4. Cross-Domain Message Authentication Scheme Based on VANET
The symbol definitions for this article are as
Table 1:
4.1. System Initialization
Given the safety parameter , the TA chooses a cyclic addition group and generates the system key . The public key is then calculated. The secure hash functions used include , , , , and . The TA publishes the system parameter to the registration information chain of the core layer (CL) and broadcasts these parameters within the VANET system. To maintain security and facilitate regular updates, the TA regularly selects a random number for the region and calculates the updated public key using as the key update parameter, where represents the start and end times of usage on the network. represents the region of . The TA uploads the key update parameter to the registration information chain and broadcasts to the VANET system.
4.2. Vehicle Registration
The vehicle provides owner information, its real ID, license plate number, and the AID to which it belongs, and submits a registration application to the TA through a secure channel. The vehicle selects
random numbers
for the vehicle and calculates
; it then sends
to the TA through a secure channel. The TA selects the currently valid parameter
for the current region and calculates multiple original shared keys
between the TA and the vehicle using the provided values. The TA then calculates the temporary public key of the vehicle
. The vehicle registration process is shown in
Figure 2.
The TA uploads the owner information, real ID, and original shared key of the vehicle to a private registration information chain within the core layer. Additionally, the TA uploads the temporary public key of the vehicle to the global temporary public key chain in the management layer, which mainly provides cross-domain validation services for vehicles. Finally, the TA sends an acknowledgment to the vehicle. Upon receiving the acknowledgment, the vehicle calculates the shared keys and its temporary public key based on the information from the TA, and securely stores them for future authentication and communication purposes.
4.3. RSU Registration
The
chooses a random number
, calculates
, and sends its location information, identity information ID, area ID
, and
to the TA through a secure channel. After validating the submitted information, the TA selects the currently valid system parameter
for the current region and calculates the original shared key
between the TA and RSU. The TA then calculates the temporary public key
for the RSU. The TA uploads the information of the RSU and the original shared key
to the registration information chain of the core layer. It also uploads the temporary public key
of the RSU to the global temporary public key chain in the management layer. Finally, the TA sends
to the RSU. Upon receiving it, the RSU calculates the original key
and its temporary public key
and securely stores them for future use in authentication and communication. The RSU registration process is shown in
Figure 3.
4.4. Cross-Domain Anonymous Message Authentication Between Vehicles and RSUs
When the vehicle arrives at an area, it needs to send a message . The vehicle selects a random number and calculates its pseudonym . Next, the vehicle calculates the message signature , where () is one of the temporary keys selected by the vehicle and negotiated with TAs, and is the temporary public key corresponding to the temporary shared key of the vehicle. is the area ID for vehicle registration and is the timestamp. The vehicle then sends the message to nearby RSUs.
Upon receiving the message, the RSU checks if the timestamp is within its validity period and verifies if Equation (1) holds.
If Equation (1) does not hold, the message is discarded. However, if Equation (1) holds and the
and RSU’s region ID are not the same, the RSU sends query request (
,
,
,
) to the TA in this region. Here,
is the shared key between TAs and RSU, and
is the identity of the RSU. The TA then queries
the global temporary public key chain in the management layer for the temporary public key. If it is found, the TA returns the query results to the RSU through the secure channel
. Upon receiving a confirmation message from the TA, the RSU confirms that the message signature is valid. If
is not found in the global temporary public key chain, the TA will return an error message (
) to the RSU, indicating that the signature is invalid. The vehicle and RSU authentication process is shown in
Figure 4.
4.5. Cross-Domain Anonymous Message Authentication Between Vehicles
When the vehicle arrives in an area, it needs to send a message . The vehicle randomly selects a random number and calculates its pseudonym . then calculates the message signature , where is one of the temporary shared keys selected by the vehicle and negotiated with TA, and is the temporary public key corresponding to the vehicle’s temporary shared key , is the area ID for vehicle registration, and is the timestamp. The vehicle sends to the other vehicles.
Upon receiving the message, the other vehicle
checks if the timestamp is within the validity period. If the timestamp has not expired, it verifies if Equation (2) holds.
If Equation (2) holds, the receiving vehicle determines whether the sending vehicle and itself are in the same area. If they are, it queries the local consortium blockchain, if
is found, then the signature is valid. If the vehicle
and the other vehicle
are not in the same area, the vehicle
chooses a random number
and calculates
and
. The vehicle
then sends a query request
to the TA in the current area. The TA calculates
and obtains the original shared key
between the vehicle and TA based on
. The TA then verifies whether
is valid. If it is established, the TA queries whether
exists in the global temporary public key chain, if it is found, the TA returns a confirmation message
to the vehicle
, and adds
to the local consortium chain. After the vehicle
receives the confirmation, it recognizes that the signature of the confirmation message is valid. If
is not found in the global temporary public key chain, the TA returns an error message
to the vehicle
, indicating that the signature is invalid. The vehicle and vehicle authentication process is shown in
Figure 5.
4.6. Batch Authentication of Message
When the RSU receives
n message signatures
from different vehicles simultaneously, the RSU calculates
and verifies if Equation (3) holds.
If Equation (3) holds, the public key is queried to determine whether it exists in the blockchain. If it is found in the blockchain, the message signature is considered valid. However, if the public key is not found, the batch authentication fails.
4.7. Update of Temporary Public Key for Vehicles
TA selects a new random number
r’ for the region and calculates
,
. In VANET system, the TA broadcasts
to the region, where
is the duration of use for
,
is the area identifier for the current region. Upon receiving this broadcast, the vehicle verifies whether Equation (4) holds.
If Equation (4) is established, the vehicle uses the original shared keys () to calculate new temporary shared keys and new temporary public keys ; here , represents the sequence generated using the original shared keys.
Simultaneously, the TA calculates the new temporary shared keys based on the original shared keys of the vehicle stored in the registration information chain of the private chain; here . The TA then calculates the corresponding new temporary public keys (). The TA uploads the new temporary public keys () to the corresponding region of the global temporary public key chain.
5. Security Analysis
Anonymity: In the proposed scheme, the vehicle sends message signatures using its pseudonym , where the real identity is hidden within a pseudonym. For other vehicles or RSUs, the real identity remains hidden. Given and , the discrete logarithm problem on elliptic curves (ECDLP) makes it computationally infeasible to determine and . Without knowing the random numbers and , it is impossible to calculate according to ECDHP or recover the true name of the vehicle. Only the TA has the capability to restore the true identity of the vehicle from a pseudonym.
Unlinkability: In the proposed scheme, the vehicle employs pseudonyms and temporary public keys for message signing. Each pseudonym used by the vehicle is unique for every signature, and the vehicle has multiple temporary public keys at its disposal. For each message, one signature is randomly selected, and the vehicle’s temporary public key is regularly updated. This approach makes it challenging for attackers or other vehicles to link the vehicle’s identity across different messages, as it is difficult to correlate pseudonyms and temporary public keys from two separate message signatures.
Lemma 1. The signed message in the Cross-domain authentication process between vehicle and RSU is unforgeable. Assuming that the ECDLP is a difficult problem, the message signature proposed in the Cross-domain authentication process between vehicle and RSU can resist adaptive chosen-message forgery attacks.
Proof.
Assume there exists an attacker A who is capable of forging a signature message of a vehicle within polynomial time with a non-negligible probability . Given an instance of the Elliptic Curve Diffie-Hellman (ECDLP) problem (), where and , assume that there exists a challenger C acting as a solver of the ECDLP problem, who can solve it in polynomial time. □
The security model is defined as a game between Attackers A and Challenger C. Challenger C initializes the system and generates the system key using the public key . The challenger C sets system parameters paras = . C randomly selects a vehicle (with an identity tag ) as the identity of the challenge. The vehicle’s public key is . Then, A adaptively proceeds to query the oracle to C. After querying the oracle, C responds to A’s query in the following:
- (1)
oracle query: When A initiates a query with , C checks the maintained list . If there is no information about in the list, C selects a random number and adds to the list , and return to A, otherwise return from the list to A. Here, .
- (2)
Query vehicle pseudonym: C maintains the list . When A initiates a query with , C checks the maintained list , If there is no information about , C selects random number , and makes . Next C adds to the list , and returns to A.
- (3)
Query vehicle message signature.
When A queries with , if , then C terminates the game. Otherwise, C selects random number , and makes , and then C returns to A. A receives it.
According to the bifurcation lemma [
26], A selects different
and generates another valid signature
in polynomial time
. At this stage, the two signatures meet as follows:
From Equations (5) and (6), we have the following:
According Equation (7), C can calculate , with as a solution to the equation . In the process of solving for , the probability of its solution can be divided into two events:
E1: C terminates the game during the query on the signature message.
E2: C outputs a valid signature message.
Let
ns denote the number of queries made to the signature message in the game. According to the game rules, we have
,
. The probability of solving the ECDLP problem under the random oracle model is as follows:
Obviously, Equation (8) represents a non-negligible probability, which conflicts with the difficulty of the ECDLP problem. Therefore, it can be proven that the message signature proposed in the Cross-domain authentication process between vehicle and RSU can resist adaptive chosen-message forgery attacks.
Lemma 2. The signed message in the Cross-domain authentication process between vehicles unforgeable. Assuming that the ECDLP is a difficult problem, the message signature proposed in the Cross-domain authentication process between vehicles can resist adaptive chosen-message forgery attacks.
By a similar argument as in Lemma 1, we obtain that the signed message in the Cross-domain authentication process between vehicles is unforgeable.
Anti-forgery attack during the cross-domain query phase: If an attacker forges the vehicle private key and public key , successfully forges the signature , and makes Equation (1) hold, the RSU queries the local consortium chain or global temporary public key chain to check if exists. When querying during cross-domain queries, the RSU sends to the TA, and the TA replies with or . During cross-domain queries, it is difficult for the attacker to control the consortium chain and global temporary public key chain to forge . Similarly, both the messages sent by the RSU and the replies from the TA require the use of the shared key xu between the RSU and TA. Without knowing xu, based on the strong collision property of the hash function, the attacker cannot construct a hash value that meets the requirements. Therefore, the vehicle and RSU cross-domain authentication scheme can resist forgery attacks.
Similarly, during cross-domain authentication between vehicles, if an attacker forges the vehicle’s private key and public key
and successfully forges the signature
, making Equation (2) hold, other vehicles need to query the local consortium blockchain or global temporary public key blockchain to verify whether the public key
exists. During cross-domain authentication, the vehicle sends a public key query message
to the TA, and the TA replies with
or
to the vehicle. It is difficult for the attacker to control the consortium blockchain and global temporary public key blockchain to forge
. Without knowing the shared key
x between the vehicle and the TA, the attacker cannot forge the message sent by the vehicle and the message replied by the TA based on the collision resistance of the hash function. Therefore, the blockchain-based cross-domain query scheme proposed in this paper can resist forgery attacks.
Theorem 1. Lemmas 1 and 2 reveal that when the ECDLP problem is difficult, the opponent cannot forge the authentication message. Based on the security analysis of cross-domain queries, if the hash function has strong collision resistance, the proposed solution can resist forgery attacks. Thus, the authentication scheme proposed can resist the adaptive selection message forgery attack.
Traceability: During vehicle authentication, if it is discovered that vehicle
is sending a malicious message, the signature
of the message is sent to the TA. The TA can recover the real ID of the vehicle using pseudonym and system private keys. According to
, the TA can recover the real ID
through the system key
. The TA can then locate the address corresponding to the temporary public key
of the vehicle in the global registration information chain through the global temporary public key chain. The TA can find the original real ID of the vehicle by finding the address and identifying the real vehicle. Even if
and
have expired, the TA can still calculate the vehicle’s public key at the time of the incident using the original shared key and the updated key parameters stored in the information registration chain. This allows the TA to retrieve the vehicle’s real ID and related information. The reference [
27] offers a time-aware LSTM model for detecting criminal activities in blockchain transactions on monitoring changes. It provides a basis for detecting harmful behaviors through transaction patterns. The blockchain transaction behavior discussed can be subjected to crime detection using this method before starting the identity recovery process. Therefore, the proposed scheme satisfies the traceability requirements.
Resist common attacks: The proposed scheme employs a private key to digitally sign messages, providing resistance against message-tampering attacks. Because only the vehicle possessing its private key can generate a valid message signature, the scheme effectively resists impersonation attacks. Additionally, the messages, key update parameters, and query requests used in this study are all timestamped, ensuring the freshness of the messages and providing protection against replay attacks. Communications between the vehicle and TA, as well as between the RSU and TA, utilize original shared keys, which further bolster security by effectively resisting attacks such as forgery, impersonation, and man-in-the-middle attacks. A security comparison of various schemes is presented in
Table 2.
Forward security analysis of cryptographic keys: To prevent the leakage of r from compromising the security of the entire network for a certain period of time, we modify the scheme so that each region maintains a separate r. This way, even if r is leaked, it will only affect the security of one region for a certain period of time. To enhance the security of vehicle keys, the scheme proposed in this paper utilizes k original shared keys ,. It employs these k shared keys and the region update parameter to collectively update the vehicle’s individual key. The compromise of the vehicle’s individual key only affects the signature at a specific moment. Attackers are unable to update the key based on the updated parameters, thus preventing them from forging future signatures.
6. Performance Analysis and Evaluation
6.1. Calculate Overhead
Section 6.1 evaluates the performance of the proposed scheme in terms of message signatures, message signature verification, and batch verification, comparing and analyzing it against other studies. All operations in the scheme are based on elliptic curve calculations, utilizing cryptographic algorithms implemented with the MIRACL library. In order to compare at the same security level, we construct two 80-bit security level cryptographic operation schemes. Bilinear pair cryptographic schemes are set as follows:
,
is a hyper singular curve with degree 2, where
is a 512-bit prime.
is an additive group based on
with order
;
is the generator of
with order
. The same security level of elliptic curve cryptography is set as follows:
is a non-super singular elliptic curve, where
p and
q are 160-bit primes,
.
G is an additive group on
E.
P is the generator of
G with order
q. The evaluations were conducted on a Windows 10 platform equipped with 8GB of memory and a CPU running at a clock speed of 2.5 GHz. The primary calculation operation is executed 1000 times to derive the average value. The primary operations and their corresponding computational times are detailed in
Table 3. The computational costs of different schemes are shown in
Table 4.
The pseudonyms
used in this article are calculated offline by the vehicles, with no partial key calculation involved. The vehicle keys are derived using public key parameters published by TA. Specifically, the TA calculates
and
whether the vehicle’s verification equation holds,
. If the verification equation is established, the vehicle uses the original shared key
to calculate a new temporary shared key
and a new temporary public key
. The public key for the vehicle is then updated based on the original shared key stored in the private chain. The calculation of the public parameters published by TA was 1
+1
= 0.7761 ms, and the TA performed once for all vehicles. Therefore, when handling a large number of vehicles, the key generation for a single vehicle is computationally efficient, and the computational complexity associated with the TA’s common parameters can be ignored. As a result, the computational cost for generating vehicle pseudonyms and keys is approximately 6
+
+ 3
≈ 4.6627 ms. Compared to the schemes proposed by Yang et al. [
23], Liu et al. [
24], and Shen et al. [
22], the cost of generating pseudonyms and keys in this study has been reduced by 14.3%, 14.4%, and 83.8%, respectively.
Cross-domain anonymous message authentication between vehicles and RSUs involves calculating the message signature
for the vehicle and the RSU verifying the signature
. If the vehicle is not in the same area as the RSU, the RSU needs to send a query request
to the TA in this region. The TA verifies the request, queries the temporary public key chain, and returns either a confirmation
, or an error
. The RSU then receives and verifies the response. Therefore, the cost of cross-domain message signing for vehicles is
≈ 0.0004 ms. Compared to the schemes of Liu et al. [
24] and Shen et al. [
22], the cost of generating pseudonyms and keys was reduced by 99.9% in both cases, whereas the computational complexity of Yang et al.’s [
23] scheme remained similar. The maximum cost of verifying cross-domain signatures is 2
+
+ 5
≈ 1.5607 ms. In comparison to the schemes developed by Yang et al. [
23], Liu et al. [
24], and Shen et al. [
22], the cost of generating pseudonyms and keys was reduced by 33.8%, 33.4%, and 91.1%, respectively.
When authenticating cross-domain messages between vehicles, the vehicle calculates the
. Upon receiving the message, the other vehicle verifies the equation
. If the equation holds and the two vehicles are not in the same area, the receiving vehicle calculates
,
,
, and sends a query request to the TA in the current area. The TA then calculates
, verifies if
holds true, and returns
or
. The receiving vehicle then verifies the returned message. The cost of cross-domain message signing for vehicles is
≈ 0.0004 ms, whereas the maximum cost of verifying cross-domain signatures is 5
+
+ 7
≈ 3.8886 ms. This scheme demonstrates significant advantages in computational complexity for generating pseudonyms and keys, as well as for message signing and signature verification. A comparative analysis of computational costs is shown in
Figure 6.
6.2. Communication Overhead
To assess the communication overhead associated with pseudonym use, key generation, and authentication, the experiment set the real identity, AID and timestamp used in authentication to 4 bytes each, the hash length to 32 bytes, the element length in group
to 64 bytes, the length of elements in a bilinear group to 128 bytes, the length of message to
, and the length of other non-group elements to 32 bytes. A cost comparison of the communication schemes is presented in
Table 5. In this study, pseudonyms are generated independently by the vehicle, resulting in no communication overhead for pseudonym generation. For key generation, the TA must publish the public key update parameter
. Therefore, the total communication length for the key generation update is 32 + 64 + 4 = 100 bytes.
The signature sent by the vehicle in the vehicle-to-RSU (V2R) message signature is denoted as . The length was calculated as 32 + 32 + 64 + 64 + 4 + 4 + = 200 + bytes.
During the V2R signature verification phase, if the vehicle and RSU are not in the same region, the RSU sends a query request , , , , to the TA in this region. The TA then replies with or . The length of this communication is calculated as 32 + 4 + 64 + 4 + 32 + 4 + 4 = 144 bytes. Thus, the total cost of the V2R authentication was 100 + 200 + + 144 = 444 + bytes. The signature sent by the vehicle in the V2V (vehicle-to-vehicle) message signature is denoted as (). The length was calculated as 32 + 32 + 64 + 64 + 4 + 4 + = 200 + bytes. When verifying V2V signatures, if the vehicles and are not in the same area, the vehicle sends a query request to the TA in the current area. The TA replies with either or , with a length of 32 + 32 + 64 + 64 + 4 + 4 + 32 + 4 = 236 bytes.
This study demonstrates a significant advantage in reducing the total communication overhead of V2R authentication. Specifically, it achieves a reduction in communication overhead of approximately 23.9% compared to the schemes proposed by both Yang et al. [
23] and Liu et al. [
24], and a substantial reduction of 63.1% compared to the scheme proposed by Shen et al. [
22].
To investigate other loads and overheads in communication, this paper also compares the number of information exchanges required during the message authentication process and the number of blockchain queries.
Table 5 presents a comparison of the number of exchanges and blockchain queries for each scheme during the message authentication process. In this paper, when vehicles perform message authentication with RSU or between vehicles, the vehicle signs the message and sends it to the RSU or other vehicles. The RSU or other vehicles determine whether the sending vehicle is in the same area as themselves. If it is, they query the local consortium blockchain; if not, they query the global temporary public key blockchain. The local consortium blockchain or global temporary public key blockchain returns the query results to the RSU or receiving vehicle, requiring three communication exchanges and one blockchain query.
Table 6 shows that the number of communication exchanges and blockchain queries in this paper’s message authentication is the same as that in Yang and Shen’s scheme, and more than Liu’s scheme. However, Liu’s scheme requires the blockchain for each generation of vehicle pseudonyms, while this paper’s scheme does not. Therefore, the other communication overheads in this paper’s message authentication are similar to mainstream schemes.
6.3. Other Performance Analysis
To analyze the impact of high-speed mobility of vehicles in VANETs on the scheme proposed in this paper, assuming the vehicle speed is 120 km/hour, approximately 0.33 km/s, the time overhead for message authentication in this paper is 0.0004 + 1.5607 = 1.5611 ms. During the authentication process, a blockchain query is required, which simply checks whether the temporary public key of the vehicle exists. The global temporary public key chain in this paper is stored by region, and the time consumed for a blockchain query based on region is approximately in the millisecond range. Adding other delays, a single message authentication will not exceed 1 s. The distance traveled by a vehicle within 1 s is 330 m. Within this diameter distance range, the communication delay between the vehicle and the RSU can be neglected. Therefore, the scheme proposed in this paper can be applied in high-speed mobile VANETs networks.