An Effective Data Sharing Scheme Based on Blockchain in Vehicular Social Networks

Vehicular social networks (VSNs) are the vehicular ad hoc networks (VANETs) that integrate social networks. Compared with traditional VANETs, VSNs are more suitable to serve a group of vehicles with common interests. In VSNs, vehicles can upload the necessary data in the cloud service provider (CSP) and other vehicles can query the data they are interested in through CSP, which enables VSNs to provide more user-friendly services. However, due to the wireless network communication environment, the data sent by the vehicle can easily be monitored. Adversaries are able to violate the privacy of the vehicle based on the collected data, thereby threatening the security of the entire network. In addition, if a vehicle shares malicious or false data with other vehicles, it is easy to mislead drivers and even cause serious traffic accidents. This paper proposes an effective data sharing scheme based on blockchain in VSNs. By integrating an identity based signature mechanism and pseudonym generation mechanism, we first propose an anonymous authentication mechanism as the basis for establishing trust relationships before data transmission between entities in VSNs. Then, a data sharing scheme based on blockchain is described, in which the signature mechanism and the consensus mechanism guarantee the security and traceability of data. The result of the performance analysis and the simulation experiment indicate that VAB can achieve a favourable performance compared with existing schemes.


Introduction
Vehicular ad hoc networks (VANETs) are special mobile ad hoc networks (MANETs), which provide network and communication services for vehicles running on the road [1]. Due to the rapid movement of vehicles and wireless communication environment, VANETs have to confront the issues of dynamic changes of network topology, uneven density distribution of communication nodes, and noise jamming [2]. Recently, the United States and Europe propose independent standards to meet the communication requirements of VANETs, and offer a series of suggestions to solve the above problems [3,4]. Now, VANETs have been able to support a variety of services, such as traffic management, collision warning, and sharing data etc., which effectively promotes the development of VANETs in the world [5]. Vehicular Social Networks (VSNs) are thought as the integration between VANETs and social networks, which emphasizes the social attributes of VANETs [6]. A VSN is divided into several independent groups, in which each group has common interests or needs in a short time and the group members are close to each other on the road. For example, a group of people driving to the concert are looking forward to sharing data about the concert (i.e., traffic conditions near the stadium, guests of the concert, schedule, etc.). VSNs are required to be able to identify socially-similar vehicles and provide sharing information service.

Problem Definition
Due to the wireless network environment, VSNs have to face a variety of cyber threats and challenges [7]. In the process of data sharing, external attackers can easily collect the transmitted data stream. If there is no effective mechanism to protect the security of the data, the external attacker can not only obtain the information contained in the data stream, but also violate the privacy of the data sender, such as driving track, hobbies, etc. In addition, if an illegal vehicle joins a group, the vehicle can also send fake messages (traffic flow of the target road) to confuse other vehicles, which can easily cause losses to other vehicles. In order to resist the above threats and protect the privacy of vehicles, it is suggested that all shared messages be transmitted in ciphertext, that the identities of group members be authenticated, and that only vehicles that meet the access control policy can obtain shared data. Consequently, how to design a secure and efficient mechanism to realize data sharing while protecting vehicle and data security is a huge challenge for the continuous and rapid development of VSNs [8].
Blockchain is regarded as a promising technology to support data sharing and access control [9]. Different from traditional technologies, blockchain has the following advantages [10]. (i) Blockchain eliminates the central server for the maintenance and management of the whole network data, and improves the flexibility of network organization and data sharing. (ii) Due to the distributed and decentralized characteristics of blockchain, individual tampered data cannot be recognized by the whole network, which ensures the correctness, integrity and security of the data stored in the blockchain. (iii) Blockchain uses cryptographic mechanisms to effectively control access to stored data and protects the security of data information and the privacy of the data owner and data sender. As a result, blockchain is very suitable for the application scenario of data sharing in VSNs.
Generally, data is maintained by multiple nodes in the blockchain and these nodes are usually the data owners and data users. However, in VSNs, the data owners and data users are usually vehicles. Given their limited storage, it is difficult to guarantee that vehicles have enough capacity to store all the data in the communication process. Meanwhile, since fast-moving vehicles need to communicate with surrounding entities wirelessly, it is unrealistic for VANETs to ensure the stable and reliable transmission of a large number of data streams in the process of blockchain maintenance. Moreover, once an unauthorized user is compromised, it is difficult to track the user and the records of its data usage. Therefore, in data access control, the authentication of data owners and data users is essential before judging whether these users meet the access policy.

Related Works
Before sharing the data, it is considered essential to authenticate the legitimacy of the vehicle identity. According to [11,12], the true identity of the vehicle should not be exposed to any other entity except the trusted authority. Consequently, it becomes critical to design an anonymous authentication scheme. Among proposed pseudonym authentication schemes, the public key infrastructure (PKI) certificate-based scheme is the most popular authentication scheme [13,14]. The PKI scheme requires Central Authorities (CAs) to issue certificates for vehicles and RSUs to support vehicle-to-infrastructure (V2I) and vehicle-to-vehicle (V2V) authentication within the network. However, according to [15], it is difficult for PKI-based authentication schemes to overcome the following limitations: (1) adversaries are able to mount DoS attacks through invalid signed messages; (2) it is difficult to protect the location privacy of vehicles; (3) high computation cost and communication cost. In order to protect vehicles' location privacy, scheme [16] proposed an anonymous authentication scheme based on social spots (KPSD). KPSD adopts the Boneh-Boyen short signature to achieve conditional privacy-preserving authentication. In social spots, such as the road intersection or free parking lots near the shopping mall, vehicles are able to generate their pseudonyms and short-life keys independently and implement anonymous authentication. However, high computational cost leads to low efficiency due to the weak computation capability of vehicles. Zhu et al. adopt group signatures to propose a conditional privacy-preserving authentication scheme [17]. In the proposed scheme, VANETs are divided into several domains, and the group public key of each domain is generated by the trusted authority (TA). Vehicles participate in authentication and communication as group members. Scheme [18] uses a short group mechanism to protect vehicle privacy. 
This scheme utilizes a cooperative message authentication protocol to achieve distributed key management and alleviate computation overhead. However, due to the indistinguishability of the group signature, once malicious behavior of a vehicle is found in the group, it is difficult to revoke the vehicle. In order to solve the above problem, schemes [19][20][21][22] use identity-based mechanisms to provide identity authentication and message verification. These mechanisms eliminate the verification of the certificate, improve the authentication efficiency, and reduce the management overhead of the certificate revocation list (CRL). In addition, scheme [21] supports batch authentication and improves the service ratio of RSU. Scheme [22] combines identity-based cryptography and a group signature mechanism and provides unconditional privacy under the full key exposure attack. However, identity-based signature authentication schemes usually have to face high computational cost. It is a challenge to design an efficient authentication mechanism.
Among proposed data sharing schemes in VSNs, scheme [23] proposes an on-demand data dissemination scheme in VANETs. If a vehicle wants to obtain data it is interested in, it is required to send the request message with beacons. When other vehicles hold the data, these vehicles will dynamically adjust the location of data transmission and send data repeatedly, which effectively protects the location privacy of vehicles. However, the effectiveness of the scheme depends entirely on the density of vehicles in the area. In addition, if there is no incentive mechanism, it is difficult to ensure that the data owner can send the required data to the data user in time. Scheme [24] proposes an access control scheme based on a decentralized CP-ABE. The proposed scheme supports policy hiding and is able to effectively protect the identity of the data owner. However, scheme [24] does not consider the identity authentication of data owners and data users, which is not safe for the whole network, because illegal users have a great probability of meeting the policy of the attribute-based encryption scheme. Scheme [25] proposes a verifiable scheme to achieve one-to-many data sharing. The proposed scheme adopts blockchain to achieve access control and guarantee non-repudiation. Meanwhile, a policy hiding strategy is designed to hide the privacy of the data owner. However, in scheme [25], the blockchain storing data is maintained by vehicles, and it is difficult to determine how consortium blockchain members are chosen. In addition, due to the low storage capacity and computing power of vehicles, it is not practical for vehicles to realize data sharing in time or maintenance through a consistency mechanism. Scheme [26] designs a secure vehicle-to-cloud service communication mechanism, in which blockchain is adopted to store reward and punishment records about data sharing. 
Besides, in order to protect vehicle communication security from malicious vehicles, a relevant tracking strategy is also proposed. However, the proposed scheme does not mention access policy; the access control of uploaded data depends on CSP without considering the wishes of the data owner.

Contributions
In order to solve the above problems, this paper proposes an effective data sharing scheme based on blockchain in VSNs. In the proposed scheme, we first describe the details of anonymous authentication and the establishment of secure communication channels. Then all data is transmitted to the cloud through the secure channel. The cloud service provider (CSP) is responsible for managing cloud resources and supports a variety of application services based on cloud resources. Blockchain is adopted to achieve access control and data indexing. RSUs, as the nodes of the blockchain, save the keywords of data and the address where the data is saved in the cloud. Only vehicles meeting the access control strategies can obtain the required data from the cloud through CSP. In addition, the process of data submission and data use is saved in the blockchain as historical records, and the vehicles that release malicious data or use data maliciously will be tracked in time. The contributions of the proposed scheme are summarized as follows:

1.
A secure anonymous authentication protocol is proposed to establish the trust relationship between RSU and vehicle, which realizes the legality verification of communication entity before data sharing.

2.
We use blockchain technology and cloud storage to realize data sharing among vehicles in VSNs, so as to ensure that data users can obtain, in time, the data information they are interested in.

3.
The proposed scheme supports sensitive hidden information to ensure that data users can not find the sensitive information of the data owners through the obtained data.

4.
Security analysis and performance analysis show that our scheme is secure and effective.

Paper Organization
The rest of this paper is structured as follows: Section 2 sketches necessary preliminaries such as VSNs, blockchain, and bilinear maps. The details of the scheme are described in Section 3. Sections 4 and 5 discuss the results of the proposed scheme in security and performance respectively. Finally, in Section 6, the conclusions are given.

Vehicular Social Networks (VSNs)
Vehicular social networks (VSNs) integrate social networks into VANETs and provide a variety of application services for vehicles. Compared with traditional VANETs, VSNs inherit the relevant features of social networks and provide more humanized service for vehicles [27]. In VANETs, roadside units (RSUs) and vehicles are considered the main communication entities. As roadside infrastructure, RSUs are deployed on both sides of the road and provide reliable network and communication services for vehicles running within signal range. Vehicles equipped with on-board units (OBUs) are able to record the running state of vehicles and communicate with nearby vehicles and RSUs. Thus, vehicle-to-infrastructure (V2I) and vehicle-to-vehicle (V2V) are the two main communication forms of VANETs [28]. In V2I, vehicles can communicate with the backbone network through RSUs and obtain services or required data from CSP. V2V guarantees that vehicles can obtain the surrounding traffic flow status and other necessary information through communication with other surrounding vehicles, so as to ensure the safe and smooth driving of the vehicle. In addition, V2V supports communication between vehicles with similar geographical location and provides more humanized service. In the United States, the standards of V2V and V2I (DSRC/WAVE) are formulated by the Institute of Electrical and Electronics Engineers. Although DSRC/WAVE supports TCP and IP protocols, it is recommended to use the standard called WAVE Short Message Protocol (WSMP), which is more suitable for VANET network characteristics and communication environment, and ensures the speed of data transmission and processing [3,29]. A social network is considered to be a virtual social relationship network. 
As social networks are integrated into VANETs, VSNs have the capacity to analyze individuals' social relationships through communication information in VANETs, and support related data services to extend drivers' social activities. Therefore, the main service target group of a VSN is the people with common interests in given scenarios and time. According to [30], VSNs have supported multiple applications, such as navigation, health-care, safety warning, smart calendar etc.

Blockchain
Blockchain is widely known with the cryptocurrency called bitcoin, which is considered as a new technology to combine decentralization, distributed computation, modern cryptography, and consensus algorithm [31]. As a distributed ledger, blockchain has the following advantages.

1.
Decentralization. Decentralization means there is no need for a third party to centrally manage the system. Due to distributed account and storage, the rights and obligations of any node in system are equal. The data blocks in the system are jointly maintained by the nodes in the whole system.

2.
No tampering. In blockchain, individual tampering cannot be recognized by the whole network, which makes data tampering impossible.

3.
Openness. Blockchain data opens to all nodes except the protected private information. Anyone can query the data stored in blockchain and develop applications.

4.
Auditability. The operation information of nodes is required to store in blockchain and all nodes in the system hold the copy of all data saved. Thus, all logs of users' operations on the blockchain can be queried.

5.
Fault tolerance: Any faults can be corrected by decentralized consensus. If a node fails, blockchain supports other nodes in recovering all data stored by the failed node.

Figure 1 shows the details of the data structure of the bitcoin-based blockchain. Each block is divided into a block header and a block body. The block header stores the hash value of the previous block, the root hash, etc. The root hash is the value of the Merkle root hash, where the Merkle tree is composed of all transactions stored in blockchain and the corresponding hash values. If a transaction on the blockchain is tampered with, the root hash will also be changed, resulting in changes in the content of the whole subsequent block.

Bilinear Mapping
Suppose $G_1$ and $G_T$ are two groups of large prime order $q$, where $G_1$ is an additive group and $G_T$ is a multiplicative group. A bilinear mapping $e: G_1 \times G_1 \to G_T$ satisfies the following properties [32].

The Proposed Scheme
This section gives the details of our scheme, which contains system model, security assumption, security goals, system initialization, initialization registration, V2I authentication, data sharing, and data revocation. The abbreviations which are used in the following protocol are shown in Table 1.

$PS_i$: The i-th pseudonym of entity e
$N_i$: The i-th challenge value
$Sign_e$: The signature generated by entity e
$C_e$: The ciphertext encrypted by entity e
$K_{e1-e2}$: The shared key between entity e1 and e2
$PK_e$: The public key of entity e
$SK_e$: The private key of entity e
$EXP_i$: The expiration of pseudonym $PS_i$
$TS$: Current timestamp
$A_i$: The i-th attribute

System Model
As shown in Figure 2, the system model of our scheme consists of four entities: trusted authority (TA), cloud service provider (CSP), RSUs, and vehicles.
• TA is a third-party trusted authority. All entities in VSNs trust TA. In system initialization, TA is responsible for generating public system parameters, providing registration services for other nodes in VSNs, and supporting the establishment of trust relationships between vehicles and RSUs.
• CSP is the entity managing the cloud resources and provides a variety of application services based on cloud resources for vehicles in VSNs. In the proposed scheme, CSP provides data sharing services so that vehicles can obtain the data they are interested in in time.
• RSUs deployed on both sides of the road have the ability to obtain the surrounding road information by communicating with vehicles, so as to support the vehicles in obtaining the necessary information in time. At the same time, RSUs assist vehicles in communicating with CSP to upload or use data. Moreover, all RSUs in VSNs build a blockchain network, which stores the data owner pseudonym, the keywords of shared data, and the address of the data stored in CSP. Each RSU shares the data with other RSUs through the consensus mechanism. A vehicle authenticated by RSUs can obtain the address of the required data stored in CSP through communication with RSUs, and then obtain the data.
• Vehicles follow the WAVE/DSRC standard to communicate with surrounding vehicles and RSUs. In VSNs, vehicles can apply to upload data to the cloud through RSU and CSP, and legitimate vehicles can also obtain the data they are interested in from the cloud.

Security Assumption
In order to ensure the safety and reliability of data, the following security assumptions are made.

Assumption 1. In the proposed effective data sharing scheme based on blockchain in VSNs, we assume that unauthenticated vehicles are illegal vehicles, which means that these illegal vehicles cannot upload data or obtain data they are interested in.

Assumption 2. In our scheme, we assume that the CSP has been granted access to the data, which means CSP may use its access to obtain data and analyze the privacy information of the data owner.

Assumption 3. RSUs and vehicles are easy to be attacked by adversaries. Before mutual authentication, RSU and vehicle cannot trust the data sent by each other.

Assumption 4. In the blockchain, RSUs may be compromised by malicious adversaries and become Byzantine nodes. We assume that the number of Byzantine nodes is no more than (n − 1)/3, where n is the number of RSUs in VSNs.

Security Goal
(1) User Privacy. The true identities of vehicles are hidden from CSP, RSUs, and other vehicles, which means RSU cannot get the true identities of vehicles in authentication and providing services. Meanwhile, data users cannot determine the real identity of the data sharer according to the data obtained.

(2) Data Confidentiality. Entities that do not meet the access policy cannot obtain any information related to plaintext through ciphertext.

System Initialization
In system initialization, TA needs to generate public system parameters and supports to build VSNs security system. The details are shown as follows.

1.
Let $G_1$ be an additive group where $|G_1| = p$ for prime $p$, and $G_T$ be a multiplicative group with the same prime $p$. $P$ is the generator of $G_1$. Meanwhile, a bilinear pairing $e$ : TA computes its public key $PK_{TA} = SK_{TA}P$.

Vehicle Registration Protocol
Vehicles are requested to send their identities to apply for registration. The details are depicted as follows.

1.
Vehicle chooses $a \in G_1$, random number $N_1 \in Z_q^*$ and uses $PK_{TA}$ to compute $C_{v-TA} = Enc_{PK_{TA}}\{ID_v, N_1\}$ and $aP$. Finally, $C_{v-TA}$ and $aP$ are sent to TA.

2.
On receiving the registration message from the vehicle, TA first decrypts $C_{v-TA}$ to get $ID_v, N_1$. Then, TA generates $n$ pseudonyms $PS_i$ ($0 < i \le n$) and computes the corresponding public key $PK_i = H_1(PS_i||EXP_i)$, private key : Then, TA generates vehicle attribute based private key . Finally, TA calculates $K_{TA-v} = SK_{TA}aP$ and adopts AES mechanism to encrypt $PS_i, SK_i, EXP_i, SK_a, N_1$: When obtaining the ciphertext from TA, the vehicle first computes the session key $K_{v-TA} = aPK_{TA}$, and uses $K_{v-TA}$ to decrypt $C_{TA-v}$ and get $PS_i, SK_i, EXP_i, SK_a, N_1$. The vehicle verifies the correctness of $N_1$; if $N_1$ is correct, the vehicle stores $PS_i, SK_i, EXP_i, SK_a$.

RSU Registration Protocol
In this section, the RSU registers with the TA to obtain its private key. Similar to the vehicle registration protocol, RSU first sends its real identity $ID_{RSU}$ to TA. TA computes the private key of $ID_{RSU}$, $SK_{RSU} = SK_{TA}H_1(ID_{RSU})$, and returns it to RSU through a secure channel. Once it has received $SK_{RSU}$, RSU is able to generate an approved signature and participate in authentication.

V2I Authentication Protocol
When vehicle enters the signal coverage range of RSU, in order to realize the data exchange, vehicles and RSUs are required to use Hess signature mechanism [33] to execute V2I authentication protocol. The details are described as Figure 3.

1.
Vehicle chooses $PS_i$, $SK_i$, $EXP_i$, $P_1 \in G_1$, and $r \in Z_q^*$ to generate signature $r_vP$, $e(P_1, P)^r$), $W = rP_1 + hSK_v$, $TS_1$ is current timestamp, $N_2$ is challenge value and $r_vP$ is the key agreement parameter.

2.
Vehicle sends $PS_i$, $EXP_i$, $TS_1$, $N_2$, $r_vP$, and $Sign_v$ to RSU.

3.
When receiving the request message from vehicle, RSU first checks the freshness of $TS_1$ and the validity of $EXP_i$. If $TS_1$ is fresh and $EXP_i$ is valid, then RSU computes $T = e(W, P)\,e(H_1(PS_i||EXP_i), -PK_{TA})^h$, and checks $h = H_2(PS_i||EXP_i||TS_1||N_2||r_vP, T)$. If the equation holds, the vehicle is considered a legal vehicle. Finally, RSU signs $ID_{RSU}, TS_2, N_3, r_{RSU}P$ to get $Sign_{RSU} = Sign_{SK_{RSU}}\{ID_{RSU}, TS_2, N_3, r_{RSU}P\}$ and generates session key $K_{RSU-v} = r_{RSU}r_vP$. Then RSU adopts AES mechanism to encrypt $N_2$ and gets

4.
RSU sends $ID_{RSU}$, $TS_2$, $N_3$, $r_{RSU}P$, $Sign_{RSU}$, and $C_{RSU-v}$ to vehicle.

5.
Vehicle checks the freshness of $TS_2$ and verifies the legitimacy of $Sign_{RSU}$. If $TS_2$ is fresh and $Sign_{RSU}$ is legal, RSU is thought to be a legal entity. Then, vehicle generates session key $K_{v-RSU} = r_vr_{RSU}P$ to decrypt $C_{RSU-v}$ and gets $N_2$. If $N_2$ is legal, vehicle believes that a secure channel is established between the vehicle and the RSU. Finally, vehicle adopts AES mechanism to encrypt $N_3$:

6.
Vehicle sends $C_{v-RSU}$ to RSU.

7.
RSU decrypts $C_{v-RSU}$ to get $N_3$. If $N_3$ is legal, RSU believes a secure channel is established.
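
Why the RSU's check in step 3 accepts an honestly generated signature, written out as an added derivation that is not part of the original paper. It assumes the vehicle's pseudonym private key has the same form as the RSU key given in the RSU Registration Protocol, i.e. $SK_v = SK_{TA}H_1(PS_i||EXP_i)$, and uses only the bilinearity of $e$ and $PK_{TA} = SK_{TA}P$:

$$
\begin{aligned}
T &= e(W, P)\, e(H_1(PS_i||EXP_i), -PK_{TA})^{h} \\
  &= e(rP_1 + hSK_v, P)\, e(H_1(PS_i||EXP_i), -SK_{TA}P)^{h} \\
  &= e(P_1, P)^{r}\, e(SK_v, P)^{h}\, e(H_1(PS_i||EXP_i), P)^{-h\,SK_{TA}} \\
  &= e(P_1, P)^{r}\, e(H_1(PS_i||EXP_i), P)^{h\,SK_{TA}}\, e(H_1(PS_i||EXP_i), P)^{-h\,SK_{TA}} \\
  &= e(P_1, P)^{r}.
\end{aligned}
$$

The RSU therefore recovers the same value $e(P_1, P)^r$ that the signer fed into $H_2$ (compare $h = H_2(M, e(P_1, P)^r)$ in the Computational Cost section), so recomputing the hash over the received fields reproduces $h$ only if $W$ was formed with the matching private key and none of $PS_i$, $EXP_i$, $TS_1$, $N_2$, $r_vP$ was altered in transit. The two session keys agree for the same reason scalar multiplication commutes:

$$
K_{RSU-v} = r_{RSU}(r_vP) = r_v(r_{RSU}P) = K_{v-RSU}.
$$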

Data Sharing Protocol
After V2I authentication, vehicle is able to upload or download the data it is interested in. The proposed scheme adopts Zhou's encryption mechanism [34] to achieve the goal of access control. The details are depicted as follows.
As shown in Figure 4, when a vehicle is the data owner, the vehicle is able to upload the data it wants to share to CSP through RSU.

1.
For message $M$ and the policy $W$ with $k$ attributes, vehicle chooses $t \in Z_q^*$ and computes data encryption key $key = e(P_K, P_1)^{kt}$.

3.
Vehicle encrypts $CT$ and $keyword$, the keyword of message $M$, to get $C_{v-RSU} = Enc_{K_{v-RSU}}\{CT, keyword\}$, where AES mechanism is used as encryption mechanism.

4.
Vehicle sends $C_{v-RSU}$ to RSU.

5.
When RSU receives the ciphertext from vehicle, RSU decrypts $C_{v-RSU}$ to get $CT$, $keyword$, and sends $CT$ to CSP.

6.
CSP stores $CT$ and signs $CT$ and $addr$ to get $Sign_{CSP} = Sign_{SK_{CSP}}\{CT, addr\}$, where $addr$ is the address of data stored in cloud. Then CSP sends $Sign_{CSP}$ to RSU.

7.
RSU verifies $Sign_{CSP}$ and stores $PS_i$, $keyword$, $addr$, and $H(CT)$, the hash value of $CT$, in blockchain. Then RSU sends $Sign_{CSP}$ to vehicle.

8.
Vehicle verifies $Sign_{CSP}$. If $Sign_{CSP}$ is legal, vehicle believes that $CT$ has been stored in cloud.
When a vehicle is the data user, the vehicle can obtain the message it is interested in from CSP through RSU. The details are shown in Figure 5.

1.
Vehicle adopts AES mechanism to encrypt the keyword it is interested in to get $C_{v-RSU} = Enc_{K_{v-RSU}}\{keyword\}$.

3.
RSU decrypts $C_{v-RSU}$ and gets $keyword$. Then RSU finds $addr$ of the data according to $keyword$.

5.
CSP queries $CT$ by address and signs $CT$ to get $Sign_{CSP} = Sign_{SK_{CSP}}\{CT\}$.

6.
CSP sends $CT$ and $Sign_{CSP}$ back to RSU.

7.
RSU verifies $Sign_{CSP}$ and checks whether the hash value of $CT$ stored in blockchain equals $H(CT)$. If the equation holds, RSU encrypts $CT$ to get $C_{RSU-v}$ and stores the data downloading log into blockchain.

8.
RSU sends $C_{RSU-v}$ and $Sign_{CSP}$ to vehicle.

9.
Vehicle decrypts $C_{RSU-v}$ to get $CT$. Then, vehicle verifies signature $Sign_{CSP}$. If the signature is legal, vehicle constructs local guess of access policy $W$, after that, $\forall i \in$ Afterwards, vehicle computes $T_{0,i}/T_{1,i} = e(P, P)^{-t\beta r_i + t\alpha^{K+1}}$. When all $k$ terms are computed, vehicle is able to get $key = e(P, P)^{-t\beta(r_1 + r_2 + \dots + r_k) + kt\alpha^{K+1}} \cdot e(D, C_0)$. Finally, vehicle decrypts $C_v$ to get the message it is interested in.
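
The RSU-side bookkeeping from upload step 7 and download step 7 above, together with the previous-hash linking described in the Blockchain section, as an added example that is not code from the paper. The names (`RsuLedger`, `record_upload`, `verify_download`), the `csp://` addresses and the sample ciphertext are hypothetical; SHA-256 stands in for $H$, and RSU consensus and $Sign_{CSP}$ verification are left out.

```python
import hashlib
import hmac
import json

GENESIS = "0" * 64  # previous-hash value used for the first block


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class RsuLedger:
    """Hash-linked index kept by an RSU (single node, no consensus)."""

    def __init__(self):
        self.blocks = []

    @staticmethod
    def _block_hash(prev: str, record: dict) -> str:
        # Canonical JSON so the same record always hashes the same way.
        body = json.dumps(record, sort_keys=True).encode()
        return sha256_hex(prev.encode() + body)

    def _append(self, record: dict) -> dict:
        prev = self.blocks[-1]["hash"] if self.blocks else GENESIS
        block = {"prev": prev, "record": record,
                 "hash": self._block_hash(prev, record)}
        self.blocks.append(block)
        return block

    def record_upload(self, pseudonym: str, keyword: str, addr: str, ct: bytes):
        # Upload step 7: store PS_i, keyword, addr and H(CT), never CT itself.
        return self._append({"type": "upload", "ps": pseudonym,
                             "keyword": keyword, "addr": addr,
                             "h_ct": sha256_hex(ct)})

    def find(self, keyword: str):
        # Download step 3: newest upload record matching the keyword.
        for block in reversed(self.blocks):
            rec = block["record"]
            if rec["type"] == "upload" and rec["keyword"] == keyword:
                return rec
        return None

    def verify_download(self, requester_ps: str, keyword: str,
                        ct_from_csp: bytes) -> bool:
        # Download step 7: compare H(CT) on the chain with the hash of what
        # the CSP returned; write the download log only when they match.
        rec = self.find(keyword)
        if rec is None:
            return False
        ok = hmac.compare_digest(rec["h_ct"], sha256_hex(ct_from_csp))
        if ok:
            self._append({"type": "download", "ps": requester_ps,
                          "keyword": keyword, "addr": rec["addr"]})
        return ok

    def chain_is_intact(self) -> bool:
        # Recompute every link; an edited record breaks its own hash and
        # every later block's "prev" pointer.
        prev = GENESIS
        for block in self.blocks:
            if block["prev"] != prev:
                return False
            if block["hash"] != self._block_hash(prev, block["record"]):
                return False
            prev = block["hash"]
        return True


def demo():
    ledger = RsuLedger()
    ct = b"constructed ciphertext CT"  # constructed sample, not real ABE output
    ledger.record_upload("PS_owner_1", "concert-traffic", "csp://store/0001", ct)
    genuine = ledger.verify_download("PS_user_7", "concert-traffic", ct)
    tampered = ledger.verify_download("PS_user_8", "concert-traffic", ct + b"!")
    intact_before = ledger.chain_is_intact()
    # Simulate a compromised RSU rewriting the stored address in place.
    ledger.blocks[0]["record"]["addr"] = "csp://store/9999"
    intact_after = ledger.chain_is_intact()
    return genuine, tampered, len(ledger.blocks), intact_before, intact_after


if __name__ == "__main__":
    print(demo())
```

Because only $H(CT)$ and the address sit on the chain, the RSU can detect a ciphertext altered at the CSP without being able to read the data, which is the property the security analysis relies on.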

Security Analysis
This section presents the security analysis in the following aspects.

(1) User Privacy. For vehicle identity privacy protection, in mutual authentication, a vehicle uses its pseudonym $PS_i$ and signature $Sign_v$ to prove the legality of its identity in VSNs, which means that no entity other than the TA can determine the true identity of other vehicles. In the process of data downloading, a data user only needs to prove that he/she has the right to obtain the required data, and meanwhile, since data does not contain any identity information, the data user cannot associate the real identity of the data owner according to the data.

(2) Data Confidentiality. The data is encrypted and stored in the CSP. Any user who does not meet access policies cannot obtain the plaintext. In addition, since the blockchain maintained by RSUs only stores the mapping relationship between keyword and address, RSUs cannot obtain useful data information.

(3) Accountability and Credential Revocation. In a secure network environment, the system can track the data information sent by vehicles in time, and exclude illegal vehicles from the network. The proposed scheme supports illegal vehicle revocation. If a vehicle is compromised, RSU is able to upload its pseudonym $PS_i$, signature $Sign_v$, and operation logs to TA and apply to reveal the true identity of the compromised vehicle. Due to the signature and unforgeable logs, the vehicle cannot deny its illegal behaviour. Consequently, when the information of the illegal vehicle is broadcast in VSNs, the illegal vehicle cannot communicate with other entities in VSNs.

(4) CSP Attacks Resistance. According to the security assumption, CSP has been granted access to the stored data, which means CSP may analyze the stored data and try to obtain the privacy of the data owner. In the proposed scheme, the message is encrypted by an attribute-based encryption mechanism, so CSP cannot decrypt the ciphertext depending on its own attributes. Besides, for the issue that CSP may tamper with data, in the data uploading protocol, CSP is required to generate $Sign_{CSP}$ to prove that the message was stored in the cloud without being tampered with. In the data downloading protocol, RSU is able to check whether $H(CT)$ stored in blockchain is equal to $H(CT')$, where $CT'$ is the data from CSP. If the verification fails, the data is considered to be tampered with.

(5) Minimum Disclosure and Unlinkability. In a data sharing scheme, data users cannot reveal information other than what the data owner wants to share. In the proposed scheme, the content of data in CSP is completely determined by the data owner. Therefore, no entity can obtain, through the data, information that the data owner does not want to expose. In the aspect of data association, the association between data and real vehicle information depends on the security of the pseudonym changing mechanism.

(6) Distributed Resolution Authority. In a secure network environment, no single entity can rely on the information collected by itself to track vehicles. For the proposed scheme, in terms of vehicle identity privacy protection, the mapping between the pseudonym and the real vehicle identity is maintained by TA. However, as the vehicle changes its pseudonym frequently during the communication with the surrounding RSUs and other vehicles, TA cannot know the vehicle's trajectory alone. Similarly, RSUs only know the pseudonym information and location information of the current communication vehicle. RSUs cannot obtain the real identity and long-term trajectory of the vehicle. In terms of data sharing, CSP only provides data uploading and data downloading services for vehicles and cannot accurately know the identity of the data owner. Similarly, RSUs only maintain the list of keyword addresses and cannot obtain the real content of the data.

Performance Analysis
This section gives the details of authentication performance of the proposed scheme compared with KPSD [16], LIAP [21], and IMAEP [22] in the computational and communication cost. Moreover, we use Veins simulation framework and Ethereum to test the data uploading and data downloading performance.

Computational Cost
Computational cost is defined the total computation time of RSU and vehicle in mutual authentication. in this section, cheaper operations of point addition operation, one-way hash function are ignored. We focus on expensive operations. T bp refers to the running time of a bilinear pairing operation, T pm indicates the running time of a point multiplication operation, T pe is the running time of a point exponentiation operation, and T mpt implies the running time of a map-to-point hash function operation.
In order to test the computational cost of the above operations, we make an experiment by choosing the Pairing-Based Cryptography Library. The benchmark includes 2.6 GHz Intel(R) Core(TM) i7-6700HQ CPU, 2GB RAM, Debian 9.4 operating system. The bilinear pairing is e : G 1 × G 1 → G T , where G 1 and G T are additive and multiplicative group respectively. The curve is defined: y 2 = x 3 + x mod p, where prime number p = 512 bits, Solinas prime number q = 160 bits. The experiment results are shown in Table 2. In KPSD, vehicle picks random number sk ∈ Z * q as temporary private key and computes the public key pk = g sk , where g ∈ G 1 . Then vehicle selects α, r α , r x , r γ ∈ Z * q and calculates . When receiving message M, sign, Y j , and Cert, RSU computes δ , the certificate is considered to be legal. Then RSU checks whether the equation e(Y j g H(M) 1 , sign) == e(g 1 , g 2 ) is hold, if it holds, the sign and M are accepted, otherwise, vehicle's message is rejected.
In LIAP, the vehicle first picks $k \in Z_q^*$ and computes its pseudonym $PID = \{PID_1, PID_2\}$, where $PID_1 = kP$, $PID_2 = ID \oplus H(k PK_{CA})$, $ID$ is the real identity of the vehicle, $P$ and $PK_{CA}$ are public parameters, and $H : \{0, 1\}^* \to Z_q^*$. Then the vehicle uses the local master keys $m_1, m_2$ to generate the private keys $SK_1 = m_1 PID_1$ and $SK_2 = m_2 H(PID_1, PID_2)$. After that, the vehicle signs message $M$ to get $\sigma = SK_1 + h(M) SK_2$ and sends $\{PID, M, PK_R, \sigma\}$ to RSU, where $h : \{0, 1\}^* \to Z_q^*$ and $PK_R = \{PK_R^1, PK_R^2\}$ is the public key of the last RSU that communicated with the vehicle. When receiving the message $\{PID, M, PK_R, \sigma\}$, RSU checks whether the following equation holds: $e(\sigma, P) = e(PID_1, PK_R^1)\, e(h(M) H(PID_1, PID_2), PK_R^2)$.

In IMAEP, in order to sign message $M$, the vehicle selects a set of identities $ID = \{ID_1, ID_2, \ldots, ID_n\}$, in which the vehicle identity is one member of $ID$. Then, the vehicle computes the public keys $PK_{ID} = \{PK_{ID_1}, PK_{ID_2}, \ldots, PK_{ID_n}\}$, $PK_{ID_i} = H(ID_i) \in G_1$. Afterwards, the vehicle selects random numbers $U = \{U_1, U_2, \ldots, U_n\} \in G_1$, $r_s \in Z_q^*$, $\alpha \in Z_q^*$ and computes $U = r_s PK_{ID} + \alpha P_{pub} - \sum_{i=1, i \neq s}^{n} (U_i + h_i PK_{ID_i})$, $W = \alpha P$, $h_s = H_0(M \| ID \| U_s)$, and $V = (r_s + h_s) SK_{ID} + \alpha P_{pub}$, where $P$ is a public parameter, $H_0 : \{0, 1\}^* \to Z_q^*$, and $SK_{ID}$ is the private key of the vehicle. When receiving the message $\sigma = \{U_1, U_2, \ldots, U_n, V, W, ID\}$, RSU first computes $PK_{ID_i} = H(ID_i)$ and $h_i = H_0(M \| ID \| U)$. Afterwards, RSU requests $T_1, T_2$ from the key generation center, where $T_1 = e(P, W)^{x^2}$, $T_2 = e(P, W)^{x}$, and $x$ is the private key of the key generation center. Finally, RSU checks the equation $e(P_{pub}, \sum_{i=1, i \neq s}^{n} (U_i + h_i PK_{ID_i}))\, T_1^{-1} = e(P, V)\, T_2^{-1}$. If the equation holds, $\sigma$ is considered to be legal.

In the proposed scheme, the vehicle signs message $M$ to get $sign = \{h, W\}$, where $h = H_2(M, e(P_1, P)^r)$ and $W = rP_1 + h SK_v$. When receiving the authentication request, RSU first computes $T = e(W, P)\, e(H_1(PS_i), P)^r$ and checks $h = H_2(M, T)$. If the above equation holds, the vehicle is considered a legal node.
The comparison of computational cost is shown in Table 3. In the signature generation phase, the computational cost of KPSD is $3T_{pm} + 9T_{pe} + 2T_{bp} = 23.67$ ms. LIAP includes 5 point multiplication operations and 1 hash-to-point function operation, so its computational cost is $5T_{pm} + T_{mtp} = 12.91$ ms. IMAEP contains $n + 4$ point multiplication operations and 1 hash-to-point function operation, so its total computational cost is $(n + 4)T_{pm} + T_{mtp} = 11.14 + 1.77n$ ms. The proposed scheme contains 1 bilinear map operation and 2 point multiplication operations, and its total computational cost is $2T_{pm} + T_{pe} + T_{bp} = 6.63$ ms.

In the signature verification phase, KPSD needs $7T_{pm} + 10T_{pe} + 5T_{bp} = 36.54$ ms to verify a signature. LIAP needs to compute 3 bilinear map operations, 2 point multiplication operations, and 1 hash-to-point function operation, so its total computational cost is $2T_{pm} + T_{mtp} + 3T_{bp} = 11.65$ ms. IMAEP has to calculate 2 bilinear map operations, $n + 1$ point multiplication operations, and 1 hash-to-point function operation: $(n + 1)T_{pm} + T_{mtp} + 2T_{bp} = 8.53 + 1.77n$ ms. The proposed scheme contains 2 bilinear map operations, 1 point multiplication operation, and 1 point exponentiation operation, so its total computational cost is $T_{pm} + T_{pe} + 2T_{bp} = 5.21$ ms. Consequently, the proposed scheme is efficient.

Table 3. Comparison of computational cost (ms).

| Scheme | Signature generation | Signature verification |
|---|---|---|
| KPSD | $3T_{pm} + 9T_{pe} + 2T_{bp} = 23.67$ | $7T_{pm} + 10T_{pe} + 5T_{bp} = 36.54$ |
| LIAP | $5T_{pm} + T_{mtp} = 12.91$ | $2T_{pm} + T_{mtp} + 3T_{bp} = 11.65$ |
| IMAEP | $(n + 4)T_{pm} + T_{mtp} = 1.77n + 11.14$ | $(n + 1)T_{pm} + T_{mtp} + 2T_{bp} = 8.53 + 1.77n$ |
| Our scheme | $2T_{pm} + T_{pe} + T_{bp} = 6.63$ | $T_{pm} + T_{pe} + 2T_{bp} = 5.21$ |

Communication Cost
This section compares the communication cost of our scheme with KPSD, LIAP, and IMAEP. In the bilinear map schemes with respect to the 80-bit security level, the size of each element in $G_1$ is 64 bytes × 2 = 128 bytes, and each element in $G_2$ is 2 × 20 = 40 bytes. Moreover, the sizes of an element of $Z_q^*$ and a timestamp are 20 bytes and 4 bytes, respectively. Because the traffic-related message is the same in all of the above schemes, we focus on the size of the signature with pseudo-identity.

For KPSD, the vehicle is required to send $Cert = \{Y_j \| T_U \| T_V \| c \| s_\alpha \| s_x \| s_\gamma\}$ and $sign$, where $Y_j, sign \in G_2$, $T_U, T_V \in G_1$, and $c, s_\alpha, s_x, s_\gamma \in Z_q^*$, so the communication cost of KPSD is 2 × 40 + 2 × 128 + 4 × 20 = 416 bytes. In LIAP, the vehicle needs to send $PID = \{PID_1, PID_2\}$, $PK_R = \{PK_R^1, PK_R^2\}$, and $\sigma$ to RSU, where $PID_1, PID_2, PK_R^1, PK_R^2, \sigma \in G_1$; as a result, the total communication cost of LIAP is 128 × 5 = 640 bytes. In IMAEP, the vehicle transmits $\sigma = \{U, V, W, ID\}$, where $U = \{U_1, U_2, \ldots, U_n\} \in G_1$, $ID = \{ID_1, ID_2, \ldots, ID_n\} \in Z_q^*$, and $V, W \in G_1$. Consequently, the communication cost of IMAEP is $148n + 256$ bytes. In the proposed scheme, the vehicle sends $PS_i, TS_i, N_i \in Z_q^*$ and $sign_{SK_i} = \{h, W\}$, where $h \in Z_q^*$ and $W \in G_1$. The communication cost is 3 × 20 + 20 + 128 = 208 bytes. The comparison results of the above schemes in communication cost are shown in Table 4.

Simulation
This section presents the experimental results for data uploading and data downloading. We use Veins to run the vehicular network simulation with the road traffic simulator SUMO and the discrete event network simulator OMNeT++; SUMO is used to generate the vehicles' movement pattern under a certain trace [35]. Huangpu District of Shanghai, China is selected as the simulation scenario in Veins, as shown in Figure 6. In the simulation scenario, the number of vehicles is 250, and the running route is generated randomly. Vehicles are requested to broadcast the basic safety message every 300 ms. In addition, Ethereum is deployed on Debian 9.4 to test the performance of RSU data query. The smart contract is loaded in Ethereum to control the read and write permissions of the data. The simulation parameters are shown in Table 5. [24] and Fan's scheme [25].

Figure 7 shows the total time of data uploading, which includes $T\_Enc_v$: the time for user encryption; $T_{v-RSU}$: the data transmission time between vehicle and RSU; $T_{RSU-CSP}$: the data transmission time between RSU and CSP; and $T_{RSU}$: the time when RSU stores PS, keyword and addr to the blockchain. From Figure 7, we can see that the total data uploading time increases with the number of vehicles due to the limited communication bandwidth. In Zhong's scheme, when uploading data, the vehicle is required to define an access policy over attributes and encrypt the data using the encryption algorithm. As a result, the vehicle needs to execute $2n + 2$ bilinear map operations, $2n + 1$ point multiplication operations, $5n + 4$ point exponentiation operations, and 1 hash-to-point operation, where $n$ is the size of the attribute set. In Fan's scheme, the vehicle is required to execute 2 bilinear map operations, 1 point multiplication operation, $2n + 4$ point exponentiation operations, and $n + 2$ hash-to-point operations to encrypt the uploaded data. The proposed scheme requires vehicle, RSU, and CSP to execute 2 bilinear map operations, $n + 4$ point multiplication operations, and 3 point exponentiation operations to upload data. Although the proposed scheme incurs a higher transmission delay due to the participation of RSU and CSP, its low computational cost still makes our scheme the most efficient.

Figure 8 depicts the average delay of data download, which includes $T\_Dec_v$: the time for user decryption; $T_{RSU}$: the time when RSU queries keyword and address from the blockchain; $T_{v-RSU}$; and $T_{RSU-CSP}$. In Zhong's scheme, the data user needs to execute $2n$ bilinear map operations, $3n$ point multiplication operations, and $n$ point exponentiation operations to obtain the content of the downloaded data. Fan's scheme requires the data user to execute $2n + 1$ bilinear map operations, $n + 1$ point multiplication operations, and $n$ point exponentiation operations to get the data. In the proposed scheme, data users are required to compute $2n + 6$ bilinear map operations, $n + 3$ point multiplication operations, and 4 point exponentiation operations to obtain the data they are interested in. As a result, the proposed scheme and Fan's scheme are more efficient than Zhong's scheme due to fewer bilinear map and point multiplication operations. However, in the proposed scheme, if RSU does not find the keyword in the blockchain, RSU needs to update its local blockchain through the consensus mechanism, which affects the efficiency and service ratio of RSU and gives the proposed scheme a higher average delay than Fan's scheme. However, in Fan's scheme, all data is stored in vehicles without the help of RSU, which makes it difficult to ensure the consistency, integrity and security of the data stored in vehicles. Besides, as each vehicle is required to maintain the blockchain and store data, the computational cost and storage cost of vehicles in Fan's scheme are higher than in our scheme, even though the average download delay of Fan's scheme is the lowest.

Discussion
This paper proposed an effective data sharing scheme based on blockchain in VSNs, which includes an anonymous authentication mechanism and a data sharing mechanism. In the anonymous authentication mechanism, we design a pseudonym generation mechanism and adopt an identity-based signature to achieve anonymous authentication between RSU and vehicle. If a vehicle is compromised, TA is able to reveal the real identity from the vehicle's pseudonym and corresponding signature. In the data sharing mechanism, RSU is responsible for verifying the legality of vehicles and maintaining the keywords of data and the CSP signature on the data. CSP provides data sharing services for vehicles and supports vehicles in obtaining the data they are interested in on time. During data uploading and data downloading, CSP is required to sign the data, which guarantees that the data is not tampered with. Consequently, the security of data is also effectively guaranteed. However, the proposed scheme depends on the density of RSUs deployed on both sides of the road: if there is no RSU around the road where the vehicle is travelling, the vehicle cannot upload or download the data of interest. In recent years, although many researchers have proposed vehicle data sharing mechanisms without RSUs, it is difficult to ensure the efficiency of data sharing due to the low computation power and storage capacity of vehicles. In addition, it is still a challenge to ensure the legality and security of data.

Conclusions
Data sharing is vital for VSNs to provide a variety of humanized services. Meanwhile, the access permissions of shared data should fully consider the wishes of the data owner, and the shared data should not expose the privacy of the data owner. We first proposed an anonymous authentication protocol. This mechanism removes the PKI certificate, which not only keeps vehicle storage low and improves the authentication efficiency, but also reduces the management cost of the vehicle. In addition, the pseudonym generation mechanism is adopted to effectively prevent the adversary from violating the privacy of the vehicle through tracking. In the data sharing protocol, CSP supports the storage and maintenance of data, RSU is responsible for maintaining the blockchain that stores keywords and data addresses, and vehicles are able to upload and download data after mutual authentication. Security analysis shows that the proposed scheme is able to protect the privacy of vehicles and guarantee the confidentiality and integrity of data. Performance analysis proves our scheme is more efficient than traditional schemes.
Due to the limitations of our scheme discussed in Section 6, in future work we will focus on researching a more efficient vehicle identity management scheme and propose an efficient data sharing scheme without RSUs.