Practical Homomorphic Authentication in Cloud-Assisted VANETs with Blockchain-Based Healthcare Monitoring for Pandemic Control

1. Introduction

Nowadays, the entire world is facing a severe global health crisis unlike any in the history, which is spreading human suffering and upending people’s lives. The coronavirus disease COVID-19, which is characterized as a lethal and highly infectious pandemic by the World Health Organization (WHO), has caused thousands of deaths around the world and is keeping attacking societies at their core. So far, the COVID-19 outbreak has affected all segments of population grievously and it is particularly detrimental to every social groups within the most vulnerable situations. Devastating health and economic impacts of the pandemic are being borne by everyone worldwide. When considering the high infectiousness and mortality rate, effective precautions and prevention strategies on COVID-19 is indispensable for pandemic control. Meanwhile, due to its comparatively high-density population in enclosed space and untraceable characteristics, the transportation system has been confirmed as one of the crucial spreading routes of COVID-19 [1,2]. As for public transportation tools including railway, subway, airplane, and the corresponding public locations, like airport, train station, strict detection, and surveillance mechanisms, have been adopted by most of countries so far [3]. However, infection tracking and detection for spontaneous vehicles in public highway still depends on manual work, which requires huge labor forces and financial resource [4,5,6]. Moreover, the working personnel also faces inevitable risks due to close physical contact with possible infectors.

With the urgent requirements on pandemic control, the unique advantages of vehicular ad hoc networks (VANETs) could be taken into consideration [7,8]. That is, the advanced healthcare monitoring and infection tracking, which are the two most important factors of COVID control, could be carried out by VANETs in a non-contact way. Hence, the working personnel do not need to carry out highly-risky surveillance in each checkpoint station. Instead, each RSU could be assigned as the automatic checkpoint if necessary [9,10]. On the other hand, historical route tracking towards suspected infectors is also available, provided that the sensitive medical data are uploaded to the remote VC, along with the confidential vehicle route information [11,12]. In this way, effective pandemic control strategy against COVID-19 could be achieved with VANETs. In order to provide innovative vehicular data processing and traffic management analysis, the VANET is considered as the critical component of emerging intelligent transportation system (ITS) in populous metropolitan cities and regions [13,14,15]. Generally, VANET is the distributed heterogeneous wireless network that is constructed among vehicles and roadside facilities with the functionalities of real-time dynamic vehicular data transmission [16]. VANET facilitates advanced driving security and improves the driving experience.

A fundamental VANET infrastructure is composed of road-side unit (RSU), trusted authority (TA), and terminal vehicles [17,18,19]. TA performs as the centralized service center in charge of all the corresponding system settings, such as vehicle initialization and user registration, confidential key generation [20,21]. Currently, advanced cloud computing and edge data processing techniques have been adopted, so as to provide sufficient data processing capacity for massive vehicular data [22,23]. Hence, the cloud-assisted TA is able to simultaneously manage different VANET implementations, the global Internet of Vehicles (IoV) initiatives can be achieved in this way [24,25]. The rode-side units are the distributive VANET facilities that are responsible for instant interaction with all vehicles in the vicinity. Specifically, the edge computing architecture could be utilized between RSUs with the purpose of providing low-latency and reliable data transmission with remote TA [26,27]. The edge cluster that involves neighboring RSUs collaboratively cache the frequently used vehicular data instead of requesting it from remote TA. The bandwidth burden of cloud server can be alleviated in this way. On the other hand, the vehicles are defined as the VANETs users where massive heterogenous data and driving characteristics are aggregated and forwarded for further processing [28,29,30].

VANETs enable two distinctive data transmission types: vehicle-to-RSU (V2R) and vehicle-to-vehicle (V2V). They are both powered with the 802.11p-based dedicated short-range communication (DSRC) technique [31,32,33]. V2V communication refers to the wireless data exchange of surrounding vehicles, which could help avoid crashes, ease traffic congestion, and improve the environment. The transmitted data include speed, location, direction of travel, braking, and loss of stability. V2R communication refers to the direct data interaction between each vehicle and nearby RSU. Intuitively, security and privacy protection mechanisms are of significance due to the open wireless data transmission characteristics of VANETs. That is, the transmitted vehicular data may be illegally eavesdropped or forged by adversaries, thus compromising the VANET data safety [34,35].

Nowadays, lots of studies with various safe strategies and cryptographic techniques have been made on VANET secure data transmission in order to address the VANET security issues [36,37,38]. However, the necessary parameters for practical implementation of VANET system have not yet been fully considered. When considering the globally urgent situation on COVID-19 pandemic control, potential usages and valuable applications of VANETs should be dug out. Measurements regarding VANETs and its relevant extensions should be prepared, now that the transportation system have become the one of the most dangerous scenarios for virus surveillance and infection tracking.

With the urgent motivation for automotive pandemic control, a practical homomorphic authentication scheme for cloud-assisted VANETs is developed. The proposed mechanism supports automotive healthcare monitoring and infection tracking for all involving passengers. Non-contract surveillance towards random vehicles can be remotely conducted by VC. First of all, our design applies the novel cloud-assisted VANET infrastructure with the hybrid medical data acquisition module. The WBAN layer is adopted for the integrated medical data acquisition. Notably, the essential user information on participating device is shared among edge RSU cluster. Secondly, the homomorphic encryption design is deployed for mutual authentication and key agreement. Meanwhile, the decentralized blockchain-based infection tracking mechanism on suspicious vehicles is presented. The historical route records for each vehicle can be securely preserved in VC. The signature sequence is collaboratively arranged by several RSUs at a time, offering distributive data confidentiality. Respectively, the security analysis and performance analysis are proposed, showing the superiority of the proposed scheme.

The remainder of this paper is organized, as follows. Section 2 briefly introduces the related research achievements. Section 3 illustrates the preliminary contents and relevant system settings. Section 4 presents the proposed homomorphic authentication design in cloud-assisted VANETs with blockchain-based healthcare monitoring for pandemic control. Section 5 presents the security analysis. Section 6 displays the performance analysis. The final conclusion is drawn in Section 7.

2. Related Works

Currently, many researches on VANET secure data transmission and privacy preservation have been made, while the practical requirements for medical surveillance in practical occasions have not been fully satisfied. In 2013, a expedite message authentication protocol (EMAP) is constructed for VANET secure data transmission [17]. The efficient revocation check process is enabled with the keyed hash message authentication code (HMAC), which drastically reduces the computation burdens of certificate revocation lists (CRLs). Meanwhile, the proposed EMAP deploys the probabilistic key distribution function for confidential key sharing among non-revoked OBUs during key updating. Afterwards, a privacy-preserving authentication scheme for VANETs is developed in [21], where the designated RSUs distribute the group private information to vehicles within its arranged domain. In this case, massive vehicles can be efficiently verified without causing extensive time consumption. Chuang et al. [20] presented a decentralized trust-extended message authentication mechanism (TEAM), where the transitive trust relationships frame is utilized, so as to reduce storage consumption. Similarly, Wang et al. presented a two-factor lightweight VANETs authenticating scheme in [24], where the decentralized certificate authority (CA) and biological password are applied. The non-repudiation property for conditional tracing is achieved. In 2019, Alazzawi et al. developed a pseudo-identity-based message verification scheme [15]. Data integrity and mutual authentication can be provided. Moreover, the proposed scheme is resistant to insider attack and man-in-the-middle (MITM) attack.

Specifically, lots of schemes on vehicle conditional-privacy preserving (CPP) property have been developed. In 2010, a scalable robust authenticating method for secure VANETs transmission is proposed in [1]. Each RSU is responsible for maintaining the active vehicular groups within its vicinity. The authentic V2V broadcast is available for all participating vehicles with anonymous identities. The benign third party is involved in the relevant vehicle revocation process. The negative impact of compromised RSUs is minimized in this case. Meanwhile, system salability is provided. Thereafter, Huang et al. developed the privacy-preserving authentication scheme with conditional privacy protection. The anonymous identity for each legitimate vehicle is activated until further revocation [3]. In 2012, a dynamic key arrangement mechanism with efficient updating for location-based services (LBSs) is proposed [9]. The double registration detection design is adopted. The newly joined vehicle autonomously updates its session key for forward secrecy. Subsequently, He et al. proposed an identity-based pairing-free mutual authentication and privacy protection method [7]. Better performance and minimized computational complexity for information processing can be achieved in this way. Similarly, a two-round certificateless-based cross-domain key agreement scheme for wireless mesh networks is presented [30]. The user in previous is adomainble to prove its identity to the current domain server for session key negotiation.

Currently, the VANET scenarios with cloud computing and blockchain techniques for remote data storing and parallel processing have been studied [33,34]. In 2017, Liu et al. constructed a vehicular message safe dissemination mechanism CMDS in the cloud-assisted VANET-cellular environment [31]. Reliable and confidential data processing can be processed by the related VANET gateways and nearby vehicles. Thereafter, emphasizing on emergency message dissemination, solution to the congestion avoidance issue is proposed in the assumed vehicular fog-assisted VANET [38]. Lin et al. discussed the vehicle heterogeneity of resource allocation in the vehicular cloud computing (VCC) system [37]. Optimal strategy for VCC allocation is presented under the improved semi-Markov decision process (SMDP) model. In 2019, Ma et al. proposed an efficient pairing-free authenticated key agreement design for secure interactions in fog-based VANETs [35]. As for blockchain infrastructure in VANETs, a blockchain-assisted distributed lightweight anonymous authentication scheme with cross-datacenter interaction in vehicular fog service (VFS) is presented [4]. Similarly, in [29], with the applied Merkle Patricia tree (MPT) structure, the conventional blockchain structure is extended. Hence, the distinctive verification process without CRLs is developed. Conditional privacy preserving is achieved as well.

To be concluded, existing researches on VANETs communication either emphasize security and privacy preserving with conventional cryptographic design or construct authenticated key agreement under advanced techniques such as cloud computing and blockchain. However, the potential usages of VANETs application have not been taken full consideration for pandemic control. For this purpose, we proposed a practical homomorphic authentication scheme with the unique functionalities of healthcare surveillance and infection tracking, which is of great significance for the pandemic control towards COVID-19.

3. Preliminaries

In this section, the necessary security and cryptographic concepts are respectively introduced, which include the definitions of homomorphic encryption, one-way hash function, and elliptic curve cryptosystem (ECC). Afterwards, the relevant notations of the proposed design, the novel VANET system model, and security requirements are illustrated.

3.1. Homomorphic Encryption

With its unique properties, homomorphic encryption can be widely applied into vast security designs and privacy preserving strategies. The homomorphic encryption design allows for the predefined standard computations on ciphertexts, with which the output matches the encryption result on the computations conducted on plaintexts. Hence, the transmitted data can be securely processed and out-sourced without revealing the privacy-related information. In other words, the related homomorphic encryption and decryption functionalities can be considered as the homomorphisms between plaintext and the ciphertext spaces. In practical communication scenarios with semi-trusted entities, homomorphic encryption could remove potential privacy barriers that inhibit data sharing.

The Paillier cryptosystem [39] is defined as one of the homomorphic cryptosystems on public key infrastructure (PKI). The Paillier encryption process is additively homomorphic. That is, the product of the two ciphertexts will decrypt to the sum of their corresponding plaintexts. In this case, $m_1$, $m_2\in {\mathbb{Z}}_n^{*}$ are defined as the plaintexts. $r_1,r_2,r_3<n$ are defined as the random integers for encryption process. The following additive homomorphic properties can be satisfied:

$$\left\{\begin{array}{c}\mathtt{E}\left(m_1,r_1\right)·\mathtt{E}\left(m_2,r_2\right)mod{n}^2=\mathtt{E}\left(m_1+m_2,r_3\right)modn\hfill \\ \mathtt{E}{\left(m_1,r_1\right)}^{\mu }mod{n}^2=\mathtt{E}\left(m_1\mu ,r_3\right)modn\hfill \end{array}\right.,$$

where $\mu \in {\mathbb{Z}}_n^{*}$ holds. $\mathtt{E}\left(·\right)$ denotes the encrypting operation.

The security of Paillier cryptosystem is based on the decisional composite residuosity assumption (DCRA) described, as follows:

Definition 1

(Decisional Composite Residuosity Assumption (DCRA)). Define p and q as the two large primes with the condition $n=pq$. Given $\alpha \in {\mathbb{Z}}_{n^2}^{*}$, if there exist $\gamma \in {\mathbb{Z}}_{n^2}^{*}$ satisfying $\alpha \equiv {\gamma }^{n}mod{n}^2$, α could be defined as the n-th residue modulo $n^2$. Note that, given the composite n and an integer β, it is hard to decide whether β is the n-th residue modulo $n^2$.

3.2. Elliptic Curve Cryptography (ECC)

Define $p>3$ as a large prime and ${\mathbb{F}}_p$ as the finite field of order p, where $4a^3+27b^2(modp)\ne 0$ and $a,b\in {\mathbb{F}}_p$ [40]. In this case, $E_p\left(a,b\right)$ is defined as the the elliptic curve over the finite field ${\mathbb{F}}_p$, which has the following characteristic:

$$y^2=x^3+ax+bmodp,$$

where $\left(x,y\right)\in {\mathbb{F}}_p$. The point doubling is defined as the unique addition operation on the curve $E_p\left(a,b\right)$, only if the two points are identical. Otherwise, it is called the point addition. All of the points on $E_p\left(a,b\right)$, as well as the point at infinity ∞ construct an additive Abelian group $E\left({\mathbb{F}}_p\right)$, where $\infty =\left(-\infty \right)$ is defined as the identity element.

Definition 2

(Elliptic Curve Discrete Logarithm Problem (ECDLP)). Define $P,Q\in {\mathbb{G}}_1$, where $Q=aP$. Hence, for any probabilistic polynomial-time (PPT) adversary $\mathcal{A}$, the advantage in finding the integer $a\in {\mathbb{Z}}_q^{*}$ to solve the ECDLP problem is defined as $Ad{v}_{\mathcal{A},{\mathbb{G}}_1}^{ECDLP}$, which is negligible as the following equation:

$$Ad{v}_{\mathcal{A},{\mathbb{G}}_1}^{ECDLP}=Pr\left(\mathcal{A}\left(P,aP\in {\mathbb{G}}_1\right)\to a|\forall a\in {\mathbb{Z}}_q^{*}\right)\le \epsilon .$$

Definition 3

(Computational Diffie-Hellman Problem (CDHP)). Define ${\mathbb{G}}_1$ as the cyclic group with the large prime order q. Given $P,aP,bP\in {\mathbb{G}}_1$ for $a,b\in {\mathbb{Z}}_q^{*}$, where P is the generator of the cyclic group ${\mathbb{G}}_1$. Hence, for any probabilistic polynomial-time (PPT) adversary $\mathcal{A}$, the advantage in finding computing $abP$ for solving the given CDHP problem is defined as $Ad{v}_{\mathcal{A},{\mathbb{G}}_1}^{CDHP}$, which is negligible as the following equation:

$$Ad{v}_{\mathcal{A},{\mathbb{G}}_1}^{CDHP}=Pr\left(\mathcal{A}\left(P,aP,bP\in {\mathbb{G}}_1\right)\to abP\in {\mathbb{G}}_1|\forall a,b\in {\mathbb{Z}}_q^{*}\right)\le \epsilon .$$

3.3. Hash Function

The one-way secure hash function $h(·)$ is constructed with the following properties [41]:

• With a random message x of arbitrary length, the message digest of its fixed length output $h\left(x\right)$ can be easily calculated.
• It is hard to compute $x=h^{-1}\left(y\right)$ with the given y.
• It is computationally infeasible to find $x^{\prime }=x$ such that $h\left(x^{\prime }\right)=h\left(x\right)$, providing that x is given.

3.4. Notations

The notations used in our design are listed in

Table 1. Notations.

Symbol	Description
$\mathtt{VC}$, $\{{\mathtt{RSU}}_1,\cdots ,{\mathtt{RSU}}_n\}$	Vehicular Cloud, Road-Side Units
${\mathrm{I}}_V^j,{\mathrm{I}}_j,{\mathrm{I}}_j^k$	Vehicle Identities
${\mathbb{G}}_1$	Cyclic Group
P	Generator of ${\mathbb{G}}_1$
${\mathrm{I}}_T^i,{\mathrm{I}}_{\mathbb{R}}^i$	${\mathtt{RSU}}_i$ Identities
$〈{\mathcal{Q}}_j,{\xi }_j〉$	Vehicle Encryption Key Set
$〈{\Gamma }_j,{\Theta }_j〉$	Vehicle Decryption Key Set
$〈{\varrho }_{\mathbb{R}}^i,s_{\mathbb{R}}^i〉$	${\mathtt{RSU}}_i$ Partial Secret Key Set
$〈{\mathcal{O}}_i,{\hslash }_i〉$	${\mathtt{RSU}}_i$ Encryption Key Set
$〈{\Lambda }_i,{\mathbb{k}}_i〉$	${\mathtt{RSU}}_i$ Decryption Key Set
${\mathcal{M}}_i,{\mathcal{N}}_i,{\mathcal{S}}_j,{\mathcal{T}}_j$	Large Prime Values
$〈k_j,{\varrho }_j〉$	Vehicle Partial Secret Key Set
${◊}_{\mathbb{R}}^i$	${\mathtt{RSU}}_i$ Additional Information
$\{h_1^{⊛},\cdots h_{\ell }^{⊛}\}$	Route Records

, along with the corresponding description.

3.5. System Model

In this section, the deployed cloud-assisted VANET infrastructure with healthcare monitoring function is briefly illustrated, which can be classified into four different communication layers, including the cloud layer, edge layer, vehicle layer, and WBAN layer. The four layers with the instructions are as follows. Meanwhile, Figure 1 shows te intuitive VANET system model.

Cloud layer is considered to be the centralized data facility responsible for all of the essential system operations. Crucial system operations such as master key issuance and user registration, are all conducted by the remote cloud layer, which is defined to be trustworthy at all time. Meanwhile, massive amount of vehicular information gathered from the terminal devices is analyzed and safely stored. Particularly, the distributed cloud servers are capable of managing multiple VANET prototypes, which promotes the construction of global Internet of Vehicles (IoV) initiatives. For better description, we consider the entire cloud layer as the $\mathtt{VC}$.

Edge layer is defined as the combination of the RSU clusters, each of which is organized by direct and indirect wired connection between the nearby RSUs within predefined vicinity. Each RSU of the clusters is able to independently conduct the vehicular data interaction tasks with in-range vehicles, while the essential user information on participating devices could be shared within the cluster members. That is, collaborative computation and data processing operations for mutual authentication and message delivery could be achieved. For example, the existing cross-domain verification issue can be addressed with the applied distributive VANET edge layer, since the frequent and reliable RSU-to-RSU data exchange are assumed within RSU clusters. Practically, as for cloud-assisted VANET, low latency and high reliability characteristics of vehicle-to-RSU transmission could be satisfied with the deployed edge computing architecture (edge layer). In this case, the edge cluster involving neighboring RSUs collaboratively cache the frequently used vehicular data instead of requesting it from remote TA. The bandwidth burden of cloud server can be alleviated in this way.

Device layer refers to the terminal vehicles, where the heterogenous vehicular data and real-time road information are aggregated. Each vehicle is equipped with the embedded on-board unit (OBU) for vehicular data transmission and reception. Meanwhile, the deployed tamper-proof device (TPD) is used for confidential message preserving. Large amounts of temporary and high-speed V2V and V2R networks are continuously constructed, while complex computation cannot be carried out due to the resource limitation in vehicle side.

WBAN layer is defined as the integrated facilities for extensive medical data acquisition. VANETs with healthcare monitoring functionality can be constructed accordingly. In our assumption, all of the passengers in each vehicle are equipped with wearable device such as electronic bracelet or smart watch. The sensitive medical parameters regarding COVID-19 pandemic control can be measured and collected for subsequent test. The automotive interaction between wearable devices and the regarding vehicle is enabled, so that the pandemic factors, such as body temperature, could be remotely measured by $\mathtt{VC}$. Non-contract surveillance towards passing vehicles can be conducted in this way.

3.6. Security Requirements

The design purpose of the proposed scheme is to improve the security properties in terms of VANET transmissions, and provide automotive healthcare monitoring for all passengers of transportation systems, so that the urgent COVID-19 pandemic control requirements can be satisfied. Consequently, the following major security characteristics for VANET security scheme are introduced.

• Conditional Privacy Preserving: considering as one of the crucial features for privacy protection, conditional privacy contains two aspects: user privacy protection and targeted vehicle information retrieving. That is, the confidential user information should be safely stored in the whole session. The illegal tracking toward specific vehicle cannot succeed. Meanwhile, the $\mathtt{VC}$ responsible for VANET system management should be able to reveal the real identity of suspect vehicle if necessary.
• Anonymity: due to the open wireless transmission features, VANET communication channels may be eavesdropped by malicious devices. Normally, messages that originated from the same device naturally carry unique data patterns. In this case, by analyzing the eavesdropped information, vital parameters, such as transmitting frequency, user location may be exposed, which severely endangers user privacy. For this consideration, the anonymity of each VANET device should be guaranteed.
• Unforgeability: in practical VANET transmission, adversary may selectively forge the valid certificates, session keys, or signatures to pass the verification process. Hence, unforgeability against chosen message attack is the major property in secure data exchange.
• Mutual Authentication: in the VANET design, mutual authentication is the fundamental but leading security property, which guarantees that both VANET entities in one communication session could authenticate each other. In this way, the impersonation attack towards certain device can be prevented.
• Non-repudiation: non-repudiation ensures the validity of the transmitted information. The message sender of VANET cannot deny the authenticity of the issued signature on the transmitted messages.
• Session Key Establishment: upon mutual authentication, the unique session key between individual vehicle and VANET system should be established, so as to provide subsequent secure data exchange.

4. Proposed Design

In this section, the proposed homomorphic authentication scheme for practical VANETs is illustrated in detail. The automotive healthcare monitoring and detection strategies for all passengers of passing vehicles can be achieved. Sensitive personal medical data are locally validated and then uploaded to remote $\mathtt{VC}$ for further analysis and historical retrieving. Subsequently, the efficient infection tracking mechanism on suspected cases can be done, where the precise time-oriented travelling route of individual passenger could be retrieved. Therefore, the current practical healthcare monitoring requirements for COVID-19 pandemic control can be met. Intuitively, our design emphasizes the automotive authentication and medical data sharing in high-mobility VANET scenarios. The pairing-free certificateless cryptography is employed for key escrow resilience. User anonymity for all participating vehicles, as well as the involving passengers, are well preserved. Meanwhile, random identity updating design for various communication session is provided. Motivated by the blockchain design, the hash value for each vehicle is maintained by each RSU upon validation. Moreover, the successive RSUs could efficiently verify the correctness of the chain information by taking use of the data sharing characteristic of edge RSU clusters.

Generally, the proposed design is composed of three communicating phases: device initialization, blockchain-based key agreement, and healthcare monitoring strategy, where the workflow is shown in Figure 2. In device initialization phase, the essential vehicle, and RSU registration are preliminarily conducted. The confidential private data including the original vehicle identity and corresponding key are safely preserved in $\mathtt{VC}$. Afterwards, the mutual authentication and key distribution process between requesting vehicle and RSU is carried out in the key agreement phase, where the new vehicle is allowed to join the VANET network after interaction with $\mathtt{VC}$. The blockchain data regarding private driving records of each vehicle is updated by the RSU cluster. Finally, the healthcare monitoring strategy is presented, where the physical conditions of all involving passengers are timely surveilled and uploaded to the remote server in a secure way. Notably, the RSUs can be classified into the regular RSUs without healthcare monitoring duty, as well as the checkpoint RSU that is assigned as the checkpoint for pandemic control. Detailed introduction of all the three phases are respectively presented, as follows.

4.1. Device Initilization Phase

The device initialization phase is designed for system initialization and vehicle registration prior to authentication. Notably, the $\mathtt{VC}$ is defined as the validated and trustworthy entity during the whole communication session. Therefore, the crucial VANET system parameters and master key are issued and distributed by $\mathtt{VC}$. Initially, $\mathtt{VC}$ define ${\mathbb{G}}_1$ as the cyclic group generated by the large prime order q, where P denotes the generator of the cyclic group. Additionally, the utilized one-way hash functions $H_1,H_2,H_3,H_4,H_5,h_1,h_2,h_3,h_4$ are, respectively, performed as

$$\left\{\begin{array}{c}{H}_1:{\{0,1\}}^{*}\times {\{0,1\}}^{*}\times {\{0,1\}}^{*}\times {\{0,1\}}^{*}\times {\mathbb{G}}_1\to {\mathbb{Z}}_q^{*}\hfill \\ H_2:{\{0,1\}}^{*}\times {\{0,1\}}^{*}\times {\mathbb{G}}_1\to {\mathbb{Z}}_q^{*}\hfill \\ H_3:{\{0,1\}}^{*}\times {\{0,1\}}^{*}\times {\mathbb{G}}_1\times {\{0,1\}}^{*}\times {\{0,1\}}^{*}\times {\{0,1\}}^{*}\to {\mathbb{Z}}_q^{*}\hfill \\ H_4:{\{0,1\}}^{*}\times {\{0,1\}}^{*}\times {\{0,1\}}^{*}\to {\mathbb{Z}}_q^{*}\hfill \\ H_5:{\mathbb{G}}_1\to {\mathbb{Z}}_q^{*}\hfill \\ h_1:{\{0,1\}}^{*}\times {\{0,1\}}^{*}\times {\mathbb{G}}_1\to {\mathbb{Z}}_q^{*}\hfill \\ h_2:{\{0,1\}}^{*}\times {\mathbb{G}}_1\to {\mathbb{Z}}_q^{*}\hfill \\ h_3:{\{0,1\}}^{*}\times {\{0,1\}}^{*}\times {\{0,1\}}^{*}\times {\{0,1\}}^{*}\to {\mathbb{Z}}_q^{*}\hfill \\ h_4:{\{0,1\}}^{*}\to {\mathbb{Z}}_q^{*}\hfill \end{array}\right..$$

(1)

In this case, the VANET system parameters set will be published in the form of $param=\left\{{\mathbb{G}}_1,q,P,H_1,H_2,H_3,H_4,H_5,h_1,h_2,h_3,h_4\right\}$.

As for individual RSU, $\mathtt{VC}$ assigns the original identity ${\mathrm{I}}_T^i\in {\{0,1\}}^{*}$ to each legitimate RSU during offline registration. The corresponded RSU secret key $s_{\mathbb{R}}^i\in {\mathbb{Z}}_q^{*}$ is randomly generated and distributed to RSU as well. Therefore, the confidential RSU identity set $〈{\mathrm{I}}_T^i,s_{\mathbb{R}}^i〉$ is safely stored in both $\mathtt{VC}$ and RSU itself. Similarly, the initial registration process of vehicle should be conducted in advance. That is, the distinctive vehicle original identity ${\mathrm{I}}_V^j\in {\{0,1\}}^{*}$ and the corresponded vehicle secret key $k_j\in {\mathbb{Z}}_q^{*}$ are issued by $\mathtt{VC}$ during offline registration. The confidential vehicle identity set is defined as $〈{\mathrm{I}}_V^j,k_j〉$. Note that the secure data exchange for RSU and vehicle initialization is assumed. At this point, $\mathtt{VC}$ maintains the records of all the registered RSUs and vehicles in its database. Notably, the private vehicular information, such as user name, address, social security identifier, and phone number, are stored.

Table 2. Data Structure of Vehicular Records for Registered Entities.

	No.	Original Identity Set	Location	Name/Addr./SSN/	Route Info.	Add. Info.
Type
RSU	1	$\langle {\mathrm{I}}_T^1,s_{\mathbb{R}}^1\rangle$	◯	∖	∖	${◊}_{\mathbb{R}}^1$
	2	$\langle {\mathrm{I}}_T^2,s_{\mathbb{R}}^2\rangle$	◯	∖	∖	${◊}_{\mathbb{R}}^2$
	⋯	⋯	⋯	⋯	⋯	⋯
	i	$\langle {\mathrm{I}}_T^i,s_{\mathbb{R}}^i\rangle$	◯	∖	∖	${◊}_{\mathbb{R}}^i$
Vehicle	1	$\langle {\mathrm{I}}_V^1,k_1\rangle$	∖	◯	$\left\{h_1^{⊛},h_2^{⊛},\cdots \right\}$	$\left[\langle T{S}_{\ell }^{⊛},{◊}_{\mathbb{R}}^i\rangle ,\cdots \right]$
	2	$\langle {\mathrm{I}}_V^2,k_2\rangle$	∖	◯	$\left\{h_1^{⊛},h_2^{⊛},\cdots \right\}$	$\left[\langle T{S}_{\ell }^{⊛},{◊}_{\mathbb{R}}^i\rangle ,\cdots \right]$
	⋯	⋯	⋯	⋯	⋯	⋯
	j	$\langle {\mathrm{I}}_V^j,k_j\rangle$	∖	◯	$\left\{h_1^{⊛},h_2^{⊛},\cdots \right\}$	$\left[\langle T{S}_{\ell }^{⊛},{◊}_{\mathbb{R}}^i\rangle ,\cdots \right]$
Passenger	1	${\mathtt{cid}}_1$	∖	◯	$\{{◊}_{\mathbb{R}}^i,\cdots \}$	∖
	2	${\mathtt{cid}}_2$	∖	◯	$\{{◊}_{\mathbb{R}}^i,\cdots \}$	∖
	⋯	⋯	⋯	⋯	⋯	⋯
	n	${\mathtt{cid}}_n$	∖	◯	$\{{◊}_{\mathbb{R}}^i,\cdots \}$	∖

shows the data structure of the vehicular records in $\mathtt{VC}$.

With the purpose of illegal tracing prevention and privacy protection, the RSU anonymous identity is created by each legitimate RSU. That is, the registered RSU randomly generates its partial secret key ${\varrho }_{\mathbb{R}}^i\in {\mathbb{Z}}_q^{*}$ and periodically extracts the time-oriented anonymous identity ${\mathrm{I}}_{\mathbb{R}}^i$, as

$${\mathrm{I}}_{\mathbb{R}}^i=h_1\left(T{S}_1^i,{\mathrm{I}}_T^i,{\varrho }_{\mathbb{R}}^i{s}_{\mathbb{R}}^{i}P\right),$$

(2)

where the above $T{S}_1^i$ is referred to as the current timestamp, so that the freshness of identity can be assured. The session identity ${\mathrm{I}}_{\mathbb{R}}^i$ is effective only within certain time period and will expire in the subsequent time. The RSU partial secret key set $〈{\varrho }_{\mathbb{R}}^i,s_{\mathbb{R}}^i〉$ is preserved in its storage, while ${\varrho }_{\mathbb{R}}^i$ is kept secret to $\mathtt{VC}$.

According to the confidential information, the homomorphic encryption infrastructure can be built for each registered RSU. Initially, RSU selects two large prime ${\mathcal{M}}_i$ and ${\mathcal{N}}_i$, so that $gcd\left({\mathcal{M}}_i{\mathcal{N}}_i,\left({\mathcal{M}}_i-1\right)\left({\mathcal{N}}_i-1\right)\right)=1$ holds. Subsequently, RSU randomly chooses ${\hslash }_i\in {\mathbb{Z}}_{{\mathcal{O}}_i^2}^{*}$ where ${\mathcal{O}}_i={\mathcal{M}}_i{\mathcal{N}}_i$. Hence, the computation on ${\Lambda }_i$ and ${\mathbb{k}}_i$ can be conducted according to

$$\left\{\begin{array}{c}{\Lambda }_i=\mathrm{lcm}\left({\mathcal{M}}_i-1,{\mathcal{N}}_i-1\right)\hfill \\ {\mathbb{k}}_i={\ell }_i\left({\hslash }_i^{{\Lambda }_i}mod{\mathcal{O}}_i^2\right)mod{\mathcal{O}}_i\hfill \end{array}\right.,$$

(3)

where ${\ell }_i\left(x\right)=\frac{x-1}{{\mathcal{O}}_i}$. At this point, the RSU homomorphic encryption key set is extracted in the form of $〈{\mathcal{O}}_i,{\hslash }_i〉$. Afterwards, RSU carries out the following calculations:

$$\left\{\begin{array}{c}{\mathcal{R}}^i={\varrho }_{\mathbb{R}}^i{s}_{\mathbb{R}}^{i}P\hfill \\ {\Xi }_{\mathbb{R}}^i=H_1\left(T{S}_2^i,{\mathrm{I}}_{\mathbb{R}}^i,{\mathcal{O}}_i,{\hslash }_i,{\mathcal{R}}^i\right)\hfill \end{array}\right.,$$

(4)

where $T{S}_2^i$ denotes the latest timestamp. Therefore, RSU broadcasts the parameters set $〈T{S}_2^i,{\mathrm{I}}_{\mathbb{R}}^i,{\mathcal{O}}_i,{\hslash }_i,{\mathcal{R}}^i,{\Xi }_{\mathbb{R}}^i〉$ periodically to all devices within its range.

4.2. Blockchain-Based Key Agreement Phase

In this section, the authentication and key management for vehicle is introduced. Initially, while assuming the vehicle with $\langle {\mathrm{I}}_V^j,k_j\rangle$ is approaching the effective domain of the aforementioned RSU with anonymous identity ${\mathrm{I}}_{\mathbb{R}}^i$, the vehicle itself generates the random partial secret key ${\varrho }_j\in {\mathbb{Z}}_q^{*}$. In this case, the partial secret key set $〈k_j,{\varrho }_j〉$ is stored in vehicle side. For anonymity protection, the vehicle temporary identity is applied as

$${\mathrm{I}}_j=h_2\left({\mathrm{I}}_V^j,{\varrho }_{j}P\right).$$

(5)

As mentioned above, vehicle is acknowledged of the broadcast RSU public information set $〈T{S}_2^i,{\mathrm{I}}_{\mathbb{R}}^i,{\mathcal{O}}_i,{\hslash }_i,{\mathcal{R}}^i,{\Xi }_{\mathbb{R}}^i〉$. Firstly, freshness validation on the received timestamp $T{S}_2^i$ is first performed by comparing whether $\left|T{S}_2^{cur}-T{S}_2^i\right|\le {\epsilon }_1$ holds, where $T{S}_2^{cur}$ refers to the current timestamp. Subsequently, correctness of the certificate ${\Xi }_{\mathbb{R}}^i$ is verified, so as to guarantee the message integrity. Upon verification, the RSU homomorphic encryption key pair $〈{\mathcal{O}}_i,{\hslash }_i〉$ can be extracted by vehicle. Meanwhile, similar homomorphic encryption design for vehicle can be constructed as well. That is, the vehicle with identity ${\mathrm{I}}_j$ selects two large prime ${\mathcal{S}}_j$ and ${\mathcal{T}}_j$ so that $gcd\left({\mathcal{S}}_j{\mathcal{T}}_j,\left({\mathcal{S}}_j-1\right)\left({\mathcal{T}}_j-1\right)\right)=1$ holds. Subsequently, vehicle randomly chooses ${\xi }_j\in {\mathbb{Z}}_{{\mathcal{Q}}_j^2}^{*}$, where ${\mathcal{Q}}_j={\mathcal{S}}_j{\mathcal{T}}_j$. Hence, the computation on ${\Gamma }_j$ and ${\Theta }_j$ can be conducted according to

$$\left\{\begin{array}{c}{\Gamma }_j=\mathrm{lcm}\left({\mathcal{S}}_j-1,{\mathcal{T}}_j-1\right)\hfill \\ {\Theta }_j={\varphi }_j\left({\xi }_j^{{\Gamma }_j}mod{\mathcal{Q}}_j^2\right)mod{\mathcal{Q}}_j\hfill \end{array}\right.,$$

(6)

where ${\varphi }_j\left(y\right)=\frac{y-1}{{\mathcal{Q}}_j}$. At this point, the vehicle homomorphic encryption key set is extracted in the form of $〈{\mathcal{Q}}_j,{\xi }_j〉$.

Preliminarily, with the purpose of managing the historical driving information, the block chain is built in the form of $\langle h^{⊛}\left(·\right),h^{⊛}\left(T{S}_1^{⊛},{◊}_{\mathbb{R}}^i,h^{⊛}\left(·\right)\right),\cdots \rangle$, where $h^{⊛}\left(·\right)$ represents the previous hash value generated by the last encountered RSU. The entire block chain is distributively stored in $\mathtt{VC}$, while the vehicle itself stores its successive two hash values of the chain, which contains the authentication timestamp and the information of the last RSU, such as location and verification number. Notably, the vehicle does not preserve all of the chain data in storage for the consideration of inherent resource limitation, while the previous two hash values as well as the related timestamp $T{S}_{\ell -1}^{⊛}$ for signature are enough for further validation. For better description, the two stored hash values are simplified as $h_{\ell -2}^{⊛}$ and $h_{\ell -1}^{⊛}$, which are generated by the previous RSU with identity ${\mathrm{I}}_{\mathbb{R}}^{i-1}$ as

$$h_{\ell -1}^{⊛}=h^{⊛}\left(T{S}_{\ell -1}^{⊛},{◊}_{\mathbb{R}}^{i-1},h_{\ell -2}^{⊛}\right).$$

(7)

Upon extracting the RSU homomorphic encryption key pair $〈{\mathcal{O}}_i,{\hslash }_i〉$, the vehicle intends to construct the authentication process with RSU. Moreover, the previous blockchain data should also be validated and updated. Hence, the following calculations are conducted:

$$\left\{\begin{array}{c}{\mathsf{{\rm Y}}}_j={\varrho }_j{\mathcal{R}}^i\hfill \\ {\aleph }_j=H_2\left(T{S}_3^j,{\mathrm{I}}_V^j,k_j{\varrho }_{j}P\right)\hfill \\ {\Im }_j=H_3\left(T{S}_3^j,{\mathrm{I}}_j,{\mathcal{R}}^i,{\mathcal{Q}}_j,{\xi }_j,{\aleph }_j\right)\hfill \\ {\Xi }_V^j={\mathtt{Enc}}_{〈{\mathcal{O}}_i,{\hslash }_i〉}^{{\varrho }_j}\left[{\aleph }_j\left|\right|{\mathcal{Q}}_j,{\xi }_j\left|\right|T{S}_{\ell -1}^{⊛},h_{\ell -1}^{⊛},h_{\ell -2}^{⊛}\left|\right|{\Im }_j\right]\hfill \end{array}\right.,$$

(8)

where the homomorphic encryption ${\mathtt{Enc}}_{〈{\mathcal{O}}_i,{\hslash }_i〉}^{{\varrho }_j}\left[M\right]$ is performed as

$${\mathtt{Enc}}_{〈{\mathcal{O}}_i,{\hslash }_i〉}^{{\varrho }_j}\left[M\right]={\hslash }_i^M·{\varrho }_j^{{\mathcal{O}}_i}mod{\mathcal{O}}_i^2.$$

(9)

At this point, the vehicle requesting packet with its vehicle homomorphic encryption key set $\langle {\mathcal{Q}}_j,{\xi }_j\rangle$ are issued as

$$〈\mathtt{Request},T{S}_3^j,{\mathrm{I}}_j,{\mathsf{{\rm Y}}}_j,{\Xi }_V^j〉,$$

(10)

where the blockchain information is also included.

Upon receipt of the requesting packet, freshness verification is conducted by checking whether $\left|T{S}_3^{cur}-T{S}_3^j\right|\le {\epsilon }_2$ holds, where $T{S}_3^{cur}$ refers to the current timestamp. If validated, RSU is able to decrypt the received ${\Xi }_V^j$ by computing

$$\begin{array}{cc}\hfill & 〈{\aleph }_j\left|\right|{\mathcal{Q}}_j,{\xi }_j\left|\right|T{S}_{\ell -1}^{⊛},h_{\ell -1}^{⊛},h_{\ell -2}^{⊛}\left|\right|{\Im }_j〉\hfill \\ \hfill & ={\mathtt{Dec}}_{〈{\mathcal{O}}_i,{\Lambda }_i〉}^{{\mathbb{k}}_i}\left[{\Xi }_V^j\right]\hfill \\ \hfill & =\frac{{\ell }_i\left({\left[{\Xi }_V^j\right]}^{{\Lambda }_i}mod{\mathcal{O}}_i^2\right)}{{\mathbb{k}}_i}mod{\mathcal{O}}_i\hfill \end{array},$$

(11)

where the RSU homomorphic decryption ${\mathtt{Dec}}_{〈{\mathcal{O}}_i,{\Lambda }_i〉}^{{\mathbb{k}}_i}\left[C\right]$ is performed in the way of

$${\mathtt{Dec}}_{〈{\mathcal{O}}_i,{\Lambda }_i〉}^{{\mathbb{k}}_i}\left[C\right]=\frac{{\ell }_i\left(C^{{\Lambda }_i}mod{\mathcal{O}}_i^2\right)}{{\mathbb{k}}_i}mod{\mathcal{O}}_i.$$

(12)

The mathematical correctness for decryption can be illustrated as

$$\begin{array}{cc}\hfill & {\mathtt{Dec}}_{〈{\mathcal{O}}_i,{\Lambda }_i〉}^{{\mathbb{k}}_i}\left[{\mathtt{Enc}}_{〈{\mathcal{O}}_i,{\hslash }_i〉}^{{\varrho }_j}\left[M\right]\right]\hfill \\ \hfill & =\frac{{\ell }_i\left({\left[{\mathtt{Enc}}_{〈{\mathcal{O}}_i,{\hslash }_i〉}^{{\varrho }_j}\left[M\right]\right]}^{{\Lambda }_i}mod{\mathcal{O}}_i^2\right)}{{\mathbb{k}}_i}mod{\mathcal{O}}_i\hfill \\ \hfill & =\frac{{\ell }_i\left({\left[{\hslash }_i^M·{\varrho }_j^{{\mathcal{O}}_i}mod{\mathcal{O}}_i^2\right]}^{{\Lambda }_i}mod{\mathcal{O}}_i^2\right)}{{\ell }_i\left({\hslash }_i^{{\Lambda }_i}mod{\mathcal{O}}_i^2\right)}mod{\mathcal{O}}_i\hfill \\ \hfill & =Mmod{\mathcal{O}}_i\hfill \end{array}.$$

(13)

Hence, $\langle {\aleph }_j\left|\right|{\mathcal{Q}}_j,{\xi }_j\left|\right|T{S}_{\ell -1}^{⊛},h_{\ell -1}^{⊛},h_{\ell -2}^{⊛}\left|\right|{\Im }_j\rangle$ is successfully extracted from ${\Xi }_V^j$ by RSU. The message confidentiality can be guaranteed by verifying ${\Im }_j$ with the acquired ${\aleph }_j$ and the previously broadcast ${\mathcal{R}}^i$ from RSU. If validated, RSU stores the vehicle homomorphic encryption key set $〈{\mathcal{Q}}_j,{\xi }_j〉$.

Moreover, the extensive validation procedure on blockchain should be carried out. In our assumption, upon successful authentication with certain RSU, vehicle will request RSU to verify and update its current blockchain values $\langle T{S}_{\ell -1}^{⊛},h_{\ell -1}^{⊛},h_{\ell -2}^{⊛}\rangle$. Dynamic information sharing among nearby RSUs is enabled, according to the aforementioned cloud-assisted VANET system model with edge RSU cluster. That is, the identity information ${◊}_{\mathbb{R}}^{i-1}$ of the previous RSU will be broadcast in the way of ${\mathtt{RSU}}_{i-1}\to {\mathtt{RSU}}_i$. Hence, with the received ${◊}_{\mathbb{R}}^{i-1}$ from RSU cluster, and the current blockchain $\langle T{S}_{\ell -1}^{⊛},h_{\ell -1}^{⊛},h_{\ell -2}^{⊛}\rangle$ from vehicle, ${\mathtt{RSU}}_i$ checks $h_{\ell -1}^{⊛}\stackrel{?}{=}{h}^{⊛}\left(T{S}_{\ell -1}^{⊛},{◊}_{\mathbb{R}}^{i-1},h_{\ell -2}^{⊛}\right)$ so as to confirm the correctness of chain value. Subsequently, ${\mathtt{RSU}}_i$ computes $h_{\ell }^{⊛}$ according to

$$h_{\ell }^{⊛}=h^{⊛}\left(T{S}_{\ell }^{⊛},{◊}_{\mathbb{R}}^i,h_{\ell -1}^{⊛}\right),$$

(14)

where the $T{S}_{\ell }^{⊛}$ denotes the current timestamp, and ${◊}_{\mathbb{R}}^i$ is the identity information of current ${\mathtt{RSU}}_i$. Meanwhile, with the extracted ${\mathcal{R}}^i={\varrho }_{\mathbb{R}}^i{s}_{\mathbb{R}}^{i}P$ and ${\mathsf{{\rm Y}}}_j={\varrho }_j{\mathcal{R}}^i$, RSU conducts the following calculation on ${\mathsf{\Psi }}_j$ as

$$\begin{array}{cc}\hfill & {\mathsf{\Psi }}_j\hfill \\ \hfill & ={\left({\varrho }_{\mathbb{R}}^i{s}_{\mathbb{R}}^i\right)}^{-1}{\mathsf{{\rm Y}}}_j\hfill \\ \hfill & ={\varrho }_j{\left({\varrho }_{\mathbb{R}}^i{s}_{\mathbb{R}}^i\right)}^{-1}{\mathcal{R}}^i\hfill \\ \hfill & ={\varrho }_j{\left({\varrho }_{\mathbb{R}}^i{s}_{\mathbb{R}}^i\right)}^{-1}\left({\varrho }_{\mathbb{R}}^i{s}_{\mathbb{R}}^i\right)P\hfill \\ \hfill & ={\varrho }_{j}P\hfill \end{array}.$$

(15)

At this point, RSU uploads $\langle T{S}_3^j,{\mathrm{I}}_j,{\mathsf{\Psi }}_j,{\aleph }_j,T{S}_{\ell }^{⊛},{◊}_{\mathbb{R}}^i\rangle$ to $\mathtt{VC}$ for the cloud verification. Notably, the vehicle identity information $〈{\mathrm{I}}_V^j,k_j〉$ are stored in $\mathtt{VC}$ server. Therefore, $\mathtt{VC}$ is able to confirm the vehicle identity ${\mathrm{I}}_V^j$ with the transmitted $\langle T{S}_3^j,{\mathrm{I}}_j,{\mathsf{\Psi }}_j,{\aleph }_j,T{S}_{\ell }^{⊛},{◊}_{\mathbb{R}}^i\rangle$ from RSU. If matches, the requesting vehicle is the legitimate registered device. The vehicle access to VANET system will be granted. As for chain value updating, $\mathtt{VC}$ refreshes the stored blockchain values with the uploaded $\langle T{S}_{\ell }^{⊛},{◊}_{\mathbb{R}}^i\rangle$ of ${\mathtt{RSU}}_i$ as well. Hence, the record $\langle h_1^{⊛},\cdots ,h_{\ell -1}^{⊛},h_{\ell }^{⊛}\rangle$ is updated. The $\langle T{S}_{\ell }^{⊛},{◊}_{\mathbb{R}}^i\rangle$ information is securely preserved as additional contents for further vehicle tracking. In our assumption, every time that the vehicle communicates with a new RSU, $\mathtt{VC}$ will receive confirmation message along with the crucial contents $\langle T{S}_{\ell }^{⊛},{◊}_{\mathbb{R}}^i\rangle$ for chain updating. With all acquired information, $\mathtt{VC}$ is able to synchronize the decentralized blockchain values with vehicle itself, where the chain updating for vehicle is performed by the involved RSU.

Subsequently, $\mathtt{VC}$ distributes the acknowledgement message $〈\mathtt{Ack},{\mathrm{I}}_j,{\delta }_j〉$ to RSU, where

$${\delta }_j=h_2\left({\mathrm{I}}_V^j,k_j{\varrho }_{j}P\right).$$

(16)

Upon receiving the acknowledgement, the vehicle identity can be updated as

$${\mathrm{I}}_j^1=h_2\left({\mathrm{I}}_j,{\varrho }_{\mathbb{R}}^i{s}_{\mathbb{R}}^{i}P\right),$$

(17)

which includes the RSU partial key set $〈{\varrho }_{\mathbb{R}}^i,s_{\mathbb{R}}^i〉$. In our design, the anonymous vehicle identity is safely updated as soon as the successful that verifies session is conducted. In this case, the message unlinkability for various communication sessions, and untraceability for specific vehicle, can be achieved.

Next, RSU is able to deliver the essential information $\langle {\delta }_j,T{S}_{\ell }^{⊛},h_{\ell -1}^{⊛},h_{\ell }^{⊛}\rangle$ to vehicle following the vehicle homomorphic encryption process with the previous vehicle key set $〈{\mathcal{Q}}_j,{\xi }_j〉$ and its own ${\varrho }_{\mathbb{R}}^i$ as

$$\left\{\begin{array}{c}{\Xi }_{\mathbb{R}}^j={\mathtt{Enc}}_{〈{\mathcal{Q}}_j,{\xi }_j〉}^{{\varrho }_{\mathbb{R}}^i}\left[{\delta }_j\left|\right|T{S}_{\ell }^{⊛}\left|\right|h_{\ell -1}^{⊛}\left|\right|h_{\ell }^{⊛}\right]\hfill \\ {\mathsf{\Phi }}_j=H_4\left(T{S}_4^i,{\mathrm{I}}_j^1,{\Xi }_{\mathbb{R}}^j\right)\hfill \end{array}\right..$$

(18)

Note that the homomorphic encryption ${\mathtt{Enc}}_{〈{\mathcal{Q}}_j,{\xi }_j〉}^{{\varrho }_{\mathbb{R}}^i}\left[M\right]$ can be performed as

$${\mathtt{Enc}}_{〈{\mathcal{Q}}_j,{\xi }_j〉}^{{\varrho }_{\mathbb{R}}^i}\left[M\right]={\xi }_j^M·{\left({\varrho }_{\mathbb{R}}^i\right)}^{{\mathcal{Q}}_j}mod{\mathcal{Q}}_j^2.$$

(19)

Hence, the packet $〈T{S}_4^i,{\mathrm{I}}_j^1,{\Xi }_{\mathbb{R}}^j,{\mathsf{\Phi }}_j〉$ is then delivered to the destinated vehicle.

Upon receiving $〈T{S}_4^i,{\mathrm{I}}_j^1,{\Xi }_{\mathbb{R}}^j,{\mathsf{\Phi }}_j〉$, freshness confirmation is first carried out by checking whether $\left|T{S}_4^{cur}-T{S}_4^i\right|\le {\epsilon }_3$ holds, where $T{S}_4^{cur}$ refers to the current timestamp. Subsequently, the received ${\Xi }_{\mathbb{R}}^j$ can be decrypted as

$$\begin{array}{cc}\hfill & {\delta }_j\left|\right|T{S}_{\ell }^{⊛}\left|\right|h_{\ell -1}^{⊛}\left|\right|h_{\ell }^{⊛}\hfill \\ \hfill & ={\mathtt{Dec}}_{〈{\mathcal{Q}}_j,{\Gamma }_j〉}^{{\Theta }_j}\left[{\Xi }_{\mathbb{R}}^j\right]\hfill \\ \hfill & =\frac{{\varphi }_j\left({\left[{\Xi }_{\mathbb{R}}^j\right]}^{{\Gamma }_j}mod{\mathcal{Q}}_j^2\right)}{{\Theta }_j}mod{\mathcal{Q}}_j\hfill \end{array},$$

(20)

where the vehicle homomorphic decryption ${\mathtt{Dec}}_{〈{\mathcal{Q}}_j,{\Gamma }_j〉}^{{\Theta }_j}\left[C\right]$ is performed, as

$${\mathtt{Dec}}_{〈{\mathcal{Q}}_j,{\Gamma }_j〉}^{{\Theta }_j}\left[C\right]=\frac{{\varphi }_j\left(C^{{\Gamma }_j}mod{\mathcal{Q}}_j^2\right)}{{\Theta }_j}mod{\mathcal{Q}}_j.$$

(21)

Note that the mathematical correctness for the vehicle homomorphic decryption can be briefly illustrated as

$$\begin{array}{cc}\hfill & {\mathtt{Dec}}_{〈{\mathcal{Q}}_j,{\Gamma }_j〉}^{{\Theta }_j}\left[{\mathtt{Enc}}_{〈{\mathcal{Q}}_j,{\xi }_j〉}^{{\varrho }_{\mathbb{R}}^i}\left[M\right]\right]\hfill \\ \hfill & =\frac{{\varphi }_j\left({\left[{\mathtt{Enc}}_{〈{\mathcal{Q}}_j,{\xi }_j〉}^{{\varrho }_{\mathbb{R}}^i}\left[M\right]\right]}^{{\Gamma }_j}mod{\mathcal{Q}}_j^2\right)}{{\Theta }_j}mod{\mathcal{Q}}_j\hfill \\ \hfill & =\frac{{\varphi }_j\left({\left[{\xi }_j^M·{\left({\varrho }_{\mathbb{R}}^i\right)}^{{\mathcal{Q}}_j}mod{\mathcal{Q}}_j^2\right]}^{{\Gamma }_j}mod{\mathcal{Q}}_j^2\right)}{{\varphi }_j\left({\xi }_j^{{\Gamma }_j}mod{\mathcal{Q}}_j^2\right)}mod{\mathcal{Q}}_j\hfill \\ \hfill & =Mmod{\mathcal{Q}}_j\hfill \end{array}.$$

(22)

At this point, ${\delta }_j$ can be successfully extracted from ${\Xi }_{\mathbb{R}}^j$. Confidentiality of the delivered packet can be confirmed by checking ${\mathsf{\Phi }}_j$. If validated, the vehicle conducts the final authentication, as ${\delta }_j\stackrel{?}{=}{h}_2\left({\mathrm{I}}_V^j,k_j{\varrho }_{j}P\right)$.

At this point, mutual authentication between RSU and requesting vehicle is completed. In our design, the semi-trusted RSUs can perform the authentication and updating procedures without accessing the confidential vehicle secrets. Meanwhile, $s{k}_j=H_5\left(k_j{\varrho }_{j}P\right)$ is used as the shared session key established between remote $\mathtt{VC}$ and participating vehicle. In this case, the constructed homomorphic cryptographic scheme of $\left[{\mathtt{Enc}}_{〈{\mathcal{O}}_i,{\hslash }_i〉}^{{\varrho }_j},{\mathtt{Dec}}_{〈{\mathcal{O}}_i,{\Lambda }_i〉}^{{\mathbb{k}}_i}\right]$ and $\left[{\mathtt{Enc}}_{〈{\mathcal{Q}}_j,{\xi }_j〉}^{{\varrho }_{\mathbb{R}}^i},{\mathtt{Dec}}_{〈{\mathcal{Q}}_j,{\Gamma }_j〉}^{{\Theta }_j}\right]$ could guarantee secure and reliable data exchange. Moreover, the vehicle could also extract the updated blockchain values $\langle h_{\ell -1}^{⊛},h_{\ell }^{⊛}\rangle$ and related timestamp $T{S}_{\ell }^{⊛}$ from ${\Xi }_{\mathbb{R}}^j$. Hence, the previous value $\langle T{S}_{\ell -1}^{⊛},h_{\ell -1}^{⊛},h_{\ell -2}^{⊛}\rangle$ can be replaced with the updated $\langle T{S}_{\ell }^{⊛},h_{\ell -1}^{⊛},h_{\ell }^{⊛}\rangle$. In the next authentication session with successive RSU, the newly generated $\langle T{S}_{\ell +1}^{⊛},h_{\ell }^{⊛},h_{\ell +1}^{⊛}\rangle$ will be issued in the same way. The blockchain record $\langle h_1^{⊛},\cdots ,h_{\ell -1}^{⊛},h_{\ell }^{⊛},h_{\ell +1}^{⊛}\rangle$ is maintained by VC and vehicle itself, while the validation processes on successive values of the chain are operated by all of the involved RSUs. With the precise signing information $\langle T{S}_{\ell -1}^{⊛},h_{\ell -1}^{⊛},h_{\ell -2}^{⊛}\rangle$ of the encountered RSU on the road, the driving routes of particular vehicle could be securely recorded in a decentralized way. All of these strategies enable the following healthcare monitoring and infection tracking design.

4.3. Healthcare Monitoring Strategy

With the preliminary operations introduced in the previous two phases, the healthcare monitoring strategy can be achieved, along with the infection tracking algorithm for COVID-19 pandemic control. The RSUs can be classified into regular RSUs and the checkpoint RSU, as shown in Figure 2. Regular RSU is in charge of vehicular data exchange of conventional VANETs, while the checkpoint RSUs take the responsibility of traffic surveillance and healthcare monitoring particularly. As for practical scenarios of pandemic control in transportation system, all of the regular RSUs can be selected as the checkpoint if necessary. Extensive modification on RSU hardware is not required, thus any regular RSUs can switch to checkpoint RSU easily. Therefore, effective and reliable healthcare monitoring functionality could be provided to any road sections under emergency situations. Intuitively, the above key management and mutual authentication operations are illustrated in terms of regular RSU, while the healthcare monitoring strategy in this section will be described with the assistance of checkpoint RSU. That is, real time physical status of the passengers in the passing vehicles are monitored, collected, and uploaded to $\mathtt{VC}$ at final. Additionally, the driving route information on vehicles will be attached to wearable device of individual passenger. Hence, infection tracking towards suspected persons is available.

We assume that the aforementioned vehicle is approaching the checkpoint RSU in the next (${\mathtt{RSU}}_i\to {\mathtt{RSU}}_{i+1}$). At this point, the vehicle possesses the essential chain values $\langle T{S}_{\ell }^{⊛},h_{\ell -1}^{⊛},h_{\ell }^{⊛}\rangle$ sent by the previous ${\mathtt{RSU}}_i$. The blockchain-based key agreement phase is the same as above until the generation of packet $\langle T{S}_4^i,{\mathrm{I}}_j^1,{\Xi }_{\mathbb{R}}^j,{\mathsf{\Phi }}_j\rangle$. In the assumption of checkpoint RSU, a simple request is attached to the packet and then sent to destinated vehicle in the form of $\langle \mathtt{Request},T{S}_4^i,{\mathrm{I}}_j^1,{\Xi }_{\mathbb{R}}^j,{\mathsf{\Phi }}_j\rangle$. After validation, the vehicle is then aware of the request for healthcare monitoring towards its passengers.

In our assumption, the passengers in vehicles are considered to be the essential parties for healthcare monitoring in VANETs. Preliminarily, each passenger should register to $\mathtt{VC}$ in advance. Hence, the confidential identities set of the registered passengers are issued as $\{{\mathtt{cid}}_1,\cdots ,{\mathtt{cid}}_i\}$, where the distributed ${\mathtt{cid}}_i$ is the unique original identity. The identity set $\{{\mathtt{cid}}_1,\cdots ,{\mathtt{cid}}_i\}$ for all the legitimate passengers is safely stored in $\mathtt{VC}$ server. As for individual passenger, the wearable device, such as smart watch or smart bracelet, is mandatory for medical data measurement and aggregation. Moreover, with the assistance of the intra body area network (intra-BAN) and the connected medical sensors, precise and seamlessly physical data collection can be provided. Notably, each passenger and their corresponded wearable device is assumed to be the same entity with identity ${\mathtt{cid}}_i$.

As mentioned above, in the range of the checkpoint ${\mathtt{RSU}}_{i+1}$, the parameters set $\langle T{S}_2^{i+1},{\mathrm{I}}_{\mathbb{R}}^{i+1},{\mathcal{O}}_{i+1},{\hslash }_{i+1},{\mathcal{R}}^{i+1},{\Xi }_{\mathbb{R}}^{i+1}\rangle$ is periodically to all devices. Importantly, all of the wearable devices could also acquire the RSU parameters set. Hence, with the same validation and decryption process, the RSU homomorphic encryption key set $\langle {\mathcal{O}}_i,{\hslash }_i\rangle$ is then acquired by passenger with ${\mathtt{cid}}_i$, provided that there are n passengers within one vehicle. Note that, for the n devices, the temporary identity ${\mathtt{tid}}_i$ is generated as ${\mathtt{tid}}_i=h({\mathtt{cid}}_i,T{S}_i^{\oplus })$. Hence, each wearable device delivers the sensitive physical data regarding pandemic control to vehicle in the form of $En{c}_{\langle {\mathcal{O}}_i,{\hslash }_i\rangle }^{{\mathtt{cid}}_i}\left[{\mathtt{tid}}_i,data\right]$. The vehicle then gathers all n packets from different passengers and forwards it to RSU in the form of

$$En{c}_{\langle {\mathcal{O}}_i,{\hslash }_i\rangle }^{{\varrho }_j}\left[En{c}_{\langle {\mathcal{O}}_i,{\hslash }_i\rangle }^{{\mathtt{cid}}_1}\left[{\mathtt{tid}}_1,data\right],\cdots ,En{c}_{\langle {\mathcal{O}}_i,{\hslash }_i\rangle }^{{\mathtt{cid}}_n}\left[{\mathtt{tid}}_n,data\right]\right].$$

(23)

RSU can then decrypt the identities ${\mathtt{tid}}_i$ and medical data from the passengers. If unique patterns are detected, then RSU sends the warning report to $\mathtt{VC}$ and request for retransmission. Eventually, the gathered healthcare data, along with the current RSU information ${◊}_{\mathbb{R}}^{i+1}$, are uploaded to $\mathtt{VC}$ and stored for further usage. In the further time, if certain passenger is infected, its historical healthcare record and route information can be retrieved in the $\mathtt{VC}$ database, the infection tracking method is accordingly available, which is of great significance for pandemic control.

5. Security Analysis

In this section, the major security characteristics of the proposed design are discussed, respectively. Moreover, comparisons with the existing methods in terms of the VANET authentication and key management are presented.

5.1. Security Discussions

Theorem 1.

The authentication process is proven to be correct if and only if the certificates are successfully issued following the device registration and authentication strategy.

Proof of Theorem 1.

Initially, the specific vehicle with $\langle {\mathrm{I}}_V^j,k_j\rangle$ approaches the regular RSU with original identity set $\langle {\mathrm{I}}_T^1,s_{\mathbb{R}}^1\rangle$. RSU itself issues the public parameter set $\langle T{S}_2^1,{\mathrm{I}}_{\mathbb{R}}^1,{\mathcal{O}}_1,{\hslash }_1,{\mathcal{R}}^1,{\Xi }_{\mathbb{R}}^1\rangle$, where

$$\left\{\begin{array}{c}{\mathrm{I}}_{\mathbb{R}}^1=h_1\left(T{S}_1^1,{\mathrm{I}}_T^1,{\varrho }_{\mathbb{R}}^1{s}_{\mathbb{R}}^{1}P\right)\hfill \\ {\Lambda }_1=\mathrm{lcm}\left({\mathcal{M}}_1-1,{\mathcal{N}}_1-1\right)\hfill \\ {\mathcal{R}}^1={\varrho }_{\mathbb{R}}^1{s}_{\mathbb{R}}^{1}P\hfill \\ {\Xi }_{\mathbb{R}}^1=H_1\left(T{S}_2^1,{\mathrm{I}}_{\mathbb{R}}^1,{\mathcal{O}}_1,{\hslash }_1,{\mathcal{R}}^1\right)\hfill \end{array}\right..$$

(24)

With the assigned vehicle homomorphic encryption mechanism $En{c}_{\langle {\mathcal{O}}_1,{\hslash }_1\rangle }^{{\varrho }_j}\left[M\right]={\hslash }_1^M·{\varrho }_j^{{\mathcal{O}}_1}\mathtt{mod}{\mathcal{O}}_1^2$, $\langle \mathtt{Request},T{S}_3^j,{\mathrm{I}}_j,{\mathsf{{\rm Y}}}_j,{\Xi }_V^j\rangle$ can be generated by vehicle in the form of ${\Xi }_V^j=En{c}_{\langle {\mathcal{O}}_1,{\hslash }_1\rangle }^{{\varrho }_j}\left[{\aleph }_j\parallel {\mathcal{Q}}_j,{\xi }_j\parallel {\Im }_j\right]$. At this point, the blockchain has not been generated, since it is in the first RSU range. Upon receiving the confirmation message from remote $\mathtt{VC}$, RSU computes $h_1^{⊛}=h^{⊛}\left(T{S}_1^{⊛},{◊}_{\mathbb{R}}^1\right)$, where $T{S}_1^{⊛}$ denotes the current timestamp, and ${◊}_{\mathbb{R}}^1$ is the identity information of current ${\mathtt{RSU}}_i$. Note that the crucial contents $\langle T{S}_1^{⊛},{◊}_{\mathbb{R}}^1\rangle$ is uploaded to $\mathtt{VC}$ for chain updating. Only with the delivered acknowledgement message $\langle Ack,{\mathrm{I}}_j,{\delta }_j\rangle$ from $\mathtt{VC}$, the RSU is able to legitimately pass the verification process ${\delta }_j\stackrel{?}{=}{h}_2\left({\mathrm{I}}_V^j,k_j{\varrho }_{j}P\right)$ in vehicle side. Similarly, in the next authentication session of second RSU with $\langle {\mathrm{I}}_T^2,s_{\mathbb{R}}^2\rangle$, the $\mathtt{VC}$ hash chain is updated as $\langle h_1^{⊛},h_2^{⊛}\rangle$, where $h_2^{⊛}=h^{⊛}\left(T{S}_2^{⊛},{◊}_{\mathbb{R}}^2,h_1^{⊛}\right)$. Following this way, in the ℓ session, RSU is able to deliver the essential information $\langle {\delta }_j,T{S}_{\ell }^{⊛},h_{\ell -1}^{⊛},h_{\ell }^{⊛}\rangle$ to vehicle following the vehicle homomorphic encryption process. Note that ${\delta }_j=h_2\left({\mathrm{I}}_V^j,k_j{\varrho }_{j}P\right)$ holds, Assuming the length of partial secrets $\langle k_j,{\varrho }_j\rangle$ is t, respectively. Hence, the probability to successfully pass the validation process is $\frac{1}{4^t}$. The correctness of our design can be proven. □

Theorem 2.

Message unlinkability within various RSUs effective range can be achieved. Moreover, dynamic chain updating is performed upon each successful validation.

Proof of Theorem 2.

Assuming specific vehicle with route ${\mathtt{RSU}}_1\to {\mathtt{RSU}}_n$ is in the i-th RSU domain ($i\in [1,n]$), the vehicle with $\langle {\mathrm{I}}_V^j,k_j\rangle$ utilizes the temporary identity ${\mathrm{I}}_j=h_2\left({\mathrm{I}}_V^j,{\varrho }_{j}P\right)$, where the random partial secret key is adopted. Note that the temporary identity varies for different sessions. Furthermore, upon receiving the acknowledgement at final step, the vehicle identity can be updated as ${\mathrm{I}}_j^1=h_2\left({\mathrm{I}}_j,{\varrho }_{\mathbb{R}}^i{s}_{\mathbb{R}}^{i}P\right)$. The delivered packet from RSU is $\langle T{S}_4^i,{\mathrm{I}}_j^1,{\Xi }_{\mathbb{R}}^j,{\mathsf{\Phi }}_j\rangle$. That is, dynamic vehicle identities are used in the same authentication session, which significantly prevents information eavesdropping and tracing. Unlinkability on the confidential vehicular data during transmission can be provided as well. Additionally, the vehicle does not preserve all of the chain data in storage for the consideration of inherent resource limitation, while the previous chain values denoted as $h_{\ell -2}^{⊛}$ and $h_{\ell -1}^{⊛}$ are stored for chain validation and updating. Note that the previous RSU calculates $h_{\ell -1}^{⊛}=h^{⊛}\left(T{S}_{\ell -1}^{⊛},{◊}_{\mathbb{R}}^{i-1},h_{\ell -2}^{⊛}\right)$. With the constructed homomorphic encryption strategy, the chain values can be managed by each encountered RSU in a decentralized way. Specifically, the vehicle and each RSU share the two successive chain values, while $\mathtt{VC}$ preserves the integrated blockchain for further usage. □

Theorem 3.

Conditional identity privacy preservation for vehicle and RSUs is achieved. Untraceability towards specific vehicle is guaranteed, while the remote VC is capable of retrieving the real identity of certain vehicle under extreme situations.

Proof of Theorem 3.

In the device initialization phase, the registered RSU randomly generates its partial secret key ${\varrho }_{\mathbb{R}}^i\in {\mathbb{Z}}_q^{*}$ and periodically extracts the time-oriented anonymous identity ${\mathrm{I}}_{\mathbb{R}}^i$ as ${\mathrm{I}}_{\mathbb{R}}^i=h_1\left(T{S}_1^i,{\mathrm{I}}_T^i,{\varrho }_{\mathbb{R}}^i{s}_{\mathbb{R}}^{i}P\right)$, where the random partial secret key set $\langle {\varrho }_{\mathbb{R}}^i,s_{\mathbb{R}}^i\rangle$, along with the current timestamp $T{S}_1^i$ is applied. Similarly, for anonymity protection, the vehicle temporary identity is applied as ${\mathrm{I}}_j=h_2\left({\mathrm{I}}_V^j,{\varrho }_{j}P\right)$ and ${\mathrm{I}}_j^1=h_2\left({\mathrm{I}}_j,{\varrho }_{\mathbb{R}}^i{s}_{\mathbb{R}}^{i}P\right)$, respectively. Note that the distinctive identity ${\mathrm{I}}_V^j\in {\{0,1\}}^{*}$ and ${\mathrm{I}}_T^i\in {\{0,1\}}^{*}$ remain hidden all of the time. Each ${\mathrm{I}}_{\mathbb{R}}^i$ is only effective within a certain time period and will expire periodically. In this way, anonymous identities for both RSUs and vehicles are provided. Privacy preservation property is provided in this way. Meanwhile, the entire block chain regarding driving route and real identity is safely stored in $\mathtt{VC}$. Therefore, $\mathtt{VC}$ is able to reveal the original identity of all RSUs or vehicles, which is crucial for detecting and revoking the compromised VANET entities. Accordingly, conditional identity privacy preserving is provided. □

Theorem 4.

Replay attacking resistance is provided during the whole authentication process. Reusage of the previous information from past authentication sessions cannot pass the current validation.

Proof of Theorem 4.

In the device initialization phase and key agreement phase, the fresh timestamps are widely used in each calculation. Meanwhile, the certificates with all transmitted elements are presented so as to guarantee data integrity. As mentioned above, the RSU public information set is broadcast in the form of $\langle T{S}_2^i,{\mathrm{I}}_{\mathbb{R}}^i,{\mathcal{O}}_i,{\hslash }_i,{\mathcal{R}}^i,{\Xi }_{\mathbb{R}}^i\rangle$, where the latest time stamp is included. In the subsequent authentication session, the vehicle calculates the certificate ${\Xi }_V^j=En{c}_{\langle {\mathcal{O}}_i,{\hslash }_i\rangle }^{{\varrho }_j}\left[{\aleph }_j\left|\right|{\mathcal{Q}}_j,{\xi }_j\left|\right|{\Im }_j\right]$ according to the intermediate values $\langle {\aleph }_j,{\Im }_j\rangle$, which is related to the timestamp $T{S}_3^j$. In this case, provided that, in specific moment ${\mathbb{T}}_{\mathcal{A}}$, the adversary ${\mathcal{A}}_1$ is able to collect z transmitted packets ${\langle \mathtt{Request},T{S}_3^l,{\mathrm{I}}_l,{\mathsf{{\rm Y}}}_l,{\Xi }_V^l\rangle }_{l\in \left[1,z\right]}$ during certain time interval $\left[{\mathbb{T}}_{\mathcal{H}},{\mathbb{T}}_{\mathcal{C}}\right]$ (${\mathbb{T}}_{\mathcal{C}}<{\mathbb{T}}_{\mathcal{A}}$). Intuitively, the probability for ${\Xi }_V^{\mathcal{A}}$ to pass the verification is $\frac{z}{2^t}$, where the length of output ${\Xi }_V^{\mathcal{A}}$ is assumed to be t. Therefore, our design has proved to be resistant to replay attack. □

Theorem 5.

Certificateless authentication design is deployed in the proposed authentication session. No-repudiation characteristic is provided for vehicles.

Proof of Theorem 5.

In the aforementioned device initialization phase, the original identity for vehicle is assigned as ${\mathrm{I}}_V^j$, while the assigned secret key $k_j$ is safely shared among $\mathtt{VC}$ and vehicle. Meanwhile, the vehicle itself randomly generates the partial key ${\varrho }_j\in {\mathbb{Z}}_q^{*}$ and keeps it secret to $\mathtt{VC}$. Therefore, with the characteristics of ECDLP, it is difficult to extract ${\varrho }_j$ from the published ${\mathrm{I}}_j=h_2\left({\mathrm{I}}_V^j,{\varrho }_{j}P\right)$ or ${\mathsf{{\rm Y}}}_j={\varrho }_j{\mathcal{R}}^i$. The impersonation towards specific vehicle cannot be accepted by the receiver. Similarly, the RSU partial secret key ${\varrho }_{\mathbb{R}}^i\in {\mathbb{Z}}_q^{*}$ is randomly generated by RSU and kept hidden to $\mathtt{VC}$. Therefore, $\mathtt{VC}$ does not have full control over the participating vehicles and RSUs. Hence, the certificateless authentication property is provided. □

5.2. Security Properties Comparison

In this section, the security properties comparison with existing VANETs secure communication is presented. The proposed protocol is compared with the state-of-the-art authentication and key management methods: AKMB [42], IBCPA [7], and EPCBV [43] in order to demonstrate its superiority on security properties. The comparison results presented in

Table 3. Comparison Results on Security Properties.

Scheme	AKMB [42]	IBCPA [7]	EPCBV [43]	The Proposed Scheme
Anonymous Identity Updating	×	×	×	◯
Unforgeability	◯	◯	◯	◯
Collusion Attack Resilience	◯	×	◯	◯
Sibiling Attack Resilience	◯	×	×	◯
Session Key Establishment	◯	◯	◯	◯
Conditional Privacy Preserving	◯	◯	◯	◯
Scalability	×	×	◯	◯
Key Escrow Resilience	◯	◯	◯	◯
Replay Attack Resistance	×	◯	◯	◯
Unlinkability	×	×	×	◯

show that the proposed scheme could meet the desirable security requirements that are introduced in Section 3.6.

6. Performance Analysis

In this section, the performance of the proposed scheme is discussed, which specifically emphasizes on the crucial properties for resource-limited VANETs environment, such as storage overhead andcomputation cost.

6.1. Storage Overhead

In practical environment, the VANET entities, including vehicles and RSUs, are the fundamental units in V2V and V2R wireless communication. Due to the resource restriction, the storage overhead required for the authentication process should be optimized. The state-of-the-art VANETs authentication schemes, including AKMB [42], IBCPA [7], and EPCBV [43] are also analyzed. Hence, the advantages of our scheme on storage overhead can be demonstrated as shown in Figure 3, where the storage cost for individual RSU is presented. Obviously, less storage overhead is required in the proposed scheme.

6.2. Computation Cost

In this section, the computation cost of the proposed design is analyzed. The time consumption for authentication in RSU side is discussed in terms of the number of participating vehicles. Note that the complex pairing calculations are not adopted in our design. The comparison results with AKMB [42], IBCPA [7], and EPCBV [43] are presented in Figure 4. Intuitively, less time consumption is required for authenticating process with resource limited vehicles, which proves the performance advantages of our design.

7. Conclusions

In this paper, emphasizing automotive pandemic control in intelligent transportation system, a practical homomorphic authentication method for healthcare monitoring in cloud-assisted VANETs is developed. In the proposed scheme, medical surveillance and infection tracking towards suspected passengers can be achieved. Our design applies the novel cloud infrastructure with the hybrid medical data acquisition module. Non-contract surveillance towards random vehicles can be remotely conducted by vehicular cloud. Moreover, the decentralized blockchain-based route recording mechanism is enabled, where the accurate and timely route information for each involved vehicle can be securely uploaded and analyzed in VC. The chain updating operations are collaboratively conducted by several decentralized RSU edge entities at a time, so that vehicular data confidentiality is guaranteed. Analysis on the featured security properties and comparison with other schemes prove that our design can meet the practical security requirements. Meanwhile, performance analysis with other studies show its efficiency. With these unique advantages, the proposed design can be utilized for the current COVID-19 pandemic control.