A more efficient conditional private preservation scheme in Vehicular Ad Hoc Networks

Tao Wang 1,*, Xiaohu Tang 1
1 School of Information Science and Technology, Southwest Jiaotong University, Chengdu 610000, China
* Correspondence: nirro@163.com; Tel.: +86-138-8093-3379
Version November 12, 2018, submitted to Preprints

bilinear pairing techniques in Section 4. Our improved MECPP will be presented in Section 5. Section 6 will give the security analysis of our protocol, followed by the performance analysis in Section 7. Finally, we conclude the paper in Section 8.

ring signature. However, this scheme does not achieve conditional privacy. Later, two PKI-based authentication schemes were proposed by Raya and Hubaux [2], in which a large number of anonymous public/private key pairs and the corresponding public key certificates are preloaded. Each public/private key pair has a short lifetime and is changed frequently. As a result, a larger storage capacity is required. In addition, since the CRL grows with time, their revocation protocols encounter efficiency problems.

• The OBU communicates with the RSU or with other OBUs through wireless links, which are insecure.
• The RSU is assumed to connect with the TA by wired links or any other trustworthy links with high bandwidth, low bit error rates and low delay.

In this subsection, we present the system assumptions and the desired requirements for our proposed protocol.

In this subsection, we state the strong Diffie-Hellman hardness assumption on which our scheme is based. Let $g_1$ be a generator of the cyclic group $G_1$ and $g_2$ a generator of the cyclic group $G_2$, where $G_1$ and $G_2$ have the same prime order $p$.
q-Strong Diffie-Hellman Problem (q-SDH). Given a $(q+2)$-tuple $(g_1, g_2, g_2^{x}, g_2^{x^2}, \ldots, g_2^{x^q})$ as input, output a pair $(c, g_1^{1/(x+c)})$ with $c \in \mathbb{Z}_p^*$. An algorithm $\mathcal{A}$ is said to have advantage $\varepsilon$ in solving the q-SDH problem if
$$\Pr\left[\mathcal{A}(g_1, g_2, g_2^{x}, \ldots, g_2^{x^q}) = \left(c, g_1^{1/(x+c)}\right)\right] \ge \varepsilon,$$
where the probability is over the random choice of $x$ in $\mathbb{Z}_p^*$ and the random bits consumed by $\mathcal{A}$.

Theorem 1. We say that the $(q, t, \varepsilon)$-SDH assumption holds in $(G_1, G_2)$ if no $t$-time algorithm has advantage at least $\varepsilon$ in solving the q-SDH problem in $(G_1, G_2)$.

Theorem 2. A forger $\mathcal{A}$ $(t, q_s, \varepsilon)$-weakly breaks a signature scheme if $\mathcal{A}$ runs in time at most $t$, makes at most $q_s$ signature queries, and has advantage at least $\varepsilon$. A signature scheme is $(t, q_s, \varepsilon)$-existentially unforgeable under a weak chosen message attack if no forger $(t, q_s, \varepsilon)$-weakly breaks it.

Our MECPP protocol includes four parts: system initialization, temporary anonymous key generation, safe message sending, and a fast tracking algorithm.

First of all, the TA generates the system parameters $(p, G_1, G_2, G_T, g_1, g_2, e)$ for each RSU and vehicle using the security parameter $k$. Then it chooses a random number $u \in \mathbb{Z}_p^*$ as its master key and computes $U = g_2^u \in G_2$ as its public key. In addition, it selects two secure hash functions $f$ and $h$, where $f, h : \{0,1\}^* \to \mathbb{Z}_p^*$, and a secure symmetric encryption algorithm $\mathrm{Enc}_k()$. Finally, the TA publishes all public parameters $(p, G_1, G_2, G_T, g_1, g_2, e, U, f, h, \mathrm{Enc}_k())$.

Choose a fixed-length random number $rnd \in \mathbb{Z}_p^*$ and compute the pseudo-id $PID_i = \mathrm{Enc}_u(rnd \| ID_i)$;
2. Return to the RSU the location-awareness key $A_i$, where "location-awareness" means that the key is bound to the RSU working at location $L_i$.
Subsequently, the RSU itself picks a random number $x_i \in \mathbb{Z}_p^*$ as the secret key that is used to encrypt the OBU's pseudo-id.

In this part, we describe how the OBU temporary anonymous key is generated.

Based on ECPP, we propose an improved protocol. First, the temporary anonymous information of the OBU does not have to be stored by the RSU. After mutual authentication, a random pseudo-id of the OBU is generated by the RSU and contained in the temporary certificate. When a dispute occurs, the real identity of the malicious vehicle can be recovered from the temporary certificate by the RSU and the TA together. Since the temporary anonymous key is changed frequently, not storing it saves a large amount of storage space. Secondly, the number of interaction rounds is decreased to 3 on the premise of ...

Table 1. OBU temporary anonymous key generation

• Step 1. When an OBU enters location $L_j$, it first computes $R_1$ and $R_2 = e(g_1, g_2)^{r_1}$, where $r_1 \in \mathbb{Z}_p^*$ is a random number. Then the OBU chooses another random number $x \in \mathbb{Z}_p^*$ as its temporary short-time anonymous private key and computes the corresponding temporary public key $Y = g_1^x \in G_1$. Finally, the OBU uses its private key $S_i$ to make a signature $Sig_{OBU} = S\ldots$, where $T_i$ is the current time-stamp, encrypts the signature as $C = \mathrm{Enc}_{R_2}(Y, T_i, Sig_{OBU}, PID_i)$, and sends the request $(R_1, C)$ to the RSU.

• Step 2. After receiving the request, RSU($ID_j$) computes $R_2 = e(A_j, R_1)$ and decrypts the ciphertext $C$ with $R_2$. Then RSU($ID_j$) checks the validity of $T_i$ and $PID_i$; if either is invalid, the protocol aborts. Otherwise, RSU($ID_j$) checks the equation $R_2 \cdot e(g_1, \ldots)$. If it holds, i.e., the OBU is authenticated, then RSU($ID_j$) issues the certificate $Cert_i$ ...
• Step 3. To verify RSU($ID_j$) and the validity of the certificate $Cert_i$, the OBU checks $e(g_2^{h(L_j)} \cdot U, Sig_{RSU}) = e(g_1, g_2)^{f(R_2 \| T_i \| Y \| PID_i)}$. If it holds, $Cert_i$ is valid and the RSU is also authenticated, because an adversary has no ability to recover the secret key $R_2$; otherwise, the protocol aborts and the RSU cannot pass the authentication, since ...

• Step 1. Compute $R = g_1^r \in G_1$, where $r \in \mathbb{Z}_p^*$ is a random number, and sign the message $M$: $s_r \equiv r + x \cdot h(M, R) \pmod p$.

• Step 2. Set the signature $Sig_M = (R, s_r, Cert_i)$.

can not get a temporary short-time anonymous key from the RSUs any more.

Proof of Lemma 1. Assume $\mathcal{A}$ is a forger that $(t, q_S, \varepsilon)$-breaks our scheme and $\mathcal{B}$ is an attacker which solves the q-SDH problem in time $t$ with advantage $\varepsilon$ by interacting with $\mathcal{A}$. $\mathcal{B}$ is given $(g_1, g_2, A_1, \ldots, A_q)$, where $A_i = g_2^{x^i} \in G_2$ for $i = 1, \ldots, q$ and some unknown $x \in \mathbb{Z}_p^*$.

For convenience we set $A_0 = g_2$. Algorithm $\mathcal{B}$'s goal is to produce a pair $(c, g_1^{1/(x+c)})$ for some $c \in \mathbb{Z}_p^*$. It does so as follows:

Query: Algorithm $\mathcal{A}$ chooses a list of random pseudo-ids $PID_1, PID_2, \ldots, PID_{q_s} \in \mathbb{Z}_p^*$ and requests the private key for each $PID_i$, where $q_s < q$. We may assume that $q_s = q - 1$.
As can be seen from the above, $x$ can be computed successfully. But this contradicts the discrete logarithm assumption. Therefore, $Sig_M$ is unforgeable.

the equation $e(g_2^{h(L_j)} \cdot U, Sig_{RSU}) = e(g_1, g_2)^{f(R_2 \| T_i \| Y \| PID_i)}$ holds, the RSU is authenticated.
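The Table 1 exchange (Steps 1 to 3) and the RSU-authentication equation just restated, run end to end as an added example; this is not the paper's code. It replaces the bilinear groups with a deliberately insecure stand-in, $G_1 = G_2 = G_T = (\mathbb{Z}_p, +)$ with $e(a, b) = ab \bmod p$, in which discrete logarithms are trivial, so it only checks that the protocol's equations close and must not be used as an implementation. The concrete forms of $A_j$, $R_1$ and $Sig_{RSU}$ are assumptions chosen so that $R_2 = e(A_j, R_1)$ and the Step 3 equation hold; the OBU's own signature $Sig_{OBU}$ and the Step 2 check on it are omitted because the page does not give their form. The hash $H$ (standing in for both $f$ and $h$), the keystream cipher standing in for $\mathrm{Enc}_k$, the pseudo-id and the time-stamp are constructed for the example.

```python
"""Toy run of the MECPP temporary-key issuing exchange (Table 1, Steps 1-3).

INSECURE stand-in for the bilinear groups: G1 = G2 = GT = (Z_p, +) with
generator 1, "g^k" = k*g mod p, group operation = addition mod p, and
e(a, b) = a*b mod p (bilinear). Discrete logs are trivial here, so this only
checks that the protocol equations close; it is not an implementation.
"""
import hashlib
import secrets

P = (1 << 127) - 1      # constructed group order (a Mersenne prime)
G1 = G2 = 1             # generators of the toy groups


def H(*parts: bytes) -> int:
    """Hash into Z_p^*; stands in for both f and h of the paper."""
    d = hashlib.sha256(b"|".join(parts)).digest()
    return int.from_bytes(d, "big") % (P - 1) + 1


def gexp(base: int, k: int) -> int:   # base^k in the toy group
    return (base * k) % P


def gmul(a: int, b: int) -> int:      # group operation (written a*b in the paper)
    return (a + b) % P


def pair(a: int, b: int) -> int:      # toy bilinear map e: G1 x G2 -> GT
    return (a * b) % P


def i2b(n: int) -> bytes:
    return n.to_bytes(16, "big")


def enc(key: int, data: bytes) -> bytes:
    """Stand-in for Enc_k: XOR with a SHA-256 keystream (same call decrypts)."""
    out = bytearray()
    for i in range(0, len(data), 32):
        ks = hashlib.sha256(i2b(key) + i.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], ks))
    return bytes(out)


# TA: master key u, public key U = g2^u, location-awareness key A_j for RSU_j.
def ta_setup() -> tuple:
    u = secrets.randbelow(P - 1) + 1
    return u, gexp(G2, u)


def ta_location_key(u: int, L_j: bytes) -> int:
    return gexp(G1, pow(H(L_j) + u, -1, P))   # A_j = g1^(1/(h(L_j)+u)), assumed form


# Step 1 (OBU): session secret R_2, temporary key pair (x, Y), request (R_1, C).
def obu_step1(U: int, L_j: bytes, PID_i: bytes, T_i: bytes) -> dict:
    r1 = secrets.randbelow(P - 1) + 1
    R1 = gexp(gmul(gexp(G2, H(L_j)), U), r1)   # (g2^{h(L_j)} * U)^{r1}, assumed form
    R2 = gexp(pair(G1, G2), r1)                # e(g1, g2)^{r1}
    x = secrets.randbelow(P - 1) + 1           # temporary anonymous private key
    Y = gexp(G1, x)                            # temporary public key Y = g1^x
    C = enc(R2, PID_i + T_i + i2b(Y))          # Enc_{R2}(Y, T_i, PID_i); Sig_OBU omitted
    return {"x": x, "Y": Y, "R2": R2, "request": (R1, C)}


# Step 2 (RSU_j): recover R_2 = e(A_j, R_1), decrypt C, check T_i, issue Cert_i.
def rsu_step2(A_j: int, request: tuple, now: bytes):
    R1, C = request
    R2 = pair(A_j, R1)                         # only the holder of A_j gets the right R2
    plain = enc(R2, C)
    PID_i, T_i, Y = plain[:32], plain[32:40], int.from_bytes(plain[40:56], "big")
    if T_i != now:                             # stale or undecryptable request: abort
        return None
    m = H(i2b(R2), T_i, i2b(Y), PID_i)         # f(R2 || T_i || Y || PID_i)
    Sig_RSU = gexp(A_j, m)                     # A_j^{f(...)}, assumed form
    return (Y, T_i, PID_i, Sig_RSU)            # Cert_i carries the pseudo-id, not ID_i


# Step 3 (OBU): e(g2^{h(L_j)} * U, Sig_RSU) == e(g1, g2)^{f(R2 || T_i || Y || PID_i)}.
def obu_step3(U: int, L_j: bytes, R2: int, cert: tuple) -> bool:
    Y, T_i, PID_i, Sig_RSU = cert
    m = H(i2b(R2), T_i, i2b(Y), PID_i)
    return pair(gmul(gexp(G2, H(L_j)), U), Sig_RSU) == gexp(pair(G1, G2), m)


def run_exchange(L_rsu: bytes, L_obu: bytes = b"L_j") -> bool:
    """Whole exchange; L_rsu != L_obu models an RSU holding another location's key."""
    u, U = ta_setup()
    A_j = ta_location_key(u, L_rsu)
    T_i = b"20181112"                          # constructed 8-byte time-stamp
    obu = obu_step1(U, L_obu, b"PID_i".ljust(32, b"\0"), T_i)
    cert = rsu_step2(A_j, obu["request"], T_i)
    return cert is not None and obu_step3(U, L_obu, obu["R2"], cert)


if __name__ == "__main__":
    print("honest RSU:", run_exchange(b"L_j"), "other-location RSU:", run_exchange(b"L_k"))
```

The second run shows what the location-awareness key buys: an RSU holding $A_k$ for another location derives a different $R_2$ from the same $R_1$, cannot decrypt the request, and could not produce a $Sig_{RSU}$ that passes the Step 3 check, so the OBU never accepts a certificate from it.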

Because it is infeasible for the adversary to recover the correct $R_2$ without knowing the RSU's private ...

• When the OBU requests a short-time anonymous key, it sends to the RSU the pseudo-id $PID_i = \mathrm{Enc}_u(rnd \| ID_i)$, which is a random identity mark, so the RSU does not know who the OBU is.

• When OBUs communicate with each other, an OBU uses a random pseudo-id $\mathrm{Enc}_{x_j}(T_i, PID_i)$, i.e. $PID_i$ re-encrypted under the RSU's secret key $x_j$, to denote its identity; it changes as time goes by and is meaningless to other OBUs.

4. Long-term Unlinkability. In order to protect the privacy of the driver, we require that the information sent by the same vehicle be unlinkable in the long term. We calculate the probability to quantify the risk that a victim OBU is tracked by some compromised RSUs. Here we make the following assumptions:

• The RSUs may be compromised because of the insecure environment, but will be quickly recovered in the next period. We assume that the number of RSUs is $N_{rsu}$ and that at most a fraction $p_c$ of the RSUs can be compromised. Then the number of compromised RSUs is $N_c = N_{rsu} \cdot p_c$.

• We assume that the number of anonymous keys that an OBU requests in a period is $N_k$.
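Under these two assumptions, an added example (not from the paper) that quantifies the tracking risk. Because the page does not give the closed form, the example fixes one model, stated in the code: the $N_k$ keys of a period are obtained from $N_k$ distinct RSUs drawn uniformly from the $N_{rsu}$ deployed ones, so the number of keys issued by compromised RSUs is hypergeometric, and the OBU counts as tracked once at least two of its keys came from compromised RSUs. A seeded Monte Carlo run cross-checks the closed form; the parameter values in the usage are constructed.

```python
"""Long-term unlinkability: chance that an OBU is tracked by compromised RSUs."""
import math
import random

# Model (an assumption; the paper states N_rsu, p_c and N_k but the formula is
# not on the page): the OBU's N_k keys in a period come from N_k distinct RSUs
# drawn uniformly from the N_rsu deployed ones, of which N_c = N_rsu * p_c are
# compromised; the OBU is linkable once i >= 2 keys came from compromised RSUs.


def pr_exactly(i: int, n_rsu: int, p_c: float, n_k: int) -> float:
    """Pr{i}: exactly i of the N_k keys were issued by compromised RSUs."""
    n_c = round(n_rsu * p_c)
    if i < 0 or i > n_c or n_k - i > n_rsu - n_c or n_k > n_rsu:
        return 0.0
    # hypergeometric: choose i of the N_c compromised and N_k - i of the rest
    return math.comb(n_c, i) * math.comb(n_rsu - n_c, n_k - i) / math.comb(n_rsu, n_k)


def p_tracked(n_rsu: int, p_c: float, n_k: int) -> float:
    """Probability that at least two keys came from compromised RSUs."""
    return sum(pr_exactly(i, n_rsu, p_c, n_k) for i in range(2, n_k + 1))


def p_tracked_mc(n_rsu: int, p_c: float, n_k: int,
                 trials: int = 20000, seed: int = 1) -> float:
    """Monte Carlo estimate of p_tracked under the same model (seeded)."""
    rng = random.Random(seed)
    compromised = set(range(round(n_rsu * p_c)))   # which RSUs: irrelevant by symmetry
    hits = 0
    for _ in range(trials):
        chosen = rng.sample(range(n_rsu), n_k)     # N_k distinct RSUs
        if sum(1 for r in chosen if r in compromised) >= 2:
            hits += 1
    return hits / trials


if __name__ == "__main__":
    # constructed deployment: 200 RSUs, 5% compromised, 12 keys per period
    for n_k in (4, 12, 24):
        print(n_k, "keys/period:", round(p_tracked(200, 0.05, n_k), 4))
```

The closed form makes the trade-off visible: requesting more keys per period makes each message less linkable in the short term, but raises the chance that two of them were issued by compromised RSUs, which is why the number of requests and the fraction of compromised RSUs both enter the risk.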

Let $\Pr\{i\}$ represent the probability that exactly $i$ ($i \ge 2$) among the $N_k$ anonymous keys are requested from different compromised RSUs; we have $\Pr\{i\} = \ldots$. Then the probability is ...
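The safe message sending steps (Step 1 and Step 2 above) together with the receiver's check that makes $Sig_M$ verifiable, as an added example rather than the paper's code. It instantiates $G_1$ with the secp256k1 curve in additive notation ($g_1^x$ is $xG$); this step uses no pairing, so any prime-order group works, and the real scheme would use the pairing-friendly $G_1$ fixed in system initialization. The verification equation $g_1^{s_r} = R \cdot Y^{h(M,R)}$ follows from the signing equation but is not spelled out on the page; the hash $h$, the certificate contents and the message are constructed.

```python
"""Safe message sending with the temporary key: Sig_M = (R, s_r, Cert_i)."""
import hashlib
import secrets

# G1 instantiated with secp256k1 in additive notation (g1^x <-> x*G). A constructed
# choice for this example; the scheme's own G1 would be a pairing-friendly group.
p = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
n = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
# None stands for the point at infinity.


def ec_add(P1, P2):
    """Affine point addition on y^2 = x^3 + 7 over F_p."""
    if P1 is None:
        return P2
    if P2 is None:
        return P1
    (x1, y1), (x2, y2) = P1, P2
    if x1 == x2 and (y1 + y2) % p == 0:
        return None
    if P1 == P2:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, p) % p
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, p) % p
    x3 = (lam * lam - x1 - x2) % p
    return (x3, (lam * (x1 - x3) - y1) % p)


def ec_mul(k: int, P1):
    """Double-and-add scalar multiplication (g1^k in the paper's notation)."""
    R = None
    while k:
        if k & 1:
            R = ec_add(R, P1)
        P1 = ec_add(P1, P1)
        k >>= 1
    return R


def on_curve(P1) -> bool:
    if P1 is None:
        return False
    x, y = P1
    return (y * y - x * x * x - 7) % p == 0


def h(M: bytes, R) -> int:
    """h(M, R): hash of the message and the commitment R into Z_n."""
    data = M + R[0].to_bytes(32, "big") + R[1].to_bytes(32, "big")
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def keygen() -> tuple:
    """Temporary short-time anonymous key pair (x, Y = g1^x)."""
    x = secrets.randbelow(n - 1) + 1
    return x, ec_mul(x, G)


def sign(x: int, cert: dict, M: bytes) -> tuple:
    """Step 1: R = g1^r, s_r = r + x*h(M, R) mod n.  Step 2: Sig_M = (R, s_r, Cert_i)."""
    r = secrets.randbelow(n - 1) + 1
    R = ec_mul(r, G)
    s_r = (r + x * h(M, R)) % n
    return (R, s_r, cert)


def verify(sig: tuple, M: bytes) -> bool:
    """Receiver: take Y from Cert_i and check g1^{s_r} == R * Y^{h(M, R)}.

    This is the check implied by the signing equation; a real receiver would
    first verify the RSU's signature on Cert_i (Step 3 of Table 1).
    """
    R, s_r, cert = sig
    Y = cert["Y"]
    if not (on_curve(R) and on_curve(Y) and 0 < s_r < n):
        return False
    return ec_mul(s_r, G) == ec_add(R, ec_mul(h(M, R), Y))


if __name__ == "__main__":
    x, Y = keygen()
    cert = {"Y": Y, "PID": b"PID_i", "Sig_RSU": b"constructed"}   # stands in for Cert_i
    sig = sign(x, cert, b"emergency brake")
    print("valid:", verify(sig, b"emergency brake"), "tampered:", verify(sig, b"brake?"))
```

The receiver never learns $x$ or $ID_i$: it only needs $Y$ from the certificate, which is why the anonymity of $Cert_i$ rests on $PID_i$ rather than on the signature itself, and why $x$ can be discarded together with the certificate when the OBU moves to the next RSU.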

In this section, we compare the performance of the proposed protocol with ECPP. The ECPP protocol requires $13T_{pmul} + 6T_{pair}$ to generate the short-time anonymous key. Let $T_{ECPP}$ be the required time cost in ECPP; then
$$T_{ECPP} = 13T_{pmul} + 6T_{pair} = 13 \times 0.6 + 6 \times 4.5 = 34.8.$$
In our scheme there are fewer pairing computations, and $e(g_1, g_2)$ can be calculated in advance. Let $T_{MECPP}$ stand for the required time cost in our MECPP protocol, so that
$$T_{MECPP} = 7T_{pmul} + 3T_{pair} = 7 \times 0.6 + 3 \times 4.5 = 17.7.$$
From the comparison, the required time has decreased by about 50%. Besides, our interaction steps are decreased to 3 while ECPP needs 6. In ECPP, every short-time anonymous key must be stored by the RSU in order to track a malicious vehicle, while in our MECPP the pseudo-id is hidden in $Cert$, so the real identity can be decrypted from $Cert$ directly when necessary.

Considering that the short-time anonymous key is changed frequently to protect the identity, this saves a large amount of storage space for the RSU.

In this sense, our MECPP protocol is more practical than ECPP.

In this paper, we proposed an optimized protocol based on ECPP for secure vehicular communications. Our protocol not only provides security and privacy protection to vehicles but is also more efficient than ECPP in terms of the computation overhead of temporary anonymous key generation and the RSU storage overhead. In future work, we will try to improve the efficiency of batch certification in the temporary anonymous key generation phase.