RSU-Aided Remote V2V Message Dissemination Employing Secure Group Association for UAV-Assisted VANETs

Abstract

Nowadays, the research on vehicular ad hoc networks (VANETs) remains a hot topic within the Internet of Things (IoT) scenarios. Diverse studies and techniques regarding all aspects of VANETs have been investigated thoroughly. Particularly, the wireless characteristic of heterogeneous vehicular communication, along with the complicated and dynamic connection topology among participating VANET entities, have severely affected the secure and stable data exchange. Specifically, the spontaneous vehicle-to-vehicle (V2V) message dissemination, as the essential functionality of VANET, plays a significant role for instant and real-time data sharing for vehicles within a certain vicinity. However, with the short-time interaction and high mobilization of vehicular connections, the remote V2V message delivery intended for long-distance vehicles in the range of different roadside units (RSUs) has not been properly researched. Meanwhile, both V2V and V2R (Vehicle-to-RSU) communication are highly restricted by environmental factors such as physical obstructions or signal interferences, thus drastically reducing the wireless connectivity in practical VANET implementations. In this case, the unmanned aerial vehicles (UAVs), as the auxiliary facilities, can provide the VANET with substitute wireless routes, so that the transmission quality and availability can be improved. In this paper, the authenticated UAV group association design is proposed at first. On this basis, the remote V2V message dissemination method is enabled, where the decentralized V2V connections involving all RSUs along the way are provided. The analysis regarding crucial security properties is presented accordingly, where the formal proofs and comparison are conducted. Moreover, the performance evaluation in terms of storage and time consumption during RSU authentication process is illustrated, respectively. Comparison results with the state-of-the-art prove that superiority on the major performance factors can be achieved.

1. Introduction

The tremendous popularization of the intelligent transportation system (ITS), which is considered to be the primary strategy for improving transportation quality, has been prompted by major enhancements in information and communication technology in recent years [1,2]. ITS, with its anticipated benefits, is responsible for delivering groundbreaking services and applications covering diverse modes of transport and traffic management, which are of particular interest to metropolitan cities and prosperous regions. Consequently, as the fundamental infrastructure of ITS, the VANET is characterized as the dispersed, self-organized wireless networks developed by heterogeneous vehicle entities. Generally, there are three key components of a typical VANET architecture: trusted authority (TA) as the centralized service provider, RSUs as the fundamental roadside facilities, and vehicles as the terminal users [3,4].

TA is in charge of the entire VANET operations including the confidential key allocation. Notably, vast vehicular data from VANET agencies are also consolidated and analyzed on the TA side. Evidently, TA is in strong need of computational and storage capabilities. Nowadays, advanced networking and data transmission approaches, including promising 5G networks and cloud computing, have been devoted to a heterogeneous IoT paradigm including VANETs, where ample computing and storage capacity can be assured [5]. The remote cloud networks have been able to accommodate communications between several VANETs at the same time, accelerating the creation of a universal global vehicle internet initiative (IoV) [6]. The RSUs are specified as the dispersed facilities built along the roadsides at fixed intervals. The successful ranges of fixed RSUs are expected to cover all road areas in order to offer services to specified vehicles [7,8,9]. In particular, each RSU is able to perform the requisite key computing task and store critical data in its storage. Each vehicle can then at all times get access to the applications and resources from VANETs. As the terminal users of VANET, the vehicles in turn collaboratively collect vast heterogeneous vehicular data, as well as real-time road characteristics such as traffic congestion and car crash reports. The aggregated data are then transmitted to the VANETs central server for further processing. In the meantime, relevant VANETs services are being forwarded to those vehicles, which dramatically enhances driving safety. Functionally, each vehicle is installed with an on-board unit (OBU) on which wireless communication modules, including transceiver and transponder, are mounted [10,11,12]. The OBU of the vehicle is designed to manage both transmission and receiving of messages in the high-mobility environment.

Connectivity between the vehicle and its surrounding RSU can be accomplished by the communication between vehicle to RSU (V2R). Meanwhile, data exchange between vehicles can be assured by vehicle to vehicle connection (V2V). Self-organized wireless networks comprising multiple vehicles within specified locations can also be built [13,14], providing real-time data sharing and aggregation. Note that the dedicated short-range communications (DSRC) technique is implemented in both V2V and V2R communication. The interconnected system of VANETs is therefore developed with high connectivity and complex topology. However, critical V2V and V2R data sharing are carried out in the open wireless environment of realistic VANET circumstances. Therefore, serious vulnerability to various security threats and privacy risks exists [15,16]. The critical key details and user secrets may be unlawfully exposed to malicious attackers or unauthorized users, which may compromise the whole VANET network. In this case, efficient security preservation and privacy protection mechanisms in VANETs need to be deployed [17].

In practical VANET circumstances, the VANET data exchange is highly restrained by complicated physical environments and changeable communication conditions [18]. Specifically, the geographical barriers including high mountains and skyscrapers may obstruct the regular message delivery for V2V and V2R data sharing. Moreover, the dynamic wireless ad hoc topologies constructed by the spontaneous high-speed vehicles lead to a temporary and indisciplined interaction paradigm [19], which brings challenges to real-time V2V communication. In this case, the VANET connectivities will be drastically impacted, resulting in insufficient availability and low scalability. To address this practical issue, additional auxiliary facilities can be implemented in the VANET model for active connectivity improvement. Hence, multi-hop message forwarding can be provided with extra routes. With this motivation, the unmanned aerial vehicles (UAVs) can be applied to practical VANETs as the autonomous switching nodes for advancing the transmission quality and availability [20,21,22]. Apparently, with its unique advantages including substitutability, low expense, and applicability, the UAV-assisted VANETs could play a substantial part in practical VANET implementation [23]. In this case, the studies emphasizing UAV secure association and its correlation with the remaining VANET entities are imperative [24,25,26].

V2V communication provides instant and spontaneous data sharing channel for the nearby vehicles of comparatively short distances [27]. Therefore, open and legitimate data interactions among neighboring vehicles can be achieved, specifically for vehicles within one RSU domain. However, the V2V communication topology constructed by high-mobility vehicles may not properly satisfy the requirements for constant and reliable vehicular data exchange for long-distance vehicles. That is, due to the high mobility of participating vehicles, the constructed V2V network appears to be temporary and time-oriented [28]. For example, two vehicles within one RSU domain can easily access the VANET and conduct V2V communication according to their own will. Both the V2V and V2R channels are securely preserved with advanced cryptographic techniques and strategies. However, the two vehicles are then traveling to different spots in the next moment, and each is in the range of individual RSU. At this moment, assuming the two vehicles have to disseminate subsequent messages, the conventional V2V communication intended for short-distance data exchange is not suitable. Meanwhile, the multi-hops channel among other vehicles is not efficient in this case. The long-distance remote V2V communications should be further studied accordingly. However, the corresponding remote V2V message delivery topic for long-distance vehicular communication in the range of different RSUs has not been properly researched so far.

Motivated by the above issues on secure VANET communication and V2V remote message dissemination, in this paper, the novel UAV-based VANET infrastructure is constructed initially. Therefore, VANET communication connectivity can be significantly improved, specifically for practical vehicular communication scenarios. Accordingly, the efficient group verification and key management process for the participating UAVs are presented. Moreover, the remote vehicular message dissemination for long-distance vehicles within different RSU domains is investigated. In the cross-domain authentication (CDA) paradigm, the decentralized V2V connection strategy with RSUs assistance is proposed.

Our Research Contributions

In this paper, the RSU-aided remote V2V message dissemination design with group association for UAV-assisted VANETs is proposed. The nontrivial efforts can be briefly summarized as follows:

• Secure and efficient UAV association design with batch verification: Our design adopts the UAV-assisted VANETs infrastructure, where multiple UAV entities are involved in V2V and V2R communications for connectivity improvement. The certificateless mutual authentication process for UAV association is developed. The partial secret key is utilized by the central server and UAV itself. Non-repudiation, user anonymity, and conditional privacy for each UAV can be guaranteed. Moreover, batch verification is provided in our design. Reliable vehicular data transmission in practical VANET environments can be achieved via the constructed UAV networks.
• Dynamic key management and updating mechanism for UAV-assisted VANETs: Upon verification, the corresponding UAV group key can be generated and safely distributed to the requesting UAVs. The efficient key updating method for all the involved UAVs is achieved. Notably, the dynamic UAV revocation is enabled, while the updated group key is timely acquired by the remaining legitimate UAVs. Heterogeneous vehicular data can then be forwarded through UAV assistance so that the geographic obstructions and interferences can be avoided with the alternative routes provided by UAV interactions.
• RSU-aided remote V2V message dissemination with anonymity: The remote vehicular data exchange method is presented for long-distance V2V communication. Particularly, the proposed design is conducted without remote cloud assistance. With the pre-stored driving records collected from the CDA process, the disseminated vehicular message can be forwarded through the edge RSUs and finally transmitted to the destination vehicle. Subsequently, anonymity for the participating vehicles can be guaranteed. Moreover, the superiority on both the security and performance characteristics can be achieved with the formal analysis and performance comparison.

The remainder of this paper is formulated as follows: The corresponding research development is briefly introduced in Section 2. To gain a better understanding of the topic, Section 3 outlines the requisite preliminary works and the developed UAV-assisted VANET system model. In Section 4, the secure UAV group authentication and key management, and V2V remote message dissemination are presented in detail. The security analysis and performance discussion are presented in Section 5 and Section 6, respectively. The conclusions are drawn in Section 7.

2. Related Works

Nowadays, secure vehicular communication in VANET scenarios has been widely investigated. Various schemes on the authentication and key management for VANETs entities have been proposed so far. In 2012, to enhance privacy preservation and efficiency for key updating, Lu et al. [5] proposed the dynamic authenticated key management scheme with location-based services (LBSs) in VANETs. The double-registration detection mechanism is applied in the proposed DIKE scheme. The LBS session key is assigned to each time slot divided from LBS session. The backward secrecy can be achieved with the integrated threshold technique. Subsequently, the EMAP protocol intended for certificate revocation of VANET is developed in [18]. The received message is validated with the current certificate revocation lists (CRLs) for verifying the authenticity. Meanwhile, the generated keys for the related efficient revocation checking process are shared among the non-revoked vehicles. Subsequently, Lin et al. proposed an efficient cooperative authentication scheme for massive message validation in VANETs [9]. The authentication overhead for the individual vehicle can be reduced. Thereafter, the two-factor lightweight VANETs authenticating scheme (2FLIP) is designed by Wang et al. [4]. The decentralization of certificate authority (CA) and biological-password-based two-factor 2FA are applied. The lightweight hashing process with fast message authentication code (MAC) regeneration design is utilized for efficient user verification. The overhead of certificate management can be reduced with the decentralized CA structure. Similarly, Lo et al. developed the paring-free identity-based message authentication scheme with the batch signature mechanism [27], thus optimized performance in terms of time consumption can be achieved. Recently, several VANET authentication schemes emphasizing on lightweight vehicular verification and privacy-preserving have been developed [7,13].

As for secure V2V data exchange, Liu et al. proposed a dual authenticated key agreement scheme (PPDAS) for secure V2V communication in the IoV paradigm [19]. The historical vehicle trust reputation evaluation method is adopted for the final V2V session key establishment. The dual verification leverages anonymous vehicle identity and behavior authentication to improve decision-making accuracy. In the next, the decentralized lightweight authentication protocol for vehicular networks is developed in [2]. The biometric device (BD) and tamper-proof device (TPD) are used for vehicle verification and key preservation. The authentication signature protocol with hash-chain key generation is introduced for V2V interactions. Anonymous identities for vehicles are applied. Similarly, Wu et al. presented the privacy-preserving mutual authentication protocol for secure vehicular data exchange in dynamic topographical VANET scenarios [17]. Recent research also includes the V2V authentication method developed by Vasudev et al. [12].

The research on UAV communication has attracted lots of attention from academia. In 2017, Yoon et al. proposed the security authentication system employing the encrypted channel for UAV networks [24]. The hijacking problem for UAV control can be addressed. Subsequently, Zhou et al. developed the physical layer security improvement method through UAV with air-to-ground jammer for secure wireless communication [25]. In 2020, Gope et al. constructed the authenticated key agreement scheme for edge-assisted UAV networks. The mobile edge computing service providers are responsible for UAV verification in this scheme. In the next, Zhang et al. presented the gateway-oriented two-server authenticated key agreement [20]. The security of user passwords can be guaranteed in this way. Recently, a mobile edge computing (MEC) system with UAV assistance is developed in [23]. The ground users could offload the computing tasks to the nearby legitimate UAVs. Notably, the jamming signals are to be transmitted from the full-duplex legitimate UAV and other non-offloading ground users. The latency of the MEC system can be reduced accordingly. Aliev et al. proposed a scalable and lightweight group key management and matrix-based message encryption method for confidentiality preservation of V2V broadcasting [22]. The distributed and scalable VANET architecture is applied. Overall, the existing V2V schemes mainly focus on the close vehicular communication within the single RSU domain, while the long-distance remote V2V communication has not been properly studied so far.

3. Preliminaries and Model Definitions

In this section, the relevant cryptographic principles and fundamental knowledge are presented in order to promote the reader’s comprehension of the proposed schemes. The concepts of Lagrange polynomial interpolation, bilinear pairing, Chinese remainder theorem, and homomorphic encryption are introduced, respectively. Subsequently, the related notations, the UAV-assisted VANET system model, the security criteria, and network assumptions are defined.

3.1. Lagrange Polynomial Interpolation

Given a set of $k+1$ different data points $\{(x_0,y_0),\cdots ,(x_j,y_j),\cdots ,(x_k,y_k)\}$, $\forall m\ne j$, $x_m\ne x_j$ holds. Define the polynomial of the degree k in a finite field ${\mathbb{F}}_p$ as $P_k\left(x\right)=a_0+a_{1}x+\cdots +a_k{x}^k$, where $a_i\in {\mathbb{F}}_p$ for $i\in \{0,\cdots ,k\}$. Hence, for $\forall i\in \{0,\cdots ,k\}$, $y_i=P_k\left(x_i\right)$ holds. The interpolation polynomial $L_k\left(x\right)$ in the Lagrange form can be defined as the linear combination as follows:

$$L_k\left(x\right)={\sum }_{j=0}^k{\ell }_j\left(x\right)y_j.$$

Note that the Lagrange basis polynomials ${\ell }_j\left(x\right)$ ($0\le j\le k$) are computed as

$${\ell }_j\left(x\right)=\frac{(x-x_0)}{(x_j-x_0)}\cdots \frac{(x-x_{j-1})}{(x_j-x_{j-1})}\frac{(x-x_{j+1})}{(x_j-x_{j+1})}\cdots \frac{(x-x_k)}{(x_j-x_k)}={\prod }_{m=0,m\ne j}^k\frac{x-x_m}{x_j-x_m}.$$

That is, $L_k\left(x\right)={\sum }_{j=0}^k\left({\prod }_{m=0,m\ne j}^k\frac{x-x_m}{x_j-x_m}\right)y_j$ holds. Accordingly, for $\forall i\ne j$,

$$\left\{\begin{array}{c}{\ell }_j\left(x_i\right)={\prod }_{m=0,m\ne j}^k\frac{x_i-x_m}{x_j-x_m}=\frac{(x_i-x_0)}{(x_j-x_0)}\cdots \frac{(x_i-x_i)}{(x_j-x_i)}\cdots \frac{(x_i-x_k)}{(x_j-x_k)}=0\hfill \\ {\ell }_j\left(x_j\right)={\prod }_{m=0,m\ne j}^k\frac{x_j-x_m}{x_j-x_m}=1\hfill \end{array}\right..$$

Hence, for the polynomial $P_k\left(x\right)$ of degree k, with $k+1$ different data points on the graph of polynomial $P_k\left(x\right)$ and $L_k\left(x\right)$, the reconstruction of the polynomial $P_k\left(x\right)$ can be conducted accordingly.

3.2. Bilinear Pairing

Let ${\mathbb{G}}_1$ and ${\mathbb{G}}_2$ be the cyclic additive group and multiplicative group generated with the same prime order q. A mapping function $\widehat{e}:{\mathbb{G}}_1\times {\mathbb{G}}_1\to {\mathbb{G}}_2$ can be defined as a bilinear pairing if all of the following three properties are satisfied:

(1)

Bilinearity:$\forall P,Q,R\in {\mathbb{G}}_1$ and $\forall a,b\in {\mathbb{Z}}_q^{*}$, there is

$$\left\{\begin{array}{c}\widehat{e}\left(aP,bQ\right)=\widehat{e}{\left(P,bQ\right)}^a=\widehat{e}{\left(aP,Q\right)}^b=\widehat{e}{\left(P,Q\right)}^{ab}\hfill \\ \widehat{e}\left(P,Q+R\right)=\widehat{e}\left(Q+R,P\right)=\widehat{e}\left(P,Q\right)\widehat{e}\left(P,R\right)\hfill \end{array}\right..$$

(2)

Non-degeneracy:$\exists P,Q\in {\mathbb{G}}_1$ such that $\widehat{e}\left(P,Q\right)\ne 1_{{\mathbb{G}}_2}$, where $1_{{\mathbb{G}}_2}$ is the identity element of ${\mathbb{G}}_2$.

(3)

Computability:$\forall P,Q\in {\mathbb{G}}_1$, there is an efficient algorithm to calculate $\widehat{e}\left(P,Q\right)$.

The bilinear map $\widehat{e}$ satisfying the above properties can be constructed with the modified Weil pairing or Tate pairing on the supersingular elliptic curve ${\mathbb{G}}_1$, where the following characteristics are presented.

Definition 1

(Elliptic Curve Discrete Logarithm Problem (ECDLP)). Define $P,Q\in {\mathbb{G}}_1$, where $Q=aP$. Hence, for any probabilistic polynomial-time (PPT) adversary $\mathcal{A}$, the advantage in finding the integer $a\in {\mathbb{Z}}_q^{*}$ to solve the ECDLP problem is defined as $Ad{v}_{\mathcal{A},{\mathbb{G}}_1}^{ECDLP}$, which is negligible as the following equation:

$$Ad{v}_{\mathcal{A},{\mathbb{G}}_1}^{ECDLP}=Pr\left(\mathcal{A}\left(P,aP\in {\mathbb{G}}_1\right)\to a|\forall a\in {\mathbb{Z}}_q^{*}\right)\le \epsilon .$$

Definition 2

(Computational Diffie–Hellman Problem (CDHP)). Define ${\mathbb{G}}_1$ as the cyclic group with the large prime order q. Given $P,aP,bP\in {\mathbb{G}}_1$ for $a,b\in {\mathbb{Z}}_q^{*}$, where P is the generator of the cyclic group ${\mathbb{G}}_1$. Hence, for any probabilistic polynomial-time (PPT) adversary $\mathcal{A}$, the advantage in finding computing $abP$ for solving the given CDHP problem is defined as $Ad{v}_{\mathcal{A},{\mathbb{G}}_1}^{CDHP}$, which is negligible as the following equation:

$$Ad{v}_{\mathcal{A},{\mathbb{G}}_1}^{CDHP}=Pr\left(\mathcal{A}\left(P,aP,bP\in {\mathbb{G}}_1\right)\to abP\in {\mathbb{G}}_1|\forall a,b\in {\mathbb{Z}}_q^{*}\right)\le \epsilon .$$

3.3. Chinese Remainder Theorem (CRT)

Let $\{n_1,n_2,\dots ,n_k\}$ be the pairwise co-prime positive integers. For an arbitrary sequence of integers $\{a_1,a_2,\dots ,a_k\}$, the system congruences defined as

$$\left\{\begin{array}{c}x\equiv a_{1}mod{n}_1\hfill \\ x\equiv a_{2}mod{n}_2\hfill \\ ⋮\hfill \\ x\equiv a_{k}mod{n}_k\hfill \end{array}\right.$$

has a unique solution modulo $N={\prod }_{i=1}^k{n}_i$. In this case, for $i=1,2,\dots ,k$, we can get

$$\left\{\begin{array}{c}{y}_i=\frac{N}{n_i}=n_1{n}_2\dots n_{i-1}{n}_{i+1}\dots n_k\hfill \\ z_i\equiv y_i^{-1}mod{n}_i\hfill \end{array}\right..$$

Hence, $y_i{z}_i\equiv 1mod{n}_i$ and $y_j\equiv 0mod{n}_i$ for $i\ne j$. The solution can be computed as

$$x=\left(a_1{y}_1{z}_1+a_2{y}_2{z}_2+\cdots +a_k{y}_k{z}_k\right)mod{n}_i=\left({\sum }_{i=1}^k{a}_i{y}_i{z}_i\right)mod{n}_i$$

3.4. Homomorphic Encryption

The homomorphic encryption design allows the predefined standard computations on ciphertexts, with which the output matches the encryption result on the computations conducted on plaintexts. With its unique properties, homomorphic encryption can be widely applied to vast security designs and privacy-preserving strategies. Hence, the transmitted data can be securely processed and out-sourced without revealing privacy-related information. The encryption and decryption functionalities can be considered as the homomorphisms between plaintext and ciphertext spaces. In practical communication scenarios with semi-trusted entities, homomorphic encryption could remove privacy barriers inhibiting data sharing since the operations on encrypted data can be performed instead of direct calculations on the confidential user data. The Paillier cryptosystem is one of the homomorphic cryptosystems for public key infrastructure (PKI). The security of Paillier cryptosystem is based on the decisional composite residuosity assumption (DCRA) described as follows:

Definition 3

(Decisional Composite Residuosity Assumption (DCRA)). Let $p,q$ be two large primes such that $n=pq$. Given $\alpha \in {\mathbb{Z}}_{n^2}^{*}$, if there exist $\gamma \in {\mathbb{Z}}_{n^2}^{*}$ satisfying $\alpha \equiv {\gamma }^{n}mod{n}^2$, hence α is defined as the n-th residue modulo $n^2$. Notably, given the composite n and an integer β, it is hard to decide whether β is the n-th residue modulo $n^2$.

The Paillier encryption process is additively homomorphic. That is, the product of the two ciphertexts will decrypt to the sum of their corresponding plaintexts. Let $m_1,m_2\in {\mathbb{Z}}_n^{*}$ be the plaintexts, $r_1,r_2,r_3<n$ be the random integers during encryption. The following additive homomorphic properties can be satisfied:

$$\left\{\begin{array}{c}\mathtt{E}\left(m_1,r_1\right)·\mathtt{E}\left(m_2,r_2\right)mod{n}^2=\mathtt{E}\left(m_1+m_2,r_3\right)modn\hfill \\ \mathtt{E}{\left(m_1,r_1\right)}^{\mu }mod{n}^2=\mathtt{E}\left(m_1\mu ,r_3\right)modn\hfill \end{array}\right.,$$

where $\mu \in {\mathbb{Z}}_n^{*}$ holds. $\mathtt{E}\left(·\right)$ denotes the encrypting operation.

3.5. Notations

The notations used in the proposed scheme, as well as the corresponding descriptions are listed in the following

Table 1. Notations.

Symbol	Description
VC, RSUs	Vehicular Cloud, Road-Side Units
${\mathbb{G}}_1,{\mathbb{G}}_2$	Cyclic Group
$\mathcal{G}$	Generator of ${\mathbb{G}}_1$
$\widehat{e}$	Bilinear Pairing
${‡}_T^i,{‡}_{\perp }^i$	RSU Identities
$〈{\mathfrak{s}}_{\perp }^i,{\mathfrak{r}}_{\perp }^i〉$	Partial Secret Key Pair of RSU
${‡}_U^j,{‡}_j^{\otimes }$	UAV Identities
$〈{\mathfrak{k}}_j^{\otimes },{\mathfrak{r}}_j^{\otimes }〉$	Partial Secret Key Pair of UAV
$〈{\mathcal{G}}_i,{\hslash }_i〉$	RSU Encryption Key Set
$us{k}_j$	UAV Session Key
$g{k}^i$	UAV Group Key
${\left\{{\partial }_i\right\}}_{i\in \left[0,n\right]}$	Coefficients Set of ${\aleph }^i\left(x\right)$
${‡}_V^j,{‡}_j$	Vehicle Identities
$〈{\mathfrak{k}}_j,{\mathfrak{r}}_j〉$	Partial Secret Key Pair of Vehicle
$〈{\mathcal{X}}_j,{\xi }_j〉$	Vehicle Encryption Key Pair
$〈{\mathcal{X}}_j,{\mathrm{\Gamma }}_j〉$	Vehicle Decryption Key Pair
$〈H_1,H_2,H_3,H_4,H_5〉$	Secure Hash Functions
$〈h_1,h_2,h_3,h_4,h_5〉$	Secure Hash Functions

.

3.6. System Model

The UAV-assisted VANET infrastructure of our design is briefly explained in this section. In our assumption, the UAVs participate in the vehicular communication process as the significant message forwarding and transmission node. The VANET wireless network connectivity can be improved in order to overcome the negative impacts caused by geographical obstructions and signal interferences. As shown in Figure 1, the typical VANETs system model consists of four different layers with distinctive functionalities: the vehicular cloud as the central server, the edge layer containing the RSU facilities, the vehicle layer regarding the terminal vehicles/users, and the UAV layer for connectivity improvement. The relevant descriptions of the four VANET layers are respectively presented as follows.

Vehicular cloud is regarded as the core storage facility in charge of data storing and processing. Heterogeneous vehicular data of the whole VANET are analyzed in the vehicular cloud (VC). Notably, the utilized cloud architecture is able to provide sufficient processing and storage capabilities for multiple VANET prototypes simultaneously, which drastically facilitates the implementation of global IoV initiatives. Additionally, efficient data interchanges with nearby VANET facilities can be accomplished with the dedicated 5G communicating infrastructure. With full authority, the essential operations for the entire VANET system, including the vehicle registration, session key allocation, and user authentication, are all carried out by the VC, which is considered as the legitimate and trustworthy data server in the assumption. Note that VC is defined to be valid and trustworthy anytime.

Edge layer is defined as the distributed local VANET facility composed of various RSU clusters. Each RSU cluster maintains collaborative wired connections among the neighboring RSUs within the vicinity. Accordingly, the decentralized edge network for instant vehicular data exchange and service provision can be guaranteed. Each RSU cluster is responsible for essential vehicular information sharing and distributive edge computation. Overall, in the cloud-assisted VANET system, heterogeneous vehicular data are analyzed and stored in the cloud server, while the edge computing RSU clusters are deployed. Low latency, better response time, and transfer rates can be guaranteed in V2R interactions, which leverages the physical proximity to the terminal user. That is, the frequently used data requested from VC can be temporarily cached in the local edge server so that rapid response to the vehicles can be guaranteed. The bandwidth burden for VC can be significantly alleviated in this way.

Vehicle layer refers to the vehicle networks constructed during V2V and V2R communication. The embedded OBU within each vehicle is equipped with wireless transceiver and transponder for message delivery in high-mobility VANET scenarios. Meanwhile, the implemented TPD is for confidential information preservation. Notably, the vehicle, the OBU, and the driver are considered as one entity in our system model. Considering of the resource limitation, lightweight designs in terms of authentication and secure data exchange are crucial for practical VANETs.

UAV Cluster is defined as a set of autonomous switching nodes for advancing the transmission quality and availability. Upon validation, the legitimate UAV networks are responsible for the low-cost and multi-hop routing network construction. In practical VANET occasions, the geographical barriers such as high mountains and skyscrapers may interfere with regular V2V or V2R connections. In this case, the VANETs could take advantage of the self-organized UAV network and built substantial routing paths via dynamic UAV connections. Apparently, with its unique advantages including substitutability, low expense, and applicability, the UAV-assisted VANETs could play an imperative part in practical VANET implementation. The studies emphasizing UAV secure association and its correlation with the remaining VANET entities are vital.

3.7. Network Assumptions

As illustrated in Figure 1, the wired connections involving the VC and various local RSUs enable reliable vehicular data exchange with all the participating vehicles. Accordingly, effective strategies and techniques could be executed. Moreover, the connectivity between the vehicle and its surrounding RSU can be accomplished by V2R communication, while the data exchange between vehicles can be assured by V2V communication. All are supported by the dedicated short-range communications (DSRC) technique. However, critical V2V and V2R data sharing are carried out in the open wireless environment of realistic VANET circumstances. Therefore, serious vulnerability to various security threats and privacy risks exists. The critical key details and user secrets may be unlawfully exposed to malicious attackers or unauthorized users, which may compromise the whole VANET network. In this case, efficient security preservation and privacy protection mechanisms in VANETs need to be deployed.

Additionally, the geographical barriers may also obstruct the regular message delivery for stable V2V and V2R data sharing. The dynamic wireless ad hoc topologies constructed by the spontaneous high-speed vehicles lead to a temporary and indisciplined interaction paradigm, which brings challenges to real-time V2V communication. In this case, the VANET connectivities will be drastically impacted, resulting in insufficient availability and low scalability. With this motivation, the unmanned aerial vehicles, as the additional auxiliary facilities, can be applied to practical VANETs as the autonomous switching nodes for advancing the transmission quality and availability. Hence, proper security methods are of significance for the interactions among UAVs and vehicles.

3.8. Security Objectives

The objectives of our design are to enhance the security assurance of UAV-assisted VANETs wireless transmissions and to address the remote V2V communication for long-distance, remote vehicles. The following security requirements for VAENT key management and authentication scheme should be fully satisfied:

• Anonymity: Messages originated from the same device carry unique patterns for verification of the receiver side. In the open wireless environment, by analyzing the eavesdropped information, vital parameters including the user location may be extracted, which endangers user privacy. Therefore, anonymity for all the participating vehicles during the whole VANET communications is extremely crucial.
• Unforgeability: The adversary may selectively forge the valid certificates, keys, or signatures in wireless VANET transmission in order to pass the verification process and acquire crucial system secrets. Unforgeability is the key property of safe data sharing against the selected message attack.
• Session Key Establishment: Upon validation, the shared session key between individual vehicles and the VANET system should be established so as to provide safe data exchange. Due to the semi-trustworthiness of intermediate RSUs, the constructed session key should be hidden from the interacting RSUs.
• Conditional Privacy Preserving: As one of the essential privacy criteria, conditional privacy is mainly composed of user privacy protection, and device identity retrieving. On the one hand, private information regarding user identity should be preserved during the entire transmission process. Hence, the illegal tracing toward the specific device cannot be performed. On the other hand, the legal authority should be capable of revealing the real identity of the individual vehicle under specific situations. The compromised or corrupted vehicle can then be timely traced.
• Non-repudiation: The message sender of VANET is unable to deny the authenticity of its signature on the messages transmitted. Non-repudiation guarantees that the information transmitted is valid.
• Mutual Authentication: Mutual authentication is the fundamental but leading security property in the VANET architecture, ensuring that the participating two VANET entities of the same communication session authenticate each other.

4. Proposed UAV Association and V2V Dissemination Scheme

In this section, the UAV authenticated key management scheme is developed, followed by the remote V2V message dissemination design. The proposed UAV group association design applies the certificateless cryptography technique for key escrow avoidance, where the partial secret key set is respectively managed by VC and individual UAV device. The user anonymity for the participating UAVs is provided accordingly. The edge RSU structure is responsible for pairing-based computations, while complicated processing tasks for resource-constrained UAVs are exempted during the whole process. Upon verification, the dynamic UAV group key distribution mechanism is conducted subsequently. Notably, efficient batch UAV validation design is enabled. In the next, the remote V2V message dissemination is presented. The RSU-aided vehicle communication is conducted through the RSU clusters along the driving path, while the vehicle route retrieving is achieved in this way.

The proposed scheme regarding UAV association can be roughly classified into the UAV batch authentication and group key distribution. In the initial UAV batch authentication, the UAV device registration and the nontrivial mutual verification design are executed. Subsequently, the universal group key is constructed for the universal UAV networks, which is of benefit to connectivity improvement in VANET implementation with geographical obstructions. Afterward, the remote V2V message delivery is composed of remote vehicular verification and V2V message dissemination, where the RSU-aided identity route retrieving method with remote VC assistance is developed.

4.1. UAV Batch Authentication

Initially, the corresponding UAV registration prior to the verification process is conducted, which is explicitly performed on the VC side. In this case, VC is in charge of vital UAV parameter allocation and essential key distribution to the destined UAVs. Firstly, ${\mathbb{G}}_1$ and ${\mathbb{G}}_2$ are respectively defined as the cyclic groups with the same large prime order q, where $\mathcal{G}$ denotes the generator of ${\mathbb{G}}_1$. Meanwhile, the map function $\widehat{e}:{\mathbb{G}}_1\times {\mathbb{G}}_1\to {\mathbb{G}}_2$ is defined as the bilinear pairing. The cryptographic hash functions ${\left\{H_i\right\}}_{i\in [1,5]}$ and ${\left\{h_i\right\}}_{i\in [1,5]}$ are respectively defined as $H_1:{\{0,1\}}^{*}\times {\{0,1\}}^{*}\times {\{0,1\}}^{*}\times {\{0,1\}}^{*}\times {\mathbb{G}}_1\times {\mathbb{G}}_1\times {\mathbb{G}}_1\to {\mathbb{Z}}_q^{*}$, $H_2:{\{0,1\}}^{*}\times {\{0,1\}}^{*}\times {\mathbb{G}}_1\to {\mathbb{Z}}_q^{*}$, $H_3:{\{0,1\}}^{*}\times {\{0,1\}}^{*}\times {\{0,1\}}^{*}\times {\mathbb{G}}_1\to {\mathbb{Z}}_q^{*}$, $H_4:{\mathbb{G}}_1\to {\mathbb{Z}}_q^{*}$, $H_5:{\{0,1\}}^{*}\times {\{0,1\}}^{*}\times {\mathbb{G}}_1\times {\{0,1\}}^{*}\times {\{0,1\}}^{*}\to {\mathbb{Z}}_q^{*}$, $h_1:{\{0,1\}}^{*}\times {\{0,1\}}^{*}\times {\{0,1\}}^{*}\to {\mathbb{Z}}_q^{*}$, $h_2:{\{0,1\}}^{*}\times {\{0,1\}}^{*}\to {\mathbb{Z}}_q^{*}$, $h_3:{\{0,1\}}^{*}\times {\mathbb{G}}_1\to {\mathbb{Z}}_q^{*}$, $h_4:{\{0,1\}}^{*}\times {\{0,1\}}^{*}\times {\{0,1\}}^{*}\times {\{0,1\}}^{*}\to {\mathbb{Z}}_q^{*}$, $h_5:{\{0,1\}}^{*}\to {\mathbb{Z}}_q^{*}$. At this point, VC is able to generate the unique confidential secret set $〈{‡}_T^i,{\mathfrak{s}}_{\perp }^i〉$ for each validated RSU, where ${‡}_T^i\in {\{0,1\}}^{*}$ denotes the identity, and ${\mathfrak{s}}_{\perp }^i\in {\mathbb{Z}}_q^{*}$ denotes the RSU partial secret key randomly generated by VC. At this moment, the confidential RSU information set $〈{‡}_T^i,{\mathfrak{s}}_{\perp }^i〉$ is safely shared among TA and each RSU itself.

Similarly, it is essential for each UAV to conduct the registration process in advance. The UAV identity ${‡}_U^j\in {\{0,1\}}^{*}$ and the partial secret key ${\mathfrak{k}}_j^{\otimes }\in {\mathbb{Z}}_q^{*}$ are then assigned by VC. Hence, the key pair for UAV is defined as $〈{‡}_U^j,{\mathfrak{k}}_j^{\otimes }〉$. With the purpose of user anonymity preservation, each registered RSU randomly generates ${\mathfrak{r}}_{\perp }^i\in {\mathbb{Z}}_q^{*}$ and computes its temporary session identity ${‡}_{\perp }^i$ as ${‡}_{\perp }^i=h_1\left({\mathfrak{t}}_1^i,{‡}_T^i,{\mathfrak{r}}_{\perp }^i{\mathfrak{s}}_{\perp }^i\right)$, where the current timestamp ${\mathfrak{t}}_1^i$ is adopted. In this case, each session identity ${‡}_{\perp }^i$ is valid within a certain time interval. The partial secret key pair is stored as $〈{\mathfrak{r}}_{\perp }^i,{\mathfrak{s}}_{\perp }^i〉$, while ${\mathfrak{r}}_{\perp }^i$ is kept secret to VC. Meanwhile, the homomorphic encryption design is utilized. That is, each RSU computes ${\mathcal{G}}_i={\mathcal{X}}_i{\mathcal{Y}}_i$ satisfying $\gcd \left({\mathcal{X}}_i{\mathcal{Y}}_i,\left({\mathcal{X}}_i-1\right)\left({\mathcal{Y}}_i-1\right)\right)=1$, where ${\mathcal{X}}_i$ and ${\mathcal{Y}}_i$ denote the prime values randomly selected by RSU itself. Hence, RSU chooses random ${\hslash }_i\in {\mathbb{Z}}_{{\mathcal{G}}_i^2}^{*}$ and computes ${\mathfrak{A}}_i=\mathrm{lcm}\left({\mathcal{X}}_i-1,{\mathcal{Y}}_i-1\right)$ and ${\mathfrak{B}}_i={\ell }_i\left({\hslash }_i^{{\mathfrak{A}}_i}mod{\mathcal{G}}_i^2\right)mod{\mathcal{G}}_i$, where the function ${\ell }_i\left(x\right)=\frac{x-1}{{\mathcal{G}}_i}$. At this point, the RSU encryption key pair can be extracted as $〈{\mathcal{G}}_i,{\hslash }_i〉$. Subsequently, the following calculations are conducted by RSU

$$\left\{\begin{array}{c}{\mathbb{J}}^i={\mathfrak{r}}_{\perp }^i\mathcal{G}\hfill \\ {\mathbb{K}}^i={\mathfrak{s}}_{\perp }^i{h}_2\left({‡}_{\perp }^i,{\mathfrak{r}}_{\perp }^i\right)\mathcal{G}\hfill \\ {\mathbb{R}}^i={\mathfrak{r}}_{\perp }^i{\mathfrak{s}}_{\perp }^i\mathcal{G}\hfill \\ Si{g}_{\perp }^i=H_1\left({\mathfrak{t}}_N^i,{‡}_{\perp }^i,{\mathcal{G}}_i,{\hslash }_i,{\mathbb{J}}^i,{\mathbb{K}}^i,{\mathbb{R}}^i\right)\hfill \end{array}\right.,$$

(1)

where ${\mathfrak{t}}_N^i$ denotes the latest timestamp. At this point, the RSU parameters set $<{\mathfrak{t}}_N^i,{‡}_{\perp }^i,{\mathcal{G}}_i,{\hslash }_i,$${\mathbb{J}}^i,{\mathbb{K}}^i,{\mathbb{R}}^i,Si{g}_{\perp }^i>$ is published to all entities in its effective range. In the next, the UAV batch authentication process is described step by step. Assuming n, UAVs with identity set $〈{‡}_U^j,{\mathfrak{k}}_j^{\otimes }〉$ ($j\in \left[1,n\right]$) are organized in the range of one RSU, and each UAV itself generates the partial secret key ${\mathfrak{r}}_j^{\otimes }\in {\mathbb{Z}}_q^{*}$ on its own. At this moment, the partial secret key pair $〈{\mathfrak{k}}_j^{\otimes },{\mathfrak{r}}_j^{\otimes }〉$ is stored in UAV storage. Hence, the temporary identity used in the authentication session is computed as ${‡}_j^{\otimes }=H_2\left({‡}_U^j,{\mathfrak{k}}_j^{\otimes },{\mathfrak{r}}_j^{\otimes }\mathcal{G}\right)$. Meanwhile, all the UAVs are acknowledged of the published RSU parameters set $〈{\mathfrak{t}}_N^i,{‡}_{\perp }^i,{\mathcal{G}}_i,{\hslash }_i,{\mathbb{J}}^i,{\mathbb{K}}^i,{\mathbb{R}}^i,Si{g}_{\perp }^i〉$. By validating the certificate $Si{g}_{\perp }^i$, the integrity of the received message can be guaranteed. Thereafter, each UAV computes

$$\left\{\begin{array}{c}{\mathbb{S}}_j={\mathfrak{r}}_j^{\otimes }\mathcal{G}\hfill \\ {\daleth }_j=H_3\left({\mathfrak{t}}_2^j,{‡}_j^{\otimes },{‡}_{\perp }^i,{\mathbb{S}}_j\right)\hfill \end{array}\right.$$

(2)

and calculates the signature as ${\beth }_j=H_4\left({\mathfrak{r}}_j^{\otimes }{\mathfrak{k}}_j^{\otimes }\mathcal{G}\right)\mathcal{G}+{\daleth }_j\left[{\mathfrak{r}}_j^{\otimes }{\mathbb{K}}^i+{\mathfrak{k}}_j^{\otimes }{H}_2\left({\mathfrak{t}}_2^j,{‡}_j^{\otimes },{\mathfrak{k}}_j^{\otimes }\mathcal{G}\right){\mathbb{J}}^i\right]$, which combines the published RSU parameters with vehicle partial secret keys $〈{\mathfrak{k}}_j^{\otimes },{\mathfrak{r}}_j^{\otimes }〉$. The authentication requests ${〈Request,{\mathfrak{t}}_2^j,{‡}_j^{\otimes },{\mathbb{S}}_j,{\daleth }_j,{\beth }_j〉}_{j\in \left[1,n\right]}$ from n vehicles are respectively delivered to RSU for further verification.

Upon receipt of the n requesting messages, the RSU checks the freshness of the received timestamp ${\mathfrak{t}}_2^j$ and verifies ${\daleth }_j$ according to its session identity ${‡}_{\perp }^i$. Subsequently, RSU forwards $〈{\mathfrak{t}}_2^j,{‡}_j^{\otimes },{\mathbb{S}}_j〉$ to the VC for final identification. As mentioned above, significant identity information $〈{‡}_U^j,{\mathfrak{k}}_j^{\otimes }〉$ involving all the legitimate UAVs is stored in VC. Therefore, VC adopts the delivered ${\mathfrak{t}}_2^j$ and ${\mathbb{S}}_j$ to the records and computes the UAV identity with the received one. If it matches, the identity of the UAV is confirmed. Hence, VC extracts the partial secret ${\mathfrak{k}}_j^{\otimes }$ and computes ${\mathfrak{Z}}_j=\widehat{e}\left({\mathfrak{k}}_j^{\otimes }{H}_2\left({\mathfrak{t}}_2^j,{‡}_j^{\otimes },{\mathfrak{k}}_j^{\otimes }\mathcal{G}\right)\mathcal{G},\mathcal{G}\right)$ and ${\mathrm{\Xi }}_j=\widehat{e}\left(H_4\left({\mathfrak{k}}_j^{\otimes }{\mathbb{S}}_j\right)\mathcal{G},\mathcal{G}\right)$, which will be forwarded to the RSU with session identity ${‡}_{\perp }^i$. At this moment, the confidential information set ${〈{\mathfrak{Z}}_j,{\mathrm{\Xi }}_j,{\beth }_j,{\daleth }_j,{\mathbb{S}}_j〉}_{j\in \left[1,n\right]}$ for n UAVs are acquired by local RSU. Hence, RSU executes the following batch authentication calculation for n UAVs as

$$\frac{\widehat{e}\left({\sum }_{j=1}^n{\beth }_j,\mathcal{G}\right)}{{\left({\prod }_{j=1}^n{\mathfrak{Z}}_j^{{\daleth }_j}\right)}^{{\mathfrak{r}}_{\perp }^i}\widehat{e}{\left(h_2\left({‡}_{\perp }^i,{\mathfrak{r}}_{\perp }^i\right)\mathcal{G},{\sum }_{j=1}^n{\daleth }_j{\mathbb{S}}_j\right)}^{{\mathfrak{s}}_{\perp }^i}}\stackrel{?}{=}{\prod }_{j=1}^n{\mathrm{\Xi }}_j.$$

(3)

The correctness of Equation (3) can be briefly elaborated as follows:

$$\begin{array}{cc}\hfill & \frac{\widehat{e}\left({\sum }_{j=1}^n{\beth }_j,\mathcal{G}\right)}{{\left({\prod }_{j=1}^n{\mathfrak{Z}}_j^{{\daleth }_j}\right)}^{{\mathfrak{r}}_{\perp }^i}\widehat{e}{\left(h_2\left({‡}_{\perp }^i,{\mathfrak{r}}_{\perp }^i\right)\mathcal{G},{\sum }_{j=1}^n{\daleth }_j{\mathbb{S}}_j\right)}^{{\mathfrak{s}}_{\perp }^i}}\hfill \\ \hfill & =\frac{{\prod }_{j=1}^n\widehat{e}\left({\daleth }_j{\mathfrak{r}}_j^{\otimes }{\mathbb{K}}^i,\mathcal{G}\right)\widehat{e}\left({\sum }_{j=1}^n{\daleth }_j{\mathfrak{k}}_j^{\otimes }{H}_2\left({\mathfrak{t}}_2^j,{‡}_j^{\otimes },{\mathfrak{k}}_j^{\otimes }\mathcal{G}\right){\mathbb{J}}^i,\mathcal{G}\right)\widehat{e}\left({\sum }_{j=1}^n{H}_4\left({\mathfrak{r}}_j^{\otimes }{\mathfrak{k}}_j^{\otimes }\mathcal{G}\right)\mathcal{G},\mathcal{G}\right)}{{\left({\prod }_{j=1}^n{\mathfrak{Z}}_j^{{\daleth }_j}\right)}^{{\mathfrak{r}}_{\perp }^i}\widehat{e}{\left(h_2\left({‡}_{\perp }^i,{\mathfrak{r}}_{\perp }^i\right)\mathcal{G},{\sum }_{j=1}^n{\daleth }_j{\mathfrak{r}}_j^{\otimes }\mathcal{G}\right)}^{{\mathfrak{s}}_{\perp }^i}}\hfill \\ \hfill & =\frac{{\prod }_{j=1}^n\widehat{e}\left({\daleth }_j{\mathfrak{r}}_j^{\otimes }{\mathbb{K}}^i,\mathcal{G}\right)\widehat{e}\left({\sum }_{j=1}^n{\daleth }_j{\mathfrak{k}}_j^{\otimes }{H}_2\left({\mathfrak{t}}_2^j,{‡}_j^{\otimes },{\mathfrak{k}}_j^{\otimes }\mathcal{G}\right){\mathbb{J}}^i,\mathcal{G}\right)\widehat{e}\left({\sum }_{j=1}^n{H}_4\left({\mathfrak{r}}_j^{\otimes }{\mathfrak{k}}_j^{\otimes }\mathcal{G}\right)\mathcal{G},\mathcal{G}\right)}{{\prod }_{j=1}^n\widehat{e}{\left({\mathfrak{k}}_j^{\otimes }{H}_2\left({\mathfrak{t}}_2^j,{‡}_j^{\otimes },{\mathfrak{k}}_j^{\otimes }\mathcal{G}\right)\mathcal{G},\mathcal{G}\right)}^{{\daleth }_j{\mathfrak{r}}_{\perp }^i}\widehat{e}\left({\sum }_{j=1}^n{\daleth }_j{\mathfrak{r}}_j^{\otimes }{\mathbb{K}}^i,\mathcal{G}\right)}\hfill \\ \hfill & =\frac{\widehat{e}\left({\sum }_{j=1}^n{\daleth }_j{\mathfrak{k}}_j^{\otimes }{H}_2\left({\mathfrak{t}}_2^j,{‡}_j^{\otimes },{\mathfrak{k}}_j^{\otimes }\mathcal{G}\right){\mathbb{J}}^i,\mathcal{G}\right){\prod }_{j=1}^n\widehat{e}\left(H_4\left({\mathfrak{r}}_j^{\otimes }{\mathfrak{k}}_j^{\otimes }\mathcal{G}\right)\mathcal{G},\mathcal{G}\right)}{\widehat{e}\left({\sum }_{j=1}^n{\daleth }_j{\mathfrak{k}}_j^{\otimes }{H}_2\left({\mathfrak{t}}_2^j,{‡}_j^{\otimes },{\mathfrak{k}}_j^{\otimes }\mathcal{G}\right){\mathbb{J}}^i,\mathcal{G}\right)}\hfill \\ \hfill & ={\prod }_{j=1}^n\widehat{e}\left(H_4\left({\mathfrak{r}}_j^{\otimes }{\mathfrak{k}}_j^{\otimes }\mathcal{G}\right)\mathcal{G},\mathcal{G}\right)\hfill \\ \hfill & ={\prod }_{j=1}^n{\mathrm{\Xi }}_j\hfill \end{array}$$

(4)

The batch authentication process involving n UAVs is performed in this way. Therefore, if the request message does not pass the validation process, the current authentication session is terminated. Otherwise, for the n UAVs, RSU computes ${‡}_j^{†}=h_2\left({‡}_j^{\otimes },H_4\left({\mathfrak{r}}_{\perp }^i{\mathbb{S}}_j\right)\right)$ and $Si{g}_j^{†}=H_3\left({\mathfrak{t}}_3^i,{‡}_{\perp }^i,{‡}_j^{†},{\mathrm{\Xi }}_j\right)$ and distributes the acknowledgment message ${〈{\mathfrak{t}}_3^i,{‡}_j^{†},Si{g}_j^{†}〉}_{j\in \left[1,n\right]}$, where ${\mathfrak{t}}_3^i$ denotes the latest timestamp.

Upon receiving the acknowledgement message, UAV first checks the freshness of ${\mathfrak{t}}_3^i$ and then validates the correctness of ${‡}_j^{†}$ and $Si{g}_j^{†}$ according to ${‡}_j^{†}=h_2\left({‡}_j^{\otimes },H_4\left({\mathfrak{r}}_{\perp }^i{\mathbb{S}}_j\right)\right)=h_2{\left({‡}_j^{\otimes },H_4\left({\mathfrak{r}}_j^{\otimes }{\mathbb{J}}^i\right)\right)}_{j\in \left[1,n\right]}$. Note that the current UAV identity is now updated as ${‡}_j^{†}$ to provide message unlinkability. At this point, mutual authentication among UAVs and RSU is provided, which adopts the certificateless cryptographic technique for key escrow avoidance. The partial secret keys of individual UAV are respectively generated by VC and UAV itself. Moreover, bilinear pairing is utilized, while the complicated pairing calculations are exempted in UAV sides. In our design, the shared session key $us{k}_j^{\otimes }$ for the individual UAV is independently constructed as $us{k}_j^{\otimes }=H_4\left({\mathrm{\Xi }}_j\right)$, which can be used for the following UAV group key distribution process.

4.2. Group Key Distribution

The group key involving all the n validated UAVs is distributed in each RSU domain so that the substantial UAV networks can be built. Initially, for $j\in \left[1,n\right]$, RSU computes ${\sigma }_j=\frac{1}{us{k}_j^{\otimes }}\left({\prod }_{i=1}^{n}us{k}_i^{\otimes }\right)$ and ${\mu }_j\equiv {\sigma }_j^{-1}modus{k}_j^{\otimes }$ satisfying ${\mu }_j{\sigma }_j=1modus{k}_j^{\otimes }$ for $\forall j\in \left[1,n\right]$. In the next, RSU chooses the distinctive UAV group key $g{k}^i\in {\mathbb{Z}}_q^{*}$ and extracts the keying value as ${\tau }^i=g{k}^i{\sum }_{j=1}^n\left({\mu }_j{\sigma }_j\right)$. At this point, the keying function can be constructed in the form of ${\aleph }^i\left(x\right)=g{k}^i{\sum }_{j=1}^n\left({\mu }_j{\sigma }_j\right)+{\prod }_{j=1}^n\left(x-us{k}_j^{\otimes }\right)$, which can be further transformed into ${\aleph }^i\left(x\right)={\sum }_{j=0}^n{\partial }_j{x}^j$. Notably, the corresponding coefficients set $\{{\partial }_0,\dots ,{\partial }_n\}$ is extracted. Therefore, $\forall \ell \in \left[1,n\right]$, ${\aleph }^i\left(us{k}_{\ell }^{\otimes }\right)=g{k}^i{\sum }_{j=1}^n\left({\mu }_j{\sigma }_j\right)+{\prod }_{j=1}^n\left(us{k}_{\ell }^{\otimes }-us{k}_j^{\otimes }\right)=g{k}^i{\sum }_{j=1}^n\left({\mu }_j{\sigma }_j\right)$ holds. Hence, the following computation is conducted as $Si{g}_{gk}^i=h\left({\mathfrak{t}}_{gk}^i,{‡}_{\perp }^i,{\partial }_0,\dots ,{\partial }_n,g{k}^i{\sum }_{j=1}^n\left({\mu }_j{\sigma }_j\right)\right)$, where $h\left(.\right)$ denotes the secure hash function. Accordingly, RSU broadcasts the keying packet as $〈{\mathfrak{t}}_{gk}^i,{‡}_{\perp }^i,{\left\{{\partial }_j\right\}}_{j\in \left[0,n\right]},Si{g}_{gk}^i〉$. Finally, all the n UAVs receive the keying packet and reconstruct the function ${\aleph }^i\left(x\right)$ so that the group key $g{k}^i$ can be correctly derived as $g{k}^i={\aleph }^i\left(us{k}_j^{\otimes }\right)modus{k}_j^{\otimes }$. In this way, the UAV group key is shared among all requesting n UAVs.

4.3. Remote Vehicular Verification

In this section, the V2V communication assumptions are presented at first. As shown in Figure 2, assuming at timepoint $t_1$, the vehicles $V_1$ and $V_2$ are in the range of original ${RSU}_1$, the instant V2V interactions between $V_1$ and $V_2$ can be achieved through multiple existing schemes so far [19,22,29]. At the current time $t_2$ ($t_2>t_1$), both $V_1$ and $V_2$ are now arriving at different RSU domains. At this moment, the $V_1\to V_2$ vehicular connection is required in the case for the subsequent message dissemination, which has not been properly addressed in the existing VANET schemes. Therefore, the remote vehicular verification is introduced in this section, followed by the remote V2V message dissemination in the next section.

Initially, assuming the vehicle with original identity ${‡}_V^j$ and that the partial secret key pair $〈{\mathfrak{k}}_j,{\mathfrak{r}}_j〉$ is approaching the communicating range of specific RSU, its temporary identity can be updated as ${‡}_j=h_3\left({‡}_V^j,{\mathfrak{r}}_j\mathcal{G}\right)$. Meanwhile, the vehicle extracts the encryption key pair $〈{\mathcal{G}}_i,{\hslash }_i〉$ from the published $〈{\mathfrak{t}}_N^i,{‡}_{\perp }^i,{\mathcal{G}}_i,{\hslash }_i,{\mathbb{J}}^i,{\mathbb{K}}^i,{\mathbb{R}}^i,Si{g}_{\perp }^i〉$. Following the same way as that of the RSU, the vehicle homomorphic encryption design with encryption key pair $〈{\mathcal{X}}_j,{\xi }_j〉$ and decryption key pair $〈{\mathcal{X}}_j,{\mathrm{\Gamma }}_j〉$ is constructed. Therefore, the vehicle calculates $Si{g}_V^j={\hslash }_i^{\left({\mathfrak{X}}_j\left|\right|{\mathcal{X}}_j,{\xi }_j\left|\right|{\mathfrak{F}}_j\right)}·{\mathfrak{r}}_j^{{\mathcal{G}}_i}mod{\mathcal{G}}_i^2$, with

$$\left\{\begin{array}{c}{\Im }_j={\mathfrak{r}}_j{\mathbb{R}}^i\hfill \\ {\mathfrak{X}}_j=H_2\left({\mathfrak{t}}_{\diamond }^j,{‡}_V^j,{\mathfrak{k}}_j{\mathfrak{r}}_j\mathcal{G}\right)\hfill \\ {\mathfrak{F}}_j=H_5\left({\mathfrak{t}}_{\diamond }^j,{‡}_j,{\mathbb{R}}^i,{\mathcal{X}}_j,{\xi }_j,{\mathfrak{X}}_j\right)\hfill \end{array}\right.,$$

(5)

and sends the requesting packet $〈\mathrm{Request},{\mathfrak{t}}_{\diamond }^j,{‡}_j,{\Im }_j,Si{g}_V^j〉$ to RSU for further verification.

Upon receipt of the packet, RSU decrypts the received $Si{g}_V^j$ using the the decryption key $〈{\mathcal{G}}_i,{\mathfrak{A}}_i〉$ and then extracts $〈{\mathfrak{X}}_j\left|\right|{\mathcal{X}}_j,{\xi }_j\left|\right|{\mathfrak{F}}_j〉$. If the values of ${\mathfrak{F}}_j$ and ${\mathfrak{X}}_j$ are validated, RSU stores the vehicle homomorphic encryption key pair $〈{\mathcal{X}}_j,{\xi }_j〉$. Moreover, the value ${\aleph }_j$ can be calculated as ${\aleph }_j={\left({\mathfrak{r}}_{\perp }^i{\mathfrak{s}}_{\perp }^i\right)}^{-1}{\Im }_j={\mathfrak{r}}_j\mathcal{G}$. At this point, RSU uploads $〈{\mathfrak{t}}_{\diamond }^j,{‡}_j,{\aleph }_j,{\mathfrak{X}}_j〉$ to VC for remote identification. Thereafter, VC computes ${ð}_j=h_3\left({‡}_V^j,{\mathfrak{k}}_j{\mathfrak{r}}_j\mathcal{G}\right)$ and replies to RSU with the acknowledgment $〈Ack,{‡}_j,{ð}_j〉$. Subsequently, RSU updates the vehicle identity as ${‡}_j^1=h_3\left({‡}_j,{\mathfrak{r}}_{\perp }^i{\mathfrak{s}}_{\perp }^i\mathcal{G}\right)$, where the RSU key pair $〈{\mathfrak{r}}_{\perp }^i,{\mathfrak{s}}_{\perp }^i〉$ is adopted. Note that, in our design, anonymous identity of the participating vehicle is safely updated as soon as a verification session is finished successfully. In this case, the message unlinkability for different communication sessions can be guaranteed. Untraceability of specific vehicle is provided as well.

With the aforementioned vehicle key pair $〈{\mathcal{X}}_j,{\xi }_j〉$ and its own ${\mathfrak{r}}_{\perp }^i$, RSU conducts the vehicle homomorphic encryption process and computes $Si{g}_{\perp }^j={\xi }_j^{{ð}_j}·{\left({\mathfrak{r}}_{\perp }^i\right)}^{{\mathcal{X}}_j}mod{\mathcal{X}}_j^2$ and ${\Phi }_j=h_1\left({\mathfrak{t}}_{\circ }^i,{‡}_j^1,Si{g}_{\perp }^j\right)$. Hence, RSU is able to broadcast the packet $〈{\mathfrak{t}}_{\circ }^i,{‡}_j^1,Si{g}_{\perp }^j,{\Phi }_j〉$ to the destined vehicle. Upon validation on the timestamp ${\mathfrak{t}}_{\circ }^i$, the vehicle is able to decrypt the received $Si{g}_{\perp }^j$ and successfully extract ${ð}_j$. Notably, ${\Phi }_j$ of the delivered packet is for integrity validation. Therefore, the vehicle extracts the final verification process as ${ð}_j\stackrel{?}{=}{h}_3\left({‡}_V^j,{\mathfrak{k}}_j{\mathfrak{r}}_j\mathcal{G}\right)$. At this point, the vehicle validation with the original RSU is completed. The session key established between VC and vehicle is generated as $s{k}_j=H_4\left({\mathfrak{k}}_j{\mathfrak{r}}_j\mathcal{G}\right)$, which can be used as the unique identifier between vehicle and VC. Meanwhile, the unique proof for each validated vehicle is issued as ${\mathfrak{P}}_{\left[j,1\right]}^{\prec }=Si{g}_{\perp }^j·{\xi }_j^{h_2\left({‡}_{\perp }^i,{\Im }_j\right)}·{\left({\mathfrak{r}}_i^{\perp }\right)}^{{\mathcal{X}}_j}mod{\mathcal{X}}_j^2$, where ${\mathfrak{r}}_i^{\perp }\in {\mathbb{Z}}_q^{*}$ (${\mathfrak{r}}_i^{\perp }\ne {\mathfrak{r}}_{\perp }^i$) is the newly generated pseudorandom for remote vehicle verification. Moreover, the relevant certificate is computed as $Si{g}_{\left[j,1\right]}^{\propto }=h_4\left({‡}_j^1,{\mathcal{X}}_j,{\xi }_j,{\mathfrak{P}}_{\left[j,1\right]}^{\prec }\right)$. In this case, the original RSU will deliver the packet $〈{‡}_j^1,{\mathcal{X}}_j,{\xi }_j,{\mathfrak{P}}_{\left[j,1\right]}^{\prec },Si{g}_{\left[j,1\right]}^{\propto }〉$ to all its neighboring RSUs via the edge networks. Upon receiving the packet, all its neighboring RSUs temporarily store it in their storage for possible further use. If not required in a certain time interval ${\mathsf{\Delta }}_{\propto }$, the packet will be abandoned.

In our assumption, the vehicle is on the path of ${RSU}_1\to {RSU}_n$. Hence, in the domain of ${RSU}_2$ with RSU parameter set $〈{\mathfrak{t}}_N^i,{‡}_{\perp }^i,{\mathcal{G}}_i,{\hslash }_i,{\mathbb{J}}^i,{\mathbb{K}}^i,{\mathbb{R}}^i,Si{g}_{\perp }^i〉$, the vehicle randomly generates ${\mathfrak{r}}_j^{\propto }\in {\mathbb{Z}}_q^{*}$ and computes

$$\left\{\begin{array}{c}{\mathfrak{P}}_{\left[j,1\right]}^{\succ }={\xi }_j^{\left({ð}_j-h_2\left({‡}_{\perp }^i,{\Im }_j\right)\right)}·{\left({\mathfrak{r}}_j^{\propto }\right)}^{{\mathcal{X}}_j}mod{\mathcal{X}}_j^2\hfill \\ {\mho }_{\left[j,1\right]}=h_5\left({\xi }_j^{2{ð}_j}·{\left({\mathfrak{r}}_j^{\propto }\right)}^{{\mathcal{X}}_j}mod{\mathcal{X}}_j^2\right)\hfill \end{array}\right.$$

(6)

Subsequently, the vehicle conducts the RSU encryption using the broadcast key $\{{\mathcal{G}}_2,{\hslash }_2\}$ of ${RSU}_2$ as

$$Si{g}_{\left[j,1\right]}^{⊠}={\hslash }_2^{\left({‡}_j^1,{\mathfrak{r}}_j^{\propto }\mathcal{G},{\mathfrak{P}}_{\left[j,1\right]}^{\succ },{\mho }_{\left[j,1\right]}\right)}·{\left({\mathfrak{r}}_j^{\propto }\right)}^{{\mathcal{G}}_2}mod{\mathcal{G}}_2^2,$$

(7)

which will be delivered to ${RSU}_2$ for fast verification.

Upon receiving $Si{g}_{\left[j,1\right]}^{⊠}$, ${RSU}_2$ is able to decrypt it and extract $〈{‡}_j^1,{\mathfrak{r}}_j^{\propto }\mathcal{G},{\mathfrak{P}}_{\left[j,1\right]}^{\succ },{\mho }_{\left[j,1\right]}〉$. Notably, ${RSU}_2$ has already received $〈{‡}_j^1,{\mathcal{X}}_j,{\xi }_j,{\mathfrak{P}}_{\left[j,1\right]}^{\prec },Si{g}_{\left[j,1\right]}^{\propto }〉$ from the original ${RSU}_1$. Therefore, the validation $h_5\left({\mathfrak{P}}_{\left[j,1\right]}^{\prec }·{\mathfrak{P}}_{\left[j,1\right]}^{\succ }\right)\stackrel{?}{=}{\mho }_{\left[j,1\right]}$ could be executed. The correctness can be elaborated as

$$\begin{array}{cc}\hfill & h_5\left({\mathfrak{P}}_{\left[j,1\right]}^{\prec }·{\mathfrak{P}}_{\left[j,1\right]}^{\succ }\right)\hfill \\ \hfill & =h_5\left(Si{g}_{\perp }^j·{\xi }_j^{h_3\left({‡}_{\perp }^i,{\Im }_j\right)}·{\left({\mathfrak{r}}_i^{\perp }\right)}^{{\mathcal{X}}_j}·{\xi }_j^{\left({ð}_j-h_3\left({‡}_{\perp }^i,{\Im }_j\right)\right)}·{\left({\mathfrak{r}}_j^{\propto }\right)}^{{\mathcal{X}}_j}mod{\mathcal{X}}_j^2\right)\hfill \\ \hfill & =h_5\left({\xi }_j^{{ð}_j}·{\left({\mathfrak{r}}_{\perp }^i\right)}^{{\mathcal{X}}_j}·{\xi }_j^{h_3\left({‡}_{\perp }^i,{\Im }_j\right)}·{\left({\mathfrak{r}}_i^{\perp }\right)}^{{\mathcal{X}}_j}·{\xi }_j^{\left({ð}_j-h_3\left({‡}_{\perp }^i,{\Im }_j\right)\right)}·{\left({\mathfrak{r}}_j^{\propto }\right)}^{{\mathcal{X}}_j}mod{\mathcal{X}}_j^2\right)\hfill \\ \hfill & =h_5\left({\xi }_j^{{ð}_j+{ð}_j-h_3\left({‡}_{\perp }^i,{\Im }_j\right)+h_3\left({‡}_{\perp }^i,{\Im }_j\right)}·{\left({\mathfrak{r}}_{\perp }^i·{\mathfrak{r}}_i^{\perp }·{\mathfrak{r}}_j^{\propto }\right)}^{{\mathcal{X}}_j}mod{\mathcal{X}}_j^2\right)\hfill \\ \hfill & =h_5\left({\xi }_j^{2{ð}_j}·{\left({\mathfrak{r}}_{\perp }^i·{\mathfrak{r}}_i^{\perp }·{\mathfrak{r}}_j^{\propto }\right)}^{{\mathcal{X}}_j}mod{\mathcal{X}}_j^2\right)\hfill \\ \hfill & =h_5\left({\xi }_j^{2{ð}_j}·{\left({\mathfrak{r}}_j^{\propto }\right)}^{{\mathcal{X}}_j}mod{\mathcal{X}}_j^2\right)\hfill \\ \hfill & ={\mho }_{\left[j,1\right]}\hfill \end{array}.$$

(8)

At this point, the current identity ${‡}_j^1$ and the previous received ${\mathfrak{P}}_{\left[j,1\right]}^{\prec }$ should be updated as ${‡}_j^2=h_3\left({‡}_j^1,{\mathfrak{r}}_j^{\propto }\mathcal{G}\right)$ and ${\mathfrak{P}}_{\left[j,2\right]}^{\prec }={\mathfrak{P}}_{\left[j,1\right]}^{\prec }{\mathfrak{P}}_{\left[j,1\right]}^{\succ }En{c}_{〈{\mathcal{X}}_j,{\xi }_j〉}^{{\mathfrak{r}}_i^{\perp }}\left[h_3\left({‡}_{\perp }^2,{\mathfrak{r}}_j^{\propto }{\mathbb{R}}^2\right)\right]$. In this case, ${RSU}_2$ computes the certificate information for final authentication on the vehicle side, which is encrypted with vehicle homomorphic encryption key pair $〈{\mathcal{X}}_j,{\xi }_j〉$ and the generated pseudorandom ${\mathfrak{r}}_i^{\perp }\in {\mathbb{Z}}_q^{*}$ as $Si{g}_2^{\mathrm{F}}=En{c}_{〈{\mathcal{X}}_j,{\xi }_j〉}^{{\mathfrak{r}}_i^{\perp }}\left[{\mathfrak{P}}_{\left[j,1\right]}^{\prec }{\mathfrak{P}}_{\left[j,1\right]}^{\succ }\left|\right|h_1\left({\mathfrak{t}}_{\propto }^2,{‡}_j^2,{\mathfrak{P}}_{\left[j,1\right]}^{\prec }{\mathfrak{P}}_{\left[j,1\right]}^{\succ }\right)\right]$, where ${\mathfrak{t}}_{\propto }^2$ is the current timestamp for authentication. The packet $〈{\mathfrak{t}}_{\propto }^2,{‡}_j^2,Si{g}_2^{\mathrm{F}}〉$ is then sent to the vehicle for mutual verification. Upon receiving $〈{\mathfrak{t}}_{\propto }^2,{‡}_j^2,Si{g}_2^{\mathrm{F}}〉$, the vehicle derives $〈{\mathfrak{P}}_{\left[j,1\right]}^{\prec }{\mathfrak{P}}_{\left[j,1\right]}^{\succ }\left|\right|h_1\left({\mathfrak{t}}_{\propto }^2,{‡}_j^2,{\mathfrak{P}}_{\left[j,1\right]}^{\prec }{\mathfrak{P}}_{\left[j,1\right]}^{\succ }\right)〉$ to confirm the identity of ${RSU}_2$.

4.4. V2V Message Dissemination

In the assumption, in further time $t_2$ of the n cross-domain verification sessions, $〈{‡}_j^n,{\mathcal{X}}_j,{\xi }_j,{\mathfrak{P}}_{\left[j,n\right]}^{\prec },Si{g}_{\left[j,n\right]}^{\propto }〉$ will be broadcast by ${RSU}_n$, where

$$\left\{\begin{array}{c}{‡}_j^n=h_3\left({‡}_j^{n-1},{\mathfrak{r}}_j^{\propto }\mathcal{G}\right)\hfill \\ {\mathfrak{P}}_{\left[j,n\right]}^{\prec }={\mathfrak{P}}_{\left[j,n-1\right]}^{\prec }{\mathfrak{P}}_{\left[j,n-1\right]}^{\succ }{\xi }_j^{h_2\left({‡}_{\perp }^n,{\mathfrak{r}}_j^{\propto }{\mathbb{R}}^n\right)}·{\left({\mathfrak{r}}_n^{\perp }\right)}^{{\mathcal{X}}_j}mod{\mathcal{X}}_j^2\hfill \end{array}\right..$$

(9)

Intuitively, the anonymous identity for each vehicle is updated in each session. The ${\mathfrak{P}}_{\left[j,k\right]}^{\prec }$ is also updated based on the previously validated proofs and the keys from the current ${RSU}_n$. As mentioned above, each RSU around the path safely preserves the identities, valid proofs, and the corresponding timestamps for all the passing-by legitimate vehicles. The remote long-distance V2V message dissemination method can be constructed accordingly.

Assuming a vehicle $V_1$ intends to conduct remote vehicular data exchange with the vehicle $V_2$ at time $t_2$, $V_1$ is in the range of ${RSU}_{\ll }$, $V_2$ is in the range of ${RSU}_{\gg }$. Notably, both $V_1$ and $V_2$ crossed the original ${RSU}_1$ previously and conducted V2V communication at $t_1$ ($t_2>t_1$). In this case, assuming the vehicle $V_2$ is with original identity ${‡}_V^2$ and the partial secret key pair $〈{\mathfrak{k}}_2,{\mathfrak{r}}_2〉$, the two historical temporary identities in the range of ${RSU}_1$ are ${‡}_2=h_3\left({‡}_V^2,{\mathfrak{r}}_2\mathcal{G}\right)$ and ${‡}_2^1=h_3\left({‡}_2,{\mathfrak{r}}_{\perp }^1{\mathfrak{s}}_{\perp }^1\mathcal{G}\right)$. The vehicle $V_1$ is able to retrieve the $〈{‡}_2,{‡}_2^1〉$ from its historical transmission record. In this case, the current ${RSU}_{\ll }$ broadcast $〈{\mathfrak{t}}_N^{\ll },{‡}_{\perp }^{\ll },{\mathcal{G}}_{\ll },{\hslash }_{\ll },{\mathbb{J}}^{\ll },{\mathbb{K}}^{\ll },{\mathbb{R}}^{\ll },Si{g}_{\perp }^{\ll }〉$ to all. In the meantime, the current identity of vehicle $V_1$ is ${‡}_1^{\ll }=h_3\left({‡}_1^{\ll -1},{\mathfrak{r}}_1^{\propto }\mathcal{G}\right)$. The vehicle generates the packet to be delivered as $〈{\mathfrak{t}}_1^{\nabla }\left|\right|{‡}_1^{\ll }\left|\right|{\mathcal{P}}_1^{\ll }\left|\right|h_1({\mathfrak{t}}_1^{\nabla },{‡}_1^{\ll },{\mathcal{P}}_1^{\ll })〉$, where ${\mathcal{P}}_1^{\ll }={\hslash }_{\ll }^{{\mathfrak{t}}_1^{\nabla }\left|\right|{‡}_1^{\ll }\left|\right|s{k}_1\left|\right|\mathcal{M}\left|\right|{‡}_2\left|\right|{\mathfrak{t}}_2^{\mathsf{\Delta }}}·{\mathfrak{r}}_1^{{\mathcal{G}}_{\ll }}mod{\mathcal{G}}_{\ll }^2$. Respectively, ${\mathfrak{t}}_1^{\nabla }$ and ${\mathfrak{t}}_2^{\mathsf{\Delta }}$ denote the current timestamp generated on vehicle $V_1$, and the previous timestamp associated with time $t_1$. ${‡}_2$ refers to the temporary identity previous used by the destined vehicle $V_2$ at $t_1$. The identifier $s{k}_1$ is adopted for distinction on ${RSU}_{\ll }$. $\mathcal{M}$ refers to the confidential data intended to be sent.

The current ${RSU}_{\ll }$ then decrypts the packet and derives ${\mathcal{P}}_1^{\ll }$ after validation on ${\mathfrak{t}}_1^{\nabla }$ and $h_3({\mathfrak{t}}_1^{\nabla },{‡}_1^{\ll },{\mathcal{P}}_1^{\ll })$. Notably, the vehicle $V_1$ has already passed the cross-domain validation process conducted by ${RSU}_{\ll }$. Therefore, the corresponding identity ${‡}_1^{\ll -1}=h_3\left({‡}_1^{\ll -2},{\mathfrak{r}}_1^{\propto }\mathcal{G}\right)$ acquired from ${RSU}_{\ll -1}$ is also stored in ${RSU}_{\ll }$ side. The packet is then forwarded to the previous RSUs following the sequence of $〈{RSU}_{\ll },{RSU}_{\ll -1},\dots ,{RSU}_1〉$. Each RSU in the sequence holds the record of vehicle $V_1$ on $〈{‡}_1^i,{‡}_1^{i-1}〉$ ($i\in [1,\ll ]$). The remote V2V packet can then be delivered to the original ${RSU}_1$. Subsequently, ${RSU}_1$ extracts the $〈{‡}_2,{‡}_2^1〉$ record of $V_2$ and continues broadcasting the packet to neighboring RSUs. Each RSU holds the record of vehicle $V_2$ on $〈{‡}_2^i,{‡}_2^{i-1}〉$ ($i\in [1,\gg ]$). Finally, the message $\mathcal{M}$ can be delivered to $V_2$ by ${RSU}_{\gg }$. The remote V2V message dissemination process is completed.

5. Security Analysis

In this section, the crucial security properties described in the previous Section 3.8 are analyzed in order to demonstrate the proposed scheme is provably secure. Moreover, the security comparisons on the major characteristics with the state-of-the-art are shown.

5.1. Security Discussions

Definition 4

(Forking Lemma [30]). Define $\mathcal{A}$ as the probabilistic polynomial-time Turing machine with only the public data as input. With non-negligible probability, $\mathcal{A}$ can generate, a valid signature $(m,{\delta }_1,{\delta }_2,h)$ within a certain time bound $\mathbb{T}$, where the tuple $({\delta }_1,{\delta }_2,h)$ is simulated without accessing the secrets. In this case, with an indistinguishable distribution probability, there is another machine that has control over the machine obtained from $\mathcal{A}$ replacing interaction with the signer by simulation and produces two valid signatures $(m,{\delta }_1,{\delta }_2,h)$ and $(m,{\delta }_1,{\delta }_2^{\prime },h^{\prime })$ ($h\ne h^{\prime }$).

Theorem 1.

The proposed scheme is provably unforgeable towards CMA if the CDHP is intractable.

Proof of Theorem 1.

Initially, let ${\mathcal{A}}_1$ be a probabilistic polynomial time (PPT) adversary who could violate the proposed authentication scheme with a non-negligible advantage. The challenger ${\mathcal{C}}_1$ is constructed to solve the CDHP with a non-negligible advantage. According to Definition 4, within a polynomial time, adversary ${\mathcal{A}}_1$ obtains two validated signatures $〈{‡}_j^{\otimes },{\daleth }_j,{\beth }_j,{\mathrm{\Xi }}_j,{\mathfrak{Z}}_j〉$ and $〈{‡}_j^{\otimes },{\daleth }_i,{\beth }_i^{*},{\mathrm{\Xi }}_i,{\mathfrak{Z}}_i^{*}〉$ after querying ${\mathcal{C}}_1$, where both tuples can pass the validation process. Let $H_2=H_2\left({\mathfrak{t}}_2^j,{‡}_j^{\otimes },{\mathfrak{k}}_j^{\otimes }\mathcal{G}\right)$ so that ${\mathfrak{Z}}_j=\widehat{e}\left({\mathfrak{k}}_j^{\otimes }{H}_2\mathcal{G},\mathcal{G}\right)$. That is,

$$\begin{array}{cc}\hfill & {\prod }_{j=1}^n\left(\widehat{e}({\beth }_j^{*}-{\beth }_j),\mathcal{G}\right)\hfill \\ \hfill & ={\prod }_{j=1}^n\widehat{e}\left({\daleth }_j{\mathfrak{r}}_{\perp }^i{\mathfrak{k}}_j^{\otimes }(H_2^{*}-H_2)\mathcal{G},\mathcal{G}\right)\hfill \\ \hfill & ={\prod }_{j=1}^n\widehat{e}\left({\daleth }_j{\mathfrak{k}}_j^{\otimes }(H_2^{*}-H_2){\mathbb{J}}^i,\mathcal{G}\right)\hfill \end{array}.$$

(10)

Hence, assume ${\mathbb{J}}^i=a\mathcal{G}$ and ${\daleth }_j{\mathfrak{k}}_j^{\otimes }=b\mathcal{G}$ for $a,b\in {\mathbb{Z}}_q^{*}$ so that $({\beth }_j^{*}-{\beth }_j)={\daleth }_j{\mathfrak{r}}_{\perp }^i{\mathfrak{k}}_j^{\otimes }(H_2^{*}-H_2)\mathcal{G}={\daleth }_j{\mathfrak{k}}_j^{\otimes }(H_2^{*}-H_2){\mathbb{J}}^i.$ Finally, with $H_2\ne H_2^{*}$ and ${\beth }_i\ne {\beth }_i^{*}$, ${\mathcal{C}}_1$ derives $ab\mathcal{G}={\daleth }_j{\mathfrak{k}}_j^{\otimes }{\mathbb{J}}^i=({\beth }_j^{*}-{\beth }_j){(H_2^{*}-H_2)}^{-1}$ and outputs $ab\mathcal{G}$ as the solution to the given CDHP instance, which contradicts with the hardness of the CDHP. □

Theorem 2.

Dynamic identity updating mechanism is provided upon each successful verification so that unlinkability for the specific vehicle is guaranteed.

Proof of Theorem 2.

Assuming the vehicle has passed through $n-1$ validating sessions by previous RSUs and follows the route ${RSU}_{n-1}\to {RSU}_n$. The current ${RSU}_{n-1}$ receives $〈{‡}_j^{n-2},{\mathcal{X}}_j,{\xi }_j,{\mathfrak{P}}_{\left[j,n-2\right]}^{\prec },Si{g}_{\left[j,n-2\right]}^{\propto }〉$ from its previous ${RSU}_{n-2}$. Upon validation by ${RSU}_{n-1}$, $〈{‡}_j^{n-1},{\mathcal{X}}_j,{\xi }_j,{\mathfrak{P}}_{\left[j,n-1\right]}^{\prec },Si{g}_{\left[j,n-1\right]}^{\propto }〉$ is delivered to ${RSU}_n$. That is, the vehicle identity has been dynamically updated in different RSU domains as $\{{‡}_j^1,\cdots ,{‡}_j^n\}$, where ${‡}_j^n=h_2\left({‡}_j^{n-1},{\mathfrak{r}}_j^{\propto }\mathcal{G}\right)$. The relevant signatures are updated in the form of ${\mathfrak{P}}_{\left[j,n\right]}^{\prec }={\mathfrak{P}}_{\left[j,n-1\right]}^{\prec }{\mathfrak{P}}_{\left[j,n-1\right]}^{\succ }{\xi }_j^{h_2\left({‡}_{\perp }^n,{\mathfrak{r}}_j^{\propto }{\mathbb{R}}^n\right)}·{\left({\mathfrak{r}}_n^{\perp }\right)}^{{\mathcal{X}}_j}mod{\mathcal{X}}_j^2$. Hence, anonymous communication is enabled during all the communication sessions. Notably, each RSU only keeps the two successive vehicle identity as ${‡}_j^{n-1}\to {‡}_j^n$, while the historical and future identities are organized by the randomly issued ${\mathfrak{r}}_j^{\propto }\in {\mathbb{Z}}_q^{*}$ of each RSU domain. That is, without the assistance of VC, tracing towards an individual vehicle requires the collusion of all the RSUs on the path. Therefore, message linkability for vehicles across various domains can be provided. Moreover, the adopted session key $s{k}_j=H_4\left({\mathfrak{k}}_j{\mathfrak{r}}_j\mathcal{G}\right)$ is shared among VC and vehicle, while keeping a secret from each RSU. Overall, impersonate attacks from the compromised RSUs can not be achieved. □

Theorem 3.

The proposed scheme is resistant to replay attack during the entire process. The transmitted messages from past sessions cannot pass the current validation.

Proof of Theorem 3.

During each communication session, data integrity and confidentiality are effectively preserved by the attached timestamps and hashed signatures. Therefore, the delivered packets are mapped to accurate timestamps. Modification or reusing on the previously acquired messages results in failure of the verification process on the receiver side. In device registration, mutual authentication, and cross-domain authentication phases, the fresh timestamps set $\left\{{\mathfrak{t}}_1^i,{\mathfrak{t}}_2^i,{\mathfrak{t}}_3^j,{\mathfrak{t}}_4^i,{\mathfrak{t}}_{\propto }^i\right\}$ are used in each communication round. Meanwhile, the signatures involving all transmitted elements are presented. For example, in the mutual authentication phase, the vehicle sends the requesting packet $〈\mathrm{Request},{\mathfrak{t}}_{\diamond }^j,{‡}_j,{\Im }_j,Si{g}_V^j〉$ to RSU for verification, where the signature $Si{g}_V^j={\hslash }_i^{\left({\mathfrak{X}}_j\left|\right|{\mathcal{X}}_j,{\xi }_j\left|\right|{\mathfrak{F}}_j\right)}·{\mathfrak{r}}_j^{{\mathcal{G}}_i}mod{\mathcal{G}}_i^2$ is calculated with $〈{\mathfrak{X}}_j,{\mathfrak{F}}_j〉$. Note that both ${\mathrm{\Xi }}_j$ and ${\mathfrak{Z}}_j$ are attached to the current timestamp ${\mathfrak{t}}_{\diamond }^j$. Assuming that, in specific duration, $\left[{\mathbb{T}}_1,{\mathbb{T}}_2\right]$, adversary ${\mathcal{A}}_1$ has obtained x transmitted requesting packet ${〈\mathrm{Request},{\mathfrak{t}}_{\diamond }^{⋊},{‡}_{⋊},{\Im }_{⋊},Si{g}_V^{⋊}〉}_{⋊\in [1,x]}$ from $\{{‡}_1,\cdots ,{‡}_x\}$. ${\mathcal{A}}_1$ acquires ${\mathfrak{t}}_{\mathcal{A}}$ and calculates $Si{g}_V^{\mathcal{A}}={\hslash }_{\mathcal{A}}^{\left({\mathfrak{X}}_{\mathcal{A}}\left|\right|{\mathcal{X}}_{\mathcal{A}},{\xi }_{\mathcal{A}}\left|\right|{\mathfrak{F}}_{\mathcal{A}}\right)}·{\mathfrak{r}}_{\mathcal{A}}^{{\mathcal{G}}_i}mod{\mathcal{G}}_i^2$. Intuitively, $\forall ⋊\in \left[1,x\right]$, and the probability for $Si{g}_V^{\mathcal{A}}=Si{g}_V^{⋊}$ to pass the verification is $\frac{1}{2^d}$, where d denotes the length of $Si{g}_V^{\mathcal{A}}$. Hence, our design is resistant to replay attack. □

Theorem 4.

Conditional identity privacy-preserving for both UAVs and RSUs is provided. Anonymity for specific vehicle and UAV is achieved, while the real identity of malicious entities can be revealed if necessary.

Proof of Theorem 4.

As described, the original identity ${‡}_T^i\in {\{0,1\}}^{*}$ for validated RSU is kept confidential all the time. Instead, the corresponding session identity is computed as ${‡}_{\perp }^i=h_1\left({\mathfrak{t}}_1^i,{‡}_T^i,{\mathfrak{r}}_{\perp }^i{\mathfrak{s}}_{\perp }^i\right)$, which includes the randomly generated ${\mathfrak{r}}_{\perp }^i\in {\mathbb{Z}}_q^{*}$ and time-oriented ${\mathfrak{t}}_1^i$. The RSU session identity varies in each authentication session. Anonymity and message unlinkability in different communication sessions can be provided accordingly. The temporary UAV identity ${‡}_j^{\otimes }=H_2\left({‡}_U^j,{\mathfrak{k}}_j^{\otimes },{\mathfrak{r}}_j^{\otimes }\mathcal{G}\right)$ is applied as well, which is only valid within a certain time period and will expire in the future. Note that the distinctive identity ${‡}_T^i\in {\{0,1\}}^{*}$ and ${‡}_U^j\in {\{0,1\}}^{*}$ remain hidden all the time. Meanwhile, VC stores crucial keying secrets in the remote server. Hence, identity in each session can be further extracted if needed, which offers conditional identity privacy-preserving property for UAVs. As for vehicles, the anonymous identity for initialization is computed as ${‡}_j=h_3\left({‡}_V^j,{\mathfrak{r}}_j\mathcal{G}\right)$. Therefore, vehicle anonymity is provided. With the assistance of RSU edge cluster, VC is able to reveal the original identity according to the stored driving path ${RSU}_1\to {RSU}_n$. Overall, conditional identity privacy-preserving is enabled in this way. □

5.2. Security Comparison

In this section, the proposed scheme is briefly compared with the existing VANET designs in terms of the crucial security characteristics. The comparison results are shown in

Table 2. Comparison results on security properties.

Scheme	PPDAS [19]	HABHM [31]	BPAS [32]	The Proposed Scheme
Unforgeability	◯	◯	◯	◯
Conditional Anonymity	◯	◯	×	◯
Session Key Establishment	◯	◯	◯	◯
Key Escrow Resilience	◯	◯	◯	◯
Scalability	×	×	×	◯
Efficient Key Updating	◯	◯	◯	◯
V2V Connectivity	×	×	×	◯
Collusion Attack Resilience	×	◯	◯	◯
Unlinkability	◯	◯	×	◯

, where the state-of-the-art VANETs authenticated key management schemes PPDAS [19], HABHM [31], and BPAS [32] are discussed. The proposed design is able to meet the desired security requirements.

6. Performance Analysis

In this section, the performance on the proposed VANET scheme is analyzed. The evaluation on major properties including storage overhead and computation cost is respectively presented for resource-constrained VANETs. The existing schemes PPDAS [19], HABHM [31], and BPAS [32] are evaluated as well.

6.1. Storage Overhead

In the proposed design, the RSU performs as the decentralized edge center for both UAV association and V2V remote data exchange, where the confidential keying information is aggregated and stored. Notably, the design for V2V authenticated key management is discussed in this section in order to compare with other existing schemes, while the storage for UAV association is not included. Meanwhile, the remote VC is able to conduct complicated tasks with sufficient computing ability. Therefore, this section emphasizes RSU storage overheard during the vehicle authentication session. The advantages of our scheme on storage overheard can be illustrated from the comparison results in Figure 3.

6.2. Computation Cost

In this section, the computation cost of the proposed design is analyzed. The time consumption for authentication on the RSU side is discussed in terms of the number of participating vehicles. The comparison result with the existing PPDAS [19], HABHM [31], and BPAS [32] are shown in Figure 4. Intuitively, with the batch authentication feature of our scheme, less time consumption is required for the mutual authenticating execution, proving the performance advantages of our design.

7. Conclusions

As the essential functionality of VANET, the spontaneous vehicle-to-vehicle (V2V) message dissemination plays a significant role for instant and real-time data sharing for vehicles within a certain vicinity. Firstly, the remote V2V message delivery intended for long-distance vehicles in the range of different RSUs has not been properly researched. Secondly, both V2V and communication are highly restricted by environmental factors. In this paper, the unmanned aerial vehicles is adopted as the auxiliary facilities for improving the VANET connectivity. The certificateless mutual authentication process for UAV association is developed. The partial secret key is utilized by the central server and UAV itself. Upon verification, the corresponding UAV group key can be generated and safely distributed to the requesting UAVs. The efficient key updating method for all the involved UAVs is achieved. Notably, the dynamic UAV revocation is enabled, while the updated group key is timely acquired by the remaining legitimate UAVs. Meanwhile, the remote V2V message dissemination method is presented, which deploys the decentralized edge RSUs. Particularly, the proposed design is conducted without remote cloud assistance. With the pre-stored driving records collected from the CDA process, the disseminated vehicular message can be forwarded through the edge RSUs and finally transmitted to the destination vehicle. Afterwards, the analysis regarding crucial security properties is presented accordingly, followed by the performance evaluation on storage and time consumption for the authentication process. The comparison results shows that the proposed scheme is able to satisfy the major security and performance requirements. The future works include the further optimization on storage cost and the real VANET implementation of the proposed scheme.