# A More Efficient Conditional Private Preservation Scheme in Vehicular Ad Hoc Networks


## Abstract


## 1. Introduction

## 2. Related Work

## 3. System Model and System Security

#### 3.1. System Model

**System roles:** VANETs generally consist of vehicles equipped with wireless communication devices, called On Board Units (**OBU**s); infrastructure units such as Road Side Units (**RSU**s), which are located on the roadside or at street intersections and provide wireless interfaces to vehicles within their radio coverage; and a centralized Trusted Authority (**TA**), which is responsible for RSU and OBU registration and, moreover, for recovering a vehicle's identity if necessary.

**Channels:** To secure vehicular communications, which are mainly used for civilian applications, we make the following assumptions about the channels:

- An OBU communicates with an RSU or another OBU through wireless links, which are unsecured.
- An RSU is assumed to connect with the TA by wired links or other reliable links with high bandwidth, low bit error rates and low delay.

#### 3.2. System Security

#### 3.2.1. Secure VANETs Assumption

- All OBUs and RSUs are registered with the TA. It is not feasible to compromise the TA, and it can be fully trusted by all parties.
- RSUs are usually deployed in open, unattended environments, so they can be compromised by attackers or collude with each other. However, we assume that RSUs are monitored so that their compromise can be detected in a short time. As a result, in a given time slot, very few RSUs are compromised.
- OBUs have limited computing power and storage space, while TAs have greater computational power and sufficient hardware.

#### 3.2.2. Desired Requirements

- **Anonymous Vehicle Authentication.** The purpose of anonymous vehicle authentication is to verify that a vehicle is authentic and legitimate without revealing the real ID of the vehicle.
- **Short-term Linkability.** In some cases, such as broadcasting road conditions, applications require that a recipient can link two messages sent out by the same OBU in the short term.
- **Long-term Unlinkability.** In the long term, attackers or eavesdroppers should not be able to link messages from the same vehicle.
- **Traceability and Revocation.** There must be a TA in VANETs which can trace an OBU that abuses the VANET. In addition, once the compromised OBU has been revealed, the TA must revoke it immediately to prevent any further damage.
- **Non-repudiation.** Neither OBUs nor RSUs should be able to deny their behavior, and both must be responsible for their decisions.
- **Efficiency.** On the one hand, OBUs have limited computing power so that VANETs remain economically viable. On the other hand, OBUs may move at high speed. Suppose the application carries emergency information to be transferred to another vehicle that is more likely to have an accident. This needs a quick response from the network to pass the information on. Even a delay of less than a second may cause severe damage and render the message meaningless. Therefore, the computation overhead and communication overhead at each vehicle must be as small as possible.

## 4. Preliminaries

#### 4.1. Bilinear Pairing

- **Bilinearity:** The mapping $e: G_1\times G_2\to G_T$ is said to be bilinear if the following relation holds: $e(h_1^{a}, h_2^{b}) = e(h_1, h_2)^{ab}$, $\forall h_1\in G_1$, $\forall h_2\in G_2$ and $\forall a,b\in Z_p$.
- **Non-degeneracy:** There exist $h_1\in G_1$, $h_2\in G_2$ such that $e(h_1, h_2)$ is not the identity of $G_T$.
- **Isomorphism:** $\psi$ is an isomorphism from $G_2$ to $G_1$, with $\psi(h_2) = h_1$.
- **Computability:** The bilinear map $e: G_1\times G_2\to G_T$ can be computed efficiently.

#### 4.2. The Strong Diffie–Hellman Assumption

**q-Strong Diffie–Hellman Problem (q-SDH).** Given a $(q+2)$-tuple $(g_1, g_2, g_2^{x}, g_2^{x^{2}}, \dots, g_2^{x^{q}})$ as input, output a pair $(c, g_1^{\frac{1}{x+c}})$ where $c\in Z_p^{\ast}$. An algorithm A is said to have an advantage $\epsilon$ in solving the q-SDH problem if

**Definition 1.**

#### 4.3. Weak Chosen Message Attacks

**Query:** The adversary A sends the challenger a list of $q_s$ messages $M_1, \dots, M_{q_s}\in \{0,1\}^{\ast}$.

**Response:** The challenger runs algorithm $KeyGen$ to generate a public key $PK$ and private key $SK$, and then gives A the public key $PK$ and signatures $\sigma_i = Sign(SK, M_i)$ for $i = 1, \dots, q_s$.

**Output:** Algorithm A wins the game if it outputs a pair $(M, \sigma)$, where:

- M is not in $({M}_{1},\dots ,{M}_{{q}_{s}})$, and
- $Verify(PK,M,\sigma )=true$

**Definition 2.**

## 5. The Improved More Efficient Protocol

#### 5.1. System Initialization

#### 5.1.1. OBU Registration Protocol

- Check the validity of the identity $ID_i$. If it is not valid, terminate the protocol;
- Choose a fixed-length random number $rnd\in Z_p^{\ast}$ and compute the pseudo-id $PID_i = Enc_u(rnd \Vert ID_i \Vert h(rnd \Vert ID_i))$;
- Set $S_i = g_1^{\frac{1}{h(PID_i)+u}}\in G_1$;
- Return to the OBU the private key $sk_i = (PID_i, S_i)$.

#### 5.1.2. RSU Registration Protocol

- Get location information $L_i\in Z_p^{\ast}$ such that $h(L_i)+u \not\equiv 0 \pmod p$, and set $A_i = g_1^{\frac{1}{h(L_i)+u}}\in G_1$;
- Return to the RSU the location-awareness key $A_i$, where "location-awareness" means that the key works only at location $L_i$.

#### 5.2. Temporary Anonymous Key Generation

- Step 1. When an OBU enters the location $L_j$, it first computes $R_1 = (g_2^{h(L_j)}\cdot U)^{r_1}\in G_2$ and $R_2 = e(g_1, g_2)^{r_1}$, where $r_1\in Z_p^{\ast}$ is a random number. Then, the OBU chooses another random number $x\in Z_p^{\ast}$ as its temporary short-time anonymous private key and computes the corresponding temporary public key $Y = g_1^{x}\in G_1$. Finally, the OBU uses its private key $S_i$ to make a signature $Sig_{OBU} = S_i^{(r_1 + f(R_2 \Vert T_i \Vert Y))}$, where $T_i$ is the current time-stamp, encrypts the signature as $C = Enc_{R_2}(Y, T_i, Sig_{OBU}, PID_i)$, and sends the request $(R_1, C)$ to $RSU(ID_j)$.
- Step 2. After receiving the request, $RSU(ID_j)$ computes $R_2' = e(A_j, R_1)$ and decrypts the ciphertext C with $R_2'$. Then, $RSU(ID_j)$ checks the validity of $T_i$ and $PID_i$. If either of them is invalid, the protocol aborts. Otherwise, $RSU(ID_j)$ checks the equation $R_2'\cdot e(g_1, g_2)^{f(R_2' \Vert T_i \Vert Y)} \stackrel{?}{=} e(Sig_{OBU}, g_2^{h(PID_i)}\cdot U)$. If it holds, i.e., the OBU is authenticated, then $RSU(ID_j)$ issues the certificate $Cert_i = (L_j, T_i, Y, PID_i', Sig_{RSU})$, where $PID_i' = Enc_{x_j}(T_i, PID_i)$ and $Sig_{RSU} = A_j^{f(R_2' \Vert T_i \Vert Y \Vert PID_i')}$; the lifecycle of the certificate is based on the time-stamp $T_i$. Otherwise, the OBU fails the authentication. The check holds for a legitimate OBU since

  $$\begin{aligned} e(Sig_{OBU}, g_2^{h(PID_i)}\cdot U) &= e(S_i^{(r_1 + f(R_2 \Vert T_i \Vert Y))}, g_2^{h(PID_i)}\cdot g_2^{u}) \\ &= e(g_1^{\frac{r_1 + f(R_2 \Vert T_i \Vert Y)}{h(PID_i)+u}}, g_2^{(h(PID_i)+u)}) \\ &= R_2'\cdot e(g_1, g_2)^{f(R_2' \Vert T_i \Vert Y)} \end{aligned}$$
- Step 3. To verify $RSU(ID_j)$ and the validity of the certificate $Cert_i$, the OBU checks $e(g_2^{h(L_j)}\cdot U, Sig_{RSU}) \stackrel{?}{=} e(g_1, g_2)^{f(R_2 \Vert T_i \Vert Y \Vert PID_i')}$. If it holds, $Cert_i$ is valid and the RSU is also authenticated, because the adversary has no ability to recover the secret key $R_2$. Otherwise, the protocol aborts and the RSU fails the authentication. The check holds for a legitimate RSU since

  $$\begin{aligned} e(g_2^{h(L_j)}\cdot U, Sig_{RSU}) &= e(g_2^{h(L_j)}\cdot g_2^{u}, A_j^{f(R_2' \Vert T_i \Vert Y \Vert PID_i')}) \\ &= e(g_2^{(h(L_j)+u)}, g_1^{\frac{f(R_2' \Vert T_i \Vert Y \Vert PID_i')}{h(L_j)+u}}) \\ &= e(g_1, g_2)^{f(R_2' \Vert T_i \Vert Y \Vert PID_i')} \\ &= e(g_1, g_2)^{f(R_2 \Vert T_i \Vert Y \Vert PID_i')} \end{aligned}$$
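The three steps above can be checked end to end with the following added example, which is not code from the paper. It assumes a toy model in which every group element is stored as its exponent, so the pairing becomes a multiplication mod a prime; `H`, `seal`/`unseal` (stand-ins for $h$, $f$ and $Enc$), the location and pseudo-id strings and the `revoked` set are hypothetical names.

```python
import hashlib
import secrets

P = 2**127 - 1  # prime group order (constructed toy parameter)

# Toy model: every group element is stored as its exponent, so g1^a, g2^b and
# e(g1,g2)^c are just a, b, c mod P. Exponents are visible, so this checks the
# algebra of the exchange only and is NOT a secure pairing implementation.
def mul(a, b): return (a + b) % P       # group multiplication
def power(a, k): return (a * k) % P     # group exponentiation
def pair(a, b): return (a * b) % P      # e(g1^a, g2^b) = e(g1,g2)^(ab)
G1 = G2 = GT = 1                        # generators g1, g2 and e(g1,g2)

def H(*parts):
    """Stand-in for both h() and f(): hash a concatenation into Z_p."""
    return int.from_bytes(hashlib.sha256(repr(parts).encode()).digest(), "big") % P

def seal(key, payload):
    """Stand-in for Enc_key: opens only under the same key, hides nothing."""
    return (H("seal", key), payload)

def unseal(key, box):
    return box[1] if box[0] == H("seal", key) else None

def ta_register(u, label):
    """TA registration: S_i or A_j = g1^(1/(h(label)+u))."""
    return power(G1, pow((H(label) + u) % P, -1, P))

def obu_request(S_i, pid, L_j, U, T_i):
    """Step 1: build (R1, C) and keep the state needed for Step 3."""
    r1 = 1 + secrets.randbelow(P - 1)
    x = 1 + secrets.randbelow(P - 1)            # temporary private key
    R1 = power(mul(power(G2, H(L_j)), U), r1)
    R2 = power(GT, r1)
    Y = power(G1, x)
    sig_obu = power(S_i, (r1 + H(R2, T_i, Y)) % P)
    return (R1, seal(R2, (Y, T_i, sig_obu, pid))), {"R2": R2, "x": x}

def rsu_respond(A_j, L_j, U, x_j, request, revoked=frozenset()):
    """Step 2: recover R2', authenticate the OBU, issue Cert_i (or None)."""
    R1, C = request
    R2p = pair(A_j, R1)
    opened = unseal(R2p, C)                     # fails if A_j is not the key for L_j
    if opened is None:
        return None
    Y, T_i, sig_obu, pid = opened               # T_i freshness check omitted here
    if pid in revoked:
        return None
    lhs = mul(R2p, power(GT, H(R2p, T_i, Y)))
    rhs = pair(sig_obu, mul(power(G2, H(pid)), U))
    if lhs != rhs:
        return None
    pid_prime = seal(x_j, (T_i, pid))
    sig_rsu = power(A_j, H(R2p, T_i, Y, pid_prime))
    return (L_j, T_i, Y, pid_prime, sig_rsu)

def obu_check_cert(U, state, cert):
    """Step 3: verify Sig_RSU against the OBU's own R2."""
    L_j, T_i, Y, pid_prime, sig_rsu = cert
    lhs = pair(mul(power(G2, H(L_j)), U), sig_rsu)
    return lhs == power(GT, H(state["R2"], T_i, Y, pid_prime))

def demo():
    u = 1 + secrets.randbelow(P - 1)            # TA master key
    U = power(G2, u)                            # TA public key U = g2^u
    pid, loc, T = "PID-constructed-1", "L-junction-7", 1_700_000_000
    S_i, A_j = ta_register(u, pid), ta_register(u, loc)
    A_other = ta_register(u, "L-junction-9")
    req, st = obu_request(S_i, pid, loc, U, T)
    cert = rsu_respond(A_j, loc, U, "x_j-constructed", req)
    forged, _ = obu_request(power(G1, 12345), pid, loc, U, T)
    bad_cert = cert[:2] + (mul(cert[2], G1),) + cert[3:]
    return {
        "honest": obu_check_cert(U, st, cert),
        "wrong_location_rsu": rsu_respond(A_other, "L-junction-9", U, "k", req),
        "forged_obu_key": rsu_respond(A_j, loc, U, "x_j-constructed", forged),
        "revoked_pid": rsu_respond(A_j, loc, U, "x_j-constructed", req, {pid}),
        "tampered_cert": obu_check_cert(U, st, bad_cert),
    }
```

An RSU holding the key for a different location derives a different $R_2'$ and cannot open $C$, which is the location binding the scheme relies on.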

#### 5.3. Safe Message Sending

- Signing: When a vehicle i wants to send a message M to other surrounding vehicles, it signs message M with the short-time anonymous public-key certificate $Cert_i$ and the private key x before sending it out.
  - Step 1. Compute $R = g_1^{r}\in G_1$, where $r\in Z_p^{\ast}$ is a random number, and sign the message as $s_r \equiv r + x\cdot h(M, R) \pmod p$.
  - Step 2. Set the signature $Sig_M = (R, s_r, Cert_i)$.
- Verification: On receiving the message, the receiver first checks the validity of $T_i$ and $Cert_i$ as in Step 3 of Section 5.2. If they are invalid, the verification process aborts. Otherwise, the receiver verifies the signature $Sig_M$ by checking the equation $g_1^{s_r} = R\cdot Y^{h(M,R)}$. If it holds, the message is authentic and can be accepted; otherwise it is ignored. The check holds for a valid signature since

  $$\begin{aligned} R\cdot Y^{h(M,R)} &= g_1^{r}\cdot g_1^{x\cdot h(M,R)} \\ &= g_1^{r + x\cdot h(M,R)} \\ &= g_1^{s_r} \end{aligned}$$
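The signing and verification equations above, run as an added example that is not code from the paper. It assumes a small prime-order subgroup of $Z_P^{\ast}$ in place of $G_1$ (so the paper's group order $p$ is `Q` here, at toy size), and `cert_valid` with its `issued` set is a hypothetical stand-in for the $Sig_{RSU}$ pairing check and the $T_i$ lifetime check.

```python
import hashlib
import secrets

def is_prime(n):
    """Deterministic Miller-Rabin, valid for n < 3.3e24."""
    if n < 2:
        return False
    small = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)
    for s in small:
        if n % s == 0:
            return n == s
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for a in small:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def toy_group(bits=62):
    """First safe prime P = 2Q+1 with Q > 2**bits; g = 4 has prime order Q."""
    q = 2**bits + 1
    while not (is_prime(q) and is_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1, q, 4

P, Q, G = toy_group()   # constructed toy parameters, far too small for real use

def h(M, R):
    """h(M, R) reduced into Z_Q."""
    data = M + b"|" + R.to_bytes((P.bit_length() + 7) // 8, "big")
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q

def keygen():
    x = 1 + secrets.randbelow(Q - 1)            # temporary private key x
    return x, pow(G, x, P)                      # temporary public key Y = g^x

def sign(M, x, cert):
    r = 1 + secrets.randbelow(Q - 1)            # fresh r for every message
    R = pow(G, r, P)
    s_r = (r + x * h(M, R)) % Q
    return (R, s_r, cert)

def cert_valid(cert, issued, now, lifetime=300):
    """Stand-in for the Sig_RSU check plus the T_i lifetime check."""
    _, T_i, _ = cert
    return cert in issued and 0 <= now - T_i <= lifetime

def verify(M, sig, issued, now):
    R, s_r, cert = sig
    if not cert_valid(cert, issued, now):       # certificate first, as in the text
        return False
    if not (0 < R < P and 0 <= s_r < Q):        # reject out-of-range values
        return False
    Y = cert[2]
    return pow(G, s_r, P) == R * pow(Y, h(M, R), P) % P

def demo():
    x, Y = keygen()
    cert = ("L-junction-7", 1_700_000_000, Y)   # constructed (L_j, T_i, Y)
    issued = {cert}
    M = b"ice on bridge, lane 2"
    sig = sign(M, x, cert)
    x2, Y2 = keygen()                           # key pair no RSU certified
    rogue_cert = ("L-junction-7", 1_700_000_000, Y2)
    now = 1_700_000_060
    return {
        "valid": verify(M, sig, issued, now),
        "tampered": verify(b"road clear", sig, issued, now),
        "expired": verify(M, sig, issued, 1_700_009_999),
        "unissued_key": verify(M, sign(M, x2, rogue_cert), issued, now),
    }
```

The last case shows why the certificate check comes first: the signature equation alone holds for any self-generated key pair, so only the RSU's binding of $Y$ gives it meaning.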

#### 5.4. Fast Tracking

- Step 1. The TA sends the tracing demand $(M, Sig_M)$ to the specified RSU according to the location information $L_j$ in $Cert_i$.
- Step 2. The RSU returns the pseudo-id $PID_i$ to the TA by decrypting $PID_i = Dec_{x_j}(PID_i')$ with its security key $x_j$.
- Step 3. The TA recovers the real identity $ID_i$ by decrypting $rnd \Vert ID_i \Vert h(rnd \Vert ID_i) = Dec_u(PID_i)$ with the master key u and then calculates $h'(rnd \Vert ID_i)$. If $h'(rnd \Vert ID_i) = h(rnd \Vert ID_i)$, then $ID_i$ and $PID_i$ are valid, and the TA broadcasts the pseudo-id $PID_i$ to all RSUs. After that, the malicious vehicle can no longer get a temporary short-time anonymous key from the RSUs.

## 6. Security Analysis

#### 6.1. Provable Security

**1. Private Key Security.** The TA uses the master key to allocate initial private keys to OBUs and RSUs during the registration stage. The security of the private keys is based on the q-SDH [27] hardness assumption. Even though several OBUs and RSUs may be compromised, deducing the private keys of other OBUs and RSUs from the compromised private keys is still computationally infeasible.

**Lemma 1.**

**Proof of Lemma 1.**

**Query:** Algorithm A chooses a list of random pseudo-ids $PID_1, PID_2, \dots, PID_{q_s}\in Z_p^{\ast}$ and requests the private key of each $PID_i$, where $q_s < q$. We may assume that $q_s = q-1$.

**Response:** B must respond with the $TA$'s public key and the private keys of the $PID_i$. Let $f(y)$ be the polynomial $f(y) = \prod_{i=1}^{q-1}(y + h(PID_i))$. Expand $f(y)$ and write $f(y) = \sum_{i=0}^{q-1}\alpha_i y^{i}$ where $\alpha_0, \dots, \alpha_{q-1}\in Z_p$. Compute:

**Output:** Algorithm A returns a forgery $(PID_{\ast}, k_{\ast})$ such that $k_{\ast}\in G_1$ is a valid private key for $PID_{\ast}$ and $PID_{\ast}\notin \{PID_1, \dots, PID_{q-1}\}$. In other words, $e(k_{\ast}, K_{TA}\cdot (g_2')^{h(PID_{\ast})}) = e(g_1', g_2')$. Since $K_{TA} = (g_2')^{x}$, we have that $e(k_{\ast}, (g_2')^{(x + h(PID_{\ast}))}) = e(g_1', g_2')$ and therefore

**2. Signature Security.** The security of the OBU's signature $Sig_M$ is based on the discrete logarithm assumption. It is not feasible to output a forgery in polynomial time, which makes the scheme resistant to the impersonation attack and the bogus message spoofing attack.

**Lemma 2.**

**Proof of Lemma 2.**

#### 6.2. Further Security Analysis of The Proposed Scheme

**1. Mutual Authentication**. The scheme realizes mutual authentication between the RSU and the OBU by the request-response protocol.

- The RSU can quickly authenticate the OBU. In Step 2 of Section 5.2, if the verification equation $R_2'\cdot e(g_1, g_2)^{f(R_2' \Vert T_i \Vert Y)} = e(Sig_{OBU}, g_2^{h(PID_i)}\cdot U)$ holds, the OBU can be authenticated with pseudo-id $PID_i$. Since the private key is secure according to **Lemma 1**, $Sig_{OBU}$ is unforgeable, and no adversary can launch an impersonation attack on the RSU.
- The OBU can also efficiently authenticate the RSU at location $L_j$. In Step 3 of Section 5.2, if the equation $e(g_2^{h(L_j)}\cdot U, Sig_{RSU}) = e(g_1, g_2)^{f(R_2 \Vert T_i \Vert Y \Vert PID_i')}$ holds, the RSU is authenticated, because it is not feasible for the adversary to recover the correct $R_2$ without knowing the RSU's private key $A_j = g_1^{\frac{1}{h(L_j)+u}}$.

**2. Anonymous Vehicle Authentication**. The OBU’s identity can be kept perfectly anonymous in this protocol, since the real ID of OBU is not known to the RSU and other vehicles except the TA.

- When the OBU requests a short-time anonymous key, it sends the RSU the pseudo-id $PID_i = Enc_u(rnd \Vert ID_i)$, which is a random identity mark, and the RSU does not know which vehicle it belongs to.
- When OBUs communicate with each other, an OBU uses a random pseudo-id $PID_i' = Enc_{x_j}(T_i, PID_i)$ to denote its identity; it changes over time and has no meaning to other OBUs.

**3. Short-term Linkability**. Since the anonymous key is valid for a short time interval, any message signed by that key can be linked.

**4. Long-term Unlinkability**. In order to protect the privacy of the driver, we require that the information sent by the same vehicle be unlinkable in the long-term. We calculate the probability to quantify the risk that the victim OBU is tracked by some compromised RSUs. Here, we give some assumptions:

- The RSUs may be compromised because of the insecure environment, but will be quickly recovered in the next period. We assume that the number of RSUs is $N_{rsu}$ and that a fraction $p_c$ of the RSUs can be compromised. Then, the number of compromised RSUs is $N_c = N_{rsu}\cdot p_c$.
- We assume that the number of anonymous keys that an OBU requests in some period is $N_k$.

**6. Traceability**. Even if the message does not contain identifying information about vehicles, by using the Fast Tracking algorithm described in Section 5.4, the TA can recover the real identity of the malicious vehicle if required.

**7. Non-repudiation**. The OBU's signature $Sig_{OBU}$ provides non-repudiation proof of the OBU's temporary anonymous key request, while the RSU's signature $Sig_{RSU}$ provides non-repudiation proof of the certificate issuance.

## 7. Performance Analysis

#### 7.1. Computational Cost Analysis

#### 7.2. Communication Overheads Analysis

#### 7.3. Storage Analysis

## 8. Conclusions

## Author Contributions

## Funding

## Conflicts of Interest

## References

1. Aloqaily, M.; Al Ridhawi, I.; Kantarci, B.; Mouftah, H.T. Vehicle as a resource for continuous service availability in smart cities. In Proceedings of the 2017 IEEE 28th Annual International Symposium on Personal, Indoor, and Mobile Radio Communications (PIMRC), Montreal, QC, Canada, 8–13 October 2017.
2. Qu, F.; Wu, Z.; Wang, F.-Y.; Cho, W. A security and privacy review of VANETs. IEEE Trans. Intell. Transp. Syst. **2015**, 16, 2985–2996.
3. Aloqaily, M.; Kantarci, B.; Mouftah, H.T. On the impact of quality of experience (QoE) in a vehicular cloud with various providers. In Proceedings of the 2014 11th Annual High Capacity Optical Networks and Emerging/Enabling Technologies (Photonics for Energy), Charlotte, NC, USA, 15–17 December 2014; pp. 94–98.
4. Ming, Y.; Shen, X. PCPA: A Practical Certificateless Conditional Privacy Preserving Authentication Scheme for Vehicular Ad Hoc Networks. Sensors **2018**, 18, 1573.
5. Zhang, C.; Lu, R.; Lin, X.; Ho, P.; Shen, X. An efficient identity-based batch verification scheme for vehicular sensor networks. In Proceedings of the 27th Conference on Computer Communications, Phoenix, AZ, USA, 13–18 April 2008; pp. 246–250.
6. Zhu, H.; Lin, X.; Lu, R.; Ho, P.; Shen, X. AEMA: An aggregated emergency message authentication scheme for enhancing the security of vehicular ad hoc networks. In Proceedings of the 2008 IEEE International Conference on Communications, Beijing, China, 19–23 May 2008; pp. 1436–1440.
7. Raya, M.; Hubaux, J.-P. Securing Vehicular Ad Hoc Networks. J. Comput. Secur. **2007**, 15, 39–68.
8. Lin, X.; Sun, X.; Ho, P.-H.; Shen, X. GSIS: A Secure and Privacy-Preserving Protocol for Vehicular Communications. IEEE Trans. Veh. Technol. **2007**, 56, 3442–3456.
9. Calandriello, G.; Papadimitratos, P.; Hubaux, J.-P.; Lioy, A. Efficient and Robust Pseudonymous Authentication in VANET. In Proceedings of the fourth ACM international workshop on vehicular ad hoc networks 2007, Montreal, QC, Canada, 10 September 2007.
10. Lu, R.; Lin, X.; Zhu, H.; Ho, P.-H.; Shen, X. ECPP: Efficient Conditional Privacy Preservation Protocol for Secure Vehicular Communications. In Proceedings of the 27th Conference on Computer Communications, Phoenix, AZ, USA, 13–18 April 2008; pp. 1229–1237.
11. Sánchez-García, J.; García-Campos, J.M.; Reina, D.G.; Toral, S.L.; Barrero, F. OnsiteDriverID: A secure authentication scheme based on Spanish eID cards for vehicular ad hoc networks. Future Gener. Comput. Syst. **2016**, 64, 50–60.
12. Yang, X.; Huang, X.; Liu, J.K. Efficient handover authentication with user anonymity and untraceability for Mobile Cloud Computing. Future Gener. Comput. Syst. **2016**, 62, 190–195.
13. Ye, F.; Roy, S.; Wang, H. Efficient data dissemination in vehicular ad hoc networks. IEEE J. Sel. Areas Commun. **2012**, 30, 769–779.
14. Gamage, C.; Gras, B.; Crispo, B.; Tanenbaum, A.S. An identity-based ring signature scheme with enhanced privacy. In Proceedings of the 2006 Securecomm and Workshops, Baltimore, MD, USA, 28 August–1 September 2006; pp. 1–5.
15. Liu, J.; Yuen, T.; Au, M.; Susilo, W. Improvements on an authentication scheme for vehicular sensor networks. Expert Syst. Appl. **2014**, 41, 2559–2564.
16. Bayat, M.; Barmshoory, M.; Rahimi, M.; Aref, M. A secure authentication scheme for VANETs with batch verification. Wirel. Netw. **2015**, 21, 1733–1743.
17. Baker, T.; García-Campos, J.M.; Reina, D.G.; Toral, S.; Tawfik, H.; Al-Jumeily, D.; Hussain, A. GreeAODV: An Energy Efficient Routing Protocol for Vehicular Ad Hoc Networks. In Proceedings of the International Conference on Intelligent Computing, Wuhan, China, 15–18 August 2018; pp. 670–681.
18. Aloqaily, M.; Kantarci, B.; Mouftah, H.T. Fairness-Aware Game Theoretic Approach for Service Management in Vehicular Clouds. In Proceedings of the 2017 IEEE 86th Vehicular Technology Conference (VTC-Fall), Toronto, ON, Canada, 24–27 September 2017; pp. 1–5.
19. Al Ridhawi, I.; Aloqaily, M.; Kantarci, B.; Jararweh, Y.; Mouftah, H.T. A continuous diversified vehicular cloud service availability framework for smart cities. Comput. Netw. **2018**, 145, 207–218.
20. Aloqaily, M.; Kantarci, B.; Mouftah, H.T. Multiagent/multiobjective interaction game system for service provisioning in vehicular cloud. IEEE Access **2016**, 4, 3153–3168.
21. Lazarevic, A.; Ertöz, L.; Kumar, V.; Ozgur, A.; Srivastava, J. A Comparative Study of Anomaly Detection Schemes in Network Intrusion Detection. In Proceedings of the SIAM International Conference on Data Mining, San Francisco, CA, USA, 1–3 May 2003; pp. 25–36.
22. Otoum, S.; Kantarci, B.; Mouftah, H.T. Hierarchical trust-based black-hole detection in WSN-based smart grid monitoring. In Proceedings of the IEEE International Conference on Communications, Paris, France, 21–25 May 2017; pp. 1–6.
23. Otoum, S.; Kantarci, B.; Mouftah, H.T. Mitigating false negative intruder decisions in wsn-based smart grid monitoring. In Proceedings of the 2017 13th International Wireless Communications and Mobile Computing Conference (IWCMC), Valencia, Spain, 26–30 June 2017; pp. 153–158.
24. Otoum, S.; Kantarci, B.; Mouftah, H. Adaptively Supervised and Intrusion-Aware Data Aggregation for Wireless Sensor Clusters in Critical Infrastructures. In Proceedings of the IEEE International Conference on Communications (ICC), Kansas City, MO, USA, 20–24 May 2018.
25. Camenisch, J.; Lysyanskaya, A. Signature Schemes and Anonymous Credentials from Bilinear Maps. In CRYPTO 2004; LNCS; Franklin, M., Ed.; Springer: Heidelberg, Germany, 2004; Volume 3152, pp. 56–72.
26. Boneh, D.; Boyen, X. Short signatures without random oracles. In Advances in Cryptology- EUROCRYPT 2004, Volume 3027 of Lecture Notes in Computer Science; Springer: Berlin, Germany, 2004; pp. 56–73.
27. Boneh, D.; Boyen, X.; Shacham, H. Short group signatures. In Advance in Cryptology—CRYPTO 2004, LNCS 3152; Springer: Berlin, Germany, 2004; pp. 41–55.
28. Pointcheval, D.; Stern, J. Security arguments for digital signatures and blind signatures. J. Cryptol. **2000**, 13, 361–396.
29. Boneh, D.; Gentry, C.; Lynn, B.; Shacham, H. Aggregate and verifiably encrypted signatures from bilinear maps. Proceedings of Eurocrypt 2003, Volume 2656 of LNCS; Springer: Berlin, Germany, 2003; pp. 416–432.
30. Gong, Z.; Long, Y.; Hong, X.; Chen, K. Two certificateless aggregate signatures from bilinear maps. In Proceedings of the 8th ACIS International Conference on Software Engineering, Artificial Intelligence, Networking, and Parallel/Distributed Computing, Qingdao, China, 30 July–1 August 2007; pp. 188–193.
31. Lu, R.; Lin, X.; Luan, T.-H. Pseudonym changing at social spots: An effective strategy for location privacy in VANET. IEEE Trans. Veh. Technol. **2012**, 61, 86–96.
32. Cygwin: Linux Environment Emulator for Windows. Available online: http://www.cygwin.com/ (accessed on 2 August 2018).

**Figure 1.** The VANET System Model. Three roles included: vehicle equipped with on-board unit (OBU), road side unit (RSU) and the trusted authority (TA).

**Figure 2.** The Flowchart of Temporary Anonymous Key Generation. This flowchart describes how the OBU’s temporary anonymous key is generated.

**Figure 3.** Tracking Probability of the system. Note that it increases very slowly with the increase of the number of anonymous keys and the number of compromised RSUs.

| Notation | Descriptions |
|---|---|
| $OBU$ | The smart vehicle equipped with on-board unit |
| $RSU$ | Road side unit |
| $TA$ | The centralized Trusted Authority |
| $L_j$ | The location of RSU |
| $ID_i$ | The real identity of vehicle i |
| $PID_i$ | The pseudo-id of vehicle i |
| $Cert_i$ | The short-time certificate of vehicle i |
| $X \Vert Y$ | Concatenate operation |

| OBU$(ID_i, PID_i)$ | | RSU$(ID_j)$ at Location $L_j$ |
|---|---|---|
| $R_1 = (g_2^{h(L_j)}\cdot U)^{r_1}$, | | |
| $R_2 = e(g_1, g_2)^{r_1}$, | | |
| $Y = g_1^{x}$, | | |
| $Sig_{OBU} = S_i^{(r_1 + f(R_2 \Vert T_i \Vert Y))}$, | | |
| $C = Enc_{R_2}(Y, T_i, Sig_{OBU}, PID_i)$. | | |
| | $\underrightarrow{(R_1,\ C)}$ | |
| | | $R_2' = e(A_j, R_1)$, |
| | | decrypt C as $Dec_{R_2'}(C)$, judge $T_i$ and $PID_i$, |
| | | check $R_2'\cdot e(g_1, g_2)^{f(R_2' \Vert T_i \Vert Y)} \stackrel{?}{=} e(Sig_{OBU}, g_2^{h(PID_i)}\cdot U)$, |
| | | issue the certificate $Cert_i = (L_j, T_i, Y, PID_i', Sig_{RSU})$, |
| | | where $PID_i' = Enc_{x_j}(T_i, PID_i)$ and |
| | | $Sig_{RSU} = A_j^{f(R_2' \Vert T_i \Vert Y \Vert PID_i')}$. |
| | $\underrightarrow{(Cert_i)}$ | |
| Judge $T_i$ and check | | |
| $e(g_2^{h(L_j)}\cdot U, Sig_{RSU}) \stackrel{?}{=} e(g_1, g_2)^{f(R_2 \Vert T_i \Vert Y \Vert PID_i')}$. | | |

| | Descriptions | Execution Time |
|---|---|---|
| $T_{pmul}$ | The time for one point multiplication | 0.6 ms |
| $T_{pair}$ | The time for one pairing operation | 1.6 ms |
| $T_{hash}$ | The time for one hash function | 2.7 ms |
| $T_{exp}$ | The time for one exponentiation operation | 0.6 ms |

| Scheme | Certificate and Signature | Execution Time |
|---|---|---|
| $ECPP$ | $3T_{pair}+11T_{pmul}+T_{hash}$ | 14.1 ms |
| $BLS$ | $4T_{pair}+2T_{hash}$ | 11.8 ms |
| $GSB$ | $3T_{pair}+9T_{exp}+T_{hash}$ | 12.9 ms |
| $CAS$ | $5T_{pair}+2T_{hash}$ | 13.4 ms |
| $KPSD$ | $4T_{pair}+10T_{exp}+T_{hash}$ | 15.1 ms |
| $MECPP(Proposed)$ | $2T_{pair}+T_{exp}+T_{hash}$ | 6.5 ms |

**Table 5.** Communication overhead between the proposed scheme and efficiency conditional privacy preservation (ECPP).

| Scheme | Sending the Signature Message | Size of Signature Message |
|---|---|---|
| $ECPP$ | $(\sigma_M, Y, T_i, Cert_{t_i})$ | 120 bytes |
| $MECPP(Proposed)$ | $(R, s_r, Cert_{t_i})$ | 108 bytes |

| Scheme | Stored Message about Temporary Anonymous Key | Size of Stored Message |
|---|---|---|
| $ECPP$ | $PID_i, T_i, Y, R_2, \sigma_1$ | 64 bytes |
| $MECPP(Proposed)$ | - | - |

© 2018 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (http://creativecommons.org/licenses/by/4.0/).

## Share and Cite

**MDPI and ACS Style**

Wang, T.; Tang, X.
A More Efficient Conditional Private Preservation Scheme in Vehicular Ad Hoc Networks. *Appl. Sci.* **2018**, *8*, 2546.
https://doi.org/10.3390/app8122546
