathcal{R}$) for the same challenge ($\mathcal{C}$). This unique combination of challenge and response is referred to as a challenge–response pair.

Presently, PUF has gained significant usage in delivering essential security services, particularly authentication and key generation, within constrained environments like the Internet of Things (IoT). These contexts often demand a delicate equilibrium between power consumption and security. In numerous applications, PUF primarily serves the purpose of authenticating IoT devices and securely storing cryptographic keys. This is mainly because PUF has the following characteristics:

• Each physical device can provide a unique challenge–response pair, even when the same input challenge bits are used [24];
• Any attempt to alter the behavior of the device will impact the PUF outcomes and render the PUF inoperable [25];
• PUF can be regarded as a one-way function, which greatly guarantees safety features [26].

3.4. Network Model

The network model includes the Trusted Authority (TA), Roadside Units (RSUs) and vehicle (OBU). The notations used in the paper are organized and presented in

Table 1. List of notations.

Symbols	Meaning
${ID}_{TA}$, ${ID}_r$ and ${ID}_v$	Identity of TA, RSU and $VU$, respectively
${BIO}_v$	The biometric information of $VU$
${PW}_v$	The password of $VU$
${BSK}_v$	The biometric key of $VU$
${\epsilon }_v$	The reproduction parameter of $VU$
$K$	The private key of TA
$x_r$	The private key of RSU
$P_{pub}$	The public key of RSU
$\mathcal{A}$	The adversary or attacker
$h(.)$	The collision resistance one hash function
$E_{e/d}(.)$	The symmetric encryption/decryption
$\oplus$	The XOR operator
$+$	The normal addition operator
$\parallel$	The concatenation operator
$N_i$, $i\in [0\dots 7]$	The freshly generated random numbers
${\alpha }_i$, $i\in [1\dots m]$	The nonzero positive random number
${\beta }_i$, $i\in [1\dots n]$	The nonzero positive random number
$ctr$	The randomized counter
${\mathrm{t}}_0$, ${\mathrm{t}}_1$, ${\mathrm{t}}_2$, ${\mathrm{t}}_3$, ${\mathrm{t}}_4$	Timestamps

.

• Trusted Authority (TA): The TA can initialize the system and register the RSU and vehicle. In case of malicious activities, only the Trusted Authority (TA) has the ability to reveal the true identity of the vehicle.
• Roadside Units (RSUs): The RSUs are a series of roadside base stations that assist the TA in authentication and share information with the vehicle after negotiating the session key with the vehicle. In addition, the PUF is installed on the RSU.
• Vehicle (OBU): The OBU is deployed in the vehicle. The OBU is responsible for computation and communication with the vehicle and RSUs via wireless channels.

3.5. Attack Model

We assume that the TA is fully trusted and RSUs are honest and curious (semi-trusted). RSU may attempt to know private details regarding the vehicle, such as the real identity, location, trajectory, and so on. The Dolev–Yao (DY) adversary model [27] is widely used in the analysis of wireless network security. This model makes the following assumptions:

• The adversary has the capability to intercept messages transmitted over insecure wireless channels. By analyzing the intercepted messages, the adversary can forge valid messages as well as insert or modify the original messages.
• The adversary can steal valid users’ smart cards and sensing devices and gain access to stored values.
• The adversary can launch guessing, known specific session information, impersonation, and session key disclosure attacks based on the obtained values.

4. Review of a V2I Authentication Scheme

This section presents a brief review of Kumar et al.’s scheme [5].

4.1. System Initialization

Firstly, each RSU inputs its unique real identity ${ID}_r$ to TA. TA randomly chooses a fresh number ${\alpha }_i$ where $i\in \left[1\dots m\right]$, ${\alpha }_1\ne {\alpha }_2\ne \cdots \ne {\alpha }_m$. Then, TA calculates a group of pseudo identities ${RID}_i=E_K\left[{ID}_r\right.‖{ID}_{TA}\Vert {\alpha }_i]$ and assigns $\{{ID}_{TA},\left({RID}_i,{\alpha }_i\right)\}$ to RSU. Then, TA stores $h\left({ID}_r\right.‖K)$ into its database but does not store them in plaintexts. At the beginning of every session, RSU reselects the $\left({RID}_i,{\alpha }_i\right)$ pair and updates the set of $\left({RID}_i,{\alpha }_i\right)$ pairs periodically to keep the $RSU$ anonymous.

4.2. User Registration

Each $VU$ sends its real identity ${ID}_v$ to TA for registration. TA randomly chooses a fresh number ${\beta }_i$ where $i\in [1\dots n]$, ${\beta }_1\ne {\beta }_2\ne \cdots \ne {\beta }_n$. Then, $TA$ calculates a group of pseudo identities ${VID}_i=E_K\left[{ID}_v\right.‖{ID}_{TA}\Vert {\beta }_i]$. $TA$ initializes a counter as $ctr=N_0$, $N_0\in Z_p^{\mathrm{*}}$. $TA$ stores the tuple $\left\{h\left({ID}_v\right.‖K\right),ctr\}$ into its database, but does not store them in plaintexts, and transmits $SC=\{{ID}_{TA},({VID}_i,{\beta }_i),ctr\}$ to $VU$. $VU$ inputs its password ${PW}_v$ and computes parameters $PID=N_1\oplus h({ID}_v\Vert {PW}_v)$ and $AID=h\left({ID}_v\right.‖{PW}_v\Vert N_1)$. Finally, $VU$ inserts these parameters into $SC$, which contains $\{{ID}_{TA},PID,AID,({VID}_i,{\beta }_i),ctr\}$. At the beginning of every session, $VU$ selects the $({VID}_i,{\beta }_i)$ pair and updates the set of $({VID}_i,{\beta }_i)$ pairs periodically to keep the $VU$ anonymous.

4.3. User Login and Mutual Authentication

Under this phase, $VU$ performs user login and mutual authentication with RSU through TA and generates the session key through the authentication process.

Step 1. OBU → RSU: $m_1=\{{VID}_i,Q_1,C_1,{ctr}^{\mathrm{*}}\}$

$VU$ inserts its $SC$ into the OBU, and then inputs identity ${ID}_v$ and password ${PW}_v$. Then, OBU calculates $N_1=PID\oplus h({ID}_v\Vert {PW}_v)$ and verifies $AID?=h\left({ID}_v\right.‖{PW}_v\Vert N_1)$. If the verification is not valid, $VU$ re-enters the login credentials until exceeding the $maximum limit$ (${△}_{max}$). If the login is successful, OBU randomly selects a $({VID}_i,{\beta }_i)$ pair and chooses two fresh random numbers $N_2$ and $N_3$. Then, OBU calculates ${CK}_{VT}=h\left({ID}_v\right.‖{\beta }_i),$ $Q_1={CK}_{VT}\oplus h\left(N_2\right.‖{ID}_v)$ and the verification parameter $C_1=h\left({ID}_v\right.‖h\left(N_2\right.‖{ID}_v\left)‖{CK}_{VT}‖{ctr}^{\mathrm{*}}\right)$, where ${ctr}^{\mathrm{*}}=ctr+N_3$. Finally, $VU$ transmits the service access request $m_1=\{{VID}_i,Q_1,C_1,{ctr}^{\mathrm{*}}\}$ to RSU.

Step 2. RSU → TA: $m_2=\{{VID}_i,Q_1,C_1,{{RID}_i{,Q}_2,C_2,ctr}^{\mathrm{*}}\}$

While receiving messages from $VU$, RSU randomly chooses a $\left({RID}_i,{\alpha }_i\right)$ pair and generates a random number $N_4$. Then, RSU calculates ${CK}_{RT}=h\left({ID}_r\right.‖{\alpha }_i)$, $Q_2={CK}_{RT}\oplus h\left(N_4\right.‖{ID}_r)$ and $C_2=h\left({ID}_r‖{CK}_{RT}‖h\left(N_4\right.‖{ID}_r\right))$. Finally, RSU sends the message of authentication request $m_2=\{{VID}_i,Q_1,C_1,{{RID}_i{,Q}_2,C_2,ctr}^{\mathrm{*}}\}$ to a centralized TA.

Step 3. TA → RSU: $m_3=\{{RID}_i^{\mathrm{*}},{VID}_i^{\mathrm{*}},Q_3,Q_4,Q_5,Q_6,C_3,C_4\}$

While receiving messages from RSU, TA checks whether $ctr<{ctr}^{\mathrm{*}}$ is fresh or not. If not, TA rejects it. Otherwise, TA uses its secret key $K$ to decrypt ${VID}_i$ and ${RID}_i$, and obtains $({ID}_v,{ID}_{TA},{\beta }_i)$ and $({ID}_r,{ID}_{TA},{\alpha }_i)$, respectively. TA verifies whether $h({ID}_r\Vert K)$ and $h({ID}_v\Vert K)$ are available in its database or not. If not, the session is stopped. Otherwise, TA calculates ${CK}_{VT}=h\left({ID}_v\right.‖{\beta }_i)$, ${CK}_{RT}=h\left({ID}_r\right.‖{\alpha }_i)$, $h\left(N_2\right.‖{ID}_v)={CK}_{VT}\oplus Q_1$ and $h\left(N_4\right.‖{ID}_r)={CK}_{RT}\oplus Q_2$. Subsequently, TA updates $ctr$ as $ctr={ctr}^{\mathrm{*}}$ on successful verification of $C_2?=h\left({ID}_r‖{CK}_{RT}‖h\left(N_4\right.‖{ID}_r\right))$ and further verifies $C_1?=h\left({ID}_v\right.‖h\left(N_2\right.‖{ID}_v\left)‖{CK}_{VT}‖{ctr}^{\mathrm{*}}\right)$. TA computes ${\alpha }_i^{\mathrm{*}}=N_5$, ${\beta }_i^{\mathrm{*}}=N_6$, ${RID}_i^{\mathrm{*}}=E_K\left[{ID}_r\right.‖{ID}_{TA}\Vert {\alpha }_i^{\mathrm{*}}]$, ${VID}_i^{\mathrm{*}}=E_K\left[{ID}_v\right.‖{ID}_{TA}\Vert {\beta }_i^{\mathrm{*}}]$, $Q_3=N_2\oplus N_7\oplus {CK}_{RT}\oplus {ID}_v$, $Q_4=N_4\oplus N_7\oplus {CK}_{VT}\oplus {ID}_r$, $Q_5=h\left({CK}_{RT}\right)\oplus {\alpha }_i^{\mathrm{*}}$ and $Q_6=h\left({CK}_{VT}\right)\oplus {\beta }_i^{\mathrm{*}}$ where $N_5$, $N_6$ and $N_7$ are random numbers. TA calculates the verification parameters $C_3=h({RID}_i^{\mathrm{*}}\Vert (N_2\oplus N_7\oplus {ID}_v)\Vert {\alpha }_i^{\mathrm{*}})$ and $C_4=h({VID}_i^{\mathrm{*}}\Vert (N_4\oplus N_7\oplus {ID}_r)\Vert {\beta }_i^{\mathrm{*}}\Vert ctr)$ for RSU and VU, respectively. Finally, TA transmits the message of authentication response $m_3=\{{RID}_i^{\mathrm{*}},{VID}_i^{\mathrm{*}},Q_3,Q_4,Q_5,Q_6,C_3,C_4\}$ to RSU.

Step 4. RSU → OBU: $m_4=\{{VID}_i^{\mathrm{*}},Q_4,Q_6,C_4,Auth\}$

RSU computes ${{(N}_2\oplus N_7\oplus {ID}_v)=Q}_3\oplus {CK}_{RT}$ and ${{\alpha }_i^{\mathrm{*}}=Q}_5\oplus h\left({CK}_{RT}\right)$. Subsequently, RSU computes the session key $SK=h(N_2\oplus N_4\oplus N_7\oplus {ID}_v\oplus {ID}_r)$ and verifies $Auth?=h(SK\Vert {ctr}^{\mathrm{*}})$ and $C_3?=h({RID}_i^{\mathrm{*}}\Vert (N_2\oplus N_7\oplus {ID}_v)\Vert {\alpha }_i^{\mathrm{*}})$. Finally, RSU updates $R{ID}_i^{new}={RID}_i^{\mathrm{*}}$, ${\alpha }_i^{new}={\alpha }_i^{\mathrm{*}}$ and transmits $m_4=\{{VID}_i^{\mathrm{*}},Q_4,Q_6,C_4,Auth\}$ to $VU$.

Step 5. $Session key agreement$: $VU$ computes ${{(N}_4\oplus N_7\oplus {ID}_r)=Q}_4\oplus {CK}_{VT}$, ${{\beta }_i^{\mathrm{*}}=Q}_6\oplus h\left({CK}_{VT}\right)$ and verifies $C_4?=h({VID}_i^{\mathrm{*}}\Vert (N_4\oplus N_7\oplus {ID}_r)\Vert {\beta }_i^{\mathrm{*}}\Vert {ctr}^{\mathrm{*}})$. If the verification is successful, $VU$ computes a session key $SK=h(N_2\oplus N_4\oplus N_7\oplus {ID}_v\oplus {ID}_r)$ and updates $V{ID}_i^{new}={VID}_i^{\mathrm{*}}$, ${\beta }_i^{new}={\beta }_i^{\mathrm{*}}$ and verifies $Auth?=h(SK\Vert {ctr}^{\mathrm{*}})$. If the verification is successful, $VU$ accepts the session key $SK$ and continues the communication process; otherwise, the process is repeated.

5. Security Analysis of a V2I Authentication Scheme

In the section, we show some attacks on Kumar et al.’s [5] scheme.

5.1. Side-Channel Attacks

If the attacker steals the information in the user’s smart card through side-channel attacks and obtains the authentication information $m_1$ sent by the user, then the attacker can launch identity guessing attacks and impersonation attacks and can compute the session key.

• Identity guessing attacks/no anonymity: If an attacker knows the information $\{{ID}_{TA},PID,AID,({VID}_i,{\beta }_i),ctr\}$ in a user’s smart card through side-channel attacks, and the authentication information $m_1=\{{VID}_i,Q_1,C_1,{ctr}^{\mathrm{*}}\}$ transmitted via the public channel, where ${CK}_{VT}=h\left({ID}_v\right.‖{\beta }_i)$, $Q_1={CK}_{VT}\oplus h\left(N_2\right.‖{ID}_v)$ and $C_1=h\left({ID}_v\right.‖h\left(N_2\right.‖{ID}_v\left)‖{CK}_{VT}‖{ctr}^{\mathrm{*}}\right)$, then the adversary can guess ${ID}_v\mathrm{\prime }$ and find ${\beta }_i$ based on ${VID}_i$, compute ${CK}_{VT}\mathrm{\prime }=h\left({ID}_v\mathrm{\prime }\right.‖{\beta }_i)$, $h\left(N_2\right.‖{ID}_v)={CK}_{VT}\mathrm{\prime }\oplus Q_1$, and verify whether $C_1=h\left({ID}_v\mathrm{\prime }\right.‖h\left(N_2\right.‖{ID}_v\left)‖{CK}_{VT}\mathrm{\prime }‖{ctr}^{\mathrm{*}}\right)$ is correct or not. If yes, the guessed ${ID}_v\mathrm{\prime }$ is correct. Therefore, their scheme cannot achieve anonymity.
• No session key secrecy: Once the adversary can know the user’s identity ${ID}_v$ and ${CK}_{VT}$ from the above analysis and can obtain $m_4=\{{VID}_i^{\mathrm{*}},Q_4,Q_6,C_4,Auth\}$ from the public channel, then the adversary can compute ${{(N}_4\oplus N_7\oplus {ID}_r)=Q}_4\oplus {CK}_{VT}$, ${{\beta }_i^{\mathrm{*}}=Q}_6\oplus h\left({CK}_{VT}\right)$ and verifies whether $C_4=h({VID}_i^{\mathrm{*}}\Vert (N_4\oplus N_7\oplus {ID}_r)\Vert {\beta }_i^{\mathrm{*}}\Vert {ctr}^{\mathrm{*}})$ is correct or not. After successful verification, the adversary can calculate the session key $SK=h(N_2\oplus N_4\oplus N_7\oplus {ID}_v\oplus {ID}_r)$.
• Impersonation attacks: According to the above analysis, the adversary can know $\{{ID}_{TA},PID,AID,({VID}_i,{\beta }_i),ctr\}$ stored in smart card and can obtain user’s identity ${ID}_v$ and ${CK}_{VT}$, then they can launch impersonation attacks. The adversary randomly selects $({VID}_i,{\beta }_i)$, selects two fresh random numbers $N_2$ and $N_3$, and computes ${CK}_{VT}=h\left({ID}_v\right.‖{\beta }_i)$, $Q_1={CK}_{VT}\oplus h\left(N_2\right.‖{ID}_v)$ and the verification parameter $C_1=h\left({ID}_v\right.‖h\left(N_2\right.‖{ID}_v\left)‖{CK}_{VT}‖{ctr}^{\mathrm{*}}\right)$, where ${ctr}^{\mathrm{*}}=ctr+N_3$. Finally, the adversary transmits the service access request $m_1=\{{VID}_i,Q_1,C_1,{ctr}^{\mathrm{*}}\}$ to $RSU$. Obviously, it can pass through the authentication of TA and can establish the session key. So, their scheme is not resistant to impersonation attacks.

Remark 1.

The reasons why Kumar et al.’s scheme suffers from these attacks are that once the attacker can obtain information stored in the smart card through side channel attacks, the attacker can guess the user’s identity, and the authentication request depends on the unencrypted information stored in the smart card and the user’s identity. On the other hand, the generation of session key in their scheme does not use Diffie–Hellman value.

5.2. RSU Captured Attacks

Suppose the adversary captures a RSU and obtains the stored information $\{I{D}_{TA},(RI{D}_i,{\alpha }_i\left)\right\}$. For the message $m_3=\{RI{D}_i^{\mathrm{*}},VI{D}_i^{\mathrm{*}},Q_3,Q_4,Q_5,Q_6,C_3,C_4\}$, $N_7\oplus {CK}_{VT}=Q_4\oplus {ID}_r\oplus N_4$, where $N_7$ and $N_4$ are the random numbers selected by TA and RSU, respectively, ${ID}_r$ is RSU’s identity. RSU calculates $N_2\oplus N_7\oplus {ID}_v=Q_3\oplus {CK}_{RT}$, which can be translated to $N_2\oplus {ID}_v\oplus {CK}_{VT}=Q_3\oplus {CK}_{RT}\oplus Q_4\oplus {ID}_r\oplus N_4$, in 5.1, ${CK}_{VT}=Q_1\oplus \left(N_2\right.‖{ID}_v)$; therefore, $N_2\oplus {ID}_v\oplus {CK}_{VT}=N_2\oplus {ID}_v\oplus Q_1\oplus \left(N_2\right.‖{ID}_v)$, $N_2\oplus {ID}_v\oplus \left(N_2\right.‖{ID}_v)=Q_3\oplus {CK}_{RT}\oplus Q_4\oplus {ID}_r\oplus N_4\oplus Q_1$, where $Q_3$, ${CK}_{RT}$, $Q_4$, ${ID}_r$, $N_4$, and $Q_1$ are RSU’s known parameters, and the length of identity ${ID}_v$ is shorter than the random number $N_2$, in the output of $N_2\oplus {ID}_v\oplus \left(N_2\right.‖{ID}_v)$, ${ID}_v$ is easy to be recovered. So, their scheme cannot achieve user anonymity.

On the other hand, the adversary can also compute the session keys of all users authenticated with the captured RSU.

Remark 2.

The reason why their scheme suffers from this attack is because the secret values in RSU are not well protected due to, for instance, not using a physically unclonable function.

5.3. No Perfect Forward Secrecy

Suppose the adversary obtains the long-term key $K$, they can recover $N_2$, $N_4$, $N_7$, ${ID}_v$, and ${ID}_r$ from the messages transmitted publicly. Therefore, the previous and subsequent session keys $SK=h(N_2\oplus N_4\oplus N_7\oplus {ID}_v\oplus {ID}_r)$ can be calculated. The protocol has no perfect forward secrecy.

Remark 3.

The reason why their scheme cannot achieve perfect forward secrecy is that the generation of session key in their scheme does not use the Diffie–Hellman value.

6. Proposed Scheme

In this section, we introduce the proposed scheme. It is divided into six stages: system initialization, RSU registration, user registration, user login and authentication, password and biometric change, and malicious user tracking.

6.1. System Initialization

Firstly, TA chooses the cyclic additive group $G$ with order of $p$ and a generator $P$. TA chooses an elliptic curve $E$: $y^2=X^3+iX+j(mod p)$, where $i,j\in Z_p^{\mathrm{*}}$. TA chooses a secure one-way hash function $h(\cdot )$. TA randomly chooses a secret number $K\in Z_q^{\mathrm{*}}$ as the system’s primary key.

6.2. RSU Registration

TA generates secret numbers $x_r\in Z_q^{\mathrm{*}}$ and calculates the $P_{pub}=x_r\cdot P$ as the corresponding public keys. TA chooses ${ID}_r$ as the identity of RSU and computes ${PSID}_r=h({ID}_r\Vert K)$. Through a secure channel, TA uploads these parameters $\{x_r,{ID}_r,{PSID}_r\}$ into RSU. RSU randomly chooses challenge $C_r$ to generate their corresponding response $R_r=PUF\left(C_r\right)$. Then, RSU selects a random number $t_r$ and calculates ${sk}_r=x_r\oplus h(R_r\Vert t_r)$, ${PD}_r={PSID}_r\oplus h(t_r\Vert R_r)$ and stores $<C_r,{sk}_r,{ID}_r,{PD}_r,t_r>$.

Remark 4.

The reason for deploying PUF in RSUs and protecting their secret values with PUF is to resist RSU captured attacks.

6.3. User Registration

The $VU$ chooses $({ID}_v,{PW}_v)$ and submits ${ID}_v$ to TA via a secure channel. TA generates a random number $y_v$ and timestamp $t_v$ for each $VU$ and TA computes ${PID}_v=E_K\left[{ID}_v\right.‖y_v\Vert t_v]$, $A_v=h(I{D}_v\Vert K)$ and responses (${PID}_v,A_v$) to $VU$ via a secure channel. $VU$ inputs their biometric information ${BIO}_v$ on the reader to obtain $\{{BSK}_v,{\epsilon }_v\}=GEN\left({BIO}_v\right)$, and computes $C_v=h\left({ID}_v,{PW}_v,{BSK}_v\right)mod n$, ${PPID}_v={PID}_v⨁h\left({PW}_v,{ID}_v,{BSK}_v\right)$, ${PA}_v=A_v⨁h\left({PW}_v,{BSK}_v,{ID}_v\right)$, where $n\in (2^4,2^8)$, and stores $<G,p,P,{\epsilon }_v,C_v,{PPID}_v,h\left(\cdot \right),{PA}_v>$ into a Smart Card (SC).

Remark 5.

The reason for taking the modulus n in the verification equation$C_v=h\left({ID}_v,{PW}_v,{BSK}_v\right)mod n$ is to resist side channel attacks. Even if the attacker’s guessed identity and password can pass verification, when n = 256, there are $2^{32}$ pairs of identities and passwords, and the attacker cannot know which pair is correct. Meanwhile, it can achieve three-factor secrecy. On the other hand, the advantage of using the Fuzzy Extractor algorithm is that even if the user inputs a small difference in biometric information compared to the previous one, the same biometric key can still be restored.

6.4. User Login and Authentication

Firstly, User $VU$ inserts the SC into OBU of vehicle and inputs the ${ID}_v^{\mathrm{*}}$, ${PW}_v^{\mathrm{*}}$, and biometric information ${BIO}_v^{\mathrm{*}}$. The SC extracts ${BSK}_v^{\mathrm{*}}=Rep({BIO}_v^{\mathrm{*}},{\epsilon }_v)$ and checks whether $C_v=h\left({ID}_v^{\mathrm{*}},{PW}_v^{\mathrm{*}},{BSK}_v^{\mathrm{*}}\right)mod n$ or not, where $n\in (2^4,2^8)$. If not, SC terminates login process. Otherwise, SC computes ${PID}_v^{\mathrm{*}}={PPID}_v⨁h\left({PW}_v^{\mathrm{*}},{ID}_v^{\mathrm{*}},{BSK}_v^{\mathrm{*}}\right)$, $A_v^{\mathrm{*}}={PA}_v⨁h\left({PW}_v^{\mathrm{*}},{BSK}_v^{\mathrm{*}},{ID}_v^{\mathrm{*}}\right)$, and performs the authentication process. Figure 2 describes this process.

Step 1. OBU → RSU: $\{{CID}_v,{DID}_v,M_1,R_0,t_0\}$

The OBU chooses a random number $r$, $d$ and computes $R_0=r\cdot P$, $R_1=r\cdot P_{pub}$, computes the dynamic identity ${DID}_v={PID}_v^{\mathrm{*}}⨁h(R_1\Vert t_0)$, ${CID}_v=d⨁h(t_0\Vert R_1)$, $M_1=h\left(d,{ID}_v^{\mathrm{*}},{PID}_v^{\mathrm{*}},{DID}_v,A_v^{\mathrm{*}},t_0,{ID}_r\right),$ where $t_0$ is timestamp. Then, OBU sends $\{{CID}_v,{DID}_v,M_1,R_0,t_0\}$ to RSU on the public channel.

Step 2. RSU → TA: $\{{ID}_r,{DID}_v,{AID}_v,M_1,t_0,t_1\}$

While receiving the message from OBU, the RSU firstly checks the freshness of $t_0$. If the $t_0$ is fresh, the authentication continues; otherwise, RSU drops the message. The RSU computes $R_r=PUF\left(C_r\right)$ and recovers private key $x_r={sk}_r\oplus h(R_r\Vert t_r)$ and ${PSID}_r={PD}_r\oplus h(t_r\Vert R_r)$. The RSU calculates $R_1=x_r{\cdot R}_0$, ${PID}_v^{\mathrm{*}}={DID}_v⨁h(R_1\Vert t_0)$, $d={CID}_v⨁h(t_0\Vert R_1)$. The RSU computes ${AID}_v=h(t_1\Vert {DID}_v\Vert {PSID}_r)⨁({PID}_v^{\mathrm{*}}\Vert d)$, where $t_1$ is timestamp. Now, the RSU sends the message $\{{ID}_r,{DID}_v,{AID}_v,M_1,t_0,t_1\}$ to the TA.

Step 3. TA → RSU: $\{{BID}_v,t_2\}$

After TA receives the message from RSU, it first checks the freshness of $t_1$. Then, TA computes ${PSID}_r=h({ID}_r\Vert K)$, ${PID}_v^{\mathrm{*}}\Vert d=h\left(t_1\Vert {DID}_v\Vert {PSID}_r\right)⨁{AID}_v$, and uses system key $K$ to decrypt ${PID}_v^{\mathrm{*}}$, and obtains $\left(I{D}_v\parallel y_v\parallel t_v\right)=D_K\left[{PID}_v^{\mathrm{*}}\right]$ and computes $A_v^{\mathrm{*}}=h\left(I{D}_v\Vert K\right)$. TA verifies whether $M_1=h(d,I{D}_v,{PID}_v^{\mathrm{*}},{DID}_v,A_v^{\mathrm{*}},t_0,{ID}_r)$ is right or not. If yes, TA computes ${BID}_v=h({PID}_v^{\mathrm{*}}\Vert {PSID}_r\Vert t_2)$, where ${\mathrm{t}}_2$ is timestamp. After that, TA sends $\{{BID}_v,t_2\}$ to RSU.

Step 4. RSU → OBU: $\{M_2,R_2,t_3\}$

While receiving the message from TA, RSU checks the freshness of ${\mathrm{t}}_2$ and verifies whether ${BID}_v=h({PID}_v^{\mathrm{*}}\Vert {PSID}_r\Vert t_2)$ is right or not. If the equation holds, RSU chooses a random number $s$ and computes $R_2=s\cdot P$, $SK=h(d,R_0,R_2,({s\cdot R}_0),{PID}_v^{\mathrm{*}},{ID}_r)$, $M_2=h(SK,t_3,t_0)$, where ${\mathrm{t}}_3$ is the timestamp. The RSU sends the message $\{M_2,R_2,t_3\}$ to OBU.

Step 5. After receiving the message from RSU, OBU checks the freshness of $t_3$, and computes $SK=h(d,R_0,R_2,({r\cdot R}_2),{PID}_v^{\mathrm{*}},{ID}_r)$, and verifies whether $M_2=h(SK,t_3,t_0)$ is right or not. If yes, OBU and RSU share the session key $SK$.

Remark 6.

The purpose of using the Diffie–Hellman value when generating a session key is to achieve perfect forward secrecy.

6.5. Password Renewal and Biometric Change

If $VU$ want to change their password or hand over the vehicle to another user, $VU$ will follow the steps outlined below to change its biometric key.

The $VU$ inserts SC into OBU and inputs the identity ${ID}_v^{\mathrm{*}}$, password ${PW}_v^{\mathrm{*}}$ and biometric information ${BIO}_v^{\mathrm{*}}$. The SC extracts ${BSK}_v^{\mathrm{*}}=Rep({BIO}_v^{\mathrm{*}},{\epsilon }_v)$. Then, SC verifies $C_v?=h({ID}_v^{\mathrm{*}},{PW}_v^{\mathrm{*}},{BSK}_v^{\mathrm{*}})$. If the equation is valid, $VU$ is allowed to renew their password and biometric key; otherwise, it stops the process. If $VU$ wants to change their password, the SC computes the ${PID}_v={PPID}_v⨁h\left({PW}_v^{\mathrm{*}},{ID}_v^{\mathrm{*}},{BSK}_v^{\mathrm{*}}\right)$, $A_v={PA}_v⨁h\left({PW}_v^{\mathrm{*}},{BSK}_v^{\mathrm{*}},{ID}_v^{\mathrm{*}}\right)$, $C_{v_{New}}=h({ID}_v^{\mathrm{*}},{PW}_{v_{New}}^{\mathrm{*}},{BSK}_v^{\mathrm{*}}),$ ${PPID}_{v_{New}}={PID}_v⨁h\left({PW}_{v_{New}}^{\mathrm{*}},{ID}_v^{\mathrm{*}},{BSK}_v^{\mathrm{*}}\right)$, ${PA}_{v_{New}}=A_v⨁h\left({PW}_{v_{New}}^{\mathrm{*}},{BSK}_v^{\mathrm{*}},{ID}_v^{\mathrm{*}}\right)$. The SC replaces the values of $C_v$, ${PPID}_v$, ${PA}_v$ with $C_{v_{New}}$, ${PPID}_{v_{New}}$, ${PA}_{v_{New}}$ and stores these into memory.

If $VU$ wants to give the vehicle temporarily to another ${VU}_{New}$, they need to change the biometric key. ${VU}_{New}$ inputs their biometric information ${BIO}_{v_{New}}$ to obtain $\{{BSK}_{v_{New}},{\epsilon }_{v_{New}}\}=Gen\left({BIO}_{v_{New}}\right)$ via the fuzzy extractor. SC calculates $C_{v_{New}}=h({ID}_v^{\mathrm{*}},{PW}_v^{\mathrm{*}},{BSK}_{v_{New}})$, ${PPID}_{v_{New}}={PID}_v⨁h\left({PW}_v^{\mathrm{*}},{ID}_v^{\mathrm{*}},{BSK}_{v_{New}}\right)$, and ${PA}_{v_{New}}=A_v⨁h\left({PW}_v^{\mathrm{*}},{BSK}_{v_{New}},{ID}_v^{\mathrm{*}}\right)$ and replaces $({\epsilon }_v,C_v,{PPID}_v,{PA}_v)$ in memory with $({\epsilon }_{v_{New}},C_{v_{New}},{PPID}_{v_{New}},{PA}_{v_{New}})$.

6.6. Malicious User Tracking

After the RSU and a vehicle completing the mutual authentication and sharing a session key, they are able to encrypt traffic information through session key $SK$ for information transmission. Once RSU detects malicious behavior of the vehicle, it computes the $MP={PID}_v^{\mathrm{*}}⨁h({PSID}_r\Vert t_4)$, $M_3=h(MB,{PID}_v^{\mathrm{*}},{PSID}_r,t_4)$ and sends $\{{ID}_r,MP,M_3,t_4,MB\}$ to TA, where $MB$ means the message of malicious behavior. While receiving a message from the RSU, TA checks the freshness of $t_4$ and calculates ${PSID}_r=h\left({ID}_r\Vert K\right)$, ${PID}_v^{\mathrm{*}}=MP⨁h({PSID}_r\Vert t_4)$, and verifies whether $M_3=h(MB,{PID}_v^{\mathrm{*}},{PSID}_r,t_4)$ is right or not. If yes, TA computes $\left(I{D}_v\Vert y_v\Vert t_v\right)=D_K\left[{PID}_v^{\mathrm{*}}\right]$, and knows the identity of the malicious vehicle.

7. Security Analysis

7.1. Formal Security Proof

In this section, we provide a formal proof of the semantic security of the proposed protocol, utilizing the random oracle model.

Definition 1.

(Participants): The participants consist of the Vehicle User ($VU$), RSU and TA. In the $i\_th$ instance, the participants are represented as ${IN}_{VU}^i$, ${IN}_{RSU}^i$, and ${IN}_{TA}^i$

Definition 2.

(States): The status of oracle Accept indicates that it received the correct message.

Definition 3.

(Partnering): If the oracles ${IN}_{VU}^i$, and ${IN}_{RSU}^i$are in the “Accept” state and the session keys have been successfully agreed upon, the oracles obtain their respective session identities and participant identities. The oracles can be considered partners if their session keys, session identities, and participant identities are all identical.

In this model, the adversary $\mathcal{A}$ has access to the following queries:

• Queries: The queries simulate the capabilities of attackers, replicating their potential actions and abilities.
• $Execute({IN}_{VU}^i,{IN}_{RSU}^i,{IN}_{TA}^i)$: The adversary $\mathcal{A}$ has the capability to intercept all the messages exchanged over the wireless channel.
• $Send({IN}_{VU}^i,{IN}_{RSU}^i,{IN}_{TA}^i,m)$: $\mathcal{A}$ has the ability to forge the message $\mathrm{m}$ and sends it to ${IN}_{VU}^i$, ${IN}_{RSU}^i$, or ${IN}_{TA}^i$; if the message $\mathrm{m}$ is valid, ${IN}_{VU}^i$, ${IN}_{RSU}^i$, or ${IN}_{TA}^i$ will provide a response $\mathcal{A}$.
• $Reveal({IN}_{VU}^i,{IN}_{RSU}^i,{IN}_{TA}^i)$: $\mathcal{A}$ can obtain the agreed session keys between ${IN}_{VU}^i$, ${IN}_{RSU}^i$, and ${IN}_{TA}^i$.
• $Test({IN}_{VU}^i,{IN}_{RSU}^i,{IN}_{TA}^i,r)$: This query can be executed at most once, generating a random bit $r$, This query can be executed at most once, generating a random bit $r$, which returns the real session key if $r=1$; otherwise, a random number is returned.
• $Corrupt\left({IN}_{VU}^i\right)$: It simulates a side channel attack on the SC and returns the stored values $<G,p,P,{\epsilon }_v,C_v,{PPID}_v,h\left(\cdot \right),{PA}_v>$.
• $CorruptRSU\left({IN}_{RSU}^i\right)$: It simulates a side channel attack on the TPD of RSU and returns the stored information $<C_r,{sk}_r,{ID}_r,{PD}_r,t_r>$.

Definition 4.

(Freshness): An instance can be deemed fresh if it fulfills the following conditions:

• ${IN}_{VU}^i$,${IN}_{RSU}^i$, and ${IN}_{TA}^i$ are in Accept.
• The query $Reveal({IN}_{VU}^i,{IN}_{RSU}^i,{IN}_{TA}^i)$ has not been executed.
• The queries $Corrupt\left({IN}_{VU}^i\right)$ and $CorruptRSU\left({IN}_{RSU}^i\right)$ has been executed at most once.

Definition 5.

(Semantic security): $\mathcal{A}$ can only execute $Test({IN}_{VU}^i,{IN}_{RSU}^i,{IN}_{TA}^i,r)$ at most once and can make multiple additional queries to validate the accuracy of the return value from $Test({IN}_{VU}^i,{IN}_{RSU}^i,{IN}_{TA}^i,r)$. That is, $\mathcal{A}$ guesses the random bit $r$ generated by $Test$. The possibility is ${Adv}_P^A=|2\mathit{Pr}\left[suc\left(A\right)\right]-1|$, ${Adv}_P^A<\eta$ denotes the protocol is secure, where $\eta$ is sufficiently small.

Theorem 1.

The advantage of obtaining the session key in polynomial time by $\mathcal{A}$ is ${Adv}_P^A\le \frac{q_H^2}{2^{l_H}}+\frac{{\left(q_S+q_E\right)}^2}{n}+\frac{q_S}{2^{l_{bio}-1}}+2q_S{Adv}_{PUF}^A+2{Adv}_{ECDLP}^A$. Where $q_H$, $q_S$ and $q_E$ denote the numbers of executing Hash, Send and Execute, respectively. $l_H$, $n$, and $l_{bio}$ are the length of hash, the number of transcripts, and the length of biological key, respectively. The advantage of breaking PUF and ECDLP by $\mathcal{A}$ are ${Adv}_{PUF}^A$ and ${Adv}_{ECDLP}^A$, respectively.

Proof. 

The games ${Game}_i(0\le i\le 4)$ are defined to simulate the attacks initiated by $\mathcal{A}$. The variable ${Win}_i(0\le i\le 4)$ represents $\mathcal{A}$’s success in guessing the random bit $r$ in the ${Game}_i$. □

The games are defined as follows:

• ${Game}_0$: In this game, we simulate the actual attacks initiated by $\mathcal{A}$. Based on the given definition, we obtain the following results:

  $${\mathrm{A}\mathrm{d}\mathrm{v}}_{\mathrm{P}}^{\mathrm{A}}=|2\mathrm{Pr}\left[{\mathrm{W}\mathrm{i}\mathrm{n}}_0\right]-1|$$

  (1)
• ${Game}_1$: In this game, we simulate eavesdropping attacks where $\mathcal{A}$ has access to all the messages transmitted publicly. Then, $\mathcal{A}$ obtains all the messages transmitted between ${IN}_{VU}^i$, ${IN}_{RSU}^i$, and ${IN}_{TA}^i$ by executing $Execute({IN}_{VU}^i,{IN}_{RSU}^i,{IN}_{TA}^i)$. Then, $\mathcal{A}$ executes $Test({IN}_{VU}^i,{IN}_{RSU}^i,{IN}_{TA}^i,r)$ and attempts to guess whether the returned value corresponds to the session key. However, due to the presence of random numbers and ECDLP, the attacker is unable to determine the correlation between the captured messages and the session keys. Thus, we obtain the following:

  $$\mathrm{Pr}\left[{\mathrm{W}\mathrm{i}\mathrm{n}}_0\right]=\mathrm{Pr}\left[{\mathrm{W}\mathrm{i}\mathrm{n}}_1\right]$$

  (2)
• ${Game}_2$: In this game, we simulate collision attacks on the transcripts and hash results. According to the definition of the birthday paradox, the probability of a hash collision is less than $\frac{q_H^2}{2^{l_H+1}}$, and the collision probability of other transcripts is less than $\frac{{(q_S+q_E)}^2}{2n}$. Thus, we have:

  $$\mathrm{Pr}\left[{\mathrm{W}\mathrm{i}\mathrm{n}}_2\right]-\mathrm{Pr}\left[{\mathrm{W}\mathrm{i}\mathrm{n}}_1\right]\le \frac{{\mathrm{q}}_{\mathrm{H}}^2}{2^{{\mathrm{l}}_{\mathrm{H}}+1}}+\frac{{({\mathrm{q}}_{\mathrm{S}}+{\mathrm{q}}_{\mathrm{E}})}^2}{2\mathrm{n}}$$

  (3)
• ${Game}_3$: This game simulates that $\mathcal{A}$ executes $Corrupt\left({IN}_{VU}^i\right)$ and $CorruptRSU\left({IN}_{RSU}^i\right)$ to gain the stored information $<G,p,P,{\epsilon }_v,C_v,{PPID}_v,h\left(\cdot \right),{PA}_v>$ in the SC and $<C_r,{sk}_r,{ID}_r,{PD}_r,t_r>$ in RSU, where $C_v=h\left({ID}_v,{PW}_v,{BSK}_v\right)mod n$, ${PPID}_v={PID}_v⨁h\left({PW}_v,{ID}_v,{BSK}_v\right)$, ${PA}_v=A_v⨁h\left({PW}_v,{BSK}_v,{ID}_v\right)$, where $n\in (2^4,2^8)$ and ${BSK}_v$ is the biometric key. In addition, ${sk}_r=x_r\oplus h(R_r\Vert t_r)$, ${PD}_r={PSID}_r\oplus h(t_r\Vert R_r)$, and $R_r=PUF\left(C_r\right)$. If $\mathcal{A}$ wants to gain these parameters, they must guess the biological key ${BSK}_v$ or break PUF. Let us assume that the probability of A successfully breaking the PUF is denoted as ${Adv}_{PUF}^A$. Thus, we have:

  $$\mathrm{Pr}\left[{\mathrm{W}\mathrm{i}\mathrm{n}}_3\right]-\mathrm{Pr}\left[{\mathrm{W}\mathrm{i}\mathrm{n}}_2\right]\le {\mathrm{q}}_{\mathrm{S}}(\frac{1}{2^{{\mathrm{l}}_{\mathrm{b}\mathrm{i}\mathrm{o}}}}+{\mathrm{A}\mathrm{d}\mathrm{v}}_{\mathrm{P}\mathrm{U}\mathrm{F}}^{\mathrm{A}})$$

  (4)
• ${Game}_4$: $\mathcal{A}$ can obtain $R_0=r\cdot P$, $R_2=s\cdot P$ through the public channel, which are utilized for session key agreements based on the ECDLP. The simulation in the game assumes that $\mathcal{A}$ calculates the session keys based on the transcripts. We have:

  $$\mathrm{Pr}\left[{\mathrm{W}\mathrm{i}\mathrm{n}}_4\right]-\mathrm{Pr}\left[{\mathrm{W}\mathrm{i}\mathrm{n}}_3\right]\le {\mathrm{A}\mathrm{d}\mathrm{v}}_{\mathrm{E}\mathrm{C}\mathrm{D}\mathrm{L}\mathrm{P}}^{\mathrm{A}}$$

  (5)
  Since the session keys are generated independently and randomly, the advantage of guessing the value $r$ is equivalent to guessing the session key itself. We have:

  $$\mathrm{Pr}\left[{\mathrm{W}\mathrm{i}\mathrm{n}}_4\right]=\frac{1}{2}$$

  (6)
  Combining the above formulas, we have:

  $$\frac{1}{2}{\mathrm{A}\mathrm{d}\mathrm{v}}_{\mathrm{P}}^{\mathrm{A}}=\left|\mathrm{Pr}\left[{\mathrm{W}\mathrm{i}\mathrm{n}}_0\right]-\frac{1}{2}\right|\le \frac{{\mathrm{q}}_{\mathrm{H}}^2}{2^{{\mathrm{l}}_{\mathrm{H}}+1}}+\frac{{\left({\mathrm{q}}_{\mathrm{S}}+{\mathrm{q}}_{\mathrm{E}}\right)}^2}{2\mathrm{n}}+{\mathrm{q}}_{\mathrm{S}}\left(\frac{1}{2^{{\mathrm{l}}_{\mathrm{b}\mathrm{i}\mathrm{o}}}}+{\mathrm{A}\mathrm{d}\mathrm{v}}_{\mathrm{P}\mathrm{U}\mathrm{F}}^{\mathrm{A}}\right)+{\mathrm{A}\mathrm{d}\mathrm{v}}_{\mathrm{E}\mathrm{C}\mathrm{D}\mathrm{L}\mathrm{P}}^{\mathrm{A}}$$

  (7)

  $${\mathrm{A}\mathrm{d}\mathrm{v}}_{\mathrm{P}}^{\mathrm{A}}\le \frac{{\mathrm{q}}_{\mathrm{H}}^2}{2^{{\mathrm{l}}_{\mathrm{H}}}}+\frac{{\left({\mathrm{q}}_{\mathrm{S}}+{\mathrm{q}}_{\mathrm{E}}\right)}^2}{\mathrm{n}}+\frac{{\mathrm{q}}_{\mathrm{S}}}{2^{{\mathrm{l}}_{\mathrm{b}\mathrm{i}\mathrm{o}}-1}}+2{\mathrm{q}}_{\mathrm{S}}{\mathrm{A}\mathrm{d}\mathrm{v}}_{\mathrm{P}\mathrm{U}\mathrm{F}}^{\mathrm{A}}+2{\mathrm{A}\mathrm{d}\mathrm{v}}_{\mathrm{E}\mathrm{C}\mathrm{D}\mathrm{L}\mathrm{P}}^{\mathrm{A}}$$

  (8)

7.2. Informal Security Analysis

During this phase, we employ an informal security analysis to demonstrate the robustness of our proposed scheme against a range of well-known attacks.

• Anonymity and unlinkability: In the user authentication of our scheme, the OBU sends the dynamic identity ${DID}_v={PID}_v^{\mathrm{*}}⨁h(R_1\Vert t_0)$ instead of real identity ${ID}_v$ on the wireless channel. The adversary may listen and intercept information from the common channel to obtain ${DID}_v$, but it cannot obtain ${ID}_v$ because it is hidden in a pseudonym ${PID}_v$ and only TA can decrypt ${PID}_v$, and ${DID}_v$ includes a one-way hash function, a random number, and other parameters. Moreover, the RSU only knows the pseudonym ${PID}_v^{\mathrm{*}}={DID}_v⨁h(R_1\Vert t_0)$ and does not know the real identity ${ID}_v$ of the vehicle during the authentication process. Even if the RSU is dishonest, it is not a privacy breach. In addition, the authentication messages $\{{CID}_v,{DID}_v,M_1,R_0,t_0\}$ in each session are different because they are all made up of random numbers, timestamps, and other parameters. Thus, the protocol provides user anonymity and unlinkability.
• Perfect forward secrecy: In proposed scheme, the session key $SK=h(d,R_0,R_2,({s\cdot R}_0),{PID}_v^{\mathrm{*}},{ID}_r)=h(d,R_0,R_2,({r\cdot R}_2),{PID}_v^{\mathrm{*}},{ID}_r)$ are composed of random number $d$, ECDLP $R_0=r\cdot P$, $R_2=k\cdot P$, and CDHP $\left({s\cdot R}_0\right)$ or $\left({r\cdot R}_2\right)$, the pseudonym of vehicle ${PID}_v^{\mathrm{*}}$ and identity of RSU ${ID}_r$. Even if the attacker $\mathcal{A}$ knows these parameters and the current $SK$, $\mathcal{A}$ cannot obtain random numbers and cannot compute previous or future session keys. Thus, the scheme has perfect forward secrecy.
• Known key secrecy: In our scheme, the session key $SK=h(d,R_0,R_2,({s\cdot R}_0),{PID}_v^{\mathrm{*}},{ID}_r)=h(d,R_0,R_2,({r\cdot R}_2),{PID}_v^{\mathrm{*}},{ID}_r)$ is based on a random number, ECDLP, Diffie–Hellman, and one-way hash function. Even if the attacker $\mathcal{A}$ gains the session key, they cannot obtain any long-term keys.
• Replay attacks: In our scheme, every message that is sent via the wireless channel contains random numbers and timestamps to ensure the integrity and freshness of the message. For example, in the user authentication phase, the sent message is $\{{CID}_v,{DID}_v,M_1,R_0,t_0\}$, where $R_0=r\cdot P$ ($r$ is random number), ${CID}_v=d⨁h(t_0\Vert R_1)$ ($d$ is random number), ${DID}_v={PID}_v⨁h(R_1\Vert t_0)$, $M_1=h(d,{ID}_v^{\mathrm{*}},{PID}_v^{\mathrm{*}},{DID}_v,A_v^{\mathrm{*}},t_0,{ID}_r)$ and $t_0$ (timestamp). So, the proposed scheme has the ability to resist replay attacks.
• Password guessing attacks: If $\mathcal{A}$ can know the user’s biometric template ${BIO}_v$ and all information stored in smart card, it can guess ${ID}_v^{\mathrm{*}}$ and ${PW}_v^{\mathrm{*}}$ such that $C_v=h\left({ID}_v^{\mathrm{*}},{PW}_v^{\mathrm{*}},{BSK}_v\right)mod n$. However, there are $\left|D_{PW}\right|\ast \left|D_{ID}\right|/n\approx 2^{32}$ candidates of the $(I{D}_v,P{W}_v)$ pair to satisfy this equation when $n=256$ [28]. Therefore, our protocol meets resistance password guessing attacks.
• Three-factory secrecy: If $\mathcal{A}$ obtains the date from the smart card through side-channel attacks and knows the user’s ${BIO}_v$, and cannot know the correct $(I{D}_v,P{W}_v)$, $\mathcal{A}$ cannot launch any attacks without knowing ${PID}_v$ and $A_v$. For the same reasons, if $\mathcal{A}$ knows the user’s $({BIO}_v,P{W}_v)$, or knows the user’s $P{W}_v$ and information stored in the smart card, $\mathcal{A}$ still cannot launch any attacks. Thus, the proposed protocol can achieve three-factor secrecy.
• Identity guessing attacks: In our scheme, $\{{CID}_v,{DID}_v,M_1,R_0,t_0\}$, $\{{ID}_r,{DID}_v,{AID}_v,M_1,t_0,t_1\}$, $\{{BID}_v,t_2\}$ are transmitted via the wireless channel, and $<G,p,P,{\epsilon }_v,C_v,{PPID}_v,h\left(\cdot \right),{PA}_v>$ stored into a smart card. Even if the attacker $\mathcal{A}$ eavesdrops and obtains these messages, $\mathcal{A}$ cannot verify the guessed identity. Because these messages not only contain identity but also include random numbers, the passwords and biometric keys, such as $M_1=h(d,{ID}_v^{\mathrm{*}},{PID}_v^{\mathrm{*}},{DID}_v,A_v^{\mathrm{*}},t_0,{ID}_r)$ ($d$ is random number), ${DID}_v={PID}_v^{\mathrm{*}}⨁h(R_1\Vert t_0)$, ${PID}_v^{\mathrm{*}}={PPID}_v⨁h\left({PW}_v^{\mathrm{*}},{ID}_v^{\mathrm{*}},{BSK}_v^{\mathrm{*}}\right)$, $A_v^{\mathrm{*}}={PA}_v⨁h\left({PW}_v^{\mathrm{*}},{BSK}_v^{\mathrm{*}},{ID}_v^{\mathrm{*}}\right)$, ${PW}_v^{\mathrm{*}}$ is the password and ${BSK}_v^{\mathrm{*}}$ is the biometric key. Thus, $\mathcal{A}$ is unable to verify the accuracy of the guessed identity without having knowledge of ${PID}_v^{\mathrm{*}}$, ${PW}_v^{\mathrm{*}}$ and ${BSK}_v^{\mathrm{*}}$.
• Forgery attacks and impersonation attacks: Suppose the attacker $\mathcal{A}$ impersonates user ${\mathrm{U}}_{\mathrm{i}}$ and sends message $\{{CID}_v,{DID}_v,M_1,R_0,t_0\}$ to RSU, where $R_0=r\cdot P$, ${DID}_v={PID}_v^{\mathrm{*}}⨁h(R_1\Vert t_0)$, $R_1=r\cdot P_{pub}$, $M_1=h(d,{ID}_v^{\mathrm{*}},{PID}_v^{\mathrm{*}},{DID}_v,A_v^{\mathrm{*}},t_0,{ID}_r)$, ${PID}_v^{\mathrm{*}}={PPID}_v⨁h\left({PW}_v^{\mathrm{*}},{ID}_v^{\mathrm{*}},{BSK}_v^{\mathrm{*}}\right)$, $A_v^{\mathrm{*}}={PA}_v⨁h\left({PW}_v^{\mathrm{*}},{BSK}_v^{\mathrm{*}},{ID}_v^{\mathrm{*}}\right)$. $\mathcal{A}$ cannot forge ${\mathrm{M}}_1$ without knowing ${ID}_v^{\mathrm{*}}$, ${PID}_v^{\mathrm{*}}$ and $A_v^{\mathrm{*}}$. If the attacker wants to know $A_v^{\mathrm{*}}$, they must know the three-factor ${ID}_v^{\mathrm{*}}$, password ${PW}_v^{\mathrm{*}}$, and biometric key ${BSK}_v^{\mathrm{*}}$ at the same time, which is obviously impossible. Therefore, $\mathcal{A}$ cannot impersonate the user. Suppose the attacker $\mathcal{A}$ wants to impersonate RSU and sends $\{{ID}_r,{DID}_v,{AID}_v,M_1,t_0,t_1\}$ to TA, where ${AID}_v=h(t_1\Vert {DID}_v\Vert {PSID}_r)⨁({PID}_v^{\mathrm{*}}\Vert d)$, ${PSID}_r={PD}_r\oplus h(t_r\Vert R_r)$, $R_r=PUF\left(C_r\right)$. Since the PUF is unique, even if the attacker $\mathcal{A}$ obtains Challenger $C_r$, they cannot obtain $R_r$ and cannot compute the ${PSID}_r$. Thus, the attacker cannot impersonate the RSU without knowing ${PSID}_r$. Supposed the attacker $\mathcal{A}$ wants to impersonate TA and sends $\{{BID}_v,t_2\}$, where ${BID}_v=h({PID}_v^{\mathrm{*}}\Vert {PSID}_r\Vert t_2)$, ${PSID}_r=({ID}_r\Vert K)$, $K$ is the system’s primary key. Since $\mathcal{A}$ cannot know $K$, $\mathcal{A}$ cannot impersonate TA. Hence, our scheme effectively mitigates the risks of forgery attacks and impersonation attacks.
• RSU captured attacks: In our scheme, RSU stores $<C_r,{sk}_r,{ID}_r,{PD}_r,t_r>$, where $C_r$ is the corresponding challenge to generate a response of PUF. Suppose the attacker $\mathcal{A}$ captures the RSU and obtains the date $<C_r,{sk}_r,{ID}_r,{PD}_r,t_r>$. Due to the characteristics of PUF, $\mathcal{A}$ cannot obtain the corresponding $R_r$ and cannot compute private key $x_r=s{k}_r\oplus h(R_r\Vert t_r)$ and shared key ${PSID}_r={PD}_r\oplus h(t_r\Vert R_r)$. In simpler terms, capturing an RSU will yield no valuable information. Therefore, our protocol effectively withstands RSU capture attacks.

8. Performance Analysis

This section describes the security features and performance cost of this protocol compared with other protocols [5,15,16,21,29,30].

Table 2. Security comparison.

Properties/Attacks	[5]	[15]	[16]	[21]	[29]	[30]	Ours
Unlinkability	✓	✓	✓	✗	✓	✓	✓
Mutual authentication	✓	✓	✓	✓	✗	✗	✓
Anonymity	✗	✓	✓	✓	✓	✓	✓
Conditional privacy preservation	✓	✓	✓	✗	✗	✗	✓
Perfect forward secrecy	✗	✓	✓	✓	✓	✓	✓
Session key secrecy	✗	✓	✓	✓	✓	✓	✓
Known session key secrecy	✓	✓	✓	✗	✓	✓	✓
Key agreement	✓	✓	✓	✓	✓	✓	✓
N-factor secrecy	✗	-	✗	✗	✗	✗	✓
Resist message modification	✓	✓	✓	✓	✓	✓	✓
Resist impersonation attacks	✗	✓	✓	✓	✓	✓	✓
Resist replay attacks	✓	✓	✓	✓	✓	✓	✓
Resist password guessing attacks	✓	-	✓	✓	-	✓	✓
Resist identity guessing attacks	✗	-	✓	✓	✓	✓	✓
Resist stolen SC attacks	✗	✗	-	✓	-	-	✓
RSU captured attacks	✗	✗	✗	✗	✗	✗	✓

provides a comprehensive analysis of the security comparison between our proposed scheme and other relevant schemes. It can be seen that our solution can achieve better security.

We compute the computation cost of the proposed protocol and the other related protocol. We use the environment of Windows 10 on a 64-bit laptop (CPU: Intel i5-6300; 4.00 GHz; RAM 16 GB).

Table 3. Execution time of cryptographic operations.

Notations	Description	Execution Time (ms)
$T_{sm}$	Scalar multiplication	2.610
$T_h$	General hash function	0.019
$T_{SY}$	Symmetric encryption/decryption	0.511

shows the result of the execution time for various cryptographic operations, and

Table 4. Communication cost of primitive operations.

Primitive Operations	Communication Cost (bits)
Elliptic Curve Point	256
Message	256
identity of individual participant	256
Hash function	256
Timestamp	32
Random number	256
Symmetric encryption/decryption	AES-128

is the result of the communication cost for various primitive operations.

Table 5. Comparison of computation cost.

Schemes	Vehicle	RSU/Fog Node	TA/Cloude Server	Total (ms)
[5]	$9T_h$	$7T_h$	$4T_{SY}+10T_h$	$2.538$
[15]	$3T_{sm}+4T_h$	$4T_{sm}+4T_h$	$10T_{sm}+11T_h$	$44.731$
[16]	$1T_{SY}+1T_{sm}+6T_h$	$3T_h$	$2T_{SY}+7T_h$	$3.425$
[21]	$3T_{sm}+6T_h$	$3T_{sm}+7T_h$	$2T_h$	$15.945$
[29]	$6T_{sm}+4T_h$	$7T_{sm}+5T_h$	$4T_{sm}+5T_h$	$44.636$
[30]	$3T_{sm}+8T_h$	$4T_{sm}+6T_h$	$5T_{sm}+8T_h$	$31.738$
Ours	$3T_{sm}+5T_h$	$3T_{sm}+8T_h$	$1T_{SY}+5T_h$	$16.513$

depicts the comparison of computation costs between some related protocols and ours, and

Table 6. Comparison of communication cost.

Schemes	Vehicle	RSU/Fog Node	TA/Cloude Server	Total (bits)
[5]	1536	4608	3072	9216
[15]	800	2682	1312	4794
[16]	1024	3328	2304	6656
[21]	1056	1088	288	2432
[29]	1056	2144	288	3488
[30]	800	2144	800	3744
Ours	1056	1632	288	2976

depicts the comparison of communication costs between some related protocols and ours. In general, our computational efficiency and communication efficiency are somewhat better than most related protocols. Although it can be the case that our solution takes slightly more time than some related solutions, it can achieve better security and with a lower communication cost.

9. Conclusions

In this paper, we conducted an initial analysis of the security of Kumar et al.’s scheme and pointed out some security vulnerabilities, as shown in Section 5. Subsequently, we proposed a novel PUF-based authentication and key agreement scheme between vehicles and RSUs that can effectively defend against traditional security threats and RSU captured attacks because of the characteristics of PUF. We also designed a conditional privacy-preserving and traceable message authentication strategy to regain the real identity of the malicious vehicle by the TA and support to tracking, which also achieved three-factor secrecy. Furthermore, we validated the security of our proposed protocol through a rigorous formal security analysis under the random oracle model. In comparison to other related protocols, our protocol demonstrates enhanced security measures, improved computational efficiency, and enhanced communication efficiency. However, the proposed protocol requires TA’s participation in the authentication process. When there are a large number of cars, TA’s computation and transmission will encounter bottlenecks. Therefore, in the future, we will design a protocol that does not require TA’s participation in the authentication process.