Practical Homomorphic Authentication in Cloud-Assisted VANETs with Blockchain-Based Healthcare Monitoring for Pandemic Control

Currently, the outbreak of COVID-19 pandemic has caused catastrophic effect on every aspect of our lives, globally. The entire human race of all countries and regions has suffered devastating losses. With its high infectiousness and mortality rate, it is of great significance to carry out effective precautions and prevention of COVID-19. Specifically, the transportation system has been confirmed as one of the crucial spreading routes. Hence, enhancing healthcare monitoring and infection tracking for high-mobility transportation system is infeasible for pandemic control. Meanwhile, due to the promising advantages in the emerging intelligent transportation system (ITS), vehicular ad hoc networks (VANETs) is able to collect and process relevant vehicular data for improving the driving experience and road safety, which provide a way for non-contact automatic healthcare monitoring. Furthermore, the proliferating cloud computing and blockchain techniques enable sufficient processing and storing capabilities, along with decentralized remote auditing towards heterogenous vehicular data. In this case, the automated infection tracking for pandemic control could be achieved accordingly. For the above consideration, in this paper we develop a practical homomorphic authentication scheme for cloud-assisted VANETs, where the healthcare monitoring for all involving passengers is provided. Notably, the integrated cloud-assisted VANET infrastructure is utilized, where the hybrid medical data acquisition module is attached. In this way, timely, non-contact measurement on all passengers’ physical status can be remotely done by vehicular cloud (VC), which could also drastically improve the efficiency and guarantee safety. Vulnerabilities of the employed dedicated-short-range-communication (DSRC) technique could be properly addressed with the applied homomorphic encryption design. Additionally, the decentralized blockchain-based vehicle recording mechanism is cooperatively performed by VC and edge units. Infection tracking on specific vehicle and individual can be offered in this way. Each signature sequence is collaboratively maintained and verified by the current roadside unit (RSU) and its neighbor RSUs. The security analysis demonstrates that the proposed scheme is secure against major attacks, while the performance comparison with the state-of-the-arts relevant methods are presented for efficiency discussion.


Introduction
Nowadays, the entire world is facing a severe global health crisis unlike any in the history, which is spreading human suffering and upending people's lives. The coronavirus disease COVID-19, which is characterized as a lethal and highly infectious pandemic by the World Health Organization (WHO), wireless data transmission characteristics of VANETs. That is, the transmitted vehicular data may be illegally eavesdropped or forged by adversaries, thus compromising the VANET data safety [34,35].
Nowadays, lots of studies with various safe strategies and cryptographic techniques have been made on VANET secure data transmission in order to address the VANET security issues [36][37][38]. However, the necessary parameters for practical implementation of VANET system have not yet been fully considered. When considering the globally urgent situation on COVID-19 pandemic control, potential usages and valuable applications of VANETs should be dug out. Measurements regarding VANETs and its relevant extensions should be prepared, now that the transportation system have become the one of the most dangerous scenarios for virus surveillance and infection tracking.
With the urgent motivation for automotive pandemic control, a practical homomorphic authentication scheme for cloud-assisted VANETs is developed. The proposed mechanism supports automotive healthcare monitoring and infection tracking for all involving passengers. Non-contract surveillance towards random vehicles can be remotely conducted by VC. First of all, our design applies the novel cloud-assisted VANET infrastructure with the hybrid medical data acquisition module. The WBAN layer is adopted for the integrated medical data acquisition. Notably, the essential user information on participating device is shared among edge RSU cluster. Secondly, the homomorphic encryption design is deployed for mutual authentication and key agreement. Meanwhile, the decentralized blockchain-based infection tracking mechanism on suspicious vehicles is presented. The historical route records for each vehicle can be securely preserved in VC. The signature sequence is collaboratively arranged by several RSUs at a time, offering distributive data confidentiality. Respectively, the security analysis and performance analysis are proposed, showing the superiority of the proposed scheme.
The remainder of this paper is organized, as follows. Section 2 briefly introduces the related research achievements. Section 3 illustrates the preliminary contents and relevant system settings. Section 4 presents the proposed homomorphic authentication design in cloud-assisted VANETs with blockchain-based healthcare monitoring for pandemic control. Section 5 presents the security analysis. Section 6 displays the performance analysis. The final conclusion is drawn in Section 7.

Related Works
Currently, many researches on VANET secure data transmission and privacy preservation have been made, while the practical requirements for medical surveillance in practical occasions have not been fully satisfied. In 2013, a expedite message authentication protocol (EMAP) is constructed for VANET secure data transmission [17]. The efficient revocation check process is enabled with the keyed hash message authentication code (HMAC), which drastically reduces the computation burdens of certificate revocation lists (CRLs). Meanwhile, the proposed EMAP deploys the probabilistic key distribution function for confidential key sharing among non-revoked OBUs during key updating. Afterwards, a privacy-preserving authentication scheme for VANETs is developed in [21], where the designated RSUs distribute the group private information to vehicles within its arranged domain. In this case, massive vehicles can be efficiently verified without causing extensive time consumption. Chuang et al. [20] presented a decentralized trust-extended message authentication mechanism (TEAM), where the transitive trust relationships frame is utilized, so as to reduce storage consumption. Similarly, Wang et al. presented a two-factor lightweight VANETs authenticating scheme in [24], where the decentralized certificate authority (CA) and biological password are applied. The non-repudiation property for conditional tracing is achieved. In 2019, Alazzawi et al. developed a pseudo-identity-based message verification scheme [15]. Data integrity and mutual authentication can be provided. Moreover, the proposed scheme is resistant to insider attack and man-in-the-middle (MITM) attack.
Specifically, lots of schemes on vehicle conditional-privacy preserving (CPP) property have been developed. In 2010, a scalable robust authenticating method for secure VANETs transmission is proposed in [1]. Each RSU is responsible for maintaining the active vehicular groups within its vicinity. The authentic V2V broadcast is available for all participating vehicles with anonymous identities. The benign third party is involved in the relevant vehicle revocation process. The negative impact of compromised RSUs is minimized in this case. Meanwhile, system salability is provided. Thereafter, Huang et al. developed the privacy-preserving authentication scheme with conditional privacy protection. The anonymous identity for each legitimate vehicle is activated until further revocation [3]. In 2012, a dynamic key arrangement mechanism with efficient updating for location-based services (LBSs) is proposed [9]. The double registration detection design is adopted. The newly joined vehicle autonomously updates its session key for forward secrecy. Subsequently, He et al. proposed an identity-based pairing-free mutual authentication and privacy protection method [7]. Better performance and minimized computational complexity for information processing can be achieved in this way. Similarly, a two-round certificateless-based cross-domain key agreement scheme for wireless mesh networks is presented [30]. The user in previous is adomainble to prove its identity to the current domain server for session key negotiation.
Currently, the VANET scenarios with cloud computing and blockchain techniques for remote data storing and parallel processing have been studied [33,34]. In 2017, Liu et al. constructed a vehicular message safe dissemination mechanism CMDS in the cloud-assisted VANET-cellular environment [31]. Reliable and confidential data processing can be processed by the related VANET gateways and nearby vehicles. Thereafter, emphasizing on emergency message dissemination, solution to the congestion avoidance issue is proposed in the assumed vehicular fog-assisted VANET [38]. Lin et al. discussed the vehicle heterogeneity of resource allocation in the vehicular cloud computing (VCC) system [37]. Optimal strategy for VCC allocation is presented under the improved semi-Markov decision process (SMDP) model. In 2019, Ma et al. proposed an efficient pairing-free authenticated key agreement design for secure interactions in fog-based VANETs [35]. As for blockchain infrastructure in VANETs, a blockchain-assisted distributed lightweight anonymous authentication scheme with cross-datacenter interaction in vehicular fog service (VFS) is presented [4]. Similarly, in [29], with the applied Merkle Patricia tree (MPT) structure, the conventional blockchain structure is extended. Hence, the distinctive verification process without CRLs is developed. Conditional privacy preserving is achieved as well.
To be concluded, existing researches on VANETs communication either emphasize security and privacy preserving with conventional cryptographic design or construct authenticated key agreement under advanced techniques such as cloud computing and blockchain. However, the potential usages of VANETs application have not been taken full consideration for pandemic control. For this purpose, we proposed a practical homomorphic authentication scheme with the unique functionalities of healthcare surveillance and infection tracking, which is of great significance for the pandemic control towards COVID-19.

Preliminaries
In this section, the necessary security and cryptographic concepts are respectively introduced, which include the definitions of homomorphic encryption, one-way hash function, and elliptic curve cryptosystem (ECC). Afterwards, the relevant notations of the proposed design, the novel VANET system model, and security requirements are illustrated.

Homomorphic Encryption
With its unique properties, homomorphic encryption can be widely applied into vast security designs and privacy preserving strategies. The homomorphic encryption design allows for the predefined standard computations on ciphertexts, with which the output matches the encryption result on the computations conducted on plaintexts. Hence, the transmitted data can be securely processed and out-sourced without revealing the privacy-related information. In other words, the related homomorphic encryption and decryption functionalities can be considered as the homomorphisms between plaintext and the ciphertext spaces. In practical communication scenarios with semi-trusted entities, homomorphic encryption could remove potential privacy barriers that inhibit data sharing. The Paillier cryptosystem [39] is defined as one of the homomorphic cryptosystems on public key infrastructure (PKI). The Paillier encryption process is additively homomorphic. That is, the product of the two ciphertexts will decrypt to the sum of their corresponding plaintexts. In this case, m 1 , m 2 ∈ Z * n are defined as the plaintexts. r 1 , r 2 , r 3 < n are defined as the random integers for encryption process. The following additive homomorphic properties can be satisfied: where µ ∈ Z * n holds. E (·) denotes the encrypting operation. The security of Paillier cryptosystem is based on the decisional composite residuosity assumption (DCRA) described, as follows: Definition 1 (Decisional Composite Residuosity Assumption (DCRA)). Define p and q as the two large primes with the condition n = pq. Given α ∈ Z * n 2 , if there exist γ ∈ Z * n 2 satisfying α ≡ γ n mod n 2 , α could be defined as the n-th residue modulo n 2 . Note that, given the composite n and an integer β, it is hard to decide whether β is the n-th residue modulo n 2 .

Elliptic Curve Cryptography (ECC)
Define p > 3 as a large prime and F p as the finite field of order p, where 4a 3 + 27b 2 (mod p) = 0 and a, b ∈ F p [40]. In this case, E p (a, b) is defined as the the elliptic curve over the finite field F p , which has the following characteristic: where (x, y) ∈ F p . The point doubling is defined as the unique addition operation on the curve E p (a, b), only if the two points are identical. Otherwise, it is called the point addition. All of the points on E p (a, b), as well as the point at infinity ∞ construct an additive Abelian group E F p , where ∞ = (−∞) is defined as the identity element.
Definition 2 (Elliptic Curve Discrete Logarithm Problem (ECDLP)). Define P, Q ∈ G 1 , where Q = aP. Hence, for any probabilistic polynomial-time (PPT) adversary A , the advantage in finding the integer a ∈ Z * q to solve the ECDLP problem is defined as Adv ECDLP A ,G 1 , which is negligible as the following equation: Definition 3 (Computational Diffie-Hellman Problem (CDHP)). Define G 1 as the cyclic group with the large prime order q. Given P, aP, bP ∈ G 1 for a, b ∈ Z * q , where P is the generator of the cyclic group G 1 . Hence, for any probabilistic polynomial-time (PPT) adversary A , the advantage in finding computing abP for solving the given CDHP problem is defined asAdv CDHP , which is negligible as the following equation:

Hash Function
The one-way secure hash function h(·) is constructed with the following properties [41]: 1.
With a random message x of arbitrary length, the message digest of its fixed length output h(x) can be easily calculated.

2.
It is hard to compute x = h −1 (y) with the given y.

3.
It is computationally infeasible to find x = x such that h(x ) = h(x), providing that x is given.

Notations
The notations used in our design are listed in Table 1, along with the corresponding description.

System Model
In this section, the deployed cloud-assisted VANET infrastructure with healthcare monitoring function is briefly illustrated, which can be classified into four different communication layers, including the cloud layer, edge layer, vehicle layer, and WBAN layer. The four layers with the instructions are as follows. Meanwhile, Figure 1 shows te intuitive VANET system model.  Cloud layer is considered to be the centralized data facility responsible for all of the essential system operations. Crucial system operations such as master key issuance and user registration, are all conducted by the remote cloud layer, which is defined to be trustworthy at all time. Meanwhile, massive amount of vehicular information gathered from the terminal devices is analyzed and safely stored. Particularly, the distributed cloud servers are capable of managing multiple VANET prototypes, which promotes the construction of global Internet of Vehicles (IoV) initiatives. For better description, we consider the entire cloud layer as the VC.

Cloud
Edge layer is defined as the combination of the RSU clusters, each of which is organized by direct and indirect wired connection between the nearby RSUs within predefined vicinity. Each RSU of the clusters is able to independently conduct the vehicular data interaction tasks with in-range vehicles, while the essential user information on participating devices could be shared within the cluster members. That is, collaborative computation and data processing operations for mutual authentication and message delivery could be achieved. For example, the existing cross-domain verification issue can be addressed with the applied distributive VANET edge layer, since the frequent and reliable RSU-to-RSU data exchange are assumed within RSU clusters. Practically, as for cloud-assisted VANET, low latency and high reliability characteristics of vehicle-to-RSU transmission could be satisfied with the deployed edge computing architecture (edge layer). In this case, the edge cluster involving neighboring RSUs collaboratively cache the frequently used vehicular data instead of requesting it from remote TA. The bandwidth burden of cloud server can be alleviated in this way.
Device layer refers to the terminal vehicles, where the heterogenous vehicular data and real-time road information are aggregated. Each vehicle is equipped with the embedded on-board unit (OBU) for vehicular data transmission and reception. Meanwhile, the deployed tamper-proof device (TPD) is used for confidential message preserving. Large amounts of temporary and high-speed V2V and V2R networks are continuously constructed, while complex computation cannot be carried out due to the resource limitation in vehicle side.
WBAN layer is defined as the integrated facilities for extensive medical data acquisition. VANETs with healthcare monitoring functionality can be constructed accordingly. In our assumption, all of the passengers in each vehicle are equipped with wearable device such as electronic bracelet or smart watch. The sensitive medical parameters regarding COVID-19 pandemic control can be measured and collected for subsequent test. The automotive interaction between wearable devices and the regarding vehicle is enabled, so that the pandemic factors, such as body temperature, could be remotely measured by VC. Non-contract surveillance towards passing vehicles can be conducted in this way.

Security Requirements
The design purpose of the proposed scheme is to improve the security properties in terms of VANET transmissions, and provide automotive healthcare monitoring for all passengers of transportation systems, so that the urgent COVID-19 pandemic control requirements can be satisfied. Consequently, the following major security characteristics for VANET security scheme are introduced.

•
Conditional Privacy Preserving: considering as one of the crucial features for privacy protection, conditional privacy contains two aspects: user privacy protection and targeted vehicle information retrieving. That is, the confidential user information should be safely stored in the whole session. The illegal tracking toward specific vehicle cannot succeed. Meanwhile, the VC responsible for VANET system management should be able to reveal the real identity of suspect vehicle if necessary. • Anonymity: due to the open wireless transmission features, VANET communication channels may be eavesdropped by malicious devices. Normally, messages that originated from the same device naturally carry unique data patterns. In this case, by analyzing the eavesdropped information, vital parameters, such as transmitting frequency, user location may be exposed, which severely endangers user privacy. For this consideration, the anonymity of each VANET device should be guaranteed. • Unforgeability: in practical VANET transmission, adversary may selectively forge the valid certificates, session keys, or signatures to pass the verification process. Hence, unforgeability against chosen message attack is the major property in secure data exchange. • Mutual Authentication: in the VANET design, mutual authentication is the fundamental but leading security property, which guarantees that both VANET entities in one communication session could authenticate each other. In this way, the impersonation attack towards certain device can be prevented. • Non-repudiation: non-repudiation ensures the validity of the transmitted information.
The message sender of VANET cannot deny the authenticity of the issued signature on the transmitted messages. • Session Key Establishment: upon mutual authentication, the unique session key between individual vehicle and VANET system should be established, so as to provide subsequent secure data exchange.

Proposed Design
In this section, the proposed homomorphic authentication scheme for practical VANETs is illustrated in detail. The automotive healthcare monitoring and detection strategies for all passengers of passing vehicles can be achieved. Sensitive personal medical data are locally validated and then uploaded to remote VC for further analysis and historical retrieving. Subsequently, the efficient infection tracking mechanism on suspected cases can be done, where the precise time-oriented travelling route of individual passenger could be retrieved. Therefore, the current practical healthcare monitoring requirements for COVID-19 pandemic control can be met. Intuitively, our design emphasizes the automotive authentication and medical data sharing in high-mobility VANET scenarios. The pairing-free certificateless cryptography is employed for key escrow resilience. User anonymity for all participating vehicles, as well as the involving passengers, are well preserved. Meanwhile, random identity updating design for various communication session is provided. Motivated by the blockchain design, the hash value for each vehicle is maintained by each RSU upon validation. Moreover, the successive RSUs could efficiently verify the correctness of the chain information by taking use of the data sharing characteristic of edge RSU clusters.
Generally, the proposed design is composed of three communicating phases: device initialization, blockchain-based key agreement, and healthcare monitoring strategy, where the workflow is shown in Figure 2. In device initialization phase, the essential vehicle, and RSU registration are preliminarily conducted. The confidential private data including the original vehicle identity and corresponding key are safely preserved in VC. Afterwards, the mutual authentication and key distribution process between requesting vehicle and RSU is carried out in the key agreement phase, where the new vehicle is allowed to join the VANET network after interaction with VC. The blockchain data regarding private driving records of each vehicle is updated by the RSU cluster. Finally, the healthcare monitoring strategy is presented, where the physical conditions of all involving passengers are timely surveilled and uploaded to the remote server in a secure way. Notably, the RSUs can be classified into the regular RSUs without healthcare monitoring duty, as well as the checkpoint RSU that is assigned as the checkpoint for pandemic control. Detailed introduction of all the three phases are respectively presented, as follows.

Device Initilization Phase
The device initialization phase is designed for system initialization and vehicle registration prior to authentication. Notably, the VC is defined as the validated and trustworthy entity during the whole communication session. Therefore, the crucial VANET system parameters and master key are issued and distributed by VC. Initially, VC define G 1 as the cyclic group generated by the large prime order q, where P denotes the generator of the cyclic group. Additionally, the utilized one-way hash functions H 1 , H 2 , H 3 , H 4 , H 5 , h 1 , h 2 , h 3 , h 4 are, respectively, performed as (1) In this case, the VANET system parameters set will be published in the form of param = {G 1 , q, P, H 1 , As for individual RSU, VC assigns the original identity I i T ∈ {0, 1} * to each legitimate RSU during offline registration. The corresponded RSU secret key s i R ∈ Z * q is randomly generated and distributed to RSU as well. Therefore, the confidential RSU identity set I i T , s i R is safely stored in both VC and RSU itself. Similarly, the initial registration process of vehicle should be conducted in advance. That is, the distinctive vehicle original identity I j V ∈ {0, 1} * and the corresponded vehicle secret key k j ∈ Z * q are issued by VC during offline registration. The confidential vehicle identity set is defined as I j V , k j . Note that the secure data exchange for RSU and vehicle initialization is assumed. At this point, VC maintains the records of all the registered RSUs and vehicles in its database. Notably, the private vehicular information, such as user name, address, social security identifier, and phone number, are stored. Table 2 shows the data structure of the vehicular records in VC.
With the purpose of illegal tracing prevention and privacy protection, the RSU anonymous identity is created by each legitimate RSU. That is, the registered RSU randomly generates its partial secret key i R ∈ Z * q and periodically extracts the time-oriented anonymous identity I i R , as where the above TS i 1 is referred to as the current timestamp, so that the freshness of identity can be assured. The session identity I i R is effective only within certain time period and will expire in the subsequent time. The RSU partial secret key set i R , s i R is preserved in its storage, while i R is kept secret to VC.
According to the confidential information, the homomorphic encryption infrastructure can be built for each registered RSU. Initially, RSU selects two large prime M i and N i , so that Hence, the computation on Λ i and k i can be conducted according to . At this point, the RSU homomorphic encryption key set is extracted in the form of O i ,h i . Afterwards, RSU carries out the following calculations: where TS i 2 denotes the latest timestamp. Therefore, RSU broadcasts the parameters set periodically to all devices within its range.

Blockchain-Based Key Agreement Phase
In this section, the authentication and key management for vehicle is introduced. Initially, while assuming the vehicle with I j V , k j is approaching the effective domain of the aforementioned RSU with anonymous identity I i R , the vehicle itself generates the random partial secret key j ∈ Z * q . In this case, the partial secret key set k j , j is stored in vehicle side. For anonymity protection, the vehicle temporary identity is applied as As mentioned above, vehicle is acknowledged of the broadcast RSU public information set Firstly, freshness validation on the received timestamp TS i 2 is first performed by comparing whether TS cur 2 − TS i 2 ≤ ε 1 holds, where TS cur 2 refers to the current timestamp. Subsequently, correctness of the certificate Ξ i R is verified, so as to guarantee the message integrity. Upon verification, the RSU homomorphic encryption key pair O i ,h i can be extracted by vehicle. Meanwhile, similar homomorphic encryption design for vehicle can be constructed as well. That is, the vehicle with identity I j selects two large prime S j and T j so that gcd S j T j , S j − 1 T j − 1 = 1 holds. Subsequently, vehicle randomly chooses ξ j ∈ Z * Q 2 j , where Q j = S j T j . Hence, the computation on Γ j and Θ j can be conducted according to where φ j (y) = y−1 Q j . At this point, the vehicle homomorphic encryption key set is extracted in the form of Q j , ξ j . Preliminarily, with the purpose of managing the historical driving information, the block chain is built in the form of h (·) , h TS 1 , ♦ i R , h (·) , · · · , where h (·) represents the previous hash value generated by the last encountered RSU. The entire block chain is distributively stored in VC, while the vehicle itself stores its successive two hash values of the chain, which contains the authentication timestamp and the information of the last RSU, such as location and verification number. Notably, the vehicle does not preserve all of the chain data in storage for the consideration of inherent resource limitation, while the previous two hash values as well as the related timestamp TS −1 for signature are enough for further validation. For better description, the two stored hash values are simplified as h −2 and h −1 , which are generated by the previous RSU with identity I i−1 R as Upon extracting the RSU homomorphic encryption key pair O i ,h i , the vehicle intends to construct the authentication process with RSU. Moreover, the previous blockchain data should also be validated and updated. Hence, the following calculations are conducted: where the homomorphic encryption Enc At this point, the vehicle requesting packet with its vehicle homomorphic encryption key set Q j , ξ j are issued as where the blockchain information is also included. Upon receipt of the requesting packet, freshness verification is conducted by checking whether TS cur 3 − TS j 3 ≤ ε 2 holds, where TS cur 3 refers to the current timestamp. If validated, RSU is able to decrypt the received Ξ j V by computing where the RSU homomorphic decryption Dec The mathematical correctness for decryption can be illustrated as Hence, ℵ j ||Q j , ξ j ||TS −1 , h −1 , h −2 || j is successfully extracted from Ξ j V by RSU. The message confidentiality can be guaranteed by verifying j with the acquired ℵ j and the previously broadcast R i from RSU. If validated, RSU stores the vehicle homomorphic encryption key set Q j , ξ j .
Moreover, the extensive validation procedure on blockchain should be carried out. In our assumption, upon successful authentication with certain RSU, vehicle will request RSU to verify and update its current blockchain values TS −1 , h −1 , h −2 . Dynamic information sharing among nearby RSUs is enabled, according to the aforementioned cloud-assisted VANET system model with edge RSU cluster. That is, the identity information ♦ i−1 R of the previous RSU will be broadcast in the way of RSU i−1 → RSU i . Hence, with the received ♦ i−1 R from RSU cluster, and the current blockchain R , h −2 so as to confirm the correctness of chain value. Subsequently, RSU i computes h according to where the TS denotes the current timestamp, and ♦ i R is the identity information of current RSU i . Meanwhile, with the extracted R i = i R s i R P and Υ j = j R i , RSU conducts the following calculation on Ψ j as At this point, RSU uploads TS j 3 , I j , Ψ j , ℵ j , TS , ♦ i R to VC for the cloud verification. Notably, the vehicle identity information I j V , k j are stored in VC server. Therefore, VC is able to confirm the vehicle identity I j V with the transmitted TS j 3 , I j , Ψ j , ℵ j , TS , ♦ i R from RSU. If matches, the requesting vehicle is the legitimate registered device. The vehicle access to VANET system will be granted. As for chain value updating, VC refreshes the stored blockchain values with the uploaded TS , ♦ i R of RSU i as well. Hence, the record h 1 , · · · , h −1 , h is updated. The TS , ♦ i R information is securely preserved as additional contents for further vehicle tracking. In our assumption, every time that the vehicle communicates with a new RSU, VC will receive confirmation message along with the crucial contents TS , ♦ i R for chain updating. With all acquired information, VC is able to synchronize the decentralized blockchain values with vehicle itself, where the chain updating for vehicle is performed by the involved RSU.
Subsequently, VC distributes the acknowledgement message Ack, I j , δ j to RSU, where Upon receiving the acknowledgement, the vehicle identity can be updated as which includes the RSU partial key set i R , s i R . In our design, the anonymous vehicle identity is safely updated as soon as the successful that verifies session is conducted. In this case, the message unlinkability for various communication sessions, and untraceability for specific vehicle, can be achieved.
Next, RSU is able to deliver the essential information δ j , TS , h −1 , h to vehicle following the vehicle homomorphic encryption process with the previous vehicle key set Q j , ξ j and its own i R as Note that the homomorphic encryption Enc can be performed as can be decrypted as where the vehicle homomorphic decryption Dec Note that the mathematical correctness for the vehicle homomorphic decryption can be briefly illustrated as At this point, δ j can be successfully extracted from Ξ j R . Confidentiality of the delivered packet can be confirmed by checking Φ j . If validated, the vehicle conducts the final authentication, as At this point, mutual authentication between RSU and requesting vehicle is completed. In our design, the semi-trusted RSUs can perform the authentication and updating procedures without accessing the confidential vehicle secrets. Meanwhile, sk j = H 5 k j j P is used as the shared session key established between remote VC and participating vehicle. In this case, the constructed homomorphic cryptographic scheme of Enc could guarantee secure and reliable data exchange. Moreover, the vehicle could also extract the updated blockchain values h −1 , h and related timestamp TS from Ξ j R . Hence, the previous value TS −1 , h −1 , h −2 can be replaced with the updated TS , h −1 , h . In the next authentication session with successive RSU, the newly generated TS +1 , h , h +1 will be issued in the same way. The blockchain record h 1 , · · · , h −1 , h , h +1 is maintained by VC and vehicle itself, while the validation processes on successive values of the chain are operated by all of the involved RSUs. With the precise signing information TS −1 , h −1 , h −2 of the encountered RSU on the road, the driving routes of particular vehicle could be securely recorded in a decentralized way. All of these strategies enable the following healthcare monitoring and infection tracking design.

Healthcare Monitoring Strategy
With the preliminary operations introduced in the previous two phases, the healthcare monitoring strategy can be achieved, along with the infection tracking algorithm for COVID-19 pandemic control. The RSUs can be classified into regular RSUs and the checkpoint RSU, as shown in Figure 2. Regular RSU is in charge of vehicular data exchange of conventional VANETs, while the checkpoint RSUs take the responsibility of traffic surveillance and healthcare monitoring particularly.
As for practical scenarios of pandemic control in transportation system, all of the regular RSUs can be selected as the checkpoint if necessary. Extensive modification on RSU hardware is not required, thus any regular RSUs can switch to checkpoint RSU easily. Therefore, effective and reliable healthcare monitoring functionality could be provided to any road sections under emergency situations. Intuitively, the above key management and mutual authentication operations are illustrated in terms of regular RSU, while the healthcare monitoring strategy in this section will be described with the assistance of checkpoint RSU. That is, real time physical status of the passengers in the passing vehicles are monitored, collected, and uploaded to VC at final. Additionally, the driving route information on vehicles will be attached to wearable device of individual passenger. Hence, infection tracking towards suspected persons is available.
We assume that the aforementioned vehicle is approaching the checkpoint RSU in the next (RSU i → RSU i+1 ). At this point, the vehicle possesses the essential chain values TS , h −1 , h sent by the previous RSU i . The blockchain-based key agreement phase is the same as above until the generation of packet TS i 4 , I 1 j , Ξ j R , Φ j . In the assumption of checkpoint RSU, a simple request is attached to the packet and then sent to destinated vehicle in the form of Request, TS i 4 , I 1 j , Ξ j R , Φ j . After validation, the vehicle is then aware of the request for healthcare monitoring towards its passengers.
In our assumption, the passengers in vehicles are considered to be the essential parties for healthcare monitoring in VANETs. Preliminarily, each passenger should register to VC in advance. Hence, the confidential identities set of the registered passengers are issued as {cid 1 , · · · , cid i }, where the distributed cid i is the unique original identity. The identity set {cid 1 , · · · , cid i } for all the legitimate passengers is safely stored in VC server. As for individual passenger, the wearable device, such as smart watch or smart bracelet, is mandatory for medical data measurement and aggregation. Moreover, with the assistance of the intra body area network (intra-BAN) and the connected medical sensors, precise and seamlessly physical data collection can be provided. Notably, each passenger and their corresponded wearable device is assumed to be the same entity with identity cid i .
As mentioned above, in the range of the checkpoint RSU i+1 , the parameters set TS i+1 R is periodically to all devices. Importantly, all of the wearable devices could also acquire the RSU parameters set. Hence, with the same validation and decryption process, the RSU homomorphic encryption key set O i ,h i is then acquired by passenger with cid i , provided that there are n passengers within one vehicle. Note that, for the n devices, the temporary identity tid i is generated as tid i = h(cid i , TS ⊕ i ). Hence, each wearable device delivers the sensitive physical data regarding pandemic control to vehicle in the form of Enc The vehicle then gathers all n packets from different passengers and forwards it to RSU in the form of RSU can then decrypt the identities tid i and medical data from the passengers. If unique patterns are detected, then RSU sends the warning report to VC and request for retransmission. Eventually, the gathered healthcare data, along with the current RSU information ♦ i+1 R , are uploaded to VC and stored for further usage. In the further time, if certain passenger is infected, its historical healthcare record and route information can be retrieved in the VC database, the infection tracking method is accordingly available, which is of great significance for pandemic control.

Security Analysis
In this section, the major security characteristics of the proposed design are discussed, respectively. Moreover, comparisons with the existing methods in terms of the VANET authentication and key management are presented.

Security Discussions
Theorem 1. The authentication process is proven to be correct if and only if the certificates are successfully issued following the device registration and authentication strategy.
Proof of Theorem 1. Initially, the specific vehicle with I j V , k j approaches the regular RSU with original identity set I 1 T , s 1 R . RSU itself issues the public parameter set TS 1 2 , I 1 With the assigned vehicle homomorphic encryption mechanism Enc At this point, the blockchain has not been generated, since it is in the first RSU range. Upon receiving the confirmation message from remote VC, RSU computes h 1 = h TS 1 , ♦ 1 R , where TS 1 denotes the current timestamp, and ♦ 1 R is the identity information of current RSU i . Note that the crucial contents TS 1 , ♦ 1 R is uploaded to VC for chain updating. Only with the delivered acknowledgement message Ack, I j , δ j from VC, the RSU is able to legitimately pass the verification process δ j ? = h 2 I j V , k j j P in vehicle side. Similarly, in the next authentication session of second RSU with I 2 T , s 2 R , the VC hash chain is updated as h 1 , h 2 , where h 2 = h TS 2 , ♦ 2 R , h 1 . Following this way, in the session, RSU is able to deliver the essential information δ j , TS , h −1 , h to vehicle following the vehicle homomorphic encryption process. Note that δ j = h 2 I j V , k j j P holds, Assuming the length of partial secrets k j , j is t, respectively. Hence, the probability to successfully pass the validation process is 1 4 t . The correctness of our design can be proven.

Theorem 2.
Message unlinkability within various RSUs effective range can be achieved. Moreover, dynamic chain updating is performed upon each successful validation.
Proof of Theorem 2. Assuming specific vehicle with route RSU 1 → RSU n is in the i-th RSU domain (i ∈ [1, n]), the vehicle with I j V , k j utilizes the temporary identity I j = h 2 I j V , j P , where the random partial secret key is adopted. Note that the temporary identity varies for different sessions. Furthermore, upon receiving the acknowledgement at final step, the vehicle identity can be updated as I 1 j = h 2 I j , i R s i R P . The delivered packet from RSU is TS i 4 , I 1 j , Ξ j R , Φ j . That is, dynamic vehicle identities are used in the same authentication session, which significantly prevents information eavesdropping and tracing. Unlinkability on the confidential vehicular data during transmission can be provided as well. Additionally, the vehicle does not preserve all of the chain data in storage for the consideration of inherent resource limitation, while the previous chain values denoted as h −2 and h −1 are stored for chain validation and updating. Note that the previous RSU calculates With the constructed homomorphic encryption strategy, the chain values can be managed by each encountered RSU in a decentralized way. Specifically, the vehicle and each RSU share the two successive chain values, while VC preserves the integrated blockchain for further usage.
Theorem 3. Conditional identity privacy preservation for vehicle and RSUs is achieved. Untraceability towards specific vehicle is guaranteed, while the remote VC is capable of retrieving the real identity of certain vehicle under extreme situations.

Proof of Theorem 3.
In the device initialization phase, the registered RSU randomly generates its partial secret key i R ∈ Z * q and periodically extracts the time-oriented anonymous identity I i R as where the random partial secret key set i R , s i R , along with the current timestamp TS i 1 is applied. Similarly, for anonymity protection, the vehicle temporary identity is applied as I j = h 2 I j V , j P and I 1 j = h 2 I j , i R s i R P , respectively. Note that the distinctive identity I j V ∈ {0, 1} * and I i T ∈ {0, 1} * remain hidden all of the time. Each I i R is only effective within a certain time period and will expire periodically. In this way, anonymous identities for both RSUs and vehicles are provided. Privacy preservation property is provided in this way. Meanwhile, the entire block chain regarding driving route and real identity is safely stored in VC. Therefore, VC is able to reveal the original identity of all RSUs or vehicles, which is crucial for detecting and revoking the compromised VANET entities. Accordingly, conditional identity privacy preserving is provided.

Theorem 4.
Replay attacking resistance is provided during the whole authentication process. Reusage of the previous information from past authentication sessions cannot pass the current validation.
Proof of Theorem 4. In the device initialization phase and key agreement phase, the fresh timestamps are widely used in each calculation. Meanwhile, the certificates with all transmitted elements are presented so as to guarantee data integrity. As mentioned above, the RSU public information set is broadcast in the form of TS i where the latest time stamp is included. In the subsequent authentication session, the vehicle calculates the certificate Ξ according to the intermediate values ℵ j , j , which is related to the timestamp TS j 3 . In this case, provided that, in specific moment T A , the adversary A 1 is able to collect z transmitted packets Request, TS l 3 , I l , Υ l , Ξ l V l∈ [1,z] during certain time interval [T H , T C ] (T C < T A ). Intuitively, the probability for Ξ A V to pass the verification is z 2 t , where the length of output Ξ A V is assumed to be t. Therefore, our design has proved to be resistant to replay attack.

Theorem 5.
Certificateless authentication design is deployed in the proposed authentication session. No-repudiation characteristic is provided for vehicles.
Proof of Theorem 5. In the aforementioned device initialization phase, the original identity for vehicle is assigned as I j V , while the assigned secret key k j is safely shared among VC and vehicle. Meanwhile, the vehicle itself randomly generates the partial key j ∈ Z * q and keeps it secret to VC. Therefore, with the characteristics of ECDLP, it is difficult to extract j from the published I j = h 2 I j V , j P or Υ j = j R i . The impersonation towards specific vehicle cannot be accepted by the receiver. Similarly, the RSU partial secret key i R ∈ Z * q is randomly generated by RSU and kept hidden to VC. Therefore, VC does not have full control over the participating vehicles and RSUs. Hence, the certificateless authentication property is provided.

Security Properties Comparison
In this section, the security properties comparison with existing VANETs secure communication is presented. The proposed protocol is compared with the state-of-the-art authentication and key management methods: AKMB [42], IBCPA [7], and EPCBV [43] in order to demonstrate its superiority on security properties. The comparison results presented in Table 3 show that the proposed scheme could meet the desirable security requirements that are introduced in Section 3.6.

Performance Analysis
In this section, the performance of the proposed scheme is discussed, which specifically emphasizes on the crucial properties for resource-limited VANETs environment, such as storage overhead andcomputation cost.

Storage Overhead
In practical environment, the VANET entities, including vehicles and RSUs, are the fundamental units in V2V and V2R wireless communication. Due to the resource restriction, the storage overhead required for the authentication process should be optimized. The state-of-the-art VANETs authentication schemes, including AKMB [42], IBCPA [7], and EPCBV [43] are also analyzed. Hence, the advantages of our scheme on storage overhead can be demonstrated as shown in Figure 3, where the storage cost for individual RSU is presented. Obviously, less storage overhead is required in the proposed scheme.

Computation Cost
In this section, the computation cost of the proposed design is analyzed. The time consumption for authentication in RSU side is discussed in terms of the number of participating vehicles. Note that the complex pairing calculations are not adopted in our design. The comparison results with AKMB [42], IBCPA [7], and EPCBV [43] are presented in Figure 4. Intuitively, less time consumption is required for authenticating process with resource limited vehicles, which proves the performance advantages of our design.

Conclusions
In this paper, emphasizing automotive pandemic control in intelligent transportation system, a practical homomorphic authentication method for healthcare monitoring in cloud-assisted VANETs is developed. In the proposed scheme, medical surveillance and infection tracking towards suspected passengers can be achieved. Our design applies the novel cloud infrastructure with the hybrid medical data acquisition module. Non-contract surveillance towards random vehicles can be remotely conducted by vehicular cloud. Moreover, the decentralized blockchain-based route recording mechanism is enabled, where the accurate and timely route information for each involved vehicle can be securely uploaded and analyzed in VC. The chain updating operations are collaboratively conducted by several decentralized RSU edge entities at a time, so that vehicular data confidentiality is guaranteed. Analysis on the featured security properties and comparison with other schemes prove that our design can meet the practical security requirements. Meanwhile, performance analysis with other studies show its efficiency. With these unique advantages, the proposed design can be utilized for the current COVID-19 pandemic control.