Privacy Protection Scheme for the Internet of Vehicles Based on Private Set Intersection

Abstract

Performing location-based services in a secure and efficient manner that remains a huge challenge for the Internet of Vehicles with numerous privacy and security risks. However, most of the existing privacy protection schemes are based on centralized location servers, which makes them all have a common drawback of a single point of failure and leaking user privacy. The employment of anonymity and cryptography is a well-known solution to the above problem, but its expensive resource consumption and complex cryptographic operations are difficult problems to solve. Based on this, designing a distributed and privacy-secure privacy protection scheme for the Internet of Vehicles is an urgent issue for the smart city. In this paper, we propose a privacy protection scheme for the Internet of Vehicles based on privacy set intersection. Specially, using privacy set intersection and blockchain techniques, we propose two protocols, that is, a dual authentication protocol and a service recommendation protocol. The double authentication protocol not only ensures that both communicating parties are trusted users, but also ensures the reliability of their session keys; while the service recommendation protocol based on pseudorandom function and one-way hash function can well protect the location privacy of users from being leaked. Finally, we theoretically analyze the security that this scheme has, i.e., privacy security, non-repudiation, and anti-man-in-the-middle attack.

1. Introduction

Traffic congestion and road accidents are becoming increasingly severe with the increasing number of vehicles. It has caused great potential threats to their privacy, property, and even their lives. However, with the development of new generation mobile communication technologies, location-based services on the Internet of Vehicles (IoV) have become popular, which have alleviated the above problems to some extent and brought great convenience to people in their lives, such as carpooling [1,2], Ride-hailing [3,4,5], navigation [6,7] and finding parking spaces [8,9]. Unfortunately, however, it still poses a certain level of security threat to people. For example, the data traffic generated during data interaction can be analyzed by hackers to get the rest of the user’s sensitive information [10,11,12].

Most of the existing privacy protection schemes for the IoV generally adopt a centralized location server, which then performs location-based services via user-initiated location service queries. However, such schemes suffer from shortcomings such as single points of failure and user privacy leakage. Based on this, some scholars have tried to secure the privacy of the IoVs in other ways, and blockchain technology is a good way to do this.

Blockchain is a distributed network that can secure privacy in the IoV with hash functions and cryptography, and is not tampered with, and also supports the traceability of vehicle information. Existing blockchains can be divided into two categories, public and federated, depending on whether they require licensing authority. Where a public chain is a fully decentralized blockchain system that does not require a trusted center for maintenance, a federated chain is a partially decentralized or polycentric blockchain system. With the emergence of blockchain technology, some scholars have tried to combine blockchain technology with the IoV, and many schemes have been proposed [13,14,15]. However, since the public chain-based privacy protection scheme requires a consensus mechanism for inter-node maintenance, it runs slower compared to the federation chain-based privacy protection scheme.

Another issue that needs our attention is that privacy protection schemes based on anonymous, complex cryptographic algorithms can protect the privacy and security of users, but they consume enormous resources. Can we use the existing fundamental knowledge to propose a novel privacy protection scheme for vehicular networks? For this, we invoke the privacy set intersection (PSI). PSI is a specific problem in secure multi-party computation that allows participants to input private sets and jointly compute the intersection of private sets without revealing any information beyond the intersection. PSI-based privacy protection schemes can perform location-based services while protecting user privacy [16]. Nevertheless, it is still a great challenge to get a good application in the highly flexible and scalable vehicular networks.

1.1. Motivations

Existing privacy protection schemes for the IoV are difficult to protect users’ identity and location privacy in a privacy-secure manner. The main objective of this paper is to propose a privacy protection scheme for the IoV based on private set intersection, and to analyze the security of the proposed scheme from a theoretical point of view.

1.2. Contributions

To address the privacy and security issues in the IoV as much as possible, this paper proposes a privacy protection scheme for the IoV based on privacy set intersection. The legitimate user in the scheme completes the location-based service by initiating a query for the location-based service. In this process, no additional personal information of the user is disclosed and no large and complex cryptographic operations are required.

Below, we conclude our main contributions as follows.

1.

Privacy Security: This scheme can effectively protect the privacy and security of users from privacy and security threats caused by man-in-the-middle attacks.

2.

Dual Authentication Protocol: The dual authentication protocol based on PSI can achieve dual guarantees: First, it ensures that both communicating parties have registration certificates issued by the trusted authority (TA) and are trusted users. Second, it ensures that both communicating parties have established secure and reliable session keys in the process.

3.

Collaborative Recommendation of Location Services: Based on pseudorandom functions and secure one-way hash functions, we propose a privacy-secure PSI-based collaborative recommendation location service protocol. It can well protect the privacy and security of users without requiring large computational overhead and complex cryptographic algorithms.

4.

Distributed Storage of Transaction Information: We construct a private blockchain formed by the location service provider (LSP) and record service recommendation information in its transaction ledger to reduce LSPs’ storage costs.

1.3. Organization

The rest of this paper is organized as follows. We present the related work in Section 2, the scheme model and design goals in Section 3, some preparatory knowledge in Section 4, the main location privacy protection scheme in Section 5, the security analysis of our scheme and its comparison with existing schemes in Section 6, the performance analysis of our scheme and its comparison with existing schemes in Section 7, and finally a summary of the full paper in Section 8.

2. Related Work

We divided the related work into two main categories: authentication and privacy protection on the Internet of Vehicles.

2.1. Authentication

The IoVs refer to the all-around network connection of vehicles and people, vehicles and vehicles, vehicles and roads, and vehicles and service platforms with the help of a new generation of mobile communication technology, thus providing better location-based services for people. However, there are a number of factors that threaten people’s privacy and security in this process. On the one hand, there exist certain devices that are vulnerable to attacks by malicious users, such as Road Side Units (RSU). If the RSU is attacked by a malicious user, it may tamper with the information received or sent by the vehicle, thus causing irreversible damage to the user. On the other hand, the Internet of Vehicles is highly dynamic and its devices are deployed in the open domain, which makes it vulnerable to various attacks such as surveillance and remote intrusion. To avoid the above attacks, scholars have proposed many different authentication protocols for the Internet of Vehicles. And identity authentication schemes can be traced back to the first identity-based authentication scheme proposed by Shamir in 1985 [17]. Subsequently, scholars have proposed an increasing number of authentication schemes based on vehicular networks [18,19,20,21,22,23,24,25,26].

Gupta et al. [18] proposed a blockchain-enabled game theory-based authentication mechanism. Specially, they also proposed a three-layer multi-trusted authorization solution that supports cross-region authentication of vehicles with almost no communication delay. Wu et al. [19] proposed an authentication protocol based on symmetric encryption and fog computing in the Internet of Vehicles. Specially, they also proposed a four-layer architecture to reduce the computational burden of cloud servers. Using bilinear mapping and a one-way hash function, Sikarwar et al. [20] proposed an efficient and lightweight batch verification scheme. Compared with the single message verification, they claim that their scheme has better security and efficiency. Zhang et al. [21] proposed a trust platform module (TPM)-based conditional privacy-preserving authentication protocol. In this protocol, they used bilinear mapping to accelerate the process of authentication of messages by entities in the Internet of Vehicles. Considering some resource-constrained mobile devices, Jan et al. [22] proposed a secure and efficient lightweight, and anonymous authentication and key establishment scheme which is applicable to “Vehicle to Vehicle (V2V)” and “Vehicle to RSU (V2R)”. For forensic services on the Internet of Vehicles, it is critical to ensure data privacy of vehicles and the efficiency of data transfer between vehicles. Therefore, Zhang et al. [23] proposed a lightweight conditional anonymous authentication scheme for forensic services in IoV. Considering the vulnerability of onboard sensors of unattended vehicles to physical attacks, Jiang et al. [24] proposed a physically secure authentication and key exchange protocol using physical unclonable function. However, Ahmim et al. [25] argued that the scheme of Jiang et al. [24] has drawbacks such as a lack of message confidentiality. Based on this, Ahmim et al. [25] proposed some solutions and improved the security of the scheme of Jiang et al. [24]. Zhao et al. [26] proposed a federated learning collaborative authentication protocol for shared data. It can effectively protect user privacy and prevent data leakage.

2.2. Privacy Protection

The privacy security of users plays a very important role in the development of the Internet of Vehicles. Therefore, scholars have proposed many privacy protection schemes for the Internet of Vehicles based on anonymity and cryptography technologies, among which blockchain, as a distributed technology, has been continuously applied to privacy protection schemes on the Internet of Vehicles with the needs of application scenarios.

2.2.1. Anonymity

K-anonymity is a common approach in privacy-preserving schemes for the Internet of Vehicles. K-anonymity can be traced back to the work proposed by Sweeney in 2002 [27], but the first application to vehicular privacy protection was by Gruteser et al. [28]. And in order to be able to satisfy the level of privacy protection required by users, Kido et al. [29] proposed the first scheme to generate anonymous sets for users in the form of generated dummy users. However, this scheme suffers from unreliable dummy user data and the communication overhead increases as the number of dummy users increases. To solve the problem of unreliable virtual user data, scholars have proposed different K-anonymity based privacy preserving schemes for the Internet of Vehicles [30,31,32,33,34].

Sun et al. [30] proposed a region-of-interest division-based algorithm to preserve the location privacy of users. Specially, after considering the semantic location information, they also proposed an approach to generate dummy locations based on entropy, which can generate safe and secure dummy locations that do not contain the real location information of users. Considering frequent regions and time reachability, Liu et al. [31] proposed frequency-aware dummy-based method to the location privacy of users, which ensures that the generated dummy locations are as safe and reasonable as possible. Niu et al. [32] proposed a dummy-based privacy protection scheme for continuous location based services (LBSs). Especially, after considering factors such as time-sensitive side information, they proposed a dummy filtering algorithm to ensure that the dummy locations are realistic and reliable. Ni et al. [33] proposed an anonymous entropy-based location privacy protection scheme in mobile social networks. According to the population distribution method, the scheme contains two algorithms: an anonymous region constructing algorithm based on kd-trees in densely populated regions (K-DDCA) and an anonymous region constructing algorithm based on kd-trees in sparsely populated regions (K-SDCA). To ensure the validity, uncertainty and dispersion of virtual location, Xu et al. [34] proposed a location privacy-preservation method based on dummy locations under road restriction.

2.2.2. Cryptography

Due to the ability to provide higher quality of service and its communication overhead does not increase linearly with the number of users, cryptography-based privacy-preserving schemes for the Internet of Vehicles have numerous applications in carpooling [35,36] and hailing [37,38,39,40].

In view of the centralization problem existing in the traditional carpooling schemes, Li et al. [35] proposed an efficient and privacy-preserving carpooling scheme using blockchain-assisted vehicular fog computing. Using attribute-based proxy re-encryption, Wang et al. [36] proposed a secure ride-sharing scheme based on a consortium blockchain. All of their schemes ensure data security.

While online ride-hailing services bring a convenient way for people to travel, the privacy concern is also highly raised. Based on this, using somewhat homomorphic encryption, Yu et al. [37] proposed an efficient and privacy-preserving ride matching scheme for Online Ride Hailing services. Specially, they also proposed an efficient exact shortest road distance computation approach over encrypted data. And by this approach, they can find the taxi with the minimum road distance to serve a rider. Using paillier cryptosystem, Huang et al. [38] proposed a privacy-preserving online ride-sharing matching scheme. It also supports privacy-preserving ride-sharing between multiple riders. Using elliptic curve cryptosystem and digital signature technology, Wang et al. [39] proposed a blockchain-based anonymous ride-hailing scheme for autonomous taxi network. Using somewhat homomorphic encryption, Ma et al. [40] proposed a privacy-preserving cross-zone ride-matching scheme.

3. Problem Statement

3.1. System Model

The system model of this scheme consists of trusted authority (TA), road side unit (RSU), requesting users ($R{U}_i$), collaborating users ($C{U}_j$), and location service provider (LSP) which are depicted in Figure 1.

1.

TA: A trust center, mainly responsible for user registration, generation of system private key $sk$, system public key $pk$ and system parameters $params$.

2.

LSP: A location service provider, which is the core component of this paper, is primarily responsible for the maintenance of the blockchain.

3.

RSU: A roadside infrastructure is installed on both sides of the road with some computing and storage capacity, mainly responsible for message forwarding, functional verification, and PSI operations.

4.

$R{U}_i$: Users who initiate location service queries.

5.

$C{U}_j$: Users who respond to a location service query.

The key notations are listed in

Table 1. Symbol description.

Symbol	Description
$\lambda ,\kappa ,p$	Security parameter, prime number
$\mathbb{G}{}_1,\mathbb{G}{}_2,g_1$	Cyclic group, generator
e	Bilinear mapping
$H_1,H_2,H_3,H_4$	Hash function
$C_{TA}$	certificate of registration
$pk,sk$	The system public key and private key
$params$	The public parameter
$i{d}_{TA}$	The identity of TA
$i{d}_i$	The identity of user ($R{U}_i$ and $C{U}_j$)
$s{k}_{i,1},s{k}_{i,2},p{k}_{i,1}$	The user’s private key and public key
$F_{\kappa }$	Pseudorandom function
$PSI(X,Y)$	PSI operation of X and Y
$SK$	Session key
M	Service content
$En{c}_{SK}\left(\right)$, $De{c}_{SK}\left(\right)$	Encryption and decryption algorithm with SK

.

3.2. Threat Model

The main security threats to this scheme originate from the following components.

1.

Most of the requesting users are honest and trustworthy, and will send real and reliable location service queries. However, a small percentage of requesting users will upload false location service queries or repeatedly initiate queries multiple times within a short period of time, thus reducing system security and query efficiency.

2.

Most of the collaborative users are honest and trustworthy, and will generate true and reliable location service responses based on their historical experience, background knowledge. However, there exists a small percentage of collaborative users who will generate false service responses, thus reducing service efficiency.

3.

A typical vulnerable attack during the communication between two parties is the man-in-the-middle attack, where a malicious user can perform acts such as wiretapping and forging messages during the communication between two parties.

4.

Security threats due to physical factors are not considered.

3.3. Design Goals

The design goals of this scheme have the following main parts.

1.

Identity Privacy: The user’s identity information is anonymous to other users, RSUs and LSPs during the registration, authentication and service query process.

2.

Location Privacy: Users’ location information must be protected from remaining malicious users who may obtain it in an undisclosed manner and derive the rest of the user’s sensitive information from it.

3.

Route Privacy: The user’s route information is known only to him/herself, and it is difficult for the rest of the users to infer the user’s route from the available information.

4.

Non-Repudiation: No user can repudiate the act of sending a message and the content of the message. TA can reveal the identity of users who have malicious behavior.

5.

Anti-Man-in-the-Middle Attack: No man-in-the-middle attacks from malicious users during the communication between the two parties.

4. Preliminaries

In this section, we briefly revisit elemental techniques that are used to support the construction of the proposed scheme. These include bilinear pairing, the problem of collusion attack algorithm with k traitors (k-CAA), and private set intersection.

4.1. Bilinear Pairing

Assume ${\mathbb{G}}_1,{\mathbb{G}}_2$ are cyclic groups of prime order p, where $g_1$ is a generator in ${\mathbb{G}}_1$. Let $e:{\mathbb{G}}_1\times {\mathbb{G}}_1\to {\mathbb{G}}_2$ be a bilinear pairing if the following conditions are satisfied.

1.

Bilinearity: for all $z_1\in {\mathbb{G}}_1,z_2\in {\mathbb{G}}_2$ and $w_1,w_2\in {\mathbb{Z}}_P^{*}$, $e\left(w_1{z}_1,w_2{z}_2\right)=e{\left(z_1,z_2\right)}^{w_1{w}_2}$.

2.

Non-degeneracy: $e\left(g_1,g_1\right)\ne 1$.

3.

Computability: for all $z_1\in {\mathbb{G}}_1$ and $z_2\in {\mathbb{G}}_2$, $e\left(z_1,z_2\right)$ is efficiently computable.

4.2. k-CAA Problem

For any integer k and $s\in {\mathbb{Z}}_P^{*}$, $g_1\in {\mathbb{G}}_1$, given $\left\{v_1,\dots ,v_k\in {\mathbb{Z}}_p^{*},g_1,s{g}_1,\frac{g_1}{s+v_1},\dots ,\frac{g_1}{s+v_k}\right\}$, compute $\left(v,\frac{g_1}{s+v}\right)$, where $v\in {\mathbb{Z}}_p^{*}$ and $v\notin \left\{v_1,\dots ,v_k\right\}$.

4.3. Private Set Intersection

PSI means that the participants input the private set and jointly compute the intersection of the private set without revealing any information other than the intersection. And the most popular PSI scheme is the PSI scheme based on oblivious pseudo-random functions (OPRF-Based PSI), as shown in Figure 2.

1.

Sender holds the set $Y=\left\{y_1,\dots ,y_n\right\}$, Receiver holds the set $X=\left\{x_1,\dots ,x_n\right\}$, $k_i$ is Sender’s private key, and F is an oblivious pseudo-random function.

2.

Receiver sends $x_i\in X$ to OPRF. Then OPRF generates $k_i$ and $F\left(k_i,x_i\right)$ and sends them to Sender and Receiver respectively.

3.

When receiving $k_i$, Sender computes $F\left(k_i,y_1\right),\dots ,F\left(k_i,y_n\right)$ and sends it to the Receiver.

4.

When receiving $F\left(k_i,y_1\right),\dots ,F\left(k_i,y_n\right)$ from Sender, Receiver contrasts $F\left(k_i,x_i\right)$ with $F\left(k_i,y_j\right)$, and then generates the PSI results for Sender and Receiver.

In Section 5.4, we construct a dual authentication protocol using PSI techniques and define a notation, i.e., $PSI\left(X,Y\right)$, which indicates that the PSI result of the set X and Y is $PSI\left(X,Y\right)$. For this, we make the following rules.

$$PSI\left(X,Y\right)\leftarrow \left\{\begin{array}{cc}1,\hfill & PSI\left(X,Y\right)=X=Y,\\ 0,\hfill & Otherwise.\hfill \end{array}\right.$$

(1)

If Sender and Receiver have the same set, i.e., $PSI\left(X,Y\right)=X=Y$, then we make $PSI\left(X,Y\right)\leftarrow 1$; otherwise we make $PSI\left(X,Y\right)\leftarrow 0$.

5. The Proposed Scheme

5.1. Overview

The scheme consists of the following parts: system initialization, user registration, dual authentication, service query (response), service recommendations and service transactions. The flow of the scheme is shown in Figure 3. Specifically, In (i), each user (requesting user and collaborating user) registers with the TA and generates the corresponding public-private key pair. In (ii), each user to be communicated authenticates with each other and generates a temporary session key. In (iii), the requesting user initiates a service request (and the collaborating user generates a service response) and sends it to the RSU. In (iv), the RSU performs signature verification of the requesting user (or collaborating user) and generates the corresponding service recommendation for the requesting user. Finally, in (v), the requesting user and the collaborating user establish a communication channel to complete the service recommendation.

5.2. System Initialization

Given a security parameter $\lambda$, the TA generates two cyclic groups ${\mathbb{G}}_1,{\mathbb{G}}_2$ of prime order $p\left(p\ge 2^{\lambda }\right)$ and chooses a bilinear pairing $e:{\mathbb{G}}_1\times {\mathbb{G}}_1\to {\mathbb{G}}_2$, where $g_1$ is a generator in ${\mathbb{G}}_1$, and $g_2=e\left(g_1,g_1\right)$. The TA chooses three hash functions $H_1:{\left\{0,1\right\}}^{*}\to {\mathbb{Z}}_p^{*}$, $H_2:{\mathbb{Z}}_p^{*}\times \mathbb{G}{}_1\to {\mathbb{Z}}_p^{*}$, $H_3:{\left\{0,1\right\}}^{*}\to {\left\{0,1\right\}}^{\kappa }$, and $H_4:{\left\{0,1\right\}}^{*}\times {\mathbb{Z}}_p^{*}\to {\{0,1\}}^l$. Next, the TA chooses $s\in {}_R{\mathbb{Z}}_p^{*}$, computes $h_1=s{g}_1$ and generates a user’s certificate of registration $C_{TA}=H_1{\left(i{d}_{TA}\right)}^s$. Finally, the public key is $pk=h_1$, the private key is $sk=s$, and the public parameters is $params=\left\{\mathbb{G}{}_1,\mathbb{G}{}_2,g_1,g_2,e,p,pk,H_1,H_2,H_3,H_4\right\}$.

5.3. User Registration

Each user $i{d}_i$ ($R{U}_i$ and $C{U}_j$) must register with the TA and generate their own public-private key pair, specifically.

1.

The user $i{d}_i$ chooses $s{k}_{i,1}\in {}_R{\mathbb{Z}}_p^{*}$, computes $p{k}_{i,1}=g^{s{k}_{i,1}}$ and sends $\left(p{k}_{i,1},H_1\left(i{d}_i\right)\right)$ to TA via a public channel.

2.

When receiving $\left(p{k}_{i,1},H_1\left(i{d}_i\right)\right)$ from user $i{d}_i$, TA performs the following operations.

• Compute $s{k}_{i,2}=\frac{1}{s+H_1\left(i{d}_i\right)}{g}_1$.
• Choose ${\xi }_1,{\xi }_2\in {}_R{\mathbb{Z}}_p^{*}$, and compute $\left(h_2,h_3\right)\leftarrow \left(g^{{\xi }_1},g^{{\xi }_2}\right)$.
• Finally, send $\left(s{k}_{i,2},h_2,h_3,C_{TA}\right)$ to user $i{d}_i$ via a secure channel.

5.4. Dual Authentication

In this part, $R{U}_i$ and $C{U}_j$ verify each other and agree on a temporary session key.

1.

$R{U}_i$ randomly chooses a security parameter $\kappa$ for pseudorandom function (PRF) and a number $\alpha \in {}_R{\mathbb{Z}}_p^{*}$. $R{U}_i$ computes

$$\left\{\begin{array}{c}{R}_0=g_1^{\alpha }\left(modp\right),\hfill \\ R_1=\alpha \left(pk+g_1·H_1\left(i{d}_i\right)\right),\hfill \\ R_2=\frac{1}{\alpha +H_2\left(C_{TA},R_1\right)}·s{k}_{i,2},\hfill \\ R_3=H_3\left(C_{TA}\Vert R_0\Vert R_1\Vert R_2\right)\oplus \left(\kappa \right).\hfill \end{array}\right.$$

(2)

Then $R{U}_i$ sends $\left(R_0,R_1,R_2,R_3\right)$ to $C{U}_j$ via public channel.

2.

When receiving $\left(R_0,R_1,R_2,R_3\right)$ from $R{U}_i$, $C{U}_j$ verifies

$$e\left(R_2,R_1+H_2\left(C_{TA},R_1\right)\left(pk+g_1·H_1\left(i{d}_i\right)\right)\right)\stackrel{?}{=}{g}_2.$$

(3)

If the verification is correct, $C{U}_j$ chooses a number $\beta \in {}_R{\mathbb{Z}}_p^{*}$ and computes

$$\left\{\begin{array}{c}\kappa =R_3\oplus H_3\left(C_{TA}\Vert R_0\Vert R_1\Vert R_2\right),\hfill \\ C_0=g_1^{\beta }\left(modp\right),\hfill \\ C_1=\beta \left(pk+g_1·H_1\left(i{d}_i\right)\right),\hfill \\ C_2=\frac{1}{\beta +H_2\left(C_{TA},C_1\right)}·s{k}_{i,2},\hfill \\ C_3=R_0^{\beta },\hfill \\ C_4=H_3\left(F_{\kappa }\left(C_{TA},C_3\right)\right).\hfill \end{array}\right.$$

(4)

Then $C{U}_j$ sends $\left(C_0,C_1,C_2,C_4\right)$ to $R{U}_i$ via public channel.

3.

When receiving $\left(C_0,C_1,C_2,C_4\right)$ from $C{U}_j$, $R{U}_i$ verifies

$$e\left(C_2,C_1+H_2\left(C_{TA},C_1\right)\left(pk+g_1·H_1\left(i{d}_i\right)\right)\right)\stackrel{?}{=}{g}_2$$

(5)

If the verification is correct, $R{U}_i$ computes $R_4=C_0^{\alpha }$, $R_5=H_3\left(F_{\kappa }\left(C_{TA},R_4\right)\right)$ and performs a intersection operation on $\left(R_5,C_4\right)$. If $PSI\left(R_5,C_4\right)\leftarrow 1$, i.e., $PSI\left(R_5,C_4\right)=R_5=C_4$, this indicates that $C{U}_j$ and $R{U}_i$ have the same registration certificate $C_{TA}$ issued by TA and generate a secure and reliable session key $SK=C_3=R_4$, and indicates that $C{U}_j$ is a reliable user. Then $R{U}_i$ sends $R_5$ to $C{U}_j$ via public channel; otherwise, interrupt process.

4.

When receiving $R_5$ from $R{U}_i$, $C{U}_j$ performs a intersection operation on $\left(C_4,R_5\right)$. If $PSI\left(C_4,R_5\right)\leftarrow 1$, i.e., $PSI\left(C_4,R_5\right)=C_4=R_5$, this indicates that $R{U}_i$ and $C{U}_j$ have the same registration certificate $C_{TA}$ issued by TA and generate a secure and reliable session key $SK=R_4=C_3$, and indicates that $R{U}_i$ is a reliable user; otherwise, interrupt process.

The proof of correctness of the Equations (3) and (5) are demonstrated as shown below.

$$\begin{array}{c}e\left(R_2,R_1+H_2\left(C_{TA},R_1\right)\left(pk+g_1·H_1\left(i{d}_i\right)\right)\right)\hfill \\ =e\left(\frac{1}{\alpha +H_2\left(C_{TA},R_1\right)}·s{k}_{i,2},\alpha \left(pk+g_1·H_1\left(i{d}_i\right)\right)+H_2\left(C_{TA},R_1\right)\left(pk+g_1·H_1\left(i{d}_i\right)\right)\right)\hfill \\ =e\left(\frac{1}{\left(\alpha +H_2\left(C_{TA},R_1\right)\right)\left(s+H_1\left(i{d}_i\right)\right)}·g_1,\left(\alpha +H_2\left(C_{TA},R_1\right)\right)\left(s+H_1\left(i{d}_i\right)\right)g_1\right)\hfill \\ =e\left(g_1,g_1\right)\hfill \\ =g_2.\hfill \end{array}$$

(6)

$$\begin{array}{c}e\left(C_2,C_1+H_2\left(C_{TA},C_1\right)\left(pk+g_1·H_1\left(i{d}_i\right)\right)\right)\hfill \\ =e\left(\frac{1}{\beta +H_2\left(C_{TA},C_1\right)}·s{k}_{i,2},\beta \left(pk+g_1·H_1\left(i{d}_i\right)\right)+H_2\left(C_{TA},C_1\right)\left(pk+g_1·H_1\left(i{d}_i\right)\right)\right)\hfill \\ =e\left(\frac{1}{\left(\beta +H_2\left(C_{TA},C_1\right)\right)\left(s+H_1\left(i{d}_i\right)\right)}·g_1,\left(\beta +H_2\left(C_{TA},C_1\right)\right)\left(s+H_1\left(i{d}_i\right)\right)g_1\right)\hfill \\ =e\left(g_1,g_1\right)\hfill \\ =g_2.\hfill \end{array}$$

(7)

5.5. Service Query (Response)

In the service query (response) part, $R{U}_i$ initiates a service query ($C{U}_j$ generates a service response) and sends it to the RSU for service recommendations, specifically.

1.

The user $i{d}_i$ chooses numbers $r_1,r_2\in {}_R{\mathbb{Z}}_p^{*}$ and computes $D_1=g^{r_1},D_2=g^{r_2},D_3=h_2^{r_1}{h}_3^{r_3}s{k}_{i,2}$.

2.

The user $i{d}_i$ computes $E=H_3\left(F_{\kappa }\left(M\right)\right),L_1=H_1\left(D_1,D_2,D_3,E\right),L_2=r_1+s{k}_{i,1}{L}_1$, and $L_3=r_2+s{k}_{i,1}{L}_1$, where $M\in {\{0,1\}}^l$ is the service query contents of $R{U}_i$ (or the service response contents of $C{U}_j$).

3.

Finally, the user $i{d}_i$ sends $\sigma \leftarrow \left(E,D_1,D_2,D_3,L_1,L_2,L_3\right)$ to the RSU via public channel.

5.6. Service Recommendations

When receiving $\sigma$ from different users $i{d}_i$ ($R{U}_i$ or $C{U}_j$), the RSU performs the following operations:

1.

Compute $D_1^{\prime }=g^{L_2}p{k}_{i,1}^{-L_1},D_2^{\prime }=g^{L_3}p{k}_{i,1}^{-L_1}$, and $L_1^{\prime }=H_1\left(D_1^{\prime },D_2^{\prime },D_3,E\right)$ and then verify the validity of $D_1^{\prime }\stackrel{?}{=}{D}_1,D_2^{\prime }\stackrel{?}{=}{D}_2$, and $L_1^{\prime }\stackrel{?}{=}{L}_1$. If it is not valid, drop the corresponding query (response); otherwise, continue.

2.

For two different users $i{d}_i$ ($R{U}_i$ and $C{U}_j$) of $E_i\in {\sigma }_i$, compute $PSI\left(E_i,E_j\right)$ and send it to the $R{U}_i$

3.

Write ${\left\{\left(i{d}_i,E_i\right),\left(i{d}_j,E_j\right),E_i\cap E_j\right\}}_{i\ne j}$ into the transaction and send it to the blockchain network.

The proof of correctness of the equations $D_1^{\prime }\stackrel{?}{=}{D}_1,D_2^{\prime }\stackrel{?}{=}{D}_2$, and $L_1^{\prime }\stackrel{?}{=}{L}_1$ are demonstrated as shown below.

$$D_1^{\prime }=g^{L_2}p{k}_{i,1}^{-L_1}=g^{r_1+s{k}_{i,1}{L}_1}{\left(g^{s{k}_{i,1}}\right)}^{-L_1}=g^{r_1}=D_1.$$

(8)

$$D_2^{\prime }=g^{L_3}p{k}_{i,1}^{-L_1}=g^{r_2+s{k}_{i,1}{L}_1}{\left(g^{s{k}_{i,1}}\right)}^{-L_1}=g^{r_2}=D_2.$$

(9)

$$L_1^{\prime }=H\left({D^{\prime }}_1,{D^{\prime }}_2,D_3,E\right)=H\left(D_1,D_2,D_3,E\right)=L_1.$$

(10)

5.7. Service Transactions

In the service transactions part, the $R{U}_i$ and $C{U}_j$ will complete the relevant service recommendations via the personal channel. Specifically, the $C{U}_j$ encrypts the relevant service response content, i.e., $En{c}_{SK}\left(M\right)=H_4\left(SK,C_{TA}\right)\oplus \left(M\right)$, using the temporary session key $SK=C_3=R_4$ and finally sends it to the $R{U}_i$. And the $R{U}_i$ completes the location-based service query by computing $De{c}_{SK}\left(En{c}_{SK}\left(M\right)\right)=En{c}_{SK}\left(M\right)\oplus H_4\left(SK,C_{TA}\right)=M$.

6. Privacy and Security Analysis

In this section, we analyze the privacy and security of the proposed scheme, which mainly includes identity privacy, location privacy, route privacy, non-repudiation, and anti-man-in-the-middle attacks.

6.1. Identity Privacy

In our scheme, we protect the privacy of the user’s identity. During the user registration process, each user $i{d}_i$ must register with the TA to obtain the corresponding private key $s{k}_{i,2}$ and registration certificate $C_{TA}$. And in this process, all users are registered using the hash of their identity, i.e., $H_1\left(i{d}_i\right)$, without revealing the user’s identity information. In the dual authentication process, each user proves that he or she is secure and trustworthy via a registration certificate $C_{TA}$ obtained at the time of registration, while maintaining the user’s anonymity. In the service query (response) process, the user’s identity information is secure because the user’s identity (in this case, anonymous identity) is not involved. In summary, the user’s identity information is anonymous to the rest of the users, RSUs and LSPs. However, the user’s identity privacy is conditionally secure for the TA. This is because the user’s private key $s{k}_{i,2}$ is issued by the TA. If the TA is compromised, the user’s identity will be revealed.

6.2. Location Privacy

In the service query (response) process, we use a secure pseudo-random function and a one-way hash function to process the user’s location data, i.e., $H_3\left(F_{\kappa }\left(M\right)\right)$. And during the service transaction, we process the user’s location data by its constructed session key, i.e. $En{c}_{SK}\left(M\right)$. The location data processed in both ways will become indistinguishable, thus ensuring the privacy and security of the user’s location.

6.3. Route Privacy

When $R{U}_i$ initiates a service query ($C{U}_j$ generates a service response), it is known from Section 6.2 that the user’s location privacy is security. Moreover, the user uses a pseudo-random function and a hash function for its message content M, i.e., $E=H\left(F_{\kappa }\left(M\right)\right)$, which prevents the adversary from determining that E and $E^{\prime }$ are generated by the same M. Finally, in the service transaction phase, we claim the following two facts. (1) $R{U}_i$ cannot infer the routing information of $C{U}_j$ from the location service sent by $C{U}_j$. For example, there are three routes available for driving from A to B. $R{U}_i$ only knows that $C{U}_j$ took one of the three routes, and does not know which one was taken. (2) $C{U}_j$ also cannot infer the next routing information of $R{U}_i$ from the location service it sends. On the one hand, the path selection of $R{U}_i$ has a large uncertainty, and on the other hand, $C{U}_j$ cannot know whether $R{U}_i$ accepts the location service it sends.

6.4. Non-Repudiation

When there exists some malicious users who endanger the privacy and security of the rest of the users by means of message replay and forgery, TA can compute $D_3/\phantom{D_3{D}_1^{{\xi }_1}{D}_2^{{\xi }_2}}{D}_1^{{\xi }_1}{D}_2^{{\xi }_2}$ to obtain the private key of the malicious user and its corresponding identity.

The proof of correctness of the equations $D_3/\phantom{D_3{D}_1^{{\xi }_1}{D}_2^{{\xi }_2}}{D}_1^{{\xi }_1}{D}_2^{{\xi }_2}$ is demonstrated as shown below.

$$D_3/\phantom{D_3{D}_1^{{\xi }_1}{D}_2^{{\xi }_2}}{D}_1^{{\xi }_1}{D}_2^{{\xi }_2}=h_2^{r_1}{h}_3^{r_3}s{k}_{i,2}/\phantom{h_2^{r_1}{h}_3^{r_3}s{k}_{i,2}{\left(g^{r_1}\right)}^{{\xi }_1}{\left(g^{r_2}\right)}^{{\xi }_2}}{\left(g^{r_1}\right)}^{{\xi }_1}{\left(g^{r_2}\right)}^{{\xi }_2}=s{k}_{i,2}.$$

(11)

6.5. Anti-Man-in-the-Middle Attack

We have mainly considered man-in-the-middle attack resistance in the dual authentication phase. Specifically, under the random oracle and k-CAA assumptions, we prove by Theorem 1 that the proposed signature technique is resistant to existential forgery in the dual authentication phase. This ensures that the dual authentication protocol proposed in this paper is resistant to man-in-the-middle attacks.

Theorem 1.

The proposed scheme is existentially unforgeable in the random oracle model under the k-CAA assumption.

Proof of Theorem 1.

We assume that there exists an attacker $\mathcal{A}$ who adaptively selects messages and identities can break the scheme proposed in this paper with a non-negligible advantage $\epsilon$ after performing $n_{H_i}\left(i=1,2\right)$ times of $H_i\left(i=1,2\right)$ queries, $n_E$ times of private key extraction queries and $n_S$ times of signature queries within the time t. Then there exists a challenger $\mathcal{C}$ who can solve the $n_E-CAA$ problem with a non-negligible advantage ${\epsilon }^{\prime }$ in time $t^{\prime }$.

We assume that given a challenge to $\mathcal{C}$, i.e., given $g_1$, $h_1=s{g}_1$, $v_1,v_2,\dots ,v_{n_E}\in {\mathbb{Z}}_p^{*}$, the goal of $\mathcal{C}$ is to output a solution $\left(v,\frac{g_1}{s+v}\right)$ of the $n_E-CAA$ problem, where $v\notin \left\{v_1,v_2,\dots ,v_{n_E}\right\}$.

1.

Setup. $\mathcal{C}$ runs the system initialization algorithm, then chooses ${\alpha }_i\in {\mathbb{Z}}_p^{*}$, and computes $R_{i,1}={\alpha }_i\left(pk+g_1·H_1\left(i{d}_1\right)\right)\left(1\le i\le n_{H_1}\right)$. $\mathcal{C}$ constructs a list $Q_{list}$ containing the array $\left(i{d}_i,H_1\left(i{d}_i\right),{\alpha }_i,R_{i,1}\right)$, and finally sends the public parameter $\left\{{\mathbb{G}}_1,{\mathbb{G}}_2,g_1,g_2,e,p,pk,H_1,\right.$$\left.H_2,{\left\{R_{i,1}\right\}}_{i=1}^{n_{H_1}}\right\}$ to $\mathcal{A}$.

2.

Queries. In response to the query of $\mathcal{A}$, $\mathcal{C}$ maintains list $Q_1,Q_2,Q_3,Q_4$ to track the $H_1$ query, $H_2$ query, private key extraction query and signature query of $\mathcal{A}$. The list $Q_1,Q_2,Q_3,Q_4$ is empty at the beginning. We assume that for each $i{d}_i\left(1\le i\le n_E\right)$, $\mathcal{A}$ has queried the $H_1$ value of $i{d}_i$ before performing $H_2$ query, private key extraction query and signature query for simplicity.

• $H_1$ query. $\mathcal{C}$ maintains a list $Q_1$ containing the array $\left(i{d}_i,H_1\left(i{d}_i\right)\right)$. Specifically, for $i{d}_i$, $\mathcal{C}$ prepares a $n_{H_1}$ response ${\left\{H_1\left(i{d}_i\right)\right\}}_{i=1}^{n_{H_1}}$ and adds it to the $Q_1$. When $\mathcal{A}$ makes a $H_1$ query to $i{d}_i$, $\mathcal{C}$ recovers $\left(i{d}_i,H_1\left(i{d}_i\right)\right)$ from $Q_1$ and sends it to $\mathcal{A}$.
• $H_2$ query. $\mathcal{C}$ maintains a list $Q_2$ containing the array $\left(i{d}_i,C_{TA},R_{i,1},O_i\right)$. When $\mathcal{A}$ makes a $H_2$ query to $\left(C_{TA},R_{i,1}\right)$, $\mathcal{C}$ recovers $\left(i{d}_i,H_1\left(i{d}_i\right),{\alpha }_i,R_{i,1}\right)$ from $Q_{list}$ and chooses a number $O_i\in {\mathbb{Z}}_p^{*}$, so that $O_i=H_2\left(C_{TA},R_{i,1}\right)$. Then adds $\left(i{d}_i,C_{TA},R_{i,1},O_i\right)$ to $Q_2$ and sends $O_i$ to $\mathcal{A}$.
• Private key extraction query. When $\mathcal{A}$ makes a private key extraction query to $i{d}_i\left(1\le i\le n_E\right)$, $\mathcal{C}$ recovers $\left(i{d}_i,H_1\left(i{d}_i\right),{\alpha }_i,R_{i,1}\right)$ from $Q_{list}$ and then verifies $H_1\left(i{d}_i\right)\stackrel{?}{\in }\left\{v_1,v_2,\dots ,v_{n_E}\right\}$. If $H_1\left(i{d}_i\right)\notin \left\{v_1,\dots ,v_{n_E}\right\}$, output “⊥” (“⊥” means failure). Otherwise there is $H_1\left(i{d}_i\right)\in \left\{v_1,v_2,\dots ,v_{n_E}\right\}$ (i.e., there is $v_j\in \left\{v_1,\dots ,v_{n_E}\right\}$ such that $H_1\left(i{d}_i\right)=v_j$), then computes $s{k}_{i,2}=\frac{g_1}{s+v_j}$. Finally, adds $\left(i{d}_i,s{k}_{i,2}\right)$ to $Q_3$ and sends $\left({\alpha }_i,s{k}_{i,2}\right)$ to $\mathcal{A}$.
• Signature query. When $\mathcal{A}$ makes signature query to $\left(i{d}_i,C_{TA}\right)$, $\mathcal{C}$ recovers $(i{d}_i,$$H_1\left(i{d}_i\right))$ from $Q_1$ and verifies $H_1\left(i{d}_i\right)\stackrel{?}{\in }\left\{v_1,\dots ,v_{n_E}\right\}$. If $H_1\left(i{d}_i\right)\notin \left\{v_1,\dots ,v_{n_E}\right\}$, $\mathcal{C}$ outputs “⊥”. Otherwise, $\mathcal{C}$ computes $R_{i,2}=\frac{s{k}_{i,2}}{{\alpha }_i+H_2\left(C_{TA},R_{i,1}\right)}$ and sends it to $\mathcal{A}$.

3.

$\mathcal{A}$ outputs a message signature pair $\left(C_{TA}^{*},R_{i,2}^{*}\right)$ about the $i{d}_i^{*}$, and the signature satisfies the following equation.

$$e\left(R_{i,2}^{*},R_{i,1}^{*}+H_2\left(C_{TA}^{*},R_{i,1}^{*}\right)\left(pk+g_1·H_1\left(i{d}_i^{*}\right)\right)\right)=g_2$$

(12)

$\mathcal{C}$ verifies $H_1\left(i{d}_i^{*}\right)\stackrel{?}{\in }\left\{v_1,v_2,\dots ,v_{n_E}\right\}$. If $H_1\left(i{d}_i^{*}\right)\in \left\{v_1,v_2,\dots ,v_{n_E}\right\}$, output “⊥”. Otherwise, we have that equation (12) holds. Therefore, $\mathcal{C}$ can compute $\frac{g_1}{s+H_1\left(i{d}_i^{*}\right)}=\left({\alpha }^{*}+H_2\left(C_{TA}^{*},R_{i,1}^{*}\right)\right)R_{i,2}^{*}$ and thus output the array $\left(H_1\left(i{d}_i^{*}\right),\frac{g_1}{s+H_1\left(i{d}_i^{*}\right)}\right)$ as a solution to the $n_E-CAA$ problem, where $H_1\left(i{d}_i^{*}\right)\notin \left\{v_1,v_2,\dots ,v_{n_E}\right\}$. And this contradicts the k-CAA assumption that it is a difficult problem.

□

We compare this scheme with existing work in

Table 2. Comparison of privacy and security properties.

Scheme	Identity Privacy	Location Privacy	Route Privacy	Non-Repudiation	Anti-Man-in-the-Middle Attack
[1]	✓	×	×	✓	N/A
[2]	✓	×	×	N/A	N/A
[4]	✓	×	×	N/A	N/A
[5]	✓	✓	✓	N/A	N/A
[7]	✓	✓	✓	✓	N/A
[8]	✓	×	×	✓	N/A
[41]	✓	×	×	✓	N/A
[42]	✓	✓	N/A	✓	N/A
[43]	✓	N/A	N/A	✓	✓
[44]	✓	N/A	N/A	✓	✓
Our Scheme	✓	✓	✓	✓	✓

in terms of privacy and security. Only the proposed scheme can satisfy all the conditions. Generally speaking, some smart parking, carpooling and ride hailing schemes [1,2,4,8,41] based on location services can protect users’ location privacy to a certain extent, but they can still lead to location and route information leakage due to malicious compromise by attackers.

7. Performance Analysis

To instantiate our proposed scheme, we compare the proposed scheme with other existing schemes in terms of computational and communication overheads. The experimental performance verifies the efficiency and effectiveness of our scheme.

7.1. Experiment Setting

The experiments in our scheme were all conducted on a computer (Intel®Core™ i5-3470S CPU @ 2.90 GHz × 2, 3.8 GiB RAM) running Ubuntu 20.04.3 LTS 64-bit OS. We made use of modules such as hashlib and cryptography in Python. We first evaluate the time cost of the exponential operation $T_e$, hash operation $T_h$, and bilinear operation $T_p$, where the time cost of each operation is the average time after running 1000 times. Specifically, the time cost of each operation is $T_e=0.0431$ ms, $T_h=0.0293$ ms, $T_p=4.6691$ ms. Next, we instantiated 100 users on a computer and compared the performance of our scheme with other schemes in terms of computation and communication overhead.

7.2. Computational Overhead

We experimentally evaluate the computational overhead of our scheme in the user registration, signature and signature verification phases and compare it with PiSim [7], SRPP [8], and ASAP [41], as shown in Figure 4.

In user registration, we only use exponential and hash operations with low computational overhead, making the computational overhead of this paper only 0.1586 ms, which is much smaller than [7,8,41]. In signature, we use only 5 exponential operations and 2 hash operations, and its computational overhead is 0.2741 ms. Compared with [7,8,41], our scheme has a slight advantage. And in signature verification, although we use bilinear operations with high computational overhead, we can still have some advantages in this paper compared with [7,8,41].

7.3. Communication Overhead

Next, we analyze the communication overhead of the user’s location service query during transmission.

In PPCS [30], the user generates a service query $L_q=\left(u_{id},\left\{\left(x_1,y_1\right),\dots ,\left(x_n,y_n\right),R,C\right\}\right)$, where $u_{id}$ is the user’s identity, $\left(x_1,y_1\right),\dots ,\left(x_n,y_n\right)$ are the location data, R is the the radius of the user’s query scope, C is the service query content. Therefore, the total communication overhead is expressed as $\left|L_q\right|=\left|u_{id}\right|+\left|\left(x_1,y_1\right)\right|+\cdots +\left|\left(x_n,y_n\right)\right|+\left|R\right|+\left|C\right|\approx 1.52+0.0020n$ KBytes.

In RR-DLS [34], the user generates a service query $L_q=(u_{id},\{\left(x_1,y_1\right),\dots ,\left(x_n,y_n\right),C_1,$$\dots ,C_n,V\left\}\right)$, where $C_i$ is the service query content at location $\left(x_i,y_i\right)$, V is the degree of privacy protection. Therefore, the total communication overhead is expressed as $|L_q|=|u_{id}|+|\left(x_1,y_1\right)|+\cdots +|\left(x_n,y_n\right)|+|C_1|+\cdots +|C_n|+|V|\approx 1.5+0.03n$ KBytes.

In DK-A [45], the user generates a service request $R_i=\left\{nam{e}_i,po{s}_i,re{q}_i\right\}$ and sends it to a trusted server for encryption. After the server receives n service requests $R_i$, it saves ${\left\{nam{e}_i\right\}}_{i=1}^n$ and generates two matrices $O,E$ about the service requests. Finally, it outputs $O\times E$ as the user’s service query, where $nam{e}_i$ is the user ID, $po{s}_i$ is the location data, $re{q}_i$ is the service query content. Therefore, the total communication overhead is expressed as $\left|O\times E\right|\approx 0.0020n^2$ KBytes.

In our scheme, the user generates a service query $\sigma \leftarrow \left(E,D_1,D_2,D_3,L_1,L_2,L_3\right)$, then its total communication overhead is expressed as $\left|\sigma \right|=\left|E\right|+\left|D_1\right|+\left|D_2\right|+\left|D_3\right|+\left|L_1\right|+\left|L_2\right|+\left|L_3\right|\approx 0.10$ KBytes. Specifically, since the number of occupied bits of $D_1,D_2,D_3,L_1,L_2,L_3$ is fixed, and the number of bits of E is related to the hash function $H_3$. In the case that $H_3$ is deterministic, the number of bits of E is also fixed and does not change with the number of users. Therefore, the communication overhead of the service query of the users in our scheme is constant 0.10 KBytes.

The results of the communication overhead comparison for each scheme are shown in Figure 5. Through our analysis, we found that the service queries of [30,34,45] are constructed based on anonymity sets, which makes their communication overhead increase linearly with the increase of anonymity sets. Although the increase of anonymity set can further improve the security of user’s location privacy, its higher communication overhead is not tolerable for us. In contrast, this paper reduces the communication overhead to a constant 0.10 while guaranteeing user privacy security. Obviously, our paper has a greater advantage in terms of communication overhead compared to [30,34,45].

8. Conclusions

To better protect users’ privacy and security, this paper proposes a privacy protection scheme for the Internet of Vehicles based on privacy set intersection. Specifically, we propose two privacy-secure protocols: a dual authentication protocol and a service recommendation protocol. The dual authentication protocol based on privacy set intersection has dual security guarantees. One can ensure that both sides of the authenticated communication are secure and trusted, and the other ensures that the session keys established by both sides in the process are secure and reliable. While in the service recommendation protocol, users are blinded to their location information by a pseudorandom function and a one-way hash function, making the user’s location information available and invisible. Compared with existing schemes, our scheme is more security, achieving identity privacy, location privacy, routing privacy, non-repudiation, and anti-man-in-the-middle attack. Also, it is experimentally shown that our scheme is significantly better than the existing schemes in terms of computation overhead and communication overhead.

In the future, we will design a more fully functional privacy protection scheme, such as migrating the PSI operation in the service recommendation protocol to the smart contract of the blockchain. Thus, we can avoid the privacy leakage of users due to the excessive authority of RSU.