An Anonymous Mutual Authentication Scheme for RFID-Based Transportation System

In traditional transportation, each driver usually relies on their experience to determine an appropriate route, which may shorten the driving time and transport cost. However, this may also lead to a waste of time in traffic jams or due to other problems. In recent years, by introducing Internet of Things technology into the transportation system, traffic condition data can be collected and analyzed in real-time, which makes it easier for drivers to choose appropriate routes. However, the transmitted data may be intercepted or falsified, especially in untrusted public communication channels. Some schemes have been proposed to protect personal data, while they are vulnerable to some known attacks. Therefore, we propose a mutual authentication scheme for session key agreement and information encryption before transmitting personal data. This scheme can correctly identify vehicles and information. The Burrows–Abadi–Needham logic proof and our security discussion demonstrate that this authentication scheme can resist the various known attacks, including de-synchronization, the replay attack and the reader lost attack, which is solved for the first time in this field. Compared with some typical schemes, the performance analysis shows that this new scheme realizes a balance between security and computing costs.


Introduction
With wireless network and sensing technology applied to people's daily routine, various convenient and smart services for people have been developed. For example, by assembling or attaching sensors to household appliances, wearable devices and vehicles [1], the running statuses of items can easily be sensed and controlled without geographical limitations when a user utilizes a phone or tablet to send commands. In vehicle transportation management particularly, this technology plays a very meaningful role for drivers and administrators when they need reliable reports to acquire current vehicle and road conditions in real time and determine the proper traffic route. The occasional traffic event, such as a road accident or road maintenance, may affect some routines and the successive transportation service. Thus, different schemes have been designed to collect and share information about vehicles and roads. These are known as vehicular ad hoc networks (VANETs), which consist of vehicle-to-vehicle communication and vehicle-to-roadside-unit (RSU) infrastructure communication [2]. However, attackers may eavesdrop or falsify communicated messages that are unencrypted or transmitted to a receiver via an unprotected wireless channel. These attacks may result in personal data disclosure and unexpected errors or losses. In one particular scenario, an attacker tries to falsify transactor data for eluding barrier tolls, which may result in the loss of the administrator's
• A new retrieval method is adopted by the server. For solving the aforementioned privacy problem, we design a new retrieval method to assist the server in searching for the authenticated information, which initially allows multiple readers to identify different tags at the same time.
Based on this retrieval method, we can predefine the scope of the tags that each reader recognizes, which is also a method to protect data privacy. That is to say, the reader is only permitted to recognize authorized vehicles.
• An anonymous RFID authentication scheme is proposed for vehicles in a transportation system. To resist attack after losing a reader, the authentication protocol innovatively confirms the legitimacy of a reader's identity. By requiring the reader to update its password periodically, the server can ensure the running condition of the reader after verifying the updated response. Thus, the lost reader cannot be used to attack our protocol and may be nullified. Considering that the tag is limited, the proposed protocol adopts some lightweight operations. In experimental comparisons with related protocols, we prove that the proposed scheme consumes fewer computing and communication resources in relation to tags.

• The new protocol is proven to be secure with the Burrows-Abadi-Needham (BAN) logic [12] proof method and security discussion. Firstly, we employ a formal analysis tool BAN logic to demonstrate the security of key agreement and mutual authentication. Secondly, we discuss that the protocol achieves multiple safety goals, including reader lost resistance, anonymity un-traceability, mutual authentication, forward security, replay attack, and de-synchronization attack resistance. Thirdly, we compare the secure property of our protocol with some related protocols.
Organization: The remainder of this paper is organized as follows. Section 2 surveys some previous work. Section 3 introduces the system architecture and some security goals. In Section 4, we illustrate, in detail, our scheme which contains some initial assumptions, an anonymous authentication protocol, and a reader's password modification. Section 5 presents the formal analysis tool BAN logic and the careful security analysis for the new scheme. Section 6 presents the performance analysis and evaluation of the proposed scheme. Finally, some conclusions are provided in Section 7.

Related Work
With various services growing in VANETs, many issues appear in VANET research. Cooperation in VANETs can share information to improve traffic instructions and entertainment. However, Fuad et al. [13] pointed out that misbehaving vehicles disrupted participant cooperativeness by sharing bogus information, where the misbehaving vehicle may cause a loss of people's lives and properties. An anonymous VANET is considered a privacy-preserving vehicle network. Lu et al. [14] stated that a mechanism based on pseudonymity is insufficient to thwart a tracking attack that may expose the vehicles' privacy. Lu et al. considered that location privacy needs further protection. Shrikant et al. [15] found that VANETs can improve traffic management and are susceptible to security attacks from malicious entities. With RFID deployed in many IoT applications, much attention is focused on security and privacy-preserving schemes based on RFID [16].
The transportation system integrates with RFID and other sensors to transport and dispatch manufacturing materials [17]. The system not only links vehicles and transportation but also brings some issues to them. For instance, the geographic position and identity mark are easily intercepted [18], because these data are frequently transmitted for different services in a public network. To protect personal privacy, Fan et al. [19] proposed a privacy-preserving scheme. However, there is a fatal error for synchronization when looping some steps. To design a proper scheme, we study the related RFID-based works. Pedro et al. [20] proposed an RFID-based system to handle the replay and forgery attack. Later, Liu et al. [21] pointed out that [20] is vulnerable under the imitative and de-synchronization attack [22], which causes the secret to be out of sync in different entities and may interrupt the running protocol. To avoid the de-synchronization attack, Tian et al. [23] presented a protocol to preserve the old and updated key values. Although the replay attack could be resisted in their security analysis, the adversary may still imitate the reader to defraud the tag.
Li et al. [24] considered it inadvisable in the previous works, such as [25], to declare each tag's identity before authenticating each entity in their protocols, which may leak its identity privacy to attackers. Thus, Li et al. proposed a novel authentication notion and three improved protocols based on the bilinear Diffie-Hellman (BDH) problem under different security conditions. However, their protocols, which are designed for some special scenes, are not generic. Later, Chou [26] proposed a protocol based on elliptic curve cryptography (ECC) against usual attacks. However, Zhang et al. [27] pointed out the identity privacy exposure issue in [26] and presented an efficient protocol to overcome that issue. Abughazalah et al. [28] found that an adversary can distinguish a tag from different sessions in [9] and proposed an improved protocol. Xiao et al. [29] considered that the secure hypothesis in [28] is infeasible and the privacy of tags is ignored. Then, Xiao et al. presented a supporting anonymity protocol to resist various attacks in a communication channel. Though these protocols can resist some known attacks, it is hard for the limited passive tags to execute relatively heavy computing operations according to the criterion in [30] and the demand in real-time applications. Thus, many lightweight RFID protocols are proposed and adopted in most RFID systems to reduce the cost of implementation.
Fan et al. [31] gave an RFID-based lightweight protocol for IoT. To reduce the time cost of retrieving and authenticating tags, they presented a cache mechanism to store the recent tag key in their reader. However, in fact, an adversary may attack this protocol after compromising the off-line reader's secrets. Later, Fan et al. [10] summed up the previous works and proposed a new lightweight protocol that has satisfied some necessary security properties. They illustrated a lightweight operation "Cro(x, y)" called "Cross". Actually, "Cro(x, y)" can be seen as a particular function composed of some XOR operations [32]. By analyzing the new protocol, we consider that anonymity and de-synchronization security have not been realized. To be specific, an adversary may obtain the tag's identity and interrupt the secret update through intercepting or modifying the communicating message. To deal with the above problems, we propose a new scheme.

System Model
To protect the private data during the system communication, the new scheme has to mutually identify the system participants and achieve session key updates securely. The participants consist of three types that are the server, RSU/reader, and the recognized OBU/tag.
Server: The server undertakes the duty to initialize some necessary system parameter values for recognizing each participant. In addition, the server has the responsibility to provide enough computing ability and storage resources for reasonable access requests.
RSU/Reader: The RSU is a special reader, employed on the roadside and seen as the intermediate to obtain information from vehicles and the server. It is worth noting that there are two types of readers. One type connects to the server or the recognized vehicles with the insecure wireless channel. The other accesses the server through a wireline communication channel, which can be seen as a reliable connection. In general, we only discuss wireless access for the reader. Every reader has a unique and private password to prove the rightful identity, which is utilized to acquire the server's authorization before access to different information.
OBU/Tag: OBU consists of ample sensors (such as RFID tag, position, speed, acoustic sensor) and is assembled in the recognized vehicle. Here, the RFID tag is used as an identification license and session key calculation participant when a vehicle tries to enter VANETs. Only by passing through the reader's authentication can the vehicle attain shared messages from VANETs and send its traffic condition. Besides, the tag is able to distinguish the faked and rightful messages.

Security Goals
According to the previous research works and Dolev-Yao model [33], an attacker may have the ability to control the wireless channel and launch some attacks that are intercepting, modifying, and even simulating a rightful participant to replay the transmitted messages at will. However, the traffic data is crucial, and an unexpected error may threaten personal property or even life. Thus, we designed this scheme to transmit traffic session data securely. To overcome those attacks, the following security goals are essential.
Anonymity Un-traceability: To protect the recognized vehicle's privacy, our scheme preserves the real identity and prevents attackers from distinguishing whether different session messages come from the same recognized vehicle.
Mutual Authentication: Before providing the required information, the recognized vehicle or server has to verify the reader's reliability. The reader also authenticates the recognized vehicle or server to ensure the integrity and correctness of messages.
Forward Security: To ensure secure communication, the scheme updates the shared key in each new session. In addition, the previously used key cannot be deduced from the current parameters.
Resist Replay Attack: Because previous messages are valid and can be used to defraud the rightful participant, the scheme has to ensure each participant can recognize the replayed messages and resist this attack.
De-synchronization Attack Resistance: In most protocols, some secret parameters are periodically updated to resist the leakage of session secret values. However, an attacker may interrupt this operation. This attack leads to parameters that are out of sync in different participants and failure in a future session. Thereby, our scheme has to resist this attack.
Resist Reader Lost: After losing a reader, an attacker may utilize the reader to collect privacy information before it is nullified. To resist such an attack, precaution is indispensable.

The Scheme
We firstly describe some notations utilized in this scheme and their definitions, that are both shown in Table 1. Then, we illustrate, in detail, the new scheme in three subsections that are the initialization, authentication, and the reader's password updated phase.

Table 1. Symbols used in the scheme.

Symbol            Definition
$id_R$, $id_T$    A reader's identity, a tag's identity
R, T, S           A reader, a tag, a server
$K_{RS}$          Reader's next session key shared with a server
$K_{TS}$          Tag's next session key shared with a server
$N_S$             A number selected randomly by a server
$N_R$             A number selected randomly by a reader
$N_T$             A number selected randomly by a tag
W(y)              Calculate the number of non-zero bits in y
LRot(x, y)        The cyclic left shift W(y) bits operation
Rot(x, y)         The cyclic right shift W(y) bits operation
H()               A secure one-way hash function
⊕                 The exclusive or operation
||                The concatenation operation

Initialization Phase
To recognize reasonable participants, the server S has to initialize some parameters for the system roles. Firstly, the server S establishes two registration parameter tables RegT and RegR, shown in Figure 2 before distributing identities and keys to all tags and readers. Then, the server S allocates a sole identity and key to every tag and reader via some secure channels, respectively.
RegT includes some tuples $(id_{T_i}, \upsilon_i)$ about the corresponding relation of each tag's identity and key. RegR includes some information about each reader's identity $id_{R_i}$ and the related long-term key $C_i$. Every reader has to calculate $C_{pw} = C \oplus H(id_R \| pwd)$ to protect the long-term key C before storing it, where pwd is a pre-generated password for every reader and can be changed for the future. Additionally, the server S needs to encrypt this information with a private key before storing them in the database.
In addition, we define a new retrieval method by utilizing the relation between RegT and RegR. From Figure 2, we can see an arrow from RegR's content $(C_1, id_{R_1})$ to $(\upsilon_1, id_{T_1})$ in RegT, which indicates that the reader $id_{R_1}$ is only permitted to authenticate the tag $id_{T_1}$. The arrow from content $(C_2, id_{R_2})$ to $(\upsilon_i, id_{T_i})$ means that the reader $id_{R_2}$ is able to authenticate these tags from $id_{T_1}$ to $id_{T_i}$. Then, we can alter the reader's ability and the range of information retrieval by predefining the orientation of the arrow. Thus, this method assures that the privacy data are only accessed by the authorized users and distinguishes the security level for different vehicles.

Authentication Phase
(Step 1) The reader selects a random number $N_R$ and sends the message $\{N_R, T_1, Initial\}$ to the tag, where $T_1$ is a timestamp and Initial is a session beginning notification.
(Step 2) The tag first validates the freshness of $T_1$. If the timestamp $T_1$ is overdue, the tag terminates the protocol. Otherwise, the tag randomly selects a number $N_T$. Then, the tag computes . Finally, the tag sends $\{\rho_1, \rho_2\}$ to the reader.
(Step 3) When getting the tag's response, the reader computes $C^* = H(id_R \| pwd) \oplus C_{pw}$, $\Delta_1 = H(C^* \| \rho_1 \| \rho_2 \| N_R \| T_1)$, where $C_{pw}$ and pwd are periodically updated values. Then, the reader sends the message $\{\rho_1, \rho_2, N_R, T_1, \Delta_1\}$ to the server.
(Step 4) After obtaining that message from the reader, the server first checks the freshness of the timestamp $T_1$ and the value of $\Delta_1$ by computing If the message does not reach the server within a predefined threshold or the value of $\Delta_1$ is invalid, the server immediately terminates the current protocol. Otherwise, the server continues to compute $N_T$ . Then, the server searches $id_T^*$ in its registration table RegT in order to verify the tag's identity. When $id_T^*$ is found in RegT, the server randomly generates a number $N_S$ and calculates Finally, the server sends the message $\{\rho_3, \rho_4, \alpha, T_2, \Delta_2\}$ to the reader and inserts a new record $(\upsilon_{new}, id_T^*)$ into RegT.
(Step 5) Upon receiving a response message from the server, the reader first checks whether $T_2$ is fresh. If $T_2$ is fresh, the reader computes the session key $K_{RS} = H(C^* \oplus \alpha \| T_2)$ which is shared with the server. Then, the reader verifies $\Delta_2$ by using the received values and $K_{RS}$ to calculate $\Delta_2^* = H(K_{RS} \| \alpha \| \rho_3 \| \rho_4 \| T_2)$. If the value $\Delta_2^*$ equals $\Delta_2$, that session key $K_{RS}$ is established, and the reader sends $\{\rho_3, \rho_4, T_2\}$ to the tag. Otherwise, the reader terminates the protocol.
(Step 6) After receiving the reader's response message, the tag computes $N_S$ itself, the tag ends this phase. Otherwise, the tag considers that the server and reader are reliable and the session key $K_{TS}$ has been shared with the server. Then, the tag updates $t = T_2 + 1$ and $\upsilon = \upsilon \oplus N_S^*$, which manifests in a new session key being established. After the update, the tag sends a message The reader calculates the cipher $EC = H(K_{RS} \| \rho_5)$ and sends it to the server. When the server obtains EC, it can verify EC by calculating $EC^* = H(K_{RS} \| Rot(N_S^*, K_{TS} \oplus (T_2 + 1)))$ with $K_{RS}$ and $K_{TS}$. If there exists an equation relationship "$EC = EC^*$", it indicates that the server has shared a session key with the reader and tag severally. In this case, the server has to delete old tuples $(\upsilon_i = \upsilon_{new}, id_T^*)$ and update RegT.

Password Updated Phase
Because the reader is installed in an unmanned site, it is inconvenient to check its running condition. We propose a periodically updated password strategy to avoid the failure or loss of a reader. To be specific, the server sends an update order and the encrypted nonce $E_C(N_S)$ to a certain reader. After confirming the update command, the reader preserves the new password $pwd_{new}$ and $C_{pw}^{new}$, . Then, the reader returns $E_{C \oplus N_S}(C \| T_i)$ to the server, where $T_i$ is a timestamp. After passing through the authentication of the server, we consider the reader working normally. It is easy to see that the authentication structure of a reader R is a single-factor mechanism. We can extend single-factor authentication into two-factor authentication by adding an extra XOR operation into $C_{pw}$ to resist password leakage, e.g., we have another factor named pos, which is a position code [34] transformed into the same bit length as $C_{pw}$, and we can calculate $C_{pw} = C_{pw} \oplus C \oplus pos$ to hide the secret information C. In that case, as long as one factor has not been corrupted, the reader's secret is still secure [35,36]. To resist the leakage of secret keys, a leakage-resilient mechanism [37,38] can be introduced into our scheme. However, the resilient key's leakage is beyond the scope of this paper, and we do not expand on it here.

Security Analysis
We firstly employ the logic "Burrows-Abadi-Needham (BAN) [12]" proof tool to demonstrate that our scheme is correct and secure. Further, we discuss the security goals of our authentication protocol in detail. Finally, we present the properties of our protocol in comparison with some typical protocols.

Security Proof
BAN logic is an intuitive and efficient proof tool. We can employ this logic to idealize and model the authentication phase, which forms assumptions and goals. By utilizing some logical belief rules to prove the security goals, we can judge the correctness and mutual authentication security in our scheme.

Notations
Before exploiting the BAN logic, we briefly introduce the following notations utilized in this proof.
• P |≡ X: P believes that a statement X is authentic.
• P |∼ X: P sent the statement X before.
• P X: P once received that statement X.
• P |⇒ X: P has jurisdiction over that statement or a notation X.
• #(X): The statement or notation X that has never been sent is fresh.
• $\{X\}_k$: This statement is obtained by using a secret key k to encrypt X or combining X with a secret value k.
• P Y Q: P only shares the same secret value Y with Q and the others that P or Q believes.
• P $\overset{k}{\leftrightarrow}$ Q: There is a secret key k only known by P and Q.

Rules
To deduce and prove some secure goals, we need to employ the following BAN rules. From the following rules, we can obtain a corollary below when these hypotheses above the horizontal line are satisfied.

Descriptions
According to these messages exchanged in our scheme and the proof procedure of BAN logic, we extract essential parameters and form the idealized description of the authentication phase. Descriptions are shown as follows.
The exchanged messages:

Assumptions
According to the next procedure of BAN logic, we analyze our authentication protocol and present some initial assumptions for the proof phase.

Goals
According to the logic analytic program, it is a necessary step to prove that the protocol achieves the following specific goals before believing the correctness and session security of the proposed scheme.

Proof
The following statements are the detailed process to prove these goals $G_{o1}$, $G_{o2}$, $G_{o3}$, $G_{o4}$, $G_{o5}$, $G_{o6}$. From $R_{u5}$ and (12), we obtain the goal, $G_{o2}$: T |≡ T $N_S$ S and $G_{o3}$: From $R_{u5}$ and (18), we can prove the goal, $G_{o5}$: S |≡ T $\overset{K_{TS}}{\leftrightarrow}$ S and $G_{o6}$: S |≡ R $\overset{K_{RS}}{\leftrightarrow}$ S. After these goals are proved, it means that the mutual authentication security has been achieved and the session is secure.

Security Discussion
To evaluate our scheme, it is necessary to discuss some security and functionality goals in detail. The following analysis illustrates all the realized goals.
Anonymity Un-Traceability (AU): Anonymity is a critical security goal. Without the protection of identity privacy, attackers can find out a certain vehicle or reader by eavesdropping on the wireless signals and collecting more information to analyze the vehicle's or reader's behaviors. Then, attackers may impersonate a legitimate participant to defraud a certain reader or vehicle. To prevent such a tracking attack, both the tag's and reader's anonymity are considered in our scheme. Note that the reader's identity is only used locally, and the unique secret $C^*$ cannot be inferred from the value $\Delta_1$ due to the advantage of the one-way hash function H() and the random number $N_R$, which is different in every session. So, it is hard for the adversary to distinguish and trace a certain reader. For the tag, its identity $id_T$ is never disclosed and cannot be retrieved from the transmitted $\rho_2$ without knowing $N_T$, which is a secret value hidden in $\rho_1$ and changed in each session. Additionally, attackers cannot retrieve $N_T$ from $\rho_1$ without knowing the tag's secret $\upsilon$, which is shared with the server. Thus, tag anonymity is also realized.
Mutual Authentication (MA): In the open environment, some attackers impersonate real participants to cheat other legitimate participants and filch secret information. Thus, it is necessary to confirm the protocol participants' identity before establishing the session key or executing some operations. In this protocol, the server has to authenticate the tag and reader, respectively. Upon receiving the message $\{\rho_1, \rho_2, N_R, T_1, \Delta_1\}$ from the reader, the server searches a value C to calculate $\Delta_{1i}$, where i is the reader's number. If there is an equation $\Delta_{1i} = \Delta_1$, it indicates that the reader's identity is legitimate. Then, the server retrieves $N_T^*$ from $\rho_1$ with the shared secret $\upsilon$ and obtains the tag's identity $id_T^*$ from $\rho_2$. When the tuple $(\upsilon, id_T^*)$ can be matched in RegT, which includes tag identity and the related key, this means that the server authenticates a tag successfully. Meanwhile, the reader can verify $\Delta_2$ to confirm the server's reliability, and the tag can calculate and compare $N_T^*$ with the local $N_T$ to authenticate the server. Therefore, this protocol satisfies the need for mutual authentication.
Forward Security (FS): Even if an adversary illegally gets access to partial or intact secret information that is related to the current session key, she/he is unable to speculate the previous session key, which is named as forward security. In this protocol, the session keys $K_{RS} = H(C^* \oplus \alpha \| T_2)$ and $K_{TS} = N_S^* \oplus N_T^*$ contain different random numbers and timestamps. It is noted that the session key is changed in each new communication and these random numbers are only used in the current session. Thus, it is hard for an adversary to guess the previous keys according to current or past information.
Resist Replay Attack (RA): Attackers may resend some messages to defraud the real authenticator when they collect sufficient communication messages. To deal with the replay attack, we adopt two mechanisms that are timestamps $\{T_1, T_2\}$ and random nonces $\{N_T, N_R, N_S\}$. Assuming an adversary replays the message $\{\rho_1, \rho_2, N_R, T_1, \Delta_1\}$ to the server, it may fail to pass authentication due to the overdue timestamp or random nonces. Even if the replayed message reaches the server within the valid period and the adversary gets a response message, the adversary is still unable to compute the shared session key $K_{RS} = H(C^* \oplus \alpha \| T_2)$ and the confirmation message EC, because the adversary has to know the reader's secret value C to compute $K_{RS}$ and EC. However, the adversary cannot obtain that value C without the reader's password pwd and $C_{pw}$. In addition, the adversary is also unable to impersonate a tag and infer the tag's session key $K_{TS} = N_S^* \oplus N_T^*$ from $\rho_4$ without knowing the secrets $id_T$ and $\upsilon$.
De-Synchronization Attack Resistance (DA): When some participants update some secrets, a kind of attack in which an adversary blocks one part of a session's update is named de-synchronization, which may cause later authentication to fail. In our protocol, if an adversary intercepts $\{\rho_3, \rho_4, T_2\}$, the tag may not update $\upsilon$. So, the server inserts updated content $(\upsilon_{new}, id_T^*)$ into RegT before getting the synchronization acknowledgement EC, to prevent such an attack. To be specific, when the server fails to verify $id_T^*$ with the new content $(\upsilon, id_T^*)$ in the next authentication session, it can try the old content $(\upsilon, id_T^*)$ to verify $id_T^*$. After a successful verification, the server deletes the invalid content $(\upsilon, id_T^*)$ to maintain the consistency of $\upsilon$.
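The key-update handling described above and in Step 6, together with the W, Rot and LRot operations of Table 1, as an added example in Python that is not the authors' code. Assumptions: 128-bit values, SHA-256 for H, the form of ρ5 inferred from the EC* formula, and a `proves` callback standing in for the ρ1/ρ2 identity check, whose formulas are not given on this page.

```python
import hashlib
import hmac
import secrets

BITS = 128                       # assumed bit length of every protocol value
MASK = (1 << BITS) - 1

def W(y):
    """Number of non-zero bits in y (Table 1)."""
    return bin(y & MASK).count("1")

def rot(x, y):
    """Rot(x, y): cyclic right shift of x by W(y) bits."""
    s = W(y) % BITS
    return ((x >> s) | (x << (BITS - s))) & MASK

def lrot(x, y):
    """LRot(x, y): cyclic left shift of x by W(y) bits (undoes rot for the same y)."""
    s = W(y) % BITS
    return ((x << s) | (x >> (BITS - s))) & MASK

def H(*values):
    """H(a||b||...) over fixed-width encodings; SHA-256 is an assumed choice."""
    data = b"".join(v.to_bytes(BITS // 8, "big") for v in values)
    return hashlib.sha256(data).digest()

class Tag:
    def __init__(self, id_T, v):
        self.id_T, self.v, self.t = id_T, v, 0

    def finish(self, N_S, N_T, T2):
        """Step 6 once the server is accepted: K_TS, t = T2 + 1, v = v xor N_S."""
        K_TS = N_S ^ N_T
        self.t = T2 + 1
        self.v ^= N_S
        return rot(N_S, K_TS ^ self.t)      # rho5, form inferred from EC*

class Server:
    def __init__(self):
        self.reg_t = {}      # id_T -> candidate keys, newest first
        self.pending = {}    # id_T -> (K_RS, K_TS, N_S, T2) awaiting EC

    def identify(self, proves):
        """Search RegT, newest key first, then the retained old key.
        proves(id_T, v) stands in for the rho1/rho2 check."""
        for id_T, keys in self.reg_t.items():
            for v in keys:
                if proves(id_T, v):
                    self.reg_t[id_T] = [v]  # delete the invalid candidate
                    return id_T, v
        return None

    def respond(self, id_T, v, N_T, K_RS, T2):
        """Step 4: choose N_S and insert v_new before any acknowledgement arrives."""
        N_S = secrets.randbits(BITS)
        self.reg_t[id_T] = [v ^ N_S, v]
        self.pending[id_T] = (K_RS, N_S ^ N_T, N_S, T2)
        return N_S

    def confirm(self, id_T, EC):
        """EC* = H(K_RS || Rot(N_S, K_TS xor (T2 + 1))); on a match drop the old key."""
        K_RS, K_TS, N_S, T2 = self.pending.pop(id_T)
        ok = hmac.compare_digest(EC, H(K_RS, rot(N_S, K_TS ^ (T2 + 1))))
        if ok:
            self.reg_t[id_T] = self.reg_t[id_T][:1]
        return ok

def session(tag, server, T2, block_reply=False):
    """One run; block_reply=True models {rho3, rho4, T2} never reaching the tag."""
    N_T, K_RS = secrets.randbits(BITS), secrets.randbits(BITS)  # constructed values
    hit = server.identify(lambda i, v: (i, v) == (tag.id_T, tag.v))
    if hit is None:
        return False
    N_S = server.respond(hit[0], hit[1], N_T, K_RS, T2)
    if block_reply:
        return False
    rho5 = tag.finish(N_S, N_T, T2)
    return server.confirm(tag.id_T, H(K_RS, rho5))   # reader: EC = H(K_RS||rho5)

if __name__ == "__main__":
    srv, tag = Server(), Tag(0xA1, 0x1111)           # constructed identity and key
    srv.reg_t[tag.id_T] = [tag.v]
    print(session(tag, srv, 1000), session(tag, srv, 2000, True), session(tag, srv, 3000))
```

After the blocked run the server holds two candidate keys for the tag, and the next run succeeds with the old one before both sides converge on a single new key.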
Resist Reader Lost (RL): If a reader is stolen, an adversary may utilize it to trick the server and filch some secret information. By hiding the essential value $C^*$ in $C_{pw} = C^* \oplus H(id_R \| pwd)$ with identity $id_R$ and password pwd, it is hard for the adversary to guess the right value. Because we do not arrange a mechanism to verify $C^*$ in the reader, the adversary has to guess the lost reader's password on-line. Only if the latest password is used and the protocol is executed honestly may the adversary pass through the server's authentication and get its response. However, the number of failed attempts is limited by the server, which is a method to avoid such an on-line password dictionary attack. Besides, the server periodically sends update orders to a certain reader. If the server does not receive the update response in time, the lost reader may be nullified or removed from rightful RegT.
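The reader-side protection of C from the Initialization Phase, the Δ1 check of Steps 3 and 4, and the server-side controls named above (tag scope per reader, attempt cap, nullification), as an added example in Python that is not the authors' code. Assumptions: SHA-256 for H, length-prefixed concatenation, a 5-second freshness window, a cap of 3 failures counted per hypothetical `link` identifier; all sample values are constructed.

```python
import hashlib
import hmac

def H(*parts):
    """H(a||b||...). SHA-256 and the length prefix on each part are assumptions."""
    h = hashlib.sha256()
    for p in parts:
        h.update(len(p).to_bytes(2, "big") + p)
    return h.digest()

def xor(a, b):
    if len(a) != len(b):
        raise ValueError("operands must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))

def ts(t):
    return t.to_bytes(8, "big")

def protect(C, id_R, pwd):
    """Initialization: C_pw = C xor H(id_R||pwd); the reader stores only C_pw."""
    return xor(C, H(id_R, pwd))

def reader_delta1(id_R, pwd, C_pw, rho1, rho2, N_R, T1):
    """Step 3: C* = H(id_R||pwd) xor C_pw, Delta_1 = H(C*||rho1||rho2||N_R||T1)."""
    C_star = xor(H(id_R, pwd), C_pw)
    return H(C_star, rho1, rho2, N_R, ts(T1))

class Server:
    WINDOW = 5       # assumed freshness threshold for T1, in seconds
    MAX_FAILS = 3    # assumed cap on failed attempts

    def __init__(self):
        self.reg_r = {}   # id_R -> (C, set of id_T the reader may authenticate)
        self.fails = {}   # link -> failures; keying by link is an assumption

    def enroll(self, id_R, C, tags):
        self.reg_r[id_R] = (C, set(tags))

    def nullify(self, id_R):
        """Remove a reader, e.g. one that missed its periodic password update."""
        self.reg_r.pop(id_R, None)

    def in_scope(self, id_R, id_T):
        """Retrieval scope: the arrows from RegR to RegT in Figure 2."""
        return id_R in self.reg_r and id_T in self.reg_r[id_R][1]

    def verify_reader(self, link, rho1, rho2, N_R, T1, delta1, now):
        """Step 4, reader part: the matching id_R, or None on rejection."""
        if self.fails.get(link, 0) >= self.MAX_FAILS:
            return None                                   # attempt cap reached
        if abs(now - T1) > self.WINDOW:
            return None                                   # stale timestamp
        for id_R, (C, _) in self.reg_r.items():
            if hmac.compare_digest(H(C, rho1, rho2, N_R, ts(T1)), delta1):
                self.fails[link] = 0
                return id_R
        self.fails[link] = self.fails.get(link, 0) + 1
        return None

# Constructed sample values; rho1 and rho2 are treated as opaque byte strings.
C1, C2 = bytes(range(32)), bytes(range(32, 64))
RHO1, RHO2, N_R = b"\x01" * 16, b"\x02" * 16, b"\x03" * 16

def demo():
    srv = Server()
    srv.enroll(b"R1", C1, {b"T1"})
    srv.enroll(b"R2", C2, {b"T1", b"T2"})
    C_pw = protect(C1, b"R1", b"pw-2024")
    good = reader_delta1(b"R1", b"pw-2024", C_pw, RHO1, RHO2, N_R, 1000)
    bad = reader_delta1(b"R1", b"guess", C_pw, RHO1, RHO2, N_R, 1000)
    out = [srv.verify_reader("a", RHO1, RHO2, N_R, 1000, good, now=1002)]
    out += [srv.verify_reader("b", RHO1, RHO2, N_R, 1000, bad, now=1002)
            for _ in range(3)]                            # three wrong passwords
    out.append(srv.verify_reader("b", RHO1, RHO2, N_R, 1000, good, now=1002))  # capped
    out.append(srv.verify_reader("a", RHO1, RHO2, N_R, 1000, good, now=1100))  # stale
    srv.nullify(b"R1")
    out.append(srv.verify_reader("a", RHO1, RHO2, N_R, 1000, good, now=1002))  # removed
    return out

if __name__ == "__main__":
    print(demo())
```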

Property Comparison
This section compares the properties of some typical schemes [9,10,28,29] with our authentication phase (AP). Table 2 shows the comparison, where " " indicates this property is satisfied, while the symbol "×" means this property is unfulfilled.
From Table 2, we can see that MA and DA are both achieved in [9,28,29] and AP. However, [29] only satisfies partial MA between the tag and reader. Compared to other schemes, the server and reader cannot be authenticated by each other. The authors in [9,28,29] fail to satisfy the FS and RA properties simultaneously. However, FS and RA are vital for authentication key agreement protocol to establish some secure session keys. When these properties are absent, the attacker may illegally speculate some secret information from previous messages by deducing the old session key with some corrupted keys. Though [29] simultaneously achieves the MA and RA properties, it is still unable to protect personal privacy. Because the tag keys are all preserved in the server, and MA between the reader and server is absent, an honest server is unable to confirm the validity of a reader. After corrupting the reader successfully, an adversary may imitate a rightful reader and steal the tag's privacy data, which may not be detected.
We also find that MA, FS, and RA are achieved in the lightweight protocol [10] except for AU, DA, and RL. Though [10] deems that the properties AU and DA are satisfied, it fails to preserve the identity of the tag and update the session key. Due to a design defect, an adversary can extract a tag's identity and even the current key from the authentication message by a simple exclusive or operation. Besides, an adversary may utilize a lost reader to pass validation and collect private information before it is declared invalid when the feature RL is absent. Compared with the aforesaid protocols, our authentication protocol (AP) can guarantee AU, MA, FS security and prevent RA, DA, RL attacks. That is our secure property advantage.

Performance Analysis And Evaluation
We first compare our authentication phase (AP) with some typical schemes [9,10,28,29] in the aspect of computation, storage, and communication cost. Then, we conduct a simulated performance evaluation for the new scheme.

Performance Analysis
Computing complexity analysis: Table 3 shows the time of different operations or functions that are utilized in each participant. "$T_H$" represents the time to execute a secure one-way function. "$T_N$" is the time to generate a number randomly. "$T_{E/D}$" is the symmetric encryption or decryption time. "$T_{Cro}$" is the time of a cross mixing operation which is defined in the paper [10]. Because the computing complexity of "H" is far higher than other functions, it is more significant for us to focus on the amount of "$T_H$". From Table 3, it is apparent that [9,28,29] may consume more time and energy resources than AP, for the reason that more "H" and other operations have to be executed in comparison to AP. However, in fact, we know the tags' power is limited relative to their readers. It is inefficient and unwise for the tag to execute many complex computations, especially in some scenarios of timeliness. We also pay attention to the number of operations in the tag. Therefore, some lightweight operations are adopted in the tag of AP. From Table 3, it appears that [10] and AP are both efficient when some lightweight operations are utilized in their tags. However, [10] has to handle more operations on their readers than AP. In AP, the computation cost of its reader is five times H and an N for the message authentication, which is less than [9,28,29]. Thus, AP is lightweight and efficient.

Storage complexity analysis: In Table 4, the symbol $\iota$ is the average length of these notations utilized in our scheme and the compared schemes. Additionally, the length of these notations is considered the same. We compare the storage cost of different schemes on the tag and reader, respectively, where that cost is the static storage space occupied in the reader or tag. In AP, the secret values $id_T$, $\upsilon$ and the timestamp T of the last session are preserved in the tag, and the reader preserves $id_R$, $C_{pw}$ in its storage space. Therefore, the storage cost on the tag is $3\iota$, and that on the reader is $2\iota$. Similarly, in the compared schemes, the tag or reader also has to preserve its identity and some secret values for future authentication and next key agreement. Table 4 displays the storage comparison. The storage cost of AP is almost no different from the compared schemes. We can find that the tag's storage cost is $3\iota$ in [9,29] and AP, which is slightly greater than that in [28,29]. That is because [9,29] and AP need an extra value to achieve de-synchronization or replay attack resistance except storing the tag's identity and keyword. Indeed, therefore, their schemes reach that resistance.

Performance Evaluation
To get an accurate performance evaluation, we utilize the C programming language to simulate our scheme on a personal computer with the Win8.1 operating system, an Intel(R) Core(TM) i5-5200U CPU @ 2.19GHz, 8G RAM, and a Visual C++ 6.0 testbed. Figure 4 presents the time cost of executing the new scheme and compared schemes. The horizontal axis indicates the number of recognized tags. The vertical axis indicates the total computation time cost of processing the authentication and key agreement phase for each scheme. From the figure, we can see that the consumed time appears to have linear growth as the number of recognized tags increases. The time cost of [9,10] is larger than other schemes for the reason of heavy computation and communication. The consumed time of AP is obviously less than [9,10,28,29]. When the number of recognized tags is 60 and 80, this excellent performance is the most intuitive. Therefore, our scheme is efficient and suitable for the vehicle identification scene.

Conclusions and Future Work
In this paper, we survey some privacy issues of VANETs and discuss the previous work. Then, we put forward an anonymous RFID authentication scheme for VANETs. This scheme can resist different attacks and establish session keys securely. In this scheme, we also exhibit a new retrieval method that permits multiple readers to access different tags in the same authentication scope. Additionally, security analysis proves that secure goals are fulfilled. Finally, the performance comparison shows that our protocol is efficient and suitable for the limited tags. However, there is a limitation that must be discussed in the next work. The limitation is that the proposed retrieval method has to be implemented on a trusted server or third party. Otherwise, an adversary may collude with a semi-trusted party to confirm and steal private information through some corrupted readers. Though our scheme can resist the lost reader attack, the values stored in the lost reader are still a threat before the lost reader is nullified. So, in future work, we have to design a mechanism to avoid the collusion attack and value leakage under a semi-trusted server.