# A Distributed Model for Privacy Preserving V2I Communication with Strong Unframeability and Efficient Revocation


## Abstract


## 1. Introduction

- Trust distribution. To avoid strong trust assumptions for a single TMA authority, our model assumes two independent honest but curious authorities: a Credential Authority (CA), who is responsible for issuing/revoking credentials for vehicles; and a Signing Authority (SA), who is responsible for anonymously authenticating messages of authorized vehicles.
- Enhanced conditional privacy preserving authentication, since all the involved entities (CA, SA and the relevant RSUs) need to collaborate to trace a message back to a vehicle.
- Vehicle unforgeability and unframeability. Even if all the entities (CA, SA and RSUs) collude, it is not possible to forge messages and/or frame an honest vehicle by tracing a forged message back to it.
- Efficient Revocation. Revocation will be equivalent to the deletion of an encrypted credential, stored in an anonymous credential list. Revocation management is significantly more efficient in comparison with the use of certificate revocation lists.

## 2. Related Work

## 3. The Proposed Solution

- Security. Only authenticated nodes (vehicles) will be allowed to communicate with RSUs (unforgeability). In addition, no adversary, even as strong as the collusion of all the authorities, should be able to impersonate a legitimate node (unframeability).
- Privacy. Vehicle anonymity must be assured, meaning that the identity of the vehicle should not be disclosed to RSUs or any external entity. In addition, no single entity should be able to link the messages sent to one or more RSUs with a particular sender (message-vehicle untraceability). Traceability should only be possible for a collusion of the CA, the SA and the relevant RSUs. Finally, an RSU (or any other external entity) should not be able to link together different messages coming from a single sender, even if the identity of the sender is not revealed (message unlinkability).
- Efficiency. The system must be efficient enough in terms of communication and computation overhead. The RSUs must be able to process multiple messages per second. For example, 100-200 messages/second are sufficient for RSUs to reach informed decisions about the current traffic conditions and unexpected events, even if some messages are eventually lost in case of bursts. Vehicles must not be required to perform crypto operations that are not ‘mainstream’ in terms of computational cost. For example, although public key crypto is feasible, bilinear pairings are not within the current state of the art.
- Privacy-preserving and efficient revocation. Finally revocation should be both efficient and privacy preserving. The system should not require CRLs for revocation, as they can become a system bottleneck. At the same time, revocation of a node must not disclose the identity of the node as this would violate the privacy of previous communications.

- Trust Assumptions

#### 3.1. Building Blocks

- Bilinear map

- Bilinear: For all $(u,\widehat{v})\in {\mathbb{G}}_{1}\times {\mathbb{G}}_{2}$ and all $a,b\in {\mathbb{Z}}_{p}$, it holds that $e(au,b\widehat{v})=e{(u,\widehat{v})}^{ab}$.
- Non-degenerate: $e(g,\widehat{g})\ne 1$

- All or Nothing Public Key Encryption with Equality Tests (AoN-PKEET)

- $AEnc(h,r,m)\to C$: On input the public encryption key, a random $r\in_{R}\mathbb{Z}_{p}$ and a message $m$, it outputs the encryption $C=(K_{1},K_{2})=(g^{r},m h^{r})$.
- $Aut(\xi)\to tk$: On input the secret key, it returns the trapdoor information $tk=(\widehat{\rho},\widehat{\varphi}=\widehat{\rho}^{\xi})\in \mathbb{G}_{2}^{2}$ for $\widehat{\rho}\in_{R}\mathbb{G}_{2}$, allowing equality tests for ciphertexts.
- $Com(C,C',tk)\to \{0|1\}$: On input two ciphertexts $C=(K_{1},K_{2})=(g^{a},m h^{a})$ and $C'=(K_{1}',K_{2}')=(g^{a'},m' h^{a'})$ and the trapdoor $tk=(\widehat{\rho},\widehat{\varphi}=\widehat{\rho}^{\xi})$, it outputs 1 if $e(K_{2},\widehat{\rho})\cdot e(K_{1},\widehat{\varphi})^{-1}=e(K_{2}',\widehat{\rho})\cdot e(K_{1}',\widehat{\varphi})^{-1}$ holds and 0 otherwise. If the output is 1 then $m=m'$.
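
Why the test in $Com$ decides plaintext equality, written out with the symbols above (an added derivation, not taken from the paper; it assumes $m\in\mathbb{G}_{1}$, $h=g^{\xi}$ and $\widehat{\rho}\ne 1$):

$$e(K_{2},\widehat{\rho})\cdot e(K_{1},\widehat{\varphi})^{-1}=e(m h^{a},\widehat{\rho})\cdot e(g^{a},\widehat{\rho}^{\xi})^{-1}=e(m,\widehat{\rho})\cdot e(g,\widehat{\rho})^{a\xi}\cdot e(g,\widehat{\rho})^{-a\xi}=e(m,\widehat{\rho})$$

The encryption randomness $a$ cancels, so the left-hand side of the comparison equals $e(m,\widehat{\rho})$ and the right-hand side equals $e(m',\widehat{\rho})$. In prime-order groups with a non-degenerate pairing, the map $x\mapsto e(x,\widehat{\rho})$ is injective for $\widehat{\rho}\ne 1$, hence the two sides agree exactly when $m=m'$.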

- Non Interactive Zero Knowledge Proofs (NIZKP)

- Partially Blind Digital Signature Scheme

#### 3.2. High Level Description

**Phase 1 (Set Up):** During this phase the Credential Authority (CA) will publish all the system parameters, including the public encryption key of an AoN-PKEET scheme. In addition, the CA will securely transfer to the Signing Authority (SA) the trapdoor information $tk$, to allow the SA to perform equality tests on messages encrypted with the AoN-PKEET scheme.

**Phase 2 (Registration):** Registration is an ongoing phase and allows new vehicles to dynamically join. For each new vehicle V, a unique identifier $ID$ is chosen by the CA and is AoN-PKEET encrypted by V, using the AoN public key of the CA. The randomness used for the encryption is not revealed to the CA and will later be used by the vehicle to provide a NIZKP of the assigned $ID$. The vehicle also receives from the CA signed proofs on the registration parameters. The CA will forward the encrypted credential to the SA, who will append it to a private list $BB_{SA}$ containing the encrypted credentials of all registered users.

**Phase 3 (Secure communication):** During the secure communication phase, a registered vehicle V will communicate with the SA in order to authorize the message to be sent to the RSU via a partially blind signature.

**Phase 4 (Revocation):** When needed, the revocation phase will be executed to anonymously revoke a counterfeit, misused or compromised credential. According to a predefined policy, revocation will be equivalent to the deletion of the encrypted credential stored in the private list $BB_{SA}$ maintained by the SA. Therefore, revocation in our scheme is very efficient, as it does not require maintaining and managing revocation lists. Detection of misbehaving vehicles is possible from the timestamps.

#### 3.3. Detailed Protocol Description

#### 3.3.1. Set Up

#### 3.3.2. Registration

`join-request` to the CA. The CA will choose a unique identifier $ID$ and send this to V along with the current registration time $t_{0}$. Then V chooses $r_{0}\in_{R}\mathbb{Z}_{p}$, computes $AEnc(h,r_{0},ID)\to (C_{1},C_{2})=(g^{r_{0}},ID\,h^{r_{0}})$ and also the signature $\sigma_{V}=sig_{V}(ID,t_{0})$. It will then forward $(C_{1},C_{2}),t_{0},\sigma_{V}$ to the CA.

#### 3.3.3. V2I Communication

#### 3.3.4. Revoking

## 4. Security Analysis

#### 4.1. Unforgeability

**Setup.** $C_{DLOG}$ provides a challenge $g,g^{\rho}$ to $\mathcal{B}$, which forwards the challenge to $\mathcal{A}^{f}$. Then $\mathcal{A}^{f}$ uses its oracle access to ${\prod}_{1}$ with input the challenge $g,g^{\rho}$, to receive the corresponding output of the set up protocol, i.e., $\mathcal{O}_{{\prod}_{1}}:g,g^{\rho}\to \xi ,(g,h=g^{\xi})$. Thus, an AoN-PKEET is set up with $\xi$ and $(g,h=g^{\xi})$ the private and public keys respectively.

$\mathcal{A}^{f}$ uses its oracle access to ${\prod}_{2}$ to receive the encryptions of valid credentials $ID_{1},\dots ,ID_{N}$. For the encryption of $ID_{i}$, $\mathcal{O}_{{\prod}_{2}}$ outputs $(g^{\rho})^{\xi}=(g^{\xi})^{\rho}=h^{\rho}$ and sets $AEnc(h,r_{i},1)\cdot (g^{\rho},h^{\rho}ID_{i})=(g^{\rho +r_{i}},h^{\rho +r_{i}}ID_{i})=AEnc(h,\rho +r_{i},ID_{i})$, re-randomizing the encryptions. Thus, $BB_{SA}$ is formed.

**Attack.** $\mathcal{A}^{f}$ requests oracle access to $\mathcal{O}_{{\prod}_{3}}$ for polynomially many executions of ${\prod}_{3}$. Then, the challenge $AEnc(h,r,ID_{i})=(K_{1},K_{2})$ is given to $\mathcal{A}^{f}$ for forgery. The adversary chooses a message $m$ and computes $\mathcal{C}=H(K_{1},K_{2},m,t_{cur}\|rand)$. It outputs a valid NIZKP $\mathcal{R}$ such that $g^{\mathcal{R}}K_{1}^{\mathcal{C}}=g^{\rho +r_{i}}$.

**Guess.** $\mathcal{B}$ receives from $\mathcal{A}^{f}$ the values $\mathcal{R},r,\mathcal{C},r_{i}$ and outputs its guess $\rho'=\mathcal{R}+r\mathcal{C}-r_{i}$. If $\rho'=\rho$ then $\mathcal{B}$ wins.
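
The Setup, Attack and Guess steps above, replayed with toy numbers as an added example (not code from the paper). The 11-bit group, SHA-256 as $H$, the input encoding and all function names are assumptions, and the response computation in `respond` is inferred from the verification equation $g^{\mathcal{R}}K_{1}^{\mathcal{C}}=g^{\rho +r_{i}}$.

```python
import hashlib
import secrets

# Constructed toy Schnorr group (assumption, far too small for real use):
# p = 2q + 1 with p and q prime; g = 4 generates the subgroup of order q.
P, Q, G = 2039, 1019, 4


def aenc(h, r, m):
    """AEnc(h, r, m) -> (K1, K2) = (g^r, m * h^r), as in Section 3.1."""
    return pow(G, r, P), (m * pow(h, r, P)) % P


def ct_mul(c, d):
    """Component-wise ciphertext product, used to re-randomize."""
    return (c[0] * d[0]) % P, (c[1] * d[1]) % P


def challenge(k1, k2, m, t_cur, rand):
    """C = H(K1, K2, m, t_cur || rand) reduced into Z_q (SHA-256 assumed)."""
    data = f"{k1}|{k2}|{m}|{t_cur}{rand}".encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q


def respond(stored_exp, r, c):
    """Response R = (rho + r_i) - r*C mod q, inferred from the check below."""
    return (stored_exp - r * c) % Q


def verify(stored_k1, k1, c, resp):
    """Verification equation from the proof: g^R * K1^C == g^(rho + r_i)."""
    return (pow(G, resp, P) * pow(k1, c, P)) % P == stored_k1


def extract_rho(resp, r, c, r_i):
    """B's guess: rho' = R + r*C - r_i (mod q)."""
    return (resp + r * c - r_i) % Q


def run_reduction(rho=None):
    """Play Setup, Attack and Guess once; return what each step produced."""
    xi = secrets.randbelow(Q - 1) + 1        # CA private key
    h = pow(G, xi, P)                        # CA public key h = g^xi
    if rho is None:
        rho = secrets.randbelow(Q - 1) + 1   # exponent hidden in the DLOG challenge
    g_rho = pow(G, rho, P)
    ident = pow(G, 77, P)                    # constructed ID_i, encoded in the subgroup
    r_i = secrets.randbelow(Q)

    # Setup: the oracle forms h^rho = (g^rho)^xi and re-randomizes with r_i.
    h_rho = pow(g_rho, xi, P)
    stored = ct_mul(aenc(h, r_i, 1), (g_rho, (h_rho * ident) % P))
    rerandomized_ok = stored == aenc(h, (rho + r_i) % Q, ident)

    # Attack: a fresh encryption of ID_i plus a response that verifies. We stand
    # in for a successful forger by computing R directly; exactly one R in Z_q
    # passes verify(), so any accepted forgery yields the same extraction.
    r = secrets.randbelow(Q - 1) + 1
    k1, k2 = aenc(h, r, ident)
    c = challenge(k1, k2, "constructed traffic report", 1700000000,
                  secrets.randbits(32))
    resp = respond((rho + r_i) % Q, r, c)

    return {
        "rho": rho,
        "stored_k1": stored[0],
        "k1": k1,
        "c": c,
        "rerandomized_ok": rerandomized_ok,
        "proof_ok": verify(stored[0], k1, c, resp),
        # Guess: B recovers the discrete log of the challenge.
        "rho_guess": extract_rho(resp, r, c, r_i),
    }


if __name__ == "__main__":
    print(run_reduction())
```

Because $g$ has prime order $q$, only one response in $\mathbb{Z}_{q}$ satisfies the verification equation, which is why $\mathcal{B}$'s guess is always correct once a forgery is accepted.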

#### 4.2. Unframeability

#### 4.3. Anonymity and Message-Vehicle Untraceability

**Definition 1.**

**Claim 1.**

**Proof.**

- (a) The vehicle requests from the CA an anonymous ID.
- (b) The CA sends to the vehicle the anonymous ID and the relevant proofs to the SA.
- (c) The vehicle requests a signature from the SA.
- (d) The SA responds to the vehicle.
- (e) The vehicle sends the blindly signed message to an RSU.
- (f) The RSU posts the transmitted message.

**Case 1.**

`Corrupted` and the encryption scheme used in ${\prod}_{1}$ is secure.

**Proof.**

`Corrupted` set cannot learn the real identity of the vehicle, since the communication is encrypted using the public key of the CA. □

**Case 2.**

`Corrupted`.

**Proof.**

**Case 3.**

`Corrupted`.

**Proof.**

**Lemma 1.**

#### 4.4. Message Unlinkability

**Definition 2.**

**Claim 2.**

**Proof.**

**Traceability:**

#### 4.5. Scenario-Based Analysis

**Man-in-The-Middle Attack.** In this attack scenario, the adversary intercepts messages and tampers with data in the communication between a vehicle and an RSU or the SA. However, a MiTM attack will not succeed, since it requires the adversary to forge the actual data sent by the vehicle, which are bound to the certificate of the vehicle via the use of a hash function.

**Replay Attack.** In this attack scenario, the adversary replays a previously obtained legitimate signature to the receiver. Such attacks will not succeed, since the use of time stamps ensures message freshness.

**Identity Revealing Attack.** The adversary attempts to reveal the real identity of a target vehicle, so that it can illegally gather personal data about the vehicle, which would threaten the privacy of the driver. This requires breaking the IND-CPA property of the underlying cryptosystem.

**Authority Abuse Attack.** In this scenario the CA attempts to arbitrarily issue certificates to illegal vehicles or revoke certificates of legal vehicles. Such attacks can be thwarted by employing a threshold CA scenario. In addition, revoking a legal vehicle must be accompanied by a transaction proving misbehaviour. That is equivalent to framing a vehicle, which was proven impossible.

## 5. Efficiency Analysis

#### 5.1. Efficiency of the Cryptographic Primitives

#### 5.1.1. Blind Digital Signature Scheme

#### 5.1.2. Encryption Schemes

#### 5.1.3. Bilinear Pairing

#### 5.2. Signing Authority (SA) Performance

#### 5.3. RSU Performance

#### 5.4. End-to-End Cost

#### 5.5. Qualitative Efficiency Comparison

## 6. Conclusions

## Author Contributions

## Funding

## Data Availability Statement

## Conflicts of Interest

## References

1. Plossl, K.; Nowey, T.; Mletzko, C. Towards a security architecture for vehicular ad hoc networks. In Proceedings of the First International Conference on Availability, Reliability and Security (ARES’06), Vienna, Austria, 20–22 April 2006; p. 8.
2. ITS-ETSI. European profile standard for the physical and medium access control layer of Intelligent Transport Systems operating in the 5 GHz frequency band. ETSI ES **2009**, 202, 663.
3. ITS-ETSI. Volume 102 637-2 V1.2.1 (2011-03), Intelligent Transport Systems (Its); Vehicular Communications; Basic Set of Applications; Part 2: Specification of Co-Operative Awareness Basic Service. ETSI Sophia Antipolis Cedex France. 2010, pp. 14–48. Available online: https://www.etsi.org/deliver/etsi_ts/102600_102699/10263702/01.02.01_60/ts_10263702v010201p.pdf (accessed on 3 May 2022).
4. Parno, B.; Perrig, A. Challenges in securing vehicular networks. In Proceedings of the Workshop on Hot Topics in Networks (HotNets-IV), San Diego, CA, USA, 2–4 November 2005; pp. 1–6.
5. Raya, M.; Papadimitratos, P.; Hubaux, J.P. Securing vehicular communications. IEEE Wirel. Commun. **2006**, 13, 8–15.
6. Stellios, I.; Kotzanikolaou, P.; Psarakis, M.; Alcaraz, C.; Lopez, J. A survey of iot-enabled cyberattacks: Assessing attack paths to critical infrastructures and services. IEEE Commun. Surv. Tutor. **2018**, 20, 3453–3495.
7. Raya, M.; Hubaux, J.P. The security of vehicular ad hoc networks. In Proceedings of the 3rd ACM Workshop on Security of ad hoc and Sensor Networks, Alexandria, VA, USA, 7 November 2005; pp. 11–21.
8. Zhang, C.; Lin, X.; Lu, R.; Ho, P.H. RAISE: An efficient RSU-aided message authentication scheme in vehicular communication networks. In Proceedings of the 2008 IEEE International Conference on Communications, Beijing, China, 19–23 May 2008; pp. 1451–1457.
9. Guette, G.; Ducourthial, B. On the Sybil attack detection in VANET. In Proceedings of the 2007 IEEE International Conference on Mobile Adhoc and Sensor Systems, Pisa, Italy, 8–11 October 2007; pp. 1–6.
10. Hu, Y.C.; Perrig, A.; Johnson, D.B. Packet leashes: A defense against wormhole attacks in wireless networks. In Proceedings of the IEEE INFOCOM 2003. Twenty-Second Annual Joint Conference of the IEEE Computer and Communications Societies (IEEE Cat. No. 03CH37428), San Francisco, CA, USA, 30 March–3 April 2003; Volume 3, pp. 1976–1986.
11. Safi, S.M.; Movaghar, A.; Mohammadizadeh, M. A novel approach for avoiding wormhole attacks in VANET. In Proceedings of the 2009 Second International Workshop on Computer Science and Engineering, Washington, DC, USA, 28–30 October 2009; Volume 2, pp. 160–165.
12. Lo, N.W.; Tsai, H.C. Illusion attack on vanet applications-a message plausibility problem. In Proceedings of the 2007 IEEE Globecom Workshops, Washington, DC, USA, 26–30 November 2007; pp. 1–8.
13. Manvi, S.; Kakkasageri, M.; Adiga, D. Message authentication in vehicular ad hoc networks: Ecdsa based approach. In Proceedings of the 2009 International Conference on Future Computer and Communication, Kuala Lumpur, Malaysia, 3–5 April 2009; pp. 16–20.
14. Raya, M.; Hubaux, J.P. Securing vehicular ad hoc networks. J. Comput. Secur. **2007**, 15, 39–68.
15. Camenisch, J.; Drijvers, M.; Lehmann, A.; Neven, G.; Towa, P. Short threshold dynamic group signatures. In Proceedings of the International Conference on Security and Cryptography for Networks, Amalfi, Italy, 14–16 September 2020; pp. 401–423.
16. Gennaro, R.; Goldfeder, S.; Ithurburn, B. Fully Distributed Group Signatures. 2019. Available online: https://www.orbs.com/assets/docs/white-papers/Crypto_Group_signatures-2.pdf (accessed on 3 May 2022).
17. Hao, Y.; Cheng, Y.; Ren, K. Distributed key management with protection against RSU compromise in group signature based VANETs. In Proceedings of the IEEE GLOBECOM 2008-2008 IEEE Global Telecommunications Conference, New Orleans, LA, USA, 30 November–4 December 2008; pp. 1–5.
18. Jiang, Y.; Ge, S.; Shen, X. AAAS: An anonymous authentication scheme based on group signature in VANETs. IEEE Access **2020**, 8, 98986–98998.
19. Zhu, X.; Jiang, S.; Wang, L.; Li, H.; Zhang, W.; Li, Z. Privacy-preserving authentication based on group signature for VANETs. In Proceedings of the 2013 IEEE Global Communications Conference (GLOBECOM), Atlanta, GA, USA, 9–13 December 2013; pp. 4609–4614.
20. Dötzer, F. Privacy issues in vehicular ad hoc networks. In International Workshop on Privacy Enhancing Technologies; Springer: Berlin/Heidelberg, Germany, 2005; pp. 197–209.
21. Ali, I.; Li, F. An efficient conditional privacy-preserving authentication scheme for Vehicle-To-Infrastructure communication in VANETs. Veh. Commun. **2020**, 22, 100228.
22. Cui, J.; Wu, D.; Zhang, J.; Xu, Y.; Zhong, H. An efficient authentication scheme based on semi-trusted authority in VANETs. IEEE Trans. Veh. Technol. **2019**, 68, 2972–2986.
23. He, D.; Zeadally, S.; Xu, B.; Huang, X. An efficient identity-based conditional privacy-preserving authentication scheme for vehicular ad hoc networks. IEEE Trans. Inf. Forensics Secur. **2015**, 10, 2681–2691.
24. Kumar, P.; Kumari, S.; Sharma, V.; Li, X.; Sangaiah, A.K.; Islam, S.H. Secure CLS and CL-AS schemes designed for VANETs. J. Supercomput. **2019**, 75, 3076–3098.
25. Rajput, U.; Abbas, F.; Oh, H. A hierarchical privacy preserving pseudonymous authentication protocol for VANET. IEEE Access **2016**, 4, 7770–7784.
26. Wang, M.; Liu, D.; Zhu, L.; Xu, Y.; Wang, F. LESPP: Lightweight and efficient strong privacy preserving authentication scheme for secure VANET communication. Computing **2016**, 98, 685–708.
27. Zhang, L.; Wu, Q.; Domingo-Ferrer, J.; Qin, B.; Hu, C. Distributed aggregate privacy-preserving authentication in VANETs. IEEE Trans. Intell. Transp. Syst. **2016**, 18, 516–526.
28. Lu, R.; Lin, X.; Zhu, H.; Ho, P.H.; Shen, X. ECPP: Efficient conditional privacy preservation protocol for secure vehicular communications. In Proceedings of the IEEE INFOCOM 2008-The 27th Conference on Computer Communications, Phoenix, AZ, USA, 13–18 April 2008; pp. 1229–1237.
29. Huang, D.; Misra, S.; Verma, M.; Xue, G. PACP: An efficient pseudonymous authentication-based conditional privacy protocol for VANETs. IEEE Trans. Intell. Transp. Syst. **2011**, 12, 736–746.
30. Chim, T.W.; Yiu, S.M.; Hui, L.C.; Li, V.O. SPECS: Secure and privacy enhancing communications schemes for VANETs. Ad Hoc Netw. **2011**, 9, 189–203.
31. Horng, S.J.; Tzeng, S.F.; Pan, Y.; Fan, P.; Wang, X.; Li, T.; Khan, M.K. b-SPECS+: Batch verification for secure pseudonymous authentication in VANET. IEEE Trans. Inf. Forensics Secur. **2013**, 8, 1860–1875.
32. Pournaghi, S.M.; Zahednejad, B.; Bayat, M.; Farjami, Y. NECPPA: A novel and efficient conditional privacy-preserving authentication scheme for VANET. Comput. Netw. **2018**, 134, 78–92.
33. Azees, M.; Vijayakumar, P.; Deboarh, L.J. EAAP: Efficient anonymous authentication with conditional privacy-preserving scheme for vehicular ad hoc networks. IEEE Trans. Intell. Transp. Syst. **2017**, 18, 2467–2476.
34. Li, J.; Ji, Y.; Choo, K.K.R.; Hogrefe, D. Cl-CPPA: Certificate-less conditional privacy-preserving authentication protocol for the Internet of vehicles. IEEE Internet Things J. **2019**, 6, 10332–10343.
35. Wang, F.; Xu, Y.; Zhang, H.; Zhang, Y.; Zhu, L. 2FLIP: A two-factor lightweight privacy-preserving authentication scheme for VANET. IEEE Trans. Veh. Technol. **2015**, 65, 896–911.
36. Zhang, C.; Lu, R.; Lin, X.; Ho, P.H.; Shen, X. An efficient identity-based batch verification scheme for vehicular sensor networks. In Proceedings of the IEEE INFOCOM 2008-The 27th Conference on Computer Communications, Phoenix, AZ, USA, 13–18 April 2008; pp. 246–250.
37. Zhang, C.; Ho, P.H.; Tapolcai, J. On batch verification with group testing for vehicular communications. Wirel. Netw. **2011**, 17, 1851–1865.
38. Jiang, S.; Zhu, X.; Wang, L. An efficient anonymous batch authentication scheme based on HMAC for VANETs. IEEE Trans. Intell. Transp. Syst. **2016**, 17, 2193–2204.
39. Sutrala, A.K.; Bagga, P.; Das, A.K.; Kumar, N.; Rodrigues, J.J.; Lorenz, P. On the design of conditional privacy preserving batch verification-based authentication scheme for Internet of vehicles deployment. IEEE Trans. Veh. Technol. **2020**, 69, 5535–5548.
40. Shen, J.; Liu, D.; Chen, X.; Li, J.; Kumar, N.; Vijayakumar, P. Secure real-time traffic data aggregation with batch verification for vehicular cloud in VANETs. IEEE Trans. Veh. Technol. **2019**, 69, 807–817.
41. Horng, S.J.; Tzeng, S.F.; Huang, P.H.; Wang, X.; Li, T.; Khan, M.K. An efficient certificateless aggregate signature with conditional privacy-preserving for vehicular sensor networks. Inf. Sci. **2015**, 317, 48–66.
42. Mei, Q.; Xiong, H.; Chen, J.; Yang, M.; Kumari, S.; Khan, M.K. Efficient certificateless aggregate signature with conditional privacy preservation in IoV. IEEE Syst. J. **2020**, 15, 245–256.
43. Wu, L.; Fan, J.; Xie, Y.; Wang, J.; Liu, Q. Efficient location-based conditional privacy-preserving authentication scheme for vehicle ad hoc networks. Int. J. Distrib. Sens. Netw. **2017**, 13, 1550147717700899.
44. Cui, J.; Wei, L.; Zhang, J.; Xu, Y.; Zhong, H. An efficient message-authentication scheme based on edge computing for vehicular ad hoc networks. IEEE Trans. Intell. Transp. Syst. **2018**, 20, 1621–1632.
45. Wei, L.; Cui, J.; Xu, Y.; Cheng, J.; Zhong, H. Secure and Lightweight Conditional Privacy-Preserving Authentication for Securing Traffic Emergency Messages in VANETs. IEEE Trans. Inf. Forensics Secur. **2020**, 16, 1681–1695.
46. Sang, G.; Chen, J.; Liu, Y.; Wu, H.; Zhou, Y.; Jiang, S. PACM: Privacy-Preserving Authentication Scheme with On-Chain Certificate Management for VANETs. IEEE Trans. Netw. Serv. Manag. **2022**, 1.
47. Zhang, C.; Zhu, L.; Xu, C.; Sharif, K.; Ding, K.; Liu, X.; Du, X.; Guizani, M. TPPR: A Trust-Based and Privacy-Preserving Platoon Recommendation Scheme in VANET. IEEE Trans. Serv. Comput. **2022**, 15, 806–818.
48. Wang, S.; Chen, X.; Tong, F.; Zhang, Y. RSU-Aided Authentication for VANET Based on Consortium Blockchain. In Proceedings of the 2021 IEEE 27th International Conference on Parallel and Distributed Systems (ICPADS), Beijing, China, 14–16 December 2021; pp. 324–331.
49. Jagriti, J.; Lobiyal, D.K. An Efficient and Anonymous Authentication Key Agreement Protocol for Smart Transportation System. In Proceedings of the 2021 International Conference on Computational Performance Evaluation (ComPE), Online, 1–3 December 2021; pp. 190–194.
50. Liu, Y.; Wang, L.; Chen, H.H. Message authentication using proxy vehicles in vehicular ad hoc networks. IEEE Trans. Veh. Technol. **2014**, 64, 3697–3710.
51. Ming, Y.; Cheng, H. Efficient certificateless conditional privacy-preserving authentication scheme in VANETs. Mob. Inf. Syst. **2019**, 2019, 7593138.
52. Yang, G.; Tan, C.H.; Huang, Q.; Wong, D.S. Probabilistic Public Key Encryption with Equality Test. In Lecture Notes in Computer Science; Springer: Berlin/Heidelberg, Germany, 2010; pp. 119–131.
53. Tang, Q. Public key encryption schemes supporting equality test with authorisation of different granularity. Int. J. Appl. Cryptogr. **2012**, 2, 304–321.
54. Ma, S.; Huang, Q.; Zhang, M.; Yang, B. Efficient public key encryption with equality test supporting flexible authorization. IEEE Trans. Inf. Forensics Secur. **2014**, 10, 458–470.
55. Slamanig, D.; Spreitzer, R.; Unterluggauer, T. Adding controllable linkability to pairing-based group signatures for free. In Lecture Notes in Computer Science; Springer: Berlin/Heidelberg, Germany, 2014; pp. 388–400.
56. Blazy, O.; Derler, D.; Slamanig, D.; Spreitzer, R. Non-interactive plaintext (in-) equality proofs and group signatures with verifiable controllable linkability. In Lecture Notes in Computer Science; Springer: Berlin/Heidelberg, Germany, 2016; pp. 127–143.
57. Liu, J.; Sun, R.; Kou, W. Fair e-payment protocol based on simple partially blind signature scheme. Wuhan Univ. J. Nat. Sci. **2007**, 12, 181–184.
58. Möller, B. Algorithms for multi-exponentiation. In Lecture Notes in Computer Science; Springer: Berlin/Heidelberg, Germany, 2001; pp. 165–180.
59. Hao, F. Schnorr non-interactive zero-knowledge proof. RFC **2017**, 8235, 1–13.
60. Lu, Z.; Wang, Q.; Qu, G.; Zhang, H.; Liu, Z. A blockchain-based privacy-preserving authentication scheme for vanets. IEEE Trans. Very Large Scale Integr. Syst. **2019**, 27, 2792–2801.
61. Wasef, A.; Shen, X. EMAP: Expedite Message Authentication Protocol for Vehicular Ad Hoc Networks. IEEE Trans. Mob. Comput. **2013**, 12, 78–89.
62. Sun, Y.; Feng, Z.; Hu, Q.; Su, J. An efficient distributed key management scheme for group-signature based anonymous authentication in VANET. Secur. Commun. Netw. **2012**, 5, 79–86.
63. Liu, J.; Li, X.; Jiang, Q.; Obaidat, M.S.; Vijayakumar, P. Bua: A blockchain-based unlinkable authentication in vanets. In Proceedings of the ICC 2020-2020 IEEE International Conference on Communications (ICC), Dublin, Ireland, 7–11 June 2020; pp. 1–6.
64. Galbraith, S.D.; Paterson, K.G.; Smart, N.P. Pairings for cryptographers. Discret. Appl. Math. **2008**, 156, 3113–3121.

**Figure 6.** Overall cost. (**a**) End-to-end cost for the secure communication protocol. (**b**) End-to-end average wait time 50–250 messages/s.

Notation | Description |
---|---|
$(\xi ,h=g^{\xi})$ | The AoN-PKEET encryption key pair of the CA (see Section 3.1) |
$AEnc(h,r,m)\to (K_{1},K_{2})=(g^{r},m h^{r})$ | The AoN-PKEET encryption of m with key h and random r |
$enc_{X}\mid dec_{X}(\cdot)$ | Typical encryption (decryption) with the public (private) key of X |
$sig_{X}(\cdot)\mid ver_{X}(\cdot)$ | Signature (verification) functions with the private (public) key of X |
$H(\cdot)$ | A cryptographic hash function |
$NIZKP(\cdot)$ | The NIZKP of |
$H(m,b)\to \overline{m}$ | Blinding of message m using b as blinding factor |

**Table 2.** Comparison with existing literature. (MVU = Message Vehicle Untraceability, MU = Message Unlinkability).

Security properties of various schemes:

Scheme | Unframeability | Impersonation | MVU-MU | Revocation List | Re-Issuing of Keys |
---|---|---|---|---|---|
BPPA [60] | YES | YES | NO | NO | NO |
EMAP [61] | NO | NO | NO | YES | YES |
DKM [62] | NO | NO | NO | YES | NO |
BUA [63] | NO | NO | NO | YES | NO |
PACM [46] | NO | NO | NO | NO | NO |
Our Scheme | YES | YES | YES | NO | NO |

Blind Signature | Public Key (RSA) | AoN-PKEET (ElGamal) | Pairings and Other Operations |
---|---|---|---|
Blind 0.01 | Encrypt 0.111 | Encrypt 1.0512 | Pairing 10.376 |
Sign 0.466 | Decrypt 0.615 | Decrypt 0.4735 | Multiply $4.1\times 10^{-3}$ |
Unblind 0.01 | | | Inverse 0.151 |
Verify 0.897 | | | Exponent(wpc) 0.473 |
 | | | Exponent 9.036 |
 | | | Hash $6.3\times 10^{-3}$ |
 | | | Subtract-Add $1\times 10^{-3}$ |
 | | | Binary Search 0.011 |

Processing Incoming Message | Time in ms |
---|---|
Compute $e(K_{1},\widehat{\rho})\cdot e(K_{2},\widehat{t})^{-1}$ | 20.903 |
Binary Search (5000 random sorted list) | 0.011 |
Decrypt $enc_{SA}(\overline{m},t_{cur}\|rand\|\mathcal{R})$ | 0.615 |
Verify $\mathcal{R}$ | 9.515 |
Verify $t_{cur}\|rand$ | 0.007 |
Sign | 0.466 |
Encrypt $(r,s)$ | 0.111 |
Total time Request | 31.628 |

AM | PDM | AQL | AW | MP |
---|---|---|---|---|
50 | 0.02 | 7 | 0.14 | 178,182 |
100 | 0.01 | 28 | 0.29 | 347,005 |
151 | 0.0066 | 84 | 0.57 | 532,075 |
200 | 0.005 | 192 | 0.97 | 709,188 |
250 | 0.004 | 537 | 2.1 | 908,106 |

AM | PDM | AQL | AW | MP |
---|---|---|---|---|
100 | 0.01 | 14 | 0.15 | 347,002 |
200 | 0.005 | 65 | 0.33 | 709,494 |
300 | 0.00333 | 190 | 0.61 | 1,120,710 |
400 | 0.0025 | 406 | 0.99 | 1,462,935 |
500 | 0.002 | 1014 | 2 | 1,816,057 |

Scheme | Vehicle | Server |
---|---|---|
BPPA [60] | $T_{em}+T_{h}$ | $2T_{em}+T_{ea}+25T_{h}$ |
EMAP [61] | $T_{em}+2T_{h}$ | $4T_{em}+2T_{ea}+3T_{h}$ |
DKM [62] | $3T_{bp}+3T_{bpe}+5T_{em}+T_{ea}+T_{h}$ | $5T_{bp}+4T_{bpe}+4T_{em}+2T_{ea}+3T_{h}$ |
BUA [63] | $8T_{me}+4T_{mm}+T_{h}$ | $3T_{me}+3T_{mm}+T_{h}$ |
PACM [46] | $3T_{ge}+5T_{h}$ | $2T_{ge}+9T_{h}$ |
Our Scheme | $T_{ge}+T_{gm}+2T_{h}+T_{mm}+T_{ma}$ | $2T_{bp}+1T_{bpe}+2T_{gm}+2T_{h}+3T_{ge}+T_{mm}+T_{ma}+T_{bs}$ |


© 2022 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (https://creativecommons.org/licenses/by/4.0/).

## Share and Cite

**MDPI and ACS Style**

Kalogeropoulos, P.; Papanikas, D.; Kotzanikolaou, P. A Distributed Model for Privacy Preserving V2I Communication with Strong Unframeability and Efficient Revocation. *J. Cybersecur. Priv.* **2022**, *2*, 778-799.
https://doi.org/10.3390/jcp2040040
