A Seamless Authentication Scheme for Edge-Assisted Internet of Vehicles Environments Using Chaotic Maps

Abstract

Internet of Vehicles (IoV) is a concept that combines IoT and vehicular ad hoc networks. In IoV environments, vehicles constantly move and communicate with other roadside units (edge servers). Due to the vehicles’ insufficient computing power, repetitive authentication procedures can be burdensome for automobiles. In recent years, numerous authentication protocols for IoV environments have been proposed. However, there is no study that considers both re-authentication and handover authentication situations, which are essential for seamless communication in vehicular networks. In this study, we propose a chaotic map-based seamless authentication scheme for edge-assisted IoV environments. We propose authentication protocols for initial, handover, and re-authentication situations and analyze the security of our scheme using informal methods, the real-or-random (RoR) model, and the Scyther tool. We also compare the proposed scheme with existing schemes and show that our scheme has superior performance and provides more security features. To our knowledge, This paper is the first attempt to design an authentication scheme considering both handover and re-authentication in the IoV environment.

1. Introduction

Internet of Vehicles (IoV) is a new paradigm that applies Internet of Things (IoT) to vehicular networks [1,2]. IoV can be combined with cloud computing and edge computing to reduce the computational burden on network entities. IoV is considered a key technology to realize high-definition mapping, autonomous driving, and other convenient services. In IoV environments, vehicle-to-infrastructure (V2I), vehicle-to-person (V2P), and vehicle-to-vehicle (V2V) interactions occur continuously to provide services to drivers. Among these interactions, V2I is the most important and fundamental communication because edge nodes maintain a connection with mobile vehicles and transmit necessary information in real-time.

However, various security attacks can occur in V2I communications. When an adversary is in the network, the adversary can masquerade as a legitimate vehicle or edge node and try to transmit false information to the other party [3,4,5]. Furthermore, an adversary can capture messages transmitted over a wireless channel and try to track the location of a particular vehicle, which can be an invasion of privacy. To prevent these potential threats, designing a mutual authentication protocol for V2I communication is essential to provide reliable autonomous driving services.

In recent years, many authentication schemes have been proposed for secure and efficient communications in edge-assisted IoV networks [6,7,8,9]. Vehicles have much higher mobility than general IoT devices, and handover situations in other regions occur frequently. Moreover, a vehicle is often parked or stopped, and it should re-authenticate with the same edge server (ES) again. If a vehicle repeats the authentication process again, it is inefficient and generates unnecessary computational costs on the ES. Many existing authentication schemes take into account handover, yet they do not handle re-authentication. We are confident that if we can design an authentication protocol by considering the re-authentication situation, the network efficiency would considerably improve. Furthermore, most existing schemes utilize an elliptic curve cryptosystem (ECC), which generates intensive computational costs. Since vehicles perform numerous authentications, the computational costs incurred in authentication needs to be minimized. In this paper, we propose a chaotic map-based seamless authentication scheme for edge-assisted IoV considering both handover and re-authentication situations. The main contributions of this paper are as follows:

• We propose a chaotic map-based [10] initial authentication scheme for V2I communications. The Chebyshev chaotic map has a lower computational cost than elliptic curve-based authentication. Thus, it can ensure efficient authentication for IoV environments.
• We propose re-authentication and handover authentication schemes to ensure seamless communication in IoV environments. After the initial authentication, the ES stores the pseudo identity of the authenticated vehicle and sets the expiration time. It can lead to authenticating the vehicle quickly during the re-authentication process. In a handover situation, the ES transmits information about the vehicle in advance to the other ES and enables the performance of a quick handover authentication.
• We analyzed the security of our scheme using the Scyther tool and RoR model to show that our scheme can guarantee mutual authentication and session key security. We also compared the proposed scheme with previous schemes in terms of computational costs, communication cost, and security features. We show that the proposed scheme has better security and has lower computational cost than other schemes.

Paper Organization

In Section 2, we introduce the previous research studies and describe their strengths and limitations. In Section 3, we explain the preliminaries of our scheme. In Section 4, we demonstrate the proposed mutual authentication protocols for various situations. In Section 5, we prove the security of our scheme using informal and formal methods. In Section 6, we provide the performance comparison result of the proposed scheme and related schemes. Finally, we provide the conclusions of this paper in Section 7.

2. Related Work

We introduce state-of-the-art authentication schemes proposed in IoV environments.

Wang et al. [11] proposed a V2I initial authentication and handover authentication schemes based on bilinear pairing. Their scheme succeeded in significantly lightening the computational load of handover authentication compared to the load of initial authentication. However, in both authentication situations, vehicles should perform bilinear pairing opearations, which require considerable computational cost.

Bojjagani et al. [12] proposed a secure authentication protocol for fog-based IoV networks. Their scheme considers various situations, including V2V, V2I, and V2R, and proposes an authentication protocol for each scenario. They also analyzed their scheme using the RoR model, Scyther, and Tamarin tools. However, their scheme utilized the elliptic curve cryptosystem (ECC), which requires high computational cost, and they did not consider repeated authentication situations.

Shen et al. [13] proposed a blockchain-assisted authentication scheme for edge computing-based IoV environments. In their scheme, the vehicle’s information is stored in the blockchain after a vehicle is authenticated to an edge node. Then, when the vehicle moves to the region of another edge node, the edge node can authenticate the vehicle quickly by querying the blockchain. However, blockchain can burden the edge server because it has to perform a high degree of computing in addition to vehicle authentication.

Wang et al. [14] proposed an authentication protocol using a chaotic map for electric vehicle charging systems. In their scheme, an electric vehicle authenticates to an aggregator to be provided charging services. They utilized chaotic map for fast authentication. However, there is a vulnerability in that the aggregator authenticates without knowing the pseudo identity of the vehicle; additionally, their scheme struggles to ensure mutual authentication.

Xi et al. [15] proposed a zero-knowledge proof (ZKP)-based anonymous authentication scheme for IoV environments considering fast reconnect situations. In their scheme, a vehicle can authenticate to an authentication server anonymously, and therefore, it can guarantee the privacy of the vehicle. Furthermore, they considered a fast reconnection phase, allowing for seamless communication in IoV environments. However, they used ECC encryption and decryption during the reconnection, and their scheme suffers from high computational cost.

Yang et al. [16] proposed a novel initial authentication and subsequent authentication schemes for IoV. They designed an initial authentication scheme using ECC and designed the subsequent authentication efficiently based on the initial authentication. However, they utilized ECC operations in a subsequent authentication phase, and it did not show a significant advantage in relation to computational costs compared to the initial authentication.

Dwivedi et al. [17] proposed a blockchain-assisted V2I handover scheme. They proposed a novel VANET system model using two blockchains. In their scheme, vehicle location information is stored in the auxiliary blockchain, and an RSU that keeps the auxiliary blockchain can authenticate the vehicle promptly. When a vehicle moves to the other region, the V2I authentication process requires more computational load. However, this approach is not suitable for the VANET environment because vehicles generally have high mobility.

Wang et al. [18] proposed physically unclonable function (PUF)-based authentication and a key agreement scheme for vehicular networks. They utilized various cryptosystems, including ECC, exclusive-OR, PUF, and hash operation, to guarantee privacy of vehicles. However, they did not consider handover and re-authentication situations, and their method could result in network inefficiency.

Rani and Tripathi [19] proposed a blockchain-based authentication scheme for VANET. They utilized consortium blockchain and ECC for secure V2I communication. They integrated a two-level blockchain storage method for reducing the computational cost. Therefore, their scheme prevents re-registration and re-authentication of vehicles in VANET. However, in their scheme, it is inevitable that additional costs arise due to the use of blockchain.

The contributions and limitations of cutting-edge schemes are summarized in Table 1. Overall, the existing schemes have limitations when applied to real IoV environments. In this paper, we propose a secure and seamless authentication protocol compared with existing schemes.

Table 1. Strengths and limitations of the existing schemes.

Ref.	Year	Technique	Strengths	Limitations
Wang et al. [11]	2021	ECC, bilinear pairing	Consider both initial and handover authentications	High computational cost because of using bilinear pairing
Bojjagani et al. [12]	2022	ECC	Consider various situations including V2V, V2I, and V2R	Lack of considerations about repeated authentications, high computational cost because of using ECC
Shen et al. [13]	2022	ECC, blockchain	Store vehicle’s identity on blockchain for handover situation	High storage cost because of using blockchain
Wang et al. [14]	2022	Chaotic map	Design fast and efficient authentication and re-authentication protocols	Do not consider repeated authentications; RSU cannot retrieve vehicle’s pseudo identity
Xi et al. [15]	2022	ECC, ZKP	Propose a ZKP-based authentication scheme considering a fast reconnection	High computational cost because of using ECC
Yang et al. [16]	2023	ECC	Consider subsequent authentication situations for IoV	High computational cost beacuse of using ECC
Dwivedi et al. [17]	2023	ECC, blockchain	Design blockchain-based IoV system model and propose various authentication schemes	Generate computational load when a vehicle moves to the other region
Wang et al. [18]	2024	ECC, PUF	Utilize various cryptosystems to guarantee privacy of vehicles	Do not consider handover and re-authentication situations
Rani and Tripathi [19]	2024	ECC, blockchain	Integrate a blockchain storage for reducing the computational cost in re-authentication	Additional costs arise due to the use of blockchain

3. Preliminary

We introduce the preliminaries of the proposed scheme.

3.1. Chaotic Map

We describe the basic definition of Chebyshev chaotic map and its hardness assumptions [10].

3.1.1. Definition

For a degree n and $x\in [-1,1]$, Chebyshev polynomial $T_n\left(x\right):[-1,1]\to [-1,1]$ can be defined as the following equation:

$$T_n\left(x\right)=\left\{\begin{array}{ll}{T}_0\left(x\right)=1\hfill & (n=0)\\ T_1\left(x\right)=x\hfill & (n=1)\\ T_n\left(x\right)=2x{T}_{n-1}\left(x\right)-T_{n-2}\left(x\right)\hfill & (n \le 2)\end{array}\right.$$

(1)

Then, Chebyshev polynomial defined in $x\in (-\infty ,+\infty )$ can satisfy the semigroup properties for $n\ge 2$, a large prime number p, and large numbers a and b as follows:

$$\begin{array}{c}\hfill T_n\left(x\right)\equiv (2x{T}_{n-1}\left(x\right)-T_{n-2}\left(x\right))modp,\end{array}$$

(2)

$$\begin{array}{c}\hfill T_{ab}\left(x\right)=T_a\left(T_b\left(x\right)\right)=T_b\left(T_a\left(x\right)\right)modp.\end{array}$$

(3)

3.1.2. Hardness Assumptions

Based on Equation (2), the following three hardness assumptions hold for $x\in (-\infty ,+\infty )$ and a large prime p due to the Chebyshev polynomial: “Extended chaotic map-based discrete logarithm problem (CMDL)”, “extended chaotic map-based computational Diffie–Hellman problem (ECMCDH)”, and “extended chaotic map-based decisional Diffie–Hellman problem (ECMDDH)”. They are defined as follows:

1.

ECMDL problem: When a big integer $y\ge p$ is given, there is no efficient algorithm to find s which satisfies $(T_s\left(x\right)$$mod$ $p)$ ≡ y in polynomial time.

2.

ECMCDH problem: When $T_y\left(x\right)$$mod$ p and $T_z\left(x\right)$$mod$ p for big integers y and z are given, there is no efficient algorithm to calculate $T_{yz}\left(x\right)$$mod$ p in polynomial time.

3.

ECMDDH problem: When $T_y\left(x\right)$$mod$ p, $T_z\left(x\right)$$mod$ p, and $T_r\left(x\right)$$mod$ for big integers y, z, and r are given, it is hard to determine whether $T_{yz}\left(x\right)\stackrel{?}{=}{T}_r\left(x\right)$.

3.2. Threat Model

We adopt both Dolev–Yao (DY) [20] and Canetti–Krawczyk (CK) [21] adversary models to analyze the proposed scheme. The adversary has the following capabilities [22,23]:

• The adversary has complete control over the wireless communication channels, and can eavesdrop, modify, and delete the messages transmitted in wireless channels.
• The adversary can act as a middleman between communication entities, performing replay attacks and man-in-the-middle attacks.
• The adversary can try to trace an identity or location of a vehicle using obtained messages from wireless channels.
• The adversary can obtain long-term or short-term keys of the network and try to reveal the session key.

In the informal analysis section, we demonstrate the security of the proposed scheme based on the adversary’s capabilities.

3.3. Design Goal

We designed the proposed scheme to meet the following security goals.

1.

Mutual authentication: A vehicle and an edge server must verify each other’s legitimacy before agreeing to a session key. The communication should be rejected if the other party cannot be authenticated during the authentication phase.

2.

Vehicle privacy: A vehicle’s identity, location, and transmitted data must be hidden in wireless channels. If traceable messages are continuously sent from a vehicle, an adversary may be able to guess the vehicle’s location or personal information.

3.

Perfect forward secrecy: Even if the network is compromised and long-term keys are leaked, previously agreed-upon session keys must not be calculated. This includes session keys in all situations of initial authentication, handover authentication, and re-authentication.

4.

Resistance to ephemeral secret leakage attack: Even if random numbers generated in a session are leaked to an adversary, the adversary cannot calculate the session key.

5.

Seamless authentication: Considering the characteristics of IoV environments, it is necessary to lower the computational cost in repeated authentication situations. Furthermore, security must be guaranteed during the re-authentication and handover authentication processes.

3.4. System Model

There are three entities in the proposed model: the cloud server (CS), edge server (ES), and vehicle. Figure 1 shows the system model.

Figure 1. The edge-assisted IoV network model.

• CS: CS is a fully trusted entity that initializes the network, distributes secret keys for edge servers, and registers vehicles.
• ES: ESs communicate with vehicles in real-time and provide services. The transmitted data between an ES and a vehicle may contain sensitive and private data of the vehicle, and the transmission should be carried out after being mutually authenticated. In addition, when vehicles’ handover or re-authentication occurs, ESs should be able to verify vehicles quickly to ensure real-time communication.
• Vehicle: A vehicle with a user registers with CS and participates in the network. Vehicles initially authenticate with a nearby ES, and perform re-authentication and handover authentication with ESs frequently. An adversary may attempt to masquerade as a legitimate vehicle and steal private information.

4. Proposed Scheme

We demonstrate the proposed authentication schemes for IoV environments. The proposed scheme includes system initialization, registration, login and initial authentication, re-authentication, and handover authentication phase. Before providing detailed descriptions for each phase, notations and their meanings are summarized in Table 2, and the flowchart of the proposed scheme is presented in Figure 2.

Table 2. Notations and meanings.

Notation	Meaning
$V_i$	i-th vehicle
$E{S}_j$	j-th edge server
s	secret key of $CS$
$T_k$ (k = 1, 2, …)	timestamps
$E{T}_i$	expiration time of $V_i$
$RI{D}_i$	pseudo identity of $V_i$
$SI{D}_i$	secret identity of $V_i$
$Aut{h}_i$	$V_i$ authentication value for login
$r_i,r_j,r_{CS}$	random nonce
$h(.)$	one-way hash function
$H_i,H_j,H_{CS}$	message digest
$M_i,M_j,M_{CS}$	message from $V_i$, $E{S}_j$, and $CS$
$AI{D}_i^j$	pseudo identity of $V_i$ agreed upon between $E{S}_j$ and $V_i$
$BI{D}_i^j$	secret identity of $V_i$ agreed upon between $E{S}_j$ and $V_i$

Figure 2. The flowchart of the proposed scheme.

4.1. System Initialization

The system is initiated by $CS$. $CS$ chooses a Chebyshev polynomial function $T_n\left(x\right)$ with $x\in (-\infty ,+\infty )$, a large prime number p, cryptographic one-way hash function $h(.)$, and a time threshold ΔT. Then, $CS$ chooses a random number $s<n$, computes $P=T_s\left(x\right)$$mod$ p, publishes $\{x,T_n\left(x\right),p,h(.),P,\Delta T\}$, and keeps s as a secret. Afterwards, $CS$ chooses $I{D}_j$ and $s_j$, computes $SI{D}_j=h(I{D}_j\left|\right|s)$, and sends $(I{D}_j,SI{D}_j,s_j)$ to $E{S}_j$. $E{S}_j$ computes $P_j=T_{s_j}\left(x\right)$, publishes $(I{D}_j,P_j)$, and stores $(SI{D}_j,s_j)$ securely.

4.2. Vehicle Registration

A user chooses $I{D}_i$ and $P{W}_i$ and inputs them to $V_i$. Then, $V_i$ computes $HI{P}_i=h(I{D}_i\left|\right|P{W}_i)$, $R_{i-TA}=T_{HI{P}_i}\left(x\right)$, and $HI{D}_i=I{D}_i\oplus h\left(R_{i-TA}\right)$, and sends $(HI{D}_i,T_{HI{P}_i}\left(x\right))$ to $CS$. Then, $CS$ computes $R_{i-TA}=T_s\left(T_{HI{P}_i}\left(x\right)\right)$ and $I{D}_i=HI{D}_i\oplus h\left(R_{i-TA}\right)$ and checks whether $I{D}_i$ is registered. $CS$ chooses a random number $a_{CS}$ and computes $RI{D}_i=h(I{D}_i\left|\right|a_{CS})$, $SI{D}_i=h(RI{D}_i\left|\right|s)$, and $M_i=(RI{D}_i\left|\right|SI{D}_i)\oplus h(R_{i-TA}\left|\right|HI{D}_i)$. Then, $CS$ sends $M_i$ to $V_i$ and transmits $RI{D}_i$ to $E{S}_j$, which is the closest edge server to $V_i$. $V_i$ computes $(RI{D}_i\left|\right|SI{D}_i) =M_i\oplus h(R_{i-TA}\left|\right|HI{D}_i)$, chooses a random number $a_i$, computes $X_i=a_i\oplus HI{P}_i$, $Y_i=(RI{D}_i\left|\right|SI{D}_i)\oplus h(I{D}_i\left|\right|P{W}_i\left|\right|a_i)$, and $Aut{h}_i=h(I{D}_i\left|\right|P{W}_i\left|\right|RI{D}_i\left|\right|SI{D}_i)$, and stores $X_i,Y_i$$,Aut{h}_i$ in the memory.

4.3. Login and Initial Authentication

After registration, a user logs in to $V_i$ and authenticates with the nearest $E{S}_j$ to be provided services. First, the user inputs $I{D}_i$ and $P{W}_i$ to $V_i$, and $V_i$ computes $a_i=X_i\oplus h(I{D}_i||P{W}_i)$ and $(RI{D}_i||SI{D}_i)=Y_i\oplus h(I{D}_i||P{W}_i||a_i)$, and checks $Aut{h}_i\stackrel{?}{=}h(I{D}_i||P{W}_i||RI{D}_i||SI{D}_i)$. If it is equal, $V_i$ generates a timestamp $T_1$ and a random number $r_i$, computes $D_i=T_{r_i}(x)$, $D_{ij}=T_{r_i}(P_j)$, $M_{i1}=RI{D}_i\oplus h(D_{ij}||T_1)$, and $H_{i1}=h(SI{D}_i||RI{D}_i)$, and sends $(I{D}_j,D_i,M_{i1},H_{i1},T_1)$ to $E{S}_j$. After $E{S}_j$ receives the message, $E{S}_j$ computes $RI{D}_i=M_{i1}\oplus h(D_{ij}||T_1)$, checks whether $RI{D}_i$ is registered and $|T_1^{\prime }-T_1| \le$ΔT. If it satisfies, $E{S}_j$ generates a random number $r_j$ and a timestamp $T_2$, $R_j=T_{r_j}(x)$, $M_{j1}=RI{D}_i\oplus h(T_{r_j}(P)||T_2)$, $H_{j1}=h(H_{i1}||SI{D}_j||T_2)$, and sends $(I{D}_j,R_j,M_{j1},H_{j1},T_2)$ to $CS$. $CS$ first checks whether $|T_2^{\prime }-T_2| \le$ΔT, computes $RI{D}_i=M_{j1}\oplus h(T_s(R_j)||T_2)$, $SI{D}_i=h(RI{D}_i||s)$, $H_{i1}=h(SI{D}_i||RI{D}_i)$, and $SI{D}_j=h(I{D}_j||s)$, and checks $H_{j1}\stackrel{?}{=}h(H_{i1}||SI{D}_j||T_2)$. Then, $CS$ generates a timestamp $T_3$ and random numbers $a_{cs}^{new}$ and $r_{cs}$, computes $RI{D}_i^{new}=h(RI{D}_i||a_{cs}^{new})$, $SI{D}_i^{new}=h(RI{D}_i^{new}||s)$, $R_{CS}=T_{r_{CS}}(x)$, $M_{CS}=RI{D}_i^{new}\oplus h(T_{r_{CS}}(R_j)||T_s(P_j))$, $N_{CS}=SI{D}_i\oplus h(T_{r_{CS}}(R_j)||T_s(P_j)||RI{D}_i^{new})$, $O_{CS}=SI{D}_i^{new}\oplus h(SI{D}_i||RI{D}_i^{new})$, and $H_{CS}=h(SI{D}_i^{new}||$$RI{D}_i^{new})$, and sends $(R_{CS},M_{CS},N_{CS},O_{CS},H_{CS},T_3)$ to $E{S}_j$. After $E{S}_j$ receives the message, the user checks whether $|T_3^{\prime }-T_3| \le$ΔT, and generates a timestamp $T_4$, random number $a_j$ and $AI{D}_i^j$, and expiration time $E{T}_i^j$. Then, $E{S}_j$ computes $RI{D}_i^{new}=M_{CS}\oplus h(T_{r_j}(R_{CS})||T_{s_j}(P))$, $SI{D}_i=N_{CS}\oplus h(T_{r_{CS}}(R_j)||T_s(P_j)||RI{D}_i^{new})$, $E_j=T_{a_j}(x)$, $M_{j2}=RI{D}_i^{new}\oplus h(T_{a_j}(D_i)||T_4)$, $BI{D}_i^j=h(AI{D}_i^j||s_j)$, $M_{j3}=(O_{CS}||AI{D}_i^j||BI{D}_i^j)\oplus h(RI{D}_i||RI{D}_i^{new})$, $SK=h(AI{D}_i^j$$||BI{D}_i^j||$$SI{D}_i||RI{D}_i^{new}||T_{a_j}(D_i))$, and $H_{j2}=h(H_{CS}||$$SK||T_4)$, sends $(E_j,M_{j2},M_{j3},H_{j2},T_4)$ to $V_i$, and stores $(AI{D}_i^j,RI{D}_i^{new},E{T}_i^j)$ in a secure memory. $V_i$ receives the message, checks whether $|T_4^{\prime }-T_4| \le$ΔT, computes $RI{D}_i^{new}=M_{j2}\oplus h(T_{r_i}(E_j)||T_4)$, $(O_{CS}||AI{D}_i^j||BI{D}_i^j)=M_{j3}\oplus h(RI{D}_i||RI{D}_i^{new})$, $SI{D}_i^{new}=O_{CS}\oplus h(SI{D}_i||$$RI{D}_i^{new})$, $H_{CS}=h(SI{D}_i^{new}||RI{D}_i^{new})$, and $SK=h(AI{D}_i^j||BI{D}_i^j||SI{D}_i||RI{D}_i^{new}||T_{r_i}(E_j))$, and checks $H_{j2}$$\stackrel{?}{=}h(H_{CS}||SK||T_4)$. If it is equal, $V_i$ computes $Y_i^{new}=(RI{D}_i^{new}||SI{D}_i^{new})\oplus h(I{D}_i||P{W}_i||a_i)$, $Z_i^j=(AI{D}_i^j||$$BI{D}_i^j)\oplus h(RI{D}_i^{new}||SI{D}_i^{new}||a_i)$, and $Aut{h}_i^{new}=h$$(RI{D}_i^{new}||SI{D}_i^{new}||AI{D}_i^j||BI{D}_i^j)$. Then, $V_i$ updates $Y_i$ and $Aut{h}_i$ to $Y_i^{new}$ and $Aut{h}_i^{new}$ and adds $Z_i^j$ in a memory. Figure 3 presents the proposed initial authentication phase.

Figure 3. Proposed login and initial authentication phase.

4.4. Re-Authentication

Within the expiration time $E{T}_i^j$ determined in the initial authentication, $V_i$ can perform fast re-authentication with $E{S}_j$. When $I{D}_i$ and $P{W}_i$ are input to $V_i$, $V_i$ computes $a_i=X_i^{new}\oplus h(I{D}_i||P{W}_i)$, $(RI{D}_i^{new}||SI{D}_i^{new})=Y_i^{new}\oplus h(I{D}_i||P{W}_i||a_i)$, and $(AI{D}_i^j||BI{D}_i^j)=Z_i^j\oplus h(RI{D}_i^{new}||SI{D}_i^{new}||a_i)$, and checks $Aut{h}_i^{new}\stackrel{?}{=}h(RI{D}_i^{new}$$||SI{D}_i^{new}||$$AI{D}_i^j||BI{D}_i^j)$. If it is equal, $V_i$ generates a timestamp $T_5$, computes $N_i=h(RI{D}_i^{new}||BI{D}_i^j||T_5)$, and sends $(AI{D}_i^j,N_i,T_5)$ to $E{S}_j$. $E{S}_j$ checks whether $|T_5^{\prime }-T_5| \le$ΔT, retrieves $RI{D}_i^{new}$ and $E{T}_i^j$ using $AI{D}_i^j$, and checks $E{T}_i$ is valid. After that, $E{S}_j$ computes $BI{D}_i^j=h(AI{D}_i^j||s_j)$ and checks $N_i\stackrel{?}{=}h(RI{D}_i^{new}||BI{D}_i^j||T_5)$. If it is equal, $E{S}_j$ generates a timestamp $T_6$ and a random number $b_j$, computes $AI{D}_i^{j^{new}}=h(AI{D}_i^j||b_j)$, $BI{D}_i^{j^{new}}=h(AI{D}_i^{j^{new}}||s_j)$, $L_j=(AI{D}_i^{j^{new}}||BI{D}_i^{j^{new}})\oplus h(AI{D}_i^j||BI{D}_i^j||T_6)$, $SK=h(RI{D}_i^{new}||BI{D}_i^{j^{new}}||T_5||T_6)$, and $N_j=h(SK||T_5||T_6)$. $E{S}_j$ sends $(L_j,N_j,T_6)$ to $V_i$ and updates $AI{D}_i^j$ and $BI{D}_i^j$ to $AI{D}_i^{j^{new}}$ and $BI{D}_i^{j^{new}}$, respectively. $V_i$ checks whether $|T_6^{\prime }-T_6| \le$ΔT, computes $(AI{D}_i^{j^{new}}||BI{D}_i^{j^{new}})=L_j\oplus h(AI{D}_i^j||BI{D}_i^j||T_6)$ and $SK=h(RI{D}_i^{new}||BI{D}_i^{j^{new}}||T_5||T_6)$, and checks $N_j\stackrel{?}{=}h(SK||T_5||T_6)$. Then, $V_i$ computes $Z_i^{j^{new}}=(AI{D}_i^{j^{new}}||$$BI{D}_i^{j^{new}})\oplus h(RI{D}_i^{new}||SI{D}_i^{new}||a_i)$ and $Aut{h}_i^{ne{w}^{\prime }}=h(RI{D}_i^{new}||SI{D}_i^{new}$$||AI{D}_i^{j^{new}}||BI{D}_i^{j^{new}})$ and updates $Z_i^j$ and $Aut{h}_i^{new}$ to $Z_i^{j^{new}}$ and $Aut{h}_i^{ne{w}^{\prime }}$. Figure 4 presents the proposed re-authentication phase.

Figure 4. Proposed re-authentication phase.

4.5. Handover Authentication

When $V_i$ moves to $E{S}_{j+1}$ from $E{S}_j$, $V_i$ can quickly authenticate to $E{S}_{j+1}$ through the proposed handover authentication. $V_i$ generates a timestamp $T_7$, computes $O_i=h(RI{D}_i^{new}||BI{D}_i^j)$, and sends $(I{D}_j,AI{D}_i^j,O_i,T_7)$ to $E{S}_{j+1}$. Then, $E{S}_{j+1}$ checks whether $|T_7^{\prime }-T_7| \le$ΔT, generates a random number $r_{j+1}$ and a timestamp $T_8$, computes $R_{j+1}=T_{r_{j+1}}(x)$, and sends $(I{D}_{j+1},R_{j+1},AI{D}_i^j,O_i,T_8)$ to $E{S}_j$. After $E{S}_j$ checks whether $|T_8^{\prime }-T_8| \le$ΔT and retrieves $RI{D}_i^{new}$ and $E{T}_i^j$ using $AI{D}_i^j$. Then, $E{S}_j$ computes $BI{D}_i^j=h(RI{D}_i^{new}||s_j)$ and checks $O_i\stackrel{?}{=}h(RI{D}_i^{new}||BI{D}_i^j)$. If it is equal, $E{S}_j$ generates a random number $k_j$ and a timestamp $T_9$, computes $K_j=T_{k_j}(x)$ and $O_j=(RI{D}_i^{new}||BI{D}_i^j)\oplus h(T_{s_j}(P_{j+1})||T_{k_j}(R_{j+1}))$, and sends $(K_j,O_j,T_9)$ to $E{S}_j$. After $E{S}_j$ checks whether $|T_9^{\prime }-T_9| \le$ΔT, computes $(RI{D}_i^{new}||BI{D}_i^j)=O_j\oplus h(T_{s_{j+1}}(P_j)||T_{r_{j+1}}(K_j))$ and checks $O_i\stackrel{?}{=}h(RI{D}_i^{new}||BI{D}_i^j)$. If it is equal, $E{S}_{j+1}$ generates a timestamp $T_{10}$, a random number $a_{j+1}$, and an expiration time $E{T}_i^{j+1}$, computes $AI{D}_i^{j+1}=h(AI{D}_i^j||a_{j+1})$, $BI{D}_i^{j+1}=h(AI{D}_i^{j+1}||s_{j+1})$, $L_{j+1}=(AI{D}_i^{j+1}||BI{D}_i^{j+1})\oplus h(AI{D}_i^j||BI{D}_i^j||$$T_{10})$, $SK=h(RI{D}_i^{new}||BI{D}_i^{j+1}||AI{D}_i^{j+1})$, and $N_{j+1}=h(SK||T_{10})$, sends $(L_{j+1},N_{j+1},T_{10})$ and stores $(AI{D}_i^{j+1},RI{D}_i^{new},E{T}_i^{j+1})$ in secure memory. $V_i$ checks whether $|T_{10}^{\prime }-T_{10}| \le$ΔT, $(AI{D}_i^{j+1}||BI{D}_i^{j+1})=L_{j+1}\oplus h(AI{D}_i^j||BI{D}_i^j||T_{10})$, and $SK=h(RI{D}_i^{new}||BI{D}_i^{j+1}||AI{D}_i^{j+1})$ and checks $N_{j+1}\stackrel{?}{=}h(SK||T_{10})$. After that, $V_i$ computes $Z_i^{j+1}=(AI{D}_i^{j+1}||BI{D}_i^{j+1})\oplus h(RI{D}_i^{new}||SI{D}_i^{new}||a_i)$ and updates $Z_i^j$ to $Z_i^{j+1}$. Figure 5 presents the propose handover authentication phase.

Figure 5. Proposed handover authentication phase.

5. Security Analysis

We analyzed the the proposed scheme against different attacks using the informal security analysis and formal security analysis. We denote our proposed scheme as CM-SAS in the analysis sections.

5.1. Informal Analysis

In this section, we demonstrate that our scheme has resistance to various attack scenarios.

5.1.1. Resistance to Replay Attacks

A can intercept messages transmitted in public channels and reuse the message to cause delays or harm the network. In our scheme, every message includes a timestamp and a message hash value such as $H_{i1}$, $H_{j1}$, $H_{CS}$, and $H_{j2}$. If A transmits the message, the time threshold will be exceeded and the message will not be regarded as valid, and if A arbitrarily modifies the message, the hash value of the message is incorrect and it will be rejected by the other party. Therefore, the proposed protocol can defend against replay attacks.

5.1.2. Resistance to Privileged Insider Attacks

In this attack scenario, we assume that A is a privileged insider of $CS$, and A tries to log in to other networks using the information of $V_i$. In our scheme, A can obtain $I{D}_i$ in the registration phase. However, A cannot know any information about $P{W}_i$, which is required to log in to another server using $I{D}_i$. Therefore, A cannot access other networks by impersonating $V_i$, and the proposed scheme is secure against the privileged insider attacks.

5.1.3. Resistance to Impersonation Attacks

A can impersonate $V_i$ or $E{S}_j$ and try to generate a session key with the other entity. In case of masquerading as $V_i$, A must be able to generate a legitimate message $(I{D}_j,D_i,M_{i1},H_{i1},T_1)$. $I{D}_j$ is published and $D_i$ and $T_1$ can be generated by A. However, A cannot generate $M_{i1}$ and $H_{i1}$ without knowing $RI{D}_i$ and $SI{D}_i$, which can be obtained with correct $I{D}_i$ and $P{W}_i$. Therefore, A fails to send a message disguised as $V_i$. On the other hand, A must be able to generate $(E_j,M_{j2},M_{j3},H_{j2},T_4)$ to disguise as $E{S}_j$. Similarly, A cannot make a legitimate $M_{j2}$, $M_{j3}$, and $H_{j2}$, and the message generated by A will be rejected by $V_i$. Therefore, the proposed protocol is secure against impersonation attacks.

5.1.4. Support Perfect Forward Secrecy

In the proposed scheme, long-term keys are s, $s_j$, and $SI{D}_j$ and the session key $SK=h(AI{D}_i^j||BI{D}_i^j||SI{D}_i$$\left|\right|RI{D}_i^{new}\left|\right|T_{a_j}\left(D_i\right))$. Among these values, A can calculate $RI{D}_i$=$M_j\oplus h(T_s\left(R_j\right)\left|\right|T_2)$ and can calculate $SI{D}_i=h(RI{D}_i\left|\right|s)$. However, A can obtain no more values because $RI{D}_i^{new}$ cannot be calculated without knowing $r_i^{new}$ or $a_j$ or $r_i$, which are random numbers generated in each session, and $AI{D}_i^j$ and $BI{D}_i^j$ are masked with $RI{D}_i^{new}$. Therefore, A cannot know $AI{D}_j^j$, $BI{D}_i^j$, $RI{D}_i^{new}$, and $T_{a_j}\left(D_i\right)$. It is also impossible to guess the above values simultaneously, and the proposed protocol can guarantee perfect forward secrecy.

5.1.5. Resistance to Ephemeral Session Random Number Leakage Attacks

The session random numbers include $(r_i,r_j,r_i^{new}$$,r_{CS},a_j)$. To disclose $SK=h(AI{D}_i^j||BI{D}_i^j$$\left|\right|SI{D}_i\left|\right|RI$$D_i^{new}\left|\right|T_{a_j}\left(D_i\right))$, A can calculate $RI{D}_i=M_j\oplus h(T_{r_j}\left(P\right)\left|\right|T_2)$, $RI{D}_i^{new}=h(RI{D}_i\left|\right|$$r_i^{new})$, and $T_{a_j}\left(D_i\right)$. Then, A can obtain $AI{D}_i^j$ and $BI{D}_i^j$ using $RI{D}_i$ and $RI{D}_i^{new}$. However, A can still cannot obtain $SI{D}_i$ because it is masked with secret keys s and $s_j$ as well as the random numbers. Therefore, A fails to calculate the session key and the proposed scheme is resistant to ephemeral session random number leakage attacks.

5.1.6. Support Vehicle Anonymity and Untraceability

In the proposed protocol, $V_i$ transmits $(I{D}_j,D_i,$$M_{i1},H_{i1},T_1)$ and receives $(E_j,M_{j2},M_{j3},$$H_{j2},T_4)$ from $E{S}_j$. The transmitted messages in a public channel do not include the identity of $V_i$. Furthermore, when re-authentication or handover authentication occurs, $V_i$ sends $AI{D}_i^j$, yet it is updated in each session. Therefore, vehicle anonymity is guaranteed in the proposed protocol. Instead, A can try to trace $V_i$ using the transmitted messages. Messages sent in public channels must contain repetitive values to succeed in this attack. In our scheme, the pseudo identity of $V_i$ is updated in every session and A cannot figure out the value to track $V_i$, and therefore, a vehicle is untraceable in the proposed scheme.

5.2. Formal Security Under RoR Model

We formally analyzed the session key security of the proposed scheme using a Real-or-Random (RoR) model [24,25,26]. We conducted the RoR model-based security analysis of the initial authentication scheme because the re-authentication and handover authentication phases were performed based on the initial authentication. We denote $p^V$ and $p^{ES}$ as network participants representing $V_i$ and $E{S}_j$, respectively. Under the RoR model, an adversary A executes queries (i.e., attacks) to obtain the agreed session key between network participants. The notations and their descriptions are summarized in Table 3.

Table 3. Queries and their descriptions.

Query	Description
$Execute(p^V,p^{ES})$	It represents an eavesdropping attack carried out by A. A can obtain the messages between $p^V$ and $p^{ES}$ transmitted through a wireless channel.
$Corrupt\left(p^V\right)$	It indicates that A succeeded in corrupting $V_i$. A can extract stored values in $V_i$ using power analysis attack.
$Send(p,M)$	It represents A sending a message to a network participant and that A can receive the response.
$Hash$	It indicates that A performs a one-way hash operation using the obtained values.
$Test\left(p\right)$	It is performed to verify the semantic security of the session key. We assume that there is an unbiased coin c, which of the head represents 1 and the tail represents 0, and the results are veiled from A. When A performs $Test$ query, c is flipped, and a random number is given to A if $c=0$, and the session key is given if $c=1$. At this time, A must be able to determine whether the value is a session key or a random number.

What we can prove through ROR analysis is that the probability of A successfully distinguishing a session key and a random number when performing a $Test$ query is not significantly different from 1/2.

Theorem 1.

Let $Advan\left(A\right)$ be an advantage function of A to distinguish a random number and the session key after performing the above queries.

$$\begin{array}{c}\hfill Advan\left(A\right) \le {\displaystyle \frac{q_{hash}^2}{\left|Hash\right|}}+{\displaystyle \frac{2q_{send}}{|D_{ID}\left|\right|D_{PW}|}}\end{array}$$

(4)

where $q_{hash}$, $q_{send}$, $D_{ID},$ and $D_{PW}$ represent the number of $Hash$ queries performed by A, the number of $Send$ queries performed by A, and the range space of uniformly distributed identity and password dictionaries, respectively.

• $Gam{e}_0$: In $Gam{e}_0$, we assume that A has no information about the session key $SK$ and performs no queries. When $P\left[S_{G_0}\left(A\right)\right]$ denotes the probability of A succeeding in guessing the correct bit c after $Gam{e}_0$ ends, we can induce the following equation by the definition of the semantic security:

  $$\begin{array}{c}\hfill Advan\left(A\right)=\left|2P\right[S_{G_0}\left(A\right)]-1|\end{array}$$

  (5)

• $Gam{e}_1$: A performs $Execute$ and $Test$ queries in the first game. In our scheme, A cannot obtain any values to calculate $SK$ through a public channel. In the proposed scheme, the session key is calculated by $SK=h(AI{D}_i^j||BI{D}_i^j||SI{D}_i||RI{D}_i^{new}||T_{r_i}\left(E_j\right))$. A cannot obtain any of the values to calculate $SK$ through a public channel. Therefore, A has no advantage by executing $Execute$ query for guessing $SK$ successfully, and we can induce the following equation at the end of $Gam{e}_1$:

  $$\begin{array}{c}\hfill P\left[S_{G_0}\left(A\right)\right]=P\left[S_{G_1}\left(A\right)\right]\end{array}$$

  (6)

• $Gam{e}_2$: A performs $Send$ and $Hash$ queries to calculate $SK$ in this game. Each message transmitted through a public channel includes a timestamp and message hash value, and A cannot arbitrarily modify the message. Therefore, A must find a hash collision to compromise $SK$ of our scheme. Then, the advantage function of A after the end of $Gam{e}_2$ can be induced as follows:

  $$\begin{array}{c}\hfill |P\left[S_{G_2}\left(A\right)\right]-P\left[S_{G_1}\left(A\right)\right]| \le {\displaystyle \frac{q_{hash}^2}{2\left|Hash\right|}}\end{array}$$

  (7)

• $Gam{e}_3$: A can perform $Corrupt$ query and can obtain the stored values of $V_i$ such as $X_i$, $Y_i$, and $Aut{h}_i$. If A succeeds to log in and sends an authentication request a message to $E{S}_j$, then A can agree on a session key with $E{S}_j$ disguising as $V_i$. However, for this attack to succeed, A must successfully guess the correct $I{D}_i$ and $P{W}_i$, which is mathematically impossible. Assuming that A has $D_{ID}$ and $D_{PW}$, the probability of successful guessing is

  $$\begin{array}{c}\hfill |P\left[S_{G_2}\left(A\right)\right]-P\left[S_{G_3}\left(A\right)\right]| \le {\displaystyle \frac{q_{send}}{|D_{ID}\left|\right|D_{PW}|}}\end{array}$$

  (8)

When all the games are over, A performs the $Test$ query and should guess the correct bit c to win the game. A has no advantages through the above games, and we can obtain $P\left[S_{G_3}\left(A\right)\right]={\displaystyle \frac{1}{2}}$. Then, we can obtain the following equation using the triangle inequality:

$$\begin{array}{c}\hfill \begin{array}{cc}\hfill {\displaystyle \frac{1}{2}}Advan\left(A\right)& =|P\left[S_{G_0}\left(A\right)\right]-{\displaystyle \frac{1}{2}}|\hfill \\ \hfill & =|P\left[S_{G_0}\left(A\right)\right]-P\left[S_{G_3}\left(A\right)\right]|\hfill \\ \hfill & \le |P[S_{G_0}\left(A\right)]-P[S_{G_1}\left(A\right)]|\hfill \\ \hfill & +|P[S_{G_1}\left(A\right)]-P[S_{G_2}\left(A\right)]|\hfill \\ \hfill & +|P[S_{G_2}\left(A\right)]-P[S_{G_3}\left(A\right)]|\hfill \\ \hfill & \le {\displaystyle \frac{q_{hash}^2}{2|Hash|}}+{\displaystyle \frac{q_{send}}{|D_{ID}||D_{PW}|}}\hfill \end{array}\end{array}$$

(9)

Finally, the proof is completed.

5.3. Scyther Tool

We simulated the CM-SAS using the Scyther tool [27], which is a developed for the automatic verification of security protocols. The Scyther tool verifies security for four statuses: Alive, Weakagree, Niagree, and Nisynch. The Alive status is the most basic level, which means that the communication partner is currently in a connectable state. Weakagree status is for checking whether the communication partner is legitimate. For example, the communication partner can decrypt or sign messages as well as being alive. Niagree is short for non-injective agreement. Niagree status means that the responder apparently previously ran the protocol with the sender, and both agreed on the values of the variables. Finally, Nisynch is short for non-injective synchronization, and it means that all the above conditions are satisfied and all messages are sent in the precise order described in the protocol. If a security protocol cannot satisfy the Nisynch status, it means that the protocol could be vulnerable to replay attacks. When a security protocol satisfies the four statuses, the protocol guarantees mutual authentication and resists replay attacks. The simulation result of the CM-SAS is shown in Figure 6. For all participating entities of the CM-SAS, the four statuses are satisfied, and we can say that the CM-SAS can guarantee mutual authentication and is resistant to replay attacks.

Figure 6. Scyther simulation results.

6. Performance Analysis

We compare the proposed CM-SAS with the existing schemes [11,12,13,14,15,16,17,18,19] in terms of computational cost, communication cost, and security features.

6.1. Computational Cost

Based on Kilinc and Yanik’s report [28], a notation and time cost of each operation is as shown in Table 4. The operations were executed with Ubuntu 12.04.1 LTS 32bit operating system, Intel Pentium Dual CPU E2200 2.20 GHz processor, 2048 MB of RAM. Furthermore, similar to [29], we estimated the time cost of the chaotic map to be one-third of ECC scalar multiplication. We compared the total computational cost in three scenarios: initial authentication, handover authentication, and re-authentication. Some schemes that do not handle handover and re-authentication are considered to repeat the initial authentication in those situations. The computational cost comparison results are summarized in Table 5.

Table 4. Notation and time cost of each operation.

Notation	Meaning	Time Cost
$T_{sign}$	signature generation	3.85 ms
$T_{ver}$	signature verification	0.1925 ms
$T_{mul}$	ECC scalar multiplication	2.226 ms
$T_{add}$	ECC point addition	0.0288 ms
$T_{mod}$	modular exponentiation	3.85 ms
$T_c$	Chebyshev chaotic map	0.742 ms
$T_p$	bilinear pairing	5.811 ms
$T_h$	one-way hash	0.0023 ms

Table 5. Computational cost comparison.

	Initial Authentication				Handover Authentication				Re-Authentication
	${\mathit{V}}_{\mathit{i}}$	${\mathit{RSU}}_{\mathit{j}}\mathbf{/}{\mathit{ES}}_{\mathit{j}}$	$\mathit{TA}\mathbf{/}\mathit{CS}$	Total	${\mathit{V}}_{\mathit{i}}$	${\mathit{RSU}}_{\mathit{j}}\mathbf{/}{\mathit{ES}}_{\mathit{j}}$	${\mathit{RSU}}_{\mathit{j}\mathbf{+}\mathbf{1}}\mathbf{/}{\mathit{ES}}_{\mathit{j}\mathbf{+}\mathbf{1}}$	Total	${\mathit{V}}_{\mathit{i}}$	${\mathit{RSU}}_{\mathit{j}}\mathbf{/}{\mathit{ES}}_{\mathit{j}}$	Total
Wang et al. [11]	$T_p+T_{mul}+4T_{mod}+T_h\approx 23.4393$ ms	$T_p+T_{mul}+6T_{mod}+T_h\approx 31.1393$ ms	-	54.5786 ms	$T_p+T_{mul}+T_{mod}+T_h\approx 11.8893$ ms	$2T_{mod}\approx 7.7$ ms	$T_p+T_{mul}+3T_{mod}\approx 19.587$ ms	$39.1753$ ms	-	-	-
Bojjagani et al. [12]	$2T_{enc}+2T_{sign}+2T_{ver}+2T_h\approx 15.7896$ ms	$T_{enc}+T_{sign}+T_{ver}+T_h\approx 7.8971$ ms	-	$23.6867$ ms	-	-	-	-	-	-	-
Shen et al. [13]	$14T_{mul}+T_h\approx 31.1663$ ms	$11T_{mul}+2T_h\approx 24.4906$ ms	$8T_{mul}+T_h\approx 17.8103$ ms	$73.4672$ ms	$5T_{mul}\approx 11.13$ ms	-	$2T_{mul}\approx 4.452$ ms	$15.582$ ms	-	-	-
Wang et al. [14]	$4T_c+T_h\approx 2.9703$ ms	$4T_c+T_h\approx 2.9703$ ms	-	$5.9406$ ms	-	-	-	-	-	-	-
Xi et al. [15]	$3T_{mod}+2T_{mul}+T_{add}\approx 16.0308$ ms	$6T_{mod}+2T_{mul}+T_{add}\approx 27.5808$ ms	-	$43.6116$ ms	-	-	-	-	$2T_{mul}+T_{add}\approx 4.4808$ ms	$2T_{mul}+T_{add}+T_h\approx 4.4831$ ms	$9.9639$ ms
Yang et al. [16]	$3T_{mul}+T_{add}+6T_h\approx 6.7207$ ms	$7T_{mul}+T_{add}+4T_h\approx 15.6246$ ms	-	$22.3453$ ms	$T_{mul}+6T_h\approx 2.2398$ ms	-	$3T_{mul}+6T_h\approx 6.6919$ ms	$8.9317$ ms	-	-	-
Dwivedi et al. [17]	$3T_{mul}+6T_h\approx 6.6918$ ms	$3T_{mul}+6T_h\approx 6.6918$ ms	-	$13.3836$ ms	$3T_{mul}+6T_h\approx 6.6918$ ms	$6T_{mul}+10T_h\approx 13.379$ ms	-	$20.0708$ ms	-	-	-
Wang et al. [18]	$3T_{mul}+3T_{add}+2T_h\approx 6.679$ ms	$3T_{mul}+3T_{add}+2T_h\approx 6.679$ ms	-	$13.538$ ms	-	-	-	-	-	-	-
Rani and Tripathi [19]	$2T_{mul}+T_{add}+8T_h\approx 4.4992$ ms	$7T_{mul}+2T_{add}+7T_h\approx 15.6557$ ms	$2T_{mul}+T_{add}+2T_h\approx 4.4854$ ms	$24.6403$ ms		-	-	-	-	-	-
CM-SAS	$3T_c+11T_h\approx 2.2513$ ms	$9T_c+10T_h\approx 6.6701$ ms	$4T_c+10T_h\approx 2.991$ ms	$11.9433$ ms	$5T_h\approx 0.0115$ ms	$3T_c+6T_h\approx 2.2398$ ms	$3T_c+3T_h\approx 2.2329$ ms	$4.4843$ ms	$6T_h\approx 0.0138$ ms	$7T_h\approx 0.0161$ ms	$0.0299$ ms

In the initial authentication, the CM-SAS has the lowest time cost on the vehicle side compared to the existing schemes, and has the second lowest time cost on the RSU/ES side. Compared to [11,12,14,15], TA/CS participates in the initial authentication and may have additional communication costs, yet it is much more efficient in terms of computational cost. In the handover authentication, the CM-SAS takes an overwhelmingly low computational cost on the vehicle, and on the RSU/ES side, it also takes significantly lower computational cost. Ref. [15] is the only scheme that considers re-authentication, and the CM-SAS is also much more efficient compared to the scheme of [15]. The computational cost of increasing the number of vehicles and RSU/ESs can be seen in Figure 7. In Figure 7, scenarios 1, 2, and 3 represent the initial, handover, and re-authentication situations, respectively. We assume that the existing schemes that do not design handover or re-authentication should repeat initial authentication in scenarios 2 and 3. Although the computational cost of the CM-SAS is similar to the scheme of [14] in the initial authentication, the CM-SAS is more efficient than other schemes. Furthermore, in the handover and re-authentication, the CM-SAS has a remarkably low computational load compared to any other schemes as the number of authentication increases. Overall, the proposed scheme is the most efficient compared to the existing schemes in terms of computational costs.

Figure 7. Total computational cost as the number of authentication increases.

6.2. Communication Cost

For a communication cost comparison, we assume that a bit length of an identity, a hash output, a random number, an ECC point, a point of pairing-based group, a request, a timestamp, a token, and a chaotic map are, respectively, 160 bits, 256 bits, 256 bits, 320 bits, 1024 bits, 32 bits, 32 bits, 160 bits, and 256 bits. Furthermore, we assume that the AES-256 algorithm is used for symmetric en/decryption. The comparison results are summarized in Table 6.

Table 6. Communication cost comparison.

	Initial Authentication				Handover Authentication				Re-Authentication
	${\mathit{V}}_{\mathit{i}}$	${\mathit{RSU}}_{\mathit{j}}\mathbf{/}{\mathit{ES}}_{\mathit{j}}$	$\mathit{TA}\mathbf{/}\mathit{CS}$	Total	${\mathit{V}}_{\mathit{i}}$	${\mathit{RSU}}_{\mathit{j}}\mathbf{/}{\mathit{ES}}_{\mathit{j}}$	${\mathit{RSU}}_{\mathit{j}\mathbf{+}\mathbf{1}}\mathbf{/}{\mathit{ES}}_{\mathit{j}\mathbf{+}\mathbf{1}}$	Total	${\mathit{V}}_{\mathit{i}}$	${\mathit{RSU}}_{\mathit{j}}\mathbf{/}{\mathit{ES}}_{\mathit{j}}$	Total
Wang et al. [11]	1056 bits	-	-	1056 bits	-	2048 bits	160 bits	2208 bits	-	-	–
Bojjagani et al. [12]	2752 bits	1408 bits	-	4160 bits	-	-	-	-	-	-	-
Shen et al. [13]	1016 bits	3808 bits	960 bits	5784 bits	896 bits	-	1312 bits	2208 bits	-	-	-
Wang et al. [14]	1056 bits	768 bits	-	1824 bits	-	-	-	-	-	-	-
Xi et al. [15]	2240 bits	256 bits	-	2496 bits	-	-	-	-	1728 bits	256 bits	1984 bits
Yang et al. [16]	1696 bits	800 bits	-	2496 bits	1696 bits	800 bits	-	2496 bits	-	-	-
Dwivedi et al. [17]	1376 bits	864 bits	-	2240 bits	1376 bits	864 bits	1472 bits	3712 bits	-	-	-
Wang et al. [18]	3584 bits	3872 bits	128 bits	7584 bits	-	-	-	-	-	-	-
Rani and Tripathi [19]	576 bits	1216 bits	288 bits	2080 bits	-	-	-	-	-	-	-
CM-SAS	960 bits	2016 bits	1312 bits	4288 bits	704 bits	1054 bits	544 bits	2752 bits	544 bits	544 bits	1088 bits

In the initial authentication phase, the proposed scheme generates a slightly higher communication cost than other schemes, except the scheme of [13,18]. However, in the handover authentication phase, the proposed scheme has similar communication costs with other schemes that consider handover situations. In the re-authentication phase, the proposed scheme generates much lower communication costs than other schemes, even compared to the scheme of [15], which is the only scheme that considers re-authentication situations. In real IoV environments, handover and re-authentication occur more frequently than the initial authentication, and the proposed scheme has competitive communication cost with existing schemes.

6.3. Security Features

We compare the provided security features of the CM-SAS and existing protocols [11,12,13,14,15]. We consider security and functional features, including A1, “resistance to replay attack”; A2, “resistance to privileged insider attack”; A3, “resistance to impersonation attack”; A4, “preservation of perfect forward secrecy”; A5, “resistance to ephemeral session random number leakage attack”; A6, “preservation of anonymity and untraceability”; A7, “preservation of mutual authentication”; and A8, “considering repeated authentications”. Table 7 shows that the CM-SAS can provide more security features than previous schemes.

Table 7. Security feature comparison.

Features	[11]	[12]	[13]	[14]	[15]	[16]	[17]	[18]	[19]	CM-SAS
A1	O	O	O	O	O	O	O	O	O	O
A2	−	−	O	O	O	−	−	O	O	O
A3	O	O	O	−	O	O	O	O	O	O
A4	−	−	O	O	−	−	O	−	−	O
A5	−	−	−	O	−	−	O	−	−	O
A6	O	O	O	O	O	O	O	O	O	O
A7	O	O	O	X	O	O	O	O	O	O
A8	O	X	O	X	O	O	O	X	O	O

−: Not considered. X: Insecure. O: Secure.

As shown in Table 7, the CM-SAS can provide more security features than the existing protocols. Furthermore, the proposed scheme has better performance than existing schemes. Therefore, the proposed protocol is more secure and efficient than other schemes.

7. Conclusions

In this paper, we proposed a chaotic map-based seamless authentication scheme (CM-SAS) for IoV environments. In the CM-SAS, an edge server stores a pseudo identity of a vehicle after initial authentication. Then, the edge server can use the stored information to authenticate the vehicle in re-authentication and handover situations. Therefore, the computational costs occurred in redundant authentication are significantly reduced. We have analyzed the CM-SAS using informal methods, the RoR model, and the Scyther tool to prove that the CM-SAS is resistant to various attacks, guarantees session key security, and provides mutual authentication. We also compared the CM-SAS with cutting-edge schemes, and showed that our scheme has better performance in terms of the computational and communication costs. In the future work, we plan to conduct simulations to apply our plans to a real environment.